Introduction

1.1 The Department of Defence (Defence) may require its personnel to travel in order to perform their duties. Where Australian Public Service (APS) employees⁴ are required to travel on Defence business, Defence’s policy is that it will provide its employees with the facility to meet reasonable travel costs on the basis that they neither gain nor lose financially.

1.2 Defence’s APS employees can claim allowances as specified in the Defence Enterprise Agreement.⁵ Payments are made through the Defence Travel Card (DTC)⁶, Defence’s payroll system and Defence’s financial management information system, depending on the type of allowance and whether the traveller has a DTC.⁷

1.3 Defence expended $246 million on travel in 2017–18 and $237 million in 2016–17⁸, reflecting Defence’s large, dispersed and mobile workforce.⁹ These amounts reflect expenditure by Australian Defence Force personnel and APS employees for flights, accommodation, car hire and the majority of travel allowances incurred during official travel.¹⁰

Expenditure on allowances claimed for business travel

1.4 Defence’s financial management information system identifies expenditure of approximately $93 million in 2017–18 and $90 million in 2016–17 on allowances paid to Australian Defence Force personnel and APS employees travelling on official business. These amounts include travel allowances claimed for meals and incidentals¹¹, part day travel¹², and the use of a private motor vehicle. Of these amounts, approximately 20 per cent is claimed by APS employees ($17,802,059 in 2017–18 and $17,587,409 in 2016–17 as set out in Table 1.1).

Table 1.1: Estimate of travel allowances paid to Australian Public Service employees in Defence (July 2016 to June 2018)

Note a: Defence defines incidentals as minor expenses incurred casually and in addition to the amounts provided for meals.

Note b: Used when the employee does not hold a DTC, or when the card is not accepted.

Note c: This total is net of refunded, repaid, and disputed transactions during the period, which appear as negative amounts in each of the three systems listed.

Note d: The reasons travel allowance amounts reported are estimates rather than actuals, and the criteria and method used to compile information for this set of transactions, are outlined in Appendix 3.

Source: ANAO analysis of Defence data.

1.5 Three Defence Groups have responsibility for various aspects of travel allowance administration:

• Defence People Group manages the personnel policy aspects of travel, and processing of allowances paid through Defence’s payroll system.
• Defence Estate and Infrastructure Group manages Defence’s implementation of Whole-of-Government Travel arrangements, maintains Defence’s travel budget tools, provides procedural guidance on travel through its intranet site, and provides travel booking services for Australian Defence Force conditions of service, courses and long term international postings travel.
• Defence Finance Group manages DTCs, the credit card management system, and the payment of travel allowances through the financial management information system.¹³

1.6 Defence’s management of travel was examined in 2015 through the Review of Red Tape in Defence. Defence agreed to all 20 recommendations aimed at improving the management of travel in Defence.¹⁴

Rationale for undertaking the audit

1.7 The administration of employee allowances is a routine corporate function undertaken by government sector entities. Effective arrangements for the administration of allowances support entities to demonstrate the proper use of public money.

1.8 This audit focused on travel allowances, rather than all allowances paid to Defence’s APS employees as originally outlined in the ANAO’s 2017–18 Annual Audit Work Plan, because:

• the results of an audit focusing on common allowances paid to public sector employees were expected to be useful to all government sector entities;
• Defence has identified the fraudulent use of a Defence credit card (including the DTC) as a Defence-wide risk; and
• testing conducted by the ANAO in the course of auditing Defence’s financial statements in recent years identified non-compliance with regard to travel allowance payment approvals.

1.9 Auditor‐General Report No.33 2015–16, Defence’s Management of Credit and other Transaction Cards (which included the DTC) found that Defence did not have a complete and effective set of controls to manage the use of credit and other transaction cards. In May 2017, the Parliament’s Foreign Affairs, Defence and Trade References Committee expressed interest in the Auditor-General following up on the recommendations made in that audit report.¹⁵ This audit includes an examination of Defence’s implementation of the two recommendations made in the previous audit report that are applicable to the DTC.

Audit approach

Audit objective, criteria and scope

1.10 The objective of this audit was to assess the effectiveness of Defence’s administration of travel allowances paid to its APS employees. To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria:

• Defence has appropriate arrangements that support accurate payments of travel allowances to eligible APS staff; and
• Defence has effective arrangements in place to provide assurance over the payment of travel allowances to APS staff.

1.11 This performance audit focuses on Defence’s systems and processes to support travel allowance payments made to Defence’s APS employees during the period 1 July 2016 to 30 June 2018. The audit examined three types of travel allowance payments: meals and incidentals, motor vehicle, and part day travel. The rates for each type of allowance are outlined in Appendix 2.

Audit methodology

1.12 In undertaking the audit, the ANAO:

• reviewed relevant Defence policy, procedure and process documentation;
• interviewed key Defence personnel including: staff from Defence’s People, Finance, and Estate and Infrastructure Groups; and
• extracted travel allowance transactions paid to APS employees between 1 July 2016 and 30 June 2018 from Defence’s credit card management, financial management information, and payroll systems, and examined the supporting records for a sample of those transactions. The purpose was to determine rates of compliance with relevant legislation, policies and procedures. Results from the testing of the sample did not support the use of the results as the basis of an audit conclusion as there was a higher non-compliance rate than expected when the sample was selected. However, the results provide an indication of the rate of non-compliance. The sample methodology and the results of testing are discussed in Appendix 3.

1.13 The audit was conducted in accordance with the ANAO Auditing Standards at a cost to the ANAO of $367,700.

1.14 The team members were Jennifer Myles, Kim Murray and Sally Ramsey.

Has Defence established arrangements for the administration of travel allowances?

