
Type: Performance audit
Report number: 9 of 2024-25
Portfolios: Health and Aged Care
Entities: National Health and Medical Research Council
Date tabled:

Summary and recommendations

Background

1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1

2. The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2

3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4

4. The audit examines fraud control arrangements in the National Health and Medical Research Council (the NHMRC). The NHMRC administers the Medical Research Endowment Account (MREA) to provide assistance for public health and medical research and training, primarily through grant programs.

5. The NHMRC also manages grants through the Medical Research Future Fund (MRFF) on behalf of the Department of Health and Aged Care (Health) pursuant to a shared services agreement.

Rationale for undertaking the audit

6. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.5 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the NHMRC’s fraud control arrangements.

8. To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the NHMRC appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

Conclusion

9. The NHMRC’s fraud control arrangements are partly effective. The NHMRC has appropriate mechanisms in place for internal fraud control, but there are inadequate mechanisms in place to prevent, detect and investigate fraud risks relating to grant recipients.

10. The NHMRC has established partly appropriate arrangements to oversee and manage fraud risks. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework is aligned with the 2017 Commonwealth Fraud Control Framework. The agency has established largely appropriate oversight arrangements for the management of fraud risks. The Audit and Risk Committee did not provide independent advice to the accountable authority on the appropriateness of the system of risk management. The NHMRC’s 2023–2025 Fraud and Corruption Risk Assessment includes risks relating to its core business, the administration of grant funding. The Fraud and Corruption Control Plan is largely appropriate for internal fraud risks. It falls short of appropriately managing external fraud risks relating to the NHMRC’s administration of grant funding. The NHMRC has not identified and assessed all external fraud risks relating to grant funding. The NHMRC’s risk assessment of grant related fraud risks is not based on all relevant information. Most of the controls for grant related fraud risks rely on the cooperation of, or untested assurances from, the grant recipients. The NHMRC has not established mechanisms to review the effectiveness of the controls listed in the 2023–2025 Fraud and Corruption Risk Assessment.

11. The NHMRC has established partly effective mechanisms to prevent fraud and promote a culture of integrity. The NHMRC included preventative controls for all risks identified in its Fraud and Corruption Control Risk Assessment. The controls have not been assessed for their appropriateness or effectiveness. Fraud awareness training and relevant resources are provided to all staff. External stakeholders are made aware of the NHMRC’s processes for managing fraud risks through various publications on its website. The NHMRC’s monitoring of compliance with annual fraud awareness training provides reasonable assurance to the accountable authority of the completion rate. No arrangements have been put in place to ensure that the NHMRC staff who identify, assess and manage fraud risks or investigate suspected fraud have the relevant training or qualifications or undertake ongoing professional development.

12. The NHMRC has established partly appropriate mechanisms to detect and respond to fraud. The NHMRC has not assessed the appropriateness or effectiveness of the detective controls listed for the internal and external fraud risks identified in its 2023–2025 Fraud and Corruption Control Plan. The detective controls relating to the NHMRC’s administration of grants do not provide the NHMRC with assurance on the level of compliance with reporting and investigation obligations placed on grant recipients under the NHMRC’s funding agreements. By not requiring that investigations by grant recipients are undertaken by a qualified investigator, the NHMRC’s procedures are inconsistent with the 2017 Commonwealth Fraud Control Framework. The fraud and misconduct registers maintained by the NHMRC are not consistent with each other and do not contain sufficient information to support informed decision-making and continuous improvement activities. The NHMRC reported one instance of significant non-compliance and advised the minister that it recovered grant funding associated with the one case where fraud was substantiated in 2022–23 and 2023–24.

13. The NHMRC’s preparations for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024 have been largely appropriate, with change management activities yet to be delivered. The NHMRC included a definition of corruption and reporting and referral obligations to the National Anti-Corruption Commission in its 2023–2025 Fraud and Corruption Control Framework. No corruption related risks were added to the Fraud and Corruption Control Plan at this time. The NHMRC developed an implementation plan and, as at 1 July 2024, had developed a draft framework and a plan to achieve compliance with the new policy. Over the period 2024 to 2026, the NHMRC plans to review grant fraud risks and test the controls for selected grant fraud risks, including risks with high risk ratings.

Supporting findings

Oversight and management of fraud risks

14. The NHMRC established a Fraud and Corruption Framework that covers key elements of the 2017 Commonwealth Fraud Control Framework. Senior officials were assigned responsibility for fraud control activities and a Fraud and Corruption Control Officer (FCCO) was appointed. The NHMRC’s Executive Board is responsible for, and the Audit and Risk Committee (ARC) provides assurance over, risk management including fraud. Both the Executive Board and the ARC reviewed the NHMRC’s fraud and corruption control policy. The procedures for dealing with alleged grant fraud are incomplete. They do not effectively support the NHMRC to conduct fraud risk assessments based on all available information and data, or to fulfil its obligations for specific grants administered under the shared services agreement with the Department of Health and Aged Care. The ARC did not seek further information on the effectiveness of controls following consideration of the reports of instances of suspected fraud. The ARC’s advice to the Chief Executive Officer (CEO) relied on assertions from management that the agency complies with the Commonwealth Risk Management Policy and the Commonwealth Fraud Control Framework. (See paragraphs 2.2 to 2.15)

15. The NHMRC undertook fraud risk assessments in 2019 and 2023. The 2019 fraud risk assessment was not updated following the launch of a new grants management IT system. The 2023–2025 Fraud and Corruption Risk Assessment included risks related to the NHMRC’s administration of grants, which is one of the agency’s core functions. The risk assessment uses the risk matrix for likelihood and consequence set out in the enterprise risk management framework. The relationship between accepted risk ratings and the NHMRC’s tolerances for specific risk categories is not documented. The NHMRC’s ARC did not consider the 2023–2025 Fraud and Corruption Control Plan in assessing the appropriateness of the 2024–25 internal audit work program. (See paragraphs 2.16 to 2.38)

16. The NHMRC’s 2023–2025 Fraud and Corruption Control Plan included 27 fraud risks, seven of which related to external risks. Responsibility for managing each of the controls was not listed in the 2023–2025 Fraud and Corruption Risk Assessment. Controls for internal risks are more clearly aligned with the identified risks than those listed for external risks in the 2023–2025 Fraud and Corruption Control Plan. The non-mandatory reporting to the NHMRC of all instances of alleged fraud, including where it relates to research misconduct, limits the information that the NHMRC has regard to when conducting risk assessments for external fraud risks. The NHMRC has not established appropriate mechanisms to gain assurance over all grant recipients’ compliance with the terms of funding agreements or MREA grant recipients’ responses to the annual self-assessment compliance survey. Both of these are listed as controls for external risks related to the NHMRC’s administration of grant programs. Except for specific ICT controls, the NHMRC has not established a mechanism to review the effectiveness of controls listed in the 2023–2025 Fraud and Corruption Risk Assessment. (See paragraphs 2.39 to 2.62)

Fraud prevention and integrity culture

17. The NHMRC’s 2023–2025 Fraud and Corruption Control Risk Assessment includes preventative controls for all identified risks. Preventative controls for internal fraud risks directly relate to the cause of the risk. Preventative controls for external fraud risks largely relate to education and guidance materials for grant recipients and expected compliance with the NHMRC funding agreement. The NHMRC has not assessed the appropriateness and effectiveness of its preventative controls for fraud risks. Fraud risks are considered in the development of new grant guideline opportunities. The fraud risks were not reviewed following a change in ICT systems or based on the results of the annual compliance review for grant recipients. There are inconsistencies in the NHMRC’s procedures for staff on preventing, detecting and dealing with fraud. The NHMRC’s strategies to mitigate the risk of fraud are stronger for internal fraud risks than external fraud risks. (See paragraphs 3.2 to 3.24)

18. The NHMRC has fraud related guidance materials on its intranet. Fraud awareness training must be completed by staff upon commencement with the entity and refreshed on an annual basis. As at 30 June 2024, 189 of 244 staff had completed fraud awareness training, representing 77.5 per cent of the NHMRC’s total workforce. One of six senior executive service officers had completed this training. The NHMRC publishes its Research Integrity and Misconduct Policy on its website, which includes a section on fraud and other misconduct. The NHMRC’s website also allows anonymous reports of fraud to be provided. The NHMRC has not evaluated the effectiveness of its fraud awareness training. (See paragraphs 3.25 to 3.35)

19. The NHMRC does not carry out fraud investigations and has no qualified investigators. It does not oversee fraud investigations conducted by grant recipients or gain assurance they have been undertaken by qualified investigators. The NHMRC’s staff who identify, assess and manage fraud risks do not have the relevant fraud control training or qualifications. The NHMRC does not have a plan in place for the professional development of staff involved in fraud and corruption activities. (See paragraphs 3.36 to 3.46)

Fraud detection and response

20. The NHMRC listed detective controls for all but two of the risks identified in the 2023–2025 Fraud and Corruption Control Risk Assessment. Detective controls for internal fraud risks directly relate to the cause of the risk. Detective controls for external fraud risks largely require the cooperation of grant recipients. Except for limited testing of ICT controls, the NHMRC has not assessed the appropriateness and effectiveness of its detective controls for fraud risks. The NHMRC has processes in place to receive anonymous reports of alleged fraud. A 2023–24 audit of grant applications prior to the award of funding identified 11 applications which were ineligible that had not been detected during the NHMRC’s standard application review processes. The fraud risk assessment was not updated following the outcome of this audit. (See paragraphs 4.2 to 4.21)

21. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework contains a flowchart of the steps to be undertaken following notification of a suspected fraud. These processes do not relate to instances of suspected fraud by a grant recipient as they are not investigated by the NHMRC. The funding agreements between the NHMRC and grant recipients do not provide the NHMRC with complete information in relation to suspected frauds. The NHMRC’s fraud registers do not contain sufficient information of the investigation or decision-making process. For the one case between 2022–23 and 2023–24 where an allegation of suspected fraud was substantiated after investigation by the grant recipient, the NHMRC did not report the incident to the Australian Federal Police (AFP). The NHMRC recovered $2.6 million in relation to this fraud case. (See paragraphs 4.22 to 4.37)

22. The NHMRC has complied with its reporting obligations in its annual report and to the Australian Institute of Criminology. For the only substantiated fraud in 2022–23 and 2023–24, the NHMRC briefed the Minister for Health and Aged Care following a press release by the relevant grant recipient. The NHMRC has arrangements in place with Health for the management of suspected fraud and other research misconduct. The NHMRC maintains fraud risk registers as well as misconduct and integrity registers, with a separate register developed for each year. These registers do not include detailed information about the incidents and are not consistent with each other. (See paragraphs 4.38 to 4.53)

Preparation for the revised Commonwealth Fraud and Corruption Control Framework 2024

23. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework reflects the establishment of the National Anti-Corruption Commission in July 2023 and relevant reporting and referral requirements. In February 2024 the NHMRC developed an implementation plan, with key milestones and deadlines, for the commencement of the 2024 Commonwealth Fraud and Corruption Policy. As at July 2024 the NHMRC had prepared a draft updated framework and plan to satisfy the requirements of the 2024 Commonwealth Fraud and Corruption Policy. The NHMRC has not developed a plan to put the revised Policy into action, including the delivery of change management activities. (See paragraphs 5.2 to 5.10)

24. The NHMRC plans to review ten grant fraud risks and to test the controls for four grant fraud risks over the period 2024 to 2026. (See paragraphs 5.11 to 5.15)

Recommendations

Recommendation no. 1

Paragraph 2.34

The National Health and Medical Research Council ensure its fraud risk assessments comply with the NHMRC’s 2023–2026 Risk Management Framework and Policy, including documentation of estimated value of fraud as a result of identified risks occurring, and account for all elements of its risk environment and administrative systems.

National Health and Medical Research Council response: Agreed.

Recommendation no. 2

Paragraph 2.55

The National Health and Medical Research Council implement risk-based mechanisms to gain independent assurance of the effectiveness of grant recipients’ fraud risk controls.

National Health and Medical Research Council response: Agreed.

Recommendation no. 3

Paragraph 2.61

The National Health and Medical Research Council plan and undertake regular assessments and testing of the effectiveness of the controls and mitigating strategies listed in its Fraud and Corruption Control Plan.

National Health and Medical Research Council response: Agreed.

Recommendation no. 4

Paragraph 3.45

The National Health and Medical Research Council ensure that all its officials who identify, assess and manage fraud and corruption risks possess the qualifications and skills required by the Fraud Policy.

National Health and Medical Research Council response: Agreed.

Recommendation no. 5

Paragraph 4.28

The National Health and Medical Research Council:

  1. amend the 2019 Research Integrity and Misconduct Policy to require grant recipients to report all allegations of suspected fraud relating to grants administered by the NHMRC; and
  2. ensure all investigations of suspected fraud relating to grants administered by the NHMRC, including investigations by a grant recipient, are undertaken or overseen by suitably qualified personnel and reports are provided directly to the NHMRC.

National Health and Medical Research Council response: Agreed.

Summary of entity response

25. The proposed audit report was provided to the NHMRC. The NHMRC’s full response is provided below.

The National Health and Medical Research Council (NHMRC) takes its responsibilities in relation to fraud and corruption risk seriously. We welcome the ANAO’s review of the efficacy of our systems and processes to prevent, detect and respond to this risk.

A small statutory authority within the Health and Aged Care portfolio, NHMRC funds the highest quality health and medical research and training, and issues guidelines and advice on the prevention, diagnosis and treatment of disease, the provision of health care and on ethical issues relating to health. NHMRC is committed to continuous improvement across all its endeavours and recognises that ensuring the effective and efficient discharge of our responsibilities is fundamental to maintaining community confidence in the health and medical research that underpins Australia’s health care system.

NHMRC accepts the audit findings, conclusions and recommendations and considers that this audit outcome presents an opportunity to further strengthen our management of fraud and corruption risk. NHMRC agrees with all five audit recommendations and will progress implementation with the guidance of our Executive Board and with quality assurance oversight from our independent Audit and Risk Committee.

Key messages from this audit for all Australian Government entities

26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Entities must ensure that they have sufficient and complete information to identify, assess and monitor all internal and external fraud risks.
  • To support the development of controls and mitigation strategies and an assessment of the effectiveness of controls, fraud risks should be broken down into specific elements relevant to the source of the risk.

Type: Performance audit
Report number: 7 of 2024-25
Portfolios: Health and Aged Care
Entities: Department of Health and Aged Care
Date tabled:

Summary and recommendations

Background

1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1

2. The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2

3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4

4. This audit examines fraud control arrangements in the Department of Health and Aged Care (the department), using the Indigenous Australians’ Health Programme as a case study of how the arrangements are applied.

Rationale for undertaking the audit

5. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.5 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

6. The Indigenous Australians’ Health Programme was selected as a case study to assess the department’s fraud control arrangements, due to the program’s size, variety of funded activities, and opportunity it presented to assess the department’s fraud control arrangements as they related to grants administration. The Indigenous Australians’ Health Programme is the department’s main overarching Aboriginal and Torres Strait Islander health program.6 The program funds initiatives to increase access to health care and improve the health of Aboriginal and Torres Strait Islander people, and represents the Australian Government’s largest direct expenditure on Indigenous primary healthcare.7

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the Department of Health and Aged Care’s fraud control arrangements, with a specific focus on the Indigenous Australians’ Health Programme.

8. To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the department appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

Conclusion

9. The department had partly effective fraud control arrangements in 2022–23 and 2023–24. Key deficiencies included the lack of a current fraud risk assessment at the enterprise level, fraud risk assessments for departmental programs, and recent testing of fraud control effectiveness. The department undertook an organisational change process in 2023–24 that has the potential to improve its fraud governance and controls. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Control Framework was appropriate.

10. The department established partly appropriate arrangements to manage and oversee fraud risks in 2022–23 and 2023–24. There were appropriate governance and oversight arrangements for fraud control, except that consideration of fraud risks was limited to one of 39 internal audits conducted in the period. There was a largely appropriate fraud control policy framework. Fraud risks were assessed at the enterprise level. These risks were not consistently assessed at the divisional or program level (including for the Indigenous Australians’ Health Programme). Enterprise level fraud risks were not reviewed regularly. There was a fraud control plan, which was not supported by a current fraud risk assessment, regular review, or testing of fraud control effectiveness.

11. The department’s mechanisms to prevent fraud and to promote a culture of integrity were largely appropriate. The department established preventative controls for fraud. The effectiveness of preventative controls was not tested in accordance with the department’s fraud control plan. The department established largely appropriate mechanisms to promote internal and external fraud awareness. Not all fraud control officials and investigators attained the required minimum vocational qualifications.

12. The department’s mechanisms to detect and respond to fraud were partly appropriate. Planned testing of the effectiveness of detective controls in 2022–23 and 2023–24 was incomplete. Detective controls were primarily reactive in the form of referrals and tip-offs. As at June 2024 the department was putting in place measures to increase its use of proactive detective controls such as data analytics. Mechanisms to investigate and respond to fraud, including policies and procedures, were developing as part of an organisational change process. In 2022–23 and 2023–24, the department took ‘no further action’ on all closed fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme. Recorded decision-making in relation to these matters did not fully comply with investigations procedures. The department established largely appropriate mechanisms to record and report fraud.

13. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Framework was appropriate. There was a fit-for-purpose implementation plan. Although the department was not fully prepared in accordance with its implementation plan on 1 July 2024, most elements were completed or in progress. In early July 2024 the department established a framework to support the periodic testing of fraud controls.

Supporting findings

Oversight and management of fraud risks

14. Roles and responsibilities for fraud control were assigned; there were committees with fraud oversight; and the accountable authority was kept informed. There was organisational change in 2023–24 with regard to line management arrangements. As at June 2024 roles and responsibilities were evolving and fraud control policies needed to be updated to reflect this. (See paragraphs 2.2 to 2.16)

15. The department identified and assessed fraud risks at the enterprise level. This had not been reviewed in accordance with 2017 Commonwealth guidance (which suggested, as better practice, a review at least every two years). Fraud risks were not consistently considered as part of divisional and business planning. For 2024–25 divisional planning, the department introduced a requirement that division heads certify that they have considered fraud and corruption risks in developing their divisional plans. Fraud risks for Indigenous Australians’ Health Programme grant programs were not consistently assessed at the design stage. One of 39 internal audits completed in 2022–23 and 2023–24 considered fraud. (See paragraphs 2.17 to 2.36)

16. The department had a fraud control plan, which was not informed by a current fraud risk assessment. The fraud control plan was not regularly reviewed. As at May 2024, 32 per cent of fraud control owners identified in the enterprise fraud and corruption risk register had left the department. Fraud control activities outlined in the fraud control plans were not fully implemented. The department tested the effectiveness of controls when developing its enterprise fraud and corruption risk assessment in 2022. Six-monthly testing of the effectiveness of controls (as required under the fraud control plan) was not done. The department finalised a mechanism for the regular, ongoing controls testing in July 2024. (See paragraphs 2.39 to 2.51)

Fraud prevention and integrity culture

17. The department established preventative controls for fraud risks, including instructions and procedures to assist officials to prevent, detect and deal with fraud. Mechanisms to ensure fraud risk is considered in planning and conducting entity activities were inconsistently implemented. The department tested the effectiveness of its preventative controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, preventative controls for enterprise-level fraud risks were not tested after 2021 (except for Community Grants Hub fraud risks in 2022). The 2021 testing found that 57 per cent of the preventative controls for enterprise fraud risks were effective and 43 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 3.2 to 3.12)

18. Mechanisms were implemented to promote staff awareness of what constitutes fraud. Fraud awareness and integrity training were mandatory for all staff and completion rates were reported to executive and oversight committees. Reported completion rates in 2023 and 2024 ranged from 84 to 88 per cent overall. The department promoted fraud awareness to external parties through outreach activities, although grant opportunity guidelines and grant agreements for the Indigenous Australians’ Health Programme did not all refer to fraud. The effectiveness of measures to promote fraud awareness internally and externally was largely not evaluated. (See paragraphs 3.15 to 3.22)

19. The department’s fraud control and investigation functions were centralised in the Fraud and Integrity Branch in April 2024. As at June 2024, 80 per cent of investigators and 76 per cent of officials undertaking fraud control activities had the appropriate qualifications. There was no framework for ongoing professional development. (See paragraphs 3.24 to 3.30)

Fraud detection and response

20. The department established detective controls for fraud, primarily confidential reporting of tip-offs. For grants administered through the Community Grants Hub, there were arrangements in place with the Department of Social Services to escalate fraud risks and incidents. There were 12 potential fraud tip-offs and escalations relating to the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Proactive detective controls, such as data analytics, were developing. The department tested the effectiveness of its detective controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, detective controls for enterprise-level fraud risks were not tested after 2021 (except for 2022 testing of Community Grants Hub fraud risks). The 2021 testing found that 65 per cent of detective controls were effective and 35 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 4.2 to 4.18)

21. Between February 2023 and April 2024, previously devolved investigative functions were centralised in one branch. Documented procedures to support the investigative function were developing and at 30 June 2024 were not fully compliant with the Australian Government Investigations Standard, not consistent across different investigative functions or types of external fraud, and not finalised. The audit examined 12 fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme that were made in 2022–23 and 2023–24. One allegation was not assessed, and as at July 2024, two matters had not been finalised. Decisions to take no further action on the remaining nine fraud matters were largely documented. Decisions were not made by officials with the appropriate level of seniority in seven of nine matters. There were no referrals to the Australian Federal Police for the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Case management system records did not include estimates of loss to fraud for external fraud matters other than health provider benefit fraud, and these were not included in the department’s response to the Australian Institute of Criminology’s Fraud Census. It is therefore not possible for the department to assure itself that it has taken reasonable measures to recover financial losses caused by external fraud in a number of the department’s programs. (See paragraphs 4.19 to 4.41)

22. The department had standard operating procedures to collect and manage fraud information, although many were in draft form as at June 2024. Procedures for recording information in a fraud case management system did not require matters to be linked to programs, obscuring responsible officials’ visibility of program-related fraud matters. This practice is inconsistent with divisional responsibility for fraud control activities and controls. The department completed the annual Fraud Census reporting requirements for 2022–23 with inaccuracies. The department established a process to identify matters representing significant non-compliance with finance law that should be reported to relevant ministers, and no fraud matters were reported in 2022–23 or 2023–24. The accountable authority certified in the annual report that the department had taken all reasonable steps to deal with fraud. The Secretary’s certification was supported by assurances from the Audit and Risk Committee. In 2022–23 and 2023–24 the Audit and Risk Committee did not implement all of its planned activities in relation to fraud controls, and in assuring the accountable authority on the effectiveness and appropriateness of the department’s fraud control arrangements, it largely relied on management representations. Disclosures about fraud matters were made to other entities in relation to internal and external health provider fraud. (See paragraphs 4.44 to 4.59)

Preparation for the 2024 Commonwealth Fraud and Corruption Control Framework

23. The department developed an implementation plan to prepare for the Commonwealth Fraud and Corruption Control Framework. Education and awareness activities were delivered, and existing governance arrangements were assessed and considered suitable to meet the requirements of the new framework. On 1 July 2024 the department published revised governance documents to meet requirements of the new framework. Of 10 implementation plan activities due to be completed by 30 June 2024, nine had been delivered by early July. The one exception was a revised Enterprise Fraud and Corruption Risk Assessment. (See paragraphs 5.2 to 5.7)

24. A fraud and corruption control testing framework was finalised on 4 July 2024. (See paragraphs 5.8 to 5.10)

Recommendations

Recommendation no. 1

Paragraph 2.32

For Portfolio Budget Statement programs presenting a high overall fraud risk profile, the Department of Health and Aged Care undertake detailed fraud risk assessments.

Department of Health and Aged Care response: Agreed.

Recommendation no. 2

Paragraph 2.37

The Department of Health and Aged Care ensure that fraud is covered in the internal audit work program, in proportion to the risk that fraud poses to the department and its programs.

Department of Health and Aged Care response: Agreed.

Recommendation no. 3

Paragraph 3.13

The Department of Health and Aged Care test the effectiveness of preventative and other fraud controls regularly, with appropriate intervals of control testing determined in line with the critical nature of the control; the department’s risk appetite and tolerance; and any changes to the internal or external operating environment of the entity.

Department of Health and Aged Care response: Agreed.

Recommendation no. 4

Paragraph 3.28

The Department of Health and Aged Care ensure that fraud control and investigations officials have obtained the minimum qualifications set out in the Fraud Policy and Guidance and Australian Government Investigations Standard.

Department of Health and Aged Care response: Agreed.

Recommendation no. 5

Paragraph 4.42

The Department of Health and Aged Care implement processes to quantify and record estimates of losses from external fraud for all types of external fraud and all departmental programs, where quantification is possible.

Department of Health and Aged Care response: Agreed.

Summary of entity response

25. The proposed audit report was provided to the Department of Health and Aged Care. The Department of Health and Aged Care’s summary response to the audit is provided below and its full response is at Appendix 1.

The Department of Health and Aged Care (the department) welcomes the findings in the report and accepts the recommendations directed to the department. The department is committed to effective implementation of Australian National Audit Office (ANAO) recommendations and has already taken steps to address the issues identified in this audit.

It was pleasing to note the ANAO found the fraud control policy framework largely appropriate and that the audit acknowledged the work the department has done to strengthen its fraud management, in particular by consolidating all fraud functions into a dedicated branch. These arrangements are continuing to be strengthened as the branch streamlines and matures its operations, uplifts capability and enhances its governance.

The audit found some areas for improvement, including how the department assesses fraud risk and tests fraud controls, and ensuring currency of qualifications of its fraud control and investigations officials. To address these findings, the department has commenced a review of its enterprise fraud and corruption risk assessment, commenced targeted pressure testing activities, and established a capability framework for its staff. Regular updates of the progress of this work will be provided to the department’s Audit and Risk Committee over the 2024–25 financial year.

Key messages from this audit for all Australian Government entities

26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Management of fraud risk should not be a ‘set and forget’ compliance exercise. It requires regular, meaningful and active review and should address specific business risks. Entities should consider if controls remain relevant and whether fraud risks are being appropriately escalated.
  • Loss to fraud should be quantified where possible, and systems and processes should be designed to enable quantification. Quantifying fraud risks provides an evidence base to support the accountable authority’s assessment of whether the entity’s prioritisation of fraud risks is appropriate, the control framework is robust, and the level of resourcing towards fraud controls is appropriate.

Type: Performance audit
Report number: 48 of 2023-24
Portfolios: Services Australia; Social Services
Entities: Department of Social Services; Services Australia
Date tabled:

Summary and recommendations

Background

1. Income management is a key activity listed in the Department of Social Services’ (the department’s) Corporate Plan 2022–23.1 Income management2 is a ‘tool that helps people budget their welfare payments and ensures they are getting the basic essentials of life, such as food, housing, electricity and education’.3

2. On 23 May 2021, the Australian Labor Party made an election commitment to abolish the Cashless Debit Card (CDC) program if it were elected to govern. The CDC program facilitated a portion of a participant’s income support payment being allocated to a restricted bank account, accessed by a debit card which did not allow cash withdrawals, or the purchase of alcohol, gambling or cash-like products. The proportion of income was prescribed by legislation. The CDC program had a legislated end date of 31 December 2022.4 On 3 June 2022, the Minister for Social Services issued a press release stating she had held discussions with the department on the cessation of the CDC program.5 The Social Security (Administration) Amendment (Repeal of Cashless Debit Card and Other Measures) Bill 2022 (the Bill) contained legislative amendments to abolish the CDC and implement a new form of income management, the Enhanced Income Management program, on 6 March 2023. The Bill was passed on 28 September 2022 and the relevant provisions establishing the Income Management Program came into effect on 1 October 2022.6

3. CDC participants from the Northern Territory, Cape York and Doomadgee regions were required by legislation to transfer to the Enhanced Income Management program. Participants from Bundaberg, Hervey Bay, the Goldfields, Ceduna and East Kimberley regions were exited from the CDC program and could voluntarily become a participant of Enhanced Income Management.

4. As at 30 September 2022 the department recorded there were 16,616 participants on the CDC program. The department recorded that 4,039 participants were transferred from the CDC program to the Enhanced Income Management program as at 10 March 2023, with 181 of these participants (4.5 per cent) voluntarily choosing to participate in the program. The CDC participants who were not mandated to transfer to the Enhanced Income Management program or who did not volunteer to transfer, did not continue with any form of income management.

5. Services Australia was allocated funding in the October 2022–23 Federal Budget to support the cessation of the CDC program, including the procurement and supply of the new card and the banking and telephony services to support the transition from the CDC program to Enhanced Income Management.

6. Appendix 3 sets out the timeline of key dates for the cessation of the CDC program and the introduction of Enhanced Income Management.

Rationale for undertaking the audit

7. This audit provides assurance to the Parliament on the effectiveness of the management of the transition from the CDC program to the Enhanced Income Management program.

8. The ANAO undertook two previous performance audits of the CDC program. Auditor-General Report No. 1 2018–19 The Implementation and Performance of the Cashless Debit Card Trial examined the department’s implementation and evaluation of the CDC trial.7 The audit found that while the department largely established appropriate arrangements to implement the CDC trial, its approach to monitoring and evaluation was inadequate. It was therefore difficult to conclude if the CDC trial was effective in achieving its objective of reducing social harm and whether the card was a lower cost welfare quarantining approach.

9. Auditor-General Report No. 29 2021–22 Implementation and Performance of the Cashless Debit Card Trial — Follow-on examined the effectiveness of the department’s administration of the CDC program.8 The audit found that the department’s administrative oversight of the CDC program was largely effective; however, the department had not demonstrated that the CDC program was meeting its intended objectives.

Audit objective and criteria

10. The objective of the audit was to assess the effectiveness of the transitional arrangements from the CDC program to the Enhanced Income Management program.

11. To form a conclusion against the objective, the following high level criteria were applied:

  • Did the department have effective oversight of the transition arrangements?
  • Was the design of the Enhanced Income Management program based on appropriate advice and evidence?
  • Did Services Australia undertake the procurement process for the Enhanced Income Management program in accordance with the Commonwealth Procurement Rules?

Conclusion

12. The transitional arrangements from the Cashless Debit Card program to the Enhanced Income Management program were largely effective. Robust program monitoring and performance measurement to inform future policy design has not been implemented and no evaluation plan has been developed for the Enhanced Income Management program.

13. The department had largely effective oversight of the transition arrangements.

14. The department established an internal branch to deliver the transition activities and coordinate activities across the Australian Government and utilised the existing joint steering committee with Services Australia, established under the bilateral arrangements, to oversee the transition. The governance arrangements would have been enhanced with appropriate record keeping practices and defined reporting responsibilities. There was regular reporting on operational matters and participation rates to the executives of the department and Services Australia. There was no evidence that shared risks rated ‘high’ on the joint risk register with Services Australia were escalated in accordance with the department’s Risk Management Framework.

15. The department’s design of the Enhanced Income Management program was largely based on appropriate advice and evidence. There was no evidence the design was informed by ANAO performance audit reports on the Cashless Debit Card (CDC) program, or by evaluations and lessons learned from the CDC program. The department’s program monitoring and performance measurement is not sufficiently robust to inform future policy design. No evaluation plan has been developed for the Enhanced Income Management program.

16. Services Australia’s limited tender procurement for the Enhanced Income Management program was largely compliant with the Commonwealth Procurement Rules (CPRs). Probity and conflicts of interest were managed largely in accordance with the CPRs and policy requirements. Services Australia’s engagement with Indue Limited (Indue) during the response period for the request for quote was not consistently documented. Advice to decision-makers was sufficiently detailed and largely documented appropriately. The evaluation committee’s assessment of value for money was informed by expert advice and provided to the delegate. The benchmarking activity due to be undertaken in June 2023, that was a significant factor in Services Australia achieving a value for money outcome, commenced seven months later than the timeframe set out in the contract with Indue.

Supporting findings

Did the Department of Social Services have effective oversight of the transition arrangements?

17. The department established an internal branch, known as the Taskforce, to coordinate activities between the department, Services Australia and the National Indigenous Australians Agency (NIAA), during the transition period. The effectiveness of the Taskforce’s activities would have been enhanced by appropriate record keeping practices. The department utilised an existing joint steering committee with Services Australia, established under the bilateral arrangements, to oversee the transition. The department established a joint risk register to manage shared risks with Services Australia which was reported to the joint steering committee. There was no evidence the joint steering committee monitored progress against the department’s strategy or project management plan for the transition. The Taskforce provided regular reporting on operational matters and participation rates to the department’s and Services Australia’s executives. (See paragraphs 2.3 to 2.42)

18. The department and Services Australia developed a joint risk register for shared risks relating to the transition. Each identified risk was accompanied by a risk assessment. The review, amendment and approval of the joint risk registers was not consistently documented. Risks relating to the application of product level blocking technology to the Enhanced Income Management program were not documented in the joint risk register between June 2022 and June 2023. There was no evidence that any of the eight risks rated ‘high’ were escalated in accordance with the department’s Risk Management Framework (RMF). (See paragraphs 2.43 to 2.64)

Was the design of the Enhanced Income Management program based on appropriate advice and evidence?

19. The department advised the Australian Government that the Enhanced Income Management program was designed to address community concerns about the proposed legislation to abolish the CDC program, particularly in relation to participants returning to use the older technology offered for the BasicsCard Income Management program. The department provided risk based advice on the date for implementation of the transition to the Enhanced Income Management program. There is no evidence that the design of the Enhanced Income Management program was informed by ANAO audit recommendations, evaluations or lessons learned from the CDC program or other relevant programs. (See paragraphs 3.3 to 3.17)

20. The department’s Corporate Plan contains a performance measure related to participants using their account following the transition from the CDC program to the Enhanced Income Management program. No additional key performance indicators or performance measures have been established. The department regularly monitors data on participant numbers and geographical location and Services Australia produces monthly reporting on the product level blocking used to prevent the sale of restricted items. Services Australia’s reporting does not include all merchants operating product level blocking technology. No evaluation plan was developed for the Enhanced Income Management program. (See paragraphs 3.18 to 3.44)

Did Services Australia undertake the procurement process for the Enhanced Income Management program in accordance with the Commonwealth Procurement Rules?

21. Approval from the Deputy Chief Executive Officer (Deputy CEO) and Services Australia’s Executive Committee for the limited tender issued was appropriately documented. Services Australia engaged a probity advisor and established a probity protocol to support the limited tender process. A conflicts of interest register was established. An assessment of the two declared potential conflicts was not documented. The delegate did not complete a conflict of interest declaration for the procurement activity. Services Australia did not document all interactions with the tenderer during the request for quote response period. (See paragraphs 4.4 to 4.28)

22. The tender evaluation report documented the committee’s assessment of the response to the request for quotation. The spending proposal provided to the delegate summarised the outcomes of the contract negotiations and the reasons for the recommendation to award the contract. (See paragraphs 4.29 to 4.44)

23. The evaluation committee documented its technical, pricing and risk assessment of Indue’s response to the request for quotation and how the outcome of the contract negotiations demonstrated achievement of value for money. The evaluation committee’s assessment was informed by the technical analysis undertaken by a pricing expert who compared Indue’s proposal with the similar services provided under the contract with the Department of Social Services. Services Australia commenced the benchmarking review seven months later than stated in the contract with Indue. (See paragraphs 4.45 to 4.60)

Recommendations

Recommendation no. 1

Paragraph 2.26

The Department of Social Services and Services Australia:

  1. ensure the terms of reference for all oversight and governance committees and bodies related to income management programs clearly define their reporting structure and responsibilities and, where applicable, refer to the governance arrangements set out in the bilateral agreement or supporting protocols and service agreements; and
  2. implement mechanisms to gain assurance that all oversight and governance committees and bodies are operating in accordance with the terms of reference.

Department of Social Services response: Agreed.

Services Australia response: Agreed.

Recommendation no. 2

Paragraph 2.57

The Department of Social Services implement controls to gain assurance that risks rated ‘high’ or ‘extreme’ are escalated to the Deputy Secretary and the Executive Management Group consistent with the department’s risk management policy.

Department of Social Services response: Agreed.

Recommendation no. 3

Paragraph 3.31

The Department of Social Services establish appropriate program monitoring to gain assurance that controls implemented for the Enhanced Income Management program, including product blocking technology, are working effectively to achieve the policy intent of the program.

Department of Social Services response: Agreed.

Recommendation no. 4

Paragraph 3.45

The Department of Social Services develop and implement an evaluation plan for the Enhanced Income Management program that is consistent with the Commonwealth Evaluation Toolkit to inform policy design changes and any other relevant programs.

Department of Social Services response: Agreed.

Summary of entity response

24. The proposed audit report was provided to the department and Services Australia. The department and Services Australia’s summary responses are reproduced below. The full responses from both entities are at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.

Department of Social Services

The Department of Social Services (the Department) acknowledges the insights and opportunities for improvement outlined in the Australian National Audit Office (ANAO) report on Transitional Arrangements for the Cashless Debit Card (CDC).

The Department welcomes the ANAO’s conclusion that the transitional arrangements from the CDC to the enhanced Income Management (IM) program were largely effective. The Department accepts the conclusion relating to the need to strengthen program monitoring and performance measurement to inform future policy design, as well as the need to implement an evaluation plan for the enhanced IM program.

The Department agrees with all four Recommendations and acknowledges the suggested opportunities for improvement and has taken steps to address these matters.

Services Australia

Services Australia (the Agency) notes the overall finding that the transitional arrangements for the Cashless Debit Card program to the Enhanced Income Management program were largely effective, and that the Agency’s limited tender procurement was largely compliant with the Commonwealth Procurement Rules.

The Agency will continue to work with the Department of Social Services to further strengthen our governance and performance monitoring arrangements related to the Enhanced Income Management program.

Key messages from this audit for all Australian Government entities

25. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Maintaining complete and accurate governance and risk records supports an entity in providing assurance to the accountable authority on the proper use of public money in administering or delivering the policy or program.

Evaluation and monitoring

  • Commonwealth officials must develop and maintain an appropriate evidence base to support advice to the Australian Government on whether policies or programs are delivering the intended objective and inform future design options.

Procurement

  • When a procurement process involves an incumbent provider, entities should ensure that specific consideration is given to the risks involved, including conflict of interest, and that detailed probity and risk management plans are in place.

Type: Financial statement audit
Report number: 42 of 2023-24
Portfolios: Across Entities
Entities: Across Entities
Date tabled:
Type: Performance audit
Report number: 39 of 2023-24
Portfolios: Cross entity; Health and Aged Care; Veterans’ Affairs; Home Affairs
Entities: Department of Health and Aged Care; Department of Veterans’ Affairs; Department of Home Affairs
Date tabled:

Summary and recommendations

Background

1. Evaluation is a structured assessment of the value of government programs or activities, aimed at supporting improvement, accountability, and decision-making throughout the policy cycle. Pilot programs are small-scale tests or trials of programs with the aim of informing future decision-making.

2. The Public Governance, Performance and Accountability Act 2013 (the PGPA Act) requires the accountable authority of a Commonwealth entity to measure and assess the performance of the entity in achieving its purposes1, and that a minister must not approve expenditure unless satisfied that the expenditure would be an efficient, effective, economical and ethical use of public money.2

3. In 2019, the Australian Government released the Independent Review of the Australian Public Service3, which recommended that the APS embed a culture of evaluation and learning from experience to underpin evidence-based policy and delivery (Recommendation 26). The Australian Government agreed in part to this recommendation.4 The Minister for Finance endorsed a Commonwealth Evaluation Policy5 and Resource Management Guide 130 Commonwealth Evaluation Toolkit6 (the Toolkit) on 1 December 2021. The Toolkit provides a principles-based approach for the conduct of evaluations. It applies to all Commonwealth entities and companies subject to the PGPA Act.

Rationale for undertaking the audit

4. Pilot programs are trial programs of limited size that are used to decide whether a proposed policy should be adopted, and what adjustments should be made before adoption. Monitoring and evaluation are critical components of a pilot to support an assessment of the program or activity’s impact and efficiency.

5. The audit involved the examination of five Australian Government pilot programs across the Department of Health and Aged Care (Health), the Department of Home Affairs (Home Affairs), and the Department of Veterans’ Affairs (DVA). The pilots ranged in length from two to three years. The audit provides assurance to the Parliament over the appropriateness of frameworks for evaluation, and the adequacy of evaluation of pilot programs.

Audit objective and criteria

6. The objective of the audit was to assess the effectiveness of the evaluation of selected Australian Government pilot programs.

7. To form a conclusion against this objective, the following high-level criteria were adopted:

  • Do the selected entities have governance arrangements in place to support effective program evaluation?
  • Was the evaluation approach for the selected pilot programs robust?
  • Was pilot program reporting and advice to government appropriate?

Conclusion

8. The evaluation of the selected Australian Government pilot programs was mixed. Health’s evaluation of the Take Home Naloxone pilot was largely effective, and the evaluation of the Kava pilot was partly effective. DVA’s evaluation of the Wellbeing and Support Program pilot was largely effective, and the evaluation of the Non-Liability Rehabilitation pilot was partly effective. Home Affairs’ evaluation of the Skilled Refugee Labour Agreement pilot was partly effective.

9. Health and DVA have largely effective governance arrangements to support the evaluation of pilot programs. Home Affairs has partly effective arrangements. Health and DVA have strengthened their governance arrangements through the updating or development of entity-specific frameworks, guidance, and training on what, when and how to conduct an evaluation. Home Affairs does not have entity-specific evaluation guidance. Evaluation culture is maturing within Health and DVA, and is immature at Home Affairs. Pilot programs are only referenced in DVA’s entity-specific guidance.

10. The evaluation planning and approach for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot were largely robust, including appropriate stakeholder engagement and relevant ethics approvals. Planning for the evaluation of Health’s Kava pilot did not identify the risk that ethics approval may not be granted for one of the planned qualitative analysis methods, and there was a lack of baseline evidence to support the planned evaluation methodology. The effectiveness of planning for the evaluation of DVA’s Non-Liability Rehabilitation pilot was reduced as the analytical methodologies were not documented, and no external stakeholders were consulted. Home Affairs did not complete its planning for, or undertake, a robust evaluation for the Skilled Refugee Labour Agreement pilot. All evaluation plans and approaches could have been enhanced by a greater focus on the availability of data and an assessment of the proper use of public money.

11. Health’s evaluation reporting and advice to the Australian Government for the Take Home Naloxone pilot was largely effective, with the recommendations made to expand the naloxone pilot largely informed by the lessons learnt from the evaluation. Health’s evaluation reporting and advice to the Australian Government for the Kava pilot was partly effective as neither the evaluation report nor recommendations on the continuation of the pilot have been provided to the Australian Government. The evaluation report for DVA’s Wellbeing and Support Program pilot was largely effective. There was no evidence of DVA advising the Australian Government on the evaluation findings and impact on future program design. The evaluation for the Non-Liability Rehabilitation pilot has not yet commenced, and reporting and advice to the Australian Government on the mid-pilot review was partly effective. Home Affairs’ evaluation reporting and advice to the Australian Government for the Skilled Refugee Labour Agreement pilot was partly effective, with outputs rather than pilot outcomes analysed and reported to the minister.

Supporting findings

Governance arrangements

12. The Commonwealth Evaluation Toolkit provides appropriate high-level guidance to support entities in determining what programs or policies should be evaluated and when. It provides limited guidance on conducting an economic evaluation, including any assessment of cost effectiveness of implementation, and does not include a requirement for all pilots to be evaluated.

  • At the time the examined pilots commenced (other than DVA’s Non-Liability Rehabilitation pilot), only Health had established internal evaluation guidance.
  • In November 2023, Health published a revised evaluation strategy which specifies roles and responsibilities and includes a tiered system for identifying evaluation priorities across the department.
  • Since the commencement of the Wellbeing and Support Program pilot, DVA developed a framework which supports when and what to evaluate based on program characteristics, timing and capability. In August 2023, DVA introduced a framework for the planning, monitoring and evaluation of its health and wellbeing programs, which includes roles and responsibilities.
  • Home Affairs does not have an entity-specific approach to determining when and what to evaluate.
  • Each entity has an internal evaluation team to provide guidance and support on evaluation practice.

(See paragraphs 2.7 to 2.58)

13. Health and DVA have policies and guidance materials for how to conduct program evaluations. Only Health has guidance on when economic evaluation should be undertaken and the guidance is limited. Training on evaluation practices is provided at Health and DVA. Attendance is not consistently monitored. Home Affairs has no entity-specific guidance on conducting evaluations, and no training programs available to staff. (See paragraphs 2.59 to 2.69)

Evaluation approach

14. Planning for evaluation, including stakeholder engagement, was completed for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot. Planning for stakeholder engagement for evaluation of Health’s Kava pilot did not account for the risk that ethics approval may not be granted and the resulting impact on the planned analysis and evaluation methodology. The effectiveness of planning for the evaluation of DVA’s Non-Liability Rehabilitation pilot was reduced as the methodologies to be used were not documented, and no external stakeholders were consulted. Home Affairs did not complete its planning for the evaluation for the Skilled Refugee Labour Agreement pilot. While data sources were identified within the evaluation plans that were developed, one or more planned data sources within each pilot were not available for the evaluation, and this risk had not been identified. (See paragraphs 3.6 to 3.52)

15. The evaluation methodologies used for three out of the five pilots examined were largely consistent with the Toolkit. For the evaluations conducted, all could have been strengthened with a greater focus on baseline data, control group outcomes, and an assessment of the proper use of public money. Ethics approvals were obtained for Health’s Take Home Naloxone pilot and DVA’s Wellbeing and Support Program pilot. The ethics approval sought for Health’s Kava pilot was not granted and no alternative strategy was developed to obtain information that was critical to the evaluation. DVA’s Non-Liability Rehabilitation pilot evaluation plan did not include a consideration of ethics approval and the post-implementation review has not yet been undertaken. As Home Affairs did not conduct an evaluation of its pilot, there was no methodology applied, or consideration of the need for ethics approval. (See paragraphs 3.53 to 3.80)

Reporting and advice to the Australian Government

16. The analysis of pilot evaluation outcomes for Health’s pilots and DVA’s Wellbeing and Support Program pilot was largely fit for purpose, with the evaluation reports documenting the application of statistical methods to provide defensible findings and make recommendations on the basis of the analysis completed. The evaluation of DVA’s Non-Liability Rehabilitation pilot has not yet commenced. Home Affairs’ reporting of outputs of the Skilled Refugee Labour Agreement pilot did not contain fit-for-purpose analysis and does not satisfy the requirements of evaluation reporting in the Commonwealth Evaluation Toolkit. (See paragraphs 4.5 to 4.33)

17. Advice provided by Health to the Australian Government in relation to the Take Home Naloxone pilot was appropriate, including the lessons learnt from the pilot. The recommendation to expand the pilot into different environments was partly informed by evaluation. Health has not provided advice to the Australian Government on the findings of the evaluation or lessons learnt in relation to the Kava pilot. DVA did not advise the Minister for Veterans’ Affairs on the evaluation findings or lessons learnt for future program delivery for the Wellbeing and Support Program pilot. Home Affairs’ advice to the Australian Government for the continuation of the Skilled Refugee Labour Agreement pilot was not informed by an evaluation. (See paragraphs 4.34 to 4.52)

Recommendations

Recommendation no. 1

Paragraph 2.16

The Department of the Treasury update the Commonwealth Evaluation Policy and Toolkit to include:

  1. a definition of a ‘pilot’;
  2. guidance on how to conduct an economic evaluation and other methods for considering whether spending represents an appropriate use of public money;
  3. a recommendation that evaluations of pilot programs be undertaken;
  4. a recommendation for evaluation planning to be conducted alongside pilot design; and
  5. guidance on governance arrangements for cross-entity evaluations to minimise duplication and maximise coordination and learnings across entities.

Department of the Treasury’s response: Agreed.

Recommendation no. 2

Paragraph 2.32

The Departments of Health and Aged Care and Veterans’ Affairs include in their entity-specific evaluation policies:

  1. decision-making criteria for the appropriate style of evaluation to be completed by reference to the activity’s risk, objective and outcomes;
  2. guidance on how to demonstrate whether a program represented a proper use of public money, including the cost-effectiveness of its implementation, and how to undertake an economic evaluation where appropriate; and
  3. guidance related to evaluation of pilot programs.

Department of Health and Aged Care’s response: Agreed.

Department of Veterans’ Affairs’ response: Agreed.

Recommendation no. 3

Paragraph 2.35

The Department of Home Affairs develop entity-specific policies for evaluation, including:

  1. decision-making criteria as to when an evaluation is required and the appropriate style of evaluation by reference to the activity’s risk, objective and outcomes;
  2. guidance on how to demonstrate whether a program represented a proper use of public money, including the cost-effectiveness of its implementation, and how to undertake an economic evaluation where appropriate; and
  3. guidance related to evaluation of pilot programs.

Department of Home Affairs’ response: Agreed.

Recommendation no. 4

Paragraph 2.55

The Departments of Health and Aged Care, Veterans’ Affairs and Home Affairs develop and implement explicit guidance to support early engagement with central evaluation teams to improve evaluation strategy and planning.

Department of Health and Aged Care’s response: Agreed.

Department of Veterans’ Affairs’ response: Agreed.

Department of Home Affairs’ response: Agreed.

Recommendation no. 5

Paragraph 3.25

The Departments of Health and Aged Care, Veterans’ Affairs and Home Affairs ensure evaluation plans are prepared for policies or programs subject to evaluation requirements and that they be approved prior to the implementation of the policy or program. Consistent with the Commonwealth Evaluation Toolkit, evaluation plans should incorporate a proportionate and risk-based level of information, including:

  1. methods for measuring or capturing baseline evidence, and attributing changes to the pilot, policy or program; and
  2. a method of economic evaluation or other means of assessing the proper use of public money.

Department of Health and Aged Care’s response: Agreed.

Department of Veterans’ Affairs’ response: Agreed.

Department of Home Affairs’ response: Agreed.

Recommendation no. 6

Paragraph 4.50

The Departments of Veterans’ Affairs’ and Home Affairs’ advice to government on the cessation, continuation or scaling up of a pilot draws on evidence and learnings from the evaluation, including limitations on the robustness of the evaluation undertaken.

Department of Veterans’ Affairs’ response: Agreed.

Department of Home Affairs’ response: Agreed.

Summary of entity responses

18. The proposed audit report was provided to Health, DVA, Home Affairs and the Department of the Treasury. Letters of response provided by each entity are included at Appendix 1. The summary responses provided are included below. The improvements observed by the ANAO during the course of this audit are at Appendix 2.

Department of Health and Aged Care

The Department of Health and Aged Care welcomes the findings in the report and accepts the recommendation directed to the department. The department is committed to implementing the recommendations effectively and has already taken steps to address issues identified in this audit.

The ANAO found the department has largely effective governance arrangements to support evaluation. The audit also found the department’s evaluation culture is maturing, including:

  • updating our guidance and training on what, when and how to conduct an evaluation.
  • establishing the role of Chief Evaluation Officer to provide strategic oversight of evaluation activities and to engage with other Senior Executive to champion evaluation as part of policy design and program management.

The department notes the finding on the need to develop better guidance on conducting economic evaluations or other means of assessing the proper use of public money.

Since the audit was conducted, the department has launched its Strategic Investment Framework, which makes sure our policy and program officers embed evaluation and evidence within all programs. The Framework will ensure investments are supported by robust, evidence-based program evaluation and target funding to high-value programs aligned with priority areas.

The department notes that the audit on the Kava Pilot Program was undertaken while the pilot period was still under way, and certain aspects of the pilot, including recommendations to Government on the future of the Program, are yet to be finalised.

The department is building its in-house evaluation capability through a range of initiatives including:

  • implementing the new Evaluation Strategy 2023-26
  • developing a suite of departmental-specific tools and resources to support high-quality evaluation.
  • partnering with Australian Centre for Evaluation in Treasury and leveraging opportunities to showcase in-house impact evaluation capability.

Department of Veterans’ Affairs

The Department of Veterans’ Affairs (DVA) welcomes the ANAO recommendations. The ANAO report acknowledges that DVA has established policies and processes that largely support compliance with the Commonwealth Evaluation Policy (the Policy).

The Department acknowledges and agrees with the ANAO’s recommendations. Work is planned for 2024 to review and update the relevant policies and protocols to enhance maturity with the Commonwealth Evaluation Policy requirements, and work has already commenced to implement these enhancements.

Department of Home Affairs

The department agrees with the recommendations and, as part of its ongoing efforts to strengthen evaluation, acknowledges the benefits of a more robust evaluation culture to inform Government decision-making.

The department continues to leverage Commonwealth resources and materials to assist in guiding staff on how an evaluation should be carried out. To supplement the Commonwealth Evaluation Toolkit, the department is developing additional resources to assist staff in determining when, and to what extent, an evaluation should be conducted.

The department is monitoring the outcomes of the Skilled Refugee Labour Agreement to build a sufficient evidence base to assess the viability and future scalability of the program. The department’s advice to Government on the future of the Skilled Refugee Labour Agreement Pilot will be informed by an evaluation consistent with the Commonwealth Evaluation Policy.

Department of the Treasury

Treasury welcomes the report and agrees with the recommendation to update guidance in the Commonwealth Evaluation Toolkit (the Toolkit). Specifically, Treasury will update the Toolkit to include a definition of a ‘pilot’, and provide guidance on: economic evaluation, evaluation of pilots, and governance arrangements for cross-entity evaluations.

Treasury’s guidance on whether spending represents an appropriate use of public money will focus on (and be limited to) guidance on economic evaluation methods, and other fit-for-purpose evaluation approaches. The broader importance of appropriately using public money is well addressed through the suite of guidance administered by the Department of Finance to support resource management and therefore will not be duplicated through Treasury materials.

Treasury will recommend, but not mandate, that all pilots are subject to evaluation consistent with the principles-based Commonwealth Evaluation Policy, which recommends that responsible managers need to determine robust, proportional evaluation approaches for specific pilots or programs.

The Department of the Treasury is committed to continuous improvement of the Evaluation Toolkit. Planned enhancements will include more practical guidance on analytical methods, including economic evaluation, and effective governance arrangements that can help to improve the way Commonwealth entities assess implementation, measure the impact of government programs, and frame policy decisions.

Key messages from this audit for all Australian Government entities

19. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Group title: Performance and impact measurement

Key learning reference:
  • Pilots provide an opportunity to effectively evaluate new or amended policy and program design and activities to ensure expenditure is an efficient, effective, economical, and ethical use of public money.
  • A strong evaluation culture is needed to build effective evaluation capacity. This includes senior leaders prioritising evaluation activities, accessible and tailored guidance and tools for staff, transparently sharing lessons learnt, and acting on evidence-based outcomes and recommendations.
  • Early engagement with evaluation expertise is needed to determine the appropriate type of evaluation for the policy or program, to identify and manage evaluation risks, and to ensure the collection, and appropriate assessment, of data and information to draw robust policy conclusions.
  • Early planning to identify and capture baseline and relevant data and information will help to support robust data analysis during the evaluation.

Type: Performance audit
Report number: 38 of 2023-24
Portfolios: Cross entity
Entities: Australian Transaction Reports and Analysis Centre; Services Australia
Date tabled:

Summary and recommendations

Background

1. New and emerging technologies play an important role in delivering digital services for Australian Government entities. As the development, integration and use of technology increases, so does the number of possible entry or weak points that malicious cyber actors can exploit. This is commonly referred to as the ‘attack surface’.1 It is important that Australian Government entities continue to uplift their cyber security maturity and implement arrangements to manage cyber security incidents2 effectively. The ability to maintain business continuity following a cyber security incident is critical to ensuring the continued provision of government services.

2. Australian Government entities are attractive, high-value targets for a range of malicious cybercriminals because they hold the personal and financial information of Australians.3 In 2022–23, approximately 31 per cent of cyber security incidents reported to the Australian Signals Directorate (ASD) were from non-corporate Commonwealth entities. Over 40 per cent of these cyber security incidents were coordinated, low-level malicious cyberattacks directed specifically at the Australian Government, government shared services, or regulated critical infrastructure.4 Ransomware was the most destructive cybercrime threat in 2022–235 and continues to pose considerable risk to Australian Government entities, businesses and individuals.

Rationale for undertaking the audit

3. On 22 November 2023, the Australian Government released the 2023–30 Australian Cyber Security Strategy which outlines a forecast approach towards uplifting Australia’s cyber resilience as well as ‘[building] … national cyber readiness [and] proactively identifying and closing gaps in … cyber defences and incident response plans’.

4. Australian Government entities are expected to be ‘cyber exemplars’, as they receive, process and store some of Australia’s most sensitive data to support the delivery of essential public services.6 Whilst there were reported improvements from 2022, ASD’s 2023 Cyber Security Posture Report highlighted that the overall maturity level across entities remained low in 2023.7

5. Previous audits conducted by the ANAO identified low levels of cyber resilience in entities. Low levels of cyber resilience continue to make entities susceptible to cyberattack and reduce business continuity and recovery prospects following a cyber security incident. An entity’s preparedness to respond to and recover from a cyberattack is a key part of cyber resilience. This audit was conducted to provide assurance to Parliament about the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents.

Audit objective, criteria and scope

6. The objective of this audit was to assess the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents in accordance with the Protective Security Policy Framework (PSPF) and relevant ASD Cyber Security Guidelines.

7. To form a conclusion against the audit objective, the following high-level criteria were adopted:

  • Do the Australian Transaction Reports and Analysis Centre (AUSTRAC) and Services Australia have appropriately designed and implemented cyber security incident management procedures?
  • Have AUSTRAC and Services Australia effectively implemented cyber security incident management processes for investigating, monitoring and responding to cyber security incidents?
  • Have AUSTRAC and Services Australia effectively implemented recovery processes that mitigate disruptions during and after cyber security incidents?

Engagement with the Australian Signals Directorate

8. Independent timely reporting on the implementation of the cyber security policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. Previous ANAO reports on cyber security have drawn to the attention of Parliament and relevant entities the need for change in entity implementation of mandatory cyber security requirements, at both the individual entity and framework levels.

9. In preparing audit reports to the Parliament on cyber security in Australian Government entities, the interests of accountability and transparency must be balanced with the need to manage cyber security risks. ASD has advised the ANAO that adversaries use publicly available information about cyber vulnerabilities to more effectively target their malicious activities.

10. The extent to which this report details the cyber security vulnerabilities of individual entities was a matter of careful consideration during the course of this audit. To assist in appropriately balancing the interests of accountability and potential risk exposure through transparent audit reporting, the ANAO engaged with ASD to better understand the evolving nature and extent of risk exposure that may arise through the disclosure of technical information in the audit report. This report therefore focusses on matters material to the audit findings against the objective and criteria and contains less detailed technical information than previous audits. Detailed technical information flowing from the audit was provided to the relevant accountable authorities during the audit process to assist them to gain their own assurance that their remediation plans are focussed on improving cyber resilience as required and support reliable reporting through the existing cyber security policy framework.

Conclusion

11. The implementation of arrangements by AUSTRAC and Services Australia to manage cyber security incidents has been partly effective. Neither entity is well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident.

AUSTRAC

12. AUSTRAC has partly effective cyber security incident management procedures for investigating, monitoring and responding to cyber security incidents. It has established management structures and a framework of procedures to support these processes. It has not documented the responsibilities of its Chief Information Security Officer (CISO) or its approach to continuous monitoring and improvement reporting, and it has not defined timeframes for reporting to stakeholders.

13. AUSTRAC has partly implemented effective response processes that mitigate disruptions during and after cyber security incidents. It has established a Security Information and Event Management (SIEM) solution and processes for reporting cyber security incidents. The coverage of log events is not in accordance with ASD’s Cyber Security Guidelines. AUSTRAC does not have an event logging policy and does not document its analysis of all cyber security events.

14. AUSTRAC has procedures to support its cyber security incident recovery processes. These procedures do not include the security and testing of backup solutions, nor detail the systems, applications and servers supporting critical business processes. AUSTRAC performs recovery of backups as part of business area requests. It does not perform testing of restoration of backups for disaster recovery purposes.

Services Australia

15. Services Australia is partly effective in its design of cyber security incident management procedures. It has established a framework of procedures and an incident response plan. It has not documented an approach to threat and vulnerability assessments. Services Australia does not have a policy covering the management of cyber security incidents.

16. Services Australia has partly effective cyber security incident response procedures for investigating and responding to cyber security incidents. It has procedures for managing data spills, malicious code infections and intrusions. It has implemented a Security Information and Event Management (SIEM) solution and a systematic approach to monitoring and prioritisation of alerts. Services Australia has not established a timeframe for triage and escalation activities nor a process for analysing archived SIEM data. Services Australia has not defined an approach for cyber security investigations.

17. Services Australia has partly implemented effective recovery processes that mitigate disruptions during and after cyber security incidents. It has developed business continuity and disaster recovery plans and implemented regular backups. Its plans do not include all systems and applications supporting critical business processes and it does not test the recoverability of backups.

Supporting findings

AUSTRAC

18. AUSTRAC has established management structures and responsibilities for managing cyber security incidents. However, it has not documented the assigned responsibilities for its CISO although the CISO is empowered to make decisions. AUSTRAC has documented a framework of procedures for cyber security risk and incident management. However, it does not detail a process for reviewing, updating and testing its cyber security incident management procedures, nor has it implemented a security maturity monitoring plan that details an approach that defines a continuous improvement cycle as well as reporting to management. AUSTRAC has developed reporting processes for significant or reportable cyber security incidents. AUSTRAC does not document cyber security incident meetings, nor has it defined timeframes for reporting to relevant stakeholders. (See paragraphs 2.6 to 2.32)

19. AUSTRAC has reporting processes for reporting significant or reportable cyber security incidents to internal and external stakeholders. These processes do not include the engagement of relevant expertise in other business areas, such as legal advisors, and do not ensure the integrity of evidence supporting cyber security investigations. AUSTRAC has documented cyber security incident monitoring and response procedures. It has not developed an event log policy for handling and containing malicious code infections or intrusions, nor containment actions in the event of a data spill. AUSTRAC has implemented a Security Information and Event Management (SIEM) solution. Its coverage of event logs is not in accordance with ASD’s Cyber Security Guidelines. It undertakes an analysis of event logs and escalates significant or reportable cyber security incidents to management and relevant external stakeholders. It does not record or document its analysis of non-significant cyber security events, nor has it defined timeframes for triage and escalation activities. While AUSTRAC is able to analyse data within its SIEM solution, it does not have a process for retrieving and analysing production and archived SIEM data. (See paragraphs 2.33 to 2.65)

20. AUSTRAC has documented procedures to support its cyber security incident recovery processes. These procedures do not include the security and testing of backup solutions, nor detail the systems, applications and servers supporting critical business processes. AUSTRAC has not tested the recoverability of its systems and applications supporting critical business processes. It has not included all relevant systems, including the tools used for managing backups, within disaster recovery testing schedules and security policies. AUSTRAC is not well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident. AUSTRAC has primary and secondary data centres to support its approach to regular backups. AUSTRAC performs recovery of backups as part of business area requests. It does not perform testing of restoration of backups for disaster recovery purposes. It does not have a process for extracting and analysing production and archive backup data. AUSTRAC’s incident reports include post-incident learning and post-remediation analysis. These reports are not used to review or update existing cyber security recovery procedures, with potential improvements highlighted in these reports not being considered for incorporation into existing cyber security documentation. (See paragraphs 2.66 to 2.93)

Services Australia

21. Services Australia has established management structures and responsibilities for its management of cyber security incidents. It has not documented an approach to threat and vulnerability assessments, nor does it have a policy covering the management of cyber security incidents. It does have a security maturity monitoring plan, although this does not detail an approach that defines a continuous improvement cycle as well as reporting to management. Services Australia has developed a cyber security incident response plan and a trusted insider program. However, its trusted insider program has not considered input from other business areas, such as its legal function. Services Australia’s critical asset and data registers do not have complete information on critical systems and data assets. Services Australia has documented a framework of procedures for cyber security risk and incident management. However, it does not detail a process for reviewing, updating and testing its cyber security incident management procedures. Services Australia has reporting processes that provide regular reporting of cyber security incidents, including significant or reportable cyber security incidents, to internal and external stakeholders. It has not defined the timeframes for reporting to relevant stakeholders, nor the consideration of engaging other relevant expertise, such as legal advisors, during reporting processes. (See paragraphs 3.6 to 3.44)

22. Services Australia has documented its approach for managing data spills, malicious code infections and intrusions. It has not established processes for reviewing, updating and testing these cyber security incident response procedures. Services Australia has implemented a Security Information and Event Management (SIEM) solution and developed a systematic approach to the monitoring and prioritisation of security alerts. Services Australia has an Event Logging and Monitoring Policy. It has not established processes for extracting, retrieving and analysing archived SIEM data, nor has it defined the timeframe requirements for triage and escalation activities. Services Australia has not defined an approach for cyber security investigations. (See paragraphs 3.45 to 3.73)

23. Services Australia has not defined an approach to digital preservation related to cyber security incidents and regular backups, nor does it have business continuity or disaster recovery plans that address all systems, including the systems which support the critical recovery processes. It is not well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident. Services Australia has processes for performing regular backups. These processes do not include all platforms, and Services Australia does not test the restoration of data, applications and settings from backups as part of disaster recovery exercises. Services Australia has not appropriately documented an embedded post-incident learning approach following a cyber security incident. Services Australia has not established a process that leverages post-incident learnings to review and improve the effective implementation of arrangements to manage cyber security incidents. (See paragraphs 3.74 to 3.103)

Recommendations

Recommendation no. 1

Paragraph 2.24

Australian Transaction Reports and Analysis Centre develops and implements:

  1. policies that define the responsibilities of the Chief Information Security Officer in accordance with the Protective Security Policy Framework requirements; and
  2. a security maturity monitoring plan that defines a continuous improvement cycle as well as reporting to management, including documenting the determination of reporting frequency and escalation.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 2

Paragraph 2.31

Australian Transaction Reports and Analysis Centre develops and implements:

  1. processes for ensuring cyber security incident meetings are documented;
  2. timeframes for reporting to relevant external stakeholders; and
  3. processes that ensure regular risk reporting to its portfolio minister and the Department of Home Affairs.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 3

Paragraph 2.41

Australian Transaction Reports and Analysis Centre develops and implements:

  1. procedures that define assigned security roles and responsibilities for coordinating responses, including engagement of relevant expertise; and
  2. processes for managing and maintaining evidence during and after cyber security investigations.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 4

Paragraph 2.47

Australian Transaction Reports and Analysis Centre develops and implements:

  1. an approach for containment actions that restrict access to data, systems and networks in the event of a data spill; and
  2. an event log policy for handling and containing malicious code infections or intrusions.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 5

Paragraph 2.57

Australian Transaction Reports and Analysis Centre implements a strategy for Security Information and Event Management (SIEM) solution coverage that is in accordance with Australian Signals Directorate’s Guidelines for System Monitoring and performs a risk assessment to support any deviations from the guideline’s recommendations.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 6

Paragraph 2.63

Australian Transaction Reports and Analysis Centre establishes:

  1. a process for retrieving and analysing production Security Information and Event Management (SIEM) solution data held within its SIEM solution and archived SIEM data;
  2. record keeping requirements for triage and escalation activities over non-significant cyber security events to ensure completeness of activities; and
  3. timeframe requirements for triage and escalation activities.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 7

Paragraph 2.78

Australian Transaction Reports and Analysis Centre develops and implements:

  1. disaster recovery testing schedules that include backup solutions;
  2. business continuity planning processes that incorporate the systems, applications and servers which support critical business processes; and
  3. processes that test the recoverability of its systems and applications supporting critical business processes, including implementing any lessons learned into future testing schedules.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 8

Paragraph 2.88

Australian Transaction Reports and Analysis Centre establishes a program that assesses the effectiveness of recovery processes for all production and archived backup data.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 9

Paragraph 2.92

Australian Transaction Reports and Analysis Centre leverages its post-incident learning approaches following a cyber security incident to inform a process that reviews, updates and tests all of the relevant security documentation for the effective management of cyber security incidents. That is:

  1. supporting security documentation to its security plans;
  2. framework of procedures for cyber security incident management;
  3. associated guidance for cyber security incident response; and
  4. associated guidance for cyber security incident recovery.

Australian Transaction Reports and Analysis Centre response: Agreed.

Recommendation no. 10

Paragraph 3.18

Services Australia updates its trusted insider program with the support of legal advice and other relevant expertise and ensures it is fit for purpose across the organisation.

Services Australia response: Agreed.

Recommendation no. 11

Paragraph 3.23

Services Australia updates its systems criticality assessments and data registers with the necessary information to confirm the criticality of each system and data asset.

Services Australia response: Agreed.

Recommendation no. 12

Paragraph 3.29

Services Australia establishes a Cyber Security Incident Management Policy or includes ‘cyber security incidents’ in the scope of the Incident Management and Escalation Policy.

Services Australia response: Agreed.

Recommendation no. 13

Paragraph 3.35

Services Australia develops and implements an approach that ensures continuous monitoring and improvement reporting is provided to management, including documenting the determination of reporting frequency and escalation.

Services Australia response: Agreed.

Recommendation no. 14

Paragraph 3.43

Services Australia designs and implements procedures detailing:

  1. the timeframes for reporting to internal and external stakeholders; and
  2. roles and responsibilities for coordinating responses, including engagement of relevant expertise.

Services Australia response: Agreed.

Recommendation no. 15

Paragraph 3.59

Services Australia develops and implements procedures detailing:

  1. the process for performing cyber security investigations in accordance with the Australian Government Investigations Standard; and
  2. the process for managing and maintaining evidence during and after cyber security investigations.

Services Australia response: Agreed.

Recommendation no. 16

Paragraph 3.71

Services Australia develops and implements:

  1. a process for retrieving and analysing archived Security Information and Event Management (SIEM) solution data; and
  2. timeframe requirements for triage and escalation activities.

Services Australia response: Agreed.

Recommendation no. 17

Paragraph 3.87

Services Australia develops and implements:

  1. a policy for digital preservation;
  2. a policy for regular backups;
  3. business continuity and disaster recovery plans that include the systems, applications and servers which support their critical recovery processes; and
  4. processes that test the recoverability of their systems and applications supporting critical business processes, and implement any lessons learned into future testing plans.

Services Australia response: Agreed.

Recommendation no. 18

Paragraph 3.96

Services Australia establishes a program that assesses the effectiveness of recovery processes for all production and archived backup data.

Services Australia response: Agreed.

Recommendation no. 19

Paragraph 3.101

Services Australia develops its post-incident learning approaches following a cyber security incident to inform a process that reviews, updates and tests all of the relevant security documentation for the effective management of cyber security incidents. That is:

  1. supporting security documentation to their security plans;
  2. framework of procedures for cyber security incident management;
  3. associated guidance for cyber security incident response; and
  4. associated guidance for cyber security incident recovery.

Services Australia response: Agreed.

Summary of entity responses

24. The proposed audit report was provided to AUSTRAC and Services Australia. The entities’ summary responses are reproduced below. Their full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.

AUSTRAC

AUSTRAC welcomes the review and the opportunity to reflect on its processes and procedures for managing cybersecurity incidents. AUSTRAC maintains that our processes to date have enabled effective management of cyber security incidents if and as they occur, involving prioritisation, escalation and seeking internal and external expertise to inform AUSTRAC’s effective cyber security incident response. AUSTRAC welcomes the ANAO’s recommendations, which will support AUSTRAC to strengthen our approach to cybersecurity incident management through greater clarity and certainty provided by documenting much of our existing approach and enhancing it where gaps have been identified. In response to the recommendations, AUSTRAC will update key incident response plans and documents, as well as develop testing schedules consistent with our risk profile and appetite and operational requirements.

Services Australia

Services Australia (the Agency) notes the audit findings and the recommendations for the Agency associated with improving the management of cyber security. The Agency agrees with the recommendations, and will work towards further strengthening controls in the identified areas.

The Agency takes its responsibility to safeguard the personal information and data of its customers very seriously, as well as the need to ensure continuity of the essential services and payments that the Agency provides. I consider that the implementation of the recommendations contained in the report will support the Agency in achieving those outcomes.

Key messages from this audit for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Public services are increasingly reliant on the availability of systems. Entities should understand and assess the need for critical business continuity and disaster recovery management, and frame their security documentation and processes on the basis that cyber security incidents could disrupt or shut down the delivery of digital services to the Australian public.
  • Entities should document policies and procedures. This is important for managing staff turnover, particularly in smaller organisations that are critically dependent on the qualifications and experience of key security advisors.
  • Entities should leverage post-incident learning to inform a process that reviews, updates and tests all security documentation for the effective management of cyber security incidents. Post-incident learning greatly improves business continuity and recovery prospects following a significant or reportable cyber security incident.
  • Entities should implement a trusted insider program, which would actively assist an entity to detect and mitigate internal cyber attack threats.
  • As Australia’s cyber security regulatory landscape evolves and reforms, it is important for an entity to consider how its legal function will support its governance committees during the external reporting process, to manage increasing scrutiny and liability risks following a significant or reportable cyber security incident.

Performance and impact measurement

  • Entities should implement a systematic and centralised approach to the management of Security Information and Event Management (SIEM) solutions, including automated monitoring and prioritisation of security alerts.
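
Recommendation no. 6 (record keeping and timeframe requirements for triage and escalation) and the key message above (automated prioritisation of SIEM alerts) describe a process without showing what it looks like in operation. The following is an added illustration, not code from the report or from either audited entity. It prioritises constructed SIEM alerts by combining the SIEM's own severity with the asset's rating from a system criticality register, keeps a record of every triage and escalation action, and checks each alert against hypothetical triage and escalation deadlines. The deadlines, the severity and criticality scales, the priority matrix and the sample alerts are all assumptions chosen for the example.

```python
"""Alert prioritisation, triage record keeping and timeframe checks over SIEM alerts.

Added example; all deadlines, scales and sample alerts are assumptions, not values
taken from the ANAO report or from AUSTRAC / Services Australia.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical triage and escalation deadlines per response priority.
TRIAGE_DEADLINE = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=8),
    "P4": timedelta(days=2),
}
# Only P1/P2 must be escalated beyond the analyst; P3/P4 are closed at triage.
ESCALATION_DEADLINE = {
    "P1": timedelta(minutes=30),
    "P2": timedelta(hours=4),
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # as set by the SIEM rule
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}               # from the criticality register


@dataclass
class Alert:
    alert_id: str
    severity: str
    asset_criticality: str
    detected_at: datetime
    triaged_at: Optional[datetime] = None
    escalated_at: Optional[datetime] = None
    # Append-only record of who did what and when; this is the evidence that
    # triage and escalation activities were actually performed.
    record: list = field(default_factory=list)


def prioritise(severity: str, asset_criticality: str) -> str:
    """Combine SIEM severity and asset criticality into a response priority (assumed matrix)."""
    score = SEVERITY_RANK[severity] + CRITICALITY_RANK[asset_criticality]
    if score >= 5:
        return "P1"
    if score == 4:
        return "P2"
    if score >= 2:
        return "P3"
    return "P4"


def record_action(alert: Alert, action: str, actor: str, at: datetime) -> None:
    """Log a triage or escalation action and stamp the corresponding milestone."""
    alert.record.append({"action": action, "actor": actor, "at": at.isoformat()})
    if action == "triaged" and alert.triaged_at is None:
        alert.triaged_at = at
    elif action == "escalated" and alert.escalated_at is None:
        alert.escalated_at = at


def _status(done_at: Optional[datetime], due: datetime, now: datetime) -> str:
    if done_at is not None:
        return "met" if done_at <= due else "breached"
    return "overdue" if now > due else "pending"


def check_timeframes(alert: Alert, now: datetime) -> dict:
    """Report whether triage and escalation happened within the deadline for the alert's priority."""
    priority = prioritise(alert.severity, alert.asset_criticality)
    triage_due = alert.detected_at + TRIAGE_DEADLINE[priority]
    result = {
        "alert_id": alert.alert_id,
        "priority": priority,
        "triage": _status(alert.triaged_at, triage_due, now),
        "escalation": "not_required",
    }
    if priority in ESCALATION_DEADLINE:
        esc_due = alert.detected_at + ESCALATION_DEADLINE[priority]
        result["escalation"] = _status(alert.escalated_at, esc_due, now)
    return result


def triage_report(alerts: list, now: datetime) -> list:
    return [check_timeframes(a, now) for a in alerts]


def needs_attention(report: list) -> list:
    """Alert ids whose triage or escalation is overdue or was completed late."""
    return [r["alert_id"] for r in report
            if r["triage"] in ("overdue", "breached") or r["escalation"] in ("overdue", "breached")]


# Constructed sample: three alerts observed at 10:00 UTC on the same morning.
SAMPLE_NOW = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)


def build_sample() -> list:
    t = lambda h, m: datetime(2024, 1, 1, h, m, tzinfo=timezone.utc)
    a1 = Alert("A1", "critical", "high", t(9, 0))      # P1: triaged in time, escalated late
    record_action(a1, "triaged", "analyst.one", t(9, 10))
    record_action(a1, "escalated", "analyst.one", t(9, 50))
    a2 = Alert("A2", "medium", "low", t(8, 0))         # P3: still within the 8-hour window
    a3 = Alert("A3", "high", "high", t(9, 20))         # P1: nobody has touched it
    return [a1, a2, a3]


if __name__ == "__main__":
    for row in triage_report(build_sample(), SAMPLE_NOW):
        print(row)
```

The point of keeping the record on the alert rather than in the analyst's head is that the timeframe check can be re-run later against archived alerts, which is what an auditor or a post-incident review needs; a deadline that is not measurable from records cannot be shown to have been met.
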

Type: Performance audit
Report number: 36 of 2023-24
Portfolios: Health and Aged Care
Entities: Australian Digital Health Agency

Summary and recommendations

Background

1. My Health Record (MHR) is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.1 The My Health Records Act 2012 (MHR Act) states that the goals of MHR are to overcome fragmentation and improve the availability and quality of health information; reduce adverse medical events and the duplication of treatment; and improve the coordination and quality of health care provided by different healthcare providers.2

2. The Australian Digital Health Agency (ADHA) was established as a corporate Commonwealth entity in 2016, at which time it became MHR system operator.

3. MHR ‘national infrastructure’ is comprised of the IT systems and support enabling the flow of information in and out of the MHR system. The Department of Health and Aged Care and ADHA used IT supplier contracts to implement MHR national infrastructure. The largest contract is for the National Infrastructure Operator (NIO), which is responsible for operation, maintenance, support and integration of MHR national infrastructure.

4. The NIO contract was first executed with Accenture Australia Holdings Pty Ltd (Accenture) on 27 June 2012 for a total value of $47 million to 30 June 2014. As at February 2024, arrangements with Accenture totalled $746 million for MHR NIO services between 2012 and 2025.

Rationale for undertaking the audit

5. The Australian Digital Health Agency reports that approximately 23.8 million Australians had a My Health Record as at March 2024.3 It is estimated that $2 billion has been invested in the My Health Record system.4

6. There has been parliamentary interest in government procurement.5 Procurement of large public IT systems can raise risks relating to obsolescence, security and interoperability. This audit provides assurance to the Australian Parliament about whether ADHA has effectively managed MHR procurement.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the Australian Digital Health Agency’s procurement and contract management of the My Health Record National Infrastructure Operator.

8. To form a conclusion against the objective, the ANAO adopted the following high-level criteria.

  • Does ADHA have a fit-for-purpose governance framework for contract management and procurement?
  • Has ADHA managed the My Health Record National Infrastructure Operator contracts effectively?
  • Has ADHA conducted procurements of the My Health Record National Infrastructure Operator effectively?

Conclusion

9. ADHA’s procurement and contract management of the My Health Record National Infrastructure Operator has been partly effective. Effectiveness has been diminished by poor procurement planning and failure to observe core elements of the Commonwealth Procurement Rules.

10. ADHA’s governance framework for contract management and procurement is largely fit for purpose. There are policies and guidance for procurement and contract management, although probity guidance could be improved. Management and oversight arrangements for procurements and contract management are largely appropriate. Internal audit coverage of procurement has been limited.

11. ADHA’s management of the National Infrastructure Operator contract has been partly effective. The identification and assessment of commercial risk has been limited. The effectiveness of day-to-day administration of the contract is diminished by contract management planning that is not fully fit for purpose. Contract variations within the existing contract term have been made with insufficient assessment of risk, consideration of materiality and justification of value for money. The management of contract performance has not utilised all available levers under the contract.

12. ADHA has not conducted procurements of the National Infrastructure Operator contract effectively. ADHA’s planning and decisions about how to approach the market for the contract in 2019 and 2022 were deficient. For both sole source limited tender procurements, ADHA’s conduct of limited tender processes under Division 1 of the Commonwealth Procurement Rules (including demonstrating value for money, managing probity and public procurement reporting) was also deficient.

Supporting findings

Governance framework for procurement

13. ADHA provides procurement and contract management training to staff and has policies and guidance for procurement and contract management. Although there are policies and guidance, these are not always reviewed in accordance with requirements. There are policies relevant to managing conflicts of interest in procurement and contract management, although instructions are inconsistent across policy documents. There is a policy relevant to managing gifts and benefits which lacked specificity but has been improved. Chief Executive Officer (CEO) gifts and benefits declarations are not always timely. (See paragraphs 2.2 to 2.21)

14. Business areas are responsible for procurement and contract management and are supported by a central procurement area. The board approves contracts above a certain value threshold and delegates the power to enter into a contract to the CEO for other contracts. There are CEO authorisation instruments to allow officials to conduct procurements and enter into contracts. From April 2021 there was regular reporting to the board on complex and high-risk procurement. The internal audit program has considered contract management but has had limited coverage of procurement. An Audit and Risk Committee has included procurement issues in its reporting to the board but has not provided advice about the sufficiency of controls over procurement risks. (See paragraphs 2.23 to 2.30)

Contract management

15. In addition to a quarterly strategic risk assessment which includes consideration of My Health Record and the National Infrastructure Operator, risk assessments specifically related to ADHA’s commercial relationship with Accenture were conducted in 2016, 2019, 2020 and 2022. The quality of the risk assessments varied. Although a 2021 contract management plan assessed the overall risk for the National Infrastructure Operator contract as ‘medium’, it provided no information to justify this overall rating, no indication if this risk assessment exceeded its risk appetite, and no description of or treatments for specific risks. ADHA did not re-assess contract risk on five of the six occasions when the contract with Accenture was varied during an existing contract term between 2018 and February 2024. ADHA assessed risk on two occasions when the contract with Accenture was varied through a procurement, although the quality of risk assessment for one procurement was poor. The terms and conditions of the National Infrastructure Operator contract address a range of commercial and security risks. (See paragraphs 3.3 to 3.16)

16. The effectiveness of contract administration has been diminished by the following.

  • There is a National Infrastructure Operator contract management plan. The plan has not been reviewed as required and does not contain some of the required information. There are no instructions to officials about how and when to assess contract risk.
  • The National Infrastructure Operator contract with Accenture was amended eight times between January 2018 and February 2024 largely to fund My Health Record system enhancements, including six amendments (valued at $54 million) executed during the term of the existing contract. For the six contract amendments, ADHA did not document value for money considerations.
  • ADHA did not review the contractor’s performance when it exercised an option to extend the contract.
  • ADHA held strategic and operational meetings with the contractor, but these were not always at the specified frequency. Not all specified meeting types took place and some meeting types took place that were not specified.
  • Officials managing the National Infrastructure Operator contract did not adhere to the ADHA’s records management policies. (See paragraphs 3.17 to 3.34)

17. Although there is evidence of ADHA conducting reviews and requiring some National Infrastructure Operator deliverables to be resubmitted, ADHA has not reviewed contract reporting deliverables as required. Contract and contract management plan provisions to support performance management have rarely or never been used (benchmarking, annual performance reviews and audits) or have not been used as planned (issues monitoring). A request for updated My Health Record system architecture in August 2019 in preparation for approaching the market for the National Infrastructure Operator in June 2020 coincided with the commencement of a dispute between ADHA and Accenture about system architecture documentation. The dispute was not resolved until March 2023. The practice of advance payment for services before delivery weakens ADHA’s leverage in managing performance. ADHA has invoked contract provisions that penalise the contractor for failing to meet certain service levels. (See paragraphs 3.36 to 3.59)

Procurement processes

18. Planning and approach to market processes for the 2019 and 2022 procurements of the National Infrastructure Operator were deficient.

  • Procurement plans were not approved before procurement decisions were made.
  • Risk associated with a direct source limited tender was not well assessed for the 2019 procurement but was assessed for the 2022 procurement.
  • For the 2019 and 2022 procurements, ADHA justified not going to open market using limited tender conditions listed in the Commonwealth Procurement Rules; however, there were weaknesses in how those conditions were justified, approved, implemented and reported. In particular, the use of paragraph 10.3b of the CPRs (‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’) was inappropriate.
  • In making procurement planning decisions, relevant information (including performance issues) was not appropriately considered by the decision-maker. (See paragraphs 4.3 to 4.36)

19. Cost and other factors, including Accenture’s experience as the National Infrastructure Operator, were considered in the decision to award a contract ‘extension’ to Accenture in 2019 and 2022. However, the accountable authority made the decision without fully considering Accenture’s performance history and ADHA did not document a clear value for money assessment for either procurement. Approvals were given by officials with appropriate authority and were appropriately documented. The approach to declaring potential conflicts of interest did not comply with ADHA policy and program-specific probity obligations were unclear. ADHA partly complied with AusTender reporting requirements. (See paragraphs 4.40 to 4.68)

Recommendations

20. This report makes 13 recommendations to ADHA.

Recommendation no. 1

Paragraph 3.11

Australian Digital Health Agency review risks associated with procurement and management of My Health Record.

Australian Digital Health Agency response: Agreed.

Recommendation no. 2

Paragraph 3.20

Australian Digital Health Agency update its National Infrastructure Operator contract management plan:

  1. annually, in accordance with review requirements;
  2. to provide sufficient guidance on key contract management elements such as termination and step-in, issues management and escalation;
  3. to incorporate guidance on key contract provisions such as dispute resolution, subcontracting, benchmarking and annual review of contractor performance; and
  4. to provide guidance and instructions to officials on how and when to identify, assess and manage National Infrastructure Operator contract risks.

Australian Digital Health Agency response: Agreed.

Recommendation no. 3

Paragraph 3.26

Australian Digital Health Agency ensure that:

  1. decisions to expend money through a contract variation document whether the variation represents a ‘minor’ change, and the value for money of the variation; and
  2. it reviews performance and deliverables prior to exercising a contract extension option.

Australian Digital Health Agency response: Agreed.

Recommendation no. 4

Paragraph 3.35

The Australian Digital Health Agency ensure that records created as part of the National Infrastructure Operator contract are stored in accordance with its information governance framework.

Australian Digital Health Agency response: Agreed.

Recommendation no. 5

Paragraph 3.46

The Australian Digital Health Agency document its approach to reviewing and reporting deliverables, put in place arrangements to ensure that it reviews National Infrastructure Operator contract reports and deliverables as required, and establish appropriate controls to provide assurance that reviews are occurring.

Australian Digital Health Agency response: Agreed.

Recommendation no. 6

Paragraph 3.50

The Australian Digital Health Agency ensure that National Infrastructure Operator contract arrangements that follow the expiry of the existing contract in June 2025 clearly specify the maintenance and provision of system architecture documentation and provide appropriate assurance arrangements for their timely provision.

Australian Digital Health Agency response: Agreed.

Recommendation no. 7

Paragraph 4.8

In anticipation of the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency:

  1. publish a procurement plan on AusTender that provides reasonable notice to the market about the expiry of the contract; and
  2. prepare and endorse an internal procurement plan.

Australian Digital Health Agency response: Agreed.

Recommendation no. 8

Paragraph 4.35

The Australian Digital Health Agency implement controls to ensure that, in making procurement decisions, relevant information (including legal advice, and any past and ongoing disputes and performance issues with a supplier) is incorporated into the value for money assessment.

Australian Digital Health Agency response: Agreed.

Recommendation no. 9

Paragraph 4.37

The Australian Digital Health Agency ensure limited tender processes do not commence before the limited tender procurement approach has been approved by the relevant decision-maker, including (if applicable) consideration by the decision-maker of the specific conditions justifying limited tender.

Australian Digital Health Agency response: Agreed.

Recommendation no. 10

Paragraph 4.38

For the procurement of a National Infrastructure Operator following the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency conduct an open tender in accordance with the Commonwealth Procurement Rules.

Australian Digital Health Agency response: Agreed in principle.

Recommendation no. 11

Paragraph 4.46

The Australian Digital Health Agency, in approving expenditure through a procurement, ensure that decisions are supported by a clear value for money assessment, which considers the financial and non-financial costs and benefits of the procurement.

Australian Digital Health Agency response: Agreed.

Recommendation no. 12

Paragraph 4.60

Australian Digital Health Agency:

  1. ensure program-specific probity frameworks are consistent with other agency policies; and
  2. establish assurance processes over the declaration of interests in procurements to ensure that positive declarations are made as required under Australian Digital Health Agency’s conflict of interest policy and National Infrastructure Modernisation probity framework.

Australian Digital Health Agency response: Agreed.

Recommendation no. 13

Paragraph 4.69

The Australian Digital Health Agency establish controls to ensure that:

  1. all contracts and contract variations are reported accurately on AusTender within the required timeframes; and
  2. in accordance with the Commonwealth Procurement Rules, for each contract awarded through limited tender, a written report is prepared that includes the value, a statement indicating the circumstance and conditions that justified the use of limited tender, and a demonstration of how the procurement represented value for money in the circumstances.

Australian Digital Health Agency response: Agreed.

Summary of entity response

21. The proposed audit report was provided to ADHA. ADHA’s summary response to the audit is provided below and its full response is at Appendix 1.

As the Report highlights, the My Health Record System (MHR) is a national public system supporting coordination and quality clinical decision making and provides health information for 23.7 million Australians where and when they need it.

MHR has been operating successfully for over a decade – delivering secure, reliable health information, with choice and privacy firmly in the hands of Australians. The Agency welcomes the key Report finding that governance frameworks and contract management approaches for MHR are largely fit for purpose.

During the pandemic, when Australian communities were at highest risk, MHR was upgraded to provide rapid access to COVID test results and vaccination certificates as part of the national effort to protect Australians and support freedom of movement. During this period system stability and reliability were priorities in procurement approaches taken.

The Agency accepts the ANAO’s recommendations on strengthening approval and review processes and record keeping across the procurement and contract management lifecycle and has significantly augmented these areas over the last three years. This includes successful complex IT infrastructure modernisation through competitive procurements that have reduced single vendor dependency. Further modernisation work is underway to deliver greater health information sharing and more connected care across the health system.

22. An extract of the proposed report was provided to Accenture Australia Holdings Pty Ltd. Accenture’s full response is provided at Appendix 1.

Key messages from this audit for all Australian Government entities

23. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Procurement

  • Entities should plan sufficiently in advance of the expiry of contracts to ensure there is sufficient time to conduct a procurement process in accordance with the Commonwealth Procurement Rules.
  • The use of paragraph 10.3b of the Commonwealth Procurement Rules to justify a limited tender should be in situations consistent with the condition (extreme urgency brought about by events unforeseen by the entity) and not in situations of poor or late planning.

Type: Performance audit
Report number: 33 of 2023-24
Portfolios: National Disability Insurance Agency
Entities: National Disability Insurance Agency

Summary and recommendations

Background

1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Australian Government entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013, credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).

2. For 2021–22 and 2022–23, the National Disability Insurance Agency’s (NDIA’s) total credit card expenditure was approximately $6.7 million, comprising 11,925 transactions. For the same period, the NDIA’s total travel expenditure was approximately $9.1 million, representing 8,509 trips. Credit card and travel expenditure both represented one per cent or less of the NDIA’s supplier expenses in each year.3

Rationale for undertaking the audit

3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.4

4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6

5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions8 and ineffective controls in the management of the use of credit cards.9 This audit provides Parliament with assurance that the NDIA is effectively managing corporate credit cards in accordance with legislative and the NDIA’s policy requirements.

6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:

  • National Disability Insurance Agency (NDIA);
  • Federal Court of Australia;
  • Australian Research Council; and
  • Productivity Commission.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

8. To form a conclusion against the objective, the ANAO examined:

  • whether the NDIA has effective arrangements in place to manage the issue, return, and use of corporate credit cards; and
  • whether the NDIA has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.

Conclusion

9. The NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective. The NDIA has established controls, but they were not robustly implemented and do not provide sufficient assurance to the NDIA Board that fraud risks are being managed.

10. The NDIA has partly effective arrangements in place to manage the issue, return and use of corporate credit cards. The NDIA’s senior leadership team and the Board have limited oversight of credit card management and use, including for travel. Reporting of use and non-compliance is provided to the Financial Control Branch within the Chief Finance Officer Division, and non-compliance incidents are reported to the Risk Advisory Branch. Financial authorisations for Services Australia to enter into borrowing arrangements on the NDIA’s behalf were not in place. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no shared risk register or approach with Services Australia. The NDIA has largely fit-for-purpose policy and procedures and training to support use of credit cards, except for not addressing positional authority risks.

11. The NDIA has implemented partly effective controls and processes for management and control of corporate credit cards. Preventive controls were partly implemented, with cards issued to Senior Executive Service (SES) officers without line manager endorsement, credit limits that were not consistent with NDIA policies and the NDIA not utilising merchant blocking technology. Detective controls were partly effective in supporting detection of credit card misuse, and travel approval and acquittal non-compliance. Travel by Board members, and travel and credit card expenditure by the CEO and SES officers, was often approved by a staff member junior to the traveller or credit cardholder and did not address positional authority risk. The NDIA’s policies permit discretion when identifying and recording non-compliance during a quality assurance review, leading to under-reporting of non-compliance. The NDIA has partly implemented effective controls for managing non-compliance. The NDIA does not monitor the timeliness of travel acquittals, use its system to record all instances of travel non-compliance or take action in response to most identified travel non-compliance.

Supporting findings

Credit card arrangements

12. The NDIA has not delegated authority for Services Australia to enter into borrowing arrangements on its behalf. The NDIA reports regularly on use and management of credit cards (including non-compliance) at the responsible branch level. Credit card and travel non-compliance are aggregated with other instances of non-compliance with finance law, diminishing the NDIA Board and Senior Leadership Team’s understanding of fraud, risk and integrity implications arising from non-compliance. In relation to the delivery of shared services by Services Australia, the NDIA receives quarterly non-compliance reports for travel by NDIA staff and an annual assurance statement relating to Services Australia’s controls environment. (See paragraphs 2.4 to 2.24)

13. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no evidence of consideration of credit cards or travel within the Chief Financial Officer’s divisional risk register. There is no shared risk register or approach with Services Australia for shared services provided. (See paragraphs 2.25 to 2.41)

14. Accountable Authority Instructions (AAIs) and the NDIA Finance Policies are reviewed annually and are largely consistent with Australian Government guidance on managing credit cards. Policies and procedures do not address positional authority considerations for the acquittal of the Board and CEO’s credit card and travel expenditure. (See paragraphs 2.42 to 2.57)

15. NDIA staff applying for a credit card are required to complete online training, which covers all responsibilities and policy requirements, prior to being issued with the card. When it is recommended that staff complete refresher training following instances of non-compliance, this does not always occur. Line manager reviewers of credit card acquittals, travellers and travel spending approvers are not required to complete training. (See paragraphs 2.58 to 2.61)

Management and control of credit cards

16. Controls relating to the issue of credit cards were generally operating as intended, except that line managers did not endorse Senior Executive Service officer credit card applications. The NDIA does not have assurance that credit limits are applied consistent with policy requirements. The NDIA does not use merchant blocking to prevent misuse. The NDIA cancelled and suspended cards for staff who had left the NDIA or were on long term leave following annual reviews of ongoing business need for the card, indicating that other preventive controls were not operating as intended. (See paragraphs 3.4 to 3.20)

17. The NDIA has implemented detective controls for credit cards including credit card acquittal by cardholders, review by line managers and a quality assurance review process. The NDIA’s policies do not provide guidance on detecting the splitting of a transaction to remain under the relevant credit card limit. For a sample of 117 transactions, the ANAO identified 18 instances of potentially split transactions, and 20 credit card acquittals of the CEO and SES where the approving officer was junior to the credit cardholder, introducing positional authority risk. In 2021–22 and 2022–23, daily assurance checks resulted in requests for supporting documentation from credit cardholders for four per cent of all credit card transactions. In 2021–22 and 2022–23, the ANAO identified 11 credit card transactions which occurred where the NDIA policies required the credit card be suspended, and one where the policies required the credit card be cancelled. (See paragraphs 3.21 to 3.46)
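The two detective checks paragraph 17 describes, a split-transaction heuristic and a positional authority comparison, as an added worked example that is not NDIA or ANAO code; the classification scale, the single-transaction limit and the acquittal records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed seniority order used for the positional authority check
# (an assumption, not an NDIA classification scale); higher is more senior.
# It deliberately ranks SES bands below the CEO, so an SES approver of a
# CEO acquittal is still flagged, as paragraph 21 of the report explains.
RANK = {"APS6": 1, "EL1": 2, "EL2": 3, "SES1": 4, "SES2": 5, "CEO": 6}

# Constructed sample acquittal records; none are real NDIA transactions.
TRANSACTIONS = [
    {"id": "T1", "cardholder": "A", "holder_level": "EL2", "approver_level": "SES1",
     "merchant": "OfficeCo", "date": date(2023, 3, 1), "amount": 4900.0},
    {"id": "T2", "cardholder": "A", "holder_level": "EL2", "approver_level": "SES1",
     "merchant": "OfficeCo", "date": date(2023, 3, 1), "amount": 3000.0},
    {"id": "T3", "cardholder": "A", "holder_level": "EL2", "approver_level": "SES1",
     "merchant": "TravelCo", "date": date(2023, 3, 1), "amount": 200.0},
    {"id": "T4", "cardholder": "C", "holder_level": "CEO", "approver_level": "SES2",
     "merchant": "AirlineCo", "date": date(2023, 3, 2), "amount": 1200.0},
    {"id": "T5", "cardholder": "B", "holder_level": "EL1", "approver_level": "EL2",
     "merchant": "OfficeCo", "date": date(2023, 3, 1), "amount": 2000.0},
]


def find_split_transactions(txns, single_limit):
    """Return groups of potentially split transactions.

    Heuristic (assumed, not the NDIA's policy): two or more transactions by the
    same cardholder at the same merchant on the same day, each at or under the
    single-transaction limit, whose combined value exceeds that limit.
    """
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] <= single_limit:
            groups[(t["cardholder"], t["merchant"], t["date"])].append(t)
    return [g for g in groups.values()
            if len(g) > 1 and sum(t["amount"] for t in g) > single_limit]


def positional_authority_breaches(txns):
    """Return ids of acquittals approved by an officer junior to the cardholder."""
    return [t["id"] for t in txns
            if RANK[t["approver_level"]] < RANK[t["holder_level"]]]


if __name__ == "__main__":
    for group in find_split_transactions(TRANSACTIONS, 5000.0):
        print("potential split:", [t["id"] for t in group])
    print("positional authority risk:", positional_authority_breaches(TRANSACTIONS))
```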

18. The NDIA implemented detective controls for travel approvals including travel acquittal by travellers, review by delegates and quality assurance processes. For a sample of 93 trips, 24 travel requests were not submitted within required timeframes, 10 trips did not have supporting documentation, and 18 trips were not acquitted within required timeframes. The delegate was junior to the traveller for 51 trips by the CEO and Board, introducing positional authority risk. Services Australia made 30 recommendations to the NDIA to address travel related non-compliance identified by quality assurance processes. The NDIA did not respond to Services Australia or implement the recommendations. (See paragraphs 3.21 to 3.46)

19. The NDIA records credit card non-compliance by specific categories, including accidental private use. Reported instances of travel non-compliance did not reconcile. The NDIA recorded action taken in relation to credit card non-compliance, including recovery of personal expenditure and recommendation of further training. The NDIA did not record any actions taken in response to recommendations made by Services Australia to remedy travel non-compliance. For the one instance of travel non-compliance recorded in the NDIA’s internal reporting, the action taken was to inform the staff member of the policy requirements. (See paragraphs 3.47 to 3.64)

Recommendations

Recommendation no. 1

Paragraph 2.11

The National Disability Insurance Agency establishes a financial authorisation to support the borrowing undertaken by Services Australia on its behalf under the shared services arrangements.

National Disability Insurance Agency response: Agreed.

Recommendation no. 2

Paragraph 2.19

The National Disability Insurance Agency’s (NDIA’s) Board receive and consider complete and accurate reporting of non-compliances with finance law and NDIA policies, including for credit card and travel expenditure.

National Disability Insurance Agency response: Agreed.

Recommendation no. 3

Paragraph 2.35

The National Disability Insurance Agency clearly articulate in approved risk registers the reasons for risk ratings and incorporate effective controls and mitigations so that risk is managed within approved tolerance levels, consistent with the Agency’s Risk Management Guide.

National Disability Insurance Agency response: Agreed.

Recommendation no. 4

Paragraph 2.38

Services Australia and the National Disability Insurance Agency approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.

National Disability Insurance Agency response: Agreed.

Services Australia response: Agreed.

Recommendation no. 5

Paragraph 2.53

The National Disability Insurance Agency (NDIA) address positional authority risk relating to the approval of the NDIA Board Chair, NDIA Board members and CEO credit card expenditure and travel, by requiring that:

  1. expenditure made by or on behalf of the NDIA Board Chair be approved by a deputy or other NDIA Board member;
  2. expenditure made by or on behalf of the NDIA Board members (other than the Chair) be approved by the NDIA Board Chair; and
  3. expenditure made by or on behalf of the NDIA CEO be approved by the NDIA Board.

National Disability Insurance Agency response: Agreed.

Recommendation no. 6

Paragraph 3.8

The National Disability Insurance Agency introduce controls to:

  1. prevent the activation or use of new or replacement credit cards until cardholders have acknowledged receipt of the card and confirm they will comply with NDIA policy; and
  2. require approval from the supervising Senior Executive Service (SES) officer for all credit card applications by SES officers, consistent with the NDIA’s policy requirements.

National Disability Insurance Agency response: Agreed.

Recommendation no. 7

Paragraph 3.37

To support accountability and separation of duties, the National Disability Insurance Agency introduce additional assurance processes for cardholder transactions in the Chief Financial Officer Division and Financial Control Branch.

National Disability Insurance Agency response: Agreed.

Recommendation no. 8

Paragraph 3.40

The National Disability Insurance Agency (NDIA) develop guidance on steps for identification of all types of credit card non-compliance with the NDIA Finance Policies, and a system for reporting all non-compliance, including those that are rectified as part of the quality assurance process.

National Disability Insurance Agency response: Agreed.

Recommendation no. 9

Paragraph 3.53

The National Disability Insurance Agency introduce a quality assurance process to cross check reports for completeness and accuracy with other relevant information sources, document identified discrepancies and remedial action taken.

National Disability Insurance Agency response: Agreed.

Summary of entity responses

20. The proposed audit report was provided to the NDIA and an extract was provided to Services Australia. The entities’ summary responses are reproduced below. The entities’ full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.

National Disability Insurance Agency

The National Disability Insurance Agency (NDIA) welcomes the ANAO’s analysis that the level of non-compliance across the Agency is minor and that no significant non-compliances, or instances of fraud, were identified.

The NDIA notes the ANAO’s reference to discretion in relation to the reporting of compliance and disputes the reference to under-reporting of misuse. Discretion is applied where it is identified that additional documentation is required; should additional documentation not be provided, a non-compliance is recorded.

The NDIA notes the ANAO’s reference to “junior staff” approving Board and CEO travel. This reference related to a historical administrative arrangement undertaken by an SES Band 2 to provide approvals for CEO travel and credit card expenditure. The NDIA notes the CEO does not currently hold a credit card.

The NDIA notes the ANAO’s comments on reporting of use and non-compliance are only provided to the Agency Budget and Financial Control Branch. All non-compliances are reported to the Agency’s Risk Management Branch on a monthly basis for inclusion in whole-of-Agency compliance reporting.

The NDIA acknowledges the recommendations and the opportunities for improvement. The NDIA has commenced action in line with our responses to the recommendations. Noting the above, and the extant sound governance and controls relating to credit card and travel administration, the NDIA suggests that the use of corporate credit cards is effective rather than partly effective.

ANAO comment on the National Disability Insurance Agency’s response

21. The approval of a credit cardholder’s acquittal or travel by an officer junior to the cardholder or traveller, even if the approver is an SES officer, introduces positional authority risk (see paragraphs 3.25 and 3.30). The NDIA has not developed appropriate policies or procedures to manage this risk (see paragraph 2.52).

22. The absence of criteria or guidance for identifying and recording credit card non-compliance, detected during the daily quality assurance checks, is discussed at paragraphs 3.34 and 3.43. The audit identified instances of transactions that were potentially split, IT assets purchased without approval, credit card acquittals not completed within required timeframes, lack of required documentation and use of credit card while on leave contrary to policy requirements (see paragraphs 3.22, 3.23 and 3.25). None of these instances were reported by the NDIA as non-compliance.

23. Credit card non-compliances were reported in the financial system (see paragraph 3.47); however, this does not include all non-compliance detected by quality assurance processes (see paragraph 3.35). Only credit card and travel non-compliances recorded in the financial system are reported to the Risk Advisory Branch (see paragraphs 2.17 and 3.51, and footnotes 47 and 81).

Services Australia

Services Australia (the Agency) notes the audit findings and the recommendation for the Agency and the National Disability Insurance Agency (NDIA) to approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.

The Agency acknowledges the requirement under the Commonwealth Risk Management Policy 2023 (the Policy) for entities to collaborate to manage shared risks and will work with the NDIA through existing bilateral governance arrangements to further strengthen risk management between the agencies in respect of corporate credit card and travel arrangements.

Key messages from this audit for all Australian Government entities

24. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • The active management of control frameworks on a risk basis enables accountable authorities to have confidence that risks do not expose their entities to integrity risks. Non-compliance in the management or use of credit cards may provide accountable authorities with an indicator of potential fraud and corruption risk within their entities.
  • Entities should clearly document what constitutes a non-compliant transaction and how these transactions are to be recorded, and report summary information on credit card non-compliance, including travel, to the accountable authority, executive and relevant governance committees.
  • Entities should include a rolling program of internal audits that examine key internal controls on a periodic basis.

Records management

  • Entities must maintain complete and accurate records of key contractual arrangements with suppliers, including shared services arrangements provided by the Australian Government.

Engagement with the audit process

  • Entities whose operations, activities and performance are the subject of ANAO audits should demonstrate a working knowledge or appreciation of the role of the ANAO in supporting accountability and transparency in the Australian Government sector through independent reporting to Parliament. This includes establishing working arrangements with the ANAO commensurate with the Auditor-General’s powers to enable the audit process to be efficient and effective for both the audited entity and the ANAO.