- The DTA's procurement of digital and ICT-related services
Auditor-General Report No. 5 2022–23
Introduction
Background
3.1The audited entity was the Digital Transformation Agency (DTA). The DTA was established in 2016 to replace its predecessor, the Digital Transformation Office. According to its corporate plan, the DTA aims to be a trusted adviser on digital and ICT investment decisions, as well as to simplify digital procurement and reduce costs for the Commonwealth.
3.2Procurement is a core function of the DTA. As such, the audit aimed to assess the effectiveness of the DTA's procurement of ICT-related services through an examination of the DTA's procurement framework, its procurement activity and its contract management.
Audit findings
3.3Auditor-General Report No. 5 of 2022-23, Digital Transformation Agency’s Procurement of ICT-Related Services examined a sample of nine procurements undertaken between 1 July 2019 and 30 June 2021. The procurements were selected on the basis of risk, value, and relevance. They included seven of the DTA's nine highest value procurements over this period. Seven of the procurements used the DTA's Digital Marketplaces panel, with one each of the remaining two being limited tender and open tender procurements.
3.4The audit found that none of the nine procurements were effective. The DTA's implementation and oversight of its procurement framework was found to be weak, the agency did not follow its internal policies and procedures, and there were weaknesses in its governance, oversight and probity arrangements.
3.5None of the 9 procurements complied fully with the Commonwealth Procurement Rules (CPRs). Approach to market and tender evaluation processes were not conducted effectively, and its contract management performance was not effective and fell short of ethical requirements.
3.6The ANAO made nine recommendations, eight of which were addressed to the DTA and one of which was addressed to the Australian Government. The DTA agreed to all eight recommendations.
Chapter overview
3.7This chapter discusses key findings from the audit as well as the actions taken by the DTA’s in response. In particular, it considers:
- the DTA’s procurement governance and oversight arrangements
- the DTA’s procurement planning and approaches to market
- the DTA’s tender evaluation processes
- contract management, and
- procurement culture at the DTA.
Governance, oversight, and probity
Governance and oversight of procurement
3.8The audit report found that the DTA had established appropriate governance and oversight arrangements for procurement, but that their application was not systematic. This section outlines the governance and oversight mechanisms relating to procurement which were in place at the DTA, including its Executive Board and Audit Committee, as well as the frameworks which were intended to manage procurement risk and probity.
3.9The DTA had established procurement governance mechanisms which were compliant with the Commonwealth Procurement Rules (CPRs) and the Public Governance, Performance and Accountability Act 2013 (the PGPA Act). Section 20A of the PGPA Act permits an entity to give instructions to its officials ‘about any matter relating to the finance law’.
3.10The DTA had established Accountable Authority Instructions in line with the PGPAAct and the Department of Finance’s further guidance in Resource Management Guide 206. The instructions required officials to comply with the CPRs, the PGPA Act and the Public Governance, Performance and Accountability Rule 2014 (the PGPA Rule).
3.11The DTA had also established finance policies on various procurement methods, operational guidelines on the PGPA Act, a Probity Guideline and conflict of interest declaration policy, as well as a Fraud and Corruption Control Plan. The ANAO noted that ‘these policies and guidance were largely appropriate and available to staff on the DTA intranet’.
3.12The DTA had also established appropriate internal governance mechanisms, particularly as they related to risk management. The main governance forum was the Executive Board, which met monthly. The terms of reference for the Executive Board was to ‘determine strategic direction, manage overall performance, and provide advice on the administration and operations of the DTA’ including the ‘development and implementation of systems, processes, and internal controls for the management of the DTA’s risks’.
3.13The DTA had also established an Audit Committee as required under section 17 of the PGPA Rule. The Audit Committee’s written charter indicated that the committee would ‘review and provide advice on the appropriateness of the DTA’s: risk management framework; articulation of key roles and responsibilities relating to risk management; and approach to managing the entity’s key risks, including those associated with projects and program implementation’.
3.14The audit report noted, however, that ‘the DTA has not been following its internal policies and procedures, and there are weaknesses in its governance, oversight and probity arrangements for procurements’. One such weakness was that the Executive Board did not actively manage risks arising from the DTA’s procurement activity:
In 2020–21, the Executive Board did not consider procurements or provide advice on managing procurement risk. The DTA’s 2020–21 Corporate Plan stated that the DTA actively manages risks at its Executive Board meetings. However, risk management was not included as an agenda item for any of the Executive Board meetings in 2020–21.