Types of travel allowances paid by Defence

2.1 Depending on the destination, duration and means of official travel, Defence may pay its APS employees:

• A part day travel allowance.¹⁶
• An amount to cover the costs of meals and incidentals.¹⁷
• A motor vehicle allowance if a private vehicle is used.¹⁸

2.2 The rates for travel allowances are set and reviewed by the Secretary of Defence for Defence’s APS employees, and the Remuneration Tribunal for the Secretary of Defence.¹⁹

Arrangements for the administration of travel allowances

2.3 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) enables the Secretary of Defence (the entity accountable authority) to delegate authority to enter into commitments to spend relevant (public) money, including for official travel.

2.4 Defence’s Accountable Authority Instructions are issued by the Secretary of Defence under the authority of section 20A of the PGPA Act. Accountability Authority Instruction 2 — Approval and Commitment of Relevant Money relates to the spending of public money by Defence officials. The Instruction specifies that when approving commitments of relevant money, delegates are to ensure that:

• sufficient funds are available within the relevant budget;
• the proposed commitment promotes value for money; and
• approvals for proposed commitments are properly recorded.

2.5 Defence’s Financial Delegations Manual is managed by the Defence Finance Group. It specifies the requirement for delegates to comply with the Accountable Authority Instructions and to record and retain documentation of any exercise of a financial delegation. This is to be done by signing, dating and printing their name, position title and position number, in respect to each commitment of relevant money.

2.6 The Defence Finance Group is responsible for the management of DTCs, the credit card management system, and the payment of travel allowances through the financial management information system.²⁰

2.7 Defence People Group is responsible for processing travel allowances paid through Defence’s payroll system and the management of travel policy. The Group provides guidance documents on:

• Duty Travel²¹;
• Part Day Travel Allowance;
• Travel Time; and
• Motor Vehicle Allowance.

2.8 Defence Estate and Infrastructure Group is responsible for managing the operational aspects of Defence travel including but not limited to: Defence’s implementation of Whole-of-Government Travel arrangements; maintaining Defence’s travel budget calculators; and providing procedural guidance on travel through its intranet site and support through the Defence Service Call Centre and Customer Service Centres on bases to assist Defence APS staff with travel queries.

2.9 The Review of Red Tape in Defence (2015) recommended that, as part of the implementation of an electronic travel management system, travel policy and its administration should become the clear responsibility of one area of Defence. Implementation of a travel requisition and expense management system was ‘paused’ in March 2019 and subsequently ‘ceased’.²² The three Defence Groups continue to have responsibility for various aspects of travel policy and administration.

2.10 In June 2019 Defence informed the ANAO that:

As a result of this audit, Defence established a Travel Board in May 2019 to bring together the Defence groups responsible for overseeing travel expenditure. The Board will govern travel policy, controls processes and compliance. It will report to the organisation’s Enterprise Business Committee and Defence Committee on progress made in improving travel administration, compliance and performance across the business.

2.11 In June 2019, Defence informed the ANAO that the:

• Travel Board consists of four representatives from Defence’s Finance, People, and Estate and Infrastructure Groups;
• terms of reference for the Travel Board have not been finalised; and
• Travel Board has met four times to date but there are no meeting minutes or documented outcomes.

Approval of travel proposals and claims for associated travel allowances

2.12 For the payment of travel allowances, Defence seeks to achieve compliance with the PGPA Act, Accountable Authority Instructions and Financial Delegations Manual through the completion and approval of travel proposals.

2.13 Defence requires travel proposals to be documented using tools such as Defence’s travel budget calculators, iTravel²³ and other forms. These tools capture information about the: travel purpose; schedule; estimated cost including travel allowances; approvals; and after travel certification, where required.

2.14 Allowances are calculated based on the planned travel dates, times and method of transport.²⁴ Depending on the travel allowance, the traveller may also be required to complete additional forms to support their claim.

2.15 Figure 2.1 illustrates Defence’s travel allowance approval process for its APS employees.

Figure 2.1: Defence travel allowance approval process for APS employees

Source: ANAO summary of Department of Defence’s policy, guidance, forms, fact sheets and other documents intended to guide the claiming and processing of travel allowance payments.

Payment of travel allowances

2.16 Figure 2.2 illustrates Defence’s process for APS employees to access approved travel allowances.

Figure 2.2: Defence’s process for claiming approved travel allowances

Source: ANAO summary of Department of Defence’s policy, guidance, forms, fact sheets and other documents intended to guide the claiming and processing of travel allowance payments.

Has Defence provided accurate guidance to APS employees about travel allowances, including eligibility criteria?

Travel guidance material

2.17 The Review of Red Tape in Defence (2015) described Defence’s travel policy and procedure framework as a ‘frightening smorgasbord of documents’ and concluded that Defence personnel needed a single source of travel policy and procedure advice.²⁵

The Department badly needs a streamlined, simple policy guidance document in plain English on Official Travel and the use of DTCs in place of the current multiple policy documents, instructions and regulations relating to travel. This should be a consolidated statement of Defence travel policy that is concise, in plain English, and no more than a few pages in length.

2.18 Recommendation 19 of the Review was that Defence produce a ‘single, brief policy guidance document in plain English on Official Travel and the use of DTCs’. Defence agreed to this recommendation and reported to the Enterprise Business Committee²⁶ that this recommendation was completed on 14 February 2018.

2.19 Defence could not provide the ANAO with a single, brief policy guidance document in plain English on ‘Official Travel and the use of Defence Travel Cards’ as recommended by the 2015 Review of Red Tape in Defence, and was unable to demonstrate that this work had been undertaken. Defence’s collection of policies, procedures and tools remains fragmented, with three Defence groups responsible for managing elements of the multiple guidance documents and forms relating to the approval and payment of travel allowances. Some travel allowance guidance is reproduced in multiple documents.

