Background

1. The Australian Public Service Commission (APSC) has reported that as at 31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.¹ APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.²

2. APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’³

3. Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, the APSC has stated that:

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.⁴

4. Additionally, the APSC has published guidance in the form of Guiding principles for agencies when considering the use of SES contractors⁵ relating to the use of contractors in APS Senior Executive Service (SES) roles.⁶ Similar guidance has not been issued for entities when considering the use of contractors for non-SES level roles.

5. The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. These decisions must consider:

• the Commonwealth Procurement Rules (CPRs), which establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement;
• the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security⁷; and
• entity-specific procurement and contract management arrangements which may be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines.

6. As at 30 June 2021, the Department of Veterans’ Affairs (DVA) workforce included 1287 contractors, representing 34.1 per cent of its total workforce of 3778. DVA’s contractor workforce performs work in most parts of the entity.⁸

Rationale for undertaking the audit

7. The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years.⁹

8. This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. DVA was selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits in this series review the management of contractors by the Department of Defence and Services Australia.

Audit objective and criteria

9. The objective of the audit was to examine the effectiveness of DVA’s arrangements for the management of contractors.

10. To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has DVA established a fit-for-purpose framework for the use of contractors?
• Does DVA have fit-for-purpose arrangements for the engagement of contractors?
• Has DVA established fit-for-purpose arrangements for the management of contractors?

Conclusion

11. DVA has established largely fit-for-purpose policies and processes for the management of contractors and can demonstrate the effectiveness of some but not all aspects of its arrangements. There remains scope to improve implementation of aspects of Policy 12 of the Protective Security Policy Framework (PSPF) relating to the eligibility and suitability of personnel, PSPF Policy 13 relating to the ongoing assessment of personnel, and PSPF Policy 14 relating to separating personnel.

12. DVA has established a fit-for-purpose framework for the use of contractors. Enterprise-level guidance sets out the different personnel types, including contractors, and provides instructions for determining whether there is an operational requirement for the use of contractors.

13. DVA has established largely fit-for-purpose arrangements for the engagement of contractors. These arrangements include a contracting suite that is tailored for the use of contractors and induction training covering expected behaviours and standards from relevant Commonwealth legislation and DVA policy. While DVA collects data to monitor the completion of training, there is opportunity for DVA to improve its arrangements for annual follow-up checks. As at 22 December 2021, 44 per cent of contractors had not completed all modules of the mandatory induction program. DVA has established arrangements (policy, processes and monitoring) that largely support compliance with PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors, except for establishing a policy to support compliance with Supporting Requirement 1(c) and Supporting Requirement 2(d)(ii) of Policy 12.

14. DVA has established largely fit-for-purpose arrangements for the management of contractors. Guidance on departmental requirements and expectations regarding the oversight (supervision) of contractors is outlined in a Blended Workforce Guide and Induction Booklet, and DVA has established a Procurement and Contract Management Framework. However, the framework does not cover contract management and DVA provides guidance for its contract managers through intranet links to a contract management best practice guide and the Department of Finance’s Australian Government Contract Management Guide. DVA has established arrangements (policy, processes and monitoring) for the management of contractors that largely support compliance with the requirements of PSPF Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel, except for the following. DVA policy does not address:

• PSPF Policy 13 Supporting Requirement 1(a)(iii) relating to monitoring and reporting of conditional clearances, and Supporting Requirement 1(a)(iv) relating to annual review of eligibility waivers; and
• PSPF Policy 14 Supporting Requirement 1(c) relating to providing receiving entities with relevant security information, and Supporting Requirement 3 relating to the assessment of risk in instances where it is not possible to undertake required separation procedures.

15. DVA has established arrangements to monitor compliance with PSPF requirements and has identified, through this work, that the following processes have not been effectively implemented: advising separating personnel of their ongoing security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and processes to ensure that separating personnel are complying with their separation obligations, particularly regarding the return of equipment.

Supporting findings

Framework for using contractors

16. DVA guidance provides clarity regarding the different personnel types, including contractors. (See paragraphs 2.3–2.4)

17. DVA’s Strategic Workforce Plan recognises its external workforce as part of its workforce mix and outlines operational requirements for its contractor workforce at a strategic level. DVA has delegated responsibility for engaging contractors to business areas and line managers and has developed a Blended Workforce Guide to provide operational-level guidance on the type of work that contractors would typically be expected to undertake. (See paragraphs 2.5–2.19)

Arrangements for engaging contractors

18. DVA’s contracting suite documentation includes clauses that align with the behavioural requirements and expectations that contractors are expected to meet when working with the department. Contract documentation underpinning DVA’s standing panel arrangements — which represented 73 per cent of DVA’s contractor workforce expenditure for 2020–21 — include clauses to support contractor compliance with all mandatory policies. (See paragraphs 3.3–3.14)

19. DVA has developed requirements and guidance for the induction of contractors, including training courses that cover expected behaviours and standards from relevant Commonwealth legislation and DVA policy. Managers are responsible for monitoring contractors’ completion of mandatory training. Recent (May 2022) DVA data for the completion of mandatory training indicates improvement following the introduction of a new course in April 2022, after DVA identified that the previous fraud awareness training course had been left off its learning management system, DVAtrain. DVA data as at 22 December 2021 showed that 56 per cent of contractors had completed all modules of the mandatory induction program. The completion rate prior to the inclusion of the new training module on DVAtrain indicates that there is opportunity for DVA to improve its arrangements for annual follow-up checks. (See paragraphs 3.15–3.35)

20. DVA has documented policies and processes that support compliance with most requirements of PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors. DVA does not have policies or processes in place to obtain an individual’s agreement to comply with government policies, standards, protocols and guidelines that safeguard resources from harm, as required under Supporting Requirement 1(c) of PSPF Policy 12. DVA has established a delegation arrangement for waiving citizenship requirements that does not align with Supporting Requirement 2(d)(ii) of PSPF Policy 12. (See paragraphs 3.36–3.50)

21. DVA has in place assurance mechanisms to monitor contractor compliance with the requirements of PSPF Policy 12. Specifically, Services Australia provides DVA with daily updates on the completion of processes required under Policy 12 when onboarding contractors and DVA has established a quality checking plan. Services Australia and DVA are also establishing an annual assurance statement process through which Services Australia will confirm that the services delivered under bilateral arrangements meet DVA expectations. The first statement is to cover 2021–22. (See paragraphs 3.51–3.62)

Arrangements for managing contractors

22. DVA has established a Procurement and Contract Management Framework, however the ANAO’s review of this framework indicates that it does not cover contract management. DVA provides guidance for contract managers through a link on its intranet to a contract management best practice guide and a link to the Department of Finance’s Australian Government Contract Management Guide. Guidance on DVA requirements and expectations regarding the oversight (supervision) of contractors is outlined in DVA’s Blended Workforce Guide and Induction Booklet. While DVA offers contract management training to all staff, it does not mandate or monitor contract management training for its personnel who manage contracts and contractors. (See paragraphs 4.3–4.14)

23. DVA has established policies and processes that support compliance with most requirements of PSPF Policy 13 for contractors. DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Policy 13 Supporting Requirement 1(a)(iii). Further, DVA’s Personnel Security Protocol does not cover two requirements of PSPF Policy 13 Supporting Requirement 1(a)(iv), relating to: the annual review of eligibility waivers; or review before revalidation of a security clearance, and prior to any proposed position transfer. (See paragraphs 4.15–4.18)

24. DVA has established arrangements to monitor and report on compliance with PSPF Policy 13. Through these arrangements, DVA has identified that annual security checks on security cleared personnel are not institutionalised and that clearances were not held by some contractors in roles with clearance requirements. (See paragraphs 4.19–4.31)

25. DVA has established policies and processes that support compliance with most requirements of PSPF Policy 14: Separating personnel for contractors. DVA has not established policies or processes that outline a requirement for DVA to: provide receiving entities with relevant security information, as required under PSPF Policy 14 Supporting Requirement 1(c); or undertake a risk assessment to identify security implications in instances where it is not possible to undertake separation procedures, as required under PSPF Policy 14 Supporting Requirement 3. (See paragraphs 4.32–4.36)

26. DVA has established a Security Quarterly Assurance Plan which includes assurance activities to support compliance with PSPF Policy 14. DVA’s assurance activities indicate that the following processes are not being implemented effectively: advising separating personnel of their ongoing security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and ensuring that separating personnel are complying with their separation obligations, particularly regarding the return of equipment. DVA’s assurance activities identified instances where contractor personnel had not returned equipment to DVA upon separation, and found that 81 per cent of separating personnel did not complete DVA’s mandatory cessation checklist. (See paragraphs 4.37–4.50)

Recommendations

Summary of entity responses

27. DVA’s summary response is provided below and its full response is included at Appendix 1. An extract of this report was sent to the APSC. The APSC’s summary response is provided below and its full response is included at Appendix 1.

DVA’s summary response

The Department of Veterans’ Affairs (DVA) welcomes the ANAO findings and recommendations. The ANAO report acknowledges that DVA has established policies and processes that largely support compliance with the Personnel Security requirements of the Protective Security Policy Framework (PSPF). DVA is reassured that the findings largely mirror areas for improvement identified in our annual self-assessed maturity report to Government; that at a ‘Developing’ level the entity’s security maturity is defined as providing substantial protection of our people, information and assets.

The Department acknowledges the ANAO’s findings in the report and agrees with the recommendations. Work is planned for 2022-23 to review and update personnel security policies and protocols to enhance maturity with the PSPF requirements, and work has already commenced to identify technological solutions to brief personnel and obtain and record acknowledgement of specific obligations in line with PSPF requirements surrounding engagement and separation of personnel.

APSC’s summary response

The Australian Public Service Commission (APSC) acknowledges the extract of the Proposed Audit Report on the ‘Effectiveness of the Management of Contractors’ provided for comment.

The APSC recognises the importance of robust workforce planning through implementation of the APS Workforce Strategy 2025. This includes strengthening APS capability, and the strategic use of mixed models of employment, to ensure agencies achieve their outcomes.

Whilst no recommendations are directed toward the APSC, the Commission will consider any relevant findings following the audit’s completion.

28. At Appendix 2, there is a summary of improvements that were observed by the ANAO during the course of the audit.

Key messages and observations

29. This is one of a series of three performance audits undertaken to provide independent assurance to Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. As well as DVA, the ANAO has examined the effectiveness of the management of contractors by the Department of Defence¹⁰ and Services Australia.¹¹

30. Chapter 5 of this audit report sets out high-level observations and key messages for all Australian Public Service agencies following the ANAO’s examination of the three selected agencies’ management of contractors. The observations focus on: data availability and transparency issues relating to the contractor workforce; and the application of ethical and personnel security requirements to the contractor workforce.

