Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on the Australian Commission for Law Enforcement Integrity
01/08/2017
Integrity of Australia's border arrangements

JACKSON, Ms Deborah, Executive Director, Performance Audit Services Group, Australian National Audit Office

MORRIS, Mr Andrew, Acting Group Executive Director, Performance Audit Services Group, Australian National Audit Office

Committee met at 09:01

CHAIR ( Senator McKenzie ): I declare open this public hearing of the Parliamentary Joint Committee on the Australian Commission for Law Enforcement Integrity. The committee is hearing evidence for its inquiry into the integrity of Australia's border arrangements. The committee's proceedings today will be broadcast on the APH website. I remind witnesses that in giving evidence to the committee they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee, and such action may be treated by the parliament as a contempt. It is also a contempt to give false or misleading evidence to a committee. The committee prefers evidence to be given in public, but under Senate resolutions you have the right to request to be heard in camera, and that is obviously a decision for the committee. If you do think you may need to go in camera today, please bring it to the attention of our secretariat. I remind committee members and officers that the Senate has resolved that an officer of a department of the Commonwealth should not be asked to give opinions on matters of policy and shall be given reasonable opportunity to refer questions asked of the officer to superior officers or to a minister. This resolution prohibits only questions asking for opinions on matters of policy and does not preclude questions asking for explanations of policies or factual questions about when and how policies were adopted. With the formalities over, I welcome everyone here today, especially representatives from the ANAO. You've provided submission no. 3. Are there any amendments or additions to that submission?

Mr Morris : No.

CHAIR: I now invite you to make an opening statement, then we'll go to questions.

Mr Morris : Thank you, Chair and committee members, for the opportunity of allowing us to provide evidence today. The ANAO has not carried out an audit of the integrity of Australia's seaport and airport borders, but a few performance audits have referred to corruption risk within Commonwealth entities. As such, this statement and our evidence today will be largely based on the findings of five performance audit reports conducted since 2010-11 that refer to corruption risk within Commonwealth entities. These five reports areThe Australian Border Force's use of statutory powers,2016-17; Screening of international mail, 2013-14;Policing at Australian international airports, the same year; Management of detained goods, 2012-13; and Management of the Aviation and Maritime Security Identification Card schemes, 2010-11.

Most recently, the ANAO assessed the establishment and administration of the Australian Border Force's framework to ensure the lawful exercise of powers in accordance with applicable legislation. The Australian Border Force's use of statutory powers report noted that, while the Department of Immigration and Citizenship was finalising profiles for each of its enterprise risks, the profile at that time relating to unlawful or inappropriate use of coercive powers conflated this risk with integrity and corruption risks, which have different internal controls. The audit concluded that the department's enterprise risk management framework did not adequately address the risk of officers using coercive powers unlawfully or inappropriately. The ANAO recommended that the department develop and disseminate a separate enterprise risk profile relating to the risk of officers exercising powers unlawfully or inappropriately due to inadequate guidelines, training or supervision rather than corruption.

In 2013-14 the ANAO audited the screening of international mail and policing of Australian international airports. During the screening of international mail audit, the Australian Federal Police advised the ANAO that it had not identified any instances of corruption in international mail, but that organised crime employs sophisticated methods to circumvent screening and law enforcement efforts. The report noted that the Department of Agriculture and the former Australian Customs and Border Protection Service had agency-wide risk plans that outlined staffing-related challenges at the border, such as corruption, and some of the mitigation strategies in place to manage these challenges. Customs, Agriculture and the Australian Federal Police had advised the ANAO that they had not identified any cases where staff working in international mail had been corrupted or had colluded with organised crime.

