Introduction

1.1 Since its emergence in late 2019, coronavirus disease 2019 (COVID-19) has become a global pandemic that is impacting on human health and national economies On 21 January 2020 the Australian Government listed COVID-19 as a disease of pandemic potential under the Biosecurity Act 2015.²The World Health Organisation declared COVID-19 to be a ‘public health emergency of international concern’ on 30 January 2020.

1.2 From February 2020, the Australian Government commenced the introduction of a range of policies and measures in response to the emergence of COVID-19. On 18 March 2020, in response to the pandemic in Australia, the Governor-General of the Commonwealth of Australia declared that a human biosecurity emergency exists.³

1.3 The Australian Government’s health and economic response has included:

• travel restrictions and international border control and quarantine arrangements;
• delivery of substantial economic stimulus, including financial support for affected individuals, businesses and communities; and
• support for essential services and procurement of critical medical supplies.

1.4 With the release of 2020–21 Budget on 6 October 2020, the Australian Government reported it had committed $507 billion in overall support since the onset of the pandemic, including $272 billion over five years (2019–20 to 2023–24) in direct economic and health support.

1.5 The government’s Stimulus package 1, announced on 12 March 2020, provided $17.6 billion to ‘keep Australians in jobs, keep businesses in business and support households and the Australian economy’.⁴ This package included:

• $700 million to temporarily increase the instant asset write off threshold and expand access;
• $3.2 billion for a time limited 15 month investment incentive;
• $6.7 billion to provide temporary cash flow support to small businesses;
• $1.3 billion to support small businesses to support the jobs of around 120,000 apprentices and trainees;
• $4.8 billion to provide a one-off $750 stimulus payment to pensioners, social security, veteran and other income support recipients and eligible concession card holders; and
• $1 billion to support those sectors, regions and communities that have been disproportionately affected.

1.6 Stimulus package 2, announced on 22 March 2020⁵, provided $66.1 billion, including, over the forward estimates, an estimated:

• $14.1 billion for a new time-limited coronavirus supplement to temporarily increase income support payments for eligible recipients (and related initiatives);
• $4 billion for a further $750 payment to pensioners, social security, veteran and other income support recipients and eligible concession card holders;
• $1.2 billion for early release of superannuation;
• $876 million to reduce social security deeming rates⁶ (initially announced 12 March with further reduction announced 22 March);
• $31.9 billion (including the value of the related measure announced on 12 March) to temporarily boost cash flow for small and medium sized businesses;
• up to $20 billion for the Coronavirus SME⁷ Guarantee Scheme; and
• $715 million in support for Australian airlines and airports as announced on 18 March 2020.⁸

1.7 Stimulus package 3, announced on 30 March 2020⁹, provided $130 billion for a new JobKeeper payment with eligible workers to receive a flat payment of $1500 per fortnight through their employer, before tax. As part of this package the government also announced its decision to temporarily relax the partner income test for the JobSeeker payment (effective 27 April 2020).

Services Australia COVID-19 stimulus measures

1.8 The government’s economic stimulus packages set out financial assistance to be provided to Australians that included temporarily increased income support payments and payments to support households, to be delivered by Services Australia (or the agency)¹⁰:

• Temporary coronavirus supplement — a fortnightly payment of $550 made to eligible income support payment recipients and concession card holders. This payment was announced as part of the government’s stimulus package 2, was to last for an initial period of six months and was not subject to income testing.
• Economic support payment — two payments of $750 made to eligible existing income support payment recipients and concession card holders. The first payment (announced in stimulus package 1) was made from 31 March 2020. The second payment (announced in stimulus package 2) was made from 13 July 2020.
• A reduction to the upper and lower social security deeming rates (announced as part of stimulus package 1 and revised for stimulus package 2), required Services Australia to make system level changes to apply the revised rates for income test purposes and to assess eligibility for the Commonwealth Seniors Health Card. The Social Security (Deeming Threshold Rates) Determination 2020 came into effect on 1 May 2020.

1.9 Services Australia delivers payments on behalf of 34 Australian Government entities. In addition to social security and welfare assistance under the Centrelink master program, Services Australia delivers payments and services related to the Medicare and Child Support programs as well as payments and services with other departments such as the Department of Health. A range of additional policy decisions and legislative changes required Services Australia to make adjustments to it operational processes. Key decisions and changes are set out in Table 1.1.

1.10 On 21 July 2020 the government announced changes to the social security income support measures introduced in response to COVID-19. These changes are listed in Appendix 2 of this report.

Table 1.1: Selected decisions and changes impacting Services Australia operational processes

Note a: Pandemic Leave Disaster Payments were made available to residents of Victoria from 5 July 2020 to 4 February 2021. Subsequent government decisions made these payments available to residents of Tasmania (from 22 August 2020 to 22 February 2021), Western Australia (from 11 September 2020 to March 10 2021) and New South Wales (from 17 September to 16 March 2021).

Source: ANAO review of government decisions and Services Australia documentation

1.11 The economic impact of COVID-19, combined with the measures to expand eligibility to social security, saw the weekly number of JobSeeker payment recipients rise from 807,291 on 13 March 2020 to 1,649,794 by 15 May 2020.

Figure 1.1: Weekly total combined JobSeeker payment recipients 13 March 2020^a to 2 October 2020^b

Note a: Data series is taken from 3 April 2020. The number of JobSeeker payment recipients on 13 March 2020 is included for reference (as this date is subsequent to the government’s announcement of Stimulus package 1 on 12 March 2020).

Note b: Standard Population reporting includes the following recipients: Recipients of Newstart Allowance/JobSeeker Payment and Youth allowance (Other) who are determined to be current (that is entitled to be paid) on the Centrelink payment system. JobSeeker Payment replaced Newstart Allowance from 20 March 2020. Existing Newstart Allowance recipients at this date were transitioned to JobSeeker Payment.

Source: Services Australia administrative data.

1.12 To deliver the new measures, Services Australia had to scale up its workforce to meet increased applicant demand and apply social distancing requirements at customer-facing and internal agency work sites in accordance with recommended health requirements.

1.13 Services Australia is required to manage its business-as-usual commitments which involved processing: 5 million social security and welfare claims; 433 million Medicare services claims; and $203.7 billion in payments, in 2019–20.

Services Australia funding to support its response

1.14 Services Australia was appropriated an additional $521 million departmental funds in the Appropriation (Coronavirus Economic Response Package) Act (No. 1) 2019-2020 and Appropriation Act (No.5) 2019–20 against its single outcome:

Outcome 1: Support individuals, families and communities to achieve greater self‐sufficiency; through the delivery of policy advice and high quality accessible social, health and child support services and other payments; and support providers and businesses through convenient and efficient service delivery.

Table 1.2: Services Australia 2019–20 COVID-19 funding and drawdown

Source: Federal Register of Legislation (https://www.legislation.gov.au/), Drawdown and unspent based on Services Australia documentation.

1.15 The explanatory memorandum to the Coronavirus Economic Response Package bill outlined that the additional Services Australia departmental funding was to facilitate stimulus and other payments, and to meet the cost of processing additional Medicare benefits as part of COVID-19 pathology testing. The explanatory memorandum to the Appropriation Bill (No. 5) outlined that the additional Services Australia departmental funding was to increase the capacity of Services Australia to meet the additional workload caused by COVID-19.

Key Commonwealth requirements on risk management

1.16 Under the Public Governance Performance and Accountability Act 2013 (PGPA Act), the accountable authority must establish and maintain appropriate systems of risk oversight, management and internal control for the entity. The Commonwealth Risk Management Policy sets out the government’s expectations for Commonwealth entities in undertaking the business of government. Risk is defined as the ‘effect of uncertainty on objectives’ and risk management as the ‘coordinated activities to direct and control an organisation with regard to risk’.

1.17 The goal of the Commonwealth Risk Management Policy is to embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making. Where systematic management of risk is embedded in key business processes, entities can tailor the existing risk management systems and practices to a level that is commensurate with the scale and nature of the risk profile.

Rationale for undertaking the audit

1.18 The COVID-19 pandemic and the pace and scale of the Australian Government’s response impacts on the risk environment faced by the Australian public sector. This audit is one of five performance audits conducted under phase one of the ANAO’s multi-year strategy that will focus on the effective, efficient, economical and ethical delivery of the Australian Government’s response to the COVID-19 pandemic. Two of the phase one audits focus on risk management in two frontline entities — the Australian Taxation Office and Services Australia — and provide assurance that the new and increased risks to sound public administration, and the proper use of public resources posed by the rapid implementation of COVID-19 measures, have been effectively considered and managed. In addition, this audit will assist all Commonwealth entities to consider the effectiveness of their own arrangements in identifying and responding to the challenges and risks associated with the rapid implementation of initiatives.

Audit approach

Audit objective, criteria and scope

1.19 The objective of the audit was to assess whether Services Australia had effectively managed risks related to the rapid preparation for and delivery of COVID-19 economic response measures. To form a conclusion against the audit objective, the ANAO adopted the following high level criteria:

• Was effective preparation for delivery of the COVID-19 response measures undertaken when the global pandemic was declared to be a human biosecurity emergency and economic measures were announced?
• Were risks related to the rapid implementation of the new measures identified, addressed and communicated?
• Have implementation risks been reviewed and monitored?

Audit methodology

1.20 The audit methodology involved:

• reviewing entity documentation;
• examining data and systems testing related to the deployment of workforce resources and changes to business rules; and
• interviews with staff from relevant business areas.

