Key issues
Introduction
3.1
This chapter outlines two key issues arising from the evidence received
in relation to the terms of reference of the inquiry. These include:
-
the effectiveness of controls in relation to credit and other
transaction cards; and
-
the governance framework for credit and other transaction cards.
Effectiveness of controls
3.2
Controls on credit and other transaction cards may operate in two ways:
controls that are designed to ensure that the individual using the card is the
authorised cardholder; and those that are designed to ensure that authorised
cardholders use the card in accordance with policy and procedures designated by
the organisation, or a broader accountable authority, such as the Commonwealth.
Controls act to either prevent or detect the misuse of cards, intentional or
otherwise.
3.3
The ANAO audit found that Defence had identified some risks and some
controls on the use of credit and transaction cards in the Department's fraud
control plans. However, the audit found that the suite of preventative controls
was incomplete and of limited effectiveness. Controls had either been
inconsistently applied or simply not implemented. The audit canvassed a range
of issues around preventative controls, with this inquiry focusing on two of these
in particular: merchant blocking and cash advances.
3.4
The audit also found that while some detective controls had been
implemented, the effectiveness of these controls was undermined by a lack of
rigour or systematic application. In particular, the ANAO report highlighted that
Defence had not drawn on available management information to monitor and
analyse credit or transaction card activity. The audit identified various transactions
where analysis of available information could have helped identify and manage
risks. The committee explored related concerns extensively with Defence during
the inquiry, including:
- instances of non-compliance with Defence and Commonwealth policies and
procedures, particularly in relation to traffic infringements and Austender;
and
- claims of seasonality in routine payments, with ad hoc changes to card
limits for apparently predictable operating costs.
3.5
The inquiry was particularly concerned by the apparent 'softness' in the
acquittals process for transactions using virtual and physical cards,
particularly in relation to cash advances and electronic transfers.
Travel and purchase cards
3.6
Defence travel cards (DTCs) are issued by Defence under the
whole-of-government (WOG) arrangements established by the Department of Finance.[1]
Defence assumes all personnel need to travel and so all personnel who meet the
legal requirements for card access are routinely issued with a DTC. In 2014-15,
Defence was responsible for 41 per cent of all Commonwealth expenditure on travel
cards, an amount of some $286.7 million. In comparison to other Commonwealth
entities, Defence spent a proportionately greater expenditure on car rental,
taxi travel and cash advances through the travel card.[2]
3.7
Arrangements for Defence purchase cards are managed independently by
Defence, separate from the WOG arrangements for travel cards. Purchase cards
are intended to be utilised by Defence personnel to buy goods and services
under $10,000, reflecting the high volume, low-level transactions considered
routine to Defence's purchasing environment, and as recommended by Department
of Finance guidelines. The ANAO audit found that Defence spent between $10 and
$40 million each month using the purchasing cards over the three years covered
by the audit.
Controls on what is purchased:
merchant blocking
3.8
All merchants are assigned an identifier code, which is utilised when
credit and other transaction cards are used to make a payment. Blocking is a
control where transactions against certain merchant codes are automatically prevented,
or blocked. It prevents the card user from transactions against merchants which
are considered to offer goods and services outside the usual purview of Defence
and for which the card user could not assume to have the authority or approval
to transact.
3.9
Defence acknowledged that at the time of the audit, only one merchant
category was blocked on the DTC.[3]
However, although this block had been in place for eight years, the ANAO found
24 transactions, at a cost of $15,000, against this merchant category during
the audit, indicating that the block had been ineffectively applied. In
addition, the ANAO found that no categories were blocked on the Purchase Card, and
there were 1900 transactions by Purchase Card in the same category at a cost of
$3.3million.
