Chapter 3

Key issues

Introduction

3.1        This chapter outlines two key issues arising from the evidence received in relation to the terms of reference of the inquiry. These include:

  1. the effectiveness of controls in relation to credit and other transaction cards; and
  2. the governance framework for credit and other transaction cards.

Effectiveness of controls

3.2        Controls on credit and other transaction cards may operate in two ways: controls that are designed to ensure that the individual using the card is the authorised cardholder; and those that are designed to ensure that authorised cardholders use the card in accordance with policy and procedures designated by the organisation, or a broader accountable authority, such as the Commonwealth. Controls act to either prevent or detect the misuse of cards, intentional or otherwise.

3.3        The ANAO audit found that Defence had identified some risks and some controls on the use of credit and transaction cards in the Department's fraud control plans. However, the audit found that the suite of preventative controls was incomplete and of limited effectiveness. Controls had either been inconsistently applied or simply not implemented. The audit canvassed a range of issues around preventative controls, with this inquiry focusing on two of these in particular: merchant blocking and cash advances.

3.4        The audit also found that while some detective controls had been implemented, the effectiveness of these controls was undermined by a lack of rigour or systematic application. In particular, the ANAO report highlighted that Defence had not drawn on available management information to monitor and analyse credit or transaction card activity. The audit identified various transactions where analysis of available information could have helped identify and manage risks. The committee explored related concerns extensively with Defence during the inquiry, including:

  1. instances of non-compliance with Defence and Commonwealth policies and procedures, particularly in relation to traffic infringements and AusTender; and
  2. claims of seasonality in routine payments, with ad hoc changes to card limits for apparently predictable operating costs.

3.5        The inquiry was particularly concerned by the apparent 'softness' in the acquittals process for transactions using virtual and physical cards, particularly in relation to cash advances and electronic transfers.

Travel and purchase cards

3.6        Defence travel cards (DTCs) are issued by Defence under the whole-of-government (WOG) arrangements established by the Department of Finance.[1] Defence assumes all personnel need to travel and so all personnel who meet the legal requirements for card access are routinely issued with a DTC. In 2014-15, Defence was responsible for 41 per cent of all Commonwealth expenditure on travel cards, an amount of some $286.7 million. In comparison to other Commonwealth entities, Defence spent proportionately more on car rental, taxi travel and cash advances through the travel card.[2]

3.7        Arrangements for Defence purchase cards are managed independently by Defence, separate from the WOG arrangements for travel cards. Purchase cards are intended to be utilised by Defence personnel to buy goods and services under $10,000, reflecting the high volume, low-level transactions considered routine to Defence's purchasing environment, and as recommended by Department of Finance guidelines. The ANAO audit found that Defence spent between $10 and $40 million each month using the purchasing cards over the three years covered by the audit.

Controls on what is purchased: merchant blocking

3.8        All merchants are assigned an identifier code, which is utilised when credit and other transaction cards are used to make a payment. Blocking is a control where transactions against certain merchant codes are automatically prevented, or blocked. It prevents the card user from transactions against merchants which are considered to offer goods and services outside the usual purview of Defence and for which the card user could not assume to have the authority or approval to transact.

3.9        Defence acknowledged that at the time of the audit, only one merchant category was blocked on the DTC.[3] However, although this block had been in place for eight years, the ANAO found 24 transactions, at a cost of $15,000, against this merchant category during the audit, indicating that the block had been ineffectively applied. In addition, the ANAO found that no categories were blocked on the Purchase Card, and there were 1900 transactions by Purchase Card in the same category at a cost of $3.3 million.

3.10      When questioned by the ANAO on these inconsistencies during the audit, Defence could not retrieve the paperwork which explained their rationale for blocking this category or for the absence of blocks generally. In explanation, Defence told the ANAO:

...Generally, they did not have blocked merchant categories because of inconsistencies in merchant categories when compared to the goods and services actually provided by the merchant.[4]

3.11      However, in response to the draft audit report, Defence assured the audit team that, in accord with the new governance arrangements, Defence had now introduced and applied merchant blocking as a dedicated control: two new merchant categories were blocked on both travel cards and purchase cards and another 50 merchant categories are monitored routinely.[5] This was confirmed by Defence's submission to the inquiry which provided lists of blocked merchants.[6]

