Introduction

1.1 Procurement is the process of acquiring goods and services. Procurement of goods and services is integral to the conduct of Australian Government activity and a core function of the Commonwealth public sector.

1.2 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), an entity’s accountable authority has a duty to promote the proper (efficient, effective, economical and ethical) use and management of public resources. Under the PGPA Act, the Finance Minister issues the Commonwealth Procurement Rules (CPRs) for officials to follow when performing duties in relation to procurement.⁵ The CPRs govern how entities buy goods and services and are designed to ensure the government and taxpayers get value for money. The CPRs state:

[Procurement] begins when a need has been identified and a decision has been made on the procurement requirement. Procurement continues through the processes of risk assessment, seeking and evaluating alternative solutions, and the awarding and reporting of a contract.⁶

1.3 Achieving value for money is the core rule of the CPRs, which requires ‘the consideration of financial and non-financial costs and benefits associated with procurement’.⁷ The CPRs state that ‘Officials responsible for a procurement must be satisfied, after reasonable enquiries, that the procurement achieves a value for money outcome’ and that procurements should:

• encourage competition and be non-discriminatory;
• use public resources in an efficient, effective, economical and ethical manner that is not inconsistent with the policies of the Commonwealth;
• facilitate accountable and transparent decision making;
• encourage appropriate engagement with risk; and
• be commensurate with the scale and scope of the business requirement.⁸

1.4 The CPRs are supported by tools such as the AusTender reporting system, guidance material and templates developed and maintained by the Department of Finance (Finance).

Procurement methods

1.5 There are two main procurement methods: open tender and limited tender.

• Open tender involves publishing an open approach to market and inviting submissions. This includes multi-stage procurements, provided the first stage (such as setting up a panel) is an open approach to market.⁹ Open tender is the default for all procurements valued above the relevant threshold.¹⁰
• Limited tender involves an entity approaching one or more potential suppliers to make submissions. These can be undertaken for any procurement under the relevant threshold where it represents value for money. For procurements above the relevant threshold, limited tender can only be used where it is specifically allowed by the CPRs, and the reasons for the limited tender must be reported on AusTender.

1.6 A standing offer arrangement, such as a panel arrangement, can be established through an open tender or limited tender process. Panel arrangements are a way to procure goods or services regularly acquired by entities. In a panel arrangement, suppliers have been appointed to supply goods or services for a set period of time under agreed terms and conditions. Once a panel has been established, an entity may approach one or more suppliers to seek a quote for a particular procurement. Finance’s guidance on panel procurements states:

Wherever possible, you should approach more than one supplier on a Panel for a quote. Even though value for money has been demonstrated for the supplier to be on a panel, you will still need to demonstrate value for money when engaging from a Panel, and competition is one of the easier ways to demonstrate this.¹¹

Contract management

1.7 After a procurement has been undertaken and a contract awarded, an entity needs to manage the contract. Finance states that ‘good contract management is an essential component in achieving value for money’ and defines contract management as:

all the activities undertaken by an entity, after the contract has been signed or commenced, to manage the performance of the contract (including any corrective action) and to achieve the agreed outcomes.¹²

1.8 Finance’s guidance on contract management states: ‘When managing contracts, officials operate in a complex environment of legislation and Commonwealth policy’. This includes but is not limited to: the PGPA Act; the Public Governance, Performance and Accountability Rule 2014; the CPRs; Accountable Authority Instructions; and resource management guides (RMGs) (such as RMG 400 Commitment of Relevant Money, RMG 411 Grants, Procurements and Other Financial Arrangements and RMG 417 Supplier Pay On-Time or Pay Interest Policy).¹³

1.9 Contract management includes establishing contract management arrangements, managing contract performance, ensuring objectives are met and value for money is achieved, and reporting on contracts and variations.

Digital Transformation Agency

1.10 The Digital Transformation Agency (DTA) was established in October 2016, absorbing the former Digital Transformation Office, which had been established in March 2015. In April 2021, the DTA moved to the Prime Minister and Cabinet portfolio and its mandate was updated. In July 2022, the DTA moved to the Finance portfolio. The DTA’s purpose and priorities have changed over this period — from a focus on delivering ICT-related programs in 2019–20 to a focus on providing ICT investment advice and oversight in 2021–22 (as shown in Table 1.1).

Table 1.1: DTA purpose and priorities, 2019–20 to 2021–22

Source: ANAO analysis of DTA Corporate Plans for 2019–20, 2020–21 and 2021–22.

DTA’s procurement activities

1.11 The DTA spends most of its budget through procurement. In 2020–21, the DTA’s expenses were $119.9 million, of which $77.6 million (65 per cent) was used for procuring goods and services from suppliers, as shown in Table 1.2. The profile of the DTA’s procurement activities has changed since DTA’s mandate changed in 2021–22, with the DTA moving away from the direct delivery of ICT projects.

Table 1.2: DTA expenses, including expenses for procuring goods and services from suppliers, 2019–20 and 2020–21

Note a: Depreciation and amortisation, impairment loss on financial instruments, write-down and impairment of other assets and finance costs.

Source: ANAO analysis of DTA Annual Reports for 2019–20 and 2020–21.

Rationale for undertaking the audit

1.12 Procurement is a core function of the DTA. This audit was conducted to provide: increased transparency over the DTA’s procurement framework; and assurance to the Parliament that the DTA’s procurement of ICT-related services is being conducted effectively and that the DTA is effectively managing contracts to deliver on intended objectives and achieve value for money.

Audit approach

Audit objective, criteria and scope

1.13 The objective of the audit was to assess the effectiveness of the DTA’s procurement of ICT-related services.

1.14 To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria:

• Has the DTA established a sound procurement framework?
• Has the DTA conducted procurements effectively?
• Has the DTA managed contracts effectively?

1.15 The audit scope did not include the establishment of whole of Australian Government arrangements that are set up for Commonwealth entities to use when procuring certain goods or services. These are either coordinated or cooperative procurements, some of which are mandatory for use, and generally result in overarching contracts or panel arrangements. The audit scope also did not include the establishment of ICT-related panels, which was the subject of an ANAO audit in 2020.¹⁴

Procurements examined in this audit

1.16 The ANAO examined a sample of nine procurements for ICT-related services undertaken by the DTA with a published start date between 1 July 2019 and 30 June 2021. The nine procurements were selected based on value, risk, relevance and type of procurement and included seven of the nine highest value procurements (excluding whole-of-government procurements). As most of the DTA’s ICT-related services are procured through the Digital Marketplace panel, seven of the procurements selected for examination were undertaken through this panel (which was established through an open tender).¹⁵ In addition, the ANAO selected one procurement that was conducted as an open tender and one that was conducted as a limited tender. The selected procurements range in value from $127,334 to $28.1 million — with a total value of $54.5 million, as shown in Table 1.3.

Table 1.3: Nine procurements examined during this audit, by value

Note a: This procurement related to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA and AusTender data.

1.17 The period within the audit scope includes the start of the COVID-19 pandemic. The pace of the Australian Government’s response to the pandemic increased the risks involved in procurements, particularly where procurements were undertaken on shortened timeframes or transferred from one entity to another. Three of the nine procurements in the ANAO’s sample relate to the Australian Government’s response to the pandemic: myGov Upgrade Horizon 1; COVIDSafe App Development; and COVIDSafe App Enhancements. Paragraph 2.6 of the CPRs states that the CPRs do not apply to the extent that an official applies measures determined by their accountable authority to be necessary for the protection of human health. The DTA did not set aside the CPRs under paragraph 2.6 of the CPRs for any of the nine procurements.

1.18 As shown in Table 1.4, the value of the procurements in the ANAO’s sample represents approximately 44 per cent of the DTA’s procurement expenses during 2019–20 and 2020–21 (not including procurements through the ICT Coordinated Procurement Special Account¹⁶, which were out of the audit scope).

Table 1.4: Value of procurements in the ANAO sample as a percentage of total DTA procurement expenses

Source: ANAO analysis of DTA Annual Reports for 2019–20 and 2020–21 and AusTender data.

Audit methodology

1.19 To address the audit criteria and achieve the audit objective, the audit team:

• examined relevant DTA and AusTender documentation;
• conducted meetings with DTA senior officials and officials involved in the procurement framework and procurement activities; and
• discussed elements of the audit relating to Australian Government procurement policy and guidelines with the Department of Finance.

1.20 In addition to a draft audit report being provided to the DTA, extracts of the draft audit report were provided to: the Department of Finance; ConceptSix; CyberCX; Delv; and Nous Group. Formal responses were provided to the ANAO by the DTA, the Department of Finance and CyberCX (see Appendix A).

1.21 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $442,000.

1.22 The team members for this audit were Jennifer Eddie, Elizabeth Robinson, Sam Jones, Graeme Corbett, Grace Sixsmith, Christine Chalmers and Daniel Whyte.

2.1 This chapter examines whether the DTA has established a sound procurement framework. A procurement framework includes procurement instructions, policies and guidance and is supported by governance, oversight and probity arrangements. A sound framework helps ensure that: procurements are undertaken effectively, ethically and in compliance with relevant rules and legislation; entities properly use and manage public resources; and procurements achieve their objectives and value for money outcomes.

Has the DTA established a procurement framework that aligns with the CPRs and the PGPA Act?

Accountable Authority Instructions

2.2 Section 20A of the PGPA Act states: ‘the accountable authority of a Commonwealth entity may, by written instrument, give instructions to an official of the entity about any matter relating to the finance law’. The Department of Finance (Finance) provides further guidance in its Resource Management Guide (RMG) 206 on Accountable Authority Instructions.¹⁷

2.3 The DTA has established Accountable Authority Instructions that align with the requirements of section 20A of the PGPA Act and with RMG 206. Two versions of the Accountable Authority Instructions were in place during the period examined by the audit – one was approved by the CEO in September 2018 and the second in May 2021. Both versions of the instructions stated the key duties and responsibilities of officials under the PGPA Act, including:

• requirements for entering into commitments of relevant money (section 23); and
• the general duties of officials (sections 25 to 29), such as the duties: of care and diligence; to act honestly, in good faith and for a proper purpose; in relation to use of position; in relation to use of information; and to disclose interests.

2.4 The May 2021 version of the Accountable Authority Instructions included clearer references to requirements under the PGPA Act relating to:

• the proper use and management of public resources (section 15); and
• establishing appropriate systems of risk management and internal control (section 16).

2.5 Both versions of the Accountable Authority Instructions stated that all officials undertaking a procurement must: comply with the CPRs, PGPA Act and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule); treat all potential suppliers to government equitably; act ethically throughout a procurement; and not seek to obtain benefit from supplier practices that may be dishonest, unethical or unsafe.