Introduction

1.1 The Australian Public Service Commission (APSC) has reported that as at 31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.¹² APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.¹³

1.2 APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’¹⁴

1.3 In summary, Finance’s guidance states that services performed by a contractor are under the supervision of the entity, which specifies how the work is to be undertaken and has control over the final form of any resulting output. The output of a contractor is produced on behalf of the entity and the output is generally regarded as an entity product. In contrast, performance of consultancy services is left largely up to the discretion and professional expertise of the consultant, performance is without the entity’s direct supervision, and the output reflects the independent views or findings of the consultant. While the output of a consultant is produced for the entity, the output may not belong to the entity. Box 1 below sets out the contract characteristics, identified in Finance guidance, that help entities distinguish between contractors and consultants.

Source: Department of Finance, Contract Characteristics, available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-characteristics [accessed 20 January 2022].

1.4 Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, in respect to the mix between APS and non-APS personnel, the APSC has stated that:

The APS continues to deploy a flexible approach to resourcing that strikes the balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers collaborate to deliver outcomes within agencies.

A mixed workforce approach will continue to be a feature of APS workforce planning. Non-APS workers, when used effectively in appropriate circumstances, can provide significant benefits to agencies and help them achieve their outcomes. Non-APS workers can also provide access to specialist and in-demand skills to supplement the APS workforce in peak times in business cycles. There will be a need for APS agencies to access skills, capability or capacity differently, including through contractors and consultants, or through external partnerships with academia or industry. There may also be a need to engage with industry to develop skills and capabilities to drive delivery of programs across the service. The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.

A professional public service harnesses skills, expertise and capacity from a variety of sources to deliver services as priorities arise. We must focus on understanding and removing barriers to external mobility and encouraging the mobilisation of skills from both across and outside the APS.¹⁵

1.5 In addition, the APSC has published guidance relating to the use of contractors in APS Senior Executive Service (SES) roles.¹⁶ In its Guiding principles for agencies when considering the use of SES contractors¹⁷, the APSC states that:

To meet their business needs, agency heads have the flexibility to engage individuals by the most appropriate means to ensure their agency is best placed to deliver for the Australian public. These guiding principles are designed to assist agencies when considering the appropriateness of using a contractor for a Senior Executive Service (SES) equivalent role and to ensure that appropriate governance arrangements are in place.

…

For the purposes of these principles, an ‘SES contractor’ is an SES-equivalent (e.g. equivalent work value, duties, responsibility, and accountability), contracted by an APS agency via a recruitment agency or third party as an integrated part of the agency’s senior leadership workforce. That is, the agency will have no direct employment relationship under the PS Act with the SES contractor.

1.6 The APSC has stated that the purpose of the principles is ‘to provide APS agencies with considerations when seeking to go beyond the APS employment framework for senior executive capabilities’.¹⁸ Box 2 below sets out the considerations identified in the APSC guidance.

Source: Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors, 14 May 2021, paragraphs 5–7, available from https://www.apsc.gov.au/working-aps/aps-employees-and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

1.7 The APSC guidance states that the APSC will collect data on SES contractors, and that for the purposes of reporting, an SES contractor is a person undertaking SES equivalent work who is not engaged under the PS Act or an agency’s enabling legislation.¹⁹ As at 8 March 2022 the APSC had not published data on SES contractors. The APSC advised the ANAO on 3 March 2022 that there were 40 SES contractors in the APS as at 31 October 2021.

1.8 The APSC has not issued guiding principles for the use of non-SES contractors in APS agencies.²⁰

1.9 The APSC and Finance guidance may be supplemented at the entity-level by internal guidance on the different personnel types and how to decide whether there is an operational requirement for the use of non-APS personnel such as contractors.

1.10 The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. The Commonwealth Procurement Rules (CPRs) establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement. Entity-specific procurement and contract management arrangements may also be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines. Contract managers must implement applicable internal requirements and the CPRs and associated requirements set by Finance. Non-APS personnel must comply with their contractual obligations and any applicable management, oversight and behavioural requirements.

1.11 Non-APS personnel may be ‘officials’ under section 13 of the PGPA Act, in which case they must comply with the finance law in addition to their contractual obligations and applicable entity requirements.²¹ The finance law includes the PGPA Act, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), entity AAIs, and other legal and policy frameworks — including the whole-of-government procurement, grants, advertising and risk management frameworks. All personnel exercising delegated power under the PGPA Act or other legislation must also comply with the requirements attaching to those delegations.

1.12 Entities’ management of their non-APS personnel is subject to the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security.²² The PSPF policies under the ‘personnel security’ outcome outline how to screen and vet personnel and contractors to assess their eligibility and suitability. They also cover how to assess the ongoing suitability of entity personnel to access government resources and how to manage personnel separation.²³ Entity compliance with the three personnel security policies under the PSPF ‘ensures its employees and contractors are suitable to access Australian Government resources, and meet an appropriate standard of integrity and honesty’.²⁴ The policies and their core requirements are outlined in Figure 1.1 below.

Figure 1.1: PSPF personnel policies and core requirements

Source: Protective Policy Security Framework, Personnel Security, available from https://www.protectivesecurity.gov.au/policies/personnel-security [accessed 3 December 2021].

1.13 Under the PSPF, all agencies must develop their own protective security policies and processes. The Department of Veterans’ Affairs (DVA) has developed its own security policies and processes, which are available on its intranet.

Reviews and inquiries into the APS’s use of contractors

2015 report of the Independent Review of Whole-of-Government Internal Regulation

1.14 The 2015 Independent Review of Whole-of-Government Internal Regulation (the Belcher Review)²⁵ observed the impact of a number of APS legislative and reporting requirements²⁶, which the review considered to have:

created a recruiting environment where entities tended to engage staff through a particular employment category that may not align with their business needs. For example: … contractors hired individually, or through firms, are excluded from ASL [Average Staffing Level] and headcount reporting. While a valid engagement option, it may present longer term issues regarding organisational capacity and knowledge management, and may be a more expensive option in the longer run.²⁷

1.15 Box 3 below contains an excerpt from a Parliamentary Library research paper on public sector staffing and resourcing, which addresses the ASL concept and related issues.²⁸

Note a: ANAO comment: the APSC has stated that ‘ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.’ See Appendix 3 of this audit.

Source: Philip Hamilton, Public sector staffing and resourcing (Staffing, contractors and consultancies), Parliamentary Library Research Publications, October 2020, available from https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/BudgetReview202021/PublicSectorStaffingResourcing [accessed 27 January 2022].

2019 report of the Independent Review of the APS

1.16 The 2019 Our Public Service, Our Future: Independent Review of the Australian Public Service (the Thodey Review) also considered the non-APS workforce.²⁹ The Thodey Review commented that:

Labour contractors and consultants are increasingly being used to perform work that has previously been core in-house capability, such as program management. Over the past five years, spending on contractors and consultants has significantly increased while spending on APS employee expenses has remained steady.³⁰

1.17 The Thodey Review published data (see Figure 1.2 below) based on submissions to the Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into Australian Government Contract Reporting – Inquiry based on Auditor-General’s report No. 19 (2017–18).³¹ The Thodey Review stated that submissions to the JCPAA inquiry ‘revealed that [the] spend on contractors more than doubled across a sample of 24 agencies between 2012–13 and 2016–17.’³²

Figure 1.2: Thodey Review — percentage change in spend on employees, labour contractors and consultancy contract notices

Source: Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, p. 186.

1.18 The Thodey Review further observed that:

The use of labour contractors and consultancy services warrants specific discussion. About a quarter of the submissions [to the review] commented on their use. Most expressed concern about the growing size of the APS’s external workforce and the negative effect on in-house capability. Data on this topic, as is the case with many APS-wide workforce matters, are not gathered or analysed centrally and are often inadequate. For example, the number of contractors and consultants working for the APS is not counted and data on expenditure are inconsistently collected across the service. Data insights that would shed light on whether contractors or consultants met objectives are not routinely aggregated. This makes it difficult to assess the value of external providers relative to in-house employees or to infer the effect on APS capability.³³

…

There is clearly benefit in the APS leveraging the best external capability. It is not possible to have expertise in everything in-house and external providers can be the most efficient way of delivering the best advice, services or support. But the use of external capability needs to be strategic and well-informed, meaning that the APS:

• makes decisions on the use of external capability by reference to a whole-of-service workforce strategy that identifies the core capabilities the APS should invest in building in-house – with external capability used to perform non-core or variable work activity;
• manages use of external capability closely, from the contract design stage through to performance of the prescribed tasks; and
• ensures that all arrangements lead to a transfer of knowledge to the APS.

At all stages the APS should be focused on achieving value for money and better outcomes.

The APS needs to find the right balance between retaining and developing core in-house capability and leveraging external capability to ensure a sustainable and efficient operating model for the decades ahead. To do this effectively, two traditionally autonomous parts of agencies — HR and procurement — must work closely together.³⁴

October 2021 second interim report of the Senate Select Committee on Job Security

1.19 In October 2021, the Senate Select Committee on Job Security released its second interim report, Insecurity in publicly-funded jobs.³⁵ The report examined employment arrangements across the public sector. Drawing on the Thodey Review and JCPAA inquiry, the committee stated that:

the utilisation of labour contractors and consultants has increased markedly in recent years. Across a sample of 24 agencies, spending on contractors has more than doubled over the period between 2012–13 and 2016–17. Furthermore, information sourced from AusTender indicated that the total value of consultant contracts across the APS increased from $386 million to $545 million during the same four year period.³⁶

1.20 In common with the Thodey Review³⁷, the committee was critical of data collection relating to the non-APS workforce:

Neither the Australian Public Service Commission (APSC), nor the Department of Finance, was able to confirm how many people engaged through labour hire or other external contracting arrangements are working within the Australian Public Service. This data is not collected, and neither agency provided an explanation for why this is the case.³⁸

1.21 The committee made the following recommendation on this matter:

The committee recommends that the Australian Government requires:

• the Australian Public Service Commission to collect and publish agency and service-wide data on the Government’s utilisation of contractors, consultants, and labour hire workers;
• the Department of Finance to regularly collect and publish service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment; and
• labour-hire firms to disclose disaggregated pay rates and employee conditions.³⁹

November 2021 report on the Senate Finance and Public Administration References Committee Inquiry into the Current Capability of the APS

1.22 In November 2021 the Senate Finance and Public Administration References Committee reported on its Inquiry into the Current Capability of the Australian Public Service.⁴⁰ The matter referred to the committee for inquiry and report was as follows⁴¹:

The current capability of the Australian Public Service (APS) with particular reference to:

(a) the APS’ digital and data capability, including co-ordination, infrastructure and workforce;

(b) whether APS transformation and modernisation projects initiated since the 2014 Budget have achieved their objectives;

(c) the APS workforce; and

(d) any other related matters.

