Please direct enquiries relating to reports through our contact page.
The objective of the audit was to assess the effectiveness of the Department of Immigration and Border Protection's (DIBP’s) management of the Central Movement Alert List (CMAL) system, having particular regard to the recommendations contained in Audit Report No. 35 of 2008–09.
1. The Central Movement Alert List (CMAL) is an electronic watch list, containing information about individuals who pose either an immigration or national security concern to the Australian Government as well as information on lost, stolen or fraudulent travel documents. It is an integral part of Australia’s layered approach to border security, identifying people of concern prior to their arrival at the border. CMAL is managed by the Department of Immigration and Border Protection (DIBP).1
2. Australia’s universal visa system requires non-Australian citizens or permanent residents intending to enter or transit through Australia to obtain either a visa or an Electronic Travel Authority. All travellers entering Australia are therefore checked against CMAL, usually at several points along the travel pathway and generally at some distance from the physical border. CMAL information is also taken into account when DIBP assesses applications for Australian citizenship.
3. Passenger movements into and out of Australia are increasing annually: from approximately 17 million per annum in 2000–01 to almost 30 million in 2011–12. This number is expected to rise to 50 million per annum by 2020.2 DIBP will need to have the capability and capacity to meet the challenges presented by these expected demands.
4. CMAL comprises two databases, the Person Alert List (PAL) and the Document Alert List (DAL). The PAL database stores the biographical details of identities of concern and DAL is a list of lost, fraudulent or stolen travel documents.3 DIBP advised that, as at 30 November 2013 the CMAL database:
5. PAL records are categorised according to the reason for listing the identity—the alert reason code (ARC). There are 19 ARCs with each being categorised as high, medium or low risk. The national security ARC contains the largest single set of records and comprises approximately half the PAL database.
6. Using name matching software, the CMAL system queries its data holdings and identifies and presents potential or likely matches for Border Operations Centre (BOC) staff to assess. Potential match cases (amber status) are resolved by DIBP’s BOC match case analysts to be either red or green.4 When assessing visa or citizenship applications the DIBP decision maker must take this information into account before proceeding further.5
7. In addition to DIBP, there are several Australian government agencies with an interest in CMAL. These include the:
These agencies either directly list alerts, contribute information for the listing of alerts or, in the case of Customs, manage incoming passenger movements on behalf of DIBP.
8. DIBP’s management of CMAL is undertaken within the context of the system’s dual immigration and border security functions. Whole-of-government initiatives focused on the development of an integrated border security alert strategy are currently under consideration. The multi-agency Border Management Group (BMG)6, established in 2009 and chaired by Customs, is responsible for undertaking the detailed work required to implement, review and evaluate strategic border management planning activity, which may include CMAL. DIBP’s strategic management of CMAL can be expected to take into acount any whole-of-government strategies for the protection of Australia’s borders.
9. CMAL was introduced progressively in 2008 and 2009, replacing the previous decentralised Movement Alert List (MAL) system as the operational database.7 Successive reviews of MAL had judged it to be conceptually sound, but had also identified a number of operational and management deficiencies.8 The Wheen review, undertaken in 2003, in particular found that:
10. The Wheen review also identifed the future need for MAL to have the capability to incorporate new technologies, such as biometrics as valuable additions in the identification of people of concern.
11. The ANAO undertook a performance audit of the management of the MAL in 2008–09.9 This audit also confirmed that MAL was conceptually sound and that the Department had managed an extended period of growth in records. However, the lack of strategic or management planning for the database and the poor quality of the data contained within it, particularly its ‘completeness, quality and currency’, compromised the system’s effectiveness. MAL quality assurance and performance and management reporting arrangements were highlighted as requiring attention, as were the procedures governing the listing of Australian citizens on MAL. The ANAO made five recommendations (outlined in Appendix 2) to improve the administration of the MAL database.
