Procurement of My Health Record
Audit snapshot
Why did we do this audit?
- My Health Record (MHR) is a national public system. It aims to improve the availability and quality of health information, and the coordination and quality of health care.
- It is estimated that $2 billion has been invested in the MHR system.
- Procurement and contract management relating to large public-interfacing IT systems involve unique and elevated risks.
Key facts
- Approximately 23.8 million Australians have a My Health record.
- Accenture has been contracted as the National Infrastructure Operator (NIO) of MHR since June 2012.
- The Australian Digital Health Agency (ADHA) has been responsible for MHR since 2016.
- ADHA varied the NIO contract with Accenture eight times between 2018 and 2023.
What did we find?
- ADHA’s procurement and contract management of the MHR NIO contract has been partly effective.
- ADHA’s governance framework for procurement and contract management is largely fit for purpose.
- ADHA’s management of the NIO contract has been partly effective.
- ADHA has not conducted procurements of the MHR NIO effectively.
What did we recommend?
- There were 13 recommendations to ADHA. They related to management of risk, contract variations and records; review of contractor deliverables; assurance over system architecture documentation; procurement planning and decision-making; probity policies and practices; and AusTender reporting.
- ADHA agreed to 12 recommendations and agreed in principle to one recommendation.
- $699 m was added to the MHR NIO contract with Accenture through contract variations since 2012.
- 72% of ADHA expenditure on MHR national infrastructure service providers (2018–19 to 2022–23) was to Accenture.
- 55% of ADHA business area reviews of Accenture monthly operations reports were conducted in accordance with requirements in 2023.
Summary and recommendations
Background
1. My Health Record (MHR) is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.1 The My Health Records Act 2012 (MHR Act) states that the goals of MHR are to overcome fragmentation and improve the availability and quality of health information; reduce adverse medical events and the duplication of treatment; and improve the coordination and quality of health care provided by different healthcare providers.2
2. The Australian Digital Health Agency (ADHA) was established as a corporate Commonwealth entity in 2016, at which time it became MHR system operator.
3. MHR ‘national infrastructure’ is comprised of the IT systems and support enabling the flow of information in and out of the MHR system. The Department of Health and Aged Care and ADHA used IT supplier contracts to implement MHR national infrastructure. The largest contract is for the National Infrastructure Operator (NIO), which is responsible for operation, maintenance, support and integration of MHR national infrastructure.
4. The NIO contract was first executed with Accenture Australia Holdings Pty Ltd (Accenture) on 27 June 2012 for a total value of $47 million to 30 June 2014. As at February 2024, arrangements with Accenture totalled $746 million for MHR NIO services between 2012 and 2025.
Rationale for undertaking the audit
5. The Australian Digital Health Agency reports that approximately 23.8 million Australians had a My Health record as at March 2024.3 It is estimated that $2 billion has been invested in the My Health Record system.4
6. There has been parliamentary interest in government procurement.5 Procurement of large public IT systems can raise risks relating to obsolescence, security and interoperability. This audit provides assurance to the Australian Parliament about whether ADHA has effectively managed MHR procurement.
Audit objective and criteria
7. The objective of the audit was to assess the effectiveness of the Australian Digital Health Agency’s procurement and contract management of the My Health Record National Infrastructure Operator.
8. To form a conclusion against the objective, the ANAO adopted the following high-level criteria.
- Does ADHA have a fit-for-purpose governance framework for contract management and procurement?
- Has ADHA managed the My Health Record National Infrastructure Operator contracts effectively?
- Has ADHA conducted procurements of the My Health Record National Infrastructure Operator effectively?
Conclusion
9. ADHA’s procurement and contract management of the My Health Record National Infrastructure Operator has been partly effective. Effectiveness has been diminished by poor procurement planning and failure to observe core elements of the Commonwealth Procurement Rules.
10. ADHA’s governance framework for contract management and procurement is largely fit for purpose. There are policies and guidance for procurement and contract management, although probity guidance could be improved. Management and oversight arrangements for procurements and contract management are largely appropriate. Internal audit coverage of procurement has been limited.
11. ADHA’s management of the National Infrastructure Operator contract has been partly effective. The identification and assessment of commercial risk has been limited. The effectiveness of day-to-day administration of the contract is diminished by contract management planning that is not fully fit for purpose. Contract variations within the existing contract term have been made with insufficient assessment of risk, consideration of materiality and justification of value for money. The management of contract performance has not utilised all available levers under the contract.
12. ADHA has not conducted procurements of the National Infrastructure Operator contract effectively. ADHA’s planning and decisions about how to approach the market for the contract in 2019 and 2022 were deficient. For both sole source limited tender procurements, ADHA’s conduct of limited tender processes under Division 1 of the Commonwealth Procurement Rules (including demonstrating value for money, managing probity and public procurement reporting) was also deficient.
Supporting findings
Governance framework for procurement
13. ADHA provides procurement and contract management training to staff and has policies and guidance for procurement and contract management. Although there are policies and guidance, these are not always reviewed in accordance with requirements. There are policies relevant to managing conflicts of interest in procurement and contract management, although instructions are inconsistent across policy documents. There is a policy relevant to managing gifts and benefits which lacked specificity but has been improved. Chief Executive Officer (CEO) gifts and benefits declarations are not always timely. (See paragraphs 2.2 to 2.21)
14. Business areas are responsible for procurement and contract management and are supported by a central procurement area. The board approves contracts above a certain value threshold and delegates the power to enter into a contract to the CEO for other contracts. There are CEO authorisation instruments to allow officials to conduct procurements and enter into contracts. From April 2021 there was regular reporting to the board on complex and high-risk procurement. The internal audit program has considered contract management but has had limited coverage of procurement. An Audit and Risk Committee has included procurement issues in its reporting to the board but has not provided advice about the sufficiency of controls over procurement risks. (See paragraphs 2.23 to 2.30)
Contract management
15. In addition to a quarterly strategic risk assessment which includes consideration of My Health Record and the National Infrastructure Operator, risk assessments specifically related to ADHA’s commercial relationship with Accenture were conducted in 2016, 2019, 2020 and 2022. The quality of the risk assessments varied. Although a 2021 contract management plan assessed the overall risk for the National Infrastructure Operator contract as ‘medium’, it provided no information to justify this overall rating, no indication if this risk assessment exceeded its risk appetite, and no description of or treatments for specific risks. ADHA did not re-assess contract risk on five of the six occasions when the contract with Accenture was varied during an existing contract term between 2018 and February 2024. ADHA assessed risk on two occasions when the contract with Accenture was varied through a procurement, although the quality of risk assessment for one procurement was poor. The terms and conditions of the National Infrastructure Operator contract address a range of commercial and security risks. (See paragraphs 3.3 to 3.16)
16. The effectiveness of contract administration has been diminished by the following.
- There is a National Infrastructure Operator contract management plan. The plan has not been reviewed as required and does not contain some of the required information. There are no instructions to officials about how and when to assess contract risk.
- The National Infrastructure Operator contract with Accenture was amended eight times between January 2018 and February 2024 largely to fund My Health Record system enhancements, including six amendments (valued at $54 million) executed during the term of the existing contract. For the six contract amendments, ADHA did not document value for money considerations.
- ADHA did not review the contractor’s performance when it exercised an option to extend the contract.
- ADHA held strategic and operational meetings with the contractor, but these were not always at the specified frequency. Not all specified meeting types took place and some meeting types took place that were not specified.
- Officials managing the National Infrastructure Operator contract did not adhere to the ADHA’s records management policies. (See paragraphs 3.17 to 3.34)
17. Although there is evidence of ADHA conducting reviews and requiring some National Infrastructure Operator deliverables to be resubmitted, ADHA has not reviewed contract reporting deliverables as required. Contract and contract management plan provisions to support performance management have rarely or never been used (benchmarking, annual performance reviews and audits) or have not been used as planned (issues monitoring). A request for updated My Health Record system architecture in August 2019 in preparation for approaching the market for the National Infrastructure Operator in June 2020 coincided with the commencement of a dispute between ADHA and Accenture about system architecture documentation. The dispute was not resolved until March 2023. The practice of advance payment for services before delivery weakens ADHA’s leverage in managing performance. ADHA has invoked contract provisions that penalise the contractor for failing to meet certain service levels. (See paragraphs 3.36 to 3.59)
Procurement processes
18. Planning and approach to market processes for the 2019 and 2022 procurements of the National Infrastructure Operator were deficient.
- Procurement plans were not approved before procurement decisions were made.
- Risk associated with a direct source limited tender was not well assessed for the 2019 procurement but was assessed for the 2022 procurement.
- For the 2019 and 2022 procurements, ADHA justified not going to open market using limited tender conditions listed in the Commonwealth Procurement Rules, however there were weaknesses in how conditions were justified, approved, implemented and reported. In particular, the use of paragraph 10.3b of the CPRs (‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’) was inappropriate.
- In making procurement planning decisions, relevant information (including performance issues) was not appropriately considered by the decision-maker. (See paragraphs 4.3 to 4.36)
19. Cost and other factors, including Accenture’s experience as the National Infrastructure Operator, were considered in the decision to award a contract ‘extension’ to Accenture in 2019 and 2022. However, the accountable authority made the decision without fully considering Accenture’s performance history and ADHA did not document a clear value for money assessment for either procurement. Approvals were given by officials with appropriate authority and were appropriately documented. The approach to declaring potential conflicts of interest did not comply with ADHA policy and program-specific probity obligations were unclear. ADHA partly complied with AusTender reporting requirements. (See paragraphs 4.40 to 4.68)
Recommendations
20. This report makes 13 recommendations to ADHA.
Recommendation no. 1
Paragraph 3.11
Australian Digital Health Agency review risks associated with procurement and management of My Health Record.
Australian Digital Health Agency response: Agreed.
Recommendation no. 2
Paragraph 3.20
Australian Digital Health Agency update its National Infrastructure Operator contract management plan:
- annually, in accordance with review requirements;
- to provide sufficient guidance on key contract management elements such as termination and step-in, issues management and escalation;
- to incorporate guidance on key contract provisions such as dispute resolution, subcontracting, benchmarking and annual review of contractor performance; and
- to provide guidance and instructions to officials on how and when to identify, assess and manage National Infrastructure Operator contract risks.
Australian Digital Health Agency response: Agreed.
Recommendation no. 3
Paragraph 3.26
Australian Digital Health Agency ensure that:
- decisions to expend money through a contract variation document whether the variation represents a ‘minor’ change, and the value for money of the variation; and
- it reviews performance and deliverables prior to exercising a contract extension option.
Australian Digital Health Agency response: Agreed.
Recommendation no. 4
Paragraph 3.35
The Australian Digital Health Agency ensure that records created as part of the National Infrastructure Operator contract are stored in accordance with its information governance framework.
Australian Digital Health Agency response: Agreed.
Recommendation no. 5
Paragraph 3.46
The Australian Digital Health Agency document its approach to reviewing and reporting deliverables, put in place arrangements to ensure that it reviews National Infrastructure Operator contract reports and deliverables as required, and establish appropriate controls to provide assurance that reviews are occurring.
Australian Digital Health Agency response: Agreed.
Recommendation no. 6
Paragraph 3.50
The Australian Digital Health Agency ensure that National Infrastructure Operator contract arrangements that follow the expiry of the existing contract in June 2025 clearly specify the maintenance and provision of system architecture documentation and provide appropriate assurance arrangements for their timely provision.
Australian Digital Health Agency response: Agreed.
Recommendation no. 7
Paragraph 4.8
In anticipation of the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency:
- publish a procurement plan on AusTender that provides reasonable notice to the market about the expiry of the contract; and
- prepare and endorse an internal procurement plan.
Australian Digital Health Agency response: Agreed.
Recommendation no. 8
Paragraph 4.35
The Australian Digital Health Agency implement controls to ensure that, in making procurement decisions, relevant information (including legal advice, and any past and ongoing disputes and performance issues with a supplier) is incorporated into the value for money assessment.
Australian Digital Health Agency response: Agreed.
Recommendation no. 9
Paragraph 4.37
The Australian Digital Health Agency ensure limited tender processes do not commence before the limited tender procurement approach has been approved by the relevant decision-maker, including (if applicable) consideration by the decision-maker of the specific conditions justifying limited tender.
Australian Digital Health Agency response: Agreed.
Recommendation no. 10
Paragraph 4.38
For the procurement of a National Infrastructure Operator following the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency conduct an open tender in accordance with the Commonwealth Procurement Rules.
Australian Digital Health Agency response: Agreed in principle.
Recommendation no. 11
Paragraph 4.46
The Australian Digital Health Agency, in approving expenditure through a procurement, ensure that decisions are supported by a clear value for money assessment, which considers the financial and non-financial costs and benefits of the procurement.
Australian Digital Health Agency response: Agreed.
Recommendation no. 12
Paragraph 4.60
Australian Digital Health Agency:
- ensure program-specific probity frameworks are consistent with other agency policies; and
- establish assurance processes over the declaration of interests in procurements to ensure that positive declarations are made as required under Australian Digital Health Agency’s conflict of interest policy and National Infrastructure Modernisation probity framework.
Australian Digital Health Agency response: Agreed.
Recommendation no. 13
Paragraph 4.69
The Australian Digital Health Agency establish controls to ensure that:
- all contracts and contract variations are reported accurately on AusTender within the required timeframes; and
- in accordance with the Commonwealth Procurement Rules, for each contract awarded through limited tender, a written report is prepared that includes the value, a statement indicating the circumstance and conditions that justified the use of limited tender, and a demonstration of how the procurement represented value for money in the circumstances.
Australian Digital Health Agency response: Agreed.
Summary of entity response
21. The proposed audit report was provided to ADHA. ADHA’s summary response to the audit is provided below and its full response is at Appendix 1.
As the Report highlights, the My Health Record System (MHR) is a national public system supporting coordination and quality clinical decision making and provides health information for 23.7 million Australians where and when they need it.
MHR has been operating successfully for over a decade – delivering secure, reliable health information, with choice and privacy firmly in the hands of Australians. The Agency welcomes the key Report finding that governance frameworks and contract management approaches for MHR are largely fit for purpose.
During the pandemic, when Australian communities were at highest risk, MHR was upgraded to provide rapid access to COVID test results and vaccination certificates as part of the national effort to protect Australians and support freedom of movement. During this period system stability and reliability were priorities in procurement approaches taken.
The Agency accepts the ANAO’s recommendations on strengthening approval and review processes and record keeping across the procurement and contract management lifecycle and has significantly augmented these areas over the last three years. This includes successful complex IT infrastructure modernisation through competitive procurements that have reduced single vendor dependency. Further modernisation work is underway to deliver greater health information sharing and more connected care across the health system.
22. An extract of the proposed report was provided to Accenture Australia Holdings Pty Ltd. Accenture’s full response is provided at Appendix 1.
Key messages from this audit for all Australian Government entities
23. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Procurement
1. Background
Introduction
Australian Digital Health Agency
1.1 The Australian Digital Health Agency (ADHA) was established in January 2016 as a corporate Commonwealth entity under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 (the ADHA Rule). ADHA is responsible for supporting digital health initiatives including My Health Record, telehealth6 and electronic prescriptions.7 The functions of ADHA include to coordinate and implement a National Digital Health Strategy. On 22 February 2024 ADHA released the National Digital Health Strategy 2023–2028 to guide the development of digital health products and services.8
1.2 ADHA is jointly funded by the Australian Government and the states and territories. In 2023–24 ADHA’s expenditure was estimated to be $352 million. In the 2023–24 federal Budget ADHA received $413.3 million over two years for My Health Record (MHR) operations and initiatives and $325.7 million over four years for investment in ADHA’s capabilities. In the 2024–25 federal Budget a further $57.4 million was allocated to continue initiatives under the Health Delivery Modernisation Program9 and to update MHR. As at 30 June 2023 ADHA had 412 staff located in Brisbane, Sydney and Canberra.
1.3 The ADHA Rule establishes the ADHA board (the board) as the accountable authority and sets out the functions and powers of the board and Chief Executive Officer (CEO). The CEO is responsible for the day-to-day administration of ADHA and takes directions from the board.
My Health Record
1.4 My Health Record is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient. The MHR system was established by the Department of Health and Ageing in 2012.10 Section 3 of the My Health Records Act 2012 (MHR Act) states that the goals of MHR are to overcome fragmentation and improve the availability and quality of health information; reduce adverse medical events and the duplication of treatment; and improve the coordination and quality of health care provided by different healthcare providers. Consumers and healthcare providers can access and upload clinical and Medicare11 documents to MHR.12
1.5 As the MHR system operator since July 2016, ADHA is responsible for functions specified in section 15 of the MHR Act. These include maintaining a service that allows information in different repositories to be connected to registered health care recipients and facilitating the retrieval of such information when required. Auditor-General Report No. 13 2019–20 Implementation of the My Health Record System concluded that the implementation of MHR was largely effective and made five recommendations, all of which were agreed to by ADHA.13
1.6 From 2020 ADHA delivered a range of MHR-related measures to respond to the COVID-19 pandemic including: provision of pathology reports and results; access to an immunisation history statement and proof of immunisation; and a COVID-19 dashboard showing immunisation, medicines, allergies and adverse reactions. ADHA reported that as at March 2024 there were more than 23.8 million My Health records (of which 98 per cent contained data) and over 1.2 billion uploaded documents.14
1.7 The MHR ‘national infrastructure’ is comprised of the IT systems and supports enabling the flow of information in and out of the MHR system. These include an Application Programming Interface (API) gateway to integrate the different software used by healthcare providers and consumers to connect to the MHR system (Figure 1.1).