3.12      However, when the committee questioned Defence on these matters during the public hearing on 7 April, Defence asserted that the nature of the work in Defence can seem '...a bit unusual for corporate entities and other government departments'. It might require activities in locations which are considered unusual by those outside the department but in fact, 'represent valid procurement of approved goods and services within the guidelines'.[7]

Controls on access to cash advances on travel cards

3.13      As part of negotiated conditions of employment, Defence personnel can access cash through the Defence travel cards to withdraw allowances for meals and incidentals, although Defence policy encourages use of the DTC to pay the supplier direct for the expenses which these entitlements are expected to meet.[8] Once travel is approved, subject to travel taking place as approved, cash withdrawal requires no separate authorisation. Cash advanced to Defence travellers totalled $52 million, comprising 7.5 per cent of all Commonwealth entity travel card expenditure in the audit period. Defence travellers accounted for almost all this amount, comprising 97 per cent of all cash advances across government using the travel card.[9]

3.14      The ANAO audit found that, whilst Defence had identified that the ‘single greatest risk to the (Defence Travel Card) Program is the unauthorised use of cash’, the Defence Card Management System (CMS) was singularly not ‘well suited’ to acquitting cash in advance.[10] The ANAO identified a range of practices around the use of the Defence travel card which it considered 'difficult to reconcile with Defence policy'.[11] Consequently, a chief concern for the committee was the arrangements for accessing cash and the corresponding controls around the acquittal process. Two examples identified by the ANAO report highlight this concern: the amount of interest generated through cash advances, and that the amount of cash advanced can be greater than entitlements indicate. In both instances, the committee was concerned by the apparent 'softness' of the acquittal process.

3.15      Observing that cash advanced for travel allowances can amount to large sums, particularly for longer trips, the ANAO reviewed the top 30 individual withdrawals in the six months between January and June 2015. These transactions ranged from just under $8500 to $42,384. As Defence agreed during the hearings, cash withdrawals on the travel cards carry a charge, in most cases, of 1.75 per cent of the value of the withdrawal.[12] The ANAO found that in 2014-15, Defence personnel withdrew $50,761,587 using the DTC at an approximate further cost of $888,328 through interest charges on cash advances to Defence.[13]

3.16      The ANAO also found that, in practice, Defence personnel accessed cash from the travel card greater than the amount allocated as allowances for meals and incidentals. An audit sample showed that 37 per cent of withdrawals either exceeded the approved amount for meals and incidental allowances and no receipts or other support documentation was provided to show that actual expenditure was incurred; or insufficient documentation was provided to determine the values of approved meals and incidentals.[14]

3.17      The sample suggested that personnel were withdrawing cash not only for meals and incidentals but also for a further part of their approved travel, such as accommodation, training or other costs which Defence policy expects to be paid either centrally, through virtual card payments, or through other payment means such as purchase orders in response to an invoice.

3.18      At the hearing, the committee asked Defence to explain why Defence personnel needed cash for travel, when other entities do not access cash for their travel entitlements and especially when, as Defence agreed, acquitting cash advances is 'risky' practice.[15] The committee asked what, in particular, makes Defence so different to all the other departments that its personnel require access to cash to travel.

3.19      Defence explained that access to cash was a condition of service for all ADF and APS personnel in Defence. However, it was 'a requirement on all officers' to seek appropriate approval for travel through the department's online travel calculator, and acquit appropriately through the after-travel certification.[16] In instances where travel varied from the approved circumstance, it was incumbent upon the officer travelling to advise the department and reimburse funds accordingly, as necessary. If the department found an officer had not repaid excess travel funds, a debit note would be issued. 

3.20      When the Committee asked the department the value of overpayments in travel allowances, and how many debit notes the department had issued in relation to non-acquitted cash advances, Defence was unable to respond.

3.21      The committee explored one of the specific examples identified by the audit and asked Defence to explain the circumstances surrounding the cash withdrawal of $42,384. The department advised it had not investigated the report, and instead responded:

I suspect that that is a case where people stepped outside of the guideline and took cash for elements that should be covered in the whole of government travel arrangements, that is, hotels, airfares and that sort of thing.[17]

3.22      When the committee asked why a relevant supervisor or person approving travel did not also take an interest in staff travel acquittals, Defence explained that although a delegate might have overall management responsibility, the primary responsibility lies with the individual to acquit their travel.[18] There does not appear to be any independent verification or spot checks to confirm that a transaction was validly acquitted:

There is a requirement to acquit your transactions, which requires you to log into the system and look at them... the duties of officials requires them to put the right due diligence in to checking that their accounts are correct.[19]

3.23      The committee was concerned about what this example illustrated for the overall system for monitoring acquittals. It appeared there was no mechanism or 'red flag' to prompt an internal audit review of the transaction even when, as in this case, the rationale put forward was that it was likely the transaction was contrary to Defence policy guidelines. The main concern is that Defence's Acting Chief Finance Officer and the First Assistant Secretary, Financial Services, did not know of the irregularity until it was raised by the ANAO audit, and even then, Defence did not investigate the matter further when it was brought to its attention.

