Summary and recommendations
Background
1. The Department of Foreign Affairs and Trade (DFAT) is responsible for issuing passports to Australian citizens in accordance with the Australian Passports Act 2005, with delivery of passport services in Australia and overseas being one of DFAT’s three key outcomes. In July 2006, DFAT established the Australian Passport Office as a separate division to provide passport services. The Australian Passport Office has offices in each Australian capital city and it collaborates with Australian diplomatic missions and consulates to provide passport services to Australians located overseas.
2. DFAT is also the entity responsible for Australia’s international trade agreements. The Commonwealth Procurement Rules (CPRs) incorporate the requirements of Australia’s international trade obligations and government policy on procurement into a set of rules. As a legislative instrument, the CPRs have the force of law.1 Officials from non-corporate Commonwealth entities such as DFAT must comply with the CPRs when performing duties related to procurement. Achieving value for money is the core rule of the CPRs.
Rationale for undertaking the audit
3. The issuing of passports to Australian citizens is an important function of the Department of Foreign Affairs and Trade, undertaken by its Australian Passport Office. Between 1 July 2019 and 31 December 2023, the Australian Passport Office managed 331 contracts totalling $1.58 billion.
4. During the conduct of an earlier audit, Auditor-General Report No. 13 2023–24 Efficiency of the Australian Passport Office, the ANAO observed a number of practices in respect of the conduct of procurement by DFAT through its Australian Passport Office that merited further examination. The Auditor-General decided to commence a separate audit of whether the procurements DFAT conducts through its Australian Passport Office comply with the Commonwealth Procurement Rules and demonstrate the achievement of value for money.
5. The audit provides assurance to the Parliament of the effectiveness of the department’s procurement activities in achieving value for money, and the ethics of the department’s procurement processes, noting that procurement is an area of continuing focus by the Joint Committee of Public Accounts and Audit.2
Audit objective and criteria
6. The objective of the audit was to examine whether the procurements that DFAT conducts through its Australian Passport Office are complying with the Commonwealth Procurement Rules and demonstrating the achievement of value for money.
7. To form a conclusion against this objective, the following high-level criteria were applied.
- Have open and competitive procurement processes been employed?
- Has decision-making been accountable and transparent?
8. The audit focussed on procurement activities by the Australian Passport Office relating to contracts and contract variations that had a start date of between 1 July 2019 and 31 December 2023.
Conclusion
9. The procurements that DFAT conducted through its Australian Passport Office did not comply with the Commonwealth Procurement Rules and DFAT’s procurement policies, and did not demonstrate it had achieved value for money.
10. DFAT did not employ open and competitive processes in the conduct of Australian Passport Office procurement. There were no procurements conducted between July 2019 and December 2023 by way of an open approach to the market. Of the 73 procurements examined in detail by the ANAO, 29 per cent involved competition where the department had not identified a preferred supplier prior to inviting quotes.
11. Procurement decision-making was not sufficiently accountable and was not transparent. Procurement practices have fallen short of ethical standards, with DFAT initiating inquiries of the conduct of at least 18 individuals, both employees and contractors, in relation to Australian Passport Office procurement activities examined by the ANAO.
Supporting findings
Open and competitive procurement
12. DFAT did not appropriately plan the procurement activities for its Australian Passport Office. There was no overarching procurement strategy. The department engaged a contractor to develop a multi-year procurement strategy that was never completed. Overall, only 15 per cent of the 62 approaches to market examined by the ANAO met the minimum requirements at planning stage. (See paragraphs 2.3 to 2.20)
13. None of the 243 contracts totalling $476.5 million the APO entered between 1 July 2019 and 31 December 2023 was let via an approach to the open market.
14. DFAT’s AusTender reporting indicates the APO procures by open tender from a panel arrangement 71 per cent of the time. The ANAO examined 53 contracts DFAT had reported this way and identified that for 15 contracts (28 per cent) the APO had deviated from the panel arrangement to the extent that the approach constituted a limited tender. The ANAO also examined 12 contracts valued over the $80,000 threshold reported by DFAT as let by limited tender. The approach taken for six of these contracts (50 per cent) did not demonstrably satisfy the limited tender condition or exemption from open tender that had been reported by DFAT. The department’s approach is inconsistent with the Commonwealth Procurement Rules which, in turn, reflect the requirements of the Australia-United States Free Trade Agreement (DFAT is the Australian Government entity responsible for Australia’s international trade agreements). (See paragraphs 2.22 to 2.50)
15. A competitive approach was used to establish only 29 per cent of the 73 contracts tested by number or 25 per cent by value. This involved the APO inviting more than one supplier to quote in a process that did not have a pre-determined outcome. On 19 occasions the procurement approach was not genuine as the purported competitive process did not, in fact, involve competition. (See paragraphs 2.51 to 2.70)
16. For 14 per cent of contracts tested, evaluation criteria were included in request documentation with those same criteria used to assess submissions. (See paragraphs 2.72 to 2.77)
17. There was not a documented approval to approach the market for 36 per cent of the 73 contracts examined in detail by the ANAO. Advice provided to approvers on the outcomes of approaches to market in most cases did not demonstrate how value for money was considered to have been achieved. Three-quarters of the time the approval was requested by an embedded contractor, often populating a template as an administrative function and sometimes at the direction of the approver telling them what to recommend.
18. One quarter of the time, approval was given within a week of the expected contract start date. A 2022–23 practice of approving commitments on the understanding that the Department of Finance would later agree to additional funding to cover the costs was not sound financial management. (See paragraphs 2.79 to 2.104)
Accountable and transparent decision-making
19. For 71 per cent of the procurements examined by the ANAO, an appropriate contractual arrangement was in place prior to works commencing and after approval had been obtained to enter the arrangement. (See paragraphs 3.3 to 3.13)
20. Sound and timely advice was not provided to inform decisions about whether to vary contracts. In aggregate, the contracts the APO entered between 1 July 2019 and 30 June 2023 doubled in value during that period through contract amendment. The approval records for contract variations did not include advice on how value for money would be achieved and, for a number of high value contracts, approval was sought after costs were incurred. A quarter of the variations tested were entered after the related services had commenced and/or costs incurred. (See paragraphs 3.14 to 3.35)
21. ANAO analysis of AusTender data between 1 July 2019 and 30 June 2023 indicated that DFAT did not meet the Commonwealth Procurement Rules requirement to report contracts and amendments within 42 days of execution at least 22 per cent of the time. The extent of non-compliance increased to 44 per cent when the analysis was based on ANAO examination of the departmental records in a sample of 230 contracts and amendments. The AusTender reporting of 70 APO contracts examined was largely accurate. The reported descriptions of the goods or services procured were usually applicable but were also usually lacking in detail. The reported reasons given for 112 contract amendments examined did not contain sufficient detail to meet the minimum instructions in the AusTender reporting guide 81 per cent of the time. (See paragraphs 3.37 to 3.52)
22. Procurement activities fell short of ethical requirements. In response to ethical findings made by the ANAO in relation to a number of the procurements examined as part of this performance audit, the department advised the ANAO that it considers there are clear indications of misconduct involving a number of current or former DFAT officials and contractors as well as clear cultural issues. The department has commenced, or is considering, investigation (or referral) activity in relation to the conduct of at least 18 individuals in relation to various procurements examined by the ANAO. (See paragraphs 3.53 to 3.83)
23. The department’s central procurement team has not exercised sufficient oversight of the APO’s procurement activities. Departmental risk controls that have been documented have not been complied with by the APO and this non-compliance should have been evident to the central procurement team, and addressed. The department also does not have adequate arrangements in place for the identification and reporting of breaches of finance legislation. (See paragraphs 3.85 to 3.105)
Recommendations
Recommendation no. 1
Paragraph 2.21
The Department of Foreign Affairs and Trade improve its planning of procurement activity for the Australian Passport Office, including but not limited to taking steps to assure itself that procurement planning requirements (internal to the department as well as those required by the Commonwealth Procurement Rules) are being complied with.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 2
Paragraph 2.71
The Department of Foreign Affairs and Trade strengthen its procurement processes for the Australian Passport Office so that there is an emphasis on the use of genuinely open competition in procurement to deliver value for money outcomes consistent with the requirements and intent of the Commonwealth Procurement Rules.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 3
Paragraph 2.78
The Department of Foreign Affairs and Trade include evaluation criteria in request documentation for all procurements undertaken for the Australian Passport Office, and procurement decision-makers ensure those criteria have been applied in the evaluation of which candidate represents the best value for money.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 4
Paragraph 2.106
The Department of Foreign Affairs and Trade strengthen its procurement policy framework by directly addressing the risk of officials being cultivated or influenced by existing or potential suppliers.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 5
Paragraph 3.36
The Department of Foreign Affairs and Trade strengthen its controls to ensure any contract variations are consistent with the terms of the original approach to market, and that officials do not vary contracts to avoid competition or other obligations and ethical requirements under the Commonwealth Procurement Rules.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 6
Paragraph 3.84
The Department of Foreign Affairs and Trade examine whether procurements not included in the sample examined by the ANAO also include ethical and integrity failures, and subject any such procurements to appropriate investigatory action.
Department of Foreign Affairs and Trade response: Agreed.
Recommendation no. 7
Paragraph 3.94
The Department of Foreign Affairs and Trade strengthen oversight by its central procurement area of the procurement activities of the Australian Passport Office. This should include being represented on the evaluation team for each procurement activity of higher risk or value.
Department of Foreign Affairs and Trade response: Agreed.
Summary of entity responses
24. The proposed report was provided to DFAT. Extracts of the proposed report were also provided to Alluvial Pty Ltd, Brink’s Australia Pty Ltd, Compas Pty Ltd, Community and Public Sector Union, Customer Driven Solutions Pty Ltd, Datacom Systems (AU) Pty Ltd, Deloitte Touche Tohmatsu, Department of Finance, Grosvenor Performance Group Pty Ltd, Hays Specialist Recruitment (Australia) Pty Ltd, Mühlbauer ID Services GmbH, Peoplebank Australia Ltd, Procurement Professionals Pty Ltd, Propel Design Pty Ltd, Randstad Pty Ltd, Serco Citizen Services Pty Ltd, Services Australia, UiPath S.R.L, Verizon Australia Pty Ltd and Yardstick Advisory Pty Ltd. The letters of response that were received for inclusion in the audit report are at Appendix 1. Summary responses, where provided, are included below.
Department of Foreign Affairs and Trade
The department values the ANAO’s independent review of procurement practices at the Australian Passport Office (APO). The audit came at a time when the department was assessing the effectiveness of the current procurement model. As a result of both reviews, the department’s procurement practices will be amended to improve compliance and efficiency. This will include the Finance Division taking more centralised and direct control over procurement activities, and additional resources to implement changes and provide enhanced oversight.
The ANAO audit highlighted the proactive steps the current Executive Director APO took to address procurement and cultural issues when she commenced with the department in early 2023. Work has continued, leading to the creation of a new Procurement, Finance and Assurance Section within APO. Additionally, the Internal Audit Branch has initiated a wide-ranging internal audit of procurement activities across the department.
Following the ANAO audit report and internal reviews, the department will also revise its Compliance and Assurance Framework as it relates to Public Governance, Performance and Accountability Act 2013 obligations. The updated Framework will be purpose-built, adopt a risk-based approach, and include effective assurance mechanisms. The department has initiated activities to address specific areas of concern regarding actions of staff.
Compas Pty Ltd
Compas is concerned that the Proposed Report conveys an imputation that it has engaged in conduct that may not be in accordance with the Commonwealth Procurement Rules.
Such an imputation is incorrect.
The relevant evaluation process was an internal DFAT process over which Compas, rightly, had no visibility. Given this, Compas cannot respond to, nor is it privy to, what processes were taken by DFAT to address the Panel Member’s affiliation to it.
Any deficiencies in the evaluation process cannot be attributed to Compas, and the final report should make this expressly clear in its findings. Any failure to do so could result in a reader being under a misapprehension that Compas had the ability to influence the process, did in fact influence the process improperly and, as a result, gained an improper advantage or benefit.
Should such a misrepresentation occur, this would have an unreasonably adverse effect on Compas’ reputation that it has built over nearly 40 years and have a deleterious effect on our business.
Propel Design Pty Ltd
Propel Design notes the extract provided by the ANAO. Propel Design submitted its tender for the procurement in question in accordance with all requirements under the Digital Marketplace (now BUYICT) and was not aware of any individuals appointed to the evaluation panel. We believe our employee was selected as the preferred contractor based on their skills and experience, as set out in their resumé and our responses to the selection criteria.
Key messages from this audit for all Australian Government entities
25. Below is a summary of key messages that have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance
Procurement
Summary and recommendations
Background
1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1
2. The Australian Government defines fraud as:
Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2
3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:
Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4
Australian Skills Quality Authority
4. The Australian Skills Quality Authority (ASQA) is the Australian Government agency responsible for the regulation of around 90 per cent of vocational education and training (VET) providers operating in Australia. ASQA’s purpose is ‘to ensure quality VET, so that students, industry, governments and the community can have confidence in the integrity of national qualifications issued by training providers’.5
Rationale for undertaking the audit
5. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.6 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.7 This audit is intended to provide assurance to the Parliament regarding the fraud control arrangements in ASQA.
Audit objective and criteria
6. The objective of the audit was to assess the effectiveness of ASQA’s fraud control arrangements as the national regulator of the vocational education and training sector.
7. To form a conclusion against this objective, the following high-level criteria were adopted.
- Have appropriate arrangements been established to oversee and manage fraud risks?
- Have appropriate mechanisms been established to prevent fraud and promote a culture of integrity?
- Have appropriate mechanisms been established to detect and respond to fraud?
- Has the Australian Skills Quality Authority appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?
Conclusion
8. ASQA has established partly effective fraud control arrangements. ASQA’s Fraud Control Plan 2022–2024 and Fraud Control Policy focus on internal fraud risks and do not consider the entity’s regulatory fraud environment. ASQA has undertaken minimal steps to align with the Commonwealth’s revised Fraud and Corruption Control Framework which came into effect on 1 July 2024.
9. ASQA has not established appropriate arrangements to manage fraud risk. Fraud control arrangements are based on a fraud control policy that was developed in 2013 and does not reflect current Commonwealth legislative and policy requirements. ASQA’s Fraud Control Plan 2022–2024 does not consider its regulatory fraud control environment, and there is no process to test regulatory fraud controls systematically and regularly. The Fraud Control Plan 2022–2024 contains an overlap of roles and responsibilities of key officials.
10. ASQA has established largely appropriate mechanisms to prevent fraud and promote integrity across its internal and regulatory environments. This includes channels to promote fraud awareness and integrity internally through training, fraud qualifications and professional development, and engagement including social media and sector alerts. Within its regulatory environment, ASQA has established outreach mechanisms to the VET sector that address fraud awareness. ASQA has not appropriately assessed the effectiveness of these mechanisms.
11. ASQA has recently established detection controls, including a tip-off line and information-sharing relationships with external agencies. ASQA has not assessed the effectiveness of these detection controls. ASQA has established an investigatory process for regulatory fraud but does not measure its outcomes or effectiveness.
12. ASQA has taken minimal steps to align with the revised Commonwealth Fraud and Corruption Policy through the development of an updated draft Fraud and Corruption Control Policy and Plan for 2024–2026. ASQA has not prepared an implementation plan and there is no evaluation plan for the new or revised controls. ASQA’s new Fraud and Corruption Control Policy and Plan 2024–2026 has minimal updates from the Fraud Control Policy and Plan 2022–2024 and does not include regulatory fraud or corruption controls.
Supporting findings
Oversight and management of fraud risks
13. ASQA’s fraud control framework is based on a fraud control policy that was developed in 2013 and does not reflect current Commonwealth legislative and policy requirements, or the changes the entity has undergone in the 10 years since the policy was developed. ASQA’s Fraud Control Plan 2022–2024 does not consider the entity’s regulatory fraud control environment, and associated fraud control activities. ASQA has developed a regulatory model which details ASQA’s regulatory and compliance approach. The regulatory model does not specifically address fraud. ASQA’s fraud control plan includes an overlap of responsibilities between key officials. (See paragraphs 2.2 to 2.23)
14. ASQA’s Fraud Control Plan 2022–2024 identified one external fraud risk. The Plan identified seven internal fraud risks, six of which were reviewed during the period covered by the plan. ASQA undertook risk assessments in 2023 and 2024 within its regulatory environment using its environmental scan tool which identified fraud risk relating to visa fraud. The outcomes of risk assessments were not provided to ASQA’s internal audit function. (See paragraphs 2.24 to 2.39)
15. ASQA’s Fraud Control Plan 2022–2024 addresses internal fraud risks and controls and one external fraud risk relating to false or misleading information. The Plan does not address ASQA’s role as the national regulator for the VET sector and its associated regulatory fraud control environment. The Fraud Control Plan 2022–2024 contains controls commensurate with the identified internal fraud risks. Limited testing of controls occurred once in 2023, and mechanisms to test the internal fraud controls on a regular basis have not been established. (See paragraphs 2.40 to 2.48)
Fraud prevention and integrity culture
16. Internal preventative controls align with the risks identified in the entity’s Fraud Control Plan 2022–2024. Regulatory preventative measures include sector alerts and participation in the Fraud Fusion Taskforce. ASQA has not tested the effectiveness of its internal or regulatory fraud prevention controls (including its controls for managing identity fraud), or its documented procedures for preventing, detecting and responding to fraud. (See paragraphs 3.2 to 3.20)
17. ASQA promotes a fraud awareness culture within the entity through annual mandatory fraud awareness training and utilising internal communication channels, including CEO messages emailed to all staff. As at April 2024, the reported completion rate for ASQA’s mandatory fraud awareness training was 84 per cent. ASQA also undertakes outreach programs through mechanisms such as sector alerts and social media alerts to promote fraud awareness. (See paragraphs 3.21 to 3.27)
18. Officials with fraud control responsibilities at ASQA have opportunities for ongoing professional development through training, such as that provided by the Commonwealth Director of Public Prosecutions. ASQA officials engaged in fraud control activities hold relevant qualifications, including the Certificate IV in Government (Investigation) and Diploma in Government (Investigation). (See paragraphs 3.28 to 3.35)
Fraud detection and response
19. ASQA’s detection controls include mechanisms such as a tip-off line and information sharing arrangements with external agencies which provide an appropriate detection framework. There is no documented or consistent process for monitoring and evaluating the effectiveness of these detective controls. (See paragraphs 4.2 to 4.25)
20. ASQA has established mechanisms to investigate and respond to fraud but does not measure its performance, including the effectiveness and efficiency of its fraud response. There were no consistent documented processes and procedures for the operation of ASQA’s investigation capability. ASQA has referred matters to external agencies as part of their information sharing mechanisms. In early August 2024 there were two instances where ASQA referred fraud matters to the Commonwealth Director of Public Prosecutions. One fraud matter was discussed with the Australian Federal Police in 2023–24. (See paragraphs 4.26 to 4.37)
21. ASQA’s Annual Report 2022–23 includes its Accountable Authority’s certification on fraud control confirming that the CEO was satisfied that ASQA has appropriate prevention, detection, investigation, reporting and data collection procedures and processes in place. This certification in the annual report was not supported by evidence. ASQA has established reporting channels with other Commonwealth entities to report fraud and has provided information to the Australian Institute of Criminology as required, and has not kept records of the information provided. (See paragraphs 4.38 to 4.46)
Preparation for the revised Commonwealth Fraud and Corruption Control Framework
22. ASQA does not have an implementation plan for the revised Commonwealth Fraud and Corruption Control Policy. ASQA has an updated Fraud and Corruption Control Policy and Plan 2024–2026. As at July 2024, this document is still in draft and does not address ASQA’s regulatory fraud control environment. (See paragraphs 5.2 to 5.8)
23. ASQA has not established a plan to evaluate the implementation of new or revised fraud and corruption controls. (See paragraphs 5.9 to 5.10)
Recommendations
Recommendation no. 1
Paragraph 2.15
The Australian Skills Quality Authority ensures roles and responsibilities covered in its fraud control arrangements are current and commensurate with existing governance arrangements.
Australian Skills Quality Authority response: Agreed.
Recommendation no. 2
Paragraph 2.47
The Australian Skills Quality Authority updates its Fraud Control Policy and Plan to cover the full extent of its functions including its regulatory activities, supported by risk assessments that clearly address fraud risk and contain robust mitigation strategies.
Australian Skills Quality Authority response: Agreed in-part.
Recommendation no. 3
Paragraph 4.24
The Australian Skills Quality Authority documents its processes for monitoring and evaluating the effectiveness of its fraud controls across prevention and detection.
Australian Skills Quality Authority response: Agreed.
Summary of entity response
24. The proposed audit report was provided to ASQA. ASQA’s summary response is provided below, and its full response is included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
ASQA places a high value on review and improvement and welcomes the role that ANAO plays in providing independent insights supporting performance improvement. ASQA is already taking action to improve clarity of roles and responsibilities, and document our processes for monitoring and evaluating the effectiveness of fraud controls across prevention and detection to ensure that our internal controls are fit for purpose to protect the entity from these risks. Giving consideration to the audit findings, ASQA will now finalise our Fraud and Corruption Policy and Plan 2024-2026 under the revised Commonwealth Fraud and Corruption Control Framework, which came into effect during this audit in July 2024.
We note that the Commonwealth Fraud and Corruption Control Framework provides a system of governance and accountability across entities for protecting public resources from fraud and corruption. In its role as the National Regulator of VET ASQA is focused on protecting vulnerable students and taking action against non-genuine providers, and to scrutinise those who are in the business of managing or operating RTOs. This has a broader public purpose to prevent harms including those that might arise from external fraud that are not directed at or directly detrimental to the Commonwealth, but to students, employers or industry. This fact has implications for ASQA’s consideration of Recommendation 2 of this report.
Key messages from this audit for all Australian Government entities
25. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Program design
Summary and recommendations
Background
1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1
2. The Australian Government defines fraud as:
Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2
3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:
Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4
4. The audit examines fraud control arrangements in the National Health and Medical Research Council (the NHMRC). The NHMRC administers the Medical Research Endowment Account (MREA) to provide assistance for public health and medical research and training, primarily through grant programs.
5. The NHMRC also manages grants through the Medical Research Future Fund (MRFF) on behalf of the Department of Health and Aged Care (Health) pursuant to a shared services agreement.
Rationale for undertaking the audit
6. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.5 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the NHMRC’s fraud control arrangements.
8. To form a conclusion against this objective, the following high-level criteria were adopted.
- Have appropriate arrangements been established to oversee and manage fraud risks?
- Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
- Have appropriate mechanisms been established to detect and respond to fraud?
- Has the NHMRC appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?
Conclusion
9. The NHMRC’s fraud control arrangements are partly effective. The NHMRC has appropriate mechanisms in place for internal fraud control, but there are inadequate mechanisms in place to prevent, detect and investigate fraud risks relating to grant recipients.
10. The NHMRC has established partly appropriate arrangements to oversee and manage fraud risks. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework is aligned with the 2017 Commonwealth Fraud Control Framework. The agency has established largely appropriate oversight arrangements for the management of fraud risks. The Audit and Risk Committee did not provide independent advice to the accountable authority on the appropriateness of the system of risk management. The NHMRC’s 2023–2025 Fraud and Corruption Risk Assessment includes risks relating to its core business, the administration of grant funding. The Fraud and Corruption Control Plan is largely appropriate for internal fraud risks. It falls short of appropriately managing external fraud risks relating to the NHMRC’s administration of grant funding. The NHMRC has not identified and assessed all external fraud risks relating to grant funding. The NHMRC’s risk assessment of grant related fraud risks is not based on all relevant information. Most of the controls for grant related fraud risks rely on the cooperation of, or untested assurances from, the grant recipients. The NHMRC has not established mechanisms to review the effectiveness of the controls listed in the 2023–2025 Fraud and Corruption Risk Assessment.
11. The NHMRC has established partly effective mechanisms to prevent fraud and promote a culture of integrity. The NHMRC included preventative controls for all risks identified in its Fraud and Corruption Control Risk Assessment. The controls have not been assessed for their appropriateness or effectiveness. Fraud awareness training and relevant resources are provided to all staff. External stakeholders are made aware of the NHMRC’s processes for managing fraud risks through various publications on its website. The NHMRC’s monitoring of compliance with annual fraud awareness training provides reasonable assurance to the accountable authority of the completion rate. No arrangements have been put in place to ensure that the NHMRC staff who identify, assess and manage fraud risks or investigate suspected fraud have the relevant training or qualifications or undertake ongoing professional development.
12. The NHMRC has established partly appropriate mechanisms to detect and respond to fraud. The NHMRC has not assessed the appropriateness or effectiveness of the detective controls listed for the internal and external fraud risks identified in its 2023–2025 Fraud and Corruption Control Plan. The detective controls relating to the NHMRC’s administration of grants do not provide the NHMRC with assurance on the level of compliance with reporting and investigation obligations placed on grant recipients under the NHMRC’s funding agreements. By not requiring that investigations by grant recipients are undertaken by a qualified investigator, the NHMRC’s procedures are inconsistent with the 2017 Commonwealth Fraud Control Framework. The fraud and misconduct registers maintained by the NHMRC are not consistent with each other and do not contain sufficient information to support informed decision-making and continuous improvement activities. The NHMRC reported one instance of significant non-compliance and advised the minister that it recovered grant funding associated with the one case where fraud was substantiated in 2022–23 and 2023–24.
13. The NHMRC’s preparations for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024 have been largely appropriate, with change management activities yet to be delivered. The NHMRC included a definition of corruption and reporting and referral obligations to the National Anti-Corruption Commission in its 2023–2025 Fraud and Corruption Control Framework. No corruption related risks were added to the Fraud and Corruption Control Plan at this time. The NHMRC developed an implementation plan and, as at 1 July 2024, had developed a draft framework and a plan to achieve compliance with the new policy. Over the period 2024 to 2026, the NHMRC plans to review grant fraud risks and test the controls for selected grant fraud risks, including risks with high risk ratings.
Supporting findings
Oversight and management of fraud risks
14. The NHMRC established a Fraud and Corruption Framework that covers key elements of the 2017 Commonwealth Fraud Control Framework. Senior officials were assigned responsibility for fraud control activities and a Fraud and Corruption Control Officer (FCCO) was appointed. The NHMRC’s Executive Board is responsible for, and the Audit and Risk Committee (ARC) provides assurance over, risk management including fraud. Both the Executive Board and the ARC reviewed the NHMRC’s fraud and corruption control policy. The procedures for dealing with alleged grant fraud are incomplete. They do not effectively support the NHMRC to conduct fraud risk assessments based on all available information and data, or to fulfil its obligations for specific grants administered under the shared services agreement with the Department of Health and Aged Care. The ARC did not seek further information on the effectiveness of controls following consideration of the reports of instances of suspected fraud. The ARC’s advice to the Chief Executive Officer (CEO) relied on assertions from management that the agency complies with the Commonwealth Risk Management Policy and the Commonwealth Fraud Control Framework. (See paragraphs 2.2 to 2.15)
15. The NHMRC undertook fraud risk assessments in 2019 and 2023. The 2019 fraud risk assessment was not updated following the launch of a new grants management IT system. The 2023–2025 Fraud and Corruption Risk Assessment included risks related to the NHMRC’s administration of grants, which is one of the agency’s core functions. The risk assessment utilises the risk matrix for likelihood and consequence set out in the enterprise risk management framework. The relationship between accepted risk ratings and the NHMRC’s tolerances for specific risk categories is not documented. The NHMRC’s ARC did not consider the 2023–2025 Fraud and Corruption Control Plan in assessing the appropriateness of the 2024–25 internal audit work program. (See paragraphs 2.16 to 2.38)
16. The NHMRC’s 2023–2025 Fraud and Corruption Control Plan included 27 fraud risks, seven of which related to external risks. Responsibility for managing each of the controls was not listed in the 2023–2025 Fraud and Corruption Risk Assessment. Controls for internal risks are more clearly aligned with the identified risks than those listed for external risks in the 2023–2025 Fraud and Corruption Control Plan. The non-mandatory reporting to the NHMRC of all instances of alleged fraud, including where it relates to research misconduct, limits the information that the NHMRC has regard to when conducting risk assessments for external fraud risks. The NHMRC has not established appropriate mechanisms to gain assurance over all grant recipients’ compliance with the terms of funding agreements or MREA grant recipients’ responses to the annual self-assessment compliance survey. Both of these are listed as controls for external risks related to the NHMRC’s administration of grant programs. Except for specific ICT controls, the NHMRC has not established a mechanism to review the effectiveness of controls listed in the 2023–2025 Fraud and Corruption Risk Assessment. (See paragraphs 2.39 to 2.62)
Fraud prevention and integrity culture
17. The NHMRC’s 2023–2025 Fraud and Corruption Control Risk Assessment includes preventative controls for all identified risks. Preventative controls for internal fraud risks directly relate to the cause of the risk. Preventative controls for external fraud risks largely relate to education and guidance materials for grant recipients and expected compliance with the NHMRC funding agreement. The NHMRC has not assessed the appropriateness and effectiveness of its preventative controls for fraud risks. Fraud risks are considered in the development of new grant guideline opportunities. The fraud risks were not reviewed following a change in ICT systems or based on the results of the annual compliance review for grant recipients. There are inconsistencies in the NHMRC’s procedures for staff on preventing, detecting and dealing with fraud. The NHMRC’s strategies to mitigate the risk of fraud are stronger for internal fraud risks than external fraud risks. (See paragraphs 3.2 to 3.24)
18. The NHMRC has fraud related guidance materials on its intranet. Fraud awareness training must be completed by staff upon commencement with the entity and refreshed on an annual basis. As at 30 June 2024, 189 of 244 staff had completed fraud awareness training, representing 77.5 per cent of the NHMRC’s total workforce. One of six senior executive service officers had completed this training. The NHMRC publishes its Research Integrity and Misconduct Policy on its website, which includes a section on fraud and other misconduct. The NHMRC’s website also allows anonymous reports of fraud to be provided. The NHMRC has not evaluated the effectiveness of its fraud awareness training. (See paragraphs 3.25 to 3.35)
19. The NHMRC does not carry out fraud investigations and has no qualified investigators. It does not oversee fraud investigations conducted by grant recipients or gain assurance they have been undertaken by qualified investigators. The NHMRC’s staff who identify, assess and manage fraud risks do not have the relevant fraud control training or qualifications. The NHMRC does not have a plan in place for the professional development of staff involved in fraud and corruption activities. (See paragraphs 3.36 to 3.46)
Fraud detection and response
20. The NHMRC listed detective controls for all but two of the risks identified in the 2023–2025 Fraud and Corruption Control Risk Assessment. Detective controls for internal fraud risks directly relate to the cause of the risk. Detective controls for external fraud risks largely require the cooperation of grant recipients. Except for limited testing of ICT controls, the NHMRC has not assessed the appropriateness and effectiveness of its detective controls for fraud risks. The NHMRC has processes in place to receive anonymous reports of alleged fraud. A 2023–24 audit of grant applications prior to the award of funding identified 11 ineligible applications that had not been detected during the NHMRC’s standard application review processes. The fraud risk assessment was not updated following the outcome of this audit. (See paragraphs 4.2 to 4.21)
21. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework contains a flowchart of the steps to be undertaken following notification of a suspected fraud. These processes do not relate to instances of suspected fraud by a grant recipient as they are not investigated by the NHMRC. The funding agreements between the NHMRC and grant recipients do not provide the NHMRC with complete information in relation to suspected frauds. The NHMRC’s fraud registers do not contain sufficient information of the investigation or decision-making process. For the one case between 2022–23 and 2023–24 where an allegation of suspected fraud was substantiated after investigation by the grant recipient, the NHMRC did not report the incident to the Australian Federal Police (AFP). The NHMRC recovered $2.6 million in relation to this fraud case. (See paragraphs 4.22 to 4.37)
22. The NHMRC has complied with its reporting obligations in its annual report and to the Australian Institute of Criminology. For the only substantiated fraud in 2022–23 and 2023–24, the NHMRC briefed the Minister for Health and Aged Care following a press release by the relevant grant recipient. The NHMRC has arrangements in place with Health for the management of suspected fraud and other research misconduct. The NHMRC maintains fraud risk registers as well as misconduct and integrity registers, with a separate register developed for each year. These registers do not include detailed information about the incidents and are not consistent with each other. (See paragraphs 4.38 to 4.53)
Preparation for the revised Commonwealth Fraud and Corruption Control Framework 2024
23. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework reflects the establishment of the National Anti-Corruption Commission in July 2023 and relevant reporting and referral requirements. In February 2024 the NHMRC developed an implementation plan, with key milestones and deadlines, for the commencement of the 2024 Commonwealth Fraud and Corruption Policy. As at July 2024 the NHMRC had prepared a draft updated framework and plan to satisfy the requirements of the 2024 Commonwealth Fraud and Corruption Policy. The NHMRC has not developed a plan to put the revised Policy into action, including the delivery of change management activities. (See paragraphs 5.2 to 5.10)
24. The NHMRC plans to review ten grant fraud risks and to test the controls for four grant fraud risks over the period 2024 to 2026. (See paragraphs 5.11 to 5.15)
Recommendations
Recommendation no. 1
Paragraph 2.34
The National Health and Medical Research Council ensure its fraud risk assessments comply with the NHMRC’s 2023–2026 Risk Management Framework and Policy, including documentation of estimated value of fraud as a result of identified risks occurring, and account for all elements of its risk environment and administrative systems.
National Health and Medical Research Council response: Agreed.
Recommendation no. 2
Paragraph 2.55
The National Health and Medical Research Council implement risk-based mechanisms to gain independent assurance of the effectiveness of grant recipients’ fraud risk controls.
National Health and Medical Research Council response: Agreed.
Recommendation no. 3
Paragraph 2.61
The National Health and Medical Research Council plan and undertake regular assessments and testing of the effectiveness of the controls and mitigating strategies listed in its Fraud and Corruption Control Plan.
National Health and Medical Research Council response: Agreed.
Recommendation no. 4
Paragraph 3.45
The National Health and Medical Research Council ensure that all its officials who identify, assess and manage fraud and corruption risks possess the qualifications and skills required by the Fraud Policy.
National Health and Medical Research Council response: Agreed.
Recommendation no. 5
Paragraph 4.28
The National Health and Medical Research Council:
- amend the 2019 Research Integrity and Misconduct Policy to require grant recipients to report all allegations of suspected fraud relating to grants administered by the NHMRC; and
- ensure all investigations of suspected fraud relating to grants administered by the NHMRC, including investigations by a grant recipient, are undertaken or overseen by suitably qualified personnel and reports are provided directly to the NHMRC.
National Health and Medical Research Council response: Agreed.
Summary of entity response
25. The proposed audit report was provided to the NHMRC. The NHMRC’s full response is provided below.
The National Health and Medical Research Council (NHMRC) takes its responsibilities in relation to fraud and corruption risk seriously. We welcome the ANAO’s review of the efficacy of our systems and processes to prevent, detect and respond to this risk.
A small statutory authority within the Health and Aged Care portfolio, NHMRC funds the highest quality health and medical research and training, and issues guidelines and advice on the prevention, diagnosis and treatment of disease, the provision of health care and on ethical issues relating to health. NHMRC is committed to continuous improvement across all its endeavours and recognises that ensuring the effective and efficient discharge of our responsibilities is fundamental to maintaining community confidence in the health and medical research that underpins Australia’s health care system.
NHMRC accepts the audit findings, conclusions and recommendations and considers that this audit outcome presents an opportunity to further strengthen our management of fraud and corruption risk. NHMRC agrees with all five audit recommendations and will progress implementation with the guidance of our Executive Board and with quality assurance oversight from our independent Audit and Risk Committee.
Key messages from this audit for all Australian Government entities
26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Summary
1. The purpose of the Australian National Audit Office (ANAO) is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance. The ANAO delivers its purpose under the Auditor-General’s mandate in accordance with the Auditor-General Act 1997, the Public Governance, Performance and Accountability Act 2013 and the Public Service Act 1999.
2. The executive arm of government is accountable to the Parliament for its use of public resources and the administration of legislation passed by the Parliament. The Auditor-General provides independent assurance as to whether the executive is operating and accounting for its performance in accordance with the Parliament’s intent. The ANAO’s performance audit program is one of the main assurance functions of the Auditor-General.
3. The Auditor-General Act 1997 (the Act) authorises the Auditor-General to conduct financial statements audits, performance audits, assurance reviews or audits of the performance statements and performance measures of Commonwealth entities, Commonwealth companies and their subsidiaries. The Act also authorises providing other audit services as required by other legislation or allowed under section 20 of the Act, and reporting directly to the Parliament on any matter or to a minister on any important matter that comes to the attention of the Auditor-General. Under sections 32 and 33 of the Act, the Auditor-General has extensive information-gathering and access powers to support auditing processes. The ANAO’s preference is to obtain information through cooperation with audited entities.
4. The ANAO’s primary relationship is with the Australian Parliament, particularly the Joint Committee of Public Accounts and Audit (JCPAA). The ANAO consults with and has regard to the priorities of the Parliament as determined by the JCPAA when developing its Annual Audit Work Program as required under the Act.
5. Audit quality is fundamental to the reliance placed on Auditor-General reports by the Parliament, and the ANAO focuses on delivering quality audits through its Quality Management Framework and Plan. Key elements of the framework include external and internal reviews that provide assurance to the Auditor-General that the audits had been conducted in accordance with the requirements of the Act, ANAO Auditing Standards and associated methodologies.
6. In 2023–24, the Auditor-General presented 45 performance audit reports to the Parliament. In 2024–25, the target for performance audits increases to 48, consistent with the Parliament’s expectations. Resourcing the ANAO to complete the performance audit program brings challenges. There is no ‘tertiary ready’ workforce to recruit directly into the ANAO, requiring an ongoing training and coaching program to bring capability and quality. Increases in costs in mandatory financial statements auditing can reduce the resources available to undertake performance auditing.
Analysis of performance audits from 2019–20 to 2023–24
7. In October 2020, the 15th Auditor-General, Mr Grant Hehir, released a mid-term report, which provided statistics on the coverage of the performance audit program from 2015–16 to 2019–20, as well as audit outcomes by metric across the sector.1 This information report has been prepared to provide a similar analysis of performance audits from 2019–20 to 2023–24, with a particular focus on outcomes from 2023–24.
8. Performance audits conducted by the ANAO in 2023–24 identified deficiencies in public sector governance and procurement activities. Grants administration audits in 2023–24 have seen improvements when compared to the average from 2019–20 to 2023–24. The procurement and grants frameworks are established under finance law and represent a minimum expectation of compliance and administration. Getting the ‘basics right’ such as adhering to the law, whole-of-government policy and frameworks, and record keeping practices enables entities to achieve outcomes, minimise risk and make decisions in the public interest. A challenge for leaders is to ensure they consistently demonstrate the expected behaviours, professionalism and standards that promote a culture of compliance with both the letter and intent of the law, along with an expectation that results are achieved.