Note a: Other related service components include hosting services, maintenance and support, the National Authentication Service for Health, the Health Identifiers Service and the National Clinical Terminology Service.
Source: ANAO analysis.
Procurement of My Health Record
1.8 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Finance Minister issues the Commonwealth Procurement Rules (CPRs), which govern how entities buy goods and services. ADHA has been subject to the CPRs since 1 January 2018.15
1.9 The Department of Health and ADHA used IT supplier contracts to implement the MHR. The largest contract is for the National Infrastructure Operator (NIO). The NIO contract was first executed with Accenture Australia Holdings Pty Ltd (Accenture) on 27 June 2012 for a total value of $47 million to 30 June 2014.
- The 2012 contract was due to expire on 30 June 2014, with an option to extend for three further periods of two years each (that is, to 30 June 2020). In 2014, the Department of Health exercised the first extension option to 30 June 2016, increasing the contract value by $49 million. In 2015, the Department of Health exercised the second extension option to 30 June 2018, increasing the value by $87 million. In 2017, ADHA exercised the third extension option to 30 June 2020, increasing the value by $159 million. Between 2012 and 31 December 2017, an additional $164 million was added through 21 other contract variations under the existing term of the contract, bringing the total cumulative value of the contract to $506 million as at 31 December 2017.
- As the maximum aggregate term of eight years under the 2012 contract was due to conclude on 30 June 2020, ADHA undertook a procurement process in 2019. The 2019 procurement was awarded to Accenture through a direct source limited tender, and was implemented through an amendment to the 2012 contract. The 2019 amendment included an option to extend the 2012 contract for two periods of one year each (that is, to 30 June 2022). On exercising these options, $82 million16 was added to the contract, bringing the total cumulative value of the contract to $588 million.
- As the additional aggregate term of two years was due to conclude on 30 June 2022, ADHA undertook a second procurement process in 2022. The 2022 procurement was awarded to Accenture through a direct source limited tender, and was implemented through a further amendment to the 2012 NIO contract. The 2022 amendment included an additional term of three years (that is, to 30 June 2025), and added $105 million, bringing the total cumulative value of the contract to $693 million.
- Between January 2018 and 31 December 2023, ADHA varied the contract amount and conditions within the existing contract term on six other occasions. The net amount added to the contract totalled $53 million across the six variations, bringing the total cumulative value of the contract to $746 million.
1.10 The audit covers the management of contractual arrangements with Accenture from 1 January 2018 to 31 December 2023. Figure 1.2 shows NIO contract extensions and variations since 1 January 2018, as well as contracting to other vendors to provide some national infrastructure services from July 2021.
Source: ANAO analysis of NIO contracts.
1.11 In July 2019 ADHA commenced the National Infrastructure Modernisation (NIM) Program. Advice to the board stated the purpose of the NIM Program was to ‘manage the activities, timeframes and resourcing required to replace the NIO contract’ and to ‘oversee the delivery of the capabilities, solutions, engagement and operationalisation of modernisation of the infrastructure underpinning the MHR system’. The 2022 contract amendment with Accenture allowed for a ‘multi-vendor approach’ to the MHR NIO. In 2021 ADHA contracted vendors other than Accenture to provide some NIO services which were either previously provided by Accenture under the 2012 NIO contract or were new services (Table 1.1).17
1.12 Between 2018–19 and 2022–23, MHR national infrastructure-related expenditure totalled $408.2 million, of which $295.6 million (72 per cent) were paid to Accenture as the NIO.
| | Services | 2018–19 | 2019–20 | 2020–21 | 2021–22 | 2022–23 | Total |
|---|---|---|---|---|---|---|---|
| Accenture | NIO | 71.6 | 68.2 | 47.8 | 68.8 | 39.2 | 295.6 |
| Datacom Connect Pty Ltd (a) | Call centre | 28.1 | 4.5 | 5.5 | 14.0 | 11.9 | 64.0 |
| DXC Technology Australia Limited (b) | Cloud storage | – | – | – | 5.0 | 13.4 | 18.4 |
| Deloitte Consulting Pty Ltd (c) | API gateway | – | – | – | 2.9 | 13.6 | 16.5 |
| Chamonix IT Management Consulting (d) | My Health app | – | 2.2 | 3.0 | 4.6 | 3.8 | 13.7 |
| Total | | 99.7 | 74.9 | 56.3 | 95.3 | 82.0 | 408.2 |
Note a: AusTender contract notice CN3589159. Since 27 October 2023 Services Australia has provided call centre services under a separate contract with ADHA (CN4027950).
Note b: AusTender contract notice CN3843536.
Note c: AusTender contract notice CN3791712.
Note d: AusTender contract notice CN3827223. Expenditure in 2019–20 and 2020–21 relates to healthcare information provider service product development and support services.
Source: ANAO analysis of ADHA purchase orders.
Rationale for undertaking the audit
1.13 The Australian Digital Health Agency reports that approximately 23.8 million Australians had a My Health record as at March 2024.18 It is estimated that $2 billion has been invested in the My Health Record system.19
1.14 There has been parliamentary interest in government procurement.20 Procurement of large public IT systems can raise risks relating to obsolescence, security and interoperability. This audit provides assurance to the Australian Parliament about whether ADHA has effectively managed MHR procurement.
Audit approach
Audit objective, criteria and scope
1.15 The objective of the audit was to assess the effectiveness of the Australian Digital Health Agency’s procurement and contract management of the My Health Record National Infrastructure Operator.
1.16 To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria.
- Does ADHA have a fit-for-purpose governance framework for contract management and procurement?
- Has ADHA managed the My Health Record National Infrastructure Operator contracts effectively?
- Has ADHA conducted procurements of the My Health Record National Infrastructure Operator effectively?
1.17 The audit scope includes ADHA’s contract management and procurement processes for MHR NIO contracts with Accenture since 2019. The audit scope did not include the effectiveness of other MHR procurements or of MHR implementation more broadly.
Audit methodology
1.18 The audit methodology included:
- visits to ADHA offices and meetings with entity officials;
- meeting with Accenture;
- review of ADHA data, documentation, policies and procedures;
- review of AusTender records; and
- examination of Accenture reporting to ADHA.
1.19 The audit was open to public contributions. The ANAO did not receive any contributions.
1.20 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $759,400.
1.21 The team members for this audit were April Howley, Kai Swoboda, Thea Ingold, Callum Mann, Katiloka Ata, Bezza Wolba, Jade Koay, Ketan Doshi and Christine Chalmers.
2. Governance framework for procurement
Areas examined
This chapter examines whether the Australian Digital Health Agency (ADHA) has a fit-for-purpose governance framework for contract management and procurement.
Conclusion
ADHA’s governance framework for contract management and procurement is largely fit for purpose. There are policies and guidance for procurement and contract management, although probity guidance could be improved. Management and oversight arrangements for procurements and contract management are largely appropriate. Internal audit coverage of procurement has been limited.
Areas for improvement
The ANAO suggested three opportunities for improvement relating to ensuring directions with regard to probity in procurement guidance are consistent; improving policies and practice in relation to the declaration of gifts and benefits; and increasing internal audit coverage of procurement.
2.1 A sound governance framework helps ensure that procurements and contract management are undertaken effectively and ethically, achieving value for money outcomes. The Australian Government Contract Management Guide notes that contract governance includes systems and processes for decision making; and oversight arrangements and reporting.21
Are there fit-for-purpose procurement and contract management policies and guidance?
ADHA provides procurement and contract management training to staff and has policies and guidance for procurement and contract management. Although there are policies and guidance, these are not always reviewed in accordance with requirements. There are policies relevant to managing conflicts of interest in procurement and contract management, although instructions are inconsistent across policy documents. There is a policy relevant to managing gifts and benefits which lacked specificity but has been improved. CEO gifts and benefits declarations are not always timely.
Accountable Authority Instructions
2.2 Accountable Authority Instructions assist accountable authorities in meeting their general duties under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and establishing appropriate internal controls for their entity. The Department of Finance (Finance) provides guidance on Accountable Authority Instructions.22
2.3 Between June 2018 and April 2023, ADHA had five versions of Accountable Authority Instructions. The June 2018 and August 2018 Accountable Authority Instructions were approved by the Chief Executive Officer (CEO) instead of the accountable authority (the board). The April 2021, April 2022 and April 2023 Accountable Authority Instructions were approved by the Chair of the board.
2.4 The three versions of the Accountable Authority Instructions issued between April 2021 and April 2023 outlined the key duties and responsibilities of officials under the PGPA Act. The three versions state that officials must comply with the PGPA Act, Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) and Commonwealth Procurement Rules (CPRs).
Procurement and contract management policies and guidance
2.5 In May 2021 ADHA published procurement policies, guidance and templates on its intranet under the ‘BuyRight’ framework.23 The linked policies included: a procurement policy (approved on 2 August 2018 and revised on 13 December 2023); a procurement manual (September 2018)24; a procurement complaints handling policy and procedure (September 2020); and other specific procurement guidance (such as ‘How to develop performance measures’ (August 2022), and ‘How to achieve value for money’ (August 2022)). BuyRight guidance for contract managers outlined the steps involved in managing a contract including contract administration, roles and responsibilities, risk assessments and contract extensions. The coverage of ADHA’s contract management guidance is consistent with the Australian Government Contract Management Guide, except that it does not provide information about the legislative framework, using advisors and unintentional contract variations through conduct. In December 2021 ADHA developed a policy and procedure to manage administrative approvals, financial approvals and board reporting for medium to high-risk procurement and contracts.
2.6 The August 2018 procurement policy (to be reviewed by 31 May 2019), September 2018 manual (to be reviewed by 31 May 2019), September 2020 complaints handling policy and procedure (each to be reviewed by 20 September 2021), and December 2021 medium to high-risk procurement and contract management policy and procedure (to be reviewed by 1 December 2022) were not reviewed in accordance with review requirements, despite changes to the CPRs during the period. In December 2023 ADHA completed a review of policies which identified that 59 documents had not been reviewed in line with specified review dates.
2.7 ADHA’s contract management guidance provides that ‘generally’ a contract management plan should be developed for procurements over $10,000. A ‘contract classification guide’ (October 2019) assists ADHA staff to classify contracts to ‘identify a suitable level of contract management planning’. Contracts are classified as complex/strategic under this framework based on factors including value ($1 million or more), strategic importance to ADHA and nature of contract deliverables. A September 2023 internal audit report on contract management practices, which examined four contracts25, found that ‘interviewed contract managers generally demonstrated sufficient level of awareness of the Agency’s contract management requirements’ and made four recommendations to improve contract management governance, including to change the threshold for developing a contract management plan. ADHA agreed with the recommendations and intended to address them by March 2024. In May 2024 ADHA advised the ANAO that implementation was ongoing and recommendations would be completed between 30 May 2024 and 30 September 2024.
2.8 There are separate contract management plan templates for routine/transactional contracts and strategic/complex contracts. For contracts classified as strategic/complex, it is mandatory for staff to use the relevant contract management plan template. The strategic/complex template covers: delegates, roles and responsibilities, key stakeholders and stakeholder communication, conditions of the contract, subcontracting arrangements, payment conditions, deliverables, milestones, key performance indicators, performance monitoring, supplier’s obligations, compliance requirements, transition arrangements, reporting requirements, audit requirements, contract meetings, risk assessment and issues management, contract review, dispute resolution, contract termination and contract renewal or extension. The template states that, depending on the nature and complexity of the contract, a probity plan might be attached. The template does not cover conflict of interest arrangements.
2.9 In March 2022 ADHA developed the ‘Information Technology Support Management framework’ to support the move to a multi-vendor environment (see paragraph 3.29). The purpose of the framework was described as being to prioritise resources; empower staff; enhance service delivery, information sharing and collaboration ‘at the right levels’; facilitate monitoring and management of service level agreements; clarify roles and responsibilities between ADHA and service providers; and ensure timely escalation of issues and continuous improvement. The framework was updated five times between 2 March 2022 and 28 September 2023, including to reflect ‘audit findings’, with another review scheduled for December 2023. The review did not occur and in March 2024 ADHA advised the ANAO that the framework will be reviewed before December 2024.
Procurement and contract management training
2.10 ADHA’s procurement area provides non-mandatory training for staff on procurement and contract management. A training session was held for staff when the BuyRight system was introduced in May 2021, which 241 staff attended. In June 2023 the procurement area delivered contract management training, which was attended by 60 ADHA staff. ADHA provided evidence of staff attendance at other training sessions held in 2023 covering BuyRight, financial literacy and procurement.
Probity policies
Conflict of interest
2.11 The Australian Public Service (APS) Code of Conduct requires that APS employees take reasonable steps to avoid any real or apparent conflict of interest.26 Where conflicts cannot be avoided, the APS Code of Conduct, PGPA Act, and PGPA Rule require that employees must disclose details of any material personal interest.27 The APS Commission states that entities may choose to require written declarations of interest of employees at particular risk of conflict of interest, such as those involved in procurement.28 The CPRs state that officials undertaking a procurement must recognise and deal with actual, potential and perceived conflicts of interest.29 Finance guidance on ethics and probity in procurement states that:
Persons involved in the tender process, including contractors … should make a written declaration of any actual, potential or perceived conflicts of interests prior to taking part in the process. These persons should also have an ongoing obligation to disclose any conflicts that arise through until the completion of the tender process.30
2.12 Although ADHA’s procurement policy does not mention conflicts of interest, other procurement guidance addresses this.
- The procurement manual (which was in force between August 2018 and December 2023) required officials involved in procurement to recognise and deal with conflicts of interest. The procurement manual stated that where a conflict of interest was declared, the person’s manager would decide how it would be managed, which could include divesting the interest, removal from the procurement process or seeking manager approval to continue. The procurement manual did not indicate whether ‘nil’ declarations were required.
- As at February 2024 ADHA’s BuyRight framework (which replaced the guidance in the procurement manual from 13 December 2023) included procurement-specific conflict of interest obligations in two different tender evaluation plan templates. One of the templates does not clearly indicate whether ‘nil’ declarations are required from ADHA employees involved in the procurement.31
- Contract management guidance on BuyRight states that in setting up contract administration, any conflict of interest declarations are to be provided. It also states that reminders of these obligations are to be included in meeting agendas if appropriate. Similar information is not included in the strategic/complex contract management plan template.
2.13 ADHA has had a general conflict of interest policy since June 2019 that is accessible to staff on its intranet.32 Senior Executive Service (SES) officers must make a declaration (including of nil interests) on appointment, annually, and if there is any material change. Non-SES staff must make a declaration if aware of a ‘real, apparent or potential’ conflict. The conflict of interest policy specifically deals with procurements, noting that ‘The purchase and disposal of goods and services across the public sector, including managing tenders and contracts, is considered an area of high risk for conflict of interest situations.’ The conflict of interest policy states:
In all cases, the procurement manager, steering group or advisory committee responsible for the procurement must have a mechanism in place to ensure that conflicts of interests are declared by all involved with the project’s decision-making and assessment processes.
2.14 Tender evaluation panel members are required by the conflict of interest policy to declare conflicts to the tender evaluation panel chair. Furthermore, the conflict of interest policy states that a ‘Confidentiality, Privacy and Conflict of Interest Deed Poll’ must be completed and signed by all delegates, tender evaluation team members and advisors. The Deed Poll requires a ‘nil’ declaration (that is, the signatory must warrant that no conflict of interest exists or is likely to arise in the performance of work associated with the procurement, or to detail any potential conflicts). The conflict of interest policy specifies conflict of interest requirements for contractors and consultants.
Opportunity for improvement
2.15 ADHA could ensure that the procurement policy, procurement guidance, and contract management guide consistently address the risk of conflicts of interest, and are aligned to its conflict of interest policy, to ensure there are clear and consistent instructions for officials involved in a procurement about when and how to declare potential conflicts, including the requirement for a ‘nil’ declaration at the commencement of a procurement process.
2.16 The conflict of interest policy does not apply to ADHA’s board. The board’s conflict of interest requirements are set out in the board’s charter.33 Board members are required to make a declaration of interests upon their appointment and then annually, with declared interests and management plans recorded in a register. In addition to periodic declarations, board members are required to give notice to the chair of the board of an interest relating to a meeting agenda, which are to be recorded in the meeting minutes.
Gifts and benefits
2.17 The CPRs state that officials conducting procurements must act ethically throughout a procurement, including ‘by not accepting inappropriate gifts or hospitality’.34 Finance guidance states that: ‘officials must not accept hospitality, gifts or benefits from any potential suppliers’.35
2.18 The ADHA procurement manual in force until December 2023 stated that as a general rule, gifts or hospitality should be refused. The procurement policy did not refer to gifts and benefits until updated in December 2023. The BuyRight framework refers to gifts and benefits in the context of contract management, where it notes ‘the Contract Manager should avoid accepting gifts or benefits from the supplier, including substantial hospitality’.
2.19 ADHA has had a general gifts and benefits policy since June 2019.36 As at February 2024, personnel were required to ‘ensure no conflict of interest exists or could be perceived to exist from the acceptance of a gift or benefit’. The gifts and benefits policy (as at February 2024) required ADHA officials to declare all gifts which are not an ‘inconsequential gift or benefit’. The policy did not define ‘inconsequential’, did not specify a timeframe in which declarations should occur, and did not specify whether unaccepted gifts must be declared. The gifts and benefits policy did not include procurement-specific requirements but did reference the CPRs, and stated that a branch manager or division head can apply additional gifts and benefits requirements where a procurement is being undertaken or a contract being managed. ADHA updated the gifts and benefits policy in March 2024. In the updated version, the reference to ‘inconsequential’ gift or benefit has been removed and there is a requirement for publication and maintenance of a register of gifts and benefits accepted by the agency head or officials that are valued at more than $100. The March 2024 policy states that the register must be updated within 31 days of receiving a gift or benefit.
