Introduction

1.1 Australian Government entities use credit cards to support timely and efficient payment to suppliers of goods and services. ‘Corporate credit cards’ include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).¹⁰ Other forms of credit used by Australian Government entities include credit vouchers (such as Cabcharge).

Australian Government framework for using credit cards

1.2 The Commonwealth Resource Management Framework governs how Australian Government entities use and manage public resources. The cornerstone of the framework is the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

1.3 Section 57 of the PGPA Act and section 21A of the Public Governance, Performance and Accountability Rule (PGPA Rule) authorise corporate Commonwealth entities (CCEs) to borrow money if: it is obtaining credit by credit card, voucher or other credit facility; and the borrowed amount is repaid within 90 days. For each form of credit card or credit voucher, there should be an overarching borrowing agreement rather than separate borrowing arrangements for individual cards.

1.4 The PGPA Act sets out general duties of accountable authorities and officials of Australian Government entities.¹¹ Relevant to credit card use, officials have a duty not to improperly use their positions to gain or seek to gain a benefit or advantage for themselves or others; or to cause detriment to the Commonwealth, entity, or others.¹² Further, the duties of an accountable authority include:

1. governing an entity in a way that promotes the proper use and management of public resources¹³; and
2. establishing and maintaining appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.¹⁴

1.5 Under subsection 20A(1) of the PGPA Act, an accountable authority may give instructions (referred to as accountable authority instructions) to entity officials about any matter relating to the finance law. The Department of Finance has published model accountable authority instructions, which include model instructions for the use of credit cards (see Box 1) as well as suggestions for additional instructions on credit card use.¹⁵

1.6 The PGPA Act and model accountable authority instructions include other content relevant to credit card use, particularly on spending public money, and official travel.

• Section 23 of the PGPA Act gives accountable authorities powers to approve commitments of ‘relevant money’ and enter into arrangements (which includes procuring goods and services with credit cards).¹⁶ Accountable authorities usually delegate these powers to entity officials, specifying delegation limits for officials in certain work groups based on their position and the category of spending. While the PGPA Act does not require separate and prior approval before entering into a spending arrangement, section 18 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires officials with spending delegations to make a written record of their approval for a commitment as soon as practicable and to follow any directions or instructions of the accountable authority. The model accountable authority instructions suggest additional instructions could include: the circumstances in which approval is required; who has authority to approve different types of commitments; appropriate approval processes; and how to ensure spending commitments would be a proper use of public resources.
• When Australian Government officials travel for business purposes, they are generally required to use whole-of-government coordinated procurement arrangements. These arrangements encompass: domestic and international air services; travel management services; accommodation program management services; travel and card related services; and car rental services. Under the arrangements, entities must make payments for flights, domestic accommodation and car rental through an account with a credit provider.¹⁷ Entities can also allow their officials to use a ‘companion’ MasterCard (available through the Diners Club arrangement) to pay for meals, incidentals and general purchasing.

1.7 The Australian Government’s Supplier Pay On-Time or Pay Interest Policy requires non-corporate Commonwealth entities to make eligible payments valued under $10,000 by payment card (which includes by credit card), and to establish and maintain internal policies and processes to facilitate the timely payment of suppliers using payment cards.¹⁸ The policy also encourages payment card use for other payments. The NDIA has decided to implement the requirement by including it in the NDIA Finance Policies (see paragraph 2.45).

National Disability Insurance Agency’s use of credit cards

1.8 The National Disability Insurance Agency (NDIA) is the Australian Government entity responsible for delivering the National Disability Insurance Scheme (NDIS).¹⁹ The NDIA is established under section 117 of the National Disability Insurance Scheme Act 2013 (NDIS Act). The NDIA is a corporate Commonwealth entity and is subject to the PGPA Act. The Board of the NDIA is the accountable authority.

1.9 In 2022–23, the NDIA reported that it had 5,328 ongoing and 324 non-ongoing staff. As at 30 June 2023, the NDIA reported it had staff at 162 locations.

1.10 For 2021–22 and 2022–23, the NDIA’s total credit card expenditure was approximately $6.7 million, comprising 11,925 transactions. For the same period, the NDIA’s total travel expenditure was approximately $9.1 million, representing 8,509 trips. Credit card and travel expenditure both represented one per cent or less of the NDIA’s supplier expenses in each year.²⁰ Table 1.1 and Table 1.2 below provide a breakdown of these statistics for each financial year.

Table 1.1: NDIA credit card expense statistics 2021–22 and 2022–23

Note a: Total supplier expenses for 2021–22 was $480.3m and $604.0m for 2022–23.

Source: ANAO analysis of NDIA data.

Table 1.2: NDIA travel expense statistics 2021–22 and 2022–23

Note a: Travel expenditure approval and acquittal includes airfares, accommodation, car rental and travel allowance. Airfares, accommodation and car rental are paid through an account with a credit provider (see paragraph 1.6). Travel allowance (TA) is paid to the traveller to cover the cost of meals and incidentals while on business travel. For APS employees, TA is paid through payroll; for contractors, reimbursements are claimed through their labour hire agency.

Note b: Total supplier expenses for 2021–22 was $480.3m and $604.0m for 2022–23.

Source: ANAO analysis of NDIA data.

1.11 Services Australia provides ‘Travel Services’ and ‘Credit Card Management’ services for the NDIA under shared services arrangements (see paragraphs 2.4 to 2.8).

Rationale for undertaking the audit

1.12 The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and to the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.²¹

1.13 In describing the role of Senior Executive Service (SES) officers, the APSC state that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.²² The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.²³

1.14 Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.²⁴ The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions²⁵ and ineffective controls in the management of the use of credit cards.²⁶ This audit provides Parliament with assurance that the NDIA is effectively managing corporate credit cards in accordance with legislative and the NDIA’s policy requirements.

1.15 This audit is one of a series of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:

• National Disability Insurance Agency (NDIA);
• Federal Court of Australia;
• Australian Research Council; and
• Productivity Commission.

Audit approach

Audit objective, criteria and scope

1.16 The objective of the audit was to assess the effectiveness of the NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

1.17 To form a conclusion against the objective, the ANAO examined:

• whether the NDIA has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
• whether the NDIA has implemented effective controls and processes for corporate credit cards in accordance with their policies and procedures.

1.18 The audit focused on management and use of credit cards, including travel approval and acquittals, in the 2021–22 and 2022–23 financial years.

1.19 The audit did not assess vendor cards (such as travel cards and fuel cards) or management of credit vouchers such as Cabcharge. The audit did not assess the effectiveness of shared service arrangements between the NDIA and Services Australia.

Audit methodology

1.20 The audit methodology included:

• review of legislative, policy and internal frameworks guiding the use of corporate credit cards;
• review of NDIA and Services Australia documentation including policies and procedures, risks registers, training material and reporting;
• analysis of NDIA and Services Australia data, including publicly reported information and data obtained during the audit; and
• meetings with NDIA and Services Australia staff.

1.21 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $498,000.