Procurement policies and guidance

2.6 The DTA has established other procurement policies and guidance to assist staff with understanding their duties and procurement processes, such as:

• finance policies on simple and medium procurement, panel procurement and limited tender procurement;
• PGPA Act operational guidelines;
• intranet pages on procurement processes, delegations, risk management and contract management;
• a Probity Guideline and Declaration of Interest Policy; and
• a Fraud and Corruption Control Plan.

2.7 These policies and guidance were largely appropriate and available to staff on the DTA intranet.¹⁸ The application of the DTA’s procurement policies and instructions are discussed, where relevant, throughout this report.

Has the DTA established sound governance and oversight arrangements for procurements?

2.8 In its Annual Report 2020–21, the DTA described its governance framework as including (in addition to policies and instructions and corporate and business planning): governance committees (Executive Board and Audit Committee); risk and fraud management; and internal audit and assurance activities.

Executive Board

2.9 The Executive Board is the DTA’s primary governance forum. It meets monthly and comprises the senior leadership team. According to its terms of reference, the Executive Board is to determine strategic direction, manage overall performance, and provide advice on the administration and operations of the DTA, including, but not limited to, the:

• development and implementation of systems, processes, and internal controls for the management of the DTA’s risks;
• consideration of investment proposals;
• prioritisation and allocation of resources; and
• changes to scope, schedule and budget for internal mandates.

2.10 The Executive Board receives updates on DTA programs and projects on an ad hoc basis, which includes those undertaken through contracts with suppliers.

2.11 In 2020–21, the Executive Board did not consider procurements or provide advice on managing procurement risk. The DTA’s 2020–21 Corporate Plan stated that the DTA actively manages risks at its Executive Board meetings. However, risk management was not included as an agenda item for any of the Executive Board meetings in 2020–21.

2.12 From September 2021 the Board added a standing agenda item on ‘DTA governance and oversight’, which was intended to include discussions on ‘strategy, people and risk management’.

• At the September 2021 meeting, under this item, the Executive Board: discussed the development of strategic and organisational risk management processes; decided to run a risk management session to identify significant strategic and organisational risks; and agreed to include regular risk management updates in future meetings. This discussion resulted in the following action item: ‘The Board undertake a strategic and organisational risk assessment process and report back against it on a regular basis’.
• At the next meeting in October 2021 there was a ‘nil’ report under the new agenda item on governance and oversight. The meeting papers recommended that the risk management action item be closed, with the update: ‘A strategic and operational risk assessment was performed and included in the final version of the Corporate Plan published end of August 2021’.¹⁹

2.13 The standing agenda item on governance and oversight remained on the agenda, but there was no evidence that risk management was discussed at the five meetings between November 2021 and March 2022. At the April 2022 meeting, there was an additional agenda item on the ‘DTA Strategic Risk Assessment Review’, and a paper was provided that outlined five strategic risks with related controls and treatments. This was the first evidence of substantive consideration of risk by the DTA’s Executive Board during the period examined by this audit. None of the five strategic risks outlined in the paper related to procurement of ICT-related services.

Audit Committee

2.14 Section 17 of the PGPA Rule states that an accountable authority ‘must, by written charter, determine the functions of the audit committee for the entity’ and these functions must include reviewing the appropriateness of the entity’s: financial and performance reporting; system of risk oversight and management; and system of internal control.

2.15 The DTA’s Audit Committee Charter includes the functions required under the PGPA Rule, and states that the audit committee will meet at least four times each year. The audit committee met: five times in 2019–20²⁰; and five times in 2020–21.²¹

2.16 The Audit Committee Charter indicates that the committee will review and provide advice on the appropriateness of the DTA’s: risk management framework; articulation of key roles and responsibilities relating to risk management; and approach to managing the entity’s key risks, including those associated with projects and program implementation.

2.17 In August 2019, the audit committee reviewed a one-page report on the DTA’s governance, risk and controls, which noted that the following items were ‘in place’ but not yet ‘mature’: first line monitoring and controls; business planning; staff training; control framework; Risk Policy and Framework; and Enterprise Risk Management Plan.

2.18 The June 2021 audit committee papers included a template for branch-level business plans, which included a section on risk. In June 2022, the DTA provided the ANAO with drafts of branch-level business plans that included risks, but as at June 2022, none of the plans for the 2021–22 financial year had been finalised or approved.

2.19 In November 2021, the DTA’s CEO presented his first executive briefing to the audit committee. He discussed risks facing the DTA, such as high staff turnover²², and stated that the DTA needed to revise its strategic risk assessment and corporate planning.

2.20 At the March 2022 audit committee meeting, there was an agenda item on ‘Risk Management’ and the committee was provided with a copy of the 2018 Risk Management Policy²³ and a draft strategic risk assessment (with a note that it was under review by the Executive Board). There was no evidence in the Audit Committee papers that the Audit Committee considered or provided advice on risks relating to the procurement of ICT-related services during the period examined by this audit.

Risk management

2.21 Accountable authorities are required under section 16 of the PGPA Act to establish and maintain an appropriate system of risk oversight and management for the entity.

2.22 In 2018 the DTA engaged KPMG Australia to develop a risk management policy, risk management process and enterprise risk report. In 2021–22, the risk management policy and enterprise risk report documents were no longer in use. Elements of the risk management process were still in use.

2.23 As noted at paragraph 2.17, the DTA assessed the status of its governance, risk and controls in 2019 and rated the following items as ‘in place’ but not yet mature:

• Risk Policy and Framework — ‘Developed. Work is required to embed this in product teams’; and
• Enterprise Risk Management Plan — ‘Enterprise risk assessment is complete. Executive Board have asked for this to be included as a standard item’.²⁴

2.24 In its 2019–20 and 2020–21 annual reports, the DTA stated:

We take a risk-based approach to treating sources of risk that may negatively affect our ability to deliver DTA priorities, while remaining open to positive risks and opportunities that support our objectives. Many of our delivery approaches, such as agile and iterative development, help to contain risk and respond quickly to changes in the surrounding environment or to feedback.

2.25 The DTA’s 2021–22 Corporate Plan (published in August 2021) identified five strategic risks — that the DTA would be unable to: provide advice, insights and assurance on whole-of-government digital and ICT investments; lead whole-of-government strategies and policies to drive the government’s agenda; deliver on its funded priorities; enlist the support of its stakeholders to achieve shared outcomes; or attract, retain and develop its people.

2.26 The DTA’s 2021–22 Corporate Plan describes the DTA’s system of risk oversight and management as follows:

We manage risk in line with our Enterprise Risk Framework, the AS/NZS 31000:2018 Risk management – Guidelines, as well as the Commonwealth Risk Management Guidelines. We have efficient and effective controls in place to anticipate and manage risk and drive organisational performance. We actively manage risks continually across our organisation with oversight provided at our Executive Board meetings. We encourage staff to engage with risk appropriately.

2.27 The DTA defines its risk management framework as ‘all policies, procedures and governance structures directly or indirectly guiding our behaviour and actions when managing risk’.

2.28 The DTA had the following risk policies and guidance in place and accessible to staff on the DTA intranet:

• ‘Managing risk’ — an intranet page on identifying, reporting and escalating risk;
• ‘Risk management process’ — an intranet page about the process; and
• a template for a risk and control register, with a risk matrix and guidance on ‘how to conduct a risk assessment’ and ‘how to approach the risk register’.

2.29 Although the DTA has established guidance on risk management, this guidance is not being applied systemically. The DTA had prepared risk assessments for only two of the nine procurements examined for this audit, and neither risk assessment was consistent with DTA guidance on how to assess and rate risks.

2.30 In 2021–22, no enterprise risk plan or framework was available to staff on the DTA intranet. In March 2022, the DTA advised the ANAO that it did not currently have central or business level risk registers. In June 2022, the DTA provided the ANAO with a copy of a risk register that it stated had been in use in 2019. All of the risks listed had due dates in 2019 and there was no evidence that the register had been updated since that time. Having a central risk register or registers by division or branch that are accessible to staff would enable the DTA to better manage, and assign responsibility for, key risks.

Fraud management

2.32 Section 10 of the PGPA Rule states that an accountable authority must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

• conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity;
• developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment;
• having an appropriate mechanism for preventing fraud, including by ensuring that officials of the entity are made aware of what constitutes fraud, and the risk of fraud is taken into account in planning and conducting the activities of the entity; and
• having an appropriate mechanism for detecting incidents of fraud or suspected fraud, investigating or otherwise dealing with incidents of fraud or suspected fraud, and recording and reporting incidents of fraud or suspected fraud.

2.33 In its annual reports for 2019–20 and 2020–21, the DTA’s CEO certified that:

in accordance with sections 10 and 17AG of the PGPA Rule, the Digital Transformation Agency has prepared a fraud risk assessment and a fraud control plan, and has in place appropriate fraud prevention, detection, investigation and reporting mechanisms and has taken all reasonable measures to appropriately deal with fraud related to our agency.

2.34 The DTA has a section on fraud control in its Accountable Authority Instructions and has established a Fraud and Corruption Control Plan. The plan outlines the DTA’s approach to fraud control, which includes (but is not limited to):

• maintaining an effective system of internal controls to protect public money, information and property;
• ensuring all DTA officials are aware of their obligations in relation to fraud through fraud awareness training;
• conducting periodic fraud risk assessment reviews;
• establishing formal procedures for reporting and investigating allegations of dishonest and/or fraudulent behaviour; and
• investigating fraud in accordance with the Australian Government Investigations Standards.

2.35 The plan includes an assessment of key risks related to assets, decisions, finance processes, and human resources, such as that:

• invoices are inappropriately paid to the wrong accounts or in the wrong amounts;
• purchases are made without appropriate approval, probity and purpose;
• contracts are awarded inappropriately or not managed according to requirements; and
• DTA employees use their position and trusted access to commit fraud.

2.36 The Fraud and Corruption Control Plan assigns responsibility for fraud control and outlines key fraud control strategies and mechanisms for reporting and investigating fraud. The plan also states that: ‘The DTA is committed to the investigation of all reports and suspicions of fraudulent activity’.

2.37 The DTA reported ‘no instances of fraud were identified during the year’ in its annual reports for 2019–20 and 2020–21.

2.38 There was an incident of potential fraud in 2020–21, which was examined after probity concerns were raised. The examination was conducted by McGrathNicol — the firm contracted to manage the DTA’s internal audit program.

