Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Auditor-General—Audit report No. 45 for 2021-22—Performance audit—Effectiveness of the management of contractors—Department of Veterans’ Affairs: Department of Veterans’ Affairs


Download PDF Download PDF

The Auditor-General Auditor-General Report No. 45 2021-22 Performance Audit

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

Department of Veterans’ Affairs

Australian National Audit Office

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

2

© Commonwealth of Australia 2022

ISSN 1036-7632 (Print) ISSN 2203-0352 (Online) ISBN 978-1-76033-759-9 (Print) ISBN 978-1-76033-760-5 (Online)

Except for the content in this document supplied by third parties, the Australian National Audit Office logo, the Commonwealth Coat of Arms, and any material protected by a trade mark, this document is licensed by the Australian National Audit Office for use under the terms of a Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/au/.

You are free to copy and communicate the document in its current form for non-commercial purposes, as long as you attribute the document to the Australian National Audit Office and abide by the other licence terms. You may not alter or adapt the work in any way.

Permission to use material for which the copyright is owned by a third party must be sought from the relevant copyright owner. As far as practicable, such material will be clearly labelled.

For terms of use of the Commonwealth Coat of Arms, visit the It’s an Honour website at https://www.pmc.gov.au/government/its-honour.

Requests and inquiries concerning reproduction and rights should be addressed to:

Senior Executive Director Corporate Management Group Australian National Audit Office GPO Box 707 Canberra ACT 2601

Or via email: communication@anao.gov.au.

Audi

tor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

3

Canber

ra ACT

29 June 2022

Dear Mr President Dear Mr Speaker

In accordance with the authority contained in the Auditor-General Act 1997, I have undertaken an independent performance audit in the Department of Veterans’ Affairs. The report is titled Effectiveness of the Management of Contractors — Department of Veterans’ Affairs. Pursuant to Senate Standing Order 166 relating to the presentation of documents when the Senate is not sitting, I present the report of this audit to the Parliament.

Following its presentation and receipt, the report will be placed on the Australian National Audit Office’s website — http://www.anao.gov.au.

Yours sincerely

Grant Hehir Auditor-General

The Honourable the President of the Senate The Honourable the Speaker of the House of Representatives Parliament House Canberra ACT

Audi tor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

4

AUD ITING FOR AUSTRALIA

The Auditor-General is head of the Australian National Audit Office (ANAO). The ANAO assists the Auditor-General to carry out his duties under the Auditor-General Act 1997 to undertake performance audits, financial statement audits and assurance reviews of Commonwealth public sector bodies and to provide independent reports and advice for the Parliament, the Australian Government and the community. The aim is to improve Commonwealth public sector administration and accountability.

For further information contact: Australian National Audit Office GPO Box 707 Canberra ACT 2601

Phone: (02) 6203 7300 Email: ag1@anao.gov.au

Auditor-General reports and information about the ANAO are available on our website: http://www.anao.gov.au

Audit team Jarrad Hamilton Hugh Balgarnie James Wright Georgia Johnston

Michael Brown Helen Sellers Sally Ramsey

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

5

Contents Summary and recommendations .................................................................................................................... 7

Background ............................................................................................................................................... 7

Conclusion ................................................................................................................................................. 9

Supporting findings .................................................................................................................................. 10

Recommendations ................................................................................................................................... 12

Summary of entity responses .................................................................................................................. 12

Key messages and observations ............................................................................................................ 13

Audit findings .............................................................................................................................................. 15

1. Background ............................................................................................................................................. 16

Introduction .............................................................................................................................................. 16

Reviews and inquiries into the APS’s use of contractors ........................................................................ 22

Department of Veterans’ Affairs workforce.............................................................................................. 29

Previous audits and reports ..................................................................................................................... 31

Rationale for undertaking the audit ......................................................................................................... 32

Audit objective, criteria and scope ........................................................................................................... 33

2. Framework for using contractors ............................................................................................................. 35

Does DVA guidance provide clarity regarding the different personnel types, including contractors? ........................................................................................................................................ 35

Does DVA provide guidance on determining whether there is an operational requirement for the use of contractors? ............................................................................................................................. 36

3. Arrangements for engaging contractors .................................................................................................. 40

Does DVA have a contracting suite that is tailored for the use of contractors? ...................................... 41

Does DVA have fit-for-purpose arrangements for inducting contractors? .............................................. 44

Has DVA established arrangements for the engagement of contractors that support compliance with PSPF Policy 12: Eligibility and suitability of personnel? ............................................................. 50

4. Arrangements for managing contractors ................................................................................................. 58

Has DVA clearly documented its requirements and expectations regarding the management and oversight of contractors? .................................................................................................................... 59

Has DVA established arrangements for the management of contractors that support compliance with PSPF Policy 13: Ongoing assessment of personnel? ................................................................ 61

Has DVA established arrangements for the separation of contractors that support compliance with PSPF Policy 14: Separating personnel?..................................................................................... 65

5. Observations and key messages on the selected agencies’ management of contractors ..................... 71 Data availability and transparency .......................................................................................................... 71

Ethical and personnel security requirements .......................................................................................... 73

Parliamentary committee and other review recommendations ............................................................... 74

Key messages from this audit series for all APS agencies ..................................................................... 74

Appendices ................................................................................................................................................. 77

Appendix 1 Entity responses ................................................................................................................. 78

Appendix 2 Performance improvements observed by the ANAO .......................................................... 80

Appendix 3 Measures for reporting on workforce size ........................................................................... 82

Appendix 4 DVA labour hire and contractor data as at 30 June 2021 ................................................... 83

Appendix 5 Essential Elearning Plan module structure ......................................................................... 85

Auditor-General Report No.45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

 The Australian Public Service (APS) workforce

strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS personnel. The approach adopted by the APS has been the subject of ongoing parliamentary interest.

 This is one of a series of three performance

audits undertaken to provide independent assurance to Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce.

 DVA has established largely

fit-for-purpose policies and processes for the management of contractors and can demonstrate the effectiveness of some but not all aspects of its arrangements. There remains scope to improve implementation of aspects of Policy 12 of the Protective Security Policy Framework (PSPF) relating to the eligibility and suitability of personnel, PSPF Policy 13 relating to the ongoing assessment of personnel, and PSPF Policy 14 relating to separating personnel.

 The Auditor-General made three

recommendations aimed at ensuring that: DVA’s policies and processes, in respect to the contracted workforce, address all requirements of PSPF Policy 12, 13 and 14; and that DVA embeds processes to support the implementation of requirements under PSPF Policy 13 and 14.

 The Department of Veterans’ Affairs (DVA)

external workforce comprises consultants, independent contractors and labour hire.  The top three contractor activities reported by

DVA in 2021 were ‘Service Delivery’, ‘Health’, and ‘Project and Program’.

1778

DVA’s APS workforce at 30 June 2021 (headcount).

2000

DVA’s external workforce at 30 June 2021 (headcount).

1287

DVA’s contractor workforce at 30 June 2021 (headcount). Represents 34.1 per cent of the total DVA workforce.

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

7

Summary and recommendations

Background 1. The Australian Public Service Commission (APSC) has reported that as at 31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.1 APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.2

2. APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’3

3. Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, the APSC has stated that:

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.4

4. Additionally, the APSC has published guidance in the form of Guiding principles for agencies when considering the use of SES contractors5 relating to the use of contractors in APS Senior

1 Australian Public Service Commission, APS Employment Data 31 December 2021 [Internet], 25 March 2022, available from https://www.apsc.gov.au/employment-data/aps-employment-data-31-december-2021 [accessed 20 May 2022]. The number of APS agencies differs from the total number of Australian Government entities and companies, as not all employ staff under the Public Service Act 1999. The Department of Finance reported a total of 187 Australian Government entities and companies as at 19 April 2022. See https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 10 June 2022].

The APSC data indicates that the number of ongoing (permanent) APS employees as at 31 December 2021 was 136,284. Ongoing employees made up 87.5 per cent of the APS workforce. There were also 19,512 non-ongoing APS employees at 31 December 2021. Non-ongoing employees in the APS are employed for a specified term, or for the duration of a specified task, or to perform duties that are irregular or intermittent (casual). Of all non-ongoing employees at 31 December 2021, 10,816 (55.4 per cent) were employed for a specified term or the duration of a specified task, and 8,696 (44.6 per cent) were employed on a casual basis. 2 Key elements of the framework are the APS Values (set out in section 10 of the PS Act), APS Employment

Principles (in section 10A), APS Code of Conduct (in section 13) and the Australian Public Service Commissioner’s Directions about the APS Values and employment matters made under sections 11 and 11A. 3 Department of Finance, Contract Characteristics [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-

characteristics [accessed 20 January 2022]. 4 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-

strategy-2025 [accessed 6 January 2022]. 5 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, available from https://www.apsc.gov.au/working-aps/aps-employees-

and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

8

Executive Service (SES) roles.6 Similar guidance has not been issued for entities when considering the use of contractors for non-SES level roles.

5. The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. These decisions must consider:

• the Commonwealth Procurement Rules (CPRs), which establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement;

• the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security7; and

• entity-specific procurement and contract management arrangements which may be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines.

6. As at 30 June 2021, the Department of Veterans’ Affairs (DVA) workforce included 1287 contractors, representing 34.1 per cent of its total workforce of 3778. DVA’s contractor workforce performs work in most parts of the entity.8

Rationale for undertaking the audit

7. The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years.9

8. This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. DVA was selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits

6 The SES is established by section 35 of the PS Act, which states that the function of the SES is to provide APS-wide strategic leadership. 7 Attorney-General’s Department, About PSPF [Internet], available from https://www.protectivesecurity.gov.au/about [accessed 27 January 2022]. 8 Refer to Appendix 4 for further detail on DVA’s contractor workforce. 9 These reviews and inquiries, discussed in Chapter 1 at paragraphs 1.14-1.24, include the: 2015 report of the

Independent Review of Whole-of-Government Internal Regulation; 2017 to 2019 Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into Australian Government Contract Reporting — Inquiry based on Auditor-General's report No. 19 (2017-18); 2019 report of the Independent Review of the APS; 2021 second interim report of the Senate Select Committee on Job Security; and 2021 report on the Senate Finance and Public Administration References Committee Inquiry into the Current Capability of the APS.

Summary and recommendations

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

9

in this series review the management of contractors by the Department of Defence and Services Australia.

Audit objective and criteria

9. The objective of the audit was to examine the effectiveness of DVA’s arrangements for the management of contractors.

10. To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has DVA established a fit-for-purpose framework for the use of contractors?

• Does DVA have fit-for-purpose arrangements for the engagement of contractors?

• Has DVA established fit-for-purpose arrangements for the management of contractors?

Conclusion 11. DVA has established largely fit-for-purpose policies and processes for the management of contractors and can demonstrate the effectiveness of some but not all aspects of its arrangements. There remains scope to improve implementation of aspects of Policy 12 of the Protective Security Policy Framework (PSPF) relating to the eligibility and suitability of personnel, PSPF Policy 13 relating to the ongoing assessment of personnel, and PSPF Policy 14 relating to separating personnel.

12. DVA has established a fit-for-purpose framework for the use of contractors. Enterprise-level guidance sets out the different personnel types, including contractors, and provides instructions for determining whether there is an operational requirement for the use of contractors.

13. DVA has established largely fit-for-purpose arrangements for the engagement of contractors. These arrangements include a contracting suite that is tailored for the use of contractors and induction training covering expected behaviours and standards from relevant Commonwealth legislation and DVA policy. While DVA collects data to monitor the completion of training, there is opportunity for DVA to improve its arrangements for annual follow-up checks. As at 22 December 2021, 44 per cent of contractors had not completed all modules of the mandatory induction program. DVA has established arrangements (policy, processes and monitoring) that largely support compliance with PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors, except for establishing a policy to support compliance with Supporting Requirement 1(c) and Supporting Requirement 2(d)(ii) of Policy 12.

14. DVA has established largely fit-for-purpose arrangements for the management of contractors. Guidance on departmental requirements and expectations regarding the oversight (supervision) of contractors is outlined in a Blended Workforce Guide and Induction Booklet, and DVA has established a Procurement and Contract Management Framework. However, the framework does not cover contract management and DVA provides guidance for its contract managers through intranet links to a contract management best practice guide and the Department of Finance’s Australian Government Contract Management Guide. DVA has established arrangements (policy, processes and monitoring) for the management of contractors that largely support compliance with the requirements of PSPF Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel, except for the following. DVA policy does not address:

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

10

• PSPF Policy 13 Supporting Requirement 1(a)(iii) relating to monitoring and reporting of conditional clearances, and Supporting Requirement 1(a)(iv) relating to annual review of eligibility waivers; and

• PSPF Policy 14 Supporting Requirement 1(c) relating to providing receiving entities with relevant security information, and Supporting Requirement 3 relating to the assessment of risk in instances where it is not possible to undertake required separation procedures.

15. DVA has established arrangements to monitor compliance with PSPF requirements and has identified, through this work, that the following processes have not been effectively implemented: advising separating personnel of their ongoing security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and processes to ensure that separating personnel are complying with their separation obligations, particularly regarding the return of equipment.

Supporting findings

Framework for using contractors

16. DVA guidance provides clarity regarding the different personnel types, including contractors. (See paragraphs 2.3-2.4)

17. DVA’s Strategic Workforce Plan recognises its external workforce as part of its workforce mix and outlines operational requirements for its contractor workforce at a strategic level. DVA has delegated responsibility for engaging contractors to business areas and line managers and has developed a Blended Workforce Guide to provide operational-level guidance on the type of work that contractors would typically be expected to undertake. (See paragraphs 2.5-2.19)

Arrangements for engaging contractors

18. DVA’s contracting suite documentation includes clauses that align with the behavioural requirements and expectations that contractors are expected to meet when working with the department. Contract documentation underpinning DVA’s standing panel arrangements — which represented 73 per cent of DVA’s contractor workforce expenditure for 2020-21 — include clauses to support contractor compliance with all mandatory policies. (See paragraphs 3.3-3.14)

19. DVA has developed requirements and guidance for the induction of contractors, including training courses that cover expected behaviours and standards from relevant Commonwealth legislation and DVA policy. Managers are responsible for monitoring contractors’ completion of mandatory training. Recent (May 2022) DVA data for the completion of mandatory training indicates improvement following the introduction of a new course in April 2022, after DVA identified that the previous fraud awareness training course had been left off its learning management system, DVAtrain. DVA data as at 22 December 2021 showed that 56 per cent of contractors had completed all modules of the mandatory induction program. The completion rate prior to the inclusion of the new training module on DVAtrain indicates that there is opportunity for DVA to improve its arrangements for annual follow-up checks. (See paragraphs 3.15-3.35)

20. DVA has documented policies and processes that support compliance with most requirements of PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors. DVA does not have policies or processes in place to obtain an individual’s agreement to comply with

government policies, standards, protocols and guidelines that safeguard resources from harm, as

Summary and recommendations

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

11

required under Supporting Requirement 1(c) of PSPF Policy 12. DVA has established a delegation arrangement for waiving citizenship requirements that does not align with Supporting Requirement 2(d)(ii) of PSPF Policy 12. (See paragraphs 3.36-3.50)

21. DVA has in place assurance mechanisms to monitor contractor compliance with the requirements of PSPF Policy 12. Specifically, Services Australia provides DVA with daily updates on the completion of processes required under Policy 12 when onboarding contractors and DVA has established a quality checking plan. Services Australia and DVA are also establishing an annual assurance statement process through which Services Australia will confirm that the services delivered under bilateral arrangements meet DVA expectations. The first statement is to cover 2021-22. (See paragraphs 3.51-3.62)

Arrangements for managing contractors

22. DVA has established a Procurement and Contract Management Framework, however the ANAO’s review of this framework indicates that it does not cover contract management. DVA provides guidance for contract managers through a link on its intranet to a contract management

best practice guide and a link to the Department of Finance’s Australian Government Contract Management Guide. Guidance on DVA requirements and expectations regarding the oversight (supervision) of contractors is outlined in DVA’s Blended Workforce Guide and Induction Booklet. While DVA offers contract management training to all staff, it does not mandate or monitor contract management training for its personnel who manage contracts and contractors. (See paragraphs 4.3-4.14)

23. DVA has established policies and processes that support compliance with most requirements of PSPF Policy 13 for contractors. DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Policy 13 Supporting Requirement 1(a)(iii). Further, DVA’s Personnel Security Protocol does not cover two requirements of PSPF Policy 13 Supporting Requirement 1(a)(iv), relating to: the annual review of eligibility waivers; or review before revalidation of a security clearance, and prior to any proposed position transfer. (See paragraphs 4.15-4.18)

24. DVA has established arrangements to monitor and report on compliance with PSPF Policy 13. Through these arrangements, DVA has identified that annual security checks on security cleared personnel are not institutionalised and that clearances were not held by some contractors in roles with clearance requirements. (See paragraphs 4.19-4.31)

25. DVA has established policies and processes that support compliance with most requirements of PSPF Policy 14: Separating personnel for contractors. DVA has not established policies or processes that outline a requirement for DVA to: provide receiving entities with relevant security information, as required under PSPF Policy 14 Supporting Requirement 1(c); or undertake a risk assessment to identify security implications in instances where it is not possible to undertake separation procedures, as required under PSPF Policy 14 Supporting Requirement 3. (See paragraphs 4.32-4.36)

26. DVA has established a Security Quarterly Assurance Plan which includes assurance activities to support compliance with PSPF Policy 14. DVA’s assurance activities indicate that the following processes are not being implemented effectively: advising separating personnel of their ongoing

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

12

security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and ensuring that separating personnel are complying with their separation obligations, particularly regarding the return of equipment. DVA’s assurance activities identified instances where contractor personnel had not returned equipment to DVA upon separation, and found that 81 per cent of separating personnel did not complete DVA’s mandatory cessation checklist. (See paragraphs 4.37-4.50)

Recommendations

Recommendation no. 1 Paragraph 3.47 The Department of Veterans’ Affairs address its non-compliance with PSPF Policy 12: Eligibility and suitability of personnel Supporting

Requirement 1(c) and Supporting Requirement 2(d)(ii) in its policies and processes.

Department of Veterans’ Affairs response: Agreed

Recommendation no. 2

Paragraph 4.24

The Department of Veterans’ Affairs:

(a) address its non-compliance with PSPF Policy 13: Ongoing assessment of personnel Supporting Requirement 1(a)(iii) and Supporting Requirement 1(a)(iv), in its policies and processes; and

(b) embed processes to conduct annual security checks with all security cleared personnel, as required under PSPF Policy 13 Supporting Requirement 1(a)(ii).

Department of Veterans’ Affairs response: Agreed

Recommendation no. 3 Paragraph 4.41 The Department of Veterans’ Affairs: (a) address its non-compliance with PSPF Policy 14: Separating

personnel Supporting Requirement 1(c) and Supporting Requirement 3 in its policies and processes; and (b) embed processes to debrief separating personnel who have access to sensitive or security classified information, including

advising them of their continuing obligations and obtaining their acknowledgement of these obligations, as required under PSPF Policy 14 Supporting Requirement 1(b).