1.22 The team members for this audit were Tracey Martin, Sonya Carter, Benedict Xu-Holland, Shelley Yin, Aiden Williams, David Vandersee, James Baker, Andrew Yam, Kristian Marchiori and Alexandra Collins.

2.1 If Australian Government officials deliberately misuse corporate credit cards, they are committing fraud. Other risks of credit card use include: inadvertent personal use; unauthorised or inappropriate work use; incorrect charging by merchants; and external fraud enabled by stolen credit card details.

2.2 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), an accountable authority of an Australian Government entity has a duty to establish and maintain appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.²⁷

2.3 In addition, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) establishes a requirement for an accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.²⁸ Specific requirements of the Australian Government’s Fraud Rule include:

• conducting regular fraud risk assessments and developing and implementing a fraud control plan that deals with identified risks;
• establishing appropriate preventive controls (which should include fit-for-purpose policies and procedures and effective training and education arrangements); and
• establishing appropriate monitoring and reporting arrangements.

Does the NDIA have appropriate arrangements for oversight of the issue, return and use of corporate credit cards?

Shared services arrangements

2.4 The NDIA has engaged Services Australia to provide ‘Travel Services’ and ‘Credit Card Management’ under shared services arrangements. The NDIA retains responsibility for ensuring staff comply with relevant policy and procedures. Credit card and travel expenditure are operating costs paid by the NDIA from its departmental appropriation.²⁹

2.5 In 2021–22 and 2022–23, Services Australia provided the following credit card services on behalf of the NDIA: interacting with the credit provider; supporting the issuance and return of credit cards; and uploading transaction data from the credit provider to the NDIA’s information technology systems. The NDIA manages applications for credit cards, sets credit limits, requests credit card cancellation or suspension, reviews credit card use, oversees acquittals and manages non-compliance.

2.6 The Department of Finance established and manages the Whole of Australian Government Travel Arrangements (the Travel Arrangements).³⁰ The objective of the Travel Arrangements are to reduce travel costs, decrease administrative costs, simplify processes and optimise savings. As a corporate Commonwealth entity (CCE), the NDIA has elected to use the Travel Arrangements.³¹ Under the Travel Arrangements, payment services, such as for official airfares, accommodation and car rental expenses³², are made through Diners Club.³³ Services Australia provides all travel services on behalf of the NDIA. The NDIA manages a pre-approval process for travel and undertakes limited quality assurance processes that only examine lowest practical airfare.

2.7 The Department of Finance’s Shared Services Arrangement Guide 04/2017: Governance (Assurance) Framework states (paragraph 6):

The duties of the accountable authority are not abrogated when utilising shared arrangements – the accountable authority remains responsible for managing public resources for which it is responsible, including when those resources are in the custody of other parties. When working with others, accountable authorities are encouraged to impose the minimum compliance and reporting requirements needed to support the proper use and management of public resources for which they are responsible.

2.8 As Services Australia delivers aspects of credit card and travel services on the NDIA’s behalf, effective oversight of these functions by the NDIA is essential for providing assurance to the NDIA Board that it is meeting its responsibilities under the PGPA Act.

Financial authorisations

2.9 The NDIA’s HR Delegations, Accountable Authority Instructions and Financial Authorisations Manual dated July 2022 (the AAIs³⁴) authorise the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) to enter into borrowing arrangements for the issue and use of cards and credit vouchers by Agency officials (see paragraph 1.3). Under the shared services arrangements with the NDIA, Services Australia has entered into borrowing arrangements with ANZ for credit cards and Diners Club for travel which facilitate the services provided to the NDIA.³⁵ The NDIA has not delegated to Services Australia the power to enter into borrowing arrangements to support Services Australia’s signing of participant agreements with ANZ and Diners Club on its behalf. In the absence of such delegation (see paragraph 1.3), Services Australia does not have the legal authority to enter into a borrowing agreement on the NDIA’s behalf.

2.10 Between 1 July 2021 and 30 June 2023, there was no evidence of a memorandum of understanding or deed of participation between the NDIA and the Department of Finance to support the NDIA’s participation in the Travel Arrangements.³⁶ A participant agreement between the NDIA and Diners was signed by a Services Australia officer in October 2020. The signed copy of the Deed between Services Australia and ANZ for the credit card facilities is incomplete.³⁷ On 29 April 2024 the NDIA commenced the process of creating a legal relationship between itself and ANZ, utilising a clause in the Deed between Services Australia and ANZ.

Reporting

Board, committee and senior management reporting

2.13 In monthly financial reporting to the Board and Senior Leadership Team (SLT)³⁸ there is a line item for the expenditure on travel and hospitality. In 2021–22 and 2022–23, the Board’s risk subcommittee received Chief Risk Officer reports which contained aggregate details of non-compliance with finance law and AAIs. The SLT received Chief Risk Officer reports until November 2022. The report does not specify non-compliance attributable to credit card use or travel by NDIA staff.

PGPA compliance survey reporting

2.14 The NDIA surveys Senior Executive Service (SES) officers on a quarterly basis to identify and report non-compliance with the PGPA Act within their respective branches. A key control identified in the Financial Control Branch’s draft risk register is the annual briefing on the results of the survey for the CEO and the Risk Advisory Branch.³⁹ The NDIA did not consistently provide quarterly, half yearly or annual briefings to the CEO for the period 1 July 2021 to 30 June 2023 in relation to the results of the PGPA compliance surveys.

2.15 Where briefs were prepared for the CEO, they were either in draft, not signed or did not contain important information such as a title, who the brief was for, and who had prepared and cleared the brief. The reports and briefs on PGPA compliance included the number of credit card and travel non-compliances reported by the SES officers by quarter and financial year (see paragraph 3.49). Non-compliance for travel and credit cards in 2022–23 was rated green, which is low risk. PGPA survey compliance results were not provided to the Board in 2021–22 and 2022–23, except for advising the Board that the PGPA compliance survey was conducted and ‘the Agency continues to remain compliant with the majority of PGPA Act related obligations’.

Branch level reporting

2.16 A weekly credit card report is provided to the Branch Manager, Financial Control. It contains information and summary statistics on transactions and expenditure, acquittals, non-compliance, and credit card management (for example, new and cancelled cards). The report tracks a range of metrics including: transaction volumes over the past four years; unacquitted transactions greater than 25 days; transactions and spend for each month (see Figure 2.1); trend of non-compliance over the previous twelve weeks; and non-compliance over the past three years (see Figure 2.2). The report can be filtered by group, division and branch and whether the non-compliance was self-reported or detected through daily assurance reviews.⁴⁰

Figure 2.1: Monthly credit card expenditure by year, July 2020 to June 2023

Source: ANAO analysis of NDIA weekly credit card reports.

Figure 2.2: Non-compliant credit card transactions reported by month, July 2020 to June 2023

Source: ANAO analysis of NDIA weekly credit card reports.

2.17 The Financial Control Branch provides monthly incident reports to the Risk Advisory Branch, that include details of incidents of non-compliance with the NDIA Finance Policies and remedial action taken (see paragraph 2.30). Only credit card and travel non-compliance reported in the financial system are included in these reports (see paragraphs 3.34, 3.35, 3.47 and 3.51).