2.20 As at 22 February 2019, documentation relating to travel allowance payments in Defence remained extensive and included:

• four high level policy documents;
• three joint directives;
• seven policy guidance documents;
• 16 intranet pages;
• 15 fact sheets;
• two quick guides;
• two check lists; and
• 27 DTC and credit card management system guidance documents, fact sheets and instructions.²⁷

2.21 The ANAO reviewed these documents and found the following examples of gaps, inconsistencies and ambiguities.²⁸

International travel approval

2.22 The Defence Travel intranet website contains conflicting information about forms required for international travel proposals and references to out-of-date Defence documents:

• ‘Quick Guide for Short-term Duty Overseas Travel’ specifies that travellers must complete the following forms: Overseas Visit Authority; and Overseas Travel Budget Calculator or iTravel.
• Fact sheet ‘International — Short-term Duty Overseas Travel — Before you Travel’ states travellers must complete the following forms: Overseas Visit Authority; Overseas Travel Budget Calculator or iTravel; and Notification of Proposed Overseas Travel.
• Intranet page ‘International Travel Policy’ also specifies that international travel must be approved on the Overseas Visit Authority form, but that other simplified, local forms can be used.²⁹ This page does not mention the Overseas Travel Budget Calculator, iTravel or the Notification of Proposed Overseas Travel form.
• Fact sheet ‘International — Short-term Duty Overseas Travel Overview’ does not specify which forms to complete and refers to the Defence Enterprise Agreement 2012–14 and the Defence Workplace Relations Manual (archived 2017).

2.23 Defence’s information on International Travel delegations also varies and is not always consistent with Joint Directive 27/2012³⁰, which specifies the following approval requirements for international travel:

• officers below the level of Group Head and Service Chief may not approve overseas travel for more than two Defence personnel.
• Group Head or Service Chiefs may, in exceptional circumstances, give written personal permission for groups of up to five travellers.
• the Secretary and Chief of the Defence Force are the sole authorities for a group constituting more than five people.

2.24 The Joint Directive states that relevant Defence Instructions and forms associated with overseas travel were to be amended accordingly. This has not been done in all cases.

2.25 Defence Travel’s fact sheet ‘Approval Requirements for Official International Travel’ (8 March 2017) and the Overseas Visit Authority (13 February 2017) have incorporated the requirements of Joint Directive 27/2012, specifying the following approval requirements:

• up to two people — Senior Executive Service level 2 or equivalent;
• up to five people — Group Heads or Service chiefs in exceptional circumstances; and
• more than five people — Secretary or the Chief of the Defence Force.

2.26 However, other guidance documents available on the Defence Travel website have not incorporated the requirements of the Joint Directive. The website includes intranet page ‘International Travel Policy’ and fact sheet ‘International — Short-term Duty Overseas Travel Overview’ (4 August 2016), which state that the ‘Section 23 Commitment Approver for official international travel is at the Two-Star or Senior Executive Service Band 2 level.’ These guidance documents do not include the additional requirements for multiple travellers specified in Joint Directive 27/2012. Given that the Overseas Visit Authority is not specified as a mandatory form in some guidance provided on the Defence Travel website, travellers who choose not to use this form may not be aware of these additional approval requirements.

2.27 Of 46 international travel allowance claims reviewed by the ANAO, 11 (24 per cent) were not approved, or not approved by at least a Two-Star or Senior Executive Service Band 2 level officer, making them non-compliant with Defence’s internal policies and procedures.

After travel certification

2.28 After travel certification is incorporated in some travel budget calculators, to be completed by the traveller under specific circumstances.³¹ The Defence Travel website (intranet) page titled ‘After Travel Domestic and International’ contains the following conflicting statements on the need to complete the after travel certification:

• Travellers, upon completion of official travel, will only be required to complete the after travel certification where there is a change to the approved travel plan that:
  • increases the original budget; or
  • decreases the original budget and results in an amount needing to be repaid.
• Where the traveller has used either a Budget Calculator or iTravel to do their budget, the traveller is to complete the after travel certification section.
• Travellers using iTravel to create their budget are to complete the after travel certification section on the Trip Budget.
• For overseas Training and Education organised by Defence Travel - Travellers are to complete a PY083-1 Certification (Acquittal) and the PY083 Travel Diary.³²

2.29 APS employees’ completion of the certification varied across the sample of transactions reviewed by the ANAO. Some travellers completed the after travel certification even though no changes to the approved travel plan were made. There were also instances where changes to the approved travel plan occurred but the after travel certification was not completed.

iTravel form

2.30 The iTravel trip budget form does not include a space for the approver (the Secretary’s delegate) to include their position number. Documentation of the approver’s position number is a requirement of Defence’s Financial Delegations Manual.

Motor Vehicle Allowance

2.31 Policy guidance issued by Defence People Group for use of an employee’s own motor vehicle states that Defence will not accept any responsibility for financial liability or loss which may be incurred by an employee involved in an accident, or as a result of theft or damage, while using their own vehicle for business purposes. The policy requires supervisors to sight proof of the driver’s licence, registration and ‘adequate insurance’ for the vehicle being used. This information is not readily accessible from the Defence Travel website and is not included in any of the forms or guidance documents on the Defence Travel website used to claim motor vehicle allowance (Domestic Travel Budget Calculator or the Cost Comparison form).

2.32 The ANAO reviewed 20 motor vehicle allowance payments and found no evidence that employees provided licence, registration and insurance information to their supervisor or the travel approver when proposing to undertake travel using a private vehicle. Defence should consider the implications of non-compliance with the policy and the merits of introducing compliance checks in this area.

2.33 The travel budget calculator and the Delegate Checklist for Own Means Travel (Use of own Conveyance) refer to the Defence Workplace Relations Manual, which was archived on 30 September 2017. A Defence intranet search in February 2019 for the Manual redirects users to the People Connect web page, which does not contain any reference to Motor Vehicle Allowance.