3.15In relation to the DTA’s Audit Committee, the ANAO noted that the committee had reviewed a one-page report on the DTA’s risk controls and had noted that a Risk Policy and Framework and an Enterprise Risk Management plan were 'in place but not yet mature'. However, ‘[t]here was no evidence in the Audit Committee papers that the Audit Committee considered or provided advice on risks relating to the procurement of ICT-related services during the period examined by this audit.
3.16The DTA also had a risk management policy for employees, and had made the policy and associated guidance material available on the DTA intranet:
The DTA had the following risk policies and guidance in place and accessible to staff on the DTA intranet:
- Managing risk’ - an intranet page on identifying, reporting and escalating risk;
- ‘Risk management process’ - an intranet page about the process; and
- a template for a risk and control register, with a risk matrix and guidance on ‘how to conduct a risk assessment’ and ‘how to approach the risk register’.
- In spite of this, however, the audit found that only two of the nine procurements examined by the ANAO had prepared risk assessments, and that ‘neither risk assessment was consistent with DTA guidance on how to assess and rate risk'. As such, the ANAO recommended that the DTA act to ensure procurement risks are being properly monitored, managed and escalated.
- The DTA addressed this recommendation by implementing a ‘compensating control’ in an effort to treat procurement risks:
… effective 17 June 2022, the Head of Corporate was authorised as a central point of control for all planned procurements before approaches to market are undertaken by delegates to ensure ... [p]rocurement risks are identified and either mitigated or escalated to the delegate for consideration and action.
3.19The DTA also implemented a procurement checklist to assist its staff in ensuring proper process is followed in future procurements:
A Procurement Checklist is required to be completed and accompany each procurement. The completed checklist will be captured with the relevant procurement and kept as an appropriate record.
The DTA’s management of probity
3.20Department of Finance procurement guidance material notes that probity is ‘the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process’.
3.21The audit report highlighted a number of problems in how the DTA managed probity, particularly in the implementation of its fraud management policy and its management of conflicts of interest.
3.22Section 10 of the PGPA Rule requires entities to take all reasonable measures to prevent, detect and deal with fraud, including by fraud risk assessments, fraud control plans, fraud awareness and prevention training, and fraud detection mechanisms.As noted above, the DTA's Accountable Authority Instructions had a section on fraud control and it had established a Fraud and Corruption Control Plan.
3.23However, the DTA did not follow its fraud plan. An instance of potential fraud was examined in 2020-21 after concerns were raised by the DTA's procurement team. The incident involved the engagement of contractors by an official who did not declare an existing relationship with the successful contractors.
3.24According to the DTA’s fraud control plan, the incident should have been investigated according to the Australian Government Investigation Standards. Instead, an 'initial assessment' was conducted by the company contracted to manage the DTA's internal audit program. The DTA did not conduct any further investigation following this initial assessment.
3.25The ANAO concluded that the DTA did not take appropriate action following this initial assessment report. As such it recommended that the DTA require all employees to complete fraud awareness and procurement training and strengthen its processes to ensure that potential fraud and probity breaches are properly investigated.
3.26In response, the DTA submission noted that:
Commencing from the 2022-2023 performance cycle, mandatory education and training for Fraud Awareness and Commonwealth Resource Management training are now formally linked to satisfactory performance of employees’ substantive position. Employees will be deemed as not meeting expectations until such time as they have completed the mandated training.
3.27The DTA’s management of broader probity concerns was also imperfect. The CPRs state that officials undertaking procurements must act ethically, which includes recognising and dealing with actual, potential and perceived conflicts of interest. The Probity Guideline established by the DTA included principles such as ‘fairness and impartiality, consistency and transparency of process; security and confidentiality; and identification and resolution of actual or perceived conflicts of interest’ and required that DTA officers undertaking a procurement sign a ‘Declaration of Acknowledgement and Agreement to the DTA Probity Guideline’.
3.28In spite of this, however, the ANAO found that none of the officials involved in the nine procurements examined in the audit report had signed a declaration.
3.29The ANAO also noted that although the Probity Guideline mentioned the use of procurement and evaluation plans, it did not mention probity plans. None of the nine procurements examined by the ANAO had a probity plan.
