Audit snapshot

Why did we do this audit?

  • This is one of a series of credit card audits to be tabled by the ANAO in 2023–24.
  • The misuse of Australian Government credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities.
  • The robustness of controls to detect and prevent misuse of credit cards and action taken on non-compliance are indicative of an entity’s culture and integrity.
  • Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions and ineffective controls in the management of the use of credit cards.

Key facts

  • 29.3 per cent of Australian Research Council’s (ARC) staff held corporate credit cards in 2022–23 (49 cards), which represented 16.93 per cent of supplier expenses.

What did we find?

  • The ARC has been largely effective in managing the use of corporate credit cards.
  • The ARC had largely effective arrangements to manage the issue, return and use of credit cards. The ARC could improve the documentation of policies and procedures and test risk controls related to credit cards.
  • The implementation of preventive and detective controls was partly effective. There were weaknesses identifying non-compliance with policies and procedures. Positional authority was not addressed in policy.

What did we recommend?

  • There were three recommendations to the ARC relating to inconsistencies between policies and procedures and practice; addressing positional authority risk; and reviewing usage patterns to capture trends in use and non-compliance.
  • The ARC agreed to all recommendations.

  • $639817.53 in total credit card expenditure for 2021–22 and 2022–23.
  • 95.8% of corporate credit card transactions for 2021–22 and 2022–23 with evidence.
  • 83 cases of corporate credit card non-compliance with internal policies and procedures for 2021–22 and 2022–23.

Summary and recommendations

Background

1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.[1] Credit cards are used by Commonwealth entities to support timely and efficient payment of suppliers for goods and services.[2] For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).

2. The Australian Research Council (ARC) reported 140 staff in 2021–22 and 167 staff in 2022–23. Forty-three staff (30.7 per cent) in 2021–22 and 49 staff (29.3 per cent) in 2022–23 held corporate credit cards. Credit card expenditure in 2021–22 was $226,860.22 (from 441 transactions) and in 2022–23 was $411,957.31 (from 1,417 transactions). Total credit card expenditure over the two financial years was $638,817.53 (from 1,858 transactions). The number of transactions increased between the two financial years, due to the influence of the COVID-19 pandemic, which limited staff travel and hospitality during 2021–22. Credit card and travel expenditure represented 5.16 per cent and 16.93 per cent of ARC’s supplier expenses in 2021–22 and 2022–23, respectively.[3]

Rationale for undertaking the audit

3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.[4]

4. In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.[5] The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.[6]

5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.[7] The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority for approving credit card transactions[8] and ineffective controls to manage the use of corporate credit cards.[9] This audit was conducted to provide the Parliament with assurance that the ARC is effectively managing corporate credit cards in accordance with legislative and entity requirements.

6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements audit series are the:

  • Australian Research Council;
  • Federal Court of Australia;
  • National Disability Insurance Agency; and
  • Productivity Commission.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the ARC’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

8. To form a conclusion against the objective, the ANAO examined:

  • whether the ARC has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
  • whether the ARC has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.

Conclusion

9. The ARC was largely effective in managing the use of corporate credit cards for official purposes in accordance with legislative and entity requirements. Better implementation of preventive and detective controls could improve the ARC’s assurance over its corporate credit card use.

10. The ARC’s arrangements for managing the issue, return and use of corporate credit cards were largely effective. Documentation of policies and procedures could be improved and the ARC has not tested all risk controls related to credit cards. The ARC did not respond to parliamentary questions on notice with accurate information on credit card use.

11. The implementation of the ARC’s preventive and detective controls was partly effective in controlling risk. Controls were not always implemented in accordance with policy. Although the ARC had identified 10 instances of non-compliance that did not align with policies and procedures in 2021–22 and 2022–23, the ANAO identified 83. Positional authority risks were not directly addressed and there was no analysis of usage trends to improve the effectiveness of controls. The ARC has documented processes for managing non-compliance. This does not include detail on the processes for managing repeated instances of non-compliance.

Supporting findings

Arrangements for managing corporate credit cards

12. Risks related to credit card misuse are contained in the ARC’s Fraud Control Plan. Credit card compliance is reviewed through an annual CEO compliance review and a compliance survey every four months. There are opportunities for the ARC to improve the identification and management of controls around duplicate transactions. (See paragraphs 2.4 to 2.24)

13. The ARC’s policies and procedures for the issue, return and use of credit cards included coverage of requirements within accountable authority instructions and other policies. There is scope to improve documentation of policies and procedures. Policies and procedures were not reviewed and updated in line with the ARC’s timeframes. Language in the documents could be strengthened. (See paragraphs 2.25 to 2.43)

14. The ARC Credit Card Procedure and acquittal form provide details for acquittal. The cardholder agreement form outlines the credit card usage requirements. The ARC provides mandatory Fraud Awareness and Commonwealth Resource Management Framework e-learning to all staff and access to relevant webinars on fraud and scams. (See paragraphs 2.44 to 2.45)

15. The ARC has arrangements for monitoring and reporting on the issue, return and use of credit cards. The finance team monitors statements and acquittals on an ongoing basis and can produce reports on issue, return and use of cards through the HSBC Online Portal, as required. The ARC reports on credit card use as part of the annual CEO compliance review and monitors credit card compliance. The ARC reported on credit card issue and use when requested by Parliament, which included an overstatement for two questions on notice. (See paragraphs 2.46 to 2.54)

Controls and processes for corporate credit cards

16. Preventive controls implemented by the ARC could be strengthened by consistency in documentation. Documentation of expenditure type and credit card limits in the initial application process is not completed in line with policies and procedures. There is no process in place to periodically review cardholders with monthly credit limits above the policy-defined limits. Cancellation practice did not align with policies and procedures. (See paragraphs 3.4 to 3.20)

17. ARC reviews, acquits and verifies transactions manually each month. The supporting evidence required for all expenditure is not consistently provided to the delegate for approval. The ARC’s process for tracking travel approvals is inconsistent. The ARC implemented an Official Hospitality and Gifts Policy in June 2023. The ARC has not directly addressed positional authority risk. (See paragraphs 3.21 to 3.45)

18. The ARC has a process to manage instances of non-compliance; however, this process under-identified instances of non-compliance during 2021–22 and 2022–23. The ARC identified 10 instances of non-compliance that did not align with policies and procedures, compared with the ANAO’s identification of 83. The ARC has not established preventive and detective processes to periodically analyse usage trends to detect patterns across its corporate credit card and Diners Club virtual card expenditure. The policy and procedure require immediate reporting of credit card misuse; it does not include detail on the processes for managing repeated instances of non-compliance. (See paragraphs 3.46 to 3.54)

Recommendations

Recommendation no. 1

Paragraph 3.34

The Australian Research Council resolve inconsistencies between policies and procedures and actual practice.

Australian Research Council response: Agreed.

Recommendation no. 2

Paragraph 3.41

The Australian Research Council should consider positional authority risk directly, including for key roles, like the Chief Executive Officer (CEO); and if suitable, implement transparency measures, such as regularly reporting on these expenses to the Audit Committee Chair.

Australian Research Council response: Agreed.

Recommendation no. 3

Paragraph 3.51

The Australian Research Council review credit card transactions, to identify trends, such as trends in use and non-compliance, and their impact on policies and review and take corrective action. This work could include:

  1. periodic review of usage patterns to assess whether there is an ongoing business case for a credit card; and
  2. analysing patterns of credit card spending to develop ongoing improvements to methods for monitoring the effectiveness of the acquittal process.

Australian Research Council response: Agreed.

Summary of entity response

19. The proposed audit report was provided to the ARC. The ARC’s summary response is reproduced below. Its full response is included at Appendix 1. Improvements observed by the ANAO during the course of the audit are at Appendix 2.

The Australian Research Council (ARC) welcomes the Australian National Audit Office’s (ANAO) report and accepts the recommendations made for the agency.

The report finds that the ARC is effective overall in managing the use of corporate credit cards in accordance with legislative and entity requirements and the issue, return and use of corporate credit cards. The ANAO’s review of all credit card transactions for the audit period (2021–22 to 2022–23) also revealed no instances of fraud or deliberate misuse.

The report does identify areas for improvement and makes three recommendations where the ARC can take steps to further strengthen its policies, processes, and controls. The ARC agrees with, and will take steps to implement, these recommendations.

Key messages from this audit for all Australian Government entities

20. This audit is part of a series of audits that apply a standard methodology to corporate credit card management in Commonwealth entities. The four entities included in the ANAO’s 2023–24 corporate credit card management series are the:

  • Australian Research Council;
  • Federal Court of Australia;
  • National Disability Insurance Agency; and
  • Productivity Commission.

21. Key messages from the ANAO’s series of credit card management audits will be outlined in an Insights product available on the ANAO website.

1. Background

Introduction

1.1 Australian Government entities use credit cards to support timely and efficient payment to suppliers of goods and services. ‘Corporate credit cards’ include charge cards (such as Visa, Mastercard, Diners Club and American Express cards) and vendor cards (such as travel and fuel cards).[10] Other forms of credit used by Australian Government entities include credit vouchers (such as Cabcharge e-tickets).

Australian Government framework for using credit cards

1.2 The Commonwealth Resource Management Framework governs how Australian Government entities use and manage public resources. The cornerstone of the framework is the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

1.3 Under section 56 of the PGPA Act, the Minister for Finance has delegated the power to enter into a limited range of borrowing agreements to the accountable authorities[11] of non-corporate Commonwealth entities.[12] This includes the power to enter into an agreement for the issue and use of credit cards, providing money borrowed is repaid within 90 days.

1.4 The PGPA Act sets out general duties of accountable authorities and officials of Australian Government entities. Relevant to credit card use, officials have a duty not to improperly use their positions to gain or seek to gain a benefit or advantage for themselves or others, or to cause detriment to the Commonwealth, entity, or others.[13] Further, the duties of an accountable authority include:

  1. governing an entity in a way that promotes the proper use and management of public resources[14]; and
  2. establishing and maintaining appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.[15]

1.5 Under subsection 20A(1) of the PGPA Act, an accountable authority may give instructions (referred to as accountable authority instructions) to entity officials about any matter relating to the finance law. The Department of Finance has published model accountable authority instructions, which include model instructions for the use of credit cards (see Box 1) as well as suggestions for additional instructions on credit card use.[16]

Box 1: Model accountable authority instructions for credit card use — non-corporate Commonwealth entities

Only the person issued with a Commonwealth credit card or credit voucher, or someone specifically authorised by that person, may use that credit card, credit card number or credit voucher.

You may only use a Commonwealth credit card or card number to obtain cash, goods or services for the Commonwealth entity based on the proper use of public resources.

You cannot use a Commonwealth credit card or card number for private expenditure.

In deciding whether to use a Commonwealth credit card or credit voucher, you must consider whether it would be the most cost-effective payment option in the circumstances.

Before using a Commonwealth credit card or credit voucher, you must ensure that the requirements in the instructions Procurement, grants and other commitments and arrangements [a separate section of the model accountable authority instructions] have been met before entering into the arrangement.