12. Following the tabling of the audit report in May 2009, the Joint Committee of Public Accounts and Audit, (JCPAA), considered the report as part of its ongoing review of the Auditor-General’s reports. The JCPAA recommended that the department report back within six months identifying ‘instances where MAL had alerted its decision makers to information that has been the reason, or part of the reason, for decisions on visa and citizenship applications’. The department provided the JCPAA with information primarily relating to the 2009–10 financial year, that it considered demonstrated CMAL’s contribution to Australia’s border protection strategy at that particular point in time.10 The Committee also proposed that the department implement the ANAO recommendations in relation to the recording of Australian citizens on the system.11
13. The objective of the audit was to assess the effectiveness of DIBP’s management of the CMAL system, having particular regard to the recommendations contained in Audit Report No. 35 of 2008–09.
14. In order to form a conclusion against the audit objective, the ANAO examined the department’s:
15. CMAL is a key instrument used by DIBP to manage the entry into and presence in Australia of non-citizens who are of concern for immigration or border security reasons. CMAL information is taken into account when a person applies for a visa to come to Australia, to cross its borders, or applies for Australian citizenship. CMAL contains more than two million records and generates more than 300 000 match cases per month. While CMAL is managed by DIBP, the effectiveness of its operations is affected by, and is important to, the activities of other Australian Government agencies, particularly those concerned with border security, national security and law enforcement such as Customs, ASIO and the AFP respectively.
16. The ANAO’s 2008 audit and subsequent JCPAA review encouraged improvements to the administration of CMAL through recommendations relating to the management of the population of the database, data quality measurement and review, performance reporting, quality assurance mechanisms, and the development of policies and procedures for listing Australians on MAL. The audit also noted that DIBP had no strategic plan for managing CMAL.
17. CMAL works effectively at an operational processing level. Centralised data input has seen the overall data quality of CMAL improve, particularly for more recent records and around 92 per cent of records now meet DIBP’s minimum data standards. System updates have also delivered improved technical functionality and DIBP’s centralised data matching expertise, together with upgraded data matching rules, now provide a high degree of data matching accuracy. DIBP has also developed a close and effective relationship with its key external stakeholders, particularly ASIO and Customs.
18. However, DIBP’s strategic management arrangements for CMAL still require development. There has been no strategic planning undertaken to guide the future direction of CMAL nor is there a clearly stated strategic objective for CMAL. Whole-of-government discussions have taken place in recent years to develop an integrated border security alert capability, through the establishment of a National Targeting Centre, that will have ramifications for the operation of CMAL. DIBP also needs to consider how it will manage CMAL in the years ahead for its own immigration purposes. In particular, technological advances in biometrics now make identification of individuals less dependent on biodata and intelligence gathering.
19. While rules for alert reason category (ARC) ownership are set out in the CMAL PAM3, the ownership of CMAL data and consequential responsibility for data quality and integrity are unresolved issues. Addressing these issues, at both the data input stage and through the ongoing review of CMAL records, is important for the operational effectiveness and longer term sustainability of CMAL. Further, until DIBP develops cost effective arrangements to measure CMAL’s outcomes and its impact on visa and citizenship decisions, the department will not be in a position to report on the system’s outcomes and its contribution to Australia’s border security arrangements.
20. In addition, progress in implementing the recommendations in the 2008 audit report has been slow. Of the five recommendations from the 2008 audit, only two recommendations have been implemented. Arrangements for instances where Australian citizens may appear on CMAL (Recommendation 2) are now well managed and subject to regular review. Data quality has improved markedly and CMAL’s reliability and client service is regularly measured and reported (Recommendation 4).
21. The status of the recommendations which have not been implemented after more than four years is as follows:
22. Given the centrality of CMAL information, there is a compelling case for the department to provide a stronger focus on its strategic positioning, in particular CMAL data ownership and quality control and performance reporting. The ANAO has made four recommendations aimed at strengthening DIBP’s management of CMAL.