3.30The DTA’s Probity Guideline also set out conditions for the employment of probity advisers, suggesting that they should be employed for any of the DTA’s high risk, high value procurements. However:
Higher value procurements did not have a probity advisor, and the DTA did not make risk-based decisions on whether to appoint a probity advisor. As the DTA did not assess the risk for seven of the procurements examined, the ANAO could not assess whether these procurements should have had a probity advisor according to DTA policy.
3.31The most basic element of the management of probity in procurements is the management of actual or perceived conflicts of interest. Poor practice in managing actual, potential or perceived conflicts is corrosive to trust in an entity’s procurement processes. The DTA’s Accountable Authority Instructions and Probity Guideline laid out policies for the disclosure of conflicts. The Accountable Authority Instructions said that all officials ‘must disclose material personal interests in line with Commonwealth and DTA policy and operational guidelines’, while the Probity Guideline required officials involved in open tender procurements to complete activity-specific interest declarations:
The DTA Probity Guideline further states that all DTA officers and contractors (‘DTA Affiliates’) involved in an open tender procurement must complete and sign a declaration of interests and disclosure statement (the guideline does not discuss limited tender procurements).
3.32However, for eight of the nine procurements examined in the audit report there was no evidence of activity-specific declarations being completed by officials involved in the procurement.
3.33The DTA maintained a separate system of conflict of interest declarations for Senior Executive Service (SES) level employees. General interest declarations were maintained for all the SES involved in the nine procurements, but declarations for specific years were not retained on file:
The DTA Accountable Authority Instructions state that the Human Resources Director ‘must maintain a register of all material personal interests that relates to the affairs of the DTA in accordance with these instructions’. In April 2022, the DTA advised the ANAO that it does not maintain a register of declared personal interests.
3.34Consequently, the ANAO recommended that the DTA establish an internal control to ensure that procuring officials complete activity specific declarations, and that the DTA maintains a register of declared interests.
3.35In response, the DTA noted that a central point of control had been established to manage conflict of interest declarations:
… the Head of Corporate, as the central point of control, is ensuring activity-specific declarations of interest are made for all procurements after 17 June 2022. It is intended that this control will transition directly to delegates at the point at which improved procurement practices are demonstrated by the business areas and officials involved in procurements.
3.36In addition, the DTA said that a central register of declarations has been created and is held on the DTA's record management platform.
3.37Mr George-Philip De Wet, the DTA’s Head of Corporate, told the Committee that one of the effects of the procurement checklist introduced at the DTA in response to the audit is to help DTA staff understand their probity requirements:
… the procurement checklist, in addition to the procurement and probity policy update, which will be released next week, is helping delegates understand what appropriate behaviour is in the context of tender evaluations. One of those examples is that what the checklist is requiring delegates or responsible contract managers to do is undertake a conflict of interest both prior to a release of a procurement to market and then, depending on who responds from the market, an updated conflict of interest should they know, be related to or have a financial interest in any of those who respond.
Procurement planning and approaches to market
3.38This section considers the DTA’s procurement planning and approaches to market, in particular the DTA’s failure to estimate value for money, to conduct risk assessments as required by the CPRs, and the DTA’s use of panels.
3.39The audit found a range of problems with the DTA’s procurement planning:
Procurements did not comply with CPR requirements to: estimate the value of the procurement prior to determining the procurement approach; assess risks to the procurement; and maintain appropriate records of the approach to market. Further, the DTA’s frequent direct sourcing of suppliers using panel arrangements such as the Digital Marketplace does not support the intent of the CPRs.
3.40A core aim of public sector procurement as laid out in the CPRs is achieving value for money. However, the DTA frequently did not include value for money considerations in its procurement planning. Out of the nine procurements examined, the ANAO found that ‘value for money was mentioned in the procurement planning documentation for only one of the procurements examined’.
3.41The CPRs require entities to estimate the maximum value of a procurement in the planning stage, so that an appropriate decision on the procurement method can be made - procurements above a certain threshold ($80,000 for non-construction procurements) must be conducted by open tender. The audit report noted that:
For five of the nine procurements examined, the DTA did not estimate the maximum value of procurements before a decision was made on the procurement method (of the five, two related to the COVID-19 pandemic response). For the four procurements that included an estimate on the maximum value, only one procurement (Record Management Software) included records to show that this estimation included all of the elements required by the CPRs.