2.20 As at December 2023 ADHA’s internal gifts and benefits register contained a total of 40 entries. The first entry was dated September 2016 and the last entry was dated November 2023.
2.21 APSC guidance37 states that agency heads must update a public gifts and benefits register quarterly or within 31 days of receiving a gift or benefit, and include any ‘nil’ declaration on the register where they have not accepted any gifts during the reporting period. The APSC guidance required agencies to publish their first register by 31 January 2020.
- In accordance with APSC guidance, ADHA’s gifts and benefits policy requires a public register for gifts and benefits accepted by the CEO valued at more than $100 to be published on the ADHA website quarterly. The policy did not refer to the 31-day timeframe for declarations until amended in March 2024.
- As at 1 February 2024, the first register published by ADHA was for April–June 2020, and the last update was for July–September 2023.38
Opportunity for improvement
2.22 The Australian Digital Health Agency could:
Are there fit-for-purpose oversight arrangements for procurement and contract management?
Business areas are responsible for procurement and contract management and are supported by a central procurement area. The board approves contracts above a certain value threshold and delegates the power to enter into a contract to the CEO for other contracts. There are CEO authorisation instruments to allow officials to conduct procurements and enter into contracts. From April 2021 there was regular reporting to the board on complex and high-risk procurement. The internal audit program has considered contract management but has had limited coverage of procurement. An Audit and Risk Committee has included procurement issues in its reporting to the board but has not provided advice about the sufficiency of controls over procurement risks.
2.23 ADHA has a centralised area for procurement activity, the Procurement and Financial Governance section, with five staff. The section provides advice, training and support to business areas, which are responsible for procurement and contract management activities. For the My Health Record (MHR) National Infrastructure Operator (NIO) contract, the responsible business area is the Technology Planning and Delivery Branch. The August 2019 and June 2022 NIO procurements (see paragraph 1.9) were managed by this branch.
2.24 The ADHA board has delegated certain powers, including to enter into a contract through a procurement, to the CEO through a delegation instrument issued under section 17 of the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 (ADHA Rule). The delegation includes financial limits on the CEO’s power to enter into contracts without the board’s approval. The CEO can authorise officials to spend money and enter into contracts under section 53 of the ADHA Rule. Authorisation instruments were in place from March 2017.
2.25 Under section 18 of the ADHA Rule, the board consists of a Chair and at least six, and not more than 10, other members. The number of board members may fall below seven members for a period of not more than six months. Between November 2023 and 17 January 2024, the board was comprised of five members including the Chair. On 18 January 2024 and 26 February 2024, two new members were appointed, bringing the total number of members to seven as required under the ADHA Rule. As at February 2024 the board had experience across healthcare professions, health policy and management. The board has four advisory committees: Clinical and Technical; Jurisdictional; Consumer; and Privacy and Security.
2.26 The ADHA board must approve procurements above a certain value ($5 million as at February 2024). ADHA has had a policy since April 2021 requiring complex and high-risk procurements to be reported to the board every six months. These reports have been provided at the required frequency and include high-level updates on current contract status and procurement activity.
2.27 ADHA contracts out its internal audit function to Axiom Associates.39 Recent internal audits have covered contract management but not procurement. In the three years to 2023–24, contract management internal audits comprised: NIO operational practices and procedures (2021–22, see paragraph 3.4); the multi-vendor environment (2022–23); and contract management practices (2023–24).40 The Joint Committee of Public Accounts and Audit noted in August 2023 that especially where entities are engaging in significant or complex procurements, audit committees should provide increased scrutiny of these activities and consider the prioritisation of procurement in the entity’s program of internal audit.41
Opportunity for improvement
2.28 The Australian Digital Health Agency Audit and Risk Committee could consider periodically including procurement on its internal audit work program.
2.29 ADHA’s Audit and Risk Committee (ARC) has three members. The ARC met seven times in 2021–22, eight times in 2022–23 and four times between July and December 2023.42 During this period, the ARC considered reports on high risk and/or high value contracts and procurement at five meetings, prior to the submission of these reports to the board. The ARC considered the internal audit on NIO operational practices and procedures at its meeting on 16 March 2022 and the internal audit on contract management practices at its meeting on 15 November 2023. The ARC monitors the status of the implementation of internal audit recommendations. In November 2023 the ARC considered a report on the ‘Strategic Control Review Program’, which assessed the effectiveness of controls for contract management and procurement.43
- Contract management was assessed to be ‘largely effective’ based on the outcomes of the internal audit on contract management practices and a model assessing vendor performance to be implemented in September/October 2023.44
- Procurement was assessed as ‘partly effective’ based on the currency of the policy available to staff and the lack of second line assurance activities to ensure ADHA staff are complying with ADHA’s procurement policy and the CPRs.
2.30 Between 1 January 2018 and 30 December 2023 the ADHA board met 60 times and received an update from the ARC Chair at 27 of these meetings. The updates for eight meetings included commentary on procurement or contract management issues, including where the ARC had received briefings on an internal audit or sought more detailed advice from management on lessons learned from MHR-related procurement activity. The ARC endorsed two reports prepared for the board on high risk/high value contracts. In the period there was one specific reference to the NIO procurement for an April 2019 board meeting. The ARC did not report to the board on the adequacy of controls for procurement risks.
3. Contract management
Areas examined
This chapter examines whether the Australian Digital Health Agency’s (ADHA) management of the My Health Record (MHR) National Infrastructure Operator (NIO) contract has been effective.
Conclusion
ADHA’s management of the National Infrastructure Operator contract has been partly effective. The identification and assessment of commercial risk has been limited. The effectiveness of day-to-day administration of the contract is diminished by contract management planning that is not fully fit for purpose. Contract variations within the existing contract term have been made with insufficient assessment of risk, consideration of materiality and justification of value for money. The management of contract performance has not utilised all available levers under the contract.
Areas for improvement
The ANAO made six recommendations relating to reviewing procurement and contract management risks; developing a fit-for-purpose NIO contract management plan; improving decision-making on contract variations and the exercise of extension options; improving records management; consistently reviewing contract deliverables; and ensuring system architecture documentation obligations are clearly specified. The ANAO also suggested that ADHA include expenditure reconciliations when seeking approvals to expend and commit funds; clarify guidance on contractor meetings; and update the NIO contract management plan to reflect the current organisational structure.
3.1 The Commonwealth Procurement Rules (CPRs) state that contract management is important in achieving the objectives of a procurement.45 The Department of Finance (Finance) states that good contract management is an essential component in achieving value for money. Finance defines contract management as: ‘all the activities undertaken by an entity, after the contract has been signed or commenced, to manage the performance of the contract (including any corrective action) and to achieve the agreed outcomes’.46 Contract management includes: day-to-day contract administration (including records management); and performance management (measuring, monitoring, and assessing against agreed performance measures and deliverables to enable early warning of, and response to, performance issues).47 The CPRs require entities to consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract.48
3.2 The 2012 NIO contract with Accenture Australia Holdings Pty Ltd (Accenture) (see paragraph 1.9) included general terms and conditions, a statement of requirement, performance standards, charges and payments, and 12 schedules covering additional requirements.
Is there effective identification and assessment of National Infrastructure Operator contract risk?
In addition to a quarterly strategic risk assessment which includes consideration of My Health Record and the National Infrastructure Operator, risk assessments specifically related to ADHA’s commercial relationship with Accenture were conducted in 2016, 2019, 2020 and 2022. The quality of the risk assessments varied. Although a 2021 contract management plan assessed the overall risk for the National Infrastructure Operator contract as ‘medium’, it provided no information to justify this overall rating, no indication if this risk assessment exceeded its risk appetite, and no description of or treatments for specific risks. ADHA did not re-assess contract risk on five of the six occasions when the contract with Accenture was varied during an existing contract term between 2018 and February 2024. ADHA assessed risk on two occasions when the contract with Accenture was varied through a procurement, although the quality of risk assessment for one procurement was poor. The terms and conditions of the National Infrastructure Operator contract address a range of commercial and security risks.
3.3 ADHA’s risk management framework requires risk assessments to be undertaken when conducting ‘significant procurement activities’. Since September 2023, ADHA’s risk management toolkit incorporates examples of how to assess procurement risks and establish appropriate controls including through contract management.
3.4 A February 2022 internal audit report (see paragraph 2.27) found that ‘while basic elements of the NIO contract are being effectively managed, they are not adequate, given the scale and complexity of the NIO contract, and the ongoing allocation of key contract deliverables to new vendors’. Of the report’s three recommendations, two related to risk management: assess and document risk-based assurance processes that are coordinated across ADHA to gain independent assurance over key contract deliverables and emerging risks for the NIO contract; and enhance processes to specifically assess, control and treat shared risks within a multi-vendor environment.
3.5 ADHA first conducted a risk assessment relating to the commercial arrangement with Accenture in July 2016 when the contract was novated to ADHA from the Department of Health. The ‘Initial Risk Profile’ used a templated risk tool to determine the level of risk associated with the contract. This found that elements of the contract were potentially high risk including the value, complexity, technology and reputational consequences. The ‘supplier’ element was rated as low risk because ‘there are multiple suppliers in the marketplace with the required skills and experience’. The risk assessment template required content to be added for high-risk elements, including to indicate that ADHA’s central procurement and contract management area had been consulted, the central procurement area’s comments, further identified risks, and actions to be undertaken to address the risks. None of these fields were completed.
3.6 ADHA has assessed strategic risks each quarter since April 2018. Strategic risk assessments are reviewed by the board, the Audit and Risk Committee and the Senior Executive Committee, which supports the CEO.49 The strategic risk assessments establish risk owners, sources and consequences for each strategic risk, likelihood, controls and residual risks. From December 2022, ADHA identified four strategic risks: design, data, delivery and agency. MHR and the NIO were considered at a high level in the analysis of strategic risks.
- Operational risks associated with MHR expansion were considered in the strategic risk register from 2019.
- Aligning NIO risk management practice with ADHA frameworks was identified as a risk treatment in the strategic risk report considered by the board in June 2020.
- An ‘Operational Contracting and Procurement Risk Assessment’ (also called an ‘NIO Risk, Issue and Dependency Register’) was completed in September 2020 by ADHA’s central procurement area and included in ADHA’s broader strategic risk register. Listed risks (of which there were 32, including nine ‘very high’ to ‘extreme’) were operational in nature, with treatments and controls primarily relating to technical IT system features. The register was not updated after October 2020.
- ADHA and NIO security operations teams monitoring the security of MHR was identified as a risk treatment in the strategic risk report considered by the board in July 2021.
- Unsuccessful negotiation of an NIO extension beyond June 2022 was identified as a risk in the strategic risk report considered by the board in April 2022.
3.7 Between 2018 and 2023, five of the six variations (under the existing contract term) to the conditions and value of the 2012 NIO contract with Accenture (as described in paragraph 1.9 and Figure 1.2) did not incorporate any analysis of contract risk. Advice to the ADHA CEO for the variation executed on 12 June 2019 included a risk management plan. The plan identified seven risks, each of which had a likelihood, consequence and risk rating and treatment. There were five ‘medium’ and two ‘medium to high’ risks. Proposed treatments included contract terms, exercise of contract terms (such as the termination of advance prepayments and use of audits), management procedures, stakeholder communications, monitoring and reporting.
3.8 The ADHA board considered risks when approving 2019 and 2022 limited tender procurements to ‘extend’ the contract with Accenture (see paragraph 1.9). In relation to the 2019 procurement, the board considered a limited risk assessment on 6 December 2018 and 20 June 2019. A more thorough risk assessment was conducted for the 2022 procurement (see paragraphs 4.10 to 4.12 for a discussion of these risk assessments).
3.9 A June 2021 contract management plan noted that the overall residual risk rating for the NIO contract was ‘medium’. Reference was made to the July 2016 ‘Initial Risk Profile’ and the September 2020 ‘Operational Contracting and Procurement Risk Assessment’, however no further risk analysis was completed and no justification was provided for the overall ‘medium’ risk rating.
3.10 The NIO contract management plan notes that the contractor (Accenture) is required to deliver a ‘Contract Risk and Issue Management Tool’, which defines the approach the contractor uses to identify risks that may impact on MHR national infrastructure operations, maintenance and support. The contract management plan states that the tool is required to be reviewed annually. Since the novation of the contract to ADHA in 2016, the tool has been provided by the contractor and updated largely as required. The Accenture risk management plan states that ADHA is responsible for reviewing the identified risks and proposed strategies to manage the risks. ADHA has not reviewed the risks and treatments as required by the NIO contract management plan.
Recommendation no.1
3.11 Australian Digital Health Agency review risks associated with procurement and management of My Health Record.
Australian Digital Health Agency response: Agreed.
3.12 The Australian Government Contract Management Guide states that contract managers should consider all aspects of the contract to assess risk exposure, and provides a list of common sources of contract risk.50 The ANAO examined the most recent version (as at February 2024) of the NIO contract against a selection of risk sources. The contract variation executed in June 2022 included a range of provisions to manage risks (see Appendix 3).
National Infrastructure Operator security risk management
3.13 Auditor-General Report No. 13 2019–20 Implementation of the My Health Record System found that ADHA had largely appropriate systems to manage cyber security risks to the MHR core infrastructure, except that its management of shared cyber security risks and oversight processes should be improved.51 The report included five recommendations (all agreed by ADHA) to improve risk management and education, including two relevant to the NIO.52 ADHA’s Audit and Risk Committee closed the recommendations on 30 September 2021.
3.14 The Protective Security Policy Framework (PSPF) sets out the Australian Government’s protective security policy.53 The PSPF is generally not mandatory for corporate Commonwealth entities, however the Intergovernmental Agreement on National Digital Health 2018–2022 required ADHA to comply with the Australian Government’s security and design standards, which include the PSPF.54 The CPRs, which apply to ADHA as a prescribed entity (see paragraph 1.8), state that ‘[r]elevant entities should consider and manage their procurement security risk, including in relation to cyber security risk, in accordance with the Australian Government’s [PSPF]’.55 This requirement is included in the ADHA’s Agency Security Plan, dated 5 July 2022.
3.15 The PSPF comprises five principles, and 16 core policies across four outcomes (security governance, information security, personnel security and physical security). The first outcome of security governance includes seven of the 16 policies: the role of the accountable authority (policy 1), management structures and responsibilities (policy 2), security planning and risk management (policy 3), security maturity monitoring (policy 4), reporting on security (policy 5), security governance for contracted goods and service providers (policy 6) and security governance for internal sharing (policy 7).
3.16 This audit did not examine ADHA’s compliance with the PSPF overall, or with the whole outcome of security governance, but did examine ADHA’s compliance with two elements of policy 6, as policy 6 is specifically focused on procured goods and services. The core requirement (B.1) of Policy 6 is that: ‘Each entity is accountable for the security risks arising from procuring goods and services and must ensure contracted providers comply with relevant PSPF requirements’.56 The ANAO examined compliance with two supporting requirements (B.2) of Policy 6: consideration of security risks in procurement activities and consideration of security risks in contract terms (Table 3.1). The ANAO did not examine the other Policy 6 supporting requirements as they were either beyond the scope of this audit or not relevant, namely: 3(a) (ensuring that security controls included in the contract are implemented, operated and maintained by the contracted provider and associated subcontractor); 3(b) (management of any changes to the provision of goods or services, and reassessment of security risks); and 4 (implementation of appropriate security arrangements at completion or termination of a contract).
| PSPF Policy 6 supporting requirement | ANAO assessment of compliance | Rating |
|---|---|---|
| Supporting requirement 1. Assessing and managing security risks of procurement. When procuring goods or services, entities must put in place proportionate protective security measures by identifying and documenting: | Many ADHA documents outline security risks and mitigations as they relate to the NIO, including the Operational Contracting and Procurement Risk Assessment developed in 2020 (discussed at paragraph 3.9), Accenture’s regularly updated Risk and Issue Management Plan (discussed at paragraph 3.10) and other Accenture deliverables, such as the Security Risk Management Plan and the System Security Plan. ADHA is rated as partly compliant with Policy 6 supporting requirement 1 because the security risks of procurement were not specifically and explicitly identified in procurement planning and advice for the two NIO procurements conducted between 2019 and 2022. ADHA did not discuss security risks as part of advice to the board in June 2019 when recommending the extension of the Accenture contract. Security risks were not considered in the procurement plan established for the 2019 procurement. ADHA identified and proposed mitigations for risks to MHR operations (including service continuity and reliability) in advice to the ADHA board in March 2022 when again recommending the extension of the Accenture contract, however this assessment did not cover security risks. While the ADHA board and Audit and Risk Committee were provided with regular strategic risk assessments and advice about the ADHA’s security risk posture and security activities (including three MHR-related Information Security Registered Assessor Program assessments conducted in 2019, 2021 and 2022), there is no evidence as to how these activities were taken into account in the 2019 and 2022 NIO procurements. ADHA advised the ANAO in March 2024 that ‘[ADHA’s] Procurement team is required to refer all procurement proposals for ICT services or IT products, including software as a service, through Cyber Security Branch (CSB) to ensure that a cyber risk assessment is completed prior to engaging new service partners’. Accenture, as an existing service provider, was not subject to these arrangements in the 2019 and 2022 procurements. ADHA advised the ANAO in May 2024 that: ‘Although these risk assessments were not specifically conducted for each contract variation, the ongoing operational nature of the engagement and the existing contractual terms had already identified the risks and had controls in place to manage them.’ | ▲ |
| Supporting requirement 2. Establishing protective security terms and conditions in contracts. Entities must ensure that contracts for goods and services include relevant security terms and conditions for the provider to: | The contract includes a provision that Accenture comply with ADHA security procedures and requirements and specifies compliance by the contractor and its personnel with the Commonwealth Data Protection Protocol, the PSPF and the Information Security Manual. The contract provides that the ADHA may notify the contractor about the level of security or access clearance required for the contractor’s personnel. The contract includes that the provision of equipment by the contractor must comply with applicable Australian or New Zealand standards or, if required, applicable international standards. (a) | ◆ |
| | The contract provides that the contractor is ‘responsible for the pro-active, ongoing monitoring of the National Infrastructure, in order to detect potential and/or actual security breaches’. There is a requirement for monthly security reporting on the ongoing management of security and identification of security risks, threats and incidents, which forms part of service levels. The contractor is required to develop an ‘operations plan’ which includes security management training; release management and upgrade planning; risk management plan that covers security risk management planning and mitigation; and business continuity and disaster recovery planning. | |
| | The contract requires the contractor to ‘work closely and collaboratively with all other Providers in the effective operation of the My Health Record System’ and participate in meetings. An ‘Escalation Process’ is a contract deliverable, and this describes the escalation process followed in the case of incidents which are being managed by the contractor including the categorisation of security incidents. The contract includes provisions that require the contractor to perform the services ‘in accordance with any directions given by the Digital Health Agency from time to time, provided those directions are not inconsistent with the Contract’. | |
Key: ◆ Compliant ▲ Partly compliant ■ Non-compliant.