3.24      Defence responded that it ran a range of checks on both purchase and travel cards, looked for unusual transactions, blocked merchants, unusual amounts and places, and used techniques unique to Defence because of 'the nature of the business'.[20] However, the committee was not reassured by Defence's claim that because there was 'no evidence of fraud' in the majority of cases, the system was working.[21]

3.25      The examples illustrated by the audit and raised by the committee suggested otherwise. Defence had not adequately responded to criticism that 'a very high number of transactions... are signed off by the individual incurring expenses', with essentially no other checks on the integrity of the transactions.[22] Advancing cash to Defence personnel for travel incurred over $880,000 in interest charges to the Department. The committee was not reassured as to why Defence persisted with such a risky practice, especially in the absence of independent checks on travel acquittals. The committee did not find persuasive Defence's repeated explanation that cash was 'a longstanding and...very popular part of people's conditions of service', nor was it persuaded that the cost to the Commonwealth was justified.[23]

Controls on access to cash advances on purchase cards

3.26      The committee was concerned by the ANAO audit's findings in relation to the absence of controls over the authorisation of cash access on purchase cards. Cash withdrawn on a purchase card is an advance of relevant money under the PGPA and requires authorisation under the Defence Accountable Authority Instructions. Until the audit, the card supplier had issued access to cash at the request of cardholders and without confirming the approval/authorisation of the relevant Defence delegate.

3.27      Defence advised the committee that authorisation to access cash now requires the written approval of the relevant Group or ADF Services CFO based on a justified business case.[24] This change was introduced as part of the new governance arrangements introduced following the audit. The committee was satisfied that this oversight had been addressed. However, it remained concerned by the interest charges generated by cash advances and the potential this represented for waste of Commonwealth monies.

3.28      The ANAO tested a small sample of cash withdrawals using purchase cards and found multiple withdrawals of substantial amounts to pay merchants for goods and services. There were numerous examples identified by the audit of cash withdrawals on purchase cards where card use was not consistent with Defence policy. The hearing with Defence highlighted one particular example of concern.[25]

3.29      The audit uncovered one case which showed a series of three cash withdrawals of $99,999 by the same Defence official on the same day to pay the same supplier. The audit revealed that these were part of a succession of cash withdrawals to the value of $879,000 over 10 days by the same official. After being alerted by the audit, Defence investigated the card holder's purchasing activities further. It found that the cardholder had withdrawn over $1.147 million to pay suppliers, primarily to purchase rations for a planned military training exercise in Queensland.[26] These transactions were electronic transfers rather than physical cash withdrawals. Defence advised that such transactions are identified and treated as cash withdrawals by the bank and in reports received by Defence. These specific transactions attracted interest as a cash advance of $18,278.[27]

3.30      When questioned by the committee, Defence acknowledged that this case was an instance of bad decision-making by the individual concerned:

The person who was running that part of the exercise, in terms of rations and other sorts of provision for the exercise and making payments, decided, without the right sort of advice and without seeking advice, for instance, from the CFO or the finance team, that it would be a good idea to make those payments through electronic funds transfers - through credit card - rather than in our usual way of paying those sorts of account by raising a purchase order and paying through an invoice, which would have been our advice.[28]

3.31      Defence explained that whilst an individual had clearly made a 'bad decision', the subsequent internal investigation by Defence's audit team showed that the purchase was within approvals and therefore appropriate.[29] The individual had merely chosen the wrong method of payment, rather than engaging in any fraudulent activity. While Defence admitted that the transactions were a breach of policy and bad administration, it told the committee on a number of occasions that the purchase fell within the approvals process.[30]

3.32      The committee's concerns with this example cover three main issues:

  1. the lack of controls to prevent this choice of payment method for an event that was both 'predicted and predictable', rather than 'unusual or an emergency' circumstance;[31]
  2. an apparent lack of regard for departmental 'policy, procedures and guidelines...or prudent practice' given the interest charges generated by the choice of payment method;[32] and
  3. whether the Department had taken steps to both prevent this kind of 'bad decision' occurring again and to ensure that if it did, Defence would know about it through its own analytics, rather than rely on a subsequent audit to uncover the irregularity.