Department of Veterans’ Affairs response: Agreed

Summary of entity responses 27. DVA’s summary response is provided below and its full response is included at Appendix 1. An extract of this report was sent to the APSC. The APSC’s summary response is provided below and its full response is included at Appendix 1.

DVA’s summary response

The Department of Veterans’ Affairs (DVA) welcomes the ANAO findings and recommendations. The ANAO report acknowledges that DVA has established policies and processes that largely support

Summary and recommendations

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

13

compliance with the Personnel Security requirements of the Protective Security Policy Framework (PSPF). DVA is reassured that the findings largely mirror areas for improvement identified in our annual self-assessed maturity report to Government; that at a ‘Developing’ level the entity’s security maturity is defined as providing substantial protection of our people, information and assets.

The Department acknowledges the ANAO’s findings in the report and agrees with the recommendations. Work is planned for 2022-23 to review and update personnel security policies and protocols to enhance maturity with the PSPF requirements, and work has already commenced to identify technological solutions to brief personnel and obtain and record acknowledgement of specific obligations in line with PSPF requirements surrounding engagement and separation of personnel.

APSC’s summary response

The Australian Public Service Commission (APSC) acknowledges the extract of the Proposed Audit Report on the 'Effectiveness of the Management of Contractors' provided for comment.

The APSC recognises the importance of robust workforce planning through implementation of the APS Workforce Strategy 2025. This includes strengthening APS capability, and the strategic use of mixed models of employment, to ensure agencies achieve their outcomes.

Whilst no recommendations are directed toward the APSC, the Commission will consider any relevant findings following the audit's completion.

28. At Appendix 2, there is a summary of improvements that were observed by the ANAO during the course of the audit.

Key messages and observations 29. This is one of a series of three performance audits undertaken to provide independent assurance to Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. As well as DVA, the ANAO has examined the effectiveness of the management of contractors by the Department of Defence10 and Services Australia.11

30. Chapter 5 of this audit report sets out high-level observations and key messages for all Australian Public Service agencies following the ANAO’s examination of the three selected agencies’ management of contractors. The observations focus on: data availability and transparency issues relating to the contractor workforce; and the application of ethical and personnel security requirements to the contractor workforce.

10 See Auditor-General Report No.43 2021-22 Effectiveness of the Management of Contractors — Department of Defence. 11 See Auditor-General Report No.44 2021-22 Effectiveness of the Management of Contractors — Services Australia.

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

15

Audit findings

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

16

1. Background

Introduction 1.1 The Australian Public Service Commission (APSC) has reported that as at 31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.12 APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.13

1.2 APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’14

1.3 In summary, Finance’s guidance states that services performed by a contractor are under the supervision of the entity, which specifies how the work is to be undertaken and has control over the final form of any resulting output. The output of a contractor is produced on behalf of the entity and the output is generally regarded as an entity product. In contrast, performance of consultancy services is left largely up to the discretion and professional expertise of the consultant, performance is without the entity's direct supervision, and the output reflects the independent views or findings of the consultant. While the output of a consultant is produced for the entity, the output may not belong to the entity. Box 1 below sets out the contract characteristics, identified in Finance guidance, that help entities distinguish between contractors and consultants.

12 Australian Public Service Commission APS Employment Data 31 December 2021 [Internet], 25 March 2022, available from https://www.apsc.gov.au/employment-data/aps-employment-data-31-december-2021 [accessed 20 May 2022]. The number of APS agencies differs from the total number of Australian Government entities and companies, as not all employ staff under the Public Service Act 1999. The Department of Finance reported a total of 187 Australian Government entities and companies as at 19 April 2022. See https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 10 June 2022].

The APSC data indicates that the number of ongoing (permanent) APS employees as at 31 December 2021 was 136,284. Ongoing employees made up 87.5 per cent of the APS workforce. There were also 19,512 non-ongoing APS employees at 31 December 2021. Non-ongoing employees in the APS are employed for a specified term, or for the duration of a specified task, or to perform duties that are irregular or intermittent (casual). Of all non-ongoing employees at 31 December 2021, 10,816 (55.4 per cent) were employed for a specified term or the duration of a specified task, and 8,696 (44.6 per cent) were employed on a casual basis. 13 Key elements of the framework are the APS Values (set out in section 10 of the PS Act), APS Employment

Principles (in section 10A), APS Code of Conduct (in section 13) and the Australian Public Service Commissioner’s Directions about the APS Values and employment matters made under sections 11 and 11A. 14 Department of Finance, Contract Characteristics [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-

characteristics [accessed 20 January 2022].

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

17

Box 1: Department of Finance guidance—characteristics of consultancy and non-consultancy contracts

Contractors—characteristics of non-consultancy contracts (only some may apply):

Nature of Services:

• Services performed are the day-to-day duties of the entity - e.g. a recruitment firm providing personnel to fill a temporary vacancy for a personal assistant, or in a program area. The skills required to perform the services would normally be maintained within the entity.

• Involves professional or expert services to implement an existing proposal or strategy - e.g. training specialists to deliver training in line with an existing strategy.

Direction and Control:

• Services are performed under supervision of the entity. The entity specifies how the work is to be undertaken and has control over the final form of any resulting output.

• Professional or expert services provided under non-consultancy contracts are generally delivered without a high level of supervision and direction from the entity, however, the output produced will not necessarily represent the independent views of the service provider - i.e. the entity controls the form of the output.

• The output is being produced on behalf of the entity.

• The output is generally regarded as an entity product.

Integration or Organisation Test:

• Work is an integral part of the entity's business.

Use of Equipment and Premises:

• The entity provides all equipment and supplies.

• The Contractor will usually be engaged to work in the entity's premises.

Remuneration:

• Remuneration is based on the time worked, usually calculated on an hourly rate.

Consultants—characteristics of consultancy contracts

Nature of Services:

• Involves specialist professional knowledge or expertise that may not be maintained in-house.

• There is a need for independent research or assessment.

• Involves development of an intellectual output, e.g. research, evaluation, advice, and recommendations, to assist with entity decision-making.

• Involves a one-off task, a set of tasks or irregular tasks (making employment of permanent staff impractical or undesirable).

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

18

Direction and Control:

• Performance of the services is left largely up to the discretion and professional expertise of the consultant.

• Performance is without the entity's direct supervision.

• The output reflects the independent views or findings of the individual or organisation.

• The output is being produced for the entity.

• The output may not belong to the entity.

Integration or Organisation Test:

• Work performed is an accessory to the entity's business.

Use of Equipment and Premises:

• The Consultant provides their own equipment.

• The Consultant may work from their own premises for some or all of the assignment.

Remuneration:

• Consultancy payments are usually made when agreed milestones are reached or when a task or project is completed.

Source: Department of Finance, Contract Characteristics, available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-characteristics [accessed 20 January 2022].

1.4 Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, in respect to the mix between APS and non-APS personnel, the APSC has stated that:

The APS continues to deploy a flexible approach to resourcing that strikes the balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers collaborate to deliver outcomes within agencies.

A mixed workforce approach will continue to be a feature of APS workforce planning. Non-APS workers, when used effectively in appropriate circumstances, can provide significant benefits to agencies and help them achieve their outcomes. Non-APS workers can also provide access to specialist and in-demand skills to supplement the APS workforce in peak times in business cycles. There will be a need for APS agencies to access skills, capability or capacity differently, including through contractors and consultants, or through external partnerships with academia or industry. There may also be a need to engage with industry to develop skills and capabilities to drive delivery of programs across the service. The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

19

A professional public service harnesses skills, expertise and capacity from a variety of sources to deliver services as priorities arise. We must focus on understanding and removing barriers to external mobility and encouraging the mobilisation of skills from both across and outside the APS.15

1.5 In addition, the APSC has published guidance relating to the use of contractors in APS Senior Executive Service (SES) roles.16 In its Guiding principles for agencies when considering the use of SES contractors17, the APSC states that:

To meet their business needs, agency heads have the flexibility to engage individuals by the most appropriate means to ensure their agency is best placed to deliver for the Australian public. These guiding principles are designed to assist agencies when considering the appropriateness of using a contractor for a Senior Executive Service (SES) equivalent role and to ensure that appropriate governance arrangements are in place.

For the purposes of these principles, an ‘SES contractor’ is an SES-equivalent (e.g. equivalent work value, duties, responsibility, and accountability), contracted by an APS agency via a recruitment agency or third party as an integrated part of the agency’s senior leadership workforce. That is, the agency will have no direct employment relationship under the PS Act with the SES contractor.

1.6 The APSC has stated that the purpose of the principles is ‘to provide APS agencies with considerations when seeking to go beyond the APS employment framework for senior executive capabilities’.18 Box 2 below sets out the considerations identified in the APSC guidance.

Box 2: APSC guidance—considerations when using an SES contractor to fill a role

Before using an SES contractor to fill a role, agencies should satisfy themselves that there is a genuine operational requirement for an SES contractor.

• Consideration should be given to the range of employment options available under the PS Act, including temporary employment, before an SES contractor is sourced.

• This includes considering whether the operational requirement is better suited to a short-term consultant (e.g. where a specific skillset is needed for a short time for a single project or deliverable, without integration into the leadership of an agency) or should be filled by an SES employee engaged under the PS Act that is part of the leadership of an agency.

− Agencies should note that section 10A of the PS Act recognises that the usual basis of employment is as an ongoing APS employee.

15 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-strategy-2025 [accessed 6 January 2022].

16 The SES is established by section 35 of the PS Act, which states that the function of the SES is to provide APS wide strategic leadership. 17 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, available from https://www.apsc.gov.au/working-aps/aps-employees-

and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021]. 18 ibid., paragraph 1.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

20

• SES contractors may be required in a range of circumstances, such as where a person holds specialised experience, skills and capabilities unable to be sourced from the market through general recruitment at that point in time.

• In some cases, an agency’s overall business model may require a combination of SES contractors and SES employed under the PS Act as part of their workforce composition.

Agencies should ensure their systems, infrastructure, contracts and governance are appropriate to manage using SES contractors. This includes ensuring that:

• SES contractors are suitably inducted into the agency and provided with all relevant information and training relating to exercising their responsibilities in the role.

• SES contractors understand the ethical obligations of their role. SES contractors should be expected to model and promote the highest standards of ethics and integrity in the unique context of the APS operating environment.

− SES contractors are not employed under the PS Act but should be held to similar standards of behaviour as set out in the APS Values and Code of Conduct.

• SES contractors facilitate and contribute appropriate knowledge transfer and capability growth within the agency.

Under subsection 78(8) of the PS Act, if it is proposed that an SES contractor will exercise delegated functions or powers, consent must be sought from the APS Commissioner before any functions or powers are delegated to the SES contractor.

• Agencies should consider their own internal agency delegations and ensure that they reflect any such powers.

Source: Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors, 14 May 2021, paragraphs 5-7, available from https://www.apsc.gov.au/working-aps/aps-employees-and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

1.7 The APSC guidance states that the APSC will collect data on SES contractors, and that for the purposes of reporting, an SES contractor is a person undertaking SES equivalent work who is not engaged under the PS Act or an agency’s enabling legislation.19 As at 8 March 2022 the APSC had not published data on SES contractors. The APSC advised the ANAO on 3 March 2022 that there were 40 SES contractors in the APS as at 31 October 2021.

1.8 The APSC has not issued guiding principles for the use of non-SES contractors in APS agencies.20

19 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, paragraph 8, available from https://www.apsc.gov.au/working-aps/aps-employees-and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

20 The APSC advised the ANAO in June 2022 that: The Commission notes that the procurement of labour hire and contractor services is not considered employment of personnel under the Public Service Act 1999. Rather, APS agencies must follow the CPRs when procuring these services and seek guidance from the Department of Finance. We note that the report makes multiple references to the Commission not issuing guiding principles for the use of non-SES contractors in APS agencies. As a point of correction, it is not part of the APSC remit to Footnote continued on the next page…

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

21

1.9 The APSC and Finance guidance may be supplemented at the entity-level by internal guidance on the different personnel types and how to decide whether there is an operational requirement for the use of non-APS personnel such as contractors.

1.10 The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. The Commonwealth Procurement Rules (CPRs) establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement. Entity-specific procurement and contract management arrangements may also be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines. Contract managers must implement applicable internal requirements and the CPRs and associated requirements set by Finance. Non-APS personnel must comply with their contractual obligations and any applicable management, oversight and behavioural requirements.

1.11 Non-APS personnel may be ‘officials’ under section 13 of the PGPA Act, in which case they must comply with the finance law in addition to their contractual obligations and applicable entity requirements.21 The finance law includes the PGPA Act, the Public Governance, Performance and

Accountability Rule 2014 (PGPA Rule), entity AAIs, and other legal and policy frameworks — including the whole-of-government procurement, grants, advertising and risk management frameworks. All personnel exercising delegated power under the PGPA Act or other legislation must also comply with the requirements attaching to those delegations.

1.12 Entities’ management of their non-APS personnel is subject to the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security.22 The PSPF policies under the ‘personnel security’ outcome outline how to screen and vet personnel and contractors to assess their eligibility and suitability. They also cover how to assess the ongoing suitability of entity personnel to access government resources and how to manage personnel separation.23 Entity compliance with the three personnel security policies under the PSPF ‘ensures its employees and contractors are suitable to access Australian Government resources, and meet

provide guiding principles for the use of non-SES contractors. It is a matter for the Department of Finance and the report should reflect this. The Australian Public Service Commissioner’s functions include monitoring, reviewing and reporting on effective performance of the APS. The Contractors in the Senior Executive Service (SES) guidance was created in support of this function as the SES provide APS-wide strategic leadership of the highest quality and are responsible for ensuring effective performance, which extends to SES contractors. 21 The definition of an ‘official’ and the duties of officials are discussed in Department of Finance, General duties

of officials: Resource Management Guide No.203 [Internet], November 2016, available from https://www.finance.gov.au/government/managing-commonwealth-resources/general-duties-officials-rmg-203 [accessed 27 January 2022]. 22 Attorney-General’s Department, About PSPF [Internet], available from

https://www.protectivesecurity.gov.au/about [accessed 27 January 2022]. 23 Attorney-General’s Department, Personnel security [Internet], available from https://www.protectivesecurity.gov.au/policies/personnel-security [accessed 27 January 2022]. The applicable PSPF policies are: Policy 12: Eligibility and suitability of personnel; Policy 13: Ongoing

assessment of personnel; and Policy 14: Separating personnel.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

22

an appropriate standard of integrity and honesty’.24 The policies and their core requirements are outlined in Figure 1.1 below.

Figure 1.1: PSPF personnel policies and core requirements

Source: Protective Policy Security Framework, Personnel Security, available from https://www.protectivesecurity.gov.au/policies/personnel-security [accessed 3 December 2021].

1.13 Under the PSPF, all agencies must develop their own protective security policies and processes. The Department of Veterans’ Affairs (DVA) has developed its own security policies and processes, which are available on its intranet.

Reviews and inquiries into the APS’s use of contractors

2015 report of the Independent Review of Whole-of-Government Internal Regulation

1.14 The 2015 Independent Review of Whole-of-Government Internal Regulation (the Belcher Review)25 observed the impact of a number of APS legislative and reporting requirements26, which the review considered to have:

created a recruiting environment where entities tended to engage staff through a particular employment category that may not align with their business needs. For example: … contractors hired individually, or through firms, are excluded from ASL [Average Staffing Level] and headcount reporting. While a valid engagement option, it may present longer term issues regarding

24 ibid.

25 Barbara Belcher, Independent Review of Whole-of-Government Internal Regulation Report to Secretaries Committee on Transformation, Volume 2 Assessment of key regulatory areas [Internet], August 2015, available from https://www.finance.gov.au/sites/default/files/2020-05/independent-review-of-whole-of-government-internal-regulation-volume-2-report.pdf [accessed 7 December 2021].

The review was commissioned to critically assess and recommend modification to government regulations. 26 ibid., p. 154.

•Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets). •Entities must use the Australian Government Security Vetting Agency

to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

PSPF Policy 12: Eligibility and suitability of personnel

•Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.

PSPF Policy 13: Ongoing assessment of personnel

•Each entity must ensure that separating personnel have their access to Australian Government resources withdrawn, and are informed of any ongoing security obligations.

PSPF Policy 14: Separating personnel

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

23

organisational capacity and knowledge management, and may be a more expensive option in the longer run.27

1.15 Box 3 below contains an excerpt from a Parliamentary Library research paper on public sector staffing and resourcing, which addresses the ASL concept and related issues.28

Box 3: Public sector staffing and resourcing (Staffing, contractors and consultancies)— Parliamentary Library, October 2020—excerpt

When discussing public sector employees, the budget papers use the average staffing level (ASL), a method of counting that adjusts for casual and part-time staff in order to show the average number of full-time equivalent employees. ASL is almost always a lower figure than a headcount of actual employees (the Australian Public Service Commission uses the headcount method).a

In the 2015-16 Budget, the Government undertook to maintain the size of the general government sector (GGS), excluding military and reserves, at around or below the 2006-07 ASL of 167,596. Agency Resourcing: Budget paper No. 4: 2020-21 indicates that this objective has been achieved over the years prior to the COVID-19 pandemic.

Note a: ANAO comment: the APSC has stated that ‘ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.’ See Appendix 3 of this audit. Source: Philip Hamilton, Public sector staffing and resourcing (Staffing, contractors and consultancies), Parliamentary

Library Research Publications, October 2020, available from https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/Budge tReview202021/PublicSectorStaffingResourcing [accessed 27 January 2022].

2019 report of the Independent Review of the APS

1.16 The 2019 Our Public Service, Our Future: Independent Review of the Australian Public Service (the Thodey Review) also considered the non-APS workforce.29 The Thodey Review commented that:

Labour contractors and consultants are increasingly being used to perform work that has previously been core in-house capability, such as program management. Over the past five years, spending on contractors and consultants has significantly increased while spending on APS employee expenses has remained steady.30

1.17 The Thodey Review published data (see Figure 1.2 below) based on submissions to the Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into Australian Government Contract

27 ibid., p. 156. 28 See also Appendix 3 of this audit on average staffing level and headcount. 29 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service [Internet], 13 December 2019, pp. 185-87, available from

https://www.pmc.gov.au/sites/default/files/publications/independent-review-aps.pdf [accessed 28 January 2022]. The review examined the governing legislation, capability, culture and operating model of the APS. 30 ibid., p. 185.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

24

Reporting - Inquiry based on Auditor-General's report No. 19 (2017-18).31 The Thodey Review stated that submissions to the JCPAA inquiry ‘revealed that [the] spend on contractors more than doubled across a sample of 24 agencies between 2012-13 and 2016-17.’32

31 The JCPAA initiated its inquiry in December 2017 to consider Auditor-General Report No. 19 2017-18 Australian Government Procurement Contract Reporting. This information report contained ANAO analysis of publicly available data published by the Department of Finance on public sector procurement contracting activity. See the ANAO submission to the inquiry, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9/Submissions [accessed 4 February 2022].

