Audit snapshot

Why did we do this audit?

  • Services Australia is redeveloping a major information and communications technology (ICT) system in the Welfare Payment Infrastructure Transformation (WPIT) Programme.
  • Advice to government indicated that there were a number of risks associated with operating and adapting the system, as required to meet changing policy requirements.
  • The replacement of some or all of a major ICT system requires entities to manage risks associated with operating the current system until it is replaced, and planning transition to the future system.
  • Many Australian Government agencies operate and may need to replace some or all of major ICT systems, and face similar risks.

Key facts

  • Services Australia manages payments for 34 Australian Government agencies.
  • The WPIT Programme is redeveloping the welfare payment system over seven years between 2015 and 2022.

What did we find?

  • Services Australia had largely appropriate arrangements in place to manage risks to operating the welfare payment system during the redevelopment process and to plan transition to the future system.
  • Payment correctness and system availability risks were managed. The cyber security risk framework was not appropriately managed, and operating costs were not monitored.
  • Transition planning frameworks were established, but delays to decommissioning key system elements have put at risk expected benefits of the WPIT Programme. Arrangements to migrate data were not yet established.

What did we recommend?

  • The Auditor-General made three recommendations aimed at improving the management of system operating risks, and two recommendations aimed at improving preparations to transition to the future system.
  • Services Australia agreed to all five recommendations.

  • $110 billion in annual welfare payments – one-quarter of the pre-COVID Commonwealth budget.
  • 6 million Australians received welfare payments (pre-COVID-19).
  • $1.5 billion: original estimated cost of the WPIT Programme.

Summary and recommendations

Background

1. Services Australia is responsible for the design, development, delivery, co-ordination and monitoring of government services and payments relating to social security, child support, students, families, aged care and health programs. Services Australia delivers payments and services to and on behalf of 34 Australian Government entities.

2. Services Australia is managing an information and communications technology (ICT) change program that is being implemented in the Welfare Payment Infrastructure Transformation (WPIT) Programme. The WPIT Programme includes redevelopment of ICT systems (delivering new technology) and redevelopment of business processes (operating structure, business rules and processes). The ICT stream is redeveloping the welfare payment system through a program of work that involves retaining and enhancing the functionality of existing elements of the system, adding new elements to the system, as well as replacing or decommissioning elements of the system. The WPIT Programme was originally estimated to cost around $1.5 billion over seven years from 2015 to 2022.

3. The welfare payment system contains information about millions of Australians who have received welfare payments over the past three decades. Each year over the four year period from 2015–16 to 2018–19, the system calculated and made over $110 billion in welfare payments to around 6 million Australians — job seekers, students, families, people with a disability, carers and older Australians — almost one-quarter of the expenses in the Commonwealth budget.

Rationale for undertaking the audit

4. The primary basis for the WPIT Programme was that the current welfare payment system could not continue to operate and required replacement. Advice to government indicated that there were a number of risks associated with operating and adapting the system, as required to meet changing policy requirements. The Australian National Audit Office (ANAO) examined Services Australia’s management of these system operating risks during the redevelopment process.

5. The replacement of some or all of a major ICT system also requires entities to manage risks associated with planning transition to the future system. This includes designing a future system that delivers the key functions of the current system, decommissioning replaced elements of the current system, and preserving the future use and value of information stored in the current system.

6. A number of Australian Government agencies operate and may need to replace some or all of a major ICT system, and face similar risks.

Audit objective and criteria

7. The audit objective was to assess whether Services Australia appropriately managed risks to operating the current welfare payment system and appropriately prepared to transition to the future system. To form a conclusion against the audit objective, the following high-level criteria were adopted:

  • Did Services Australia appropriately manage risks to operating the current welfare payment system?
  • Did Services Australia appropriately prepare to transition to the future welfare payment system?

8. The audit focused on the welfare payment system, and did not examine the management of ICT systems supporting other government programs or corporate activities.

Conclusion

9. Services Australia had largely appropriate arrangements to manage risks to operating the current welfare payment system, and to transition to the future system.

10. Services Australia had largely appropriate arrangements to manage risks to operating the welfare payment system. Services Australia established and maintained a risk management framework at the entity and group levels that applied to various elements of the welfare payment system. Payment correctness and system availability risks were managed. Services Australia did not apply an appropriate framework to manage cyber security risk, and did not monitor the cost of operating the system.

11. Preparations to transition to the future welfare payment system were largely appropriate. Services Australia established frameworks for planning transition to the future welfare payment system, and to plan the design of the future welfare payment system. However, delays to decommissioning system elements have put at risk expected benefits of the WPIT Programme. Services Australia has not yet established appropriate arrangements to migrate data to the future welfare payment system.

Supporting findings

Managing risks to operating the current welfare payment system

12. Services Australia established and maintained a risk management framework at the entity and group levels. This framework applied to the overall ICT environment, including various elements of the welfare payment system.

13. Services Australia had largely appropriate arrangements to manage risks to the operation of the welfare payment system. Payment correctness and system availability risks were managed. Services Australia did not apply an appropriate framework to manage cyber security risk, as it did not cyber security risk assess or accredit all elements of the system. Workforce capability risk management arrangements are being put in place. Services Australia did not monitor the cost of operating the system.

14. Risks associated with adapting the welfare payment system during the redevelopment process were appropriately managed. A clear change management process supported Services Australia to manage changes to the system, and most changes were implemented on time and within budget. There were arrangements in place for emergency system changes and low rates of failed and abandoned system changes, although Services Australia did not appropriately monitor the use of workarounds over time.

Preparation to transition to the future system

15. Services Australia established an appropriate planning framework for the transition to the future welfare payment system. However, delays to decommissioning a key element of the system (the Income Security Integrated System) have put at risk one of the original objectives of the WPIT Programme and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment. In June 2020, the decommissioning of this key element of the system was confirmed to be the main goal of the welfare payment system redeployment. However, almost half of the decommissioning was not expected to be completed by the end of the program.

16. Services Australia applied largely appropriate processes to support transition planning to the future welfare payment system. A lack of current system functionality documentation impacted Services Australia’s capability to inform and commence the future system design. Critical elements of the future system are still in the design phase and this has had timing implications for the delivery of the redeveloped welfare payment system.

17. Services Australia has not yet established appropriate arrangements to migrate data to the future welfare payment system. Approaches to planning data migration commenced but were discontinued, and Services Australia has indicated that ‘there is no significant data migration in the scope of WPIT Programme to date, nor in the currently planned Tranche 4 scope’.

Recommendations

Recommendation no.1

Paragraph 2.33

Services Australia risk assess, certify and accredit all elements of the current welfare payment system.

Services Australia response: Agreed.

Recommendation no.2

Paragraph 2.47

Services Australia implement arrangements to monitor the operating cost of the welfare payment system in order to manage operating costs and enable evidence-based ICT investment decisions.

Services Australia response: Agreed.

Recommendation no.3

Paragraph 2.73

Services Australia develop and implement a policy to assess, control and monitor workarounds for the current welfare payment system over time.

Services Australia response: Agreed.

Recommendation no.4

Paragraph 3.10

Services Australia conduct a risk assessment of the decommissioning strategy, implement appropriate controls, and actively monitor and report until decommissioning is complete.

Services Australia response: Agreed.

Recommendation no.5

Paragraph 3.39

Services Australia govern, plan, resource and risk manage data migration in order to preserve the use and value of existing information in the future welfare payment system.

Services Australia response: Agreed.

Summary of entity response

Services Australia welcomes this report and considers that implementation of the recommendations will enhance the Agency’s ICT risk management capability and support the implementation of the final tranche (Tranche 4) of the Welfare Payment Infrastructure Transformation programme.

Recognising the strategic importance of the redevelopment of our welfare payment systems and the expected benefits to our customers, Services Australia agrees with the ANAO’s recommendations and will work to further strengthen the governance, oversight and risk management arrangements supporting implementation of this programme.

18. Services Australia’s full response can be found at Appendix 1.

Key messages for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit that may be relevant for the operations of other Australian Government entities.

Policy/program implementation

  • Major ICT replacement projects require a thorough understanding of business requirements, current functionality and current system shortfalls to plan for scope of the system replacement. Documenting this functionality and any system workarounds will assist in managing risk in the transition to the new system and decommissioning of any existing systems and it will also enable clarity on any approaches to market for new system design.
  • Evidenced and risk-based ICT investment decisions for major ICT systems require an understanding of system operating costs, system shortfalls and future system design.

Governance and risk management

  • Planning for a major ICT investment that will realise specific savings or business benefits requires early identification and management of system operating risks and timely transition planning, to deliver ICT redevelopment within the planned schedule and scope.
  • Risk management frameworks that are designed and implemented at different organisation levels need to provide sufficient coverage to allow for the assessment, control and monitoring of key risks at the system or activity level.

1. Background

Introduction

1.1 Services Australia1 is responsible for the design, development, delivery, co-ordination and monitoring of government services and payments relating to social security, child support, students, families, aged care and health programs.2 Services Australia delivers payments and services to and on behalf of 34 Australian Government entities. In a 2019 Institute of Public Administration speech, the Prime Minister articulated that the thinking behind establishing Services Australia was that ‘the Australian people need to be at the centre of [Australian Public Service] (APS) service delivery’.3 Putting Australians at the centre of APS service delivery, and the government priority for excellence in service delivery, extends to providing access to reliable services in a more timely and efficient way, and making better use of technology that is designed around user needs. Delivering on this objective relies on service delivery innovation and system redevelopment.4

1.2 Services Australia is managing an information and communications technology (ICT) change program that is being implemented in the Welfare Payment Infrastructure Transformation (WPIT) Programme. The WPIT Programme includes redevelopment of ICT systems (delivering new technology) and the redevelopment of business processes (operating structure, business rules and processes). The ICT stream is redeveloping the welfare payment system through a program of work that involves retaining and enhancing the functionality of existing elements of the system, adding new elements to the system, as well as replacing or decommissioning elements of the system.

1.3 The WPIT Programme started in July 2015 and was scheduled to run over five separate tranches until July 2022. The original estimated cost of the program was around $1.5 billion over seven years. Program funding was provided on a tranche-by-tranche basis with Services Australia returning to Government prior to the start of each new tranche, reporting on deliverables achieved to date and outlining more detailed plans for the next tranche. Appendix 2 sets out the timing of each tranche and the system redevelopment work coverage planned to be undertaken.