You must:

  • ensure that your use of a Commonwealth credit card or credit voucher is consistent with any approval given, including any conditions of the approval.
  • ensure that any Commonwealth credit cards and credit vouchers issued to you are stored safely and securely.

1.6 The PGPA Act and model accountable authority instructions include other content relevant to credit card use, particularly on spending public money, official hospitality, and official travel.

  • Section 23 of the PGPA Act gives accountable authorities powers to approve commitments of ‘relevant money’ and enter into arrangements (which includes procuring goods and services with credit cards).[17] Accountable authorities usually delegate these powers to entity officials, specifying delegation limits for officials in certain work groups based on their position and the category of spending. While the PGPA Act does not require separate and prior approval before entering into a spending arrangement, section 18 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires officials with spending delegations to make a written record of their approval for a commitment as soon as practicable and to follow any directions or instructions of the accountable authority. The model accountable authority instructions suggest additional instructions could include: the circumstances in which approval is required; who has authority to approve different types of commitments; appropriate approval processes; and how to ensure spending commitments would be a proper use of public resources.
  • Official hospitality involves using public resources — generally, by entering arrangements under section 23 of the PGPA Act — to provide hospitality to persons other than entity officials to support the achievement of Australian Government objectives. The model accountable authority instructions suggest additional instructions could include: what is considered official hospitality; who can approve it; recordkeeping and reporting processes; whether delegates can approve official hospitality if they may personally benefit from it; and whether alcohol can be provided and what rules, if any, apply to the provision of alcohol.
  • When Australian Government officials travel for business purposes, they are generally required to use whole-of-government coordinated procurement arrangements. These arrangements encompass: domestic and international air services; travel management services; accommodation program management services; travel and card related services; and car rental services. Under the arrangements, entities must make payments for flights, domestic accommodation and car rental through an account with a credit provider.[18] Entities can also allow their officials to use a ‘companion’ MasterCard (available through the Diners Club arrangement) to pay for meals, incidentals and general purchasing.

1.7 The Australian Government’s Supplier Pay On-Time or Pay Interest Policy requires non-corporate Commonwealth entities to make eligible payments valued under $10,000 by payment card (which includes by credit card), and to establish and maintain internal policies and processes to facilitate the timely payment of suppliers using payment cards.[19] The policy also encourages payment card use for other payments (such as payments valued over $10,000).

Overview of the Australian Research Council

1.8 Under the PGPA Act, the Australian Research Council (ARC) is classified as a non-corporate Commonwealth entity (a Commonwealth entity that is not a body corporate).[20] It was established as an independent body under the Australian Research Council Act 2001 and reports to the Minister for Education. The ARC’s purpose is ‘[t]o help shape the Australian research system for the benefit of the nation by enabling world-leading research, fostering research quality, impact and translation, and safeguarding research integrity’.[21]

1.9 The ARC reported 140 staff in 2021–22 and 167 staff in 2022–23. The ARC’s office is located in Canberra.

Australian Research Council’s use of credit cards

1.10 The ARC used two types of credit cards in 2021–22 and 2022–23:

  • Diners Club virtual card — for the purposes of booking travel as per Whole of Australian Government Travel Arrangements; and
  • HSBC corporate credit cards — for procurement and travel-related expenses.

1.11 The ARC’s expenditure on corporate credit cards in 2021–22 and 2022–23 is set out in Table 1.1. The number of transactions increased between the two financial years, due to the effect of the COVID-19 pandemic, which limited staff travel and hospitality during 2021–22. The ARC does not use other types of cards, such as fuel cards.

Table 1.1: Credit cards in use, transactions and expenditure, 2021–22 and 2022–23

| Card type | 2021–22: Cards in use | 2021–22: No. of transactions | 2021–22: Expenditure | 2022–23: Cards in use | 2022–23: No. of transactions | 2022–23: Expenditure |
|---|---|---|---|---|---|---|
| HSBC credit cards | 43 | 385 | $206,627.03 | 49 | 1,082 | $224,208.76 |
| Diners Club virtual card | 1 | 56 | $20,233.19 | 1 | 335 | $187,748.55 |
| Total | 44 | 441 | $226,860.22 | 50 | 1,417 | $411,957.31 |

             

Source: ANAO analysis of ARC data.

1.12 Figure 1.1 shows total HSBC corporate credit card expenditure by classification level.

Figure 1.1: HSBC corporate credit card expenditure by classification level in 2021–22 and 2022–23

A figure that shows the HSBC corporate credit card expenditure by APS, Executive and Senior Executive Service (SES) Band 1, Deputy CEO SES Band 2, Chief Research Officer and the Chief Executive Officer in 2021–22 and 2022–23. It shows staff at Executive level 1 had the highest total corporate credit card expenditure in both financial years. This is followed by staff at the Executive level 2 and SES Band 1.

Source: ANAO analysis of ARC credit card transaction reports.

1.13 Table 1.2 outlines the total number of vendors to which the ARC made payments in 2021–22 and 2022–23 and the expenditure as a proportion of the total suppliers expenses.

Table 1.2: Credit card usage by vendor in 2021–22 and 2022–23

 

| | 2021–22 | 2022–23 |
|---|---|---|
| Number of vendors that received payments | 164 | 382 |
| Total credit card expenditure as a proportion of total suppliers expenses (a) | 5.16% | 16.93% |

     

Note a: Total suppliers expenses for 2021–22 were $4,397,000 and for 2022–23 were $2,433,000.

Source: ANAO analysis of ARC data.

1.14 Figure 1.2 outlines the expenditure based on the top 10 merchants. Canberra Airport Pty Ltd is the ARC’s lessor for its premises. Canberra Airport Pty Ltd represented the highest total credit card expenditure, at a total expense of $50,146.02 for 2021–22 and 2022–23. Credit card payments to Canberra Airport Pty Ltd related to parking and venue hire.[22]

Figure 1.2: Breakdown of HSBC expenditure based on top ten merchants in 2021–22 and 2022–23

A figure that shows HSBC corporate credit card expenditure broken down by the top ten merchants in 2021–22 and 2022–23. The top seven merchants, from biggest to smallest in 2022–23, are: Canberra Airport PTY LTD, Australian Public Service Commission, Universities Australia, ShareGate, Sofitel Brisbane OPI, Australian HR Institute LTD, and ACON Health Limited. Australian Department of Defence, Kirribilli Partners and The Hatchery did not have HSBC corporate credit card expenditure in 2022–23.

Source: ANAO analysis of ARC data.

Rationale for undertaking the audit

1.15 The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.[23]

1.16 In describing the role of Senior Executive Service (SES) officers, the APSC states that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.[24] The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.[25]

1.17 Deliberate misuse of a corporate credit card is fraud. The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous audits have identified issues in other entities relating to positional authority in approvals of credit card transactions[26] and ineffective controls in the management of the use of credit cards.[27] This audit was conducted to provide the Parliament with assurance that the ARC is effectively managing corporate credit cards in accordance with legislative and entity requirements.

Audit approach

Audit objective, criteria and scope

1.18 The objective of the audit was to assess the effectiveness of the ARC’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

1.19 To form a conclusion against the objective, the ANAO examined:

  • whether the ARC has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
  • whether the ARC has implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.

1.20 The audit focused on the ARC’s management and use of credit cards, including travel approval and acquittals, in the 2021–22 and 2022–23 financial years.

1.21 There were no transactions on Cabcharge or other vendor cards in 2021–22 and 2022–23.

Audit methodology

1.22 The audit methodology included:

  • review of legislative and entity frameworks guiding the use of corporate credit cards;
  • review of the ARC’s documentation, including policies and procedures, risks registers, training material and reporting;
  • analysis of the ARC’s data, including publicly reported information and data obtained during the audit; and
  • meetings with the ARC staff.

1.23 The audit was conducted in accordance with the ANAO Auditing Standards at a cost to the ANAO of approximately $316,510.

1.24 The team members for this audit were Elvira Manjaji-Baxter, Raza Gulani, Benedict Xu-Holland, Kayla Hurley, Eb Chomkul and David Tellis.

2. Arrangements for managing corporate credit cards

Areas examined

This chapter examines whether the Australian Research Council (ARC) had effective arrangements in place to manage the issue, return and use of corporate credit cards.

Conclusion

The ARC’s arrangements for managing the issue, return and use of corporate credit cards were largely effective. Documentation of policies and procedures could be improved and the ARC has not tested all risk controls related to credit cards. The ARC did not respond to parliamentary questions on notice with accurate information on credit card use.

Areas for improvement

The ANAO identified one opportunity for improvement: ensuring policies and procedures are reviewed and updated within established timeframes, and strengthening language in policies and procedures (paragraph 2.32).

2.1 If Australian Government officials deliberately misuse corporate credit cards, they are committing fraud. Other risks of credit card use include: inadvertent personal use; unauthorised or inappropriate work use; incorrect charging by merchants; and external fraud enabled by stolen credit card details.

2.2 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), an accountable authority of an Australian Government entity has a duty to establish and maintain appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.[28]

2.3 In addition, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) establishes a requirement for an accountable authority of a non-corporate Commonwealth entity to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.[29] Specific requirements of the Australian Government’s Fraud Rule include:

  • conducting regular fraud risk assessments and developing and implementing a fraud control plan that deals with identified risks;
  • establishing appropriate preventive controls (which should include fit-for-purpose policies and procedures and effective training and education arrangements); and
  • establishing appropriate monitoring and reporting arrangements.

Have appropriate arrangements been established for managing risks associated with use of corporate credit cards within the ARC?

Risks related to credit card misuse are contained in the ARC’s Fraud Control Plan. Credit card compliance is reviewed through an annual CEO compliance review and a compliance survey every four months. There are opportunities for the ARC to improve the identification and management of controls around duplicate transactions.

Enterprise risk management arrangements

2.4 The ARC has a risk framework in place which is supported by processes and documents that set out general requirements and minimum standards that need to be considered when implementing the risk framework. Documents supporting the risk framework include:

  • ARC Fraud Control Plan 2020–22 and 2022–24;
  • ARC Risk Management Policy (April 2021);
  • ARC Risk Management Plan and Toolkit (April 2021); and
  • ARC Chief Executive Instructions (September 2018 and May 2023), which adopt the Accountable Authority Instructions (AAIs).

2.5 Elements of the risk framework most relevant to credit card risk are the ARC’s risk register and the ARC Credit Card Policy, through which the ARC has explicitly considered actions to mitigate credit card risk.

Fraud control plan and fraud risk register

2.6 The ARC Fraud Control Plan’s purpose is to ‘provide policy direction, instructions and procedural guidelines for fraud control by ARC officials’ to meet the requirements of the PGPA Act.

2.7 The ARC Fraud Control Plan includes the Risk Analysis Matrix, which describes a ‘Low rating’ as meeting the ARC’s risk appetite. The ARC has ‘zero tolerance’ for fraudulent activities.

2.8 The ARC has combined its operational and fraud risks into a single risk register, which the ARC advised the ANAO in April 2024 is reviewed twice a year. The risk register has a dedicated section for credit cards that identifies:

  • risk owners (at the business unit level, the Corporate Services Branch, and at the individual level, the Chief Financial Officer);
  • risk event, causes and impacts;
  • whether something is a ‘fraud risk’;
  • risk levels, likelihood and consequence of occurrence;
  • whether an incident had actually occurred;
  • controls in place;
  • shared risks; and
  • residual ratings.