As part of its inquiry the JCPAA requested details of expenditure on contractors, consultants and labour hire workers from selected government entities. The JCPAA asked these entities for the following information in respect to non-consultancy services: • Contractors directly procured by the entity for labour (for the provision of either long or short term

additional labour capacity) and on-hire contractors. • A list of the top three categories of work for which contractors have been most frequently engaged, for each of the past five financial years [2012-13, 2013-14, 2014-15, 2015-16, 2016-17]. • Provide expenditure figures on contractors for each of the past five financial years, including a

breakdown of expenditure against the top three categories of work. Entity responses to the JCPAA are available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9/Submissions [accessed 4 February 2022]. The JCPAA issued a statement on 11 April 2019 stating that the committee had decided not to issue a report

based on the inquiry. The statement is available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9 [accessed 28 January 2022]. 32 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service [Internet], 13 December 2019, p. 186, available from https://www.pmc.gov.au/sites/default/files/publications/independent-review-aps.pdf [accessed 28 January 2022].

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

25

Figure 1.2: Thodey Review — percentage change in spend on employees, labour contractors and consultancy contract notices

Source: Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, p. 186.

1.18 The Thodey Review further observed that:

The use of labour contractors and consultancy services warrants specific discussion. About a quarter of the submissions [to the review] commented on their use. Most expressed concern about the growing size of the APS’s external workforce and the negative effect on in-house capability. Data on this topic, as is the case with many APS-wide workforce matters, are not gathered or analysed centrally and are often inadequate. For example, the number of contractors and consultants working for the APS is not counted and data on expenditure are inconsistently collected across the service. Data insights that would shed light on whether contractors or consultants met objectives are not routinely aggregated. This makes it difficult to assess the value of external providers relative to in-house employees or to infer the effect on APS capability.33

There is clearly benefit in the APS leveraging the best external capability. It is not possible to have expertise in everything in-house and external providers can be the most efficient way of delivering the best advice, services or support. But the use of external capability needs to be strategic and well-informed, meaning that the APS:

33 ibid., p. 185.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

26

• makes decisions on the use of external capability by reference to a whole-of-service workforce strategy that identifies the core capabilities the APS should invest in building in-house - with external capability used to perform non-core or variable work activity;

• manages use of external capability closely, from the contract design stage through to performance of the prescribed tasks; and

• ensures that all arrangements lead to a transfer of knowledge to the APS.

At all stages the APS should be focused on achieving value for money and better outcomes.

The APS needs to find the right balance between retaining and developing core in-house capability and leveraging external capability to ensure a sustainable and efficient operating model for the decades ahead. To do this effectively, two traditionally autonomous parts of agencies — HR and procurement — must work closely together.34

October 2021 second interim report of the Senate Select Committee on Job Security

1.19 In October 2021, the Senate Select Committee on Job Security released its second interim report, Insecurity in publicly-funded jobs.35 The report examined employment arrangements across the public sector. Drawing on the Thodey Review and JCPAA inquiry, the committee stated that:

the utilisation of labour contractors and consultants has increased markedly in recent years. Across a sample of 24 agencies, spending on contractors has more than doubled over the period between 2012-13 and 2016-17. Furthermore, information sourced from AusTender indicated that the total value of consultant contracts across the APS increased from $386 million to $545 million during the same four year period.36

1.20 In common with the Thodey Review37, the committee was critical of data collection relating to the non-APS workforce:

Neither the Australian Public Service Commission (APSC), nor the Department of Finance, was able to confirm how many people engaged through labour hire or other external contracting

34 ibid., p. 187. 35 Senate Select Committee on Job Security, Second interim report: insecurity in publicly-funded jobs [Internet], October 2021, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Job_Security/JobSecurity/Second_Inte

rim_Report [accessed 4 February 2022]. The report is part of a wider inquiry into job security. The committee was established to examine and report on the impact of insecure or precarious employment. The committee’s first interim report (June 2021) examined ‘on-demand platform work’ in Australia. A third interim report (November 2021) examined labour

hire and contracting, with a specific focus on the mining, agriculture, transport and distribution sectors. A fourth interim report (February 2022) examined a number of remaining issues such as casual work, and focused on the retail and hospitality sectors. The committee’s final report (March 2022) related to a possible matter of parliamentary privilege. 36 ibid., paragraph 11.14. ANAO comment: the AusTender data drawn upon in the second interim report was sourced from the Thodey

Review. See Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, 13 December 2019, p. 186. 37 See paragraphs 1.16-1.18 of this audit.

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

27

arrangements are working within the Australian Public Service. This data is not collected, and neither agency provided an explanation for why this is the case.38

1.21 The committee made the following recommendation on this matter:

The committee recommends that the Australian Government requires:

• the Australian Public Service Commission to collect and publish agency and service-wide data on the Government's utilisation of contractors, consultants, and labour hire workers;

• the Department of Finance to regularly collect and publish service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment; and

• labour-hire firms to disclose disaggregated pay rates and employee conditions.39

November 2021 report on the Senate Finance and Public Administration References Committee Inquiry into the Current Capability of the APS

1.22 In November 2021 the Senate Finance and Public Administration References Committee reported on its Inquiry into the Current Capability of the Australian Public Service.40 The matter referred to the committee for inquiry and report was as follows41:

The current capability of the Australian Public Service (APS) with particular reference to:

(a) the APS’ digital and data capability, including co-ordination, infrastructure and workforce;

(b) whether APS transformation and modernisation projects initiated since the 2014 Budget have achieved their objectives;

(c) the APS workforce; and

(d) any other related matters.

38 Senate Select Committee on Job Security, Second interim report: insecurity in publicly-funded jobs [Internet], October 2021, paragraph 11.13, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Job_Security/JobSecurity/Second_Inte rim_Report [accessed 4 February 2022]. See also paragraphs 12.12-12.15 and 15.22-15.25.

39 ibid., paragraph 15.26. 40 Senate Finance and Public Administration References Committee, The current capability of the Australian Public Service (APS) [Internet], November 2021, inquiry page available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Administration/C

urrentAPSCapabilities [accessed 2 December 2021]. The inquiry examined the current capability of the APS with particular reference to: the APS’ digital and data capability, including co-ordination, infrastructure and workforce; whether APS transformation and modernisation projects initiated since the 2014 Budget have achieved their objectives; the APS workforce;

and any other related matters. 41 ibid., paragraph 1.1.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

28

1.23 The committee drew on data in the Thodey Review42 and JCPAA inquiry43, and in an effort to ascertain the scale of labour hire usage across the APS44, requested staffing profile information from agencies across all portfolios.45 The committee observed that:

The responses received indicated that agencies had differing methods of collecting data, and that many agencies did not collect data that allowed them to disaggregate the numbers of labour hire workers from other contractors.

For example, some agencies advised that their recordkeeping systems did not or could not differentiate between contractors directly procured by the agency (e.g. independent contractors), and workers procured through labour hire firms.46

1.24 The committee made 13 recommendations, including the following recommendations on data collection and reporting:

• the annual employee census conducted by the APSC ahead of the State of the Service report be expanded to include all labour hire staff who have been engaged on behalf of the APS in that calendar year (recommendation 5);

• the APSC collect and publish standardised agency and service-wide data on the Australian Government’s utilisation of contractors, consultants, and labour hire workers (recommendation 6); and

• the Department of Finance regularly collect and publish annually service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment for each role (recommendation 8).

42 ibid., paragraphs 2.12-2.19. 43 ibid., paragraphs 5.28-5.29. 44 The committee recorded at paragraph 3.61 of its November 2021 report that this followed receipt of APSC advice that the APSC did not collect data on the number of labour hire workers used by agencies to

supplement their workforces. The APSC confirmed that it only collected data in relation to public servants and people employed under the PS Act, and that data on labour hire was held by agencies. See Senate Finance and Public Administration References Committee, APS Inc: undermining public sector capability and performance [Internet], November 2021, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/024628/toc_pdf/APSIncunderminingp ublicsectorcapabilityandperformance.pdf;fileType=application%2Fpdf [accessed 8 February 2022]. 45 The committee recorded at paragraph 3.67 of its November 2021 report that it asked for:

1) The staffing profile for the agency as at 1 July 2021, broken down into: a) APS ongoing employees: headcount and Average Staffing Level (ASL); b) APS non-ongoing employees: headcount and ASL; c) Labour hire staff: headcount and Full-Time Equivalent (FTE); and d) Other contractors: headcount and FTE.

2) The percentage of staff engaged through labour hire arrangements as a percentage of total agency headcount. 3) The total value of labour hire contracts entered into between 1 January 2021 and 30 June 2021. 46 Senate Finance and Public Administration References Committee, APS Inc: undermining public sector

capability and performance [Internet], November 2021, paragraphs 3.68-3.69, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/024628/toc_pdf/APSIncunderminingp ublicsectorcapabilityandperformance.pdf;fileType=application%2Fpdf [accessed 8 February 2022].

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

29

Department of Veterans’ Affairs workforce 1.25 DVA is a non-corporate Commonwealth entity.47 In its 2020-21 annual report, DVA stated that its purpose is to:

support the wellbeing of those who serve or have served in the defence of our nation, and their families, by:

• partnering with organisations and individuals to help design, implement and deliver effective programs and benefits, which enhance wellbeing of veterans and their families; and

• providing and maintaining war graves and delivering meaningful commemorative activities to promote community recognition and understanding of the service and sacrifice of veterans.48

1.26 DVA’s key functions include: delivering income and disability support to veterans and their dependents; providing access to general medical, hospital and community care and support; providing and maintaining war graves; and delivering commemorative services.49 To deliver its key functions, DVA has an approved average staffing level (ASL) of resources in the Portfolio Budget Statements (PBS). The actual APS workforce is reported on in the DVA annual report each year. Table 1.1 below sets out DVA’s allocation and utilisation of its ASL, over three years.

Table 1.1: DVA’s average staffing level (ASL)

Category 2018-19 2019-20 2020-21

Budget estimatea 1796 1615 1615

Actualb 1709 1625 1613

Note a: Budget Estimate data is sourced from DVA’s Portfolio Budget Statements (PBS). Note b: Actual workforce data is sourced from DVA’s annual reports, reported as FTE (over the financial year). This differs from the figures in Table 1.2 which are reported by headcount. Source: Department of Veterans’ Affairs Portfolio Budget Statements and annual reports for 2018-19, 2019-20 and

2020-21

1.27 DVA’s Strategic Workforce Plan 2019-23 recognises its contingent workforce as an integrated part of its blended workforce. DVA has defined three types of contingent workforce resources utilised by the agency: consultants, independent contractors, and labour hire.50 Box 4 below sets out the contingent workforce definitions used by DVA that have the characteristics of a ‘contractor’ discussed earlier in paragraphs 1.2-1.3 and Box 1.

47 DVA is part of the Defence portfolio. Its Secretary is the Agency Head under the PS Act and the accountable authority under the PGPA Act. As a non-corporate Commonwealth entity under the PGPA Act, DVA is not a body corporate. 48 Department of Veterans’ Affairs, Annual Report 2020-21 [Internet], available from

https://www.transparency.gov.au/annual-reports/department-veterans-affairs/reporting-year/2020-21-38 [accessed 24 February 2022]. Also see: Department of Veterans’ Affairs Portfolio Budget Statements 2021-22 [Internet], p. 20, available from https://www.transparency.gov.au/sites/default/files/dva-pbs-21-22.pdf [accessed 7 March 2022]. 49 ibid.

50 DVA has defined these contingent workforce resources in its Blended Workforce Guide, discussed further in paragraph 2.16.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

30

Box 4: Definitions of types of contingent workforce resources utilised by DVA that have the characteristics of a contractor

Independent contractor

Typically, independent contractors run their own business. They are often contracted by the department to provide a service for a fixed term (i.e. to undertake a specific project or task). In most cases an independent contractor in DVA:

• Works under the direction of an APS employee.

• Has freedom in the way they work (i.e. they may not necessarily work on the department’s premises, or work specific hours).

• Can work for a variety of clients at one time.

• Is paid a fee for their services, not a wage or salary.

• Is not entitled to paid leave or other employee entitlements.

• Is not covered by DVA’s workers’ compensation.

• Is not supplied through a labour hire company or a labour hire panel.

Labour hire

‘Labour hire’ (LH) occurs when the department contracts a labour hire provider/recruitment company usually through a panel arrangement (e.g. Hays, Hudsons, SOS Recruitment, etc.) to supply workers for a specific time or project.

Typical characteristics of LH arrangements include the following:

• A LH provider will direct their LH staff to work for the department for a period which may range from a single day to a number of years. The department pays the LH provider, who in turn pays its staff.

• LH staff are not public servants. They are not employed by the department or the Australian Public Service (APS), nor does the Public Service Act 1999 (PS Act) apply to them. However, it is important that all members of the department’s workforce continue to work collaboratively, consistent with the APS Code of Conduct and DVA’s Cultural Vision.

• LH staff are engaged for a variety of workforce solutions, including meeting a short term work requirement or providing a specialist skillset. Use of LH enables staffing needs to be met where funding is available but Average Staffing Level (ASL) headcount pressures limit available recruitment options.

• LH staff perform work which can be viewed as either generalist/administrative (e.g. Claims Officer, Frontline Customer Service) or specialised (e.g. Social Worker, Change Manager, Project Manager, Business Analyst, Medical Adviser).

Source: Department of Veterans’ Affairs, Blended Workforce Guide. DVA’s Blended Workforce Guide also states that a consultant is: ‘a person engaged by the department, according to a contract for services.’ The Blended Workforce Guide identifies the following characteristics for consultants: they do not work under the direction of an APS employee; they are not covered by DVA’s workers’ compensation; they have a defined area for investigation and reporting and sometimes own the product of that consultancy; they provide specialist advice or answers to specific questions; and the outcomes of the advice are normally expressed as recommendations in a report.

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

31

1.28 This audit has focused on members of DVA’s contingent workforce engaged as an ‘independent contractor’ and ‘labour hire’ as defined in Box 4 above.51 DVA’s workforce data indicates that these personnel types perform work in key functions across the department.52

Contractor numbers in the Department of Veterans’ Affairs

1.29 Table 1.2 below sets out DVA’s workforce headcount by category, over three years.

Table 1.2: DVA’s workforce headcount at 30 June 2019, 2020 and 2021

Workforce category Headcount at

30 June 2019

Headcount at

30 June 2020

Headcount at

30 June 2021

APS full-time 1408 1488 1437

APS part-time 206 191 182

APS non-ongoing (including casual employees)

67 71 159

APS Total 1681 1750 1778

Labour hirea 775 960 1096

Independent contractora 302 213 191

Total workforce (APS/contractor/labour hire)

2758 2923 3065

Note a: See definitions in Box 4 above. Source: Department of Veterans’ Affairs.

1.30 DVA advised the Senate Finance and Public Administration Legislation Committee in September 2021 that it spent $123.3 million on labour hire staff in 2020-21. Further information on the characteristics of the 1287 contractors and labour hire personnel DVA engaged as at 30 June 2021 is at Appendix 4, including the organisational group and job families they worked in.

Previous audits and reports 1.31 Agencies’ management of their contracted workforce is considered when necessary in the conduct of ANAO audit and assurance work. Examples of ANAO performance audits which have considered the management of a contracted workforce include:

51 For the purpose of this audit, both independent contractor and labour hire personnel are referred to as ‘contractors’, as these two personnel types are contracted personnel engaged pursuant to a contract to perform a role that is part of the operations of the agency. Taken together, these two groups align with the definition of ‘contractor’ used by the ANAO in related audits of the management of contractors in the Department of Defence and Services Australia. This approach enables broad comparison of the arrangements for the management of contractors across the three ANAO audits. 52 As at 30 June 2021, independent contractors and labour hire personnel worked in the following job families:

Accounting and Finance, Administration, Communications and Marketing, Health, Human Resources, ICT, Information and Knowledge Management, Legal and Parliamentary, Monitoring and Audit, Organisational Leadership, Project and Program, Research, Service Delivery and Strategic Policy. Sixty-one labour hire and contractor personnel did not have a specified job family. See additional detail at Appendix 4 of this audit.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

32

• Auditor-General Report No.2 2017-18 Defence’s Management of Materiel Sustainment53;

• Auditor-General Report No.38 2017-18 Mitigating Insider Threats through Personnel Security54;

• Auditor-General Report No.28 2018-19 Management of Smart Centres’ Centrelink Telephone Services — Follow-up55;

• Auditor-General Report No.1 2021-22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 156;

• Auditor-General Report No.4 2021-22 Defence’s Contract Administration — Defence Industry Security Program57; and

• Auditor-General Report No. 6 2021-22 Management of the Civil Maritime Surveillance Services Contract.58

1.32 The ANAO has prepared two information reports on procurement activity in the Australian public sector, which have included publicly available information on consultants:

• Auditor-General Report No.19 2017-18 Australian Government Procurement Contract Reporting; and

• Auditor-General Report No.27 2019-20 Australian Government Procurement Contract Reporting Update.

1.33 These information reports presented publicly available data from public sector procurement activity in a number of ways.59 The publicly available data includes entity reporting on contracts relating to consultancies, including consultancy contract value.

Rationale for undertaking the audit 1.34 The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years, discussed above at paragraphs 1.14-1.24.

53 In particular, paragraphs 5.11-5.16, as well as Box 5, discussing Defence’s engagement of contracted industry expertise to support implementation of the First Principles Review in relation to sustainment. 54 In particular, paragraphs 2.77-2.81 of that report. 55 In particular, paragraph 3.28 and Table 3.3 of that report discussed the Department of Human Services’

arrangements for supporting performance and quality improvements for contracted personnel. 56 In particular, pages 61-66 of the report documented specific probity issues identified in the course of the audit which related to the management of probity in the program, including by contracted personnel, and which required attention. 57 This audit concluded that Defence’s administration of contractual obligations relating to the Defence Industry

Security Program were partially effective. 58 The audit examined whether contract managers were appropriately trained and experienced. 59 These information reports were neither an audit nor an assurance review, and no conclusions or opinions were presented.

Background

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

33

1.35 This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. DVA was selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits in this series review the management of contractors by the Department of Defence and Services Australia.

Audit objective, criteria and scope 1.36 The objective of the audit was to examine the effectiveness of DVA’s arrangements for the management of contractors.

1.37 To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has DVA established a fit-for-purpose framework for the use of contractors?

• Does DVA have fit-for-purpose arrangements for the engagement of contractors?

• Has DVA established fit-for-purpose arrangements for the management of contractors?

1.38 The audit examined DVA’s framework of policies, plans, processes and guidance that apply to its use, engagement and day-to-day management of contractors.

1.39 The audit did not examine:

• the specific procurement arrangements through which particular contractors or outsourced service providers are engaged, or the assessment of the value-for-money aspect of specific decisions to engage such personnel instead of APS personnel;

• performance management in terms of specific contracted deliverables as this is part of the management of a contract; or

• the vetting process for contractors undertaken by the Australian Government Security Vetting Agency (AGSVA).60

Audit methodology

1.40 Audit procedures included discussions with relevant DVA officials and an examination of the following DVA documentation:

• plans, forecasts and management decisions about DVA’s workforce use;

• guidance available to assist officials’ decision making on whether to engage a contractor instead of an APS resource, including the information provided to delegates regarding such choices;

• DVA’s contracting mechanisms that are available for the engagement of contractors;

• documentation that sets out mandatory training requirements, processes and completion reports for induction training;

60 Since AGSVA was established in 2010, the Australian National Audit Office (ANAO) has conducted three performance audits of personnel security arrangements, as effective arrangements underpin the protection of the Australian Government’s people, information and assets: Auditor-General Report No.45 2014-15 Central Administration of Security Vetting; Auditor-General Report No.38 2017-18 Mitigating Insider Threats through Personnel Security; and Auditor-General Report No.21 2020-21 Delivery of Vetting Services - Follow up.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

34

• policies, processes and reporting that supports DVA’s compliance with PSPF policies 12-14 that relate to the onboarding, ongoing management (including where staff move within the entity) and offboarding of contracted staff; and

• management reports as evidence of the application of DVA’s framework for the management of contractors.