3.42The CPRs also require entities to ‘establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement’.
3.43The audit found that ‘[f]or seven of the nine procurements examined, the DTA had not undertaken a risk assessment … This included three procurements related to the COVID-19 pandemic response. Neither of the two risk assessments that had been completed was consistent with DTA guidance on how to assess and rate risk’.
3.44The planning of the limited tender procurement examined by the ANAO also did not comply with the CPRs. The DTA approached a single supplier for this procurement and reported on AusTender that it had conducted this procurement under paragraph10.3.e of the CPRs, which allows limited tenders for non-construction procurements worth more than $80,000 for ‘continuing services for existing … software services’.
3.45According to the CPRs, procurements that use the paragraph 10.3.e exemption must be accompanied by a statement specifying ‘the circumstances and conditions that justified the use of limited tender, and … a record demonstrating how the procurement represented value for money’. The DTA did not prepare such a statement:
For the procurement … the DTA had not prepared a written report or a statement indicating the circumstances and conditions that justified the use of limited tender or that demonstrated how the procurement represented value for money in the circumstances.
3.46The audit report also found issues with the DTA’s planning for panel procurements. The DTA is a frequent user of the Digital Marketplace panel - an online marketplace for digital and ICT services created under the 2015 National Innovation and Science Agenda. The ANAO examined seven Digital Marketplace panel procurements constituting seven of the DTA's nine highest value procurements for 2019-20 and 2020-21.
3.47Problems were identified with the conduct of all seven of these procurements:
- in four of the seven procurements, only one supplier was approached. In two cases the approach was made directly (i.e. outside the panel) despite being listed on AusTender as 'open tender' procurements on the basis that they used the panel.
- Multiple suppliers were approached for the remaining three Digital Marketplace procurements. However, for two of these, the procurement was on the Digital Marketplace for only three days, despite the CPRs specifying a minimum of 25 days, and one of the successful suppliers knew about the procurement at least one week before the opportunity was published.
- In one procurement, the DTA approached 16 suppliers and received five responses which were evaluated and recommended a supplier identified. After the evaluation panel had made its recommendation, a direct approach was made to one supplier. When it provided a proposal, it was not compared to any of the previously received offers but was accepted anyway. The contract was later varied four times to more than 8.5 times its original value.
- In light of these findings the ANAO recommended that the DTA align its approach to market processes with the requirements of the CPRs. It suggested that the DTA should particularly focus on ensuring the expected value of procurements is estimated before a decision on the procurement method is made, that the DTA identify, analyse and treat procurement risks, and that the DTA properly maintain procurement documentation in line with scale, scope and risk.
- In response, the DTA pointed to its newly implemented Procurement Checklist, noting that ‘it ensures the proposed procurement has an appropriate procurement plan and evaluation criteria in place’. The DTA submission also noted that it is developing a ‘more detailed procurement process’ which will capture more relevant information at the planning stage.
- In relation to the DTA’s misuse of panel arrangements, the DTA’s Chief Executive Officer, Mr Chris Fechner, told the Committee that panels ‘are a valuable construct, but they need to be used more effectively’:
The DTA is a very firm believer in the panel construct. When we do our panels we create a baseline value for money by understanding the capabilities, the skills, the experience and the unit rates of the panel providers that go in a particular category. We are absolutely agreeing with the ANAO that we need to demonstrate more broad use of panels rather than a single provider on those panels. They do represent a baseline. I believe they represent a value floor, not a value ceiling. We are looking at making changes to go into those.
3.51The DTA submission noted that some panels, especially those for ICT-related services, have a large number of members, and argued that ‘[a]pproaching a significant number of sellers (when not commensurate with the risk of the procurement) can leave procurement officials inundated with questions, responses and evaluations, leaving them overwhelmed’.
3.52Along similar lines, Mr Fechner told the Committee that:
Some of those categories have many, many sellers—in some cases, over a thousand. Going to over a thousand for a particular category is not an efficient use of time. It's a high expense for vendors to respond to something, where there is a very low likelihood of them actually achieving it.
3.53However, Mr Fechner noted that the DTA has nonetheless made changes to how it uses panels in response to the ANAO’s findings:
If we are considering using panel arrangements, we've now made changes to ensure that we have a broad selection of panel participants that go into them, as per the recommendations. In selecting those panel participants, we're looking at people who have the skills and experience to help deliver on the outcome and we're assessing them against their value for money as per what has been set up in the panels associated with their … ratings for value for money. We're looking at it outcome first - competition and use in the marketplace.