9. Poor record keeping practices continued to be observed through 2023–24 with every performance audit report commenting on record keeping. All public sector staff have a role to play in record keeping. The National Archives of Australia states that:
Public trust in the functions of agencies depends on accountability—our ability to show that decisions have been made on the basis of reason and evidence; Australian Government resources are being used appropriately; and that consideration of the public interest is foremost in our work.2
10. An analysis of reports from 2019–20 to 2023–24 identified the following:
- the National Disability Insurance Agency had the highest percentage of negative conclusions and the highest average number of recommendations and the Social Services and Treasury portfolios had the highest percentages of unqualified conclusions;
- audits with a negative conclusion represented 63 per cent of policy development activity audits, 60 per cent of grants administration activity audits and 53 per cent of procurement activity audits. Audits with a positive conclusion represented 66 per cent of asset management and sustainment activity audits; and
- five of the six efficiency audits had negative conclusions.
11. Entities fully agreed with more than 90 per cent of recommendations each year from 2019–20 to 2023–24, with 94 per cent of recommendations agreed to in 2023–24. Between 2017–18 and 2021–22, an average of 80 per cent of recommendations were self-reported by entities to have been implemented.4
12. From 2021–22, performance audit reports included an appendix to capture improvements made by entities observed during the course of an audit. In 2023–24, 40 of the 45 performance audits (89 per cent) tabled in the Parliament identified improvements observed during the auditing process.
Themes from 2023–24 performance audits
13. The ANAO’s performance audit activities involve independent, objective and evidence-based assessment of all or part of an entity’s operations and administrative support systems. Through this assessment, the ANAO identifies key messages that arise from both good practice and deficiencies. Themes arising from performance audit reports tabled in 2023–24 are summarised below.
Assurance of the operation of government frameworks
14. There are a number of mandatory whole-of-government frameworks with which the public sector needs to comply. Policy owners for these frameworks establish their rules of operation and then largely rely on Public Governance, Performance and Accountability Act 2013 (PGPA Act) accountable authorities and Australian Public Service agency heads to ensure compliance with the frameworks. The ANAO has for a number of years suggested that the policy owners of frameworks in areas such as resource management, procurement, grants administration, cyber security, record keeping, freedom of information, and ethical conduct should take a stronger or more active regulatory posture. In 2023–24, compliance with frameworks continued to be a theme arising from performance audits.
Integrity, probity and ethics
15. In 2023–24, the ANAO tabled six performance audit reports in the Parliament that focused on compliance with selected public service legislative and policy requirements for corporate credit cards and gifts, benefits and hospitality. Findings from these performance audits can provide indicators of areas of risk to integrity, probity and ethics, including where action may be necessary to avert systemic issues. Compliance with credit card requirements, particularly by senior executives, can be indicative of the tone set for the entity. Likewise, establishing a guiding principle for officials to generally avoid the acceptance of gifts, benefits and hospitality and creating transparency of the acceptance of gifts, benefits and hospitality can help to promote a culture of integrity.
Planning and implementation
16. Over 2019–20 to 2023–24, 63 per cent of performance audits classified as policy development activity audits were found to be either ‘not effective’ or ‘partly effective’. In 2023–24, the themes of governance and planning were included in key messages set out in audit reports. Performance audits have identified that early and proactive planning is more likely to result in good implementation and governance.
Evaluation
17. In December 2021, the Commonwealth Evaluation Policy was released.5 The policy applies to all Australian Government entities subject to the PGPA Act. The need to plan for evaluation at the commencement of a program, with a particular focus on identifying what data will be needed for evaluation purposes, was a recurring key message from performance audits in 2023–24.
Procurement and contract management
18. ANAO performance audits assess procurement in Australian Government entities against the Commonwealth Procurement Rules (or their equivalent) and the PGPA Act. There were 36 performance audits of procurement and contract management conducted over 2019–20 to 2023–24, with 53 per cent found to be either ‘not effective’ or ‘partly effective’. In 2023–24, audits on procurement activities had some of the highest numbers of recommendations, with improvements required in planning and record keeping practices as well as compliance with the rules framework.
Cyber security
19. Australian Government entities are expected to be ‘cyber exemplars’ as they process and store some of Australia’s most sensitive data to support the delivery of essential public services. Low levels of cyber resilience make entities more susceptible to cyber attack and reduce business continuity and recovery prospects following a cyber security incident. Preparedness to respond to and recover from a cyber attack is a key part of cyber resilience particularly in the public sector which relies on IT to deliver services. Auditor-General Report No. 38 2023–24, Management of Cyber Security Incidents and a previous audit report6 detailed potential deficiencies of which entities need to be aware when implementing cyber security requirements.
Observations on record keeping practices
20. In 2023–24, the ANAO made negative findings on record keeping practices in all 45 performance audit reports tabled in the Parliament. Getting the ‘basics right’ in terms of record keeping processes continues to be a challenge for entities. Good record keeping is required by law and supports effective corporate governance, accountability and performance.
Further guidance material
21. The ANAO has published audit ‘Insights’ products7 on risk management, procurement and contract management, grants administration, cyber security and other areas of note to assist entities improve their performance. In September 2024, the ANAO published its inaugural quarterly Audit Matters newsletter to inform external audiences of updates on the ANAO’s work and provide insights on what we are seeing in the Australian Government sector.8
Summary and recommendations
Background
1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1
2. The Australian Government defines fraud as:
Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2
3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:
Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4
4. This audit examines fraud control arrangements in the Department of Health and Aged Care (the department), using the Indigenous Australians’ Health Programme as a case study of how the arrangements are applied.
Rationale for undertaking the audit
5. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.5 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.
6. The Indigenous Australians’ Health Programme was selected as a case study to assess the department’s fraud control arrangements, due to the program’s size, variety of funded activities, and opportunity it presented to assess the department’s fraud control arrangements as they related to grants administration. The Indigenous Australians’ Health Programme is the department’s main overarching Aboriginal and Torres Strait Islander health program.6 The program funds initiatives to increase access to health care and improve the health of Aboriginal and Torres Strait Islander people, and represents the Australian Government’s largest direct expenditure on Indigenous primary healthcare.7
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the Department of Health and Aged Care’s fraud control arrangements, with a specific focus on the Indigenous Australians’ Health Programme.
8. To form a conclusion against this objective, the following high-level criteria were adopted.
- Have appropriate arrangements been established to oversee and manage fraud risks?
- Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
- Have appropriate mechanisms been established to detect and respond to fraud?
- Has the department appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?
Conclusion
9. The department had partly effective fraud control arrangements in 2022–23 and 2023–24. Key deficiencies included the lack of a current fraud risk assessment at the enterprise level, fraud risk assessments for departmental programs, and recent testing of fraud control effectiveness. The department undertook an organisational change process in 2023–24 that has the potential to improve its fraud governance and controls. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Control Framework was appropriate.
10. The department established partly appropriate arrangements to manage and oversee fraud risks in 2022–23 and 2023–24. There were appropriate governance and oversight arrangements for fraud control, except that consideration of fraud risks was limited to one of 39 internal audits conducted in the period. There was a largely appropriate fraud control policy framework. Fraud risks were assessed at the enterprise level. These risks were not consistently assessed at the divisional or program level (including for the Indigenous Australians’ Health Programme). Enterprise level fraud risks were not reviewed regularly. There was a fraud control plan, which was not supported by a current fraud risk assessment, regular review, or testing of fraud control effectiveness.
11. The department’s mechanisms to prevent fraud and to promote a culture of integrity were largely appropriate. The department established preventative controls for fraud. The effectiveness of preventative controls was not tested in accordance with the department’s fraud control plan. The department established largely appropriate mechanisms to promote internal and external fraud awareness. Not all fraud control officials and investigators attained the required minimum vocational qualifications.
12. The department’s mechanisms to detect and respond to fraud were partly appropriate. Planned testing of the effectiveness of detective controls in 2022–23 and 2023–24 was incomplete. Detective controls were primarily reactive in the form of referrals and tip-offs. As at June 2024 the department was putting in place measures to increase its use of proactive detective controls such as data analytics. Mechanisms to investigate and respond to fraud, including policies and procedures, were developing as part of an organisational change process. In 2022–23 and 2023–24, the department took ‘no further action’ on all closed fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme. Recorded decision-making in relation to these matters did not fully comply with investigations procedures. The department established largely appropriate mechanisms to record and report fraud.
13. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Framework was appropriate. There was a fit-for-purpose implementation plan. Although the department was not fully prepared in accordance with its implementation plan on 1 July 2024, most elements were completed or in progress. In early July 2024 the department established a framework to support the periodic testing of fraud controls.
Supporting findings
Oversight and management of fraud risks
14. Roles and responsibilities for fraud control were assigned; there were committees with fraud oversight; and the accountable authority was kept informed. There was organisational change in 2023–24 with regard to line management arrangements. As at June 2024 roles and responsibilities were evolving and fraud control policies needed to be updated to reflect this. (See paragraphs 2.2 to 2.16)
15. The department identified and assessed fraud risks at the enterprise level. This had not been reviewed in accordance with 2017 Commonwealth guidance (which suggested, as better practice, a review at least every two years). Fraud risks were not consistently considered as part of divisional and business planning. For 2024–25 divisional planning, the department introduced a requirement that division heads certify that they have considered fraud and corruption risks in developing their divisional plans. Fraud risks for Indigenous Australians’ Health Programme grant programs were not consistently assessed at the design stage. One of 39 internal audits completed in 2022–23 and 2023–24 considered fraud. (See paragraphs 2.17 to 2.36)
16. The department had a fraud control plan, which was not informed by a current fraud risk assessment. The fraud control plan was not regularly reviewed. As at May 2024, 32 per cent of fraud control owners identified in the enterprise fraud and corruption risk register had left the department. Fraud control activities outlined in the fraud control plans were not fully implemented. The department tested the effectiveness of controls when developing its enterprise fraud and corruption risk assessment in 2022. Six-monthly testing of the effectiveness of controls (as required under the fraud control plan) was not done. The department finalised a mechanism for the regular, ongoing controls testing in July 2024. (See paragraphs 2.39 to 2.51)
Fraud prevention and integrity culture
17. The department established preventative controls for fraud risks, including instructions and procedures to assist officials to prevent, detect and deal with fraud. Mechanisms to ensure fraud risk is considered in planning and conducting entity activities were inconsistently implemented. The department tested the effectiveness of its preventative controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, preventative controls for enterprise-level fraud risks were not tested after 2021 (except for Community Grants Hub fraud risks in 2022). The 2021 testing found that 57 per cent of the preventative controls for enterprise fraud risks were effective and 43 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 3.2 to 3.12)
18. Mechanisms were implemented to promote staff awareness of what constitutes fraud. Fraud awareness and integrity training were mandatory for all staff and completion rates were reported to executive and oversight committees. Reported completion rates in 2023 and 2024 ranged from 84 to 88 per cent overall. The department promoted fraud awareness to external parties through outreach activities, although grant opportunity guidelines and grant agreements for the Indigenous Australians’ Health Programme did not all refer to fraud. The effectiveness of measures to promote fraud awareness internally and externally was largely not evaluated. (See paragraphs 3.15 to 3.22)
19. The department’s fraud control and investigation functions were centralised in the Fraud and Integrity Branch in April 2024. As at June 2024, 80 per cent of investigators and 76 per cent of officials undertaking fraud control activities had the appropriate qualifications. There was no framework for ongoing professional development. (See paragraphs 3.24 to 3.30)
Fraud detection and response
20. The department established detective controls for fraud, primarily confidential reporting of tip-offs. For grants administered through the Community Grants Hub, there were arrangements in place with the Department of Social Services to escalate fraud risks and incidents. There were 12 potential fraud tip-offs and escalations relating to the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Proactive detective controls, such as data analytics, were developing. The department tested the effectiveness of its detective controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, detective controls for enterprise-level fraud risks were not tested after 2021 (except for 2022 testing of Community Grants Hub fraud risks). The 2021 testing found that 65 per cent of detective controls were effective and 35 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 4.2 to 4.18)
21. Between February 2023 and April 2024, previously devolved investigative functions were centralised in one branch. Documented procedures to support the investigative function were developing and at 30 June 2024 were not fully compliant with Australian Government Investigations Standard, consistent across different investigative functions or types of external fraud, or finalised. The audit examined 12 fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme that were made in 2022–23 and 2023–24. One allegation was not assessed, and as at July 2024, two matters had not been finalised. Decisions to take no further action on the remaining nine fraud matters were largely documented. Decisions were not made by officials with the appropriate level of seniority in seven of nine matters. There were no referrals to the Australian Federal Police for the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Case management system records did not include estimates of loss to fraud for non-health provider benefit external fraud matters, and these were not included in the department’s response to the Australian Institute of Criminology’s Fraud Census. It is therefore not possible for the department to assure itself that it has taken reasonable measures to recover financial losses caused by external fraud in a number of the department’s programs. (See paragraphs 4.19 to 4.41)
22. The department had standard operating procedures to collect and manage fraud information, although many were in draft form as at June 2024. Procedures for recording information in a fraud case management system did not require the linkage of matters with programs, obscuring visibility of program-related fraud matters by responsible officials. This practice is inconsistent with divisional responsibility for fraud control activities and controls. The department completed the annual Fraud Census reporting requirements for 2022–23 with inaccuracies. The department established a process to identify matters representing significant non-compliance with finance law that should be reported to relevant ministers, and no fraud matters were reported in 2022–23 or 2023–24. The accountable authority certified in the annual report that the department has taken all reasonable steps to deal with fraud. The Secretary’s certification was supported by assurances from the Audit and Risk Committee. In 2022–23 and 2023–24 the Audit and Risk Committee did not implement all of its planned activities in relation to fraud controls, and in assuring the accountable authority on the effectiveness and appropriateness of the department’s fraud control arrangements, it largely relied on management representations. Disclosures about fraud matters were made to other entities in relation to internal and external health provider fraud. (See paragraphs 4.44 to 4.59)
Preparation for the 2024 Commonwealth Fraud and Corruption Control Framework
23. The department developed an implementation plan to prepare for the Commonwealth Fraud and Corruption Control Framework. Education and awareness activities were delivered, and existing governance arrangements were assessed and considered suitable to meet the requirements of the new framework. On 1 July 2024 the department published revised governance documents to meet requirements of the new framework. Of 10 implementation plan activities due to be completed by 30 June 2024, nine had been delivered by early July. The one exception was a revised Enterprise Fraud and Corruption Risk Assessment. (See paragraphs 5.2 to 5.7)
24. A fraud and corruption control testing framework was finalised on 4 July 2024. (See paragraphs 5.8 to 5.10)
Recommendations
Recommendation no. 1
Paragraph 2.32
For Portfolio Budget Statement programs presenting a high overall fraud risk profile, the Department of Health and Aged Care undertake detailed fraud risk assessments.
Department of Health and Aged Care response: Agreed.
Recommendation no. 2
Paragraph 2.37
The Department of Health and Aged Care ensure that fraud is covered in the internal audit work program, in proportion to the risk that fraud poses to the department and its programs.
Department of Health and Aged Care response: Agreed.
Recommendation no. 3
Paragraph 3.13
The Department of Health and Aged Care test the effectiveness of preventative and other fraud controls regularly, with appropriate intervals of control testing determined in line with the critical nature of the control; the department’s risk appetite and tolerance; and any changes to the internal or external operating environment of the entity.
Department of Health and Aged Care response: Agreed.
Recommendation no. 4
Paragraph 3.28
The Department of Health and Aged Care ensure that fraud control and investigations officials have obtained the minimum qualifications set out in the Fraud Policy and Guidance and Australian Government Investigations Standard.
Department of Health and Aged Care response: Agreed.
Recommendation no. 5
Paragraph 4.42
The Department of Health and Aged Care implement processes to quantify and record estimates of losses from external fraud for all types of external fraud and all departmental programs, where quantification is possible.
Department of Health and Aged Care response: Agreed.
Summary of entity response
25. The proposed audit report was provided to the Department of Health and Aged Care. The Department of Health and Aged Care’s summary response to the audit is provided below and its full response is at Appendix 1.
The Department of Health and Aged Care (the department) welcomes the findings in the report and accepts the recommendations directed to the department. The department is committed to effective implementation of Australian National Audit Office (ANAO) recommendations and has already taken steps to address the issues identified in this audit.
It was pleasing to note the ANAO found the fraud control policy framework largely appropriate and that the audit acknowledged the work the department has done to strengthen its fraud management, in particular by consolidating all fraud functions into a dedicated branch. These arrangements are continuing to be strengthened as the branch streamlines and matures its operations, uplifts capability and enhances its governance.
The audit found some areas for improvement, including how the department assesses fraud risk and tests fraud controls, and ensuring currency of qualifications of its fraud control and investigations officials. To address these findings, the department has commenced a review of its enterprise fraud and corruption risk assessment, commenced targeted pressure testing activities, and established a capability framework for its staff. Regular updates of the progress of this work will be provided to the department’s Audit and Risk Committee over the 2024–25 financial year.
Key messages from this audit for all Australian Government entities
26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Summary
1. Since its emergence in late 2019, coronavirus disease 2019 (COVID-19) became a global pandemic that impacted on human health and national economies. A variety of funding and delivery mechanisms were employed by the Australian Government to address the immediate health and economic needs arising from the COVID-19 pandemic. These included income support payments, grants, procurements, loans and tax relief.
2. To support the Australian Government’s COVID-19 pandemic response priorities, the Australian Public Service (APS) quickly adapted its workplace practices and deployed resources to priority areas, while continuing to deliver business-as-usual activities.
3. In 2019–20, eight entities were significantly impacted by the COVID-19 pandemic and required either additional funding, letters of support or a restructuring of operations.1
4. At the request of the Chief Operating Officers Committee (COO Committee)2, the ANAO developed an Insights product, Rapid Implementation of Australian Government Initiatives, based on key lessons learned from audits of past activities, likely to have wider applicability to the APS in supporting the national COVID-19 pandemic response.3 The product was published on 16 April 2020.
5. The ANAO responded to the emerging sector-wide risks for public administration by developing a strategy for a program of audits examining the delivery of the Australian Government’s COVID-19 pandemic response (COVID-19 audit strategy). This information report summarises and consolidates the learnings from the audits and reviews conducted by the ANAO under the COVID-19 audit strategy.
6. As a public sector entity, the ANAO also adapted its work practices to ensure the continued delivery of its assurance services while safeguarding the health and wellbeing of its staff. The ANAO’s operations were identified as critical during the COVID-19 pandemic as the ANAO supports government accountability and transparency through its independent reporting to Parliament. Financial and performance reporting requirements for government entities — and therefore the audit mandate for the ANAO — remained unchanged during the COVID-19 pandemic, except to the extent accountable authorities considered it not reasonably possible to meet the existing reporting deadlines for their 2020–21 corporate plans and 2019–20 annual reports.4
7. Prior investment in new IT capabilities included the transition to ‘PROTECTED’ cloud services in 2018 and the rollout of laptops and wireless peripherals to staff, commenced in early 2019, to facilitate a mobile and connected workforce. This investment enabled the ANAO to respond quickly to the COVID-19 pandemic and support the majority of ANAO staff to continue to work remotely, including from home from late March 2020. Entities also assisted the ANAO by making remote access to their systems available to enable audit work to continue.
8. During April 2020, the ANAO implemented an engagement ‘pause’ for performance audits in recognition of the work that audited entities were undertaking to adjust to new working arrangements and, for many, implementing the COVID-19 pandemic response measures announced by the Australian Government. Audits with fieldwork that involved interstate travel — such as the audits on the Northern Territory Land Councils — were put on hold to comply with lockdowns and other public health measures.
9. The engagement pause, while well received within the sector, impacted the delivery of the 2019–20 performance audit program, with the Auditor-General tabling 42 audit reports in the Parliament in 2019–20 against a target of 48.5 The target of 42 performance audits in 2020–21 was met.6 For financial statements audits, the ANAO completed 243 of 249 (98 per cent) mandated financial statements audits for the year ended 30 June 20197 in 2019–20, and 246 of 246 (100 per cent) mandated financial statements audits for the year ended 30 June 2020 in 2020–21.8
10. In the first set of audits conducted under the COVID-19 audit strategy, the ANAO focused its audit approach on identifying areas of risk and emerging lessons for the public sector entities, reflecting the operating environment and challenges associated with rapid implementation of government initiatives. As such, three of four COVID-19 audits tabled in December 2020 did not contain recommendations for the audited entities and identified key messages for Australian Government entities to consider in identifying and responding to the challenges and risks associated with the rapid implementation of initiatives. The key messages were consolidated in an Audit Lessons product on Emergency Management — Insights from the Australian Government’s COVID-19 Response, which was published on 28 May 2021.
11. This information report was developed to summarise and consolidate the lessons from the audits and reviews undertaken by the ANAO under its COVID-19 audit strategy. The APS undertook many activities to support the Australian Government’s response to the COVID-19 pandemic in sometimes very short timeframes and often on a much larger scale than business-as-usual activities. The lessons from the ANAO’s work can contribute to preparedness for future crisis events. As the themes arising from the COVID-19 performance audits analysed in this report indicate, capturing and implementing lessons learned for continuous improvement is an important element of effective program delivery. Key lessons for planning and responding to crises identified through the ANAO’s audits and reviews conducted under the COVID-19 audit strategy are outlined in Appendix 1.
Summary and recommendations
Background
1. The Australian Government Crisis Management Framework (AGCMF) outlines the Australian Government’s approach to preparing for, responding to, and recovering from crisis.1 The AGCMF describes an ‘all-hazards’ approach that includes mitigation, planning, and assisting states and territories to manage emergencies resulting from natural events.2
2. The AGCMF has been used to respond to a variety of crises between 2020 and 2023 including:
- the COVID-19 pandemic;
- natural disasters such as prolonged flood events across Australia and tropical cyclone events;
- cyber security incidents including data breaches involving Medibank and Latitude Financial, and the security breach affecting the email gateway system supporting some ACT Government systems; and
- the Turkiye and Syria earthquake for which the Australian Government committed humanitarian assistance.
3. In March 2023, government agreed to conduct a review of the AGCMF. The Department of the Prime Minister & Cabinet (PM&C) conducted this review. Following the 2023 AGCMF Review, a revised AGCMF was released at the 2024–25 Higher Risk Weather Season National Preparedness Summit in Canberra on 18–19 September 2024.3
Rationale for undertaking the audit
4. The AGCMF is the basis for the Australian Government’s response to crises including pandemics, natural disasters, terrorism, and cyber incidents. This audit provides assurance to the Parliament on whether Australian Government entities have identified and applied lessons from crises between 2020 and 2023, including the COVID-19 pandemic, to the AGCMF in preparation for future severe to catastrophic crises.
5. In its report on the Department of Foreign Affairs and Trade’s crisis management approaches, the Joint Committee of Public Accounts and Audit (JCPAA) recommended that the Auditor-General consider undertaking a performance audit of the AGCMF, and include within the audit scope whether the updated framework adequately reflects lessons learned from the COVID-19 pandemic.4 The JCPAA also identified an audit of the AGCMF as an audit priority of the Parliament in 2022–23.
Audit objective and criteria
6. The audit objective was to assess whether the Australian Government has established an appropriate framework for responding to crises.
7. To form a conclusion against the objective, the following high-level criteria were adopted:
- Has the readiness of systems and processes to respond to crises been assessed?
- Is the AGCMF fit for purpose to respond to a changing threat environment?
8. The audit examined whole-of-government crisis coordination arrangements established through seven versions of the AGCMF between 2020 and 2023, and the 2023 review of the AGCMF undertaken by PM&C. The audit focussed on whole-of-government crisis coordination arrangements between 2020 and 2023 including the supporting mechanisms to convene key committees under the AGCMF.
9. The audit did not examine:
- the application of the framework to the response to the COVID-19 pandemic or other crises;
- the adherence to individual national plans required under the AGCMF;
- agency specific crisis coordination arrangements; or
- operational responses to crises.
Conclusion
10. In establishing the revised AGCMF, PM&C has developed a largely appropriate framework for responding to crises. The revised AGCMF incorporates lessons from prior crises and provides increased guidance for all-hazards responses, including complex and concurrent crises. The increased oversight and additional continuous improvement activities established in the revised AGCMF will be important to ensure the framework remains appropriate for responding to crises over time as threats and the environment continue to evolve. The revised AGCMF represents a shift in approach from previous versions of the AGCMF and will require sustained effort to build and maintain appropriate capability.
11. A structured assessment of the readiness of systems and processes contained in the AGCMF was not undertaken prior to the 2023 Review. Updates to the AGCMF during 2020 to 2023 were administrative in nature and reflected changes that had already been operationalised. The roles and responsibilities set out under previous versions of the AGCMF were not clearly defined. The 2023 AGCMF Review was guided by a project plan which captured evidence from a range of inputs including comprehensive stakeholder engagement and testing of recommendations and proposed actions. Clarifying arrangements for annual updates and future comprehensive reviews is important to ensure these activities adequately capture and address required changes in a timely manner. The lessons management capability and associated processes are evolving. Formal lessons activities are not conducted for all crises. Thresholds for conducting a lessons process had not been defined or documented prior to 2024.
12. The revised AGCMF released in September 2024 incorporates an increased emphasis on continuous improvement and improved oversight. These amendments, if effectively implemented, should position the framework to respond to a changing threat environment. Activities that informed the 2023 AGCMF Review, such as ‘futures workshops’, would provide value to the framework into the future as they provide an opportunity to examine whether the framework is strategically positioned to adapt to the future. The revised AGCMF introduces several new roles. The responsibilities of these roles are largely clear. Until 2024, there has been a lack of oversight over national level plans to ensure they are reviewed and updated. The annual national exercise program conducted by the National Emergency Management Agency (NEMA) has primarily focussed on natural disaster scenarios. Compounding non-natural disaster specific impacts are now being integrated into natural disaster scenario-based exercises within the program. There is scope to improve the transparency and currency of national plans and risk planning in relation to shared risks and key management personnel risks.
Supporting findings
Readiness of systems and processes
13. Within the AGCMF, specific hazards are identified with lead ministers and entities assigned to these hazards. The emergence of newly identified hazards has led to updates in the AGCMF. Space weather events were added as a specific hazard as they were identified as posing a risk to critical infrastructure. Cyber incidents were added as a specified hazard following a review of crises that indicated roles and responsibilities were not clearly defined. Under previous versions of the AGCMF, triggers and thresholds for activation of whole-of-government crisis coordination were broad and did not provide clear guidance to entities. There are multiple mechanisms that support crisis coordination and response. Some of these mechanisms were not defined in the AGCMF. The role and interactions between various crisis mechanisms could have been more clearly defined. The National Coordination Mechanism (NCM) was introduced as a means to provide broader engagement than previously existing arrangements. The NCM was embedded in the AGCMF after it became a regularly used mechanism during the COVID-19 pandemic response. (See paragraphs 2.3 to 2.33)
14. Updates undertaken annually between 2020 and 2023 were largely limited to documenting machinery of government changes. These updates varied in the approach and stakeholder engagement. There was no engagement with states and territories as part of the administrative updates in 2020, the second update in 2021 or 2022. More significant comments relating to the framework were held over in anticipation of a future review, which was conducted in 2023. The 2023 AGCMF Review had not been approved at the time. The approach to the 2023 AGCMF Review was guided by a project plan which captured evidence from a range of inputs including comprehensive stakeholder engagement and testing of recommendations and proposed actions. There are minor gaps in documentation relating to the analysis of some of this evidence base. Lessons management, including a lessons management capability, to inform continuous improvement activities is evolving. (See paragraphs 2.34 to 2.79)
15. There are gaps in lesson management at the whole-of-government level. As the lessons management capability matures, implementation of actions to address identified lessons is improving. During crises between 2019 and 2023, an APS Surge Reserve was established from lessons relating to capability across the APS. While intended to provide additional personnel capacity in the event of a crisis, the APS Surge Reserve provides staff with generalist skills. The 2023 AGCMF Review identified a gap in suitably qualified staff for crisis management roles. NEMA has sought opportunities to utilise the Centres for National Resilience for certain crises, however, an agreement to utilise Department of Finance managed centres has not yet been established. NEMA has established the National Emergency Management Stockpile to enable the rapid deployment of resources. (See paragraphs 2.80 to 2.97)
Responding to a changing threat environment
16. Risk assessments do not include potential key management personnel risks. The 2023 AGCMF Review incorporated strategic risk consideration including future scenario planning which had not previously been conducted. The Crisis Appreciation and Strategic Planning (CASP) methodology has been embedded in NEMA’s approach to operational response activities; however, the methodology has not yet been established as a consistent planning tool across the range of entities involved in crisis management, or in horizon scanning activities to detect emerging threats. When fully embedded, the CASP methodology has the potential to provide a robust approach to planning and preparedness as well as recovery. (See paragraphs 3.3 to 3.37)
17. The revised AGCMF provides increased clarity on roles and responsibilities. This includes introduction of a tiered crisis coordination model intended to provide greater flexibility as crises evolve. The revised AGCMF groups key information relating to roles and responsibilities together for an easier read. The Handbook provides additional guidance to senior officials. The revised AGCMF has largely addressed feedback obtained during the 2023 AGCMF Review to improve the clarity of the arrangements for the available crisis mechanisms. PM&C has identified that ongoing activities are required to support the implementation of the revised AGCMF, including by improving capability. (See paragraphs 3.38 to 3.67)
18. Previous versions of the AGCMF did not establish oversight arrangements for the full suite of national level plans to ensure they are reviewed and updated to respond to future events. The September 2024 version of the AGCMF establishes oversight arrangements. As at July 2024, thirty-two per cent of the publicly available plans have not been updated in the last three years. (See paragraphs 3.68 to 3.80)
19. NEMA delivers two annual national-level exercises primarily focussed on multi-jurisdictional natural disasters. Since 2022, compounding non-natural disaster specific impacts such as mass power outages and supply chain issues have been included in NEMA-led exercises. Prior to 2024, there were gaps in the arrangements to identify and prioritise whole-of-government exercises. There are limitations with arrangements to capture information relating to exercises led by other entities, reducing the ability to advise government on the preparedness of Australian Government entities to respond to crises. The expanded role of the Crisis Arrangements Committee under the revised AGCMF provides coverage of these gaps. Higher Risk Weather Season (HRWS) preparedness has evolved with the addition of ministerial exercises and the HRWS National Preparedness Summit. (See paragraphs 3.81 to 3.111)
Recommendations
Recommendation no. 1
Paragraph 2.44
The Department of the Prime Minister and Cabinet:
- document a process for annual administrative updates that provides a consistent approach including ensuring appropriate records of engagement and input are maintained; and
- ensure significant issues are documented to be considered in comprehensive reviews of the AGCMF.
Department of the Prime Minister and Cabinet response: Agreed.
Recommendation no. 2
Paragraph 2.75
The Department of the Prime Minister and Cabinet:
- provide stronger guidance to entities in their development and updating of entity level and relevant national level crisis management policies and plans; and
- provide a formal response to the Joint Committee of Public Accounts and Audit that outlines actions taken to address recommendation three from Report 494: Inquiry into the Department of Foreign Affairs and Trade’s crisis management arrangements.
Department of the Prime Minister and Cabinet response: Agreed.
Recommendation no. 3
Paragraph 3.23
The Department of the Prime Minister and Cabinet embed arrangements for future scenario planning into ongoing review and update arrangements for the AGCMF. These should be appropriately documented to ensure lessons are captured and can be learned.
Department of the Prime Minister and Cabinet response: Agreed.
Recommendation no. 4
Paragraph 3.79
The Department of the Prime Minister and Cabinet include in the Australian Government Crisis Management Handbook criteria for the publication of plans to appropriately inform stakeholders of crisis arrangements.
Department of the Prime Minister and Cabinet response: Agreed.
Recommendation no. 5
Paragraph 3.97
The National Emergency Management Agency document its consideration of Crisis Arrangements Committee advice on gaps and priorities for whole-of-government exercising, as well as the annual analysis undertaken to review and update the list of identified hazards under AGCMF, to inform the development of the annual national exercise program. This should include ensuring that exercises consider both natural and all-hazard scenarios.
National Emergency Management Agency response: Agreed.
Summary of entity responses
20. The proposed audit report was provided to the Department of the Prime Minister and Cabinet and the National Emergency Management Agency. Letters of response provided by each entity are included at Appendix 1. The summary responses provided are included below. The improvements observed by the ANAO during the course of this audit are at Appendix 2.
Department of the Prime Minister and Cabinet
The Department of the Prime Minister and Cabinet (PM&C) welcomes the proposed report on the Australian Government Crisis Management Framework (AGCMF). PM&C accepts the key findings and recommendations, and has commenced steps to address these matters.
PM&C is committed to strengthening the Australian Government’s crisis management arrangements and preparedness in partnership with other Australian Government agencies. It has undertaken a comprehensive review of the AGCMF, resulting in the development of a new and enhanced Framework, supporting Handbook and more robust continuous improvement processes. It will continue to enhance guidance under these products to guide the publication of plans, assessment of staffing capacities and the development of surge arrangements.
PM&C will also continue to work with other relevant agencies, including the National Emergency Management Agency (NEMA), to enhance guidance on national planning and preparedness activities, including human rights considerations and consider options to clarify crisis responsibilities following machinery of government changes. It will establish improved guidance and repeatable processes for the annual review of the AGCMF, as well as for future comprehensive reviews, to ensure lessons from future scenario planning and exercises are captured. PM&C will also assess its senior staffing capacities in the context of crisis response.
National Emergency Management Agency
The National Emergency Management Agency (NEMA) welcomes the findings of the ANAO Performance Audit of the Australian Government Crisis Management Framework (AGCMF) and is committed to preparing Australia for all hazard crisis events, now and into the future. The Performance Audit complements the recent review of the AGCMF. NEMA will continue to work with the Department of the Prime Minister and Cabinet (PM&C), the Australian Government, jurisdictions, industry and non-government organisations for continuous improvement in crisis management preparedness.
NEMA will work with PM&C to ensure whole-of-government crisis exercising aligns to the priorities identified by the Crisis Arrangements Committee, including consideration of natural and all-hazard impacts and consequences.
Acknowledging the current and future risk of consecutive, compounding and concurrent crises, NEMA will continue building crisis capability within the agency and across the Australian Government. NEMA will work alongside PM&C to assess crisis workforce planning needs and increase crisis workforce capability.
NEMA is committed to building the Australian Government’s strategic crisis planning capability through the Crisis Appreciation and Strategic Planning (CASP) methodology. We will continue to support a nationally-consistent approach to planning and preparedness activities through CASP, ensuring Australians and their communities are supported before, during and after crisis events.
Key messages from this audit for all Australian Government entities
21. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Records management
Summary and recommendations
Background
1. The Victorian Government announced the construction of the Suburban Rail Loop (SRL) in August 2018. When complete, the SRL will be a 90-kilometre rail line from Cheltenham to Werribee.
2. In May 2022, a $2.2 billion initial contribution towards the SRL East project was announced by the Australian Labor Party as part of its 2022 federal election campaign. SRL East is the first section of the SRL project and connects Cheltenham to Box Hill.
3. The Australian Government committed $2.2 billion to SRL East in the October 2022–23 Federal Budget.
4. Australian Government funding for land transport infrastructure projects is administered by the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (the department) and the Department of the Treasury (Treasury), with input from the states and territories and Infrastructure Australia. The funding is governed by an approval process. As at June 2024, the SRL East project has progressed only through the first stage of the project approval process (refer to Figure 1.3).
Rationale for undertaking the audit
5. The Australian Government provides significant investment in land transport infrastructure, in partnership with state and territory governments. This audit provides assurance to Parliament that Australian Government funding decisions for the SRL East project were supported by appropriate advice and consistent with the requirements for Australian Government infrastructure investment.1
Audit objective and criteria
6. The audit objective was to assess whether the department effectively managed the approval and administration of the Australian Government’s $2.2 billion funding commitment towards SRL East.
7. To form a conclusion against the objective, the ANAO examined the following criteria:
- Did the department provide appropriate advice to the Australian Government on allocation of funding to SRL East?
- Were established processes for allocating infrastructure funding to the states and territories followed to protect the Australian Government’s interests and achieve value for money?
Conclusion
8. The department was largely effective in managing the approval and administration of the Australian Government’s $2.2 billion commitment to SRL East, noting the current status of the SRL East project within the project approval process.
9. The department provided largely appropriate advice to the Australian Government on the SRL East project, relative to its current status in the project approval process. The advice focused on including the $2.2 billion election commitment in the October 2022–23 Federal Budget. Other advice provided on the SRL East commitment to the Minister for Infrastructure, Transport, Regional Development and Local Government (the minister) was primarily through email correspondence or verbal advice — for which limited records were kept.
10. There are established processes in place to support land transport infrastructure investment by the Australian Government, which align with legislative requirements and have review mechanisms in place. For SRL East, the department has followed the components of the process required to be undertaken as of June 2024. As at June 2024, the SRL East is yet to go through the formal project approval process, which must occur before funding can be expended.
Supporting findings
Advice to government on the SRL East project
11. The department provided advice to the Australian Government on the SRL commitment as part of the October 2022–23 Federal Budget process. The department used the $2.2 billion election commitment as the basis for the level of funding and provided high-level risks, relative to the current status of the project in the project approval process. Where information was provided verbally between the department and the minister’s office, there were limited records kept by the department. (See paragraphs 2.2 to 2.25)
Project approval process
12. The process for the Australian Government to approve and administer land transport infrastructure investment projects aligns with legislation and frameworks. There are changes underway to the frameworks based on findings and recommendations from three external reviews conducted since 2022. (See paragraphs 3.3 to 3.32)
13. The SRL East project was identified as a land transport investment project by the department following the announcement of SRL East as a 2022 election commitment. The Australian Government’s commitment of $2.2 billion to the SRL East project was made through the usual Federal Budget processes. The $2.2 billion has been added to the national partnership agreement schedule as required and updated to reflect the change to the funding profile agreed to by the Australian Government as part of the Mid-Year Economic and Fiscal Outlook (MYEFO) 2023–24. (See paragraphs 3.33 to 3.35)
14. A project proposal report from the Victorian Government is due to be submitted to the department by the end of 2024 to facilitate assessment of the project and consideration and approval by the minister. An updated SRL business case is also required to be submitted to Infrastructure Australia by the Victorian Government for a formal evaluation, which is required as part of project approval for any Australian Government contribution to infrastructure projects over $250 million. (See paragraphs 3.36 to 3.48)
Summary of entity responses
15. The proposed report was provided to the department. Extracts of the proposed report were provided to Infrastructure Australia and the Treasury. The summary responses from the department and the Treasury are provided below and the full responses from the department and the Treasury are at Appendix 1. Infrastructure Australia chose not to provide a response letter.
Department of Infrastructure, Regional Development, Transport, Communications and the Arts
The department welcomes the proposed report and the report’s overall conclusion that the department was largely effective in managing the approval and administration of the Australian Government’s $2.2 billion commitment to Suburban Rail Loop East (SRL East), noting the current project status within the project approval process.
As noted in the report, SRL East is yet to go through the formal project approval process, which must occur before Australian Government funding can be approved. Following receipt and assessment of a project proposal report from the Victorian Government, and having regard to the formal assessment provided by Infrastructure Australia, the department will provide advice to the Minister for Infrastructure, Transport, Regional Development and Local Government, in regards to approval of the SRL East project, in accordance with the Public Governance, Performance and Accountability Act 2013 and the National Land Transport Act 2014.