1.21 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $447,000.

1.22 The team members for this audit were Tracy Cussen, Fraser McEachan, Christine Preston, Michael Fitzgerald, Taela Edwards and Peta Martyn.

2.1 To assess whether Services Australia effectively prepared for the delivery of the COVID-19 economic stimulus measures the ANAO examined:

• the business processes and procedures Services Australia had in place prior to 18 March 2020, when the global pandemic was declared to be a human biosecurity emergency, and how those processes and procedures were adapted to the circumstances;
• the governance arrangements Services Australia put in place to oversee its response; and
• the mobilisation of resources to deliver the measures.

Did Services Australia appropriately build on its existing emergency response framework to respond to the pandemic?

2.2 Services Australia’s 2019–20 Corporate Plan references the ability to quickly mobilise in response to emergencies and changing government priorities as one key focus of its workforce in the context of its service delivery responsibilities.¹¹

2.3 Services Australia (or the agency) has developed a range of business processes and guidance material aimed at supporting emergency responses. These processes cover:

• emergency management;
• business continuity management;
• pandemic planning; and
• risk management (covered in chapter three of this report).

Emergency management

2.4 Services Australia has an ongoing role in supporting government emergency responses and also participates in state, territory and local recovery committees.¹² In 2018–19 the agency managed emergency events across multiple states and territories including administering disaster assistance payments for three emergencies across three Australian States. When the pandemic was declared in March 2020, Services Australia was providing payments and services to eligible recipients and communities in response to bushfires in disaster declared areas.

2.5 The agency’s Emergency Management Framework (updated May 2018) provides an overview of the agency’s approach to emergency management, with a focus on prevention, preparedness, response and recovery. A Preparedness Framework (updated March 2018) is intended to support the agency to ‘effectively and efficiently respond to emergency events, while maintaining business continuity’.

2.6 The agency’s Emergency Management Operational Guide is intended to support the agency’s Emergency Management Framework. This guide states:

The core function of the Emergency Management role is to organise the agency’s response to crises, such as terrorist acts and natural disasters, and to manage agency resources to deliver related payments and services on behalf of the Australian Government.

2.7 Collectively these frameworks and guidance identify key areas and capabilities required to efficiently mobilise and deploy resources in response to an emergency (and cover ICT, workforce resourcing, clear communication channels, and service delivery rapid response), and identify key roles and responsibilities.

2.8 The agency maintains a list of internal staff, updated annually, who may volunteer as an ‘Emergency Reserve’ to assist response efforts. These volunteer staff may undertake business-as-usual roles when mobilised in an emergency (including in service centres or smart centres) or be deployed to impacted communities (for example to recovery centres). In 2018–19 there were 4,933 staff registered for the Emergency Reserve, and no staff were deployed in that year. Services Australia advised the ANAO that the Emergency Reserve was not used as the primary method to identify staff to be mobilised or re-deployed during its COVID-19 response: ‘other staff attributes, such as existing skill set (telephony/processing), availability and/or workload balancing across the agency, were the primary factors in determining surge personnel’.

2.9 Governance committees the agency may stand up or participate in during an emergency event are also documented across the agency’s emergency management guidance. The agency’s Emergency Response and Recovery Committee is identified as being responsible for the overall ‘command, control and coordination’ of the agency’s response and recovery at a national level’. The ERRC’s terms of reference were updated in January 2020 with meetings focussed on the pandemic commencing in March 2020 (see also paragraph 2.26).

Business Continuity Management

2.10 Services Australia’s approach and plans to manage business disruptions at an entity-wide level are documented in:

• Business Continuity Plan Framework (most recently received Executive Committee endorsement in April 2020); and
• Business Continuity Plan for Services Australia 2020 (most recently updated in April 2020). While not yet endorsed, Services Australia advised the ANAO this plan is the version currently in use.

2.11 Under this framework all divisions within the agency are required to undertake a Business Impact Analysis to determine and prioritise functions within the division and assess the consequences over time to the agency that would result from the loss or disruption to a function. The framework requires divisions with identified critical functions to have a Business Continuity Plan that informs the approach for recovery. Critical functions are defined by the agency as functions that, if disrupted would have extreme consequence on the agency’s ability to delivery payments and services to the community within 24 hours of the disruption occurring.¹³ Guidance is included on the processes involved in developing a business continuity plan and key components that must be included.

2.12 Services Australia advised the ANAO that Business Impact Analyses exist for all divisions as per the agency’s structure as at 31 March 2020. Business Continuity Plans were developed for the 18 divisions with identified critical functions. Of these plans, all but two were first developed in 2020 and 10 were still in draft form.

Pandemic planning

2.13 In March 2020 Services Australia updated its Pandemic Action Plan, developed and endorsed a pandemic operational plan and drafted a pandemic risk management plan.

2.14 The pandemic action plan:

• identifies the agencies’ specific responsibilities in the event of a pandemic (including supporting community recovery; delivering government payments and services; maintaining surge capacity to facilitate operation of the national call centre¹⁴; and maintaining business-as-usual);
• identifies high level roles within the agency, including strategic actions and relevant stakeholders corresponding to four stages during a pandemic: prevention; preparedness; response; and recovery; and
• references the Emergency Response Plan for Communicable Disease Incidents of National Significance: National Arrangements (National CD Plan) maintained by the Department of Health that aims to establish an agreed national approach to the management of communicable diseases within Australia.¹⁵

2.15 The pandemic operational plan states its purpose includes: maintaining continuity of payments; minimising staff and customer exposure; maintaining critical infrastructure; and developing proportionate response strategies to guide effective decision making as the pandemic escalates.

2.16 The operational plan is set out to provide phased action as the impact of coronavirus changes over time from low to high based on documented assumptions. Assumptions include that a pandemic can start small and increase over time and that any response may need to be maintained for months.

2.17 The draft pandemic risk management plan identified four key risks against three risk categories:

• Customers — Reducing burden;
• Payments & Services Infrastructure — BAU Maintain effective functioning;
• Payments & Services Infrastructure — WOG response Maintain effective functioning; and
• Staff - Maintain work health and safety.

2.18 This plan documents controls and treatments against each of the four risks and identifies specific agency business areas responsible for these controls and treatments.

2.19 This plan states that pandemic planning is needed for the agency to ‘be scalable in [its] ability to respond to service delivery and workforce impacts of levels greater than 20%’. In September 2020 Services Australia advised that:

Greater than 20% in this context relates to the agency’s ability to absorb more than 20% in a loss of our business and still maintain business continuity. If this reaches higher than 20% then the agency would need to consider options about how we do our business and what tolerances we could withstand in relation to our business impacts.

2.20 The plan did not rate risks according to their likelihood and severity, or assess against agency risk tolerances. Services Australia advised the ANAO in September 2020 that the draft pandemic risk management plan was not finalised and that ‘due to the nature of the pandemic … was considered to be more of a risk statement which was more appropriate to the needs of the situation’.

2.21 Collectively Services Australia’s pandemic planning does not fully consider the level of action required from the agency to manage a pandemic on the scale of COVID-19. The plans are focused on responding at an operational level drawing on business continuity and emergency responses. In leveraging off these planning documents surge capacity principally considers minimising impacts on business-as-usual and providing services, for example relief payments, on behalf of other entities. The planning documents do not fully reflect the potential scale of impact on Services Australia’s staff and consequential capacity to deliver. While providing support to whole-of-government responses is identified, the potential for government to require the agency to lead aspects of that response and the scale and pace of that response are not fully envisaged. While Services Australia adapted its actions to meet the demands of the government response, supporting planning documents could be strengthened to account for the evolving nature of pandemics.

2.22 In February 2018 an internal audit was completed which aimed to assess the activities the then Department of Human Services had completed and was continuing to complete to maintain the currency of the Pandemic Action Plan and strengthen its preparedness of the impacts on a pandemic outbreak. The audit found a number of areas where the department’s pandemic risk management planning could be strengthened including by re-examining:

• the assumption in relation to staff absentee rates during a pandemic;
• consideration of critical dependencies or specific areas of higher risk to the department that may require the development of targeted continuity strategies. For example, local geographic areas where a pandemic could have a wider scale impact on the department (such as Canberra) or personnel whose absence would result in a greater impact on the department’s ability to deliver its critical services (such as the department’s ICT or service delivery staff); and
• the impact on the department should the department be required to have a role in a whole-of-government pandemic response, to include service delivery surge capacities to meet demand in combination with reduced staffing levels due to the pandemic.

2.23 The internal audit concluded that:

Although the department has established the Pandemic Action Plan (and sub plans) the department does not have a strategic approach to regularly test and exercise the plans, and there is a risk that the department is not sufficiently well prepared to effectively respond to and recover from a declared pandemic.

2.24 In May 2020, Services Australia engaged an external consultant to validate key action and risk plans underpinning the agency’s response to COVID-19 and develop a suite of documents which included:

• a guide for addressing outstanding internal audit recommendations relating to pandemic planning;
• an executive guide for how to manage risk in a pandemic;
• a draft, Services Australia Pandemic Risk Management Plan;
• a gap analysis of the response set against best practice principles; and
• a proposed normative model for pandemic response.

2.25 The agency’s pandemic action plan identifies the need for a post-implementation review to be completed during the ‘recovery’ stage to ‘evaluate response and identify gaps and/or opportunities for improvement.’ The ANAO suggests that, in undertaking this review, Services Australia include consideration of actions taken in response to the internal audit report and consultancy report findings.