1.41 The audit was open to contributions from the public. The ANAO received and considered two submissions.

1.42 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $342,000.

1.43 The team members for this audit were Jarrad Hamilton, Hugh Balgarnie, James Wright, Georgia Johnston, Michael Brown, Helen Sellers and Sally Ramsey.

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

35

2. Framework for using contractors

Areas examined This chapter examines whether the Department of Veterans’ Affairs (DVA) has established a fit-for-purpose framework for the use of contractors.

Conclusion DVA has established a fit-for-purpose framework for the use of contractors. Enterprise-level guidance sets out the different personnel types, including contractors, and provides instructions for determining whether there is an operational requirement for the use of contractors.

2.1 As discussed in paragraph 1.4, the APS Workforce Strategy 2025 released by the Australian Public Service Commission (APSC), identifies that an important element of successful mixed workforce models is a ‘structured approach to the use of non-APS employees’ which includes Australian Public Service (APS) agencies ‘considering where work would be best delivered by an APS employee.’ The strategy also states that:

The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.61

2.2 This chapter considers the framework established by DVA to guide decisions to use contractors. The ANAO examined whether guidance had been developed and issued by DVA, that:

• provided clarity about the different personnel types that are utilised as DVA’s external workforce, including the definition of ‘contractor’, so the most appropriate option is selected for a particular role; and

• assisted officials to determine whether there is an operational requirement for the use of contractors to support the efficient and effective use of resources.

Does DVA guidance provide clarity regarding the different personnel types, including contractors?

DVA guidance provides clarity regarding the different personnel types, including contractors.

2.3 DVA has provided internal guidance regarding the different personnel types. This guidance is accessible through DVA’s Blended Workforce Guide, which provides guidance for managers of staff in DVA. This guidance is available on DVA’s intranet and includes the definitions for the three types of contingent workforce utilised by the agency: consultants; independent contractors; and labour hire.62

61 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-strategy-2025 [accessed 6 January 2022].

62 DVA’s definitions are set out in Box 4 of this audit. Consultants are outside the scope of this audit.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

36

2.4 DVA also utilises a list which includes definitions for the 11 workforce types (cohorts) utilised by Services Australia in addition to its APS workforce.63 Reference to this list is necessary for the purposes of categorising DVA’s workforce for entry into Services Australia’s SAP system.64 The definitions of ‘contractor’ and ‘labour hire’ on Services Australia’s list are largely consistent with the definitions of ‘independent contractor’ and ‘labour hire’ adopted in DVA’s guidance for managers.

Does DVA provide guidance on determining whether there is an operational requirement for the use of contractors?

DVA’s Strategic Workforce Plan recognises its external workforce as part of its workforce mix and outlines operational requirements for its contractor workforce at a strategic level. DVA has delegated responsibility for engaging contractors to business areas and line managers and has developed a Blended Workforce Guide to provide operational-level guidance on the type of work that contractors would typically be expected to undertake.

2.5 DVA has set out guidance on determining whether there is an operational requirement for the use of contractors in the following documents:

• the Strategic Workforce Plan 2019-2023 and the June 2021 interim update to this plan; and

• the Blended Workforce Guide.

Strategic workforce planning

2.6 DVA’s Strategic Workforce Plan 2019-2023 recognises its contingent (including contractor) workforce as part of its workforce mix and sets out how DVA expects to use contingent workforce personnel over time and across different functions. The operating environment and risks to the successful delivery of DVA’s purpose are considered in the plan(discussed further below). A shorter version of the Strategic Workforce Plan is available on DVA’s intranet. DVA advised that this shorter version was disseminated to staff, to provide high-level guidance around operational requirements for the use of contractors.

2.7 The 2021 interim update to the Strategic Workforce Plan describes the operational environment as follows:

Using [the] business-sourced operating models to envision the future state required by DVA to deliver on its strategy, and meet future challenges, and addressing Enterprise Risk 6: The ability to provide a professional engaged and flexible workforce, the Enterprise Strategic Workforce Plan (the Plan) provides a workforce capacity and capability assessment of DVA in its journey. It considers the requirements to maintain business as usual outcomes, effectively respond with a surge workforce to priorities such as disaster relief and Royal Commission support, whilst transforming for the future.

The Government’s response to the June 2019 Productivity Commission Report, A Better Way to Support Veterans, the Independent Review of the Australian Public Service (APS), the impact of

63 Refer to Auditor-General Report No.44 2021-22 Effectiveness of the Management of Contractors — Services Australia. 64 Services Australia provides corporate services to DVA as part of a shared service agreement established in May 2018. Services Australia’s SAP system is used to provide corporate human resource management services

to DVA. Refer to paragraph 3.39 for further detail.

Framework for using contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

37

COVID on DVA’s workforce, the establishment of a Royal Commission into Defence and veteran suicide, and the continuing relationship of DVA with Services Australia have the potential to impact upon the operation of DVA.

Effective workforce planning is essential to a successful transformation, and during a Royal Commission environment strategic workforce planning and management will be key to DVA’s capability and capacity in responding to the Commission while consolidating a transformation program and maintaining BAU [Business as Usual].

Another critical factor guiding DVA’s workforce plan is the Average Staffing Level (ASL) cap which governs APS staffing. ASL figures are dictated by claims submitted by Veterans and their families and services delivered to veterans and their families. For the 2020-21 FY, DVA’s ASL cap is 1,615. For the 2021-22 FY, DVA’s budget-adjusted ASL cap is 2,062.65 … Given the pronounced capability and sourcing risks, targeted interventions will be required to ensure the right capabilities are retained, transitioned, developed and sourced to maintain business continuity whilst shifting to DVA’s Future BOM [business-sourced operating model].

2.8 The Strategic Workforce Plan identifies the contingent workforce as one of five risk themes under the heading ‘The right skills’. The plan sets out the following:

To achieve DVA’s strategic intent, the workforce will need to be adaptive to change and uplifted in critical skills. Building this workforce will require effective talent management, supported by strategic sourcing decisions such as utilising APS or contingent labour.

2.9 A mitigation to address the contingent workforce risk has been outlined and was identified as a priority in both the original plan and the interim update. The mitigation was:

Strengthen contractual agreements between contingent labour and APS

Develop contractual agreements with recruitment agencies to improve contingent workforce agreements, including robust knowledge transfer requirements for contingent workforce service agreements and complementary development services.

2.10 DVA advised the ANAO in March 2022 that:

In early 2020 an internal review of the labour hire processes in DVA was undertaken by PSB [People Services Branch] in light of the mitigation strategy outlined in the Strategic Workforce Plan. The review found a large number of labour hire agencies were being used by the different DVA Business Areas.

On the basis of activity over the period July 2017-February 2020 and following input from Business Areas, a list of Preferred Providers66 was established for all labour hire recruitment activity.

2.11 The June 2021 interim update of the Strategic Workforce Plan indicated that DVA planned to deliver a revised plan over the next six months to:

provide deep analysis of use of contingent labour, workforce in front facing positions, and surge vs specialist workforce.

65 ANAO comment: as part of the 2021-22 Budget, DVA received additional funding of $98.5 million and funding for more than 440 additional APS staff to address claim waiting times over the next two years. DVA advised the Parliament’s Foreign Affairs, Defence and Trade Legislation Committee on 27 October 2021 that it was in the process of filling these positions by converting labour-hire staff to ongoing APS positions. The 2022-23 Budget included an additional $22.8 million over two years to further boost claims processing capability. 66 ANAO comment: DVA’s preferred provider arrangements are discussed in paragraph 3.8.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

38

2.12 DVA advised the ANAO in April 2022 that the next review and update of the Strategic Workforce Plan is to be presented to DVA’s Executive Management Board in the second half of 2022.67

Supporting workforce planning documents

2.13 DVA’s Strategic Workforce Plan outlines the requirements for its contractor workforce at an entity level. To support the Strategic Workforce Plan, DVA has developed divisional and operational workforce plans. Figure 2.1 below outlines how these documents form DVA’s workforce planning model.

Figure 2.1: Workforce planning in the Department of Veterans’ Affairs

Source: DVA’s Strategic Workforce Plan 2019-2023.

2.14 DVA’s divisional workforce plans set out the workforce planning environment at that organisational level. The divisional workforce plans are supported by operational workforce plans that include further detail on initiatives and workforce considerations at the divisional level and below.

2.15 DVA advised the ANAO in June 2022 that:

Due to resourcing issues, enterprise level project management of the Divisional and Operational plans was not undertaken and therefore it is unclear how much of the implementation has been completed.

67 DVA advised the ANAO in February 2022 that ‘following the release of the Plan in 2019, there was an organisational wide restructure which saw the Workforce Planning team disbanded. The function has remained un-resourced since this time, however PSB [People Services Branch] are currently trying to recruit for this role. Once this role is filled, PSB will develop a plan to update the Strategic Workforce Plan.’ DVA subsequently advised the ANAO in May 2022 that ‘one role has been filled (the staff member commenced with DVA at the end April 2022).’

Framework for using contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

39

Blended Workforce Guide

2.16 DVA advised the ANAO in December 2021 that the decision to engage contractors is delegated to business areas and line managers. DVA has developed a Blended Workforce Guide for managers, to provide guidance on the type of work that contractors (independent contractors and labour hire staff) would typically be expected to undertake. The guide states that:

Labour hire staff are engaged for a variety of workforce solutions, including meeting a short term work requirement, or providing a specialist skillset. Use of labour hire enables staffing needs to be met where funding is available but Average Staffing Level (ASL) headcount pressures limit available recruitment options.

Labour hire staff bring a variety of skills, capabilities and experiences to the department. They also bring a ‘fresh set of eyes’ to the way we do things offering opportunities to learn and expand our understanding of systems, processes and approaches.

Labour hire staff perform work which can be viewed as either generalist/administrative (e.g. Claims Officer, Frontline Customer Service) or specialised (e.g. Social Worker, Change Manager, Project Manager, Business Analyst, Medical Adviser).

2.17 In relation to independent contractors, the guide states that:

They are often contracted by the department to provide a service for a fixed term (i.e. to undertake a specific project or task).

2.18 DVA advised the ANAO in February 2022 that it:

is currently in the process of developing Standard Operating Procedures (SOP) for contingent labour hire to further assist hiring business areas with the decision making and process around engaging and managing labour hire.

The SOP will cover:

• Definition of labour hire, contractors & consultants

• Role and responsibilities

• Points of contact

• Mandatory processes, procedures and templates

• Required documentation standards

• Compliance monitoring activities.

2.19 DVA advised the ANAO in April 2022 that these SOPs were still under development.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

40

3. Arrangements for engaging contractors

Areas examined This chapter examines whether the Department of Veterans’ Affairs (DVA) has fit-for-purpose arrangements for the engagement of contractors.

Conclusion DVA has established largely fit-for-purpose arrangements for the engagement of contractors. These arrangements include a contracting suite that is tailored for the use of contractors and induction training covering expected behaviours and standards from relevant Commonwealth legislation and DVA policy. While DVA collects data to monitor the completion of training, there is opportunity for DVA to improve its arrangements for annual follow-up checks. As at 22 December 2021, 44 per cent of contractors had not completed all modules of the mandatory induction program. DVA has established arrangements (policy, processes and monitoring) that largely support compliance with Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel when it engages contractors, except for establishing a policy to support compliance with Supporting Requirement 1(c) and Supporting Requirement 2(d)(ii) of Policy 12.

Recommendation and areas for improvement The ANAO has recommended that DVA update its policies and processes to address PSPF Policy 12: Eligibility and suitability of personnel.

There is also an opportunity for DVA to improve its annual follow-up checks in order to provide assurance to senior management that contractors are completing mandatory induction training within the required timeframes.

3.1 DVA’s contracting templates, standing offer arrangements, induction arrangements and arrangements to support compliance with PSPF Policy 12: Eligibility and suitability of personnel are the primary mechanisms through which the department ensures that contractors are obliged to comply with DVA’s policies and Commonwealth legislation, understand these obligations, and are suitable to access DVA’s information.

3.2 To form a view on the fitness-for-purpose of DVA’s arrangements for engaging contractors, the ANAO examined the standing offer arrangements and contracting templates used for engaging contractors. Well-designed arrangements, contracting templates and clauses help operationalise requirements and assist officials to consistently apply them at the point of engagement. They also document the expectations placed on contractors and provide a basis for managing performance and non-compliance. Contracting documentation and templates available through panel arrangements (see paragraphs 3.8-3.10), covering 73 per cent of DVA’s contractor workforce

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

41

expenditure for 2020-2168, were reviewed by the ANAO to establish whether DVA included clauses requiring the contracted personnel to meet performance standards and comply with DVA’s policies and Commonwealth legislation. In addition, the ANAO examined:

• the induction arrangements established to help contractors understand their responsibilities and how to meet their obligations when working for DVA; and

• the policies and processes in place to ensure that the eligibility and suitability of contractors to access Australian Government resources has been established at engagement, as required by PSPF Policy 12: Eligibility and suitability of personnel.69 Monitoring and reporting on compliance with the policy was also examined.

Does DVA have a contracting suite that is tailored for the use of contractors?

DVA’s contracting suite documentation includes clauses that set out the behavioural requirements and expectations that contractors are expected to meet when working with the department. Contract documentation underpinning DVA’s standing panel arrangements — which represented 73 per cent of DVA’s contractor workforce expenditure for 2020-21— include clauses to support contractor compliance with all mandatory policies.

3.3 The engagement of a contractor is a procurement process and requires the establishment of a contract between DVA and the contractor or the contractor’s employer. DVA has delegated responsibility for the engagement of contractors to business areas.

3.4 DVA has set out guidance for the engagement of contractors in a workflow document and a checklist available on its intranet. These documents also outline the process for engaging contractor personnel in DVA. Figure 3.1 below illustrates the key steps in this process.

68 DVA advised the ANAO that: ‘A small amount of Labour Hire staff are engaged outside of these panel arrangements. This is undertaken in circumstances where specialist skills are required that cannot be sourced by our usual panel arrangements.’ DVA identified two main panels that support these arrangements: the Defence Support Services Panel (which provides program management, commercial services, and authoring and writing services); and the Digital Transformation Authority Digital Marketplace Panel (which provides ICT specialist services). The ANAO examined the standing offer arrangements for these panels and found they were broadly consistent with the three main panel arrangements considered in detail by the ANAO in paragraphs 3.8-3.14. These additional arrangements were not subject to the same level of audit testing as the three main panel arrangements used by DVA. 69 The PSPF defines ‘personnel’ as employees and contractors, including secondees and any service providers that

an entity engages. See PSPF Policy 12: Eligibility and suitability of personnel, v.2018.3 [Internet], available from https://www.protectivesecurity.gov.au/publications-library/policy-12-eligibility-and-suitability-personnel [accessed 27 September 2021].

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

42

Figure 3.1: Process set out in DVA’s guidance on how to engage a contractor

Source: ANAO summary of DVA documentation.

3.5 Contractors and labour hire personnel engaged by DVA ‘generally work side by side with other departmental staff’ or under the direction of an APS employee. DVA’s policies set out the behavioural requirements and expectations that contractors are expected to meet when working with the department. These policies cover: conduct and behaviour; work health and safety; personnel security; privacy; fraud; and conflict of interest.

3.6 The ANAO examined the guidance and support available to the three DVA business areas with the largest cohorts of contractors: the Client Engagement and Support Services division; the Client Benefits division; and the Mental Health and Wellbeing division. These business areas collectively employed 942 contractors, representing 73 per cent of DVA’s total contractor workforce as at 30 June 2021.

3.7 These business areas have established dedicated recruitment teams. DVA advised the ANAO that these teams were established in order to deliver a more consistent and efficient approach to onboarding contractors and to reduce the administrative burden on staff within business areas.70 These teams have developed their own guidance to support the engagement of contractors. The ANAO examined guidance for the engagement of contractors established by these business areas and found that the guidance was consistent with entity-level guidance.

70 The dedicated recruitment teams for the three business areas examined were established in: January 2019 (Client Benefits Division); mid-2019 (Mental Health and Wellbeing Services Division); and August 2021 (Client Engagement and Support Services Division).

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

43

Contracting suite

3.8 DVA uses three main panel arrangements to source labour hire staff. These panels were established by the Australian Digital Health Agency, Australian Federal Police, and Australian Taxation Office. Each panel arrangement establishes a Deed of Standing Offer.71 DVA has established arrangements with 16 preferred labour hire recruitment agencies when engaging labour hire staff. For the three deeds of standing offer reviewed by the ANAO (one example for each panel) the broad contractual arrangements between the contracting entity and labour hire recruitment agencies were outlined.

3.9 Each Deed of Standing Offer available through these panel arrangements is supported by customised work order templates that are available on DVA’s intranet for contract managers to use when engaging labour hire staff. The work order templates include work level standards outlining the work performance expectations of labour hire staff and include DVA’s pre-populated agency details.

3.10 For contractors engaged outside of labour hire arrangements, such as independent contractors (as defined in Box 4 in Chapter 1), DVA has established a centrally managed process for preparing contracts and providing advice on the procurement process. For these arrangements, DVA requires that its officials utilise the Commonwealth Contracting Suite.72

Analysis of deeds of standing offer and work order templates

3.11 As discussed in paragraph 3.2, the documents available under the panel arrangements identified above covered 73 per cent of DVA’s contractor workforce expenditure in 2020-21. The ANAO examined the three Deed of Standing Offer documents and work order templates to establish whether they included clauses to require labour hire or contractor personnel to comply with DVA’s policies and processes73, and to meet performance standards.

3.12 The ANAO’s review of these documents found that all three deeds included clauses requiring compliance with all relevant processes and guidelines required by DVA.74 All three deeds also include clauses addressing non-compliance with required performance standards and

71 A standing offer arrangement consists of a Deed of Standing Offer for each supplier under the panel. Where there are multiple suppliers under a standing offer arrangement it is commonly called a panel. Generally, the Deed of Standing Offer will be the same for each supplier. See: Department of Finance, Using an Existing Standing Offer [Internet], available from

https://www.finance.gov.au/government/procurement/buyright/using-existing-standing-offer#:~:text=A%20standing%20offer%20arrangement%20consists,the%20same%20for%20each%20supplier [accessed 7 March 2022]. 72 The Commonwealth Contracting Suite is a suite of contracting forms to assist Commonwealth Government

officials prepare procurement documentation. The Commonwealth Contracting Suite reflects Government policy to streamline business between the public and private sector. Standard terms and consistency of procurement documentation is intended to make it easier for suppliers to do business with the Commonwealth. See: Department of Finance, Commonwealth Contracting Suite — Frequently Asked Questions (FAQs)

[Internet], available from https://www.finance.gov.au/government/procurement/commonwealth-contracting-suite-frequently-asked-questions-faqs [accessed 17 March 2022]. 73 This includes: conduct and behaviour policies; work health and safety policies; personnel security policies; privacy policies; fraud policies; and conflict of interest policies. 74 These policies are outlined in paragraph 3.5.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

44

non-compliance with mandatory polices referred to in the contract, including the option of termination of services on the basis of convenience or default.