Infrastructure Australia
No summary response provided.
The Department of the Treasury
Treasury welcomes the report. Although there are no recommendations or findings specifically directed to Treasury, Treasury notes and accepts the report’s key message for all Australian Government entities, regarding the importance of appropriate records management and providing advice through formal ministerial briefings.
Key messages from this audit for all Australian Government entities
16. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Records management
Summary and recommendations
Background
1. The security of government information and communications technology (ICT) systems, networks and data supports Australia’s social, economic and national security interests as well as the privacy of its citizens. Malicious cyber activity has been identified as a significant threat affecting Australians, exacerbated by low levels of cyber maturity across many Australian Government entities.1
2. The Department of Defence’s (Defence’s) mission and purpose is to defend Australia and its national interests in order to advance Australia’s security and prosperity. Defence’s 2022 Cyber Security Strategy states that ‘Malicious cyber activity now represents one of Defence’s most critical risks.’2
3. The Protective Security Policy Framework (PSPF) was introduced in 2010 to help Australian Government entities protect their people, information and assets, both at home and overseas. The PSPF sets out the government’s protective security policy approach and is comprised of 16 core policies.3 PSPF Policy 11 Robust ICT systems requires that:
Entities must [emphasis in original] only process, store or communicate information and data on an ICT system that the determining authority (or their delegate) has authorised to operate based on the acceptance of the residual security risks associated with its operation.4
When establishing new ICT systems, or implementing improvements to an existing system, the decision to authorise (or reauthorise) a system to operate must [emphasis in original] be based on the Information Security Manual’s [ISM] six step risk-based approach for cyber security.5
4. Defence has established the Defence Security Principles Framework (DSPF) to support compliance with the requirements of the PSPF. The DSPF outlines Defence’s requirements for ICT assessment and authorisation including that ‘all Defence ICT systems must be authorised prior to processing, storing or communicating official information’.
Rationale for undertaking the audit
5. Through its 2022 Cyber Security Strategy, Defence has recognised that ‘Malicious cyber activity now represents one of Defence’s most critical risks.’ Robust ICT systems protect the confidentiality, integrity and availability of the information and data that entities process, store and communicate. PSPF Policy 11 outlines how entities can safeguard ICT systems through assessment and authorisation activities to support the secure and continuous delivery of government business.
6. Questions regarding Defence’s system authorisation process were raised at hearings of the Senate Foreign Affairs, Defence and Trade Legislation Committee in June 2021, including in relation to:
- Defence’s use of provisional authorisations beyond 12 months for systems where security concerns have not been sufficiently addressed;
- deficiencies in Defence’s processes for identifying and assessing risks as part of the authorisation process; and
- DSPF compliance with the Information Security Manual (ISM).
7. This audit was conducted to provide assurance to the Parliament on Defence’s arrangements for the management of ICT systems security authorisations.6
Audit objective and criteria
8. The audit objective was to assess the effectiveness of the Department of Defence’s arrangements to manage the security authorisation of its ICT systems.
9. To form a conclusion against this objective, the following high-level criteria were adopted.
- Does Defence have fit-for-purpose arrangements for the security authorisation of its ICT systems?
- Has Defence implemented its arrangements for the security authorisation of its ICT systems?
Engagement with the Australian Signals Directorate
10. Independent timely reporting on the implementation of the cyber security policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. Previous ANAO reports on cyber security have drawn to the attention of Parliament and relevant entities the need for change in entity implementation of mandatory cyber security requirements, at both the individual entity and framework levels.
11. In preparing audit reports to the Parliament on cyber security in Australian Government entities, the interests of accountability and transparency must be balanced with the need to manage cyber security risks. The Australian Signals Directorate (ASD) has advised the ANAO that adversaries use publicly available information about cyber vulnerabilities to more effectively target their malicious activities.
12. The extent to which this report details the cyber security vulnerabilities of Defence was a matter of careful consideration during the course of this audit. To assist in appropriately balancing the interests of accountability and potential risk exposure through transparent audit reporting, the ANAO engaged with ASD to better understand the evolving nature and extent of risk exposure that may arise through the disclosure of technical information in the audit report. This report focusses on matters material to the audit findings against the objective and criteria.
Conclusion
13. Defence’s arrangements to manage the security authorisation of its ICT systems have been partly effective. Systems have not been authorised in a timely manner and were assessed through processes that did not consistently comply with Protective Security Policy Framework (PSPF) requirements.
14. Defence’s arrangements for the security authorisation of its ICT systems are partly fit for purpose. Defence’s policies, frameworks and processes to support system assessment and authorisation have not been regularly reviewed or updated to align with PSPF and Defence Security Principles Framework (DSPF) requirements. These policy and process documents are internally inconsistent. Defence has not established training to ensure that key personnel involved in the authorisation process remain up-to-date with changing cyber security requirements in the Information Security Manual (ISM) and PSPF.
15. Defence has partly implemented arrangements for the security authorisation of its ICT systems. Defence’s data on its system assessments and authorisations is incomplete and indicates that System Owner obligations to obtain and maintain authorisation of their systems are not being fulfilled.
16. There were deficiencies in relation to Defence’s monitoring and reporting arrangements, including non-compliance with DSPF reporting requirements. Key information on the system authorisation status of Defence’s systems was omitted from Defence’s reporting, including not addressing a request from the Minister for Defence to include metrics in reporting on unapproved ICT systems within Defence. Defence’s internal and external reporting on its assessments indicated a more optimistic outlook than was otherwise reflected in other internal Defence documentation. Across the ICT systems examined in case studies, deficiencies included: the absence of key data and mandatory security documentation; no evidence of assessment of control implementation; and deficiencies in the peer review process.
Supporting findings
Defence’s arrangements for the security authorisation of its ICT systems
17. Defence has not appropriately maintained its policy and governance framework for the authorisation of its ICT systems. When the DSPF was implemented in July 2018, some sections were not complete, with key authorisation roles listed but not defined for 13 of the 14 Defence Services and Groups listed. These roles remained undefined until a May 2024 review of the DSPF. Prior to the May 2024 update, DSPF Principle 23 and DSPF Control 23.1 had not been updated since July 2020. This meant that key changes to the mandatory requirements in PSPF Policies 10 and 11 between August 2020 and February 2022 — such as the introduction of the ‘Essential Eight’ and the ISM six-step process for system assessment and authorisation — were not reflected in the DSPF until 10 May 2024. (See paragraphs 2.3–2.25)
18. Directives, instructions, and policies issued by the Australian Defence Force (ADF) services for ICT authorisations for Army, Navy and Air Force systems contain provisions that are either not consistent with or not permitted by the requirements of the DSPF, or PSPF Policy 11. These provisions have allowed for exemptions to Defence’s system authorisation process that are not permitted under the DSPF or PSPF. (See paragraphs 2.26–2.38)
19. A key supporting framework, the Defence ICT Certification and Accreditation Framework (DICAF) — developed to ensure consistency in the authorisation process for all Defence ICT systems that process, store or communicate official, sensitive or classified information — has been in draft since December 2015. As at May 2024, the DICAF remains incomplete with a placeholder remaining for a key section that was to be developed on the assessment and authorisation process. In response to shortcomings identified in the DICAF by an internal audit in May 2020, Defence developed a separate ‘Assessment and Authorisation Framework’ document in December 2021. The framework was approved by Defence’s Chief Information Security Officer (CISO) in February 2024 and released in May 2024. (See paragraphs 2.39–2.51)
20. Defence does not have an up-to-date set of consolidated guidance to support the implementation of its framework in a consistent manner across the organisation. Defence’s assessment and authorisation process guidance is internally inconsistent and a number of supporting templates have not been finalised or are outdated. Separate instructions, directives and policies exist for the Army, Navy and Air Force, which include some requirements that are inconsistent with Defence’s assessment and authorisation process, the DSPF and PSPF. (See paragraphs 2.52–2.73)
21. Defence has not established training to ensure that Security Assessors remain up-to-date on evolving cyber security requirements, instead relying on peer review and Assessment Authority review to mitigate any ‘deficiencies in knowledge’. Deficiencies were identified in Defence’s implementation of the peer review process and Defence does not undertake assurance activities to monitor the extent to which training is completed. The absence of a formalised training approach to support the implementation of DSPF requirements for the assessment and authorisation of ICT systems creates a risk that systems are not being authorised as intended. Defence data on ICT system authorisations shows that 47 per cent of its systems have a status of either ‘Expired’ or ‘No accreditation’, indicating that System Owner obligations in respect to obtaining and maintaining the authorisation of their systems are not being met. (See paragraphs 2.74–2.93)
Implementation of arrangements for the security authorisation of Defence’s ICT systems
22. Defence’s data indicates that the obligations of System Owners to obtain and maintain the authorisation of their systems are not being fulfilled. (See paragraphs 3.5–3.26)
23. Defence self-assesses and reports annually on its compliance with PSPF Policy 11 and has established governance and internal reporting requirements for DSPF controls, including DSPF Control 23.1 ICT Certification and Accreditation. Deficiencies in Defence’s reporting include that:
- Defence has not reported on the authorisation status of ICT systems at an enterprise level since 2018–19 in its PSPF and DSPF reporting (a key indicator of compliance against DSPF Control 23.1 and PSPF Policy 11);
- Defence’s PSPF and DSPF reporting is not consistent with, and does not reflect, other information available within Defence on the assessment and authorisation of its ICT systems; and
- Defence has not complied with the DSPF requirement to provide individual Control Owner reports to the Defence Security Committee since 2019–20. (See paragraphs 3.27–3.68)
24. Defence has not briefed the minister on its ICT assessment and authorisation activities in the last three years. In September 2019, the minister requested that Defence include a metric on the reduction of unapproved systems in an ‘ICT reform stream report’. Defence did not address this request. (See paragraphs 3.69–3.73)
25. Defence has not consistently complied with the requirements of its assessment and authorisation process. For example, for all five systems examined:
- key supporting data had not been entered in Defence’s ICT authorisation management system, and mandatory security documentation had not been provided to the Security Assessors;
- Defence was unable to substantiate that document reviews and control implementation assessments took place; and
- there were shortcomings in the peer review process, including not identifying that mandatory security documentation was missing, and not identifying inaccuracies and errors in Risk Assessments. (See paragraphs 3.74–3.90)
26. There were instances where systems had been re-authorised based on the re-authorisation triggers in the DSPF. These re-authorisations were not always granted prior to authorisation expiry. (See paragraphs 3.91–3.100)
Recommendations
Recommendation no. 1
Paragraph 2.24
The Department of Defence ensure that DSPF roles and requirements for system assessment and authorisation are complete, current, and regularly reviewed for alignment with the PSPF and Group/Service appointments.
Department of Defence response: Agreed.
Recommendation no. 2
Paragraph 2.72
The Department of Defence conducts a review of, and updates, its assessment and authorisation process documentation to ensure:
- alignment with current DSPF and PSPF requirements;
- consistency across all internal guidance documents, including those developed by the ADF Services; and
- that any internal inconsistencies within individual guidance documents are eliminated.
Department of Defence response: Agreed.
Recommendation no. 3
Paragraph 2.89
The Department of Defence:
- implements improved training and awareness raising activities to ensure that key personnel involved in the assessment and authorisation process are aware of their obligations under the PSPF and DSPF, and remain up-to-date with evolving cyber security requirements; and
- implements a framework to monitor and report on the completion of training and awareness raising activities.
Department of Defence response: Agreed.
Recommendation no. 4
Paragraph 3.25
The Department of Defence develops and implements processes to ensure that information entered into its ICT authorisation management system is complete, accurate, and supports effective monitoring of ICT system authorisations.
Department of Defence response: Agreed.
Recommendation no. 5
Paragraph 3.45
The Department of Defence:
- implement enterprise-wide assurance arrangements to support the effective implementation of DSPF system authorisation requirements; and
- implement arrangements to ensure that deficiencies and non-compliance identified through Service assurance activities relating to system authorisations are addressed and rectified.
Department of Defence response: Agreed.
Recommendation no. 6
Paragraph 3.67
The Department of Defence implement arrangements to ensure reporting to senior Defence leadership on compliance with system authorisation requirements under the PSPF and DSPF is comprehensive, accurate, and based on available data.
Department of Defence response: Agreed.
Recommendation no. 7
Paragraph 3.72
The Department of Defence:
- ensures that relevant ministers are provided with timely and accurate advice on key issues and risks relating to Defence’s ICT security authorisations and its compliance with the PSPF; and
- provides regular (at least annual) updates to relevant ministers to support oversight for improvements to its assessment and authorisation policies, frameworks and processes.
Department of Defence response: Agreed.
Recommendation no. 8
Paragraph 3.98
The Department of Defence implements arrangements to ensure that PSPF requirements, DSPF requirements and Defence’s assessment and authorisation process are complied with, including:
- ensuring that all required documentation has been completed prior to system assessment and authorisation;
- documenting the approval and review of mandatory supporting documentation;
- conducting and documenting assessments of the implementation and effectiveness of controls and provisional authorisation conditions against all relevant ISM and DSPF controls; and
- ensuring systems are proactively monitored against the conditions for re-authorisation.
Department of Defence response: Agreed.
Summary of the Department of Defence’s response
27. The proposed audit report was provided to the Department of Defence. Defence’s summary response is provided below, and its full response is included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Defence welcomes the Auditor-General Report: Defence’s Management of ICT Security Authorisation. Defence agrees to the eight recommendations aimed at improving Defence’s Cyber Security Assessment and Authorisation Framework to more effectively govern and monitor the authorisation of ICT systems and networks and control cyber-related ICT risk.
Defence is committed to strengthening and standardising our approach to safeguarding data from cyber threats and ensuring the secure operation of our ICT systems to protect the continuous delivery of Defence outcomes. Defence is currently reviewing its Cyber Security Assessment and Authorisation Framework, along with the associated policies, practices and processes, as part of Defence’s wider initiative to uplift cyber security governance and its cyber risk management framework. This includes an overhaul of several pertinent Defence Security Principles Framework policies, which are undergoing review, along with a program to drive Essential 8 Maturity.
Key messages from this audit for all Australian Government entities
28. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Performance and impact measurement
Summary and recommendations
Background
1. Security vetting involves the assessment of an individual’s suitability to hold a security clearance at a particular level. Australian Government employees and contractors require a security clearance to access classified resources, which can relate to Australia’s national security, economic and other interests.1 The security vetting and clearance process is an important risk mitigation activity intended to protect the national interest, which can also affect an individual’s employment and the business operations of entities if not managed effectively or in a timely manner.
2. The Australian Government Security Vetting Agency (AGSVA) is part of the Department of Defence (Defence) and provides security clearance assessments as a whole-of-government service. In February 2014, Defence identified the need for long-term and potentially significant investment in ICT solutions because the existing system used by AGSVA to process security clearances, the Personnel Security Assessment Management System (PSAMS), did not have the ‘functionality needed for the future’. The February 2016 Defence Integrated Investment Program (IIP) subsequently outlined a need for ‘expanded security vetting’ as one of the ‘principal areas of focus’ for Defence.2
3. In October 2016, the Australian Government agreed to a suite of reforms to improve government entities’ management of the threat posed by malicious insiders, which included upgrading AGSVA’s ICT system.3
Vetting Transformation Project
4. The ‘Defence and Security Vetting Services 20/20 Reform Program’ was established in December 2016 and consisted of four workstreams: vetting; security policy, services and advice; security governance, assurance and reporting; and cultural change. The objectives for the vetting workstream included delivering: a new vetting security business model; a supporting ICT system; and relevant training, communications and change management activities.
5. The Vetting Transformation Project was established to deliver the vetting workstream objectives, including the design and implementation of a new system that:
- provides sponsoring entities with information on identified risk factors associated with individual clearance holders;
- increases automation of clearance decision-making and data collection (including across other government holdings, and online social-media information); and
- supports continuous assessment of security risk.4
Previous ANAO reports
6. The ANAO previously reviewed Defence’s performance in providing security vetting services through AGSVA in the following performance audits.
- Auditor-General Report No. 45 2014–15 Central Administration of Security Vetting, which was presented for tabling in Parliament in June 2015. The audit conclusion was that the performance of centralised vetting had been mixed and government expectations of improved efficiency and cost savings had not been realised.5
- Auditor-General Report No. 38 2017–18 Mitigating Insider Threats through Personnel Security, which was presented for tabling in May 2018. The audit conclusion was that the effectiveness of personnel security arrangements for managing insider threats had been reduced by AGSVA not implementing the government’s policy direction to share information with client entities on identified personnel security risks. The report also observed that AGSVA planned to realise the necessary process improvements through the procurement of a new ICT system, expected to be fully operational in 2023.6
Rationale for undertaking the audit
7. The ANAO undertook this audit, and previous (2015 and 2018) audits of Defence’s provision of security vetting services through AGSVA, as effective personnel security arrangements underpin the protection of the Australian Government’s people, information and assets. Previous audits identified deficiencies in AGSVA’s information systems. In the context of the Joint Committee of Public Accounts and Audit’s (JCPAA) inquiry into the ANAO’s 2018 audit, Defence advised the JCPAA that a project to build a new ICT system had received first-pass approval in April 2018, with delivery of the ‘initial operating capability’ (the base capability) expected in late 2020.7
8. The base capability of the new system was introduced on 28 November 2022. By February 2023, the extent of user issues experienced after the system ‘went live’ was the subject of parliamentary interest. This audit provides independent assurance to the Parliament on the effectiveness of Defence’s procurement and implementation of the new ICT system, now known as myClearance, and Defence’s remediation progress to date.
Audit objective and criteria
9. The objective of the audit was to assess the effectiveness of Defence’s procurement and implementation of the myClearance system to date.
10. To form a conclusion against the audit objective the following high-level criteria were adopted.
- Did Defence plan effectively and establish fit for purpose governance, oversight and reporting arrangements?
- Was Defence’s implementation of the system effective and supported by procurement processes conducted in accordance with the Commonwealth Procurement Rules (CPRs)?
11. The audit focused on the procurement of the project approval and support services provider (Deloitte), the prime systems integrator (Accenture), the organisational change management partner (KPMG) and the project delivery partner (VOAK Group). The audit also considered the arrangements used to procure the hardware and software components of the myClearance system, and other services to manage the delivery of the Vetting Transformation Project. The audit did not examine Defence’s administration or management of its contracts with the service providers.
Conclusion
12. Defence’s procurement and implementation of the myClearance system to date has been partly effective. The full functionality of the system will not be delivered as key elements, including the continuous assessment, automated risk-sharing and enhanced interface functionalities, were de-scoped from the project in November 2023.
13. Defence’s planning activities were largely effective. Early planning work in 2016 and 2017 focused on industry engagement and assessing the market’s ability to deliver and integrate the new IT system into Defence’s ICT environment. Work to refine the user and system requirements in mid-2018 was not informed by other government entities or stakeholders. Defence designed governance, oversight and reporting arrangements in line with the requirements of its Capability Life Cycle framework. The project governance arrangements were not implemented effectively and there was a lack of clarity on the purpose of and relationship between the various decision-making forums. Project reporting did not support informed, risk-based decision-making as project risks and issues were not clearly communicated to Defence leadership.
14. Defence’s procurement processes were partly effective. The processes to engage project approval and support services and the organisational change management partner were conducted in line with the Commonwealth Procurement Rules (CPRs). The process to engage the prime systems integrator was not consistent with the CPRs. The tender documentation included a list of mandatory products referring to trade names and producers — an approach that did not comply with Defence’s procurement policy framework. Defence’s conduct of the ‘Analysis of Alternatives’ in early 2020 resulted in material changes to the technical solution, schedule and delivery approach and provided opportunities to the preferred supplier that were not provided to other prospective suppliers. Defence’s approach to engaging the Project Delivery Partner in 2022 did not comply with Defence’s Accountable Authority Instructions or the intent of the CPRs.
15. Defence’s implementation of the myClearance system has been partly effective. Identified risks and issues were not resolved in a timely manner. Data cleansing and migration activities were not effective. Testing processes were truncated and were not conducted in line with agreed testing plans or Defence guidance. To address the issues encountered after the core vetting system went live in November 2022, Defence established the myClearance taskforce in February 2023. Defence’s remediation activities have progressively improved the performance of the system since it went live. In July 2023, Defence advised government that it had delivered a system that largely met the initial operating capability requirements. In November 2023 Defence advised government that the myClearance system would not deliver the full functionality as approved in December 2020.
Supporting findings
Effectiveness of planning activities
16. Defence conducted early planning activities between late 2016 and early 2018. Industry engagement and market research was undertaken to assess the market’s ability to design, build and integrate a new IT system into Defence’s ICT environment. Workshops and forums held to refine the user requirements and technical components in June 2018 did not include external stakeholders such as other government entities with ICT systems that AGSVA’s new vetting system would need to integrate or interface with. (See paragraphs 2.7 to 2.29)
17. The financial and technical risks associated with the planned procurement were assessed. To mitigate some of the identified risks, a list of mandatory products referring to trade names and producers was included in Defence’s tender documentation for the IT solution to be delivered by the systems integrator. As a result, the design of the procurement:
- did not comply with Defence’s procurement policy framework and was inconsistent with the Commonwealth Procurement Rules (CPRs);
- reduced the opportunity for suppliers to propose alternative solutions based on ‘functional and performance requirements’ that may have met Defence’s requirements; and
- introduced critical dependencies that increased the integration and schedule risks of the project. These risks were not effectively managed or communicated to senior Defence leadership or government. (See paragraphs 2.30 to 2.52)
Governance, oversight and reporting arrangements
18. Defence established governance, oversight and reporting arrangements for the Vetting Transformation Project in accordance with its Capability Life Cycle Manual — a framework that was designed to govern Defence’s acquisition of complex military equipment and materiel. These arrangements were not implemented effectively. (See paragraphs 2.63 to 2.79)
19. Reporting to decision-making forums accurately assessed the risks and issues that contributed to the problems experienced after the system ‘went live’. The impacts of those risks and issues on the expected functionality and capability of the system were not clearly communicated to Defence leadership. (See paragraphs 2.86 to 2.96)
20. Successive reviews, including independent assurance reviews, found that project governance arrangements were not ‘formally defined and maintained’ and there was a lack of clarity on the purpose of and relationship between each forum within the governance model. At March 2024, Defence had commenced a program of work to address the identified governance issues, including the implementation of a new governance model for the project. (See paragraphs 2.82 to 2.84 and 2.103 to 2.112)
Procurement processes
21. The processes to engage project approval and support services and the organisational change management partner were conducted in accordance with the CPRs. For the prime systems integrator (PSI) procurement, processes such as initial screening, evaluation, value for money assessment, and additional clarification activities were compliant with CPR requirements. Key shortcomings in the design of the PSI procurement resulted in the conduct of activities that were not consistent with the CPRs. These activities involved material changes to the technical solution, schedule and delivery approach and provided opportunities to the preferred supplier that were not provided to other prospective suppliers. These opportunities enabled the preferred supplier to develop a ‘solution to a budget’ and submit costings for work it did not originally tender for. (See paragraphs 3.15 to 3.44)
22. Defence did not comply with its Accountable Authority Instructions for the procurement of the Project Delivery Partner in June 2022. Up to 85 per cent of the project management and other specialist support services were engaged through approaches to single suppliers, selected from a panel on each occasion. This approach was technically compliant with the CPRs but was not consistent with their intent — to drive value for money through competition. (See paragraphs 3.48 to 3.56)
Implementation of the system
23. Identified risks and issues were not resolved in a timely manner and cumulative delays in providing Government Furnished Materials to the Prime Systems Integrator gave rise to risks impacting the critical path of the project. These risks were realised, reducing the time available to test the system as required prior to the core vetting system (the base capability) going live on 28 November 2022. (See paragraphs 3.63 to 3.66, 3.70 to 3.72, and 3.84 to 3.90)
- Data cleansing and migration activities were not conducted effectively or completed in a timely manner. Representative data (production data) was not used for testing as planned. The impacts arising from these issues on the functionality and capability of the system were not clearly communicated to decision-makers. (See paragraphs 3.103 to 3.110)
- Testing activities were truncated and were not conducted in line with agreed testing plans or in a manner consistent with Defence guidance. Testing activities that were to be conducted sequentially were conducted in parallel. (See paragraphs 3.111 to 3.123)
- Defence does not have a program in place to monitor and review privileged user activity and does not have a process to periodically revalidate user accounts for the myClearance system. (See paragraphs 3.91 to 3.100)
24. Throughout 2023, Defence’s myClearance taskforce achieved progressive improvements to the core vetting system. In November 2023, Defence recommended that the government agree to de-scoping the: continuous assessment; automated risk sharing; use of artificial intelligence; and enhanced interfaces from the myClearance system. As a consequence, the myClearance system will not deliver the desired capability uplift or provide the full functionality advised to government in December 2020. (See paragraphs 3.135 to 3.139)
Recommendations
25. The ANAO has made two recommendations to improve risk management for complex high value ICT projects and manage and maintain the security of the system.
Recommendation no. 1
Paragraph 2.53
The Department of Defence ensure that risk management plans, comprising a risk appetite statement and risk tolerances, are developed, implemented and maintained for its complex, high value ICT projects.
Department of Defence response: Agreed.
Recommendation no. 2
Paragraph 3.101
The Department of Defence develop and implement a program of work to periodically revalidate user access and monitor privileged user accounts to ensure that management of the myClearance system complies with the requirements of the Information Security Manual.
Department of Defence response: Agreed.
Summary of the Department of Defence’s response
26. The proposed audit report was provided to the Department of Defence. Defence’s summary response is provided below, and its full response is included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Defence acknowledges the Auditor-General’s findings that the implementation of the myClearance system was partly effective. Defence is committed to strengthening procurement and governance arrangements, ensuring important projects are delivered in the best interests of Australia’s national security.
Defence has achieved substantial improvements in security clearance processing since the system launched. Following the introduction of myClearance in November 2022, over 110,000 clearances have been processed, with over 75,000 clearances completed in the myClearance system during 2023–24. Vetting timeframes for all clearance levels are also being consistently met.
Defence is committed to increasing ICT project risk oversight and management through three robust lines of assurance to ensure decision makers are well informed of emerging risks and potential impacts. The methodology includes:
- Establishing robust first-line assurance for ICT projects prior to progressing through gate decisions, ensuring all mandatory project artefacts are complete and performance milestones are achieved;
- Increasing second-line assurance, assessing ICT project governance implementation and the end-to-end business solution; and
- Continuing third-line enterprise level objective assessment of adequacy, effectiveness and efficiency of governance, performance and risk management.
Defence is confident this holistic approach to oversight and assurance will enable active identification, robust management and reporting of risks and opportunities.
Key messages from this audit for all Australian Government entities
27. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Summary and recommendations
Background
1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Commonwealth entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).
2. The Australian Research Council (ARC) reported 140 staff in 2021–22 and 167 staff in 2022–23. Forty-three staff (30.7 per cent) in 2021–22 and 49 staff (29.3 per cent) in 2022–23 held corporate credit cards. Credit card expenditure in 2021–22 was $226,860.22 (from 441 transactions) and in 2022–23 was $411,957.31 (from 1,417 transactions). Total credit card expenditure over the two financial years was $638,817.53 (from 1,858 transactions). The number of transactions increased between the two financial years, due to the influence of the COVID-19 pandemic, which limited staff travel and hospitality during 2021–22. Credit card and travel expenditure represented 5.16 per cent and 16.93 per cent of ARC’s supplier expenses in 2021–22 and 2022–23.3
Rationale for undertaking the audit
3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:
establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.4
4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:
[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6
5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority for approving credit card transactions8 and ineffective controls to manage the use of corporate credit cards.9 This audit was conducted to provide the Parliament with assurance that the ARC is effectively managing corporate credit cards in accordance with legislative and entity requirements.
6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements audit series are the:
- Australian Research Council;
- Federal Court of Australia;
- National Disability Insurance Agency; and
- Productivity Commission.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the ARC’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.
8. To form a conclusion against the objective, the ANAO examined:
- whether the ARC has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
- whether the ARC has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.
Conclusion
9. The ARC was largely effective in managing the use of corporate credit cards for official purposes in accordance with legislative and entity requirements. Better implementation of preventive and detective controls could improve the ARC’s assurance over its corporate credit card use.
10. The ARC’s arrangements for managing the issue, return and use of corporate credit cards were largely effective. Documentation of policies and procedures could be improved and the ARC has not tested all risk controls related to credit cards. The ARC did not respond to parliamentary questions on notice with accurate information on credit card use.
11. The implementation of the ARC’s preventive and detective controls was partly effective in controlling risk. Controls were not always implemented in accordance with policy. Although the ARC had identified 10 instances of non-compliance that did not align with policies and procedures in 2021–22 and 2022–23, the ANAO identified 83. Positional authority risks were not directly addressed and there was no analysis of usage trends to improve the effectiveness of controls. The ARC has documented processes for managing non-compliance. This does not include detail on the processes for managing repeated instances of non-compliance.
Supporting findings
Arrangements for managing corporate credit cards
12. Risks related to credit card misuse are contained in the ARC’s Fraud Control Plan. Credit card compliance is reviewed through an annual CEO compliance review and a compliance survey every four months. There are opportunities for the ARC to improve the identification and management of controls around duplicate transactions. (See paragraphs 2.4 to 2.24)
13. The ARC’s policies and procedures for the issue, return and use of credit cards included coverage of requirements within accountable authority instructions and other policies. There is scope to improve documentation of policies and procedures. Policies and procedures were not reviewed and updated in line with the ARC’s timeframes. Language in the documents could be strengthened. (See paragraphs 2.25 to 2.43)
14. The ARC Credit Card Procedure and acquittal form provide details for acquittal. The cardholder agreement form outlines the credit card usage requirements. The ARC provides mandatory Fraud Awareness and Commonwealth Resource Management Framework e-learning to all staff and access to relevant webinars on fraud and scams. (See paragraphs 2.44 to 2.45)
15. The ARC has arrangements for monitoring and reporting on the issue, return and use of credit cards. The finance team monitors statements and acquittals on an ongoing basis and can produce reports on issue, return and use of cards through the HSBC Online Portal, as required. The ARC reports on credit card use as part of the annual CEO compliance review and monitors credit card compliance. The ARC reported on credit card issue and use when requested by Parliament, which included an overstatement for two questions on notice. (See paragraphs 2.46 to 2.54)
Controls and processes for corporate credit cards
16. Preventive controls implemented by the ARC could be strengthened by consistency in documentation. Documentation of expenditure type and credit card limits in the initial application process is not completed in line with policies and procedures. There is no process in place to periodically review cardholders with monthly credit limits above the policy-defined limits. Cancellation practice did not align with policies and procedures. (See paragraphs 3.4 to 3.20)
17. ARC reviews, acquits and verifies transactions manually each month. The supporting evidence required for all expenditure is not consistently provided to the delegate for approval. The ARC’s process for tracking travel approvals is inconsistent. The ARC implemented an Official Hospitality and Gifts Policy in June 2023. The ARC has not directly addressed positional authority risk. (See paragraphs 3.21 to 3.45)
18. The ARC has a process to manage instances of non-compliance; however, this process under-identified instances of non-compliance during 2021–22 and 2022–23. The ARC identified 10 instances of non-compliance that did not align with policies and procedures, compared with the ANAO’s identification of 83. The ARC has not established preventive and detective processes to periodically analyse usage trends to detect patterns across its corporate credit card and Diners Club virtual card expenditure. The policy and procedure require immediate reporting of credit card misuse; it does not include detail on the processes for managing repeated instances of non-compliance. (See paragraphs 3.46 to 3.54)
Recommendations
Recommendation no. 1
Paragraph 3.34
The Australian Research Council resolve inconsistencies between policies and procedures and actual practice.
Australian Research Council response: Agreed.
Recommendation no. 2
Paragraph 3.41
The Australian Research Council should consider positional authority risk directly, including for key roles, like the Chief Executive Officer (CEO); and if suitable, implement transparency measures, such as regularly reporting on these expenses to the Audit Committee Chair.
Australian Research Council response: Agreed.
Recommendation no. 3
Paragraph 3.51
The Australian Research Council review credit card transactions, to identify trends, such as trends in use and non-compliance, and their impact on policies and review and take corrective action. This work could include:
- periodic review of usage patterns to assess whether there is an ongoing business case for a credit card; and
- analysing patterns of credit card spending to develop ongoing improvements to methods for monitoring the effectiveness of the acquittal process.
Australian Research Council response: Agreed.
Summary of entity response
19. The proposed audit report was provided to the ARC. The ARC’s summary response is reproduced below. Its full response is included at Appendix 1. Improvements observed by the ANAO during the course of the audit are at Appendix 2.
The Australian Research Council (ARC) welcomes the Australian National Audit Office’s (ANAO) report and accepts the recommendations made for the agency.
The report finds that the ARC is effective overall in managing the use of corporate credit cards in accordance with legislative and entity requirements and the issue, return and use of corporate credit cards. The ANAO’s review of all credit card transactions for the audit period (2021–22 to 2022–23) also revealed no instances of fraud or deliberate misuse.
The report does identify areas for improvement and makes three recommendations where the ARC can take steps to further strengthen its policies, processes, and controls. The ARC agrees with, and will take steps to implement, these recommendations.
Key messages from this audit for all Australian Government entities
20. This audit is part of a series of audits that apply a standard methodology to corporate credit card management in Commonwealth entities. The four entities included in the ANAO’s 2023–24 corporate credit card management series are the:
- Australian Research Council;
- Federal Court of Australia;
- National Disability Insurance Agency; and
- Productivity Commission.
21. Key messages from the ANAO’s series of credit card management audits will be outlined in an Insights product available on the ANAO website.
Summary and recommendations
Background
1. Income management is a key activity listed in the Department of Social Services’ (the department’s) Corporate Plan 2022–23.1 Income management2 is a ‘tool that helps people budget their welfare payments and ensures they are getting the basic essentials of life, such as food, housing, electricity and education’.3
2. On 23 May 2021, the Australian Labor Party made an election commitment to abolish the Cashless Debit Card (CDC) program if it were elected to govern. The CDC program facilitated a portion of a participant’s income support payment being allocated to a restricted bank account, accessed by a debit card which did not allow cash withdrawals, or the purchase of alcohol, gambling or cash-like products. The proportion of income was prescribed by legislation. The CDC program had a legislated end date of 31 December 2022.4 On 3 June 2022, the Minister for Social Services issued a press release stating she had held discussions with the department on the cessation of the CDC program.5 The Social Security (Administration) Amendment (Repeal of Cashless Debit Card and Other Measures) Bill 2022 (the Bill) contained legislative amendments to abolish the CDC and implement a new form of income management, the Enhanced Income Management program, on 6 March 2023. The Bill was passed on 28 September 2022 and the relevant provisions establishing the Income Management Program came into effect on 1 October 2022.6
3. CDC participants from the Northern Territory, Cape York and Doomadgee regions were required by legislation to transfer to the Enhanced Income Management program. Participants from Bundaberg, Hervey Bay, the Goldfields, Ceduna and East Kimberley regions were exited from the CDC program and could voluntarily become a participant of Enhanced Income Management.
4. As at 30 September 2022 the department recorded there were 16,616 participants on the CDC program. The department recorded that 4,039 participants were transferred from the CDC program to the Enhanced Income Management program as at 10 March 2023, with 181 of these participants (4.5 per cent) voluntarily choosing to participate in the program. The CDC participants who were not mandated to transfer to the Enhanced Income Management program or who did not volunteer to transfer, did not continue with any form of income management.
5. Services Australia was allocated funding in the October 2022–23 Federal Budget to support the cessation of the CDC program, including the procurement and supply of the new card and the banking and telephony services to support the transition from the CDC program to Enhanced Income Management.
6. Appendix 3 sets out the timeline of key dates for the cessation of the CDC program and the introduction of Enhanced Income Management.
Rationale for undertaking the audit
7. This audit provides assurance to the Parliament on the effectiveness of the management of the transition from the CDC program to the Enhanced Income Management program.
8. The ANAO undertook two previous performance audits of the CDC program. Auditor-General Report No. 1 2018–19 The Implementation and Performance of the Cashless Debit Card Trial examined the department’s implementation and evaluation of the CDC trial.7 The audit found that while the department largely established appropriate arrangements to implement the CDC trial, its approach to monitoring and evaluation was inadequate. It was therefore difficult to conclude if the CDC trial was effective in achieving its objective of reducing social harm and whether the card was a lower cost welfare quarantining approach.
9. Auditor-General Report No. 29 2021–22 Implementation and Performance of the Cashless Debit Card Trial — Follow-on examined the effectiveness of the department’s administration of the CDC program.8 The audit found that the department’s administrative oversight of the CDC program was largely effective; however, the department had not demonstrated that the CDC program was meeting its intended objectives.
Audit objective and criteria
10. The objective of the audit was to assess the effectiveness of the transitional arrangements from the CDC program to the Enhanced Income Management program.
11. To form a conclusion against the objective, the following high level criteria were applied:
- Did the department have effective oversight of the transition arrangements?
- Was the design of the Enhanced Income Management program based on appropriate advice and evidence?
- Did Services Australia undertake the procurement process for the Enhanced Income Management program in accordance with the Commonwealth Procurement Rules?
Conclusion
12. The transitional arrangements from the Cashless Debit Card program to the Enhanced Income Management program were largely effective. Robust program monitoring and performance measurement to inform future policy design has not been implemented and no evaluation plan has been developed for the Enhanced Income Management program.
13. The department had largely effective oversight of the transition arrangements.
14. The department established an internal branch to deliver the transition activities and coordinate activities across the Australian Government and utilised the existing joint steering committee with Services Australia, established under the bilateral arrangements, to oversee the transition. The governance arrangements would have been enhanced with appropriate record keeping practices and defined reporting responsibilities. There was regular reporting on operational matters and participation rates to the executives of the department and Services Australia. There was no evidence that shared risks rated ‘high’ on the joint risk register with Services Australia were escalated in accordance with the department’s Risk Management Framework.
15. The department’s design of the Enhanced Income Management program was largely based on appropriate advice and evidence. There was no evidence the design was informed by ANAO performance audit reports on the Cashless Debit Card (CDC) program, or evaluations and lessons learned from the CDC program. The department’s program monitoring and performance measurement is not sufficiently robust to inform future policy design. No evaluation plan has been developed for the Enhanced Income Management program.
16. Services Australia’s limited tender procurement for the Enhanced Income Management program was largely compliant with the Commonwealth Procurement Rules (CPRs). Probity and conflicts of interest were managed largely in accordance with the CPRs and policy requirements. Services Australia’s engagement with Indue Limited (Indue) during the response period for the request for quote was not consistently documented. Advice to decision-makers was sufficiently detailed and largely documented appropriately. The evaluation committee’s assessment of value for money was informed by expert advice and provided to the delegate. The benchmarking activity due to be undertaken in June 2023, which was a significant factor in Services Australia achieving a value for money outcome, commenced seven months later than the timeframe set out in the contract with Indue.
Supporting findings
Did the Department of Social Services have effective oversight of the transition arrangements?