Record keeping

2.34 Defence’s Accountable Authority Instructions and Financial Delegations Manual are clear about the requirement to record proposed financial commitments and retain documentation when exercising delegations. Defence Finance Group guidance states that the relevant approved travel budget calculator and associated travel documentation must be retained on an official file and remain easily accessible for seven years from the end date of travel. None of the travel approval forms or calculators remind the traveller or approver of the requirement to maintain approval records. The requirement to maintain records is included in some guidance documents but responsibility for doing so is not clear. The following documents do not refer to the requirement to maintain records:

• Fact sheet — Travel Approval;
• Fact sheet — Travel Values and Principles;
• Fact sheet — In-Principle and Section 23 Commitment Approver Approval; and
• Defence travel budget calculators.

2.35 Records of approved travel are not held centrally. Defence relies on individuals or individual business areas to maintain sufficient records to demonstrate that travel costs were appropriate and authorised. The ANAO found that records requested as part of this audit for a sample of travel allowance transactions were, in many cases, not easily accessible.³³ In 21 per cent of cases a valid delegate approval could not be provided (see Table 3.2, which summarises the results of ANAO sample testing).

Defence Travel intranet site

2.36 In April 2019, in the course of this audit, Defence Travel implemented a new intranet site, known as TravelConnect. The ANAO reviewed the guidance material provided on TravelConnect and found that a number of out-of-date references have been removed and accessibility and clarity of information has been improved. Some inconsistencies have been addressed — for example, the after travel certification guidance issue has been resolved. However, gaps, duplication and inconsistencies remain.

2.37 To promote compliance as expected under PGPA Act section 15, Defence should undertake a thorough review of its guidance to eliminate existing gaps, duplication and inconsistency and establish a process to ensure that guidance to employees is updated to reflect future policy changes accurately. Further, Defence should implement what it advised the Enterprise Business Committee that it had already done.

Has Defence assessed the risks associated with the payment of travel allowances and identified risk-based controls to manage them?

3.1 Defence’s Joint Directive on the Management of Risk in Defence (JD 30/2015) establishes the core principles for risk management in Defence, and requires that decisions on risk be evidence-based; result in actions that are realistic and affordable; and subject to active and regular review.

Risks relating to travel allowances paid through the Defence Travel Card

3.2 The primary method of payment for travel allowances is the DTC (see Table 1.1). Defence’s current (May 2018) Fraud and Corruption Control Plan identifies the fraudulent use of credit cards (including the DTC) as a Defence-wide risk.³⁴ The Plan nominates Defence’s Chief Finance Officer as the risk steward and identifies three key controls that Defence uses to manage the risks of misuse of the DTC:

• management oversight;
• regular reconciliation of expenditure; and
• regular review.

3.3 In March 2018, Defence Finance Group’s Enterprise Wide Defence Credit Cards Fraud Risk Assessment (current as at June 2019)³⁵ assigned a ‘high’ risk rating to each of the following three risks, based on the controls in place at that time:

• Risk 1.1.1 Fraudulent use of a Defence credit card by the Cardholder or Third party;
• Risk 1.2.1 Unauthorised use of a Defence credit card by cardholder; and
• Risk 1.4.1 Fraudulent use of Cabcharge FLEXeTICKETs/ E-Tickets.

3.4 The March 2018 risk assessment identified one proposed control for both risk 1.1.1 and 1.2.1 which, if implemented, was expected to reduce the residual risk to ‘medium’. The proposed control was:

Commence targeted, in depth analysis of specific issues each month. Designed to complement the DAA/Systeam process [credit card sample testing program], and address emerging and likely areas of risk.

3.5 The March 2018 risk assessment documented that the residual risk for 1.4.1 was assessed as ‘medium’ without any additional controls being proposed or implemented.

3.6 On 13 March 2019, Defence Finance Group reported to the Defence Enterprise Business Committee on the ‘Risk Based Approach to Financial Compliance’. The report included commentary and recommendations on improving compliance around travel and purchasing cards. As part of its report, Defence Finance Group recommended the Committee note, among other matters:

• that ‘while no individual high risk areas within financial management decision making have been identified, there are a number of areas of medium risk…’;
• that ‘[Defence Finance Group] is considering structural changes to the [financial compliance] testing program that will align it to focus on areas of higher risk to the organisation’; and
• ‘four short term control options that will assist in mitigating risks associated with the use of travel and purchasing cards’.

3.7 Defence Finance Group did not reflect in its 13 March 2019 report to the Enterprise Business Committee that the use of credit cards had been assessed as presenting ‘high’ risks. The recommendation provided to the Committee — that it note that ‘no individual high risk areas within financial management decision making have been identified’ — was inconsistent with the department’s assessment of credit card fraud risk that was current at that time.³⁶ In June 2019, Defence advised the ANAO that the recommendation made to the Enterprise Business Committee ‘relates to financial management decision making in context of the overall financial risks impacting the organisation and was not reflective or limited to the credit cards residual risk post-mitigation’. Defence further advised that ‘the comment was made giving consideration to the work that had been undertaken to mitigate some of the risks’, and ‘the [Committee] was not advised that a number of actions designed to reduce the identified high risk in relation to credit card misuse had not been fully implemented’.

3.8 As discussed, the ratings for risks 1.1.1 and 1.2.1 were adjusted from ‘high’ (inherent risk) to ‘medium’ (residual risk) based on the expected impact of proposed controls. Defence’s mitigation strategy relies on the successful implementation of the proposed controls, including the effectiveness of additional compliance activities implemented in September and December 2018 (see Table 3.1 below), and the short-term controls referred to in the March 2019 report to the Enterprise Business Committee.

Risks relating to travel allowances paid through Defence’s payroll system

3.9 Part day travel allowances and motor vehicle allowances are paid through Defence’s payroll system and are the responsibility of Defence People Group. Defence People Group’s March 2018 Fraud and Corruption Risk Assessment identifies allowance fraud by APS and Australian Defence Force personnel as a risk. The risk assessment and related controls focus on all types of allowances paid through the payroll system. The plan identifies the following controls relevant to travel allowances:

• Delegation approval required; and
• Eligibility of leave and allowances are checked prior to processing.