2.39 As mentioned at paragraph 2.34, the DTA Fraud and Corruption Control Plan states that the DTA’s approach to fraud control includes investigating potential fraud in accordance with the Australian Government Investigations Standards. This was not done in this instance. The McGrathNicol report does not mention the Australian Government Investigations Standards and notes that it was an ‘initial assessment’ and not a fraud investigation. The report includes the disclaimer:

This report has been prepared in accordance with the scope agreed with the DTA as set out in our engagement letter dated 10 June 2021.²⁵ […] We have not carried out a statutory audit and accordingly, an audit opinion has not been provided. The scope of our work is different from a statutory audit and it cannot be relied upon to provide the same level of assurance as a statutory audit. Our conclusions are based solely on the information provided to us by the DTA, and we have not sought to verify any of this information.

2.40 The examination found: ‘based on available information, there is insufficient evidence to substantiate an act of fraud or corruption’; but ‘the evidence does substantiate […] a potential breach of probity guidelines, in particular the perception […] that the procurement process was not open, fair or transparent’. This incident is discussed further in Case Study 1.

Fraud incident register

2.41 The Fraud and Corruption Control Plan states that:

the Fraud Control Officer will maintain a Fraud Incident Register. The Fraud Incident Register records a summary of reported fraud incidents, regardless of their outcome, and is used as a basis for providing quarterly reports to the Audit Committee.

2.42 There is no evidence that the DTA maintains a fraud incident register, but there is evidence of reporting on fraud to the audit committee. The June 2021 audit committee papers mention that there had been an instance of possible fraud (the instance discussed in Case Study 1) and that an investigation was underway. The September 2021 audit committee papers included an annual fraud control minute with the statement:

There was one instance of potential fraud reported in 2020–21. The instance was related to procurement and was identified by the central procurement team in Corporate Branch. A preliminary investigation by McGrathNicol determined that there was no evidence of fraud, and a report was prepared for the CEO.

Fraud awareness and procurement training

2.43 The PGPA Rule requires that entities have ‘an appropriate mechanism for preventing fraud, including by ensuring that: officials of the entity are made aware of what constitutes fraud’. One way to help ensure that staff are aware of what constitutes fraud, and how to prevent and deal with it, is for staff to complete fraud awareness training.

2.44 The DTA has voluntary fraud awareness training and mandatory procurement and finance training, but there have been low levels of completion. In 2020–21, from a total of approximately 350 personnel (250 DTA officials and 100 contractors):

• 95 people (27 per cent) had completed fraud awareness training; and
• 66 people (19 per cent) had completed mandatory procurement and finance training.

Internal audit and assurance activities

2.46 The DTA completed 11 internal audits between 2019 and 2021. The DTA tracks audit recommendations and reports on these to the audit committee. The 2021–22 Internal Audit Program identified two breaches of the PGPA Act where instances of expenditure exceeded the approved section 23(3) purchase order. They were for labour hire, under $5,000 and considered low risk. It also identified 112 instances where contracts and variations were reported late to AusTender, in breach of paragraph 7.18 of the CPRs.

2.47 The DTA conducted an internal audit on procurement in August 2019, which found that:

Although the DTA has developed a sound foundation for its procurement framework, this framework requires significant enhancement before it will provide adequate assurance that all DTA procurements are conducted in compliance with the CPRs and the Commonwealth Procurement Framework more broadly. Specifically, the internal audit found that:

• the DTA procurement framework is heavily reliant on the expertise of the DTA’s Procurement Team resulting in a business continuity risk; [… and]
• the DTA could improve its probity controls in place to provide increased assurance that its complex or high-risk procurements are conducted in a manner that is fair, equitable and defensible.

2.48 The internal audit made recommendations related to: improving procurement guidance and training; documenting key elements of procurements (such as risk assessments, evaluations and interest declarations); and demonstrating compliance with the CPRs. The audit committee closed out these recommendations in November 2019. However, as discussed throughout this report, the ANAO found that there are ongoing issues related to these recommendations, such as poor documentation, not completing risk assessments and conflict of interest declarations, and not demonstrating compliance with the CPRs.

Has the DTA effectively managed probity for procurements, including identifying and managing conflicts of interest?

2.49 Probity is the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.²⁶ It provides a level of assurance to delegates, suppliers and the Australian Government that a procurement was conducted in a manner that is fair, equitable and defensible.²⁷ The CPRs state that officials undertaking a procurement must act ethically throughout the procurement, which includes recognising and dealing with actual, potential and perceived conflicts of interest.²⁸

Probity guideline and probity advisors

2.50 The DTA has established a DTA Probity Guideline, which was approved by its Chief Finance Officer in July 2020. It outlines probity principles, such as: fairness and impartiality; consistency and transparency of process; security and confidentiality; identification and resolution of actual or perceived conflicts of interest; compliance with legislative obligations and government policies as they apply to competitive tendering and contracting; and accountability.

2.51 The DTA Probity Guideline outlines that: ‘all DTA Officers and DTA Affiliates²⁹ participating in a procurement will be required to agree to, and satisfy the principles and protocols set out in this Probity Guideline before undertaking any procurement-related activities’. This involves completing and signing a ‘Declaration of Acknowledgement and Agreement to the DTA Probity Guideline’. No officials signed declarations related to probity for any of the nine procurements examined in this audit.

2.52 The DTA Probity Guideline mentions the use of procurement and evaluation plans, but it does not mention probity plans. None of the nine procurements examined by the ANAO had a probity plan.

2.53 The guideline indicates that ‘the requirement for a probity advisor is dependent on the risk and value of a procurement. An advisor is required where the procurement risk is significant or high, or the procurement is high in value.’

2.54 Higher value procurements did not have a probity advisor, and the DTA did not make risk-based decisions on whether to appoint a probity advisor. As the DTA did not assess the risk for seven of the procurements examined, the ANAO could not assess whether these procurements should have had a probity advisor according to DTA policy. The Record Management Software procurement, which was the only procurement in the ANAO sample that had a probity advisor, had been assessed for risk, but it was assessed as low risk. There was no evidence of any advice given by the probity advisor for the Record Management Software procurement, and the evaluation report for the procurement stated: ‘There were no deviations from the approved procurement plan or [evaluation plan] during the course of the [request for tender] process’.

2.55 There was one instance in 2020–21 where the DTA commissioned an examination into potential fraud after probity concerns were raised for the myGov and Digital Identify Charging Framework procurement. As discussed in Case Study 1, the DTA did not follow through on the report’s recommendation to conduct an investigation into the potential breach of the DTA Probity Guideline. Further, no remedial actions were taken in relation to the contract, and the contract was varied twice after the fraud examination was completed, without the approving delegate being informed of the potential probity breach.

Conflicts of Interest

2.57 Effective management of conflicts of interest should be a central component of an entity’s integrity framework. Poor practice, or the perception of poor practice, in the management of conflicts of interest undermines trust and confidence in an entity’s activities. The Australian Public Service (APS) Code of Conduct, which is set out in section 13 of the Public Service Act 1999, requires that APS employees take reasonable steps to avoid any real or apparent conflict of interest. Where conflicts cannot be avoided, the APS Code of Conduct, PGPA Act, and PGPA Rule require that employees must disclose details of any material personal interest. Finance guidance on ethics and probity in procurement states that:

Persons involved in the tender process, including contractors […] should make a written declaration of any actual, potential or perceived conflicts of interests prior to taking part in the process. These persons should also have an ongoing obligation to disclose any conflicts that arise through until the completion of the tender process.³⁰

2.58 The CPRs state officials undertaking procurement must recognise and deal with actual, potential and perceived conflicts of interest.

Activity-specific interest declarations

2.59 According to the Australian Public Service Commission (APSC) guide APS Values and Code of Conduct in Practice, entities may choose to require written declarations of interest of employees at particular risk of conflict of interest, such as those involved in procurement.

2.60 The DTA Accountable Authority Instructions state that all DTA officials ‘must disclose material personal interests in line with Commonwealth and DTA policy and operational guidelines’. The DTA Probity Guideline states that:

Any DTA Officers and DTA Affiliates with an actual, potential or perceived conflict of interest should declare that interest as soon as that conflict is known [and]

DTA Officers and DTA Affiliates must ensure their conduct does not give rise to a perception that would allow for the erosion of industry and community confidence in the way in which DTA conducts Procurement. Where DTA Officers and DTA Affiliates are concerned that a perceived or real conflict may exist, they should document all details immediately and raise the matter with the Responsible Person.

2.61 The DTA Probity Guideline further states that all DTA officers and contractors (‘DTA Affiliates’) involved in an open tender procurement must complete and sign a declaration of interests and disclosure statement (the guideline does not discuss limited tender procurements). The declaration template is provided as an appendix to the guideline — with one for APS employees and one for contractors. The DTA’s Declaration of Interest Policy also outlines that ‘procurement employees must complete the Declaration of Interest form’.

2.62 Of the nine procurements examined by the ANAO:

• for eight procurements, there was no evidence of activity-specific declarations being completed by any of the officials or contractors involved in the procurement; and
• for the Record Management Software procurement, a declaration of interest form had been completed for one of the five members of the evaluation panel, which included the statement that the official did not have any actual or perceived conflict of interest.

2.63 The ANAO spoke with the DTA procurement team and with the DTA officials involved in all of the examined procurements. The officials indicated that completing activity-based declarations of interest has not been part of general business practice at the DTA.

Senior Executive Service interest declarations

2.64 According to the APSC guide APS Values and Code of Conduct in Practice, ‘Agency heads and Senior Executive Service (SES) employees are subject to a specific regime that requires them to submit, at least annually, a written declaration of their own and their immediate family’s financial and other material personal interests’.

2.65 The DTA’s Declaration of Interest Policy states that ‘senior executives must complete the Declaration of Interest form on engagement. Forms are to be revised whenever personal circumstances change’.

2.66 Records of general interest declarations were maintained for all the senior executives involved in the nine procurements examined. However, there were three instances where a declaration for a particular year was not on file, with the DTA explaining for these instances:

• for a 2019 declaration — ‘this may be due to the fact that [the SES officer’s] SES acting had recently commenced, and acting arrangements are expected to be temporary’;
• for a 2019 declaration — ‘the missing form may not have been shared with HR’; and
• for a 2021 declaration — ‘there is no record of a declaration of interest for [this SES officer] for 2021. […] the missing form may not have been shared with HR’.