Were governance and oversight arrangements established and/or adjusted?

2.26 At the outset of the COVID-19 pandemic, Services Australia’s Emergency Response Recovery Committee (ERRC) had already been activated in order to respond to the 2019-20 bushfires. ERRC meetings focused on the pandemic commenced from 10 March 2020.

2.27 From early March 2020 Services Australia activated existing committees or established new arrangements to oversee its agency-level response to the pandemic and to implement the government’s economic stimulus measures including:

• ICT Response and Recovery Committee — activated 6 March to ‘manage the technical aspects of planning for the pandemic’. The committee met four times between 6 March and 26 March and discussed availability of ICT stock, results of system pressure testing, and system capacity.
• Health and Aged Care Pandemic Committee — established 17 March to manage service delivery of critical functions across its Health and Aged Care program, oversee the return of services and inform the agency’s pandemic response..
• COVID-19 Taskforce — established 18 March to provide general coordination, identify critical functions and oversee initial work health and safety matters. This taskforce concluded operation on 16 April 2020 and was replaced by a transition team.
• Operational Headquarters (HQ) — established on 25 March and led by the CEO with assistance from an Emergency Recovery Director, its purpose is to serve as the agency’s central contact and coordination point with ‘clear lines of accountability, authority and centralised information gathering and communications’.

2.28 Figure 2.1 depicts some of the key events that transpired between late February and March 2020 and the timing of key actions taken by the agency.

Figure 2.1: Early government announcements and Services Australia actions

Source: Services Australia documentation.

2.29 From late March 2020 adjustments to governance arrangements were made to form the ongoing oversight of Services Australia’s COVID-19 response. These arrangements positioned the agency’s Executive Committee at the centre of its response with senior executive staff from across the APS seconded to the agency to increase capacity and ensure relevant subject matter expertise.

2.30 The governance model (see Figure 2.2) facilitated regular communication between the agency’s executive. Key executive roles include those with responsibility for actions that directly impact on enterprise risks including payments and services, service delivery policy, safe working and service environment, and change implementation (see paragraph 3.3).

2.31 The agency’s executive met with its minister and the Secretary of the Department of Social Services regularly including at daily minister meetings. To support the implementation of the economic stimulus measures, a COVID-19 Stimulus Multi-disciplinary Team and a Command Centre were established.

2.32 Whole-of-government connections were enabled through representation by the agency’s Chief Operating Officer at the Chief Operating Officer’s (COO) Committee which includes Chief Operating Officers from across the APS (see paragraph 2.44).¹⁶

2.33 In mid-April 2020 an operational decision-making policy was developed for documenting Ministerial and Senior Executive decisions made during COVID-19 with the aim of establishing a consolidated repository for all significant COVID-19 related decisions across the agency.

Executive Committee

2.34 The agency’s Executive Committee, chaired by the CEO was responsible for overall strategic direction, priorities, monitoring performance and risks, and ensuring accountability and regulatory requirements were met.

2.35 The Executive Committee met 90 times from 2 March to 30 September 2020. The ANAO reviewed 43 Executive Committee meeting records covering this period. The committee was regularly attended by Executive Committee members¹⁷ as well as observers who included the Chief of Staff for the CEO, the Emergency Recovery Director and a representative from the COVID-19 Taskforce.

2.36 Meetings minutes captured key areas of discussion as well as key actions agreed. Regular agenda items included:

• CEO update;
• workforce mobilisation;
• operational matters;
• emerging issues; and
• payment processing metrics.

Minister meetings

2.37 The ANAO reviewed records of daily minister meetings held between 1 April and 12 June 2020. While attendance was not recorded, meeting minutes reflect input from the Minister, Secretary of the Department of Social Services (or representative), the CEO and other relevant Services Australia Executive officers including the Emergency Recovery Director, a COVID-19 Taskforce representative and the Deputy CEO of Customer Service Delivery.

2.38 Key areas of discussion included:

• updates on the progress of claims processing;
• strategies being considered to improve the delivery of measures;
• timeframes for systems improvements;
• workforce needs;
• targets and key performance indicators; and
• the Minister’s reporting requirements —a daily report containing a range of operational and workforce mobilisation data.

2.39 Further information about risks and issues discussed at the Executive Committee and daily minister meetings is at paragraphs 3.29 and 3.34–3.35.

Stimulus Multi-disciplinary Team and Command Centre

2.40 To implement the stimulus payments a Stimulus Multi-disciplinary Team (MDT) was established to manage the design and delivery of the stimulus packages and a Command Centre was established to manage and authorise the release of system changes required to support the stimulus payments, with representation across Services Australia business groups and divisions.

2.41 Meeting records indicate that the Stimulus MDT met 38 times between 16 March and 18 May. From 15 April, status reports were produced which tracked Services Australia’s progress toward implementing the stimulus measures against a timeline which documented key dates for the implementation of the stimulus packages and process changes supporting their implementation. Reports also included a register which captured issues, risks and key decisions. The forum resumed under the name COVID-19 Closure MDT on 16 June 2020 and as at 28 September, 30 COVID-19 Closure MDT meetings have been held.

2.42 Status reports show that the Command Centre met 21 times between 10 April and 22 May. As at 24 September 2020, a further five meetings had been held. The Command Centre used a dashboard report with traffic light markers to show the progress of implementing key deliverables. A log was maintained of risks, issues, actions and key decisions, and progress was tracked against a timeline.

2.43 Status reports show that a number of officers attending Command Centre meetings also attended Executive Committee meetings and there was also an overlap of officers attending both the Command Centre and Stimulus Multi-disciplinary Team meetings, enabling issues to be communicated across the different groups.

COO Committee

2.44 The Chief Operating Officer’s (COO) Committee was formally established by the APS Secretaries Board on 12 February 2020 with the primary roles of managing whole-of-government operational implementation matters and driving delivery of agreed initiatives under the Government’s APS reform agenda, in line with the direction set by the Secretaries Board.

2.45 Attendance records show that Services Australia was represented on the COO Committee meetings held between February and July 2020. The COO committee discussed a range of COVID-19 related matters including:

• updates from the Chief Medical Officer;
• APS Business continuity in relation to COVID-19;
• national cabinet announcements;
• workforce management;
• managing public facing activities; and
• managing critical functions.

Operational Policy for Documenting Decisions

2.46 In mid-April 2020, Services Australia developed an operational policy for documenting Ministerial and Senior Executive decisions made during COVID-19. The policy identified that every Senior Executive officer in Services Australia was accountable for ensuring that the policy was implemented effective from 16 April 2020 and outlines the requirements for file-noting decisions that had not been properly documented prior to 16 April and going forward. It also requires all Senior Executive officers to document decisions in a formal brief or email.

2.47 The policy identified that all COVID-19 actions requiring a Ministerial decision must be submitted to the Minister’s Office through normal Ministerial and Parliamentary process. Mechanisms are also identified for providing Ministerial visibility of internal decisions which included:

• providing a Ministerial Submission;
• emailing the Minister’s office;
• verbal conversation with Minister or Minister’s Office; and
• daily Minister meeting or Daily Situational Report to the Minister.

2.48 It also outlined acceptable mechanisms for documenting decisions requiring CEO approval during COVID-19 which included:

• CEO Brief – for matters where the CEO was exercising a legal role as Accountable Authority or making a decision consistent with legal obligations;
• CEO Email – for matters of a more operational nature; and
• for matters agreed during Executive Committee meetings – record of meetings and actions maintained by Secretariat.

2.49 A decisions assurance report produced on 8 May 2020 contains a total of 56 decisions made, with the earliest decision recorded in the register recorded as agreed on 23 March 2020.

Were required resources identified and made available?

2.50 Announcements of the government’s economic stimulus measures were made with the knowledge that these would lead to a consequential increase in the demand on Services Australia’s information communication technology (ICT) systems, processing and telephony services. The agency was appropriated additional funds to assist with the increased workload (as noted at paragraph 1.15). The introduction of social distancing guidelines also required Services Australia to make adjustments to its public facing and internal work sites.

2.51 Services Australia’s draft Pandemic Risk Management Plan identifies that a key risk is:

Access to payments and services are compromised due to inability to fulfil normal payment and services requirements [due to] insufficient supply of staff or assets or ICT functionality or absence impacts.

2.52 To mitigate this risk, Services Australia initiated uplifts to its workforce, ICT, and physical (for example equipment and facilities) resourcing capabilities. The ANAO examined how Services Australia identified its resourcing needs and whether resources were made available with a focus on workforce resources.

Workforce resourcing

2.53 Correspondence between Services Australia officials on 18 March 2020 documented a predicted shortfall of 1,779 full-time equivalent staff to deal with expected increase in demand for income support payments by operational service delivery across claims processing, telephony and face-to-face services. This forecast was based on average weekly inflow of JobSeeker payment claims of around 15,400. By 7 April 2020 Services Australia was forecasting a weekly inflow (for week ending 10 April) of 285,000 JobSeeker payment claims and adjusted its resourcing need estimates accordingly. On 14 April 2020, the Australian Public Service Commission briefed the Assistant Minister to the Prime Minister and Cabinet:

Services Australia is forecasting up to 10,000 staff may be needed to ensure Jobseekers get payment promptly. The staff will be involved in telephony and processing associated with claims.