Note a: The Australian Signals Directorate (ASD) performs evaluations for products used to protect data classified as SECRET and TOP SECRET. For an organisation seeking to procure evaluated products, the Common Criteria’s Certified Products List contains a list of products that have been evaluated, certified and recognised. The ASD Guidelines for Evaluated Products recommend that high assurance evaluations be sought from the Australian Signals Directorate for the provision of equipment used to protect SECRET data and the Common Criteria’s Certified Products List is considered when ensuring the integrity and authenticity of applications and ICT equipment provided by the contractor. See ASD, Guidelines for evaluated products, available at https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-evaluated-products [viewed 10 February 2024]. The contract does not address high assurance evaluations. The ADHA advised the ANAO in February 2024 that as the ADHA’s data was rated to a maximum of ‘protected’, this was not relevant to the contract.
Source: PSPF Policy 6 and ANAO analysis of ADHA documentation, including the latest variation of the NIO Accenture contract as at February 2024, which is to 30 June 2025.
Has the National Infrastructure Operator contract been administered effectively?
The effectiveness of contract administration has been diminished by the following.
- There is a National Infrastructure Operator contract management plan. The plan has not been reviewed as required and does not contain some of the required information. There are no instructions to officials about how and when to assess contract risk.
- The National Infrastructure Operator contract with Accenture was amended eight times between January 2018 and February 2024 largely to fund My Health Record system enhancements, including six amendments (valued at $54 million) executed during the term of the existing contract. For the six contract amendments, ADHA did not document value for money considerations.
- ADHA did not review the contractor’s performance when it exercised an option to extend the contract.
- ADHA held strategic and operational meetings with the contractor, but these were not always at the specified frequency. Not all specified meeting types took place and some meeting types took place that were not specified.
- Officials managing the National Infrastructure Operator contract did not adhere to the ADHA’s records management policies.
Contract management planning
3.17 A contract management plan for the NIO contract was first established in 2016 and last amended in June 2021. The 2021 NIO contract management plan was required to be reviewed by 30 June 2022 or at the next contract variation. The NIO contract was varied on 26 June 2022, however as at February 2024 the 2021 contract management plan had not been reviewed.
3.18 As described at paragraph 2.8, the contract management plan template includes a list of required content. The 2021 NIO contract management plan includes a range of information consistent with this template including governance arrangements for contract management; deliverables; standards; performance monitoring arrangements; and payments. However, the 2021 contract management plan content does not fully align with the template.
- While the NIO contract management plan specifies the reporting deliverables that will be used for the performance assessment against service levels, it does not list the clauses of the NIO contract relating to performance obligations or what actions are to be taken if there is underperformance.
- The NIO contract management plan specifies that ADHA has the power to conduct audits under the contract but does not elaborate on when or how these are to occur.
- The NIO contract management plan refers to termination/step-in clauses, but does not include any detail on any processes to be followed including notice periods, show cause notices and any other invitations to remedy defects.
- The NIO contract management plan refers to a register of variations and extensions executed from 1 July 2016 and includes a flow chart of the ADHA’s approach to managing variations, but does not list the contract requirements for implementing a variation or contract closure.
- The contract management plan should include a link to the risk management plan and details of risk identification, analysis and management. As noted at paragraph 3.9, the 2021 NIO contract management plan included a link to 2016 and 2020 risk assessments, which were out of date and lacking in detail, and the contract management plan did not provide justification for the overall ‘medium’ risk rating. No specific guidance or instructions about how to assess and manage risk are addressed in the contract management plan.
3.19 The NIO contract management plan does not refer to, or provide instructions for, several key contract provisions:
- undertaking ‘benchmarking’ of the standards of delivery and costs of services57;
- arrangements relating to subcontractors and subcontracting;
- dispute resolution; or
- the contractor contributing to an annual review undertaken by ADHA of contractor performance, complaints, issues and incidents that may contribute to ADHA’s consideration of options that may be exercised under the contract.
Recommendation no.2
3.20 Australian Digital Health Agency update its National Infrastructure Operator contract management plan:
- annually, in accordance with review requirements;
- to provide sufficient guidance on key contract management elements such as termination and step-in, issues management and escalation;
- to incorporate guidance on key contract provisions such as dispute resolution, subcontracting, benchmarking and annual review of contractor performance; and
- to provide guidance and instructions to officials on how and when to identify, assess and manage National Infrastructure Operator contract risks.
Australian Digital Health Agency response: Agreed.
Management of contract variations
3.21 The Australian Government Contract Management Guide states that:
An entity should not seek or allow a contract variation where it would amount to a significant change to the contract or significantly vary the scope of the contract if it could reasonably be determined that: a. other potential suppliers may have responded differently to the amended contract scope in the tendering process which may have produced a different value for the money outcome, or b. the variation may compromise the original procurement’s value for money assessment. Entities may allow minor contract variations, where these do not negatively affect the achievement of value for money in the contract.58
3.22 The guide notes that the need for a variation may arise due to unexpected events (including delays in delivery); changes in technology; changes in legislation or policy; minor changes to the organisation’s requirements; changes in key personnel; changes in delivery method or location; changes to milestone delivery dates; fluctuation in demand for the goods or services; and other factors that affect contract delivery. Entities should document decision making to ensure the contract still presents value for money and the decision is defensible.59
3.23 As noted at paragraph 1.9, as at December 2023 the NIO contract had been amended eight times since January 2018, of which six amendments were executed during the term of an existing contract largely to provide for additional funding for MHR system enhancements (Table 3.2). Although advice was provided to the ADHA board or CEO about the reason for the expenditure, ADHA did not document its consideration of whether the contract still presented value for money, or whether the changes involved were sufficiently ‘minor’ to warrant not returning to market.
| Execution date | Change to contract value | Advice to board/CEO about reasons for additional expenditure | Other changes |
|---|---|---|---|
| 12 June 2019 (b) | + $24.4 million | Systems improvement additional work 2018–19, and operations, maintenance and support adjustments. | Amended selected schedules including to withhold payments, update handover arrangements and references to selected providers and sub-contractors. |
| 28 September 2020 (c) | + $4 million | Upgrade software products, pathology reporting, update of National Infrastructure Documentation. (d) | Nil |
| 1 December 2020 (e) | + $4.4 million | Enhanced use of immunisation data, consumer privacy and access controls and support adjustments. | Nil |
| 18 December 2020 (f) | + $6.6 million | Systems improvement, MyGov integration and condition specific dashboard. | Nil |
| 8 April 2021 (g) | + $2.4 million | Software upgrades and notification and contact verification. | Amended liability cap period and the installation of additional storage capacity. |
| 2 July 2021 (h) | + $11.5 million | Software upgrades, immunisation certificates and aged care continuity of care. | Introduction of service levels and service indicators relating to ‘record delete’ functionality. |
Note a: Two NIO contract variations following on from procurement processes, and which altered the term of the contract, are considered separately in Chapter 4.
Note b: AusTender contract notice CN3612552.
Note c: Not reported on AusTender.
Note d: National Infrastructure Documentation is explained further at paragraph 3.49.
Note e: Not reported on AusTender.
Note f: AusTender contract notice CN3612552-A2.
Note g: AusTender contract notice CN3612552-A3.
Note h: AusTender contract notice CN3612552-A4.
Source: ANAO analysis of contract variations.
3.24 Each of the six variations was formalised through a deed of variation that was executed by the ADHA CEO and Accenture, and which incorporated amended schedules as required. At the time, the ADHA board had delegated to the CEO authority to enter into contracts up to $3.5 million, and for variations of the NIO contract up to $15 million provided the varied amount was within the expenditure previously approved by the board (see paragraph 2.24). Documentation provided to the CEO recommending the execution of each contract variation referenced earlier board approvals of additional contract expenditure.60 Committed expenditure, whilst remaining within the total expenditure approved by the board, exceeded the approved expenditure on two occasions61 by a total of $10.9 million when broken down by financial year. Advice to the board seeking approval for the additional expenditure and to the CEO for contract execution did not include reconciliations of previously approved and actual expenditure.
3.25 As a corporate Commonwealth entity, ADHA was ‘encouraged’ to adhere to the Australian Government’s Digital Sourcing Contract Limits and Reviews Policy from 1 February 2020. The policy requires a contractor’s performance and deliverables to be reviewed prior to the exercise of an extension option.62 As noted in Figure 1.2, ADHA exercised an extension option on the NIO contract with Accenture once after 1 February 2020: on 26 February 2021 (to 30 June 2022). The advice to the CEO to exercise the extension option did not refer to a review of the contractor’s performance and deliverables.
Recommendation no.3
3.26 Australian Digital Health Agency ensure that:
- decisions to expend money through a contract variation document whether the variation represents a ‘minor’ change, and the value for money of the variation; and
- it reviews performance and deliverables prior to exercising a contract extension option.
Australian Digital Health Agency response: Agreed.
Opportunity for improvement
3.27 The Australian Digital Health Agency Audit could consider including reconciliation of contract commitments to previous expenditure approvals in advice to the board and Chief Executive Officer when seeking further approvals.
Meetings with the contractor
3.28 The Australian Government Contract Management Guide notes that a contract management plan may contain a schedule of meetings.63 ADHA’s contract management plan template for strategic/complex contracts requires a schedule of contract meetings to be detailed, including meeting attendees.
3.29 ADHA has established regular meetings with the NIO contractor through the NIO contract and contract management plans.
- The NIO contract includes provisions that require the contractor to participate in certain meetings including weekly operational meetings, quarterly contract meetings and other meetings as identified by ADHA from time to time, or as requested by the contractor.
- The 2021 NIO contract management plan specifies 12 different types of meetings, their purpose, attendees and frequency. The plan does not include requirements about how meetings are administered such as recording minutes and actions.
- The ‘Information Technology Support Management framework’ (IT Support Management framework) implemented in March 2022 (see paragraph 2.9) specifies strategic, tactical and operational-level meetings, each with a mandated frequency. The framework incorporates similar types of meetings to those in the 2021 NIO contract management plan, but also includes six ‘multi-vendor’ meetings involving the NIO. Of the 13 meeting types, the framework establishes terms of reference for 10 and requires minutes and actions to be recorded for three. It establishes secretariat arrangements for each meeting type.
3.30 Meeting records have been inconsistently maintained, and there are limited meeting records for meetings held between September 2021 and September 2022. Of the 13 meeting types specified in the March 2022 IT Support Management framework: one of three that required meeting minutes maintained meeting records; and three of 10 that did not require meeting minutes were held. Of the remaining meeting types, there is no evidence that they were held. Meeting records relating to the NIO contract since the implementation of the IT Support Management framework show that some meetings have not been held at the required frequency. One meeting that is held is not captured in the framework.
3.31 In February 2024 ADHA advised the ANAO that it was holding eight types of meetings with Accenture at regular intervals (weekly, fortnightly and monthly) and two types of meetings involving Accenture and other vendors. Of these 10 meeting types, four were specified in the IT Support Management framework. As at February 2024 the framework was last updated on 11 November 2023.
Opportunity for improvement
3.32 The contract management plan and IT Support Management framework could be updated to reflect relevant contract management practices.
Records management
3.33 ADHA’s ‘Chief Transformation Officer’ approved an information governance framework in November 2018. A key part of the framework is a records management policy (November 2018). ADHA implemented the Agency Records Management System (ARMS) on 30 September 2021. The records management policy was amended on 12 August 2022 to specify that the ‘default’ electronic document and records management system is ARMS and that ‘all business areas must use ARMS to store their documents’, unless an exception has been appropriately agreed. ADHA training in 2023 notes that ‘use of ARMS for all record keeping purposes is a mandatory obligation for all staff’.
3.34 The ANAO observed that while ADHA contract management staff maintained records related to the contract, some records were contained within the ‘Collaborate’ system (see paragraph 3.41) and on the ADHA’s ‘Sharepoint’ system, rather than in ARMS.
Recommendation no.4
3.35 The Australian Digital Health Agency ensure that records created as part of the National Infrastructure Operator contract are stored in accordance with its information governance framework.
Australian Digital Health Agency response: Agreed.
Has contract performance been managed effectively?
Although there is evidence of ADHA conducting reviews and requiring some National Infrastructure Operator deliverables to be resubmitted, ADHA has not reviewed contract reporting deliverables as required. Contract and contract management plan provisions to support performance management have rarely or never been used (benchmarking, annual performance reviews and audits) or have not been used as planned (issues monitoring). A request for updated My Health Record system architecture in August 2019 in preparation for approaching the market for the National Infrastructure Operator in June 2020 coincided with the commencement of a dispute between ADHA and Accenture about system architecture documentation. The dispute was not resolved until March 2023. The practice of advance payment for services before delivery weakens ADHA’s leverage in managing performance. ADHA has invoked contract provisions that penalise the contractor for failing to meet certain service levels.
3.36 The role of a contract manager is to ensure the supplier is meeting its obligations under the contract — including that goods or services are received on time, within budget and in compliance with contract specifications. Performance management should take place throughout the life of the contract and be based on the performance framework included in the contract.64 The 2021 NIO contract management plan notes that performance management involves: performance monitoring; conducting audits; monitoring of issues, incidents and problems; escalation process; and termination/step-in.
Performance monitoring
3.37 The 2021 contract management plan states that the ADHA contract manager is responsible for performance monitoring, with performance assessed against service level agreements as determined by three monthly MHR NIO reports: operations report65; participation report66; and security monitoring and diagnostics report.67 The contract management plan states that people in certain positions (e.g. the ‘contract manager’) are to validate each report, however two positions are not aligned to a position in ADHA’s organisational structure.
Opportunity for improvement
3.38 Specifications regarding report validation in the NIO contract management plan could be updated to reflect current positions and titles.
3.39 Between 2018 and 2023 Accenture provided all monthly operations, participation and security and diagnostics reports as required.
3.40 In addition to the monthly reports, ADHA receives other deliverables under the NIO contract and contract management plan. The 2021 NIO contract management plan specifies 34 deliverables that are to be reviewed by ADHA, of which 10 are to be reviewed annually, 19 are to be reviewed ‘as required’ and four are to be reviewed if part of a release report.68
- Annual and other deliverables — These include handover plans, resourcing plans, system security plans, backup and recovery plans and intellectual property registers.
- Release reports — These are provided after enhancements to the MHR system.
3.41 Accenture uploads (and ADHA reviews) reports and other deliverables in a project management tool (Collaborate). Depending on the report or deliverable, specified business areas within ADHA are ‘responsible for’, ‘accountable for’ or ‘informed of’ the report.69 The NIO contract management team is responsible for identifying relevant business areas and adjusting the workflows in Collaborate accordingly. Reviews in Collaborate generate an auditable workflow. As at March 2024, while ADHA provided general information on its staff intranet about the purpose and access to Collaborate, standard operating procedures for the use of Collaborate were not documented.
3.42 The proportion of reviews of monthly reports that were conducted as required in 2022 and 2023 ranged from 45 per cent to 100 per cent, depending on the report, and whether the review was required to be done by the NIO contract management team or a different business area (Table 3.3). Of the annual and ‘as required’ contract deliverables listed in Collaborate, the contract management team reviewed none (of three) in 2022 and six (of 11) in 2023. There is a lack of controls to assure that reviews are being undertaken.
| Year/reports received and reviewed/informed | Monthly operations report | Monthly participation report | Monthly security and diagnostics report (a) | Annual and ‘as required’ deliverables |
|---|---|---|---|---|
| 2022 | | | | |
| Number of reports | 12 | 12 | 12 | 3 (b) |
| Per cent reviewed by contract management team | 100% | 92% | Not required | 0% |
| Per cent of specified business areas that reviewed (c) | 96% | 92% | 92% | Not required |
| Per cent of specified business areas that were informed (d) | 14% | 14% | Not required | Not required |
| 2023 | | | | |
| Number of reports | 12 | 12 | 12 | 11 (e) |
| Per cent reviewed by contract management team | 100% | 67% | Not required | 55% |
| Per cent of specified business areas that reviewed (c) | 55% | 45% | 58% (f) | 90% |
| Per cent of specified business areas that were informed (d) | 29% | 24% | Not required | Not required |
Note a: Prior to November 2023, the monthly Security and Diagnostics reports were submitted and accepted by ADHA’s Cyber Security Operations team. In November and December 2023, the reports were submitted to the contract management team.