3.10
When questioned by the ANAO on these inconsistencies during the audit, Defence
could not retrieve the paperwork which explained their rationale for blocking
this category or for the absence of blocks generally. In explanation, Defence told
the ANAO:
...Generally,
they did not have blocked merchant categories because of inconsistencies in
merchant categories when compared to the goods and services actually provided
by the merchant.[4]
3.11
However, in response to the draft audit report, Defence assured the
audit team that, in accord with the new governance arrangements, Defence had
now introduced and applied merchant blocking as a dedicated control: two new
merchant categories were blocked on both travel cards and purchase cards and
another 50 merchant categories are monitored routinely.[5]
This was confirmed by Defence's submission to the inquiry which provided lists
of blocked merchants.[6]
3.12
However, when the committee questioned Defence on these matters during
the public hearing on 7 April, Defence asserted that the nature of the work in
Defence can seem '...a bit unusual for corporate entities and other government
departments'. It might require activities in locations which are considered
unusual by those outside the department but in fact, 'represent valid procurement
of approved goods and services within the guidelines'.[7]
Controls on access to cash advances
on travel cards
3.13
As part of negotiated conditions of employment, Defence personnel can access
cash through the Defence travel cards to withdraw allowances for meals and
incidentals, although Defence policy encourages use of the DTC to pay the
supplier direct for the expenses which these entitlements are expected to meet.[8]
Once travel is approved, subject to travel taking place as approved, cash withdrawal
requires no separate authorisation. Cash advanced to Defence travellers
totalled $52 million, comprising 7.5 per cent of all Commonwealth entity travel
card expenditure in the audit period. Defence travellers accounted for almost
all this amount comprising 97 per cent of all cash advances across government
using the travel card.[9]
3.14
The ANAO audit found that, whilst Defence had identified that the ‘single
greatest risk to the (Defence Travel Card) Program is the unauthorised use of
cash’, the Defence Card Management System (CMS) was singularly not ‘well
suited’ to acquitting cash in advance.[10]
The ANAO identified a range of practices around the use of the Defence travel card
which it considered 'difficult to reconcile with Defence policy'.[11]
Consequently, a chief concern for the committee was the arrangements for accessing
cash and the corresponding controls around the acquittal process. Two examples identified
by the ANAO report highlight this concern: the amount of interest generated
through cash advances, and that the amount of cash advanced can be greater than
entitlements indicate. In both instances, the committee was concerned by the
apparent 'softness' of the acquittal process.
3.15
Observing that cash advanced for travel allowances can amount to large
sums, particularly for longer trips, the ANAO reviewed the top 30 individual
withdrawals between the six months of January and June 2015. These transactions
showed a range between just under $8500 to $42,384. As Defence agreed during
the hearings, cash withdrawals on the Travel cards carry a charge, in most
cases, of 1.75 per cent of the value of the withdrawal.[12]
The ANAO found that in 2014-15, Defence personnel withdrew $50,761,587 using
the DTC at an approximate further cost of $888,328 through interest charges on
cash advances to Defence.[13]
3.16
The ANAO also found that, in practice, Defence personnel accessed cash
from the travel card greater than the amount allocated as allowances for meals
and incidentals. An audit sample showed that 37 per cent of withdrawals either
exceeded the approved amount for meals and incidental allowances and no
receipts or other support documentation was provided to show that actual
expenditure was incurred; or insufficient documentation was provided to
determine the values of approved meals and incidentals.[14]
3.17
The sample suggested that personnel were withdrawing cash not only for
meals and incidentals but also for a further part of their approved travel,
such as accommodation, training or other costs which Defence policy expects to
be paid either centrally, through virtual card payments, or through other
payment means such as purchase orders in response to an invoice.
3.18
At the hearing, the committee asked Defence to explain why Defence
personnel needed cash for travel, when other entities do not access cash for
their travel entitlements and especially when, as Defence agreed, acquitting
cash advances is 'risky' practice?[15]
The committee asked, what, in particular, makes Defence so different to all the
other departments that its personnel require
access to cash to travel?
3.19
Defence explained that access to cash was a condition of service for all
ADF and APS personnel in Defence. However, it was 'a requirement on all
officers' to seek appropriate approval for travel through the department's
online travel calculator, and acquit appropriately through the after-travel
certification.[16]
In instances where travel varied from the approved circumstance, it was
incumbent upon the officer travelling to advise the department and reimburse
funds accordingly, as necessary. If the department found an officer had not
repaid excess travel funds, a debit note would be issued.
3.20
When the Committee asked the department the value of overpayments in
travel allowances, and how many debit notes the department had issued in
relation to non-acquitted cash advances, Defence was unable to respond.
3.21
The committee explored one of the specific examples identified by the
audit and asked Defence to explain the circumstances surrounding the cash withdrawal
of $42,384. The department advised it had not investigated the report, and
instead responded:
I
suspect that that is a case where people stepped outside of the guideline and
took cash for elements that should be covered in the whole of government travel
arrangements, that is, hotels, airfares and that sort of thing.[17]
3.22
When the committee asked why a relevant supervisor or person approving
travel did not also take an interest in staff travel acquittals, Defence
explained that although a delegate might have overall management
responsibility, the primary responsibility lies with the individual to acquit
their travel.[18]
Their does not appear to be any independent verification or spot checks to
confirm that a transaction was validly acquitted:
There
is a requirement to acquit your transactions, which requires you to log into
the system and look at them... the duties of officials requires them to put the
right due diligence in to checking that their accounts are correct.[19]
3.23
The committee was concerned about what this example illustrated for the
overall system for monitoring acquittals. It appeared there was no mechanism or
'red flag' to prompt an internal audit review of the transaction even when, as
in this case, the rationale put forward was that it was likely the transaction was
contrary to Defence policy guidelines. The main concern is that Defence's
Acting Chief Finance Officer and the First Assistant Secretary, Financial
Services, did not know of the irregularity until it was raised by the ANOA audit,
and even then, Defence did not investigate the matter further when it was
brought to its attention.