2.18 The volume and nature of reported non-compliance is discussed at paragraph 3.47, with Senior Executive Services (SES) officers responsible for 17 instances. The weekly credit card reports do not identify actions to be taken, or those taken, except for the recovery of monies relating to personal use of credit cards. The Board, SLT and CEO do not receive reporting on the level and nature of credit card and travel non-compliance, or actions taken in response to non-compliance. This reduces the Board’s visibility of non-compliance and the effectiveness of internal controls, impacting the Board’s ability to understand and manage fraud and integrity risks.

Reporting from Services Australia

2.23 Services Australia provides the NDIA with a quarterly compliance report for travel by NDIA staff. The report includes: assessment of compliance against the Travel Arrangements and NDIA policies⁴¹ and identified non-compliance; and the number of open, unapproved and unacquitted trips. The report includes recommendations for process improvements and actions to be taken by the NDIA in relation to identified non-compliance. The reports state there was a ‘high degree’ of compliance, against a scale of ‘high degree’, ‘reasonable degree’ and ‘limited degree’. The quarterly travel compliance report is unsigned in half of the reports in 2021–22 and 2022–23. The report, or a summary of its contents, is not provided to SLT or the Board. All eight quarterly reports between 1 July 2021 and 30 June 2023 reported non-compliance (see Table 3.3); the six reports between 1 October 2021 and 31 March 2023 sought the NDIA’s advice regarding recommendations for action. The NDIA did not respond to Services Australia’s recommendations.

2.24 The primary assurance mechanism under the shared services arrangements involves the Chief Financial Officer of Services Australia providing a letter to the Chief Financial Officer of the NDIA each financial year. The letter outlines: the financial assurance processes undertaken for financial information provided by Services Australia to the NDIA; and accounting systems, controls and any relevant audit findings. The 2021–22 and 2022–23 letters concluded an appropriate controls framework was in place, with no known deficiencies in the internal controls relevant to the NDIA and no relevant audit findings.

Have appropriate arrangements been established for managing risks associated with use of corporate credit cards within the NDIA?

Internal risk management

2.25 The NDIS Risk Management Rules⁴² require the NDIA to have a risk management framework, strategy, culture, structure, and practices in place to monitor and manage material risks for the agency. The NDIA has a Risk Management Strategy dated September 2020⁴³, a Risk Management Guide dated November 2019 and publishes its strategic risks in its corporate plan.⁴⁴

2.26 The NDIA is required to comply with the Fraud Rule⁴⁵ and states in its Fraud and Corruption Control Plan (July 2023) that the agency voluntarily complies with the better practice of both the Fraud Policy and Fraud Guidance.

2.27 Personal use of credit cards, fraudulently claiming travel entitlements, and accounting fraud (including misappropriation) are examples of internal fraud listed in the NDIA’s Fraud and Corruption Control Plan. Reported non-compliance for both credit cards and travel represent less than one per cent of transactions in the period 1 July 2021 to 30 June 2022 (see paragraphs 2.60 and 2.61).

2.28 The NDIA’s current fraud risk register (2022) includes the fraud risk category of ‘financial misappropriation’ (trusted insiders).⁴⁶ Credit cards and travel may be a cause of this fraud risk but are not specifically listed as such. The NDIA’s previous fraud risk register (dated December 2019) included credit cards as a source of the financial misappropriation risk. The Board’s Risk Committee was advised by management that the 2022 fraud risk register consolidated risks from 13 to six to ‘clearly identify the key fraud and corruption risks’, ‘identify the cohorts that perpetrate fraud and corruption on the Scheme’ and ‘remove reference to current risks that are in fact causes’.

2.29 A paper presented to the Risk Committee in November 2022 stated that a fraud risk dashboard would be developed and incorporated into quarterly Chief Risk Officer (CRO) reporting. No dashboard was included in subsequent reports to the Board.

2.30 On a monthly basis, the Financial Control Branch provides to the Risk Advisory Branch the details of incidents of non-compliance with the NDIA Finance Policies and remedial action taken.⁴⁷ There is no definition of an incident, or relevant categories of non-compliance. Forty out of 85 incidents reported in 2022–23 were credit card non-compliances, primarily personal use. There was one incident related to travel which was travel not authorised prior to travelling.

2.31 In the absence of a description of the risk categories or references to credit card processes in the related control description, there is no evidence that the risks relating to the management and use of credit cards, including travel, were considered in the development of the CFO Division’s risk register. No likelihood or consequence ratings are provided in the register, nor does it specify dates of review or assessment of control effectiveness. There was insufficient documentation to demonstrate when the NDIA commenced use of the draft CFO register.

2.32 The draft risk register for the Financial Control Branch, within the CFO Division, contains risks and controls relating to credit card and travel as set out in Table 2.1. There was not a finalised risk register in 2021–22 and 2022–23.

Table 2.1: Risks and controls for credit cards and travel in the Financial Control Branch draft risk register

Source: NDIA’s internal risk documentation.

2.33 The Financial Control Branch draft risk register did not contain⁴⁸: risk cause and impact statements; likelihood and consequence ratings; an assessment of the effectiveness of current controls at managing risk within the NDIA’s risk appetite and tolerance levels⁴⁹; and mitigations. The risk relating to credit cards was assessed as low and the risk relating to travel was assessed as medium (the reason for this assessment is not documented). The NDIA advised the ANAO in September 2023 that the Financial Control Branch risk register is reviewed annually. There is no evidence of review of the register or the effectiveness of controls.

2.34 The NDIA advised the ANAO in September 2023 that it has not undertaken internal audits of any credit card or travel related risks since 2019. Credit card and travel related risks are also not addressed in the NDIA’s 2023–24 internal audit work program.

Shared risk management

2.37 The Commonwealth Risk Management Policy 2023 (the Policy) requires that ‘entities must collaborate to manage shared risks’.⁵⁰ The Policy is recommended as best practice for the NDIA, as a corporate Commonwealth entity. The Policy is mandatory for Services Australia, as a non-corporate Commonwealth entity. The NDIA and Services Australia have a draft shared risk plan (dated March 2022) for the risks arising out of the shared services arrangements. The plan contains four risks, three rated medium and one rated low. The risks are: existing IT systems cannot support shared services arrangements (medium); shared services arrangements are not supported by the executive (medium); consuming entities reduce or eliminate consumption of shared services (medium); and service standards for shared services are not achieved (low). The NDIA and Services Australia have not documented how credit cards or travel related risks fall within the defined risk categories and whether effective mitigation strategies have been implemented.

Has the NDIA developed fit-for-purpose policies and procedures for the issue, return and use of corporate credit cards?