2.9 Table 2.1 outlines the seven credit card-related risks identified in the ARC’s risk register and the ARC’s assessment of inherent risk levels and the corresponding residual risk levels. The ARC advised the ANAO in April 2024 that it assesses the residual risk levels, twice a year, against the implemented controls and mitigations consistent with the ARC’s Fraud Control Plan.

2.10 Two inherent risks were assessed as ‘Medium’. All seven residual risk ratings were ‘Low’. The ARC evaluates residual risks based on its assessment of controls implemented to manage risks. These controls include:

  • a dedicated finance team reviewing all statements and reconciliations;
  • the approvals processes;
  • credit card limits; and
  • controls in place by the bank.

Table 2.1: Credit card-related risks and ARC-identified risk level

| Risk | Inherent risk level | Residual risk level |
| --- | --- | --- |
| Fraudulent purchases and transactions made on a corporate credit card (a) | Medium | Low |
| Unauthorised transactions and expenditure charged to a credit card (b) | Medium | Low |
| Finance section staff (who have access to all credit card numbers) make fraudulent purchases by phone | Low | Low |
| Corporate credit cardholders make cash withdrawals | Low | Low |
| Fraudulent purchases (domestic including Australian Government credit card and overseas purchases when cardholder is on travel allowance) | Low | Low |
| A stolen or lost card not reported in a timely way used to make purchases | Low | Low |
| Card details misused by merchants (including double billing, bogus purchases, fraudulent purchases and overcharging) | Low | Low |

Note a: The ARC Risk Register identified controls to reduce this risk from medium to low: a small number of people with access who review reconciliations; appropriate fraud awareness training and instructions signed by cardholders; approvals processes; low card limits; CFO only verifying all cards issued; banks monitoring out of the ordinary transactions and PIN authorisation required for over-the-counter transactions.

Note b: The ARC Risk Register identified controls to reduce this risk from medium to low: approvals processes, the finance section checking all reconciliations, including checking receipts; low card limits; and bank controls that block same value transactions made by the same merchant within a short time frame.

Source: ANAO analysis of the ARC risk register.

2.11 The ARC’s risk register considers credit card risks associated with travel.

  • Controls to prevent fraudulent credit card travel transactions are: travel movement requisitions; and credit card reconciliations needing approval by supervisors.
  • The register considers the risk of fraudulent purchases caused by staff members using the ARC credit card to purchase meals or incidentals when they have been paid travel allowance.
  • The controls for fraudulent purchases caused by staff members using the credit card when they should use travel allowance are:
    • credit card reconciliations are approved by the cardholder’s supervisor and reviewed by the Finance Section;
    • travel requires a travel acquittal; and
    • low card limits are in place.

2.12 There are examples of inconsistencies in the ARC’s risk documents for credit cards.

  • In the risk register, ‘Fraudulent purchases and transactions’ was marked as ‘FALSE’ under ‘fraud risk’.
  • The ARC Risk Analysis Matrix states ‘low risks…do not require further attention’, which is inconsistent with the statement ‘periodic confirmation that controls continue to be in place and are effective’.30

Risk mitigation

2.13 The ARC Credit Card Policy states that staff are not to obtain cash advances. The check box on initial HSBC credit card applications can be selected to prevent this. HSBC confirmed to the ARC in February 2024 that cash advances are blocked regardless of the check box control, and that cash advances are blocked for all current cardholders.

2.14 Merchant blocking can be used to prevent the misuse of corporate credit cards and minimise fraud risks by excluding classes of transactions from high-risk vendors. The ARC does not block merchant types, and it advised the ANAO in February 2024 that blocking specific merchants would introduce more risk as some merchant types are broader than others.31 The ARC considers misuse of credit card details by merchants as a risk in the risk register; however, there is no documented risk assessment that takes into account the risk around blocking certain merchant types.

2.15 The ANAO identified one instance where a risk control had not been tested. A credit card risk control listed in the ARC risk register stated the credit card provider will block same value transactions made by the same merchant ‘within a short time frame’ to reduce the risk of duplicate transactions. The ANAO identified one occasion where payments from the same merchant, for the same amounts, were made on the same day.32 Despite being valid transactions, these were not identified by the ARC or blocked by HSBC.

2.16 The ARC Credit Card Policy considers risk mitigation through five scenarios where a credit card could be cancelled:

  • the cardholder ceases employment with the ARC;
  • the cardholder no longer requires the card because of a change of duties or position;
  • the cardholder fails to comply with any CEO Directions, ARC’s policies or procedures relating to the use of the credit card;
  • requested to do so by a supervisor, director or the Chief Financial Officer (CFO) or Deputy Chief Financial Officer (DCFO); or
  • the credit card has not been used for more than twelve months.

Compliance review

2.17 The ARC finance team conducts ongoing transactional checks and an annual review of credit card compliance, which is documented as part of the annual CEO compliance review.

2.18 The ARC requires its executive level and senior executive staff to complete a compliance survey every four months. The compliance survey has two questions about awareness of:

  • personal purchases on their corporate credit card; or
  • failure to follow the ARC Credit Card Policy and Procedures.

2.19 The ARC advised the ANAO in April 2024 that responses to the survey are analysed by the finance team and CFO and reported to the ARC Audit and Risk Committee. Two instances where a corporate credit card was accidentally used for personal purchases were reported through the compliance survey and included in the annual CEO compliance review 2021–22. There were no instances reported in 2022–23.

2.20 In its annual CEO compliance review, the ARC stated that preventive and detective controls are in place and:

ongoing testing [and] checking is conducted on compliance with financial delegations, and compliance with the delegation to sign contracts, upon transaction entry to the contracts register and upon processing claims for payment. Any issues identified are recorded in the Financial Non-Compliance Register or Late Payment of Invoices Register.

2.21 Incidents of non-compliance identified by the ARC have been included in the risk register.

Audit Committee and Management-Initiated Review

2.22 The ARC’s Audit and Risk Committee provides oversight of the entity’s enterprise risk management framework for identification and management of financial risks, including fraud. The ARC’s Fraud Control Plan identifies reviews and internal audits as a way to minimise the impact of fraud. The ARC’s Audit and Risk Committee is provided with information on credit card risk, but there was no mention of credit card risk in the ARC audit committee minutes beyond consideration of the annual compliance reporting.33

2.23 An internal audit was completed in 2021–22 on the ARC risk management framework to review arrangements for reporting and monitoring of operational risks that exceed the ARC’s risk appetite. The internal audit did not directly consider credit card risk, but stated that ‘the ARC’s overall approach to undertaking the review process provides adequate assurance that it is complying with its financial management obligations under Finance Law’. There were no internal audits on credit card compliance in 2022–23.

2.24 McGrath Nicol completed a series of risk workshops in June 2022, as part of the management-initiated review of the ARC’s fraud control arrangements. The aim of the review was to understand the level of fraud risk and control awareness by its staff. The review identified controls and gaps for a number of scenarios with a risk of occurrence (inappropriate disclosure to grant recipients, inappropriate use of Government assets). The misuse of credit cards and unauthorised purchases was considered as a specific scenario. The credit card scenario noted a control which limited transactions to $5,000, contradicting the ARC Credit Card Policy that sets transaction limits by the classification level of individual cardholders.

Has the ARC developed fit-for-purpose policies and procedures for the issue, return and use of corporate credit cards?

The ARC’s policies and procedures for the issue, return and use of credit cards included coverage of requirements within accountable authority instructions and other policies. There is scope to improve documentation of policies and procedures. Policies and procedures were not reviewed and updated in line with the ARC’s timeframes. Language in the documents could be strengthened.

Policies and procedures

2.25 The ARC has policies and procedures to cover the issue, return and use of credit cards. During 2021–22 and 2022–23 the following were in place:

  • ARC Credit Card Policy (March 2010 and February 2023) for HSBC corporate credit cards;
  • ARC Credit Card Procedure (March 2021) for HSBC corporate credit cards;
  • ARC Chief Executive Instructions (September 2018 and May 2023);
  • ARC Financial Delegations Matrix;
  • ARC Financial Delegations Guidance (December 2022);
  • ARC Travel Policy (January 2020 and December 2022);
  • ARC Official Hospitality Guidelines (April 2019); and
  • ARC Official Hospitality and Gifts Policy (June 2023).

2.26 Policies and procedures met the requirements of the AAIs for non-corporate Commonwealth entities set out by the Department of Finance (see Box 1). Policies did not explicitly include the AAI requirement to ensure individual card use, but the ARC uses a form to gain approval before using another person’s credit card.34 The form was last updated in 2014 and the requirement to use the form is not documented in policies or procedures.

2.27 The ARC Financial Delegations Matrix was in use during 2021–22 and 2022–23. This assigned financial delegations for approval of types of transactions over $150. Transactions, in accordance with the ARC Credit Card Policy, up to $150 do not require delegate approval. The ARC Financial Delegations Matrix assigned approval delegation for purchases related to hospitality and gifts, overseas travel and IT assets.

2.28 Figure 2.1 outlines policies and procedures in place during 2021–22 and 2022–23. There were policies and procedures which were not reviewed by the scheduled review date:

  • ARC Credit Card Policy — HSBC 1.0 was due for review in February 2022. The new version 2.0 was in place in February 2023;
  • ARC Credit Card Procedure — HSBC 1.0 was due for review in February 2022;
  • ARC Fraud Control Plan — 2020–22 was due for review in May 2022. The new 2022–24 version was in place in August 2022;
  • ARC Official Hospitality Guidelines — 1.0 was due for review in April 2020. It was subsequently replaced with the ARC Official Hospitality and Gifts Policy in June 2023; and
  • ARC Travel Policy — 3.1 was due for review in January 2021. The new version was in place in December 2022.

2.29 The following policies and procedures were implemented during 2022–23:

  • ARC Financial Delegations Guidance 1.0 — in place December 2022;
  • Standard Operating Procedure — Cabcharge 1.0 was in place from March 2023; and
  • ARC Official Hospitality and Gifts Policy 1.0 — in place June 2023.

2.30 The following policies were implemented after 2022–23:

  • ARC Credit Card Policy — Diners Club Virtual Card Number 1.0, from November 2023; and
  • ARC Financial Delegations Policy 1.0, from November 2023.

Figure 2.1: Summary of the ARC policies and procedures in place during 2021–22 and 2022–23

Figure is described in paragraphs 2.25, 2.28 to 2.30

Source: ANAO analysis of ARC policies and procedures.

2.31 The ANAO identified language, such as ‘may’, and examples of instructions in the ARC Credit Card Policy and Procedures that were not followed in practice:

  • ‘[t]he card is not transferable and may be cancelled by ARC Finance’ when ‘[t]he Cardholder ceases employment with the ARC’;
  • ‘Credit Card Coordinator will lock the card in the Finance safe’35; and
  • ‘the supplier is then contacted to verify they are a legitimate business’.