2.67 The DTA Accountable Authority Instructions state that the Human Resources Director ‘must maintain a register of all material personal interests that relates to the affairs of the DTA in accordance with these instructions’. In April 2022, the DTA advised the ANAO that it does not maintain a register of declared personal interests. In June 2022, the DTA provided the ANAO with a declaration of interest register that included details on 15 SES declarations made in the first quarter of 2021–22. The DTA provided no evidence that a declaration of interest register had been in place in 2019–20 or 2020–21.

Receiving gifts and benefits

2.69 The CPRs state that procurement officials must act ethically throughout a procurement, including ‘by not accepting inappropriate gifts or hospitality’ (paragraph 6.6). Finance guidance states that: ‘officials must not accept hospitality, gifts or benefits from any potential suppliers’.³¹ The APS Code of Conduct states that: ‘An APS employee must not improperly use inside information or the employee’s duties, status, power or authority: to gain, or seek to gain, a benefit or an advantage for the employee or any other person’.³²

2.70 The DTA established a policy for receiving gifts and benefits in June 2021. According to this policy, all gifts received that exceed $200 and all ‘consequential gifts’ received must be recorded on the gift register and published on the DTA’s website.³³ The DTA policy states that before accepting a gift, DTA employees must consider (among other things) ‘any perceived conflict of interest and public perception of receiving the gift’ and ‘the relationship the DTA has with the person, company or organisation offering the gift, for example, if there is a contractual relationship’.

2.71 The DTA’s 2021 gift and benefit policy did not fully align with APSC guidance (which came into effect in 2019), with the DTA guidance requiring gifts over $200 to be reported and the APSC guidance requiring gifts over $100 to be reported. The DTA advised the ANAO in June 2022 that it had updated its policy to align with the APSC guidance in response to the ANAO’s findings.

2.72 The DTA has established a gifts and benefits register. There were nine entries on the register for 2019–20; five entries for inconsequential gifts under $50 for 2020–21; and one entry for an inconsequential gift for 2021–22.

2.73 One of the entries for 2019–20 was a gift from a supplier to a DTA senior official for a $200 ticket to an Institute of Public Administration Australia event in November 2019. The register entry gives the following reason for the gift: ‘tickets were sold out and [the supplier] offered a seat at their table’. The DTA reported 14 contracts awarded to this supplier in 2019–20 and 2020–21, with a total value of $4.5 million. One of these contracts was awarded (directly, without competition) after the SES-level gift recipient suggested this supplier for a particular set of work in March 2020. Accepting a gift or hospitality from a potential or current supplier does not align with Finance guidance or the DTA’s gifts and benefits policy.³⁴ Further, the senior official’s accepting of a gift from a supplier could have been perceived as a conflict of interest, particularly as the official was in a position to make procurement decisions that involved this supplier.

2.75 In 2019, the APSC issued guidance on gifts and benefits, including that agency heads must:

• publish a register of gifts and benefits they accept that are valued at over $100 on their departmental or agency website on a quarterly basis;
• provide a link to the agency head gifts and benefits register to the APSC for publication on the APSC’s website;
• collect and store the relevant information, and manage their register, in accordance with their agency’s procedures;
• update the register within 31 days of receiving a gift or benefit; and
• publish a ‘nil’ declaration on the gifts and benefits register where agency heads have not accepted any gifts during the reporting period.

2.76 As at 11 May 2022, no gifts and benefits register had been published to the DTA website, and there was no link to a DTA gifts and benefits register on the APSC website. In response to this finding, in June 2022, the DTA published a gifts and benefits register to its website for the first three quarters of 2021–22.³⁵

2.77 The DTA had not recorded a declaration (nil or otherwise) for the position of CEO on the DTA gifts and benefits register for the past three financial years, and the DTA had not published any record of whether or not the CEO had received gifts and benefits over the past three financial years on the DTA website.

3.1 This chapter examines whether the DTA has conducted procurements effectively, including an assessment of compliance with the CPRs.³⁷ Conducting procurements effectively includes: undertaking appropriate planning; assessing and managing procurement risks; undertaking an approach to market that is fair and transparent and promotes competition and value for money outcomes; evaluating tenders based on established evaluation criteria; treating tenderers equitably; and providing sound and complete advice to decision-makers.

Has the DTA conducted approach to market processes effectively and in compliance with the CPRs?

Procurement planning and approach to market considerations

3.2 The ANAO found examples of poor planning documentation and non-compliance with the CPRs in relation to the DTA’s approach to market processes, as illustrated in Table 3.1. Only two of the nine procurements examined (GovDesk Development and Record Management Software) met or partly met all assessed components of an appropriate approach to market.

Table 3.1: Assessment of planning and approach to market considerations

Note a: This includes records on planning, such as the requirement for the procurement, the procurement process, how value for money was considered, an estimate of value of procurement, and a risk assessment.

Note b: Procurement relates to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.

Procurement planning

3.3 Adequate planning assists in achieving the efficient, effective, ethical and economical procurement practices required under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the CPRs. There was no planning documentation for four of the nine procurements examined, and only two of the procurements had a procurement plan (see Table 3.1). Of the four procurements that had no planning documentation, one related to the COVID-19 pandemic response.

Value for money consideration

3.4 As discussed at paragraph 1.3, achieving value for money is the core rule of the CPRs. Approaching multiple suppliers generates competitive tension, helps drive value for money, enables greater transparency and fairness, and is consistent with the intent of the CPRs.

3.5 Value for money was mentioned in procurement planning documentation for only one of the procurements examined (GovDesk Development) (see Table 3.1). This plan noted that the evaluation team would consider the value for money proposition for each quote taking into consideration technical scores, pricing and overall risk. The procurement for record management software included a detailed consideration of value for money in its later evaluation plan, which is discussed at paragraph 3.55.

Estimation of expected value of procurements

3.6 The CPRs state at paragraph 9.2 that: ‘the expected value of a procurement must be estimated before a decision on the procurement method is made’.³⁸ The CPRs also state, at paragraph 9.3:

the maximum value of the goods and services being procured must include: a. all forms of remuneration, including any premiums, fees, commissions, interest, allowances and other revenue streams that may be provided for in the proposed contract; b. the value of the goods and services being procured, including the value of any options in the proposed contract; and c. any taxes or charges.

The intent of this requirement is to ensure that entities have taken the estimated value and relevant thresholds into account and have established that the chosen procurement method is allowable under the CPRs.

3.7 For five of the nine procurements examined, the DTA did not estimate the maximum value of procurements before a decision was made on the procurement method (of the five, two related to the COVID-19 pandemic response). For the four procurements that included an estimate on the maximum value, only one procurement (Record Management Software) included records to show that this estimation included all of the elements required by the CPRs (see Table 3.1).

Risk assessment

3.8 The CPRs define risk management as: ‘the activities and actions taken by a relevant entity to ensure that it is mindful of the risks it faces, that it makes informed decisions in managing these risks, and identifies and harnesses potential opportunities’.³⁹ Paragraph 4.4 of the CPRs states that ‘Officials responsible for a procurement must be satisfied, after reasonable enquiries, that the procurement achieves a value for money outcome’ and the procurement should ‘encourage appropriate engagement with risk’. Paragraph 8.2 states that:

Relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract.⁴⁰

3.9 For seven of the nine procurements examined, the DTA had not undertaken a risk assessment (see Table 3.1). This included three procurements related to the COVID-19 pandemic response. Neither of the two risk assessments that had been completed was consistent with DTA guidance on how to assess and rate risk.

3.10 DTA guidance provides a risk matrix with five potential risk ratings: low, minor, moderate, high and very high. DTA guidance describes the risk escalation process as:

• we treat minor risks and document them in the risk register;
• escalate moderate risks to your product manager and monitor them quarterly;
• escalate high risks to your SES Band 1 and report them to the Executive Board;
• escalate very high risks to the Executive Board.

3.11 The risk assessment for the GovDesk Development procurement included a risk matrix with four (rather than five) potential risk ratings: low, medium-low, medium-high and high. The risk matrix noted ‘medium-high and high risks are to be escalated’. The procurement risk ratings of ‘medium-high’ and ‘high’ partly aligned to the DTA official risk ratings of ‘high’ and ‘very high’, respectively. Further, one of the four risks on the register was rated as ‘medium-low’ when, according to the matrix, the selected likelihood and consequence should have resulted in a rating of ‘medium-high’. If the risk had been rated in alignment with the risk matrix, this risk should have been escalated to the Executive Board, but it was not.

Recordkeeping

3.12 In relation to recordkeeping, the CPRs state at paragraphs 7.2–7.5:

7.2 Officials must maintain for each procurement a level of documentation commensurate with the scale, scope and risk of the procurement.

7.3 Documentation should provide accurate and concise information on: a. the requirement for the procurement; b. the process that was followed; c. how value for money was considered and achieved; d. relevant approvals; and e. relevant decisions and the basis of those decisions.

7.4 Relevant entities must have access to evidence of agreements with suppliers […].

7.5 Documentation must be retained in accordance with the Archives Act 1983.

3.13 The DTA did not maintain appropriate records of the approach to market for seven of the procurements examined (see Table 3.1). For two of the procurements (GovDesk Development and Record Management Software), the DTA had maintained most of the key records (see Table 3.1).

Compliance with requirements for limited and open tender procurements

Limited Tender procurement

3.14 The CPRs define limited tender procurement as an entity ‘approaching one or more potential suppliers to make submissions, when the process does not meet the rules for open tender’.⁴¹ The CPRs state at paragraph 9.10:

For procurements at or above the relevant procurement threshold,⁴² limited tender can only be conducted in accordance with paragraph 10.3, or when a procurement is exempt as detailed in Appendix A.⁴³

3.15 Paragraph 9.11 further states: ‘When conducting a limited tender in accordance with paragraph 9.10, the relevant exemption or limited tender condition must be reported on AusTender’.⁴⁴

3.16 In 2019–20 and 2020–21, the DTA conducted 37 limited tender procurements at a value of about $19.1 million. Of this, about $14.8 million was categorised on AusTender as for ‘software’. The ANAO examined one limited tender procurement that related to the procurement of workflow ticketing software. For this procurement, the DTA approached only one supplier. The DTA reported on AusTender that it had conducted this limited tender under the exemption outlined at paragraph 10.3.e of the CPRs:

e. for additional deliveries of goods and services by the original supplier or authorised representative that are intended either as replacement parts, extensions, or continuing services for existing equipment, software, services, or installations, when a change of supplier would compel the relevant entity to procure goods and services that do not meet requirements for compatibility with existing equipment or services.