Policing at Australian international airports mentions corruption in the context of complaints against police. None of the 69 established conduct issues finalised in 2012-13 related to corruption. Further, the report noted that the number of established conduct issues was small. For the management of detained goods audit, the ANAO examined the effectiveness of the Customs and Border Protection Service arrangements for managing the safe and secure storage and disposal of detained goods. The audit concluded that, although the Customs and Border Protection Service framework to control and account for detained goods was generally sound, the implementation of some key controls by staff at various facilities fell short of the agency's requirements, reducing the overall effectiveness of the framework and its security environment.

Finally, in 2010-11 the ANAO examined the management of the Aviation and Maritime Security Identification Card schemes. At the time of the audit, the arrangements put in place by the then Department of Infrastructure and Transport and the Attorney-General's Department to administer the schemes reflected legislative requirements and facilitated the timely issue of security cards; however, some of the risks associated with the delivery model could have been better managed by the Department of Infrastructure and Transport. These risks related primarily to issuing bodies and visitor management and were inherent in the devolved nature of the schemes. We would be happy to answer any questions the committee may have.

Mr ZAPPIA: Thank you for your submissions thus far. In your report, you talk about the Australian postal service and some concerns you have with Australia Post about the screening of mail. To your knowledge has there been any change as a result of your own report?

Mr Morris : Not to our knowledge. We haven't followed that report up explicitly, so we're not completely aware of what they've done since then. You would have to ask the department.

Mr ZAPPIA: And there have been no subsequent audits by ANAO?

Mr Morris : No.

Mr ZAPPIA: You have concerns about the coercive powers, particularly of the Customs staff, at airports and so on. To your knowledge have there been any instances of failures to comply with instructions which led to failed prosecutions as a result of Australian Border Force officers carrying out potentially unlawful searches?

Ms Jackson : As noted in the report, we identified a number of searches that were potentially unlawful because officers were not authorised to conduct those searches. Five of the 42 external, internal, medical or body scan searches we looked at we considered to be unlawful because the officers that conducted them, as I said, were uncertified. We did not pursue the outcomes of that, so I don't know if there were any resulting prosecutions.

Mr ZAPPIA: To your knowledge did those officers know they were uncertified?

Ms Jackson : I don't have that information. We were looking at DIBP's controls, processes and procedures, so we didn't survey the officers themselves.

Mr ZAPPIA: Do you know if any action was subsequently taken by the department to ensure that officers who carry out such searches are indeed authorised?

Ms Jackson : Yes, we do. As a result of the audit, the ANAO made a number of recommendations and suggestions, and the department provided assertions to us that they would be following up with the particular issues we raised. That was in both the unlawful and inappropriate searches we identified.

Mr ZAPPIA: How many of those were you able to detect?

Ms Jackson : In terms of unlawful, we had a sample size of 69 searches in total, 42 of those required that officers be certified, and we found that five were not. In terms of inappropriate searches, where officers needed to be trained in order to be certified to do those searches, of the sample of 69, 20 had at least one officer not certified to do that search.

Mr ZAPPIA: Lastly, going back to the Australia Post situation, am I correct, in reading your report, to suggest that, in years gone by, all mail items were scanned?

Ms Jackson : Yes.

Mr ZAPPIA: And that's not the case now?

Ms Jackson : Yes. There is a risk-based approach.

Senator BILYK: In the Managing compliance with visa conditions audit report of 2015-16, you found weaknesses in almost all aspects of the Department of Immigration and Border Protection's arrangements for managing compliance issues and conditions. Are you able to talk to us about those weaknesses and whether anything has been done to rectify those situations?

Mr Morris : We can talk to them. We haven't followed that audit up. Towards the end of that audit, the Department of Immigration and Border Protection was providing assertions of the work they were doing to strengthen their processes. Some of it was in basic administration processes such as record-keeping, clear policies and procedures, training of staff in visa arrangements, quality assurance mechanisms, following up recommendations from previous audit reports and reviews to strengthen aspects of the visa compliance process, and the risk approach to visa compliance, both in managing complaints and in undertaking field work. There were also inconsistencies between regions in how some of the compliance activities were being undertaken. That, to us, was the gamut of the administration, and there were significant areas for improvement on all of those elements, but we haven't followed that up since 2015. When we did the audit, the department was at that stage one year through a two-year process to integrate Australian Border Force. It was a time of transition, and we know they had quite a number of processes in place to strengthen their visa administration, including in risk and compliance, but we haven't followed it up since that date.