3.33      Defence explained to the committee that as a result of their internal investigations the department had taken a range of steps, both with the specific contract management cell and for the specific individual concerned:

[Defence has] updated their standard operating procedures...instigated training such as carrying out basic procurement, consolidation of complex procurement, management of contracts, effective contract management and operational contract management...(and undertook)...internal reviews of contracting processes. The official involved has undertaken a number of additional courses such as 'managing money in accordance with the rules', 'accountability', 'your responsibility', 'completing procurement forms', 'responsive record keeping' and 'objective use of training'.[33]

3.34      Defence, however, confirmed that its analytics would not have uncovered this irregularity through existing processes, explaining, somewhat inconsistently, that as 'there was no fraud' the transactions would not have attracted attention under Defence's administrative processes.[34]

The role of the independent reviewer

3.35      The committee drew Defence's attention to its concern over the risk posed by the absence of an independent 'second person' check in the acquittals process. At the time of the ANAO audit, one of the key controls which Defence relied on to ensure cash advances on purchase cards were acquitted appropriately was the independent review—or second person check—between the cardholder and their CMS supervisor. The ANAO had independently identified from the literature that a 'second-person check' or independent review to verify a transaction was considered by the audit industry to be one of the most effective controls available to ensure the proper use of relevant monies.[35]

3.36      Yet, the ANAO found that this control was no longer in use by Defence. The opportunity for authentic verification of the high volume of transactions in Defence's unique work environment introduced a range of challenges which were not being adequately addressed. Chief amongst these concerns were:

3.37      These last two concerns made it difficult, in practice, to dispute a transaction which the card holder had accepted.

3.38      Whilst Defence sought to address these concerns in the new governance framework for credit cards introduced in response to the audit, the specific provisions addressing the independent reviewer (the CMS Supervisor) controls subsequently disappeared from the governance framework attached to Defence's written submission to the inquiry.[36] It appears that Defence has now removed this control from its processes.[37] The control has been removed even though Defence's submission to this inquiry indicates that the risk of unauthorised use of a Defence credit card remains.

3.39      The Enterprise Wide Defence Credit Card Fraud Risk Assessment notes that the 'Card Management Supervisor acquittal' is scheduled to be removed with the introduction of automated transaction loads.[38] Defence will instead implement forensic, exception-based reporting to mitigate the risk.[39] However, a second attachment to the Defence submission, the Credit Card and Defence Financial Risk Controls Framework Work Plan for 2016-2017, says that:

With the imminent removal of the requirement for CMS Supervisors to approve transactions in the CMS system, it has been directed that additional tests need to be developed to provide assurance over the transactions. One of these is a commitment to test every card at least once per year. This will add significant workload and requires additional resources and support.[40] 

3.40      Defence is yet to advise whether additional resources and support have been assigned to implement the forensic, exception-based reporting, which Defence has asserted will mitigate the risk of removing one of the industry-recognised best practice controls.

Detective controls on purchase cards

3.41      Whilst the purchase card is subject to many of the same concerns canvassed regarding the travel cards, the inquiry highlighted three areas of concern over the rigour of detective controls in relation to purchase cards:

  1. the payment of traffic infringements in contravention of Defence policy;
  2. expenditure inconsistent with AusTender guidelines; and
  3. seasonal patterns to spending which may indicate potential waste or poor planning.

Traffic infringements

3.42      Defence policy states that drivers are personally liable for all fines or penalties for traffic and driving infringements and offences imposed by civilian police and state and territory authorities arising out of use of a Defence vehicle. However, in its review of purchase card transactions, the ANAO audit found fifty transactions to the value of $35,000 where Defence paid fines to a state or territory authority for traffic infringements such as driving in a T-way or speeding in a school zone. There were also instances where Defence not only paid the initial infringement fine, but also paid subsequent fines imposed when fines were not paid by due dates because drivers were not identified and nominated by Defence.