1.23 The committee drew on data in the Thodey Review⁴² and JCPAA inquiry⁴³, and in an effort to ascertain the scale of labour hire usage across the APS⁴⁴, requested staffing profile information from agencies across all portfolios.⁴⁵ The committee observed that:

The responses received indicated that agencies had differing methods of collecting data, and that many agencies did not collect data that allowed them to disaggregate the numbers of labour hire workers from other contractors.

For example, some agencies advised that their recordkeeping systems did not or could not differentiate between contractors directly procured by the agency (e.g. independent contractors), and workers procured through labour hire firms.⁴⁶

1.24 The committee made 13 recommendations, including the following recommendations on data collection and reporting:

• the annual employee census conducted by the APSC ahead of the State of the Service report be expanded to include all labour hire staff who have been engaged on behalf of the APS in that calendar year (recommendation 5);
• the APSC collect and publish standardised agency and service-wide data on the Australian Government’s utilisation of contractors, consultants, and labour hire workers (recommendation 6); and
• the Department of Finance regularly collect and publish annually service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment for each role (recommendation 8).

Department of Veterans’ Affairs workforce

1.25 DVA is a non-corporate Commonwealth entity.⁴⁷ In its 2020–21 annual report, DVA stated that its purpose is to:

support the wellbeing of those who serve or have served in the defence of our nation, and their families, by:

• partnering with organisations and individuals to help design, implement and deliver effective programs and benefits, which enhance wellbeing of veterans and their families; and
• providing and maintaining war graves and delivering meaningful commemorative activities to promote community recognition and understanding of the service and sacrifice of veterans.⁴⁸

1.26 DVA’s key functions include: delivering income and disability support to veterans and their dependents; providing access to general medical, hospital and community care and support; providing and maintaining war graves; and delivering commemorative services.⁴⁹ To deliver its key functions, DVA has an approved average staffing level (ASL) of resources in the Portfolio Budget Statements (PBS). The actual APS workforce is reported on in the DVA annual report each year. Table 1.1 below sets out DVA’s allocation and utilisation of its ASL, over three years.

Table 1.1: DVA’s average staffing level (ASL)

Note a: Budget Estimate data is sourced from DVA’s Portfolio Budget Statements (PBS).

Note b: Actual workforce data is sourced from DVA’s annual reports, reported as FTE (over the financial year). This differs from the figures in Table 1.2 which are reported by headcount.

Source: Department of Veterans’ Affairs Portfolio Budget Statements and annual reports for 2018–19, 2019–20 and 2020–21

1.27 DVA’s Strategic Workforce Plan 2019–23 recognises its contingent workforce as an integrated part of its blended workforce. DVA has defined three types of contingent workforce resources utilised by the agency: consultants, independent contractors, and labour hire.⁵⁰ Box 4 below sets out the contingent workforce definitions used by DVA that have the characteristics of a ‘contractor’ discussed earlier in paragraphs 1.2–1.3 and Box 1.

Source: Department of Veterans’ Affairs, Blended Workforce Guide. DVA’s Blended Workforce Guide also states that a consultant is: ‘a person engaged by the department, according to a contract for services.’ The Blended Workforce Guide identifies the following characteristics for consultants: they do not work under the direction of an APS employee; they are not covered by DVA’s workers’ compensation; they have a defined area for investigation and reporting and sometimes own the product of that consultancy; they provide specialist advice or answers to specific questions; and the outcomes of the advice are normally expressed as recommendations in a report.

1.28 This audit has focused on members of DVA’s contingent workforce engaged as an ‘independent contractor’ and ‘labour hire’ as defined in Box 4 above.⁵¹ DVA’s workforce data indicates that these personnel types perform work in key functions across the department.⁵²

Contractor numbers in the Department of Veterans’ Affairs

1.29 Table 1.2 below sets out DVA’s workforce headcount by category, over three years.

Table 1.2: DVA’s workforce headcount at 30 June 2019, 2020 and 2021

Note a: See definitions in Box 4 above.

Source: Department of Veterans’ Affairs.

1.30 DVA advised the Senate Finance and Public Administration Legislation Committee in September 2021 that it spent $123.3 million on labour hire staff in 2020–21. Further information on the characteristics of the 1287 contractors and labour hire personnel DVA engaged as at 30 June 2021 is at Appendix 4, including the organisational group and job families they worked in.

Previous audits and reports

1.31 Agencies’ management of their contracted workforce is considered when necessary in the conduct of ANAO audit and assurance work. Examples of ANAO performance audits which have considered the management of a contracted workforce include:

• Auditor-General Report No.2 2017–18 Defence’s Management of Materiel Sustainment⁵³;
• Auditor-General Report No.38 2017–18 Mitigating Insider Threats through Personnel Security⁵⁴;
• Auditor-General Report No.28 2018–19 Management of Smart Centres’ Centrelink Telephone Services — Follow-up⁵⁵;
• Auditor-General Report No.1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1⁵⁶;
• Auditor-General Report No.4 2021–22 Defence’s Contract Administration — Defence Industry Security Program57; and
• Auditor-General Report No. 6 2021–22 Management of the Civil Maritime Surveillance Services Contract.⁵⁸

1.32 The ANAO has prepared two information reports on procurement activity in the Australian public sector, which have included publicly available information on consultants:

• Auditor-General Report No.19 2017–18 Australian Government Procurement Contract Reporting; and
• Auditor-General Report No.27 2019–20 Australian Government Procurement Contract Reporting Update.

1.33 These information reports presented publicly available data from public sector procurement activity in a number of ways.⁵⁹ The publicly available data includes entity reporting on contracts relating to consultancies, including consultancy contract value.

Rationale for undertaking the audit

1.34 The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years, discussed above at paragraphs 1.14–1.24.

1.35 This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. DVA was selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits in this series review the management of contractors by the Department of Defence and Services Australia.

Audit objective, criteria and scope

1.36 The objective of the audit was to examine the effectiveness of DVA’s arrangements for the management of contractors.

1.37 To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has DVA established a fit-for-purpose framework for the use of contractors?
• Does DVA have fit-for-purpose arrangements for the engagement of contractors?
• Has DVA established fit-for-purpose arrangements for the management of contractors?

1.38 The audit examined DVA’s framework of policies, plans, processes and guidance that apply to its use, engagement and day-to-day management of contractors.

1.39 The audit did not examine:

• the specific procurement arrangements through which particular contractors or outsourced service providers are engaged, or the assessment of the value-for-money aspect of specific decisions to engage such personnel instead of APS personnel;
• performance management in terms of specific contracted deliverables as this is part of the management of a contract; or
• the vetting process for contractors undertaken by the Australian Government Security Vetting Agency (AGSVA).⁶⁰

Audit methodology

1.40 Audit procedures included discussions with relevant DVA officials and an examination of the following DVA documentation:

• plans, forecasts and management decisions about DVA’s workforce use;
• guidance available to assist officials’ decision making on whether to engage a contractor instead of an APS resource, including the information provided to delegates regarding such choices;
• DVA’s contracting mechanisms that are available for the engagement of contractors;
• documentation that sets out mandatory training requirements, processes and completion reports for induction training;
• policies, processes and reporting that supports DVA’s compliance with PSPF policies 12–14 that relate to the onboarding, ongoing management (including where staff move within the entity) and offboarding of contracted staff; and
• management reports as evidence of the application of DVA’s framework for the management of contractors.

1.41 The audit was open to contributions from the public. The ANAO received and considered two submissions.

1.42 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $342,000.

1.43 The team members for this audit were Jarrad Hamilton, Hugh Balgarnie, James Wright, Georgia Johnston, Michael Brown, Helen Sellers and Sally Ramsey.

2.1 As discussed in paragraph 1.4, the APS Workforce Strategy 2025 released by the Australian Public Service Commission (APSC), identifies that an important element of successful mixed workforce models is a ‘structured approach to the use of non-APS employees’ which includes Australian Public Service (APS) agencies ‘considering where work would be best delivered by an APS employee.’ The strategy also states that:

The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.⁶¹

2.2 This chapter considers the framework established by DVA to guide decisions to use contractors. The ANAO examined whether guidance had been developed and issued by DVA, that:

• provided clarity about the different personnel types that are utilised as DVA’s external workforce, including the definition of ‘contractor’, so the most appropriate option is selected for a particular role; and
• assisted officials to determine whether there is an operational requirement for the use of contractors to support the efficient and effective use of resources.

Does DVA guidance provide clarity regarding the different personnel types, including contractors?

2.3 DVA has provided internal guidance regarding the different personnel types. This guidance is accessible through DVA’s Blended Workforce Guide, which provides guidance for managers of staff in DVA. This guidance is available on DVA’s intranet and includes the definitions for the three types of contingent workforce utilised by the agency: consultants; independent contractors; and labour hire.⁶²

2.4 DVA also utilises a list which includes definitions for the 11 workforce types (cohorts) utilised by Services Australia in addition to its APS workforce.⁶³ Reference to this list is necessary for the purposes of categorising DVA’s workforce for entry into Services Australia’s SAP system.⁶⁴ The definitions of ‘contractor’ and ‘labour hire’ on Services Australia’s list are largely consistent with the definitions of ‘independent contractor’ and ‘labour hire’ adopted in DVA’s guidance for managers.

Does DVA provide guidance on determining whether there is an operational requirement for the use of contractors?

2.5 DVA has set out guidance on determining whether there is an operational requirement for the use of contractors in the following documents:

• the Strategic Workforce Plan 2019–2023 and the June 2021 interim update to this plan; and
• the Blended Workforce Guide.

Strategic workforce planning

2.6 DVA’s Strategic Workforce Plan 2019–2023 recognises its contingent (including contractor) workforce as part of its workforce mix and sets out how DVA expects to use contingent workforce personnel over time and across different functions. The operating environment and risks to the successful delivery of DVA’s purpose are considered in the plan(discussed further below). A shorter version of the Strategic Workforce Plan is available on DVA’s intranet. DVA advised that this shorter version was disseminated to staff, to provide high-level guidance around operational requirements for the use of contractors.

2.7 The 2021 interim update to the Strategic Workforce Plan describes the operational environment as follows:

Using [the] business-sourced operating models to envision the future state required by DVA to deliver on its strategy, and meet future challenges, and addressing Enterprise Risk 6: The ability to provide a professional engaged and flexible workforce, the Enterprise Strategic Workforce Plan (the Plan) provides a workforce capacity and capability assessment of DVA in its journey. It considers the requirements to maintain business as usual outcomes, effectively respond with a surge workforce to priorities such as disaster relief and Royal Commission support, whilst transforming for the future.