1.4 This is the first in a planned series of performance audits. In this audit, the Australian National Audit Office (ANAO) examined whether Services Australia appropriately managed risks to operating the current welfare payment system during the redevelopment process, and whether Services Australia appropriately prepared to transition to the future welfare payment system.5

1.5 The ANAO reviewed welfare payment system arrangements during the period of audit fieldwork from July 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).6 The ANAO did not examine Services Australia’s management of system operating risks after the activation of the Emergency Response Plan. This includes the reported decisions and actions taken by Services Australia to enhance the technical capacity to support the increased number of welfare claims, such as performance enhancements to systems such as myGov, and the implementation of streamlined online claims.7 The ANAO’s performance audit of Services Australia’s COVID-19 measures and enterprise risk management examines whether Services Australia effectively manages risks related to the rapid preparation for and delivery of COVID-19 economic response measures.

The current welfare payment system

1.6 Services Australia provides welfare support through more than one hundred types of entitlement payments and services, including Jobseeker, Youth Allowance and Austudy for students, the Disability Support Pension and the Age Pension. The welfare payment system incorporates the detailed legislative and policy rules that use customer circumstances to determine eligibility and entitlement for each type of support, including where people receive more than one type of support or where multiple family members receive support.8

The technology mix

1.7 The current welfare payment system evolved from a system implemented in the 1980s. The system’s foundation is Model 204 (M204) — a database management system operating on IBM Z13 mainframe technology.

1.8 Business rules supporting Centrelink payment eligibility assessments and entitlement calculations are hard-coded into the Income Security Integrated System (ISIS), which operates using M204.9 ISIS has multiple elements, including those that are used to capture customer data, and operates with other systems to make welfare payments. A key element of the system is the Entitlement Calculation Engine, which uses business rules and circumstance data to calculate customer entitlements.

1.9 Services Australia has calculated that each day approximately 62 million transactions use M204 and ISIS to access and update customer data.10 A contracted service provider undertakes supply and maintenance of the M204 database software, along with periodic enhancements to M204 and continued integration with newer technology.

1.10 Prior to the WPIT Programme, Services Australia modernised and streamlined staff and customer online access by linking ISIS to SAP Customer Relationship Management (CRM). Assessments of customer eligibility and entitlement are determined in ISIS as the ‘source of truth’ and replicated in SAP CRM.

1.11 The current welfare payment system includes a mix of older and newer elements, with ISIS forming the central element. Elements of this system will form part of the future system (see Figure 1.1).

Figure 1.1: Conceptual model of the current welfare payment system showing planned changes

A figure that outlines the various system components of the current welfare payment system. It shows the systems and how they relate to the Welfare Payment Infrastructure Transformation. That is, will the system be utilised, enhanced, created or replaced

Source: ANAO representation of a Services Australia diagram.

Governance of the current welfare payment system

1.12 Oversight of the welfare payment system is covered by Services Australia’s strategic governance arrangements. The Executive Committee, the most senior governance committee, comprises the Chief Executive Officer (CEO) and direct reports, and meets weekly to provide strategic advice and decision making support to the CEO. Supporting the Executive Committee, the Implementation Committee (see Figure 1.2) provides oversight and direction to agency programs and projects, including the WPIT Programme.

Figure 1.2: Implementation Committee structure

A figure that shows the Implementation Committee structure, with the Chief Operating Officer as the Chair and seven other members including six senior executives from Services Australia and one external member.

Source: ANAO, based on information provided by Services Australia.

1.13 The Implementation Committee meets monthly to:

  • provide strategic direction to, and monitor key strategic issues and risks for, new and existing programs and projects which are high risk or critical to Government, including advice on the agency’s ability to deliver across ICT and business;
  • report to the Executive Committee and the CEO on emerging issues and pressures in relation to significant change initiatives impacting the department;
  • provide advice to the Executive Committee on the status of agency priorities by actively monitoring the agency’s new and existing projects and programs, to make sure they continue to align with and reflect government policies and priorities;
  • play a key role in identifying emerging risks and constraints in the agency’s ability to deliver outcomes, and in managing the cumulative effect (including across groups and programs) of implementation timeframes; and
  • provide recommendations to the Executive Committee on issues relating to budget, benefits realisation and prioritisation.

1.14 The Chief Information Officer (CIO) is responsible for Services Australia’s ICT operations and systems development work, including the current welfare payment system. National Managers, who report through their General Managers to the CIO, are technical owners of the various components of ICT systems, and have responsibilities set out in a suite of ICT policies endorsed by the CIO. The WPIT Programme is managed by the Deputy CEO Transformation Projects (see paragraph 1.19).

Welfare payment system redevelopment

Why did Services Australia want to replace the current system?

1.15 In the 2013–2014 Budget, Government authorised ‘a first pass business case to identify options for the upgrade or replacement’ of ISIS.11 In February 2014, the National Commission of Audit recommended that Government redevelop, simplify, and consider outsourcing part or all of the welfare payment system.12 In November 2014, Services Australia advised Government that the current welfare payment system was dated, complex and costly to administer. Services Australia advised that continuing with the current system was not an option due to increasing risk of service delivery failure (overpayments, failed and incorrect payments, service disruptions and fraud), and inability to cost effectively introduce more innovative welfare policy, including opening up services for contested delivery.

1.16 Services Australia advised Government that existing technology would not support future policy needs or expectations, including digital end-to-end service delivery, with almost all transactions currently requiring staff intervention. Services Australia advised that implementing new policy on the current system was increasingly expensive and slow, even for simple changes.

What was the system redevelopment strategy?

1.17 In February 2015, Government agreed to the WPIT Programme to deliver new technology and broader transformational change to Centrelink-related operating structure, business rules and processes. The WPIT Programme was planned to run from 1 July 2015 to 30 June 2022. At its inception, the WPIT Programme aimed to redevelop the welfare payment system over five tranches (see Appendix 2), offset by ongoing returns to government of $312 million per annum from year eight, and conclude with decommissioning ISIS by 30 June 2022. Each tranche commenced when the former tranche concluded.

1.18 Services Australia has changed the WPIT Programme schedule, with extensions to tranches one, three and four and merging tranches four and five. The revised schedule remained within the original seven-year timeframe. Changes to the tranches included deferring work on some deliverables to later tranches. These changes increase the importance of managing risks to the current welfare payment system during the redevelopment process, particularly if it remains in operation longer than originally anticipated. Figure 1.3 illustrates the timeline for the WPIT Programme.

Figure 1.3: Timeline of the WPIT Programme

This figure presents a timeline of key dates for the WPIT Programme. It includes the commencement dates of each of the four tranches as well as key approval and funding stages.

Source: ANAO, based on a Services Australia diagram.

Governance of the WPIT Programme

1.19 The WPIT Programme is managed by the Deputy CEO Transformation Projects, and WPIT Programme governance arrangements are set out at Figure 1.4, including:

  • the Programme Architecture Working Group, established to provide strategic guidance on program architecture and assurance that business and technology transformation structure design aligns to and delivers program outcomes;
  • the Business Transformation Advisory Group and the WPIT Strategic Advisory Committee (with representatives from Services Australia’s policy partner agencies) advising the Programme Control Board;
  • the Programme Control Board, which sets the direction and drives program outcomes, supported by committees and working groups, and reporting to Services Australia’s Executive Committee;
  • the Implementation Committee also reporting to the Executive Committee (see paragraph 1.12); and
  • reporting to the Finance and Government Services Ministers, who also receive advice from their appointed WPIT Expert Advisory Group.13

Figure 1.4: WPIT governance structure

This figure presents the WPIT governance structure. It includes the Minister for Finance and the Minister for Government Services. It also outlines the Services Australia and external governance bodies.

Source: ANAO representation of a Services Australia diagram.

Previous reviews and internal audits

1.20 The WPIT Programme is subject to the Department of Finance Gateway Review process. To date, four Gateway reviews have been undertaken, and the next is due by September 2020.14

1.21 Services Australia commissioned seven reviews of the WPIT Programme over 2016 to 2018 that examined governance, program management and risk management arrangements.

1.22 A separate review of the WPIT Programme15 found in August 2018 that the program ‘is a necessary investment … will deliver reasonable value for government’ and ‘is the most appropriate vehicle to effect this transformation’ in delivery of welfare payments and services. The review made 16 recommendations focused on strengthening program delivery to maximise its value, all of which were accepted by Services Australia.

1.23 Services Australia completed internal audits between July 2015 and June 2019 that assessed various aspects of:

  • ICT management relevant to the operation of the current welfare payment system, including access control, incident management, change management, user acceptance testing, information security and workforce planning; and
  • the WPIT Programme, including program management and governance, risk management, program assurance and data migration.

1.24 The ANAO has not previously performance audited the welfare payment system redevelopment program.16

Rationale for undertaking the audit

1.25 The primary basis for the WPIT Programme was that the current welfare payment system could not continue operating and required replacement. Advice to government indicated a number of risks to operating and adapting the system, as required to meet changing policy requirements. The ANAO examined Services Australia’s management of these system operating risks during the redevelopment process.

1.26 The replacement of some or all of a major ICT system also requires entities to manage risks around planning transition to the future system. This includes designing a future system that delivers the key functions of the current system, decommissioning replaced elements of the current system, and preserving the future use and value of information stored in the current system.

1.27 A number of Australian Government agencies operate and may need to replace some or all of a major ICT system, and face similar risks.

Audit approach

Audit objective, criteria and scope

1.28 The audit objective was to assess whether Services Australia appropriately managed risks to operating the current welfare payment system and appropriately prepared to transition to the future system. To form a conclusion against the audit objective, the following high-level criteria were adopted:

  • Did Services Australia appropriately manage risks to operating the current welfare payment system?
  • Did Services Australia appropriately prepare to transition to the future welfare payment system?

1.29 The audit focused on the welfare payment system, and did not examine the management of ICT systems supporting other government programs or corporate activities.

Audit methodology

1.30 The ANAO:

  • examined documentary evidence from Services Australia;
  • observed aspects of the welfare payment system; and
  • considered oral and written evidence from key management personnel from Services Australia.

1.31 The audit was open to citizen contributions, and received one contribution.

1.32 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $550,406.

1.33 The team members for this audit were Christopher Swain, Nathan Callaway, Steven Kouparitsas, Barbara Das, Emily Kilpatrick and Peta Martyn.

2. Operating the current welfare payment system

Areas examined

The ANAO examined whether Services Australia appropriately managed risks to operating the current welfare payment system during the redevelopment process — to ensure the system will continue to function throughout the redevelopment process.

Conclusion and findings

Services Australia had largely appropriate arrangements to manage risks to operating the welfare payment system. Services Australia established and maintained a risk management framework at the entity and group levels that applied to various elements of the welfare payment system. Payment correctness and system availability risks were managed. Services Australia did not apply an appropriate framework to manage cyber security risk, and did not monitor the cost of operating the system.

Areas for improvement

The ANAO made three recommendations aimed at Services Australia risk assessing, certifying and accrediting all elements of the current welfare payment system, and monitoring system operating costs and the use of workarounds.