Tender evaluation
3.54In addition to these problems identified with the DTA’s approaches to market, the audit report identified problems with the DTA’s tender evaluation processes. These included the DTA’s failure to develop tender evaluation plans, the absence of fit for purpose tender evaluation criteria, limited consideration of the extent to which tenders represented value for money, and the DTA’s failure to keep adequate records of tender evaluations.
3.55The CPRs specify the steps that a tender evaluation process should include:
The CPRs recommend that entities use relevant evaluation criteria to enable the proper identification, assessment and comparison of submissions on a fair, common and appropriately transparent basis. The CPRs state that evaluation criteria should be included in request documentation and that entities must consider relevant financial and non-financial costs and benefits of each submission.
3.56The DTA’s internal procurement policies specify that officials should make tender evaluation plans for panel procurements and for more complicated small to medium procurements. The procurement plan should set out the procurement needs and ensure the compliance with the rules set out in the CRPs. The ANAO found that of the eight relevant procurements examined by the audit, only two had a tender evaluation plan. Further, these evaluation plans were not approved until after the market had been approached.
3.57Under DTA policy, limited tender procurements should have a limited tender procurement plan. However, the audit found that:
The one limited tender procurement examined by the ANAO did not have a tender procurement plan. The DTA advised the ANAO it was unable to locate any documentation relating to the initial approach to market for this procurement.
3.58Six of the procurements had evaluation reports that showed evidence of evaluation criteria, but the ANAO found that only three of the criteria were fit for purpose. The other three used ‘generic criteria … without specifying how these criteria would be assessed’. Two of the three procurements with fit for purpose evaluation criteria did not include them in the request documentation for potential tenderers.
3.59As noted above, achieving value for money is the primary aim of the CPRs. However, the audit found that the DTA did not consistently consider value for money in evaluating tenders. Five of the nine procurements examined considered value for money, one included partial consideration, and three did not have any documentation relating to value for money considerations. Four of the procurements were awarded to contractors who were paid hourly or daily rates in excess of the maximum rate approved for that seller on the Digital Marketplace.
3.60The ANAO also found that the DTA did not retain appropriate records of its tender evaluation processes:
For six of the examined procurements, the DTA did not maintain appropriate records of the evaluation phase, such as a record of evaluation criteria, how value for money was considered and an evaluation report … For three of the examined procurements, the DTA had maintained most of the key records, but evaluation criteria and tenderer debriefings were not always documented.
3.61The ANAO therefore recommended that the DTA align its tender evaluation processes with the CPRs and incorporate evaluation criteria to assist it to identify, assess and compare tenders fairly and transparently.
3.62In response, the DTA pointed to its procurement checklist as a control that 'strengthens the DTA's requirements to develop appropriate evaluation plans and criteria prior to seeking delegate approval to approach to market.' It further noted that 'continued guidance is being provided by Corporate Procurement to staff undertaking procurement activities to ensure that evaluations are occurring on a consistent basis’.
3.63Mr de Wet told the Committee that centralised assessment of procurement processes is also helping to address the DTA’s shortcomings in tender evaluation:
… the evaluation centrally in relation to those tender evaluations is my team offering advice to the business area undertaking those procurements and then being very clear on scale, scope, complexity and value in the contextualisation of risk related to those procurements.
3.64Finally, the DTA noted that it is consulting Department of Finance guidance on tender evaluations to improve its processes:
The DTA will assess its current tender evaluation processes and how these align with the Department of Finance’s tender evaluation processes with a view to improving the processes going forward. This work is yet to commence in the context of dealing with more urgent implementation requirements of the report.
Contract management
3.65This section considers the DTA’s contract management. In particular, the use of contract management plans, contract performance risk management, the DTA’s payment controls, and its use of contract variations.
3.66Contract management is a key element of achieving value for money in procurements. According to the ANAO:
Procurement should be seen in a whole-of-life context, from the initial tender of the goods/service to negotiation and finalisation of a contract and planning for what occurs next. A procurement process that results in a favourable contract does not actually achieve value for money if a contractor fails to perform in accordance with the terms of the contract.