The Government’s response to the June 2019 Productivity Commission Report, A Better Way to Support Veterans, the Independent Review of the Australian Public Service (APS), the impact of COVID on DVA’s workforce, the establishment of a Royal Commission into Defence and veteran suicide, and the continuing relationship of DVA with Services Australia have the potential to impact upon the operation of DVA.

Effective workforce planning is essential to a successful transformation, and during a Royal Commission environment strategic workforce planning and management will be key to DVA’s capability and capacity in responding to the Commission while consolidating a transformation program and maintaining BAU [Business as Usual].

Another critical factor guiding DVA’s workforce plan is the Average Staffing Level (ASL) cap which governs APS staffing. ASL figures are dictated by claims submitted by Veterans and their families and services delivered to veterans and their families. For the 2020-21 FY, DVA’s ASL cap is 1,615. For the 2021-22 FY, DVA’s budget-adjusted ASL cap is 2,062.⁶⁵ … Given the pronounced capability and sourcing risks, targeted interventions will be required to ensure the right capabilities are retained, transitioned, developed and sourced to maintain business continuity whilst shifting to DVA’s Future BOM [business-sourced operating model].

2.8 The Strategic Workforce Plan identifies the contingent workforce as one of five risk themes under the heading ‘The right skills’. The plan sets out the following:

To achieve DVA’s strategic intent, the workforce will need to be adaptive to change and uplifted in critical skills. Building this workforce will require effective talent management, supported by strategic sourcing decisions such as utilising APS or contingent labour.

2.9 A mitigation to address the contingent workforce risk has been outlined and was identified as a priority in both the original plan and the interim update. The mitigation was:

Strengthen contractual agreements between contingent labour and APS

Develop contractual agreements with recruitment agencies to improve contingent workforce agreements, including robust knowledge transfer requirements for contingent workforce service agreements and complementary development services.

2.10 DVA advised the ANAO in March 2022 that:

In early 2020 an internal review of the labour hire processes in DVA was undertaken by PSB [People Services Branch] in light of the mitigation strategy outlined in the Strategic Workforce Plan. The review found a large number of labour hire agencies were being used by the different DVA Business Areas.

On the basis of activity over the period July 2017–February 2020 and following input from Business Areas, a list of Preferred Providers⁶⁶ was established for all labour hire recruitment activity.

2.11 The June 2021 interim update of the Strategic Workforce Plan indicated that DVA planned to deliver a revised plan over the next six months to:

provide deep analysis of use of contingent labour, workforce in front facing positions, and surge vs specialist workforce.

2.12 DVA advised the ANAO in April 2022 that the next review and update of the Strategic Workforce Plan is to be presented to DVA’s Executive Management Board in the second half of 2022.⁶⁷

Supporting workforce planning documents

2.13 DVA’s Strategic Workforce Plan outlines the requirements for its contractor workforce at an entity level. To support the Strategic Workforce Plan, DVA has developed divisional and operational workforce plans. Figure 2.1 below outlines how these documents form DVA’s workforce planning model.

Figure 2.1: Workforce planning in the Department of Veterans’ Affairs

Source: DVA’s Strategic Workforce Plan 2019–2023.

2.14 DVA’s divisional workforce plans set out the workforce planning environment at that organisational level. The divisional workforce plans are supported by operational workforce plans that include further detail on initiatives and workforce considerations at the divisional level and below.

2.15 DVA advised the ANAO in June 2022 that:

Due to resourcing issues, enterprise level project management of the Divisional and Operational plans was not undertaken and therefore it is unclear how much of the implementation has been completed.

Blended Workforce Guide

2.16 DVA advised the ANAO in December 2021 that the decision to engage contractors is delegated to business areas and line managers. DVA has developed a Blended Workforce Guide for managers, to provide guidance on the type of work that contractors (independent contractors and labour hire staff) would typically be expected to undertake. The guide states that:

Labour hire staff are engaged for a variety of workforce solutions, including meeting a short term work requirement, or providing a specialist skillset. Use of labour hire enables staffing needs to be met where funding is available but Average Staffing Level (ASL) headcount pressures limit available recruitment options.

…

Labour hire staff bring a variety of skills, capabilities and experiences to the department. They also bring a ‘fresh set of eyes’ to the way we do things offering opportunities to learn and expand our understanding of systems, processes and approaches.

Labour hire staff perform work which can be viewed as either generalist/administrative (e.g. Claims Officer, Frontline Customer Service) or specialised (e.g. Social Worker, Change Manager, Project Manager, Business Analyst, Medical Adviser).

2.17 In relation to independent contractors, the guide states that:

They are often contracted by the department to provide a service for a fixed term (i.e. to undertake a specific project or task).

2.18 DVA advised the ANAO in February 2022 that it:

is currently in the process of developing Standard Operating Procedures (SOP) for contingent labour hire to further assist hiring business areas with the decision making and process around engaging and managing labour hire.

The SOP will cover:

• Definition of labour hire, contractors & consultants
• Role and responsibilities
• Points of contact
• Mandatory processes, procedures and templates
• Required documentation standards
• Compliance monitoring activities.

2.19 DVA advised the ANAO in April 2022 that these SOPs were still under development.

3.1 DVA’s contracting templates, standing offer arrangements, induction arrangements and arrangements to support compliance with PSPF Policy 12: Eligibility and suitability of personnel are the primary mechanisms through which the department ensures that contractors are obliged to comply with DVA’s policies and Commonwealth legislation, understand these obligations, and are suitable to access DVA’s information.

3.2 To form a view on the fitness-for-purpose of DVA’s arrangements for engaging contractors, the ANAO examined the standing offer arrangements and contracting templates used for engaging contractors. Well-designed arrangements, contracting templates and clauses help operationalise requirements and assist officials to consistently apply them at the point of engagement. They also document the expectations placed on contractors and provide a basis for managing performance and non-compliance. Contracting documentation and templates available through panel arrangements (see paragraphs 3.8–3.10), covering 73 per cent of DVA’s contractor workforce expenditure for 2020–21⁶⁸, were reviewed by the ANAO to establish whether DVA included clauses requiring the contracted personnel to meet performance standards and comply with DVA’s policies and Commonwealth legislation. In addition, the ANAO examined:

• the induction arrangements established to help contractors understand their responsibilities and how to meet their obligations when working for DVA; and
• the policies and processes in place to ensure that the eligibility and suitability of contractors to access Australian Government resources has been established at engagement, as required by PSPF Policy 12: Eligibility and suitability of personnel.⁶⁹ Monitoring and reporting on compliance with the policy was also examined.

Does DVA have a contracting suite that is tailored for the use of contractors?

3.3 The engagement of a contractor is a procurement process and requires the establishment of a contract between DVA and the contractor or the contractor’s employer. DVA has delegated responsibility for the engagement of contractors to business areas.

3.4 DVA has set out guidance for the engagement of contractors in a workflow document and a checklist available on its intranet. These documents also outline the process for engaging contractor personnel in DVA. Figure 3.1 below illustrates the key steps in this process.

Figure 3.1: Process set out in DVA’s guidance on how to engage a contractor

Source: ANAO summary of DVA documentation.

3.5 Contractors and labour hire personnel engaged by DVA ‘generally work side by side with other departmental staff’ or under the direction of an APS employee. DVA’s policies set out the behavioural requirements and expectations that contractors are expected to meet when working with the department. These policies cover: conduct and behaviour; work health and safety; personnel security; privacy; fraud; and conflict of interest.

3.6 The ANAO examined the guidance and support available to the three DVA business areas with the largest cohorts of contractors: the Client Engagement and Support Services division; the Client Benefits division; and the Mental Health and Wellbeing division. These business areas collectively employed 942 contractors, representing 73 per cent of DVA’s total contractor workforce as at 30 June 2021.

3.7 These business areas have established dedicated recruitment teams. DVA advised the ANAO that these teams were established in order to deliver a more consistent and efficient approach to onboarding contractors and to reduce the administrative burden on staff within business areas.⁷⁰ These teams have developed their own guidance to support the engagement of contractors. The ANAO examined guidance for the engagement of contractors established by these business areas and found that the guidance was consistent with entity-level guidance.

Contracting suite

3.8 DVA uses three main panel arrangements to source labour hire staff. These panels were established by the Australian Digital Health Agency, Australian Federal Police, and Australian Taxation Office. Each panel arrangement establishes a Deed of Standing Offer.⁷¹ DVA has established arrangements with 16 preferred labour hire recruitment agencies when engaging labour hire staff. For the three deeds of standing offer reviewed by the ANAO (one example for each panel) the broad contractual arrangements between the contracting entity and labour hire recruitment agencies were outlined.

3.9 Each Deed of Standing Offer available through these panel arrangements is supported by customised work order templates that are available on DVA’s intranet for contract managers to use when engaging labour hire staff. The work order templates include work level standards outlining the work performance expectations of labour hire staff and include DVA’s pre-populated agency details.

3.10 For contractors engaged outside of labour hire arrangements, such as independent contractors (as defined in Box 4 in Chapter 1), DVA has established a centrally managed process for preparing contracts and providing advice on the procurement process. For these arrangements, DVA requires that its officials utilise the Commonwealth Contracting Suite.⁷²

Analysis of deeds of standing offer and work order templates

3.11 As discussed in paragraph 3.2, the documents available under the panel arrangements identified above covered 73 per cent of DVA’s contractor workforce expenditure in 2020–21. The ANAO examined the three Deed of Standing Offer documents and work order templates to establish whether they included clauses to require labour hire or contractor personnel to comply with DVA’s policies and processes⁷³, and to meet performance standards.

3.12 The ANAO’s review of these documents found that all three deeds included clauses requiring compliance with all relevant processes and guidelines required by DVA.⁷⁴ All three deeds also include clauses addressing non-compliance with required performance standards and non-compliance with mandatory polices referred to in the contract, including the option of termination of services on the basis of convenience or default.

3.13 The work order templates have been customised by DVA to include work level standards for contractors performing roles at the APS1 to EL2 level, that are consistent with the expectations for equivalent-level APS staff. The work level standards outline the nature of the work typically expected at each level including the: degree of complexity, autonomy and judgement required; level of technical or policy proficiency; level of personnel management; and degree of public contact.

3.14 DVA’s contracting suite documentation includes clauses that set out the behavioural requirements and expectations that contractors are expected to meet when working with the agency.

Does DVA have fit-for-purpose arrangements for inducting contractors?