3.17 Further detail on this procurement is provided in Case Study 2.

3.18 For contracts awarded through limited tender, the CPRs also require:

In accordance with the general rules for accountability set out in these CPRs, for each contract awarded through limited tender, an official must prepare and appropriately file within the relevant entity’s records management system a written report that includes: a. the value and type of goods and services procured; b. a statement indicating the circumstances and conditions that justified the use of limited tender; and c. a record demonstrating how the procurement represented value for money in the circumstances.⁴⁵

3.19 For the procurement of Zendesk software, the DTA had not prepared a written report or a statement indicating the circumstances and conditions that justified the use of limited tender or that demonstrated how the procurement represented value for money in the circumstances.

Open Tender procurement

3.20 During 2019–20 and 2020–21, the DTA reported 15 non-panel open tender procurements at a value of about $7 million. The ANAO examined one open tender procurement that related to the procurement of record management software. This procurement involved an open approach to market, was on the market for 27 days and resulted in 23 responses. The DTA issued four addenda on AusTender during the approach to market. No late quotes were received. Most of the key approach documentation had been retained, including a procurement plan, request documentation and a risk assessment (see Table 3.1).

3.21 Open Tender procurements are subject to the rules in Division 2 of the CPRs. Key requirements, and DTA compliance with these requirements, are outlined in Table 3.2.

Table 3.2: Compliance with Division 2 requirements of the CPRs for the Record Management Software procurement

Note a: The request documentation included information on the evaluation process and stated: ‘In the first stage, all complying responses will be evaluated according to merit against the evaluation criteria listed in clause A.B.5 of the Commonwealth Approach to Market (ATM) Terms provided with this ATM document’. The request document did not include the procurement-specific evaluation criteria that were used to evaluate the tenders.

Note b: The ANAO saw no evidence to indicate that any suppliers had been treated unfairly or in a discriminatory manner.

Source: ANAO analysis of DTA information.

Panel procurements

Digital Marketplace procurements

3.22 The establishment of the Digital Marketplace panel was an initiative under the Australian Government’s 2015 National Innovation and Science Agenda.⁴⁶ The DTA was given responsibility for creating a new online marketplace of digital and ICT services. The Digital Marketplace opened in August 2016. The objectives of the Digital Marketplace were increasing participation of small to medium enterprises (SMEs) and start-ups by breaking down barriers to entry,⁴⁷ making it easier for these businesses to compete for government contracts and encouraging innovation across government.

3.23 The DTA reported for 2016–17 that: there were 485 digital sellers on the marketplace; 190 opportunities had been posted; and, of the contracts reported to AusTender, 82 per cent had been awarded to SMEs. For 2020–21, the DTA reported that 60 per cent of Digital Marketplace opportunities had been awarded to SMEs, with the six SMEs receiving the highest number of contracts being employment agencies or recruitment specialists. These six SMEs received about 700 contracts in 2020–21 (an average of 115 contracts each).

3.24 In February 2022, the DTA reported that: there were 4132 sellers on the Digital Marketplace; since August 2016, 25 per cent of all Digital Marketplace opportunities had been open to all sellers; 73 per cent of all opportunities on the marketplace had been for labour hire; and 82 per cent (2309 of 2814) of non-labour hire opportunities received between zero and five responses. The DTA did not report how many of these opportunities involved an approach to only one potential supplier.⁴⁸

3.25 In May 2022, the Digital Marketplace moved to BuyICT.gov.au, which is a collection of seven ICT-related marketplaces. The DTA advised the ANAO in June 2022 that the new platform has a prompt for buyers that states: ‘it is considered best practice to include at least three sellers’. The Digital Marketplace on the BuyICT website also includes information for each opportunity on whether the opportunity is open to all suppliers, a limited number of suppliers or only one supplier in the category.

DTA’s use of the Digital Marketplace

3.26 The DTA used a panel arrangement for more than 80 per cent of the contracts it reported to AusTender in 2020–21, with the Digital Marketplace panel being used in 71 per cent of those cases.⁴⁹ The ANAO examined seven procurements that involved the Digital Marketplace panel, as outlined in Table 3.3. These procurements were selected on the basis of value, risk, relevance and type of procurement and include seven of the DTA’s nine highest value procurements (other than whole-of-government procurements) for 2019–20 and 2020–21.

3.27 Only one supplier was approached for four of the seven Digital Marketplace procurements examined by the ANAO: the COVIDSafe App Development procurement; the myGov Upgrade Horizon 1 procurement; the myGov Funding Case Support procurement; and the HGIT Program Support procurement.⁵⁰

3.28 For the COVIDSafe App Development procurement, the rationale for approaching only one supplier was that it was an ‘urgent’ requirement ‘to support the Covid-19 response’. DTA’s internal finance team advised the business area that, as the procurement was COVID-19-related, ‘we can bypass the usual process’. The supplier had already been engaged by the Department of Health to develop the COVIDSafe App before responsibility for developing the app was transferred to the DTA. The DTA notes running the procurement process through the Digital Marketplace ‘allow[ed] the seller to transition from Department of Health to the DTA’.

3.29 For the two procurements related to the myGov project (myGov Upgrade Horizon 1 and myGov Funding Case Support), although the contractors were on the Digital Marketplace panel and the DTA reported the procurements on AusTender as ‘open tender’ Digital Marketplace procurements, in each case the contractor was approached directly outside of the Digital Marketplace portal and the DTA accepted a verbal offer. More detail on the MyGov Funding Case Support procurement is provided in Case Study 3.

3.30 For the HGIT Program Support procurement, 16 suppliers on the Digital Marketplace panel were approached and five tenders were received and evaluated, but the DTA decided not to proceed with any of the tenderers. The DTA then directly approached and contracted one supplier, CyberCX, as outlined in Case Study 4.

3.31 Multiple suppliers were approached for three of the seven Digital Marketplace procurements examined by the ANAO: the GovDesk Development procurement, the myGov and Digital Identity Charging Framework procurement, and the COVIDSafe App Enhancements procurement. However, for the myGov and Digital Identity Charging Framework procurement, where four suppliers were approached, the opportunity was on the Digital Marketplace for only three days and one of the successful suppliers knew about the procurement at least one week before the opportunity was published (see Case Study 1 in Chapter 2).

3.32 The ANAO saw examples where the DTA’s procurement processes, particularly the use of panels, fell short of supporting the intent of the CPRs. These included:

• finding a supplier and then working with the Digital Marketplace team to get the supplier assessed and added to the relevant category on the marketplace so that the supplier could be approached on the marketplace;
• the DTA procurement team instructing an official to investigate which panels a specific provider was on to approach them for a quote, after a DTA official was advised by the provider in a ‘random catch up’ that they could provide probity training;
• a senior official asking why there was no flexibility in a contract to fill a new position and asking if they could ‘work around’ the issue, with the team suggesting a direct approach to an existing supplier on a panel, with a request for their preferred person;
• an official advising a senior official that directly approaching a supplier through the Digital Marketplace is a ‘better approach’ because it is an ‘open approach to market as opposed to a limited tender’; and
• planning to leverage a current contract for a new body of work, but after being told by the procurement team that new work was out of scope for the original contract, directly approaching the same supplier through the Digital Marketplace.

Use of procurement panels by Australian Government entities

3.34 Auditor-General Report No.31 of 2011–12 Establishment and Use of Procurement Panels highlighted concerns with how procurement panels were being used at the time — particularly, the low percentage of panel procurements that involved multiple quotes and the lack of documentation on how procurements represented value for money. The report states:

A purchase made under a panel arrangement is a procurement activity subject to the procurement policy framework and accordingly must, in itself, achieve value for money. Obtaining multiple quotes is one way in which competition can be used to promote value for money when procuring from a panel. In this respect, the agencies should have more often sought multiple quotes when selecting a supplier to support the achievement of value for money, particularly for higher value procurements. For procurements over $100 000 two of the agencies only sought multiple quotes in around one‐third of their procurements included in the audit sample. Further, the three agencies did not sufficiently document how individual procurements represented value for money for between 41 per cent and 71 per cent of the procurements examined. These results highlight the need for greater emphasis to be given by agencies to clearly demonstrating the basis for supplier selection when procurements are made under a panel arrangement.⁵²

3.35 The ANAO made recommendations that entities ‘succinctly document the basis for selecting a particular supplier to evidence value for money in the circumstances’ and ‘evaluate the use and effectiveness of panels at an appropriate time during their lifecycle’.⁵³

3.36 Auditor-General Report No.27 of 2019–20 Australian Government Procurement Contract Reporting Update reported that the number and value of panel contracts had increased significantly over the last ten years, with the number of panel contracts reported on AusTender increasing from 652 contracts in 2009–10 to 28,560 contracts in 2018–19.⁵⁴

3.37 Auditor-General Report No.4 of 2020–21 Establishment and Use of ICT Related Procurement Panels and Arrangements states:

Entities should ensure their approach to using panel arrangements supports the intent of the CPRs by encouraging competition to drive value for money, and is not limited to doing the minimum necessary — such as always seeking a single quote — to achieve technical compliance.⁵⁵

3.38 Entities using panels to approach single suppliers with insufficient consideration of value for money, suggests that there are continuing issues with how panels are being used by Australian Government entities.⁵⁶

3.39 The Department of Finance (Finance) ‘assists the Australian Government to achieve its fiscal and policy objectives by advising on expenditure, managing sustainable public sector resourcing, driving public sector transformation and delivering efficient, cost-effective services to, and for, government’.⁵⁷ Finance is responsible for administering the PGPA Act and managing the Australian Government’s resource management framework, CPRs, policies and guidance that supports Australian Government procurement, including procurement from panels.

3.40 Finance’s guidance on panels states:

A Panel is designed to deliver efficiencies for both agencies and the supplier – with that in mind, when procuring from a panel, you should resist seeking all suppliers on a Panel to provide a quote unless there is a demonstrated business need for such an approach.⁵⁸

3.41 The guidance also states:

Wherever possible, you should approach more than one supplier on a Panel for a quote. Even though value for money has been demonstrated for the supplier to be on a panel, you will still need to demonstrate value for money when engaging from a Panel, and competition is one of the easier ways to demonstrate this. Where you only approach one supplier, you should provide your delegate with reasons on how value for money will be achieved in the procurement.⁵⁹

3.42 On 1 July 2022, the CPRs were amended to include a new paragraph 9.14: ‘To maximise competition, officials should, where possible, approach multiple potential suppliers on a standing offer’.

3.43 The CPRs state in relation to procurements from standing offers (such as a panel) that officials ‘should report the original procurement method used to establish the standing offer’. As panel procurements involve two stages of procurement and the method for only the first stage (establishing the panel) is reported, there is no transparency on AusTender as to which contracts involved a direct approach to one supplier — as all contracts established through a panel that had been established by open tender are reported as ‘open tender’ on AusTender. Transparency on whether an opportunity was open to all suppliers on a panel (or in the relevant panel category) and the number of suppliers that were approached would encourage entities to conduct competitive procurements and would help achieve value for money outcomes.