Accountable authority instructions

2.42 The NDIA’s AAIs sets out the financial expenditure limits delegated by the Board to NDIA officials and staff. The AAIs are accessible to NDIA staff on the intranet. The AAIs direct NDIA staff to the Finance Policies – Supporting the Accountable Authority Instructions (NDIA Finance Policies) dated November 2022 for information relating to legislative and policy requirements for the use of credit cards and travel arrangements. The financial delegations table within the AAIs does not refer to relevant sections of the PGPA Act that support the delegations, as recommended by the Department of Finance’s model AAIs for CCEs in Resource Management Guide (RMG) 206 (the model AAIs). The NDIA’s Finance Policies set out requirements and processes for: credit card issue, return and use; official travel; and approval of spending money.

2.43 The AAIs and Finance Policies are reviewed yearly. The NDIA’s AAIs and Finance Policies are largely consistent with the guidance contained in the model AAIs, with requirements relating to safe and secure credit card storage and only using credit cards issued to the individual or authorised to be used by the individual not explicitly included.

2.45 RMG 417, Supplier Pay On-Time or Pay Interest Policy, requires card cards to be used for payments valued below $10,000 (see paragraph 1.7). This policy applies to non-corporate Commonwealth entities. The NDIA has chosen to implement the requirement by including it in the NDIA Finance Policies (see paragraph 3.19). While RMG 417 indicates that eligible payments may include payments made as a result of purchase orders, the NDIA excludes use of the credit card for these payments.

Procedures for credit card management and use

2.46 To support the implementation of the Finance Policies, the NDIA has developed a range of procedures for credit card management and use. These procedures are supplemented by Services Australia guidance for credit card acquittals and supervisor review, and travel. These procedures and guidance are available on the intranet for staff to access. The NDIA prepared procedures were reviewed annually.

2.47 The ANAO assessed whether procedures were consistent with the NDIA Finance Policies for selected credit card and travel requirements and found that:

• 14 out of 31 core credit card requirements tested from the NDIA’s Finance Policies were reflected in the procedures (with inconsistencies between the Finance Policy and standard operating procedures noted in five of these); and
• nine out of 11 core travel requirements tested from the NDIA’s Finance Policies were reflected in the travel guidance.

Issuing credit cards

2.48 The NDIA Finance Policies require an applicant for a credit card to submit a business case for why the card is required, satisfy the employment eligibility criteria⁵¹ and complete an online training module. Endorsement of the credit card application is required from the applicant’s ‘line manager’ (Executive Level 1 or above), and the performance reporting team in the Financial Control Branch before it is approved by the Branch Manager Financial Control. Where an applicant is from the Financial Control Branch, endorsement and approval may be limited to approval by the Branch Manager without an independent assessment of the application. Cardholders must acknowledge receipt of a new (or replacement) credit card and confirm ‘you have received the Commonwealth Corporate Credit Card and PIN and agree to use the card in accordance with credit card section of the Finance policy’. Credit cards are activated when they are registered by Services Australia.

Cancelling or suspending credit cards

2.50 The NDIA Finance Policies included several requirements for credit card cancellation or suspension.

• ‘A credit card will be cancelled in the following circumstances: the cardholder leaves the Agency; the cardholder changes jobs within the Agency and no longer requires the credit card (or their new SES does not approve the retention of the card); and the cardholder has been instructed to surrender the credit card.’
• When the credit card has been cancelled, the cardholder must destroy the credit card as soon as possible and complete the online request to cancel the card.
• ‘If a credit card is lost or stolen, the cardholder must immediately cancel it with the card issuer and inform relevant branches within both NDIA and Services Australia of the circumstances resulting in the loss or theft.’
• ‘Cardholders taking leave for greater than six weeks must submit a request to enable the limit on their credit card to be reduced to $1 during their leave.’
• Since December 2021 if the card has not been used in accordance with the policy it may be temporarily suspended or cancelled.⁵²
• ‘A review of cardholders is undertaken annually to ensure valid reasons exist for card retention.’

Acquittal and travel approvals mechanisms

2.51 Acquittals for credit card transactions and travel (and travel approvals⁵³) are undertaken by the cardholder or traveller in the NDIA’s finance and human resources system.⁵⁴ For credit cards, the line manager position for reviewing the credit card acquittal is automatically allocated to the supervisor recorded in the system. As part of the acquittal process for travel, the traveller selects to whom the acquittal will be work flowed for review or approval.⁵⁵

2.52 The NDIA Finance Policies did not specify the process for travel pre-approval or review of credit card and travel acquittals for the CEO and Board Members. The Board does not pre-approve the Chair or Board members travel expenses; they are approved by NDIA staff with a classification between Executive Level 2 and SES Band 2.⁵⁶ The Board Chair does not review or pre-approve the CEO’s credit card and travel expenses; they are reviewed or approved by the Chief People Officer (an SES Band 2 who reports to the Chief Operating Officer).⁵⁷ There is no evidence the potential for positional authority risk related to credit card use, including travel, has been appropriately assessed and managed (see paragraph 2.51 (approvals mechanisms), paragraphs 3.24 and 3.25 (credit card acquittal), and paragraphs 3.26 and 3.30 (travel approvals)).⁵⁸

Non-compliance

2.56 The NDIA Finance Policies define credit card misuse.

• Purchases relating to: scheme participant or provider related expenses; clothing which uses the NDIA’s branding or logo; NDIA assets without the approval from the CFO or the Chief Information Officer (CIO) in the case of ICT equipment and software; commercial accommodation costs (unless the NDIA’s accommodation broker provides written confirmation they are unable to provide accommodation); airline tickets; security deposits when checking into accommodation; or for a deposit where the balance is to be paid by a purchase order.
• Study expenses ‘where reimbursement has been agreed to under the Study and Professional Development Support Policy.’
• Splitting of payments on a transaction to circumvent transactional limits or procurement requirements.
• Purchase of ‘personal items, goods or services (including loans, borrowings or payment of private accounts)’ or accruing ‘cardholder loyalty programs, rewards points or discount vouchers for personal use’.
• Paying for ‘expenditure already provided for by an allowance (i.e. ‘double dipping’)’.

2.57 The NDIA Finance Policies indicate that travel non-compliance includes trips undertaken without approval in place, acquittals are not submitted on time, contracted suppliers have not been used and travel is not in accordance with policy.

Has the NDIA developed effective training and education arrangements to promote compliance with policy and procedural requirements?

Credit card training

2.58 Since August 2020, the NDIA Finance Policies require credit card applicants to complete online training prior to being issued with a credit card. Cardholders are not required to complete refresher training. Training for credit cardholders addresses all cardholder responsibilities and requirements; training does not assess the cardholder’s understanding. Credit card training does not include the timeframe within which a credit cardholder’s line manager or SES must complete a review of credit card acquittals. Training is not required for line managers and SES with approver and reviewer responsibilities.