Opportunity for improvement

2.32 The Australian Research Council consider:

  1. reviewing and updating its policies and procedures within the established timeframe; and
  2. strengthening language in policies and procedures.

Issue

2.33 Eligibility requirements for credit card applications are identified and documented in the ARC Credit Card Policy. These apply to ongoing and non-ongoing employees and eligible contractors, with a ‘genuine business need’. This business need is identified in the ARC Credit Card Policy to facilitate payment for minor purchases and travel expenditure. Cardholders are required to sign the Corporate Credit Card Agreement, which sets out cardholder responsibilities and terms of use, including limits.

2.34 The ARC has a procedure for the issue of corporate credit cards. The ARC Credit Card Procedure requires the supervisor, Executive Level 2 or higher (or equivalent), to send a recommendation to the Credit Card Coordinator that the ARC staff member requires an HSBC corporate credit card. The procedure states that the recommendation should include what the card is to be used for (travel, purchasing or both) and the credit limits to be applied. The ARC Credit Card Policy requires all requests for the issue of a corporate credit card to be approved by the CFO or DCFO after director or branch manager approval. Once approved, the Credit Card Coordinator makes arrangements to issue corporate credit cards, including preparing an application form for completion by the proposed cardholder.

2.35 Once an HSBC corporate credit card is received by the Credit Card Coordinator after approval, the Corporate Credit Card Agreement is signed by the cardholder, who then takes possession of the card. The agreement requires the cardholder to acknowledge that the card will be used for either travel-related expenditures or minor purchases and identifies the monthly financial limit and transaction limit. The agreement asks the cardholder to acknowledge that they have understood the following:

  • ARC Corporate Credit Card Policy — HSBC;
  • ARC Corporate Credit Card Procedure — HSBC;
  • ARC Travel Policy;
  • ARC Chief Executive Instructions; and
  • HSBC Corporate Card and HSBC Business Card — User Condition of Use.

Use

Corporate credit cards

2.36 Arrangements are in place for corporate credit card and travel delegations, approvals and authorisations. The ARC Financial Delegations Matrix and ARC Financial Delegations Guidance determine approval levels for certain types of transactions over $150 (also refer to paragraph 2.27 for amounts up to $150). The policy and procedure set requirements for approvals and pre-approvals. The $150 amount that can be approved by delegates, as described in the ARC Financial Delegations Matrix, is not included in the policy and procedure or in the ARC Financial Delegations Guidance.

2.37 The ARC Credit Card Procedure requires cardholders to take the following steps when acquitting credit card transactions. Key requirements include:

  1. matching the supporting documentation for the transaction (for example, the tax invoice or receipt) to the statement;
  2. completing a credit card reconciliation form;
  3. coding each purchase on the statement to the appropriate general ledger account and cost centre codes; and
  4. submitting reconciliations to the ARC finance team by the deadline unless an alternative arrangement has been agreed by the ARC finance team.

2.38 The credit cardholder must attach all required supporting documentation at the time of acquittal.

Travel

2.39 The Department of Finance established and manages the Whole of Australian Government Travel Arrangements (Travel Arrangements).36 The objectives of these arrangements are to reduce travel costs, decrease administrative costs, simplify processes and optimise savings.37 Under the Travel Arrangements, payments such as for official airfares, accommodation and car rental expenses are made through Diners Club. Other arrangements include travel through QBT; airfares purchased from a panel of 18 airlines; accommodation purchased through AOT; and vehicle rental services purchased through Hertz.38

2.40 The ARC implemented a Diners Club virtual card from 2010, without a Diners Club card policy. Diners Club virtual cards are not individually issued to ARC staff. Instead, a single virtual Diners Club card is managed by the ARC’s finance team for travel-related payments, such as airfares, accommodation, and vehicle rental expenses; and other travel-related costs booked through the Travel Arrangements. Travel was booked under Travel Arrangements, with the Diners Club card, as per the ARC Travel Policy. Executive assistants used individual travel spreadsheets as a tool to ensure travel policies, including approval procedures, are followed.

Return

2.41 On cessation of employment, the employee is required to complete an exit notification form managed by the human resources team. The form requires the cardholder to confirm the return of their credit card.

2.42 A corporate credit card may be cancelled under certain circumstances. The ARC CEIs require ‘review [of] patterns of usage with a view to cancelling infrequently used cards’. The ARC advised the ANAO in November 2023 that usage trends are not reviewed.

2.43 Policies and procedures were in place to cover issue, use and return of credit cards. Some elements of processes are not documented. These are the:

  • process of applying for a new credit card on the HSBC portal;
  • tracking process for pre-approvals for assets;
  • timeframes for reconciliations; and
  • recording of travel approvals through individual spreadsheets by executive assistants.

Has the ARC developed effective training and education arrangements to promote compliance with policy and procedural requirements?

The ARC Credit Card Procedure and acquittal form provide details for acquittal. The cardholder agreement form outlines the credit card usage requirements. The ARC provides mandatory Fraud Awareness and Commonwealth Resource Management Framework e-learning to all staff and access to relevant webinars on fraud and scams.

Credit card training

2.44 The ARC has training and education arrangements in place for cardholders and supervisors. The ARC Credit Card Procedure and acquittal form both describe the process for acquittal. The ARC advised the ANAO in December 2023 that training is provided one-on-one as needed. The ARC provides risk and fraud e-learning to all the ARC staff to ensure they understand their responsibilities under the PGPA Act; and HSBC — the credit card provider — provides relevant webinars on common types of fraud and scams.

2.45 A Fraud Awareness and Commonwealth Resource Management Framework e-learning course is available in the ARC’s LearnHub (an online training platform) and comprises mandatory training for all staff. In calendar years 2022 and 2023, completion rates were 99 per cent and 97 per cent, respectively. The ARC advised the ANAO in April 2024 that it obtains these levels of completion through active follow-up and that lack of completion by staff members was due to long-term leave. One staff member did not complete the mandatory training in 2022 and four staff members in 2023. The ARC advised the ANAO in April 2024 that reminder emails were sent to staff members that had not completed the training. There was no evidence to demonstrate how this was managed when the staff members continued to remain non-compliant.

Does the ARC have appropriate arrangements for monitoring and reporting on the issue, return and use of credit cards?

The ARC has arrangements for monitoring and reporting on the issue, return and use of credit cards. The ARC monitors statements and acquittals on an ongoing basis and can produce reports on issue, return and use of cards through the HSBC Online Portal, as required. The ARC reports on credit card use as part of the annual CEO compliance review and monitors credit card compliance. The ARC reported on credit card issue and use when requested by Parliament, which included an overstatement for two questions on notice.

Monitoring issue and return

2.46 The ARC uses the HSBC Online Portal to track and report on issued and cancelled corporate credit cards as required. The register provides details on:

  • cardholder details;
  • credit card number;
  • credit card expiry;
  • credit limit;
  • current balance; and
  • credit card open and close date.

Monitoring use and reporting

Internal reporting

2.47 The ARC reports on credit card use to the CEO, as part of the annual financial statement process. The finance team tracks statements and acquittals and can draw reports from the HSBC Online Portal, although these procedures are not documented. Reports required outside of the annual compliance review process are drawn from the online portal as required.

2.48 The ARC reported four credit card-related incidents in the relevant period, of two types (personal misuse and purchase of an asset without pre-approval), through the annual CEO compliance review. These were entered into the risk register as risk events that had occurred. Additional non-compliances with policy were noted in the annual CEO compliance review. In the annual CEO compliance review 2021–22, the results of the annual sampling of credit card transactions (three sampled per month) identified one instance where the transaction was not acquitted properly; but this was not linked to the risk register. The information was presented in the report in an aggregated way, and did not identify details of the sample transactions used to complete the review.

2.49 The HSBC Online Portal allows the ARC to track returned credit cards. The ARC advised the ANAO in April 2024 that credit cards were cancelled due to staff leaving, surrendered voluntarily due to lack of use, or staff reporting cards as ‘lost or stolen’.

Reporting to Parliament on corporate credit card use

2.50 The ARC provided responses to a series of questions on notice on credit card issue and use to the Standing Committee on Education and Employment following Senate Estimates hearings in 2022–23 and 2023–24. The ARC’s responses to a selection of questions are outlined in Table 2.2 (see Appendix 3 for the complete set of questions).

Table 2.2: ARC responses to Senate Estimates questions on notice on credit cards (a)

| Question | 2022–23 Suppl. Budget estimates (asked 3/03/23) | 2023–24 Budget estimates (asked 19/06/23) |
| --- | --- | --- |
| Period covered by answer | Between 1 July 2022 and 28 February 2023 | Between 1 July 2022 and 31 May 2023 |
| Number of cards on issue | 36 | 36 |
| Largest reported purchase | $8,528 | $8,995 |
| No. of cards reported lost or stolen | 0 | 0 |
| No. of purchases deemed illegitimate or contrary to policy | 3 (b) | 4 (c) |
| Amount of illegitimate or contrary to policy purchases | $6,266.00 (d) | $6,352.00 (e) |
| Amount repaid | $50.00 | $136.00 |
| Highest value illegitimate or contrary to policy purchase repaid | $50.00 | $85.79 |

Note a: Figures reported in this table are GST inclusive.

Note b: Consists of purchase of two iPhones ($3,916.65), 12 headsets ($2,212.55) and a repaid personal transaction ($50.23).

Note c: Consists of purchase of two iPhones ($3,916.65), 12 headsets ($2,212.55) and repaid personal transactions of two employees ($50.23 and $85.79).

Note d: The ANAO queried a possible discrepancy in the calculations. The ARC confirmed in April 2024 there was an error in the calculations of the total amount of purchases made contrary to policy. The amount should equate to $6,179.43, which was an overstatement of $86.57. One purchase related to a personal transaction of $50.23 (see paragraph 3.46) and was repaid. The remaining two purchases ($3,916.65 and $2,212.55) were reported as minor assets without pre-approval from CFO. The ARC advised Parliament in its question on notice response that these were ‘a proper use of resources’, but ‘not in accordance with agency policy’ and ‘[c]orrective action was undertaken and all ARC Officials were reminded about the Agency’s policy in relation to the purchase of assets which requires the Chief Financial Officer to provide approval prior to an acquisition being made by credit card.’

Note e: The ANAO queried a possible discrepancy in the calculations. The ARC confirmed in April 2024 there was also an error in the calculations of the total amount of purchases made contrary to policy. The amount should equal $6,265.22, which was an overstatement of $86.78.

Source: Senate Estimates question on notice database.

2.51 The ARC’s responses to Senate Estimates questions reported the non-compliance identified through the ARC’s internal review process. The values reported to Parliament were inaccurate, resulting in an overstatement of the actual expenditure.39 The ARC advised the ANAO in May 2024 this was due to human error.

2.52 The ANAO identified that the ‘purchases’ reported in the questions on notice were the equivalent of 10 HSBC corporate credit card transactions. The ARC advised the ANAO in June 2024 that it had grouped transactions related to the same events and reported them as ‘purchases’ in the responses to questions on notice.

2.53 In the 2022–23 Supplementary Budget Estimates, the ARC reported three ‘purchases’ as contrary to policy, grouped as iPhones, headsets and personal misuse (meal purchase). These ‘purchases’ consisted of five HSBC corporate credit card transactions.

