Background

1. The Public Service Act 1999 (PS Act) requires that Australian Public Service (APS) employees, agency heads and statutory office holders abide by the APS Code of Conduct. The APS Code of Conduct, consistent with duties under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), require officials to declare the receipt of gifts, benefits and hospitality. Collectively, these requirements establish obligations for officials and Commonwealth entities in relation to how they manage the provision and receipt of gifts, benefits and hospitality.

2. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person.¹ The National Anti-Corruption Commission Act 2022 also contains provisions against conduct that adversely affects (or could adversely affect) the honest and impartial exercise of any public official’s powers, functions or duties.²

3. The Australian Public Service Commission (APSC) publishes Guidance for Agency Heads — Gifts and Benefits. The principles underpinning this guidance are that:

• agency heads are meeting public expectations of integrity, accountability, independence, transparency and professionalism in relation to gifts and benefits; and
• there is consistency in relation to agency heads’ management of gifts and benefits across APS agencies and Commonwealth entities and companies.

4. The Department of the Treasury (Treasury) is a non-corporate Commonwealth entity. Treasury is the government’s lead economic advisor, providing advice to the government and implementing policies and programs to achieve strong and sustainable economic and fiscal outcomes for Australians.³

Rationale for undertaking the audit

5. Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person, or to cause, or seek to cause, detriment to the entity, the Commonwealth, or any other person. Public service entities must meet public expectations of integrity, accountability, independence, transparency, and professionalism. Acceptance of a gift or benefit that relates to an official’s employment can create a real or apparent conflict of interest that should be avoided.⁴

6. Public confidence in Commonwealth entities and the APS can be damaged when gifts and benefits that create a conflict of interest are accepted or not properly declared. APSC states in its publication, APS Values and Code of Conduct in practice, that the risk of the appearance of a conflict can be damaging to public confidence:

The appearance of a conflict can be just as damaging to public confidence in public administration as a conflict which gives rise to a concern based on objective facts.⁵

7. This audit provides assurance to the Parliament that Treasury has complied with gifts, benefits and hospitality requirements.

Audit objective and criteria

8. The objective of the audit was to assess whether Treasury had complied with gifts, benefits and hospitality requirements.

9. To form a conclusion against the objective, the ANAO adopted the following two high-level audit criteria.

• Did Treasury have effective arrangements in place to manage gifts, benefits and hospitality?
• Were Treasury’s controls and processes for gifts, benefits and hospitality operating effectively in accordance with policies and procedures?

10. The audit examined the management of gifts, benefits and hospitality within Treasury over the period 1 July 2021 to 30 September 2023.

Conclusion

11. Treasury has been largely effective in complying with its gifts, benefits and hospitality requirements. Shortcomings in the alignment of Treasury’s internal policy to APSC requirements, training and education arrangements for Treasury’s statutory office holders, and processes not detecting non-compliance reduced the effectiveness of arrangements.

12. Treasury has established largely effective arrangements for managing gifts, benefits and hospitality. Treasury has a system, policies and training to support officials in their management of gifts, benefits and hospitality. The policy applies to all Treasury officials. The policy is aligned to the requirements of APSC Guidance for Agency Heads — Gifts and Benefits, with the exception of requirements for declaring and reporting the receipt of hospitality. As a result, Treasury has reduced the transparency in public reporting for hospitality that has been received by officials. Not all statutory office holders that are officials of Treasury are provided guidance and training in relation to gifts, benefits and hospitality.

13. The operating effectiveness of Treasury’s processes and controls for gifts, benefits and hospitality is partly effective. Training and education arrangements that had been implemented for internal staff were operating effectively. Training and education arrangements were not provided to all statutory office holders of Treasury. Treasury made a decision in 2022 not to implement detective controls such as proactive compliance monitoring so Treasury is reliant on the self-declaration of officials that receive gifts, benefits and hospitality. Treasury processes had not identified two instances of non-compliance with Treasury’s internal policy requirements and a further 10 instances of non-compliance with the PGPA Act and APSC Guidance for Agency Heads — Gifts and Benefits.

Supporting findings

Arrangements for managing gifts, benefits and hospitality

14. Treasury has established arrangements for identifying and managing risks associated with the acceptance and provision of gifts, benefits and hospitality. Treasury’s risk management policy and framework outline the requirements for assessing risks and provide related guidance. Treasury has undertaken a fraud and corruption risk assessment at an entity-level and risk assessments for each of its groups. These risk assessments have considered gifts, benefits and hospitality. There is an opportunity to specifically articulate operational controls which are of relevance to gifts, benefits and hospitality rather than only high-level enterprise controls as expressed in the Fraud Risk Assessment. (See paragraphs 2.6 to 2.12)

15. Treasury has developed policies and procedures for officials regarding the acceptance of gifts, benefits and hospitality. These policies and procedures reference other relevant departmental policy including the conflict of interest policy. These policies and procedures align with the APSC Guidance for Agency Heads — Gifts and Benefits with the exception of the processes to declare and approve the receipt of hospitality. (See paragraphs 2.13 to 2.22)