2.54 Services Australia drew on three primary sources to increase its workforce. These sources were: internal redeployment; APS redeployment; and labour hire/service delivery partner¹⁸ hires. Collectively these workforce sources enabled Services Australia to:

• redeploy existing staff into JobSeeker payment claims processing full time.
• extend hours for employment services and triage queues (in place from 23 March 2020);
• undertake 24/7 processing by service delivery partners; and
• move newly trained staff into critical roles.

Internal redeployments

2.55 Services Australia COVID-19 Taskforce meeting records show that a meeting was scheduled on 19 March with all agency Deputy CEOs to finalise high level critical functions and non-critical functions and identify staff that could be re-deployed and work from home. A plan identifying critical roles across Services Australia functions (for example, aged care, pharmaceutical benefits, Medicare and Centrelink payments, e-business, child support and social work services) was prepared. This plan identified the minimum staff required to continue delivering these critical functions.

2.56 Services Australia undertook an agency wide processing skills survey for non-service delivery staff. The skills survey was conducted in March 2020 in the form of a short questionnaire asking staff to identify what programs (for example student payments, JobSeeker payment, etc.) they had experience processing, and when they had last done any processing work. The skills survey identified 3,224 staff from across the agency outside operational service delivery with identified program skills to process claims.

2.57 Services Australia reporting records that 3,414 staff were internally re-deployed between 29 February and 28 April 2020 to meet additional demand.

APS redeployment

2.58 From the onset of the COVID-19 pandemic, the APS workforce had to adapt within a short timeframe to a new operating environment and position itself to handle a surge in demand for government services.¹⁹ The APS Commissioner stood up the Workforce Management Taskforce on 24 March 2020 to coordinate the deployment of APS staff to critical functions. On 26 March 2020 the Prime Minister issued a direction to agency heads, under section 21 of the Public Service Act 1999, requiring information to be provided to the Taskforce on critical functions and staff available for deployment.²⁰

2.59 Within Services Australia this initiative was referred to initially as APS1000 and later as APS2000 to indicate increased resourcing requirements. APS2000 focused on redeploying staff from across the APS to Services Australia to facilitate processing of claims for support payments including JobSeeker.

• The first surge request from Services Australia to the APSC Workforce Management Taskforce came on 21 March 2020 for 100 staff to provide assistance with processing JobSeeker payment claims.
• The request was increased to 5,000 staff on 25 March 2020, and subsequently revised to 1,000 and then 2,000 as Services Australia reassessed its resourcing needs and capacity to source staff through other mechanisms (such as direct labour hire).

2.60 ANAO analysis indicates that, as at 30 September 2020, the Workforce Management Taskforce had identified 4,098 APS staff for potential deployment to Services Australia from other entities to support COVID-19 related functions. Services Australia records indicate that the total number of APS 2000 secondees reached 2,309 by the end of April 2020. This figure includes ‘active’ staff and those awaiting training prior to being deployed.

2.61 As shown in Figure 2.3, the number of active deployments peaked in early May 2020. The average length of deployment to Services Australia was 40 days, with the longest deployment 123 days. The number of staff active at Services Australia decreased as home agencies began to transition staff back to workplaces in early June. Based on available data, APS 6 employees were the largest cohort of deployed APS staff, followed by the Executive Level (EL) 1, APS 4 and APS 5 cohorts (see Figure 2.4).

Figure 2.3: Number of deployed APS staff ‘active’ at Services Australia, 14 April to 30 September 2020^a

Note a: ‘Active’ refers to staff who were on-boarded and actively undertook work or were in training.

Source: ANAO analysis of Services Australia data.

Figure 2.4: APS staff deployed to Services Australia, by classification level, as at 30 September 2020^a

Note a: Based on available classification data for 1,443 active deployed staff. Services Australia’s data did not include classification levels for all deployed APS staff.

Source: ANAO analysis of Services Australia data.

Labour hire and service delivery partners

2.62 Services Australia entered into labour hire arrangements to engage external non-APS staff, using its active merit list, temporary employment register (for irregular intermittent employees (IIE)) and existing contract arrangements with service delivery partners (see footnote 18).

2.63 As at 31 March 2020 the agency’s internal reporting indicated that the target for total staff from these sources (excluding internal and external APS redeployments) was 5000 and that as at 7 May 2020 7429 staff had been recruited (see Figure 2.5).

Figure 2.5: Services Australia staff hire excluding internal and external APS redeployment

Note a: IIE is irregular intermittent staff.

Source: Services Australia data.

2.64 Services Australia data from 29 February to 30 September 2020 indicates that a total of 12,373 staff were engaged to meet peak demand, comprising:,

• 3,414 internal redeployments;
• 2,185 APS redeployments (does not include staff in training);
• 3,125 labour hires; and
• 2,103 service delivery partner hires.

2.65 Due to fluctuations in staffing across this timeframe the total headcount increased by 7,595 between 29 February and 28 April 2020 (peak demand) taking total Services Australia staff numbers from 34,985 to 42,580 over the same period. As at 30 September 2020, headcount was 38,161. These figures include all ongoing/non-ongoing staff, APS secondees, labour hire and service delivery partner staff but do not include internal redeployments. A breakdown of Services Australia staffing from 29 February to 30 September 2020 is at Appendix 3.

Monitoring workforce resourcing and impacts

2.66 Services Australia monitored on-boarding of new staff and redeployment in a ‘mobilisation dashboard’ and provided data in reports presented to its Minister.

2.67 The number of staff available (at a point in time) was used to model impacts on workload over time. For example, as at 7 April 2020 Services Australia was forecasting a weekly inflow of 285,000 JobSeeker payment claims. Forecast weekly operational staffing (across processing and telephony) was 11,505. Based on projected incoming claims volumes, processing throughput and claims on hand timeframes, Services Australia estimated (on 27 April 2020) that the backlog of claims on hand would be dealt with by 7 May 2020.

2.68 Services Australia data shows that as at 7 May 2020, the cumulative JobSeeker claims finalised since 16 March 2020 was 1,053,717, with 113,864 claims on hand (see Figure 2.6).

Figure 2.6: Cumulative claims on hand and completed, as at 7 May 2020

Source: Services Australia data.

2.69 Services Australia identified a number of risks associated with the rapid on-boarding and redeployment of staff and documented these risks in two risk management plans — the first focused on call centre service delivery partners and the second on APS re-deployment. Increased risk to payment accuracy (due to on-boarding large numbers of inexperienced staff) and internal fraud were key risks considered in these plans.

2.70 To improve the efficiency of training processes the agency executives met to discuss how to expand its training pipeline and considered a range of options to condense training including utilising training facilitators from the broader APS. To manage additional training needs, all non-essential learning and development²¹ was placed on hold from 16 April 2020 until 1 July 2020 to ensure all essential training could be provided.

2.71 Meeting records indicate that Services Australia recognised the need to expand the number of staff conducting quality assurance work, as a consequence of the increase in new processing staff. The total staff trained to conduct quality assurance work across all claim types rose from 1,961 as at 23 March 2020 to 3,263 as at 1 August 2020. Staff with quality assurance training specific to the JobSeeker payment rose from 707 as at 23 March 2020 to 1,983 as at 1 August 2020.

2.72 Services Australia provided access to fraud awareness training to ongoing and non-ongoing staff. Staff completions numbers are presented in Table 2.1.

Table 2.1: Fraud related training completions, 1 March to 30 September 2020

Note a: Data is a headcount of all APS and non-APS employees that completed training over the timeframe. It does not include employees that did not pass and/or those that cancelled attendance after self-nominating. Employees may have completed/attended a course more than once.

Note b: A new fraud indication module was implemented on 1 July 2020 and replaced the former Fraud Awareness Induction and Unauthorised Access and Misuse of Information modules.

Note c: Services Australia advised the ANAO that the Mandatory Refresher Program module ‘includes training on privacy, security, fraud and unauthorised access, and was completed by some staff as induction during the COVID–19 emergency response period’.

Source: Services Australia data.

ICT resourcing

2.73 Additional ICT infrastructure needs including hardware, and the need for additional virtual private networks (VPN) capability to support an increasing number of officers working remotely were discussed throughout March 2020. In late March, Services Australia reported internally that:

• VPN capacity was being increased from 10,000 to 30,000 users; and
• additional mobile devices had been ordered and a ‘factory line’ was to be used to enable devices to be delivered to staff with 1000 devices per day being built.

2.74 Services Australia was also required to scale up ICT capability to support the large number of systems changes to roll out the COVID-19 measures within required timeframes and to deal with the increase in transactions. Following the government’s announcement of the coronavirus supplement on 22 March 2020, customers experienced degraded performance and outages on Centrelink services including myGov, Express Plus Centrelink and Centrelink Online Services during peak periods. A major incident review was completed by Services Australia which identified that the unprecedented volume of transactions was the cause, with service stability restored at close of business on 31 March 2020. The agency identified that during the incident:

• peak workload was three times the volume of normal transactions;
• myGov concurrent users reached 300,000 - pre COVID-19 was 10,000;
• over one million new JobSeeker payment claims were received; and
• approximately 35,000 JobSeeker payment claims were processed per day.

2.75 The review concluded that there was insufficient notice to allow technical teams to prepare the systems to cope with the increased demand, and the number of customer requests exceeded the systems’ capacity. To address the increase in customer demand, the review identified that the agency implemented changes on a daily basis to provide incremental improvements. These included configuring the network to increase throughput, improving application performance, and increasing server capacity.