3.43      The Defence Fraud Control Directorate reported that the reasons given by individuals or their work units for non-payment of fines include that the infringements occurred during charity events (implying that members were contributing as official representatives of Defence and thus the obligation to pay the fine referred back to the department); that local base instructions ‘did not advise’ Defence drivers not to drive in a T-way; and that the identified member was visiting a fellow Defence member in hospital due to an injury sustained during a workplace incident and therefore, the oversighting officer felt that Defence should carry the fine.

3.44      At ANAO’s instigation, Defence identified 119 traffic infringements paid by purchase cards between July 2012 and November 2015. Consequently, Defence's First Assistant Secretary, Audit and Fraud Control, wrote to the Chiefs of Services in January 2016 seeking an ‘assessment of the effectiveness of the management of traffic fines’. Defence assured the audit team that it had 'strengthened its analytics function' and would ‘monitor relevant merchant categories' including examining cash withdrawals and traffic fines on a monthly basis.

3.45      During the inquiry, Defence agreed that the fact that a number of drivers who incurred fines were not identified was unacceptable. Defence advised that all infringements reported by the audit had been investigated, with reimbursement or other remediation effected in all but 15 such infringements.

Inconsistencies with AusTender

3.46      Since 2007 all Commonwealth entities have been required to publish details of procurement contracts and entity agreements above the value of $10,000 and report these within 42 days. The ANAO audit reviewed Defence's largest 100 payments, ranging between $97,000 and $691,700 on the purchase card. It found numerous examples where procurement appeared to be inconsistent or contrary to the AusTender guidelines. These included issues such as:

  1. contract values reported on AusTender are incorrect;
  2. reporting occurs outside the timeframe;
  3. payments are incorrectly blocked from AusTender by CMS users;
  4. payments are not reported on AusTender;
  5. payments are recorded under the wrong supplier; and
  6. 1000 pairs of Purchase Card payments, which, on face value, should have been reported to AusTender were not because they were split into amounts less than $10,000.

3.47      It has previously come to light during an estimates hearing in October 2016 that a Defence staff member had purchased a large number of pairs of boots at a cost of $160,000 through a series of multiple transactions under $10,000 on his purchase card. Investigations revealed that it was an authorised purchase by the logistics officer who had purchased the boots for the use of Duntroon staff. The committee was concerned that the series of multiple transactions, each just below $10,000, over a short space of time and totalling a significant sum of money, did not trigger any 'red flags' in Defence's system.

Seasonal patterns of expenditure

3.48      The ANAO audit identified seasonal patterns of expenditure for goods and services in May-June of each financial year, with corresponding evidence of requests to increase credit card limits which enabled card holders to exhaust budget allocations before the end of year financial cut-off. This was justified as routine expenses, such as regular utilities payments, stationery and furniture. Whilst the purchases may have been in accord with authorised approvals, the pattern of seasonal spending, in conjunction with one-off increases in card limits, indicated this could be a routine practice to exhaust budget allocations as the financial year drew to a close. There was also a suggestion that the payments were split to avoid AusTender requirements.

3.49      The audit finding raised questions for the Committee about the efficiency and effectiveness of annual planning and expenditure, which Defence at the hearing was unable to address with confidence. When questioned by the Committee on the audit findings, Defence challenged the audit's interpretation that seasonality on card purchases was common, or, if it occurred, indicated an intention to exhaust budget allocations before the end of financial year in ways that were uneconomic or inefficient.

3.50      Defence claimed that the 'seasonality in purchase cards follows the natural ups and down in the business cycle'.[41] Further, the Acting CFO explained: 'even if there may be a spike in the level of expenditure in those last few months...it is in low value items...86% of the transactions on defence purchasing card are for $2,000 or less.'[42]

3.51      Rather than reassuring the committee, Defence's responses reinforced the committee's concern about Defence's approach to credit card expenditure. As the Chair, Senator Gallacher, indicated:

I would have thought that would have meant that fraud control, risk processes, algorithm and analytics would have been in place since 2009 and we would not be having this inquiry. But they were not put in place in 2009 and in 2016, we saw an audit report which raised really big questions about those other 14 percent of transactions.[43]

3.52      The Defence acting CFO asserted that despite the audit's findings, Defence did have controls in place, noting that:

I appreciate that we spend more on credit cards ...but... as a percentage of our entire spend as a department, it is actually only two percent of our entire appropriation in any given year.[44]

3.53      This did not reassure the Committee Chair, who pointed out:

I think that you should have the strongest and the best controls of any department because you do more of it. You should have the algorithms; you should have the analytics. You should have the credit card issues giving you top services because you are paying them a fee.[45]