3.13 The work order templates have been customised by DVA to include work level standards for contractors performing roles at the APS1 to EL2 level, that are consistent with the expectations for equivalent-level APS staff. The work level standards outline the nature of the work typically expected at each level including the: degree of complexity, autonomy and judgement required; level of technical or policy proficiency; level of personnel management; and degree of public contact.

3.14 DVA’s contracting suite documentation includes clauses that set out the behavioural requirements and expectations that contractors are expected to meet when working with the agency.

Does DVA have fit-for-purpose arrangements for inducting contractors?

DVA has developed requirements and guidance for the induction of contractors, including training courses that cover expected behaviours and standards from relevant Commonwealth legislation and DVA policy. Managers are responsible for monitoring contractors’ completion of mandatory training. Recent (May 2022) DVA data for the completion of mandatory training indicates improvement following the introduction of a new course in April 2022, after DVA identified that the previous fraud awareness training course had been left off its learning management system, DVAtrain. DVA data as at 22 December 2021 showed that 56 per cent of contractors had completed all modules of the mandatory induction program. The completion rate prior to the inclusion of the new training module on DVAtrain indicates that there is opportunity for DVA to improve its arrangements for annual follow-up checks.

3.15 The induction process for contractors is outlined in DVA’s Induction Booklet75, and includes a mandatory induction program with online training modules on risk, fraud awareness, security and APS Values. Further, DVA’s Blended Workforce Guide advises DVA officials that:

Induction (including Security onboarding and meeting the Secretary/Deputy Commissioner) should be undertaken by all new members of the department’s workforce, regardless of the nature or duration of their employment.

Other training should be managed on a case-by-case basis…

3.16 The ANAO’s review of contract documentation under the panel arrangements used by DVA (discussed at paragraph 3.8) found that, in addition to requiring compliance with all relevant processes and guidelines required by DVA:

• the Deed of Standing Offer available under the Australian Digital Health Agency panel included a clause stating that the provider must conduct inductions with contractor staff relating to conditions of employment and relevant workplace health and safety requirements for the agency; and

• the Deed of Standing Offer available under the Australian Taxation Office panel included a clause requiring the service provider to provide training and development.

75 The Induction Booklet was developed in September 2019 and was last updated in March 2022.

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

45

Mandatory induction and refresher training programs

3.17 DVA advised the ANAO in December 2021 that all new staff, including contractors, are required to complete DVA’s Essential Elearning Plan (EEP). New staff are to be automatically assigned to the EEP on commencement.76 DVA further advised that it has in place three versions of the EEP:

• EEP — Standard: comprising ten modules that most staff complete, including labour hire/contractors;

• EEP — Contractors & Labour Hires: this program is for labour hires/contractors exempted from the standard EEP due to the short-term nature of their hire. It consists of four modules from the standard EEP77; and

• EEP — Clinical Advisers: this program is only applicable to Clinical Advisers from the Chief Health Officer Division and consists of six modules from the standard EEP.

3.18 DVA staff must complete the relevant mandatory induction program within three months of their commencement with the department, and complete mandatory refresher training every one or two years.78

3.19 DVA advised the ANAO that DVA business areas may also have additional induction requirements for new staff, in addition to the corporate offerings identified above. These business-specific induction programs remain the responsibility of relevant business areas to enforce/monitor.79

3.20 In addition to setting out mandatory induction training, DVA’s Induction Booklet includes checklists to: familiarise new starters with DVA, including DVA’s relevant integrity and professional standards; gain IT systems access; complete mandatory security briefings; cover off learning and development requirements; and set up performance management agreements. In relation to ongoing training requirements, the Induction Booklet states that all DVA employees:

have a responsibility to ensure their skills remain relevant, however your manager has an obligation to provide learning and development opportunities as required.

3.21 The ANAO reviewed the content of the mandatory induction program to assess the extent to which expected behaviours and standards from mandatory DVA policies were covered by the training. The results of the analysis are summarised below in Table 3.1.

76 DVA has identified, through its Security Quarterly Action Plan activities, that new starters are not always added. This is discussed further in paragraph 3.60. 77 DVA advised the ANAO that managers must apply for a waiver for staff to complete this version of the EEP instead of the Standard version. DVA further advised that no waivers were provided in 2020-21. The modules

are: Security Awareness DVA-Induction; Security Awareness quiz; Code of Conduct Essentials; and Work Health and Safety. 78 The required completion timeframes for induction and ongoing refresher training depend on the specific module. See Appendix 5 for further detail on the completion timeframes, EEP module structure and module

review dates. 79 For example, the Client Benefits Division established a series of training logbooks to monitor training progress and completion for new delegates processing veteran claims. The logbooks provide for progress to be recorded by the trainee and their mentor (including completion of required e-learning and face-to-face

training) and for manager approval to be obtained before the training is recorded as complete.

Table 3.1: ANAO analysis of DVA mandatory induction training for contractors — coverage of contractor obligations

DVA contractors must comply with these obligationsa

Mandatory induction course

Conduct and Behaviour Work Health and Safety

Personnel Security

Privacy

Fraud and Corruption

Conflict of Interest

Security Awareness DVA - Inductionb    

DVA Security Awareness Quiz    

Financial Principles  

Code of Conduct Essentials  

Work Health and Safety 

Information and Records Awareness 

Introduction to Risk Management  

Performance Management 

Fraud Awareness at DVA 

Integrity in the APS 



Note a: Ticks in this table indicate that the training course includes material covering DVA policy requirements. Note b: The Security Awareness DVA - Induction module is only completed upon induction. The DVA Security Awareness Quiz serves as the refresher course for this module. DVA advised that if staff fail the DVA Security Awareness Quiz, they are required to recomplete the Security Awareness DVA - Induction module. Source: ANAO analysis of DVA documentation.

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

47

3.22 As illustrated in Table 3.1, DVA’s mandatory induction training for contractors covers the agency’s mandatory policies for all personnel including contractors. However, the ANAO’s analysis identified that:

• The Security Awareness DVA - Induction module and the Work Health and Safety module did not cover working from home arrangements. There is opportunity for DVA to review the content of these modules to ensure that induction training covers the additional risks posed by remote working arrangements; and

• the Performance Management module does not include content relating to the incorporation of ongoing suitability assessments in annual performance discussions. DVA’s Personnel Security Protocol80 states that managers must embed security considerations into their annual performance appraisals by seeking confirmation from staff that they have reported changes of circumstances, if any. This requirement is discussed in Chapter 4 (paragraphs 4.19-4.23).

Monitoring the completion of training

3.23 Staff completion of the mandatory induction program is captured through the department’s Learning Management System (DVAtrain).

3.24 The ANAO examined DVAtrain data on the completion of mandatory induction modules by labour hire employees as at 22 December 2021. Of the 1076 labour hire personnel recorded in DVAtrain as at 22 December 2021, 602 (56 per cent) had completed the entire mandatory induction course or were still within the allowable timeframe for completion.

3.25 Figure 3.2 (below) illustrates the number of labour hire personnel that had completed each module of the mandatory induction program as at 22 December 2021. As shown in Figure 3.2, the completion rate of the ‘Fraud Awareness at DVA’ module was lower than the completion rates for

the other nine modules. Of the 1076 labour hire personnel engaged by DVA as at 22 December 2021, 490 (46 per cent) had completed the fraud awareness module. Completion rates across the other nine modules were 76 per cent or higher.

3.26 DVA advised the ANAO in June 2022 that the ‘Fraud Awareness at DVA’ module commenced on 18 December 2020, replacing ‘Fraud Awareness’ and ‘Fraud Control in DVA’ modules which were decommissioned due to Adobe Flash not being supported on DVAtrain. DVA further advised that:

The decommissioning of the two unsupported modules (“Fraud Awareness” and “Fraud Control in DVA”) on 01/01/2021, resulted in the new “Fraud Awareness at DVA” (HTML5 version) being inadvertently left off of the EEP on DVA-Train.

Both the Fraud Awareness and Fraud Control in DVA modules remained referenced (during this time) in the DVA Induction Booklet (attached) and was an expected requirement of on-boarding.

When the business area (the newly established Fraud Strategy and Prevention Section) became aware of the matter, they requested [that] the People and Services Branch reinstate the module to the EEP on DVA-Train on 21/09/2021.

80 The Personnel Security Protocol reviewed by the ANAO was released by DVA in November 2018 and was updated in November 2019.

Figure 3.2: DVA mandatory induction modules — completion rates for labour hire as at 22 December 2021

Note: As shown in the figure above, of the 1076 labour hire staff recorded in DVAtrain as at 22 December 2021, between 1000-1010 labour hire personnel have a completion status recorded for each of the modules. The variation in total labour hire personnel assigned to each module reflects labour hire staff on different versions of the EEP. DVA advised the ANAO that 53 staff had not activated their DVAtrain account by logging in and 14 personnel had not been automatically assigned to an EEP. Note: ‘Within allowance’ refers to modules that are not complete but are still within the allowable timeframes for completion (refer to paragraph 3.18). Source: ANAO analysis of DVA data.

875 861

992

879

818

490

830 837

905

871

105 110

18

122 116

494

124 106

74

101

28 39

1

66

16

54 65

21 38

0

200

400

600

800

1000

1200

Integrity in the APS Code of Conduct

Security Induction

Security Quiz Financial Principles Fraud Awareness

Information and Records Awareness

Intro. to Risk Management Performance Management

WHS

Complete Not complete Within allowance

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

49

3.27 DVA provided the ANAO with updated DVAtrain data as at 18 May 2022, which indicated that of the 1099 labour hire personnel recorded in DVAtrain, 896 (82 per cent) had completed the entire mandatory induction course or were still within the allowable timeframe for completion. The increase in the overall course completion rate since 22 December 2021 followed the introduction of a new ‘Fraud and Corruption Control in DVA’ course replacing the previous ‘Fraud Awareness at DVA’ module, discussed at paragraph 3.26. The new module was introduced in late April 2022 and staff are allowed two months to complete the module. As such, all DVA staff were within the allowable timeframe for completion of the module during the course of the audit. The ANAO did not examine the implementation of the new fraud awareness module.

3.28 DVA’s Induction Booklet states that managers are responsible for providing their staff with ‘all relevant and necessary on the job training’. DVA advised the ANAO that:

DVAtrain automatically sends emails to both staff and Managers when EEP components are due for completion. Managers can review the training progress of their staff, and typically do so through regular catch ups as per DVA’s Performance Management Framework. Managers can access the training records of their staff at any time through DVAtrain.

3.29 DVA further advised that there is currently no notification from DVAtrain for managers when a course has not been completed before the due date, and that:

There is currently no centralised monitoring undertaken to ensure that all managers are appropriately discharging their managerial responsibilities, however PSB does provide yearly “EEP Completion Reports” to Division Heads, who typically cascade findings to relevant Branch Heads to address any issues that have been identified.81

3.30 The ANAO did not examine the extent to which DVA contract managers or the supervisors of contractors across DVA undertook monitoring activities to confirm contract compliance with induction requirements. While current DVA data indicates improvement due to the recent introduction of a new mandatory training course, DVA’s December 2021 data (see paragraph 3.24) indicates that there is an opportunity for DVA to improve its arrangements for annual follow-up checks, to provide assurance to senior management that contractors are completing mandatory induction training. Completion of mandatory induction training supports contractors to understand their obligations.

Contractors with financial delegations

3.31 DVA’s Accountable Authority Instructions (AAIs) state that:

If you are a contractor and occupy a staff role, and you have been prescribed as an official on the Department’s Prescribed Officials Delegations Register for the purposes of the Commonwealth Resource Management Framework, you must:

a) comply with the PGPA Act and these AAIs; and

b) comply with DVA-related policies and procedures; and

c) hold and exercise only those financial delegations that have been allocated under the arrangements entered into for undertaking the duties as defined in your contract or job role description.

81 DVA provided an example of this process occurring for March 2022. DVA was unable to provide examples of this process occurring prior to the commencement of the audit.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

50

3.32 DVA’s Financial Delegations instrument outlines what financial delegations are available to staff, including Prescribed Officials. DVA’s Prescribed Officials Delegations Register indicates that, as of 16 March 2022, there were 113 contractors identified as Prescribed Officials. Of the 113 contractors with financial delegations, 82 (73 per cent) were at the APS3 level.

Contractors with Human Resource delegations

3.33 HR delegations are not outlined in DVA’s AAIs. DVA’s Blended Workforce Guide states that:

Non-APS staff performing duties equivalent to APS6 or higher may be able to exercise HR delegations applicable to their role where there is a demonstrated business need. This will enable non-APS staff to approve time sheets, leave and general HR requests in a team management capacity.

It is important to note that non-APS staff are not able to approve matters under the Public Service Act or subordinate legislation (Regulations, Commissioner’s Directions and Classification Rules). These pieces of legislation largely cover matters that non-APS staff will not be overseeing, such as the engagement and termination of employees, review of actions and imposing sanctions for breaches of the code of conduct.

3.34 In December 2019, DVA’s Executive Management Board endorsed a proposal that non-APS personnel equivalent to the APS EL1 level and above be permitted to exercise HR delegations applicable to their role, where there is a demonstrated business need. Internal advice stated that:

This was in recognition of a growing number of non-APS staff being engaged to positions that manage teams, however not being able to exercise HR delegations. Team members were submitting leave, timesheets and other HR requests to more senior DVA managers for approval.

3.35 In December 2020, these delegations were extended to include non-APS personnel equivalent to the APS6 level, in recognition of staff in client facing business areas performing team leader roles.82 DVA advised the ANAO in May 2022 that there were 48 non-APS staff managing a total of 382 staff across DVA staff as at 5 April 2022. DVA further advised that ‘there is no additional mandatory training for contractors holding HR delegations’ outside of the Essential Elearning Plan discussed in paragraph 3.17.

Has DVA established arrangements for the engagement of contractors that support compliance with PSPF Policy 12: Eligibility and suitability of personnel?

DVA has documented policies and processes that support compliance with most requirements of PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors. DVA does not have policies or processes in place to obtain an individual’s agreement to comply with government policies, standards, protocols and guidelines that safeguard resources from harm, as required under Supporting Requirement 1(c) of PSPF Policy 12. DVA has established a delegation arrangement for waiving citizenship requirements that does not align with Supporting Requirement 2(d)(ii) of PSPF Policy 12.

82 DVA noted that there was only one APS6 equivalent who was seeking approval to exercise HR delegations at the time DVA sought to extend the HR delegations.

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

51

DVA has in place assurance mechanisms to monitor contractor compliance with the requirements of PSPF Policy 12. Specifically, Services Australia provides DVA with daily updates on the completion of processes required under Policy 12 when onboarding contractors and DVA has established a quality checking plan. Services Australia and DVA are also establishing an annual assurance statement process through which Services Australia will confirm that the services delivered under bilateral arrangements meet DVA expectations. The first statement is to cover 2021-22.

3.36 Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel83 sets out ‘the pre-employment screening processes and standardised vetting practices to be undertaken when employing personnel and contractors.’ Policy 12 has the following core requirements:

Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets).

Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

3.37 The policy states that pre-employment screening is the primary activity used to mitigate an entity’s personnel security risks. Entities may use security clearances where they need additional assurance of the suitability and integrity of personnel. This could be for access to security classified information, or to provide greater assurance for designated positions. Under the policy:

Entities must undertake pre-employment screening, including:

• verifying a person’s identity using the Document Verification Service84;

• confirming a person’s eligibility to work in Australia; and

• obtaining assurance of a person’s suitability to access Australian Government resources, including their agreement to comply with the government’s policies, standards, protocols and guidelines that safeguard resources from harm.

3.38 In its mandatory annual report to the Attorney-General’s Department (AGD) in 2018-19, DVA self-assessed its security maturity against PSPF Policy 12 requirements as ‘developing’. In its 2019-20 and 2020-21 reports, DVA lifted its maturity rating for PSPF Policy 12 to ‘managing’.85

83 Protective Security Policy Framework (PSPF), Policy 12: Eligibility and suitability of personnel, v.2018.3 [Internet], available from https://www.protectivesecurity.gov.au/publications-library/policy-12-eligibility-and-suitability-personnel [accessed 27 September 2021].

84 ANAO comment: the service is a national online system that allows organisations to check whether the biographic information on a customer’s identity documents match with the original record. The service is a secure system that operates 24/7 and matches key details contained on Australian-issued identifying credentials. 85 Under the PSPF maturity assessment model, ‘developing’ means: ‘Substantial implementation of the PSPF.

Protective security requirements not fully implemented into business practices. ‘Managing’ means: ‘Complete and effective PSPF implementation. Protective security requirements integrated into business practices.’ See: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019-20 [Internet], p. 2, available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-

20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

52

Arrangements for conducting pre-employment screening and standardised vetting

3.39 DVA utilises a shared services arrangement with Services Australia for the onboarding of DVA contractors. This arrangement is supported by a Statement of Intent and a Corporate Shared Services Schedule which outlines the agreed services being provided to DVA.86 These services include:

• verifying identity and Australian citizenship;

• assessing work rights where required;

• submitting and reviewing results of the National Coordinated Criminal History Check; and

• notifying DVA Security of Disclosable Court Outcomes.

3.40 DVA has established an Agency Security Plan that sets out the arrangements for protective security within DVA. The Agency Security Plan includes an overview of DVA’s security threats, risk appetite, investigations processes for security incidents, and an outline of governance mechanisms against PSPF core requirements. This document was last reviewed in November 2019.87 DVA advised the ANAO in April 2022 that an updated Agency Security Plan is scheduled to be delivered by June 2022.

3.41 DVA’s Personnel Security Protocol sits under the Agency Security Plan and sets out what DVA must do to meet PSPF Policy 12. This policy applies to DVA’s workforce, including contractors, and was last updated in November 2019.

3.42 Table 3.2 below outlines the requirements of PSPF Policy 12 that are to be established by DVA and the arrangements DVA has established for pre-employment screening processes and standardised vetting practices when engaging contractors.

86 The Statement of Intent is an agreement between Services Australia and DVA that sets out the intentions of the agencies in committing to a continued government partnership arrangement through which Services Australia supports the delivery of current and future DVA business requirements. The Corporate Shared Services Schedule sits under the Statement of Intent and outlines the agreed services to be provided by Services Australia. DVA has additional services schedules that sit under the Statement of Intent for ICT Services, Program Delivery, Data Exchange and myGov. 87 PSPF Policy 3: Security planning and risk management (Requirement 1) mandates that security plans (and

supporting security plans) are reviewed at least every two years. Policy 3 also states that a security plan is a ‘living’ document and requires review and adjustment to ensure the goals and management of security risks keeps pace with changes in the entity and with emerging threats. DVA’s Agency Security Plan is informed, in part, by DVA’s Security Risk Management Plan. The most recent version of the Security Risk Management Plan covers the period 2013-15.