2.59 For the approved credit card applications between 1 July 2021 and 30 June 2023, all applicants advised that they had completed training. Applicant’s statements about training completion are supported by the training records for 1 July 2021 to 30 June 2023.⁵⁹

2.60 The NDIA advised the ANAO in September 2023 that refresher training is recommended to staff following instances of non-compliance. The NDIA’s records indicate that of the 42 staff (including 14 SES officers and the CEO) who had recorded one or more non-compliance in 2021–22 and 2022–23 (see paragraph 3.47), 13 staff (including two SES officers and the previous CEO) were asked to undertake relevant training. Seven (including one SES officer) of the 13 completed training after the incident (only two completed within three months of the incident). Between 1 July 2021 and 30 June 2023 there were 55 non-compliances reported by the NDIA (see paragraph 3.49), this represents less than one per cent of the 11,925 credit card transactions in this period (see paragraph 1.10). Quality assurance processes indicate that there is considerable under-reporting of non-compliance with the NDIA Finance Policies (see paragraph 3.35 and Table 3.2), indicating further training may be of benefit to cardholders and line managers.

Travel training

2.61 The NDIA does not require travellers or delegates responsible for pre-approving and approving travel expenditure to complete travel training. Between 1 July 2021 and 30 June 2023 there was 74 reported instances of non-compliance, this represents less than one per cent of the 8,509 trips in this period (see paragraph 1.10).

3.1 Preventive controls work by reducing the likelihood of inappropriate credit card use before a transaction has been completed. Preventive controls for credit cards can include: policies and procedures; education and training; deterrence messaging; declarations and acknowledgements; blocking certain categories of merchants; issuing cards only to those with an established business need; placing limits on available credit; and limiting the availability of cash advances.

3.2 Detective controls work after a credit card transaction has occurred by identifying if there is a risk that it may have been inappropriate. Detective controls for credit cards can include: regular review processes (with segregation of duties between cardholder and reviewer); exception reporting; fraud detective software; tip-offs and public interest disclosures; monitoring and reporting; and audits and reviews.⁶⁰

3.3 When detective controls identify instances of potential fraud or non-compliance, entities should have effective processes in place for managing investigations and implementing follow-up actions (such as further training, sanctions, or referral to law enforcement agencies).

Has the NDIA implemented effective preventive controls on the use of corporate credit cards?

Issuing cards

Credit cards

3.4 The NDIA’s Finance Policies and procedures for issuing cards are outlined at paragraph 2.48. There were 86 online credit card applications completed between 20 August 2021 and 30 June 2023, and five credit card applications made and approved by email between 1 July 2021 and 20 August 2021.⁶¹

3.5 The 86 online applications, of which 82 were approved, largely complied with the NDIA Finance Policies and procedures.

• There were insufficient records to confirm the eligibility assessments undertaken when approving the applications.
• There were 16 (19 per cent) applications from SES officers that did not have SES line manger endorsement. In November 2023 the NDIA advised the ANAO that SES applications flow directly to the Branch Manager Financial Control for approval, without requiring endorsement from their supervising SES officer.
• Of the approved applications, six (seven per cent) had business cases that only referred to the applicant’s level and that the credit card was needed for their role, without any further information provided.

3.6 The NDIA does not have sufficient records to assess whether email applications were completed in accordance with the NDIA Finance Policies and procedures.

Travel

3.11 Credit cards were not issued to NDIA staff for use for travel. Instead, under the shared services arrangements and the Whole of Australian Government Travel Arrangements (the Travel Arrangements) (see paragraphs 1.6 and 2.6), for each of the core services (accommodation, airfares and vehicle rentals) a credit card was established by Services Australia with Diners Club to be used for paying such expenditure related to NDIA staff travel.

Cancelling and suspending cards

Credit cards

3.12 To establish if the NDIA’s Finance Policies and procedures for cancelling and suspending cards (see paragraph 2.50) were effectively implemented, the ANAO examined credit cards cancelled and suspended in 2021–22 and 2022–23. There were: 84 requests to cancel credit cards; seven replacement card requests; nine suspension requests due to extended leave; and three notifications of change of branch and applications to keep a credit card. The NDIA largely complied with its policies and procedures for cancelling and suspending credit cards.

• Credit cards were not suspended or cancelled in any of the 55 instances of non-compliance, which related to 62 transactions (see Table 3.4 and Table 3.5⁶², and paragraphs 3.55 to 3.60 for further discussion of non-compliance).
• There was no evidence of how many of the 84 requests to cancel cards were due to staff being instructed to cancel their credit card, noting the NDIA’s annual credit card reviews led to 37 (44 per cent) cancellations in the period examined (see paragraph 3.13).
• For lost cards there was insufficient information to determine if reporting was timely. All cardholders verified the last five transactions on their credit card were valid when reporting a lost or stolen card.
• The evidence provided did not demonstrate that three (33 per cent) of the nine credit cards suspended had the cardholder’s credit limit reduced to one dollar for the period of leave (see paragraph 3.17). One cardholder submitted a request to suspend their credit card 23 days after the leave period commenced.
• It took between five and 38 days to approve change of branch requests.

3.13 In 2021–22 and 2022–23, the NDIA completed annual reviews of cardholders for the purpose of determining if there is an ongoing business need for the credit card. The standard operating procedure does not specify whether SES officers are included in this review and if so, who is required to verify the ongoing business need for their relevant card.⁶³

• In 2021–22 the NDIA made a decision to cancel 13 of 237 credit cards (including the card for one staff member who had left the entity and two that were on leave).
• In 2022–23 the NDIA made a decision to cancel 24 of 234 credit cards (including the cards for one staff member who had left the entity and three that were on leave).

Travel

3.14 Credit cards were not issued to NDIA staff for travel (see paragraph 3.11).

Managing transactions

Credit cards

3.15 Merchant blocking can be used to prevent the misuse of corporate credits and minimise fraud risks by excluding classes of transactions, for example from gambling or dating and escort agency vendors.⁶⁴ The NDIA Finance Policies do not include merchant blocking for credit cards or travel.

3.16 The NDIA Finance Policies prescribe a standard monthly limit for credit cards of $20,000 (including GST) with a limit of $9,999 (including GST) per transaction. The CEO and the CFO can approve increases to transaction and monthly limits in the event of exceptional circumstances and the request must be supported by a business case.⁶⁵

3.17 The NDIA does not assure itself that credit limits are consistent with the NDIA Finance Policies. In August 2023, the NDIA provided the ANAO with an extract of all credit card limits since 1 July 2021 — there were 212 credit cardholders listed, all were unique cardholders. The NDIA provided annual review data for 2021–22 and 2022–23. In December 2023, Services Australia provided the ANAO with the NDIA’s credit card listing including credit limits for 215 active cards. The ANAO compared the Services Australia list of credit card limits to the lists of credit limits provided by the NDIA. Table 3.1 shows the rates of compliance with the NDIA Finance Policies for the monthly and transaction limits of NDIA credit cards as recorded by the NDIA and Services Australia. The results in Table 3.1 demonstrate that the NDIA Finance Policies are not consistently applied.

Table 3.1: Comparison of NDIA and Services Australia credit limit data and compliance with NDIA Finance Policies

Note a: Annual credit card reviews (see paragraph 3.12 and 3.13) identified a further three officers that had a monthly credit limit set at $1 during the period 1 July 2021 to 30 June 2022.