Senator BILYK: Do you generally do follow-ups? You do lots of reports, so I'm just wondering. I don't actually know all that much about how you work.

Mr Morris : We do follow-ups. We would do 48, nearly 50, performance reports a year, and there would be three or four follow-ups, typically, in that year. Some of them might be broad within a portfolio; some might be of a specific program that we looked at that had a number of recommendations and a number of weaknesses That is one that may be followed up in the future. We don't have it on the audit work program at the moment, but it's one that, when we did the audit, we had in mind that we might follow up, and we will get to that for next year's program.

Senator BILYK: Do you think that the weaknesses identified with respect to the management of compliance with visa conditions present a threat at all to the integrity of our borders?

Mr Morris : It would present a threat. The question is always: how significant is that threat? To some extent we're going to the department to ask, from the top down, what they think the compliance gap is or the integrity gap is. They weren't able to provide us with that information. We weren't able to do that work ourselves, so we would say, yes, there is some threat there, but we don't know what the scale of it is. I think that's some of the work the department should do so that they know the extent of resources that they should be applying to that risk. Also, they can do some more work on their risk evaluation analysis to see where those resources should best be placed.

Senator BILYK: When you make recommendations, what strength do they have? Are departments bound by your recommendations? Can they decide not it take any notice of them? Does the minister decide what happens?

Mr Morris : The department decides. At the time of the recommendations, they'll agree, agree with qualification or disagree. If they agree, we expect they will implement the recommendations in a timely way, which takes into account their other priorities. Those recommendations are also considered by the internal audit function of that department. For Immigration, they'll track those recommendations to see whether or not they have been signed off by the business-as-usual unit as being implemented. Sometimes it's quality assurance by the internal audit over that. Then there is another process for us to come back separately and have a look at those recommendations. What we have often found in the past is that most of the recommendations signed off will have been implemented. When we go and have a look, there will be a percentage of those that we think are not fully implemented and that there is a bit of work still to do. That is not particularly in that report, but it will be—

Senator BILYK: When you find that the recommendations haven't been done, what sort of pathway do you take? Do you just talk to the department or do you talk to the minister?

Mr Morris : It will be a part of another report that is tabled. The work we do will be part of another audit, and we'll have like a status report. If there were seven recommendations, we might say that five have been implemented, one hasn't and one has been partially implemented. We'd get some feedback from the department at that stage about what they want to do with those recommendations. Sometimes they are overtaken by facts. In certain circumstances, they're not relevant anymore. Sometimes the department comes back and says, 'Yes, we're still going to implement that recommendation,' and they explain how that's going to be done.

Ms Jackson : We also might reference previous recommendations or themes we've noted in other reports that may not be directly relevant to the previous topic but that may be a theme that we've noticed. For example, in The Australian Border Force's use of statutory powers report, we make reference to the Department of Immigration and Border Protection's record keeping and note that we have had similar findings in a number of reports, and we list those reports. We talk about five different reports where we've had the same findings coming up again and again, and that there's a theme there about poor administration. That might be another way we address it.

The other way that we try to encourage acceptance of recommendations is, of course, through parliamentary committees. Parliamentary committees will be asking Immigration, for example, or whatever agency it might be, about the implementations of recommendations. Key to that is the Joint Committee of Public Accounts and Audit, but also other committees such as yourselves.

Senator BILYK: So when you do these reports and find these failings, do you make any determination about whether it's a staffing level issue, if there are not enough staff, or that staff aren't trained properly? How do you do that—or what do you do in those respects?