2.1 During the system redevelopment process, Services Australia has needed to manage risks to operating the current welfare payment system. This system will need to continue to make welfare payments until the new elements are fully operational and superseded elements are decommissioned, originally planned for June 2022.17

2.2 Services Australia’s Technology Plan 2016–20 stated that:

During our digital transformation, we must still maintain our core systems. So we must work at two speeds across the department, one focused on stability and the other on agility. This will ensure that we maintain the quality, reliability and stability of our core systems while we support agile digital transformation through technology.

2.3 In 2015, Services Australia advised Government of a number of risks to operating the welfare payment system due to its age and complexity, including increasing cost, slower policy change implementation and potential service failure. The 2015 Gateway Review similarly described the system as ‘outdated and nearing end of life’. The 2016 business case for funding stated that:

It is not an option to continue to operate and maintain the current welfare payments system. It is not sufficiently responsive to Commonwealth policy directions and must be redeveloped to provide modern payment and claims processing. It also generates increasing risk of overpayments, failed and incorrect payments, service outages and disruptions, and fraud.

2.4 The ANAO examined whether Services Australia appropriately managed these risks to operating the welfare payment system — to ensure the system will continue to function throughout the redevelopment process. Specifically, the ANAO examined whether Services Australia:

  • established and maintained an appropriate risk management framework for the welfare payment system — to ensure that risks to operating the system could be assessed, controlled and monitored;
  • appropriately managed risks to the operation of the welfare payment system — to ensure the system could continue operating until it is decommissioned; and
  • appropriately managed risks associated with adapting the welfare payment system — to ensure the system can continue to support changing policy and legal requirements until it is decommissioned.

Did Services Australia establish and maintain an appropriate risk management framework for the welfare payment system?

Services Australia established and maintained a risk management framework at the entity and group levels. This framework applied to the overall ICT environment, including various elements of the welfare payment system.

2.5 An appropriate system of risk oversight and management allows entities to effectively assess, control and monitor risks in order to achieve their business objectives. The Public Governance, Performance and Accountability Act 2013 (PGPA Act) prescribes that all Commonwealth entities must establish and maintain an appropriate system of risk oversight and management. The Commonwealth Risk Management Policy18 provides guidance to Commonwealth entities on implementing these systems, including for establishing a risk management framework.

2.6 Services Australia managed information technology-related risks at the entity and group levels and in July 2019 revised its approach to enterprise risk management. A new risk model was endorsed, and included seven risk categories subject to quarterly reporting to the Executive Committee. The ICT risks to the welfare payment system are covered in the enterprise risk category, ‘Payments and services—Risks to the agency delivering correct payments, and Whole-of-Government services, platforms and systems’. Following the endorsement of the new risk model, Services Australia approved and promulgated a revised Enterprise Risk Management Policy and Enterprise Risk Management Framework in February 2020.

2.7 The CIO Group is responsible for the operation and risk management of ICT systems across Services Australia, including the various elements that comprised the welfare payment system. CIO Group risk management, monitoring and quarterly reporting informed the monitoring of the payments and services entity-level risk category.

2.8 The CIO approved annual group-level risk management plans which were updated two to three times a year. In June 2020, the CIO Group risk management plan was revised to reflect the new entity-level risk approach. The CIO Group’s revised risk management plan includes additional risks that more clearly reflect the broad range of ICT risks to the welfare payment system.

2.9 CIO Group’s 2019–20 risk management plan clearly allocated responsibilities:

The CIO is accountable for the successful management of operational risk at the Group level, with the responsibility for the effective management of individual risks resting with allocated General Managers – or the Chief Information Security Officer, for ICT Security risks … National Managers own individual controls and treatments, and they are responsible for ensuring their effectiveness in mitigating aspects of the targeted risk.

2.10 The ANAO did not examine the full operation of the controls and monitoring framework implemented to support CIO Group’s risk management plan that applied to the overall ICT environment. Instead, the ANAO examined Services Australia’s management of key operational risks to the welfare payment system. The management of risks to the operations and adaptation of the welfare payment system is discussed in the paragraphs that follow.

2.11 Related gaps in documentation to support the assessment of risk and the identification of controls to mitigate assessed risk for key systems within Services Australia’s ICT environment were reported in the ANAO’s May 2020 Interim Report on Key Financial Controls of Major Entities.19 This suggests that there would be benefit in Services Australia reviewing system level risk management approaches.

Did Services Australia appropriately manage risks to the operation of the welfare payment system?

Services Australia had largely appropriate arrangements to manage risks to the operation of the welfare payment system. Payment correctness and system availability risks were managed. Services Australia did not apply an appropriate framework to manage cyber security risk, as it did not cyber security risk assess or accredit all elements of the system. Workforce capability risk management arrangements are being put in place. Services Australia did not monitor the cost of operating the system.

2.12 Services Australia provided advice to Government that ‘the current welfare payments system is dated, complex, costly to administer’ and that it ‘generates increasing risk of overpayments, failed and incorrect payments, service outages and disruptions, and fraud’. In order to assess whether Services Australia appropriately managed these risks to the operation of the welfare payment system during the redevelopment process, the ANAO examined:

  • payment correctness — whether Services Australia appropriately managed risks to the system making payments correctly;
  • system availability — whether Services Australia appropriately managed risks to the system being available to process and make payments;
  • resilience — whether Services Australia appropriately managed cyber security and disaster recovery preparedness risks;
  • capability management — whether Services Australia appropriately managed risks to hardware and software assets and workforce capability; and
  • operating cost — whether Services Australia appropriately managed risks associated with the cost of operating the welfare payment system.

Payment correctness

2.13 Payment correctness measures whether customers receive payments free of administrative and/or processing errors. Services Australia also uses an internal measure of ‘payment accuracy’ that includes both payment correctness and client error.

2.14 In the 2019–20 Corporate Plan, Services Australia identified ‘risks to the department delivering correct payments, and Whole-of-Government services, platforms and systems’. This was assessed in internal documents as ‘a risk that the department does not maintain the integrity of payments, including paying the right amount to the right person’, with one of 12 potential causes being that ‘systems do not process payments consistent with legislative or regulatory requirements’.20 For individual welfare payment programs, Services Australia developed Payment Accuracy Risk Management (PARM) plans, which assessed key payment accuracy risks to the program, including the risk of system failure. The PARM plans for the top five programs by gross payments in 2018–19 were examined. All plans identified, analysed and evaluated a number of payment accuracy risks, including the potential for the system to fail to process or assess correctly.21 None of the PARM plans examined identified the failure of the system to process correctly as a significant causal factor for any actual payment inaccuracies.

2.15 The process to control and treat payment correctness risks in the welfare payment system was set out in the Administered Assurance Framework, which established roles and responsibilities, including the requirement for a risk management plan for each administered payment, for controls and treatments to be implemented, and assurance activity to be conducted. Each of the PARM plans examined included a process to assess the effectiveness of current risk controls and propose additional risk treatments to ensure payment correctness. None of the PARM plans examined required additional risk treatments due to a system failure to process or assess correctly, although new system functionality was identified as a potential means to improve information used to determine eligibility and entitlement.

2.16 The Administered Assurance Framework set out monitoring processes, including pre-payment testing (for third party payments or unusual payment types), post-payment transaction testing, and the Random Sample Survey — which reviewed the accuracy and correctness of over 22,000 payments each year. Services Australia had appropriate processes to review payment correctness risks, including the Payment Integrity Conformance Programme22, internal audits, ICT quality assurance, and requirements to provide financial information and annual financial statement representations and assurance to those Australian Government entities on whose behalf it administers welfare payments, including payment integrity assurance for each payment type.23

2.17 Services Australia has a performance target that greater than or equal to 95 per cent of customers receive payments free of administrative and/or processing errors.24 This performance target had been published since at least the 1999–2000 Annual Report, was considered and re-endorsed in 2012 and has been endorsed since.25 In the 2018–19 Annual Report, Services Australia reported that 98.3 per cent of Centrelink customer payments were delivered correctly. Services Australia stated that the errors in the remaining 1.7 per cent of payments were mainly due to incomplete processing by staff (86 per cent), rather than incorrect system processing (seven per cent). Aggregate payment correctness outcomes exceeded the overall performance target set by Services Australia. Payment outcomes demonstrated that Services Australia appropriately managed payment correctness risks associated with the welfare payment system.

System availability

2.18 Services Australia set a performance target that systems that support 24/7 customer access are available 98 per cent of the time.26 This performance measure excluded scheduled maintenance periods, and only applied to online self-service access elements of the welfare payment system.

2.19 The CIO Group risk management plan identified, analysed and evaluated system availability risks at the enterprise level — broadly covering all ICT systems including various elements of the welfare payment system. As the welfare payment system uses shared infrastructure, system availability risks to shared infrastructure used by the welfare payment system were controlled and treated through a centralised process.

2.20 Services Australia put in place a process to monitor and review system availability. Services Australia stated that system availability of the M204 platform was monitored 24/7, and a system of controls, alerts, procedure statistics and dashboards is used, along with other methods for monitoring availability. System monitoring technologies enabled the availability and response times of specific business services to be verified, and Services Australia reported that in 2018–19 the ‘average number of priority one incidents was 0.4 per month’.27 Services Australia had a post-incident review process that covered system availability risks.

2.21 The 2018–2019 Annual Report stated that systems that support 24/7 customer access were available 99 per cent of the time (excluding scheduled maintenance periods) — however, as noted above, this did not cover all elements of the welfare payment system.28 Services Australia stated that over the same period, the welfare payment system experienced 34.1 days of planned and 9.4 days of unplanned outages, which meant the system was not available 2.6 per cent of the time due to unplanned outages.

Resilience

Cyber security governance framework

2.22 The Directive on the Security of Government Business requires non-corporate Commonwealth entities such as Services Australia to apply the Protective Security Policy Framework (PSPF) as it relates to their risk environment. The PSPF requires each entity to maintain the confidentiality, integrity and availability of all official information, and sets out core and supporting requirements for information security.29 The core requirements include assessing cyber security risk in accordance with the Information Security Manual (ISM), certifying and accrediting ICT systems, and implementing ISM strategies to mitigate cyber security incidents.30 The ANAO examined Services Australia’s cyber security documentation and management frameworks, and did not test the technical effectiveness of cyber security controls as part of this audit.31

2.23 Services Australia referred to the PSPF and ISM, as well as the National Institute of Standards and Technology and Trusted Digital Identity Framework, for standards and guidelines and maintained a suite of internal cyber security policies. The Chief Information Security Officer within the CIO Group is responsible for cyber security, and works with multi-disciplinary teams involving business, assurance and ICT subject matter experts during system upgrades. From December 2019, a Cyber Assurance Program of Work detailed system owners responsible for accepting residual risk for individual elements of systems, including those comprising the welfare payment system.