3.15 The induction process for contractors is outlined in DVA’s Induction Booklet⁷⁵, and includes a mandatory induction program with online training modules on risk, fraud awareness, security and APS Values. Further, DVA’s Blended Workforce Guide advises DVA officials that:

Induction (including Security onboarding and meeting the Secretary/Deputy Commissioner) should be undertaken by all new members of the department’s workforce, regardless of the nature or duration of their employment.

Other training should be managed on a case-by-case basis…

3.16 The ANAO’s review of contract documentation under the panel arrangements used by DVA (discussed at paragraph 3.8) found that, in addition to requiring compliance with all relevant processes and guidelines required by DVA:

• the Deed of Standing Offer available under the Australian Digital Health Agency panel included a clause stating that the provider must conduct inductions with contractor staff relating to conditions of employment and relevant workplace health and safety requirements for the agency; and
• the Deed of Standing Offer available under the Australian Taxation Office panel included a clause requiring the service provider to provide training and development.

Mandatory induction and refresher training programs

3.17 DVA advised the ANAO in December 2021 that all new staff, including contractors, are required to complete DVA’s Essential Elearning Plan (EEP). New staff are to be automatically assigned to the EEP on commencement.⁷⁶ DVA further advised that it has in place three versions of the EEP:

• EEP — Standard: comprising ten modules that most staff complete, including labour hire/contractors;
• EEP — Contractors & Labour Hires: this program is for labour hires/contractors exempted from the standard EEP due to the short-term nature of their hire. It consists of four modules from the standard EEP⁷⁷; and
• EEP — Clinical Advisers: this program is only applicable to Clinical Advisers from the Chief Health Officer Division and consists of six modules from the standard EEP.

3.18 DVA staff must complete the relevant mandatory induction program within three months of their commencement with the department, and complete mandatory refresher training every one or two years.⁷⁸

3.19 DVA advised the ANAO that DVA business areas may also have additional induction requirements for new staff, in addition to the corporate offerings identified above. These business-specific induction programs remain the responsibility of relevant business areas to enforce/monitor.⁷⁹

3.20 In addition to setting out mandatory induction training, DVA’s Induction Booklet includes checklists to: familiarise new starters with DVA, including DVA’s relevant integrity and professional standards; gain IT systems access; complete mandatory security briefings; cover off learning and development requirements; and set up performance management agreements. In relation to ongoing training requirements, the Induction Booklet states that all DVA employees:

have a responsibility to ensure their skills remain relevant, however your manager has an obligation to provide learning and development opportunities as required.

3.21 The ANAO reviewed the content of the mandatory induction program to assess the extent to which expected behaviours and standards from mandatory DVA policies were covered by the training. The results of the analysis are summarised below in Table 3.1.

3.22 As illustrated in Table 3.1, DVA’s mandatory induction training for contractors covers the agency’s mandatory policies for all personnel including contractors. However, the ANAO’s analysis identified that:

• The Security Awareness DVA – Induction module and the Work Health and Safety module did not cover working from home arrangements. There is opportunity for DVA to review the content of these modules to ensure that induction training covers the additional risks posed by remote working arrangements; and
• the Performance Management module does not include content relating to the incorporation of ongoing suitability assessments in annual performance discussions. DVA’s Personnel Security Protocol⁸⁰ states that managers must embed security considerations into their annual performance appraisals by seeking confirmation from staff that they have reported changes of circumstances, if any. This requirement is discussed in Chapter 4 (paragraphs 4.19–4.23).

Monitoring the completion of training

3.23 Staff completion of the mandatory induction program is captured through the department’s Learning Management System (DVAtrain).

3.24 The ANAO examined DVAtrain data on the completion of mandatory induction modules by labour hire employees as at 22 December 2021. Of the 1076 labour hire personnel recorded in DVAtrain as at 22 December 2021, 602 (56 per cent) had completed the entire mandatory induction course or were still within the allowable timeframe for completion.

3.25 Figure 3.2 (below) illustrates the number of labour hire personnel that had completed each module of the mandatory induction program as at 22 December 2021. As shown in Figure 3.2, the completion rate of the ‘Fraud Awareness at DVA’ module was lower than the completion rates for the other nine modules. Of the 1076 labour hire personnel engaged by DVA as at 22 December 2021, 490 (46 per cent) had completed the fraud awareness module. Completion rates across the other nine modules were 76 per cent or higher.

3.26 DVA advised the ANAO in June 2022 that the ‘Fraud Awareness at DVA’ module commenced on 18 December 2020, replacing ‘Fraud Awareness’ and ‘Fraud Control in DVA’ modules which were decommissioned due to Adobe Flash not being supported on DVAtrain. DVA further advised that:

The decommissioning of the two unsupported modules (“Fraud Awareness” and “Fraud Control in DVA”) on 01/01/2021, resulted in the new “Fraud Awareness at DVA” (HTML5 version) being inadvertently left off of the EEP on DVA-Train.

Both the Fraud Awareness and Fraud Control in DVA modules remained referenced (during this time) in the DVA Induction Booklet (attached) and was an expected requirement of on-boarding.

When the business area (the newly established Fraud Strategy and Prevention Section) became aware of the matter, they requested [that] the People and Services Branch reinstate the module to the EEP on DVA-Train on 21/09/2021.

Figure 3.2: DVA mandatory induction modules — completion rates for labour hire as at 22 December 2021

Note: As shown in the figure above, of the 1076 labour hire staff recorded in DVAtrain as at 22 December 2021, between 1000–1010 labour hire personnel have a completion status recorded for each of the modules. The variation in total labour hire personnel assigned to each module reflects labour hire staff on different versions of the EEP. DVA advised the ANAO that 53 staff had not activated their DVAtrain account by logging in and 14 personnel had not been automatically assigned to an EEP.

Note: ‘Within allowance’ refers to modules that are not complete but are still within the allowable timeframes for completion (refer to paragraph 3.18).

Source: ANAO analysis of DVA data.

3.27 DVA provided the ANAO with updated DVAtrain data as at 18 May 2022, which indicated that of the 1099 labour hire personnel recorded in DVAtrain, 896 (82 per cent) had completed the entire mandatory induction course or were still within the allowable timeframe for completion. The increase in the overall course completion rate since 22 December 2021 followed the introduction of a new ‘Fraud and Corruption Control in DVA’ course replacing the previous ‘Fraud Awareness at DVA’ module, discussed at paragraph 3.26. The new module was introduced in late April 2022 and staff are allowed two months to complete the module. As such, all DVA staff were within the allowable timeframe for completion of the module during the course of the audit. The ANAO did not examine the implementation of the new fraud awareness module.

3.28 DVA’s Induction Booklet states that managers are responsible for providing their staff with ‘all relevant and necessary on the job training’. DVA advised the ANAO that:

DVAtrain automatically sends emails to both staff and Managers when EEP components are due for completion. Managers can review the training progress of their staff, and typically do so through regular catch ups as per DVA’s Performance Management Framework. Managers can access the training records of their staff at any time through DVAtrain.

3.29 DVA further advised that there is currently no notification from DVAtrain for managers when a course has not been completed before the due date, and that:

There is currently no centralised monitoring undertaken to ensure that all managers are appropriately discharging their managerial responsibilities, however PSB does provide yearly “EEP Completion Reports” to Division Heads, who typically cascade findings to relevant Branch Heads to address any issues that have been identified.⁸¹

3.30 The ANAO did not examine the extent to which DVA contract managers or the supervisors of contractors across DVA undertook monitoring activities to confirm contract compliance with induction requirements. While current DVA data indicates improvement due to the recent introduction of a new mandatory training course, DVA’s December 2021 data (see paragraph 3.24) indicates that there is an opportunity for DVA to improve its arrangements for annual follow-up checks, to provide assurance to senior management that contractors are completing mandatory induction training. Completion of mandatory induction training supports contractors to understand their obligations.

Contractors with financial delegations

3.31 DVA’s Accountable Authority Instructions (AAIs) state that:

If you are a contractor and occupy a staff role, and you have been prescribed as an official on the Department’s Prescribed Officials Delegations Register for the purposes of the Commonwealth Resource Management Framework, you must:

a) comply with the PGPA Act and these AAIs; and

b) comply with DVA-related policies and procedures; and

c) hold and exercise only those financial delegations that have been allocated under the arrangements entered into for undertaking the duties as defined in your contract or job role description.

3.32 DVA’s Financial Delegations instrument outlines what financial delegations are available to staff, including Prescribed Officials. DVA’s Prescribed Officials Delegations Register indicates that, as of 16 March 2022, there were 113 contractors identified as Prescribed Officials. Of the 113 contractors with financial delegations, 82 (73 per cent) were at the APS3 level.

Contractors with Human Resource delegations

3.33 HR delegations are not outlined in DVA’s AAIs. DVA’s Blended Workforce Guide states that:

Non-APS staff performing duties equivalent to APS6 or higher may be able to exercise HR delegations applicable to their role where there is a demonstrated business need. This will enable non-APS staff to approve time sheets, leave and general HR requests in a team management capacity.

…

It is important to note that non-APS staff are not able to approve matters under the Public Service Act or subordinate legislation (Regulations, Commissioner’s Directions and Classification Rules). These pieces of legislation largely cover matters that non-APS staff will not be overseeing, such as the engagement and termination of employees, review of actions and imposing sanctions for breaches of the code of conduct.

3.34 In December 2019, DVA’s Executive Management Board endorsed a proposal that non-APS personnel equivalent to the APS EL1 level and above be permitted to exercise HR delegations applicable to their role, where there is a demonstrated business need. Internal advice stated that:

This was in recognition of a growing number of non-APS staff being engaged to positions that manage teams, however not being able to exercise HR delegations. Team members were submitting leave, timesheets and other HR requests to more senior DVA managers for approval.

3.35 In December 2020, these delegations were extended to include non-APS personnel equivalent to the APS6 level, in recognition of staff in client facing business areas performing team leader roles.⁸² DVA advised the ANAO in May 2022 that there were 48 non-APS staff managing a total of 382 staff across DVA staff as at 5 April 2022. DVA further advised that ‘there is no additional mandatory training for contractors holding HR delegations’ outside of the Essential Elearning Plan discussed in paragraph 3.17.

Has DVA established arrangements for the engagement of contractors that support compliance with PSPF Policy 12: Eligibility and suitability of personnel?

3.36 Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel⁸³ sets out ‘the pre-employment screening processes and standardised vetting practices to be undertaken when employing personnel and contractors.’ Policy 12 has the following core requirements:

Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets).

Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

3.37 The policy states that pre-employment screening is the primary activity used to mitigate an entity’s personnel security risks. Entities may use security clearances where they need additional assurance of the suitability and integrity of personnel. This could be for access to security classified information, or to provide greater assurance for designated positions. Under the policy:

Entities must undertake pre-employment screening, including:

• verifying a person’s identity using the Document Verification Service⁸⁴;
• confirming a person’s eligibility to work in Australia; and
• obtaining assurance of a person’s suitability to access Australian Government resources, including their agreement to comply with the government’s policies, standards, protocols and guidelines that safeguard resources from harm.