3.24
Defence responded that it ran a range of checks on both purchase and
travel cards, looked for unusual transactions, blocked merchants, unusual
amounts and places, and used techniques unique to Defence because of 'the
nature of the business'.[20]
However, the committee was not reassured by Defence's claim that because there
was 'no evidence of fraud' in the majority of cases, the system was working.[21]
3.25
The examples illustrated by the audit and raised by the committee suggested
otherwise. Defence had not adequately responded to criticism that 'a very high
number of transactions... are signed off by the individual incurring expenses',
with essentially no other checks on the integrity of the transactions.[22]
The cost of advancing cash to Defence personnel for travel incurred over $880,000
in interest charges to the Department. The committee was not reassured why
Defence persisted with such a risky practice, especially in the absence of
independent checks on travel acquittals. The committee did not find Defence's
repeated explanation that because cash was ' a longstanding and...very popular part
of people's conditions of service' persuasive, nor that the cost to the
Commonwealth was justified.[23]
Controls on access to cash advances
on purchase cards
3.26
The committee was concerned by the ANAO audit's findings in relation to
the absence of controls over the authorisation of cash access on purchase cards.
Cash withdrawn on a purchase card is an advance of relevant money under the PGPA
and requires authorisation under the Defence Accountable Authority
Instructions. Until the audit, the card supplier had issued access to cash at
the request of cardholders and without confirming the approval/authorisation of
the relevant Defence delegate.
3.27
Defence advised the committee that authorisation to access cash now
requires the written approval of the relevant Group or ADF Services CFO based
on a justified business case.[24]
This change was introduced as part of the new governance arrangements
introduced following the audit. The committee was satisfied that this oversight
had been addressed. However, it remained concerned by the interest charges
generated by cash advances and the potential this represented for waste of
Commonwealth monies.
3.28
The ANAO tested a small sample of cash withdrawals using purchase cards
and found multiple withdrawals of substantial amounts to pay merchants for
goods and services. There were numerous examples identified by the audit of
cash withdrawals on purchase cards where card use was not consistent with
Defence policy. The hearing with Defence highlighted one particular example of
concern.[25]
3.29
The audit uncovered one case which showed a series of three cash
withdrawals of $99,999 by the same Defence official on the same day to pay the same
supplier. The audit revealed that these were part of a succession of cash
withdrawals to the value of $879,000 over 10 days by the same official. After
being alerted by the audit, Defence investigated the card holder's purchasing
activities further. It found that the cardholder had withdrawn over $1.147
million to pay suppliers, primarily to purchase rations for a planned military
training exercise in Queensland.[26]
These transactions were electronic transfers rather than physical cash
withdrawals. Defence advised that such transactions are identified and treated
as cash withdrawals by the bank and in reports received by Defence. These specific
transactions attracted interest as a cash advance of $18,278.[27]
3.30
When questioned by the committee, Defence acknowledged that this case was
an instance of bad decision-making by the individual concerned:
The
person who was running that part of the exercise, in terms of rations and other
sorts of provision for the exercise and making payments, decided, without the
right sort of advice and without seeking advice, for instance, from the CFO or
the finance team, that it would be a good idea to make those payments through
electronic funds transfers - through credit card - rather than in our usual way
of paying those sorts of account by raising a purchase order and paying through
an invoice, which would have been our advice.[28]
3.31
Defence explained that whilst an individual had clearly made a 'bad
decision', the subsequent internal investigation by Defence's audit team showed
that the purchase was within approvals and therefore appropriate.[29]
The individual had merely chosen the wrong method of payment, rather than engaging
in any fraudulent activity. While Defence admitted that the transactions were a
breach of policy and bad administration, it told the committee on a number of
occasions that the purchase fell within the approvals process.[30]
3.32
The committee's concerns with this example cover three main issues:
- the lack of controls to prevent this choice of payment method for an
event that was both 'predicted and predictable', rather than 'unusual or an
emergency' circumstance;[31]
-
an apparent lack of regard for departmental 'policy, procedures and
guidelines...or prudent practice' given the interest charges generated by the
choice of payment method;[32]
and
-
whether the Department had taken steps to both prevent this kind of 'bad
decision' occurring again and to ensure that if it did, Defence would know
about it through its own analytics, rather than rely on a subsequent audit to
uncover the irregularity.
