Managing Security Issues in Procurement and Contracting
Summary
Background
Australian Government agencies have a responsibility to protect the resources they manage on behalf of all Australians. These resources are considerable. For example, in 2005–06 the general government sector [1] held assets worth $206 billion. [2] Australian Government agencies also generate and hold extensive information relating to their activities, which they need to safeguard for privacy, commercial, and other reasons.
Protective security describes the policies and practices used by an agency to protect its resources, including the official information it generates and receives. A sound protective security environment is an important element in the management of an agency's human, information and physical resources. [3] The Protective Security Manual (PSM) is the main source of protective security policies, principles and responsibilities for Australian Government agencies. The PSM provides guidance on the policies and practices important in the development of an effective protective security function. It also prescribes the minimum protective security standards for Australian Government agencies to maintain.
Contracting is an integral part of the way Australian Government agencies conduct business. In 2005–06, Australian Government agencies entered into around 48 000 contracts worth $14.8 billion to provide a variety of business and administrative services across the range of activities. [4] Given the large number of contractors providing services to Australian Government agencies, and the extensiveness of their access to these agencies' assets and information, it is important that agencies manage security risks associated with the use of contractors.
When engaging in procurement and contracting activities, Australian Government agencies must act in accordance with the policy framework contained in the Commonwealth Procurement Guidelines (CPGs). Additionally, they must adhere to the legislative requirements and standards encompassed in a range of Australian Government general policies. Protective security is one of these general policies, [5] and the PSM is the source of further guidance. The PSM specifies, in Part F, that Australian Government agencies are responsible for managing security issues and risks, including the risk of unauthorised access to, or the loss of, security classified information, involved in the use of contractors.
For the purposes of this audit, procurement refers to agencies' efforts to arrange for the purchase of services, up to and including the point of signing a contract. Contracting refers to the delivery of these services by the provider, subsequent to their appointment. As such:
- procurement incorporates: planning the purchase; approaching the market; evaluating tender responses; and executing the contract (including establishing security requirements in the contract); and
- contracting incorporates: providing security training to contractors; managing the contractors' performance, including their adherence to relevant security requirements; and the mechanisms used to identify, report and record the details of any security breaches by contractors.
Audit approach
The objective of this audit was to evaluate whether selected Australian Government agencies were effectively managing security risks arising from the use of contractors. To address this objective, the audit evaluated relevant policies and practices in the audited agencies against a series of minimum requirements in the management of security issues in procurement and contracting activity. These minimum requirements were developed from the guidance and standards contained in the PSM and also from the ANAO's previous protective security audits.
The audit focused on two broad types of contracting arrangements: contracting of security functions; and contracting of any service or business function that requires, or which has the potential to require, contractors to access sensitive or security classified information.
The following Australian Government agencies were involved in this audit:
- Australian Customs Service (Customs);
- Commonwealth Superannuation Administration (ComSuper);
- Department of Finance and Administration (Finance); and
- Department of Foreign Affairs and Trade (DFAT).
In addition, the Attorney-General's Department, which is responsible for the maintenance of the PSM and for providing advice on contemporary protective security policies and practices, was consulted during the audit.
Audit conclusion
Overall, the ANAO concluded that the audited agencies were effectively managing security risks during the procurement phase when contracting-out security functions or functions that may require contractors to access sensitive information. However, the audit identified scope to improve the management of security risks once contractors had been appointed.
While the audited agencies typically could have improved the guidance given to staff about addressing security risks in procurement, they nevertheless generally gave adequate consideration to security risks when planning procurements, approaching the market and executing contracts, and, to a lesser extent, when evaluating tenders.
The audited agencies generally provided adequate security awareness training programmes for new contractors. Overall, however, they could have improved processes and practices to: ensure that appointed contractors attended security training; monitor contractors' adherence to security requirements in contracts; and reassess security risks in contracts when circumstances changed substantially, or when contracts were extended significantly beyond their original life.
The ANAO found that at the four audited agencies, there was a record of only one recent security breach involving a contract examined during the audit. While this suggests that contractors may have largely adhered to security requirements, the ANAO notes that security breaches are sometimes not reported. In this regard, one of the audited agencies did not have a system to effectively monitor and report such incidents.
There was considerable variation between the agencies in the extent to which they adhered to the minimum requirements for the management of security risks in procurement and contracting examined as part of this audit. The ANAO assessed one of the agencies as meeting virtually all of these requirements, two agencies as meeting most of these requirements, but the remaining agency as meeting few of these minimum requirements.
Amongst the audited agencies, the ANAO identified several practices that it considered to be good examples of managing security risks and issues involved in procurement and contracting activity. These practices included:
- one agency included a reference to its security policy on managing security risks in procurement activity in its procurement and contracting policy material;
- one agency included guidance notes in its model Request for Tender template to assist staff develop the security requirements and obligations to be imposed on prospective contractors;
- one agency required staff and contractors to acknowledge, in writing, their security responsibilities every year;
- two agencies had induction activities in individual work-areas to supplement agency-wide security awareness training programmes;
- two agencies required all staff and contractors to attend security awareness refresher training;
- one agency included details of attendance at security awareness training in reports to its executive; and
- at two agencies, contractors were required to submit regular reports on progress or performance against security-related obligations, and did so.
Key Findings
Managing security issues in procurement
Policies and guidance material
Each of the audited agencies had promulgated a number of detailed procurement and contract-related policies and guidance material. In each case, this information included references to applicable legislation, regulations, and other relevant aspects of the Australian Government procurement policy framework (such as the CPGs). Generally, however, these procurement and contract-related policy documents contained only a limited amount of information on managing security issues and risks.
Three of the audited agencies did, however, include information on managing security issues and risks involved with procurement and contracting activities in their security policies. Of these, the ANAO considered that only one agency had properly addressed the scope of the PSM regarding the management of security issues in procurement and contracting activity.
Model tender and contract templates
Each of the audited agencies had developed model Request for Tender and contract templates and had made these available to staff involved in the engagement of contractors.
Three of the audited agencies' tendering templates contained details of, and obliged respondents to adhere to, applicable security requirements. For the most part, the audited agencies' model contract templates designed for use in the more-complex and higher-risk procurements contained clauses consistent with most of the requirements of the PSM (Part F—Security Framework for Procurement).
Procurement planning
At three of the audited agencies, nearly all of the procurement planning documentation examined contained an assessment of security issues relevant to the proposed procurement. In most cases, the assessments related to whether the contractor(s) would, or may, require access to security classified information, and also considered the attendant security clearance requirements. At the remaining agency, while procurement planning documentation considered a range of pertinent business risks, it did not specifically identify, or assess, security risks.
Approaching the market
Across the audited agencies, most of the Request for Tender or equivalent documentation examined during the audit contained references to the security requirements relevant to the proposed engagement. Typically, this documentation included a reference to the agency's security policies or instructions, and highlighted that the contractor would, or may, require access to security classified information and therefore would require a security clearance.
Evaluating tenders
The ANAO found that tender evaluation processes had properly considered the security requirements contained in documentation provided to the market in all but two of the 30 contracts examined in this part of the audit. In the two exceptions, the agencies relied solely on assurances from prospective contractors that security requirements had been met. The ANAO considered, in both of these cases, that the agencies should have confirmed through review, or otherwise obtained positive assurance at the time of evaluation, that the security requirements had been properly met.
At three of the audited agencies the ANAO found that a member of the agency's protective security team had been involved, or consulted, in many of the tender evaluation processes examined. In the other cases examined at these agencies, the ANAO considered the staff involved in the evaluation process demonstrated a good understanding of the pertinent security issues and requirements. At the fourth agency, there was no evidence that tender evaluation processes had involved a person(s) with knowledge of protective security issues or standards.
Content of contracts
Overall, most of the contracts examined addressed most of the relevant requirements contained in the PSM. For example, all but one of the contracts reviewed were found to contain details of the security requirements relevant to the services being contracted-out. In addition, most of the contracts examined also stated that these security requirements could be amended during the life of the contract.
Despite the reasonably comprehensive coverage of security requirements in most of the contracts examined, around half of the contracts examined did not:
- contain a clause(s) dealing with the risk of access to the agency's information through a third-party interest; and
- explicitly identify a breach of security requirements as a reason to terminate the contract.
One of the reasons why many contracts examined did not contain these two clauses is likely to be that most of the audited agencies' model contract templates did not contain these clauses.
Managing security issues in contracting
Orientation and training
At three of the audited agencies, contractors were required to attend the agency's formal security awareness training for 'new starters'. However, one agency had only made it mandatory for new contractors to attend security awareness training in late 2006. At the remaining agency, although contractors were not required to attend the security awareness training provided to 'new starters', the agency advised the ANAO that they may have been given a security briefing at the time they commenced work.
Overall, the ANAO found that the audited agencies were delivering security awareness training programmes that addressed most of the key security issues. For example, the training at each agency: explained the reasons why security awareness was important; promoted an understanding of the agency's security policies; and provided clarity on attendant roles and responsibilities.
At the time of the audit, each of the audited agencies had a range of processes for identifying those staff and contractors required to attend security awareness training. Each of the audited agencies also maintained records of those staff and contractors attending security awareness training. However, testing of attendance records suggested that a significant number of contractors engaged under the contracts being examined may not have attended security awareness training.
Contract management
In three of the audited agencies, nearly all the contracts reviewed contained a clause(s) relating to the management of the contractor's performance. In the remaining agency, only four of the 13 contracts reviewed contained such a clause(s).
For the most part, contract management provisions in the contracts examined related to the provision of reports on, and the conduct of regular meetings about, the services being provided. Specifically, in relation to the management of security issues and requirements, the ANAO found that:
- several contracts at one agency listed penalties (other than terminating the contract) for the failure to meet security requirements;
- at one agency, all of the contracts provided that contractors must submit security reports and participate in security reviews, when requested to do so;
- several of the contracts examined at two agencies required the contractors to submit regular reports on security progress or performance; and
- six of the contracts examined at another agency required contractors to participate, at least annually, in reviews of the operation of security requirements.
Across the four audited agencies, the ANAO observed a variety of mechanisms to manage the performance of contractors. This included holding regular meetings, reviewing status reports, inspecting work and, in a few cases, monitoring results against service standards or key performance indicators. However, the use of such systematic mechanisms was not common or consistent.
The ANAO found, in only seven of the 43 contracts examined in this part of the audit, that agencies were systematically assessing security performance or measuring compliance with security requirements. Generally, the audited agencies indicated that security matters were only considered if, and when, matters arose. Some of the contract managers interviewed suggested they relied on the agency's broader security programs and policies to provide them assurance that security requirements were being complied with.
Review of security risks/requirements
While each of the audited agencies required risk assessments to be undertaken to support spending proposals related to contract extensions, none specifically addressed, in relevant policy documents, the need to consider security issues during such assessments. In addition, none of the agencies had policies requiring security risks to be reviewed when there had been a change in a contract's circumstances that was likely to affect those risks.
Fourteen of the contracts examined had either been extended beyond their original term, or the services being provided had been affected by a significant change in circumstances. The ANAO found, in only half of these cases, that the decision to extend or continue the contractual arrangement was supported by a re-assessment of the security risks and requirements involved.
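The audit tests summarised in these findings (contracts missing the third-party access and termination-on-breach clauses, contractors with no security awareness training attendance record, and extensions or substantially changed circumstances with no recorded security reassessment) can be run routinely by a contract manager against a contract register rather than once per audit. The following Python is an example added by the editor; it is not ANAO or agency tooling. The record layout, the clause tags, the reassessment rule and the sample contracts and attendance log are all constructed for illustration.

```python
"""Contract security compliance checks (added example, not ANAO tooling).

Assumptions: a contract register records clause tags, the people engaged
under each contract, end dates and any security reassessment date; a
training log records each person's security awareness attendance date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Clause tags checked for each contract (modelled on the PSM Part F items the audit tested).
REQUIRED_CLAUSES: Set[str] = {
    "security_requirements",         # details of the security requirements for the services
    "requirements_may_be_amended",   # requirements can change over the life of the contract
    "third_party_access",            # risk of access to agency information via a third-party interest
    "terminate_on_security_breach",  # breach of security requirements is grounds for termination
    "report_security_incidents",     # contractor must advise the agency of security incidents
}


@dataclass
class Contract:
    contract_id: str
    original_end: date
    current_end: date
    contractors: List[str]            # people engaged under the contract
    clauses: Set[str]                 # clause tags present in the signed contract
    circumstances_changed: bool = False
    security_reassessed_on: Optional[date] = None


def missing_clauses(c: Contract) -> List[str]:
    """Required clause tags absent from the contract."""
    return sorted(REQUIRED_CLAUSES - c.clauses)


def untrained_contractors(c: Contract, attendance: Dict[str, date]) -> List[str]:
    """Contractors under this contract with no training attendance record at all."""
    return sorted(p for p in c.contractors if p not in attendance)


def reassessment_overdue(c: Contract) -> bool:
    """True when an extension or a substantial change should have triggered a fresh
    security risk assessment and none is recorded. A recorded date is taken at face
    value; whether the reassessment was adequate remains a manual review (assumption)."""
    extended = c.current_end > c.original_end
    return (extended or c.circumstances_changed) and c.security_reassessed_on is None


def assess(contracts: List[Contract], attendance: Dict[str, date]) -> Dict[str, Dict[str, object]]:
    """Findings keyed by contract id; contracts with no findings are omitted."""
    findings: Dict[str, Dict[str, object]] = {}
    for c in contracts:
        f: Dict[str, object] = {}
        missing = missing_clauses(c)
        if missing:
            f["missing_clauses"] = missing
        untrained = untrained_contractors(c, attendance)
        if untrained:
            f["untrained_contractors"] = untrained
        if reassessment_overdue(c):
            f["reassessment_overdue"] = True
        if f:
            findings[c.contract_id] = f
    return findings


# Constructed sample data: three contracts and a training attendance log.
SAMPLE_ATTENDANCE: Dict[str, date] = {
    "a.singh": date(2006, 3, 2),
    "c.okafor": date(2006, 5, 18),
    "d.liu": date(2005, 11, 9),
}
SAMPLE_CONTRACTS: List[Contract] = [
    # Complete clauses, everyone trained, not extended.
    Contract("CN-0001", date(2007, 6, 30), date(2007, 6, 30),
             ["a.singh", "c.okafor"], set(REQUIRED_CLAUSES)),
    # Extended two years with no reassessment, two clauses absent, one untrained contractor.
    Contract("CN-0002", date(2005, 12, 31), date(2007, 12, 31),
             ["b.nguyen", "c.okafor"],
             {"security_requirements", "requirements_may_be_amended", "report_security_incidents"}),
    # Circumstances changed, but a reassessment is on record.
    Contract("CN-0003", date(2006, 6, 30), date(2006, 6, 30),
             ["d.liu"], set(REQUIRED_CLAUSES),
             circumstances_changed=True, security_reassessed_on=date(2006, 2, 14)),
]

if __name__ == "__main__":
    for cid, f in assess(SAMPLE_CONTRACTS, SAMPLE_ATTENDANCE).items():
        print(cid, f)
```

Run against the sample register, only CN-0002 is reported, with both missing clauses, the untrained contractor and the overdue reassessment. In practice the contractor and attendance lists would be exported from the contract management and training systems, and the check scheduled so that a contract extension cannot be approved while it still has open findings.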
Security incidents
Most of the contracts reviewed during the audit contained a clause(s) requiring the contractor to advise the agency of any security incidents. Three of the audited agencies had agency-wide processes for identifying, reporting, recording and monitoring breaches of security and other security incidents. The fourth agency did not have a system for effectively capturing details of security incidents.
Recommendations
The report makes two recommendations designed to improve the management of security issues in procurement and contracting. These recommendations are based on the findings of the fieldwork at the audited agencies; however, the ANAO considers that they are relevant to all Australian Government agencies.
Agencies' comments
Each of the audited agencies, together with the Attorney-General's Department, agreed with the recommendations in this report. The agencies' responses to each of the recommendations are shown in the body of the report. Where provided, agencies' general comments are shown at Appendix 2.
Footnotes
[1] The general government sector comprises those Australian Government departments and agencies that provide non-market public services. They are predominantly funded through Parliamentary appropriations.
[2] Commonwealth of Australia, Consolidated Financial Statements for the year ended 30 June 2006, December 2006, p. 76.
[3] Attorney-General's Department, Protective Security Manual 2005, Commonwealth of Australia, p. A3.
[4] Extracted from AusTender—Contracts Reported. Viewed at <www.contracts.gov.au> on 17 April 2006.
[5] Department of Finance and Administration, Financial Management Guidance No. 10—Guidance on Complying with Legislation and Government Policy in Procurement, January 2005, p. 5.