2.54 In the 2023–24 Budget Estimates, the ARC reported an additional illegitimate ‘purchase’ grouped as another personal use (taxi fare). This additional ‘purchase’ comprised a further five transactions.

3. Controls and processes for corporate credit cards

Areas examined

This chapter examines whether the Australian Research Council (ARC) had implemented effective controls and processes for corporate credit cards in accordance with its policies and procedures.

Conclusion

The implementation of the ARC’s preventive and detective controls was partly effective in controlling risk. Controls were not always implemented in accordance with policy. Although the ARC had identified 10 instances of non-compliance that did not align with policies and procedures in 2021–22 and 2022–23, the ANAO identified 83. Positional authority risks were not directly addressed and there was no analysis of usage trends to improve the effectiveness of controls. The ARC has documented processes for managing non-compliance. This does not include detail on the processes for managing repeated instances of non-compliance.

Areas for improvement

The ANAO made three recommendations aimed at resolving inconsistencies between policies and procedures and actual practice (paragraph 3.34); addressing positional authority (paragraph 3.41) and reviewing usage and non-compliance trends to identify opportunities for improvement or to take corrective action (paragraph 3.51).

The ANAO also suggested three opportunities for improvement to encourage: periodic review of the business need of cardholder limits (paragraph 3.8); improved consistency in new corporate credit card applications (paragraph 3.20); and consistent implementation of the travel policy (paragraph 3.29).

3.1 Preventive controls work by reducing the likelihood of inappropriate credit card use before a transaction has been completed. Preventive controls for credit cards can include policies and procedures; education and training; deterrence messaging; declarations and acknowledgements; blocking certain categories of merchants; issuing cards only to those with an established business need; placing limits on available credit; and limiting the availability of cash advances.

3.2 Detective controls work after a credit card transaction has occurred by identifying if there is a risk that it may have been inappropriate. Detective controls for credit cards can include: regular review processes (with segregation of duties between cardholder and reviewer); exception reporting; fraud detection software; tip-offs and public interest disclosures; monitoring and reporting; and audits and reviews.

3.3 When detective controls identify instances of potential fraud or non-compliance, entities should have effective processes in place for managing investigations and implementing follow-up actions (such as further training, sanctions, or referral to law enforcement agencies).

Has the ARC implemented effective preventive controls on the use of corporate credit cards?

Preventive controls implemented by the ARC could be strengthened by consistency in documentation. Documentation of expenditure type and credit card limits in the initial application process is not completed in line with policies and procedures. There is no process in place to periodically review cardholders with monthly credit limits above the policy-defined limits. Cancellation practice did not align with policies and procedures.

Issuing credit cards

3.4 The ARC’s Credit Card Policy and Procedure for issuing cards are outlined at paragraphs 2.33 to 2.35. The procedure states that the delegate’s recommendation to issue a new corporate credit card should include what the card is to be used for (travel, purchasing or both) and the credit limits to be applied. None of the emails recommending a new corporate credit card addressed these requirements. Despite this, the credit card applications have both expenditure types ticked and credit limits set based on the monthly credit limit identified for each officer role in the ARC Credit Card Policy.

3.5 From April 2020, the ARC changed its provider from ANZ to HSBC through a bulk submission and opened 33 new HSBC corporate credit cards. The ARC advised the ANAO in May 2024 that, at the point of bulk transfer, ‘individual credit card applications were not required and Corporate Credit Card Agreements and monthly credit limits and transaction limits were carried over from previous ANZ corporate credit card’. There is no evidence of any review to change credit limits when cardholders change roles.

Managing transactions

Monthly credit limits

3.6 The ARC Credit Card Policy sets out the monthly credit limits based on the cardholder’s position. The policy requires that any variation to the standard limits must be supported by genuine business need and approved by the responsible delegate and the Chief Financial Officer (CFO) or Deputy Chief Financial Officer (DCFO). The monthly credit limits were documented in its credit card register for each cardholder. During 2021–22 and 2022–23, 13 credit cards had the credit limit set above the policy-defined limits. One of these cardholders had written approval to increase the limit above the policy-defined limit of $5,000 to a credit limit of $30,000 due to business need.

3.7 Among several risk events identified in the ARC risk register, two risk events — ‘Fraudulent purchases and transactions on Corporate Credit Card’ and ‘Unauthorised transactions and expenditure being charged to credit card’ — are rated as a ‘Medium’ risk and the control identified for both risks is to ensure ‘low card limits’ (refer to Table 2.1). There is no process in place to periodically review cardholders with monthly credit limits above the policy-defined limits.

Opportunity for improvement

3.8 The Australian Research Council:

  1. establish processes to periodically review the business need of cardholders with monthly credit limits outside the policy-defined limits; and
  2. ensure all credit limit increases are approved by the responsible delegate and the CFO or DCFO.

Transaction limits

3.9 The ARC Credit Card Policy from March 2010 until January 2023 specifies a transaction limit of $5,000 for cardholders at the position of director and above. All other cardholders have a transaction limit of $2,000 (see Table 3.1). There is no evidence of delegate approval to allow any cardholder to exceed the policy-defined transaction limit during March 2010 to January 2023. HSBC credit cards do not have the option to set a transaction limit; therefore, the transaction limit column was removed from the updated policy in February 2023. This change was not assessed against the ARC Risk Register.

Table 3.1: Number of transactions above limit between 2021–22 and 2022–23

|   | 2021–22: Number of transactions | 2021–22: Average amount above the limit | 2022–23: Number of transactions | 2022–23: Average amount above the limit |
|---|---|---|---|---|
| Director and above (transactions above the limit $5,000) | 3 | $1,368.08 | 2 | $1,873.67 |
| All other cardholders (transactions above the limit $2,000) | 14 | $2,255.38 | 7 | $1,995.84 |

Source: ANAO analysis of ARC data.

Pre-approval for credit card purchases

3.10 Pre-approval and documentation of rationale for expenditure is a key control to ensure purchases are appropriate and can withstand public scrutiny.

3.11 The ARC’s Chief Executive Instructions (CEIs) state that staff must ‘use any mandated whole-of-government [procurement] arrangement’. The ARC Credit Card Policy states that:

  • ‘procurements must not be made on credit card, regardless of dollar value, unless written approval has been provided by the CFO or DCFO:
    • purchase of an asset;
    • procurement of consultancy services;
    • venue hire. Credit cards may, however, be used for holding deposits on venue hire, although this is an interim measure only and must be followed by a formal contract; and
    • stationery’.

3.12 Analysis of the ARC’s HSBC corporate credit card transactions shows that there were no transactions related to mandated whole-of-government procurement arrangements.

Merchant with highest credit card payments over the period of this audit

3.13 Canberra Airport Pty Ltd represented the highest total credit card expenditure during 2021–22 and 2022–23 (see Figure 1.2). The total expenditure was $50,146.02 during 2021–22 and 2022–23; 82.6 per cent was for pre-paid car parking payments and 17.4 per cent for venue hire.

3.14 The ARC provides parking to all staff and this has been an ongoing arrangement since 2010.40 Each year, parking permits are renewed in the month of September.

3.15 There are two variants of general parking permits available for the ARC employees:

  1. Paid through invoice: parking permits purchased on an annual basis and paid monthly. The ARC purchased 65 up-front parking permits in 2021–22 (valued at $22,625.03) and 2022–23 (valued at $22,544.81).
  2. Paid through corporate credit cards: parking permits that consist of general parking permits that are purchased as required through a pre-paid parking card ‘topped-up’ using a corporate credit card by the facilities management team. The ARC had 41 of these parking permits in 2021–22 and 50 in 2022–23. In 2021–22 the pre-paid parking payments represented 5.2 per cent of all HSBC credit card transactions (valued at $10,839.50) and in 2022–23 it represented 17.5 per cent of all HSBC credit card transactions (valued at $39,306.52).

3.16 The ARC declared in 2021–22 and 2022–23 that the car parking provided does not meet the conditions necessary to be considered for car parking fringe benefit; rather, they are residual benefits and exempt from Fringe Benefit Tax (FBT). The yearly declaration, signed by the CFO, requires an assessment and calculation by the ARC against the Australian Taxation Office’s conditions related to car parking fringe benefits.41

Return and cancelling cards

3.17 The ARC Credit Card Procedure states that cards not used for more than twelve months may be cancelled by the ARC finance team. The ANAO analysed the credit card register of all credit cards from the HSBC Online Portal to identify credit cards that were not used for more than 12 months. The details of credit cards not used by the ARC for a period of more than 12 months are provided in Table 3.2. Fifty-one per cent of credit cards in 2021–22 and 22 per cent in 2022–23 were not used. The ARC advised the ANAO in April 2024 that during 2021–22, the ARC was working under the COVID-19 pandemic conditions and therefore unused credit cards were not closed. Seven credit cards were not used over 24 months. Two of these cardholders were at Executive Level 1 and five cardholders were at Executive Level 2.

Table 3.2: Credit cards not used for a period of more than 12 months

|   | 2021–22 | 2022–23 |
|---|---|---|
| (a) Number of credit cards | 43 | 49 |
| (b) Number of cardholders who used their cards | 21 | 38 |
| Credit cards that remain active and not used in more than 12 months [(a) - (b)] | 22 | 11 |

Source: ANAO analysis of ARC data.

3.18 Eighteen staff who held a corporate credit card ceased employment with the ARC during 2021–22 and 2022–23. The ANAO conducted testing of the exit notification forms. Twelve exit notification forms were provided by the ARC for review; the ARC could not find the remaining six forms. Six exit notification forms were signed by the employee alone, four forms were signed by both the employee and supervisor, and two were not signed by either the employee or supervisor. The exit forms recorded the return of credit cards and whether all outstanding invoices were paid.

3.19 The ARC finance team manages the credit card list on the HSBC Online Portal to close credit cards upon an employee’s exit. Five credit cards were closed before the employee’s exit date. Four cards were closed on the day of the employee’s exit date. Nine credit cards (50 per cent) were closed after the person left the ARC within an average of 5.6 working days. There were two credit cards identified with 103 working days and 16 working days between the employee leaving the ARC and the credit card cancellation. The credit cards were not used between the exit dates and card cancellation date.

Opportunity for improvement

3.20 The Australian Research Council:

  1. review its policy and procedures to ensure policy requirements are met before submitting a new corporate credit card application; and
  2. develop processes to increase assurance that all credit cards of ceased employees are appropriately and consistently closed in a timely manner.

Has the ARC implemented effective detective controls on the use of corporate credit cards?

The ARC reviews, acquits and verifies transactions manually each month. The supporting evidence required for all expenditure is not consistently provided to the delegate for approval. The ARC’s process for tracking travel approvals is inconsistent. The ARC implemented an Official Hospitality and Gifts Policy in June 2023. The ARC has not directly addressed positional authority risk.

3.21 Detective controls work after a transaction has occurred by identifying if there is a risk that it may have been inappropriate.42

Cardholder verification

Corporate credit cards

3.22 The ARC Credit Card Policy and Procedure do not provide guidance to cardholders who are unable to obtain a tax invoice. Four staff members have completed nine statutory declaration forms to declare the receipts were not available.43

3.23 The ARC Credit Card Procedure states that cardholders are responsible for all transactions charged to their card. Unauthorised transactions fall into two categories.