2.24 Services Australia assessed the risk that ‘the department does not make payments and deliver services, including through ICT systems’ and that ‘the department does not protect information from unauthorised access, use or release’. The December 2018 CIO Group operational risk management plan assessed that ‘there is a risk that customer personal and official information is compromised’, and identified potential causes including that ‘security policies and practices are not adhered to or are inadequate’ and that ‘systems and ICT-based services are not designed, configured or operated in a secure manner’. Both the strategic and operational assessments were generic to all ICT systems, not system-specific.

2.25 There was no cyber security risk treatment plan — or system security plan — specific to each of the elements of the welfare payment system. However, Services Australia self-assessed that it ‘has measures in place for the underpinning components including monitoring of vulnerabilities and appropriate patching, monitoring of system administrative and privileged access, and penetration testing of outward facing systems’. The ANAO did not separately audit the accuracy of this self-assessment, or its applicability to the welfare payment system.

2.26 The CIO Group risk management plan outlined 10 generic controls and five additional generic treatments intended to reduce enterprise-level cyber security residual risks from ‘high’ to ‘medium’. Controls included ‘a rolling process of system certification and accreditation’ under the PSPF — assessed as an effective control — and that ‘systems compliance is maintained with relevant Cyber Security related policies and standards’ including the ISM — assessed as mostly effective but in need of review.

2.27 In May 2016 an internal audit of system accreditation across Services Australia found that six of 118 systems across the agency had current accreditation, and 109 systems had never been accredited. In February 2019, an internal audit found that 21 systems were accredited. Services Australia’s self-assessment of risk control effectiveness was inaccurate in light of the lack of cyber security risk assessment or accreditation for the welfare payment system, and internal audit findings that most systems across the agency did not have accreditation.

2.28 On 26 November 2019, Services Australia finalised a System Assurance Program 2020–2022 that set out a schedule for accrediting various systems, including those comprising the welfare payment system. The program outlined initial accreditation but did not cover reaccreditation requirements. The System Accreditation Policy was later updated on 17 March 2020, introducing four accreditation levels and a risk-based method for determining which accreditation level to apply to a system or element of a system. The System Accreditation Policy assigns various elements of responsibility for accreditation to the Chief Information Officer, Chief Information Security Officer, the Assurance Director, system owners and business owners.

2.29 The ANAO examined the accreditation status of the welfare payment system in June 2020 and found:

  • a number of key elements (including ISIS and SAP CRM) were not accredited or under accreditation, but accreditation was planned to be undertaken in the System Assurance Program 2020–2022;
  • fourteen elements of the welfare payment system were at various stages of accreditation, of which seven were accredited (including three that were accredited more than one year after a risk assessment was conducted, and one accreditation that has since expired);
  • risk assessments were conducted by reference to internal policies and ISO 31000 risk frameworks and not ISM controls or control effectiveness; and
  • for accredited systems, risk controls were documented and assigned owners, and appropriate certification and accreditation authorities approved residual risk.

2.30 Despite identifying strategic cyber security risks and assessing the generic operational cyber security risk context as ‘high’ in 2018, Services Australia did not cyber security risk assess, certify or accredit all elements of the welfare payment system as required by the PSPF.32

2.31 The 2018–19 PSPF Assessment Report prepared by Services Australia on 3 October 2019 did not assess security accreditation for ICT systems. An external assessment of the effectiveness of controls listed in the Top Four and Essential Eight strategies had not recently been conducted for all elements of the welfare payment system. Previous internal audit reports of ICT systems found the implementation status of the Top Four strategies at Services Australia was lower than what had been self-assessed by the agency.

2.32 The ANAO May 2020 Interim Report on Key Financial Controls of Major Entities reported a related new moderate audit finding on IT Security Governance — relating to gaps in documentation to support the assessment of risk and the identification of controls to mitigate assessed risks; accreditation or risk assessments for critical financial systems that had not been updated in the last two years; and security and user access related observations across multiple applications. The ANAO recommended that governance and monitoring processes are strengthened to include the review and reporting of adherence to Services Australia’s Cyber Security Information Services Manual.33

Recommendation no.1

2.33 Services Australia risk assess, certify and accredit all elements of the current welfare payment system.

Services Australia response: Agreed.

2.34 Services Australia will prioritise Welfare Payment System component accreditations based on risk and criticality to the Agency’s core business. System accreditations will align with government Protective Security Policy Framework requirements.

Disaster recovery preparedness

2.35 Services Australia had enterprise-level disaster recovery arrangements, including an ICT Infrastructure Disaster Recovery Plan (DRP) that covered all ICT systems including the welfare payment system. An ICT disaster would be declared in defined and exceptional circumstances including the loss of one or both data centres, and other major outages would be covered by the DHS ICT Incident Management Process — although this document was in draft form and other groups were not consulted during its development. A major outage or disaster would potentially have impacts across the agency. Services Australia manages disaster recovery coordination through the ICT Response and Recovery Committee that has a direct relationship with the Agency’s Emergency Response and Recovery Committee.

2.36 Services Australia assessed that ‘there is a risk that the department does not make payments and deliver services, including through ICT systems’. The CIO Group operational risk management plan identified that ‘There is a risk that availability of ICT services and systems cannot be maintained or their performance does not meet agreed service level’, and identified, as a potential cause of this risk, that ‘appropriate business continuity and disaster recovery measures are not in place and tested’. Services Australia stated that ‘the existing ICT Disaster Recovery Plan provides the direction for restoration of services’.

2.37 Services Australia had critical backup data capabilities maintained in two data centres in close proximity to each other, which increased the vulnerability of the system to location-specific or provider-specific risks. This proximity did not provide appropriate geographic dispersion as required by the ISM. A risk assessment commissioned by the contracted service provider assessed a range of hazards as presenting no, low or assumed low likelihood of operational interruption, but did not evaluate the risk ratings by reference to the lower risk of geographically dispersed sites. Both data centres were security recertified in December 2019. In addition to the two data centres, Services Australia also maintained a data vault in a third location.34 The ANAO examined disaster recovery arrangements at one of the data centres, and brought certain physical security deficiencies to the attention of Services Australia.

2.38 Services Australia undertook system element level disaster recovery testing. The CIO Group had a disaster recovery test program and a business continuity exercise program, which included the SAP CRM. Services Australia applied risk management standards to entity-level disaster recovery preparedness, and managed disaster recovery and business continuity as a specialist risk category.35

Capability

Hardware and software assets

2.39 The CIO is responsible for ICT capability risks, and manages risks relating to hardware and software capability through maintenance agreements. Services Australia maintained an ICT Infrastructure Capacity Plan and a 2019–20 Capital Plan.

2.40 The CIO Group risk management plan identified risks including Strategic Risk 8 ‘Failure to Develop and Maintain Sufficient ICT Capability to Meet Current and Future Business Needs’. For the generic ICT environment, Services Australia stated that ‘Infrastructure capacity is guided by an ICT Capacity Plan … informed through regular monitoring of usage, and forecasting of future performance and capacity needs based on workload, storage and contingency requirements’. However, Services Australia assessed this control as ‘only partially effective’ and needing review.

2.41 On a quarterly basis, Services Australia monitored and reported on the hardware capacity of key elements of the welfare payment system (including SAP CRM and ISIS). This reporting covered capacity utilisation, and identified issues with recommendations for action. This monitoring and reporting could be improved by linkage to assessed capability risks specific to the welfare payment system. However, there was a process to monitor and review individual contracts for hardware and software capability — the ANAO examined contract management plans for hardware and software vendors, and found these included processes to monitor contractual obligations. The ANAO did not audit whether the processes to monitor contractual obligations were implemented.

Workforce capability

2.42 The Strategic Workforce Plan 2017–2019 recognised a number of ICT capabilities amongst the top ten critical job roles, which it described as ‘the highest risk roles that will affect the department’s ability to meet business outcomes’. The 2019–2023 Strategic Workforce Plan similarly assessed workforce risks at an entity level, including for the ICT workforce. The CIO Group risk management plan identified the risk at the group level that ‘our workforce will lack the skills and positive commitment required to support achievement of the department’s strategic priorities’, analysed this as a ‘Medium’ risk, and evaluated that it was within tolerance but further treatment was desired. In 2015, Services Australia developed a Strategic Workforce Sub-Plan and People Strategy 2015–2019 specific to the WPIT Programme.

2.43 Separately to identifying the critical ICT roles and workforce risks in workforce plans, Services Australia defined its workforce capability requirements quantitatively through the annual internal budget process, but did not define and document qualitative requirements — such as the skills, knowledge and attributes required to operate the current welfare payment system. While Services Australia stated that ‘We do not believe we have capability risks “above tolerance”’, it did not compare the numbers, skills, knowledge or attributes of staff against targets set in a workforce plan for the system.

2.44 One workforce capability risk control in the CIO Group risk management plan was a CIO Group Strategic Workforce Sub-Plan, described as a partially effective control needing review. In October 2017, a Gateway Review recommended planning for the future-state ICT workforce as a matter of priority. In July 2018, Services Australia advocated closure of this recommendation, following modelling of the expected impact of system redevelopment from the WPIT Programme on the workforce numbers and skill mix, and development of an ‘immediate and longer term strategic approach to allocate workforce resources’. By March 2019, an internal audit found that ICT strategic ‘workforce planning and management practices are predominantly short-term, budget driven resource plans as opposed to longer term strategic workforce plans’ and made four recommendations to improve workforce planning. In January 2020, Services Australia commenced a risk assessment for the current welfare payment system with a CIOG Core Legacy Systems Workforce Strategy.

Operating cost

2.45 The CIO Group operational risk management plan assessed that ‘there is a risk that we do not operate in an optimal and cost-effective manner’. The 2019 Gateway Review also stated that ‘with multiple legacy systems, contracts and support arrangements in place, the department has unnecessary and duplicated costs in delivery services’. Services Australia stated that ‘…to manage costs at a unique service level in a very large and complex organisation requires a sophisticated level of activity based costing, which in itself is very expensive to implement and maintain. Services Australia can look to other similar organisations to ascertain best and most appropriate practice. Services Australia does use benchmarking to measure the cost performance of its ICT’.

2.46 Services Australia provided the ANAO with an indicative 2018–19 point in time estimate of the cost of maintaining ISIS and various system elements as in the order of $98 million each year. While Services Australia stated that it tracks overall ICT expenditure, it cannot disaggregate all of the system element costs and did not monitor the cost of operating the current welfare payment system. These costs could include hardware and software capital costs and depreciation, expenses for employees working on the system, costs associated with operating the system, costs associated with changing the system, and amounts paid to contractors. As a result, Services Australia was unable to break down these costs, monitor trends over time, or assess the ongoing value for money of this expenditure.