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

53

Table 3.2: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 12: Eligibility and suitability of personnel

PSPF Policy 12 core requirement B.1 DVA’s arrangements

Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets)

DVA’s Blended Workforce Guide states that prior to commencement, all staff must have completed and cleared DVA’s ‘Pre-commencement Checking Process’ to allow physical access to departmental premises and ICT systems.

DVA’s Personnel Security Protocol requires that all new engagements undertake a National Police Records Check.

DVA does not have a policy or procedure in place to obtain an individual’s agreement to comply with government’s policies, standards, protocols and guidelines that safeguard resources from harm. This is required under Supporting Requirement 1(c) of PSPF Policy 12.

DVA’s Non-Australian Citizens Assessment Protocol identifies that all final decisions on engagement of non-Australian contractors will be undertaken by the Director, Integrity and Security as a delegate of the Secretary. PSPF Policy 12 Supporting Requirement 2(d)(ii) requires that the Accountable Authority consider and accept the risk of waiving the citizenship requirement, or delegate this decision to the Chief Security Officer. The decision to waive citizenship requirements is a significant security decision and PSPF 12 does not provide for this decision to be delegated to positions other than the Chief Security Officer position.a

The Deeds of Standing Offer under which DVA’s labour hire workforce are engaged all require contractors to comply with policies around security, and the onboarding of personnel.

Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards

DVA’s Personnel Security Policy states that the agency uses AGSVA to conduct vetting for security clearances.b

Note a: DVA advised the ANAO in March 2022 that DVA ‘considers the security delegation of this decision making by the Chief Security Officer (CSO) to Security Advisors (in this instance the EL2 Director of Security) to be compliant with, and in the spirit of PSPF requirements.’ DVA also noted that PSPF Policy 2: Management structures and responsibilities states that: ‘the CSO is empowered to appoint security advisors…[and] is encouraged to…ensure delegations allow security advisors to undertake specific action in line with the policy of the entity’. In DVA’s PSPF maturity self-assessments submitted to AGD, DVA reported one non-citizenship waiver in 2019-20 and nil waivers in 2020-21. Note b: Services Australia submits security clearance requests to AGSVA on behalf of DVA. Source: ANAO assessment of DVA documentation.

3.43 In summary, DVA has policies and processes in place to address most requirements in PSPF Policy 12. The requirements not addressed in DVA’s Personnel Security Protocol relate to: obtaining an individual’s agreement to comply with government policies, standards, protocols and guidelines that safeguard resources from harm, as required under Supporting Requirement 1(c) of PSPF Policy 12; and a delegation arrangement for waiving citizenship requirements that does not align with Supporting Requirement 2(d)(ii) of PSPF Policy 12.

3.44 DVA advised the ANAO that:

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

54

The PSPF recommendation that entities are encouraged to seek an agreement to comply with government policies as part of the pre-employment eligibility process is not a mandatory requirement of the PSPF, rather reflects better practice.

3.45 The ANAO sought advice from AGD as to whether the requirement was mandatory or not. AGD advised that:

We can confirm that as part of the pre-employment screening requirement in Policy 12, it is mandatory for entities to obtain a person’s agreement to comply with the government’s policies, standards, protocols and guidelines that safeguard resources from harm. The PSPF does not mandate the form of that agreement, but it is recommended that entities obtain that agreement by asking a person to sign an undertaking to that effect.

3.46 The PSPF is an Australian Government policy, which means that non-corporate Commonwealth entities, including DVA, must apply the framework to the extent consistent with legislation.88

Recommendation no. 1 3.47 The Department of Veterans’ Affairs address its non-compliance with PSPF Policy 12: Eligibility and suitability of personnel Supporting Requirement 1(c) and Supporting Requirement 2(d)(ii) in its policies and processes.

Department of Veterans’ Affairs response: Agreed

3.48 DVA acknowledges the opportunity to enhance internal policies and practices in addressing the specific requirement to seek individual’s agreement to comply with government’s policies, standards, protocols and guidelines that safeguard resources from harm at the time of engagement.

3.49 Two improvements have been identified to address this:

1. Pre-engagement processes are being reviewed as part of the workflow Docusign project to improve on-boarding and ensure all required documentation is agreed to and signed by relevant parties.

2. A planned review is also scheduled for DVA’s Personnel Security Protocol and Non-Australian Citizens Assessment Protocol for the 2022-23 Financial Year. DVA does not normally engage non-Australian citizens, being the outlying exception to standard practice, however this work will clarify DVA’s policy positions on the highlighted requirements, and review the decision roles and levels for eligibility waivers.

3.50 These improvements are expected to be completed by 31 December 2022.

88 Attorney-General’s Department, Entities that must follow the PSPF [Internet], available from https://www.protectivesecurity.gov.au/about/applying-protective-security-policy-framework [accessed 6 April 2022].

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

55

Arrangements for monitoring and reporting that requirements of PSPF Policy 12 have been addressed when contractors have been engaged

Shared Services assurance arrangements

3.51 A DVA and Services Australia Partnership Forum (DSPF) was established in March 2016. The DSPF oversees delivery against the Statement of Intent and addresses critical strategic and operational issues impacting the health of the partnership between the two agencies. The DSPF receives updates from operational sub-committees including the Shared Services Committee that oversees corporate shared services. The DSPF last met in August 2021. DVA advised that future meetings have been postponed and the DSPF is now undergoing a review.89

3.52 Under the Corporate Shared Services Schedule, Services Australia is required to perform relevant checks, as discussed in paragraph 3.37, and advise DVA of the outcome.90 The Corporate Shared Services Schedule also provides for monthly reporting from Services Australia which includes the number of pre-employment checks processed for the month and the cumulative total for the financial year.

3.53 DVA uses a tracking spreadsheet to monitor progress in its onboarding of personnel. The spreadsheet is sent back-and-forth between Services Australia and DVA on a daily basis. DVA updates the spreadsheet with information it has provided to Services Australia such as noting the date that pre-employment documentation was submitted to Services Australia, and Services Australia updates the spreadsheet based on the status of Services Australia’s screening tasks. DVA advised the ANAO that it uses the monthly reporting from Services Australia, discussed above, to validate the number of pre-employment checks recorded in the tracking spreadsheet. DVA advised the ANAO in March 2022 that:

The purpose of the daily excel tracker sent between DVA PSB [People Services Branch] and Services Australia (SAu) is to ensure accuracy across all contractors onboarding information between both teams.

3.54 Services Australia provides dashboard reporting to the DSPF that includes the number of DVA personnel (including contractors) onboarded by Services Australia and relevant management projects and activities, including any issues raised via the tracking spreadsheet.

Annual Assurance Statement

3.55 Commencing in 2021-22, Services Australia intends to provide DVA with an Annual Assurance Statement (AAS), aligning its approach to assurance reporting across all key partner

89 DVA advised the ANAO in May 2022 that it had a meeting scheduled in June 2022 to ‘develop the scope, design and membership of the DSPF and related framework’ and that ‘the next meeting of the DSPF will not be agreed upon until after this meeting’. DVA further advised that its Shared Services and Technology Branch will ‘facilitate regular operational meetings with PSB [People Services Branch] and Services Australia to track progress of existing service issues and requests…[and]…escalate any service issues with serious business impacts with Services Australia and/or through our management channels.’ 90 Auditor-General Report No. 30 2019-20 Bilateral Agreement Arrangements Between Services Australia and

Other Entities found that approaches for managing bilateral arrangements between Services Australia and DVA were partially effective. The audit noted opportunities for improvement in the arrangements between Services Australia and DVA, including a stronger focus on managing risk by Services Australia and DVA, and the inclusion of review, roles and responsibilities, performance measures and risk management in bilateral agreement documents.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

56

entities. A proposed approach to developing the AAS was introduced by Services Australia to the DSPF in August 2021.91 The DSPF noted the anticipated benefits of the AAS:

An AAS provides objective-level assurance against the strategic principles outlined in the Statement of Intent and complements existing financial assurance frameworks. An AAS will also increase visibility of programme performance and service delivery commitments.

3.56 DVA has been engaged in the design of the statement. A draft statement was shared with stakeholders in DVA for review and feedback in October 2021. DVA has identified that the benefits of the AAS will include: the provision of confirmation that services delivered under bilateral arrangements meet the expectations of DVA and support financial and non-financial reporting; and identification of risks that extend beyond a single entity.

Security Quarterly Action Plan

3.57 In 2020-21 DVA established a Security Quarterly Action Plan (SQAP), comprising a range of annual assurance activities planned for each of the 16 PSPF policies. The SQAP is set out in a spreadsheet that is updated throughout the year to reflect progress against planned activities, including findings, remediation actions, and opportunities for process improvements. DVA advised the ANAO that prior to 2020-21:

DVA’s security assurance activities were predominantly ad-hoc requests from DVA governance committees, and therefore not routinely planned or documented.

3.58 The SQAP forms part of the evidence for auditing and maturity reporting for a given PSPF cycle. DVA has stated in the SQAP that:

As a general rule, PSPF Reporting should be the primary SQAP Activity of Q1, as it provides considerable weight for prioritisation and identification of actions for the forward work plan.

It is important to monitor 'BAU' work being undertaken … to identify actions that should be recorded in the SQAP, and trigger a re-prioritisation of existing SQAP activities.

3.59 DVA advised the ANAO that the current process for identifying activities for inclusion in the SQAP includes: review of previous SQAP findings; relevant audit findings; PSPF Maturity reporting; peer review; and Security Committee review.

3.60 The ANAO reviewed the 2020-21 and 2021-22 SQAPs and identified four review activities that were completed relating to PSPF Policy 12.

• A review in 2021-22 of whether security clearances held by personnel met the security clearance requirements of their role. The review identified 29 personnel holding positions requiring an NV1 security clearance or above, who were not recorded as holding a valid security clearance. Mitigation involved a number of activities including: initiating the security clearance process; upgrading clearance levels; transferring sponsorship from

91 DVA advised the ANAO that this project will contribute to the implementation of Recommendation no.1 from Auditor-General Report No. 30 2019-20 Bilateral Agreement Arrangements Between Services Australia and Other Entities, which recommended that Services Australia works with other Australian Government partner entities to ensure that bilateral agreements include statements committing to cooperatively communicating and managing risks associated with the delivery of the program or service.

Arrangements for engaging contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

57

other entities; resolving errors in HR SAP records; and downgrading or removing a clearance requirement from the position to reflect the role requirements.

• A review in 2020-21 on the currency of security clearance waivers which found that all identified waivers were either completed or still within the timeframe for annual review. There was a recommendation to create standard operating procedures for this process.

• Two reviews of the ten most recently employed staff and contractors to ensure pre-employment screening, clearance and induction were completed.

− The first review was conducted in quarter two of 2020-21 and found that: all ten staff had undertaken a police check; only one staff member required a clearance for their position and the clearance process had been initiated; and the induction completion status could not be determined for nine staff.92

− The second review was conducted in quarter three of 2020-21 and found that: one staff member did not have the required clearance for their position (this person’s clearance process was initiated to remediate the finding); and four new starters were not captured in the induction process. A review of induction systems to capture missing staff, and create consistent records, was recommended.93

3.61 DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each meeting.94 The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A summary of outcomes from the 2020-21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021-22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021-22 SQAP was provided to DVA’s Audit Committee in March 2022.

3.62 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 12.

92 DVA was unable to provide records to explain why the induction completion status could not be determined for the nine staff. 93 DVA advised the ANAO in April 2022 that ‘DVA Security have commenced work on the creation of a central register…which records all new DVA personnel (including contractors), their start date, date the DVA Security

Email Induction…is sent, and the date completed’. 94 The Security Committee’s purpose is to ensure a consistent and integrated approach to managing all aspects of protective security in DVA. It is scheduled to meet quarterly and its business includes aligning DVA practices with the PSPF and monitoring activities to improve compliance.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

58

4. Arrangements for managing contractors

Areas examined This chapter examines whether the Department of Veterans’ Affairs (DVA) has established fit-for-purpose arrangements for the management of contractors.

Conclusion DVA has established largely fit-for-purpose arrangements for the management of contractors. Guidance on departmental requirements and expectations regarding the oversight (supervision) of contractors is outlined in a Blended Workforce Guide and Induction Booklet, and DVA has established a Procurement and Contract Management Framework. However, the framework does not cover contract management and DVA provides guidance for its contract managers through intranet links to a contract management best practice guide and the Department of Finance’s Australian Government Contract Management Guide. DVA has established arrangements (policy, processes and monitoring) for the management of contractors that largely support compliance with the requirements of Protective Security Policy Framework (PSPF) Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel, except for the following. DVA policy does not address:

• PSPF Policy 13 Supporting Requirement 1(a)(iii) relating to monitoring and reporting of conditional clearances, and Supporting Requirement 1(a)(iv) relating to annual review of eligibility waivers; and

• PSPF Policy 14 Supporting Requirement 1(c) relating to providing receiving entities with relevant security information, and Supporting Requirement 3 relating to the assessment of risk in instances where it is not possible to undertake required separation procedures.

DVA has established arrangements to monitor compliance with PSPF requirements and has identified, through this work, that the following processes have not been effectively implemented: advising separating personnel of their ongoing security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and processes to ensure that separating personnel are complying with their separation obligations, particularly regarding the return of equipment.

Recommendations The ANAO has made two recommendations aimed at aligning DVA’s policies and processes with the requirements of PSPF Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel.

4.1 Once engaged by DVA, the ongoing management of contractors involves:

• day-to-day oversight of the contractor and management of the contract to ensure that contracted outcomes are being delivered as required;

• assessment and management of the ongoing suitability of the contractor to access Australian Government resources; and

• withdrawing access and managing any ongoing risks at the end of the contract.

4.2 The ANAO examined the following to form a view on the fitness-for-purpose of DVA’s arrangements for the management of contractors.

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

59

• Documentation promulgated to officials to inform them of the agency’s requirements and expectations for the management of contractors and the training that was available to support implementation of the guidance.

• Policies and processes for ensuring the ongoing suitability of contracted personnel to access Australian Government resources, as required by PSPF Policy 13: Ongoing assessment of personnel, and monitoring and reporting on compliance.

• Policies and processes for contracted personnel to have their access withdrawn and to be informed of any ongoing security obligations, as required under PSPF Policy 14: Separating personnel, and monitoring and reporting on compliance.

Has DVA clearly documented its requirements and expectations regarding the management and oversight of contractors?

DVA has established a Procurement and Contract Management Framework, however the ANAO’s review of this framework indicates that it does not cover contract management. DVA provides guidance for contract managers through a link on its intranet to a contract management best practice guide and a link to the Department of Finance’s Australian Government Contract Management Guide. Guidance on DVA requirements and expectations regarding the oversight (supervision) of contractors is outlined in DVA’s Blended Workforce Guide and Induction Booklet. While DVA offers contract management training to all staff, it does not mandate or monitor contract management training for its personnel who manage contracts and contractors.

Framework documenting the requirements and expectations of contract managers

4.3 DVA has established the ‘Finance Business Rule: Procurement and Contract Management Framework’, which is available on DVA’s intranet and is intended to mitigate procurement and contract management risks identified by DVA.95 DVA advised the ANAO that:

The Procurement and Contract Management Framework was implemented to create a more transparent and centralised approach to procurement, strengthened by enhanced capabilities of all staff and embed processes for improved planning and quality documentation.

4.4 The ANAO’s review indicates that the framework covers procurement requirements, including the Commonwealth Procurement Rules and procurement pathways within DVA, but does not cover contract management.

4.5 The ANAO’s review of DVA’s Accountable Authority Instructions (AAIs) and Blended Workforce Guide found that there was no guidance in these documents on the responsibilities of its contract managers in: actively managing the contract to ensure the contract meets its objectives; monitoring the achievement of contract deliverables and budgets to ensure the department obtains value for money; and identifying, assessing and managing contract risks.

95 DVA identified the following risks: • no centralised picture of procurement and contract management; • potential lack of awareness among business areas of whole-of-government requirements; • no tracking of expenditure prior to contract commitment; and • no central registration of quality assurance checks.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

60

4.6 DVA advised the ANAO in February 2022 that it is:

currently in the process of developing Standard Operating Procedures (SOP) for contingent labour hire to further assist hiring business areas with the decision making and process around engaging and managing labour hire.

4.7 DVA has established an intranet page to provide procurement templates and guidance, including a link to the Department of Finance’s Australian Government Contract Management Guide.96 In relation to this guide, DVA advised the ANAO that:

The guide provides practical process guidance to support effective contract management at a practitioner level for Commonwealth entities. It is a resource DVA contract managers can access and refer to.

4.8 The intranet page also includes a link to a contract management best practice guide, developed by DVA, which outlines a summary of best practice for aspects of contract management including: risk management; performance management; financial management; and contract variations and amendments.

4.9 DVA has documented its requirements and expectations regarding the oversight (supervision) of contractors in the Blended Workforce Guide and Induction Booklet. This information is available on DVA’s intranet. These documents list the responsibilities of DVA’s managers, which include: reinforcing DVA’s Cultural Vision; establishing expectations and managing performance; leading knowledge sharing activities to maintain corporate knowledge; guiding new staff through the induction and orientation process, which includes mandatory training; and providing relevant and necessary on the job training.

Training for contract managers about managing and oversighting contractors

4.10 DVA advised the ANAO in March 2022 that:

DVA offers training to support the general uplift of contract and procurement skills across the department. Currently, we run the Procurement Essentials and Contract Management course for interested staff. This course is a one day workshop, and is owned and delivered by the APS Academy.97

4.11 DVA advised that this course is not mandatory but is available to all DVA staff. Courses conducted prior to this used a platform (Adobe Flash) that is no longer supported.

4.12 DVA also advised that:

DVA runs QUEST (Quarterly Update - Education, Support & Training) training to support the professional, technical and personal development for all delegates and service delivery staff in the Client Benefits Division, Client Engagement & Support Services Division, and the Mental Health &

96 Department of Finance, Contract Management Guide December 2020 [Internet], Finance, available from https://www.finance.gov.au/sites/default/files/2020-12/Contract%20Management%20Guide%20December%202020%20-%20Master.pdf [accessed 28 March 2022]. 97 ANAO comment: this course, delivered through the Australian Public Service Commission (APSC), is available

to all APS employees. The APSC states that participant benefits include: identify and apply agency-specific requirements, including agency AAIs, internal control mechanisms or operational guidelines, and the particular risk framework to procurement activities; and successfully manage contracts to deliver goods and/or services that achieve business/strategic outcomes.

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

61

Wellbeing Services Division. QUEST video #06 specifically refers (Procurement and Contract Management Framework). The QUEST program is compulsory for CBD and CESS staff.

4.13 The ANAO’s review of QUEST video program #06 found that the program covers DVA’s Procurement and Contract Management Framework. As discussed at paragraph 4.4, the ANAO’s review of the framework found that it covers procurement requirements but does not cover contract management.