  • Transactions that the cardholder has charged to the card that are not deemed official approved expenditure, such as personal expenditure. In this case, ‘expenditure relating to these transactions will typically require the cardholder to repay the ARC for the expenditure’.
  • Transactions that have been charged to the card unknown to the cardholder. These types of transactions should be immediately reported. In this case, ‘a dispute will need to be completed and submitted to the card company but if the transactions appear to be perpetual the card may also need to be cancelled’.

3.24 The ANAO analysed all HSBC credit card transactions from 2021–22 and 2022–23. The ARC’s total HSBC credit card expenditure was $430,835.79, comprising 1,467 transactions. All HSBC credit card transactions provided by the ARC matched with the monthly statements from the HSBC Online Portal.

3.25 Eighty-five per cent of the ARC’s HSBC credit card expenditure in 2021–22 related to procurement expenses and in 2022–23, 58 per cent of the ARC credit card expenditure related to travel as employees reinitiated travel post-COVID-19 pandemic. A breakdown of these transactions is provided in Table 3.3.

3.26 Approximately five per cent (21 in 2021–22 and 55 in 2022–23) of all transactions were undertaken over the weekend. All weekend transactions either related to approved travel (nine in 2021–22 and 46 in 2022–23) or periodic subscription payments falling over the weekend.

Table 3.3: Corporate credit card — HSBC transactions related to procurement and travel in 2021–22 and 2022–23

|   | 2021–22 | 2022–23 |
|---|---|---|
| Number of transactions | 385 | 1,082 |
| Total expenditure | $206,627.03 | $224,208.76 |
| Transactions related to procurement (number and % of total) | 327 (84.9%) | 453 (41.9%) |
| Transactions related to travel (number and % of total) | 58 (15.1%) | 629 (58.1%) |

Source: ANAO analysis of ARC data.

Travel approvals

3.27 Based on the Whole of Australian Government Travel Arrangements (Travel Arrangements)44, the ARC requires its travellers to take the following steps in gaining approval to travel before travel starts; and to acquit travel expenses once travel is complete.

3.28 The ARC implemented Diners Club virtual card in 2010, requiring all staff to use corporate credit cards for all expenses related to travel, including airfares, car hire and accommodation.45 Once a staff member receives approval from a delegate, the approval is recorded in the travel movement spreadsheet managed by executive assistants or branch coordinators. Each trip has a unique trip identifier that is required to book travel via the Travel Arrangements (this links to the travel platform, Diners Club virtual card and HSBC corporate credit cards). All those responsible for travel reservations (executive assistants or branch coordinators) use their own tracking sheet to record approval details for individual travellers.

Opportunity for improvement

3.29 The Australian Research Council could consider reviewing its current process for tracking travel approval to ensure consistency with the travel policy.

3.30 In 2021–22 and 2022–23, the ARC’s total travel expenditure through Diners Club virtual card was $207,981.74 consisting of 391 transactions, representing 96 trips.46 A breakdown of transactions by financial year is provided in Table 1.1.

Verifying transactions

Acquittal receipts

3.31 The ARC Credit Card Procedure requires cardholders to complete a credit card reconciliation form. The credit card reconciliation form requires the signature of the delegate. The ARC Credit Card Policy requires relevant supervisors and financial delegates to take the following steps when reviewing cardholder acquittals of credit card transactions. Key requirements include:

  1. relevant supervisors and financial delegates must sign the credit card reconciliation form before submission of a copy of these documents to the ARC finance team;
  2. all tax invoices and receipts should go to the ARC finance section. An electronic copy of the reconciliation form must also be sent to the finance section; and
  3. supervisors are responsible for ensuring that cardholders under their supervision perform the credit card reconciliation in a timely manner.

3.32 The ANAO conducted testing of all 1,467 transactions to test the acquittals of credit card transactions. Table 3.4 outlines the proportion of transactions approved with a signed credit card reconciliation form. The proportion of transactions approved by the delegate without the delegate signing the credit card reconciliation form was 89.1 per cent in 2021–22 and 85.9 per cent in 2022–23. From July 2021 to June 2023, 99.8 per cent of transactions were reviewed and approved via email only, which was inconsistent with the policy. In total, 13.1 per cent had credit card reconciliation forms signed and 86.7 per cent were approved with an unsigned credit card reconciliation form.

Table 3.4: Transaction acquittal in 2021–22 and 2022–23

|   | 2021–22 | 2022–23 | Total |
|---|---|---|---|
| Number of transactions | 385 | 1,082 | 1,467 |
| Signed credit card reconciliation form (number and % of total) | 39 (10.1%) | 153 (14.1%) | 192 (13.1%) |
| Approved through email without delegate signature on the credit card reconciliation form (number and % of total) | 343 (89.1%) | 929 (85.9%) | 1,272 (86.7%) |
| No credit card reconciliation form or email approval (number and % of total) | 3 (0.8%) | 0 (0%) | 3 (0.2%) |

Source: ANAO analysis of ARC data.

3.33 The ARC Credit Card Policy requires that ‘cardholders must keep a tax invoice or receipt for every transaction made on the credit card’. The ARC Credit Card Procedure states ‘relevant Supervisors/Financial Delegates must sign the Credit Card Reconciliation form prior to submission of a copy of these documents along with all Tax Invoices and receipts’. ANAO analysis of the ARC’s HSBC corporate credit card transactions identified 95.8 per cent of transactions in 2021–22 and 2022–23 were supported by evidence, in line with the acquittal processes (see Table 3.5). In 2021–22, 4.7 per cent and in 2022–23, 3.9 per cent of the transactions were not supported by evidence provided to the delegate for approval.

Table 3.5: Acquittal receipts in 2021–22 and 2022–23

|   | 2021–22 | 2022–23 | Total |
|---|---|---|---|
| Number of transactions | 385 | 1,082 | 1,467 |
| Receipts attached (number and % of total) | 342 (88.8%) | 993 (91.8%) | 1,335 (91.0%) |
| Receipts not provided to the delegate (number and % of total) [a] | 18 (4.7%) | 43 (3.9%) | 61 (4.2%) |
| Receipts not provided — statutory declarations provided (number and % of total) | 5 (1.3%) | 4 (0.4%) | 9 (0.6%) |
| Overseas transaction fee (number and % of total) [b] | 20 (5.2%) | 42 (3.9%) | 62 (4.2%) |

Note a: Excluding overseas transaction fees and where a statutory declaration was made. The remaining 95.8 per cent of transactions were supported by evidence in line with the acquittal process.

Note b: Overseas transaction fees were applied by HSBC and appeared on the HSBC transaction statements.

Source: ANAO analysis of ARC data.

Recommendation no.1

3.34 The Australian Research Council resolve inconsistencies between policies and procedures and actual practice.

Australian Research Council response: Agreed.

Travel acquittals

3.35 ANAO analysis of the ARC’s compliance with its policies and procedures for travel acquittals considered:

  • Diners Club virtual card transaction statements;
  • travel-related HSBC corporate credit card transactions; and
  • travel pre-approvals.

3.36 A unique trip identifier, called ‘movement requisition’, is allocated for each instance of travel. All Diners Club transactions could be linked to a movement requisition and all movement requisitions could be linked to a travel pre-approval.

3.37 Out of 1,467 HSBC corporate credit card transactions, 46.8 per cent were for travel-related expenses. The ANAO assessed these as part of the whole examination of the HSBC corporate credit card transactions. Table 3.6 includes all identified instances of non-compliance with internal policies and procedures, including travel-related transactions.

CEO transactions

3.38 The CEO’s transactions are approved by either the CFO or the branch manager Corporate Services. The CEO undertook 115 transactions valued at $13,615.27 over 2021–22 and 2022–23. Eighty transactions were related to travel. Sixteen transactions for car parking and taxi fares were not supported by receipts, which equates to 19.3 per cent of total instances of non-compliance (see Table 3.6). Seven transactions with an average value of $21.50 were for business catering and stakeholder management from the cafeteria on the ground floor of the ARC office. The ARC Official Hospitality Guidelines define business catering as:

morning or afternoon teas, light lunches associated with agency meetings, conferences, seminars, training courses, etc and is not official hospitality.

3.39 Positional authority and the risk of inappropriate positional authority between an approver and applicant are not explicitly addressed in the ARC’s risk management documents.47 Previous ANAO audits have identified risks in relation to positional authority.48 The ARC advised the ANAO in January 2024 that a ‘one-up’ in level policy approval is in place. Neither the ARC’s Financial Delegations Matrix nor the ARC’s Financial Delegations Policy outlines the ‘one-up’ requirement. The ARC Financial Delegations Matrix allows for approvers to be at the same level as the applicant, or at a lower level. The ANAO’s analysis identified that CEO acquittals were approved by either the Branch Manager Corporate Services (an SES Band 1) or the CFO (an EL2).49

3.40 During 2021–22 and 2022–23 one example was identified where a direct report had witnessed their manager’s statutory declaration for an HSBC corporate credit card transaction without a supporting receipt, incorrectly citing the capacity in which they were witnessing the statutory declaration.50 The ARC advised the ANAO in April 2024 that the witnessing officer was qualified to witness the statutory declaration as a Commonwealth employee with five or more years of service on the date of witnessing.

Recommendation no.2

3.41 The Australian Research Council should consider positional authority risk directly, including for key roles, like the Chief Executive Officer (CEO); and if suitable, implement transparency measures, such as regularly reporting on these expenses to the Audit Committee Chair.

Australian Research Council response: Agreed.

Official hospitality

3.42 The ARC implemented an Official Hospitality and Gifts Policy in June 2023. Prior to this, the ARC had an Official Hospitality Guidelines and Procedures (the guidelines) that were last updated in April 2019. The guidelines distinguish official hospitality from business catering as follows:

Official hospitality refers to the expenditure on meals or entertainment for a purpose consistent with the Australian Research Council’s (ARC) business objectives. ARC employees should recognise that the use of public money for such purposes has the potential to draw criticism in the public arena and should therefore be publicly defensible.

Before seeking approval for official hospitality, officers must satisfy themselves that the expenditure is not business catering.

3.43 The ARC’s CEIs restrict approval of expenditure on official hospitality to:

  • program, services or policy launches;
  • hospitality associated with advisory committee functions;
  • major, foreseeable events associated with the progress or promotion of the ARC’s business;
  • hospitality that promotes or supports a government policy objective, service or program;
  • hospitality that facilitates the conduct of public business; or
  • hospitality at functions for officials in recognition of significant events, such as awards or presentations, where this has been approved by one of the delegates; and
  • detailed conditions in the ARC’s Official Hospitality Guidelines (NOTE: tips/gratuities are not to be paid).

3.44 Official hospitality requires pre-approval on a form, whereas ‘business catering’ does not. The ARC’s CEIs identify official hospitality as that which ‘generally involves the use of public resources to provide hospitality to persons other than entity officials to facilitate the achievement of one or more Commonwealth objectives’. The ANAO identified one ‘gift’ transaction that did not meet the requirements in the guidelines (see Table 3.6).