Recommendation no.2

2.47 Services Australia implement arrangements to monitor the operating cost of the welfare payment system in order to manage operating costs and enable evidence-based ICT investment decisions.

Services Australia response: Agreed.

2.48 Services Australia acknowledges the importance of ensuring ICT investment decisions are informed by an analysis of costs and benefits, commensurate with the risk and materiality of the project or programme of work.

2.49 At an enterprise level, Services Australia monitors the cost of operating and sustaining ICT systems – including those that support the welfare payment system – based on business functions, rather than individual components of payment platforms.

2.50 Services Australia is currently working towards increasing the level of detail and understanding of technology platform costs with the aim of providing improved visibility of the costs of maintaining different payment platforms.

2.51 Services Australia is also strengthening its governance arrangements to ensure an enterprise-wide view of prioritisation of investment in ICT systems and related infrastructure, informed by a consideration of the risks and benefits as well as improvements to operating costs of existing ICT systems.

2.52 These improvements will position the Agency to better understand and manage the operating costs of the welfare payment system and inform future ICT investment decisions.

Did Services Australia appropriately manage risks associated with adapting the welfare payment system?

Risks associated with adapting the welfare payment system during the redevelopment process were appropriately managed. A clear change management process supported Services Australia to manage changes to the system, and most changes were implemented on time and within budget. There were arrangements in place for emergency system changes and low rates of failed and abandoned system changes, although Services Australia did not appropriately monitor the use of workarounds over time.

2.53 In parallel to the redevelopment process under the WPIT Programme, Services Australia has needed to adapt the welfare payment system to changing requirements. These changes can be planned — for example changing legislative and policy requirements, remediation and system fixes in response to a problem or incident, or recurrent payment rate changes related to the Consumer Price Index — or unplanned, for example in response to an emergency. These ‘business as usual’ changes are separate from system redevelopment under the WPIT Programme.

2.54 In order to assess whether Services Australia appropriately managed risks associated with adapting the welfare payment system during the redevelopment process, the ANAO examined four areas of operational risk relating to adaptation:

  • anticipation — whether Services Australia established processes to anticipate and plan for changing requirements;
  • clarity — whether Services Australia established and maintained a clear change management process;
  • responsiveness — whether Services Australia changed the system within planned timeframes and budgets; and
  • improvisation — whether Services Australia appropriately adapted the system to unexpected situations or circumstances.

2.55 The ANAO examined two data sets throughout to test the audit criteria:

  • changes — a sample of 25 changes from a total of 1000 changes extracted for the period from 1 November 2018 to 31 October 2019 (referred to in the paragraphs that follow as 1000 changes when referencing the full population, and 25 changes when referencing the sampled changes); and
  • projects — six closed projects from a total of 60 closed projects for the period from 1 July 2017 to 30 June 2019, including the Energy Assistance Program one-off top-up payment project (referred to in the paragraphs that follow as 60 closed projects when referencing the full population, and six closed projects when referencing the sampled projects).36

Anticipation

2.56 Services Australia initially assesses the costs associated with proposed changes initiated internally or externally from policy agencies, such as the cost to change business processes and change the system. Once approved, changes are managed as projects under the Project Management Framework. Over the period from 1 July 2017 to 31 December 2019, Services Australia costed 588 initial assessments of new initiatives, of which 134 (22.8 per cent) had ICT impacts — 156 of the total initiatives received endorsement (26.5 per cent).

2.57 The process to anticipate and plan for system changes includes mechanisms to engage with internal and external stakeholders. Under the Project Management Framework, all projects must develop a project management plan and a business requirements statement, which form the main communication channel between the CIO Group and other business areas. The ANAO examined one change project — the Energy Assistance Program one-off top-up payment project — and found that a stakeholder engagement plan had been prepared, and system managers and business managers held frequent meetings and exchanged information during the project to refine costings and business requirements.

Clarity

2.58 An entity-wide ICT change management process was documented in the ICT Change Management Process, Project Management Framework and the ICT policy ‘Manage ICT Changes’. The documented process aligned to better practice industry guidance37, clearly defined types of changes, outlined the objectives of changes, provided functional overviews including roles and responsibilities, and included step-by-step processes.

2.59 The ANAO examined key ICT change policy documents and found that:

  • the ICT Change Management Process set out a risk management process for changes and assigned risk ownership and responsibility;
  • the Project Management Framework required all projects to have an endorsed risk management plan; and
  • the ICT policy ‘Manage ICT Changes’ required that ‘processes relevant to ICT change management must treat priority risks’.

2.60 Each of the 25 changes examined complied with the policy and procedure, including an assessment of the complexity of a change, and a risk and impact assessment. Each of the six closed projects examined had a risk management plan.

2.61 There was a documented release management process that included the use of a release management tool, technical verification testing and business verification testing.38 Services Australia uses test environments for ICT changes. Policies required ICT testing, including unit, system and integration testing and user acceptance testing.39 The ANAO observed a major release over 6–8 December 2019, and found that:

  • the release management process was followed, including segregation between the development and release management teams; and
  • ICT testing demonstrated that quality assurance processes were followed.

2.62 Quality assurance policies and procedures had been followed in each of the 25 changes examined. However, test summary results were not stored in the change management tracking system for five out of 25 changes, and so were not available to delegates approving changes. An internal audit of Services Australia in June 2019 stated that Services Australia’s ‘ICT Change and Release management framework and controls were found to be well designed and aligned to better practice’.

Responsiveness

2.63 Services Australia implemented 56 of 60 closed projects (93 per cent) within planned timeframes. Of the four projects not implemented on time, two were due to delays in the passage of legislation that required a delay in the date the change was released. No explanation was recorded for the remaining two projects that were implemented late.

2.64 Services Australia implemented the majority of ICT change projects within agreed budgets, and overall expenditure on ICT changes was well within agreed budgets. 58 of the 60 closed projects (97 per cent) were implemented within the planned project budget. Total expenditure for the 60 closed projects was $160.6 million against a total budget of $211.6 million (76 per cent of the total budget).

2.65 A key basis outlined by Services Australia in its advice to Government for investing in the WPIT Programme was that the welfare payment system was ‘not sufficiently responsive to Commonwealth policy directions’. Services Australia was limited in its ability to conduct an examination of the difference between the timeliness and cost of ICT changes in the older and newer system elements of the welfare payment system, as it did not maintain information or data that would enable it to determine the cost and time differentiation.

Improvisation

2.66 Services Australia defined emerging ICT issues that would need remediation, and assigned priorities to incidents and problems according to its internal policies. Emerging ICT issues are logged and incidents are tracked in the Service Manager software until they are resolved, for example by an ICT change. The ANAO examined all unresolved incidents and problems for the welfare payment system between 1 November 2018 and 11 December 2019, and found no priority 1 incidents remained unresolved, and the number of unresolved priority 2 incidents represented less than one per cent of the total logged incidents.

2.67 There were defined emergency change processes and there was a relatively low level of emergency changes compared to the total number of changes for the welfare payment system. The changes that the ANAO examined followed defined processes. For emergency changes, Services Australia followed the ICT Change Management Process. Emergency changes related to the welfare payment system accounted for only 36 out of the 1000 changes (3.6 per cent). This suggests a mature ICT environment as most changes are expected. The ANAO examined these emergency changes and found that all were approved in accordance with change management policies and procedures.

2.68 There were low rates of failed and abandoned changes due to the age or complexity of the system. Out of the 1000 changes to the welfare payment system, there were 18 failed changes (1.8 per cent) and 141 abandoned changes (14 per cent). The ANAO examined 59 of the 141 abandoned changes that occurred in the Families and Pensions program, as this program used both ISIS and SAP CRM. Seven changes (12 per cent of the 59 changes) were abandoned due to unforeseen system complexities, all of which were corrected by emergency fixes or included in other releases, resulting in no residual issues.

2.69 Other methods used by Services Australia to adapt the system to unexpected situations or circumstances were through the use of a system access role that allows authorised users to make changes directly to customer data, and workarounds. Services Australia’s use of this system access role regularly did not comply with ICT policy requirements in relation to the time allowed for access, and the scope of access. In June 2020, Services Australia amended the ICT policy requirements, removing the time limitations and scope restrictions on this system access role. User access is actively monitored by the Services Australia fraud team with respect to targeted fraud indicators, but Services Australia did not analyse whether all actions performed using this system access role were in accordance with the originally approved use. This could allow authorised users to make changes to system data resulting in welfare payments that are not in accordance with the approved change. Services Australia should actively monitor the use of this system access role.

2.70 A workaround is a manual processing method used by ICT or business areas when the ICT system is unable to be changed to support a business requirement. A manual workaround can result in a business process that will change either permanently or temporarily in response to an ICT change. A risk related to workarounds is that a sustained increase in the number of workarounds could escalate the manual processing requirements, cost and complexity of the system, and lead to perceptions that the welfare payment system is complex and needs to be replaced.

2.71 The ANAO examined two projects that required workarounds and found that while both projects identified the need for workarounds, only one partially assessed the consequences of the workaround — such as staff resources to conduct manual processing — and neither identified an end date for the workaround.

2.72 Services Australia did not track and monitor the use of workarounds, or take action over time to reduce the number of workarounds. If Services Australia does not manage workarounds effectively, the number of workarounds may increase over time, resulting in increased manual processing requirements, cost and complexity, and reduced efficiency.

Recommendation no.3

2.73 Services Australia develop and implement a policy to assess, control and monitor workarounds for the current welfare payment system over time.

Services Australia response: Agreed.

2.74 Services Australia will develop and implement a policy to assess, control and monitor the use of direct changes to the system through workarounds. The policy will confirm accountability, and outline the process to evaluate the risk associated with the workaround, and review whether the establishment of an enhancement or fix for the issue highlighted by the workaround is warranted.

2.75 As part of operationalising the policy, Services Australia will implement a process to enable a stocktake of current workarounds to review the cumulative effects to the system. New enhancements or fixes to replace workarounds will be prioritised for implementation where the outcome will reduce cost and complexity to the system while increasing efficiency.

3. Transition to the future system

Areas examined

The ANAO examined whether Services Australia appropriately prepared to transition to the future welfare payment system — to support improved welfare payment service delivery. The ANAO looked at the plans for transition to the future system, the process for designing the future system, and arrangements for data migration.

Conclusion

Preparations to transition to the future welfare payment system were largely appropriate. Services Australia established frameworks for planning transition to the future welfare payment system, and to plan the design of the future welfare payment system. However, delays to decommissioning system elements have put at risk expected benefits of the WPIT Programme. Services Australia has not yet established appropriate arrangements to migrate data to the future welfare payment system.

Areas for improvement

The ANAO made two recommendations aimed at Services Australia conducting a risk assessment of the decommissioning strategy, and to govern and risk manage data migration.