3.67A key element of effective contract management is a contract management plan. According to the ANAO:
A contract management plan should reflect the contract’s complexity and risk profile and contain key information about how the contract will be managed over its life to ensure that objectives are met and value for money is achieved. A contract management plan can include a summary of key activities to be completed, roles and responsibilities, identified risks and how these risks will be managed.
3.68None of the nine procurements examined by the ANAO had a contract management plan. The DTA relied instead on partial plans contained in contracts, requirements documents and seller proposals.
3.69Managing risks to contract delivery is a key element of contract management, since it increases the likelihood that an entity can prevent risks from occurring or minimise their consequences. However, none of the nine contracts had risk management plans, and the ANAO found that ‘[t]here was no evidence to indicate that the DTA was actively managing risks related to contract management for the examined procurements’.
3.70The ANAO also identified issues with the DTA’s payment controls:
The ANAO found issues with the timeliness, accuracy or record keeping of payments for eight of the nine procurements examined. For eight of the procurements there were instances of late payments, for one there were inaccurate payments, and for five there were incomplete records.
3.71Contract performance management was also identified as an issue by the ANAO. While performance expectations were specified in eight of the nine contracts reviewed, performance monitoring was less evident.
For three of the nine procurements examined, performance monitoring was documented through weekly status reports or other forms of milestone tracking prepared by contractors for the DTA. For two procurements, the DTA advised performance was monitored primarily through regular meetings with the contractor. For the two procurements related to the COVIDSafe App, the DTA was unable to produce any documentation to demonstrate that performance had been monitored.
3.72Five of the nine contracts did not link payment to contract performance (e.g. the achievement of contract milestones):
Invoices for four procurements … were for time charged by consultants on the project and were not linked to milestones or deliverables. The DTA did not have documentation to demonstrate how timesheets were verified for any of the procurements. For the COVIDSafe App Development procurement, the invoices did not include timesheets for time charged or consistently specify the milestones or deliverables completed under the work order or variation.
3.73On the basis of these findings, the ANAO recommended that the DTA improve its payment controls and implement an internal compliance review to ensure that the improvements were effective.
3.74The DTA submission noted that:
Since being implemented in February 2022, the AP Uplift program with the DTA's shared services provider, the Service Delivery Office has significantly reduced the need for manual data entry and increased the accuracy and ability to link invoices to relevant purchase orders … Month-end reconciliations and checks are being performed by the 7th working day after the month end as a checking process.
3.75That DTA submission also noted that ‘[t]he DTA's 2022-23 Internal Audit Work Program includes an internal audit focused on DTA payment controls to be conducted by the DTA's internal audit provider by Q4 of the 2022-23 financial year’.
3.76In relation to payments not being linked to contract performance, Mr Fechner told the Committee that the DTA is moving away from ‘time and materials’ based contract payments to a more outcomes-focused approach:
When looking at the outcomes, we are really trying to move away from time and materials. Time and materials is not an effective way except in various circumstances, where you are actually directing people specifically on what they're doing hour by hour. We're trying to get much more able to consider what it is we're meant to achieve and what that achievement is valued at.
3.77Throughout the inquiry the ANAO has highlighted the issue of inappropriate contract variations. The ANAO submission noted that:
The value of public funds committed through contract extensions is significant: AusTender reporting for 2021—22 shows roughly $29.8 billion of contract amendments, compared to roughly $50.9 billion of parent contracts. Entities should ensure that contract managers, and any individuals advising them, understand that contract extensions and variations that are inconsistent with the key procurement principles can be detrimental to the conduct of a transparent and accountable process and to the achievement of value for money for the taxpayer.
3.78The ANAO submission went on to note that:
The reports before the inquiry include examples where decisions to extend or vary contracts might be driven by convenience for entities and officials (sometimes termed ‘leveraging’ an existing contract) rather than an effort to get the best results for the Australian community. Auditor-General Report No.5 2022-23 Digital Transformation Agency’s Procurement of ICT-Related Services contains several examples where contract variations were used unethically and without adequate consideration of value for money.
3.79The audit report highlights one procurement, the DTA’s myGov Funding Case Support procurement, as an example of unethical contract leveraging. The contract was varied ten times over two years, increasing the value from approximately $120,000 to more than $4.9 million.