3.33
Defence explained to the committee that as a result of their internal
investigations the department had taken a range of steps, both with the
specific contract management cell and for the specific individual concerned:
[Defence
has] updated their standard operating procedures...instigated training such as
carrying out basic procurement, consolidation of complex procurement,
management of contracts, effective contract management and operational contract
management..(and undertook)...internal reviews of contracting processes. The
official involved has undertaken a number of additional courses such as
'managing money in accordance with the rules', 'accountability', 'your
responsibility', 'completing procurement forms', 'responsive record keeping'
and 'objective use of training'.[33]
3.34
Defence, however, confirmed that its analytics would not have uncovered
this irregularity through existing processes, explaining, somewhat
inconsistently, that as 'there was no fraud' the transactions would not have
attracted attention under Defence's administrative processes.[34]
The role of the independent
reviewer
3.35
The committee drew Defence's attention to its concern over the risk
posed by the absence of an independent 'second person' check in the acquittals
process. At the time of the ANO audit, one on the key controls which Defence
relied on to ensure cash advances on purchase cards were acquitted
appropriately was the independent review—or second person check—between the
cardholder and their CMS supervisor. The ANAO had independently identified from
the literature that a 'second-person check' or independent review to verify a
transaction was considered by the audit industry to be one of the most
effective controls available to ensure the proper use of relevant monies.[35]
3.36
Yet, the ANAO found that this control was no longer in use by Defence. The
opportunity for authentic verification of the high volume of transactions in
Defence's unique work environment introduced a range of challenges which were
not being adequately addressed. Chief amongst these concerns were:
-
the routine process for authorising the independent reviewer permits
the card holder to designate their own supervisor, increasing the risk of
collusion or fraud between individuals;
-
a designated supervisor may be both distant from and unfamiliar
with the actual nature of the work for which the claimed transaction occurred,
making it difficult to challenge a transaction's authenticity; and
-
a designated supervisor was commonly junior in status to the card
holder who undertook the transaction.
3.37
These last two concerns made it difficult, in practice, to dispute a
transaction which the card holder had accepted.
3.38
Whilst Defence sought to address these concerns in the new governance
framework for credit cards introduced in response to the audit, the specific
provisions addressing the independent reviewer (the CMS Supervisor) controls
subsequently disappeared from the governance framework attached to Defence's
written submission to the inquiry.[36]
It appears that Defence has now removed this control from its processes.[37]
The control has been removed even though Defence's submission to this inquiry
indicates that the risk of unauthorised use of a Defence credit card remains.
3.39
The Enterprise Wide Defence Credit Card Fraud Risk Assessment notes that
the 'Card Management Supervisor acquittal' is scheduled to be removed with the
introduction of automated transaction loads.[38]
Defence will instead, implement forensic, exception-based reporting to mitigate
the risk.[39]
However, in a second attachment to the Defence submission, the Credit Card and
Defence Financial Risk Controls Framework Work Plan for 2016-2017, says that:
With
the imminent removal of the requirement for CMS Supervisors to approve
transactions in the CMS system, it has been directed that additional tests need
to be developed to provide assurance over the transactions. One of these is a
commitment to test every card at least once per year. This will add significant
workload and requires additional resources and support.[40]
3.40
Defence is yet to advise whether additional resources and support have
been assigned to implement the forensic, exception-based reporting, which
Defence has asserted will mitigate the risk of removing one of the industry-recognised
best practice controls.
Detective controls on purchase
cards
3.41
Whilst the purchase card is subject to many of the same concerns canvassed
regarding the travel cards, the inquiry highlighted three areas of concerns over
the rigor of detective controls in relation to purchase cards:
- the payment of traffic infringements in contravention of Defence policy;
-
expenditure inconsistent with AusTender guidelines; and
-
seasonal patterns to spending which may indicate potential waste or poor
planning.
Traffic infringements
3.42
Defence policy states that drivers are personally liable for all fines
or penalties for traffic and driving infringements and offences imposed by
civilian police and state and territory authorities arising out of use of a Defence
vehicle. However, in its review of purchase card transactions, the ANAO audit found
fifty transactions to the value of $35,000 where Defence paid fines to a state
or territory authority for traffic infringements such as driving in a T-way or speeding
in a school zone. There were also instances where Defence not only paid the initial
infringement fine, but also paid subsequent fines imposed when fines were not
paid by due dates because drivers were not identified and nominated by Defence.