3.45 ANAO analysis of the ARC’s HSBC corporate credit card transactions in 2021–22 and 2022–23 identified 33 instances that the ARC determined did not require pre-approval (amounting to $4,055.79) as they were categorised as ‘business catering’. Twelve instances (amounting to $489.93) were provided for persons other than entity officials. Seven transactions determined not to require pre-approval related to items for an official ceremony, even though under the ARC’s CEIs, approval is required for ‘hospitality at functions for officials in recognition of significant events, such as awards or presentations, where this has been approved by one of the delegates’.

Does the ARC have effective processes for managing identified instances of non-compliance?

The ARC has a process to manage instances of non-compliance; however, this process under-identified instances of non-compliance during 2021–22 and 2022–23. The ARC identified 10 instances of non-compliance that did not align with policies and procedures, compared with the ANAO’s identification of 83. The ARC has not established preventive and detective processes to periodically analyse usage trends to detect patterns across its corporate credit card and Diners Club virtual card expenditure. The policy and procedure require immediate reporting of credit card misuse; they do not include detail on the processes for managing repeated instances of non-compliance.

Recording and reporting on non-compliance

3.46 The ANAO analysis of the ARC’s HSBC credit card transactions in 2021–22 and 2022–23 identified a number of non-compliant transactions (see Table 3.6):

  • Transactions without receipts: 61 transactions had receipts missing with an average transaction value of $61.47. Sixteen transactions were undertaken by the CEO (see paragraph 3.38).
  • Incomplete statutory declarations: nine transactions with missing receipts were replaced by statutory declarations with an average transaction value of $61.02. There is no evidence of the ARC identifying or reporting on these missing receipts through the annual CEO compliance review. Six lacked the signature of the person making the declaration and the signature of the person observing the declaration being made.
  • Personal transactions: eight transactions were identified as transactions mistakenly undertaken using the corporate credit card.
    • Two transactions by the same cardholder in the space of two days, mistakenly using the corporate credit card for a personal transaction at Woolworths. The two transactions totalled $134.85 and were paid back in full.
    • Six transactions were reported by two cardholders and were paid back in full. One transaction related to mistakenly using the corporate credit card for personal use to order food through Uber Eats, valued at $50.23. Five transactions, in the space of two days, were mistakenly used for personal taxi travel. The ARC reported these transactions to Parliament through questions on notice (see paragraph 2.51).
  • Gifts: One transaction for flowers at the value of $140.00.
  • Asset purchase: four transactions related to purchase of two work iPhones with accessories ($3,916.65) and 12 headsets ($2,212.55) without prior approval from CFO or DCFO. The ARC reported these transactions through its annual CEO compliance review and parliamentary questions on notice (see Table 2.2).
  • Venue hire: three transactions were for venue hire without evidence of pre-approval as required by the ARC Credit Card Policy. The value of the three transactions was $1,076.75.

Table 3.6: Instances of credit card non-compliance in 2021–22 and 2022–23

| Type of non-compliance | 2021–22 | 2022–23 | Total |
|---|---|---|---|
| Transactions without receipts (number and % of transactions) | 18 (4.7%) [a] | 43 (3.9%) [b] | 61 (4.2%) |
| Transaction with incomplete statutory declarations | 5 | 1 | 6 |
| Personal transaction | 0 | 8 | 8 |
| Gifts | 1 | 0 | 1 |
| Asset purchase without delegate pre-approval [c] | 0 | 4 | 4 |
| Venue hires without delegate pre-approval | 3 | 0 | 3 |
| Total | 27 | 56 | 83 |

Note a: 385 transactions in 2021–22.

Note b: 1,082 transactions 2022–23.

Note c: The responsible delegate for the pre-approval of assets is the CFO or DCFO.

Source: ANAO analysis based on ARC data.

Fraud detection

3.47 The ARC primarily relies upon the cardholder, responsible manager and the ARC finance team to identify fraudulent transactions and potential non-compliance as part of the acquittal process.

3.48 There were no instances of non-compliance for travel pre-approvals. The ANAO identified that 32 of the 61 transactions without supporting evidence were travel-related corporate credit card transactions, and the ARC does not have a standardised method of tracking travel approval and acquittals (see paragraph 3.28). The 2022–23 CEO compliance review noted that staff were no longer required to acquit travel separately as expenditure was to be incurred and acquitted on the individual’s corporate credit card. There was no mention of travel in the annual CEO compliance review 2021–22.

Analysing trends

3.49 The ARC has not established processes to periodically analyse usage trends to detect patterns across its corporate credit card and Diners Club virtual card expenditure. It does not undertake regular data analysis to identify whether:

  • expenditure incurred was appropriate for the purpose and reasonable;
  • expenditure categories align with those allowed by the entity;
  • purchase splitting and duplicate transactions are occurring;
  • there are inconsistencies between expense descriptions and merchant codes; or
  • transactions have occurred while cardholders are on leave of absence.

3.50 As noted at paragraph 2.17, the ARC’s finance team conducts ongoing transactional checks, which are not used for trend analysis to detect patterns of non-compliance with policy and procedure.

Recommendation no.3

3.51 The Australian Research Council review credit card transactions, to identify trends, such as trends in use and non-compliance, and their impact on policies and review and take corrective action. This work could include:

  1. periodic review of usage patterns to assess whether there is an ongoing business case for a credit card; and
  2. analysing patterns of credit card spending to develop ongoing improvements to methods for monitoring the effectiveness of the acquittal process.

Australian Research Council response: Agreed.

Management and escalation processes

3.52 All cardholders acknowledge the consequences for credit card misuse, through signing the cardholder agreement form. The ARC Credit Card Policy and Procedure requires immediate reporting of credit card misuse. It does not include detail on the processes for managing repeated instances of non-compliance.

3.53 The ANAO identified eight personal use transactions and all were repaid. The ARC advised the ANAO in June 2024 that cardholders were reminded of the requirement not to use a corporate credit card for personal use and the transactions were recorded in the non-compliance register (see paragraph 2.20).

3.54 The ANAO analysis did not identify any instances of disputed transactions identified by either cardholders or their supervisors.

Appendices

Appendix 1 Entity response

Page one of the response from the ARC. A summary of the response can be found in the summary and recommendations chapter.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • New ARC Financial Delegations Policy approved on 1 November 2023 (see paragraph 2.30).
  • New policy to manage Diners Club virtual card approved 1 November 2023 (see paragraph 2.30).
  • Confirmation obtained from HSBC that cash advances were blocked regardless of whether control box was selected by the ARC during the credit card application process (see paragraph 2.13).51
  • To improve compliance with mandatory training the ARC now sends automated reminders to staff and draws regular reports through the ARC’s central learning management system (see paragraph 2.45).

Appendix 3 Questions on Notice relevant to credit card issue and use asked by the Parliament

1. Following the Supplementary Budget Estimates 2022–23, the Standing Committee on Education and Employment asked the Australian Research Council (ARC) the following Questions on Notice in relation to credit card issue and use:

  1. How many credit cards are currently on issue for department or agency staff?
  2. What was the value of the largest reported purchase on a credit card in financial year 2022/23 to date and what was it for?
  3. How much interest was paid on amounts outstanding from credit cards in financial year 2022/23 to date?
  4. How much was paid in late fees on amounts outstanding from credit cards in financial year 2022/23 to date?
  5. What was the largest amount outstanding on a single card at the end of a payment period in financial year 2022/23 to date?
  6. How many credit cards were reported as lost or stolen in financial year 2022/23 to date and what was the cost of their replacement?
  7. How many credit card purchases were deemed to be illegitimate or contrary to department or agency policy in financial year 2022/23 to date? What was the total value of those purchases? How many purchases were asked to be repaid on that basis in financial year 2022/23 to date and what was the total value thereof? Were all those amounts actually repaid? If no, how many were not repaid, and what was the total value thereof?
  8. What was the largest purchase that was deemed illegitimate or contrary to department or agency policy and asked to be repaid in financial year 2022/23 to date? Was that amount actually repaid, in full? If no, what amount was left unpaid?
  9. Are any credit cards currently on issue connected to rewards schemes? Do staff receive any personal benefit as a result of those reward schemes?
  10. Can a copy of the department or agency’s staff credit card policy please be provided?

2. Following the Budget Estimates 2023–24, the Standing Committee on Education and Employment asked the ARC the following Questions on Notice in relation to credit card issue and use:

  1. How many credit cards are currently on issue for department or agency staff?
  2. What was the value of the largest reported purchase on a credit card in financial year 2022/23 to date and what was it for?
  3. How much interest was paid on amounts outstanding from credit cards in financial year 2022/23 to date?
  4. How much was paid in late fees on amounts outstanding from credit cards in financial year 2022/23 to date?
  5. What was the largest amount outstanding on a single card at the end of a payment period in financial year 2022/23 to date?
  6. How many credit cards were reported as lost or stolen in financial year 2022/23 to date and what was the cost of their replacement?
  7. How many credit card purchases were deemed to be illegitimate or contrary to department or agency policy in financial year 2022/23 to date? What was the total value of those purchases? How many purchases were asked to be repaid on that basis in financial year 2022/23 to date and what was the total value thereof? Were all those amounts actually repaid? If no, how many were not repaid, and what was the total value thereof?
  8. What was the largest purchase that was deemed illegitimate or contrary to department or agency policy and asked to be repaid in financial year 2022/23 to date? Was that amount actually repaid, in full? If no, what amount was left unpaid?
  9. Are any credit cards currently on issue connected to rewards schemes? Do staff receive any personal benefit as a result of those reward schemes?
  10. Please provide a copy of the department or agency’s staff credit card policy.
  11. Please denote any changes to this policy that have been made since February 2023.

Footnotes

1 Department of Finance (Finance), Resource Management Guide (RMG) 206 Model Accountable Authority Instructions for Non-corporate Commonwealth Entities, Finance, Canberra, November 2021, p. 49.

2 Credit cards are referred to as payment cards in Finance’s RMG 417 Supplier Pay On-Time or Pay Interest Policy, Finance, Canberra, 1 July 2022.

3 For 2021–22 and 2022–23 the ARC’s supplier expenses were $4.397 million and $2.433 million, respectively.

4 Australian Public Service Commission (APSC), State of the Service Report 2019–20, APSC, Canberra, February 2021, available from https://www.apsc.gov.au/state-service/state-service-report-2019-20/chapter-2-supporting-recovery/pro-integrity-culture [accessed 21 March 2024].

5 APSC, Fact sheet: Upholding integrity, APSC, Canberra, December 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/fact-sheet-upholding-integrity [accessed 18 March 2024].

6 New South Wales Independent Commission Against Corruption (NSW ICAC), Organisational culture and expectations, NSW ICAC, NSW, available from https://www.icac.nsw.gov.au/prevention/foundations-for-corruption-prevention/organisational-culture-and-expectations [accessed 18 March 2024].

7 National Anti-Corruption Commission (NACC), Integrity Outlook 2022/23, NACC, Canberra, 2023, p. 5, available from https://www.nacc.gov.au/resource-centre/reports [accessed 9 May 2024].