3.38 In its mandatory annual report to the Attorney-General’s Department (AGD) in 2018–19, DVA self-assessed its security maturity against PSPF Policy 12 requirements as ‘developing’. In its 2019–20 and 2020–21 reports, DVA lifted its maturity rating for PSPF Policy 12 to ‘managing’.⁸⁵

Arrangements for conducting pre-employment screening and standardised vetting

3.39 DVA utilises a shared services arrangement with Services Australia for the onboarding of DVA contractors. This arrangement is supported by a Statement of Intent and a Corporate Shared Services Schedule which outlines the agreed services being provided to DVA.⁸⁶ These services include:

• verifying identity and Australian citizenship;
• assessing work rights where required;
• submitting and reviewing results of the National Coordinated Criminal History Check; and
• notifying DVA Security of Disclosable Court Outcomes.

3.40 DVA has established an Agency Security Plan that sets out the arrangements for protective security within DVA. The Agency Security Plan includes an overview of DVA’s security threats, risk appetite, investigations processes for security incidents, and an outline of governance mechanisms against PSPF core requirements. This document was last reviewed in November 2019.⁸⁷ DVA advised the ANAO in April 2022 that an updated Agency Security Plan is scheduled to be delivered by June 2022.

3.41 DVA’s Personnel Security Protocol sits under the Agency Security Plan and sets out what DVA must do to meet PSPF Policy 12. This policy applies to DVA’s workforce, including contractors, and was last updated in November 2019.

3.42 Table 3.2 below outlines the requirements of PSPF Policy 12 that are to be established by DVA and the arrangements DVA has established for pre-employment screening processes and standardised vetting practices when engaging contractors.

Table 3.2: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 12: Eligibility and suitability of personnel

Note a: DVA advised the ANAO in March 2022 that DVA ‘considers the security delegation of this decision making by the Chief Security Officer (CSO) to Security Advisors (in this instance the EL2 Director of Security) to be compliant with, and in the spirit of PSPF requirements.’ DVA also noted that PSPF Policy 2: Management structures and responsibilities states that: ‘the CSO is empowered to appoint security advisors…[and] is encouraged to…ensure delegations allow security advisors to undertake specific action in line with the policy of the entity’. In DVA’s PSPF maturity self-assessments submitted to AGD, DVA reported one non-citizenship waiver in 2019–20 and nil waivers in 2020–21.

Note b: Services Australia submits security clearance requests to AGSVA on behalf of DVA.

Source: ANAO assessment of DVA documentation.

3.43 In summary, DVA has policies and processes in place to address most requirements in PSPF Policy 12. The requirements not addressed in DVA’s Personnel Security Protocol relate to: obtaining an individual’s agreement to comply with government policies, standards, protocols and guidelines that safeguard resources from harm, as required under Supporting Requirement 1(c) of PSPF Policy 12; and a delegation arrangement for waiving citizenship requirements that does not align with Supporting Requirement 2(d)(ii) of PSPF Policy 12.

3.44 DVA advised the ANAO that:

The PSPF recommendation that entities are encouraged to seek an agreement to comply with government policies as part of the pre-employment eligibility process is not a mandatory requirement of the PSPF, rather reflects better practice.

3.45 The ANAO sought advice from AGD as to whether the requirement was mandatory or not. AGD advised that:

We can confirm that as part of the pre-employment screening requirement in Policy 12, it is mandatory for entities to obtain a person’s agreement to comply with the government’s policies, standards, protocols and guidelines that safeguard resources from harm. The PSPF does not mandate the form of that agreement, but it is recommended that entities obtain that agreement by asking a person to sign an undertaking to that effect.

3.46 The PSPF is an Australian Government policy, which means that non-corporate Commonwealth entities, including DVA, must apply the framework to the extent consistent with legislation.⁸⁸

Arrangements for monitoring and reporting that requirements of PSPF Policy 12 have been addressed when contractors have been engaged

Shared Services assurance arrangements

3.51 A DVA and Services Australia Partnership Forum (DSPF) was established in March 2016. The DSPF oversees delivery against the Statement of Intent and addresses critical strategic and operational issues impacting the health of the partnership between the two agencies. The DSPF receives updates from operational sub-committees including the Shared Services Committee that oversees corporate shared services. The DSPF last met in August 2021. DVA advised that future meetings have been postponed and the DSPF is now undergoing a review.⁸⁹

3.52 Under the Corporate Shared Services Schedule, Services Australia is required to perform relevant checks, as discussed in paragraph 3.37, and advise DVA of the outcome.⁹⁰ The Corporate Shared Services Schedule also provides for monthly reporting from Services Australia which includes the number of pre-employment checks processed for the month and the cumulative total for the financial year.

3.53 DVA uses a tracking spreadsheet to monitor progress in its onboarding of personnel. The spreadsheet is sent back-and-forth between Services Australia and DVA on a daily basis. DVA updates the spreadsheet with information it has provided to Services Australia such as noting the date that pre-employment documentation was submitted to Services Australia, and Services Australia updates the spreadsheet based on the status of Services Australia’s screening tasks. DVA advised the ANAO that it uses the monthly reporting from Services Australia, discussed above, to validate the number of pre-employment checks recorded in the tracking spreadsheet. DVA advised the ANAO in March 2022 that:

The purpose of the daily excel tracker sent between DVA PSB [People Services Branch] and Services Australia (SAu) is to ensure accuracy across all contractors onboarding information between both teams.

3.54 Services Australia provides dashboard reporting to the DSPF that includes the number of DVA personnel (including contractors) onboarded by Services Australia and relevant management projects and activities, including any issues raised via the tracking spreadsheet.

Annual Assurance Statement

3.55 Commencing in 2021–22, Services Australia intends to provide DVA with an Annual Assurance Statement (AAS), aligning its approach to assurance reporting across all key partner entities. A proposed approach to developing the AAS was introduced by Services Australia to the DSPF in August 2021.⁹¹ The DSPF noted the anticipated benefits of the AAS:

An AAS provides objective-level assurance against the strategic principles outlined in the Statement of Intent and complements existing financial assurance frameworks. An AAS will also increase visibility of programme performance and service delivery commitments.

3.56 DVA has been engaged in the design of the statement. A draft statement was shared with stakeholders in DVA for review and feedback in October 2021. DVA has identified that the benefits of the AAS will include: the provision of confirmation that services delivered under bilateral arrangements meet the expectations of DVA and support financial and non-financial reporting; and identification of risks that extend beyond a single entity.

Security Quarterly Action Plan

3.57 In 2020–21 DVA established a Security Quarterly Action Plan (SQAP), comprising a range of annual assurance activities planned for each of the 16 PSPF policies. The SQAP is set out in a spreadsheet that is updated throughout the year to reflect progress against planned activities, including findings, remediation actions, and opportunities for process improvements. DVA advised the ANAO that prior to 2020–21:

DVA’s security assurance activities were predominantly ad-hoc requests from DVA governance committees, and therefore not routinely planned or documented.

3.58 The SQAP forms part of the evidence for auditing and maturity reporting for a given PSPF cycle. DVA has stated in the SQAP that:

As a general rule, PSPF Reporting should be the primary SQAP Activity of Q1, as it provides considerable weight for prioritisation and identification of actions for the forward work plan.

…

It is important to monitor ‘BAU’ work being undertaken … to identify actions that should be recorded in the SQAP, and trigger a re-prioritisation of existing SQAP activities.

3.59 DVA advised the ANAO that the current process for identifying activities for inclusion in the SQAP includes: review of previous SQAP findings; relevant audit findings; PSPF Maturity reporting; peer review; and Security Committee review.

3.60 The ANAO reviewed the 2020–21 and 2021–22 SQAPs and identified four review activities that were completed relating to PSPF Policy 12.

• A review in 2021–22 of whether security clearances held by personnel met the security clearance requirements of their role. The review identified 29 personnel holding positions requiring an NV1 security clearance or above, who were not recorded as holding a valid security clearance. Mitigation involved a number of activities including: initiating the security clearance process; upgrading clearance levels; transferring sponsorship from other entities; resolving errors in HR SAP records; and downgrading or removing a clearance requirement from the position to reflect the role requirements.
• A review in 2020–21 on the currency of security clearance waivers which found that all identified waivers were either completed or still within the timeframe for annual review. There was a recommendation to create standard operating procedures for this process.
• Two reviews of the ten most recently employed staff and contractors to ensure pre-employment screening, clearance and induction were completed.
  • The first review was conducted in quarter two of 2020–21 and found that: all ten staff had undertaken a police check; only one staff member required a clearance for their position and the clearance process had been initiated; and the induction completion status could not be determined for nine staff.⁹²
  • The second review was conducted in quarter three of 2020–21 and found that: one staff member did not have the required clearance for their position (this person’s clearance process was initiated to remediate the finding); and four new starters were not captured in the induction process. A review of induction systems to capture missing staff, and create consistent records, was recommended.⁹³

3.61 DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each meeting.⁹⁴ The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A summary of outcomes from the 2020–21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021–22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021–22 SQAP was provided to DVA’s Audit Committee in March 2022.

3.62 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 12.

4.1 Once engaged by DVA, the ongoing management of contractors involves:

• day-to-day oversight of the contractor and management of the contract to ensure that contracted outcomes are being delivered as required;
• assessment and management of the ongoing suitability of the contractor to access Australian Government resources; and
• withdrawing access and managing any ongoing risks at the end of the contract.

4.2 The ANAO examined the following to form a view on the fitness-for-purpose of DVA’s arrangements for the management of contractors.

• Documentation promulgated to officials to inform them of the agency’s requirements and expectations for the management of contractors and the training that was available to support implementation of the guidance.
• Policies and processes for ensuring the ongoing suitability of contracted personnel to access Australian Government resources, as required by PSPF Policy 13: Ongoing assessment of personnel, and monitoring and reporting on compliance.
• Policies and processes for contracted personnel to have their access withdrawn and to be informed of any ongoing security obligations, as required under PSPF Policy 14: Separating personnel, and monitoring and reporting on compliance.

Has DVA clearly documented its requirements and expectations regarding the management and oversight of contractors?

Framework documenting the requirements and expectations of contract managers

4.3 DVA has established the ‘Finance Business Rule: Procurement and Contract Management Framework’, which is available on DVA’s intranet and is intended to mitigate procurement and contract management risks identified by DVA.⁹⁵ DVA advised the ANAO that:

The Procurement and Contract Management Framework was implemented to create a more transparent and centralised approach to procurement, strengthened by enhanced capabilities of all staff and embed processes for improved planning and quality documentation.