3.54      In an attempt to reassure the Committee, Defence indicated that, following the audit, Defence had introduced a rolling program and monthly analytics. In this process, Defence routinely reviews all purchases to ensure they are made with the requisite approval and to make sure that purchases are cost-effective within a budgeted plan. Had Defence found any expenditure which 'we considered did not represent a cost-effective way of doing business or that perhaps represented people trying to rush with undue haste to spend their budget, we would investigate that'.[46]

3.55      When asked by the Committee to explain the particular circumstances outlined in the audit report in relation to the matter of seasonality, Defence advised that they had not investigated the matter, even though the ANAO report had brought it to their attention over a year ago.

E-tickets and Cabcharge Fastcards

3.56      Whilst the Defence travel card is the preferred mode of payment for travel, Defence policy allows Cabcharge and E-tickets to be used in defined and limited circumstances.[47] Defence policy requires that the use of Cabcharge FastCard and E-tickets is limited to recruits, trainees, students and members under 18 years of age. Apart from these users, it is expected that all Defence personnel will use the travel card for taxi fares and car hire. The benefit to Defence and the Commonwealth of using the travel card is that there is no administrative surcharge fee.

3.57      Whilst expenditure against Cabcharge Fastcard and E-tickets is not high (less than $4500 for the three years covered by the audit), the ANAO found that Defence had not exercised adequate control over the issuing or use of FastCards or E-tickets. The audit found that there was no system in place, and little capacity to routinely monitor and manage the risk presented by the use of these cards.

3.58      The ANAO report found that central units in Defence did not know who Defence had issued Cabcharge to, how many or when. Although Defence decided to terminate Cabcharge ‘some years ago’, ‘a number’ remained on issue at the time of the audit.[48] Defence did not know how many e-ticket accounts it held with Cabcharge even though the ANAO identified records of 261,158 taxi trips at a total cost of $16.28m over the three years of the audit. In addition, some 303 accounts were opened without proper authority, in contravention of Commonwealth policy that only a person delegated by the Finance minister may enter into a borrowing arrangement on behalf of the Commonwealth.

3.59      Defence admitted to the ANAO that there were concerns over a number of high-cost fares and the lack of justification for their use. Identified issues included:

  1. the use of E-tickets when travel cards could have been used, with the 100 most expensive taxi fares incurred on e-tickets;
  2. the costs of these fares ranged between $425 and $840 for single fares; and
  3. a select group of 12 taxis each undertook 500 or more trips for Defence, many of them over long distances and at unusual hours.

3.60      The committee did not receive a clear explanation of these matters from Defence.

Fuel cards

3.61      The committee took an interest in the management of fuel cards, in light of the now-notorious instance of fraud, at a cost of $585,000 to the Commonwealth, arising through inadvertent access to two fuel cards, gained by a person outside Defence, from a vehicle first garaged for repairs, then sold. This history framed the committee's exploration of issues around fuel card management and use, and the risk of fraud.

3.62      The ANAO audit found that the new arrangements under the whole of government fleet supply contract have allowed Defence to implement improved controls over its management and use of fuel cards. Whilst Defence's past management, as measured by overfill of fuel tanks and the frequency of odometer readings, reflected an 'ill-disciplined approach', the audit reported signs of (possible) improvements based on the odometer readings drawn between November 2015 and January 2016.[49] Although the number and volume of overfills was substantial in 2014-2015, it ‘declined in the last six months of available records’.

3.63      Defence advised the committee that, with the movement to new arrangements with SG Fleet, it has now instituted routine training on the use of fuel cards, and that a 'red flag' or exception report is triggered by irregularities in the operation of the vehicle fleet. Defence was also able to reassure the committee that it had investigated and remedied the majority of outstanding traffic infringements which the ANAO audit had identified as paid by Defence cards in contravention of Defence policy.

3.64      Defence reassured the committee that controls had been implemented under the new arrangements with SG Fleet, which had led to improvements. These included the introduction of daily exception reports, triggered by more than three suspicious overfills per vehicle, which require the responsible unit transport supervisor to explain the discrepancy in writing. This, alongside the introduction of PINs for each fuel card (assigned to a vehicle) and work tickets for staff assigned to a vehicle, had strengthened Defence's capacity to identify and detect misuse or fraud. In addition to implementing new controls, Joint Logistics is also developing a series of training programs in collaboration with the Defence Learning Branch, which will be standardised across Defence.