3.1 Services Australia is five years into a seven-year ICT change program to redevelop the welfare payment system that at program inception was planned to culminate in the decommissioning of a key element of the system – the Income Security Integrated System (ISIS) – by 30 June 2022.

3.2 The ANAO examined whether Services Australia appropriately prepared to transition to the future welfare payment system — to support improved welfare payment service delivery. The ANAO looked at the plans for transition to the future system, the process for designing the future system, and arrangements for data migration. Specifically, the ANAO examined whether Services Australia:

  • established an appropriate transition planning framework — to manage the system transition risks and ensure that transition occurs in a controlled manner, and to realise the expected benefits of welfare payment system redevelopment;
  • applied appropriate design processes to support transition planning — to ensure the future system improves welfare payment service delivery; and
  • made appropriate arrangements for data migration — to properly use and manage the data to improve welfare payment service delivery and preserve the potential future use and value of this information.

Did Services Australia establish an appropriate transition planning framework?

Services Australia established an appropriate planning framework for the transition to the future welfare payment system. However, delays to decommissioning a key element of the system (ISIS) have put at risk one of the original objectives of the WPIT Programme and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment. In June 2020, the decommissioning of this key element of the system was confirmed to be the main goal of the welfare payment system redevelopment. However, almost half of the decommissioning was not expected to be completed by the end of the program.

3.3 The transition process involves redeveloping the current welfare payment system to the target state for the future system. This involves progressively replacing some elements of the current system and was originally planned to eventually involve decommissioning ISIS. Transition planning and risk management are critical to ensuring transition occurs in a controlled manner, and achieves the desired outcomes of welfare payment system redevelopment. The consequences of not managing transition risks in relation to system decommissioning include:

  • process gaps, errors and system failure – when system elements are decommissioned before new system capability is effectively established;
  • competing processes that do not work together and deliver unexpected results and processing errors – when system elements are decommissioned well after new system capability is effectively established; and
  • changed system maintenance profile, increasing the ongoing management and overall system operating cost – if there are delays to new system capability being effectively established and system decommissioning during system redevelopment.

Transition planning framework

Program management methodology

3.4 To support the welfare payment system redevelopment program, Services Australia used the enterprise program management methodology. This included a manual, which documented the methodology, and supporting templates including a program management plan. The initial program management plan for the future welfare payment system was developed in February 2014, before the WPIT Programme commenced, with updated plans developed for each tranche of the program for subsequent years. Senior responsible officers at the Deputy CEO level approved each of the program management plans. Plans conformed to the requirements of the program management framework, and set out governance arrangements and assurance frameworks.

Risk management methodology

3.5 An appropriate risk management framework supported the transition to the future welfare payment system. The program control framework and the enterprise risk management framework were consistent with applicable risk management standards. Both frameworks established governance arrangements for program risk management, including assigning responsibility for risk management within the program, and identifying responsibility for elements outside the program. The frameworks set out processes for:

  • assessing program risk — identifying risks, analysing their likelihood and consequence, and evaluating them against risk tolerances, with critical program risks initially documented in a risk management plan, then migrated to a software tool that allowed for ongoing risk management;
  • controlling program risk — defining controls and assessing their effectiveness, and assigning controls to owners, with controls documented in a risk register and owners assigned to each risk and control with defined responsibilities; and
  • monitoring program risk — including risk tracking and escalation processes, with risks monitored on a monthly basis through the transition, and risk events documented through the Programme Status Report and reported to Programme Control Board and the Payment Reform Group Executive.

Managing transition to realise the benefits of welfare payment system redevelopment

3.6 Realising the full planned benefits of welfare payment system redevelopment depended on replacing and decommissioning ISIS, in particular savings associated with maintaining the future redeveloped system and not maintaining the current welfare payment system in parallel.

3.7 In 2014, Services Australia assessed the risk that the system would not be able to be decommissioned on time as a ‘critical risk’40, but downgraded this risk to not critical in July 2017 — after one of the fundamental planning assumptions of the WPIT Programme had been invalidated (that a single technology solution would be capable of replacing ISIS). The risk continued to be treated as a lower priority, and Services Australia suspended a decommissioning planning project in 2018 without a renewed risk assessment.

3.8 By November 2019, internal reports indicated the risk that the system would not be able to be decommissioned on time had become a realised issue with a ‘very high’ impact rating, and stated that decommissioning ‘is not achievable within the funding envelope or timeframe’. A process to ‘confirm if there is a credible decommissioning plan or whether gaps exist’ would not be undertaken until after new systems had been commissioned. Services Australia stated that this ‘occurred as a result of the underlying complexity of the ISIS replacement task and changes to the approach which could not have been anticipated at the outset’. This indicated that Services Australia would need to request more time and money from Government in order to achieve one of the original objectives of the WPIT Programme.

Box 1: Services Australia’s approach to decommissioning ISIS

Decommissioning a key element of the welfare payment system such as ISIS depends on first replacing that element.

The original planning assumption was that ISIS would be replaced by a single technology solution. The WPIT Programme began with an approach to market to identify and source a suitable technology solution. Following a two-stage procurement approach, Services Australia determined that the proposed solution and commercial arrangements did not represent a value for money outcome for the Commonwealth and the procurement was terminated.

Services Australia identified that this outcome invalidated one of the fundamental planning assumptions of the WPIT Programme — that a single technology solution would be capable of replacing ISIS. Significant replanning was required, commenced in July 2017 and resulted in the creation of two programs of work to replace core aspects of the ISIS platform:

  • The Entitlements Calculation Engine (ECE) program commenced in July 2018 with sourcing activities to identify an appropriate software and systems integrator to replace the calculation engine that is at the core of ISIS, and the procurement activity finished in October 2019.
  • The Payments Delivery Capability (PDC) program commenced in July 2018 with the objective of replacing the ISIS payments functionality and creating a whole of government payments engine.

In parallel with these major programs, planning work continued to develop approaches to replace the remainder of the functionality supported by ISIS. This culminated in an ‘ISIS Transition Plan’ in May 2020.

3.9 In June 2020, Services Australia identified that while ‘ISIS decommissioning is the main goal’, about 13 per cent of ISIS was estimated to be transitioned to SAP CRM and Payment Utility by the end of Tranche Three at 30 June 2020. A further 39 per cent of ISIS functionality was proposed to be transitioned in the scope of Tranche Four by 30 June 2022. Almost half of the decommissioning was not expected to be completed by the end of the program. Delays to replacement and decommissioning have put at risk the ability to deliver on the original objectives of the WPIT Programme, and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment.

Recommendation no.4

3.10 Services Australia conduct a risk assessment of the decommissioning strategy, implement appropriate controls, and actively monitor and report until decommissioning is complete.

Services Australia response: Agreed.

3.11 Services Australia acknowledges that an ongoing risk assessment, project and change management controls, monitoring and reporting for the decommissioning strategy will increase the likelihood that ISIS will be successfully decommissioned under the WPIT programme.

Did Services Australia apply appropriate design processes to support transition planning?

Services Australia applied largely appropriate processes to support transition planning to the future welfare payment system. A lack of current system functionality documentation impacted Services Australia’s capability to inform and commence the future system design. Critical elements of the future system are still in the design phase and this has had timing implications for the delivery of the redeveloped welfare payment system.

3.12 Documenting the functionality of the current welfare payment system, as well as any necessary workarounds, helps ensure that important functionality is replicated in the new system and any issues can be addressed. The design phase of an ICT change program informs the build phase, and is a key enabling process for the redevelopment of the future welfare payment system. The ANAO examined whether Services Australia:

  • ensured that documented functionality of the current welfare payment system appropriately informed design of the future system; and
  • established and applied appropriate design processes to enable the future welfare payment system.

3.13 The ANAO did not examine whether the design of the current or future system was appropriate and did not assess the effectiveness of program or project management.

Understanding the current system

3.14 The ANAO examined Services Australia’s documentation of system functionality for ISIS, as the key element of the welfare payment system being replaced. In January 2017, Services Australia introduced its current policies for documenting system functionality delivered through its ICT change projects and largely followed these policies from that point on.

3.15 Services Australia advised the ANAO that while it had recorded functionality in source code, there were historical gaps in its separate documentation of detailed functionality, dating back to the system’s introduction in the 1980s.

3.16 Changes to functionality have been documented since 2005, although some records were lost when word processing software changed, and documents were filed by change release rather than function. Attempts were made to develop complete specifications for some elements of ISIS, but this was not done consistently across the system due to cost. Instead, Services Australia relied on knowledgeable staff, a partially effective risk control due to the possibility that staff might leave, or that not all staff might understand the full functionality of the system. In order to manage documented system functionality gaps, as part of the ISIS transition planning from October 2019, Services Australia developed an inventory of ISIS. Services Australia acknowledged that additional early documentation of ISIS would have added value in understanding the transition pathway.

3.17 If Services Australia is still using ISIS following completion of the WPIT Programme, it may need to identify and address gaps in existing specification documentation to preserve its corporate knowledge of system functionality. Services Australia informed the ANAO that it did not consider investing in identifying and filling historical documentation gaps to be worthwhile as it expected the ISIS transition and decommissioning work to replace those components.

3.18 The ANAO also examined Services Australia’s approach to replicating system functionality for the Entitlements Calculation Engine (ECE) project, as it is a core component of the future welfare payment system and is intended to replace key ISIS functions.41 Services Australia documented initial approaches to extracting business rules from ISIS from 2016. Services Australia subsequently considered automated analysis of the source code in ISIS, which incorporates existing business rules, as the most practical approach to identifying the complete range of current functionality required to inform future requirements. In late 2019, Services Australia outsourced source code analysis as part of a contract to design and build the ECE.

Designing the future system

3.19 Services Australia’s approach to designing the future welfare payment system included developing design requirements in accordance with internal ICT project guidance. Services Australia’s business areas were involved in development and approval of user requirements and technical specification documents through consultation and, in some WPIT Programme projects, through roles on multi-disciplinary teams and in project governance roles. Issues raised during the program relating to timeliness of requirements development were managed through the WPIT Programme risk and issue management process.

3.20 Services Australia applied different methodologies — including waterfall and agile — to different elements of the welfare payment system redevelopment. For example, Services Australia’s approach to reengineering the Students payment process was undertaken using the Scaled Agile Framework for Enterprise42, designed for large scale software development. This iterative delivery approach did not require full upfront requirements development.

3.21 Services Australia planned for the ECE design work to be undertaken in later WPIT Programme tranches and for the new ECE system element to be selected by June 2018. A later project plan scheduled the decision for June 2019.

3.22 Services Australia entered into a contract in November 2019 for the ECE design and build, using the selected system solution and based on its existing knowledge of broader ISIS functionality. Detailed definition of functionality, incorporating all relevant business rules, was planned to occur broadly in tandem with future system build work over the period from 2020 to 2022. This will proceed following approval of an initial stage of the more detailed design work using Aged Pension business rules in June 2020.