3.10 The ANAO’s review of 73 part day travel and motor vehicle allowance payments identified 18 (25 per cent) payments for which Defence could not provide a valid travel approval — that is, a travel proposal document, signed by an appropriate delegate of the Secretary prior to travel.³⁷

Defence’s risk-based sampling for credit card transactions

3.11 As noted in Auditor-General Report No.33 2015–16 Defence’s Management of Credit and other Transaction Cards, independent review of credit card transactions is a strong detective control on credit card misuse, widely practised in organisations that use corporate credit cards. Awareness of processes for independent review of credit card expenditure may also have some deterrent benefit. In October 2016, Defence removed its requirement for the review and approval of all credit card transactions by someone other than the cardholder. In place of this control, Defence’s Finance Group introduced a credit card testing program.

3.12 In December 2016, Defence informed its Audit and Risk Committee that Defence had implemented ‘an ICT solution providing review of 100 per cent of Defence Credit Card Transactions’.³⁸ In fact, a September 2017 Defence internal audit report noted that the earliest iteration of this credit card transaction testing program was implemented in February 2017. Defence informed the ANAO that the program typically queries the transactions of around six cardholders per week (300 per year). As noted previously, as at January 2019, 15,383 Defence APS employees held a (Diners) DTC and 2,297 Defence APS employees also held a (Mastercard) DTC.

3.13 In December 2018, Defence Finance Group reported to the Enterprise Business Committee that the ‘Defence Credit Card sample testing program was updated from the beginning of the 2017–18 financial year to a new risk-weighted sample’ based methodology. The reported purpose of the program is to provide an estimate of the rate of non-compliance (Table 3.1 summarises key features of the program). Defence has not assessed whether the credit card sample testing program is effective in estimating the rate of non-compliance.

3.14 In September 2018, Defence Finance Group commenced a new compliance program to detect fraudulent cash credit card transactions. The primary catalyst for the program was one particular fraud incident that was reported to Defence’s Audit and Fraud Control Division in March 2018 by the individual’s work area.³⁹ Defence has identified some residual risks and issues in relation to credit card transactions that are not being sampled for potential fraud through Defence’s credit card testing activities. In May 2019 Defence informed the Defence Audit and Risk Committee that Defence Finance Group intends to examine these areas when resources allow, and that the credit card testing program is expected to evolve over time to address areas of emerging and ongoing risk.

Has Defence implemented appropriate and effective controls to ensure payment accuracy and the recipient’s eligibility for travel allowances claimed?

3.15 Preventative controls are intended to reduce the likelihood of Defence paying an unauthorised or incorrect allowance. Detective controls are intended to detect an unauthorised or incorrect allowance transaction after it occurs.⁴⁰ Defence has developed a number of preventative and detective controls relating to the payment of travel allowances to eligible employees.

Preventative controls

3.16 Defence’s primary preventative control is the use of travel budget calculators and associated forms to calculate allowances and record travel proposals and approvals. Travel budget calculators automatically calculate the amount of travel allowance payable and must be approved by an appropriate delegate of the Secretary before travel is booked.

3.17 The ANAO reviewed 296 Defence APS travel allowance transactions. Defence could not provide documented approval by an appropriate delegate of the Secretary for 63 (21 per cent) of these transactions.

3.18 APS employees’ knowledge of, and adherence to, Defence’s policies and processes for travel allowances is another preventative control. As discussed in paragraphs 2.17 to 2.35, Defence’s complex and fragmented collection of policies, procedures and tools, makes it difficult for Defence employees to access appropriate guidance, and there are inconsistencies in the guidance provided. Defence has not developed the simplified policy guidance recommended by the 2015 Review of Red Tape in Defence (see Appendix 4, recommendation 19).

3.19 Defence informed the ANAO that the following additional preventative controls are in place:

• The mandatory Fraud and Integrity Awareness training program that all Defence personnel are required to complete every two years. Defence reported that as of 23 August 2018, 87,199 Defence personnel (including Australian Defence Force, APS and Reservists or approximately 90 per cent of the Defence workforce) had been recorded as competent for the fraud and integrity awareness mandatory training. Defence informed the ANAO that as at 27 February 2019, 82,453 (84.4 per cent) Defence personnel had been recorded as competent.
• Default card expenditure limit of $10,000 per day.⁴¹
• Automatic Teller Machine (ATM) cash withdrawal limits of $1,000 per day; $3,000 per week; and $10,000 per month.⁴²
  • The ANAO identified 36 individual cash transactions over $1,000 withdrawn by APS employees from ATMs in the period 1 July 2016 to 30 June 2018.⁴³
• Cash withdrawal from over-the-counter outlets (for example, Travelex), limited to $10,000 per day.

3.20 Awareness of detective controls, which are discussed below, may also act as a preventative control by deterring personnel from committing fraud. Defence’s Financial Management Manual alerts employees to the existence of assurance and compliance activities conducted by the Defence Finance Group, and that cardholders may be required to provide documentation for review at any time.

Detective controls

Travel allowances accessed through the Defence Travel Card

3.21 Defence Finance Group conducts compliance activities on credit card transactions, which may include DTC transactions by APS employees (Table 3.1).

3.22 In May 2019, Defence informed its Audit and Risk Committee that:

• some residual risks and issues in relation to credit card transactions are not being sampled for potential fraud through Defence’s credit card testing activities;
• the value of credit card fraud cases has increased since the removal of the CMS supervisor acquittal process in late 2016 due to delays in detection and lack of sufficient management oversight in the control framework design (prior to late 2018); and
• it is expected that the credit card compliance activities will evolve over time to ensure that areas of emerging and ongoing risk are appropriately mitigated’.

Travel allowances accessed through the Financial Management Information System

3.23 Travel allowances accessed via the financial management information system represent a relatively small proportion of travel allowances (see Table 1.1). They may be examined through internal audits or other management initiated reviews. However, there is no specific program of regular targeted testing of these payments.