3.43
The Defence Fraud Control Directorate reported that the reasons given by
individuals or their work units for non-payment of fines include that the infringements
occurred during charity events (implying that members were contributing as
official representatives of Defence and thus the obligation to pay the fine
referred back to the department); that local base instructions ‘did not advise’
Defence drivers not to drive in a T-way; and that the identified member was visiting
a fellow Defence member in hospital due to an injury sustained during a
workplace incident and therefore, the oversighting officer felt that Defence
should carry the fine.
3.44
At ANAO’s instigation, Defence identified 119 traffic infringements paid
by purchase cards between July 2012 and November 2015. Consequently, Defence's
First Assistant Secretary, Audit and Fraud Control, wrote to the Chiefs of
Services in January 2016 seeking an ‘assessment of the effectiveness of the
management of traffic fines’. Defence assured the audit team that it had
'strengthened its analytics function' and would ‘monitor relevant merchant
categories' including examining cash withdrawals and traffic fines on a monthly
basis.
3.45
During the inquiry, Defence agreed that the fact that a number of
drivers who incurred fines were not identified was unacceptable. Defence advised
that all infringements reported by the audit had been investigated, with
reimbursement or other remediation effected in all but 15 such infringements.
Inconsistencies with AusTender
3.46
Since 2007 all Commonwealth entities are required to publish details of
procurement contracts and entity agreements above the value of $10,000 and
report these within 42 days. The ANAO audit reviewed Defence's largest 100
payments, ranging between $97,000 and $691,700 on the purchase card. It found
numerous examples where procurement appeared to be inconsistent or contrary to
the AusTender guidelines. These included issues such as:
- contract values reported on AusTender are incorrect;
-
reporting occurs outside the timeframe;
-
payments are incorrectly blocked from AusTender by CMS users;
-
payments are not reported on AusTender;
-
payments are recorded under the wrong supplier; and
-
1000 pairs of Purchase Card payments, which, on face value, should have
been reported to AusTender were not because they were split into amounts less
than $10,000.
3.47
It has previously come to light during an estimates hearing in October
2016 that a Defence staff member had purchased a large number of pairs of boots
at a cost of $160,000 through a series of multiple transactions under $10,000
on his purchase card. Investigations revealed that it was an authorised purchase
by the logistics officer who had purchased the boots for the use of Duntroon
staff. The committee was concerned that the series of multiple transactions,
each just below $10,000, over a short space of time and totalling a significant
sum of money, did not trigger any 'red flags' in Defence's system.
Seasonal patterns of expenditure
3.48
The ANAO audit identified seasonal patterns of expenditure for goods and
services in May-June of each financial year, with corresponding evidence of requests
to increase credit card limits which enabled card holders to exhaust budget
allocations before the end of year financial cut-off. This was justified as routine
expenses, such as regular utilities payments, stationery and furniture. Whilst
the purchases may have been in accord with authorised approvals, the pattern of
seasonal spending, in conjunction with one-off increases in card limits,
indicated this could be a routine practice to exhaust budget allocations as the
financial year drew to a close. There was also a suggestion that the payments
were split to avoid Austender requirements.
3.49
The audit finding raised questions for the Committee about the
efficiency and effectiveness of annual planning and expenditure, which Defence at
the hearing was unable to address with confidence. When questioned by the Committee
on the audit findings, Defence challenged the audit's interpretation that
seasonality on card purchases was common, or, if it occurred, indicated an
intention to exhaust budget allocations before the end of financial year in
ways that were not economic or inefficient.
3.50
Defence claimed that the 'seasonality in purchase cards follows the
natural ups and down in the business cycle'.[41]
Further, the Acting CFO explained: 'even if there may be a spike in the level
of expenditure in those last few months...it is in low value items...86% of the
transactions on defence purchasing card are for $2,000 or less.'[42]
3.51
Rather than reassuring the committee, Defence's responses reinforced the
committee's concern about Defence's approach to credit card expenditure. As the
Chair, Senator Gallacher, indicated:
I
would have thought that would have meant that fraud control, risk processes,
algorithm and analytics would have been in place since 2009 and we would not be
having this inquiry. But they were not put in place in 2009 and in 2016, we saw
an audit report which raised really big questions about those other 14 percent
of transactions.[43]
3.52
The Defence acting CFO asserted that despite the audit's findings, Defence
did have controls in place, noting that:
I
appreciate that we spend more on credit cards ...but... as a percentage of our
entire spend as a department, it is actually only two percent of our entire
appropriation in any given year.[44]
3.53
This did not reassure the Committee Chair, who pointed out:
I think that you should have the strongest and the best
controls of any department because you do more of it. You should have the
algorithms; you should have the analytics. You should have the credit card
issues giving you top services because you are paying them a fee.[45]
3.54
In an attempt to reassure the Committee, Defence indicated that, following
the audit, Defence had introduced a rolling program and monthly analytics. In
this process, Defence routinely review all purchases to ensure they are made
with the requisite approval to make sure that purchases are cost-effective
within a budgeted plan. Had Defence found any expenditure which 'we considered
did not represent a cost-effective way of doing business or that perhaps
represented people trying to rush with undue haste to spend their budget, we
would investigate that'.[46]
3.55
When asked by the Committee to explain the particular circumstances
outlined in the audit report in relation to the matter of seasonality, Defence advised
that they had not investigated the matter, even though the ANAO report had brought
it to their attention over a year ago.