Physical resourcing

2.76 Physical resourcing changes were planned to support social distancing and hygiene, including:

• more regular office space cleaning, and a plan to scale-up cleaning as the threat escalated;
• protective screens were procured for face-to-face sites; and
• plans were developed to support staff to configure their workstations to comply with 1.5 metre social distancing requirements.

2.77 Overall, around 96 per cent of the $345.2 million departmental funds Services Australia was appropriated to assist with its increased workload and resourcing scale-up (see Table 1.2) were categorised as ICT or staffing costs (see Table 2.2).

Table 2.2: 2019–20 COVID-19 spend by category

Note a: Services Australia has contracts with three companies that provide a workforce for Services Australia activities — Datacom, Serco and Stellar.

Source: Services Australia documentation.

3.1 Services Australia’s approach to risk management comprises three elements:

• Risk Management Policy (March 2020) — sets out key accountabilities and the Chief Executive Officer’s (CEO) appetite for risk;
• Enterprise Risk Management Model (July 2019) — sets out the principles for the quarterly reporting of key risks by the Deputy CEO’s to the Executive Committee and CEO and provides guidance on the identification and reporting of interdependent and shared risks; and
• Risk Management Framework (March 2020) — sets out operational risk management, processes and standards.

3.2 The agency’s risk appetite statement reflects that risk appetite will vary according to the activity and must be measured and proportionate:

Delivering on our vision, to provide customer-centred, trusted services that are respectful, simple, helpful and transparent, requires us to accept and encourage more risks to allow us to embrace new opportunities and technologies. We actively seek to remove complexity for our customers, ensuring they receive the right payment and level of service regardless of their situation.

We recognise that our appetite for risk varies according to the activity undertaken, and that accepting these risks is always based on good professional judgement, with decisions being appropriately documented. This requires all staff to understand both the potential benefits and risks before activities are agreed, and that sensible measures are in place to mitigate and manage these risks.

Our appetite for risk must be measured and in proportion with the benefits we seek to deliver on behalf of the Australian Government. Staff are encouraged to actively engage and manage risk in an ethical manner in line with our risk appetite and tolerance statement.

3.3 Services Australia’s risk management model defines enterprise risks as ‘those that if realised will have a significant negative or positive impact on the agency, Chief Executive or Minister’. The agency’s enterprise risk categories, as defined in its 2019–20 Corporate Plan and enterprise risk model²² are:

• Payments and services — risks to the department delivering correct payments, and whole-of-government services, platforms and systems;
• Customer experience — risks to customer experience and trust;
• Service delivery policy —risks to the department’s ability to influence and simplify policy to meet customer and department needs;
• Safe working and service environment — risks to ensuring a safe environment for staff, customers and visitors;
• Ethics and conduct — risks to ethical conduct and the effective management and monitoring of information, assets and resources;
• Culture and capability fit for the future — risks to the department’s desired culture and the ability to attract, retain, develop and effectively allocate workforce capabilities; and
• Change implementation — risks to the effective and efficient delivery of change initiatives.²³

3.4 Services Australia’s risk management process involves identifying, assessing controlling, communicating, monitoring and reporting risks driven by Deputy Chief Executive Officers who are accountable for the day-to-day management of risk in their groups. The agency has a range of guidance material, templates and tools to assist officials to consider risk and prepare risk management plans. Deputy Chief Executive Officers review their group’s risks on a quarterly basis to identify and report any enterprise risks to the Chief Executive Officer, through the Executive Committee.

3.5 The ANAO examined whether risks related to the implementation of the government’s economic stimulus measures were identified and assessed, mechanisms were in place to modify these risks and whether the risks were communicated

Were new or changed risks identified and assessed?

3.6 Services Australia’s focus in implementing the government’s economic stimulus measures was on delivering payments in a timely manner. Key risks to achieving this outcome were related to the following enterprise risk categories:

• Payments and services — in particular managing the risk of major system outages;
• Safe working and service environment — in particular to meet social distancing requirements; and
• Change implementation — in particular the rapid design and delivery of new business processes, staff procedures and ICT systems to give effect to new policy.

3.7 Services Australia also considered flow-on risks. Flow-on risks arose from changes to systems and processes made by Services Australia in order to implement the measures and impacts on the internal controls environment. For example, in order to meet the demand for services, Services Australia needed to temporarily increase its workforce which in turn resulted in flow-on risks to payment accuracy and quality resulting from a large number of relatively inexperienced claims processing staff being on-boarded. In order to reduce contact to meet demand on services and social distancing expectations, Services Australia reduced the use of face-to-face identity verification processes, leading to additional fraud risk exposure.

Identification of risk

3.8 Services Australia drafted a revised pandemic risk management plan in March 2020 and documented key risk considerations, controls, treatments and responsible business areas (see also paragraph 2.17).

3.9 The draft pandemic risk management plan considered how to manage:

• access to payments and services that are compromised due to inability to fulfil normal payment and services requirements (including mutual obligations, proof of identity, high demand or surges in demand);
• day-to-day service delivery functions that are compromised as a result of isolated/geographic/national pandemic incidents (including face-to-face, telephony, impacts for vulnerable customers);
• capacity to deliver payment and services activities for whole-of-government pandemic responses (including National Call Centre capacity, cyber attack and jurisdictional lockdown restrictions); and
• the health and wellbeing of staff and customers (including diagnosis/isolation, transport, caring responsibilities, building and equipment hygiene, staff with pre-existing conditions).

3.10 Services Australia also developed risk management plans (RMP) specific to its COVID-19 response. These plans considered risks that may arise from:

• failure to deliver the stimulus measures, incorrect payments, ineffective staff and customer communication, internal and external fraud, and safety of staff and customers — COVID-19 Stimulus Projects 1–3 RMP (May 2020);
• altered internal and external fraud controls for identity verification, on boarding of new staff and payment eligibility — Fraud RMP – Economic Support Payment and Temporary COVID-19 Supplement RMP (April 2020);
• face-to-face services being unavailable or significantly reduced in relation to customer volumes, timeframes, cyber security, system capacity and system stability — COVID-19 Identity Verification RMP (June 2020);
• the APS2000 initiative which was intended to redeploy staff from within the Australian Public Service (including existing APS contractors) and considered risks related to customer and workforce safety, payment correctness, fraud, implementation timeliness and information management and reporting — APS2000 Taskforce RMP (May 2020); and
• maintaining contractual arrangements for provision of telephony services by service delivery partners — Services Australia / Service Delivery Partner Covid-19 response RMP (March 2020).

3.11 These RMPs covered risks specific to the COVID-19 response, and business-as-usual risks that changed (either in likelihood or consequence) as a result of COVID-19 impacts, or as a result of COVID-19 activity (for example as a result of standing up additional staff and adjusting operational procedures). These plans were endorsed after a large amount of Services Australia activity was underway, and in some cases, after it had largely been delivered.

3.12 The agency maintained group and divisional risk management plans as a business-as-usual activity. The ANAO reviewed two of the agencies’ seven group risk management plans and noted that the impact of COVID-19 had been considered. In one of these, group RMPs controls were adjusted to account for COVID-19 and in the second RMP, delays to some identified actions were attributed to COVID-19.

Assessment of risk

3.13 Services Australia’s risk management process sets out that once risks are identified, they are to be documented, analysed and evaluated. The ANAO assessed the content of the five COVID-‍19 specific RMPs pertaining to the stimulus projects identified in paragraph 3.10.

3.14 These risk management plans were completed using the agency’s standard risk management template and included overviews of the strategic context, and for each identified risk the following content:

• enterprise risk category;
• potential causes and consequences of the risk;
• list of existing controls, owners and statement of effectiveness;
• current likelihood, consequence and risk level rating;
• risk owner and whether the risk level is accepted; and
• noted proposed treatments or ‘what could be introduced to better manage this risk’, leading to a residual likelihood, consequence and risk rating.

3.15 The current risk level was assessed on the basis of the likelihood and consequences of the risk occurring using the agency’s risk assessment matrix set out in Table 3.1.²⁴

Table 3.1: Services Australia risk assessment matrix — negative consequences

Source: ANAO review of Services Australia risk management plans.

3.16 Across the five RMPs, a total of 39 risks were documented and assessed with a current risk rating ranging from ‘low‘ to ‘high’. Table 3.2 depicts the total number of risks documented across these RMPs, by enterprise risk category and the assessed current risk rating following the agency’s assessment of the effectiveness of the existing controls and the current likelihood and consequences of the risk occurring.

Table 3.2: Risk rating in selected risk management plans by enterprise risk category

Note a: The Service Delivery Partner Covid-19 response RMP did not assign risks to the enterprise risk categories.

Source: ANAO analysis of selected Services Australia risk management plans.

Welfare payment systems access management

3.17 To support the COVID–19 initiatives, Services Australia made changes to its IT general control environment, through system changes to enable the payment of stimulus funding and the granting of additional system access for staff assisting with the processing of claims. As part of the year-end financial statements audit (year ending 30 June 2020) the ANAO reviewed IT general controls and key governance and assurance processes established by Services Australia to manage these changes. This included a review of risk management processes around the provisioning access to IT Welfare payment systems. ANAO notes the following weaknesses in risk management processes:

• adequate assessment and capture of the risks of the provisioning IT access changes;
• risks were not updated or reassessed post the initial COVID period with regards to the provisioning IT access; and
• documentation of key decisions, including authorisation and approvals of the system access changes was not in accordance with Services Australia’s operational policy.

3.18 While compensating system controls continued to remain in place, weaknesses in risk management processes increases the risk of fraudulent, unauthorised or erroneous transactions being processed, and an increased risk of such transaction not being detected in a timely manner.