3.80The DTA’s Corporate Finance team advised against several of these variations:
On 24 December 2020 … [a]n official in the corporate finance team raised concerns about this variation, stating:
The proposal is inconsistent with effective and ethical stewardship of public resources. I am also concerned that in mid-January, we will be asked for another increase. And then another. Until mysteriously, the total is equal to the excess amounts we were first offered and rejected as being unacceptable. It is unclear from the proposal what value is being added by the consultant, or what the consultant is doing, combined with a complete lack of tangible deliverables.
In August 2021, the procurement team asked in response to a request for a seventh variation ‘Why aren’t we conducting an approach to market (rather than leveraging the … contract)’?
3.81The audit report notes that in addition to these variations, ‘DTA senior officials attempted to vary the contract to include work on another project. The DTA’s finance and procurement team strongly advised against this’. In response, the contractor was engaged under a separate contract following a direct approach.
3.82In light of these issues, the ANAO recommended that the DTA strengthen internal controls to ensure contract variations are not used to avoid competition or the ethical requirements imposed on its officials by the CPRs.
3.83The DTA responded by noting that ‘The DTA Corporate Procurement team is currently reviewing all significant contracts to ensure these contracts are being managed effectively’.
3.84Mr Fechner told the Committee that the DTA had begun implementing controls to manage contracts across their whole life-cycle and returning to market rather than extending by default:
In terms of variations, the Audit Office has called out that we had far too many variations, and we agree with that. We are putting in controls that say the contract management functions are also tracked entirely across their life cycle. In the substance of work we're doing now, variations that are brought forward-we have in fact gone back to market instead of using variation. We're demonstrating a change in behaviour where we are going back and reassessing the value for money propositions rather than continuing on with services we already have.
3.85Mr de Wet elaborated, noting that the DTA’s focus is on ensuring variations are only used where there is a genuine need:
… what we are focusing on with contract managers - a variation is an allowable option within the CPRs, although it shouldn't be exercised lightly. The key focus there for us is: where a variation is a genuine requirement the business area still needs to determine that variation.
Procurement culture
3.86The procurement problems listed above range from the planning phase right through to the contract management phase, a fact which indicates deficiencies in the DTA’s procurement culture. In his evidence to the Committee, Mr Fechner acknowledged this issue and attributed it in part to a culture of expediency at the organisation:
I think that there was a high degree of focus on expediency in the activities, rather than a longitudinal understanding of what the effective processes needed to be ... Clearly, in hindsight and through evaluation, the processes that were actually used to manage these things were deficient, and we've spent quite a lot of time from June 2022 implementing new processes for our internal procurement.
3.87It is noteworthy that senior officials at the DTA failed to listen when internal advice from procurement experts raised serious questions about the DTA’s procurement process:
There was, periodically, evidence called out that other activities needed to be done to ensure that we were following up with the correct processes behind our procurements that we were doing at speed. And unfortunately, that work wasn't heeded as well as it should have been. We have now looked at remediations for that.
3.88Mr Fechner noted that the DTA is attempting to address this issue in part by the centralisation of responsibility for approving procurements:
The authorisation for the release of the procurement sits with the head of corporate and all controls need to be in place before those procurements are out, before they're awarded and as they are managed throughout the process.
3.89In terms of addressing the DTA’s procurement culture, Mr Fechner also pointed to improvements in its internal review processes and training of staff, as well as ongoing attention to the issue at the highest levels of the organisation:
In our internal audit program we've put both the procurement activities and our internal management framework on our order of functions within the annual audit plan. Within all of our performance management plans for staff we have the requirement for them to complete all of their mandatory training across not just the procurement domains but all of the control domains inside the DTA ... We have had deep discussions at our executive board around the controls that we need to have, not just now but ongoing, to ensure this never happens to us again.
3.90Mr de Wet argued that problems with the DTA’s procurement culture were not a result of malicious intent, and that senior leadership were helping to drive change at the organisation:
We don't believe that there was any malice in anything contained within the report, but it did also shine a light for us on the need (1) for senior leadership to model the correct behaviour, and (2) to make sure that our staff know what that looks like, and that we help them to do that, not just tell them how to do it.
3.91Mr de Wet went on to say that training has been an important part of cultural change at the DTA:
… we made sure that by the end of October-or it was perhaps the first week of November-all relevant delegates within the DTA who hold a financial delegation had completed the mandatory training. We have a suite of five areas of mandatory training that all staff are now required to complete to be deemed, in addition to performing the roles that they are employed to do, to be meeting the minimum requirements for how they do those things.