17. The department established an internal branch, known as the Taskforce, to coordinate activities between the department, Services Australia and the National Indigenous Australians Agency (NIAA), during the transition period. The effectiveness of the Taskforce’s activities would have been enhanced by appropriate record keeping practices. The department utilised an existing joint steering committee with Services Australia, established under the bilateral arrangements, to oversee the transition. The department established a joint risk register to manage shared risks with Services Australia which was reported to the joint steering committee. There was no evidence the joint steering committee monitored progress against the department’s strategy or project management plan for the transition. The Taskforce provided regular reporting on operational matters and participation rates to the department’s and Services Australia’s executives. (See paragraphs 2.3 to 2.42)
18. The department and Services Australia developed a joint risk register for shared risks relating to the transition. Each identified risk was accompanied by a risk assessment. The review, amendment and approval of the joint risk registers was not consistently documented. Risks relating to the application of product level blocking technology to the Enhanced Income Management program were not documented in the joint risk register between June 2022 and June 2023. There was no evidence that any of the eight risks rated ‘high’ were escalated in accordance with the department’s Risk Management Framework (RMF). (See paragraphs 2.43 to 2.64)
Was the design of the Enhanced Income Management program based on appropriate advice and evidence?
19. The department advised the Australian Government that the Enhanced Income Management program was designed to address community concerns about the proposed legislation to abolish the CDC program, particularly in relation to participants returning to use the older technology offered for the BasicsCard Income Management program. The department provided risk based advice on the date for implementation of the transition to the Enhanced Income Management program. There is no evidence that the design of the Enhanced Income Management program was informed by ANAO audit recommendations, evaluations or lessons learned from the CDC program or other relevant programs. (See paragraphs 3.3 to 3.17)
20. The department’s Corporate Plan contains a performance measure related to participants using their account following the transition from the CDC program to the Enhanced Income Management program. No additional key performance indicators or performance measures have been established. The department regularly monitors data on participant numbers and geographical location and Services Australia produces monthly reporting on the product level blocking used to prevent the sale of restricted items. Services Australia’s reporting does not include all merchants operating product level blocking technology. No evaluation plan was developed for the Enhanced Income Management program. (See paragraphs 3.18 to 3.44)
Did Services Australia undertake the procurement process for the Enhanced Income Management program in accordance with the Commonwealth Procurement Rules?
21. Approval from the Deputy Chief Executive Officer (Deputy CEO) and Services Australia’s Executive Committee for the limited tender issued was appropriately documented. Services Australia engaged a probity advisor and established a probity protocol to support the limited tender process. A conflicts of interest register was established. An assessment of the two declared potential conflicts was not documented. The delegate did not complete a conflict of interest declaration for the procurement activity. Services Australia did not document all interactions with the tenderer during the request for quote response period. (See paragraphs 4.4 to 4.28)
22. The tender evaluation report documented the committee’s assessment of the response to the request for quotation. The spending proposal provided to the delegate summarised the outcomes of the contract negotiations and the reasons for the recommendation to award the contract. (See paragraphs 4.29 to 4.44)
23. The evaluation committee documented its technical, pricing and risk assessment of Indue’s response to the request for quotation and how the outcome of the contract negotiations demonstrated achievement of value for money. The evaluation committee’s assessment was informed by the technical analysis undertaken by a pricing expert who compared Indue’s proposal with the similar services provided under the contract with the Department of Social Services. Services Australia commenced the benchmarking review seven months later than stated in the contract with Indue. (See paragraphs 4.45 to 4.60)
Recommendations
Recommendation no. 1
Paragraph 2.26
The Department of Social Services and Services Australia:
- ensure the terms of reference for all oversight and governance committees and bodies related to income management programs clearly define their reporting structure and responsibilities and, where applicable, refer to the governance arrangements set out in the bilateral agreement or supporting protocols and service agreements; and
- implement mechanisms to gain assurance that all oversight and governance committees and bodies are operating in accordance with the terms of reference.
Department of Social Services response: Agreed.
Services Australia response: Agreed.
Recommendation no. 2
Paragraph 2.57
The Department of Social Services implement controls to gain assurance that risks rated ‘high’ or ‘extreme’ are escalated to the Deputy Secretary and the Executive Management Group consistent with the department’s risk management policy.
Department of Social Services response: Agreed.
Recommendation no. 3
Paragraph 3.31
The Department of Social Services establish appropriate program monitoring to gain assurance that controls implemented for the Enhanced Income Management program, including product blocking technology, are working effectively to achieve the policy intent of the program.
Department of Social Services response: Agreed.
Recommendation no. 4
Paragraph 3.45
The Department of Social Services develop and implement an evaluation plan for the Enhanced Income Management program that is consistent with the Commonwealth Evaluation Toolkit to inform policy design changes and any other relevant programs.
Department of Social Services response: Agreed.
Summary of entity response
24. The proposed audit report was provided to the department and Services Australia. The department and Services Australia’s summary responses are reproduced below. The full responses from both entities are at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Department of Social Services
The Department of Social Services (the Department) acknowledges the insights and opportunities for improvement outlined in the Australian National Audit Office (ANAO) report on Transitional Arrangements for the Cashless Debit Card (CDC).
The Department welcomes the ANAO’s conclusion that the transitional arrangements from the CDC to the enhanced Income Management (IM) program were largely effective. The Department accepts the conclusion relating to the need to strengthen program monitoring and performance measurement to inform future policy design, as well as the need to implement an evaluation plan for the enhanced IM program.
The Department agrees with all four Recommendations and acknowledges the suggested opportunities for improvement and has taken steps to address these matters.
Services Australia
Services Australia (the Agency) notes the overall finding that the transitional arrangements for the Cashless Debit Card program to the Enhanced Income Management program were largely effective, and that the Agency’s limited tender procurement was largely compliant with the Commonwealth Procurement Rules.
The Agency will continue to work with the Department of Social Services to further strengthen our governance and performance monitoring arrangements related to the Enhanced Income Management program.
Key messages from this audit for all Australian Government entities
25. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Evaluation and monitoring
Procurement
Summary and recommendations
Background
1. The Mulwala facility in New South Wales is the sole remaining manufacturing site of military propellants and high explosives in Australia. The nearby munitions facility at Benalla, Victoria, uses some of the output of the Mulwala facility in its operations. Both facilities are owned by the Commonwealth and operated by a third party, Australian Munitions, a wholly owned subsidiary of Thales Australia (Thales).1 Thales has managed and operated the facilities at Benalla and Mulwala under several different contractual arrangements since 1999 (outlined in Appendix 3).
2. The Australian Government announced on 29 June 2020 that the Department of Defence (Defence) had signed a new 10-year agreement valued at $1.2 billion with Thales for the continued management and operation of the Mulwala and Benalla facilities.2 The agreement was intended to provide surety of supply of key munitions and components for the Australian Defence Force (ADF) and maintain a domestic munitions manufacturing capability. The agreement took effect on 1 July 2020 and resulted from a complex multi-year sole source procurement begun in 2016. The sole source procurement followed a terminated competitive procurement process undertaken between 2009 and 2014.
3. The Australian Government also announced on 29 June 2020 a new contract between the Commonwealth and NIOA Munitions (NIOA) for a tenancy at the Benalla munitions factory.3 This agreement was to establish NIOA as a tenant alongside Thales and provide opportunities for domestic manufacturing while enhancing supplies of key munitions for Defence.4
4. On 24 April 2023, the Australian Government released a public version of the final report of the Defence Strategic Review (DSR).5 It referenced the continuing importance of advanced munitions manufacturing, stating that the immediate focus must be on consolidating ADF guided weapons and explosive ordnance (GWEO) needs, establishing a domestic manufacturing capability, and the acceleration of foreign military and commercial sales. The report further outlined that, to do this, the ADF must hold sufficient stocks of GWEO and have the ability to manufacture certain lines, with the realisation of a GWEO enterprise being ‘central to achieving this objective.’6
5. At 19 June 2024, the implementation of a GWEO enterprise remains a key government priority, with the domestic manufacture of GWEO and munitions in Australia included: as one of seven ‘Sovereign Defence Industrial Priorities’ in the Defence Industry Development Strategy (announced in February 2024)7; and as part of the ‘immediate priorities’ set out in the public versions of the 2024 Integrated Investment Program (IIP) and the 2024 National Defence Strategy (both announced on 17 April 2024).8
6. On 5 May 2023, the Minister for Defence Industry announced the appointment of a senior responsible officer with responsibility for a Defence GWEO enterprise.9 At June 2024, Defence’s website stated that the facilities at Mulwala and Benalla ‘are key assets within the GWEO enterprise and will play a role in the expansion of domestic GWEO manufacturing.’10
Rationale for undertaking the audit
7. To establish the arrangements for the operation and maintenance of the Mulwala and Benalla facilities beyond June 2020, Defence undertook a complex and lengthy procurement process that was based on a sole source approach. This audit examined whether this process was effective and in accordance with the Commonwealth Procurement Rules (CPRs).
8. This audit builds on previous work by the ANAO which has examined Defence’s management of the Benalla and Mulwala facilities over time, and provides independent assurance to the Parliament on Defence’s establishment of arrangements for the operation and maintenance of the Mulwala and Benalla facilities beyond June 2020.
Audit objective and criteria
9. The audit objective was to assess whether the arrangements for the operation and maintenance of the Mulwala and Benalla facilities beyond June 2020 were established through appropriate processes and in accordance with the CPRs.
10. To form a conclusion against the audit objective, the following high-level criteria were selected:
- Did Defence plan effectively for the operation and maintenance of the facilities beyond the expiry of the 2015–20 interim contract?
- Did Defence conduct an effective sole source procurement process to establish the 2020–30 contractual arrangements?
- Did Defence effectively manage probity throughout the process?
11. This report is the first of two performance audit reports examining Defence’s establishment and management of the facilities beyond June 2020. It focuses on Defence’s establishment of the 2020–30 operating arrangements, including the tender assessment process, advice to decision makers and the decision to conduct a sole source procurement. Defence’s management of performance against the contract is the focus of a second report, which will be presented for tabling later in 2024.
Conclusion
12. Defence’s conduct of the sole source procurement for the operation and maintenance of the Mulwala and Benalla facilities beyond June 2020 was partly effective. Defence’s management of probity was not effective and there was evidence of unethical conduct.
13. Defence’s planning processes prior to the expiry of the 2015 interim contract were partly effective. While options for the management of the facilities beyond June 2020 were developed, deficiencies were identified in Defence’s subsequent procurement and probity planning processes and in its advice to decision-makers. Defence’s decision to conduct a sole sourced procurement was not informed by an estimated value of the procurement prior to this decision and Defence did not document the legal basis for selecting a sole sourced procurement approach, as required by the CPRs. Probity risks were realised in 2016 when Defence personnel provided Thales with confidential information relating to its Investment Committee (IC) proposal, and advice to decision-makers did not address how value for money would be achieved and commercial leverage maintained in the context of a sole source procurement.
14. Defence’s conduct of the sole source procurement process to establish the 2020–30 contractual arrangements was partly effective. Risk assessments were not timely and appropriate records for key meetings with Thales during the tender process were not developed or retained by Defence. After assessing Thales’ tender response as not being value for money in October 2019, Defence proceeded to contract negotiations in December 2019 notwithstanding internal advice that Defence was at a disadvantage in such negotiations due to timing pressures.
15. The negotiated outcomes were not fully consistent with Defence’s objectives and success criteria. Defence’s approach to negotiating the contract in accordance with high-level issues reduced the line of sight between the request for tender (RFT) requirements and the negotiated outcomes. Defence’s advice to ministers on the tender and contract negotiations did not inform them of the extent of tender non-compliance, basis of the decision to proceed to negotiations, or ‘very high risk’ nature of the negotiation schedule.
16. Defence did not establish appropriate probity arrangements in a timely manner. A procurement-specific probity framework to manage risks associated with the high level of interaction between Defence and Thales was not put in place until July 2018. Probity risks arose and were realised during 2016 and 2017, including when a Defence official solicited a bottle of champagne from a Thales representative. Defence did not maintain records relating to probity management and could not demonstrate that required briefings on probity and other legal requirements were delivered.
Supporting findings
Planning during the interim contract period
Options development and consideration of facilities management beyond June 2020
17. Defence provided advice to the Minister for Defence during 2014 on a range of options for the management of the facilities beyond June 2020, including: continuing with the status quo; the Commonwealth operating the facilities; and closing the facilities. These options continued to be considered by Defence and the government between 2015 and mid-2017. In 2016, a clear preference emerged to sole source the operation and maintenance of the facilities to the incumbent, Thales. By July 2016, Defence was primarily focused on developing a proposed ‘strategic partnership’ arrangement with Thales. Defence did not document the legal basis (that is, an exemption provided by paragraph 2.6 of the CPRs) for the proposed sole source activity to inform its subsequent procurement planning (see paragraphs 2.1 to 2.51).
18. A procurement-specific probity framework was not put in place until July 2018, to help manage probity risks in the context of pursuing a strategic partnership arrangement with Thales. These risks crystallised during 2016 when:
- senior Defence personnel advised Thales at an October 2016 summit meeting that Defence’s preference would be to progress a government-owned contractor-operated arrangement with Thales into the future; and
- a Defence official sought assistance from and provided information to Thales in November 2016 on the development of internal advice to the IC, Defence’s committee processes, and internal Defence thinking and positioning. Government information of this sort is normally considered confidential, and the relevant email exchange evidenced unethical conduct (see paragraphs 2.48 to 2.51).
Advice and analysis informing the decision to conduct a sole source process with the incumbent operator
19. Defence’s advice to the IC in December 2016 and the Minister for Defence Industry in mid-2017 on the decision to sole source was not complete. The advice did not address the legal basis for the procurement method, the risks associated with a sole source procurement approach, or value for money issues — including how Defence expected to achieve value for money and maintain commercial leverage in the context of a sole source procurement. When the IC approved the sole source procurement method in December 2016, Defence had not estimated the value of the procurement. This was not consistent with the CPR requirement to estimate the value of a procurement before a decision on the procurement method is made (see paragraphs 2.52 to 2.71).
Establishment of the 2020–30 arrangements
Procurement planning activities
20. Defence’s procurement planning activities were not timely. Prior to mid-2017, Defence’s planning had largely focussed on seeking approval by June 2017 to inform Thales of the arrangements for the facilities beyond June 2020 (as required of Defence under the interim contract) and to enable collaborative contract development with Thales to commence. Defence’s advice to decision-makers was not informed by the results of key planning processes, as required by the CPRs and Defence’s procurement policy framework. These key processes were not conducted until after December 2016, when the sole source procurement method was approved, and included:
- the progressive development of Defence’s requirements for the facilities between March 2017 and July 2019, with assistance from Thales; and
- internal workshops between October 2017 and May 2018, which identified risks that had not been previously documented. Defence did not develop a risk management plan to actively manage those risks (see paragraphs 3.1 to 3.31).
Development of the request for tender
21. Defence undertook a process which included the principal elements of a complex procurement as set out in Defence’s procurement policy framework, including an Endorsement to Proceed (EtP), RFT process and detailed contract negotiations. A feature of Defence’s process was the high level of interaction with Thales on the contents of the RFT before and after it was issued on 16 August 2019, including during the tender response period. Defence’s Complex Procurement Guide (CPG) identified ‘probity risks inherent in such activities’ and stated that relevant engagement processes and activities ‘should be planned and conducted with appropriate specialist support.’ Seeking specialist advice on the propriety and defensibility of its approach would have been prudent and consistent with the Public Governance, Performance and Accountability Act 2013 (PGPA Act) duty that officials exercise care and diligence (see paragraphs 3.32 to 3.63).
Tender evaluation
22. By October 2019, Defence had determined that Thales’ tender response was not value for money due to assessing the proposal as ‘Deficient – Significant’ with ‘High’ risk against all five evaluation criteria and identifying 199 non-compliances against the RFT. Defence considered the number of non-compliances to be ‘unprecedented’ and initially agreed, internally, to extend the interim contract with Thales to allow sufficient time to negotiate the non-compliances with the RFT (see paragraphs 3.64 to 3.78).
23. Following senior-level discussions in November 2019 with Thales, Defence decided to conclude the evaluation process on 4 December 2019 and proceed to contract negotiations. This decision was made notwithstanding internal advice that Defence was at a disadvantage in negotiations due to timing pressures. Defence’s internal advice considered that it had no ‘off-ramps’ due to the impending expiry of the interim contract on 30 June 2020. Defence did not clearly document the basis for reducing risk ratings against all the evaluation criteria from ‘High’ to ‘Medium’, following the senior-level discussions with Thales (see paragraphs 3.79 to 3.90).
24. Defence did not prepare or retain appropriate records for key meetings with Thales during the tender where the identified risks required active Defence management in the Commonwealth interest. Defence’s approach to record keeping was not consistent with requirements in the relevant Communications Plan, internal procurement advice, guidance in the CPG, or the CPRs (see paragraphs 3.91 to 3.100).
Negotiation outcomes
25. The negotiated outcomes for the 2020–30 contract were not fully consistent with Defence’s objectives and success criteria approved by Defence in July 2019. At the conclusion of negotiations in February 2020, three of the 15 success criteria aimed at incentivising satisfactory performance and reducing the contract management burden and total cost of ownership for the facilities were reported as not achieved. Defence’s approach to negotiations involved agreeing a schedule and high-level negotiation issues with Thales, to guide negotiations between December 2019 and February 2020. Defence did not systematically address the 199 non-compliances it had identified in Thales’ tender response. This approach reduced the traceability between the RFT requirements, risks and issues identified during tender assessment, and the negotiated outcomes in the agreed contract (see paragraphs 3.101 to 3.114).
26. Defence’s advice to its ministers on the tender and 2020–30 contract negotiations did not inform them of key issues such as the extent of tender non-compliance, the basis of the decision to proceed to negotiations, and Defence’s assessment of the ‘very high risk’ nature of the negotiation schedule (see paragraphs 3.115 to 3.133).
Probity management
Establishment of probity arrangements
27. Defence did not establish appropriate probity arrangements in a timely manner. Defence did not have project and procurement-specific probity arrangements in place until July 2018, more than two years after its initial engagement with Thales (in March 2016) about future domestic munitions manufacturing arrangements. Prior to establishing these probity arrangements, Defence did not assess or take steps to manage potential probity risks arising from ongoing direct engagement with the incumbent operator or remind those involved of their probity obligations, including in relation to offers of gifts and hospitality. During this period, probity risks were realised and there was evidence of unethical conduct, including when a Defence official solicited a bottle of champagne from a Thales representative (see paragraphs 4.1 to 4.30).
28. While Defence’s CPG identified ‘inherent’ probity risks in ‘any procurement that involves high levels of tenderer interaction’, Defence did not appoint a probity adviser that was external to the department. Defence maintained a register of probity documentation but did not retain relevant records for one of the 65 personnel recorded as having completed documentation. For 22 (25 per cent) of the 87 personnel who completed probity documentation, this completion was not recorded in any register. There was no relevant probity documentation for a further six individuals involved for a period in the procurement. Defence’s conflict of interest (COI) register for the procurement was also incomplete. It did not record six instances where a Defence official or contractor declared a potential, perceived or actual COI, including a Tender Evaluation Board member’s declaration of long-term social relationships with Thales staff. Defence was unable to provide evidence that briefings on probity and other legal requirements were delivered in accordance with the Legal Process and Probity Plan for the procurement (see paragraphs 4.31 to 4.50).
Recommendations
Recommendation no. 1
Paragraph 2.31
The Department of Defence document at the time the proposed procurement activities are decided:
- the circumstances and conditions justifying the proposed sole source approach, to inform subsequent procurement planning; and
- which exemption in the CPRs is being relied upon as the basis for the approach and how the procurement would represent value for money in the circumstances.
Department of Defence response: Agreed.
Recommendation no. 2
Paragraph 2.61
The Department of Defence, including its relevant governance committees, ensure that when planning procurements, the department estimates the maximum value (including GST) of the proposed contract, including options, extensions, renewals or other mechanisms that may be executed over the life of the contract, before a decision on the procurement method is made.
Department of Defence response: Agreed.
Recommendation no. 3
Paragraph 2.64
The Department of Defence, including its relevant governance committees, ensure that advice to decision-makers on complex procurements is informed by timely risk assessment processes that are commensurate with the scale, scope and risk of the relevant procurement.
Department of Defence response: Agreed.
Recommendation no. 4
Paragraph 3.61
The Department of Defence ensure that when it undertakes complex procurements with high levels of tenderer interaction, it seeks appropriate specialist advice, including from the Department of Finance as necessary.
Department of Defence response: Agreed.
Recommendation no. 5
Paragraph 3.94
The Department of Defence ensure compliance with the Defence Records Management Policy and statutory record keeping requirements over the life of the 2020–30 Strategic Domestic Manufacturing contract, including capturing the rationale for key decisions, maintaining records, and ensuring that records remain accessible over time.
Department of Defence response: Agreed.
Recommendation no. 6
Paragraph 3.112
The Department of Defence ensure, for complex procurements, that there is traceability between request for tender (RFT) requirements, the risks and issues identified during the tender assessment process, and the negotiated outcomes.
Department of Defence response: Agreed.
Recommendation no. 7
Paragraph 4.10
The Department of Defence develop procurement-specific probity advice for complex procurements at the time that procurement planning begins and develop probity guidance for:
- complex procurements involving high levels of tenderer interaction; and
- managing engagement risks in the context of long-term strategic partnership arrangements.
Department of Defence response: Agreed.
Recommendation no. 8
Paragraph 4.25
The Department of Defence make appointment of external probity advisers mandatory for all complex procurements with high probity risks, such as procurements with high levels of tenderer interaction.
Department of Defence response: Agreed.
Summary of entity response
29. The proposed audit report was provided to Defence. Defence’s summary response is reproduced below. The full response from Defence is at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Department of Defence
Defence acknowledges the findings contained in the audit report on Defence’s Management of Contracts for the Supply of Munitions, which assessed the effectiveness of the procurement and contract establishment for the Department’s Strategic Domestic Munitions Manufacturing contracting arrangement.
The Mulwala and Benalla munition factories underpin Australia’s ability to develop critical propellants, explosives and munitions for the Australian Defence Force and are recognised as a world-class capability. Since this procurement activity, the strategic landscape has changed, as outlined in the Defence Strategic Update of 2020 and the Defence Strategic Review in 2023. The National Defence Strategy further prioritises these factories as critical and foundational industrial capabilities for Australian domestic manufacturing, supporting sovereign resilience and our allies.
Defence welcomes collaborative engagement with our industry partners in delivering unique capability outcomes. Defence acknowledges and understands the need to ensure that such engagement is appropriately managed, and will strengthen the guidance in relation to identifying and managing procurement and probity risks early in the process as well as maintaining these records for the life of the procurement activity. Defence is continually improving and updating the Defence frameworks that underpin the issues raised.
Key messages from this audit for all Australian Government entities
30. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Procurement
Summary and recommendations
Background
1. The Public Service Act 1999 requires that Australian Public Service (APS) employees, agency heads and statutory office holders abide by the APS Code of Conduct. The APS Code of Conduct, consistent with duties under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), requires officials to declare the receipt of gifts, benefits and hospitality. Collectively, these requirements establish obligations for officials and Commonwealth entities in relation to how they manage the provision and receipt of gifts, benefits and hospitality.
2. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person. The National Anti-Corruption Commission Act 2022 also contains provisions against conduct that adversely affects (or could adversely affect) the honest and impartial exercise of any public official’s powers, functions or duties.
3. The Australian Public Service Commission (APSC) publishes Guidance for Agency Heads – Gifts and Benefits. The principles underpinning this guidance are that:
- agency heads are meeting public expectations of integrity, accountability, independence, transparency and professionalism in relation to gifts and benefits; and
- there is consistency in relation to agency heads’ management of gifts and benefits across APS agencies and Commonwealth entities and companies.
4. The Australian Communications and Media Authority (ACMA), established under the Australian Communications and Media Authority Act 2005 (ACMA Act), is a non-corporate Commonwealth entity covered by the Public Service Act 1999. ACMA is the Australian Government regulator for a range of legislation covering Australia’s telecommunications, broadcasting, radiocommunications, unsolicited communications and certain online content. The ACMA Act establishes ACMA as a Commonwealth statutory authority and the ACMA Chair as the accountable authority. The Online Safety Act 2021 establishes the eSafety Commissioner as a statutory office holder, supported by ACMA, and sets out the eSafety Commissioner’s functions and powers. In accordance with section 184 of the Online Safety Act 2021, ACMA must make available members of the staff of ACMA to assist the eSafety Commissioner to perform their functions and exercise their powers, and those staff are subject to the directions of the eSafety Commissioner. As at 30 June 2023, ACMA had 525 staff working in Canberra, Melbourne and Sydney.
Rationale for undertaking the audit
5. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person. Public service entities must meet public expectations of integrity, accountability, independence, transparency, and professionalism. Acceptance of a gift or benefit that relates to an official’s employment can create a real or apparent conflict of interest that should be avoided.
6. Public confidence in Commonwealth entities and the APS can be damaged when gifts and benefits that create a conflict of interest are accepted or not properly declared. APSC states in its publication, APS Values and Code of Conduct in practice, that the risk of the appearance of a conflict can be damaging to public confidence:
The appearance of a conflict can be just as damaging to public confidence in public administration as a conflict which gives rise to a concern based on objective facts.
7. This audit provides assurance to the Parliament that ACMA has complied with gifts, benefits and hospitality requirements.
Audit objective and criteria
8. The objective of the audit was to assess whether ACMA had complied with gifts, benefits and hospitality requirements.
9. To form a conclusion against the objective, the ANAO adopted the following two high-level audit criteria.
- Did ACMA have effective arrangements in place to manage gifts, benefits and hospitality?
- Were ACMA’s controls and processes for gifts, benefits and hospitality operating effectively in accordance with policies and procedures?
10. The audit examined the management of gifts, benefits and hospitality within ACMA over the period from 1 July 2021 to 30 September 2023.
Conclusion
11. ACMA is partly effective in managing and controlling the risks associated with giving and receiving gifts, benefits and hospitality. ACMA’s policies are largely in place to manage gifts, benefits and hospitality. The implementation of its policies is partly effective, with deficiencies in enforcing the requirements for: making declarations of gifts, benefits and hospitality; complying with declaration timeframes; and the completion of mandatory training and conflicts of interest declarations.
12. ACMA has established largely fit-for-purpose arrangements to manage the compliance requirements and risks associated with the management of gifts, benefits and hospitality. ACMA has implemented policies for gifts, benefits and hospitality that include an internal declaration process to support the public reporting requirements for all officials including the agency head. The policies also identify business functions where the acceptance or provision of gifts, benefits and hospitality may create increased risk of conflicts of interest, impacting on ACMA’s integrity and independence as the Australian Government regulator for communications and media services. ACMA’s policy does not include the requirement in the APSC Guidance to declare items based on their market value and items accepted by the agency head’s immediate families and dependants where it is related to the agency head’s official duties. ACMA’s suite of mandatory training covers obligations relating to gifts, benefits and hospitality. Risks associated with the acceptance or provision of gifts, benefits and hospitality, and the controls in place to manage them, have not been identified, assessed, and documented in ACMA’s Strategic Risk Register, fraud and corruption risk register, and divisional risk registers.
13. ACMA’s controls are partly effective in supporting its compliance with gifts, benefits and hospitality requirements. Analysis identified 19 instances of gifts, benefits and hospitality that were not declared in accordance with ACMA’s policy requirements. Of ACMA’s declarations of gifts, benefits and hospitality, 42 per cent did not meet ACMA’s declaration timeframe of 14 days. Mandatory training and conflicts of interest declarations were not completed as required in ACMA’s policies. For Senior Executive Service (SES) officers’ conflicts of interest declarations that were completed in 2022 and 2023, ACMA could not provide evidence that the ACMA Chair as the accountable authority had reviewed these as required by ACMA’s policy.
Supporting findings
Arrangements for managing gifts, benefits and hospitality
14. ACMA’s Strategic Risk Register contains an assessment of an integrity-related risk and controls such as declarations of conflicts of interests, training, enhanced identity authentication checks, and awareness of the National Anti-Corruption Commission. The risk assessment does not identify and assess controls to address potential impacts to integrity from gifts, benefits and hospitality. ACMA’s fraud and corruption risk register makes no reference to risks or controls arising from the provision or acceptance of gifts, benefits and hospitality. ACMA’s divisional risk registers, including for the Office of the eSafety Commissioner, do not identify controls to manage and reduce risks to its integrity, particularly where the provision and acceptance of gifts, benefits and hospitality may create conflicts of interest for specific functions and positions. (See paragraphs 2.6 to 2.14)
15. ACMA has established requirements for its staff pertaining to being offered, accepting and offering gifts, benefits and hospitality. ACMA’s policy framework aligns with the APSC Guidance except in the areas of reporting items at market value, and the declaration of items received by the agency head’s immediate families and dependants where it is associated with the agency head’s official duties. ACMA’s policy framework could be strengthened to cover the range of circumstances of gifts, benefits and hospitality impacting conflicts of interest, particularly given ACMA’s role as a regulator of communications and media services. (See paragraphs 2.18 to 2.51)
16. ACMA has established mandatory training arrangements that include learning relating to the Commonwealth Resource Management Framework, fraud awareness and the APS Values and Code of Conduct. These topics include the potential conflicts of interest impacts from gifts, benefits and hospitality. (See paragraphs 2.53 to 2.55)
17. ACMA has established policy and processes that centralise the reporting of receipt and provision of gifts, benefits and hospitality declarations. The process supports the collation of items that are reportable under the APSC Guidance and ACMA’s policy framework for reporting gifts, benefits and hospitality. (See paragraphs 2.56 to 2.60)
Implementation and effectiveness of arrangements for managing gifts, benefits and hospitality
18. ACMA has implemented preventative controls through its policies and declarations for gifts, benefits and hospitality, mandatory staff training, conflicts of interest declarations and delegations. ACMA’s preventative controls do not enable ACMA to effectively manage its risks relating to gifts, benefits and hospitality. ACMA relies on staff knowing its policy requirements and declaring all gifts, benefits and hospitality in a timely manner. ACMA has relied on staff having undertaken the training and declared potential conflicts of interest as its key preventative controls. Measures for staff training, conflicts of interest declarations and the timeliness of declaring gifts, benefits and hospitality within 14 days have not been effectively enforced to ensure compliance. (See paragraphs 3.2 to 3.33)
19. ACMA has established detective controls through its bi-annual PGPA Management Assurance Survey and quarterly reminders to relevant officials as the key mechanisms to detect non-compliance with its policy requirements. ACMA’s quarterly email reminders and conflicts of interest declaration process support detection for its management of gifts, benefits and hospitality requirements. (See paragraphs 3.38 to 3.40)
20. When non-compliance with gifts, benefits and hospitality policy requirements is identified, ACMA asks the staff member involved to make the declaration for collation and publication, where applicable, onto the gifts, benefits and hospitality register on ACMA’s website. (See paragraphs 3.41 to 3.43)
21. The ACMA Chair reviews the quarterly gifts, benefits and hospitality register and approves its publication on ACMA’s website. These declarations are reliant on staff knowing the declaration requirements within ACMA’s Official Hospitality and Business Catering Guide or from having received the quarterly reminder emails, rather than assurance arrangements that validate control effectiveness for its gifts, benefits and hospitality requirements. (See paragraphs 3.44 to 3.48)
Recommendations
Recommendation no. 1
Paragraph 2.15
Australian Communications and Media Authority:
- update the Strategic Risk Register and fraud and corruption risk assessment to include consideration of risks and controls in relation to gifts, benefits, and hospitality; and
- ensure that divisional risk assessments, including for the Office of the eSafety Commissioner, are completed for all business divisions and reflect the risks associated with gifts, benefits and hospitality, particularly for those functions with heightened risk.
Australian Communications and Media Authority response: Agreed.
Recommendation no. 2
Paragraph 2.38
Australian Communications and Media Authority review its policy framework for gifts, benefits and hospitality and implement amendments to align with the APSC Guidance for the requirements to declare items at current market value and the declaration of any service or item received by the family of the agency head, where there is a clear link with the agency head’s official duties.
Australian Communications and Media Authority response: Agreed.
Recommendation no. 3
Paragraph 3.34
Australian Communications and Media Authority establish governance and reporting arrangements to monitor and enforce its policy requirements for compliance with gifts, benefits and hospitality that include the completion of:
- declarations of offers, acceptance and the provision of gifts, benefits and hospitality within the stipulated time according to ACMA’s policy framework and delegations;
- mandatory training; and
- conflicts of interest declarations and management of actual or potential conflicts.
Australian Communications and Media Authority response: Agreed.
Summary of entity response
22. The proposed audit report was provided to ACMA. ACMA’s summary response to the audit is provided below and its full response is at Appendix 1.
The ACMA, including the Office of the eSafety Commissioner (eSafety), acknowledges the ANAO’s findings and agrees with, and has already taken steps to implement, the three recommendations identified in the Report. The ACMA remains committed to strengthening our controls for managing the risks associated with the giving and receiving of gifts, benefits and hospitality, including managing real and perceived conflicts of interest.
The ACMA will also implement all the additional opportunities for improvement identified in the Report in line with government best practice. Actions arising from the ANAO’s audit will include improved processes to ensure compliance with updated internal policies, additional reviews and cross-checking to avoid omissions and errors and better documentation of the assessment of conflicts of interest and actions to be taken where conflicts are identified. The ACMA thanks the ANAO audit team, who were professional and collaborative during their engagement with our staff.
Key messages from this audit for all Australian Government entities
23. This audit is part of a series of performance audits reviewing compliance with gifts, benefits and hospitality in selected non-corporate Commonwealth entities:
- Australian Communications and Media Authority;
- Department of the Treasury; and
- Murray Darling Basin Authority.
24. Key messages from this audit series will be outlined in an ANAO Insights product available on the ANAO website.
Summary and recommendations
Background
1. Australian Defence Force (ADF) recruitment advertising campaigns are typically the largest conducted by Australian Government entities each year. The Department of Finance reported that the Department of Defence’s (Defence’s) recruitment advertising expenditure was $60.2 million for 2022–23, representing approximately 33.6 per cent of total Australian Government advertising expenditure of $179.3 million. In conjunction with a range of contracted suppliers, Defence designs and administers advertising campaigns aimed at particular target audiences.
2. Australian Government entities are required to comply with a framework established by the Australian Government Guidelines on Information and Advertising Campaigns by non-corporate Commonwealth entities (the Guidelines).
3. The Guidelines state that they ‘operate on the underpinning premise that’:
- members of the public have equal rights to access comprehensive information about government policies, programs and services which affect their entitlements, rights and obligations; and
- governments may legitimately use public funds to explain government policies, programs or services, to inform members of the public of their obligations, rights and entitlements, to encourage informed consideration of issues or to change behaviour.
4. The Guidelines are a government policy and entities subject to them must be able to demonstrate compliance with five overarching principles when planning, developing and implementing publicly-funded information and advertising campaigns. The principles require that campaigns are:
- relevant to government responsibilities;
- presented in an objective, fair and accessible manner;
- objective and not directed at promoting party political interests;
- justified and undertaken in an efficient, effective and relevant manner; and
- compliant with legal requirements and procurement policies and procedures.
Rationale for undertaking the audit
5. Campaign advertising for ADF recruitment is an ongoing Defence activity and represents a material component of all Australian Government campaign advertising. In meeting its outcomes, Defence has identified ‘investing in the growth and retention of a highly skilled workforce to meet Australia’s defence and national security requirements’ as one of its seven key activities. This audit provides independent assurance to the Parliament on Defence’s management of selected ADF recruitment advertising campaigns.
Audit objective and criterion
6. The audit objective was to assess the effectiveness of Defence’s management of advertising campaigns for Australian Defence Force recruitment.
7. To form a conclusion against the audit objective, the ANAO adopted the following high-level criterion.
- Were the selected campaigns compliant with the Australian Government’s campaign advertising framework?
8. The ANAO selected three campaigns for review, which were launched in 2022–23:
- Take a Closer Look — launched on 21 August 2022;
- Where It All Begins — launched on 6 February 2023; and
- Live a Story Worth Telling — launched on 19 March 2023.
Conclusion
9. The Department of Defence’s management of the three selected advertising campaigns for Australian Defence Force recruitment was largely effective.
10. For the selected campaigns, Defence largely complied with the review, certification and publication requirements of the Australian Government’s campaign advertising framework and complied with the requirements of Principles 1 to 3 of the Guidelines.
11. Defence largely complied with Principle 4 except that it could not provide the ANAO with supporting evidence to verify the accuracy of cost information for each campaign.
12. With respect to Principle 5, Defence did not clearly document the substantive basis for its advice that there were no legal concerns with respect to the campaign materials.
13. Defence does not evaluate the overall effectiveness of its recruitment advertising campaigns after they have ended. The extent to which Defence’s recruitment advertising activities have contributed towards increasing the number of applications to join the ADF has therefore not been assessed by Defence.
14. There is scope for Defence to improve the transparency of its public reporting on individual advertising campaigns and to strengthen the assurance provided to the Secretary of Defence on compliance with the principles of the campaign advertising framework.
Supporting findings
Defence campaigns — compliance with requirements
15. For the three selected campaigns, Defence complied with most of the review, certification and publication requirements of the campaign advertising framework.
16. Each campaign received government approvals in accordance with the framework requirements applying at the time they were considered. (See paragraphs 2.8 to 2.33)
17. The Defence Secretary completed certifications that the campaigns complied with the five ‘overarching principles’ of the Guidelines and the certifications were published on Defence’s website. The Secretary’s certifications were informed by a third-party certification from the Independent Communications Committee (ICC) as required by the Guidelines, and Defence advice on compliance. (See paragraphs 2.12, 2.23 and 2.31)
18. As required by the framework, Defence developed a 2022–23 Media Strategy that was reviewed by the ICC. The ICC provided a report to the Defence Secretary, which was published on the Department of Finance’s website as required. (See paragraphs 2.34 to 2.40)
19. Defence did not publish research reports for the selected campaigns on its website and did not document why it was not appropriate to do so. (See paragraphs 2.17, 2.25 and 2.32)
20. While Defence’s annual report includes information on overall campaign expenditure, it does not specify the individual advertising campaigns conducted by Defence, as required by the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). (See paragraphs 2.14, 2.25 and 2.33)
21. Defence complied with the requirements of Principles 1 to 3 of the Guidelines.
22. Defence largely complied with Principle 4 except that it could not provide the ANAO with supporting evidence to verify the accuracy of cost information that it provided. In the absence of this information, no assurance can be provided on the accuracy or completeness of the campaign advertising expenditure as advised by Defence. (See paragraphs 2.102 to 2.107)
23. With respect to Principle 5 (compliance with legal requirements and procurement policies and procedures), Defence did not clearly document the substantive basis for its advice that there were no legal concerns with respect to the campaigns. (See paragraphs 2.72 to 2.75)
24. Defence uses quarterly Communications Tracking reports to monitor the performance of its active campaigns. Defence does not evaluate the overall effectiveness of its recruitment advertising campaigns after they have ended. The extent to which Defence’s recruitment advertising activities have contributed towards increasing the number of applications to join the ADF has therefore not been assessed by Defence. (See paragraphs 2.102 to 2.107)
Recommendations
Recommendation no. 1
Paragraph 2.15
The Department of Defence comply with the requirement of the Public Governance, Performance and Accountability Rule 2014 to include a statement, in its annual report, on the specific advertising campaigns conducted by Defence.