3.19 The ANAO recommended that Services Australia ‘strengthen risk management processes for identifying and approving significant IT system changes, including for system access, extensions and removal, and include this as part of the business continuity process so that during an emergency or a rapid implementation environment there are clear lines of approval and associated assessment of risks is undertaken’.

3.20 Services Australia acknowledged that risk assessment documentation processes may not have been as detailed due to the rapid response to the COVID-19 pandemic. Services Australia advised that it will ensure that appropriate documentation processes are in place for business continuity purposes and that risk management processes are well documented for the rollback of system access changes. Services Australia is of the view that the risks were managed closely throughout the pandemic, noting that no changes were made to the Services Australia IT general control environment. As a result, the Agency does not support that the audit finding posed a moderate business or financial management risk.

Were there processes to identify and implement measures to modify risk?

3.21 Service’s Australia’s risk management approach indicates that once risks are identified and the current risk rating assessed, they are evaluated to determine whether the risk is to be treated.

3.22 Of the 39 risks identified across the five risk management plans examined by the ANAO, 37 risks had identified treatments. Of the two risks where no treatments were identified, one risk related to meeting a production delivery timeframe was ‘closed’ following delivery. The second risk, related to payment accuracy and quality was documented in the APS2000 RMP. The risk was documented as ‘accepted’ by the Services Australia Deputy CEO Customer Service Delivery and the RMP, as a whole, was endorsed by the Department of Social Services Acting Chief Operating Officer.²⁵

3.23 Of the 39 risks identified across the five RMPs nine risks were ‘not accepted’ with a status of ‘open’, and for each of these risks one or more treatments were identified. In all cases the treatments had been recorded as ‘implemented’, ‘de-scoped’ (that is, assessed as no longer being required) or ‘on hold’ based on other priorities, or implementation was being planned.

3.24 Services Australia’s risk management framework indicates that the purpose of treating a risk is to ‘develop more effective options for controlling risk’. Once a treatment is applied the ‘residual risk rating’ is assessed and can inform an overall assessment of whether the risk can be accepted by the responsible SES officer. Residual risk ratings, after treatment, were documented for the 37 risks with identified treatments. Of these 37 risks: 16 had a residual rating of ‘low’; 15 had a residual rating of ‘medium’; and six risks remained ‘high’. Two of these ‘high’ risks were ‘closed’. The four ‘open’ risks with a residual rating of high relate to the enterprise risk categories ‘safe working and service environment’ (one risk) and ‘ethics and conduct’ — specifically risks of fraud (three risks). These risks remain high as the health risks posed by the coronavirus are ongoing and the inherent risk of fraud is increased due to policy and program changes endorsed by government, such as temporary changes to identity verification procedures, and decisions made by Services Australia, for example reducing controls over IT systems access. The additional treatments identified to address the fraud risks are designed to detect and disrupt fraud, having taken account of preventive measures already in place.

3.25 The ANAO also examined the draft pandemic risk management plan to assess whether there was evidence that implementation was recorded for the 64 identified treatments. In almost all cases there was evidence that the treatments had been implemented, de-scoped or implementation was being planned.

Were risks communicated?

3.26 The agency developed a stakeholder engagement and communication plan for the COVID-19 economic stimulus measures, as required under its project management framework. This plan documents internal personnel and external parties²⁶ and identifies the manner and content of communications to be maintained including:

• their information needs;
• engagement methods (meetings, emails, phone contact, reporting);
• activities (for example briefs/reports to be provided, role in respect of signing off and endorsing project documents etc.); and
• frequency of contact (daily, weekly, monthly, as required).

3.27 The agency developed schedules for communications, including:

• a communications schedule for CIO and project management office — this schedule noted the officers responsible for daily outputs intended to provide information about ICT changes, outages, risks and issues, daily performance and priorities for the following day; and
• an ‘order of business’ — outlining the updates/reports to be provided to the Minister for Government Services, COO Committee (see paragraph 2.44), and to Services Australia’s CEO, Taskforce, all SES and all staff messaging.

3.28 The agency created a COVID-19 intranet page. This page provides information and links to staff about workplace health and safety and updates on service centre operations, including closures. Regular messages to staff from the CEO also provided updates on the agency’s COVID-19 response.

Internal communication of risk

3.29 The agency’s executive, including its CEO, participated in daily meetings and received briefings and reports. The minutes from these daily meetings reflect discussion of a range of risks and issues, decisions made and associated actions. Risks discussed included:

• scaling up the workforce and consequential training needs;
• workplace health and safety needs including social distancing and face-to-face service delivery;
• project timeframes, deliverables and implementation status;
• system load issues;
• service delivery performance; and
• fraud, integrity and security issues.

3.30 The agency’s audit committee was given a verbal COVID-19 update at its March, May and July 2020 meetings. Updates covered ‘current and emerging issues affecting the agency’ including:

• advice on delivery of the stimulus packages;
• workforce capability and mobilisation;
• approaches to protect staff and customer health and safety; and
• effects on Services Australia IT systems.

3.31 At the July 2020 audit committee meeting two reports were presented providing updates on:

• work health and safety, including actions being taken to address COVID-19 related risks; and
• program and project risks, including information on how COVID-19 was impacting on business-as-usual program and projects across the agency.

3.32 The financial statements sub-committee of the audit committee was given an update at its August 2020 meeting on the agency’s spend of the $521 million appropriation (referred to in paragraph 1.14 and Table 1.2).

3.33 Services Australia updated guidance material for processing staff. The revised materials cover questions customers may have as well as information on how staff can consider risks, for example the risk of identity fraud, while conducting processing activities.

External communication of risk

3.34 The ANAO reviewed daily minister meeting records from 1 April to 12 June 2020. Meeting records capture the minister’s reporting requirements being discussed, agreements to decisions made about issues such as reporting arrangements, service centre closures and system changes. The minister also requested, and was provided, ‘deep dive’ briefs on a range of topics including managing the intersections between JobSeeker and JobKeeper payments to prevent overpayment, myGov enhancements, stimulus package 2 and COVID-19 medium term responses and priorities.

3.35 The Minister for Government Services was briefed on the residual risks the agency was actively managing associated with the implementation of the COVID-19 stimulus measures on 14 April 2020. These risks were:

• failure to deliver key measures;
• failure to deliver services to the Australian public;
• reduced integrity of payments made;
• failure to appropriately communicate change to customers and staff; and
• an increase in the instance of fraud (both internal and external arising from the changes).

3.36 Risk details, controls and ratings were documented in the brief and noted by the minister.

3.37 The Department of Social Services endorsed the APS2000 risk management plan (see paragraph 3.22). The department’s Secretary, or a departmental representative, attended daily meetings of the Services Australia Executive Committee, and was briefed on risks at these meetings.

3.38 Issues and progress in relation to the implementation of the measures was also discussed with other entities, including the Department of Education, Skills and Employment and Department of Health in a range of forums.

3.39 In a rapidly changing environment, there is also an obligation on administering entities to clearly explain the elements of new initiatives and programs, including to potential applicants. Changes to program/payment eligibility, obligations or requirements can pose risks to applicants (for example accruing unanticipated debt). While the ANAO did not examine the quality of communications to potential JobSeeker payment applicants we observed that:

• Services Australia developed communication material for customers and liaised with the Ombudsman’s office to review the clarity of these communications.
• Services Australia had communicated information through its podcasts.²⁷ Topics included information about deeming and revaluation of financial assets, child care subsidy, family payments and scams.

4.1 Review and monitoring activities are important during rapid implementation to ensure that practical problems do not reduce the intended outcomes. Tight delivery timeframes may increase risks in circumstances where standard due diligence and planning is streamlined or not undertaken. To assess Services Australia’s risk review and monitoring actions, the ANAO:

• identified whether implementation targets and/or deliverables associated with the new measures were set and monitored;
• examined whether risk management plans, implementation risks and enterprise risks were reviewed;
• identified whether service demand and delivery was monitored; and
• examined the activities and planning being undertaken by Services Australia to transition from the immediate response and the extent to which the agency has planned for future reviews.

Were implementation risks monitored?

Targets and deliverables for the new measures

4.2 Services Australia developed project management plans for the economic stimulus measures. These plans identified the key deliverables and associated timeframes to deliver the economic support payment and coronavirus supplements announced in the government’s stimulus packages 1–3.

4.3 The timeframes for the actions required to be taken by Services Australia were driven by the commencement date of the applicable period for government decisions (see Table 1.1). Services Australia maintained a record of key government decisions that included:

• details of the decision (as a brief summary);
• the applicable time period;
• relevant responsible entity;
• the date of the decision; and
• instrument (legislation, policy, ministerial order).

4.4 Implementation progress was monitored daily by the Stimulus Multi-disciplinary Team (see paragraphs 2.40 to 2.43). Timeframes for ICT system changes were monitored and issues, risks and actions were recorded in daily summaries of these meetings. Project closure reports have been scheduled for November 2020 and January 2021.

4.5 On 20 April 2020 an internal expectation that staff who had completed training ‘should now be able to process 10 claims per day’ was noted in the Executive Committee meeting minutes. This expectation was monitored by Services Australia and was not achieved in the sample of processing records reviewed by the ANAO. As at 15 May 2020, the cumulative daily claims processed per person was 8.5.