Note b: Annual and ‘as required’ deliverables stored in Collaborate in 2022 comprised the Continuous Improvement Register, Register of Assets and Capacity Plan.
Note c: More than one business area may be required to review a report.
Note d: More than one business area may be required to be informed about a report.
Note e: Annual and ‘as required’ deliverables stored in Collaborate in 2023 comprised the Continuous Improvement Register, NIO Handover Plan, Annual Configuration Report, NIO Security Operating Processes SOP Manual, Resourcing Plan, Backup and Recovery Plan, Register of Assets, Backup and Recovery Plan, Capacity Plan, System Security Plan and IP Register.
Note f: ADHA advised the ANAO in May 2024 that although there was no formal record that reports relating to June, July, August, September and October 2023 had been reviewed, these reports were discussed in the monthly meetings with Accenture and were a standing item on the agenda. No meeting minutes were taken, and there was no other evidence of review.
Source: ANAO analysis of ADHA review of monthly and annual reporting deliverables.
3.43 ADHA’s review of release reports has improved since 2022 (Table 3.4).
| Release reports provided | Number of release reports submitted for review | Reviewed by contract management team | Reviewed by specified business areas | Reports accepted by ADHA |
|---|---|---|---|---|
| August 2022 | 9 | ✘ | No business area review specified | Not applicable (a) |
| March, June and December 2022 | 9 | ✘ | No business area review specified | Not applicable |
| June 2022 | 17 | ✘ | No business area review specified | Not applicable |
| March 2023 | 16 | ✘ | No business area review specified | 0 |
| July and August 2023 | 7 | ✔ | ✔ | 5 |
| August and September 2023 | 2 | ✔ | No business area review specified | 1 (b) |
| October and November 2023 | 10 | ✔ | ✔ | 10 |
| November and December 2023 | 7 | ✔ | ✔ | 7 |
Key: ✔ Reviewed ✘ Not reviewed.
Note a: ‘Acceptance’ of a release report was not required until March 2023.
Note b: One of the two reports did not include a requirement to accept the report.
Source: ANAO analysis of ADHA review of release reports as at February 2024.
3.44 ADHA may require Accenture to resubmit reports before they are accepted. For the reports submitted between January 2022 and December 2023:
- of the 24 monthly operations reports, four were requested to be resubmitted prior to being accepted;
- of the 24 monthly participation reports, two were resubmitted prior to being accepted;
- of the 14 annual deliverables, five were resubmitted prior to being accepted; and
- of the 26 release reports submitted since July 2023, 14 were resubmitted prior to being accepted.
3.45 The February 2022 internal audit report (see paragraph 3.4) recommended that ADHA prioritise and monitor contract deliverables across business areas in an integrated manner.
Recommendation no.5
3.46 The Australian Digital Health Agency document its approach to reviewing and reporting deliverables, put in place arrangements to ensure that it reviews National Infrastructure Operator contract reports and deliverables as required, and establish appropriate controls to provide assurance that reviews are occurring.
Australian Digital Health Agency response: Agreed.
3.47 Service levels are established against:
- user experience (business service availability, transaction responsiveness, monitoring and reliability, usability, clinical safety, incident management, service request management, and defect resolution);
- hosting infrastructure (failover services, software and equipment currency, configuration management, and capacity management); and
- operational service levels (problem management, security monitoring and diagnostics, and reporting).
3.48 Monthly operations reports indicated that Accenture met all required service levels[70] in 40 of the 60 months between January 2019 and December 2023 (Figure 3.1). During this period Accenture met production availability in 55 of the 60 months and system availability was 99.97 per cent over the 60-month period.
Note a: Per cent of service levels achieved is calculated by dividing the number of service levels met by the total number of service levels met and not met. In September 2022 and January 2023, Accenture did not meet 100 per cent of service levels, however because the cause was external to the NIO they were not classified as a breach of service level.
Source: ANAO analysis of monthly operations reports.
3.49 As noted at paragraph 3.19, the NIO contract contains several provisions that relate to performance management that are not referred to in the NIO contract management plan. These provisions have never or rarely been used.
- Benchmarking[71] — ADHA has not used these provisions at all in the timeframe examined by the ANAO (2018 to 2023).
- Annual review — A proposal for an annual review was considered by ADHA in April 2020. The annual review was not progressed.
- Dispute resolution clause — A ‘dispute’ is defined in the 2022 NIO contract as:
any disagreement or difference of opinion regarding an issue, incident or event concerning or adversely affecting, or that is reasonably likely in the opinion of a party to concern or adversely affect, the performance of the Contract.
- The NIO contract includes formal provisions relating to the resolution of disputes between ADHA and the contractor. The formal dispute resolution provisions have been used once. The dispute, which was raised in June 2019, was not resolved until March 2023 (see Box 1).[72]
Box 1: National Infrastructure Documentation dispute |
Under the NIO contract, Accenture has been required since 2012 to update and maintain ‘National Infrastructure Documentation’ (NID). NID is IT solution architecture documentation for the MHR system that allows other potential suppliers besides Accenture to understand and submit viable responses to an approach to market and to operate the MHR system on behalf of the agency. NID comprises system architecture, system specifications, interface specifications, transition plan and technical infrastructure configuration. The contract requires the contractor to verify the currency of NID no later than two weeks following the deployment of any minor or major system changes. Accenture advised the ANAO in May 2024 that it had provided ADHA with ‘continuous access to the NID in its various forms since 2012’.
ADHA established a ‘Go to Market’ program in late 2017 to develop its sourcing plan for service design and structure ahead of the 30 June 2020 expiry date of the 2012 Accenture NIO contract. In early August 2018 ADHA prepared a list of items that it believed needed to be sourced from Accenture ‘to put us in a position where we have an accurate representation of the current platform and services’. On 10 August 2018 ADHA wrote to Accenture requesting, within 20 business days, copies of all contract deliverables and all documents that ‘constitute Customer Supplied Items, which Accenture (as the [NIO]), are required to comply with and maintain’. On 29 March 2019 Accenture provided ADHA with what it described in correspondence as a ‘NID — single set’. On 15 April 2019 Accenture provided an initial ‘walk though’ of the document set to ADHA.
As part of a contract variation executed on 12 June 2019 (see Table 3.2), the terms and conditions were amended to provide that ADHA could withhold disputed portions of invoices where the contractor had not, in ADHA’s opinion, provided documentation that contained sufficient information about the national infrastructure. The terms and conditions of the NIO contract variation included that the contractor must, following a request from ADHA, provide ‘accurate, complete and up-to-date information relating to the Services and the National Infrastructure, including [NID]’.
On 21 June 2019 ADHA advised Accenture that it was withholding payment for several invoices as it had not been provided with NID for several MHR system changes. On 25 June 2019 ADHA wrote to Accenture noting that ‘the Agency has significant ongoing concerns in relation to the NID, including that it does not contain sufficient information to enable the Agency and other providers to be able to fully use, operate and maintain the National Infrastructure’. On the same day, Accenture issued a dispute notice responding to ADHA’s 21 June 2019 letter in relation to the withheld payments, which stated that it had complied with the terms of the contract.
These events coincided with procurement planning for the June 2020 conclusion of the 2012 NIO contract, as all three extension options available in the original contract had been exhausted. A procurement plan endorsed by the Chief Financial Officer on 16 August 2019 referred to ADHA not having been able to obtain in time NID that established the ‘MHR baseline to describe the current and future NIO environments in sufficient detail [that would] ensure that another provider could reasonably take over provision of the MHR System with continuity of contract transition, service and function’. Although the procurement plan was finalised in August 2019, the plan stated that: ‘Accenture have been engaged to provide the current environment baseline which they have advised is not available until April 2019’. The procurement plan proposed a non-competitive direct source limited tender with Accenture.
In March 2020 ADHA informed Accenture that it had not accepted NID associated with a later MHR system change, and noted that it reserved ‘the right to withhold disputed invoice amounts related to the supply of accurate, complete and up-to-date NID’. On 12 May 2020 a dispute resolution plan was agreed that set out the framework for NID to be completed and payment arrangements for the withheld payments. Planned milestones for delivery of certain documents and payment were established for 30 June 2020, 30 August 2020 and 24 September 2020. These milestones were not achieved as planned, and withheld payments were gradually made to Accenture between July 2020 and 30 March 2023.
These events coincided with planning for the June 2022 conclusion of the extended 2012 contract. The 2012 contract with Accenture was again extended, for an additional three years to 30 June 2025, on a direct source limited tender basis.
On 9 March 2023 ADHA advised Accenture that the dispute resolution plan was closed. ADHA advised the ANAO in December 2023 that:
|
Recommendation no.6
3.50 The Australian Digital Health Agency ensure that National Infrastructure Operator contract arrangements that follow the expiry of the existing contract in June 2025 clearly specify the maintenance and provision of system architecture documentation and provide appropriate assurance arrangements for their timely provision.
Australian Digital Health Agency response: Agreed.
Audits
3.51 The 2021 NIO contract management plan states that ADHA may access the contractor’s premises to conduct audits in accordance with the contract. ADHA used these provisions to access Accenture’s premises on one occasion in 2019.
Monitoring of issues, incidents and problems
3.52 The 2021 NIO contract management plan states that ADHA maintains an issues register which ‘documents and tracks all issues through to resolution’. The issues register is linked into the contract management plan and is stored in a shared drive. The issues register is not regularly updated. As at February 2024 the register included six issues, five of which were raised or escalated in June and July 2020 and one which had ‘not yet been raised’. From October 2022, issues were tracked and closed using a different register.
Use of escalation process
3.53 The 2021 NIO contract management plan refers to a contract deliverable (‘MHR NIO Escalation Process’) and a link is provided to a shared drive folder. The escalation process describes the processes to be followed by the contractor to respond to different types of incidents (for example, MHR system outages) and the impact, duration or functionality associated with the incident.
Termination/step-in provisions
3.54 The 2021 NIO contract management plan states that two clauses within the NIO contract cover step-in (clause 46) and termination (clause 52) but does not include any detail on any processes to be followed (see paragraph 3.18). Under these clauses the ADHA can, subject to certain conditions, take control of the provision of services or terminate the contract. These clauses have not been utilised by ADHA.
Payments
3.55 Entities can limit financial risks by structuring payments so that they become due after the completion of services, delivery of goods or completion of activities.[73] By contrast, advance payments are amounts paid before a good or service is provided or delivered. Advance payment increases financial risk. In a 2022 procurement process for NIO services, one of four risks highlighted prior to a decision to conduct a sole source limited tender was ‘repudiation of the contract, with possible consequences including potential financial loss due to advance payment of contract fees’ (see paragraph 4.11).
3.56 ADHA has made advance payments to Accenture (in July of each year) since the contract was novated to ADHA in 2016–17.[74] In exchange for advance payment, Accenture agreed to a service level of 99.9 per cent system availability (compared to a previous agreed level of 99.5 per cent) and reduced charges. The variation still allowed charges to be invoiced in arrears but with a reversion to the previous service level of 99.5 per cent.
3.57 Figure 3.2 shows the proportion of advance payments made to Accenture for the NIO contract between 2018–19 and February 2024. The total amount of advance payments declined from $67 million in 2018–19 to $24 million in 2023–24. The proportion of payments that were advance payments declined from over 90 per cent in 2018–19 and 2019–20, to 81 per cent in 2020–21 and approximately 60 per cent in 2021–22, 2022–23 and 2023–24.
Note a: Expenditure to 9 February 2024.
Source: ANAO analysis of NIO contract invoices and ADHA reported NIO contract expenditure.
3.58 In 2023 advice requested by the CEO as to why prepayments were being made to Accenture, officials noted that the original rationale for advance payment was to ‘give Accenture sufficient resources to cover ongoing work’ for monthly operations, maintenance and support charges; and to achieve higher system reliability.[75] While the advance payment of monthly operational, maintenance and support charges was considered in contract negotiations with Accenture in 2022, the arrangement was retained following Accenture’s advice to ADHA that ‘[a]ll discounts have been subject to annual prepayment. Removing those terms will require re calculation and approval of the proposed discounts’.
3.59 Advance payment creates the risk of weaker leverage to enforce performance requirements. This risk is partly mitigated through the ability of ADHA to claim, at its sole discretion, ‘service credits’ against payments that are paid in arrears should Accenture fail to meet certain service levels. The value of service credits (the ‘service credit pool’) is the maximum amount that can be claimed by ADHA each month for underperformance. The leverage achieved through service credits is limited by the service credit pool being capped at 12 per cent of monthly support charges, and a requirement that no more than 20 per cent of the service credit pool can be assigned to each of 23 service level categories. Since January 2018 ADHA has claimed all applicable service credits for underperformance. Service credits have been claimed on 25 occasions and totalled $1.04 million to December 2023.
4. Procurement processes
Areas examined
This chapter examines whether the Australian Digital Health Agency (ADHA) has conducted procurements of the My Health Record (MHR) National Infrastructure Operator (NIO) effectively.
Conclusion
ADHA has not conducted procurements of the National Infrastructure Operator contract effectively. ADHA’s planning and decisions about how to approach the market for the contract in 2019 and 2022 were deficient. For both sole source limited tender procurements, ADHA’s conduct of limited tender processes under Division 1 of the Commonwealth Procurement Rules (including demonstrating value for money, managing probity and public procurement reporting) was also deficient.
Areas for improvement
The ANAO made seven recommendations aimed at improving ADHA’s: procurement planning; assessment of value for money in procurements; decisions in relation to limited tender procurements; development and application of probity policy in procurement; and reporting on AusTender.
4.1 As noted at paragraph 1.9, the 2012 NIO contract between ADHA and Accenture Australia Holdings Pty Ltd (Accenture) has been amended twice since January 2018 following limited tender procurement processes: in 2019 and 2022 (Box 2).
Box 2: NIO procurements, 2019 and 2022 |
2019 — All extension options under the 2012 NIO contract with Accenture were exercised and the contract was due to expire on 30 June 2020. The ADHA board agreed to ‘extend’ the NIO contract with Accenture on a direct source basis, at a cost of $85 million, for up to 24 months. Two 12-month extension options were added. The board decided that there would be no further extensions to the contract beyond mid-2022. Both 12-month extension options were exercised.
2022 — The ‘extended’ contract with Accenture was due to expire on 30 June 2022. The ADHA board approved a three-year ‘extension’ of the 2012 NIO contract at a cost of $104.5 million. The contract with Accenture is due to expire on 30 June 2025. |
4.2 Achieving value for money in procurements is the core rule of the Commonwealth Procurement Rules (CPRs). The CPRs include specific requirements for: planning (including defining goals, estimating value and managing procurement risks); approaching the market in open tenders except in specific circumstances; conducting tender processes; acting with probity; and public reporting.
Has Australian Digital Health Agency conducted effective planning and approaches to market?
Planning and approach to market processes for the 2019 and 2022 procurements of the National Infrastructure Operator were deficient.
- Procurement plans were not approved before procurement decisions were made.
- Risk associated with a direct source limited tender was not well assessed for the 2019 procurement but was assessed for the 2022 procurement.
- For the 2019 and 2022 procurements, ADHA justified not going to open market using limited tender conditions listed in the Commonwealth Procurement Rules, however there were weaknesses in how conditions were justified, approved, implemented and reported. In particular, the use of paragraph 10.3b of the CPRs (‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’) was inappropriate.
- In making procurement planning decisions, relevant information (including performance issues) was not appropriately considered by the decision-maker.
Procurement planning
4.3 Table 4.1 depicts ADHA’s compliance with the CPRs and ADHA procurement manual (see paragraph 2.5) requirements relating to planning.
Requirement | Source of requirement | 2019 procurement | 2022 procurement |
When a business requirement arises, consider whether or not conducting a procurement will deliver best value for money | CPRs, paragraph 4.2 | ■ | ◆ |
Prepare a procurement plan | CPRs, paragraphs 7.8 and 7.9; ADHA procurement manual, p. 11 | ▲ | ■ |
Define goals and estimate value | CPRs, paragraphs 4.1 and 9.2 | ▲ | ▲ |
Manage risk | CPRs, paragraphs 4.4 and 8.2 | ▲ | ◆ |
Key: ◆ Compliant ▲ Partly compliant ■ Non-compliant
Source: CPRs, ADHA procurement manual and ANAO analysis of ADHA procurement documentation.
Consideration of value for money of procurement
4.4 ADHA did not consider whether outsourcing the NIO through a procurement process in 2019 represented value for money. In relation to the 2022 procurement process, ADHA considered options for future delivery of the NIO contract, including in-sourcing, in August 2019 and February 2020.
Procurement plans
4.5 In the 2017–18 Budget the Australian Government allocated $137.96 million to ADHA for ‘My Health Record – continuation and expansion’ and the government was informed that an approach to market to re-contest the NIO services was required to be completed by May 2019. The CPRs state that entities ‘must maintain on AusTender a current procurement plan containing a short strategic procurement outlook’ in order to ‘draw the market’s early attention to potential procurement opportunities’. It should include the subject matter of any ‘significant planned procurement and the estimated publication date of the approach to market’. Entities should update their plans regularly throughout the year. ADHA published some planned procurements on AusTender between 2018 and 2023, but these did not include the NIO.