Ms Jackson : Certainly, if it's a training issue, that would be something that we would look at. That's a theme that's come up in several of these reports that Andrew has discussed today. In terms of staffing levels, the position of the ANAO is generally that resourcing decisions within a department are up to the department. It's up to the department to decide the best use of its resources. Unless it's starkly obvious that there's a resourcing level issue, we probably wouldn't note that. But we might, for example, discuss what impact changes in staffing have had over time.

Mr Morris : Yes, that's right. Again, we usually look at a reasonably narrow slice of the department, not the whole department, so we're not well placed to say whether there should be a greater number of resources or if there should be more resources into this particular element of administration. It's up to the department to figure out how it becomes effective in administering that element and how it gains efficiencies in doing that.

Senator BILYK: And when you recommend more training, or decide that people haven't had enough training, do you actually look at training modules or do you just let the departments come up with their own training modules?

Mr Morris : We're not specifying how they do the training. We'll just have a look at—

Senator BILYK: You're just saying there's a need for it.

Mr Morris : Yes. We think the department or agency entity is better placed to figure out what that would be. We're just saying in general if there's a weakness in training, it should be rectified. If there's a weakness in policies or procedures, they're not clear and there should be processes in place to make them more readily available. They're the sorts of things that are coming up in these border integrity audits quite regularly.

Senator BILYK: Do you think the failings that you picked up in report No. 13 of 2015-16 are serious enough to make it difficult for DIBP to effectively respond to integrity threats to the visa system?

Mr Morris : It certainly makes it more difficult if staff aren't aware of what the policies and procedures are. If there has been little compliance activity, they don't flow through to the next compliance and risk activity. If areas in one geographical place in Australia are doing things less well than areas in other places in Australia, and if those lessons aren't being learned, all of those areas are making the administration a little less effective and the attempts to increase integrity are a little less effective. So, again, we're not exactly sure of the scale of it. When we're looking at the corruption part of it—the internal trusted insider, or whatever—we're not seeing big numbers there. Obviously they are in existence, and there have certainly been cases in Immigration back to 2013. The numbers we have seen are fairly small, and that's why they've only been a fairly small part of the audits we've been doing. But there is a relationship between the processes of looking at internal corruption and the broader compliance to the extent that the broader compliance processes are effective, and that's got to support the corruption work. We've found that there is scope to improve the broader compliance activities and there is scope to improve the corruption area as well.

Senator BILYK: In regard to policing at Australia's international airports, you did a report, No. 23 of 2013-14, and you found that:

The organisational arrangements in place at airports are sound, with a clear command structure at each airport headed by an Airport Police Commander.

Obviously that didn't include Hobart?

Mr Morris : I would have to take that on notice, sorry.

Senator BILYK: Well, there are no AFP at Hobart airport. I'm presuming we're talking about AFP here.

Mr Morris : Yes.

CHAIR: Can we clarify that, because some of the issue seems to be the coordination between, in the past, different jurisdictions at an operational level. Can you clarify whether the airport police commander is AFP or the state police office?

Mr Morris : This is AFP we're talking about here.

Senator BILYK: But, if I can continue, the report did however suggest that police resourcing levels at airports had not been based on:

An explicit assessment of the inherent security risks presented by each airport and the nature and level of criminality …

At the time of the audit, the AFP advised that it was developing a model to take into account all relevant factors in determining staffing levels at each airport. Have you revisited this issue at all to determine whether staffing levels now take into account security risks for each airport?

Mr Morris : No. Similarly to the international mail one, we haven't followed the audit up specifically to know what's happened subsequently.

Senator BILYK: Okay. I'm just a bit concerned that there is no AFP at Hobart Airport and hasn't been for a couple of years. I will take that up in a different environment.

CHAIR: Just in terms of the screening of international mail, could the weaknesses identified in the ANAO report of 2013-14 be exploited by organised crime groups?

Ms Jackson : There is certainly a risk that they could be, yes.