Department of Defence response: Agreed.
Recommendation no. 2
Paragraph 2.100
The Department of Defence provide the Department of Finance with details of expenditure on individual Defence advertising campaigns for inclusion in Finance’s annual report on Campaign Advertising by Australian Government Departments and Entities.
Department of Defence response: Agreed.
Recommendation no. 3
Paragraph 2.108
To meet the requirements of the Australian Government Guidelines on Information and Advertising Campaigns by non-corporate Commonwealth entities and the Commonwealth Evaluation Policy, for future advertising campaigns, the Department of Defence:
- establish clear objectives for each campaign prior to the development of the campaign;
- document an evaluation plan; and
- at the conclusion of each campaign, prepare a final evaluation report.
Department of Defence response: Agreed.
Summary of entity response
Department of Defence
Defence acknowledges the Auditor-General’s assessment that Defence has mostly complied with the requirements of the Government’s advertising framework and related guidelines, and its management of three selected ADF advertising campaigns has been largely effective as a result.
Defence notes that each of its campaigns is subject to rigorous and comprehensive quarterly evaluations over the life of a campaign, a period of typically four to six years, to regularly assess the audience’s resonance with, recollection of, and reaction to, the subject campaign. However, Defence accepts the finding that it has not conducted a final evaluation of campaigns it has elected to remove from market.
Defence agrees with the recommendations regarding the improvements to transparency in formal reporting. While Defence has reported expenditure connected to all of its advertising campaigns in annual reports authored by the Department of Defence and the Department of Finance, Defence has not provided details relating to expenditure by campaign, an action it will undertake in formal reporting in the future.
Key messages from this audit for all Australian Government entities
25. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Summary and recommendations
Background
1. The Public Service Act 1999 (PS Act) requires that Australian Public Service (APS) employees, agency heads and statutory office holders abide by the APS Code of Conduct. The APS Code of Conduct, consistent with duties under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), requires officials to declare the receipt of gifts, benefits and hospitality. Collectively, these requirements establish obligations for officials and Commonwealth entities in relation to how they manage the provision and receipt of gifts, benefits and hospitality.
2. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person. The National Anti-Corruption Commission Act 2022 also contains provisions against conduct that adversely affects (or could adversely affect) the honest and impartial exercise of any public official’s powers, functions or duties.
3. The Australian Public Service Commission (APSC) publishes Guidance for Agency Heads — Gifts and Benefits. The principles underpinning this guidance are that:
- agency heads are meeting public expectations of integrity, accountability, independence, transparency and professionalism in relation to gifts and benefits; and
- there is consistency in relation to agency heads’ management of gifts and benefits across APS agencies and Commonwealth entities and companies.
4. The Department of the Treasury (Treasury) is a non-corporate Commonwealth entity. Treasury is the government’s lead economic advisor, providing advice to the government and implementing policies and programs to achieve strong and sustainable economic and fiscal outcomes for Australians.
Rationale for undertaking the audit
5. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person. Public service entities must meet public expectations of integrity, accountability, independence, transparency, and professionalism. Acceptance of a gift or benefit that relates to an official’s employment can create a real or apparent conflict of interest that should be avoided.
6. Public confidence in Commonwealth entities and the APS can be damaged when gifts and benefits that create a conflict of interest are accepted or not properly declared. APSC states in its publication, APS Values and Code of Conduct in practice, that the risk of the appearance of a conflict can be damaging to public confidence:
The appearance of a conflict can be just as damaging to public confidence in public administration as a conflict which gives rise to a concern based on objective facts.
7. This audit provides assurance to the Parliament that Treasury has complied with gifts, benefits and hospitality requirements.
Audit objective and criteria
8. The objective of the audit was to assess whether Treasury had complied with gifts, benefits and hospitality requirements.
9. To form a conclusion against the objective, the ANAO adopted the following two high-level audit criteria.
- Did Treasury have effective arrangements in place to manage gifts, benefits and hospitality?
- Were Treasury’s controls and processes for gifts, benefits and hospitality operating effectively in accordance with policies and procedures?
10. The audit examined the management of gifts, benefits and hospitality within Treasury over the period 1 July 2021 to 30 September 2023.
Conclusion
11. Treasury has been largely effective in complying with its gifts, benefits and hospitality requirements. Shortcomings in the alignment of Treasury’s internal policy to APSC requirements, training and education arrangements for Treasury’s statutory office holders, and processes not detecting non-compliance reduced the effectiveness of arrangements.
12. Treasury has established largely effective arrangements for managing gifts, benefits and hospitality. Treasury has a system, policies and training to support officials in their management of gifts, benefits and hospitality. The policy applies to all Treasury officials. The policy is aligned to the requirements of APSC Guidance for Agency Heads — Gifts and Benefits, with the exception of requirements for declaring and reporting the receipt of hospitality. As a result, Treasury has reduced the transparency in public reporting for hospitality that has been received by officials. Not all statutory office holders that are officials of Treasury are provided guidance and training in relation to gifts, benefits and hospitality.
13. The operating effectiveness of Treasury’s processes and controls for gifts, benefits and hospitality is partly effective. Training and education arrangements that had been implemented for internal staff were operating effectively. Training and education arrangements were not provided to all statutory office holders of Treasury. Treasury made a decision in 2022 not to implement detective controls such as proactive compliance monitoring so Treasury is reliant on the self-declaration of officials that receive gifts, benefits and hospitality. Treasury processes had not identified two instances of non-compliance with Treasury’s internal policy requirements and a further 10 instances of non-compliance with the PGPA Act and APSC Guidance for Agency Heads — Gifts and Benefits.
Supporting findings
Arrangements for managing gifts, benefits and hospitality
14. Treasury has established arrangements for identifying and managing risks associated with the acceptance and provision of gifts, benefits and hospitality. Treasury’s risk management policy and framework outline the requirements for assessing risks and provide related guidance. Treasury has undertaken a fraud and corruption risk assessment at an entity-level and risk assessments for each of its groups. These risk assessments have considered gifts, benefits and hospitality. There is an opportunity to specifically articulate operational controls which are of relevance to gifts, benefits and hospitality rather than only high-level enterprise controls as expressed in the Fraud Risk Assessment. (See paragraphs 2.6 to 2.12)
15. Treasury has developed policies and procedures for officials regarding the acceptance of gifts, benefits and hospitality. These policies and procedures reference other relevant departmental policy including the conflict of interest policy. These policies and procedures align with the APSC Guidance for Agency Heads — Gifts and Benefits with the exception of the processes to declare and approve the receipt of hospitality. (See paragraphs 2.13 to 2.22)
16. Treasury has developed policies and procedures for officials regarding the provision of gifts, benefits and hospitality. These policies and procedures align with the APSC Guidance for Agency Heads — Gifts and Benefits and also reference other relevant departmental policy including the conflict of interest policy. Treasury policy refers to the application of guidance provided by the Department of Foreign Affairs and Trade (DFAT) in relation to the provision of gifts by officials posted overseas. (See paragraphs 2.23 to 2.27)
17. Treasury maintains mandatory training packages which include responsibilities and expectations for officials relating to gifts, benefits and hospitality. There are mechanisms in place to monitor mandatory training completion and follow up non-compliance with training requirements. While Treasury provides onboarding material to officials noting requirements to comply with the PGPA Act, Treasury does not have arrangements for statutory office holders (that are Treasury officials) to ensure consistency in the training and education arrangements made available to them. The Treasury Secretary has completed all mandatory training and completion of mandatory training modules by other Treasury staff ranges from 89 per cent to 92 per cent. (See paragraphs 2.28 to 2.43)
18. Treasury has implemented arrangements to support the reporting of the public register for gifts and benefits in accordance with APSC Guidance for Agency Heads — Gifts and Benefits. Treasury does not provide periodic reporting to internal governance committees on matters relating to gifts, benefits and hospitality, or have a formalised framework for monitoring compliance against internal policy requirements. (See paragraphs 2.44 to 2.49)
Implementation and effectiveness of arrangements for managing gifts, benefits and hospitality
19. Treasury’s preventative controls include its operational guidelines and online training modules. Access to the training modules was not provided to all statutory office holders that are officials of the department. Not all statutory office holders that had access to the training arrangements had completed the online training modules. (See paragraphs 3.2 to 3.20)
20. Treasury has not implemented detective controls that are specifically for the purpose of monitoring compliance with requirements for the receipt and provision of gifts, benefits and hospitality. Treasury has detective controls that can indirectly support the identification of non-compliance with related requirements. This includes assessing corporate credit card transactions and obtaining annual conflict of interest declarations from officials. (See paragraphs 3.21 to 3.35)
21. There were no documented processes for managing identified instances of non-compliance relating to gifts, benefits and hospitality. Treasury has not previously identified instances of non-compliance relating to gifts, benefits and hospitality so the effectiveness of related processes for managing non-compliance was unable to be assessed. (See paragraphs 3.36 to 3.38)
22. Treasury has not developed an evidence-based assurance framework that considers gifts, benefits and hospitality. The inclusion of gifts, benefits and hospitality in Treasury’s Financial Framework Assurance Plan was considered following a prior internal audit and a decision was made by Treasury that no further assurance processes were required. (See paragraphs 3.39 to 3.40)
Recommendations
Recommendation no. 1
Paragraph 2.12
The Department of the Treasury reassess the risks associated with gifts, benefits and hospitality with consideration to the findings of this audit and whether additional controls are required (including monitoring and reporting on compliance). In reassessing the risks, operational controls related to gifts, benefits and hospitality should be identified and recorded to support monitoring their effectiveness.
Department of the Treasury response: Agreed.
Recommendation no. 2
Paragraph 2.18
The Department of the Treasury update its internal policies to ensure its guidance is consistent with APSC Guidance for Agency Heads — Gifts and Benefits which requires that all gifts, that are valued at over $AUD 100 (excluding GST) and are accepted, are declared and recorded on Treasury’s gifts and benefits register.
Department of the Treasury response: Agreed.
Recommendation no. 3
Paragraph 3.18
The Department of the Treasury improve the arrangements for communicating and outlining obligations relating to managing gifts, benefits and hospitality. The Department of the Treasury:
- circulate APSC Guidance for Agency Heads — Gifts and Benefits to its statutory office holders (who are Treasury officials) to communicate requirements and provide guidance relating to gifts, benefits and hospitality;
- provide statutory office holders (who are Treasury officials) with access to departmental training materials; and
- encourage the consideration and use of departmental travel arrangements in accordance with paragraph 10(5)(c) and section 14 of the Remuneration Tribunal (Official Travel) Determination 2023 for its statutory office holders (who are Treasury officials).
Department of the Treasury response: Agreed.
Recommendation no. 4
Paragraph 3.32
The Department of the Treasury update the public gifts and benefits register to record instances of gifts and benefits received by officials, that have not previously been declared, to ensure reporting in accordance with requirements specified in the APSC Guidance for Agency Heads — Gifts and Benefits.
Department of the Treasury response: Agreed.
Summary of entity response
23. The proposed audit report was provided to the Department of the Treasury. The summary response to the report is below and the full response is at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Department of the Treasury
Treasury welcomes this report and thanks the ANAO for their professional and collaborative approach to this audit. Treasury is committed to ensuring full compliance and transparency with regard to gifts, benefits and hospitality and accepts the recommendations provided by the ANAO. Treasury has already implemented changes as per recommendations 2 and 4 and will consider how best to implement recommendations 1 and 3. Implementation and closure of these recommendations will be monitored by our Audit and Risk Committee.
Treasury notes the instances of non-compliance (relating to non-declaration of gifts) identified by the ANAO were not significant in nature, nor do they suggest a systemic issue with regard to the declaration of gifts received. The minor misalignment with the Australian Public Service Commission gifting guidelines, which created the non-compliance, has been rectified and Treasury has amended its public gift register to include the 4 gifts identified in this report as non-compliant.
Treasury will continue to ensure our internal policies and systems continue to mature and function effectively.
Key messages from this audit for all Australian Government entities
24. This audit is one of a series of gifts, benefits and hospitality audits that apply a standard methodology to selected entities’ compliance with gift, benefits and hospitality requirements. The three entities included in the ANAO’s gifts, benefits and hospitality series are:
- Department of the Treasury;
- Australian Communications and Media Authority; and
- Murray-Darling Basin Authority.
25. Key messages from the ANAO’s series of gifts, benefits and hospitality audits will be outlined in an Insights product available on the ANAO website.
Summary and recommendations
Background
1. The Australian Public Service (APS) is established by the Public Service Act 1999 (PS Act). It is one part of the wider Commonwealth public sector and consists of agency heads and APS employees engaged under the PS Act.1 The APS operates largely under principles-based frameworks, including that established by the PS Act, which impose high expectations regarding integrity.
2. Members of the APS are subject to integrity obligations specified in the PS Act, including the APS Values2 and APS Code of Conduct.3 At 5 April 2024 the PS Act specified five APS Values — committed to service, ethical, respectful, accountable and impartial.4 The APS Code of Conduct has 13 requirements relating to: behaving honestly and with integrity in connection with APS employment; acting with care and diligence; treating people with respect and courtesy; complying with all applicable Australian laws; complying with any lawful and reasonable direction; maintaining confidentiality; avoiding conflicts of interest and disclosing material personal interests; proper use of resources; not providing false or misleading information; not misusing power or authority; upholding the APS values; upholding the integrity and good reputation of the agency and the APS; and upholding the good reputation of Australia when overseas.
3. Under the PS Act, further integrity obligations apply to agency heads5 and members of the Senior Executive Service (SES)6, which comprise the senior cadre of the APS.
4. The Public Governance, Performance and Accountability Act 2013 (PGPA Act) establishes the overarching governance, performance and accountability framework for resource use and management within the Commonwealth public sector as a whole, including all members of the APS. It is a principles-based framework that imposes high expectations on the sector, including ‘high standards of governance, performance and accountability’.7
5. The PGPA Act contains ‘general duties of officials’ applying to both the accountable authority of the PGPA entity8 and entity officials. The general duties relate to: acting with care and diligence; acting honestly, in good faith and for a proper purpose; not misusing one’s position; the proper use of information; and disclosing interests.9 Taken together, the general duties establish an overarching framework for integrity, probity and ethical behaviour applying to the accountable authorities and officials of all PGPA Act entities, including all members of the APS.
6. There are also ‘general duties of accountable authorities’ applying to the accountable authority of a PGPA entity. These include the duty to govern the entity in a way that promotes the proper use and management of public resources for which the accountable authority is responsible.10
7. The office of Australian Public Service Commissioner (Commissioner) is established under the PS Act.11 The Commissioner’s functions are set out in section 41 of the PS Act and include the following functions considered in this audit.
- To uphold high standards of integrity and conduct in the APS.12
- To promote the APS Values, the APS Employment Principles and the Code of Conduct.13
- To evaluate the extent to which Agencies incorporate and uphold the APS Values and the APS Employment Principles.14
- To partner with Secretaries in the stewardship of the APS.15
- To provide advice and assistance to Agencies on public service matters.16
- To evaluate the adequacy of systems and procedures in Agencies for ensuring compliance with the Code of Conduct.17
8. The Commissioner and APS employees assisting the Commissioner together constitute a statutory agency under the PS Act, known as the Australian Public Service Commission (APSC).18 In 2022–23 the departmental expenses of the APSC were $80.8 million.19 At 30 June 2023, the APSC had 373 employees.20
9. Within the Commonwealth public sector, which includes the APS, there is both collective and individual responsibility for maintaining integrity, probity and ethical conduct — shared by framework policy owners, the heads of public sector organisations, and their personnel.
10. Framework policy owners establish the rules of operation in key areas and then largely rely on the accountable authorities of PGPA Act entities and the agency heads of APS agencies to be responsible for culture and compliance within public sector organisations. In that respect the frameworks are devolved and largely self-regulating. Under the principles-based approach, mandatory rules are largely set to control actions where risks are deemed highest. Key policy owners include the Department of Finance for the PGPA Act framework and the APSC for the PS Act integrity framework.21
11. The role of policy owners in maintaining a culture of integrity in the sector, including respect for the rule of law, has been a focus of recent reviews, initiatives and investigations relating to the APS and its performance. These have included the following.22
- The 2019 Independent review of the APS (Thodey review) and 2022 government APS reform agenda intended to build on the Thodey review.
- The 2023 Royal Commission into the Robodebt Scheme (Royal Commission), government response to the Royal Commission recommendations, and 16 Code of Conduct processes resulting from the Royal Commission.
- The 2023 APS Integrity Action Plan intended to address the 2022 government APS reform agenda and 2023 Royal Commission findings.
- The 2023 Code of Conduct inquiry and termination of a departmental secretary.
Rationale for undertaking the audit
12. The Australian Parliament has provided, in the PS Act, that all members of the APS are subject to the integrity, probity and ethical obligations specified in the Act. The Parliament has also provided that one of the three broad functions of the Commissioner under the Act is ‘to uphold high standards of integrity and conduct in the APS’.23 The function of upholding APS integrity standards occurs in a changing and often dynamic operating environment, which in recent years has featured the following.
- Reviews, initiatives and investigations, which have often focused on perceived shortcomings in upholding APS integrity, probity and ethics, including at the highest levels of APS leadership and the Secretaries Board.
- Australian Government statements that the Royal Commission Robodebt Scheme identified ‘serious failings within the Australian Public Service’.24 The APSC has stated that ‘Rebuilding trust in the APS is a priority’25 and that this process includes ‘reinforcing a culture with integrity at its core’.26
- Leadership change at the top of the APS, with 69 per cent turnover of departmental secretaries between July 2022 and December 2023.27
- Growth in APS employment. The APSC reported in March 2024 that at 31 December 2023 the APS headcount was 177,442, a 9.9 per cent increase since December 2022.28
- Establishment of the National Anti-Corruption Commission to: detect, investigate and report on serious or systemic corruption in the Commonwealth public sector; and educate the sector and the public about corruption risks and prevention.29
13. There is ongoing parliamentary interest in APS integrity, probity and ethics, including by the Joint Committee of Public Accounts and Audit (JCPAA), which in June 2023 adopted an inquiry into probity and ethics in the Australian public sector. This audit provides independent assurance and reporting to the Parliament on the APSC’s administration of statutory functions relating to upholding high standards of integrity and ethical conduct in the APS.
Audit objective, criteria and scope
14. The audit objective was to assess the effectiveness of the APSC’s administration of statutory functions relating to upholding high standards of integrity and ethical conduct in the APS.
15. To form a conclusion against the audit objective, the following high-level criteria were adopted.
- Has the APSC effectively promoted the APS Values and Code of Conduct?
- Has the APSC effectively monitored and evaluated agencies’ implementation of the APS Values and Code of Conduct?
- Has the APSC effectively contributed to stewardship of the APS?
16. The ANAO reviewed the APSC’s administration for the period July 2022 to December 2023.
Conclusion
17. The APSC was partly effective in its administration of statutory functions relating to upholding high standards of integrity and ethical conduct in the APS during the audit review period (July 2022 to December 2023). The APSC’s approach was largely activity-driven and it did not have relevant strategies, linked to measurable outcomes, to guide its efforts. As a consequence, the APSC could not demonstrate or provide assurance on whether its activities relating to integrity functions were well directed or fully effective. In the context of an operating environment focused on perceived shortcomings in APS integrity, the APSC was in the process of developing a more strategic approach.
18. The APSC was partly effective in promoting the APS Values and Code of Conduct and in providing advice and assistance to APS agencies on public service matters. The APSC did not have a strategy, linked to outcomes which can be measured, for promoting the APS Values and Code of Conduct and its approach to this function was largely activity-driven. While the APSC communicated integrity and ethical requirements and expectations through a variety of activities, including training and guidance, they were not guided by a risk-based strategy. APSC guidance was revised or new guidance issued, to manage identified risks and issues, without reference to a forward engagement strategy. The APSC had limited arrangements in place to provide assurance to the Commissioner and Parliament that it had effectively promoted the APS Values and Code of Conduct.
19. The APSC did not have a sound basis for monitoring and evaluating the extent to which agencies incorporate and uphold the APS Values, or the adequacy of systems and procedures in agencies to ensure compliance with the Code of Conduct. There was no mechanism to provide assurance or insight to the Commissioner or the Parliament on agencies’ implementation of the APS Values and Code of Conduct.
20. The APSC did not have a documented strategy or plan to support the Commissioner’s functions relating to stewardship and partnering with secretaries or agency heads. The APSC did not clearly articulate the stewardship concept appearing since 2013 in the PS Act and did not measure its effectiveness in administering the stewardship function. The APSC’s approach to the stewardship function was largely activity-driven, and it contributed to or led a range of APS improvement initiatives, including with the Secretaries Board.
Supporting findings
Promote, advise and assist
21. The APSC did not have a strategy, linked to outcomes which can be measured, for promoting the APS Values and Code of Conduct during the audit review period and its approach to this function was largely activity-driven. The APSC had two strategies with components relating to the promotion of integrity, ethics and the APS Values and Code of Conduct — an APS Workforce Strategy and APS Academy Engagement and Communication strategy. These two strategies, when read together, do not equate to a strategy for promoting the APS Values and Code of Conduct.
22. The APSC provided or administered guidance, support and training/event offerings intended to promote the APS Values and Code of Conduct. While the APSC communicated integrity and ethical requirements and expectations through these activities, they were not guided by a risk-based strategy.
23. The APSC had limited arrangements in place to provide assurance to the Commissioner and Parliament that it had effectively promoted the APS Values and Code of Conduct. Data collection and feedback received on APSC training and guidance did not link to a structured approach to assessing whether the APSC’s activities to ‘promote’ were achieving their intended purpose. There was no record of the APSC’s most senior internal committees — the Executive Board and Executive Committee — discussing issues relating to the APS Values during the audit review period. Issues relating to the APS Code of Conduct were discussed at 13 per cent of Executive Board meetings and five per cent of Executive Committee meetings. More generally, there were deficiencies in the APSC’s record keeping arrangements for its governance committees.
24. The enterprise-level risks documented in the APSC’s enterprise risk register did not directly relate to the APSC’s delivery of its statutory functions relating to the APS Values, Code of Conduct or integrity. This was in the context of an operating environment which featured ongoing scrutiny of perceived shortcomings in upholding APS integrity, including at the highest levels of APS leadership. (See paragraphs 2.4 to 2.96)
25. The ANAO reviewed six APSC mechanisms in operation during the audit review period to provide advice and assistance to APS agencies on public service matters: the Integrity Agencies Group (IAG); the Ethics Advisory Service (EAS); Ethics Contact Officer network (ECOnet); Cross-agency Code of Conduct Practitioners’ Forum (conduct forum); APS Agency Survey (agency survey); and consultation and advice on suspected breaches of the APS Code of Conduct.
26. The IAG offers opportunities for information-sharing amongst participants. The EAS received 684 enquiries during the audit review period. The APSC is not able to demonstrate what advice or assistance it provided on public service matters to the agencies represented at meetings of ECOnet or the conduct forum.
27. The APSC used the 2021 agency survey results to develop its Integrity Metrics Resource, which was released in 2022. If used by agencies, it provides a basis to focus their efforts to lift integrity measurement, monitoring and reporting.
28. During the audit review period, APSC guidance was revised or new guidance issued, to manage identified risks and issues, without reference to a forward engagement strategy. The APSC issued timely guidance and advice for APS agency heads in 2023, relating to the management of Code of Conduct reviews following the report of the Royal Commission Robodebt Scheme. (See paragraphs 2.97 to 2.147)
Evaluate
29. The APSC did not have fit-for-purpose arrangements to evaluate the extent to which agencies incorporate and uphold the APS Values, or a documented strategy linked to outcomes which could be measured.
30. The APSC collected information from several mechanisms and activities to inform its understanding of issues and developments in the APS and which may influence its thinking, actions and priorities. It has not leveraged the data and insights gained from its various activities to evaluate the extent to which agencies incorporate and uphold the APS Values. This does not provide the Commissioner or Parliament with broader insight or assurance on the extent to which agencies uphold the APS Values.
31. A capability review conducted in 2023 assessed the APSC as having a maturity rating of ‘developing’ in respect to ‘Review and evaluation’. The APSC advised the ANAO in November 2023 that it has begun work to systematise its use of data to observe patterns or areas of concern for agencies. (See paragraphs 3.43 to 3.44)
32. The APSC did not have fit-for-purpose arrangements to evaluate the adequacy of systems and procedures in agencies for ensuring compliance with the Code of Conduct, or a documented strategy linked to outcomes which could be measured.
33. There was no mechanism to provide assurance or insight to the Commissioner or Parliament on the adequacy of systems and procedures in agencies for ensuring compliance with the Code of Conduct. (See paragraphs 3.45 to 3.48)
Stewardship
34. The APSC did not have a documented strategy or plan to support the Commissioner’s functions relating to stewardship and partnering with secretaries or agency heads — including where the Commissioner is independently performing functions under the PS Act — or to measure its effectiveness in administering the Commissioner’s stewardship function.
35. The APSC’s approach to the stewardship function was largely activity-driven, and included: participation in sector-wide boards and committees with integrity-related roles or functions, such as the Secretaries Board; briefing and induction activity for new secretaries and other agency heads; engaging with APS agency heads on SES Code of Conduct matters; providing advice and guidance on integrity issues; and involvement in SES recruitment and talent management activities.
36. The APSC has undertaken planning relating to the addition of ‘stewardship’ as a sixth APS Value in the PS Act. The Public Service Amendment Bill 2023 received royal assent on 11 June 2024 and is now known as the Public Service Amendment Act 2024. (See paragraphs 4.3 to 4.34)
Recommendations
37. This report makes four recommendations to the Australian Public Service Commission.
Recommendation no. 1
Paragraph 2.30
The Australian Public Service Commission develop a strategy to document and guide its objectives, key activities, relationships with key stakeholders, and desired outcomes relating to the statutory function to ‘promote’ the APS Values and Code of Conduct set out in paragraph 41(2)(e) of the Public Service Act 1999.
Australian Public Service Commission response: Agreed.
Recommendation no. 2
Paragraph 2.80
The Australian Public Service Commission develop and implement an evaluation strategy for its integrity training to determine if its suite of integrity training is achieving the intended outcomes.
Australian Public Service Commission response: Agreed.
Recommendation no. 3
Paragraph 2.86
The Australian Public Service Commission should review record keeping arrangements for its governance committees.
Australian Public Service Commission response: Agreed.
Recommendation no. 4
Paragraph 3.40
The Australian Public Service Commission develop an evaluation strategy and review its current evaluation methodology to improve the level of assurance provided to the Commissioner and Parliament on whether agencies incorporate and uphold the APS Values, and the adequacy of agencies’ systems and procedures for ensuring compliance with the APS Code of Conduct.
Australian Public Service Commission response: Agreed.
Summary of entity response
38. The proposed final performance audit report was provided to the APSC. The summary response from the APSC is provided below and the full response is at Appendix 1. Improvements observed by the ANAO during the audit are at Appendix 2.
Australian Public Service Commission
The Commission welcomes the observations of the ANAO in this report, and agrees with the four recommendations and intent of the opportunities for improvement. These recommendations are timely given our ongoing program of work to strengthen the articulation of our purpose, key activities, priorities and performance measures. In addition, actions to address these recommendations will dovetail with work arising from our Capability Review to enhance strategies and tools for data and stakeholder engagement, as well as corporate systems for governance, risk, information management and assurance.
In our stewardship role, we will partner with the Attorney General’s Department to develop an enduring APS Integrity Strategy to articulate a clear narrative for integrity activities and reforms, and to clearly identify the role and actions all agencies and public servants are required to embrace to demonstrate excellence in integrity. In parallel, the Commission will bring together its broad suite of integrity initiatives into an overarching integrity strategy, supporting impact and outcome-focussed evaluation to strengthen assurance over the performance of our legislated functions.
Key messages from this audit for all Australian Government entities
39. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Records management
Summary and recommendations
Background
1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Commonwealth entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).
2. The Productivity Commission (the Commission) uses corporate credit cards for official purchases under $10,000, including for procurement, domestic taxi, and travel purposes. For 2021–22 and 2022–23, the Commission’s total credit card expenditure was approximately $1.5 million, comprising 6,884 transactions. Credit card expenditure represented 18 per cent of the Commission’s supplier expenses across the two years.3
Rationale for undertaking the audit
3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:
establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrongdoing.4
4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:
[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6
5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority for approving credit card transactions8 and ineffective controls to manage the use of credit cards.9 This audit was conducted to provide the Parliament with assurance that the Commission is effectively managing corporate credit cards in accordance with legislative and entity requirements.
6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:
- Productivity Commission (the Commission);
- Australian Research Council;
- Federal Court of Australia; and
- National Disability Insurance Agency.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the Commission’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.
8. To form a conclusion against the objective, the ANAO examined:
- whether the Commission has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
- whether the Commission has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.
Conclusion
9. The Commission’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective, as there were weaknesses in its implementation of preventive and detective controls and monitoring and reporting arrangements.
10. The Commission’s arrangements for managing the issue, return and use of corporate credit cards were partly effective. The Commission has considered risks associated with the use of corporate credit cards within its fraud control framework and identified relevant controls. Policies and procedures were largely fit for purpose, but eligibility criteria for issuing cards and information on providing supporting documentation for low value transactions (under $82.50) could be improved. The Commission did not have structured training and education arrangements in place to promote compliance with credit card policy and procedural requirements. The Commission’s credit card register was incomplete and inaccurate, and monitoring and reporting on credit card use was not regular and systematic. The Commission did not respond to Parliamentary questions on notice with accurate reporting on credit card use.
11. The Commission’s controls and processes for managing credit card issue, usage and return were partly effective in controlling the risk of credit card misuse. Preventive controls were not effective in preventing non-compliant taxi card transactions. There were weaknesses in detective controls relating to the provision of supporting documentation when reconciling taxi transactions. Positional authority risks could be better managed by clarifying delegation and approval requirements for senior executive cardholders. While the Commission has recovered funds from cardholders where instances of personal misuse have been identified, it has not documented its processes for escalating and managing identified non-compliance.
Supporting findings
Arrangements for managing corporate credit cards
12. The Commission had identified threats relating to credit card misuse and relevant controls in its fraud control plan. Assessment of these threats in the fraud risk register had not been informed by systematic controls testing. The Commission undertook an internal audit in 2022 that found significant gaps and weaknesses in its credit card controls and took action to address these findings. (See paragraphs 2.4 to 2.11)
13. The Commission’s policies and procedures for the issue, return and use of credit cards included coverage of core requirements within the Commission’s accountable authority instructions and other policies. Eligibility criteria for issuing credit cards and information on the need for supporting documentation for transactions under $82.50 could be improved. (See paragraphs 2.12 to 2.30)
14. While the Commission had published relevant policies and procedures on its intranet, it did not provide structured training and education to promote compliance with corporate credit card policy and procedural requirements. (See paragraphs 2.31 to 2.33)
15. The Commission’s cardholder register was incomplete and inaccurate and did not include sufficient details on the issue and return of cards. Reporting on the use of credit cards has occurred on an ad-hoc basis, with monitoring capability limited by the current financial management system in use. Detailed reporting on credit card non-compliance has not been provided to the Commission’s executive management, diminishing its understanding of fraud, risk and integrity implications arising from non-compliance. While the Commission reported on credit card issue and use when requested by Parliament, there were errors in its reporting. (See paragraphs 2.34 to 2.45)
Controls and processes for corporate credit cards
16. Preventive controls implemented by the Commission could be improved by strengthening visibility of cardholder spending and transaction limits. Preventive controls for hospitality and catering expenditure, purchases covered by whole-of-government arrangements, and to prevent non-compliant taxi card transactions were not operating effectively. Positional authority risks could be further managed through clarifying delegation and approval requirements for senior executive cardholders. (See paragraphs 3.4 to 3.30)
17. The Commission’s finance team reviews, acquits and verifies transactions manually each month. The Commission has not developed an approach to retaining and storing receipts for all taxi card transactions, which heightens the risk of errors, irregularities and fraud going undetected. (See paragraphs 3.31 to 3.41)
18. The Commission’s credit card control framework could be strengthened to ensure it identifies all potential instances of non-compliance. While the Commission has recovered funds from cardholders where instances of personal misuse have been identified, it has not documented its processes for escalating and managing identified non-compliance. (See paragraphs 3.43 to 3.50)
Recommendations
Recommendation no. 1
Paragraph 2.16
The Productivity Commission update its policies and procedures for issuing credit cards to provide further guidance on eligibility criteria and applicable spending limits.
Productivity Commission response: Agreed.
Recommendation no. 2
Paragraph 2.36
The Productivity Commission implement a process to ensure its register of corporate credit cards:
- is up-to-date, complete and accurate; and
- includes appropriate details on the issue and return of cards and card limits in place.
Productivity Commission response: Agreed.
Recommendation no. 3
Paragraph 2.42
The Productivity Commission implement a systematic approach to reporting on corporate credit card issue, return and use to executive management on a periodic basis.
Productivity Commission response: Agreed.
Recommendation no. 4
Paragraph 3.23
The Productivity Commission establish arrangements to ensure corporate credit cards are only used for the purposes defined within its policy requirements.
Productivity Commission response: Agreed.
Recommendation no. 5
Paragraph 3.37
The Productivity Commission improve reconciliation of corporate credit card transactions by ensuring appropriate documentation is provided to approvers and the finance team as part of monthly reconciliation processes.
Productivity Commission response: Agreed.
Recommendation no. 6
Paragraph 3.50
The Productivity Commission document its process for managing identified instances of credit card non-compliance.
Productivity Commission response: Agreed.
Summary of entity response
19. The proposed audit report was provided to the Productivity Commission. The Commission’s summary response is reproduced below. Its full response is included at Appendix 1. Improvements observed by the ANAO during the course of the audit are listed at Appendix 2.
The Commission is committed to improving the management of corporate credit cards, agrees with all six recommendations put forward by the ANAO, and appreciates the additional improvement opportunities. The Commission acknowledges the work undertaken by the ANAO to prepare the report and their constructive engagement with us during the audit.
Key messages from this audit for all Australian Government entities
20. This audit is part of a series of audits that applies a standard audit methodology to corporate credit card management in Commonwealth entities. The four entities included in the ANAO’s 2023–24 corporate credit card management series are the:
- Productivity Commission;
- Australian Research Council;
- Federal Court of Australia; and
- National Disability Insurance Agency.
21. Key messages from the ANAO’s series of credit card management audits will be outlined in an Insights product available on the ANAO website.
Summary and recommendations
Background
1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Commonwealth entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).
2. The Federal Court of Australia (FCA) uses corporate credit cards for official purchases under $10,000 and CabCharge cards for domestic taxi fares. For 2021–22 and 2022–23, the FCA’s total credit card expenditure was approximately $2.1 million, comprising 13,393 transactions. Credit card expenditure represented 16 per cent of the FCA’s supplier expenses across the two years.3
Rationale for undertaking the audit
3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:
establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrongdoing.4
4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:
[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6
5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority for approving credit card transactions8 and ineffective controls to manage the use of credit cards.9 This audit was conducted to provide the Parliament with assurance that the FCA is effectively managing corporate credit cards in accordance with legislative and entity requirements.
6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:
- Federal Court of Australia (FCA);
- Australian Research Council;
- National Disability Insurance Agency; and
- Productivity Commission.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the FCA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.
8. To form a conclusion against the objective, the ANAO examined:
- whether the FCA has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
- whether the FCA has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.
Conclusion
9. The FCA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective, as there were weaknesses in its implementation of preventive and detective controls.
10. The FCA’s arrangements for managing the issue, return and use of corporate credit cards were largely effective. The FCA had considered risks associated with the use of corporate credit cards within its overarching risk framework and identified relevant controls. Policies and procedures included core requirements but lacked detail on eligibility criteria for issuing cards and requirements for using CabCharge cards. No structured training and education arrangements were in place to promote compliance with policy and procedural requirements. While arrangements had been established for monitoring and reporting on credit card issue, return and use, detailed reporting was not provided to the FCA’s executive management on credit card non-compliance. The FCA did not respond to Parliamentary questions on notice with accurate reporting on credit card use.
11. The FCA’s implementation of controls and processes for corporate credit cards in accordance with its policies and procedures was partly effective. There were weaknesses in its preventive controls relating to assessing and recording business needs for issuing credit cards and documenting pre-approval and rationales for purchases. The implementation of detective controls was partly effective, with no managerial review process for CabCharge card transactions and no use of data analytics across credit card transactions to detect potential instances of purchase splitting. These deficiencies heighten the risk that instances of credit card non-compliance could go undetected. Where misuse was detected, the FCA used established escalation processes and mechanisms to deal with non-compliant transactions.
Supporting findings
Arrangements for managing corporate credit cards
12. The FCA had considered risks associated with the use of corporate credit cards within its overarching risk framework and identified relevant controls. Its enterprise-level fraud risk register identified misuse or unauthorised use of corporate credit cards as a low risk. The register was last updated in June 2021 and the FCA had not recently tested the effectiveness of its credit card controls. Risk monitoring and reporting arrangements were undergoing change and yet to be formalised. (See paragraphs 2.4 to 2.21)
13. The FCA’s policies and procedures for the issue, return and use of corporate credit cards included core requirements, which were covered within the FCA’s accountable authority instructions and other policies. Eligibility requirements for issuing credit cards could be improved by defining business need criteria for card issuance in policies and procedures. More guidance could be provided on using and acquitting CabCharge cards. (See paragraphs 2.22 to 2.44)
14. While the FCA had published relevant policies and procedures on its intranet, it did not provide structured training and education to promote compliance with corporate credit card policy and procedural requirements. Support was provided by the FCA’s finance team for cardholders and managers upon card issuance and when requested. (See paragraphs 2.45 to 2.48)
15. The FCA had arrangements in place for monitoring and reporting on the issue, return and use of corporate credit cards. Credit card usage was monitored by the FCA’s finance team. Detailed reporting on credit card non-compliance was not provided to the FCA’s executive management, diminishing its understanding of fraud, risk and integrity implications arising from non-compliance. While FCA reported on credit card usage and expenditure when requested by Parliament, there were errors in its reporting. (See paragraphs 2.49 to 2.58)
Controls and processes for corporate credit cards
16. The FCA’s implementation of preventive controls did not include a systematic approach to assessing and recording that staff have valid business needs prior to issuing credit cards. There were control weaknesses in documenting pre-approvals and rationales for entertainment purchases and purchases covered by whole-of-government arrangements. There were also control weaknesses in documenting pre-approvals for CabCharge card transactions that fell outside approved domestic travel budgets. The card returns process placed a reliance on the relevant manager both identifying that the employee had a card to return and ensuring the card was either returned to the finance team or destroyed. (See paragraphs 3.4 to 3.35)
17. The FCA has implemented detective controls to acquit, verify and review transactions. The monthly acquittal process for corporate credit card transactions could be improved by ensuring CabCharge card transactions are acquitted by cardholders and signed off by responsible managers. The FCA could make greater use of data analytics to identify potential non-compliance, such as purchases that have been split to avoid transaction limits. (See paragraphs 3.37 to 3.58)
18. Deficiencies in the FCA’s credit card control framework heighten the risk that instances of credit card non-compliance could go undetected. The FCA detected four instances of non-compliance in 2022–23 that triggered the escalation protocols in its credit card policy. This has led to the recovery of funds from cardholders and merchants where accidental misuse and fraudulent transactions were identified. (See paragraphs 3.60 to 3.63)
Recommendations
Recommendation no. 1
Paragraph 2.26
The Federal Court of Australia update its policies and procedures for issuing credit cards and CabCharge cards to provide guidance on eligibility criteria and accurately reflect current processes.