Monitoring of contract manager training completion rates

4.14 As discussed in Chapter 3 (paragraphs 3.28-3.29), DVA advised the ANAO that: it is the responsibility of every manager to monitor and support their staff members to complete all training as required for the successful completion of their role; and there is currently no centralised monitoring undertaken to ensure that all managers are appropriately discharging these responsibilities.

Has DVA established arrangements for the management of contractors that support compliance with PSPF Policy 13: Ongoing assessment of personnel?

DVA has established policies and processes that support compliance with most requirements of PSPF Policy 13 for contractors. DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Policy 13 Supporting Requirement 1(a)(iii). Further, DVA’s Personnel Security Protocol does not cover two requirements of PSPF Policy 13 Supporting Requirement 1(a)(iv), relating to: the annual review of eligibility waivers; or review before revalidation of a security clearance, and prior to any proposed position transfer.

DVA has established arrangements to monitor and report on compliance with PSPF Policy 13. Through these arrangements, DVA has identified that annual security checks on security cleared personnel are not institutionalised and that clearances were not held by some contractors in roles with clearance requirements.

4.15 When personnel (including contractors) are engaged, entities must ensure that the eligibility and suitability requirements that were established prior to commencement continue to be met. This entity responsibility is set out in PSPF Policy 13: Ongoing assessment of personnel. The purpose of the policy is to describe how entities maintain confidence in the suitability of their personnel to access Australian Government resources and manage the risk of malicious or unwitting insiders. The core requirement of PSPF Policy 13 is that ‘each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.’

4.16 In its 2018-19, 2019-20, and 2020-21 self-assessment of its maturity against PSPF Policy 13 requirements submitted to the Attorney-General’s Department (AGD), DVA rated its maturity as ‘developing’.98

98 Under the PSPF maturity assessment model, ‘developing’ means: ‘Substantial implementation of the PSPF. Protective security requirements not fully implemented into business practices.’ See: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019-20 [Internet], p. 2, available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-

20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

62

Arrangements for assessing and managing the ongoing suitability of contractors and sharing relevant information

4.17 DVA’s Personnel Security Protocol and Managing Security Incidents Protocol apply to DVA’s workforce, including contractors, and set out what the agency must do to meet PSPF Policy 13. Table 4.1 (below) outlines the results of the ANAO’s review of DVA’s policies and processes for assessing and managing the ongoing suitability of contractors.

Table 4.1: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 13: Ongoing assessment of personnel

PSPF Policy 13 core requirement B.1 DVA arrangements

Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.

Roles and responsibilities for assessing and managing the ongoing suitability of contractors and for sharing relevant information of security concern are set out in DVA’s Personnel Security Protocol and Managing Security Incidents Protocol. DVA’s Personnel Security Protocol states that:

• assessing and managing ongoing suitability is best undertaken by line managers through performance reviews and observation and reporting;

• managers must embed security considerations into their annual performance appraisals by seeking confirmation from staff that they have reported changes of circumstances, if anya; and

• the Agency Security Advisor must be informed where any instance of a potential Security Breach, Security Violation, or impingement of the APS Code of Conduct has occurred.

DVA’s Managing Security Incidents Protocol states that DVA is required to forward any information that threatens or poses a risk to the interests of the department and the Australian Government.

DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Supporting Requirement 1(a)(iii).b

DVA’s Personnel Security Protocol does not cover the annual review of eligibility waivers, or review before revalidation of a security clearance, and prior to any proposed position transfer, as required under PSPF Supporting Requirement 1(a)(iv).c

Standing Deeds of Offer examined by the ANAO all required contractors to comply with policies around security, and access to information and premises.

Note a: PSPF Policy 13 Supporting Requirement 1(a)(ii) requires that entities must conduct annual security checks with all security cleared personnel. DVA’s security awareness training module highlights reporting requirements, including change of circumstance reporting. Note b: PSPF Policy 13 Supporting Requirement 1(a)(iii) requires that entities must monitor compliance with, and

manage risk in relation to, clearance maintenance requirements for security clearance holders granted a conditional security clearance and reporting non-compliance to the authorised vetting agency. Note c: DVA advised the ANAO that it has not sponsored security clearance eligibility waivers for contractors, and as such there has been no need to have a specific or DVA branded policy or procedure with regard to annual

reviews of them. In its 2020-21 self-assessment of its maturity against PSPF Policy 13 requirements submitted to AGD, DVA reported nil instances of where the accountable authority had waived the citizenship or checkable background requirements for any security clearances sponsored by the entity. DVA advised the ANAO in May 2022 that ‘the recording of nil against question 13.7 of the 2020- 21 PSPF report appears to be a clerical error’ as DVA had sponsored one citizenship eligibility waiver for an APS staff member as at 30 June 2021. Source: ANAO analysis of DVA documentation.

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

63

4.18 In summary, DVA has established policies and processes to support compliance with most of the core requirements of PSPF Policy 13. DVA’s policies and processes address most aspects of the PSPF requirements and apply to all personnel, including contractors. DVA’s Personnel Security Protocol does not cover monitoring and reporting arrangements for security clearance holders granted a conditional clearance, as required under PSPF Policy 13 Supporting Requirement 1(a)(iii). DVA’s Personnel Security Protocol also does not cover the annual review of eligibility waivers, or review before revalidation of a security clearance, and prior to any proposed position transfer, as required under PSPF Policy 13 Supporting Requirement 1(a)(iv).

Arrangements for monitoring and reporting that the ongoing suitability of contractors has been assessed and managed

4.19 PSPF Policy 13 Supporting Requirement 1(a)(ii) requires that entities must conduct annual security checks with all security cleared personnel. As stated in Table 4.1, DVA’s Personnel Security Protocol requires managers to embed security considerations into their annual performance appraisals. DVA advised the ANAO that:

The performance cycle has both a mid-cycle review conducted in March, and an end of cycle review conducted in September. This involves a verbal conversation between manager and staff member. Having these conversations or ‘checks’ with staff twice a year, exceeds the PSPF requirement for it to be done once a year, or ‘annually’.

The DVA Security Awareness training module, and Personnel Security Protocol provide guidance to Managers to support them in identifying changes and behaviours of concern with regard to personnel security, to assist with the biannual check conversations, and detect potential non-compliance with regard to clearance obligations.

4.20 The ANAO’s analysis of DVA’s mandatory training modules in Chapter 3 (paragraph 3.22) found that, while the Performance Management training module provides guidance in identifying changes and behaviours of concern with regard to personnel security, the module does not include content informing managers of their responsibility to incorporate ongoing suitability assessments into annual performance discussions.

4.21 DVA’s 2021-22 Security Quarterly Action Plan (SQAP) includes a future remediation activity involving work with DVA’s HR function to integrate annual security clearance checking into performance cycle assessments. This activity has no indicative timeframe for completion in the SQAP. DVA advised the ANAO in April 2022 that:

work has not commenced on this task to date. It is intended to be scheduled for completion in the following FY as part of the 2022-23 SQAP.

4.22 DVA reported in its 2020-21 self-assessment that:

As part of the revised Security Risk Management Plan, DVA Security will coordinate a Personnel Security Risk Assessment, with a view to updating policies and awareness to better address a consistent and monitored approach to clearance maintenance, reporting and aftercare management.

This is scheduled to be implemented by 30 June 2022, and will support DVA’s efforts to achieve a ‘Managing’ rating for the 2022-23 reporting period.

4.23 In summary, further work is required by DVA to embed security considerations into DVA annual performance appraisals. DVA has identified that its policy is not being implemented as

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

64

required, and it has established a schedule to update policies and raise awareness by 30 June 2022. DVA should update its senior executive and the PSPF policy owner on the status of this work, as part of its next annual report.

Security Quarterly Action Plan

4.27 As discussed in paragraphs 3.57 and 4.21, DVA has established a SQAP which is comprised of a forward work program of assurance activities by financial year to assess compliance with the PSPF, including Policy 13. The SQAP was established in 2020-21.

4.28 The ANAO reviewed the 2020-21 SQAP and identified the following assurance activities that were completed in relation to PSPF Policy 13.

• Review of a random 10 per cent of contractors in Designated Security Assessed Positions (DSAPs) to ensure clearances met role requirements. Of the 20 contractors reviewed in 2020-21, 14 had a suitable security clearance. Of the remaining six contractors, three had the security clearance process initiated99, two were identified as holding positions that no longer required security clearances, and one did not have an outcome recorded in the SQAP.

• Review of a random five per cent of DSAPs to assess the effectiveness of ongoing security clearance management and awareness arrangements. Of the eight positions reviewed in 2020-21, five positions were vacant, one position had an occupant whose clearance was being finalised, and two positions had occupants without security clearances.100 For the two positions that had occupants without security clearances, DVA emailed the relevant

99 That is, the three contractors (15 per cent of the contractors tested) did not hold the required clearance for the role. 100 That is, at the time of the review, three people holding DSAPs - of the eight DSAPs reviewed (37.5 per cent) - did not have the clearance required to hold the position.

Recommendation no. 2 4.24 The Department of Veterans’ Affairs:

(a) address its non-compliance with PSPF Policy 13: Ongoing assessment of personnel Supporting Requirement 1(a)(iii) and Supporting Requirement 1(a)(iv), in its policies and processes; and

(b) embed processes to conduct annual security checks with all security cleared personnel, as required under PSPF Policy 13 Supporting Requirement 1(a)(ii).

Department of Veterans’ Affairs response: Agreed

4.25 DVA acknowledges the opportunity to enhance internal policies and practices in addressing the specific supporting requirements of PSPF Policy 13 B.2 (a)(ii), (a)(iii) and (a)(iv).

4.26 A review of DVA’s Personnel Security Protocol is planned in 2022-23. This work will confirm DVA’s position on the requirements of PSPF Policy 13, and outline relevant roles and responsibilities for associated practices and procedures. The review is expected to be completed by 31 December 2022

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

65

staff advising them of the requirement to obtain a clearance and asking them to commence the clearance process.101

4.29 The 2021-22 SQAP also includes an activity to gain assurance over the extent to which changes in circumstances have been reported to the Australian Government Security Vetting Agency (AGSVA).

4.30 As discussed in paragraph 3.61, DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each Security Committee meeting. The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A

summary of outcomes from the 2020-21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021-22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021-22 SQAP was provided to DVA’s Audit Committee in March 2022.

4.31 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 13. Testing conducted by DVA during 2020-21 indicates that policies are not being implemented for contractors in roles with security clearance requirements. This situation requires further attention.

Has DVA established arrangements for the separation of contractors that support compliance with PSPF Policy 14: Separating personnel?

DVA has established policies and processes that support compliance with most requirements of PSPF Policy 14: Separating personnel for contractors. DVA has not established policies or processes that outline a requirement for DVA to: provide receiving entities with relevant security information, as required under PSPF Policy 14 Supporting Requirement 1(c); or undertake a risk assessment to identify security implications in instances where it is not possible to undertake separation procedures, as required under PSPF Policy 14 Supporting Requirement 3.

DVA has established a Security Quarterly Assurance Plan which includes assurance activities to support compliance with PSPF Policy 14. DVA’s assurance activities indicate that the following processes are not being implemented effectively: advising separating personnel of their ongoing security obligations, as required under PSPF Policy 14 Supporting Requirement 1(b); and ensuring that separating personnel are complying with their separation obligations, particularly regarding the return of equipment. DVA’s assurance activities identified instances where contractor personnel had not returned equipment to DVA upon separation, and found that 81 per cent of separating personnel did not complete DVA’s mandatory cessation checklist.

4.32 When individuals (including contractors) permanently or temporarily leave their employment with an entity, entities are required to take steps to mitigate risks that Australian Government resources will be accessed by individuals without permission or that ongoing security obligations are not met. These requirements are set out in PSPF Policy 14: Separating personnel. Policy 14 states that:

Each entity must ensure that separating personnel:

101 In May 2022, DVA advised the ANAO that the follow-up process resulted in one position being re-assessed as not requiring a security clearance and one staff member agreeing to re-submit their clearance paperwork.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

66

a) have their access to Australian Government resources withdrawn;

b) are informed of any ongoing security obligations.

4.33 In its 2018-19, 2019-20, and 2020-21 self-assessment of maturity against PSPF Policy 14 requirements, submitted to AGD, DVA rated its maturity level as ‘developing’.102

4.34 To examine whether DVA had established arrangements for the management of contractors that support compliance with PSPF Policy 14, the ANAO reviewed DVA’s arrangements for:

• withdrawing access and informing separating contractors of any ongoing security obligations; and

• obtaining assurance that access has been withdrawn and briefings provided to separating contractors.

Arrangements for managing access and ongoing security obligations of separating contractors

4.35 DVA’s Personnel Security Protocol applies to DVA’s workforce, including contractors, and sets out what the agency must do to meet PSPF Policy 14. Table 4.2 below outlines the results of the ANAO’s review of DVA’s policies and processes for managing access and ongoing security obligations of separating contractors.

102 Under the PSPF maturity assessment model, ‘developing’ means: ‘Substantial implementation of the PSPF. Protective security requirements not fully implemented into business practices.’ See: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019-20 [Internet], p. 2, available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-

20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

67

Table 4.2: DVA policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 14: Separating Personnel

PSPF Policy 14 requirement B.1

DVA arrangements

Each entity must ensure that separating personnel:

a) have their access to Australian Government resources withdrawn, and

b) are informed of any ongoing security obligations.

DVA’s Personnel Security Protocol does not outline a requirement to withdraw the access of separating personnel.

DVA’s ‘Offboarding procedures’ intranet site instructs separating contractors to complete the procedures through DVA’s offboarding workflow management system. As part of this process separating personnel must complete:

• Services Australia’s Employment Cessation Clearance form, which is sent to Services Australia to remove the contractor’s ICT access; and

• an Exit Checklist and declare, by signature, that relevant assets, including ID cards, building keys and ICT hardware, have been returned.

The ANAO’s audit of DVA’s 2020-21 financial statements raised a Category B finding which identified that DVA has no processes in place to identify users who had access to systems, applications and data repositories after terminations and had no process to monitor activities undertaken by these users. During the interim audit phase, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed that the approach outlined to address the issue appears reasonable.a

DVA’s Personnel Security Protocol states that separating personnel:

• must be advised of their ongoing security obligations and give acknowledgement of this through an Exit Checklist; and

• must undergo a separation debrief if they have had access to sensitive or security classified information.

DVA’s Personnel Security Protocol does not outline a requirement for DVA to provide receiving entities with relevant security information, including the outcome of pre-employment screening checks and any periodic employment suitability checks for separating staff. This is required under PSPF 14 Supporting Requirement 1(c).b

DVA’s Personnel Security Protocol does not outline a requirement to undertake a risk assessment to identify security implications in instances where it is not possible to undertake required separation procedures. This is required under PSPF 14 Supporting Requirement 3.

Standing Deeds of Offer examined by the ANAO required labour hire Service Providers to comply with policies around security and access to information and premises.

Note a: Refer to Auditor-General Report No. 32 2021-22 Interim Report on Key Financial Controls of Major Entities, paragraphs 3.4.18-3.4.20. Note b: DVA advised the ANAO that ‘the highly exceptional nature of this requirement, complex privacy issues and role of AGSVA has not necessitated a policy or procedure to address PSPF 14 1c’. Source: ANAO assessment of DVA documentation.

4.36 In summary, DVA has established policies and processes that largely support compliance with the core requirements of PSPF Policy 14. DVA has established arrangements to remove access to Australian Government resources and inform separating personnel of ongoing security

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

68

obligations. However, DVA has not established policies or processes that outline a requirement for DVA to provide receiving entities with relevant security information, as required under PSPF Policy 14 Supporting Requirement 1(c), or to undertake a risk assessment to identify security implications in instances where it is not possible to undertake required separation procedures as required under PSPF Policy 14 Supporting Requirement 3.

Arrangements for monitoring and reporting that the requirements of PSPF Policy 14 have been met when contractors are separating

4.37 In its 2020-21 self-assessment of maturity against PSPF Policy 14 requirements, submitted to AGD, DVA identified that:

further work is required to strengthen staff/contractor separating processes. Furthermore, it has been identified [that] risk assessments have only been conducted on an ad-hoc basis for these staff, and where a separation procedure was unable to be followed.

A Personnel Security Risk Assessment and planned review of the Personnel Security Protocol will mandate this practice, with processes being developed, in conjunction with Human Resources, to ensure a debrief will be a mandatory component of the separation checklist.103

4.38 PSPF Policy 14 Supporting Requirement 1(b) requires that entities debrief separating personnel who have access to sensitive or security classified information, including advising them of their continuing obligations under the Commonwealth Criminal Code and other relevant legislation, and obtain the person’s acknowledgement of these obligations. DVA advised the ANAO that:

DVA Security has been working with People Services Branch for several months (as part of their ‘Docusign’ project)104 to incorporate advising separating staff of secrecy/ongoing obligations regarding information security, and seek their acknowledgement.

4.39 In its 2020-21 self-assessment of maturity against PSPF Policy 14 requirements, DVA reported that:

DVA Security is revising the Agency Security Plan (ASP) and Security Risk Management Plan (SRMP), and participating in multi-disciplinary work-groups to ensure increases in the department’s maturity against this module.

4.40 DVA further advised the ANAO in March 2022 that the revision of the Agency Security Plan and Security Risk Management Plan:

is underway, although currently behind schedule owing to the culmination of staffing level shortages, increases in operational workload and an increasing number of ad-hoc priority requests relating to governance.

103 ANAO comment: DVA’s PSPF self-assessments for 2018-19 and 2019-20 noted similar issues. DVA’s PSPF self-assessment across all three years indicated that work was being undertaken to ensure that a debrief will be a mandatory component of the separation checklist. 104 ANAO comment: DVA commenced a pilot program for a workflow system (Docusign) in June 2021 to

automate the contractor separation process. DVA advised the ANAO in April 2022 that the project remains in a ‘soft-launch’ phase, pending DVA IT Security final approval for the use of the software across DVA.

Arrangements for managing contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

69

Recommendation no. 3 4.41 The Department of Veterans’ Affairs:

(a) address its non-compliance with PSPF Policy 14: Separating personnel Supporting Requirement 1(c) and Supporting Requirement 3 in its policies and processes; and (b) embed processes to debrief separating personnel who have access to sensitive or security classified information, including advising them of their continuing obligations

and obtaining their acknowledgement of these obligations, as required under PSPF Policy 14 Supporting Requirement 1(b).

Department of Veterans’ Affairs response: Agreed

4.42 DVA acknowledges the opportunity to enhance internal policies and practices in addressing the specific supporting requirements of PSPF Policy 14 highlighted above, however notes the difficulties and complexities involved for the majority of agencies in complying with the specific supporting requirement 1(c), particularly in the context of separating contractors, given the lack of a singular universal recruitment platform across government, and the diverse way in which contractors may commence working for a different agency. DVA is participating in work at a whole of government level to improve the sharing of information between agencies for this purpose.

4.43 Two initial improvements have been identified to address these recommendations:

1. Separation documentation already implemented through the workflow DocuSign software is being reviewed to ensure content is included informing separating personnel of ongoing security obligations and obtaining and recording the acknowledgement of relevant parties.