23. Strategic planning for CMAL requires DIBP to incorporate two distinct but related considerations: border security activity across government and immigration matters. Border protection is a significant priority for government and CMAL is currently a key feature of Australia’s approach. Such activities as the development of an integrated border security alert strategy, culminating in the establishment of a National Targeting Centre, which focuses on passenger risk assessment, will impact on CMAL operations. DIBP will need to be responsive to such whole-of-government initiatives and their potential impact as well as planning for the incorporation of technological advances to keep CMAL sustainable into the future.
24. To date, no strategic plan has been prepared to guide the management and development of CMAL in meeting its border security and immigration objectives. Such a plan would identify the primary purpose of the database and the operational, managerial and technological elements necessary to achieve that purpose. In developing a strategic plan for CMAL, DIBP will need to take into account both the system’s expected role in future whole-of-government border security arrangements as well as potential technological developments within DIBP, such as the greater use of biometric technologies.
25. The 2008 audit recommended that DIBP develop a plan to provide for the population, maintenance and review of the MAL database, to which DIBP agreed. The plan was aimed at improving data quality through:
26. The plan as recommended has not been produced. However, some elements of the intended plan appear in the CMAL PAM3, DIBP’s policy and procedures manual for staff.
27. The CMAL PAM3 sets out the categories of Alert Reason Codes (ARCs) as well as the policy guidance and operational rules for each ARC. ARC ownership is formally assigned to the relevant DIBP policy and operational area. ARC ownership includes responsibility for managing the alert records and maintaining the accuracy and currency of the listings. However, in practice, few ARC owners were aware of, or performed, all of their responsibilities.12 It was only during the audit that DIBP convened a forum for ARC owners so that members could gain a better understanding of their responsibilities and discuss issues of mutual concern with the CMAL systems areas. To meet the requirements of DIBP policies and the intent of the ANAO’s 2008 audit recommendation, particularly in relation to the quality of incoming proposed alerts and of existing data holdings, ARC owners should take a more active role in the management of their ARCs.
28. DIBP’s management and oversight of the implementation of the 2008 audit’s five recommendations was only partially effective. Initially, DIBP sought to establish a CMAL Audit Response Steering Group, but the group was not formally established and no meeting of the group took place. At various times, DIBP provided advice to its audit committee, to the ANAO and to the JCPAA, that the recommendations had been wholly or substantially implemented. However, this advice was overly positive.13
29. DIBP’s audit committee did not make sufficient inquiries to adequately validate management assertions about progress against the recommendations, before ceasing to monitor their implementation. DIBP has advised that its audit committee processes have been amended, with the implementation of a control framework for managing all ANAO recommendations in the future to test the business area’s statement that the implementation has been completed.
30. The 2008 audit found that the ‘completeness, quality and currency of MAL data had been an enduring problem for DIAC’, principally as a result of the ability for DIBP staff around the network to access MAL directly to propose new alerts and amend or update alert records. This widespread direct access made it difficult for the department to control data quality. Under CMAL arrangements, proposed alerts are submitted by DIBP staff via the Remote Input Function (RIF) and these are checked centrally by the BOC for compliance with minimum data standards (MDS) before listing. DIBP updated its MDS in mid‑2011, although data deficient14 alerts will still be listed if there is a business case to do so.
31. The ANAO’s analysis of the CMAL database showed that there has been an improvement in the quality of CMAL records since 2008–09. The department attributes this improvement to the revised MDS and centralised control over alert creation and amendment. ANAO testing showed that only 2.2 per cent of records did not meet the data standards applicable in 2008–0915, compared with 19.9 per cent of records as at July 2008. DIBP’s current MDS impose more stringent requirements than those required prior to September 2011.16
32. DIBP’s CMAL records are not subject to any systematic review process even though records may remain on CMAL for lengthy periods (up to 120 years). There are operational benefits in the department developing a review policy and systematic review program, to confirm or expire existing records17, and to upgrade data deficient records, so that they do not impede the efficient operation of CMAL or cause unnecessary inconvenience for travellers. Older records, which constitute around 80 per cent of all CMAL records, are more likely to be data deficient than records entered since 2011, when the revised standards were introduced. The implementation of an effective review strategy would also assist DIBP to better manage any risks associated with its ‘legacy’ records.