Federal Court of Australia response: Agreed.
Recommendation no. 2
Paragraph 2.38
The Federal Court of Australia update its policies and procedures for credit card use to provide additional guidance on receipt and approval requirements for CabCharge cards.
Federal Court of Australia response: Agreed.
Recommendation no. 3
Paragraph 3.19
The Federal Court of Australia establish a process to confirm evidence of pre-approval by the designated official and the rationale for spending are documented when acquitting credit card transactions for official hospitality and entertainment purchases and instances where whole-of-government arrangements are not being utilised.
Federal Court of Australia response: Agreed.
Recommendation no. 4
Paragraph 3.28
The Federal Court of Australia establish a process to ensure evidence of pre-approval and receipts are recorded for all CabCharge card transactions.
Federal Court of Australia response: Agreed.
Recommendation no. 5
Paragraph 3.45
The Federal Court of Australia establish a process to ensure CabCharge card transactions are acquitted by cardholders and approved by their responsible managers on a monthly basis.
Federal Court of Australia response: Agreed.
Recommendation no. 6
Paragraph 3.57
The Federal Court of Australia formalise and document its process for conducting periodic analysis of credit card transactions targeting key areas of risk, including purchase splitting, and update its policies and procedures to prohibit purchase splitting.
Federal Court of Australia response: Agreed.
Summary of entity response
19. The proposed audit report was provided to the FCA. The FCA’s summary response is reproduced below. Its full response is included at Appendix 1. Improvements observed by the ANAO during the course of the audit are listed at Appendix 2.
The Federal Court of Australia (the Court) acknowledges and agrees the recommendations of the Australian National Audit Office and accepts the identified areas where the Court has opportunity to improve.
The Court will continue to focus on strengthening the current processes and guidance that are necessary to reduce risks associated with the potential inappropriate use of credit cards.
Key messages from this audit for all Australian Government entities
20. This audit is part of a series of audits that apply a standard methodology to corporate credit card management in Commonwealth entities. The four entities included in the ANAO’s 2023–24 corporate credit card management series are the:
- Federal Court of Australia;
- Australian Research Council;
- National Disability Insurance Agency; and
- Productivity Commission.
21. Key messages from the ANAO’s series of credit card management audits will be outlined in an Insights product available on the ANAO website.
Summary and recommendations
Background
1. Evaluation is a structured assessment of the value of government programs or activities, aimed at supporting improvement, accountability, and decision-making throughout the policy cycle. Pilot programs are small-scale tests or trials of programs with the aim of informing future decision-making.
2. The Public Governance, Performance and Accountability Act 2013 (the PGPA Act) requires the accountable authority of a Commonwealth entity to measure and assess the performance of the entity in achieving its purposes1, and that a minister must not approve expenditure unless satisfied that the expenditure would be an efficient, effective, economical and ethical use of public money.2
3. In 2019, the Australian Government released the Independent Review of the Australian Public Service3, which recommended that the APS embed a culture of evaluation and learning from experience to underpin evidence-based policy and delivery (Recommendation 26). The Australian Government agreed in part to this recommendation.4 The Minister for Finance endorsed a Commonwealth Evaluation Policy5 and Resource Management Guide 130 Commonwealth Evaluation Toolkit6 (the Toolkit) on 1 December 2021. The Toolkit provides a principles-based approach for the conduct of evaluations. It applies to all Commonwealth entities and companies subject to the PGPA Act.
Rationale for undertaking the audit
4. Pilot programs are trial programs of limited size that are used to decide whether a proposed policy should be adopted, and what adjustments should be made before adoption. Monitoring and evaluation are critical components of a pilot to support an assessment of the program or activity’s impact and efficiency.
5. The audit involved the examination of five Australian Government pilot programs across the Department of Health and Aged Care (Health), the Department of Home Affairs (Home Affairs), and the Department of Veterans’ Affairs (DVA). The pilots ranged in length from two to three years. The audit provides assurance to the Parliament over the appropriateness of frameworks for evaluation, and the adequacy of evaluation of pilot programs.
Audit objective and criteria
6. The objective of the audit was to assess the effectiveness of the evaluation of selected Australian Government pilot programs.
7. To form a conclusion against this objective, the following high-level criteria were adopted:
- Do the selected entities have governance arrangements in place to support effective program evaluation?
- Was the evaluation approach for the selected pilot programs robust?
- Was pilot program reporting and advice to government appropriate?
Conclusion
8. The evaluation of the selected Australian Government pilot programs was mixed. Health’s evaluation of the Take Home Naloxone pilot was largely effective, and the evaluation of the Kava pilot was partly effective. DVA’s evaluation of the Wellbeing and Support Program pilot was largely effective, and the evaluation of the Non-Liability Rehabilitation pilot was partly effective. Home Affairs’ evaluation of the Skilled Refugee Labour Agreement pilot was partly effective.
9. Health and DVA have largely effective governance arrangements to support the evaluation of pilot programs. Home Affairs has partly effective arrangements. Health and DVA have strengthened their governance arrangements through the updating or development of entity-specific frameworks, guidance, and training on what, when and how to conduct an evaluation. Home Affairs does not have entity-specific evaluation guidance. Evaluation culture is maturing within Health and DVA, and is immature at Home Affairs. Pilot programs are only referenced in DVA’s entity-specific guidance.
10. The evaluation planning and approach for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot were largely robust, including appropriate stakeholder engagement and relevant ethics approvals. Planning for the evaluation of Health’s Kava pilot did not identify the risk that ethics approval may not be granted for one of the planned qualitative analysis methods, and there was a lack of baseline evidence to support the planned evaluation methodology. The effectiveness of planning for the evaluation of DVA’s Non-Liability Rehabilitation pilot was reduced as the analytical methodologies were not documented, and no external stakeholders were consulted. Home Affairs did not complete its planning for, or undertake, a robust evaluation for the Skilled Refugee Labour Agreement pilot. All evaluation plans and approaches could have been enhanced by a greater focus on the availability of data and an assessment of the proper use of public money.
11. Health’s evaluation reporting and advice to the Australian Government for the Take Home Naloxone pilot was largely effective, with the recommendations made to expand the naloxone pilot largely informed by the lessons learnt from the evaluation. Health’s evaluation reporting and advice to the Australian Government for the Kava pilot was partly effective as neither the evaluation report nor recommendations on the continuation of the pilot have been provided to the Australian Government. The evaluation report for DVA’s Wellbeing and Support Program pilot was largely effective. There was no evidence of DVA advising the Australian Government on the evaluation findings and impact on future program design. The evaluation for the Non-Liability Rehabilitation pilot has not yet commenced, and reporting and advice to the Australian Government on the mid-pilot review was partly effective. Home Affairs’ evaluation reporting and advice to the Australian Government for the Skilled Refugee Labour Agreement pilot was partly effective, with outputs rather than pilot outcomes analysed and reported to the minister.
Supporting findings
Governance arrangements
12. The Commonwealth Evaluation Toolkit provides appropriate high-level guidance to support entities in determining what programs or policies should be evaluated and when. It provides limited guidance on conducting an economic evaluation, including any assessment of cost effectiveness of implementation, and does not include a requirement for all pilots to be evaluated.
- With the exception of DVA’s Non-Liability Rehabilitation pilot, at the time the other examined pilots commenced, only Health had established internal evaluation guidance.
- In November 2023, Health published a revised evaluation strategy which specifies roles and responsibilities and includes a tiered system for identifying evaluation priorities across the department.
- Since the commencement of the Wellbeing and Support Program pilot, DVA developed a framework which supports when and what to evaluate based on program characteristics, timing and capability. In August 2023, DVA introduced a framework for the planning, monitoring and evaluation of its health and wellbeing programs, which includes roles and responsibilities.
- Home Affairs does not have an entity-specific approach to determining when and what to evaluate.
- Each entity has an internal evaluation team to provide guidance and support on evaluation practice.
13. Health and DVA have policies and guidance materials for how to conduct program evaluations. Only Health has guidance on when economic evaluation should be undertaken and the guidance is limited. Training on evaluation practices is provided at Health and DVA. Attendance is not consistently monitored. Home Affairs has no entity-specific guidance on conducting evaluations, and no training programs available to staff. (See paragraphs 2.59 to 2.69)
Evaluation approach
14. Planning for evaluation, including stakeholder engagement, was completed for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot. Planning for stakeholder engagement for evaluation of Health’s Kava pilot did not account for the risk that ethics approval may not be granted and the resulting impact on the planned analysis and evaluation methodology. The effectiveness of planning for the evaluation of DVA’s Non-Liability Rehabilitation pilot was reduced as the methodologies to be used were not documented, and no external stakeholders were consulted. Home Affairs did not complete its planning for the evaluation for the Skilled Refugee Labour Agreement pilot. While data sources were identified within the evaluation plans that were developed, one or more planned data sources within each pilot were not available for the evaluation, and this risk had not been identified. (See paragraphs 3.6 to 3.52)
15. The evaluation methodologies used for three out of the five pilots examined were largely consistent with the Toolkit. For the evaluations conducted, all could have been strengthened with a greater focus on baseline data, control group outcomes, and an assessment of the proper use of public money. Ethics approvals were obtained for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot. The ethics approval sought for Health’s Kava pilot was not granted and no alternative strategy was developed to obtain information that was critical to the evaluation. DVA’s Non-Liability Rehabilitation pilot evaluation plan did not include a consideration of ethics approval and the post-implementation review has not yet been undertaken. As Home Affairs did not conduct an evaluation of its pilot, there was no methodology applied, or consideration of the need for ethics approval. (See paragraphs 3.53 to 3.80)
Reporting and advice to the Australian Government
16. The analysis of pilot evaluation outcomes for Health’s pilots and DVA’s Wellbeing and Support Program pilot was largely fit for purpose, with the evaluation reports documenting the application of statistical methods to provide defensible findings and make recommendations on the basis of the analysis completed. The evaluation of DVA’s Non-Liability Rehabilitation pilot has not yet commenced. Home Affairs’ reporting of outputs of the Skilled Refugee Labour Agreement pilot did not contain fit-for-purpose analysis and does not satisfy the requirements of evaluation reporting in the Commonwealth Evaluation Toolkit. (See paragraphs 4.5 to 4.33)
17. Advice provided by Health to the Australian Government in relation to the Take Home Naloxone pilot was appropriate, including the lessons learnt from the pilot. The recommendation to expand the pilot into different environments was partly informed by evaluation. Health has not provided advice to the Australian Government on the findings of the evaluation or lessons learnt in relation to the Kava pilot. DVA did not advise the Minister for Veterans’ Affairs on the evaluation findings or lessons learnt for future program delivery for the Wellbeing and Support Program pilot. Home Affairs’ advice to the Australian Government for the continuation of the Skilled Refugee Labour Agreement pilot was not informed by an evaluation. (See paragraphs 4.34 to 4.52)
Recommendations
Recommendation no. 1
Paragraph 2.16
The Department of the Treasury update the Commonwealth Evaluation Policy and Toolkit to include:
- a definition of a ‘pilot’;
- guidance on how to conduct an economic evaluation and other methods for considering whether spending represents an appropriate use of public money;
- a recommendation that evaluations of pilot programs be undertaken;
- a recommendation for evaluation planning to be conducted alongside pilot design; and
- guidance on governance arrangements for cross-entity evaluations to minimise duplication and maximise coordination and learnings across entities.
Department of the Treasury’s response: Agreed.
Recommendation no. 2
Paragraph 2.32
The Departments of Health and Aged Care and Veterans’ Affairs include in their entity-specific evaluation policies:
- decision-making criteria for the appropriate style of evaluation to be completed by reference to the activity’s risk, objective and outcomes;
- guidance on how to demonstrate whether a program represented a proper use of public money, including the cost-effectiveness of its implementation, and how to undertake an economic evaluation where appropriate; and
- guidance related to evaluation of pilot programs.
Department of Health and Aged Care’s response: Agreed.
Department of Veterans’ Affairs’ response: Agreed.
Recommendation no. 3
Paragraph 2.35
The Department of Home Affairs develop entity-specific policies for evaluation, including:
- decision-making criteria as to when an evaluation is required and the appropriate style of evaluation by reference to the activity’s risk, objective and outcomes;
- guidance on how to demonstrate whether a program represented a proper use of public money, including the cost-effectiveness of its implementation, and how to undertake an economic evaluation where appropriate; and
- guidance related to evaluation of pilot programs.
Department of Home Affairs’ response: Agreed.
Recommendation no. 4
Paragraph 2.55
The Departments of Health and Aged Care, Veterans’ Affairs and Home Affairs develop and implement explicit guidance to support early engagement with central evaluation teams to improve evaluation strategy and planning.
Department of Health and Aged Care’s response: Agreed.
Department of Veterans’ Affairs’ response: Agreed.
Department of Home Affairs’ response: Agreed.
Recommendation no. 5
Paragraph 3.25
The Departments of Health and Aged Care, Veterans’ Affairs and Home Affairs ensure evaluation plans are prepared for policies or programs subject to evaluation requirements and that they be approved prior to the implementation of the policy or program. Consistent with the Commonwealth Evaluation Toolkit, evaluation plans should incorporate a proportionate and risk-based level of information, including:
- methods for measuring or capturing baseline evidence, and attributing changes to the pilot, policy or program; and
- a method of economic evaluation or other means of assessing the proper use of public money.
Department of Health and Aged Care’s response: Agreed.
Department of Veterans’ Affairs’ response: Agreed.
Department of Home Affairs’ response: Agreed.
Recommendation no. 6
Paragraph 4.50
The Departments of Veterans’ Affairs’ and Home Affairs’ advice to government on the cessation, continuation or scaling up of a pilot draws on evidence and learnings from the evaluation, including limitations on the robustness of the evaluation undertaken.
Department of Veterans’ Affairs’ response: Agreed.
Department of Home Affairs’ response: Agreed.
Summary of entity responses
18. The proposed audit report was provided to Health, DVA, Home Affairs and the Department of the Treasury. Letters of response provided by each entity are included at Appendix 1. The summary responses provided are included below. The improvements observed by the ANAO during the course of this audit are at Appendix 2.
Department of Health and Aged Care
The Department of Health and Aged Care welcome the findings in the report and accept the recommendation directed to the department. The department is committed to implementing the recommendations effectively and has already taken steps to address issues identified in this audit.
The ANAO found the department has largely effective governance arrangements to support evaluation. The audit also found the department’s evaluation culture is maturing, including:
- updating our guidance and training on what, when and how to conduct an evaluation.
- establishing the role of Chief Evaluation Officer to provide strategic oversight of evaluation activities and to engage with other Senior Executive to champion evaluation as part of policy design and program management.
The department notes the finding on the need to develop better guidance on conducting economic evaluations or other means of assessing the proper use of public money.
Since the audit was conducted, the department has launched its Strategic Investment Framework, which makes sure our policy and program officers embed evaluation and evidence within all programs. The Framework will ensure investments are supported by robust, evidence-based program evaluation and target funding to high-value programs aligned with priority areas.
The department notes that the audit on the Kava Pilot Program was undertaken while the pilot period was still under way, and certain aspects of the pilot, including recommendations to Government on the future of the Program, are yet to be finalised.
The department is building its in-house evaluation capability through a range of initiatives including:
- implementing the new Evaluation Strategy 2023-26
- developing a suite of departmental-specific tools and resources to support high-quality evaluation.
- partnering with Australian Centre for Evaluation in Treasury and leveraging opportunities to showcase in-house impact evaluation capability.
Department of Veterans’ Affairs
The Department of Veterans’ Affairs (DVA) welcome the ANAO recommendations. The ANAO report acknowledges that DVA has established policies and processes that largely support compliance with the Commonwealth Evaluation Policy (the Policy).
The Department acknowledge and agree with the ANAO’s recommendations. Work is planned for 2024 to review and update the relevant policies and protocols to enhance maturity with the Commonwealth Evaluation Policy requirements, and work has already commenced to implement these enhancements.
Department of Home Affairs
The department agree with the recommendations, and as part of its ongoing efforts to strengthen evaluation, acknowledge the benefits of a more robust evaluation culture to inform Government decision-making.
The department continues to leverage Commonwealth resources and materials to assist in guiding staff on how an evaluation should be carried out. To supplement the Commonwealth Evaluation Toolkit, the department is developing additional resources to assist staff in determining when, and to what extent, an evaluation should be conducted.
The department is monitoring the outcomes of the Skilled Refugee Labour Agreement to build a sufficient evidence base to assess the viability and future scalability of the program. The department’s advice to Government on the future of the Skilled Refugee Labour Agreement Pilot will be informed by an evaluation consistent with the Commonwealth Evaluation Policy.
Department of the Treasury
Treasury welcomes the report and agrees with the recommendation to update guidance in the Commonwealth Evaluation Toolkit (the Toolkit). Specifically, Treasury will update the Toolkit to include a definition of a ‘pilot’, and provide guidance on: economic evaluation, evaluation of pilots, and governance arrangements for cross-entity evaluations.
Treasury’s guidance on whether spending represents an appropriate use of public money will focus on (and be limited to) guidance on economic evaluation methods, and other fit-for-purpose evaluation approaches. The broader importance of appropriately using public money is well addressed through the suite of guidance administered by the Department of Finance to support resource management and therefore will not be duplicated through Treasury materials.
Treasury will recommend, but not mandate, that all pilots are subject to evaluation consistent with the principles-based Commonwealth Evaluation Policy, which recommends that responsible managers need to determine robust, proportional evaluation approaches for specific pilots or programs.
The Department of the Treasury is committed to continuous improvement of the Evaluation Toolkit. Planned enhancements will include more practical guidance on analytical methods, including economic evaluation, and effective governance arrangements that can help to improve the way Commonwealth entities assess implementation, measure the impact of government programs, and frame policy decisions.
Key messages from this audit for all Australian Government entities
19. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Performance and impact measurement
Summary and recommendations
Background
1. New and emerging technologies play an important role in delivering digital services for Australian Government entities. As the development, integration and use of technology increases, so does the number of possible entry or weak points that malicious cyber actors can exploit. This is commonly referred to as the ‘attack surface’.[1] It is important that Australian Government entities continue to uplift their cyber security maturity and implement arrangements to manage cyber security incidents[2] effectively. The ability to maintain business continuity following a cyber security incident is critical to ensuring the continued provision of government services.
2. Australian Government entities are attractive, high-value targets for a range of malicious cybercriminals because they hold the personal and financial information of Australians.[3] In 2022–23, approximately 31 per cent of cyber security incidents reported to the Australian Signals Directorate (ASD) were from non-corporate Commonwealth entities. Over 40 per cent of these cyber security incidents were coordinated, low-level malicious cyberattacks directed specifically at the Australian Government, government shared services, or regulated critical infrastructure.[4] Ransomware was the most destructive cybercrime threat in 2022–23[5] and continues to pose considerable risk to Australian Government entities, businesses and individuals.
Rationale for undertaking the audit
3. On 22 November 2023, the Australian Government released the 2023–30 Australian Cyber Security Strategy which outlines a forecast approach towards uplifting Australia’s cyber resilience as well as ‘[building] … national cyber readiness [and] proactively identifying and closing gaps in … cyber defences and incident response plans’.
4. Australian Government entities are expected to be ‘cyber exemplars’, as they receive, process and store some of Australia’s most sensitive data to support the delivery of essential public services.[6] Whilst there were reported improvements from 2022, ASD’s 2023 Cyber Security Posture Report highlighted that the overall maturity level across entities remained low in 2023.[7]
5. Previous audits conducted by the ANAO identified low levels of cyber resilience in entities. Low levels of cyber resilience continue to make entities susceptible to cyberattack and reduce business continuity and recovery prospects following a cyber security incident. An entity’s preparedness to respond to and recover from a cyberattack is a key part of cyber resilience. This audit was conducted to provide assurance to Parliament about the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents.
Audit objective, criteria and scope
6. The objective of this audit was to assess the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents in accordance with the Protective Security Policy Framework (PSPF) and relevant ASD Cyber Security Guidelines.
7. To form a conclusion against the audit objective, the following high-level criteria were adopted:
- Do the Australian Transaction Reports and Analysis Centre (AUSTRAC) and Services Australia have appropriately designed and implemented cyber security incident management procedures?
- Have AUSTRAC and Services Australia effectively implemented cyber security incident management processes for investigating, monitoring and responding to cyber security incidents?
- Have AUSTRAC and Services Australia effectively implemented recovery processes that mitigate disruptions during and after cyber security incidents?
Engagement with the Australian Signals Directorate
8. Independent timely reporting on the implementation of the cyber security policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. Previous ANAO reports on cyber security have drawn to the attention of Parliament and relevant entities the need for change in entity implementation of mandatory cyber security requirements, at both the individual entity and framework levels.
9. In preparing audit reports to the Parliament on cyber security in Australian Government entities, the interests of accountability and transparency must be balanced with the need to manage cyber security risks. ASD has advised the ANAO that adversaries use publicly available information about cyber vulnerabilities to more effectively target their malicious activities.
10. The extent to which this report details the cyber security vulnerabilities of individual entities was a matter of careful consideration during the course of this audit. To assist in appropriately balancing the interests of accountability and potential risk exposure through transparent audit reporting, the ANAO engaged with ASD to better understand the evolving nature and extent of risk exposure that may arise through the disclosure of technical information in the audit report. This report therefore focusses on matters material to the audit findings against the objective and criteria and contains less detailed technical information than previous audits. Detailed technical information flowing from the audit was provided to the relevant accountable authorities during the audit process to assist them to gain their own assurance that their remediation plans are focussed on improving cyber resilience as required and support reliable reporting through the existing cyber security policy framework.
Conclusion
11. The implementation of arrangements by AUSTRAC and Services Australia to manage cyber security incidents has been partly effective. Neither entity is well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident.
AUSTRAC
12. AUSTRAC has partly effective cyber security incident management procedures for investigating, monitoring and responding to cyber security incidents. It has established management structures and a framework of procedures to support these processes. It has not detailed the responsibilities for its Chief Information Security Officer (CISO), its approach to continuous monitoring and improvement reporting, or defined timeframes for reporting to stakeholders.
13. AUSTRAC has partly implemented effective response processes that mitigate disruptions during and after cyber security incidents. It has established a Security Information and Event Management (SIEM) solution and processes for reporting cyber security incidents. The coverage of log events is not in accordance with ASD’s Cyber Security Guidelines. AUSTRAC does not have an event logging policy and does not document its analysis of all cyber security events.
14. AUSTRAC has procedures to support its cyber security incident recovery processes. These procedures do not include the security and testing of backup solutions, nor detail the systems, applications and servers supporting critical business processes. AUSTRAC performs recovery of backups as part of business area requests. It does not perform testing of restoration of backups for disaster recovery purposes.
Services Australia
15. Services Australia is partly effective in its design of cyber security incident management procedures. It has established a framework of procedures and an incident response plan. It has not documented an approach to threat and vulnerability assessments. Services Australia does not have a policy covering the management of cyber security incidents.
16. Services Australia has partly effective cyber security incident response procedures for investigating and responding to cyber security incidents. It has procedures for managing data spills, malicious code infections and external instructions. It has implemented a Security Information and Event Management (SIEM) solution and a systematic approach to monitoring and prioritisation of alerts. Services Australia has not established a timeframe for triage and escalation activities nor a process for analysing archived SIEM data. Services Australia has not defined an approach for cyber security investigations.
17. Services Australia has partly implemented effective recovery processes that mitigate disruptions during and after cyber security incidents. It has developed business continuity and disaster recovery plans and implemented regular backups. Its plans do not include all systems and applications supporting critical business processes and it does not test the recoverability of backups.
Supporting findings
AUSTRAC
18. AUSTRAC has established management structures and responsibilities for managing cyber security incidents. However, it has not documented the assigned responsibilities for its CISO although the CISO is empowered to make decisions. AUSTRAC has documented a framework of procedures for cyber security risk and incident management. However, it does not detail a process for reviewing, updating and testing its cyber security incident management procedures, nor has it implemented a security maturity monitoring plan that details an approach that defines a continuous improvement cycle as well as reporting to management. AUSTRAC has developed reporting processes for significant or reportable cyber security incidents. AUSTRAC does not document cyber security incident meetings, nor has it defined timeframes for reporting to relevant stakeholders. (See paragraphs 2.6 to 2.32)
19. AUSTRAC has reporting processes for reporting significant or reportable cyber security incidents to internal and external stakeholders. These processes do not include the engagement of relevant expertise in other business areas, such as legal advisors, and do not ensure the integrity of evidence supporting cyber security investigations. AUSTRAC has documented cyber security incident monitoring and response procedures. It has not developed an event log policy for handling and containing malicious code infections or intrusions, or containment actions in the event of a data spill. AUSTRAC has implemented a Security Information and Event Management (SIEM) solution. Its coverage of event logs is not in accordance with ASD’s Cyber Security Guidelines. It undertakes an analysis of event logs and escalates significant or reportable cyber security incidents to management and relevant external stakeholders. It does not record or document its analysis of non-significant cyber security events, nor has it defined timeframes for triage and escalation activities. AUSTRAC is able to analyse data within its SIEM solution, but it does not have a process for retrieving and analysing production and archived SIEM data. (See paragraphs 2.33 to 2.65)
20. AUSTRAC has documented procedures to support its cyber security incident recovery processes. These procedures do not include the security and testing of backup solutions, nor detail the systems, applications and servers supporting critical business processes. AUSTRAC has not tested the recoverability of its systems and applications supporting critical business processes. It has not included all relevant systems, including the tools used for managing backups, within disaster recovery testing schedules and security policies. AUSTRAC is not well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident. AUSTRAC has primary and secondary data centres to support its approach to regular backups. AUSTRAC performs recovery of backups as part of business area requests. It does not perform testing of restoration of backups for disaster recovery purposes. It does not have a process for extracting and analysing production and archive backup data. AUSTRAC’s incident reports include post-incident learning and post-remediation analysis. These reports are not used to review or update existing cyber security recovery procedures, with potential improvements highlighted in these reports not being considered for incorporation into existing cyber security documentation. (See paragraphs 2.66 to 2.93)
Services Australia
21. Services Australia has established management structures and responsibilities for its management of cyber security incidents. It has not documented an approach to threat and vulnerability assessments, nor does it have a policy covering the management of cyber security incidents. It does have a security maturity monitoring plan, although this does not detail an approach that defines a continuous improvement cycle as well as reporting to management. Services Australia has developed a cyber security incident response plan and a trusted insider program. However, its trusted insider program has not considered input from other business areas, such as its legal function. Services Australia’s critical asset and data registers do not have complete information on critical systems and data assets. Services Australia has documented a framework of procedures for cyber security risk and incident management. However, it does not detail a process for reviewing, updating and testing its cyber security incident management procedures. Services Australia has reporting processes that provide regular reporting of cyber security incidents, including significant or reportable cyber security incidents, to internal and external stakeholders. It has not defined the timeframes for reporting to relevant stakeholders and the consideration of engaging other relevant expertise, such as legal advisors, during reporting processes. (See paragraphs 3.6 to 3.44)
22. Services Australia has documented its approach for managing data spills, malicious code infections and intrusions. It has not established processes for reviewing, updating and testing these cyber security incident response procedures. Services Australia has implemented a Security Information and Event Management (SIEM) solution and developed a systematic approach to the monitoring and prioritisation of security alerts. Services Australia has an Event Logging and Monitoring Policy. It has not established processes for extracting, retrieving and analysing archived SIEM data, nor has it defined the timeframe requirements for triage and escalation activities. Services Australia has not defined an approach for cyber security investigations. (See paragraphs 3.45 to 3.73)
23. Services Australia has not defined an approach to digital preservation related to cyber security incidents and regular backups, nor does it have business continuity or disaster recovery plans that address all systems, including the systems which support the critical recovery processes. It is not well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident. Services Australia has processes for performing regular backups. These processes do not include all platforms and Services Australia does not test the restoration of data, applications and settings from backups as part of disaster recovery exercises. Services Australia has not appropriately documented an embedded post-incident learning approach following a cyber security incident. Services Australia has not established a process that leverages post-incident learnings to review and improve the effective implementation of arrangements to manage cyber security incidents. (See paragraphs 3.74 to 3.103)
Recommendations
Recommendation no. 1
Paragraph 2.24
Australian Transaction Reports and Analysis Centre develops and implements:
- policies that define the responsibilities of the Chief Information Security Officer in accordance with the Protective Security Policy Framework requirements; and
- a security maturity monitoring plan that defines a continuous improvement cycle as well as reporting to management, including documenting the determination of reporting frequency and escalation.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 2
Paragraph 2.31
Australian Transaction Reports and Analysis Centre develops and implements:
- processes for ensuring cyber security incident meetings are documented;
- timeframes for reporting to relevant external stakeholders; and
- processes that ensure regular risk reporting to its portfolio minister and the Department of Home Affairs.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 3
Paragraph 2.41
Australian Transaction Reports and Analysis Centre develops and implements:
- procedures that define assigned security roles and responsibilities for coordinating responses, including engagement of relevant expertise; and
- processes for managing and maintaining evidence during and after cyber security investigations.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 4
Paragraph 2.47
Australian Transaction Reports and Analysis Centre develops and implements:
- an approach for containment actions that restrict access to data, systems and networks in the event of a data spill; and
- an event log policy for handling and containing malicious code infections or intrusions.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 5
Paragraph 2.57
Australian Transaction Reports and Analysis Centre implements a strategy for Security Information and Event Management (SIEM) solution coverage that is in accordance with Australian Signals Directorate’s Guidelines for System Monitoring and performs a risk assessment to support any deviations from the guideline’s recommendations.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 6
Paragraph 2.63
Australian Transaction Reports and Analysis Centre establishes:
- a process for retrieving and analysing production Security Information and Event Management (SIEM) solution data held within its SIEM solution and archived SIEM data;
- record keeping requirements for triage and escalation activities over non-significant cyber security events to ensure completeness of activities; and
- timeframe requirements for triage and escalation activities.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 7
Paragraph 2.78
Australian Transaction Reports and Analysis Centre develops and implements:
- disaster recovery testing schedules that include backup solutions;
- business continuity planning processes that incorporate the systems, applications and servers which support critical business processes; and
- processes that test the recoverability of its systems and applications supporting critical business processes, including implementing any lessons learned into future testing schedules.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 8
Paragraph 2.88
Australian Transaction Reports and Analysis Centre establishes a program that assesses the effectiveness of recovery processes for all production and archived backup data.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 9
Paragraph 2.92
Australian Transaction Reports and Analysis Centre leverage its post-incident learning approaches following a cyber security incident to inform a process that reviews, updates and tests all of the relevant security documentation for the effective management of cyber security incidents. That is:
- supporting security documentation to its security plans;
- framework of procedures for cyber security incident management;
- associated guidance for cyber security incident response; and
- associated guidance for cyber security incident recovery.
Australian Transaction Reports and Analysis Centre response: Agreed.
Recommendation no. 10
Paragraph 3.18
Services Australia updates its trusted insider program with the support of legal advice and other relevant expertise and ensures it is fit for purpose across the organisation.
Services Australia response: Agreed.
Recommendation no. 11
Paragraph 3.23
Services Australia updates its systems criticality assessments and data registers with the necessary information to confirm the criticality of each system and data asset.
Services Australia response: Agreed.
Recommendation no. 12
Paragraph 3.29
Services Australia establishes a Cyber Security Incident Management Policy or includes ‘cyber security incidents’ as part of the scope of the Incident Management and Escalation Policy.
Services Australia response: Agreed.
Recommendation no. 13
Paragraph 3.35
Services Australia develops and implements an approach that ensures continuous monitoring and improvement reporting is provided to management, including documenting the determination of reporting frequency and escalation.
Services Australia response: Agreed.
Recommendation no. 14
Paragraph 3.43
Services Australia designs and implements procedures detailing:
- the timeframes for reporting to internal and external stakeholders; and
- roles and responsibilities for coordinating responses, including engagement of relevant expertise.
Services Australia response: Agreed.
Recommendation no. 15
Paragraph 3.59
Services Australia develops and implements procedures detailing:
- the process for performing cyber security investigations in accordance with the Australian Government Investigations Standard; and
- the process for managing and maintaining evidence during and after cyber security investigations.
Services Australia response: Agreed.
Recommendation no. 16
Paragraph 3.71
Services Australia develops and implements:
- a process for retrieving and analysing archived Security Information and Event Management (SIEM) solution data; and
- timeframe requirements for triage and escalation activities.
Services Australia response: Agreed.
Recommendation no. 17
Paragraph 3.87
Services Australia develop and implement:
- a policy for digital preservation;
- a policy for regular backups;
- business continuity and disaster recovery plans that include the systems, applications and servers which support their critical recovery processes; and
- processes that test the recoverability of their systems and applications supporting critical business processes, and implement any lessons learned into future testing plans.
Services Australia response: Agreed.
Recommendation no. 18
Paragraph 3.96
Services Australia establish a program that assesses the effectiveness of recovery processes for all production and archived backup data.
Services Australia response: Agreed.
Recommendation no. 19
Paragraph 3.101
Services Australia develops its post-incident learning approaches following a cyber security incident to inform a process that reviews, updates and tests all of the relevant security documentation for the effective management of cyber security incidents. That is:
- supporting security documentation to their security plans;
- framework of procedures for cyber security incident management;
- associated guidance for cyber security incident response; and
- associated guidance for cyber security incident recovery.
Services Australia response: Agreed.
Summary of entity responses
24. The proposed audit report was provided to AUSTRAC and Services Australia. The entities’ summary responses are reproduced below. Their full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.
AUSTRAC
AUSTRAC welcomes the review and the opportunity to reflect on its processes and procedures for managing cybersecurity incidents. AUSTRAC maintains that our processes to date have enabled effective management of cyber security incidents if and as they occur, involving prioritisation, escalation and seeking internal and external expertise to inform AUSTRAC’s effective cyber security incident response. AUSTRAC welcomes the ANAO’s recommendations, which will support AUSTRAC to strengthen our approach to cybersecurity incident management through greater clarity and certainty provided by documenting much of our existing approach and enhancing it where gaps have been identified. In response to the recommendations, AUSTRAC will update key incident response plans and documents, as well as develop testing schedules consistent with our risk profile and appetite and operational requirements.
Services Australia
Services Australia (the Agency) notes the audit findings and the recommendations for the Agency associated with improving the management of cyber security. The Agency agrees with the recommendations, and will work towards further strengthening controls in the identified areas.
The Agency takes its responsibility to safeguard the personal information and data of its customers very seriously, as well as the need to ensure continuity of the essential services and payments that the Agency provides. I consider that the implementation of the recommendations contained in the report will support the Agency in achieving those outcomes.
Key messages from this audit for all Australian Government entities
Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Performance and impact measurement
Summary and recommendations
Background
1. Established in 1948, the Adult Migrant English Program (AMEP) provides free English tuition to eligible migrants and humanitarian entrants with no or low English levels.1 The program supports an average of 53,000 participants annually. The design of the program recognises that learning English can help migrant settlement.
2. Contracted delivery of the Adult Migrant English Program (AMEP) has been in place for 25 years.2 The current contracts commenced in 2017 and deliver English language lessons in over 300 locations and online, to clients in metropolitan, regional and remote locations in Australia. The 15 contracts3 were initially valued at $1.22 billion, which had increased (by 75 per cent) to more than $2.153 billion as at April 2024, representing an average annual contract value of $287 million. There is also a contract for quality assurance, for which the reported value increased from $6.15 million to $22.52 million. The October 2022 Federal Budget included $20 million to provide more flexible delivery options for the program and to increase case management support for students (to deliver on an election commitment).
3. All contracts were due to end on 30 June 2023. These contract arrangements were extended in December 2022, to 30 June 2024 (with work orders under the contracts not due to expire until 31 December 2024), after a government decision to delay implementation of a further new AMEP business model.4 The request for tender for new AMEP contracts was to be issued in September 2023, and new arrangements to commence 1 January 2025. On 30 November 2023, the Minister for Immigration, Citizenship and Multicultural Affairs approved a further delay5, with no new release date advised. In February 2024 the department advised the ANAO that advice to the minister and a new policy proposal were in development and the release date of the request for tender is dependent on government agreement to a new model and implementation date.
Rationale for undertaking the audit
4. Contracts for the delivery and quality assurance of delivery of AMEP are valued at over $2 billion and will have been in place for at least seven and a half years by the time they are replaced. The ANAO has audited the management of AMEP contracts once previously (in 2001), with the audit report including six recommendations, all of which were agreed to. Those recommendations related to improving program performance management and reporting; strategic management and coordination; management of financial risk; and monitoring of contractor performance.
5. The audit provides assurance to the Parliament that the department is appropriately administering the Adult Migrant English Program contracts.
Audit objective and criteria
6. The objective of the audit was to assess whether the design and administration of AMEP is effective.
7. To form a conclusion against the objective, the following high-level criteria were applied:
- Are appropriate contractual arrangements in place?
- Are the service provider contracts appropriately managed?
- Are contracted quality assurance services being delivered to an appropriate standard?
8. In addition to auditing the management of contracts by the Department of Home Affairs, the audit used the ‘follow the money’ power provided under paragraph 18B(1)(b) of the Auditor-General Act 1997 to examine the performance of Linda Wyse and Associates (LWA), the quality assurance provider for the AMEP.
Conclusion
9. The design and administration of the Adult Migrant English Program contracts has not been effective.
10. Appropriate contractual arrangements are not in place with the 13 general service providers. The contracts are continuing to operate past their stated completion date, despite there being no extension options in the contracts. While the contracts, and associated instructions, clearly outline the contracted deliverables:
- there have been significant variations made to each of the contracts, with insufficient documentation to evidence that each variation represented value for money to the Australian Government and the records of the variations are inadequate;
- there are deficiencies in the processes by which the department has engaged advisers and contracted the existing service providers to identify areas that could benefit from adaptation of new ideas and innovative service delivery to enhance client outcomes (referred to as innovative projects);
- there is no probity plan for the management of the contracts, and inadequate departmental transition planning for the end of the contracts.
11. The general service provider contracts have not been appropriately managed. A comprehensive set of contracted performance indicators was in place when the contracts were first signed, but that framework has been amended over time such that it no longer addresses the educational outcomes being achieved by students, the accuracy of provider assessments of student educational outcomes or the timeliness of service provider provision of data to the department. The only indicator that has remained relates to the extent to which eligible students commence in the program. In addition:
- invoice verification processes have not been sufficiently robust; and
- the department has not implemented a previously agreed recommendation that it would use complaints data from providers to inform and improve service delivery for students.