3.23 The audit was not able to assess in detail the approach to designing the ECE for the new system as it was still in development. The remaining schedule for the ECE design and build is planned to be complete within the original program timeframe, by the end of June 2022.

3.24 In March 2019, Services Australia acknowledged that it had realised a strategic risk of not being able to meet its commitments to replace existing technology within expected time and budget allocations. Services Australia has not defined the technological end state or completed design of core components of the future system, including the ECE.

Did Services Australia make appropriate arrangements for data migration?

Services Australia has not yet established appropriate arrangements to migrate data to the future welfare payment system. Approaches to planning data migration commenced but were discontinued, and Services Australia has indicated that ‘there is no significant data migration in the scope of WPIT Programme to date, nor in the currently planned Tranche 4 scope’.

3.25 Services Australia identified that the future use and value of welfare payment information is of ‘paramount importance’ to service delivery and critical to achieving redevelopment objectives. The welfare payment system contains information about millions of Australians who have received welfare payments during the past 30 years.43 This information is valuable, and essential to Services Australia’s strategy to improve access to data and analytics to support improved welfare payment service delivery. This strategy could allow policy agencies to obtain on-demand access to near-real time welfare delivery data, and allow citizens to view and download their information and transaction statements. This information is also likely to have high potential future use and value for purposes other than transactional service delivery — including as a primary data source for performance information, social welfare research, and archival or historical purposes.

3.26 The ANAO examined whether Services Australia made appropriate arrangements to migrate data44 to the future welfare payment system — to properly use and manage the data to improve welfare payment service delivery and preserve the potential future use and value of this information. The ANAO did not examine initiatives to improve data governance or data analytics, either at an enterprise level or in relation to the welfare payment system, but instead examined data migration as an essential precondition to data governance and analytics.

Governance arrangements for data migration

Standards

3.27 Services Australia is required to manage information in the welfare payment system as a public resource45, in accordance with legislative obligations46, and to increase the future use and value of information.47 Services Australia referred to appropriate privacy and archival standards and information management principles in data migration-related documents.

3.28 The current records authority permitting the destruction of records documenting the delivery and review of payment or non-payment services was approved in 2012. This was before the Digital Continuity 2020 Policy and other developments in data analytics increased the importance of managing information as an asset to ensure its future use and value. Services Australia should work with the National Archives of Australia to review and modernise the records authority to emphasise data retention and use, consistent with the Digital Continuity 2020 Policy.

Accountability

3.29 A Gateway Review in October 2017 found that it was ‘unclear who is responsible for identifying and prioritising data migration’ and recommended clarifying accountability for data quality and data migration decision-making. In response, in 2018 Services Australia created a Chief Data Officer (CDO) role outside the CIO Group and the WPIT Programme. While the CDO defines and is custodian of data standards, strategies, sources and models, project teams are required to use this documentation and are accountable for the data migration itself. The 2019 Gateway Review found that the 2017 recommendation had only been partially implemented and recommended that the WPIT Programme ‘engage the CDO to ensure that data management requirements are appropriately assessed’, and assigned this recommendation the highest level of urgency (critical).

3.30 Services Australia stated to the ANAO that in response to the 2019 Gateway Review, WPIT Programme project teams worked closely with the CDO, including having CDO representatives involved in reviews of the High Level Information Architecture and participating in the Technical Design Authority for the ECE. This alignment of data governance and program data migration decisions was underway in 2020. Services Australia identified in January 2020 that: ‘The CDO Division will establish and embed Data Governance for the enterprise. Once this strategic governance is established, [the WPIT Programme] must engage and leverage the governance processes to ensure sufficient oversight is applied to the significant shift of Centrelink data assets to future state. This operational level of governance must be clearly defined with respect to boundaries on both sides’.

Planning

3.31 Data migration was considered in high level architecture planning in 2018 and an initial data migration framework in 2019. However, detailed planning for data migration at the program level was deferred to later in the WPIT Programme and not funded. The project to plan and manage data migration commenced in 2018, and was discontinued after two months because of funding shortfalls across the program. The decision not to plan critical data migration activities until well into the final stage of transition significantly increased the risk that Services Australia would not preserve the potential future use and value of social welfare information.

3.32 In early 2020, Services Australia started drafting a planning framework that set out considerations and planning stages for data migration, along with transition risks. Around the same time, information architecture documents noted key architectural decisions that remain to be made, including a realisation path for key system elements, and a future state strategy for historical data. In June 2020, Services Australia stated that:

  • the timing of data migration planning was impacted by shifts in the broader program scope. The original concept of implementing a new ‘industry vertical’ welfare payment system, which would have required wholesale data migration from ISIS to new system elements, was de-scoped in 2017 due to program time and cost constraints; and
  • the definition of the data migration scope was accordingly delayed until it completed planning and procurement in 2019 to define the new proposed solution architecture. Services Australia also considered its low enterprise data management maturity prior to this time would have presented significant risks to data migration, and that detailed data migration planning should occur within the specific context of each project stream.

Implementation

3.33 Detailed data migration implementation is dependent on the design of the ECE[48] and the related data integration approach, which is expected to be complete by 30 June 2022. In the meantime, the welfare payment system requires temporary data replication between ISIS and SAP CRM and associated data quality remediation, and ISIS remains the master version of the data. An internal audit of data replication in May 2018 recommended improvements to oversight and accountability for data management and replication processes. The project established to implement these recommendations and oversee data migration was closed shortly after the audit report was presented to the Audit Committee and before the report’s recommendations were implemented.[49]

3.34 Despite Services Australia recognising in April 2019 that ‘the department’s Data Management capability and maturity level is currently very low’, there was no central data migration work stream. Data migration, data quality and testing were the responsibility of individual projects within the WPIT Programme, which increased the risks that data migration and quality assurance would not be undertaken in a consistent manner. If data is not migrated into the future system or otherwise available, this could place the future use and value of this data at risk, and the contractual arrangements for the design of the ECE do not appear to fully mitigate this risk.

Data migration risk management

3.35 In 2015, the Risk Management Plan assessed ten critical risks to the WPIT Programme — but did not include data migration risks. By 2019, the Gateway Review stated that ‘there is a major risk arising from the migration of data from existing systems to any new delivery platform’ and noted concerns that there had been inadequate substantive action to determine the extent of data management requirements. Around the same time, Services Australia identified data migration risks in initial data migration framework and information architectural documents. However, these data migration risks were not subject to a systematic risk assessment process involving risk analysis and evaluation, and risks identified in the Gateway Review and other documents were not systematically analysed or evaluated. In June 2020, Services Australia stated that ‘There are no significant data migration risks…as there is no significant data migration in the scope of WPIT Programme to date, nor in the currently planned Tranche 4 scope’.

3.36 Individual projects identified data migration risks, but there was no systematic process of data migration risk identification or aggregation at the program level. This weakness in the risk identification process could result in data migration risks not being identified. Those risks that were identified at the project-level were analysed in terms of likelihood and consequence, but not evaluated against risk appetite or tolerance levels. This meant that these risks could not be appropriately prioritised for control and treatment.

3.37 Each of the project-level data migration risks the ANAO examined had one or more matching mitigations. However, the ANAO found that in two cases, serious risks to data migration were marked as ‘closed’ despite controls or treatments not being applied. These risks were that ‘a data migration strategy for all departmental applications and components that need to be decommissioned have not yet been defined’ and ‘the [WPIT] Programme may not fully align or support the [agency] Data Strategy’.

3.38 There was a process to monitor and review project-level data migration risks, all risks the ANAO examined had progress updates that reflected managerial oversight of the risk, and a number were closed after review. However, the closure of the project to plan and manage data migration (see paragraph 3.31) that was intended to ‘provide a centralised mechanism for the treatment of data risks within the WPIT Programme’ created a potential weakness in the monitoring and review of aggregated data migration risk.

Recommendation no.5

3.39 Services Australia govern, plan, resource and risk manage data migration in order to preserve the use and value of existing information in the future welfare payment system.

Services Australia response: Agreed.

3.40 Services Australia acknowledges and understands the need to preserve the use and value of existing information in the future welfare payment system, and to govern, plan, resource and risk manage the migration of data from the ISIS system.

Appendices

Appendix 1 Entity response

Entity response from Services Australia

Appendix 2 WPIT Programme schedule

1. Services Australia started the Welfare Payment Infrastructure Transformation (WPIT) Programme in July 2015 with the work and funding allocated to separate tranches. WPIT is due for completion in July 2022. The table below sets out the schedule and work originally planned for each tranche.

| Tranche | Original schedule | Revised schedule | Planned coverage |
| --- | --- | --- | --- |
| Tranche One | 1 July 2015 – 31 December 2016 | 1 July 2015 – 30 June 2017 | Planning, procurement[a], design and digital enhancements (for example, virtual assistants). |
| Tranche Two | 1 January 2017 – 30 June 2018 | 1 July 2017 – 30 June 2018 | Delivering end-to-end payment capability on a new platform for students and preparing requirements and procurements for the next tranche. |
| Tranche Three | 1 July 2018 – 31 December 2019 | 1 July 2018 – 30 June 2020 | Further implementing and enhancing end-to-end payments for students and jobseekers, developing payment capability for disaster relief payments and preparing requirements and procurements for the next tranche. |
| Tranche Four | 1 January 2020 – 30 June 2021 | 1 July 2020 – 30 June 2022 | Further implementing and enhancing improvements from earlier tranches and applying them to disability, carers and families payments. Preparing requirements and procurements for the next tranche. |
| Tranche Five | 1 July 2021 – 30 June 2022 | | Further implementing enhancements to remaining claim types (including the Age Pension) and decommissioning existing systems (M204 ISIS in particular). |

Note a: Establishing partnerships with vendors and validating the WPIT programme approach.

Source: ANAO, based on Services Australia documents.

2. Services Australia revised the schedule to extend Tranches One, Three and Four and to merge Tranches Four and Five while keeping within the original seven-year timeframe.

Footnotes

1 On 1 February 2020, the former Department of Human Services became Services Australia — an executive agency in the Social Services portfolio. In this report, the term ‘Services Australia’ refers to both the current agency and the former Department of Human Services, and current job titles are used for individual roles.

2 Excluding health provider compliance. In addition to social security and welfare assistance under the Centrelink master program, Services Australia delivers payments and services relating to the Medicare and Child Support programs, as well as payments and services in partnership with other departments, such as the Department of Health. Centrelink is the largest of the three programs Services Australia administers.

3 Prime Minister of Australia, Speech to the Institute of Public Administration, 19 August 2019, available from www.pm.gov.au/media/speech-institute-public-administration [accessed 8 September 2020].