CHAIR: On the spectrum of risk, where would you place it?

Ms Jackson : What we found in the audit is that the risk is low. Certainly the AFP would say that the risk is very low. At the time of the audit, Agriculture had not found any specific instances where those risks had been exploited. Customs had found two alleged thefts but were not able to identify the perpetrators.

CHAIR: Australia Post, who we heard from yesterday, has just employed a head of security who is charged with actually dealing with this particular issue and the concern around trusted insiders, because it doesn't sound like there was any focus on that. I know you are saying they didn't find it, but I would argue at the time they probably didn't have any process to look.

Ms Jackson : That may well be the case. I can only go on what we did at the time, and that was in 2013-14. I suppose the other thing that we noted also is that we did find some shortcomings in the screening processes to identify at-risk items by both Customs and Agriculture, which does suggest that there are vulnerabilities there. We noted that in the report. Having said that, the ANAO's estimates of the number of items that might be going through undetected are a very small proportion of the total cohort of 180-odd million mail items. The number of items that we estimate might be actually getting through are quite low, but absolutely there may well be risks there.

CHAIR: I just wanted to go to the Central Movement Alert List—the electronic watch list. It is managed by the Department of Immigration and Border Protection. Previous audits concluded it was conceptually sound but that:

… the lack of strategic or management planning for the database and the poor quality of the data contained within it, particularly its ‘completeness, quality and currency’, compromised the system’s effectiveness.

Let the Hansard show consistent nodding from the witnesses!

Also:

MAL quality assurance and performance and management reporting arrangements were highlighted as requiring attention, as were the procedures governing the listing of Australian citizens on MAL.

That's pretty damning when you think that that's the list we rely on around the country to be identifying people of concern. Can you outline for the committee the problems you identified with that system, in both its initial and follow-up audits?

Mr Morris : We might have to take that on notice, sorry. We haven't prepared on that audit as much as the other one. The reports are speaking for themselves. We haven't done work subsequent to the last audit.

CHAIR: So you haven't done any follow-up?

Mr Morris : Not since the previous one a couple of years ago.

CHAIR: In 2013-14?

Mr Morris : No, we haven't looked at it since.

CHAIR: Could we ask you for a follow-up, because that's pretty serious. Well, I find what you found in your audit concerning, and we will obviously follow-up with Immigration and Border Protection later on today, but it would be great if you could also—

Mr Morris : Yes, we can certainly take that on board. If you would like to write them in that regard, you can do that as well.

CHAIR: Great. Were these deficiencies serious enough to make the list ineffective as a means of tracking individuals who pose immigration or national security risks?

Mr Morris : Again, I would have to take that one on notice because we just haven't done the preparation on that audit for this one.

Ms Jackson : I was peripherally involved in this audit; but it was a couple of years ago, so forgive my memory. I would say that what we said in audit was that it didn't make the list ineffective but that there were deficiencies in the list, particularly around data. You mentioned, for example, citizens on the list who shouldn't have been. There were some data issues in terms of people's names not being identified. For example, if they had a middle initial that was different to another, they might be double counted or not counted at all—that sort of thing—but overall it didn't make the list ineffective.

CHAIR: Ms Jackson, how can you say that if the wrong people are on the list and the list doesn't include some people who should be on it? You only need one person of concern, with a national security risk, for some pretty bad stuff to happen.

Ms Jackson : That is a valid point, yes. I suppose we were looking at the totality. But, yes, I agree with you.

CHAIR: Having one person missing off the list, I would suggest, makes it ineffective as a system when you are looking at the risk for that list.

Ms Jackson : That's a valid point, but, as I said, we probably are not in the position to talk about the detail of it at the moment.

CHAIR: Alright. If you could take that on notice, and also whether those concerns have now been properly addressed. If you could, on notice, have a look and get back to me. I wanted to go to Audit report No. 39.