4.6 The ADHA procurement manual in force until December 2023 required procurement plans to be completed for individual procurements. Where a limited tender was conducted[76], a limited tender procurement plan was to be completed and cleared by the director of ADHA’s central procurement area prior to being submitted for ‘process approval’ by the relevant senior executive and final approval by the relevant financial delegate. For the 2019 procurement, ADHA prepared a limited tender procurement plan; however, approval of the plan was not obtained in accordance with the procurement manual[77] and the plan was approved at the same time the procurement was finalised. ADHA did not prepare a 2022 procurement plan.
Defining goals and estimating value
4.7 The CPRs state that a thorough consideration of value for money begins by officials clearly understanding and expressing the goals and purpose of the procurement, and estimating the value of the procurement before a decision on the procurement method is made. The intent of this requirement is to ensure that the chosen procurement method is allowable and represents value for money. ADHA complied with the requirement to define goals and estimate value prior to conducting the limited tender procurement through advice to the board in 2019 and through advice to the Senior Executive Committee in 2022. However in 2022 the description of goals and estimation of value (‘$100 million+’) were provided approximately four months before the extension of the NIO contract with Accenture was executed, and did not inform the decision about the procurement method, which had already been decided. As at February 2024 ADHA did not have an internal procurement plan relating to the future of the NIO contract, due to expire on 30 June 2025.
Recommendation no.7
4.8 In anticipation of the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency:
- publish a procurement plan on AusTender that provides reasonable notice to the market about the expiry of the contract; and
- prepare and endorse an internal procurement plan.
Australian Digital Health Agency response: Agreed.
Risk management
4.9 The CPRs state that procurements should ‘encourage appropriate engagement with risk’[78], and that entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement, including when making decisions.[79]
4.10 For the 2019 procurement, assessment of risks was limited.
- A 6 December 2018 board paper assessed the risks of going to market for the NIO as medium to very high. An extension of the contract with Accenture was considered to mitigate these risks to allow ‘for operations, maintenance and support services to continue for MHR, and for ADHA to obtain the handover plan, detailed data collection and due diligence activities for the approach to market’. The board paper did not consider the risks related to a limited tender or extension of the contract with Accenture.
- A 20 June 2019 board paper seeking approval of an NIO contract ‘extension’ with Accenture, assessed the risk of extending the existing contract as low because: current service provided by Accenture was performed at a satisfactory level; termination clauses were included within the contract; and the Government had made a policy commitment to the ongoing support of the MHR. There was a short table with mitigation strategies for three risk categories: commercial, technology and integrity. The NID dispute (see Box 1) was not mentioned in the board paper.
- The 16 August 2019 procurement plan included a risk assessment, which only considered risks related to a contractual liability cap. A CEO approval cover sheet for the procurement plan and deed of variation did not include any discussion of risk.[80]
4.11 For the 2022 procurement, a 24 March 2022 board paper included a more thorough risk assessment than in 2019. The risk assessment listed four ‘high’ or ‘very high’ risks, all of which exceeded the risk appetite and none of which were accepted:
- Risk 1 (‘very high’) — Expiry of the NIO contract and the contractor ceasing to provide the services, with possible consequences including legislative non-compliance, interruptions to the MHR system, and a requirement to engage a new provider ‘likely at significant financial cost’.
- Risk 2 (‘high’) — The ‘process of extension of the NIO contract’ with possible consequences including non-compliance with the PGPA Act, reputational damage, increased external scrutiny and increased financial cost for the MHR system ‘as a consequence of the Contractor’s negotiating position’.
- Risk 3 (‘high’) — Repudiation of the contract, with possible consequences including potential financial loss due to advance payment of contract fees, reputational damage due to service disruptions, and loss of oversight of sub-contractor deliverables.
- Risk 4 (‘high’) — (Loss of) service continuity, with possible consequences including service availability and system reliability issues, and reputational damage.
4.12 The 2022 risk management plan included, for each listed risk, the possible consequences, a likelihood and consequence rating, the risk appetite, existing controls, control effectiveness ratings, and control and treatment owners. The controls and treatments included ‘running a procurement process’, obtaining legal advice, a stakeholder communications plan, contract negotiations with Accenture, and exercising existing contractual performance standards and other contract clauses. Although the Accenture contract was re-negotiated at this time, no new contract conditions were proposed as risk treatments.
Approach to market processes
4.13 The CPRs state that for procurements at or above the relevant procurement threshold, limited tender can only be conducted in accordance with conditions listed in paragraph 10.3 or exemptions listed in Appendix A of the CPRs.[81] The relevant procurement threshold is $80,000 for non-construction contracts.[82] Table 4.2 shows the overall level of compliance by ADHA with the CPR requirement for limited tenders to meet certain conditions or exemptions.
Requirement | Source of requirement | 2019 procurement | 2022 procurement |
Comply with CPR conditions (exemptions) for limited tender | CPRs, paragraph 10.3 | ■ | ▲ |
Reporting of CPR conditions (exemptions) for limited tender | CPRs, paragraph 9.11 | ■ | ▲ |
Key: ◆ Fully compliant ▲ Partly compliant ■ Non-compliant
Source: CPRs and ANAO analysis of ADHA procurement documentation.
4.14 ADHA decided to use a direct source limited tender for the NIO services in 2019 and 2022, in both instances considering only the incumbent provider (Accenture). On both occasions, the estimated value ($140 million in 2019 and ‘$100 million+’ in 2022) far exceeded the relevant procurement threshold for limited tender. ADHA was therefore required to justify the limited tender under one of the conditions listed in paragraph 10.3 or exemptions listed in Appendix A of the CPRs. The NIO services did not fall under the kinds of services listed in Appendix A.
2019 procurement
4.15 As noted at paragraph 4.5, in April 2017 ADHA had informed the Australian Government that an approach to market to re-contest the NIO services was required to be completed by May 2019. However, on 19 November 2018 ADHA asked the Minister for Health to ‘agree that ADHA will not approach the market to retender in early 2019, as previously noted’ and to ‘Note that the ADHA will extend the current contract with the [NIO provider] for a period of up to one year (with an additional one-year option)’. The submission stated that ADHA planned to conduct an ‘open design’ process in 2019.[83] The ministerial submission was marked ‘[No Further Action]’ by the Minister through the Minister’s office.
4.16 The ADHA board was informed in December 2018 that agreement was being sought from the Minister for Health not to approach the market in early 2019. The board also was informed that:
consultation with the Department of Finance (Finance) has confirmed that an extension [of the 2012 NIO contract with Accenture] would be considered reasonable in the circumstances and an available option to ADHA under the [CPRs] … The current advice (both from Finance as well as external legal advice … ) is that an extension is preferred as the current rights and obligations will be retained. Given the original market approach was open tender, an extension accommodates a previously open competitive bid process.[84]
4.17 On 6 December 2018 the board agreed to ‘extend’ the 2012 NIO contract with Accenture for up to 24 months. The board noted that this was ‘ … consistent with Commonwealth Procurement Rules as confirmed by the Department of Finance’.
4.18 Other than a paper supporting the 6 December 2018 board decision that mentions paragraph 10.3b[85] as a condition for limited tender, documented decisions about the procurement between October 2018 and June 2019 did not refer to any paragraph 10.3 condition that permitted a limited tender.
4.19 The use of paragraph 10.3b to justify a limited tender was inappropriate. As noted at paragraph 4.15, consideration of a procurement process in preparation for the conclusion of the 2012 NIO contract was discussed with government as early as April 2017. The situation was not one of extreme urgency and the events were foreseeable. The justification to use direct source limited tender because a previous procurement process had been competitive was inappropriate and not consistent with the CPRs. Given that a contract variation needed to be negotiated with Accenture, it was not necessarily the case that the rights and obligations under the 2012 contract would be retained.
4.20 ADHA’s request for the external legal advice cited in the paper provided to the board on 6 December 2018 stated:
There is a significant deficiency of present system details, including architecture requirements for how [MHR] currently operates, which will preclude other vendors in the marketplace submitting a competitive proposal and reasonably being able to operate MHR …
However, there was no reference to the National Infrastructure Documentation (NID) dispute with Accenture (see paragraph 3.49 and Box 1) in the 6 December 2018 board paper, or its impact on procurement options.[86] The board was told that the contract ‘extension’ ‘will give … until 2022 to complete the procurement process and ensure a full and open dialogue with the community and industry on the future technology to support My Health Record’.
4.21 On 20 June 2019 the board again approved the ‘extension’ of the NIO contract with Accenture for up to 24 months. The paper seeking board approval did not reference a condition justifying limited tender. The paper stated that: ‘Consultation with Finance has confirmed that an extension to the current NIO Contract would be considered reasonable in the circumstances and an available option to the Agency under the [CPRs]’.[87] The 20 June 2019 board paper justified the direct source limited tender by stating that negotiating with the existing supplier involved ‘cost efficiencies’ and that a future MHR delivery model would be ‘very different’ and would ‘provide opportunity to market test and review alternate models to deliver cost efficiencies’.[88]
4.22 The 16 August 2019 limited tender procurement plan noted the following three CPR conditions to justify limited tender.
- 10.3b — ‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’.
- 10.3.d.iii — ‘when the goods and services can be supplied only by a particular business and there is no reasonable alternative or substitute for one of the following reasons … due to an absence of competition for technical reasons’.
- 10.3.e — ‘for additional deliveries of goods and services by the original supplier or authorised representative that are intended either as replacement parts, extensions, or continuing services for existing equipment, software, services or installations, when a change of supplier would compel the relevant entity to procure goods and services that do not meet requirements for compatibility with existing equipment or services’.
4.23 The paragraph 10.3.d.iii and 10.3.e conditions for limited tender were documented and approved in the procurement plan in August 2019, which was well after the limited tender process had commenced. The conditions were never considered by the accountable authority. Although paragraphs 10.3.d.iii and 10.3.e refer to circumstances that could have applied to the MHR NIO context, no evidence to support the assertions was documented. The August 2019 procurement plan referred to ADHA not having been able to obtain NID reflecting the MHR baseline from Accenture in time to support a competitive procurement process (see Box 1). This was given as a reason for the direct source limited tender approach.
In recent months, ADHA team has been attempting to establish the MHR baseline to describe the current and future NIO environments in sufficient detail. The purpose of this has been to ensure that another provider could reasonably take over provision of the MHR System with continuity … Accenture have been engaged to provide the current environment baseline which they have advised is not available until April 2019. To facilitate the additional time needed and address the risk that another vendor cannot successfully take over the MHR services, a deed of variation to extend the NIO contract is proposed with Accenture.
4.24 The CEO approval cover sheet for the August 2019 procurement plan gave the following explanation for the limited tender direct source approach:
ADHA has established a program of work ([National Infrastructure Modernisation] Program) … it has been identified that continuation of the services to run My Health Record are required and service continuity must be maintained in parallel with the [NIM] Program activities. As a result, we will seek to vary the current NIO contract … with Accenture …
4.25 When conducting a limited tender above the relevant threshold, the relevant limited tender condition must be reported on AusTender.[89] ADHA did not report it.
2022 procurement
4.26 Following the 2019 direct source limited tender procurement, the ‘extended’ contract with Accenture was due to conclude on 30 June 2022 if all extension options were utilised. On 18 June 2020 the board approved discussions with Accenture about another possible contract ‘extension’ to mid-2023. On 18 February 2021 the board approved ‘the potential extension’ of the NIO contract ‘on a limited tender (direct source) basis’ for a period of up to 12 months through to 30 June 2024. On 13 October 2021 the board was provided with an update on contract negotiation goals. None of these board discussions included consideration of the justification for a limited tender approach in 2022.
4.27 On 22 December 2021 ADHA sought external legal advice regarding ‘extending’ the 2012 Accenture contract. The legal advice, which was provided on 17 March 2022, referenced ADHA being unable to obtain accurate and up to date MHR system architecture documentation resulting in delays to the National Infrastructure Program.
4.28 On 24 February 2022 the board was provided with an update on the negotiations with Accenture, which noted an intention to ‘extend’ the contract. The board discussion included no consideration of the justification for a limited tender approach or mention of the NID dispute and its ongoing ramifications for a competitive procurement process. The board was told that ADHA ‘currently is dependent on Accenture and the contract is in Accenture’s favour in terms of intellectual property’.
4.29 On 24 March 2022 the board was advised that advice on the legal risks of the limited tender approach had been sought, and that limited tender was an option as long as it was appropriately justified under the CPRs. The board considered two conditions as justification for a direct source limited tender. CPR paragraph numbers were not cited, however the conditions were those under paragraphs 10.3b (extreme urgency) and 10.3d.iii (no reasonable alternative).
4.30 The 24 March 2022 board paper does not mention the legal advice regarding the impact of the NID dispute with Accenture on the ability to go to open tender in 2022. The reasons given in the board paper for a limited tender process were: ‘the uncertainty surrounding funding for future NIM modernisation activities, including the upcoming Federal election’ and ‘Delays in the implementation of the NIM Program [which] extend the Agency’s reliance on the technology and system expertise that NIO provides under its current contract with the Agency.’ The paper concluded:
Given these issues and the centrality of the NIO contract for the continued secure and reliable operation of the MHR, the Agency is seeking to extend the current NIO contract through a limited tender process consistent with the [CPRs] … in the circumstances there is no reasonable alternative.
4.31 The minutes of the 24 March 2022 board meeting show the board was told ‘the option of going to market would involve significant time and resources and the intellectual property is with Accenture’. The NIO contract does not appear to create an intellectual property obstacle as it provides for a perpetual licence to ADHA to use software. The minutes do not record the board questioning the assertion that the intellectual property was with Accenture, or the flawed reasoning of minimising time and resources on a procurement process. The board minutes state that ‘ADHA is in the process of building a new environment with new vendors and it is understandable that the legacy vendors and architecture will need to be in place for a few more years’ and ‘ADHA is a small part of the total Commonwealth Accenture spend’.
4.32 Unlike the 2019 procurement (which involved two extension options of one year each for an aggregate additional contract period of two years), in 2022 a single three-year ‘extension’ was recommended to the board for approval. The board was told that annual renewals were undesirable due to the time and resources involved; potential negative impacts on Accenture providing ‘optimum services or resources’; Accenture using the one year renewals as an opportunity to ‘renegotiate rates each renewal’; and an Accenture commitment to ‘efficiency gains and improvements on the basis of a three year contract’.
4.33 On 3 June 2022 a briefing paper sought the CEO’s signature on the deed of variation to the NIO contract with Accenture to increase the contract value by $105,320,195 (inc. GST), with a three-year ‘extension’ to 30 June 2025. While the board minutes were attached, the CEO briefing paper does not set out the reason for limited tender.
4.34 The limited tender condition reported on AusTender for the 2022 procurement was paragraph 10.3e. This particular condition was never presented to, or approved by, the accountable authority of ADHA for the 2022 procurement.
Recommendation no.8
4.35 The Australian Digital Health Agency implement controls to ensure that, in making procurement decisions, relevant information (including legal advice, and any past and ongoing disputes and performance issues with a supplier) is incorporated into the value for money assessment.
Australian Digital Health Agency response: Agreed.
4.36 Both the 24 March 2022 board and the 3 June 2022 CEO decisions to approve a limited tender in 2022 occurred after the limited tender process with Accenture had begun.
Recommendation no.9
4.37 The Australian Digital Health Agency ensure limited tender processes do not commence before the limited tender procurement approach has been approved by the relevant decision-maker, including (if applicable) consideration by the decision-maker of the specific conditions justifying limited tender.
Australian Digital Health Agency response: Agreed.
Recommendation no.10
4.38 For the procurement of a National Infrastructure Operator following the expiry of the National Infrastructure Operator contract on 30 June 2025, Australian Digital Health Agency conduct an open tender in accordance with the Commonwealth Procurement Rules.
Australian Digital Health Agency response: Agreed in principle.
4.39 Agreed in Principle, noting the Accountable Authority is responsible for these decisions.
Has Australian Digital Health Agency conducted effective limited tender processes?
Cost and other factors, including Accenture’s experience as the National Infrastructure Operator, were considered in the decision to award a contract ‘extension’ to Accenture in 2019 and 2022. However, the accountable authority made the decision without fully considering Accenture’s performance history and ADHA did not document a clear value for money assessment for either procurement. Approvals were given by officials with appropriate authority and were appropriately documented. The approach to declaring potential conflicts of interest did not comply with ADHA policy and program-specific probity obligations were unclear. ADHA partly complied with AusTender reporting requirements.
Limited tender processes
4.40 Procurements that are below a value threshold or meet one of the exemptions from open tender are not required to meet the requirements of Division 2 of the CPRs.[90] However, Division 1 of the CPRs applies to all procurements, including limited tenders. Division 1 of the CPRs states that procurement documentation should include the requirement, the process, how value for money was considered and achieved, relevant approvals, and the basis for relevant decisions.[91] Ethical behaviour as it relates to a procurement is outlined in Division 1.[92] Table 4.3 shows ADHA’s level of compliance with key CPR requirements for limited tender processes.
| Requirement | Source of requirement | 2019 procurement | 2022 procurement |
| --- | --- | --- | --- |
| Demonstrate value for money | CPRs, paragraph 4.4 | ▲ | ▲ |
| Appropriate approval and contracting processes | CPRs, paragraph 7.3; Contract Management Guide, paragraph 2.13 | ■ | ■ |
| Manage probity | CPRs, paragraphs 6.5–6.8 | ▲ | ▲ |
Key: ◆ Fully compliant ▲ Partly compliant ■ Non-compliant
Source: CPRs, Australian Government Contract Management Guide and ANAO analysis of ADHA procurement documentation.
Demonstration of value for money
4.41 Division 1 of the CPRs states that ‘officials responsible for a procurement must be satisfied, after reasonable enquiries, that the procurement achieves a value for money outcome’.[93] As the NIO procurement was a direct source limited tender, there was no competitive pressure in 2019 or 2022, increasing the risk that value for money would not be achieved. In these circumstances, robust negotiations and benchmarking price can help to achieve and demonstrate value for money.