16. Treasury has developed policies and procedures for officials regarding the provision of gifts, benefits and hospitality. These policies and procedures align with the APSC Guidance for Agency Heads — Gifts and Benefits and also reference other relevant departmental policy including the conflict of interest policy. Treasury policy refers to the application of guidance provided by the Department of Foreign Affairs and Trade (DFAT) in relation to the provision of gifts by officials posted overseas. (See paragraphs 2.23 to 2.27)

17. Treasury maintains mandatory training packages which include responsibilities and expectations for officials relating to gifts, benefits and hospitality. There are mechanisms in place to monitor mandatory training completion and follow-up non-compliance with training requirements. While Treasury provides onboarding material to officials noting requirements to comply with the PGPA Act, Treasury does not have arrangements for statutory office holders (that are Treasury officials) to ensure consistency in the training and education arrangements made available to them. The Treasury Secretary has completed all mandatory training and completion of mandatory training modules by other Treasury staff ranges from 89 per cent to 92 per cent. (See paragraphs 2.28 to 2.43)

18. Treasury has implemented arrangements to support the reporting of the public register for gifts and benefits in accordance with APSC Guidance for Agency Heads — Gifts and Benefits. Treasury does not provide periodic reporting to internal governance committees on matters relating to gifts, benefits and hospitality, or have a formalised framework for monitoring compliance against internal policy requirements. (See paragraphs 2.44 to 2.49)

Implementation and effectiveness of arrangements for managing gifts, benefits and hospitality

19. Treasury’s preventative controls include its operational guidelines and online training modules. Access to the training modules was not provided to all statutory office holders that are officials of the department. Not all statutory office holders that had access to the training arrangements had completed the online training modules. (See paragraphs 3.2 to 3.20)

20. Treasury has not implemented detective controls that are specifically for the purpose of monitoring compliance with requirements for the receipt and provision of gifts, benefits and hospitality. Treasury has detective controls that can indirectly support the identification of non-compliance with related requirements. This includes assessing corporate credit card transactions and obtaining annual conflict of interest declarations from officials. (See paragraphs 3.21 to 3.35)

21. There were no documented processes for managing identified instances of non-compliance relating to gifts, benefits and hospitality. Treasury has not previously identified instances of non-compliance relating to gifts, benefits and hospitality so the effectiveness of related processes for managing non-compliance were unable to be assessed. (See paragraphs 3.36 to 3.38)

22. Treasury has not developed an evidence-based assurance framework that considers gifts, benefits and hospitality. The inclusion of gifts, benefits and hospitality in Treasury’s Financial Framework Assurance Plan was considered following a prior internal audit and decision was made by Treasury that no further assurance processes were required. (See paragraphs 3.39 to 3.40)

Recommendations

Summary of entity response

23. The proposed audit report was provided to the Department of the Treasury. The summary response to the report is below and the full response is at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.

Department of the Treasury

Treasury welcomes this report and thanks the ANAO for their professional and collaborative approach to this audit. Treasury is committed to ensuring full compliance and transparency with regard to gifts, benefits and hospitality and accepts the recommendations provided by the ANAO. Treasury has already implemented changes as per recommendations 2 and 4 and will consider how best to implement recommendations 1 and 3. Implementation and closure of these recommendations will be monitored by our Audit and Risk Committee.

Treasury notes the instances of non-compliance (relating to non-declaration of gifts) identified by the ANAO were not significant in nature, nor do they suggest a systemic issue with regard to the declaration of gifts received. The minor misalignment with the Australian Public Service Commission gifting guidelines, which created the non-compliance, has been rectified and Treasury has amended its public gift register to include the 4 gifts identified in this report as non-compliant.

Treasury will continue to ensure our internal policies and systems continue to mature and function effectively.

Key messages from this audit for all Australian Government entities

24. This audit is one of a series of gifts, benefits and hospitality audits that apply a standard methodology to selected entities’ compliance with gift, benefits and hospitality requirements. The three entities included in the ANAO’s gifts, benefits and hospitality series are:

• Department of the Treasury;
• Australian Communications and Media Authority; and
• Murray-Darling Basin Authority.

25. Key messages from the ANAO’s series of gifts, benefits and hospitality audits will be outlined in an Insights product available on the ANAO website.

Background

1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.¹ Credit cards are used by Commonwealth entities to support timely and efficient payment of suppliers for goods and services.² For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).

2. The Productivity Commission (the Commission) uses corporate credit cards for official purchases under $10,000, including for procurement, domestic taxi, and travel purposes. For 2021–22 and 2022–23, the Commission’s total credit card expenditure was approximately $1.5 million, comprising 6,884 transactions. Credit card expenditure represented 18 per cent of the Commission’s supplier expenses across the two years.³

Rationale for undertaking the audit

3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrongdoing.⁴

4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.⁵ The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.⁶

5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.⁷ The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority for approving credit card transactions⁸ and ineffective controls to manage the use of credit cards.⁹ This audit was conducted to provide the Parliament with assurance that the Commission is effectively managing corporate credit cards in accordance with legislative and entity requirements.