4.4 The ANAO’s review indicates that the framework covers procurement requirements, including the Commonwealth Procurement Rules and procurement pathways within DVA, but does not cover contract management.

4.5 The ANAO’s review of DVA’s Accountable Authority Instructions (AAIs) and Blended Workforce Guide found that there was no guidance in these documents on the responsibilities of its contract managers in: actively managing the contract to ensure the contract meets its objectives; monitoring the achievement of contract deliverables and budgets to ensure the department obtains value for money; and identifying, assessing and managing contract risks.

4.6 DVA advised the ANAO in February 2022 that it is:

currently in the process of developing Standard Operating Procedures (SOP) for contingent labour hire to further assist hiring business areas with the decision making and process around engaging and managing labour hire.

4.7 DVA has established an intranet page to provide procurement templates and guidance, including a link to the Department of Finance’s Australian Government Contract Management Guide.⁹⁶ In relation to this guide, DVA advised the ANAO that:

The guide provides practical process guidance to support effective contract management at a practitioner level for Commonwealth entities. It is a resource DVA contract managers can access and refer to.

4.8 The intranet page also includes a link to a contract management best practice guide, developed by DVA, which outlines a summary of best practice for aspects of contract management including: risk management; performance management; financial management; and contract variations and amendments.

4.9 DVA has documented its requirements and expectations regarding the oversight (supervision) of contractors in the Blended Workforce Guide and Induction Booklet. This information is available on DVA’s intranet. These documents list the responsibilities of DVA’s managers, which include: reinforcing DVA’s Cultural Vision; establishing expectations and managing performance; leading knowledge sharing activities to maintain corporate knowledge; guiding new staff through the induction and orientation process, which includes mandatory training; and providing relevant and necessary on the job training.

Training for contract managers about managing and oversighting contractors

4.10 DVA advised the ANAO in March 2022 that:

DVA offers training to support the general uplift of contract and procurement skills across the department. Currently, we run the Procurement Essentials and Contract Management course for interested staff. This course is a one day workshop, and is owned and delivered by the APS Academy.⁹⁷

4.11 DVA advised that this course is not mandatory but is available to all DVA staff. Courses conducted prior to this used a platform (Adobe Flash) that is no longer supported.

4.12 DVA also advised that:

DVA runs QUEST (Quarterly Update – Education, Support & Training) training to support the professional, technical and personal development for all delegates and service delivery staff in the Client Benefits Division, Client Engagement & Support Services Division, and the Mental Health & Wellbeing Services Division. QUEST video #06 specifically refers (Procurement and Contract Management Framework). The QUEST program is compulsory for CBD and CESS staff.

4.13 The ANAO’s review of QUEST video program #06 found that the program covers DVA’s Procurement and Contract Management Framework. As discussed at paragraph 4.4, the ANAO’s review of the framework found that it covers procurement requirements but does not cover contract management.

Monitoring of contract manager training completion rates

4.14 As discussed in Chapter 3 (paragraphs 3.28–3.29), DVA advised the ANAO that: it is the responsibility of every manager to monitor and support their staff members to complete all training as required for the successful completion of their role; and there is currently no centralised monitoring undertaken to ensure that all managers are appropriately discharging these responsibilities.

Has DVA established arrangements for the management of contractors that support compliance with PSPF Policy 13: Ongoing assessment of personnel?

4.15 When personnel (including contractors) are engaged, entities must ensure that the eligibility and suitability requirements that were established prior to commencement continue to be met. This entity responsibility is set out in PSPF Policy 13: Ongoing assessment of personnel. The purpose of the policy is to describe how entities maintain confidence in the suitability of their personnel to access Australian Government resources and manage the risk of malicious or unwitting insiders. The core requirement of PSPF Policy 13 is that ‘each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.’

4.16 In its 2018–19, 2019–20, and 2020–21 self-assessment of its maturity against PSPF Policy 13 requirements submitted to the Attorney-General’s Department (AGD), DVA rated its maturity as ‘developing’.⁹⁸

Arrangements for assessing and managing the ongoing suitability of contractors and sharing relevant information

4.17 DVA’s Personnel Security Protocol and Managing Security Incidents Protocol apply to DVA’s workforce, including contractors, and set out what the agency must do to meet PSPF Policy 13. Table 4.1 (below) outlines the results of the ANAO’s review of DVA’s policies and processes for assessing and managing the ongoing suitability of contractors.

Table 4.1: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 13: Ongoing assessment of personnel

Note a: PSPF Policy 13 Supporting Requirement 1(a)(ii) requires that entities must conduct annual security checks with all security cleared personnel. DVA’s security awareness training module highlights reporting requirements, including change of circumstance reporting.

Note b: PSPF Policy 13 Supporting Requirement 1(a)(iii) requires that entities must monitor compliance with, and manage risk in relation to, clearance maintenance requirements for security clearance holders granted a conditional security clearance and reporting non-compliance to the authorised vetting agency.

Note c: DVA advised the ANAO that it has not sponsored security clearance eligibility waivers for contractors, and as such there has been no need to have a specific or DVA branded policy or procedure with regard to annual reviews of them. In its 2020–21 self-assessment of its maturity against PSPF Policy 13 requirements submitted to AGD, DVA reported nil instances of where the accountable authority had waived the citizenship or checkable background requirements for any security clearances sponsored by the entity. DVA advised the ANAO in May 2022 that ‘the recording of nil against question 13.7 of the 2020– 21 PSPF report appears to be a clerical error’ as DVA had sponsored one citizenship eligibility waiver for an APS staff member as at 30 June 2021.

Source: ANAO analysis of DVA documentation.

4.18 In summary, DVA has established policies and processes to support compliance with most of the core requirements of PSPF Policy 13. DVA’s policies and processes address most aspects of the PSPF requirements and apply to all personnel, including contractors. DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Policy 13 Supporting Requirement 1(a)(iii). DVA’s Personnel Security Protocol also does not cover the annual review of eligibility waivers, or review before revalidation of a security clearance, and prior to any proposed position transfer, as required under PSPF Policy 13 Supporting Requirement 1(a)(iv).

Arrangements for monitoring and reporting that the ongoing suitability of contractors has been assessed and managed

4.19 PSPF Policy 13 Supporting Requirement 1(a)(ii) requires that entities must conduct annual security checks with all security cleared personnel. As stated in Table 4.1, DVA’s Personnel Security Protocol requires managers to embed security considerations into their annual performance appraisals. DVA advised the ANAO that:

The performance cycle has both a mid-cycle review conducted in March, and an end of cycle review conducted in September. This involves a verbal conversation between manager and staff member. Having these conversations or ‘checks’ with staff twice a year, exceeds the PSPF requirement for it to be done once a year, or ‘annually’.

The DVA Security Awareness training module, and Personnel Security Protocol provide guidance to Managers to support them in identifying changes and behaviours of concern with regard to personnel security, to assist with the biannual check conversations, and detect potential non-compliance with regard to clearance obligations.

4.20 The ANAO’s analysis of DVA’s mandatory training modules in Chapter 3 (paragraph 3.22) found that, while the Performance Management training module provides guidance in identifying changes and behaviours of concern with regard to personnel security, the module does not include content informing managers of their responsibility to incorporate ongoing suitability assessments into annual performance discussions.

4.21 DVA’s 2021–22 Security Quarterly Action Plan (SQAP) includes a future remediation activity involving work with DVA’s HR function to integrate annual security clearance checking into performance cycle assessments. This activity has no indicative timeframe for completion in the SQAP. DVA advised the ANAO in April 2022 that:

work has not commenced on this task to date. It is intended to be scheduled for completion in the following FY as part of the 2022–23 SQAP.

4.22 DVA reported in its 2020–21 self-assessment that:

As part of the revised Security Risk Management Plan, DVA Security will coordinate a Personnel Security Risk Assessment, with a view to updating policies and awareness to better address a consistent and monitored approach to clearance maintenance, reporting and aftercare management.

This is scheduled to be implemented by 30 June 2022, and will support DVA’s efforts to achieve a ‘Managing’ rating for the 2022–23 reporting period.

4.23 In summary, further work is required by DVA to embed security considerations into DVA annual performance appraisals. DVA has identified that its policy is not being implemented as required, and it has established a schedule to update policies and raise awareness by 30 June 2022. DVA should update its senior executive and the PSPF policy owner on the status of this work, as part of its next annual report.

Security Quarterly Action Plan

4.27 As discussed in paragraphs 3.57 and 4.21, DVA has established a SQAP which is comprised of a forward work program of assurance activities by financial year to assess compliance with the PSPF, including Policy 13. The SQAP was established in 2020–21.

4.28 The ANAO reviewed the 2020–21 SQAP and identified the following assurance activities that were completed in relation to PSPF Policy 13.

• Review of a random 10 per cent of contractors in Designated Security Assessed Positions (DSAPs) to ensure clearances met role requirements. Of the 20 contractors reviewed in 2020–21, 14 had a suitable security clearance. Of the remaining six contractors, three had the security clearance process initiated⁹⁹, two were identified as holding positions that no longer required security clearances, and one did not have an outcome recorded in the SQAP.
• Review of a random five per cent of DSAPs to assess the effectiveness of ongoing security clearance management and awareness arrangements. Of the eight positions reviewed in 2020–21, five positions were vacant, one position had an occupant whose clearance was being finalised, and two positions had occupants without security clearances.¹⁰⁰ For the two positions that had occupants without security clearances, DVA emailed the relevant staff advising them of the requirement to obtain a clearance and asking them to commence the clearance process.¹⁰¹

4.29 The 2021–22 SQAP also includes an activity to gain assurance over the extent to which changes in circumstances have been reported to the Australian Government Security Vetting Agency (AGSVA).

4.30 As discussed in paragraph 3.61, DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each Security Committee meeting. The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A summary of outcomes from the 2020–21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021–22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021–22 SQAP was provided to DVA’s Audit Committee in March 2022.

4.31 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 13. Testing conducted by DVA during 2020–21 indicates that policies are not being implemented for contractors in roles with security clearance requirements. This situation requires further attention.

Has DVA established arrangements for the separation of contractors that support compliance with PSPF Policy 14: Separating personnel?

4.32 When individuals (including contractors) permanently or temporarily leave their employment with an entity, entities are required to take steps to mitigate risks that Australian Government resources will be accessed by individuals without permission or that ongoing security obligations are not met. These requirements are set out in PSPF Policy 14: Separating personnel. Policy 14 states that:

Each entity must ensure that separating personnel:

a) have their access to Australian Government resources withdrawn;

b) are informed of any ongoing security obligations.