E-tickets and Cabcharge Fastcards
3.56
Whilst the Defence travel card is the preferred mode of payment for
travel, Defence policy allows Cabcharge and E-tickets to be used in defined and
limited circumstances.[47]
Defence policy requires that the use of Cabcharge FastCard and E-tickets is
limited to recruits, trainees, students and members under 18years of age. Apart
from these users, it is expected that all Defence personnel will use the travel
card for taxi fares and car hire. The benefit to Defence and the Commonwealth of
using the travel card is that there is no administrative surcharge fee.
3.57
Whilst expenditure against Cabcharge Fastcard and E-tickets is not high
(less than $4500 for the three years covered by the audit), the ANAO found that
Defence had not exercised adequate control over the issuing or use of FastCards
or E-tickets. The audit found that there was no system in place, and little
capacity to routinely monitor and manage the risk presented by the use of these
cards.
3.58
The ANAO report found that central units in Defence did not know who
Defence had issued Cabcharge to, how many or when. Although Defence decided to
terminate Cabcharge ‘some years ago’, ‘a number’ remained on issue at the time
of the audit.[48]
Defence did not know how many e-ticket accounts it held with Cabcharge even
though the ANAO identified records of 261,158 taxi trips at a total cost of
$16.28m over the three years of the audit. In addition, some 303 accounts were
opened without proper authority, in contravention of Commonwealth policy that only
a person delegated by the Finance minister may enter into a borrowing arrangement
on behalf of the Commonwealth.
3.59
Defence admitted to the ANAO that there were concerns over a number of
high-cost fares and the lack of justification for their use. Identified issues
included:
- the use of E-tickets used when travel cards could have been used, with
the 100 most expensive taxi fares incurred on e-tickets;
-
the costs of these fares ranged between $425 and $840 for single fares;
and
-
a select group of 12 taxis each undertook 500 or more trips for Defence,
many of them over long distances and at unusual hours.
3.60
The committee did not receive a clear explanation of these matters from
Defence.
Fuel cards
3.61
The committee took an interest in the management of fuel cards, in light
of the now-notorious instance of fraud, at a cost of $585,000 to the Commonwealth
arising through inadvertent access to two fuel cards, gained by a person
outside Defence, from a vehicle first garaged for repairs, then sold. This
history framed the committee's exploration of issues around fuel card
management and use, and the risk of fraud.
3.62
The ANAO audit found that the new arrangements under the whole of
government fleet supply contract have allowed Defence to implement improved controls
over its management and use of fuel cards. Whilst Defence's past management, as
measured by overfill of fuel tanks and the frequency of odometer readings,
reflected an 'ill-disciplined approach', the audit reported signs of (possible)
improvements based on the odometer readings drawn between November 2015 and
January 2016.[49]
Although the number and volume of overfills was substantial in 2014-2015, it
‘declined in the last six months of available records’.
3.63
Defence advised the committee that with the movement to new arrangements
with SG Fleet, they have now instituted routine training on the use of fuel
cards; and that a 'red flag' or exception report, is triggered by
irregularities in the operation of the vehicle fleet. Defence was also able to
reassure that committee that it had investigated and remedied the majority of
outstanding traffic infringements which the ANAO audit had identified as paid
by Defence cards in contravention of Defence policy.
3.64
Defence reassured the committee that controls had been implemented under
the new arrangements with the SG Fleet, which had led to improvements. This
included the introduction of daily exception reports, triggered by more than
three suspicious overfills per vehicle, which requires the responsible unit
transport supervisor to explain the discrepancy in writing. This, alongside the
introduction of PINs for each fuel card (assigned to a vehicle) and work
tickets for staff assigned to a vehicle, had strengthened Defence's capacity to
identify and detect misuse or fraud. In addition to implementing new controls,
Joint Logistics is also developing a series of training programs in
collaboration with the Defence Learning Branch, which will be standardised
across Defence.