Has the DTA conducted tender evaluation processes effectively and in compliance with the CPRs?

Evaluation planning, criteria and value for money considerations

3.46 Internal DTA policy states that evaluation plans should set out the procurement need and ensure compliance with legislation. The CPRs recommend that entities use relevant evaluation criteria to enable the proper identification, assessment and comparison of submissions on a fair, common and appropriately transparent basis. The CPRs state that evaluation criteria should be included in request documentation and that entities must consider relevant financial and non-financial costs and benefits of each submission. The ANAO found examples of poor evaluation planning documentation and non-compliance with the CPRs for the evaluation phase, as outlined in Table 3.4.

Table 3.4: Assessment of evaluation planning, criteria and value for money considerations

Note a: Procurement relates to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.

Evaluation plans

3.47 The establishment and application of an evaluation plan that sets out evaluation criteria and how decisions will be made helps promote fairness and transparency. The DTA’s internal finance policy states that panel procurements and ‘more complicated simple and medium procurements’ should use procurement and evaluation plans to set out the procurement need and ensure compliance with legislation. The DTA’s internal policy states that an evaluation plan should include: evaluation criteria and weightings; the names of the DTA employees who will evaluate the suppliers; a description of how evaluation will be conducted and how DTA employees will make a decision; and an explanation of how quality and standards, total costs, value for money and any associated commercial risks will be assessed.

3.48 Of the eight open tender (including panel) procurements examined by the ANAO, two had an evaluation plan: the GovDesk Development procurement and the Record Management Software procurement (see Table 3.4). These two evaluation plans were approved by the relevant delegate; however, the plans were not approved until after the market had been approached. The plans included details on the evaluation criteria and weightings, the names and responsibilities of the DTA employees on the evaluation panel, how the evaluation would be conducted, and how submissions would be assessed. The evaluation plan for the Record Management Software procurement provided detail on how value for money would be assessed, including taking into account cost, technical worth and an assessment of risk. The evaluation plan for the GovDesk Development procurement did not discuss how value for money would be assessed, however value for money was subsequently discussed in the evaluation report.

3.49 Both evaluation plans included a risk assessment. The risk assessments did not directly address how associated commercial risks would be assessed and neither risk assessment complied with the DTA risk assessment template. Both risk assessments listed four risks.

• The risk assessment for the Record Management Software procurement included an inherent risk rating, mitigation strategy and residual risk rating. It did not list risk sources, consequences, likelihood, impact or a responsible official for treatment of risk, as instructed by the DTA risk assessment template.
• The risk assessment for the GovDesk Development procurement included risk consequences, existing controls, and an initial assessment of the risk likelihood, impact and rating. It did not include a consideration of risk sources, treatments, responsible official for treatment or an assessment of the residual likelihood and impact of the risk after treatment, as instructed by the DTA risk assessment template.

3.50 For limited tender procurements, internal DTA policy requires employees to complete a limited tender procurement plan. The one limited tender procurement examined by the ANAO did not have a tender procurement plan. The DTA advised the ANAO it was unable to locate any documentation relating to the initial approach to market for this procurement.

Evaluation criteria

3.51 The CPRs state that ‘Relevant entities should include relevant evaluation criteria in request documentation to enable the proper identification, assessment and comparison of submissions on a fair, common and appropriately transparent basis’.⁶⁰

3.52 While six procurements had evaluation reports that included evidence of evaluation criteria, only three sets of evaluation criteria were fit for purpose. Three of the evaluation reports with evidence of evaluation criteria used the same generic criteria in their evaluation reports, ‘the extent to which the offer met the Request for Quote requirements; capacity to provide the requirement; proposed costs’, without specifying how these criteria would be assessed. In summary, six of the nine procurements examined did not use fit-for-purpose evaluation criteria in their evaluation reports (see Table 3.4).

3.53 Two of the three procurements with fit-for-purpose evaluation criteria did not include the criteria in the request documentation to potential tenderers (see Table 3.4).

Value for money

3.54 As mentioned in paragraph 1.3, achieving value for money is the core rule of the CPRs. Price is not the sole factor when assessing value for money. When conducting a procurement, the CPRs state an official must consider relevant financial and non-financial costs and benefits of each submissions including: the quality of the goods and services; fitness for purpose of the proposal; the potential suppliers’ relevant experience and performance history; and whole of life costs (including initial purchase price, maintenance and operating costs, additional features procured after the initial procurement).

3.55 For the nine procurements examined by the ANAO, the DTA did not consistently evaluate tenders for value for money.

• One procurement (Workflow Ticketing Software) did not have any documentation relating to the initial approach to market or evaluation of the supplier.
• For two procurements relating to the myGov project, suppliers (Deloitte and Nous Group) were approached directly, and value for money considerations were not documented.
• One procurement (HGIT Program Support) included partial consideration of value for money, with the evaluation report stating that the proposal was value for money, without an explanation or rationale.
• Value for money was considered as part of the evaluation process for five procurements.

Comparison with maximum daily rates approved for sellers on the Digital Marketplace

3.56 To be approved as a seller on the Digital Marketplace, suppliers are required to provide a maximum daily rate as part of the assessment process for each marketplace category they would like to be included on. The ‘Seller pricing’ page of the Digital Marketplace stated ‘To determine value for money, rates are evaluated along with the seller’s technical and commercial capabilities’. Four of the nine procurements examined (for the CyberCX, Nous Group, ConceptSix and Deloitte contracts) included hourly or daily rates for contractors in contracts. Of the rates for the 22 positions included in these four procurements, the rates for six positions exceeded the maximum daily rate that the DTA had approved for that seller on the Digital Marketplace.

Comparison with Digital Marketplace reported daily market rates

3.57 To help Digital Marketplace buyers achieve value for money, the DTA also publishes reports on daily rates, showing the overall market rate ranges (from lowest rate to highest rate) and median rates charged by category and role on the Digital Marketplace over the previous year. Of the 22 positions included in the four contracts with contractor rates (in the ANAO sample), the rates for only three positions were within the daily market rate ranges published on the Digital Marketplace. The daily rates for 19 positions were higher than the relevant daily market rate ranges.

Evaluation reports, notifying tenderers and recordkeeping considerations

3.59 The DTA’s internal finance policy states that once a procurement evaluation team has completed its evaluations, it should complete an evaluation report. The CPRs require that entities notify unsuccessful tenderers and keep appropriate records of procurement processes. The ANAO found examples of poor documentation and non-compliance with the CPRs for the evaluation phase, as outlined in Table 3.5.

Table 3.5: Assessment of evaluation reporting, notifying tenderers and recordkeeping considerations

Note a: This includes records and information such as the evaluation plan, evaluation criteria, the evaluation report, consideration of value for money and tenderer debriefings.

Note b: Procurement relates to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.

Evaluation reports and value for money consideration

3.60 Three of the nine procurements examined did not have a tender evaluation report (see Table 3.5). One procurement was a limited tender procurement. The two other procurements without evaluation reports were classified as open tender, but suppliers were directly approached by the DTA outside of the Digital Marketplace portal.

3.61 Of the six evaluation reports, five included a record that value for money was considered as part of the evaluation process (see Table 3.5). One report, for the HGIT Program Support procurement, stated the proposal represented value for money, but did not demonstrate how value for money was considered or assessed.

Notifying and debriefing tenderers

3.62 The CPRs state at paragraph 7.17:

Following the rejection of a submission or the award of a contract, officials must promptly inform affected tenderers of the decision. Debriefings must be made available, on request, to unsuccessful tenderers outlining the reasons the submission was unsuccessful. Debriefings must also be made available, on request, to the successful supplier(s).⁶¹

3.63 For two of the examined procurements, there was no evidence that unsuccessful tenderers were notified (see Table 3.5). One of these involved two approaches to market, with the first approach involving an approach to 16 sellers and the second approach being a direct approach. There is no evidence that any of the 16 sellers in the first approach were notified of the decision (this procurement is discussed in Case Study 4 above). For the two procurements where debriefings were requested by tenderers, the DTA advised the ANAO that these debriefings were provided. However, the DTA did not document the debriefings.

Recordkeeping

3.64 For six of the examined procurements, the DTA did not maintain appropriate records of the evaluation phase, such as a record of evaluation criteria, how value for money was considered and an evaluation report (see Table 3.5). For three of the examined procurements, the DTA had maintained most of the key records, but evaluation criteria and tenderer debriefings were not always documented.

Has the DTA provided sound advice to decision-makers, including how the selected tenderers would achieve value for money?

Advice to decision-makers

3.66 As noted at paragraph 1.3, the CPRs state that achieving value for money is the core rule of the CPRs, and that ‘officials responsible for a procurement must be satisfied, after reasonable enquires, that the procurement achieves a value for money outcome’.⁶² Procurements should also facilitate accountable and transparent decision making and encourage appropriate engagement with risk. Decision-makers rely on sound advice to make informed procurement decisions and ensure that the selected tenders will achieve value for money.

3.67 Following evaluation, the DTA’s policy states that a recommendation in writing should be put to the delegate outlining the outcomes of the evaluation process, the preferred supplier and the final contract value. The policy notes the spending approval request to the delegate should include: the procurement’s total whole-of-life value including any extension options and total contract amount; the approach to market process; details on the evaluation including scoring against selection criteria; and the reason for choosing a supplier who does not offer the lowest price.

3.68 The ANAO found examples of the DTA not providing complete advice to decision-makers, as outlined in Table 3.6.

Table 3.6: Assessment of advice to decision-makers

Note a: Procurement relates to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.

Advice on value for money

3.69 Paragraph 7.3 of the CPRs states that procurement documentation should provide accurate and concise information on ‘how value for money was considered and achieved’. The advice to decision-makers did not consistently provide a statement on how value for money was considered and achieved. The request for spending approval for three of the nine procurements included advice on value for money and for five procurements it did not include this information. For the myGov Upgrade Horizon 1 procurement (which was one of the DTA’s highest value procurements for 2019–20 and 2020–21), the DTA had not maintained a record of the request for spending approval (see Table 3.6).