4.33 In its 2018–19, 2019–20, and 2020–21 self-assessment of maturity against PSPF Policy 14 requirements, submitted to AGD, DVA rated its maturity level as ‘developing’.¹⁰²

4.34 To examine whether DVA had established arrangements for the management of contractors that support compliance with PSPF Policy 14, the ANAO reviewed DVA’s arrangements for:

• withdrawing access and informing separating contractors of any ongoing security obligations; and
• obtaining assurance that access has been withdrawn and briefings provided to separating contractors.

Arrangements for managing access and ongoing security obligations of separating contractors

4.35 DVA’s Personnel Security Protocol applies to DVA’s workforce, including contractors, and sets out what the agency must do to meet PSPF Policy 14. Table 4.2 below outlines the results of the ANAO’s review of DVA’s policies and processes for managing access and ongoing security obligations of separating contractors.

Table 4.2: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 14: Separating Personnel

Note a: Refer to Auditor-General Report No. 32 2021–22 Interim Report on Key Financial Controls of Major Entities, paragraphs 3.4.18–3.4.20.

Note b: DVA advised the ANAO that ‘the highly exceptional nature of this requirement, complex privacy issues and role of AGSVA has not necessitated a policy or procedure to address PSPF 14 1c’.

Source: ANAO assessment of DVA documentation.

4.36 In summary, DVA has established policies and processes that largely support compliance with the core requirements of PSPF Policy 14. DVA has established arrangements to remove access to Australian Government resources and inform separating personnel of ongoing security obligations. However, DVA has not established policies or processes that outline a requirement for DVA to provide receiving entities with relevant security information, as required under PSPF Policy 14 Supporting Requirement 1(c), or to undertake a risk assessment to identify security implications in instances where it is not possible to undertake required separation procedures as required under PSPF Policy 14 Supporting Requirement 3.

Arrangements for monitoring and reporting that the requirements of PSPF Policy 14 have been met when contractors are separating

4.37 In its 2020–21 self-assessment of maturity against PSPF Policy 14 requirements, submitted to AGD, DVA identified that:

further work is required to strengthen staff/contractor separating processes. Furthermore, it has been identified [that] risk assessments have only been conducted on an ad-hoc basis for these staff, and where a separation procedure was unable to be followed.

A Personnel Security Risk Assessment and planned review of the Personnel Security Protocol will mandate this practice, with processes being developed, in conjunction with Human Resources, to ensure a debrief will be a mandatory component of the separation checklist.¹⁰³

4.38 PSPF Policy 14 Supporting Requirement 1(b) requires that entities debrief separating personnel who have access to sensitive or security classified information, including advising them of their continuing obligations under the Commonwealth Criminal Code and other relevant legislation, and obtain the person’s acknowledgement of these obligations. DVA advised the ANAO that:

DVA Security has been working with People Services Branch for several months (as part of their ‘Docusign’ project)¹⁰⁴ to incorporate advising separating staff of secrecy/ongoing obligations regarding information security, and seek their acknowledgement.

4.39 In its 2020–21 self-assessment of maturity against PSPF Policy 14 requirements, DVA reported that:

DVA Security is revising the Agency Security Plan (ASP) and Security Risk Management Plan (SRMP), and participating in multi-disciplinary work-groups to ensure increases in the department’s maturity against this module.

4.40 DVA further advised the ANAO in March 2022 that the revision of the Agency Security Plan and Security Risk Management Plan:

is underway, although currently behind schedule owing to the culmination of staffing level shortages, increases in operational workload and an increasing number of ad-hoc priority requests relating to governance.

Security Quarterly Action Plan

4.45 As discussed in paragraph 3.57, DVA has established a SQAP which is comprised of a forward work program of assurance activities by financial year to assess compliance with the PSPF, including Policy 14.

4.46 The ANAO reviewed the initial SQAP (2020–21) and identified one assurance activity related to PSPF Policy 14 — to review the ten most recent staff cessations to assess the extent to which advice to AGSVA and separation documents were complete. The review found that IT access and building access passes had been deactivated for all ten separated personnel. The review also noted that staff separation documents did not include questions related to security and recommended that security questions be included in separation documents to support compliance with PSPF Policy 14.

4.47 The ANAO also reviewed the 2021–22 SQAP and identified one completed assurance activity to review a sample of personnel separating from DVA. In March 2022, the DVA Security Committee was advised that this review found that, of the 105 separated APS and labour hire personnel sampled, 81 per cent did not complete DVA’s cessation checklist, leaving an ‘unknown level of security risk regarding the return of assets and potential access to systems’.

4.48 Further, the review of separating personnel noted that ‘anecdotal evidence from DVA Security Incident Reports suggests that a number of ICT Assets (namely Surface Pros) have not been returned to the department, and in a number of the recorded instances, this has been due to contractor personnel not returning equipment upon separation from the department’. DVA advised the ANAO in June 2022 that ‘DVA assurance activities identified instances where contractor personnel had not returned equipment to DVA until after their separation.’ The 2021–22 SQAP includes further activity to assess the removal of clearance sponsorship, removal of IT access, return of assets, and debriefing on confidentiality requirements. The 2021–22 SQAP also includes an activity to review software introduced to automate the processing of separating personnel.

4.49 As discussed in paragraph 3.61, DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each Security Committee meeting. The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A summary of outcomes from the 2020–21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021–22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021–22 SQAP was provided to DVA’s Audit Committee in March 2022.

4.50 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 14.

Appendix 1 Entity responses

Appendix 2 Performance improvements observed by the ANAO

1. The fact that independent external audit exists, and the accompanying potential for scrutiny, improves performance. Program-level improvements usually occur: in anticipation of ANAO audit activity; during an audit engagement as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• initiating reviews or investigations; and
• introducing or revising policies or guidelines.

4. In this context, the below improvements were observed by the ANAO during the course of the audit. It is not clear if these actions and/or the timing of these actions were already planned before this audit commenced. The ANAO has not sought to obtain reasonable assurance over the source of these improvements or whether they have been appropriately implemented.

5. The following performance improvements were observed by the ANAO during the course of this audit.

• DVA provided the ANAO with updated training data as at 18 May 2022, which indicated an increase in the overall course completion rate since 22 December 2021. The ANAO notes that this increase followed the introduction of a new ‘Fraud and Corruption Control in DVA’ course which replaced the previous ‘Fraud Awareness at DVA’ module, discussed at paragraphs 3.26–3.27. During the course of the audit, DVA identified that the previous fraud awareness training course had been left off DVAtrain, which is the department’s learning management system. The new training course was introduced in late April 2022 and staff are allowed two months to complete the module. As such, all DVA staff were within the allowable timeframe for completion of the module during the course of the audit.
• DVA has commenced work on the creation of a central register for all new DVA personnel to mitigate issues identified in the 2020–21 Security Quarterly Action Plan (see paragraph 3.60) and ensure that all staff complete security induction training. DVA advised the ANAO that the register will collect the date that new personnel commence employment and the date that their induction training is completed. DVA advised that it intends to monitor the register and follow-up when non-completion is identified.
• DVA is currently developing standard operating procedures to assist business areas with the decision making and process around engaging and managing labour hire (see paragraph 4.6). These procedures are intended to cover: the definition of labour hire, contractors and consultants; roles and responsibilities; points of contact; and mandatory processes, procedures and templates.

Appendix 3 Measures for reporting on workforce size

1. The Australian Public Service Commission (APSC) provides the following information on measures used to report on workforce size.¹⁰⁹

2. Each year a ‘snapshot’ of data concerning all Australian Public Service (APS) employees as at 30 June and 31 December is released by the APSC. The data is provided by agencies and is drawn from the Australian Public Service Employment Database. APS employment data includes:

• demographic variables including age, gender and work location;
• classification level of APS employees, from trainee to Senior Executive Service;
• diversity data including voluntary items self-reported by APS staff such as disability status, Indigenous status, and cultural diversity; and
• staff movements including engagements, separations and transfers between agencies.

3. The reported size of the APS workforce is a headcount of all people employed at the time of the snapshot. This figure does not adjust for hours worked and it includes any employees who are on extended leave (for 3 months or more), including those on maternity leave and leave without pay.

4. This figure is different to Average Staffing Level (ASL) data provided in the Federal Budget papers. The ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part-time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.

5. The Government places a cap on ASL. This is applied across the General Government Sector (which incorporates all of the APS and a range of other government agencies). ASL caps are published in the Federal Budget Papers each year.

6. Another measure of employee numbers used by both private and public sector organisations is Full Time Equivalent (FTE). This is a count of all hours worked at a point in time and then converted to the number of full-time staff. For example, two staff each working 0.6 days per week would be counted as 1.2 FTE.

Appendix 4 DVA labour hire and contractor data as at 30 June 2021

1. As at 30 June 2021, DVA’s records indicate that it had 1287 contractors and labour hire personnel. The following sections provide further information of the contractors and labour hire personnel including organisation group, and job family.

2. Figure A.1 illustrates the 1287 contractor and labour hire personnel as at 30 June 2021 by DVA organisational group. Of the 1287 contractor and labour hire personnel, the majority of personnel (942 personnel or 73.2 per cent) were employed in three organisational groups. DVA’s Mental Health and Wellbeing Services division accounted for 477 personnel (37.1 per cent), the Client Benefits Division accounted for 286 personnel (22.2 per cent) and the Client Engagement and Support Services division accounted for 179 personnel (13.9 per cent).

Figure A.1: DVA’s contractors and labour hire personnel as at 30 June 2021 by DVA organisational group^a

Note a: Other organisational unit fields include: ‘General Counsel’ (19 staff), ‘Veteran and Family Policy’ (22 staff), Veterans’ Review Board (4 staff) and 61 staff who did not have an allocated organisational group.

Source: ANAO analysis of DVA data.

3. Figure A.2 illustrates the 1287 contractor and labour hire personnel as at 30 June 2021 by DVA job family. Of the 1287 contractor and labour hire personnel, the majority — 960 personnel or 74.6 per cent — were employed in three job families. Service Delivery had 569 personnel (44.2 per cent), Health had 269 personnel (21 per cent) and Project and Program had 122 personnel (9.5 per cent).

Figure A.2: DVA’s contractors and labour hire personnel as at 30 June 2021 by job family.^a

Note a: ‘Other’ job family categories include: ‘Accounting and Finance’ (18 staff), ‘Human Resources’ (12 staff), ‘Legal and Parliamentary’ (11 staff), ‘ICT’ (25 staff), ‘Monitoring and Audit’ (6 staff), ‘Organisational Leadership’ (31 staff), ‘Strategic Policy’ (8 staff), and 6 staff who did not have an allocated job family.

Source: ANAO analysis of DVA data.

Appendix 5 Essential Elearning Plan module structure