Governance framework

3.65      As outlined in Chapter 1, Defence is subject to the PGPA, which establishes the responsibilities and duties of all non-corporate Commonwealth entities to ensure the proper use of relevant monies. As the largest and most well-resourced entity in the Commonwealth, the task facing Defence in its management of the financial resources at its disposal is considerable.

3.66      Good governance in the public sector comprises both performance and compliance. It encompasses how the entity manages its overall performance and the delivery of goods, services and programs—as well as how it ensures it meets the requirements of the law, regulations, published standards and community expectations of probity, accountability and openness.[50]

3.67      As the policy guidance set by the Commonwealth resource management framework acknowledges:

Public sector governance encompasses leadership, direction, control and accountability, and assists an entity to achieve its outcomes in a way that enhances confidence in the entity, its decisions and its actions. Good public sector governance is about getting the right things done in the best possible way, and delivering that standard of performance on a sustainable basis.[51]

New credit card governance framework

3.68      In response to the emerging audit findings, Defence introduced new governance arrangements for credit and other transaction cards. The primary intent was to improve monitoring and control arrangements.[52] Defence also advised the ANAO, after the final audit was complete, that it 'now undertakes a range of analytical activities to investigate expenditure on a regular basis, including forensic accounting work and a newly developed credit card work program'.[53] The ANAO audit noted that the introduction of new governance arrangements would 'require ongoing senior leadership attention to firmly establish'.

3.69      There were three related issues. Firstly, the audit identified many examples of card use contrary to Defence policy and procedures—yet none of these were identified by Defence's routine monitoring and analytics. Secondly, many of these shortcomings in card use identified by the audit could be traced to risks already identified, either internally or externally, sometimes years earlier. Yet, Defence had not put in place the recommended or agreed changes until compelled to do so by the audit findings. And thirdly, there were instances cited by the ANAO audit which indicated that Defence had reported to the Senate (or Parliament) that such changes had been introduced when the changes had not been implemented at the time the ANAO completed the audit. Often, it was not until the ANAO audit raised concerns that Defence instigated changes.

Defence's response to card use contrary to Defence policy and procedures

3.70      A majority of issues raised by the inquiry related to occasions where individuals, with or without authority, used a card in ways which were contrary to Defence, or Commonwealth, policy and procedures.

3.71      On more than one occasion during the hearing, Defence argued that, although the matters raised by the committee appear to demonstrate card use which is outside or contrary to Defence policy and procedures, this was not the case. For example, in a discussion about controls to block specific merchants, an official asserted that Defence was 'unique' and that staff often undertook activities that 'can appear to be perhaps, some sort of recreational activity quite often related to training and development and those sorts of transactions' but are 'perfectly within the guidelines' in venues, such as golf clubs, that 'corporate entities or other government departments might find unusual'. And in fact, 'we have not found anything that you would put into the fraudulent or suspected category'.

3.72      In relation to the $1.147 million purchase of rations for a planned military training exercise which incurred interest charges of $18,278, Defence repeatedly asserted that it was simply 'an inappropriate choice of payment method...a bad decision by an individual'. In this case, the committee was not reassured by Defence's explanation. Even if the choice of payment method was not fraudulent, the question remains whether it was an appropriate use of public money.  

3.73      As the Commonwealth resource management framework advises, the government has a responsibility to ensure resources are allocated efficiently and effectively because it is handling taxpayers' money.[54] This responsibility is devolved across all government entities, including Defence, through the Public Governance Act (PGPA). It is the responsibility of all officials working in Defence to apply practices and procedures in their day to day operations which meet the governance standards set by the PGPA.[55]

3.74      To achieve these standards, there needs to be effective training for individuals as well as strong organisational leadership in place. Whilst the recommendations of the First Principles Review clearly address the leadership of Defence, the instances reported by the ANAO audit where cards appeared to be used either in ignorance of, or disregard for, Defence policy and procedures point to the need for Defence to strengthen the level of information and training for individuals issued with a credit or transaction card.

3.75      While the role of training and education was outside the scope of the ANAO audit, the Defence submission advised that a training program around the use of credit and other transaction cards is in place and that information on obligations and responsibilities, particularly the prevention of fraud, is provided routinely through the Defence newsletter, Ethics matters.

3.76      Defence advised the committee that a new training program on fuel cards had been one of the key strategies implemented to strengthen the effective application of controls around fuel cards and fleet management. 