6. This audit is one of a series of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:

• Productivity Commission (the Commission);
• Australian Research Council;
• Federal Court of Australia; and
• National Disability Insurance Agency.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the Commission’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

8. To form a conclusion against the objective, the ANAO examined:

• whether the Commission has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
• whether the Commission has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.

Conclusion

9. The Commission’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective, as there were weaknesses in its implementation of preventive and detective controls and monitoring and reporting arrangements.

10. The Commission’s arrangements for managing the issue, return and use of corporate credit cards were partly effective. The Commission has considered risks associated with the use of corporate credit cards within its fraud control framework and identified relevant controls. Policies and procedures were largely fit for purpose, but eligibility criteria for issuing cards and information on providing supporting documentation for low value transactions (under $82.50) could be improved. The Commission did not have structured training and education arrangements in place to promote compliance with credit card policy and procedural requirements. The Commission’s credit card register was incomplete and inaccurate, and monitoring and reporting on credit card use was not regular and systematic. The Commission did not respond to Parliamentary questions on notice with accurate reporting on credit card use.

11. The Commission’s controls and processes for managing credit card issue, usage and return were partly effective in controlling the risk of credit card misuse. Preventive controls were not effective in preventing non-compliant taxi card transactions. There were weaknesses in detective controls relating to the provision of supporting documentation when reconciling taxi transactions. Positional authority risks could be better managed by clarifying delegation and approval requirements for senior executive cardholders. While the Commission has recovered funds from cardholders where instances of personal misuse have been identified, it has not documented its processes for escalating and managing identified non-compliance.

Supporting findings

Arrangements for managing corporate credit cards

12. The Commission had identified threats relating to credit card misuse and relevant controls in its fraud control plan. Assessment of these threats in the fraud risk register had not been informed by systematic controls testing. The Commission undertook an internal audit in 2022 that found significant gaps and weaknesses in its credit card controls and took action to address these findings. (See paragraphs 2.4 to 2.11)

13. The Commission’s policies and procedures for the issue, return and use of credit cards included coverage of core requirements within the Commission’s accountable authority instructions and other policies. Eligibility criteria for issuing credit cards and information on the need for supporting documentation for transactions under $82.50 could be improved. (See paragraphs 2.12 to 2.30)

14. While the Commission had published relevant policies and procedures on its intranet, it did not provide structured training and education to promote compliance with corporate credit card policy and procedural requirements. (See paragraphs 2.31 to 2.33)

15. The Commission’s cardholder register was incomplete and inaccurate and did not include sufficient details on the issue and return of cards. Reporting on the use of credit cards has occurred on an ad-hoc basis, with monitoring capability limited by the current financial management system in use. Detailed reporting on credit card non-compliance has not been provided to the Commission’s executive management, diminishing its understanding of fraud, risk and integrity implications arising from non-compliance. While the Commission reported on credit card issue and use when requested by Parliament, there were errors in its reporting. (See paragraphs 2.34 to 2.45)

Controls and processes for corporate credit cards

16. Preventive controls implemented by the Commission could be improved by strengthening visibility of cardholder spending and transaction limits. Preventive controls for hospitality and catering expenditure, purchases covered by whole-of-government arrangements, and to prevent non-compliant taxi card transactions were not operating effectively. Positional authority risks could be further managed through clarifying delegation and approval requirements for senior executive cardholders. (See paragraphs 3.4 to 3.30)

17. The Commission’s finance team reviews, acquits and verifies transactions manually each month. The Commission has not developed an approach to retaining and storing receipts for all taxi card transactions, which heightens the risk of errors, irregularities and fraud going undetected. (See paragraphs 3.31 to 3.41)

18. The Commission’s credit card control framework could be strengthened to ensure it identifies all potential instances of non-compliance. While the Commission has recovered funds from cardholders where instances of personal misuse have been identified, it has not documented its processes for escalating and managing identified non-compliance.(See paragraphs 3.43 to 3.50)

Recommendations

Summary of entity response

19. The proposed audit report was provided to the Productivity Commission. The Commission’s summary response is reproduced below. Its full response is included at Appendix 1. Improvements observed by the ANAO during the course of the audit are listed at Appendix 2.

The Commission is committed to improving the management of corporate credit cards, agrees with all six recommendations put forward by the ANAO, and appreciates the additional improvement opportunities. The Commission acknowledges the work undertaken by the ANAO to prepare the report and their constructive engagement with us during the audit.

Key messages from this audit for all Australian Government entities

20. This audit is part of a series of audits that applies a standard audit methodology to corporate credit card management in Commonwealth entities. The four entities included in the ANAO’s 2023–24 corporate credit card management series are the:

• Productivity Commission;
• Australian Research Council;
• Federal Court of Australia; and
• National Disability Insurance Agency.

21. Key messages from the ANAO’s series of credit card management audits will be outlined in an Insights product available on the ANAO website.