3.92He concluded by noting that cultural change will take time to become embedded at the DTA:
The audit report itself identified for us two things. One is the failure of process controls and record keeping, which is an operational thing that you can fix. You would have seen the details in our submission that we're going to deal with those problems, and we're dealing with those already. The cultural change is one that will take a slightly longer period.
Committee Comment
3.93The findings of this audit report give rise to serious concern. The ANAO found problems in nearly every aspect of the DTA’s procurement processes, from its governance and oversight to its procurement planning, execution and finally its contract management. Officials failed to follow the requirements of the CPRs or indeed of the DTA’s own internal policies and procedures.
3.94It is concerning a framework was in place that might have given rise to largely appropriate procurement practices, and the audit found that these governance and oversight arrangements were largely appropriate. But their implementation was imperfect, and officials often failed to follow the DTA’s policies and procedures. It is important that the DTA’s failure to manage procurement risk appropriately is addressed, and the DTA’s fraud and conflict of interest controls must also be more effective.
3.95Improvements must also be made in the way the DTA conducts its internal procurement activity. The agency failed to comply with the CPRs in its approaches to market, and its tender evaluation processes were also flawed. It should go without saying that this is unacceptable for an agency which aims to set the direction for Australian Government procurement of digital and ICT products and services.
3.96The Committee also expects to see improvements in the DTA’s contract management practices, particularly in the area of contact management plans and the identification of risks to contract performance. Contract variations must also be closely managed in light of their serious misuse. The Committee considers that the audit demonstrates the existence of significant problems in the DTA’s procurement culture.
3.97The Committee considers that the description of the culture as one of ‘expediency’ seriously understates and obfuscates the issues. That line managers were disregarding internal advice that their behaviour was unethical was deeply concerning.
3.98That said, the Committee appreciates and acknowledges the frankness with which the current management of the DTA acknowledged these issues throughout the inquiry which provides strong cultural signals to the organisation about what is expected under the obligations in the PGPA Act and the CPRs to spend public money effectively, efficiently, and ethically. However, the extent of the DTA’s deficiencies is significant and culture takes time and consistent effort to change. The Committee considers that the DTA should provide an update on how it is addressing the issues raised throughout this inquiry.
3.99The Committee recommends that the Digital Technology Agency provide an update to the Committee five months from the tabling of this report on the progress of its improvements to its procurement processes, including:
- its procurement governance and oversight, especially the management of procurement risk
- its management of probity, particularly its fraud and conflict of interest controls
- changes to its approach to market processes to meet its obligations under the Commonwealth Procurement Rules, including its use of procurement plans, risk assessments, and the appropriate use of panels
- improvements to its tender evaluation processes
- improvements to its contract management processes, particularly with respect to contract variations, and
- the keeping of appropriate records of all stages of a procurement, from planning to contract management.
- An ongoing concern arising from this inquiry is that even where the DTA had established proper policies and procedures in relation to its procurements, they were ignored by senior management and procuring officials. This does not give rise to confidence that the DTA is necessarily capable of implementing the reforms it has planned in response to the audit. At the very least it indicates that some verification of its efforts is warranted. The Committee therefore considers that there is merit in a follow up audit of the DTA’s ICT-related procurements so that the Parliament can be satisfied that the problems identified by the ANAO have been addressed, and that new problems have not arisen in the interim.
3.101The Committee recommends that the Australian National Audit Office consider conducting a follow up audit within three years of the tabling of this report to determine the success or otherwise of the Digital Technology Agency’s procurement reforms.
3.102Finally, and as noted in Chapter 2, the Committee is concerned at the failure of the DTA’s audit committee to identify and address the systemic issues with procurement at the agency. Where an entity engages in complex or significant procurement activity, that entity’s audit committee should increase its scrutiny of the entity's procurement risks and its procurement controls, and should oversee a program of internal audit that provides assurance over the procurement activity. Given the DTA’s significant noncompliance with the CPRs, in the Committee’s view the DTA’s audit committee should provide this assurance.
3.103The Committee recommends that the Digital Transformation Agency’s audit committee review the agency’s procurement risk and its internal procurement controls, and ensure that procurement is a subject of the agency’s internal audit program.