Review of risk management plans, implementation risks and impacts on enterprise risks

4.6 Services Australia established mechanisms to record implementation risks and associated actions:

• a risk register for the project plans to deliver the stimulus measures was maintained;
• a risk register for business integrity risks (including compliance and fraud) was maintained;
• an operational policy to document expectations for recording ministerial and Senior Executive Service decision-making during COVID-19 was developed that applied from 16 April 2020 with processes for capturing decisions made before this date, and a record of these decisions was provided to the executive (see paragraphs 2.46 to 2.49);
• KPMG was contracted to conduct ‘Go Live’ assurance reviews prior to major IT system releases. This requirement was built into the project plans for each of the major delivery milestones which included a readiness indicator for ‘a Go/No Go release implementation’; and
• activation plans were documented for critical ongoing business functions including aged care and health payments, noting the key actions required to enable these functions to continue to function at an acceptable level following an event of disruption.

4.7 Each of the COVID-19 specific risk management plans (RMPs) articulated implementation risks and four of the five plans identified a risk management plan review date. Review timeframes ranged from 3 weeks to one month from endorsement of the plan. While the review timeframes were only met for one of the RMPs, there was evidence of ongoing consideration and review of risks including by the Executive Committee and minister (as described at paragraphs 3.29 and 3.34).

• Three of the five RMPs, identified in the ANAO sample, have been reviewed. The Stimulus Project 1-3 was reviewed monthly as scheduled, from May–October 2020. The APS2000 RMP was reviewed in October 2020. It was originally scheduled to be reviewed on 31 May 2020. The Service Delivery Excellence Service Delivery Partners RMP was reviewed in October 2020. The initial RMP did not have a review date.
• The COVID-19 Identity Verification RMP has been superseded, with the identity verification work having been rolled into a larger digital identity project. Project workbooks (prepared throughout June–October) identify key actions and decisions and strategic risks with mitigations identified and documented. The original RMP was scheduled to be reviewed on 16 July 2020.
• The treatments and controls described in the Fraud RMP were reviewed and updated in June 2020 and October 2020.. A comprehensive review of the Fraud RMP is in process in light of the policy changes which took effect on 25 September 2020.²⁸ The initial fraud RMP was scheduled to be reviewed on 15 May 2020.

4.8 Services Australia completed post incident reviews in relation to system response disruptions including disruptions to the myGov server due to increased demand (see paragraphs 2.74–5). The pandemic action plan and business continuity plans outline the requirement to conduct these reviews.

4.9 Services Australia’s risk management approach (described from paragraph 3.1) sets out the agency’s approach to monitoring enterprise risks through the quarterly reporting of significant risks to the Executive Committee and also requires urgent risks to be reported to the Executive outside the quarterly reporting process. The agency’s enterprise level risk tolerance is documented as well as the process for managing residual risks that sit outside of tolerances which require the accountable authority‘s approval to proceed:

Any residual risk to the left of the risk tolerance level range require no further investment in additional controls or mitigation treatments. If appropriate there may be an opportunity to remove or amend current controls.

Any residual risk within the risk tolerance range are within acceptable levels, however a risk management plan approved by the relevant senior manager is still required.

Any residual risk that sits to the right of the risk tolerance range is outside of tolerance and if no further controls can be identified to reduce the residual rating to within tolerance, accountable authority approval is required to proceed.

4.10 Risk reports on enterprise level risks were provided to Services Australia’s Executive Committee in June and August 2020. In relation to COVID-19 risks, the June 2020 report noted that ‘the Agency’s response to the COVID-19 pandemic frequently required the CEO to operate outside of the agreed risk tolerances (but in line with the risk appetite set in the Risk Management Policy)’. The minister had also been advised in an April 2020 brief that ‘a high risk environment is expected to apply to the delivery of the majority of the social services and familiar programs for the foreseeable future’.

4.11 As already noted in this report (see paragraphs 3.29 and 3.34–5), both the minister and Executive Committee were provided daily advice and reports related to the agency’s response to the pandemic and implementation of the COVID-19 economic stimulus measures. At the 15 June 2020 Executive Committee meeting, the Deputy CEOs were asked to revise their group risk management plans for consideration by the committee in the August quarterly risk report.

4.12 The papers for the 17 August 2020 Executive Committee meeting included an agency-level risk register based on risks identified in group risk management plans and the agency risk profile. It was recommended that the committee agree to the Deputy CEOs seeking assurance that controls identified in their group plans are effectively managing their group risks. A report on control effectiveness was due to be provided to the enterprise risk management team by 16 October 2020. A quarterly report, including revised risk ratings, was provided to the Enterprise Business and Risk Committee, on 23 November 2020.

Service demand and delivery

4.13 Service demand and delivery was monitored daily. Daily situation reports provided to the minister, demonstrate monitoring of payment delivery and other key performance indicators. Data monitored and reported included:

• user figures for Centrelink digital service offers (Centrelink Online, Centrelink Express Plus and myGov);
• percentage of claims started versus submitted;
• telephony performance (including telephony key performance indicators);
• face-t- face service delivery figures;
• outstanding debt arrangements; and
• completed claims (including performance against key performance indicator).

4.14 Figures 4.1–4.4 represent examples of service delivery demand monitored by Services Australia.

4.15 Figure 4.1 shows daily Jobseeker claims on hand, claims completed and cumulative claims completed between 1 March 2020 and 30 September 2020. Between 1 March and 24 March Jobseeker claims on hand grew from 18,325 to 65,252 claims. Claims on hand numbers continued to rise between 25 March and 9 April where they peaked at 443,507. Over the month of September the average claims on hand was 18,937. The cumulative claims completed between 1 March 2020 and 30 September 2020 totalled approximately 1.76 million.

Figure 4.1: Jobseeker claims on hand and completed between 1 March and 20 September 2020

Source: Services Australia data

4.16 The volume of calls answered for Social Security and Welfare telephony staff peaked at 136,997 calls on 20 April 2020.

Figure 4.2: Volume of calls answered by Services Australia between 2 March and 30 September 2020

Source: Services Australia data

4.17 The peak users for Centrelink Online Service Offer for the period of 1 March 2020 through to 30 September 2020 were highest for all Centrelink Online Service offerings in late March 2020.

Figure 4.3: Users for Centrelink Online Service Offer for the period 1 March to 30 September 2020

Source: Services Australia data.

4.18 Figure 4.4 shows the average daily face-to-face contacts for the period January to September for both 2019 and 2020.

Figure 4.4: Average daily face-to-face contacts for the period January to September 2019 and 2020

Source: Services Australia data.

Has Services Australia planned for the transition to a post COVID-19 response environment?

4.19 On 18 February 2020 the Department of Health released the Australian Health Sector Emergency Response plan for Novel Coronavirus.²⁹ This plan sets out three discrete stages for the pandemic response — ‘initial action’ (activated on 17 February 2020), ‘targeted action’³⁰ (activated on 15 March 2020 and still in effect as at 26 October 2020) and ‘stand down’. Services Australia articulated its agency settings as:

• ‘response state’ —initial actions and early implementation (27 March to 7 May 2020);
• ‘steady response state’— ongoing actions (8 May to 17 May 2020 and reinstated due to COVID-19 circumstances in Victoria from 29 July to 9 August 2020); and
• ‘readiness state’ — indicating a state of preparedness to respond to the situation as it changes (18 May 2020 to 28 July 2020 and reinstated from 10 August 2020).

4.20 In September 2020 Services Australia advised the ANAO that since May 2020 the agency has been in a state of ‘steady response and readiness’ due to differential impacts of COVID-19 on Victoria (requiring ‘steady response’) and other jurisdictions (at a ‘readiness’ state).

4.21 The agency’s pandemic operational action plan states that ‘as the pandemic progresses there will be a point at which the Agency will change from a pandemic response to a recovery phase. At this time, plans will be in place to turn functions back on that have been temporarily switched off or ceased³¹, and for staff to return to their pre-pandemic duties’. Services Australia has taken steps to adjust its governance and reporting arrangements and to resume activities and functions that were suspended. This section of the chapter reports on ongoing work being conducted by Services Australia in relation to:

• adjusted governance and reporting arrangements;
• closure activities;
• workforce management;
• workforce and customer health and safety;
• resumption of mutual obligations;
• debt recovery;
• identity verification;
• compliance activities; and
• lessons learned.

Adjusted governance and reporting arrangements

4.22 Services Australia advised the ANAO that the COVID-19 taskforce established to oversee initial implementation and delivery of the government’s economic stimulus measures was disbanded on 16 April 2020 and re-named as a transition team to indicate the shift from a ‘response’ state and transition to a state of ‘readiness’. As the agency has moved from its initial ‘response’ and ‘steady response’ states to its ‘readiness’ state³², it adjusted its executive and ministerial meeting schedule (see Table 4.1).

Table 4.1: Meeting frequency during COVID-19

Note a: Response state – 27 March 2020 to 7 May 2020.

Note b: Steady response state – 8 May 2020 to 17 May 2020 and 29 July 2020 to 9 August 2020.

Note c: Readiness state – 18 May 2020 to 28 July 2020 and 10 August 2020 to current.