33. The 2008 audit found that there was a lack of performance information to demonstrate CMAL’s effectiveness in visa and citizenship decisions, and there was little management information on data quality, client service and system reliability. Despite CMAL’s significance to border security, DIBP still does not routinely collect performance information on the role CMAL plays in visa and citizenship decisions.
34. In 2010, DIBP undertook an exercise to assess CMAL’s effectiveness in the context of visa and citizenship applications, where it was possible to identify that CMAL information was a factor in the decision making process. This process was largely manual and resource intensive. The exercise identified that, between November 2008 and October 2010, 201 532 individual clients had been matched to an alert. In 78 per cent of these cases (156 520), the decision maker chose not to seek an override and declined the citizenship or visa outcome. In 22 per cent of cases (45 012), the decision maker chose to override the red status and continue the visa or citizenship application process.
35. This exercise provided helpful performance information about the extent to which CMAL information had been a factor in visa and citizenship decsions. However, it has not been repeated and, in the absence of any alternative arrangement, there is no information available to provide insights into CMAL’s current contribution to Australia’s border security arrangements. While recognising there is a cost associated with collecting such information, there would be benefit in DIBP building on this baseline data and investigating stream-lined and cost effective options for obtaining information about CMAL’s contribution to Australia’s border security. This information would assist DIBP to better advise the Government and Parliament and also provide a basis for more informed decision making in relation to CMAL. The ANAO notes that for some years DIBP has been attempting to develop its performance reporting capability through the department’s business intelligence data warehouse, but completion of the project has stalled. This capability, when completed, would enable DIBP to deliver targeted performance information.
36. DIBP currently reports some management information, principally through routine reports that focus on statistical information and particularly the accurate matching of clients to CMAL data. The monthly statistical report also provides data on incoming, completed and cancelled match cases, the breakdown of completed match cases and the count of true match cases. DIBP also investigates missed matches if and when they come to light. From January 2010 until February 2011, nine missed matches were detected and individually investigated, with reports going to the Secretary and the Director-General of ASIO.18 In all instances, the missed matches were the result of human error and changes were made to BOC procedures.
37. While there is a balance to be struck between the relative costs and benefits of preparing management information, DIBP could make greater use of CMAL’s existing capability to produce more insightful management reports to complement the current data analysis reports. For example, additional reports of potential benefit to management could include analysis of override data, which is where the decision maker, having checked CMAL, decides to proceed with the visa or citizenship application, notwithstanding the information contained in CMAL. The ANAO analysis of override data showed that low and medium risk ARCs were overridden more frequently than high risk ARC alerts, a finding indicative of a system working effectively. The override data also shows that some alerts have consistently high rates of overrides, suggesting that their ongoing inclusion in CMAL could warrant review by DIBP. For example, since 2011, alert matches for debts to the Commonwealth have been overridden by decision makers in over 55 per cent of cases.
38. DIBP has sought to integrate CMAL data into its corporate data warehouse19, to enhance its performance reporting capability. Integration involves a three stage process, with stage one, incorporation of CMAL data, having been completed in 2013. Notwithstanding early advice to Parliament that full integration would be complete by June 2010, stages two and three (integration with other DIBP warehouse data and the development of a new reporting capability respectively), are yet to be funded.
39. External and internal systems quality assurance mechanisms have been put in place for CMAL. A Memorandum of Understanding (MOU) between Customs and DIBP contains an Annex which includes formal system reporting requirements against key performance indicators (KPIs). These formal reports have been under development for several years. Whilst DIBP considers that the current monitoring and reporting arrangements are effective and any systems malfunctions are advised to DIBP within appropriate timeframes, management assurance would be enhanced by implementing the formal reporting arrangements.
40. Within DIBP, the principal systems monitoring mechanism is an Application Monitoring and Reporting Plan, produced monthly and comprising information on CMAL response times and availability of key service delivery webpages, such as adding a PAL or DAL record, assessing a match or searching for a MAL status, to CMAL users. The report provides internal stakeholders, including senior mangement, with performance reports on CMAL transactions against key performance indicators, particularly time responsiveness. Examination by the ANAO of performance reports from January to June 2013 inclusive showed that these reports provided assurance that CMAL is reliable and responsive to users.