12. In its administration of the contract with the firm engaged as quality assurance provider, the Department of Home Affairs (Home Affairs) has not obtained appropriate assurance over the work of the 13 contracted general service providers. Key factors that led to this result include:
- the contractual performance framework was diminished after the quality assurance provider was selected and the contract signed, and key performance indicators have not been met notwithstanding that the targeted quantity of work has been reduced over time by the department;
- the approach to planning quality assurance work is not risk based; and
- Home Affairs has significantly changed the nature of services provided away from quality assurance over the work of the general service providers. For 2023–24, the department decided that 15 per cent of the budget for the provider would be spent on quality assurance work, down from 78 per cent in the first year of the contract.
Supporting findings
Contractual arrangements
13. The service provider contracts, and associated Service Provider Instructions, clearly outlined the contracted deliverables. (See paragraphs 2.2 to 2.7)
14. Significant variations have been made to each of the contracts since they were signed such that the terms and conditions are now different in important respects from the procurement opportunity that was presented to the market. The department has not kept adequate records of the contract variations that have occurred. Home Affairs’ records of decisions to vary the contracts do not adequately address value for money considerations and therefore do not demonstrate that each of the variations has been appropriate. (See paragraphs 2.8 to 2.30)
15. Contracted advisers have not been engaged through appropriate procurement processes. In addition to engaging advisers, the contracts with service providers were amended to enable the department to engage them to deliver ‘innovative projects’ that are additional to the services they were contracted to deliver at the conclusion of the 2017 procurement process. (See paragraphs 2.33 to 2.42)
16. There is no probity plan for the management of the AMEP contracts. As a result, there are no conflict of interest declaration and other probity risk management requirements in place for the AMEP contracts. (See paragraphs 2.47 to 2.49)
17. Appropriate transition management plans are not in place. The contracts were due to end on 30 June 2023 and did not include any extension options, yet, due to delays with the procurement process to replace them, they are continuing to operate past the stated completion date. As of December 2023, the department had not finalised and approved a transition out plan for the existing contracts, notwithstanding that those contracts were originally due to expire in June 2023 (they are now due to expire on 30 June 2024, with work orders under the contracts due to expire on 31 December 2024). Further, the draft transition in plan is substantively incomplete, reflecting the uncertainty about the future contractual arrangements (the tender process for replacement contracts has been subject to delays). (See paragraphs 2.53 to 2.63)
Service provider contract management
18. The introduction of an information technology system to support the department’s oversight of contractor service delivery has not proceeded. The department’s continued use of a system that was not replaced as planned has not provided a sound basis for monitoring service provider performance, or to support the payment of invoiced amounts. The failure to introduce the planned new system also required the department to make additional payments to the service providers to recognise the additional administrative burden placed on them, and has meant one of the four key performance indicators for the general service provider contracts has not been applied. (See paragraphs 3.2 to 3.9)
19. The contracts, when first signed, established a performance measurement and management framework for the general service providers, focused on four key performance indicators (KPIs). The request for tender that led to the contracts being signed had stated that the four KPIs represented ‘a minimum performance standard that service providers will be expected to meet and it is an expectation of the department that service providers will strive to deliver above these standards’. The department has amended the framework over time such that the suite of four KPIs has not been used to inform contract management:
- none of the four KPIs were applied for the first 12 months of the contract term;
- the KPI relating to data timeliness has not been applied at all;
- the target addressing the KPI relating to the accuracy of service provider assessments of client learning outcomes was first reduced and was later paused in November 2021 for the remaining term of the contracts; and
- the English attainment progress KPI has been removed. (See paragraphs 3.10 to 3.20)
20. The invoices for general service providers have not been appropriately verified. Invoicing and payments to the 13 AMEP general service providers have not consistently adhered to the contracts, with issues identified in a number of areas including the application of goods and services tax, fee indexation and backdating fee increases. (See paragraphs 3.24 to 3.28)
21. The Department of Home Affairs does not have appropriate complaint resolution processes for the delivery of services under the Adult Migrant English Program, and has not implemented an ANAO recommendation from a 2000–01 audit report7 that it had agreed to. While the contractual framework includes appropriate arrangements to enable the department to monitor the number and nature of complaints being received by the 13 general service providers, the department has not effectively administered those arrangements. As a result, the department is unable to assure itself that service providers are meeting their obligations for the timely and effective handling of complaints, and the department does not analyse complaints data to identify opportunities to improve service delivery across the program. (See paragraphs 3.29 to 3.34)
Quality assurance services
22. The contracted performance management framework has not been appropriately implemented by Home Affairs. The KPI framework was changed after the completion of the procurement process to select the provider of quality assurance services, and does not reflect the full scope of services expected of the contractor. Further, notwithstanding that the department has reduced over time the amount of quality assurance reviews required to be undertaken8, in only two years has the provider reported undertaking the (reduced) number of client file verifications specified in the annual plan (a shortfall of 27 per cent in the first six years) and has only undertaken the (reduced) number of onsite quality assurance reviews in 2022–23 (a shortfall of 20 per cent in the first six years). (See paragraphs 4.2 to 4.10)
23. Performance of AMEP service providers has not been a direct input into the development of quality assurance work. The department has not consistently implemented a risk-based approach to quality assurance work. The department decided to cease using a risk-based approach in 2020–21 and a proportional approach, based on student populations, was instead implemented from 2021–22. (See paragraphs 4.15 to 4.27)
24. The budgeting for, and tasking of, the quality assurance provider, by Home Affairs, has significantly changed the nature of services provided under this contract. The contracted provider has identified that the changes have redirected services from the intended purpose of the quality assurance role. As a result of the department refocusing the work of the contracted quality assurance provider to the delivery of professional development and development of ‘program delivery documents’, the quality assurance activities planned and delivered have not appropriately monitored the performance of the contracted general service providers. (See paragraphs 4.31 to 4.68)
25. The contractual arrangements in place do not allow an evidence-based assessment of whether the work of the quality assurance provider has improved the performance of the general service providers. (See paragraphs 4.73 to 4.77)
26. The invoices for the AMEP quality assurance provider have not been appropriately verified or paid in accordance with the AMEP quality assurance contract. (See paragraphs 4.78 to 4.79)
Recommendations
Recommendation no. 1
Paragraph 2.18
To meet its record keeping obligations and ensure appropriate performance management of contracts, the Department of Home Affairs develop a complete record of all contract variations, including those variations agreed through correspondence, together with a master version of the contracts that incorporates all variations.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 2
Paragraph 2.31
When considering potential contract variations for the Adult Migrant English Program, the Department of Home Affairs make a decision-making record that addresses whether the proposed changes represent value for money, including by reference to the value for money assessment that underpinned the procurement decision-making prior to the contract being awarded.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 3
Paragraph 2.43
The Department of Home Affairs introduce stronger governance arrangements over the process by which it engages service providers under the Adult Migrant English Program to identify areas that could benefit from adaptation of new ideas and innovative service delivery to enhance client outcomes including opportunities to offer these opportunities to open competition.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 4
Paragraph 2.50
The Department of Home Affairs develop a probity plan to govern the management of contracts for the Adult Migrant English Program.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 5
Paragraph 2.64
The Department of Home Affairs improve its transition planning for the Adult Migrant English Program by:
- finalising the transition out plan for the current contracts and, for future contracts, preparing the transition out plan early in the new contract period; and
- aligning the development of the transition in plan for the replacement contracts with the preparation of the approach to market documentation.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 6
Paragraph 3.21
The Department of Home Affairs establish a comprehensive suite of performance indicators and targets in the service provider contracts for the Adult Migrant English Program, require that service providers report performance against the indicators and targets and take appropriate contract management action where performance is below requirements.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 7
Paragraph 3.35
The Department of Home Affairs analyse and review complaints data from the general service providers for the Adult Migrant English Program to inform and improve service delivery to students.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 8
Paragraph 4.11
The Department of Home Affairs strengthen the contractual performance management framework for the provision of quality assurance services for the Adult Migrant English Program.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 9
Paragraph 4.28
The Department of Home Affairs undertake a systematic, documented, evidence-based approach to determining and targeting quality assurance activities based on general service provider performance and other risk information known to the department.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Recommendation no. 10
Paragraph 4.69
The Department of Home Affairs give greater emphasis to monitoring the quality of services being delivered to students by the contracted general service providers.
Department of Home Affairs response: Agreed.
Linda Wyse and Associates response: Agreed.
Summary of entity response
27. The proposed audit report was provided to Home Affairs and Linda Wyse and Associates (LWA), the quality assurance provider for the AMEP. The letters of response are included in Appendix 1. Summary responses from Home Affairs and LWA are reproduced below.
Department of Home Affairs
The department has agreed to the recommendations made by the ANAO. While acknowledging room for improvement, the Department does not consider the ANAO’s findings, listed below, reflect and recognise the environment in which the AMEP Agreements were being delivered:
- The design and administration of the current Agreements have not been effective, and
- The appropriate contractual arrangements are not in place.a
The AMEP has successfully delivered English language tuition to eligible migrants and humanitarian entrants, including during a period of unprecedented disruption due to the impact of COVID-19.b
Since implementation of Administrative Orders, transferring the administration of the AMEP to the department in July 2019, the department has sought to strengthen processes, procedures and the technology that support the management of the Agreements.c Several recommendations made have previously been identified by the department as opportunities for improvement in the design of the future contract/s.d The procurement process for this future contract cycle has been delayed due to the change of Government and subsequent program setting reviews. Through the future contract/s, the department will implement an enhanced performance management framework, including key performance indicators supporting the strategic intent of the AMEP and effective performance management, and deliver a new IT system supporting the administration of the contract/s.
ANAO comments on Department of Home Affairs summary response
28. ANAO comments regarding Home Affairs’ summary responses are included below, with rejoinders to the letter of response included within Appendix 1.
- An important consideration in the ANAO’s conclusions that the design and administration of the contracts has not been effective relates to the Key Performance Indicators (KPIs) for service providers. Of the four KPIs included in the contracts that commenced in July 2017 to establish ‘a minimum performance standard’ that service providers were expected to meet, three are no longer in place, including the KPI relating to the desired program outcome of progressive English attainment by students (see paragraphs 3.11 to 3.20).
- The impact of the COVID-19 pandemic on the program, and/or how the impact was addressed or not addressed by the department, is discussed throughout the audit report (paragraphs 1.4, 2.7, 2.26 and 2.27, 3.15, 4.25, 4.31, 4.36, 4.57, 4.60 to 4.68 and Table 3.1).
- Administration of the AMEP contracts transferred into the Department of Home Affairs nearly five years ago, in July 2019. Relevant records and some key staff moved with the program to the Department of Home Affairs (see footnote 28). Consistent with the ‘Collaborative Agreement’ signed by the two departments in October 2019, changes made since 2019 by the Department of Employment and Workplace Relations to the parts of the head contracts that apply to both AMEP and SEE have occurred through engagement with, and input from, the Department of Home Affairs. Home Affairs agreed that the department responsible for the SEE program would be the lead agency, and that any variations to the general clauses in the contract must be agreed by both departments.
- The ANAO notes the scope of its work has been on the current contracts and as such the findings relate to the administration of the current contracts. The ANAO has not audited the design of future contract/s, for which no request for tender has yet been issued.
Linda Wyse and Associates
LWA welcomes the report and its recognition that the Adult Migrant English Program (AMEP) contract faced many challenges in its tenure. The disruption caused by COVID-19 cannot be underestimated; it was the impetus for the change in work carried out by LWA to support AMEP providers facing the challenges of moving from face-to-face classes to online delivery for a diverse cohort of clients, who personified the digital divide.
LWA agrees in full with the 10 recommendations given in the report, recognising the importance of assuring quality and ensuring documentation accurately captures quality assurance activities. We feel strongly that monitoring the quality of services being delivered to the student is an important duty of the quality assurance provider and welcome the ANAO recommendation to give more emphasis to this activity.
LWA is committed to working with the Department to implement the recommendations and is initiating steps, as noted against the relevant recommendation, to address the areas identified for improvement.
Key messages from this audit for all Australian Government entities
29. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Contract management
Summary and recommendations
Background
1. My Health Record (MHR) is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.1 The My Health Records Act 2012 (MHR Act) states that the goals of MHR are to overcome fragmentation and improve the availability and quality of health information; reduce adverse medical events and the duplication of treatment; and improve the coordination and quality of health care provided by different healthcare providers.2
2. The Australian Digital Health Agency (ADHA) was established as a corporate Commonwealth entity in 2016, at which time it became MHR system operator.
3. MHR ‘national infrastructure’ is comprised of the IT systems and support enabling the flow of information in and out of the MHR system. The Department of Health and Aged Care and ADHA used IT supplier contracts to implement MHR national infrastructure. The largest contract is for the National Infrastructure Operator (NIO), which is responsible for operation, maintenance, support and integration of MHR national infrastructure.
4. The NIO contract was first executed with Accenture Australia Holdings Pty Ltd (Accenture) on 27 June 2012 for a total value of $47 million to 30 June 2014. As at February 2024, arrangements with Accenture totalled $746 million for MHR NIO services between 2012 and 2025.
Rationale for undertaking the audit
5. The Australian Digital Health Agency reports that approximately 23.8 million Australians had a My Health record as at March 2024.3 It is estimated that $2 billion has been invested in the My Health Record system.4
6. There has been parliamentary interest in government procurement.5 Procurement of large public IT systems can raise risks relating to obsolescence, security and interoperability. This audit provides assurance to the Australian Parliament about whether ADHA has effectively managed MHR procurement.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the Australian Digital Health Agency’s procurement and contract management of the My Health Record National Infrastructure Operator.
8. To form a conclusion against the objective, the ANAO adopted the following high-level criteria.
- Does ADHA have a fit-for-purpose governance framework for contract management and procurement?
- Has ADHA managed the My Health Record National Infrastructure Operator contracts effectively?
- Has ADHA conducted procurements of the My Health Record National Infrastructure Operator effectively?
Conclusion
9. ADHA’s procurement and contract management of the My Health Record National Infrastructure Operator has been partly effective. Effectiveness has been diminished by poor procurement planning and failure to observe core elements of the Commonwealth Procurement Rules.
10. ADHA’s governance framework for contract management and procurement is largely fit for purpose. There are policies and guidance for procurement and contract management, although probity guidance could be improved. Management and oversight arrangements for procurements and contract management are largely appropriate. Internal audit coverage of procurement has been limited.
11. ADHA’s management of the National Infrastructure Operator contract has been partly effective. The identification and assessment of commercial risk has been limited. The effectiveness of day-to-day administration of the contract is diminished by contract management planning that is not fully fit for purpose. Contract variations within the existing contract term have been made with insufficient assessment of risk, consideration of materiality and justification of value for money. The management of contract performance has not utilised all available levers under the contract.
12. ADHA has not conducted procurements of the National Infrastructure Operator contract effectively. ADHA’s planning and decisions about how to approach the market for the contract in 2019 and 2022 were deficient. For both sole source limited tender procurements, ADHA’s conduct of limited tender processes under Division 1 of the Commonwealth Procurement Rules (including demonstrating value for money, managing probity and public procurement reporting) was also deficient.
Supporting findings
Governance framework for procurement
13. ADHA provides procurement and contract management training to staff and has policies and guidance for procurement and contract management. Although there are policies and guidance, these are not always reviewed in accordance with requirements. There are policies relevant to managing conflicts of interest in procurement and contract management, although instructions are inconsistent across policy documents. There is a policy relevant to managing gifts and benefits which lacked specificity but has been improved. Chief Executive Officer (CEO) gifts and benefits declarations are not always timely. (See paragraphs 2.2 to 2.21)
14. Business areas are responsible for procurement and contract management and are supported by a central procurement area. The board approves contracts above a certain value threshold and delegates the power to enter into a contract to the CEO for other contracts. There are CEO authorisation instruments to allow officials to conduct procurements and enter into contracts. From April 2021 there was regular reporting to the board on complex and high-risk procurement. The internal audit program has considered contract management but has had limited coverage of procurement. An Audit and Risk Committee has included procurement issues in its reporting to the board but has not provided advice about the sufficiency of controls over procurement risks. (See paragraphs 2.23 to 2.30)
Contract management
15. In addition to a quarterly strategic risk assessment which includes consideration of My Health Record and the National Infrastructure Operator, risk assessments specifically related to ADHA’s commercial relationship with Accenture were conducted in 2016, 2019, 2020 and 2022. The quality of the risk assessments varied. Although a 2021 contract management plan assessed the overall risk for the National Infrastructure Operator contract as ‘medium’, it provided no information to justify this overall rating, no indication if this risk assessment exceeded its risk appetite, and no description of or treatments for specific risks. ADHA did not re-assess contract risk on five of the six occasions when the contract with Accenture was varied during an existing contract term between 2018 and February 2024. ADHA assessed risk on two occasions when the contract with Accenture was varied through a procurement, although the quality of risk assessment for one procurement was poor. The terms and conditions of the National Infrastructure Operator contract address a range of commercial and security risks. (See paragraphs 3.3 to 3.16)
16. The effectiveness of contract administration has been diminished by the following.
- There is a National Infrastructure Operator contract management plan. The plan has not been reviewed as required and does not contain some of the required information. There are no instructions to officials about how and when to assess contract risk.
- The National Infrastructure Operator contract with Accenture was amended eight times between January 2018 and February 2024 largely to fund My Health Record system enhancements, including six amendments (valued at $54 million) executed during the term of the existing contract. For the six contract amendments, ADHA did not document value for money considerations.
- ADHA did not review the contractor’s performance when it exercised an option to extend the contract.
- ADHA held strategic and operational meetings with the contractor, but these were not always at the specified frequency. Not all specified meeting types took place and some meeting types took place that were not specified.
- Officials managing the National Infrastructure Operator contract did not adhere to the ADHA’s records management policies. (See paragraphs 3.17 to 3.34)
17. Although there is evidence of ADHA conducting reviews and requiring some National Infrastructure Operator deliverables to be resubmitted, ADHA has not reviewed contract reporting deliverables as required. Contract and contract management plan provisions to support performance management have rarely or never been used (benchmarking, annual performance reviews and audits) or have not been used as planned (issues monitoring). A request for updated My Health Record system architecture in August 2019 in preparation for approaching the market for the National Infrastructure Operator in June 2020 coincided with the commencement of a dispute between ADHA and Accenture about system architecture documentation. The dispute was not resolved until March 2023. The practice of advance payment for services before delivery weakens ADHA’s leverage in managing performance. ADHA has invoked contract provisions that penalise the contractor for failing to meet certain service levels. (See paragraphs 3.36 to 3.59)
Procurement processes
18. Planning and approach to market processes for the 2019 and 2022 procurements of the National Infrastructure Operator were deficient.
- Procurement plans were not approved before procurement decisions were made.
- Risk associated with a direct source limited tender was not well assessed for the 2019 procurement but was assessed for the 2022 procurement.
- For the 2019 and 2022 procurements, ADHA justified not going to open market using limited tender conditions listed in the Commonwealth Procurement Rules; however, there were weaknesses in how conditions were justified, approved, implemented and reported. In particular, the use of paragraph 10.3b of the CPRs (‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’) was inappropriate.
- In making procurement planning decisions, relevant information (including performance issues) was not appropriately considered by the decision-maker. (See paragraphs 4.3 to 4.36)
19. Cost and other factors, including Accenture’s experience as the National Infrastructure Operator, were considered in the decision to award a contract ‘extension’ to Accenture in 2019 and 2022. However, the accountable authority made the decision without fully considering Accenture’s performance history and ADHA did not document a clear value for money assessment for either procurement. Approvals were given by officials with appropriate authority and were appropriately documented. The approach to declaring potential conflicts of interest did not comply with ADHA policy and program-specific probity obligations were unclear. ADHA partly complied with AusTender reporting requirements. (See paragraphs 4.40 to 4.68)
Recommendations
20. This report makes 13 recommendations to ADHA.
Recommendation no. 1
Paragraph 3.11
Australian Digital Health Agency review risks associated with procurement and management of My Health Record.
Australian Digital Health Agency response: Agreed.
Recommendation no. 2
Paragraph 3.20
Australian Digital Health Agency update its National Infrastructure Operator contract management plan:
- annually, in accordance with review requirements;
- to provide sufficient guidance on key contract management elements such as termination and step-in, issues management and escalation;
- to incorporate guidance on key contract provisions such as dispute resolution, subcontracting, benchmarking and annual review of contractor performance; and
- to provide guidance and instructions to officials on how and when to identify, assess and manage National Infrastructure Operator contract risks.
Australian Digital Health Agency response: Agreed.
Recommendation no. 3
Paragraph 3.26
Australian Digital Health Agency ensure that:
- decisions to expend money through a contract variation document whether the variation represents a ‘minor’ change, and the value for money of the variation; and
- it reviews performance and deliverables prior to exercising a contract extension option.
Australian Digital Health Agency response: Agreed.
Recommendation no. 4
Paragraph 3.35
The Australian Digital Health Agency ensure that records created as part of the National Infrastructure Operator contract are stored in accordance with its information governance framework.
Australian Digital Health Agency response: Agreed.
Recommendation no. 5
Paragraph 3.46
The Australian Digital Health Agency document its approach to reviewing and reporting deliverables, put in place arrangements to ensure that it reviews National Infrastructure Operator contract reports and deliverables as required, and establish appropriate controls to provide assurance that reviews are occurring.
Australian Digital Health Agency response: Agreed.
Recommendation no. 6
Paragraph 3.50
The Australian Digital Health Agency ensure that National Infrastructure Operator contract arrangements that follow the expiry of the existing contract in June 2025 clearly specify the maintenance and provision of system architecture documentation and provide appropriate assurance arrangements for their timely provision.
Australian Digital Health Agency response: Agreed.
Recommendation no. 7
Paragraph 4.8
In anticipation of the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency:
- publish a procurement plan on AusTender that provides reasonable notice to the market about the expiry of the contract; and
- prepare and endorse an internal procurement plan.
Australian Digital Health Agency response: Agreed.
Recommendation no. 8
Paragraph 4.35
The Australian Digital Health Agency implement controls to ensure that, in making procurement decisions, relevant information (including legal advice, and any past and ongoing disputes and performance issues with a supplier) is incorporated into the value for money assessment.
Australian Digital Health Agency response: Agreed.
Recommendation no. 9
Paragraph 4.37
The Australian Digital Health Agency ensure limited tender processes do not commence before the limited tender procurement approach has been approved by the relevant decision-maker, including (if applicable) consideration by the decision-maker of the specific conditions justifying limited tender.
Australian Digital Health Agency response: Agreed.
Recommendation no. 10
Paragraph 4.38
For the procurement of a National Infrastructure Operator following the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency conduct an open tender in accordance with the Commonwealth Procurement Rules.
Australian Digital Health Agency response: Agreed in principle.
Recommendation no. 11
Paragraph 4.46
The Australian Digital Health Agency, in approving expenditure through a procurement, ensure that decisions are supported by a clear value for money assessment, which considers the financial and non-financial costs and benefits of the procurement.
Australian Digital Health Agency response: Agreed.
Recommendation no. 12
Paragraph 4.60
Australian Digital Health Agency:
- ensure program-specific probity frameworks are consistent with other agency policies; and
- establish assurance processes over the declaration of interests in procurements to ensure that positive declarations are made as required under Australian Digital Health Agency’s conflict of interest policy and National Infrastructure Modernisation probity framework.
Australian Digital Health Agency response: Agreed.
Recommendation no. 13
Paragraph 4.69
The Australian Digital Health Agency establish controls to ensure that:
- all contracts and contract variations are reported accurately on AusTender within the required timeframes; and
- in accordance with the Commonwealth Procurement Rules, for each contract awarded through limited tender, a written report is prepared that includes the value, a statement indicating the circumstance and conditions that justified the use of limited tender, and a demonstration of how the procurement represented value for money in the circumstances.
Australian Digital Health Agency response: Agreed.
Summary of entity response
21. The proposed audit report was provided to ADHA. ADHA’s summary response to the audit is provided below and its full response is at Appendix 1.
As the Report highlights, the My Health Record System (MHR) is a national public system supporting coordination and quality clinical decision making and provides health information for 23.7 million Australians where and when they need it.
MHR has been operating successfully for over a decade – delivering secure, reliable health information, with choice and privacy firmly in the hands of Australians. The Agency welcomes the key Report finding that governance frameworks and contract management approaches for MHR are largely fit for purpose.
During the pandemic, when Australian communities were at highest risk, MHR was upgraded to provide rapid access to COVID test results and vaccination certificates as part of the national effort to protect Australians and support freedom of movement. During this period system stability and reliability were priorities in procurement approaches taken.
The Agency accepts the ANAO’s recommendations on strengthening approval and review processes and record keeping across the procurement and contract management lifecycle and has significantly augmented these areas over the last three years. This includes successful complex IT infrastructure modernisation through competitive procurements that have reduced single vendor dependency. Further modernisation work is underway to deliver greater health information sharing and more connected care across the health system.
22. An extract of the proposed report was provided to Accenture Australia Holdings Pty Ltd. Accenture’s full response is provided at Appendix 1.
Key messages from this audit for all Australian Government entities
23. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Procurement
Summary and recommendations
Background
1. The value of Australia’s agricultural production is forecast to rise by six per cent to $85 billion in 2024–25.1 Australia exports approximately 72 per cent of the total value of agricultural, fisheries and forestry production.2 The Australian Government regulates the export of agricultural, fisheries and forestry products, issuing export documentation that verifies that the goods being exported meet both the Australian export requirements and the importing country’s requirements.3
2. The Department of Agriculture, Fisheries and Forestry (the department) uses information and communications technology (ICT) systems to regulate and facilitate the export of agricultural, fisheries and forestry products and to issue export documentation.
3. In the 2020–21 Budget, the Australian Government committed $328.4 million over four years for a package of measures titled ‘Busting Congestion for Agricultural Exporters’. The Digital Services to Take Farmers to Markets measure accounted for $222.2 million of this funding and was intended to modernise Australia’s agricultural export systems.4
Rationale for undertaking the audit
4. The effective administration of the digital reform of agricultural export systems is intended to minimise disruption to exports and provide exporters with the benefits of faster, more reliable and cost-effective export services.
5. Past external reviews and ANAO performance audits of the department have found weaknesses in the department’s governance and culture, as well as its arrangements to manage its performance as a regulator.5
6. Large-scale ICT improvement programs aimed at uplifting or replacing aging ICT systems are increasingly common across Australian Government entities. Recent audits of other ICT improvement programs have found weaknesses in monitoring and reporting on the program’s status and performance, which increases the risk that the program fails to deliver outcomes and limits effective measurement of benefits realisation.6
7. This audit provides assurance to Parliament on the effectiveness of the department’s administration of the digital reform of the agricultural export systems.
Audit objective and criteria
8. The objective of the audit was to assess the effectiveness of the department’s administration of the digital reform of the agricultural export systems.
9. To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria.
- Has the department established effective governance arrangements for the program?
- Is the department implementing the program effectively?
- Is the department managing change for the program effectively?
10. The Australian Government has been investing in the digital reform of the agricultural export systems through a series of measures (see paragraphs 1.4 to 1.7).
11. The audit focused on the department’s administration of the package of work approved by the Australian Government in October 2020 and relevant in-flight initiatives. This work is being delivered in three tranches, the first of which was scheduled to conclude at the end of 2022–23. The audit focused on the delivery of the first tranche (Tranche 1).
12. This package of work is funded by the Digital Services to Take Farmers to Market budget measure and builds on elements of work undertaken under previous measures, such as the delivery of a digital export certification management system. The report refers to this package of work collectively as ‘the program’.
13. The audit did not examine:
- the effectiveness of individual initiatives or projects administered by the program;
- the delivery of digital initiatives that are not related to the export systems; or
- whole-of-government initiatives such as the Simplified Trade System.7
Conclusion
14. The department is partly effective in administering the digital reform of the agricultural export systems. The program focuses on short-term delivery goals without consideration of how this will contribute to the delivery of tranche or program end-states. There is a risk that the work being undertaken by the program may not effectively achieve the outcomes or benefits the program has committed to deliver.
15. The program’s governance arrangements are largely effective. The department prepared and presented first and second pass business cases for the program to the Australian Government as well as a Business Case Addendum to document the department’s implementation of the program. It does not document how the program’s outcomes will be measured. The department has established governance arrangements to support the Senior Responsible Officer to deliver the agreed program outcomes and the realisation of the program benefits. The department has established assurance arrangements and risk and issue management arrangements for the program. The department is not identifying and managing program risks that extend beyond the department and require shared oversight and management.
16. The department’s implementation of the program is partly effective. The department established a Tranche 1 implementation plan that did not specify an end-state for Tranche 1. In March 2024, the department advised the ANAO that, of the 35 initiatives in Tranche 1, six (17 per cent) had been delivered and 13 (37 per cent) had been partially delivered. In November 2022, the Executive Board agreed to spending reductions across the department to address a forecast departmental overspend. In December 2022 and March 2023, the program’s budget was reduced to support the department’s efforts to reduce spending. This resulted in the program stopping planned work, pausing the implementation of initiatives and reducing contractor staffing. The department established consultation and communication arrangements for the program.
17. The department’s arrangements to manage, measure and report on changes made through its digital reform program are partly effective. The department has not fully implemented change management arrangements for the program. Not all agricultural export ICT systems have authority to operate. While the department has established a benefits management framework, it has not established an evidence-based baseline or methodology. Internal reporting is limited to short-term delivery goals. It does not include reporting on the program’s progress in delivering the outcomes that the program has committed to deliver. The department has continued to receive significant or moderate findings from the ANAO regarding its external reporting to the Parliament.
Supporting findings
Governance
18. The department prepared and presented first and second pass business cases to the Australian Government in October 2018 and July 2020 respectively. In October 2021, the department presented a Business Case Addendum to the Australian Government to document the department’s implementation of the program. It does not document how its outcome statements will be measured. Without measurable outcomes, the department’s ability to effectively monitor and report on the achievement of the program’s implementation is limited and there is a risk that the work being undertaken by the program may not effectively achieve the program outcomes or benefits. (See paragraphs 2.2 to 2.22)
19. The Senior Responsible Officer (SRO) is accountable to the accountable authority for the delivery of the agreed program outcomes and the realisation of the program benefits. The department has established policies and strategies for the program as well as governance bodies to support the Senior Responsible Officer. The department has established assurance arrangements for the program and is subject to assurance activities for the program, such as Department of Finance Gateway Reviews and internal audits. (See paragraphs 2.23 to 2.58)
20. The department has established risk and issue management arrangements for the program, which align with the department’s Enterprise Risk Management Framework and Policy. The program maintains centralised risk and issue registers. The program has developed a risk management plan that details the key risks for the program and how they are being managed. The department is not identifying and managing program risks that extend beyond the department and require shared oversight and management. (See paragraphs 2.59 to 2.83)
Implementation
21. The department established a Tranche 1 implementation plan that did not specify an end-state for Tranche 1. In March 2024, the department advised the ANAO that, of the 35 initiatives in Tranche 1, six (17 per cent) had been delivered; 13 (37 per cent) had been partially delivered; and 16 (46 per cent) had been discontinued, consolidated into other initiatives, or were under development. (See paragraphs 3.3 to 3.26)
22. Funding for the Digital Services to Take Farmers to Market measure amounted to $199.9 million for 2020–21 to 2022–23. During this period, the department spent $166.2 million. In November 2022, the Executive Board agreed to spending reductions across the department to address a forecast departmental overspend. In December 2022 and March 2023, the program’s budget was reduced to support the department’s efforts to reduce spending. This resulted in the program stopping planned work for the program, pausing the implementation of initiatives and reducing contractor staffing. The department established a sourcing strategy and financial management arrangements for the program and its financial reporting accurately reflected the financial records in the department’s financial management system. (See paragraphs 3.27 to 3.57)
23. The department established consultation and communication arrangements for the program. The department is not coordinating consultation and communication activities that are being undertaken by program teams. (See paragraphs 3.58 to 3.68)
Change management, monitoring benefits and reporting
24. The program has not fully implemented the change management arrangements established by the department. The program is not completing impact assessments for all of its projects and is not completing readiness assessments for all projects with ‘medium’ and ‘high’ impact changes. As at June 2023, 67 per cent of exports-related instructional material documents were overdue for review. Not all of the agricultural export systems have active authority to operate. The department has not documented whether the functionality of those systems without active authority to operate would require an active authority to operate. (See paragraphs 4.3 to 4.25)
25. The department has established a benefits management framework and is reporting on the achievement of financial benefits for program initiatives. The department has not established an evidence-based baseline or methodology for the total forecast value of the program’s benefits. The department is unable to demonstrate that its benefits reporting provides decision-makers with complete and accurate information on the realisation of financial benefits for the program. (See paragraphs 4.26 to 4.53)
26. Program reporting is limited to short-term delivery goals. It does not focus on reporting on the program’s progress in delivering Tranche 1 as a whole, or the program initiatives’ progress in achieving their established end-states. Nor does it report on progress in achieving program outcomes. This limits the SRO’s ability to effectively monitor the progress of the program as a whole and to determine whether the program is on track to deliver its commitments on time and within budget. The department has continued to receive significant or moderate findings from the ANAO regarding its external reporting to the Parliament. (See paragraphs 4.54 to 4.90)
Recommendations
Recommendation no. 1
Paragraph 2.21
The Department of Agriculture, Fisheries and Forestry determine how:
- the program’s initiatives will contribute to the delivery of the program’s outcomes; and
- the achievement of the program’s outcomes will be measured.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 2
Paragraph 2.82
The Department of Agriculture, Fisheries and Forestry identify and manage program risks that extend beyond the department and require shared oversight and management.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 3
Paragraph 3.21
The Department of Agriculture, Fisheries and Forestry establish end-states for program tranches prior to tranche implementation.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 4
Paragraph 4.12
The Department of Agriculture, Fisheries and Forestry complete impact assessments and readiness assessments in accordance with the change management arrangements established by the department.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 5
Paragraph 4.22
The Department of Agriculture, Fisheries and Forestry ensure that all ICT systems that process, store or communicate information and data have an active authority to operate.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 6
Paragraph 4.52
The Department of Agriculture, Fisheries and Forestry review its benefits management arrangements for the program to ensure that all benefits are measurable and evidence-based, including:
- establishing appropriate baselines for each benefit;
- establishing methodologies to measure each benefit; and
- ensuring consistent reporting of realised benefits to inform decision-makers regarding progress towards achieving the program’s expected benefits.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Recommendation no. 7
Paragraph 4.76
The Department of Agriculture, Fisheries and Forestry review and update its reporting arrangements to ensure that progress and performance reporting includes:
- reporting against the outcomes of the program, as a whole, and how the work being undertaken is contributing to these outcomes; and
- consistent updates on the program’s overall progress towards the delivery of the program’s outcomes, so that performance can be effectively measured over time.
Department of Agriculture, Fisheries and Forestry response: Agreed.
Summary of entity response
The Department of Agriculture, Fisheries and Forestry (the department) is committed to appropriate and timely implementation of the seven recommendations of the report, all of which we agree.
The recommendations focus on establishing and measuring program initiatives and outcomes, risk management, change management, benefits management, and progress and performance reporting. These recommendations provide valuable insight to inform work underway in the department to deliver digital reform of the agricultural export systems.
The department welcomes the ANAO’s assessment that the governance arrangements for the digital reform of the agricultural export systems are largely effective, with such arrangements established to support the Senior Responsible Officer to deliver the agreed program outcomes and the realisation of the program benefits. The department also notes the ANAO’s assessment that financial reporting accurately reflected the records in the department’s financial management system.
The department acknowledges it can benefit from improving processes for managing shared risks, measuring and reporting benefits and ensuring consistency with departmental processes, and notes work is underway to clarify the documentation of end states and enhance reporting against progress in delivering the program.
The department also notes work is already underway to action the matters identified by the report as opportunities for improvement.
Key messages from this audit for all Australian Government entities
27. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Policy/program design
Performance and impact measurement
Summary and recommendations
Background
1. The Australian Maritime Safety Authority (AMSA) is responsible for providing the Australian Government’s network of marine Aids to Navigation (AtoN) to the commercial shipping industry that meets international standards. Since 2001, AMSA’s AtoN maintenance program has been implemented continuously through one external contractor, with the current contract due to end on 30 June 2024.
2. Between August 2022 and July 2023 AMSA undertook an open procurement process for the provision of AtoN maintenance services. One tender was received, which was from the incumbent contractor. After completing a full evaluation of the tender that was received, including a value for money assessment, a contract for the maintenance of the AtoN was not awarded.
Rationale for undertaking the audit
3. This performance audit of the AtoN maintenance procurement was undertaken in response to a request from the Minister for Infrastructure, Transport, Regional Development and Local Government (the minister).1 The request from the minister referenced concerns about the conduct of the procurement from the unsuccessful tenderer. This performance audit provides assurance to Parliament on the effectiveness of AMSA’s management of the 2022–23 AtoN maintenance procurement.
Audit objective and criteria
4. The audit objective was to assess the effectiveness of AMSA’s management of the 2022–23 AtoN maintenance procurement.
5. To form a conclusion against the objective, the following high-level criteria were adopted.
- Did AMSA take appropriate steps to encourage open and effective competition?
- Was the tender evaluation planned and undertaken consistently with the Request for Tender?
- In its management of the procurement process and when dealing with complaints from the unsuccessful tenderer, did AMSA act ethically and has it been accountable and transparent?
Conclusion
6. AMSA’s management of the 2022–23 AtoN maintenance procurement was largely effective. Achieving value for money is the core rule of the Commonwealth Procurement Rules (CPRs) and the result of the open tender conducted by AMSA identified that the tender received for AtoN maintenance services did not demonstrably represent value for money. Accordingly, and consistent with the CPRs, it was not in the public interest for AMSA to award a contract for AtoN maintenance services. In its debriefing of the unsuccessful tenderer for the AtoN maintenance services contract, and its public statements about the tender outcome, AMSA did not clearly communicate the reasons for not awarding the AtoN contract.
7. AMSA took appropriate steps to design and conduct the procurement in a way that would deliver open and effective competition. This included taking on board information obtained through a market sounding exercise. The tender closing date was also extended twice, at the request of potential tenderers. Some additional steps could have been taken in pursuit of the goal of open and effective competition, in recognition that there was an incumbent contractor, as follows:
- disclosing the weighting of the evaluation criteria, as this would have communicated to potential tenderers that their capability and capacity was more important than whether they had experience in providing the services being tendered. Identifying the weightings would also have allowed AMSA to meet the requirement under the CPRs that request documentation disclose the relative importance of the criteria; and
- clearly communicating to potential tenderers that the draft AtoN contract included with the Request for Tender (RFT) involved changes from the existing contract. This would not detract from tenderers’ responsibility to inform themselves about the services they were tendering to provide.
8. In response to the RFT, AMSA received one tender (from the incumbent contractor) for the AtoN contract. An absence of competition makes it more difficult for the procuring entity to be satisfied that it has obtained value for money.