Advice on whole-of-life procurement value

3.70 While one procurement (myGov Upgrade Horizon 1) did not have a record of the spending advice or approval, the other eight procurements had advice that included information on the whole-of-life value and total contract amount (see Table 3.6). For seven of these procurements, the advice included information on options to extend; and for one procurement (myGov and Digital Identity Charging Framework), it did not. In the advice for two procurements (HGIT Program Support and COVIDSafe App Enhancements) the DTA included costs for ‘time and materials’ in addition to the tenderer’s quote to ‘support flexibility in delivering the program’:

• for the COVIDSafe App Enhancements procurement, an additional $200,000 was added by the DTA for ‘time and materials’ to the recommended supplier’s quote (Shine Solutions Group), bringing the contract up to $777,700; and
• for the HGIT Program Support procurement, additional funds for ‘time and materials’ (up to $340,792) were added by the DTA to the recommended supplier’s quote (CyberCX) for $659,208, bringing the request for spending approval to $1 million.

3.71 The advice to the delegate for both of these procurements did not include how the additional funds for ‘time and materials’ would be charged or agreed. The contract with Shine Solutions Group did not mention that funds for time and materials were included, stating only ‘the total contract price is not to exceed $777,700’. The contract with CyberCX included: a statement that ‘an additional $340,792 (incl GST) is available to scale up or scale down as required based on a Time and Materials arrangement’; and a table of rates for any additional work.

Advice on procurement processes

3.72 Paragraph 7.3 of the CPRs states that procurement documentation should provide accurate and concise information on ‘the process that was followed’. Information on the process includes the method that was used to request quotes, who was approached and the results from the evaluation of tenders.

• Advice for seven procurements included the method used to request quotes and suppliers who were approached in the spending request. One procurement involved a direct approach to Nous Group outside of the Digital Marketplace portal, and this information was not included in the spending approval request to the delegate (this is discussed further in Case Study 3). For the myGov Upgrade Horizon 1 procurement, the DTA had not maintained a record of the advice to the decision-maker (see Table 3.6).
• Five of the procurements examined included multiple tenderers.
  • For three of the five, the advice to the decision-maker included a ranking of the tenderers based on the evaluation criteria.
  • The advice to the decision-maker for the myGov and Digital Identity Charging Framework procurement did not include information on the tender evaluation process or rankings.
  • The advice to the decision-maker for the HGIT Program Support procurement did not include a comparison between the 16 suppliers approached in the initial approach and the supplier that was approached directly in the second approach (this is discussed further in Case Study 4).

Advice on procurement risk

3.73 The CPRs state that entities ‘should consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract’.⁶³ Seven of the procurements examined did not have advice to decision-makers that included information on risks or how they would be managed. Requests for spending approval for two procurements included advice on risks, with both procurements rated as a ‘minor risk’ with no issues identified.

3.74 The DTA’s risk management guidance instructs DTA officials to report high risks to the Executive Board and to escalate very high risks to the Executive Board. As discussed at paragraphs 3.9 to 3.11, the risk matrix in one procurement evaluation plan (for the GovDesk Development procurement) noted that medium-high and high risks are to be escalated. The same procurement evaluation plan incorrectly calculated one risk as medium-low, when according to the matrix it should have been medium-high. No risks were escalated or mentioned in the spending advice to the delegate.

Advice on selected supplier

3.75 Advice for seven of the procurements examined included the recommended supplier and a rationale for the recommendation — however, the rationale did not always mention value for money considerations (see Table 3.6). Advice for one procurement (Workflow Ticketing System) included the recommended supplier but did not provide the rationale. As mentioned at paragraph 3.69, the myGov Upgrade Horizon 1 procurement had no advice or approval documentation.

4.1 This chapter examines whether the DTA has managed contracts effectively. Effective contract management is essential to achieving value for money and ensuring that contract objectives are met. Effective contract management includes: assigning key roles and responsibilities; identifying, assessing and managing risks; monitoring and verifying performance against expectations; ensuring payments are timely and accurate; actively managing contracts to ensure they deliver against their objectives and achieve value for money; and not varying contracts due to a failure to appropriately plan procurement needs, to continue supplier relationships, or with the intention of avoiding competition or obligations under the Commonwealth Procurement Rules (CPRs).

Has the DTA established effective contract management arrangements?

Contract management plans

4.2 Effective planning affects how a contract is managed and whether there is a successful outcome. A contract manager should: assign key roles and responsibilities; identify the management activities and resources needed to effectively manage the contract; and assess the risks to the performance of the contract and its ability to achieve desired outcomes.⁶⁵

4.3 A contract management plan should reflect the contract’s complexity and risk profile and contain key information about how the contract will be managed over its life to ensure that objectives are met and value for money is achieved. A contract management plan can include a summary of key activities to be completed, roles and responsibilities, identified risks and how these risks will be managed.

4.4 None of the nine procurements examined by the ANAO had a contract management plan. In response to requests for documents that outlined contract management roles and responsibilities, the DTA referred the ANAO to procurement contracts, requirements documents and seller proposals.

4.5 For three of the nine procurements, contract management roles and responsibilities were partly outlined in the contract.

• Contracts for two procurements listed a business representative and procurement representative. For one procurement, the contract listed the procurement manager responsible for financial matters and another DTA employee responsible for project matters.
• Contracts for five procurements listed DTA officials as the buyer representative, but no details were provided on their role and responsibilities.
• One procurement used a purchase order instead of a contract and this document did not list roles and responsibilities.

Risk management

4.6 Managing risk is an essential part of procurement and contract management. Contract managers should identify risks associated with delivery of a contract and assess the seriousness of those risks and likelihood of them occurring. Risk controls and treatments should be applied to prevent risks from occurring or to minimise their consequences. All officials with a role in managing the contract play a part in managing risks and identifying emerging issues. A risk management plan provides a systematic approach to identifying, evaluating and treating risks associated with the contract.⁶⁶

4.7 None of the nine procurements examined had a risk management plan. In response to ANAO requests for risk management documentation, the DTA advised the ANAO for one procurement that: ‘risk was managed in line with standard processes under the Digital Marketplace and in line with standard DTA processes’. For two other procurements, DTA advised the ANAO that: ‘Risks were assessed on a per submission basis and can be found in the evaluation criteria and documentation’. There was no evidence to indicate that the DTA was actively managing risks related to contract management for the examined procurements.

Reporting to AusTender

4.9 The CPRs state that relevant entities must report contracts and amendments on AusTender within 42 days of entering into (or amending) a contract if they are valued at or above the reporting threshold. Accurate and timely reporting of contracts and amendments on AusTender provides transparency in the use of public money.

4.10 As shown in Table 4.1, the majority of the DTA’s contracts and variations were reported to AusTender on time (within 42 days) in 2019–20 and 2020–21. There were 167 instances (13.5 per cent) over this period where a contract or amendment was published 42 days or more after the reported start date. These 167 contract notices were not compliant with the CPRs.

• In 2019–20: 36 contracts were reported late, with a range of between one and 934 days late; and nine variations were reported late, with a range of between six and 302 days late.
• In 2020–21: 70 contracts were reported late, with a range of between one and 294 days late; and 52 variations were reported late, with a range of between one and 360 days late.

Table 4.1: DTA contracts and variations reported to AusTender within 42 days or late

Source: ANAO analysis of AusTender information.

4.11 As illustrated in Figure 4.1, more than 30 per cent of non-compliant contract notices were published more 90 days after the reported start date.

Figure 4.1: Non-compliant contract notices by reporting delay, 2019–20 and 2020–21

Source: ANAO analysis of AusTender data.

4.12 For the nine procurements examined by the ANAO, eight were reported to AusTender within the 42 days of the contract commencement date. One procurement (myGov Upgrade Horizon 1) was reported to AusTender late (52 days after the commencement date). The original value of the contract was incorrectly reported by $9,995,000. This discrepancy was discovered one month after the contract had been signed. Another procurement examined (myGov Funding Case Support) did not include GST in the original reported contract value, and the DTA amended it six months later to the correct value.

4.13 For seven procurements examined, contracts were amended to increase the total contract value by at least $10,000, requiring the variation be reported to AusTender (under paragraphs 7.18 and 7.19a of the CPRs). For two procurements, all amendments were reported to AusTender within 42 days. Five procurements had at least one variation that: did not match the amendment value reported to AusTender; was published more than 42 days after commencement; or was not reported to AusTender at all.

4.14 For the GovDesk Development procurement, all four contract amendments were reported to AusTender on the same day. The amendment start dates were incorrectly reported as 10 April 2020, whereas the actual commencement dates ranged between November 2019 and March 2020. Two amendments were reported 141 and 161 days after commencement. The other two amendments were reported within 42 days.

Timeliness and accuracy of payments

4.16 When verifying an invoice, the Department of Finance’s (Finance’s) guidance recommends that the contract manager check:

• the description of goods or services on the invoice matches the description in the contract and the quantity matches a delivery receipt and does not exceed the contracted amount;
• the invoice has been correctly calculated;
• the invoice date is after the goods or services were received (unless payment in advance has been agreed);
• there are no other obvious errors; and
• the invoice meets any other contract requirements.

4.17 To mitigate the risk of fraud, Finance recommends at least two people independently verify the invoice payment process. Finance also recommends paying an invoice only when:

• all goods or services received meet the required standards;
• the supplier is compliant with the contract and other contract payment terms;
• the invoice received is accurate and correct according to the contract; and
• all necessary authorisations and approvals have been obtained.

4.18 Finance’s Resource Management Guide (RMG) 417 Supplier Pay On-Time or Pay Interest Policy (January 2020) stated that for contracts with an original value of $1 million or below, suppliers must be paid within 20 calendar days following the acknowledgement of satisfactory delivery of goods or services and receipt of the invoice.⁶⁷ DTA reported paying 83.8 per cent of invoices for contracts up to $1 million within 20 days in 2019–20 and 87.8 per cent in 2020–21.

4.19 The ANAO found issues with the timeliness, accuracy or recordkeeping of payments for eight of the nine procurements examined. For eight of the procurements there were instances of late payments, for one there were inaccurate payments, and for five there were incomplete records (see Table 4.2).

Table 4.2: Payment timeliness, accuracy and recordkeeping

Note a: This includes invoices, confirmation of goods receipt and payment receipts.

Note b: Procurement related to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.

4.20 For the COVIDSafe App Development procurement, the ANAO identified two duplicate payments — which resulted in overpayments totalling $380,600 — as outlined in Case Study 5.

Internal controls to prevent and detect irregular payments

4.21 After identifying the issue with duplicate payments, the ANAO: met with the DTA’s Chief Finance Officer and finance team to discuss the issues; and requested further documentation from the DTA on its historical accounts payable system. The ANAO’s examination of the DTA’s historical procurement controls is discussed in Box 1.