41. DIBP’s major external stakeholders are Customs, ASIO, the AFP and DFAT. DIBP’s relationships with Customs and ASIO have been formalised in MOUs that set out the broad framework of the relationship.20 The department works closely with ASIO on issues concerned with national security and with Customs on issues concerned with incoming passenger processing. DIBP has formal and informal meetings on a regular basis with Customs and ASIO at strategic and operational levels. Both agencies expressed positive views about DIBP’s management of the respective relationships.
42. The department’s dealings with the AFP and DFAT are intermittent and focussed on specific ARC categories within the database, such as Interpol listings of serious criminals (AFP), United Nations travel sanctions, war crimes and weapons of mass destruction (DFAT). The department’s relationship with these two agencies is in the process of being formalised. The AFP has developed a User Agreement covering the Interpol rules, which is currently with DIBP for its consideration. Formal agreement negotiations are currently being conducted with DFAT.
43. Generally Australian citizens are free to enter and leave Australia at will. However, in 2008, there were 772 Australians listed on MAL. The 2008 audit found that ‘the policy on the inclusion of Australians on MAL was not currently coherent or complete’21 and recommended that DIBP clarify the circumstances under which an Australian citizen is listed on CMAL, update related policy and procedural guidelines and review its holdings of Australian citizens.
44. There are now clear guidelines in the CMAL PAM3 for listing Australian identities and documents on CMAL, as well as specific instructions in each ARC category, advising staff whether Australians can be listed under a specific ARC. Listings of Australians are confined to three ARCs only, national security, organised immigration malpractice and ‘surrender Australian travel document’.22 Further, the department conducts six monthly reviews of Australians on CMAL and by May 2013, the number of Australians listed on CMAL had reduced by 600, to 172.
45. There are also approximately 10 500 children listed on CMAL in all except one ARC.23 Listings of children arise for generally the same reasons that adults are listed, except for ARC08, child custody concerns. Some listings result from the fact that they are simply a member of a family. For example United Nations travel sanctions will apply to the whole family, and DIBP lists children where there is a debt to the Commonwealth but that debt may have been incurred by a parent. Just over 2 500 children are listed under health concerns and almost 3 000 children are listed under child custody concerns. In addition, 1 315 children are listed on CMAL for debts to the Commonwealth (ARC12).
46. In general, children listed on CMAL will remain on the system for extensive time periods, with only child custody records expiring at the age of 18 years. To manage the potential long-term client service impacts of listing children on CMAL, there would be benefit in DIBP clarifying the circumstances where it is appropriate to list children on CMAL and developing appropriate policy guidance.
47. DIBP provided the following summary comment to the audit report:
My department welcomes the audit as an opportunity to refine the performance of the Central Movement Alert List (CMAL) and further enhance the effectiveness of this vital layer of Australia's Border Security framework.
As part of the multi layered approach to Border Security, CMAL is an integral part of the department's visa and citizenship processing and the key mechanism for identifying potential travellers of concern including national security risks. It is a complex system which is well embedded into Immigration processes and, as identified in the audit, is effective for these operational purposes. The four recommendations are agreed.