Vulnerability to Fraud

3.77      Whilst the ANAO audit did not identify specific instances of fraud, it did refer some cases to the Defence Fraud Control and Investigation Branch for further investigation. The audit also expressed concern at Defence's level of exposure to fraud, given the absence of effective controls and the lack of rigour in Defence's monitoring systems.[56] The Australian Payments Clearing Association provided additional information to the inquiry which shows an increase in 'Card Not Present' (CNP) or virtual card fraud in Australia.[57] The Australian Institute of Criminology also provided evidence to the inquiry on the level of fraud identified within Commonwealth entities.[58] This evidence suggests that, given the identified lack of rigour and absence of effective controls, Defence is vulnerable, particularly in relation to CNP fraud. As the largest Commonwealth agency in relation to expenditure through credit cards, this is a risk to manage.[59]

3.78      The committee sought clarification from Defence's Military Justice Directorate on the processes and options available for bringing disciplinary or other charges related to the misuse of credit and other transaction cards. The Director of Military Justice is an independent statutory role, which reports quarterly to the Minister and the Service Chiefs.

3.79      The committee was particularly interested in the deterrence value represented by publicising convictions. The inquiry was advised that the Military Justice Court is a public court and its cause lists, although not as open as a civilian list, are publicised by the Registrar through the services newsletters. The Director's annual reports, which record annual convictions, are submitted to parliament and are available publicly.

3.80      The Directorate advised the inquiry that the number of convictions for fraud was comparatively low and most of the convictions in the previous year related to fraud for allowances and benefits rather than credit and transaction card use. The Director was of the view that the extent of card fraud was low, possibly because of the amount of training on ethics and fraud prevention.

Triggers for change

3.81      There were a number of occasions identified by the ANAO audit where, despite Defence's own identification of risk, proposed changes to manage risk did not eventuate. For example, the audit found that Defence had identified an array of risks and proposed various controls in its 2009 fraud control plan, yet it was not until the ANAO audit in 2016 identified shortcomings arising from these very risks that Defence implemented controls, through its new governance framework, to address them.[60]

3.82      When the committee asked Defence to explain why controls were not instituted until 2016, when risk had been identified in 2009, Defence was unable to provide an explanation. In response to a question about why a risk identified in 2009 was not addressed until 2016, a Defence official responded:

I am not aware. I was not involved. And Ms Diamond was not involved in the administration of credit cards at that time. What we have done is this: we reacted during the development of the audit report to strengthen the controls, to review the limits and to put in place the sorts of measures we now have.[61]

3.83      This was not the only occasion where Defence was reluctant to take responsibility for shortcomings identified by the ANAO audit. There was more than one instance where Defence had made assurances to the Senate that it had undertaken change, yet the audit found that changes had not been put in place. For example, Defence had advised a supplementary estimates hearing as early as November 2013 that card merchant blockings had been put in place. However, as outlined by the audit, merchant blocking was not established until after the audit presented its findings in 2016.

3.84      Another example related to fuel card management. Defence advised the Senate (in June 2015) that ‘an arms-length’ assurance framework, which included compliance testing, had been in place since April 2015. However, the ANAO audit found that the effectiveness of the framework could not be determined until it was tested across all bases—which did not begin until September 2015 and was scheduled for completion by June 2016.

3.85      One major challenge for Defence is overcoming a history of institutional inertia when it involves implementing significant organisational change. As the First Principles Review acknowledged:

The current organisational model and processes are complicated, slow and inefficient in an environment which requires simplicity, greater agility and timely delivery. Waste, inefficiency and rework are palpable. Defence is suffering from a proliferation of structures, processes and systems with unclear accountabilities. These in turn cause institutionalised waste, delayed decisions, flawed execution, duplication, a change-resistant bureaucracy, over-escalation of issues for decision and low engagement levels amongst employees.[62]

3.86      Whilst the First Principles Review acknowledged that it had not considered the transactional work, such as that encompassed by credit and other transaction cards, the review did observe:

Our experience, as well as others we have spoken to, suggest that routine administrative transactions such as travel, accounts payable and computer support involve unnecessary dense manual processes and rework. Poor processes have clearly been established and inefficiencies abound. Such transactional work, especially when it is poorly done, is a distraction from the Defence mission.[63]

3.87      The Review's observations, and the principles on which they are based, are as relevant to the governance of credit and other transaction cards as they are to Defence's investment in its defence capability.