4.22 The DTA’s accounts payable (AP) system was ‘uplifted’ to Finance’s Service Delivery Office (SDO)⁶⁸ in February 2022 as part of an ‘AP Uplift’ program. The ANAO requested information from the SDO on the new system controls implemented for the DTA. New procurement controls were identified that would resolve some of the historical issues identified in Box 1. However, there are still risks that duplicate payments could occur, as discussed in Box 2.

4.23 To mitigate the risks identified in Box 2, the DTA should improve its training and management of internal payment controls such as contract management, cost centre reporting and the monitoring of privileged users’ activity. The DTA should also verify the effectiveness of its payment controls.

Do contracts include performance expectations and has the DTA been effectively monitoring performance against these expectations?

4.25 Performance management involves ensuring goods or services are delivered as required under the contract. Good performance management is key to delivering value for money. Performance management should take place throughout the life of the contract and be based on the performance expectations established in the contract. Paragraph 2.10 of the CPRs states:

Following the awarding of the contract, the delivery of and payment for the goods and services and, where relevant, the ongoing management of the contract and consideration of disposal of goods, are important elements in achieving the objectives of the procurement.

4.26 The role of a contract manager is to ensure the supplier is meeting its obligations under the contract — including that the goods or services purchased under the contract are received on time, within budget and fully compliant with contract specifications.

Performance expectations

4.27 Eight of the nine ICT-related procurements examined by the ANAO included a description of the scope of services, deliverables and performance expectations in the contract work order. Performance expectations were broken down into specific deliverables, such as: program management and secretariat activities; technical support and maintenance; strategic advice; and data modelling. One procurement (Workflow Ticketing System) used a purchase order instead of a contract.

Performance monitoring

4.28 For three of the nine procurements examined, performance monitoring was documented through weekly status reports or other forms of milestone tracking prepared by contractors for the DTA. For two procurements, the DTA advised performance was monitored primarily through regular meetings with the contractor. For the two procurements related to the COVIDSafe App, the DTA was unable to produce any documentation to demonstrate that performance had been monitored. The DTA noted that the contract manager for these two contracts was no longer employed at the DTA and it could not find any relevant records. The ANAO’s assessment of the DTA’s performance management of the nine procurements is provided in Appendix 4.

Performance verification

4.29 For two of the nine procurements (GovDesk Development and myGov and Digital Identity Charging Framework), performance was tied to milestone payments. Invoices for both procurements were linked to specific milestones agreed under the contracts. ConceptSix (the contractor for the myGov and Digital Identity Charging Framework procurement) also included timesheets in PDF form to the DTA with its invoices.

4.30 For five of the nine procurements, payments were not tied to milestones. Invoices for four procurements (for contractors Deloitte, CyberCX, Nous Group and Shine Solutions Group) were for time charged by consultants on the project and were not linked to milestones or deliverables. The DTA did not have documentation to demonstrate how timesheets were verified for any of the procurements. For the COVIDSafe App Development procurement, the invoices did not include timesheets for time charged or consistently specify the milestones or deliverables completed under the work order or variation.

Has the DTA effectively managed contracts to deliver against the objectives of the procurements and to achieve value for money?

4.32 Part of achieving value for money is ensuring that the objectives of the procurement are met without a substantial increase in cost. Finance’s guidance on contract end dates states that, when officials are deciding whether to exercise an extension option or extend a contract by variation, they should consider the costs and benefits in continuing with the current contract, including: whether extending the contract would continue to provide value for money; whether reapproaching the market would result in a better outcome, having regard to potential costs involved; the performance of the current provider(s); whether there will be sufficient time to run a new procurement process; and the changing needs/requirements of entities.⁷¹

4.33 Finance’s guidance also states:

• Any variation to a procurement contract should not significantly change the scope of the contract’ and ‘as a general rule, contract should only be extended for the length of time that will allow for the […] provision of all deliverables under the original contract’.
• Entities should only extend a contract where necessary. Extending a contract via variation may not result in a value for money outcome […]. Entities are therefore encouraged to not rely upon the ability to extend a contract by variation. Contracts should not be extended by variation due to a failure to appropriately plan procurement needs, continue supplier relationships, or with the intention of discriminating against a supplier, avoiding competition, or to avoid obligations under the CPRs.⁷²

4.34 A contract may be extended if all of the following conditions are met: the contract contains an (unused) option to extend; it is value for money to extend the contract; and the contract has not yet expired. When increasing a contract value by $10,000 or more, appropriate approval must be obtained from a delegate under subsection 23(3) of the Public Governance, Performance and Accountability Act 2013. The DTA’s internal guidance on approving spending notes the spending approval should contain ‘an explanation as to how the expenditure represents value for money’.

4.35 Seven of the nine procurements examined by the ANAO were varied to increase the value of the contract by more than $10,000 at least once, as summarised in Table 4.3.

Value for money considerations

4.36 Value for money was not consistently discussed in spending approval documentation provided to delegates for the variations to the seven contracts (as outlined in Table 4.3).

• For one procurement (COVIDSafe App Enhancements), value for money was discussed in all four variation spending approvals that went to the delegate. The value for money rationale covered both financial and non-financial benefits.
• Four procurements had one or more spending approvals that discussed value for money.
• For two procurements (COVIDSafe App Development and myGov and Digital Identity Charging Framework), value for money was not discussed in any spending approvals.

Contract for myGov Funding Case Support

4.37 As discussed in Case Study 3 (in Chapter 3), the myGov Funding Case Support procurement involved substantial increases in value and scope. The contract was varied ten times over two years, increasing to 40 times its original value from $121,000 to $4,942,080 (illustrated at Figure 4.2).

Figure 4.2: Variations to myGov Funding Case Support contract, May 2020 to May 2022

Source: ANAO Analysis of DTA information.

4.38 The scope of the contract also significantly increased. The DTA advised the ANAO that it had ‘leveraged’ the contract for additional work in another team. The scope substantially changed from providing advice on a business case, to include writing ministerial briefs and other correspondence and providing strategic advice on different projects for four different teams, such as on the Mid-Year Economic Fiscal Outlook (MYEFO) 2021–22, Digital Identity program and ‘Front Door for Business’ project (see Table 4.4).

Table 4.4: Contract variations — myGov Funding Case Support

Note a: It was later discovered that the DTA could not extend the contract to 31 December 2021, as under the terms of the contract, it could be extended by four further periods of up to only three months each.

Note b: Variation 5B was reported to AusTender with a value of $1,722,557, which included $547,708 for Variation 5A, which had not been reported.

Source: ANAO analysis of DTA information.

4.39 In addition to the 10 variations outlined in Table 4.4, DTA senior officials attempted to vary the contract to include work on another project. The DTA’s finance and procurement team strongly advised against this, which led to the DTA directly approaching Nous Group and engaging them under a separate contract, as discussed in Case Study 6.

4.40 These contracts with Nous, which were the result of direct approaches, are an example of the DTA leveraging contracts and substantially changing the scope of contracts through variations for multiple teams across the DTA. These types of procurement practices fall short of ethical behaviour requirements and in supporting the intent of the CPRs.⁷³

4.41 As mentioned at paragraph 4.33, Finance guidance states that contracts should not be extended by variation due to a failure to appropriately plan procurement needs, to continue supplier relationships, or with the intention of avoiding competition or obligations under the CPRs.

Appendix 1 Entity responses

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2021–22 Corporate Plan states that the ANAO’ s annual performance statements will provide a narrative that will consider, among other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

Table A.1: Improvements observed by the ANAO

Appendix 3 Ethical behaviour requirements

1. The Australian Parliament has established requirements in the Public Governance, Performance and Accountability Act 2013 (PGPA Act) including to require the Commonwealth and Commonwealth entities to use and manage public resources properly (section 5). The accountable authority for an entity responsible for relevant money has a duty under section 15 of the PGPA Act to promote the proper use of the money for which the accountable authority is responsible. ‘Proper’, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical (section 8).

2. The Department of Finance PGPA Glossary defines ethical as:

the extent to which the proposed use of public resources is consistent with the core beliefs and values of society. Where a person behaves in an ethical manner it could be expected that a person in a similar situation would undertake a similar course of action. For the approval of proposed commitments of relevant money, an ethical use of resources involves managing conflicts of interests, and approving the commitment based on the facts without being influenced by personal bias. Ethical considerations must be balanced with whether the use will also be efficient, effective and economical.

3. The Australian Parliament has also established, through the Public Service Act 1999 (PS Act), the Australian Public Service (APS) Values set out in section 10. Subsection 10(2) states that: ‘The APS demonstrates leadership, is trustworthy, and acts with integrity, in all that it does’. The APS Commissioner has made directions under the PS Act including in subsection 16(f) requiring accountability of APS members by ‘being able to demonstrate clearly that resources have been used efficiently, effectively, economically and ethically’. A mandatory code of conduct is set out in section 13 of the PS Act for APS employees.

4. PGPA Act requirements, including ethical requirements, directly inform key public sector resource management frameworks for specific Australian public sector activities addressed through performance audits. These frameworks contain ethical requirements specific to the activity they regulate. For government procurement, the Commonwealth Procurement Rules (CPRs) state that ‘officials undertaking a procurement must act ethically throughout the procurement’ and outline key ethical behaviour expectations, which are set out in paragraphs 4.4, 6.5 and 6.6 of the CPRs, as outlined in the table below. For the ANAO, in conducting performance audits of procurement activities in entities subject to the PS Act, compliance with the CPRs is assessed against the background of the requirements of the PS Act.

5. In conducting performance audits of entities, the ANAO obtains evidence to inform an assessment of whether the audited entity executes its activities in accordance with the requirement to promote proper use of public money. Findings may be made as to whether the use or management of public money was efficient, effective, economical and ethical. In forming an overall conclusion in a performance audit, the ANAO may also form a view on whether the entity’s activities have been executed in accordance with both compliance with the Rules framework and the intent of that framework, including the requirements of the PS Act for the APS (the entity) to act with integrity in all that it does.

6. Where ANAO findings or a conclusion are made as to whether the use or management of public resources by the entity has been ethical, it is a matter for an accountable authority to assess whether the audit findings in the particular case reflect the broader posture of the entity or relate to individual APS staff conduct.

Table A.2: Key ethical behaviour requirements in the CPRs and instances of entity non-compliance

Source: ANAO analysis of the CPRs and DTA information.

Appendix 4 DTA procurement performance monitoring

Table A.3: DTA procurement performance monitoring

Note a: Procurement relates to the Australian Government’s response to the COVID-19 pandemic.

Source: ANAO analysis of DTA information.