Note b: Monthly transaction limits were set at $1 for two credit cards, $0 for one credit card, $20,000 for 211 credit cards and $1,000,000 for one credit card.

Note c: Transactions limits were set at $10,000 for 125 credit cards, $9,999 for 88 credit cards, $1,000 for one credit card and $250,000 for one credit card.

Source: ANAO analysis of NDIA and Services Australia data.

Travel

3.18 Credit limits for travel were managed by Services Australia and not examined as part of the audit.

Using credit cards to make payments under $10,000

3.19 The NDIA Finance Policies require that low value items (generally less than $10,000 including GST) should be purchased using a corporate credit card (see paragraph 2.45).

3.20 The NDIA established a direct payment tracker in December 2022 to record applications for an alternative payment method to credit card payments. The tracker contained 47 requests; eight were withdrawn, one request was being assessed and 38 were approved. Under the NDIA Finance Policies and procedures, the Branch Manager Financial Control has responsibility for approving applications. The ANAO examined four applications between December 2022 and September 2023, the Branch Manager Financial Control approval was provided for each application.

Has the NDIA implemented effective detective controls on the use of corporate credit cards?

Credit card acquittal

Cardholder acquittal

3.21 The NDIA Finance Policies require cardholders to take the following steps when acquitting credit card transactions.

• Transactions must be acquitted within 35 days of the date of purchase (the receipt date). Prior to December 2021, credit card acquittals were to be completed in 28 days of the date of purchase.
• The credit cardholder must attach all required supporting documentation at the time of acquittal, including: a valid tax invoice for all purchases valued at or over $82.50 (including GST)⁶⁶; a receipt or proof of purchase for all purchases below $82.50 (including GST); or a declaration where a tax invoice is unavailable.
• Cardholders must report all unauthorised and unrecognised transactions immediately to relevant branches within the NDIA and Services Australia. Cardholders must ‘follow up with suppliers’ if they identify duplicate transactions or incorrect charges.
• Accidental private expenditure is considered non-compliant and should be reported as soon as possible.

3.22 To establish if the NDIA’s Finance Policies and procedures for credit card acquittal were effectively implemented, the ANAO selected a sample of 117 credit card transactions between 1 July 2021 and 30 June 2023 (of which 16 were CEO and 42 were SES officers transactions). The NDIA partly complied with these requirements.

• Four transactions were not acquitted within required timeframes.
• One transaction did not have required supporting documentation attached.
• Three of the six disputed transactions were identified by the same cardholder as possibly fraudulent transactions. For all disputed transactions ANZ or the supplier credited the NDIA for the amount of the transaction.
• Nine transactions were reported as personal use, of which six transactions were made by the CEO or SES officers. In all nine cases the cardholder repaid the value of the transaction.
• Eighteen transactions that were potentially ‘split transactions’, of which six transactions were made by the SES officers.⁶⁷
• Eight IT equipment purchases without supporting approvals, of which two transactions were made by the CEO or an SES officer.
• Three transactions relating to travel, one for accommodation charges that was reported by the SES cardholder as being incorrectly charged by the vendor and two for airfares which had been self-reported by the cardholder.

3.23 The ANAO’s review of all transactions between 1 July 2021 and 30 June 2023 identified: eleven transactions that occurred when a staff member was on leave for six weeks or more (of which eight transactions were made by SES cardholders); and one transaction that occurred following the SES staff member’s departure from the agency. These transactions include four uber or taxi trips while a staff member was on leave without pay, and one transaction for a subscription that occurred after the staff member had left the organisation. These transactions had not been identified by the NDIA as non-compliant with the NDIA Finance Policies. The NDIA advised the ANAO in January 2024 that ‘all expenditure was work related and approved by their line managers. There is no indication that these transactions are inappropriate in nature.’

Line manager approval of acquittal

3.24 The NDIA Finance Policies require line managers to review and approve the cardholder’s acquittal within seven calendar days and ensure:

• all transactions are for NDIA purposes;
• all supporting documentation (such as invoices and approvals) is attached;
• no payments have been inappropriately split to avoid the cardholder’s transaction limit or procurement requirements; and
• all private expenditure is identified, reported in the financial system as non-compliant and acquitted as private expenditure (a type of non-compliance), triggering the recovery process.

3.25 To establish if the NDIA’s Finance Policies and procedures for line manager review of credit card acquittals were effectively implemented, the ANAO examined a sample of 117 credit card transactions.

• For five sample transactions (of which three were made by SES officers) the line manager did not review the acquitted transaction within the prescribed time period.
• The NDIA does not hold sufficient records to determine whether transactions were returned to the cardholder for correction.
• For four transactions the seniority of the line manager could not be determined. Where seniority could be determined, the ‘line manager’ approver was junior to the cardholder for 20 transactions (16 of which related to the Chief People Officer (CPO), SES Band 2, reviewing acquittals of the CEO and four related to the CPO reviewing the acquittal from SES Band 3 officers, see paragraph 2.52), and the cardholder and line manager were at the same level for two transactions.

Travel approval and acquittal

Travel requests and traveller acquittals

3.26 The NDIA Finance Policies require travellers to obtain approval to travel prior to travel commencing and to acquit travel expenses once travel is completed. Key policy requirements include:

• travel must only be booked after written approval has been obtained from the appropriate delegate;
• all trips must be documented accurately in the finance and human resources system and approved in that system by the appropriate delegate before commencement of the trip⁶⁸;
• staff must ensure that expenses, including all relevant documentation, are added to the trip record prior to approval; and
• all trips must be acquitted in the finance and human resources system within 14 days after the travel has been completed.

3.27 Controls over workflows for travel approval and acquittals were designed effectively. In November 2023, Services Australia advised the ANAO that if a travel request exceeded the CEO’s delegation it would workflow to the CEO and it is expected that the CEO would then take the matter to the Board and once Board approval is received, would complete the approval. There was no travel that exceeded the CEO’s delegation in 2021–22 and 2022–23.⁶⁹

3.28 To establish if the policies for travel pre-approval and cardholder acquittal were effectively implemented, the ANAO examined a sample of 93 trips (including 23 trips by SES officers, 26 trips by the CEO and 25 trips by Board members). The NDIA partly complied with key internal policy requirements.

• The NDIA did not maintain records of travel pre-approvals centrally or attach them as supporting documentation to the travel approval in the finance and human resources system. For example, there were seven instances of private motor vehicle use by non-SES staff in the travel sample; in all instances pre-approvals were not attached to the trip record in the finance and human resources system.⁷⁰
• Ten trips did not have supporting documentation, of which two related to SES officers and one to the CEO.
• Eighteen trips did not have supporting information uploaded before the trip commenced, of which five related to travel by the CEO, three by Board members, and five by SES officers. A further 17 trips had additional supporting information uploaded after the trip commenced or concluded, of which six related to Board members, seven related to the CEO and two related to SES officers.
• Twenty-four trips were submitted in the finance and human resources system by the traveller after the trip was commenced (including four submitted on the day the trip commenced). Fourteen of these trips related to travel by the CEO or NDIA Board members. Where trips were not submitted before travel commenced, late requests ranged from the day travel commenced to 204 days after travel commenced.
• One trip within the sample was acquitted before it was completed.
• Eighteen trips were acquitted more than 14 days (up to 317 days) after travel was completed, of which five related to Board members, seven related to the CEO and four related to SES officers. Thirty-six trips had more than one acquittal workflow, and two trips had six acquittal workflows.⁷¹

Delegate approval of travel

3.29 To establish if the policies for delegate approval of travel acquittals were effectively implemented, the ANAO examined a sample of 93 trips (see paragraphs 3.26 and 3.28). The NDIA partly complied with these requirements.