Travel allowances accessed through the payroll system

3.24 Travel allowances accessed via the payroll system also represent a relatively small proportion of travel allowances paid to APS employees (see Table 1.1). Requests for part day travel allowance are processed by the traveller through a self-service function that requires manager approval. Requests for payment of motor vehicle allowance are submitted via email to Defence’s pay centre. Defence informed the ANAO that authority for the payment must be provided before processing. Defence could not provide an appropriate travel approval for 19 (26 per cent) out of 73 sample travel allowance transactions reviewed by the ANAO, which were paid through Defence’s payroll system (see Table 3.2).

ANAO testing

Defence travel allowance transaction testing

3.25 As part of this audit, the ANAO reviewed a sample of travel allowances paid to APS employees to assess their compliance with relevant legislation, policies and procedures. The ANAO requested Defence records to support the payment of 332 randomly selected travel allowance transactions across the three payment types for the period 1 July 2016 to 30 June 2018. Thirty-six transactions were found to be unrelated to travel allowances and therefore removed from the sample. The ANAO tested the remaining 296 travel allowance transactions.

3.26 The purpose of the testing was to check each transaction for compliance with Defence’s travel approval process as described in paragraphs 2.12 to 2.14 and figures 2.1 and 2.2 of this audit report. Such testing would provide an indication of whether: preventative controls were effective in ensuring employees follow Defence’s processes, and whether detective controls detect non-compliance with those processes.

3.27 For each travel allowance transaction examined, the ANAO tested for a valid travel approval as this is required for all travel allowances claims.⁴⁴ Table 3.2 details the results of the ANAO’s testing.

Table 3.2: Travel allowance compliance 1 July 2016 to 30 June 2018

Source: ANAO analysis of Defence data.⁴⁵

3.28 Defence was unable to provide evidence that the necessary approvals had been obtained for 21 per cent of the transactions reviewed. The testing indicates that Defence travel allowances are not being managed in accordance with the approval requirements of Defence’s Accountability Authority Instructions or Financial Delegations Manual.

Defence credit card transaction testing

3.29 As a result of the findings in Auditor-General Report No. 33 of 2015–16, and concerns expressed by the Parliament’s Foreign Affairs, Defence and Trade References Committee in May 2017⁴⁶, the ANAO expanded its testing of credit card transactions as part of its audit of Defence’s financial statements, and made a number of observations, including:

• in 2016–17, five out of 31 (16 per cent) of the sampled transactions were found to be in breach of section 23 of the PGPA Act and Defence’s Travel & Purchasing Policy;
• in 2017–18, seven out of 67 (10 per cent) of the sampled transactions were found to be in breach of section 23 of the PGPA Act and Defence’s Travel & Purchasing Policy; and⁴⁷
• in 2018–19, eight out of 26 (30 per cent) of the sampled transactions did not have sufficient documentation to support the payment.⁴⁸

Has Defence implemented relevant review and audit recommendations?

Review of Red Tape in Defence (2015)

3.30 In 2015, Defence engaged a consultant to examine ways to streamline and improve routine transactions, including travel. This need had been identified in the First Principles Review of Defence. The resulting report, Review of Red Tape in Defence (August 2015), made 42 recommendations, 20 of which related to Defence’s administration of travel. The Secretary agreed to implement these 20 recommendations in September 2015.

3.31 The 20 recommendations were divided into two sets:

• set 1 (recommendations 1 to 10) related to the implementation of a fully integrated and automated electronic travel management system; and
• set 2 (recommendations 11 to 20) were to be implemented immediately to improve the existing system in the interim.

3.32 On 12 December 2018, Defence reported to the Defence Enterprise Business Committee that it had completed ten recommendations: five recommendations from set 1 and five from set 2. The ANAO assessed that, of the 10 recommendations reported as completed, five have not yet been implemented. (See Appendix 4 for the status of recommendations).

Defence’s implementation of the Travel and Expense Management project

3.33 The Review of Red Tape in Defence concluded that Defence travel processes were overly complicated, labour intensive and paper-based rather than electronic. It recommended Defence move to an automated travel processing system that:

• is fully integrated electronically with all relevant parts of the organisation and the travel contractor;
• uses the DTC as the sole payment mechanism; and
• is supported by a strong audit system to ensure compliance.

3.34 Defence chose Concur (a SAP-owned system) to deliver on this recommendation, which is the foundation for implementing many of the other travel related recommendations in the review.⁴⁹ The system is known as the Travel and Expense Management system.

3.35 In October 2016, Defence’s Chief Information Officer Group developed a draft business case for the implementation of the Travel and Expense Management project, which identified a target implementation date of 30 June 2017. On 20 December 2016, the Minister for Defence approved funding of $11.9 million (including $2.3 million contingency) for the acquisition of the system, with initial travel capability to be implemented by January 2017. The Minister’s approval indicates that the acquisition of the proposed solution was expected to:

• meet the travel and expense management recommendations contained in the Review of Red Tape in Defence; and
• address the issues identified in Auditor-General Report No. 33 2015–16, Defence’s Management of Credit and other Transaction Cards (May 2016).

3.36 In December 2018, the completion date for the project was scheduled as 7 November 2019. By February 2019, the completion date had slipped to 6 April 2020, three years later than originally envisaged and reported to the Minister for Defence.

3.37 In December 2018, Estate and Infrastructure Group provided a largely positive report to the Enterprise Business Committee, stating that:

• the project had spent $6.718 million of the $9.615 million budget⁵⁰;
• due to project delays, $4.046 million in subscription fees were yet to be paid;
• performance issues had largely been resolved;
• testing had confirmed the system was working on Defence’s network;
• the schedule would be re-baselined to reflect project delays; and
• a detailed evaluation of the project would be undertaken in early 2019 leading to recommendations on the way forward.