Governance framework
3.65
As outlined in Chapter 1, Defence is subject to the PGPA, which
establishes the responsibilities and duties of all non-corporate Commonwealth
entities to ensure the proper use of relevant monies. As the largest and most
well-resourced entity in the Commonwealth, the task facing Defence in its
management of the financial resources at its disposal is considerable.
3.66
Good governance in the public sector comprises both performance and
compliance. It encompasses how the entity manages its overall performance and
the delivery of goods, services and programs—as well as how it ensures it meets
the requirements of the law, regulations, published standards and community
expectations of probity, accountability and openness.[50]
3.67
As the policy guidance set by the Commonwealth resource management framework
acknowledges:
Public sector governance encompasses leadership, direction,
control and accountability, and assists an entity to achieve its outcomes in a
way that enhances confidence in the entity, its decisions and its actions. Good
public sector governance is about getting the right things done in the best
possible way, and delivering that standard of performance on a sustainable
basis.[51]
New credit card governance
framework
3.68
In response to the emerging audit findings, Defence introduced new
governance arrangements for credit and other transaction cards. The primary
intent was to improve monitoring and control arrangements.[52]
Defence also advised the ANAO, after the final audit was complete, that it 'now
undertakes a range of analytical activities to investigate expenditure on a
regular basis, including forensic accounting work and a newly developed credit
card work program'.[53]
The ANAO audit noted that the introduction of new governance arrangements would
'require ongoing senior leadership attention to firmly establish'.
3.69
There were three related issues. Firstly, the audit identified many examples
of card use contrary to Defence policy and procedures—yet none of these were
identified by Defence's routine monitoring and analytics. Secondly, many of
these shortcomings in card use identified by the audit could be traced to risks
already identified, either internally or externally, sometimes years earlier.
Yet, Defence had not put in place the recommended or agreed changes until
compelled to do so by the audit findings. And thirdly, there were instances cited
by the ANAO audit which indicated that Defence had reported to the Senate (or
Parliament) that such changes had been introduced when the changes had not been
implemented at the time the ANAO completed the audit. Often, it was not until
the ANAO audit raised concerns that Defence instigated changes.
Defence's response to card use
contrary to Defence policy and procedures
3.70
A majority of issues raised by the inquiry related to occasions where
individuals, with or without authority, used a card in ways which were contrary
to Defence, or Commonwealth, policy and procedures.
3.71
On more than one occasion during the hearing, Defence argued that,
although the matters raised by the committee appear to demonstrate card use
which is outside or contrary to Defence policy and procedures, this was not the
case. For example, in a discussion about controls to block specific merchants, an
official asserted that Defence was 'unique' and that staff often undertook
activities that 'can appear to be perhaps, some sort of recreational activity
quite often related to training and development and those sorts of
transactions' but are 'perfectly within the guidelines' in venues, such as golf
clubs, that 'corporate entities or other government departments might find
unusual'. And in fact, 'we have not found anything that you would put into the
fraudulent or suspected category'.
3.72
In relation to the $1.147 million purchase of rations for a planned
military training exercise which incurred interest charges of $18,278, Defence repeatedly
asserted that it was simply 'an inappropriate choice of payment method...a bad
decision by an individual'. In this case, the committee was not reassured by
Defence's explanation. Even if the choice of payment method was not fraudulent,
the question remains whether it was an appropriate use of public money.
3.73
As the Commonwealth resource management framework advises, the
government has a responsibility to ensure resources are allocated efficiently
and effectively because it is handling taxpayers' money.[54]
This responsibility is devolved across all government entities, including
Defence, through the Public Governance Act (PGPA). It is the responsibility of
all officials working in Defence to apply practices and procedures in their day
to day operations which meet the governance standards set by the PGPA.[55]
3.74
To achieve these standards, there needs to be effective training for
individuals as well as strong organisational leadership in place. Whilst the
recommendations of the First Principles Review clearly address the leadership
of Defence, the instances reported by the ANAO audit where cards appeared to be
used either in ignorance of, or disregard for, Defence policy and procedures
point to the need for Defence to strengthen the level of information and
training for individuals issued with a credit or transaction card.
3.75
While the role of training and education was outside the scope of the
ANAO audit, the Defence submission advised that a training program around the
use of credit and other transaction cards is in place and that information on
obligations and responsibilities, particularly the prevention of fraud, is
provided routinely through the Defence newsletter, Ethics matters.
3.76
Defence advised the committee that a new training program on fuel cards
had been one of the key strategies implemented to strengthen the effective
application of controls around fuel cards and fleet management.