• Thirty-one trips were approved after the trip commenced (including five that were approved on the day the trip commenced, and two trips that were cancelled). Of the 31, 15 of the trips related to travel by the CEO or Board members. Where trips were not approved before travel commenced, late approvals ranged from the day travel commenced to 204 days after travel commenced. Forty-four trips had more than one approval workflow, one trip had seven approvals.⁷²
• Services Australia provided a current and historical list as at 20 November 2023 of spending approvers recorded in the finance and human resources system (see footnote 55). Comparing these lists to travel approvers in the travel sample indicates that an incomplete list was provided or that the controls in the finance and human resources system were not working as intended. For example, two travel approvers, including the CEO, were not included in the current or previous list.

3.30 Separate to the issue of whether someone was validly recorded as a travel delegate in the finance and human resources system, the ANAO assessed whether the delegate who approved a trip had the appropriate financial delegation at the time of the recorded approval based on their recorded employment classification and the financial delegations contained in the NDIA HR Delegations, Accountable Authority Instructions and Financial Authorisations Manual (for the relevant version issued between October 2020 and July 2022).

• The delegate’s classification could not be determined for one sample item as the delegate was not listed as an employee in HR records.
• The delegate ‘travel approver’ was junior to the traveller for 51 trips (see paragraph 2.52 and footnotes 56 and 57: 26 of these were approvals of CEO travel by the Chief People Officer; and a further 25 of these were approvals of Board Chair or Board members travel by NDIA staff with a classification between Executive Level 2 and SES Band 2).
• The delegate and the traveller were at the same level for 16 trips (15 of these related to an SES Band 2 officer).
• One approver was not a delegate.

Quality assurance reviews

Credit cards

3.31 The credit card processing team, Financial Control Branch, complete daily checks of all credit card transactions acquitted by the credit cardholder (they are described as quality assurance checks). The checks include verifying correct coding of the transactions, compliance with the credit card policy⁷³ and that correct documentation is attached. There is no independent process for assurance over transactions recorded by credit cardholders within the branch. The results of these checks are maintained in a monthly spreadsheet and non-compliance is reported in the weekly credit card report provided to the Branch Manager Financial Control.

3.32 In 2021–22 and 2022–23, daily assurance checks were completed for 7,632 and 10,178 credit card transactions, respectively.⁷⁴ Table 3.2 provides the results of the daily assurance verification process recorded by the credit card processing team, by financial year, excluding non-compliance with credit card policy that does not relate to coding or attaching a relevant invoice or other required information.

Table 3.2: Daily assurance check results between 1 July 2021 and 30 June 2023

Note a: Transactions that are not compliant with relevant policy requirements, other than where an invoice was not provided, are not recorded as an outcome for the daily assurance check. For example, instances of non-compliance relating to transaction splitting or accruing loyalty points.

Note b: When there is an adjustment to an acquittal (such as to the tax code or cost centre) the transaction will update and repost overnight, and appears again in the report. The transaction is noted as a ‘Repost’ to indicate a daily assurance check has previously been completed.

Source: ANAO analysis.

3.33 There is no documented methodology for assessing the appropriate use of credit cards for payments less than $10,000 (including GST) and promoting compliance with these requirements under the NDIA’s policy. Assessing payments under $10,000 is not explicitly listed as a check performed as part of the daily assurance checks conducted by the credit card processing team (see paragraph 3.19).

3.34 The daily assurance procedure does not set criteria or provide guidance on how to identify and record credit card non-compliance (such as transaction splitting, see footnote 73) when completing the daily check. Instead, the procedure relies on staff member’s knowledge of the credit card policy. The procedures also provide for discretion in reporting non-compliance. The daily assurance procedure advises the credit card processing team:

Discretion is used when deciding whether there is a non-compliance of policy. For example, if a cardholder has not attached the correct invoice, this can be requested via feedback to the cardholder before proposing a non-compliance be recorded.

3.35 Daily assurance checks identified 506 instances (four per cent) across 11,925 transactions (see paragraph 1.10) where required invoices were not attached as part of the acquittal process. None of these instances were reported as non-compliance, see Table 3.4.

3.36 Other daily processes such as credit card acquittal reminders and weekly reporting identify where credit cardholders do not complete acquittals within 35 days of the transaction (that is, the acquittal is non-compliant). Weekly reports identified no instances of acquittals not occurring within 35 days of the transaction in 2021–22, and five instances in 2022–23.

Travel

3.45 Services Australia developed an updated version of the Travel Compliance Framework and Policy in June 2020, however it was not approved.⁷⁵ Services Australia applied the unapproved version of the Travel Compliance Framework and Policy dated June 2020 during the course of the audit. Services Australia staff conduct monthly⁷⁶, quarterly⁷⁷ and annual compliance audits on the NDIA’s recorded travel.⁷⁸ Where non-compliance is identified, the details are recorded in the non-compliance spreadsheet for reporting in quarterly compliance reports (see paragraph 2.23).

3.46 Table 3.3 provides the results of the travel compliance audits recorded by Services Australia in the quarterly compliance reports provided to the NDIA (see paragraph 2.23), by financial year. In 2021–22 and 2022–23, there were no reported instances of non-compliance involving: claiming private motor vehicle when there is a Hertz rental; reunion trips; or the business case. Of the 33 non-compliances identified, Services Australia made 30 recommendations in an attachment to the quarterly compliance reports to the NDIA to address travel non-compliance (in one instance this related to SES non-compliance involving private motor vehicle allowance). The NDIA did not respond to Services Australia or implement recommendations (see paragraph 2.23 and 3.64). There were insufficient records to determine the level of the traveller for the three travel non-compliances where a recommendation was not made.

Table 3.3: Travel non-compliance reported in quarterly compliance reports between 1 July 2021 and 30 June 2023

Note a: NDIA staff must use the Travel Arrangements to book air travel. This includes booking the lowest practical fare in economy class unless there is an approved business case or entitlement to travel business class.

Source: ANAO analysis.

Does the NDIA have effective processes for managing identified instances of non-compliance?

Recording and reporting on non-compliance

Credit cards

3.47 Between 1 July 2021 and 30 June 2023, 55 instances (involving 42 cardholders, including 14 at SES or CEO level, see paragraph 2.60) of credit card non-compliance were reported in the financial system (this does not include all non-compliance detected by quality assurance processes, see paragraphs 3.34 and 3.35).⁷⁹ There were ten cardholders with more than one instance of non-compliance, including one cardholder with four, and another with three (three of the ten cardholders were SES officers and one was the previous CEO). These instances of non-compliance related to 62 transactions. Instances of non-compliant transactions by nature of the non-compliance reported are shown in Table 3.4.