4 The Hon Stuart Robert MP, Speech: AIIA Address, 29 November 2019, available from https://minister.servicesaustralia.gov.au/transcripts/2019-11-29-aiia-address [accessed 8 September 2020].

5 In this report, the term ‘current welfare payment system’ indicates the various information and communications technology (ICT) components that are the subject of the WPIT Programme, and the term ‘future welfare payment system’ indicates the future state ICT system that will result from the WPIT Programme. Some components of the current system will be retained in the future system.

6 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 8 September 2020].

7 Commonwealth, Senate Select Committee on COVID-19, Australian Government’s response to the COVID-19 pandemic, 30 April 2020, Ms Rebecca Skinner, Chief Executive Officer, Services Australia, available from https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;db=COMMITTEES;id=committees%2Fcommsen%2Fb0812db7-cb32-44e2-b624-15b7913cf122%2F0001;query=Id%3A%22committees%2Fcommsen%2Fb0812db7-cb32-44e2-b624-15b7913cf122%2F0000%22 [accessed 8 September 2020].

8 The term ‘eligibility’ refers to whether a person qualifies for a specific payment based on their circumstances – eligibility rules are a set of criteria that a person must satisfy to be eligible for a specific payment. The term ‘entitlement’ refers to the period and rate of a specific payment for an eligible customer, taking into account their circumstances. Relevant ‘circumstances’ vary by payment type and may include, for example, residency status and annual income.

9 In addition to welfare payments, ISIS processes payments for:

  • all programs except the Commonwealth Redress Scheme on behalf of the Department of Social Services;
  • disaster relief payments on behalf of the Department of Home Affairs; and
  • Child Care Benefit, Child Care Rebate and the (Prepare Trial Hire) PaTH Internship Incentive/Job Commitment Bonus on behalf of the Department of Education, Skills and Employment.

10 This calculation was made before the COVID-19 peak volume processing period.

11 Australian Government, Budget 2013–2014, Budget Paper No. 2 Budget Measures, 14 May 2013, page 195, available from https://archive.budget.gov.au/2013-14/bp2/BP2_consolidated.pdf [accessed 8 September 2020].

12 National Commission of Audit, Towards Responsible Government, February 2014, recommendation 60, page 233, https://trove.nla.gov.au/work/191045641 [accessed 8 September 2020].

13 The WPIT Expert Advisory Group comprises a chair and three members external to Services Australia, and the CEO as an ex-officio member.

14 The Gateway Review Process, managed by the Department of Finance, is in place to strengthen governance and assurance practices and to assist non-corporate Commonwealth entities to successfully deliver major projects and programs. Department of Finance, Gateway Reviews Process, https://www.finance.gov.au/government/assurance-reviews-risk-assessment/gateway-reviews-process [accessed 8 September 2020]. Gateway reviews of the WPIT Programme were reported to Services Australia in February 2015, April 2016, October 2017 and March 2019.

15 The review of the WPIT Programme was requested by Government and conducted by Mr David Thodey AO and the Nous Group, with terms of reference including to review progress, assess value for money, consider implementation, consider governance and management and analyse the potential for re-use of deliverables.

16 Performance audits of information and communications technology in Services Australia have included:

  • Auditor-General Report No.17 2007–08 Management of the IT Refresh Programme;
  • Auditor-General Report No.20 2007–08 Accuracy of Medicare Claims Processing;
  • Auditor-General Report No.50 2013–14 Cyber Attacks: Securing Agencies’ ICT Systems;
  • Auditor-General Report No.42 2016–17 Cybersecurity Follow-up Audit; and
  • Auditor-General Report No.59 2016–17 myGov Digital Services.

17 Services Australia, Annual Report 2017–18, page 36, available from www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2017-18 [accessed 8 September 2020].

18 Department of Finance, Commonwealth Risk Management Policy [Internet], July 2014, available from https://www.finance.gov.au/government/comcover/commonwealth-risk-management-policy [accessed 8 September 2020].

19 Auditor-General Report No.38 2019–20 Interim Report on Key Financial Controls of Major Entities, p. 190, available from https://www.anao.gov.au/work/financial-statement-audit/interim-report-key-financial-controls-major-entities-2019-20 [accessed 8 September 2020].

20 Other potential causes included incorrect interpretation of rules, processing errors, data entry errors, and five types of fraud.

21 The PARM plans examined also detailed the results of Random Sample Survey data used as statistical evidence to identify payment accuracy and correctness risks.

22 The Payment Integrity Conformance Programme provided assurance over payment integrity risk, including by assessment of the effectiveness of welfare payment system controls.

23 The ANAO also performs annual payment integrity testing over selected welfare payments as part of financial statement audits.

24 Services Australia, Corporate Plan 2019–2020 [Internet], page 14, available from www.humanservices.gov.au/organisations/about-us/publications-and-resources/corporate-plan [accessed 8 September 2020].

25 This performance standard was not included in service delivery agreements with partner entities. The Auditor-General Report Bilateral Agreement Arrangements Between Services Australia and Other Entities recommended that Services Australia works with other Australian Government partner entities to ensure that bilateral agreements include…effective performance measures and reporting mechanisms. Services Australia agreed with that recommendation, and undertook to implement changes to agreements within 18 months.

Auditor-General Report No.30 2019–20 Bilateral Agreement Arrangements Between Services Australia and Other Entities, p. 35, available from https://www.anao.gov.au/sites/default/files/Auditor-General_Report_2019-2020_30.pdf [accessed 8 September 2020].

26 Services Australia, Annual Report 2018–19 [Internet], page 184, available from www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2018-19 [accessed 8 September 2020].

27 Services Australia, Annual Report 2018–2019 [Internet], page 35, available from https://www.servicesaustralia.gov.au/organisations/about-us/annual-reports/annual-report-2018-19 [accessed 8 September 2020]. This was an almost threefold increase from 0.14 per month the previous year: Services Australia, Annual Report 2017–2018 [Internet], page 148, available from https://www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2017-18 [accessed 8 September 2020].

28 Services Australia, Annual Report 2018–19 [Internet], page 184, available from www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2018-19 [accessed 8 September 2020].

29 The PSPF articulates government protective security policy and provides guidance across the areas of security governance, personnel security, physical security and information security. This section of the report examined aspects of information security.

30 Chapters 8 to 11 of the PSPF set out core and supporting requirements for information security. Risk assessment, certification and accreditation requirements are set out in Chapter 11 Robust ICT systems.

31 The 2017 Cybersecurity Follow-up Audit report found that the then Department of Human Services was compliant with the Top Four mitigation strategies and was cyber resilient. The audit did not examine PSPF accreditation requirements as they are not part of the Top Four mitigation strategies. This audit has examined the certification and accreditation of ICT systems, as they are part of the core requirements for information security in the PSPF. In examining the cyber security governance framework, the Cybersecurity Follow-up Audit noted that the audited entities ‘were not always following the policies and procedures of their internal information security frameworks’ (Table 3.2).

Auditor-General Report No.42 2016–2017 Cybersecurity Follow-up Audit, pp. 5 and 32, available from https://www.anao.gov.au/sites/default/files/ANAO_Report_2016-2017_42.pdf [accessed 8 September 2020].

32 Services Australia stated that the welfare payment system consisted of ‘various infrastructure, network, application components and subsystems’, of which it had conducted risk assessments for seven components, and certified the DHS Gateway — but had not risk assessed, certified or accredited the other components or the system as a whole.

33 Auditor-General Report No.38 2019–20 Interim Report on Key Financial Controls of Major Entities, p. 190, available from https://www.anao.gov.au/work/financial-statement-audit/interim-report-key-financial-controls-major-entities-2019-20 [accessed 8 September 2020].

34 The ISM requires that backups are stored at multiple geographically-dispersed locations (ISM control 1513). The primary and secondary production data centres were managed by the same contracted service provider, and were located within 9 kilometres of each other. The data vault was 20 kilometres away from the data centres, and the disaster recovery kits were both stored in the same building as the data vault. Each data centre was within two kilometres of active fires over the 2019–2020 bushfire season.

35 The requirement for Australian Government entities to establish a business continuity management program was removed from the Protective Security Policy Framework from 1 October 2018, although specific controls remain in the Framework and the Information Security Manual. The CIO Group managed business continuity as a specialist risk category within the risk management framework.

36 Between 1 July 2017 and 30 June 2019, there were 29 active projects and 60 closed projects.

37 The Information Technology Infrastructure Library (ITIL) and the Control Objectives for Information and Related Technologies (COBIT) framework.

38 The release management tool is a system-based tool that assists release management staff to control this process, relying on automated processes rather than solely manual processes. Technical verification testing (performed by technical staff) and business verification testing (performed by business areas) is the final stage in the release testing cycle. These tests assess that changes operate as intended and that there are no unanticipated consequences.

39 Unit testing evaluates whether each unit of the software performs as designed. Integration testing evaluates the interaction between integrated units and identifies any faults in how units interact. System testing evaluates the system’s compliance with the specified requirements. User acceptance testing evaluates whether it is acceptable for delivery to business areas (users).

40 A critical risk was defined as one that, if realised, would prevent the WPIT Programme from achieving its objectives and future state vision.

41 The Entitlement Calculation Engine applies business rules to information about customers to determine eligibility and entitlement to welfare payments. It is a core component of the welfare payment system, alongside other components such as Payment Utility, Debt Management and Correspondence.

42 The Scaled Agile Framework for Enterprise created by Scaled Agile, Inc uses an iterative approach to software development.

43 The sensitive and personal information held in the current welfare payment system includes identifying information such as name and address details, as well as information about personal, family and financial circumstances, welfare eligibility and entitlement, and welfare payments.

44 Data migration ensures that all data and information in the current welfare payment system will be available within the future welfare payment system and the future use and value of that information is preserved. However, migration of only some data means that non-migrated data may be destroyed or rendered unreadable or unusable when the current system is decommissioned, contrary to government policy.

45 Accountable authorities of Commonwealth entities must ‘govern the entity in a way that…promotes the proper use and management of public resources for which the authority is responsible’: Public Governance, Performance and Accountability Act 2013, section 15.

46 Such as the Privacy Act 1988, the Archives Act 1983, and relevant records authorities.

47 National Archives of Australia, Digital Continuity 2020 Policy, October 2015, available at https://www.naa.gov.au/information-management/information-management-policies/digital-continuity-2020-policy [accessed 8 September 2020].

48 The Entitlement Calculation Engine is a key software component of the welfare payment system, and uses business rules and circumstance data to calculate customer entitlements.

49 The internal audit report was finalised on 16 May 2018, the Audit Committee was briefed on Services Australia’s response to establish a project to oversee data migration on 5 June 2018, and the project was closed in late August 2018.