3.38 On 5 March 2019 Defence’s Chief Information Officer, Chief Finance Officer, and Deputy Secretary Estate and Infrastructure agreed to ‘pause’ the project due to ‘performance issues’, ‘security concerns’ and a ‘low confidence of success.’ On 12 June 2019, Defence provided the ANAO with advice confirming that: ‘following testing, this project has now ceased.’ No alternative system has been proposed at this time to implement the Review of Red Tape in Defence recommendations.

3.39 Defence advised the ANAO that verbal updates about the project had been provided to the Enterprise Business Committee in January, February, March and April 2019. Outcomes recorded by the Committee referred to schedule delays, complexity and challenges being discussed on 16 January and 6 March 2019. On 16 April 2019, verbal advice to the Committee referred to the progress of negotiations to cancel the project.

Defence’s Compliance Review of Card Management System Controls (September 2017)

3.40 Until October 2016, Defence’s card management system supervisors were responsible for checking and approving all transactions for the credit card holders under their supervision.

3.41 Recommendation 5 of the Review of Red Tape in Defence was to enable electronic self-acquittal of travel except where significant changes to the approved itinerary or costs had occurred. This recommendation was to be implemented as part of a fully integrated electronic travel management system and in conjunction with nine other recommendations, including an enhanced system of random audits.

3.42 Defence removed its requirement for the card management system supervisor to review and approve all credit card transactions in October 2016⁵¹, without implementing the accompanying recommendations.

3.43 In September 2017, an internal audit of credit card system controls found that Defence’s decision to remove the card management supervisor acquittal function in October 2016 was not supported by an adequate risk assessment. The report stated that:

Without an adequate risk assessment around the removal of the acquittal role, it is difficult to provide assurance that the risks mitigated by this role are still being [appropriately] mitigated post the removal.

Prior to the removal of the CMS supervisor acquittal function, the CMS supervisor was a main referral source for fraudulent and non-compliant transactions.⁵²

3.44 The internal audit made four recommendations and two suggestions. Defence Finance Group initially rejected the recommendations but later agreed to them in August 2018 and implemented additional credit card compliance activities in September and December 2018 (see Table 3.1).⁵³

3.45 In May 2019, Defence’s Quarterly Fraud Control Report, presented to the Defence Audit and Risk Committee, stated that:

• An increase in the value of credit card fraud cases following the removal of the CMS supervisor acquittal process in late 2016 has been identified.
• The value of this fraud is assessed as larger than traditionally experienced by Defence and post case analysis revealed an unreasonable delay in detection enabling the fraud to continue over a long period of time.
• Whilst the number of credit card fraud incidents remains the same, the number of cases with higher values has increased. Cases have increased to tens of thousands of dollars due primarily to delayed detection and a lack of sufficient management oversight in the control framework design (prior to late 2018) and exacerbated in some cases through local area practices.

Auditor-General Report No. 33 2015–16, Defence’s Management of Credit and other Transaction Cards (May 2016)

3.46 Auditor-General Report No.33 2015–16, Defence’s Management of Credit and other Transaction Cards concluded that Defence did not have a complete and effective set of controls to manage the use of credit and other transaction cards. The ANAO made two recommendations to improve Defence’s management of its credit cards, and to provide assurance that the control arrangements for credit cards are working as intended.⁵⁴

3.47 Following the presentation of the report in May 2016, Defence prepared a management action plan for the implementation of each of the ANAO recommendations. The plan noted that the actions required to implement Recommendations No. 1 and 2 were completed in January 2016 and March 2016 respectively.⁵⁵ Defence’s Audit and Fraud Control Division subsequently closed each recommendation in Defence’s Audit Recommendations Management System.

3.48 Boxes 1 and 2 below summarise the ANAO’s assessment of implementation activities. In summary, the ANAO assessed that Recommendation 1 has been partially implemented and Recommendation 2 has been progressively implemented since July 2017.

Does Defence provide assurance through internal and external reporting?

Internal management reporting

3.49 Defence does not provide consolidated reports on total travel allowance expenditure.⁵⁶ Defence makes travel allowance payments through three separate systems and does not clearly identify travel allowance payments in the payment systems (see Appendix 3). For example, in December 2018, a brief to the Secretary of Defence and the Chief of the Defence Force requested agreement to changes to motor vehicle allowances. The brief noted that an analysis and projected savings report, which Defence Finance Group had previously been tasked with providing, could not be provided because vehicle allowance expenditure is captured on separate systems across Defence and is often aggregated with other travel allowance payments.

Enterprise level assurance reporting

3.50 Defence prepares a number of reports to provide assurance to senior leadership and the audit committee about the administration of travel allowances:

• Defence Finance Group provides a quarterly financial compliance report to Defence’s Enterprise Business Committee. The report summarises the outcomes of the Group’s compliance activities.⁵⁷
• Defence Audit and Fraud Control Division provides quarterly updates to the Defence Audit and Risk Committee (DARC) about incidents (including fraud) reported to the Division. The reports include incident statistics such as the numbers of reported incidents, outcomes of selected Defence investigations, and the total value of fraud losses and recoveries across Defence.⁵⁸

3.51 This performance audit identified a number of instances where Defence reports to senior committees overstated the progress of activities intended to improve the administration of travel and credit cards. For example:

• Reporting to the Enterprise Business Committee in March 2019 did not reflect the high risk ratings attributed to the use of credit cards in Defence as reported in Defence Finance Group’s March 2018 Enterprise Wide Defence Credit Cards Fraud Risk Assessment (see paragraph 3.3).
• In December 2016, Defence advised the Defence Audit and Risk Committee that it had implemented a credit card transaction testing program. A Defence Internal Audit noted that the earliest iteration of that program was implemented in February 2017 (see paragraph 3.12).
• On 12 December 2018, reporting to the Enterprise Business Committee about the Travel and Expense Management project was largely positive, advising that previously reported performance issues had largely been resolved. On 5 March 2019 Defence’s Chief Information Officer, Chief Finance Officer, and Deputy Secretary Estate and Infrastructure agreed to ‘pause’ the project due to ‘performance issues’ and ‘security concerns’ and a ‘low confidence of success’ (see paragraphs 3.37 to 3.39). Defence subsequently ceased the project.
• Defence advised senior committees that agreed audit and review recommendations were complete. The ANAO has assessed that the recommendations had not yet been fully implemented at the time the advice was given (see paragraphs 3.32 and 3.48).