2. A review of DVA’s Personnel Security Protocol is planned in 2022-23. This work will confirm DVA’s position on the requirements of PSPF Policy 14, and outline relevant roles and responsibilities for associated practices and procedures.

4.44 These improvements are expected to be completed by 31 December 2022.

Security Quarterly Action Plan

4.45 As discussed in paragraph 3.57, DVA has established a SQAP which is comprised of a forward work program of assurance activities by financial year to assess compliance with the PSPF, including Policy 14.

4.46 The ANAO reviewed the initial SQAP (2020-21) and identified one assurance activity related to PSPF Policy 14 — to review the ten most recent staff cessations to assess the extent to which advice to AGSVA and separation documents were complete. The review found that IT access and building access passes had been deactivated for all ten separated personnel. The review also noted that staff separation documents did not include questions related to security and recommended that security questions be included in separation documents to support compliance with PSPF Policy 14.

4.47 The ANAO also reviewed the 2021-22 SQAP and identified one completed assurance activity to review a sample of personnel separating from DVA. In March 2022, the DVA Security Committee

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

70

was advised that this review found that, of the 105 separated APS and labour hire personnel sampled, 81 per cent did not complete DVA’s cessation checklist, leaving an ‘unknown level of security risk regarding the return of assets and potential access to systems’.

4.48 Further, the review of separating personnel noted that ‘anecdotal evidence from DVA Security Incident Reports suggests that a number of ICT Assets (namely Surface Pros) have not been returned to the department, and in a number of the recorded instances, this has been due to contractor personnel not returning equipment upon separation from the department’. DVA advised the ANAO in June 2022 that ‘DVA assurance activities identified instances where contractor personnel had not returned equipment to DVA until after their separation.’ The 2021-22 SQAP includes further activity to assess the removal of clearance sponsorship, removal of IT access, return of assets, and debriefing on confidentiality requirements. The 2021-22 SQAP also includes an activity to review software introduced to automate the processing of separating personnel.

4.49 As discussed in paragraph 3.61, DVA’s Security Committee minutes indicate that protective security is a standing agenda item at each Security Committee meeting. The ANAO identified that a summary of outcomes from the SQAP is presented to DVA’s Security Committee each quarter. A summary of outcomes from the 2020-21 SQAP was also presented to DVA’s Integrity Sub-committee in March 2021. The proposed 2021-22 SQAP was presented to the Security Committee for noting in December 2021, and an update on outcomes from the 2021-22 SQAP was

provided to DVA’s Audit Committee in March 2022.

4.50 DVA’s SQAP activities are aligned to the core requirements of PSPF Policy 14.

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

71

5. Observations and key messages on the selected agencies’ management of contractors

Summary This audit is one of a series of three performance audits in which the ANAO has examined the arrangements established by the Department of Veterans’ Affairs (DVA), Department of Defence (Defence) and Services Australia for the use, engagement and management of contractors against the same audit objective and criteria.

High-level observations made in this audit series and key messages for all Australian Public Service (APS) agencies are outlined in this chapter. The observations focus on: data availability and transparency issues relating to the contractor workforce; and the application of ethical and personnel security requirements to the contractor workforce.

Recommendations The Auditor-General has not made recommendations on data availability, transparency and ethical requirements in this audit series, noting that recommendations on these issues were directed to the Australian Public Service Commission (APSC) and/or the Department of Finance (Finance) by committees of the 46th Parliament and the 2019 Our Public Service, Our Future: Independent Review of the Australian Public Service (the Thodey Review).

Data availability and transparency

Observations

Data availability

Without a whole-of-APS approach to the collection and collation of data on the non-APS workforce involved in Australian government administration, each APS agency has discretion to define the non-APS personnel types it uses and to decide how data on its non-APS workforce is collected and collated. Variation in the definitions employed by APS agencies and differences in the collection and collation of relevant data means that standardised data is not available to support whole-of-APS reporting on the non-APS workforce.

Transparency

Data availability affects transparency to the Parliament and community on workforce arrangements used by the APS, and the capacity for agency-level and APS-wide workforce planning.

5.1 Audit work conducted across DVA, Defence and Services Australia identified different approaches to the collection and collation of data on the non-APS workforce. For example, DVA and Services Australia recorded each contractor or labour hire person in their systems, while Defence conducts an annual census which it advised provides a ‘reasonable estimate’ of the headcount of contractors it engages. The collection method adopted by the audited agencies impacted on their ability to report on the numbers of non-APS personnel - in terms of headcount and/or Full-Time Equivalent (FTE) - at a point in time and with confidence as to the completeness and accuracy of the data.

Audi

tor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

72

5.2 Each agency examined by the ANAO had established its own definitions for various non-APS personnel types it procured.105 A summary of the number of non-APS personnel types that each entity had defined is set out in Table 5.1 below.

Table 5.1: Non-APS personnel types defined by the audited agencies

Entity Number and description of non-APS personnel types defined

Defence Three — contractor, consultant, and outsourced service provider.

Services Australia Ten — student placement, systems access only, contractor, labour hire, consultant, interpreter, service staff, outsourced (staff), non-APS secondee, and partner.

DVA Three — independent contractor, consultant, and labour hire.

Source: ANAO analysis of documentation from DVA, the Department of Defence and Services Australia. Also see Box 4, Chapter 1 in this audit report and in Auditor-General Report No.43 2021-22 Effectiveness of the Management of Contractors — Department of Defence and Auditor-General Report No.44 2021-22 Effectiveness of the Management of Contractors — Services Australia.

5.3 The data reviewed by the ANAO for this audit series (Table 5.2 below) shows that the number of contractors engaged by the audited agencies ranged from 7.4 per cent to 34.1 per cent of the agency’s total workforce. This data, and other information provided to the ANAO, indicates that there are a large number of contractors doing work in and as part of the operations of the audited agencies, alongside APS personnel, as part of a mixed workforce.

Table 5.2: Contractor and total workforce numbers advised by the audited agencies

Entity Workforce reporting

measurea

Number of contractors Total workforce Contractors as a percentage of

total workforce

Defenceb FTE as at 4 March

2022

8311 112,943 b 7.4%

Services Australia Headcount as at 30 June 2021

4269 44,061 9.7%

DVA Headcount as at

30 June 2021

1287 3778 34.1%

Note a: Entities do not use the same methods for counting contractors. FTE is a count of all hours worked at a point in time and then converted to the number of full-time staff. ‘Headcount’ is all people employed at the time of the snapshot and includes employees on extended leave. Refer Appendix 3: Measures for reporting on workforce size.

Note b: Includes APS, Australian Defence Force (ADF) and external workforce personnel (including contractors, consultants and other outsourced providers). Defence figures for the number of contractors and total workforce is an estimate. Source: Department of Defence external workforce census, March 2022 and DVA and Services Australia data as at 30

June 2021. The contractor headcount for Services Australia and DVA is the number of individuals categorised as ‘labour hire’ or ‘contractor’ in Services Australia’s ‘Contingent Workforce’ report. The ‘Contingent Workforce’ report is extracted from Services Australia’s Human Resource management system. The report identifies individuals that are not engaged by DVA/Services Australia as APS employees, who have access to entity systems.

105 See Box 4, Chapter 1 in each audit report.

Observations and key messages on the selected agencies’ management of contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

73

Ethical and personnel security requirements

Observations

Ethical requirements

In the absence of a whole-of-workforce ethical and integrity framework which covers both APS and non-APS personnel, the ethics and behaviours expected of the non-APS workforce involved in Australian government administration are being defined and managed in different ways, at an agency level. This is the case notwithstanding the fact that a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce.

Personnel security requirements

Entities’ management of their non-APS personnel is subject to the Protective Security Policy Framework (PSPF), which sets out government protective security policy outcomes, including for personnel security. To achieve compliance, agencies require a combination of relevant policies and processes, as well as monitoring and reporting arrangements to provide assurance that their policies and processes have been implemented.

5.4 In this audit series the ANAO observed that individual agencies determine the extent to which the ethical and integrity frameworks that apply to APS employees (which include the ethical requirements of the Public Service Act 1999 and the resource management requirements of the Public Governance, Performance and Accountability Act 2013) also apply to contractors and other non-APS personnel engaged by the agency. These decisions are captured in, and managed through,

contracts rather than through the specialised human resources capabilities that have been established in agencies for the management of APS employees.

5.5 This discretionary approach applies in an agency operating environment where a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce. On that basis, the rationale for a discretionary approach is not clear.106 One risk of adopting a discretionary approach is that it may give rise to unequal behavioural expectations across personnel types within workplaces, and the risk of inconsistent management of personnel behaviours.

5.6 Across the audited agencies, each agency had established policies and processes for inducting contractors into the behaviours and expectations of the entity and relevant Commonwealth legislation. However, each of the selected agencies had scope to improve assurance about the completion of induction processes by contracted personnel.

5.7 Similarly, each of the audited agencies had mostly established policies and processes to comply with the personnel security requirements reviewed by the ANAO. These were PSPF policies 12 - 14 relating to the eligibility and suitability of personnel, the ongoing assessment of personnel, and the management of separating personnel. While clear and accessible policies and

106 Conversely, the adoption of a discretionary approach for non-APS personnel may suggest that the rationale for the ethical and behavioural frameworks applying to APS employees is historical and may not be considered a fit-for-purpose approach for all workforce types involved in Australian Government administration. In that case there is scope to consider the applicability of relevant frameworks from first principles, for the whole workforce involved in Australian government administration.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

74

processes had been established for all personnel types for most requirements, assurance that implementation was effective was limited.

Parliamentary committee and other review recommendations 5.8 The Auditor-General has not made recommendations in this audit series on data collection and reporting relating to the non-APS workforce, and the application of ethical and integrity frameworks to non-APS personnel involved in Australian Government administration.

5.9 Recommendations on these issues were directed to the APSC and/or Finance by committees of the 46th Parliament and the Thodey Review.

5.10 The observations and recommendations of these Parliamentary committees and the Thodey Review are reported at paragraphs 1.14 - 1.24 of this audit report.

5.11 In addition, one part of recommendation 7 of the Thodey Review was that the ‘APSC and Finance ensure that all agencies extend APS integrity requirements to service providers, long-term APS contractors and consultants’.107 The Review included the following implementation guidance for this recommendation:

• Build on current measures — including incorporating the APS Values in contracts — in extending APS integrity arrangements to service providers, long-term APS contractors and consultants.

• Make APS integrity requirements standard contractual obligations for individuals or organisations accepting payment from the Commonwealth.108

Key messages from this audit series for all APS agencies 5.12 Below is a summary of key messages, including instances of good practice, which have been identified in this series of audits and may be relevant for the operations of other APS agencies.

Key messages for all Australian Public Service agencies Procurement • Each audited agency had established guidance to inform the use of contractors. The approach to guiding decisions was unique to each agency. Services Australia’s guidance reflected its

workforce planning in the areas of its business that use the most contractors. Defence’s guidance served to draw together the key matters to be considered when engaging a contractor.

• Each audited agency had established contracting templates, deeds and clauses to help operationalise agency requirements when engaging non-APS personnel.

Contract management • To support the effective management and supervision of contractors, each audited agency had considered the availability of training and guidance.

107 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service [Internet], 13 December 2019, pages 113 and 307, available from https://www.pmc.gov.au/resource-centre/government/independent-review-australian-public-service [accessed 30 May 2022]. 108 The Australian Government’s 2019 response to the Thodey Review is available from

https://www.pmc.gov.au/resource-centre/government/delivering-for-australians [accessed 30 May 2022].

Observations and key messages on the selected agencies’ management of contractors

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

75

• Each audited agency had well-designed induction arrangements to assist contractors to understand their workplace obligations and the agency’s cultural and behavioural expectations. Monitoring the completion of induction requirements provides assurance that obligations and expectations are understood.

Governance • To be sure that policies and processes have been implemented as expected, assurance arrangements such as the Security Quarterly Action Plan approach established by DVA to check on the implementation of security requirements can assist.

Gran

t Hehir

Auditor-General

Canberra ACT 29 June 2022

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

77

Appendices

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

78

Appendix 1 Entity responses

Appendix 1

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

79

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

80

Appendix 2 Performance improvements observed by the ANAO

1. The fact that independent external audit exists, and the accompanying potential for scrutiny, improves performance. Program-level improvements usually occur: in anticipation of ANAO audit activity; during an audit engagement as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;

• initiating reviews or investigations; and

• introducing or revising policies or guidelines.

4. In this context, the below improvements were observed by the ANAO during the course of the audit. It is not clear if these actions and/or the timing of these actions were already planned before this audit commenced. The ANAO has not sought to obtain reasonable assurance over the source of these improvements or whether they have been appropriately implemented.

5. The following performance improvements were observed by the ANAO during the course of this audit.

• DVA provided the ANAO with updated training data as at 18 May 2022, which indicated an increase in the overall course completion rate since 22 December 2021. The ANAO notes that this increase followed the introduction of a new ‘Fraud and Corruption Control in DVA’ course which replaced the previous ‘Fraud Awareness at DVA’ module, discussed at paragraphs 3.26-3.27. During the course of the audit, DVA identified that the previous fraud awareness training course had been left off DVAtrain, which is the department’s learning management system. The new training course was introduced in late April 2022 and staff are allowed two months to complete the module. As such, all DVA staff were within the allowable timeframe for completion of the module during the course of the audit.

• DVA has commenced work on the creation of a central register for all new DVA personnel to mitigate issues identified in the 2020-21 Security Quarterly Action Plan (see paragraph 3.60) and ensure that all staff complete security induction training. DVA advised the ANAO that the register will collect the date that new personnel commence employment and the date that their induction training is completed. DVA advised that it intends to monitor the register and follow-up when non-completion is identified.

Appendix 2

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

81

• DVA is currently developing standard operating procedures to assist business areas with the decision making and process around engaging and managing labour hire (see paragraph 4.6). These procedures are intended to cover: the definition of labour hire, contractors and consultants; roles and responsibilities; points of contact; and mandatory processes, procedures and templates.

Auditor-General Report No. 45 2021-22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

82

Appendix 3 Measures for reporting on workforce size

1. The Australian Public Service Commission (APSC) provides the following information on measures used to report on workforce size.109

2. Each year a ‘snapshot’ of data concerning all Australian Public Service (APS) employees as at 30 June and 31 December is released by the APSC. The data is provided by agencies and is drawn from the Australian Public Service Employment Database. APS employment data includes:

• demographic variables including age, gender and work location;

• classification level of APS employees, from trainee to Senior Executive Service;

• diversity data including voluntary items self-reported by APS staff such as disability status, Indigenous status, and cultural diversity; and

• staff movements including engagements, separations and transfers between agencies.

3. The reported size of the APS workforce is a headcount of all people employed at the time of the snapshot. This figure does not adjust for hours worked and it includes any employees who are on extended leave (for 3 months or more), including those on maternity leave and leave without pay.

4. This figure is different to Average Staffing Level (ASL) data provided in the Federal Budget papers. The ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part-time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.

5. The Government places a cap on ASL. This is applied across the General Government Sector (which incorporates all of the APS and a range of other government agencies). ASL caps are published in the Federal Budget Papers each year.

6. Another measure of employee numbers used by both private and public sector organisations is Full Time Equivalent (FTE). This is a count of all hours worked at a point in time and then converted to the number of full-time staff. For example, two staff each working 0.6 days per week would be counted as 1.2 FTE.

109 Australian Public Service Commission, APS Employment Data [Internet], available from https://www.apsc.gov.au/employment-data [accessed 31 May 2022].

Appendix 4 DVA labour hire and contractor data as at 30 June 2021

1. As at 30 June 2021, DVA’s records indicate that it had 1287 contractors and labour hire personnel. The following sections provide further information of the contractors and labour hire personnel including organisation group, and job family.

2. Figure A.1 illustrates the 1287 contractor and labour hire personnel as at 30 June 2021 by DVA organisational group. Of the 1287 contractor and labour hire personnel, the majority of personnel (942 personnel or 73.2 per cent) were employed in three organisational groups. DVA’s Mental Health and Wellbeing Services division accounted for 477 personnel (37.1 per cent), the Client Benefits Division accounted for 286 personnel (22.2 per cent) and the Client Engagement and Support Services division accounted for 179 personnel (13.9 per cent).

Figure A.1: DVA’s contractors and labour hire personnel as at 30 June 2021 by DVA organisational groupa

Note a: Other organisational unit fields include: ‘General Counsel’ (19 staff), ‘Veteran and Family Policy’ (22 staff), Veterans’ Review Board (4 staff) and 61 staff who did not have an allocated organisational group. Source: ANAO analysis of DVA data.

477

286

179

87

65 52 35

106

0

100

200

300

400

500

600

Mental Health & Wellbeing Services

Client Benefits Client

Engagement & Support Services

Chief Health Officer Chief Financial Officer

Commemorations & Transformation Chief Operating Officer

Other

3. Figure A.2 illustrates the 1287 contractor and labour hire personnel as at 30 June 2021 by DVA job family. Of the 1287 contractor and labour hire personnel, the majority — 960 personnel or 74.6 per cent — were employed in three job families. Service Delivery had 569 personnel (44.2 per cent), Health had 269 personnel (21 per cent) and Project and Program had 122 personnel (9.5 per cent).

Figure A.2: DVA’s contractors and labour hire personnel as at 30 June 2021 by job family.a

Note a: ‘Other’ job family categories include: ‘Accounting and Finance’ (18 staff), ‘Human Resources’ (12 staff), ‘Legal and Parliamentary’ (11 staff), ‘ICT’ (25 staff), ‘Monitoring and Audit’ (6 staff), 'Organisational Leadership’ (31 staff), ‘Strategic Policy’ (8 staff), and 6 staff who did not have an allocated job family. Source: ANAO analysis of DVA data.

569

269

122

72 57 47 34

117

0

100

200

300

400

500

600

Service Delivery Health Project and

Program

Communications & Marketing Administration Research Information & Knowledge

Management

Other

Auditor-General Report No. 45 2021-22

Effectiveness of the Management of Contractors — Department of Veterans’ Affairs

85

Appendix 5 Essential Elearning Plan module structure

Module Standard

EEP

Contractor and Labour Hire EEP

Clinical Advisor EEP

Mandatory completion timeframe (calendar

days)

Mandatory refresher period (years)

Publication datea

Security Awareness DVA-Induction   

10 N/A June 2020

Security awareness quiz  

b 15 1 June 2021

Financial Principles  84 2

October 2019

Code of Conduct Essentials   

15 2

December 2020

Work Health and Safety   

28 2 June 2019

Information and Records Awareness   84 2

November 2018

Introduction to Risk Management 

 84 2

October 2019

Performance Management 

84 2 May 2020

Fraud Awareness at DVA 

84 2 April 2022c

APSC Integrity in the APS 

 84 2 March 2021

Note a: DVA advised the ANAO in May 2022 of the publication dates of the modules, and further advised that the modules have not been reviewed since the publication date. Note b: DVA advised the ANAO in May 2022 that: ‘the Security Awareness Quiz module has not been included in the Clinical Advisors’ EEP as it was created after the EEP program was implemented. A decision on its inclusion

will be raised with the Business Area responsible for this module.’ Note c: A previous version of this module existed. See paragraphs 3.26-3.27. Source: ANAO analysis of DVA documentation.