4.42 Both procurements involved contract negotiations with Accenture, although negotiation planning was stronger in 2022.
- 2019 procurement — There was a negotiation process with Accenture from 4 October 2018, however ADHA had no finalised negotiation strategy, tender request or tender response.
- 2022 procurement — There was a negotiation process with Accenture following 18 June 2020 board approval to begin discussions with Accenture about another possible ‘extension’ of the NIO contract to mid-2023 (see paragraph 4.26). ADHA began drafting a negotiation strategy in January 2021 and wrote to Accenture on 23 February 2021. Contract negotiation goals were considered by the board on 13 October 2021. In 2022 ADHA engaged a consultant to assist with the negotiations.[94] Between December 2021 and March 2022 ADHA had several discussions with Accenture about a possible ‘extension’ term. ADHA had planned to seek two single year options to extend, or a two-year extension (both would end June 2024). Accenture proposed two options: a one-year extension followed by two additional one-year extension options (option 1); or a single three-year extension (option 2) (both would end June 2025). On 16 March 2022 Accenture provided ADHA with a ‘limited tender response’ that outlined the two options. Only option 2 included a commitment to improve NID. As noted at paragraph 4.32, ADHA accepted option 2.
4.43 ADHA did not benchmark price for the 2019 procurement. Accenture’s 2022 limited tender response provided a rate card for systems improvements and operational management services, which it stated would be based on the Skills Framework for the Information Age (SFIA).[95] Accenture provided ADHA with a table showing previous Accenture rates (for 2021) and SFIA rates. For 57 per cent of roles, the 2021 Accenture rates were higher than the SFIA rates, and on average rates were 23 per cent higher. ADHA performed analysis on but did not negotiate the rates.
4.44 When assessing whether a procurement represents value for money, the CPRs state that price is not the sole factor. Officials ‘must consider the relevant financial and non-financial costs and benefits of each submission including but not limited to the … potential supplier’s relevant experience and performance history.’[96] As noted at paragraphs 4.15 to 4.34, many other factors besides cost, including Accenture’s experience as the NIO, were considered in the decision to award a contract ‘extension’ to Accenture in 2019 and 2022. However, as noted at paragraph 4.20 (for the 2019 procurement) and paragraph 4.28 (for the 2022 procurement), factors relating to Accenture’s performance history (the NID dispute) were not communicated to the board.
4.45 Advice provided to the board and CEO largely did not include a clear overarching assessment of value for money, and neither the board nor the CEO requested a value for money assessment prior to making their decisions. However, elements of a value for money assessment were provided.
- 2019 procurement — The papers supporting the 20 June 2019 board approval of the NIO contract ‘extension’ with Accenture (see paragraph 4.21) noted a negotiated annual saving of $8.2 million and a ‘satisfactory level’ of current service performance by Accenture. There was no value for money discussion in the cover sheet supporting the 16 August 2019 CEO approval of the deed of variation, however the attached limited tender procurement plan discussed value for money of a limited tender method of procurement.[97] The plan did not specifically discuss the value for money of the contract variation with Accenture.
- 2022 procurement — The board paper supporting the 24 March 2022 board approval of the NIO contract ‘extension’ with Accenture (see paragraph 4.29) compared the relative merits, savings and administrative benefits of the two contract term options. The paper supporting the 3 June 2022 CEO’s approval of the deed of variation (see paragraph 4.33) stated that as part of the contract negotiations ADHA had gained ‘concession’ (benefits) in relation to the contract. This included a new charging rate card for systems improvement work allowing comparison of market rates. The paper said this would give savings of approximately 17 per cent, although that would be partly lost through allowing Accenture to recover certain travel costs.
Recommendation no.11
4.46 The Australian Digital Health Agency, in approving expenditure through a procurement, ensure that decisions are supported by a clear value for money assessment, which considers the financial and non-financial costs and benefits of the procurement.
Australian Digital Health Agency response: Agreed.
Approval and contracting processes
4.47 In the 2019 and 2022 procurements, the accountable authority (the ADHA board) authorised the contract with Accenture being ‘extended’ and approved the expenditure. Under this authorisation the CEO signed and executed the variations to the NIO contract with Accenture. The approvals, and the basis for decisions, were undertaken by the official with appropriate authority and appropriately documented.
4.48 As noted at paragraph 1.9, the 2012 NIO contract with Accenture was amended following the 2019 and 2022 procurements using a deed of variation. The Australian Government Contract Management Guide states that:
You can only extend a contract if all of the following conditions are met: 1. the contract contains an (unused) option to extend 2. It is value for money to extend the contract and 3. the contract has not yet expired … If you do not meet the conditions for contract extension, seek legal advice. You may have the option to … Put in place a short-term contract to cover the period until you complete a new procurement process and establish a new contract … Extend a contract by variation before the contract end date for a short period of time where: a. the procurement process for a replacement contract is still ongoing and continuity of the supply of goods or services is essential or b. the scope and value of the contract remains largely the same. This can allow for finalisation of the contract when experiencing minor delays.[98]
4.49 In December 2018 ADHA received external legal advice recommending the existing contract be varied rather than a new contract be negotiated because it would be likely to: consume less time and resources; reduce the possibility of the contractor raising new issues; and minimise the possibility of inconsistency or overlap.
4.50 In relation to the 2022 procurement, on 27 April 2022 ADHA sought advice from the Department of Finance about the potential further extension of the NIO contract under limited tender. On 4 May 2022 the Department of Finance responded that:
Contracts should not be extended by variation due to a failure to appropriately plan procurement needs, to continue supplier relations, or with the intention of discriminating against a supplier, avoiding competition, or to avoid obligations under the [CPRs]. Section 2.12 of the [CM Guide] provides guidance on managing contract variations. The purpose of the conditions under 10.2 of the CPRs is to allow a relevant entity to conduct a new procurement at or above the relevant procurement threshold through limited tender. They are not for the purpose of varying existing contracts …
4.51 On the same day a central procurement area officer advised their director that: ‘The key piece of advice here is that an existing contract established via open tender cannot be extended through variation using a limited tender condition.’ This advice was sought and received after the board decision on 24 March 2022 but before the CEO was asked to sign the contract variation on 3 June 2022. The briefing to the CEO does not mention the Department of Finance advice, and the board was not advised of it.
Management of probity
4.52 The CPRs state that procurements should be ethical.[99] Ethical procurement includes dealing with conflicts of interest; complying with all directions in relation to gifts and hospitality; and handling complaints effectively.[100]
Probity plans, advisors and briefings
4.53 The Department of Finance guidance on ethics and probity in procurement states that:
A ‘probity adviser’ would typically advise on probity issues as they arise during a tender process, possibly in accordance with a probity plan that provides guidance on how probity is to be addressed during the procurement.[101]
4.54 ADHA did not have a probity plan specifically for the 2019 and 2022 NIO procurements. However, it had a probity framework for the NIM Program from September 2019 (NIM probity framework). The NIM probity framework covered procurements for the API Gateway and Cloud storage/hosting services and the 2022 NIO procurement. It did not cover the 2019 NIO procurement (which was concluded by 21 August 2019).
4.55 In addition to the NIM probity framework, Accenture developed an NIO probity plan (Accenture probity plan) in consultation with ADHA in 2018. The Accenture probity plan outlined how Accenture would manage any potential conflicts of interest arising from Accenture’s role as the NIO during NIM Program procurement processes. This included a separation between Accenture’s NIO contract project team and NIM project team and a probity ‘screening process’[102] conducted by Accenture. In August 2020 ADHA required Accenture to implement the probity controls in the Accenture probity plan. ADHA extended the Accenture probity plan in 2021.
4.56 In relation to the 2019 NIO procurement, an external probity adviser was appointed for the period 18 May 2018 to 30 June 2020.[103] The probity adviser provided advice on NIO matters, including the Accenture probity plan and probity arrangements. There is no evidence that the probity adviser provided advice specifically about the 2019 sole source limited tender NIO procurement. The same external probity adviser was appointed for the period of the 2022 procurement and provided probity advice relating to the NIM Program. The NIM probity framework states that a probity adviser was responsible for monitoring the probity framework’s implementation as well as providing guidance and advice on the NIM Program.
4.57 The NIM probity framework states ‘The Probity Adviser shall provide a briefing to all personnel involved in the [NIM] Program on their responsibilities in relation to their obligations under the Framework and other requirements when necessary.’ The procurement manager is responsible for maintaining a register of those who have attended a probity briefing. The NIM conflict register (see paragraph 4.61) notes the date staff were invited to attend a probity briefing and the date of attendance. Of the ADHA staff listed on the NIM conflict register, 74 (out of 319) had not attended a probity briefing as at October 2023.
Conflicts of interest
4.58 The NIM probity framework includes a flowchart of the required forms; a conflict of interest declaration template; and a checklist to assist staff to identify whether they have potential conflicted interests. The NIM probity framework requires all individuals involved in the procurement processes to declare existing or potential interests to the procurement manager. The flowchart attached to the framework states that a ‘conflict of interest form’ must be completed by staff. The conflict of interest declaration attached to the framework requires a positive declaration about whether or not a conflict of interest exists. The NIM probity framework does not refer to the ADHA June 2019 conflict of interest policy (which applied to both NIO procurements), which requires a conflict of interest deed poll to be completed and signed by all procurement delegates, tender evaluation team members and advisors (see paragraph 2.13).
4.59 In relation to the 2019 NIO procurement, the procurement plan stated that there was:
no conflict of interest between staff members of the Strategic Service Design and Delivery Branch or the Delegate and Accenture Australia Holdings Pty Ltd with regard to any part of this Limited Tender procurement process.
There are no records to support this statement. ADHA did not comply with the conflict of interest policy in the 2019 or 2022 NIO procurements; ‘confidentiality, privacy and conflict of interest’ deed polls were not completed by relevant staff members. ADHA did not fully comply with the NIM probity framework requirements in 2022; the conflict of interest declaration was not completed by all staff working on the 2022 limited tender procurement.
Recommendation no.12
4.60 Australian Digital Health Agency:
- ensure program-specific probity frameworks are consistent with other agency policies; and
- establish assurance processes over the declaration of interests in procurements to ensure that positive declarations are made as required under Australian Digital Health Agency’s conflict of interest policy and National Infrastructure Modernisation probity framework.
Australian Digital Health Agency response: Agreed.
4.61 In September 2019 a register was established (NIM conflict register) under the NIM probity framework. The NIM conflict register covered the 2022 NIO procurement (and the 2021 procurements for the API Gateway and cloud storage services). It is unclear which declarations in the NIM conflict register related to the 2022 NIO procurement as the register was used for other activities. Between September 2019 and September 2022, 74 conflicts were recorded in the register, of which 28 related to Accenture. The interests declared were related to personal and professional relationships, and previous employment with Accenture. There were no declarations by four ADHA officials who were involved in the procurement and contract management of MHR — the Chief Financial Officer, the General Counsel, the Chief Operating Officer and a key staff member from the Technology Planning and Delivery branch.
4.62 The external probity adviser reviewed declarations relating to Accenture between March 2020 and August 2022. Nineteen ADHA staff were reminded of their obligations and provided copies of a probity briefing presentation and a guidance document. The external probity advisor recommended management action for nine other ADHA staff[104], however management plans were not developed.
4.63 Board meetings included declarations of interests as an agenda item for all meetings from April 2016 to September 2023. As required by the board charter, board meeting minutes detail the interests. Between 2016 and 2023 two board members declared interests related to the NIM Program. The first declarations were made at a June 2020 meeting and appropriate actions were taken. These same board members raised their interests in subsequent meetings and recused themselves for related agenda items, including discussions on the NIO contract cost.
Gifts and benefits
4.64 ADHA’s public gifts and benefits register for CEO declarations (see paragraph 2.21) has no entries relating to Accenture.[105] The internal gifts and benefits register for other agency personnel also has no entries relating to Accenture.
Procurement complaints handling
4.65 On 24 March 2022 the ADHA board was advised that the proposed contract ‘extension’ by limited tender may result in public criticism and noted that legal advice would be sought on issuing a Public Interest Certificate.[106] ADHA officials determined that a Public Interest Certificate was unnecessary, legal advice was not sought, and the matter was not brought back to the board. The ANAO found no evidence of complaints relating to the 2019 and 2022 NIO procurements.
Procurement reporting
4.66 ADHA must report all contracts and amendments on AusTender within 42 days of entering into or amending a contract for any non-construction services contracts valued at or above $80,000.[107] Entities are responsible for the completeness, accuracy and timeliness of notices published on AusTender.
4.67 As noted at paragraph 1.9, between January 2018 and December 2023, ADHA executed eight contract variations with Accenture above the reporting threshold of $10,000. Seven of these were required to be reported on AusTender within 42 days.[108] ADHA was non-compliant with AusTender reporting requirements, with some contract variations not separately reported, reporting occurring outside of the 42-day period and incorrect reporting of limited tender procurement conditions except in relation to the June 2019 variation (Table 4.4).
| Execution date | Type | Increase in contract value | Timeliness and accuracy of reporting | Rating |
| --- | --- | --- | --- | --- |
| 12 June 2019 [a] | Variation | $25 million | | ◆ |
| 30 August 2019 | Variation after procurement that allowed exercise of further extension option to June 2021 [b] | $43 million | | ▲ |
| 28 September 2020 | Variation | $4 million | | ■ |
| 1 December 2020 | Variation | $4.4 million | | ■ |
| 18 December 2020 [d] | Variation | $6.6 million | | ▲ |
| 26 February 2021 | Exercise extension option to June 2022 [b] | $40 million | | ■ |
| 8 April 2021 [f] | Variation | $2.4 million | | ▲ |
| 2 July 2021 [g] | Variation | $11.5 million | | ▲ |
| 26 June 2022 [h] | Variation after procurement — lengthened term from July 2022 to June 2025 | $105 million | | ▲ |
Key: ◆ Fully compliant ▲ Partly compliant ■ Non-compliant
Note a: AusTender contract notice CN3612552.
Note b: The AusTender reporting obligation arose when the extension options were exercised rather than when the variation allowing for the extension options was executed.
Note c: Combined with variation executed on 18 December 2020.
Note d: AusTender contract notice CN3612552-A2.
Note e: Combined with variation executed on 8 April 2021.
Note f: AusTender contract notice CN3612552-A3.
Note g: AusTender contract notice CN3612552-A4.
Note h: AusTender contract notices CN3612552-A5 and CN3902911.
Source: CPRs and ANAO analysis of AusTender reporting and executed NIO contracts.
4.68 For each contract awarded through limited tender, an official must prepare and appropriately file a written report that includes the value, a statement indicating the circumstance and conditions that justifies the use of limited tender, and a record demonstrating how the procurement represented value for money in the circumstances.[109] ADHA did not prepare these written reports for the 2019 and 2022 NIO procurements.
Recommendation no.13
4.69 The Australian Digital Health Agency establish controls to ensure that:
- all contracts and contract variations are reported accurately on AusTender within the required timeframes; and
- in accordance with the Commonwealth Procurement Rules, for each contract awarded through limited tender, a written report is prepared that includes the value, a statement indicating the circumstance and conditions that justified the use of limited tender, and a demonstration of how the procurement represented value for money in the circumstances.
Australian Digital Health Agency response: Agreed.
Appendices
Appendix 1 Entity responses
Appendix 2 Improvements observed by the ANAO
1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.
2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.
3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:
- strengthening governance arrangements;
- introducing or revising policies, strategies, guidelines or administrative processes; and
- initiating reviews or investigations.
4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.
| Actions observed during the course of the audit | Report paragraphs |
| --- | --- |
| The Australian Digital Health Agency (ADHA) removed its procurement manual from its intranet procurement guidance following an update to its procurement policy in December 2023. | Paragraph 2.5 |
| ADHA updated its procurement policy in December 2023. | Paragraph 2.5 |
| ADHA completed a review of its ‘Policy and Framework’ register in December 2023. | Paragraph 2.6 |
| ADHA received an internal audit on 27 September 2023 on its contract management practices. | Paragraph 2.7 |
| Contract management training was delivered to staff in June 2023. Other training sessions covering BuyRight, financial literacy and procurement were also provided in 2023. | Paragraph 2.10 |
| ADHA updated its gifts and benefits policy in March 2024, clarifying timeframes and thresholds for declarations. | Paragraph 2.19 |
| ADHA published up-to-date and complete Chief Executive Officer gifts and benefits declarations on its website. | Footnote to paragraph 2.21 |
| Two new board members were appointed in January and February 2024. | Paragraph 2.25 |
| In November 2023, the Audit and Risk Committee considered a report on the ‘Strategic Control Review Program’. | Paragraph 2.29 |
| ADHA’s risk management toolkit was revised and approved on 25 September 2023. | Paragraph 3.3 |
| ADHA’s review of deliverables associated with the release of MHR system enhancements and annual deliverables has improved since 2022. | Paragraphs 3.41 and 3.43 |
| In March 2024 ADHA corrected its AusTender reporting regarding the limited tender condition used for the procurement process for the National Infrastructure Operator contract in 2022. | Table 4.4 |
Appendix 3 National Infrastructure Operator contract provisions to manage risks
| Risk sources [a] | Examples of risk | Selection of contract provisions |
| --- | --- | --- |
| Roles and responsibilities | Unclear and/or misunderstood roles and responsibilities for aspects of contract management | |
| Supplier performance | Failure to provide contract deliverables on time, to the agreed quality standards; failure to comply with all contract provisions, for example, privacy, security, recordkeeping; fraud and/or unethical conduct by the supplier | |
| Changes in circumstances or requirements | Contract changes not formalised as contract variations; supplier not prepared to agree to contract variations to accommodate changes in entity requirements; changes in circumstances not managed in a timely manner | |
| Payments | Failure to pay supplier invoices in a timely manner; failure of the supplier to provide correctly rendered invoices; submission by the supplier of an invoice for unforeseen or unapproved additional cost | |
| Information and cybersecurity risks | Failure to have appropriate security controls and measures in place to protect Commonwealth data such as the failure of the supplier to meet the requirements of the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM); failure to prevent, mitigate and manage cyber security incidents, such as attempts by malicious cyber actors to breach ICT systems of service providers | |
Note a: Risk sources and examples are drawn from Department of Finance, Contract Management Guide, Finance, 2023, pp. 14–15.