Table 3.4: Instances of credit card non-compliance recorded in the financial system between 1 July 2021 and 30 June 2023

Source: ANAO analysis of NDIA data.

3.48 The total number of instances of non-compliance reported in weekly reports in 2021–22 was 15, and in 2022–23 was 39. In 2022–23 weekly reporting also indicated the source of non-compliance identification: 24 self-reported and 15 identified through quality assurance processes. Weekly reporting indicated the most common type of non-compliance in both financial years was accidental personal use and split transactions. The number of credit card non-compliance reported in weekly reports was largely consistent with non-compliance reported in the financial system, noting there is a timing difference between the two information sources.

3.49 The 54 instances⁸⁰ of non-compliance in 2021–22 and 2022–23 PGPA survey results (see paragraphs 2.14 and 2.15) align with the 54 non-compliances reported in weekly reporting. However, it does not align with the 55 credit card non-compliances recorded in the financial system. The inconsistency in total number of non-compliance reported reflects timing differences between the final weekly report and the end of financial year, and report parameters that extracted items that were finalised (had action taken) in the period rather than occurred in the period for non-compliance reports.

Travel

3.50 The NDIA does not collate information on travel non-compliance and reconcile it into summary reports.

3.51 There is conflicting information relating to travel non-compliance in the following sources:

• Monthly incident reporting by the Financial Control Branch to the Risk Advisory Branch in 2022–23 included one instance of travel non-compliance (see paragraphs 2.30), where the travel was not approved in the finance and human resources system prior to the trip.⁸¹ There were no instances reported in 2021–22.
• The NDIA monthly ‘travel slides’ provided to the Branch Manager Financial Control and Chief Financial Officer reported in June 2022 26 trips were not compliant with the Travel Arrangements’ Lowest Practical Fare (LFP); and in June 2023 that 13 trips were not compliant with LFP.⁸²
• Services Australia’s quarterly reporting on travel non-compliance (see Table 3.3) indicates that there were up to 33 instances of non-compliance between 1 July 2021 and 30 June 2023. Services Australia does not examine or report on compliance with Lowest Practical Fare.
• PGPA compliance survey results reported travel non-compliance of zero in 2021–22 and one in 2022–23 (see paragraph 2.15).

3.52 With the exception of one instance of non-compliance included in the incident reporting, there is no reporting on aspects of travel policy non-compliance relating to where travel was not approved before commencing travel, acquittals and review were not timely, or travel and acquittals were not approved by an appropriate spending approver.

Action taken in response to non-compliance

Credit cards

3.55 The NDIA Finance Policies provide for the NDIA to take a range of actions in response to credit card misuse. If a cardholder misuses their credit card potential action against the cardholder can include: the card being cancelled; disciplinary action; repayment of card expenditure (which can be deducted from salary); and penalties under legislation including the Criminal Code Act 1995.

3.56 Credit card quality assurance procedures, rather than the NDIA Finance Policies, describe the action to be taken based on the number of credit card non-compliances:

• when a cardholder has had three non-compliances recorded against them over a 12-month period, the Branch Manager Financial Control will issue a warning to the cardholder and their line manager; and
• when a cardholder has had five non-compliances recorded against them over a 12-month period, the Branch Manager Financial Control will issue an email to the cardholder’s line manager requesting reasons why the card should not be suspended or cancelled depending on the circumstances.

3.57 Over the period 1 July 2021 to 30 June 2023, ten cardholders had more than one instance of non-compliance, one cardholder had four instances of non-compliance. Table 3.5 summarises the action taken by type of non-compliance, as it was recorded in the financial system.

Table 3.5: Action taken by type of credit card non-compliance

Note a: Essentials is the NDIA’s finance and human resources system.

Note b: FMCS is the Financial Management Compliance System, it is referred to as the financial system in this report.

Note c: A security deposit for accommodation should be paid through the Travel Arrangements.

Source: ANAO analysis of NDIA data.

3.58 In addition to these actions, of the 42 staff that recorded instances of non-compliance, the NDIA also recorded recommending 13 staff undertake relevant training in relation to 16 non-compliances (see paragraph 2.60). Of these 13 staff, seven completed training after the non-compliance (only two completed training within three months of the incident).

3.59 The NDIA has not recorded the following types of action taken in response to non-compliance in 2021–22 or 2022–23⁸³:

• disciplinary action;
• cancelled or suspended credit cards; and
• referring matters to the fraud team for investigation.

3.60 The recovery of personal use expenditure on credit cards is reported on a weekly basis. The NDIA recovered $1,000.08 across nine of the 10 instances of personal use in 2021–22 (in two of the 10 instances the cardholder was the CEO), and $829.65 across 18 of the 19 instances of personal use in 2022–23 (in nine of the 19 instances the cardholder was an SES officer).⁸⁴

Travel

3.61 The NDIA Finance Policies provide for the NDIA to recover the amount for non-compliant travel expenditure from the relevant employee and refer suspected fraud or misconduct for further investigation.

3.62 Services Australia’s Travel Compliance Framework and Policy (June 2020), includes the following responses to non-compliance:

• recover expenses where private travel exceeds business travel in line with the NDIA Finance Policies, in line with permanent relocation policy and for reunion trips;
• suspected incidents of fraud are escalated within Services Australia and recorded in the quarterly compliance report; and
• traveller is notified of non-compliance and action taken to make trip compliant; where the traveller has three identical types of non-compliance, escalate to traveller’s delegate or SES, or retraining may be provided or a breach is raised.

3.63 Monthly incident reporting by the Financial Control Branch in 2022–23 included one instance of travel non-compliance, where the travel was not approved in the finance and human resources system prior to the trip. In this instance the recorded resolution was to inform the staff member entering the travel in the human resources system of the policy requirement.

3.64 Over the period 1 July 2021 to 30 June 2023, Services Australia made 30 recommendations to the NDIA in relation to travel non-compliance (paragraph 3.46). Table 3.6 summarises the action recommended by type of non-compliance, as it was recorded in reporting from Services Australia to the NDIA.⁸⁵ The NDIA did not respond to Services Australia or implement recommendations. In December 2023, the NDIA advised the ANAO that there were no instances requiring NDIA response or intervention (see paragraphs 2.23 and 3.46).

Table 3.6: Action recommended by type of travel non-compliance, quarterly travel reports between 1 July 2021 and 30 June 2023

Source: ANAO analysis of NDIA data.

Appendix 1 Entity responses

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• On 29 April 2024 the NDIA commenced the process of creating a legal relationship between itself and ANZ, utilising a clause in the Deed between Services Australia and ANZ (see paragraph 2.10).
• The NDIA and the Department of Finance executed a Participant Deed in November 2023 specifying the Travel Arrangements they will utilise (footnote 36).