Ms Jackson : Sorry, I should say we wouldn't be in a position to follow-up with the department about whether or not the concerns that were raised in the report are now properly addressed. We would have to do an audit or follow-up audit. What we could do, and what we will take back, is to suggest that we actually put that on our forward audit work program.

CHAIR: Okay, we will go through the process. On Audit report No. 39: The Australian Border Force's use of statutory powers, are we able to talk about that one today?

Ms Jackson : Yes.

CHAIR: Excellent. That assessed:

… the establishment and administration of the Australian Border Force’s framework to ensure the lawful exercise of powers in accordance with applicable legislation.

You did answer some questions from Mr Zappia about the outcome of some of those unlawful searches, which is where I was going to go. Did we go to fraud control arrangements or report No. 3? No. Okay, we better do that. We just wanted to look at the fraud control framework by the AGD, examining the operation in Austrade, Department of Veterans' Affairs and Comcare. The audit concluded that the overall administration by AGD of the fraud control framework has been generally effective. It goes onto identify some of those issues, but there were some issues around the timeliness of submission of reports, compliance costs and information costs. I'm just wondering if the ANAO has done any audit work since this time, specifically on addressing the fraud control systems and agencies tasked with protecting the Australian border, such as Border Force?

Mr Morris : No, we haven't. We have had a topic on the program for a year or two to look at staff integrity measures in the Department of Immigration and Border Protection. We didn't do that in the last year or two to some extent because of other audit coverage of the Department of Immigration and Border Protection; but that audit is on our books to do this year, so that's one audit we will be looking to kick off.

CHAIR: That's the staff integrity one?

Mr Morris : Yes, the staff integrity one.

CHAIR: When is that due to be completed?

Mr Morris : We haven't commenced it yet. It is on our program—

CHAIR: To do this year?

Mr Morris : to do this year or at least to commence this year.

CHAIR: This calendar year or this financial year?

Mr Morris : To commence this financial year, so we don't have a date yet to say when it's going to start and when it's going to finish, but it is one—

CHAIR: But it will be done by June next year?

Ms Jackson : It may be started by then. That's what we are saying.

CHAIR: Sorry, when you said 'to be done this financial year', I assumed you meant completed. You meant started?

Ms Jackson : Yes, maybe started. I should mention that the reason why that one may be delayed slightly is because what we have done is commenced an audit of managing insider threats through personnel security, so we are looking at the vetting of personnel security within the APS. That audit will be done first and then we may do the specific one on managing insider threats that Andrew has spoken of.

Senator BILYK: Can you just explain a bit more what the vetting of personnel security actually means? Is that the HR people?

Ms Jackson : No, it's actually the Australian Government Security Vetting Agency and their role in the vetting of individuals for security clearances within the APS. We are also looking at a number of other entities that are exempt from those processes or can actually do their own vetting—so that includes people like the intelligence entities and Immigration, for example—and what their processes are and what their interactions are with the Australian Government Security Vetting Agency.

CHAIR: Would you be covering MSIC cards and ASIC cards?

Ms Jackson : No, we wouldn't. They don't fall under that regime.

Senator BILYK: A lot of them are done privately too.

Ms Jackson : Yes, that is a different process. It's actually APS officers or contractors to the Australian public service who are requiring clearances from baseline to positive vetting.

CHAIR: When is that planning to be finished?

Ms Jackson : April. I may be lying—bear with me for one moment. Yes, April.

CHAIR: Can you let the committee know when you have done that one and maybe give us a briefing at the time?

Ms Jackson : Absolutely. I'm happy to do so.

CHAIR: Does the ANAO have a view on how well suited the Commonwealth's fraud control framework is to combat the threat posed by criminal groups or corrupt officials?

Mr Morris : Well, not really. We haven't done an audit looking at that specifically, so I think we're not really well placed to provide an opinion on that.

CHAIR: Thank you very much, ANAO. We really appreciate your evidence today. There are a few questions on notice, but we look forward to receiving your responses.