Source: ANAO analysis of National Infrastructure Operator contract executed 26 June 2022.
Footnotes
1 My Health Records Act 2012, section 4.
2 ibid., section 3.
3 Australian Digital Health Agency, My Health Record: Statistics and Insights [Internet], ADHA, 2024, available from https://www.digitalhealth.gov.au/sites/default/files/documents/my-health-record-statistics-march-2024.pdf [accessed 25 May 2024].
4 Productivity Commission, Leveraging digital technology in healthcare, Productivity Commission, May 2024, p. 2, available from https://www.pc.gov.au/research/completed/digital-healthcare/digital-healthcare.pdf [accessed 24 May 2024].
5 See for example Joint Committee of Public Accounts and Audit, Parliament of Australia, Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement, August 2023.
6 Telehealth refers to real time clinical consultations conducted via videoconferencing or phone.
7 An electronic prescription is a digital version of a paper prescription.
8 Australian Digital Health Agency, National Digital Health Strategy 2023–2028, available from https://www.digitalhealth.gov.au/sites/default/files/documents/national-digital-health-strategy-2023-2028.pdf [accessed 19 March 2024].
9 Services Australia is delivering the Health Delivery Modernisation Program. The program, which is part of the ‘Strengthening Medicare’ Budget measure, aims to deliver new digital health services (including for Medicare and the Pharmaceutical Benefits Scheme) and modernise the health payment system. Services Australia, Budget 2024-25: Strengthening Medicare [Internet], SA, 2024, available from https://www.servicesaustralia.gov.au/sites/default/files/2024-05/budget-2024-25-health-and-disability-7.pdf [accessed 25 May 2024].
10 MHR was originally called the Personally Controlled Electronic Health Record system and was initially administered by the National Electronic Health Transition Authority (NEHTA). NEHTA was established in July 2005 as a joint enterprise between the Australian Government and state and territory governments to identify, and develop the necessary foundations for, electronic health (eHealth). In July 2016 the assets and liabilities of NEHTA were transferred to ADHA. The transition of NEHTA’s functions to ADHA followed a review commissioned by the Australian Government Department of Health in 2014. ADHA is prescribed under the My Health Records Regulation 2012 to be the MHR system operator.
11 Medicare is Australia’s national health insurance scheme. Under the scheme, patients may claim a rebate (referred to as a benefit) for specified health or medical services.
12 For example, pathology reports, specialist letters, e-referrals, diagnostic imaging, immunisation records, discharge summaries, prescription records and adverse reactions to medicines.
13 The five recommendations related to privacy risk assessments; the emergency access function; an assurance framework for third party software; a strategy to monitor compliance by healthcare providers and other service providers with legislated security requirements; and an MHR program evaluation plan.
14 Australian Digital Health Agency, My Health Record: Statistics and Insights March 2024, Australian Digital Health Agency 2024, pp. 2–3.
15 The CPRs generally apply to non-corporate Commonwealth entities. However, ADHA is one of 25 corporate Commonwealth entities prescribed under the Public Governance, Performance and Accountability Rule 2014, section 30, as required to comply with the CPRs.
16 On executing the contract to provide for the extension options, the additional contract value was specified as $85 million. On taking up these options, the additional contract value was revised to $82 million.
17 Although considered part of the MHR national infrastructure, call centre services were delivered by a separate provider to the NIO prior to 2021.
18 Australian Digital Health Agency, My Health Record: Statistics and Insights [Internet], ADHA, 2024, available from https://www.digitalhealth.gov.au/sites/default/files/documents/my-health-record-statistics-march-2024.pdf [accessed 25 May 2024].
19 Productivity Commission, Leveraging digital technology in healthcare, Productivity Commission, May 2024, p. 2, available from https://www.pc.gov.au/research/completed/digital-healthcare/digital-healthcare.pdf [accessed 24 May 2024].
20 See for example Joint Committee of Public Accounts and Audit, Parliament of Australia, Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement, August 2023.
21 Department of Finance, Australian Government Contract Management Guide, Department of Finance, Australia, 2023, p. 2.
22 Department of Finance, Accountable Authority Instructions (AAIs) – Resource Management Guide 206, Finance, 2023.
23 ‘BuyRight’ is a tool developed by the Department of Finance to assist public servants through procurement processes to ensure they understand their obligations. An overview is available from: https://www.finance.gov.au/government/procurement/buyright [accessed 1 February 2024].
24 The procurement manual remained in force until the procurement policy was revised in December 2023. The procurement manual that was listed on the BuyRight intranet page in 2021 is no longer referenced in the procurement policy that was revised in December 2023 and as at February 2024 was removed from the BuyRight intranet page.
25 The My Health Record National Infrastructure Operator contract was not examined.
26 Public Service Act 1999, section 13.
27 ibid., section 13; PGPA Act, section 29; PGPA Rule, sections 12-16D.
28 APSC, APS Values and Code of Conduct in Practice, September 2021, pp. 42–43.
29 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, subparagraph 4.5(e)(i).
30 Department of Finance, Ethics and Probity in Procurement, [Internet], Finance, available from https://www.finance.gov.au/government/procurement/buying-australian-government/ethics-probity-procurement [accessed December 2023].
31 A ‘nil’ declaration is required from contractors involved in the tender evaluation.
32 The conflict of interest policy was updated once, in March 2023, and is due for review in July 2025.
33 Australian Digital Health Agency, Australian Digital Health Agency Board Charter, 2022, p. 18, available from https://www.digitalhealth.gov.au/sites/default/files/documents/australian-digital-health-agency-board-charter_board-approved-27-january-2022.pdf [accessed 30 January 2024].
34 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 6.6(b).
35 Department of Finance, Ethics and Probity in Procurement [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/ethics-and-probity-procurement [accessed December 2023].
36 The gifts and benefits policy was updated several times, including to align to new reporting requirements. It was updated in March 2023, and at that point was due for next review in March 2027. It was updated in March 2024, with the date of next review shown as February 2025. This audit has not examined the March 2024 version in detail.
37 Australian Public Service Commission, Guidance for Agency Heads – Gifts and Benefits, APSC, 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/guidance-agency-heads-gifts-and-benefits [accessed 30 January 2024].
38 ADHA subsequently published data on its website for the quarters commencing 1 January 2020 and 1 October 2023.
39 AusTender contract notice CN3903803-A1.
40 Other internal audits in the period were: electronic prescribing; project funding processes; leave practices; fraud and corruption practices; program implementation review; and third-party cyber security.
41 Joint Committee of Public Accounts and Audit, Parliament of Australia, Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement, August 2023, p. 38, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportjnt/RB000011/toc_pdf/Report498’Commitmentissues’-AninquiryintoCommonwealthprocurement.pdf [accessed 10 April 2024].
42 ADHA’s annual reports incorrectly stated that the ARC met nine times in 2021–22 and 11 times in 2022–23.
43 The report provides an assessment of the ADHA’s system of internal control.
44 The model assessed Accenture performance in October–December 2023 to be ‘80 per cent’ on average across 15 performance measures, ranging from 60 per cent for ‘innovation’ and ‘cost optimisation’, to 100 per cent for ‘on time delivery’.
45 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 2.10.
46 Department of Finance, Contract Management Guide, Finance, 2023, pp. 1–2. Finance first published the Contract Management Guide on 18 April 2019.
47 ibid., p. 2.
48 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 8.2.
49 The Senior Executive Committee comprises the CEO, Chief Digital Officer, Chief Program Officer, Chief Technology Officer, Chief Operating Officer and Chief Clinical Officer.
50 Department of Finance, Contract Management Guide, Finance, 2023, pp. 15–16.
51 Auditor-General Report No. 13 2019–20 Implementation of the My Health Record System, paragraph 18.
52 Recommendation no. 2: ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function and notifying the Information Commissioner of potential and actual contraventions. Recommendation no. 3: ADHA develop an assurance framework for third party software connecting to the My Health Record system — including clinical software and mobile applications — in accordance with the Information Security Manual.
53 Department of Home Affairs, Protective Security Policy Framework: Structure of the Protective Security Policy Framework.
54 Council of Australian Governments, Intergovernmental Agreement on National Digital Health, 21 November 2018, p. 7. The purpose of the Agreement is to assist all Australian governments to develop and deliver a world-class national digital health capability that will lead to significant improvements in the quality and delivery of healthcare, the efficiency of the health system, and the health and wellbeing of the population (p. 2). The Agreement is the mechanism by which ADHA receives funding from the state and territory governments. The 2023–2027 Intergovernmental Agreement (available from https://federation.gov.au/sites/default/files/about/agreements/intergovernmental-agreement-national-digital-health.pdf [accessed 8 February 2024]) no longer includes this requirement.
55 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 8.3.
56 Department of Home Affairs, Protective Security Policy Framework: 6 Security governance for contracted goods and services providers, Home Affairs, v.2018.1, p. 2, available at https://www.protectivesecurity.gov.au/publications-library/policy-6-security-governance-contracted-goods-and-service-providers [viewed 25 May 2024].
57 The 2012 NIO contract states at paragraph 28.1 that ‘From time to time during the Term, but not within 12 months of the Commencement Date, [the Department of Health and Ageing] may undertake benchmarking to measure the standards of delivery and cost of the Services in part or in the aggregate to determine if the performance of the Contractor matches and the Charges are competitive with, then current market prices and standards of delivery for Similar Items’.
58 Department of Finance, Contract Management Guide, Finance, 2023, p. 40.
59 ibid., p. 40.
60 Board meetings 11 April 2019 ($25 million), 20 June 2019 ($88 million), 18 March 2021 ($9.2 million) and 22 April 2021 ($24.5 million). Documentation provided to the CEO did not include reference to a board approval on 13 November 2020 for $3 million nor an out of session approval on 1 April 2021 of $2.6 million in executing later contract variations.
61 Including one occasion that followed a procurement process, and which is discussed separately in Chapter 4.
62 Digital Transformation Agency (DTA), Digital Sourcing Contract Limits and Reviews Policy [Internet], DTA, Australia 2020, available from https://architecture.digital.gov.au/digital-sourcing-contract-limits-and-reviews-policy [viewed 12 February 2024].
63 Department of Finance, Australian Government Contract Guide, Finance, 2023, p. 17.
64 Department of Finance, Contract Management Guide, Finance, 2023, p. 29.
65 Provides a summary of performance against contractual service levels and indicators for the reporting period including: system availability; responsiveness; monitoring, usability and clinical safety; incident management, service request management; failover services, software, currency, configuration and capacity management; and problem management and security reporting.
66 Provides a summary of how and to what degree users are interacting with the MHR system including: registration trends and demographics; usage; and provider registrations.
67 Provides a summary of security activities and issues including a ‘security posture’ dashboard, changes to risk register and progress on completing security improvements.
68 The relevance of one deliverable was being reviewed.
69 Under a ‘RACI’ framework one business area, usually the contract management area, is ‘responsible’ for reviewing the report, including providing feedback if required prior to approving the report. Specified business areas may be ‘accountable’ for reviewing and providing feedback or are required to be ‘informed’ about the report.
70 There are up to 50 contracted service levels across 15 categories including platform availability, transaction responsiveness, incident response times, reporting accuracy and reporting timeliness.
71 Under Schedule 11 of the contract, ADHA and the contractor may each initiate an exercise to examine relative performance. This is to be undertaken by an appropriately skilled and experienced independent third party and the ADHA and contractor would equally share the fees for this exercise.
72 While the formal dispute resolution provisions under the contract were not invoked on other occasions, other issues of disagreement between the parties since 2018 have included charging for certain reports, application of service credits and the application of the cost-of-living index.
73 Australian Government Solicitor, Legal briefing - Managing government contracts through financial distress [Internet], AGS, November 2018, available from https://www.ags.gov.au/publications/legal-briefing/lb-20181119 [accessed 5 February 2024].
74 Advance payments commenced from March 2016 following a contract variation executed by the Department of Health in February 2016.
75 In 2016, ADHA also considered the advance payment as being in recognition of additional costs and risks for Accenture in managing a sub-contractor’s IT infrastructure changes at that time. At this time Accenture’s subcontractor for infrastructure hosting (Telstra) was retiring its Oracle cloud platform and the MHR needed to migrate off the platform by 1 July 2016. The 2016 IT infrastructure changes were a one-off issue.
76 Australian Government procurement is conducted by open tender or limited tender. Open tender ‘involves publishing an open approach to market and inviting submissions. This includes multi-stage procurements, provided the first stage is an open approach to market.’ A limited tender involves ‘a relevant entity approaching one or more potential suppliers to make submissions, when the process does not meet the rules for open tender.’ (CPRs, paragraphs 9.8 and 9.9).
77 The procurement plan was signed by the Director of the procurement area on 9 August 2019 and given ‘process’ approval by the Chief Financial Officer. There is an undated signature by the Chief Executive Officer.
78 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 4.4.
79 ibid., paragraph 8.2.
80 The CEO attended the December 2018 and June 2019 board meetings.
81 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 9.10.
82 ibid., paragraph 3.7.
83 The ministerial submission referred to plans to conduct an ‘open design process with the technology industry and broader community throughout the course of 2019, to ensure the design of the [MHR] takes full advantage of advances in technology and is informed by the use of the system by consumers and healthcare providers’.
84 There are no records of Department of Finance advice referred to in the 6 December 2018 board paper.
85 There was no explanation in the 6 December 2018 board paper of what the condition under paragraph 10.3b covered. Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 10.3b sets out the following condition in which a limited tender is permitted: ‘when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender’. Although it did not set out the detail of the proposed condition, the paper stated that the use of this condition to justify a limited tender ‘may be perceived in a negative light by others that the procurement does not encourage competition.’
86 The board paper mentioned an opportunity to improve ‘handover obligations’.
87 There are no records of Department of Finance advice referred to in the 20 June 2019 board paper.
88 The board had been informed on 6 December 2018 that: ‘It is highly likely that the future MHR system design will be very different to the model today … ADHA plans to undertake an open design process with the sector through the course of 2019 … With this proposed updated timeline, ADHA intends to extend the current contract with Accenture.’
89 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 9.11.
90 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 9.7. Division 2 relates to procurements that are at or above the relevant procurement threshold and is concerned with tender request documentation, tender evaluation criteria, time limits for tender submission, receipt and opening of tender submissions, and awarding contracts.
91 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 7.3.
92 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 6.6.
93 ibid., paragraph 4.4.
94 AusTender contract notice CN3526434, RPV Consultants.
95 The Skills Framework for the Information Age (SFIA) is a global standard that defines digital and other ICT related skills and divides them into seven levels of responsibility. SFIA can provide a ‘rate card licence’ based on these levels for a fee. Australian Government, Skills framework for the information age [Internet], available from https://www.digitalprofession.gov.au/guides-and-resources/skills-framework-information-age [accessed 11 February 2024].
96 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 4.5.
97 The August 2019 procurement plan said a limited tender would achieve the best value for money outcome for the following reasons: leveraging existing terms and conditions that are already agreed between the parties; avoiding unnecessary use of public resources; providing sufficient time to address the current ‘opt-out’ initiative and avoiding wastage due to rework or competing priorities; and providing ongoing assurance of the MHR services for continued delivery of MHR.
98 Department of Finance, Contract Management Guide, Finance, 2023, paragraph 2.13 (as applicable since April 2019), p. 41.
99 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraphs 6.5 and 7.12.
100 ibid., paragraphs 6.6 and 6.8.
101 Department of Finance, Ethics and probity in procurement [Internet], Finance, 2021, available from https://www.finance.gov.au/government/procurement/buying-australian-government/ethics-and-probity-procurement [accessed 8 February 2024].
102 The screening process involved Accenture project managers vetting personnel commencing work on the NIO contract or a NIO procurement process to assess whether it creates an actual or potential conflict of interest.
103 AusTender contract notice CN3529738, O’Connor Marsden and Associates, maximum contract value of $155,857 (GST inclusive).
104 Recommended management actions were: review declarations based on involvement in upcoming procurements; refrain from personal meetings or interactions with certain contacts should an individual be involved in a procurement; report contact from vendors; report any changes to an individual’s role; monitor associations; and not work on the NIM Program.
105 DXC and Deloitte were contracted to provide the cloud storage and API Gateway aspects of the MHR National Infrastructure, respectively, in 2021.
106 A Public Interest Certificate is issued under section 22 of the Government Procurement (Judicial Review) Act 2018 (Cth) by an Australian Government entity in relation to a specific procurement process, stating it is not in the public interest for the procurement to be suspended while any complaints or injunctions are being considered.
107 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraphs 3.7 and 7.18.
108 One of the variations (2019 variation after a procurement) was not required to be reported because at the time of execution it only added extension options rather than value. Those extension options were required to be reported within 42 days of being exercised.
109 Department of Finance, Commonwealth Procurement Rules, Finance, 2023, paragraph 10.5.