48. DIBP’s full response is included at Appendix 1.
|
Recommendation No. 1 Paragraph 2.11 |
To strengthen the capacity of CMAL as a border security management tool, the ANAO recommends that the Department of Immigration and Border Protection develops a strategic plan to guide and manage the future direction of CMAL in both a departmental and whole-of-government context. DIBP response: Agreed |
|
Recommendation No. 2 Paragraph 2.38 |
To reinforce to Alert Reason Code owners their responsibility for CMAL data quality, the ANAO recommends that the relevant Alert Reason Code owner reviews proposals to:
DIBP response: Agreed |
|
Recommendation No. 3 Paragraph 3.25 |
To further improve the quality of CMAL alert records, the ANAO recommends that the Department of Immigration and Border Protection develops and implements a regular review program for CMAL records, on a risk management basis. DIBP response: Agreed |
|
Recommendation No. 4 Paragraph 4.21 |
To better demonstrate CMAL’s contribution to Australia’s border security arrangements, the ANAO recommends that the Department of Immigration and Border Protection investigates cost effective options for periodically identifying and reporting on those instances where CMAL data has been influential in visa and citizenship decisions. DIBP response: Agreed |
[1] The Department of Immigration and Citizenship (DIAC) became the Department of Immigration and Border Protection following the machinery of government changes in September 2013.
[2] DIAC, Annual Report 2011–12, p. 145.
[3] DAL documents can be either Australian or foreign documents. DFAT is notified of travel documents of concern by international partners and these may be listed on DAL.
[4] A CMAL green status means there is no information in CMAL which decision makers need to take into account in making their decsion to grant a visa or citizenship.
[5] A CMAL red status will not necessarily mean that entry to Australia or Australian citizenship will be denied; it is one piece of information considered by DIBP’s decision makers.
[6] The BMG has a membership of 12 border agencies, including DIBP.
[7] This report uses ‘CMAL’ to describe the current system and ‘MAL’ when talking about the database as it operated prior to the introduction of CMAL.
[8] Wheen D, Report of the Review of the Purpose, Architecture and Operation of the Movement Alert List (MAL), 12 August 2004. Similar findings were highlighted in by Sadleir D, Australia’s Entry Control Arrangements: A Review, January 1998 and Gerlach T, A Technical/Operational Review, April 2000.
[9] ANAO, Audit Report No. 35, 2008–09, Management of the Movement Alert List, 9 May 2009.
[10] DIBP, Executive Minute to JCPAA,Review of Auditor-General’s Reports tabled between February 2009 and September 2009.
[11] Joint Committee of Public Accounts and Audit, Report 417, Review of Auditor-General’s Reports tabled between February 2009 and September 2009. Parliamentary Paper 163 of 2010, tabled 22 June 2010.
[12] The ANAO conducted a survey of ARC owners to assess their level of engagement with CMAL. The responses to the survey showed that most ARC owners had limited awareness of their responsibilities as ARC owners and did not regularly engage with the CMAL system. Owners of high risk ARCs, such as ARC03, war crimes, were generally more closely engaged with their responsibilities than owners of low and medium risk ARCs.
[13] As previously noted the ANAO found that only two recommendations had been fully implemented, two partially implemented and one had not been implemented.
[14] ‘Data deficient’ alerts are those which do not meet the minimum data standards set out in the CMAL PAM3, but which are still listed because there is a degree of risk in not doing so. DIBP subsequently seeks to upgrade the data within the alert through intelligence gathering.
[15] Comparative data testing was undertaken on the copy of the database supplied as at November 2012. The 2008–09 audit undertook data testing as at July 2008.
[16] Based on records active in the database as at November 2012, 92 per cent of all records are compliant with the mandatory standards, and 80.0 per cent with ‘desirable’ standards. Desirable standards were introduced in 2011 and did not apply prior to that year.
[17] The removal of a redundant record from the database.
[18] No further missed matches were detected in the period between February 2011 and October 2013.
[19] The data warehouse, DIBP’s Business Intelligence Platform, is a data warehouse environment with the associated infrastructure and tools to facilitate the integration of data for management reporting.
[20] Detailed arrangements for the management of the IT relationship are contained within the IT annexes to the MOU.
[21] Op cit, p. 16.
[22] The ‘surrender Australian travel document’ is typically a relatively short term category, where Australians who have lost their passports or they have been stolen are listed until DFAT is able to update its passports system.
[23] This exception relates to the ARC covering the surrender of Australian travel documents. In many cases DIBP is bound by legislation or international treaties that do not separately distinguish children from their parents. For example, where the United Nations has imposed travel sanctions, the United Nations and DFAT will require the listing of the whole family, including children.