Vulnerability to Fraud
3.77
Whilst the ANAO audit did not identify specific instances of fraud, it
did refer some cases to the Defence Fraud Control and Investigation Branch for further
investigation. The audit also expressed concern at Defence's level of exposure
to fraud, given the absence of effective controls and the lack of rigor in
Defence's monitoring systems.[56]
The Australian Payments Clearing Association provided additional information to
the inquiry which shows an increase in 'Card Not Present' or virtual card fraud
in Australia.[57]
The Australian Institute of Criminology also provided evidence to the inquiry
on the level of fraud identified within Commonwealth entities.[58]
This evidence suggests that, given the identified lack of rigour and absence of
effective controls, Defence is vulnerable, particularly in relation to CNP
fraud. As the largest Commonwealth agency in relation to expenditure through
credit cards, this is a risk to manage. [59]
3.78
The committee sought clarification from Defence's Military Justice
Directorate on the processes and options available for bringing disciplinary or
other charges related to the misuse of credit and other transaction cards. The
Director of Military Justice is an independent statutory role, which reports
quarterly to the Minister and the Service Chiefs.
3.79
The committee was particularly interested in the deterrence value
represented by publicising convictions. The inquiry was advised that the Military
Justice Court is a public court and its cause lists, although not as open as a
civilian list, are publicised by the Registrar through the services newsletters.
The Director's annual reports, which record annual convictions, are submitted
to parliament and are available publicly.
3.80
The Directorate advised the inquiry that the number of convictions for
fraud were comparatively low and most of the convictions in the previous year
related to fraud for allowances and benefits rather than credit and transaction
card use. The Director was of the view that the extent of card fraud was low,
possibly because of the amount of training on ethics and fraud prevention.
Triggers for change
3.81
There were a number of occasions identified by the ANAO audit where,
despite Defence's own identification of risk, proposed changes to manage risk
did not eventuate. For example, the audit found that Defence had identified an
array of risks and proposed various controls in its 2009 fraud control plan, yet
it was not until the ANAO audit in 2016 identified shortcomings arising from
these very risks that Defence implemented controls, through its new governance
framework, to address them.[60]
3.82
When the committee asked Defence to explain why controls were not
instituted until 2016, when risk had been identified in 2009, Defence was
unable to provide an explanation. In response to a question about why a risk identified
in 2009 was not addressed until 2016, a Defence official responded:
I am
not aware. I was not involved. And Ms Diamond was not involved in the
administration of credit cards at that time. What we have done is this: we
reacted during the development of the audit report to strengthen the controls,
to review the limits and to put in place the sorts of measures we now have.[61]
3.83
This was not the only occasion where Defence was reluctant to take
responsibility for shortcomings identified by the ANAO audit. There was more
than one instance where Defence had made assurances to the Senate that it had
undertaken change, yet the audit found that changes had not been put in place.
For example, Defence had advised a supplementary estimates hearing as early as
November 2013 that card merchant blockings had been put in place. However, as
outlined by the audit, merchant blocking was not established until after the audit
presented its findings in 2016.
3.84
Another example related to fuel card management. Defence advised the
Senate (in June 2015) that ‘an arms-length’ assurance framework, which included
compliance testing, had been in place since April 2015. However, the ANAO audit
found that the effectiveness of the framework could not be determined until it
was tested across all bases—which did not begin until September 2015 and was scheduled
for completion by June 2016.
3.85
One major challenge for Defence is overcoming a history of institutional
inertia when it involves implementing significant organisational change. As the
First Principles Review acknowledged:
The
current organisational model and processes are complicated, slow and
inefficient in an environment which requires simplicity, greater agility and
timely delivery. Waste, inefficiency and rework are palpable. Defence is
suffering from a proliferation of structures, processes and systems with
unclear accountabilities. These in turn cause institutionalised waste, delayed
decisions, flawed execution, duplication, a change-resistant bureaucracy,
over-escalation of issues for decision and low engagement levels amongst
employees.[62]
3.86
Whilst the First Principles Review acknowledged that it had not
considered the transactional work, such as that encompassed by credit and other
transaction cards, the review did observe:
Our
experience, as well as others we have spoken to, suggest that routine administrative
transactions such as travel, accounts payable and computer support involve
unnecessary dense manual processes and rework. Poor processes have clearly been
established and inefficiencies abound. Such transactional work, especially when
it is poorly done, is a distraction from the Defence mission.[63]
3.87
The Review's observations, and the principles on which they are
based, are as relevant to the governance of credit and other transaction cards
as they are to Defence's investment in its defence capability.
Navigation: Previous Page | Contents | Next Page