Source: Documentation provided by Services Australia

4.23 On 31 August 2020, Services Australia published its 2020–21 Corporate Plan. The plan states that key deliverables in ‘digital experience’, ‘telephony’ and ‘policy and service delivery simplification’ will build on COVID-19 related process improvements (such as online identity processes). This plan also sets out the agency’s top eight risks, noting that these risks ‘consider the challenges posed by crisis or emergencies, such as the recent pandemic and bushfires’.³³ The agency’s top eight risks are:

• Government, Ministers, key government partners and the community have lost trust in the agency.
• The agency is unable to deliver required services.
• Major programs and projects do not deliver the intended outcomes.
• Inability to implement required change or program refinements.
• Failure to attract, retain and develop staff capabilities.
• Failure to support the safety and wellbeing of our staff.
• System outage(s) significantly disrupt access to payments and other critical services.
• Failure to maintain the integrity of customer data.³⁴

Closure activities

4.24 The agency commenced COVID-19 response stimulus project closure meetings with the Department of Social Services (DSS) in May 2020 to discuss anticipated future policies regarding COVID-19 measures in order to allow Service Australia to plan for service delivery. Eight meetings were recorded from 27 May to 30 June 2020. Minutes were not kept for meetings held during July until late August. Three meetings were recorded from 26 August to 9 September 2020.

4.25 A risk management plan was developed to support the resumption of business-as-usual, or new business-as-usual processes. The plan addresses failure to effectively close COVID-19 measures, incorrect payments, ineffective staff and customer communication, and internal and external fraud. Services Australia advised the ANAO that the plan was developed in June/July. It was reviewed and endorsed in September, and the next review date was 30 October 2020.

Workforce management

4.26 Since mid-May 2020 Services Australia has undertaken a gradual reduction to its staffing with redeployed APS staff returning to their home agencies. As at 30 September 2020, agency documents indicate internal APS 2000 redeployments were 297 from a peak of 2,185. At 11 June 2020 internal redeployments were 300 from a peak of 3,414. As at 7 September 2020, Services Australia was projecting 900 internal redeployments to assist the agency’s payments and integrity branch to undertake debt remediation and appeals activities.

4.27 In June and July 2020 the agency documented its forward workforce management plan for customer service delivery and payments and integrity. The customer service delivery plan considers workforce supply, demand and affordability across the 2020–21 financial year. Projected workforce supply shifts are documented by workforce type³⁵ and include an anticipated surge as the government’s JobKeeper payment program is phased out and some customers’ transition to JobSeeker payment. The payments and integrity plan considers workforce needs to complete refunds for the income compliance program³⁶ and remediation work, including in relation to the debt pause, to June 2021 and includes consideration of additional staff training required.

4.28 The agency has kept in place social distancing requirements in its service centres as required and advised the ANAO that safety measures have been put in place in these centres and that polycarbonate health and safety screens were procured and delivered to priority Service Centres by the end of July 2020.

4.29 The agency engaged Ernst and Young to conduct an assessment of existing work, health and safety (WHS) strategies, products and approaches. This assessment was intended to include the WHS response to COVID-19. A final draft for consultation dated 25 September 2020 was provided to Services Australia.

Resumption of mutual obligations

4.30 Services Australia began planning for a resumption to mutual obligations in June 2020. The government announced that mutual obligation requirements for job seekers would re-commence, in a limited capacity, from Tuesday 9 June 2020 and were reinstated from 4 August (excluding Victoria).³⁷

4.31 Services Australia developed a multi-stage project plan to assist for the resumption of mutual obligations. These plans covered: ICT system changes required; timeframes, business owners, testing to occur (before release); and internal messaging.

Debt recovery

4.32 On 3 April 2020 the government announced a pause on debt raising and recovery activity to October 2020. The agency subsequently paused its actions to issue debt notifications and recover debts but maintained raising debts within the IT system. In September 2020 the agency documented its forward workforce needs to resume activities following the anticipated conclusion of the government’s announced debt pause period. On 28 October the government announced that debt-raising activity would commence on 2 November 2020.

4.33 In the interim Services Australia has focused on preventive measures during the debt pause. Through SMS messages the agency has been making customers aware of their obligations and encouraging accurate reporting of income and circumstances.

Identity verification

4.34 In response to lockdown and social distancing requirements Services Australia introduced an interim identity verification process. This process relaxed some of the requirements normally in place, namely to conduct in-person facial recognition at service centres.

4.35 Services Australia identified the need to conduct ‘post claim reviews’ in its fraud risk management plan and identified that by 30 September 2020, it would have developed a process for a six month review of customer identities. Documentation reviewed by ANAO as at September 2020, indicated that a staged remediation approach had been considered.

4.36 Services Australia also worked with financial institutions regarding suspicious identities. This work includes risk profiling through identifying payments that may have been made to suspected fraudulent accounts.

4.37 In May 2020 the agency identified ten opportunities to leverage COVID-19 changes in the stand down phase to accelerate future service delivery model changes (see also paragraph 4.45). The first opportunity listed was a ‘further shift to online identity and CRN creation processes’. To do this the agency identified that it will need to invest in raising identity standards in online processes, and work with the Digital Transformation Agency (DTA) on integrated government approaches. Initial information from the DTA regarding steps for the development of a permanent solution for customers to create CRNs online had been received by Services Australia and the agency is working on a longer term digital identity solution. Services Australia’s Executive was advised in August 2020 that the agency’s interim solution (Connected-ID) would be reviewed in February 2021, in advance of a longer term solution expected to be available from June 2021.

Compliance activities

4.38 The May 2020 COVID-19 Stimulus Projects 1-3 Risk Management Plan states that ‘integrity practices have been paused, with planning underway with respect to future integrity activities with timeframes and interventions yet to be determined’. Services Australia advised the ANAO that the agency’s compliance telephony lines remained active to support customers who chose to continue reviews or activities underway prior to the government’s announcement of the debt pause.

4.39 In the context of responding to the COVID-19 pandemic, the Department of Social Services and Services Australia made a decision to not proceed with Trimester 3 of the Random Sample Survey (RSS) (the primary assurance mechanism or measuring Department of Social Services outlays). The decision was taken at Deputy Secretary level within DSS and Services Australia, informed by analysis indicating that payment accuracy could still be maintained. Trimester 3 would have operated between 1 March and 30 June 2020, with review interviews occurring over a six week period from 1 March to 12 April 2020. The sample would have been drawn from the start of the trimester period and many of the major changes such as the Coronavirus Supplement did not commence until 27 April 2020.

4.40 Services Australia Advised the ANAO that the random sample survey program for Trimester 1 2020–21 began on 10 July 2020 with a review of eleven payment types including the JobSeeker payment. Of the 7,194 reviews completed in Trimester 1 there were 2,603 reviews of the Jobseeker payment with 97.81 per cent payment correctness. Of the 57 errors, 54 were due to administrative staff errors and three were from administrative system errors.

4.41 In addition to changes in identity verification processes, the need to verify some claim requirements were relaxed where the evidence may be difficult to obtain. This occurred for verification of proof of rent payments, loss of employment (employment separation certificate), and relationship status. The temporary lowering of evidence verification standards in these circumstances relied on customer declarations and were assessed by the agency as a fraud risk. The agency is currently planning future integrity activities, such as post claim reviews for customers that were not required to verify their circumstances, with the timeframes and interventions yet to be determined.

4.42 Services Australia has been working with the Australian Taxation Office (ATO) regarding the risk of duplicate claims for the JobSeeker payment and the ATO administered JobKeeper payment. This has included cooperating to refine data matching activities. In July 2020 a program protocol for data matching was released, providing technical details on the data matching process.

4.43 Services Australia received initial JobKeeper payment data from the ATO on 18 May 2020. As at 24 July 2020 134,000 people identified as registered for JobSeeker payments that are also registered for JobKeeper payment. The data provides information about JobKeeper payment registration, but does not confirm that a JobKeeper payment has been made. Services Australia has used this information for targeted SMS communications informing customers of their requirement to report JobKeeper payment income. In line with the debt pause, no debts have been raised. Services Australia advised the ANAO that as at 9 September 2020, there have been 9,354 SMS or nudge letters sent to individuals and 2901 telephone contacts have been made with individuals.

4.44 The program protocol for data matching between Services Australia and the ATO states that the matching of JobKeeper payment data against social security payment data will be conducted on a regular basis commencing 18 May 2020. The program has been extended to 28 March 2021. A review of the data matching program is due to be conducted no later than six months after commencement (November 2020).

Lessons learned

4.45 In May 2020 the agency identified ten possible opportunities to leverage the temporary COVID-19 environment beyond the pandemic. Themes included a greater digital approach, faster processing, continued coordination with other agencies and improved data management.

4.46 In addition to the Services Australia whole of agency pandemic review described in chapter two of this report from paragraph 2.24, the agency commissioned a review of its health and aged care programs pandemic response. This review examined governance, processes and service changes. The review made four recommendations — two aimed at improving governance, one related to formalising the application of lessons learned and the final aimed at conducting scenario modelling. Services Australia agreed to the recommendations.

4.47 As noted previously in this report, Services Australia also undertook a major incident review of the myGov system degradation (see paragraphs 2.74–5) and a review of its workplace health and safety strategies (see paragraph 4.29). Services Australia also completed a review of its response to a site closure following reporting of a confirmed case of COVID-19.

Appendix 1 Entity response

Appendix 2 Changes to COVID-19 economic response social security measures

Source: M Klapdor, Changes to the COVID-19 social security measures: a brief assessment, Research Paper Series 2020–21, Parliamentary Library, Canberra, 30 July 2020; Department of Social Services, Coronavirus (COVID-19) information and support [Internet], https://www.dss.gov.au/about-the-department/coronavirus-covid-19-inform… [accessed 23 November 2020].

Appendix 3 Services Australia APS and non-APS staffing headcount