8 These audits included: Auditor-General Report No. 30 2022–23, Probity Management in Financial Regulators — Australian Prudential Regulation Authority, ANAO, Canberra, 2023, paragraphs 2.82 to 2.86, available from https://www.anao.gov.au/work/performance-audit/probity-management-financial-regulators-australian-prudential-regulation-authority; Auditor-General Report No. 36 2022–23, Probity Management in Financial Regulators — Australian Securities and Investments Commission, ANAO, Canberra, 2023, paragraphs 2.69 to 2.76, available from https://www.anao.gov.au/work/performance-audit/probity-management-financial-regulators-australian-securities-and-investments-commission; Auditor-General Report No. 38 2022–23, Probity Management in Financial Regulators — Australian Competition and Consumer Commission, ANAO, Canberra, 2023, paragraphs 22, 2.99, and 2.106 to 2.111, available from https://www.anao.gov.au/work/performance-audit/probity-management-financial-regulators-australian-competition-and-consumer-commission; and Auditor-General Report No. 1 2021–22, Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, ANAO, Canberra, 2021, paragraphs 4.30 and 4.42, available from https://www.anao.gov.au/work/performance-audit/defence-administration-enabling-services-enterprise-resource-planning-program-tranche-1.

9 These audits included: Auditor-General Report No. 36 2022–23, Probity Management in Financial Regulators — Australian Securities and Investments Commission, paragraph 4.81; and Auditor-General Report No. 21 2019–20, Probity Management in Rural Research and Development Corporations, ANAO, Canberra, 2019, paragraphs 18, 2.71 to 2.76, 2.89 to 2.91, and 3.77 to 3.97, available from https://www.anao.gov.au/work/performance-audit/probity-management-rural-research-and-development-corporations.

10 Department of Finance (Finance), Resource Management Guide (RMG) 206 Model Accountable Authority Instructions for Non-corporate Commonwealth entities, Finance, Canberra, November 2021, p. 49.

11 Accountable authorities are responsible for the operations of Australian Government entities and can be individuals (such as Secretaries or Chief Executive Officers) or groups of individuals (such as governing boards). Officials include employees, officers or members of Australian Government entities (including directors and statutory office holders). Accountable authorities are also officials under the PGPA Act.

12 Non-corporate Commonwealth entities are legally and financially part of the Commonwealth of Australia. Conversely, corporate Commonwealth entities and Commonwealth companies are body corporates with separate legal personalities from the Commonwealth.

13 PGPA Act, section 27.

14 PGPA Act, paragraph 15(1)(a).

15 PGPA Act, section 16. Under paragraph 19(1)(e) of the PGPA Act, an accountable authority must notify the responsible minister of any significant issues affecting the entity, including any significant non-compliance with the finance law.

  • Section 8 of the PGPA Act provides that ‘finance law’ means the PGPA Act, or the rules made under section 101 of the PGPA Act, or any instrument made under the PGPA Act, or an Appropriation Act.
  • Finance, Notification of significant non-compliance with finance law, RMG 214 (paragraphs 8, 9 and 10) sets out that significant non-compliance is determined by the accountable authority based on the specific circumstances, and can include high volume, high value or systemic issues reflecting internal control shortcomings or serious fraudulent activity by officials.

16 Suggestions include instructions on: whether cards can be used for coincidental private expenditure or cash withdrawals; when different types of cards can be used; transaction limits; requirements for cardholders to acknowledge possession and responsibilities; how and when reconciliations occur; documentation requirements for acquitting transactions; any additional approvals required (such as approval of cardholders’ own travel expenses); how cards are to be stored; and requirements to return cards when no longer required.

17 Relevant money is money that the Commonwealth or a corporate Commonwealth entity holds as cash or in a bank account.

18 Diners Club Pty Limited (Diners Club) was the credit provider under the travel and procurement payment services deed. On 1 June 2022, National Australia Bank Limited (NAB) acquired Diners Club in Australia. From 24 November 2023, the travel and procurement payment services deed was novated to NAB. The ARC advised the ANAO in June 2024 that as of May 2024, the ARC had not yet transitioned to using NAB services.

19 Payment card is defined as credit cards, debit cards, charge cards or any other type of Commonwealth issued card, including virtual cards, that are authorised to pay suppliers for goods and services received at the point of sale. An eligible payment is defined as a payment with a value less than $10,000 (inclusive of GST and merchant service fees) due to a supplier that is not associated with a multiple-payment contract or standing offer arrangement. The requirement only applies when the supplier can accept and request payment via payment card and merchant service fees charged are reasonable and sufficiently disclosed. Finance, Supplier Pay On-Time or Pay Interest Policy, RMG 417, Finance, Canberra, 1 July 2022.

20 Department of Finance, Flipchart of PGPA Act Commonwealth entities and companies (191), Finance, Canberra, November 2023, available from https://www.finance.gov.au/sites/default/files/2023-12/Flipchart%201%20November%202023%20-%20FINAL.pdf [accessed 12 February 2024].

21 Australian Research Council, Australian Research Council Annual Report 2022–23, ARC, Canberra, 2023, p. 24, available from https://www.arc.gov.au/sites/default/files/2023-10/ARC%20Annual%20Report%202022%E2%80%9323%20-%20%28accessible%20pdf%29_0.pdf [accessed 14 March 2024].

22 The ARC provides parking to all staff. Up-front parking permits are purchased on an annual basis and paid monthly through invoice. Pre-paid parking cards are ‘topped up’ using a corporate credit card by the facilities management team for additional parking spaces as required.

23 Australian Public Service Commission (APSC), State of the Service Report 2019–20, APSC, Canberra, 2021, available from https://www.apsc.gov.au/state-service/state-service-report-2019-20/chapter-2-supporting-recovery/pro-integrity-culture [accessed 21 March 2024].

24 APSC, Fact sheet: Upholding integrity, APSC, Canberra, 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/fact-sheet-upholding-integrity [accessed 18 March 2024].

25 New South Wales Independent Commission Against Corruption (NSW ICAC), Organisational culture and expectations, NSW ICAC, NSW, available from https://www.icac.nsw.gov.au/prevention/foundations-for-corruption-prevention/organisational-culture-and-expectations [accessed 18 March 2024].

26 These audits included: Auditor-General Report No. 30 2022–23 Probity Management in Financial Regulators — Australian Prudential Regulation Authority, ANAO, Canberra, 2023, paragraphs 2.82 to 2.86; Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, ANAO, Canberra, 2023, paragraphs 2.69 to 2.76; Auditor-General Report No. 38 2022–23 Probity Management in Financial Regulators — Australian Competition and Consumer Commission, ANAO, Canberra, 2023, paragraphs 22, 2.99, and 2.106 to 2.111; and Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, ANAO, Canberra, 2021, paragraphs 4.30 and 4.42.

27 These audits included: Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, ANAO, Canberra, 2023, paragraph 4.81; and Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, ANAO, Canberra, 2019, paragraphs 18, 2.71 to 2.76, 2.89 to 2.91, 3.77 to 3.97.

28 PGPA Act, section 16.

29 PGPA Rule, section 10. This section of the PGPA Rule is referred to as the Fraud Rule.

30 Low rated risks are reviewed twice a year to confirm that controls continue to be in place and are effective (see paragraph 2.9).

31 The ARC advised the ANAO in February 2024 that ‘[a]fter a discussion with the HSBC card account manager, we have realised that if we block some of the merchant codes it could negatively affect [the] (sic) ability of staff members to use their credit cards, as some merchant codes cover expenditure that could be allowable as well as non-allowable.’

32 Two transactions were made to Conference Logistics for $1,213.80 on 10 February 2022, within four minutes of each other.

33 The ARC advised the ANAO in June 2024 that credit card risk is brought to the attention of the ARC Audit and Risk Committee.

34 For example, a ‘Request to use another staff member’s credit card’ form was completed by the ARC employee booking training for another ARC employee so that they could use that employee’s credit card for this purpose.

35 The Credit Card Procedure referred to a safe for storage of credit cards for those on long-term leave. The ARC advised the ANAO in November 2023 that the safe cannot be accessed.

36 These arrangements are established through a coordinated procurement. Coordinated procurement refers to whole-of-government arrangements for procuring goods and services.

37 Department of Finance, Whole of Australian Government Travel Arrangements – About the Travel Arrangements, Finance, Canberra, November 2023, available from https://www.finance.gov.au/government/travel-arrangements/about-travel-arrangements [accessed 3 May 2024].

38 The ARC advised the ANAO in June 2024 that QBT rebranded to Corporate Travel Management (CTM) in December 2022 and is used to manage travel bookings.

39 There were five personal transactions, grouped by the ARC as personal use taxi-fare.

40 This arrangement is not included in the ARC Enterprise Agreement.

41 Australian Taxation Office, Fringe benefits tax - a guide for employers - Chapter 16 - Car parking fringe benefits – effective 1 July 2021, ATO, Canberra, available from https://www.ato.gov.au/law/view/document?docid=SAV/FBTGEMP/00017&PiT=20210701000001 [accessed 21 February 2024].

42 Detective controls can include: cardholder verification of transactions and disputed transactions; review and acceptance of the transactions; spot-checking; and data analytics. See Auditor-General Report No. 33 2015–16 Defence’s Management of Credit and Other Transaction Cards, ANAO, Canberra, paragraph 2.38, available from https://www.anao.gov.au/work/performance-audit/defences-management-credit-and-other-transaction-cards.

43 A statutory declaration is a type of legal document that sets out facts that you declare to be true and accurate. Statutory declarations can be used for many purposes and can be requested by a person, organisation or government agency, see Attorney-General’s Department, Statutory Declarations, AGD, Canberra, February 2024, available from https://www.ag.gov.au/legal-system/statutory-declarations [accessed 22 February 2024].

44 These arrangements are established through a coordinated procurement. Coordinated procurement refers to whole-of-government arrangements for procuring goods and services.

45 The ARC advised the ANAO in June 2024 that the Corporate Travel Management system is used to comply with the Travel Arrangements, which allows it to monitor whether travel expenditure is in line with the travel policy, for example, by identifying best fare of the day.

46 The total travel transactions equate to 1,078. This consists of 391 transactions made using a Diners Club card and 687 made using HSBC corporate credit cards.

47 Positional authority risk arises where subordinate officials are required to approve the expenses of senior officers and senior statutory officers. The ANAO made a recommendation to address positional authority at the Australian Competition and Consumer Commission, see Auditor-General Report No. 28 2022–23 Probity Management in Financial Regulators — Australian Competition and Consumer Commission, paragraph 2.112.

48 Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, ANAO, Canberra, paragraphs 4.30 and 4.42, discussed risk relating to positional authority in relation to delegation and time approval arrangements.

49 The ARC Chief Executive Officer (CEO) position is a statutory appointment (appointed by the minister – similar to other agency and Department heads) and is therefore not an SES Band.

50 The job description listed by the witnessing officer was not one of the types of persons identified as appropriate to witness a statutory declaration under the Statutory Declarations Act 1959.

51 The ARC advised the ANAO in February 2024 that this was in direct response to being audited.