External reporting

3.52 The majority of Defence’s travel allowances are accessed through the DTC and included as part of broad expenditure reporting under the travel component of supplier expenses in Defence’s Annual Report.⁵⁹ Travel allowances paid through the payroll system are included as part of ‘other allowances’ in Defence’s Annual Report.⁶⁰ Travel allowances paid through the financial information and management system are reported according to the General Ledger account code supplied with the transaction.

3.53 As required by the Public Governance, Performance and Accountability Rule 2014, Defence’s 2016–17 and 2017–18 Annual Reports included a certification from the accountable authority that the Department had complied with the minimum standards for managing risk and incidents of fraud as set out in the Rule.

Appendix 1 Department of Defence response

Appendix 2 Defence APS domestic travel allowance rates 1 July 2016 to 30 June 2018

Table A.1: Defence APS domestic travel allowance rates 1 July 2016 to 30 June 2018

Note a: Allowance rates for Defence APS employees are varied from time to time. Variations occur through determinations made under the Defence Enterprise Agreement (for APS employees), and the Remuneration Tribunal for the Secretary of Defence.

The decisions to set and vary travel allowances for meals and incidentals take into account information on reasonable rates for domestic travel allowances as provided under the Australian Public Service Commission subscription service. Rates for these allowances vary depending on the salary level of the individual and the travel destination. Rates reported in this table are those applicable for domestic travel up to 21 days duration.

Each year the Australian Taxation Office publishes, in the form of Taxation Determinations, the amounts it considers reasonable amounts for travel allowance expenses. Taxation Determinations on reasonable travel allowance amounts are available from https://www.ato.gov.au/Business/PAYG-withholding/Payments-you-need-to-withhold-from/Payments-to-employees/Allowances-and-reimbursements/Travel-allowances/

Source: ANAO from Department of Defence documents.

Appendix 3 Criteria and method for identifying travel allowances paid to Defence’s Australian Public Service employees.

Limitations of Defence travel allowance data

1. Defence does not maintain a single source of travel allowance approvals.

2. Travel allowance General Ledger (GL) codes do not distinguish between allowances paid to APS and Australian Defence Force personnel.

3. Defence accounts for travel across a number of GL accounts depending on the purpose of travel and the nature of the expense.

4. The ANAO (with Defence’s assistance), constructed an approximate population of travel allowance payment transactions from:

1. Defence’s card management system (Defence Travel Card transactions);
2. Defence’s payroll system; and
3. Defence’s financial management information system.

Identifying travel allowance transactions from Defence systems

Defence card management system

5. Defence provided an extract of Defence Travel Card transactions associated with APS cardholders for the period 1 July 2016 to 30 June 2018.

6. The ANAO identified:

1. All cash withdrawals — as these are predominately related to meals and incidentals.
2. Non-cash transactions assigned to a GL code that included ‘allow’ in the GL code description field.

7. Resulting data set comprised 126,783 transactions totalling $38,929,015.

8. The ANAO subsequently found that the data set contained duplicate non-cash transactions. Duplication occurred when a transaction was coded to multiple GL accounts. For example, a transaction for $100, which included $25 for travel allowance and $75 for accommodation, would appear in the data set as 2 separate transactions for $100 against each GL account.⁶¹

9. The ANAO removed non-cash transactions from the data set.

10. Revised data set comprised 114,209 transactions totalling $34 million.

Defence payroll system

11. Defence provided an extract of motor vehicle allowance and part day travel allowance transactions made to APS employees for the period 1 July 2016 to 30 June 2018.

12. Resulting data set comprised 8,944 transactions totalling $1.09 million.

Defence financial management and information system

13. Defence provided an extract of payments to APS employees for the period 1 July 2016 to 30 June 2018.

14. ANAO identified travel allowances by GL account code.

15. Resulting data set comprised 452 transactions totalling $293,598.

Identifying a random sample of transactions for testing

16. The three data sets were treated as separate populations for the purposes of selecting an audit sample. The initial sample population comprised:

Table A.2: Initial sample population data sets

17. Supporting records for 332 samples, requested from Defence on 21 December 2018, were provided between 25 January 2019 and 5 June 2019.

18. Subsequently, non-cash CMS transactions, and a number of transactions for which supporting records had been received that were not travel related, were excluded. The revised sample population comprised:

Table A.3: Revised sample population data sets

Use of the sample to form a conclusion

19. Sample sizes were originally calculated based on an expected non-compliance rate of five per cent for allowances paid through the Defence payroll system and the Defence financial management and information system, and 15 per cent for allowances paid through the Defence Travel Card. The expected rate of non-compliance was based on testing by the ANAO in its audit of Defence’s 2017–18 financial statements. The actual rate of non-compliance for the samples tested was much higher than the expected rate, meaning that a much larger sample size would have been required to form a suitably precise conclusion on the level of non-compliance in the entire population. The ANAO determined not to expand the sample size as it was not necessary to meet the audit objective. Therefore, the sample results used in this report cannot be extrapolated to the entire population. However, the results of the testing conducted, in combination with other audit evidence obtained, provides suitable evidence of the existence of material non-compliance with relevant legislation, policy and procedure.⁶² This approach has been adopted in this report and results reported within the sample group should only be interpreted as individual examples of non-compliance.

Appendix 4 Defence’s reported progress against recommendations from the Review of Red Tape in Defence (2015) related to Defence’s administration of travel