9. AMSA’s evaluation of the tender received for AtoN maintenance was planned and undertaken consistent with the RFT. The tender that was received was assessed as compliant. It was scored at 65.3 per cent against the four evaluation criteria included in the RFT, with AMSA identifying the scores as ‘marginal’ in a number of areas. As required by the CPRs and the RFT, tender evaluation was completed by AMSA undertaking a value for money assessment. That assessment concluded that a value for money outcome had not been achieved. On the basis of the evaluation results, AMSA’s conclusion that it was not in the public interest to award a contract was appropriate and complied with the CPRs. AMSA has not provided clear and accurate reasons for why it did not award a contract in its debrief of the unsuccessful tenderer or publicly.2
10. Important elements of a framework for conducting the procurement ethically were in place including a probity plan and the engagement of a probity advisor. There was no probity plan in place for the industry engagement activities that informed the design of the RFT. There were also a number of shortcomings in the implementation of the probity framework for the RFT, including insufficient risk management and a lack of evidence that all procurement personnel received probity briefings and completion of conflict of interest declarations. AMSA’s investigation of the procurement complaint made by the unsuccessful tenderer under the Government Procurement (Judicial Review) Act 2018 was timely and scoped appropriately. There were errors in the investigation report although those errors did not affect the findings that the alleged breaches of the CPRs had not occurred.
Supporting findings
The approach to market
11. Prior to, and separate from the RFT, AMSA conducted a market sounding exercise. This was conducted by AMSA issuing an open Request for Information (RFI). The 14 submissions received by AMSA:
- provided information about the likely level of market interest in the AtoN maintenance and level 1 Emergency Towage Capability (ETC) services contracts. There was no market interest in the AtoN contract separate to the ETC contract, seven respondents indicated interest in both contracts and seven respondents were interested solely in the ETC contract; and
- provided information that AMSA used to confirm the design of the contracts included in the subsequent approach to the market. AMSA decided to offer separate contracts for AtoN maintenance and ETC, as well as the opportunity to lodge a tender for both, and lengthened the proposed duration of the contracts (to ten years, with extension options for up to a further five years). (See paragraphs 2.1 to 2.9)
12. With the objective of having competition for the contracts, the procurement was conducted by way of an open RFT. In addition to designing the RFT in a way intended to encourage competition, AMSA extended the tender closing date twice at the request of potential tenderers. To encourage competition, there would have been benefits in AMSA informing potential tenderers of the criteria weightings and also highlighting that some changes were proposed to the contract for AtoN maintenance compared with the existing contract.
13. The RFT did not result in competing tenders being received for the AtoN maintenance contract. Most of the respondents to the RFI did not proceed to lodge a tender. Seven RFI respondents indicated they were likely to tender for both contracts with six of those not proceeding to tender for both contracts (although one of those six did tender for the ETC contract). No RFI respondents indicated they were likely to tender for the AtoN contract alone. One tender for the AtoN contract was received, from the incumbent contractor. The incumbent contractor also tendered for the ETC contract. This was the only respondent that tendered to provide both services. (See paragraphs 2.10 to 2.22)
Tender evaluation
14. AMSA implemented appropriate arrangements to govern the evaluation of tenders. (See paragraphs 3.1 to 3.10)
15. An evaluation plan was documented and approved prior to tenders closing. The evaluation plan was consistent with the RFT, with the exception of including criteria weightings that had not been disclosed in the RFT. (See paragraphs 3.11 to 3.13)
16. The tender received for AtoN maintenance services was evaluated in the manner required by the RFT. At the conclusion of tender evaluation, AMSA was unable to conclude that the tender offered value for money. This conclusion drew upon evaluation results against the four weighted criteria, as well as analysis of the price tendered. AMSA also took into account the nature and extent of contractual non-compliance identified, and the related risks, in identifying that tender clarification would, in effect, amount to bid repair. (See paragraphs 3.14 to 3.32)
17. AMSA has not clearly communicated the reasons for not awarding the AtoN contract. The result of the tender evaluation was that the tender received for the AtoN maintenance services had been assessed to not represent value for money. Statements by AMSA that a value for money assessment was not completed, or that the tendered price for AtoN maintenance services was not evaluated, are inconsistent with AMSA’s tender evaluation records:
- A Value for Money Assessment Report was prepared, and signed in June 2023 by each member of the two Procurement Evaluation Committees. It applied the methodology set out in the RFT to assess the value for money offered by the tenders received for the two contracts. This included comparing tendered prices to the pre-tender estimate, other ETC tenders (where there was competition) and to the cost of the existing AtoN maintenance contract (where there was no competition).
- The final Tender Evaluation Report, signed in June 2023 by each member of the Consolidation Evaluation Panel, recorded the Panel’s assessment of whether the tender received for AtoN maintenance services, as well as the tenders received for ETC services, represented value for money.
18. The value for money assessment, documented in these two evaluation reports, was relied upon by AMSA to support it awarding a contract for ETC services to the tender assessed as offering the best value for money. The same documents set out the evaluation conclusion that the one tender received for the AtoN maintenance services did not represent a value for money outcome and a contract should not be awarded.
19. If AMSA had not completed a value for money assessment, as AMSA has stated was the case, it would have been inconsistent with the RFT, as well as a breach of the CPRs. (See paragraphs 3.33 to 3.38)
Ethics, accountability and transparency
20. A probity plan was not in place to govern the industry engagement activities that informed the design of the procurement process. A probity plan was in place for the RFT process, and an external probity advisor was engaged. AMSA did not specifically assess probity risk and did not fully adhere to the probity plan requirements for procurement personnel to receive probity briefings and make conflict of interest declarations. The probity advisor provided an interim report at the completion of tender evaluation, and a final report following completion of the procurement process. (See paragraphs 4.1 to 4.26)
21. AMSA engaged a probity advisor for the RFT process and an internal audit of the procurement was undertaken. The commissioning of the internal audit did not follow AMSA’s internal processes and AMSA’s Board Audit and Risk Committee was not informed of the limitations regarding the assurance level of the work that was undertaken. The format of the report, a brief email, was not fit for its purpose. (See paragraphs 4.27 to 4.37)
22. There have been three complaints by the unsuccessful tenderer in relation to the AtoN tender.
- An August 2023 complaint under the Government Procurement (Judicial Review) Act 2018 alleging breaches of the CPRs was handled appropriately by AMSA. The investigation was appropriately scoped and completed in a timely fashion. There were two errors of fact3 in the investigation report. Those errors did not affect the investigation’s conclusion that the alleged contraventions of the CPRs had not occurred.
- In November 2023 the unsuccessful tenderer alleged that the Chair of the AMSA Board had a conflict of interest. AMSA advised the Department of Infrastructure, Transport, Regional Development, Communications and the Arts that the results of the evaluation process, and the decision that a contract should not be awarded, were not influenced by the Chair or any other member of the Board.
- Also in November 2023, the unsuccessful tenderer made allegations about the conduct of the chair of the Consolidation Evaluation Panel. Once it became aware of those allegations in January 2024, AMSA took timely and appropriate action to investigate, finding that there was no evidence to support the allegations. (See paragraphs 4.38 to 4.69)
Recommendations
Recommendation no. 1
Paragraph 2.19
The Australian Maritime Safety Authority strengthen its procurement controls and better inform the market by setting out in its request documentation the relative importance of the evaluation criteria that will be applied.
Australian Maritime Safety Authority response: Agreed.
Recommendation no. 2
Paragraph 2.22
When re-tendering contracts, the Australian Maritime Safety Authority consider the benefits to encouraging competition by identifying any major changes proposed to the contractual arrangements in the request documentation.
Australian Maritime Safety Authority response: Agreed.
Recommendation no. 3
Paragraph 3.37
When debriefing tenderers and in any public statements on the results of procurement processes, the Australian Maritime Safety Authority promote transparency by ensuring the reasons it provides are consistent with the tender evaluation reports.
Australian Maritime Safety Authority response: Agreed.
Recommendation no. 4
Paragraph 4.16
To effectively manage probity risks in procurement activities, the Australian Maritime Safety Authority:
- include an assessment of probity risks and identify how they should be managed within the risk register for large and/or complex procurements; and
- have in place a probity plan that governs any pre-procurement activities including industry engagement and addresses the way it will engage with any incumbent contractor(s) during the planning for, and conduct of, the procurement process.
Australian Maritime Safety Authority response: Agreed.
Summary of entity response
23. The proposed final report was provided to the Australian Maritime Safety Authority and extracts were provided to the Department of Infrastructure, Transport, Regional Development, Communications and the Arts. The summary response from AMSA to the report is provided below (the department did not provide a summary response). The full response from each entity is at Appendix 1.
Australian Maritime Safety Authority
AMSA takes seriously its obligations to comply with the Public Governance, Performance and Accountability Act 2013, the Commonwealth Procurement Rules and conducting procurements ethically under its own internal procurement requirements. AMSA appreciates the ANAO’s conclusion that AMSA’s management of the AtoN maintenance procurement was largely effective and that consistent with the Commonwealth Procurement Rules it was not in the public interest for AMSA to award a contract for AtoN maintenance services. AMSA also accepts the identified recommendations and the suggested opportunity for improvement and will amend its practices accordingly.
Key messages from this audit for all Australian Government entities
24. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Procurement
Summary and recommendations
Background
1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Australian Government entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013, credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).
2. For 2021–22 and 2022–23, the National Disability Insurance Agency’s (NDIA’s) total credit card expenditure was approximately $6.7 million, comprising 11,925 transactions. For the same period, the NDIA’s total travel expenditure was approximately $9.1 million, representing 8,509 trips. Credit card and travel expenditure both represented one per cent or less of the NDIA’s supplier expenses in each year.3
Rationale for undertaking the audit
3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:
establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.4
4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:
[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6
5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions8 and ineffective controls in the management of the use of credit cards.9 This audit provides Parliament with assurance that the NDIA is effectively managing corporate credit cards in accordance with legislative and the NDIA’s policy requirements.
6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:
- National Disability Insurance Agency (NDIA);
- Federal Court of Australia;
- Australian Research Council; and
- Productivity Commission.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.
8. To form a conclusion against the objective, the ANAO examined:
- whether the NDIA has effective arrangements in place to manage the issue, return, and use of corporate credit cards; and
- whether the NDIA has implemented effective controls and processes for corporate credit cards in accordance with their policies and procedures.
Conclusion
9. The NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective. The NDIA has established controls that were not robustly implemented to provide sufficient assurance to the NDIA Board that fraud risks are being managed.
10. The NDIA has partly effective arrangements in place to manage the issue, return and use of corporate credit cards. The NDIA’s senior leadership team and the Board have limited oversight of credit card management and use, including for travel. Reporting of use and non-compliance is provided to Financial Control Branch within the Chief Finance Officer Division, and non-compliance incidents are reported to the Risk Advisory Branch. Financial authorisations for Services Australia to enter into borrowing arrangements on the NDIA’s behalf were not in place. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no shared risk register or approach with Services Australia. The NDIA has largely fit-for-purpose policy and procedures and training to support use of credit cards, except for not addressing positional authority risks.
11. The NDIA has implemented partly effective controls and processes for management and control of corporate credit cards. Preventive controls were partly implemented, with cards issued to Senior Executive Service (SES) officers without line manager endorsement, credit limits that were not consistent with NDIA policies and the NDIA not utilising merchant blocking technology. Detective controls were partly effective in supporting detection of credit card misuse, and travel approval and acquittal non-compliance. Travel by Board members, and travel and credit card expenditure by the CEO and SES officers, was often approved by a staff member junior to the traveller or credit cardholder and did not address positional authority risk. The NDIA’s policies permit discretion when identifying and recording non-compliance during a quality assurance review, leading to under-reporting of non-compliance. The NDIA has partly implemented effective controls for managing non-compliance. The NDIA does not monitor the timeliness of travel acquittals, use its system to record all instances of travel non-compliance or take action in response to most identified travel non-compliance.
Supporting findings
Credit card arrangements
12. The NDIA has not delegated authority for Services Australia to enter into borrowing arrangements on its behalf. The NDIA reports regularly on use and management of credit cards (including non-compliance) at the responsible branch level. Credit card and travel non-compliance are aggregated with other instances of non-compliance with finance law, diminishing the NDIA Board and Senior Leadership Team’s understanding of fraud, risk and integrity implications arising from non-compliance. In relation to the delivery of shared services by Services Australia, the NDIA receives quarterly non-compliance reports for travel by NDIA staff and an annual assurance statement relating to Services Australia’s controls environment. (See paragraphs 2.4 to 2.24)
13. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no evidence of consideration of credit cards or travel within the Chief Financial Officer’s divisional risk register. There is no shared risk register or approach with Services Australia for shared services provided. (See paragraphs 2.25 to 2.41)
14. Accountable Authority Instructions (AAIs) and the NDIA Finance Policies are reviewed annually and are largely consistent with Australian Government guidance on managing credit cards. Policies and procedures do not address positional authority considerations for the acquittal of the Board and CEO’s credit card and travel expenditure. (See paragraphs 2.42 to 2.57)
15. NDIA staff applying for a credit card are required to complete online training, which covers all responsibilities and policy requirements, prior to being issued with the card. When it is recommended staff complete refresher training following instances of non-compliance, this does not always occur. Line manager reviewers of credit card acquittals, travellers and travel spending approvers are not required to complete training. (See paragraphs 2.58 to 2.61)
Management and control of credit cards
16. Controls relating to the issue of credit cards were generally operating as intended, except that line managers did not endorse Senior Executive Service officer credit card applications. The NDIA does not have assurance that credit limits are applied consistent with policy requirements. The NDIA does not use merchant blocking to prevent misuse. The NDIA cancelled and suspended cards for staff who had left the NDIA or were on long term leave following annual reviews of ongoing business need for the card, indicating that other preventive controls were not operating as intended. (See paragraphs 3.4 to 3.20)
17. The NDIA has implemented detective controls for credit cards including credit card acquittal by cardholders, review by line managers and a quality assurance review process. The NDIA’s policies do not provide guidance on detecting the splitting of a transaction to remain under the relevant credit card limit. For a sample of 117 transactions, ANAO identified 18 instances of potentially split transactions, and 20 credit card acquittals of the CEO and SES where the approving officer was junior to the credit cardholder, introducing positional authority risk. In 2021–22 and 2022–23, daily assurance checks resulted in requests for supporting documentation from credit cardholders for four per cent of all credit card transactions. In 2021–22 and 2022–23, the ANAO identified 11 credit card transactions which occurred where the NDIA policies required the credit card be suspended, and one where the policies required the credit card be cancelled. (See paragraphs 3.21 to 3.46)
18. The NDIA implemented detective controls for travel approvals including travel acquittal by travellers, review by delegates and quality assurance processes. For a sample of 93 trips, 24 travel requests were not submitted within required timeframes, 10 trips did not have supporting documentation, and 18 trips were not acquitted within required timeframes. The delegate was junior to the traveller for 51 trips by the CEO and Board, introducing positional authority risk. Services Australia made 30 recommendations to the NDIA to address travel related non-compliance identified by quality assurance processes. The NDIA did not respond to Services Australia or implement the recommendations. (See paragraphs 3.21 to 3.46)
19. The NDIA records credit card non-compliance by specific categories, including accidental private use. Reported instances of travel non-compliance did not reconcile. The NDIA recorded action taken in relation to credit card non-compliance, including recovery of personal expenditure and recommendation of further training. The NDIA did not record any actions taken in response to recommendations made by Services Australia to remedy travel non-compliance. For the one instance of travel non-compliance recorded in the NDIA’s internal reporting, the action taken was to inform the staff member of the policy requirements. (See paragraphs 3.47 to 3.64)
Recommendations
Recommendation no. 1
Paragraph 2.11
The National Disability Insurance Agency establishes a financial authorisation to support the borrowing undertaken by Services Australia on its behalf under the shared services arrangements.
National Disability Insurance Agency response: Agreed.
Recommendation no. 2
Paragraph 2.19
The National Disability Insurance Agency’s (NDIA’s) Board receive and consider complete and accurate reporting of non-compliances with finance law and NDIA policies, including for credit card and travel expenditure.
National Disability Insurance Agency response: Agreed.
Recommendation no. 3
Paragraph 2.35
The National Disability Insurance Agency clearly articulate in approved risk registers the reasons for risk ratings and incorporate effective controls and mitigations so that risk is managed within approved tolerance levels, consistent with the Agency’s Risk Management Guide.
National Disability Insurance Agency response: Agreed.
Recommendation no. 4
Paragraph 2.38
Services Australia and the National Disability Insurance Agency approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.
National Disability Insurance Agency response: Agreed.
Services Australia response: Agreed.
Recommendation no. 5
Paragraph 2.53
The National Disability Insurance Agency (NDIA) address positional authority risk relating to the approval of the NDIA Board Chair, NDIA Board members and CEO credit card expenditure and travel, by requiring that:
- expenditure made by or on behalf of the NDIA Board Chair be approved by a deputy or other NDIA Board member;
- expenditure made by or on behalf of the NDIA Board members (other than the Chair) be approved by the NDIA Board Chair; and
- expenditure made by or on behalf of the NDIA CEO be approved by the NDIA Board.
National Disability Insurance Agency response: Agreed.
Recommendation no. 6
Paragraph 3.8
The National Disability Insurance Agency introduce controls to:
- prevent the activation or use of new or replacement credit cards until cardholders have acknowledged receipt of the card and confirm they will comply with NDIA policy; and
- require approval from the supervising Senior Executive Service (SES) officer for all credit card applications by SES officers, consistent with the NDIA’s policy requirements.
National Disability Insurance Agency response: Agreed.
Recommendation no. 7
Paragraph 3.37
To support accountability and separation of duties, the National Disability Insurance Agency introduce additional assurance processes for cardholder transactions in the Chief Financial Officer Division and Financial Control Branch.
National Disability Insurance Agency response: Agreed.
Recommendation no. 8
Paragraph 3.40
The National Disability Insurance Agency (NDIA) develop guidance on steps for identification of all types of credit card non-compliance with the NDIA Finance Policies, and a system for reporting all non-compliance, including those that are rectified as part of the quality assurance process.
National Disability Insurance Agency response: Agreed.
Recommendation no. 9
Paragraph 3.53
The National Disability Insurance Agency introduce a quality assurance process to cross check reports for completeness and accuracy with other relevant information sources, document identified discrepancies and remedial action taken.
National Disability Insurance Agency response: Agreed.
Summary of entity responses
20. The proposed audit report was provided to the NDIA and an extract was provided to Services Australia. The entities’ summary responses are reproduced below. The entities’ full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.
National Disability Insurance Agency
The National Disability Insurance Agency (NDIA) welcomes the ANAO’s analysis that the level of non-compliance across the Agency is minor and that no significant non-compliances, or instances of fraud, were identified.
The NDIA notes the ANAO’s reference to discretion in relation to the reporting of compliance and disputes the reference to under-reporting of misuse. Discretion is applied where it is identified that additional documentation is required; should additional documentation not be provided, a non-compliance is recorded.
The NDIA notes the ANAO’s reference to “junior staff” approving Board and CEO travel. This reference related to a historical administrative arrangement undertaken by an SES Band 2 to provide approvals for CEO travel and credit card expenditure. The NDIA notes the CEO does not currently hold a credit card.
The NDIA notes the ANAO’s comments on reporting of use and non-compliance are only provided to the Agency Budget and Financial Control Branch. All non-compliances are reported to the Agency’s Risk Management Branch on a monthly basis for inclusion in whole-of-Agency compliance reporting.
The NDIA acknowledges the recommendations and the opportunities for improvement. The NDIA has commenced action in line with our responses to the recommendations. Noting the above, and the extant sound governance and controls relating to credit card and travel administration, the NDIA suggests that the use of corporate credit cards is effective rather than partly effective.
ANAO comment on the National Disability Insurance Agency’s response
21. The approval of a credit cardholder’s acquittal or travel by an officer junior to the cardholder or traveller, even if the approver is an SES officer, introduces positional authority risk (see paragraphs 3.25 and 3.30). The NDIA has not developed appropriate policies or procedures to manage this risk (see paragraph 2.52).
22. The absence of criteria or guidance for identifying and recording credit card non-compliance, detected during the daily quality assurance checks, is discussed at paragraphs 3.34 and 3.43. The audit identified instances of transactions that were potentially split, IT assets purchased without approval, credit card acquittals not completed within required timeframes, lack of required documentation and use of credit card while on leave contrary to policy requirements (see paragraphs 3.22, 3.23 and 3.25). None of these instances were reported by the NDIA as non-compliance.
23. Credit card non-compliances were reported in the financial system (see paragraph 3.47); this does not include all non-compliance detected by quality assurance processes (see paragraph 3.35). Only credit card and travel non-compliances recorded in the financial system are reported to the Risk Advisory Branch (see paragraphs 2.17 and 3.51, and footnotes 47 and 81).
Services Australia
Services Australia (the Agency) notes the audit findings and the recommendation for the Agency and the National Disability Insurance Agency (NDIA) to approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.
The Agency acknowledges the requirement under the Commonwealth Risk Management Policy 2023 (the Policy) for entities to collaborate to manage shared risks and will work with the NDIA through existing bilateral governance arrangements to further strengthen risk management between the agencies in respect of corporate credit card and travel arrangements.
Key messages from this audit for all Australian Government entities
24. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Records management
Engagement with the audit process
Summary and recommendations
Background
1. As of 2022, Australia’s school education system was made up of 9,614 schools, attended by four million students, and staffed by 307,228 teaching staff (full time equivalent, including principals).1 There were also 90,028 prospective teachers enrolled in Initial Teacher Education (ITE) courses.2
2. The Australian Institute for Teaching and School Leadership Limited (AITSL, or the company) was established in 2010 to lead the promotion of excellence in teaching and school leadership on behalf of the Australian Government and state and territory governments, with an initial focus on national standards and professional development resources.3
3. As of December 2023, AITSL is responsible for administering 10 national standards and frameworks, which inform teacher regulation, professional development and career pathways, codify agreed common approaches to regulation between states and territories, and provide assistance and support for teachers and school leaders in areas of identified need.4 In 2022–23, AITSL had 81 employees (not including board directors), and received $17.1 million in revenue, including $10.3 million from the Australian Government (Table 1.1).
Rationale for undertaking the audit
4. AITSL was established ‘to provide national leadership for the Commonwealth, state and territory governments in promoting excellence in the profession of teaching and school leadership’.5 As of December 2023, AITSL is responsible for administering 10 national standards and frameworks, which inform the regulation, professional development and career pathways of the teaching profession.6
5. This audit provides assurance to the Parliament over the effectiveness of AITSL’s administration of national standards and frameworks.
Audit objective and criteria
6. The audit objective was to assess the effectiveness of AITSL’s administration of national standards and frameworks.
7. To form a conclusion against the objective, the following high-level audit criteria were adopted:
- Has AITSL established fit-for-purpose governance arrangements to support the administration of national standards and frameworks?
- Has AITSL adopted an appropriate approach to developing, revising and supporting the implementation of national standards and frameworks?
- Does AITSL effectively measure, monitor, evaluate and report on national standards and frameworks?
Conclusion
8. AITSL’s administration of national standards and frameworks is largely effective. By improving its strategic planning and assurance, AITSL would be better positioned to determine whether national standards and frameworks are having the intended impact on the quality of teaching and school leadership in Australia.
9. AITSL has established governance arrangements that are largely fit‐for‐purpose to support the administration of national standards and frameworks. Strategic planning arrangements largely support the company’s work on national standards and frameworks. Alignment between the corporate plan and annual work plan could be improved. Risk management and internal reporting arrangements incorporate national standards and frameworks, and action is taken in response to risks. The company’s arrangements to gather, document, and use expert advice support its purpose. Feedback to expert advisory groups on how AITSL uses their advice could be improved. The Department of Education’s support for assessing the collective expertise of the Board to support appointments could be improved.
10. AITSL has adopted a largely appropriate approach to developing, revising and supporting the implementation of national standards and frameworks. While stakeholder engagement approaches are in place, there is no overarching strategy for stakeholder engagement activities. Training, guidance and information resources to support the implementation of national standards and frameworks are appropriate. There is no overarching strategy to consider how materials contribute to and are relevant to the implementation of the national standards and frameworks. The company’s information management, framework to guide decision-making about the contents of its collection of training, guidance and information resources, guidance for stakeholders other than teachers and school leaders, and clarity of its role in respect to early childhood teachers, could be improved.
11. AITSL’s measurement, monitoring, evaluation and reporting on national standards and frameworks is largely effective. An effective assurance approach for all agreed national standards and frameworks has not been established. AITSL executes the assurance role it has been afforded in initial teacher education (ITE) effectively. AITSL’s measurement, monitoring, evaluation and reporting does not occur across all national standards and frameworks. As a consequence, AITSL is not able to determine whether national standards and frameworks are having the intended impact on the quality of teaching and school leadership in Australia. AITSL’s reporting obligations to the Department of Education could be improved.
Supporting findings
Governance
12. AITSL does not have a strategic planning framework which documents the interactions between the AITSL Constitution, corporate plan, annual work plan, priorities given by education ministers, and its approach to providing strategic advice to ministers. The company uses its internal annual work plan to manage its business. This plan incorporates streams of work from different funding sources, is updated in response to significant changes in work allocation, and is approved by the Minister for Education as the representative of the sole member of the company. Detailed planning about how work is to be undertaken is on a project-by-project basis, in accordance with AITSL’s Project Management Framework. In the absence of a framework that articulates the relationship between its planning documents, the AITSL Board lacks a basis to consider how new work will relate to the company’s existing priorities. (See paragraphs 2.4 to 2.15)
13. AITSL’s governance framework supports its work on national standards and frameworks through internal reporting arrangements. Project oversight is provided by an Operations Board, supported by a Project Steering Committee, with high-risk projects escalated to the Senior Executive Team. Project information and reporting was provided and considered at an appropriate level, in line with the provisions of the Project Management Framework. (See paragraphs 2.16 to 2.18)
14. AITSL’s identification and management of risk is fit-for-purpose. The company has established an enterprise risk management policy, framework, and guide, as well as project risk identification and escalation procedures. These arrangements are being used to support AITSL’s work on national standards and frameworks. (See paragraphs 2.19 to 2.28)
15. AITSL’s arrangements for incorporating expert advice into decision-making about national standards and frameworks are generally sound and could be improved by providing information to expert standing committees about how their advice has been used. Of the expert standing committee agenda items relevant to national standards and frameworks, eight (19 per cent) School Leadership and Teaching Expert Standing Committee items and 14 (31 per cent) Teacher Education Expert Standing Committee items resulted in agreed actions. Other mechanisms for AITSL to access expertise, such as advisory bodies and procurement, are well-utilised. The Department of Education’s support for assessing the collective expertise of the Board to support appointments could be improved. (See paragraphs 2.29 to 2.45)
Developing, revising and supporting the implementation of national standards and frameworks
16. AITSL does not have an enterprise-wide consultation strategy or framework. The company’s approach to stakeholder engagement includes five standing stakeholder forums (four of which it convenes), project-specific engagement under its Project Management Framework, a stakeholder engagement survey, and other activities such as senior executive meetings and presentations. The company provides little written guidance for project managers about how engagement should be conducted. Project-specific consultations were largely consistent with better practice guidance in the APS Framework for Engagement and Participation standards. (See paragraphs 3.3 to 3.20)
17. As of December 2023, AITSL provides training, guidance and information to support the implementation of national standards and frameworks via six training courses and 774 digital tools and resources. These materials are appropriate in that they are well aligned to the national standards and frameworks and provide detailed and practical guidance on implementation. AITSL does not have an overarching strategy to consider how materials contribute to and are relevant to the implementation of the national standards and frameworks. (See paragraphs 3.21 to 3.32)
Measurement, monitoring, evaluation, and reporting
18. Education ministers have endorsed national quality assurance arrangements, which afford AITSL a role, in respect to initial teacher education (ITE) program accreditation. AITSL’s quality assurance arrangements for ITE are effective, but efforts to build on these have been limited. An effective approach to gain assurance about the ongoing currency and effectiveness of all agreed national standards and frameworks has not been established. There could be benefit to AITSL and education ministers having more information about the implementation of all national standards and frameworks to inform the need for and priority of revisions, especially the Australian Professional Standards for Teachers and Framework for Teacher Registration in Australia. (See paragraphs 4.2 to 4.12)
19. AITSL has established arrangements to measure, evaluate and report on its work on national standards and frameworks. Its performance measures are aligned with its purpose but performance information is not presented to allow readers to understand its limitations, or performance over time. The company can demonstrate the value of its work in most areas via evaluation, although reports and responses are of variable quality. The company has adhered to its reporting obligations since 2020–21 in all but one instance. (See paragraphs 4.13 to 4.36)
Recommendations
Recommendation no. 1
Paragraph 2.34
The Department of Education ensure briefing to its minister supports the minister’s consideration of the collective expertise of prospective Australian Institute for Teaching and School Leadership Board of Directors appointments.
Department of Education response: Agreed.
Recommendation no. 2
Paragraph 3.19
The Australian Institute for Teaching and School Leadership clearly document its approach to stakeholder engagement, including:
- its stakeholder engagement strategy; and
- guidance for project managers on planning, record keeping, documenting changes to plans during implementation, and providing feedback to stakeholders about how their input has been used.
Australian Institute for Teaching and School Leadership response: Agreed.
Recommendation no. 3
Paragraph 4.11
The Australian Institute for Teaching and School Leadership lead work to advise education ministers of the need for governments to develop an agreed approach and implementation plan to:
- regularly review national standards and frameworks;
- assure the currency and effectiveness of all currently agreed national standards and frameworks;
- provide reports resulting from this work to education ministers for consideration; and
- publish reports resulting from this work.
Australian Institute for Teaching and School Leadership response: Agreed.
Recommendation no. 4
Paragraph 4.23
The Australian Institute for Teaching and School Leadership review the company’s performance measures with particular attention to diversifying sources of performance information, and ensuring the outcomes of the company’s work are captured.
Australian Institute for Teaching and School Leadership response: Agreed.
Summary of entity response
20. The proposed audit report was provided to AITSL and an extract was provided to the Department of Education. The entities’ summary responses are reproduced below. Their full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.
Australian Institute for Teaching and School Leadership
AITSL welcomes the report of the ANAO performance audit, including its finding that the company’s administration of national standards and frameworks is largely effective, as well as its largely positive assessments against the high-level audit criteria. AITSL accepts all three recommendations to the company outlined in the report, and AITSL Management will commence work to implement these within the company’s relevant authorising and implementation environments.
AITSL will develop a stakeholder engagement strategy and improve written guidance for project managers, mainly by codifying existing effective practices and applying these consistently across all projects. AITSL will bring forward advice to education ministers on the development of an agreed approach and implementation plan to regularly review and assure the currency of national frameworks, subject to ministers’ agreement to an appropriate authorising environment and resourcing for this work. AITSL is currently reviewing its performance measures to better address the company’s intended impact and the outcomes of its work, as well as diversifying its sources of performance information.
AITSL also notes the opportunities for improvement as outlined in the report. AITSL Management will consider how they might be addressed within the company’s context. AITSL thanks the audit team for their engagement throughout the performance audit.
Department of Education
The Department of Education welcomes this report’s focus on AITSL’s role in administering National Standards and Frameworks.
As highlighted, the department plays a role in supporting AITSL in these responsibilities, primarily through advice provided to the Minister for Education that ensures the AITSL board possesses appropriate skills and expertise.
The department meets its formal obligations in this regard and agrees with the audit’s findings that it would be appropriate for the Minister to be provided with advice on the collective expertise of the board members when asked to consider new appointments. The department undertakes to ensure that future ministerial briefings on potential appointments include a skills matrix of all board members.
The department will also take action in relation to the audit’s suggested ‘opportunity for improvement’ by ensuring that future grant agreements require AITSL to provide a more detailed breakdown showing where expenditure will be allocated, and tracking this as the project progresses.
The department commits to requiring AITSL deliver more consistent and transparent reports and will provide guidance regarding its expectations.
Key messages from this audit for all Australian Government entities
21. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Policy/program design
Summary and recommendations
Background
1. The Growing Regions Program is an open, competitive grants program that provides grants to local government entities and eligible not-for-profit incorporated organisations for capital works projects that deliver community and economic benefits across regional and rural Australia. To be eligible, a project’s location must be outside the Greater Capital City Statistical Areas (GCCSA) as defined by the Australian Bureau of Statistics.1
2. The Australian Government has committed $600 million over three years from 2023–24 for the Growing Regions Program. The program will be conducted across two rounds with $300 million available in each round. Within each round, grants between $500,000 and $15 million will be awarded to eligible applicants to deliver priority community and economic infrastructure projects.
3. On 24 October 2022, the Minister for Infrastructure, Transport, Regional Development and Local Government (the minister) announced that following consultation and review of the funding process, the Australian Government would adopt a ‘new approach to restore accountability, transparency and fairness to regional infrastructure grant programs’. It was also announced that round six of the Building Better Regions Fund and the Community Development Grants program were being discontinued. Allocated funds from these programs were redistributed to the new programs in the October 2022–23 Federal Budget.
4. Round one of the Growing Regions Program opened on 5 July 2023 and received 650 applications with a total requested funding of $2.7 billion. The announcement of funding for round one was expected to be made in March 2024 with contract negotiations expected to be finalised by May 2024. The minister announced the funding for successful projects on 16 May 2024. The implementation of the Growing Regions Program has experienced delays impacting the opening of the full application process and the announcement of funding.
5. The Department of Infrastructure, Transport, Regional Development, Communications and the Arts (Infrastructure) is the Australian Government entity responsible for the Growing Regions Program. Infrastructure has engaged the Department of Industry, Science and Resources (DISR), through the Business Grants Hub, to administer the program.
Rationale for undertaking the audit
6. The Growing Regions Program is a new grants program and is one of the largest competitive grant programs administered by Infrastructure. The program also contains a new design feature — a two-stage assessment process with an expression of interest (EOI) stage assessed by a multi-party parliamentary panel.
7. Previous ANAO audits found deficiencies in Infrastructure’s implementation of regional grants programs including program design, providing information to the delegate, and transparency of decision-making. This audit provides assurance to the Parliament on the design of the Growing Regions Program and whether Infrastructure has implemented lessons learned from previous grants programs.
Audit objective and criteria
8. The objective of the audit was to assess the effectiveness of the design and planning of the Growing Regions Program.
9. To form a conclusion against the objective, the following high-level audit criterion was applied.
- Was the program effectively designed and planned?
10. The scope of this audit focused on the design and planning of the Growing Regions Program up until the opening of applications in July 2023. A second audit report is planned to table during 2024 focusing on the assessment of applications and the decision-making for the funding of projects.
Conclusion
11. The design of the Growing Regions Program was largely effective.
12. Infrastructure developed program objectives and outcomes that align with the overall government policy objective after capturing and documenting lessons learned from previous grants programs. Infrastructure consulted with stakeholders during the planning of the Growing Regions Program and met the mandatory requirements against the Commonwealth Grants Rules and Guidelines 2017 (CGRGs) for the grant opportunity guidelines.
13. Infrastructure’s design and planning work fell short in the following areas:
- Infrastructure developed targets for measuring the establishment and implementation of the program; however, targets against the program objectives have not been developed. Infrastructure has not developed corporate performance measures for the program.
- The minister expressed a clear intention to have a two-stage assessment process with a panel assessing EOI applications; however, planning work for this option was not undertaken. Not all identified risks were provided to the minister on the design of the program application process, particularly around introducing an EOI step assessed by a panel.
- Infrastructure has not met best practice principles of the CGRGs in terms of having clear assessment criteria, appropriate weighting for criteria and providing grant opportunity guidelines to stakeholders for consultation as planned.
Supporting findings
14. Infrastructure developed objectives and outcomes for the Growing Regions Program that align with the overall program objective agreed to by government. Infrastructure developed internal measures of success for the program but has not set measurable targets to determine if the objectives of the program are being met. There are also no corporate performance measures in place for the program. Infrastructure is working with the Business Grants Hub to collect data to report on program progress and outcomes. (See paragraphs 2.4 to 2.15).
15. During the planning of the Growing Regions Program, Infrastructure captured and documented lessons learned from previous grant programs. Infrastructure used the lessons learned to inform design features of the program, for example, the assessment criteria and the final decision-making processes. (See paragraphs 2.20 to 2.24).
16. Infrastructure planned and undertook consultation on the design principles and draft grant opportunity guidelines. Infrastructure engaged with and sought submissions from program stakeholders including Regional Development Australia, peak bodies and Local Government Associations. The outcomes of the consultations demonstrated that stakeholders supported Infrastructure’s proposed design principles. (See paragraphs 2.25 to 2.34).
17. Infrastructure provided advice to the minister on program design including: identifying the types of projects and applicants who would be eligible; options for the assessment process and merit criteria; and the role a panel could play in assessing applications. After the minister expressed a preference for a panel to assess the EOI, Infrastructure presented alternative delivery models for the program, including different options for panel arrangements. While Infrastructure’s planning processes had identified concerns over introducing an EOI assessed by a panel, all risks associated with this approach were not provided to the minister. Infrastructure’s design work relating to how a panel would assess an EOI stage and the engagement of a grants hub to administer the program was not thorough or timely. (See paragraphs 2.35 to 2.76).
18. The grant opportunity guidelines developed by Infrastructure addressed the two mandatory requirements of the CGRGs. The guidelines met the best practice principles except for not providing clear guidance and appropriately weighted criteria for the EOI process, and not providing the grant opportunity guidelines to stakeholders prior to or during consultations. The grant opportunity guidelines were approved on 5 May 2023 and published on GrantConnect on 8 May 2023. (See paragraphs 2.77 to 2.107).
Recommendations
Recommendation no. 1
Paragraph 2.16
The Department of Infrastructure, Transport, Regional Development, Communications and the Arts develops performance measures and targets to determine whether the program objectives of the Growing Regions Program are being met, and reported in its annual performance statements.
Department of Infrastructure, Transport, Regional Development, Communications and the Arts response: Agreed in principle.
Recommendation no. 2
Paragraph 2.53
The Department of Infrastructure, Transport, Regional Development, Communications and the Arts ensures future regional grants programs are informed by:
- appropriate information to decision-makers on all program risks; and
- timely planning to be able to provide clear advice to government.
Department of Infrastructure, Transport, Regional Development, Communications and the Arts response: Agreed in principle.
Summary of entity response
19. The proposed audit report was provided to Infrastructure and DISR. Infrastructure and DISR’s summary responses are reproduced below. The full responses from both entities are at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Department of Infrastructure, Transport, Regional Development, Communications and the Arts
The department welcomes the proposed report and the report’s overall conclusion that the design of the Growing Regions Program was largely effective.
The Growing Regions Program is a new regional infrastructure grant program which introduced new design features including place-based priority criteria and a multi-party parliamentary panel assessing the first stage expression of interest process. Some learning occurred with aspects of these new processes, which the department will incorporate into any future rounds of the Growing Regions Program and other relevant grant programs.
The department acknowledges the areas for improvement identified in the proposed report and agrees in principle with both recommendations.
Department of Industry, Science and Resources
The Department of Industry, Science and Resources acknowledges the Australian National Audit Office’s report on the Design of the Growing Regions Program.
The department notes the ANAO’s conclusion that the design of the Growing Regions Program was largely effective and met the mandatory requirements against the Commonwealth Grants Rules and Guidelines (CGRGs). The department notes the other areas identified for improvement.
As a shared service provider for Australian Government grants through the Business Grants Hub we will consider these key messages in the design and administration of future granting programs.
Key messages from this audit for all Australian Government entities
20. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.