Title Auditor-General—Audit report No. 43 for 2021-22—Performance audit—Effectiveness of the management of contractors—Department of Defence: Department of Defence
Source Both Chambers
Date 26-07-2022
Parliament No. 47
Tabled in House of Reps 27-07-2022
Tabled in Senate 26-07-2022
Parliamentary Paper Year 2022
Parliamentary Paper No. 180
Paper Type Auditor-General's Report
Disallowable No
Journals Page No. 25
Votes Page No. 68
House of Reps DPL No. 27
System Id publications/tabledpapers/c5709372-272e-4e22-98f6-8aeb9f974443


Auditor-General—Audit report No. 43 for 2021-22—Performance audit—Effectiveness of the management of contractors—Department of Defence: Department of Defence

The Auditor-General Auditor-General Report No. 43 2021–22 Performance Audit

Effectiveness of the Management of Contractors — Department of Defence

Department of Defence

Australian National Audit Office

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

2

© Commonwealth of Australia 2022

ISSN 1036–7632 (Print) ISSN 2203–0352 (Online) ISBN 978-1-76033-755-1 (Print) ISBN 978-1-76033-756-8 (Online)

Except for the content in this document supplied by third parties, the Australian National Audit Office logo, the Commonwealth Coat of Arms, and any material protected by a trade mark, this document is licensed by the Australian National Audit Office for use under the terms of a Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/au/.

You are free to copy and communicate the document in its current form for non-commercial purposes, as long as you attribute the document to the Australian National Audit Office and abide by the other licence terms. You may not alter or adapt the work in any way.

Permission to use material for which the copyright is owned by a third party must be sought from the relevant copyright owner. As far as practicable, such material will be clearly labelled.

For terms of use of the Commonwealth Coat of Arms, visit the It’s an Honour website at https://www.pmc.gov.au/government/its-honour.

Requests and inquiries concerning reproduction and rights should be addressed to:

Senior Executive Director Corporate Management Group Australian National Audit Office GPO Box 707 Canberra ACT 2601

Or via email: communication@anao.gov.au.

Audi

tor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

3

Canber

ra ACT

29 June 2022

Dear Mr President Dear Mr Speaker

In accordance with the authority contained in the Auditor-General Act 1997, I have undertaken an independent performance audit in the Department of Defence. The report is titled Effectiveness of the Management of Contractors — Department of Defence. Pursuant to Senate Standing Order 166 relating to the presentation of documents when the Senate is not sitting, I present the report of this audit to the Parliament.

Following its presentation and receipt, the report will be placed on the Australian National Audit Office’s website — http://www.anao.gov.au.

Yours sincerely

Grant Hehir Auditor-General

The Honourable the President of the Senate The Honourable the Speaker of the House of Representatives Parliament House Canberra ACT

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

4

AUDITING FOR AUSTRALIA

The Auditor-General is head of the Australian National Audit Office (ANAO). The ANAO assists the Auditor-General to carry out his duties under the Auditor-General Act 1997 to undertake performance audits, financial statement audits and assurance reviews of Commonwealth public sector bodies and to provide independent reports and advice for the Parliament, the Australian Government and the community. The aim is to improve Commonwealth public sector administration and accountability.

For further information contact: Australian National Audit Office GPO Box 707 Canberra ACT 2601

Phone: (02) 6203 7300 Email: ag1@anao.gov.au

Auditor-General reports and information about the ANAO are available on our website: http://www.anao.gov.au

Audit team

Simon Gregor James Woodward James Wright Michael Brown

Georgia Johnston Natalie Whiteley Kim Murray Sally Ramsey

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

5

Contents Summary and recommendations .................................................................................................................... 7

Background ............................................................................................................................................... 7

Conclusion ................................................................................................................................................. 9

Supporting findings .................................................................................................................................. 10

Recommendations ................................................................................................................................... 12

Summary of entity responses .................................................................................................................. 12

Key messages and observations ............................................................................................................ 12

Audit findings .............................................................................................................................................. 15

1. Background ............................................................................................................................................. 16

Introduction .............................................................................................................................................. 16

Reviews and inquiries into the APS’s use of contractors ........................................................................ 23

Defence’s workforce ................................................................................................................................ 29

Previous audits and reports ..................................................................................................................... 33

Rationale for undertaking the audit ......................................................................................................... 35

2. Framework for using contractors ............................................................................................................. 37

Does Defence guidance provide clarity regarding the different personnel types, including contractors? ....................................................................................................................................... 37

Does Defence provide guidance on determining whether there is an operational requirement for the use of contractors? ....................................................................................................................... 40

3. Arrangements for engaging contractors .................................................................................................. 44

Does Defence have a contracting suite that is tailored for the use of contractors? ................................ 45 Does Defence have fit-for-purpose arrangements for inducting contractors? ........................................ 51 Has Defence established arrangements for the engagement of contractors that support compliance with PSPF Policy 12: Eligibility and suitability of personnel? .......................................... 57

4. Arrangements for managing contractors ................................................................................................. 63

Has Defence clearly documented its requirements and expectations regarding the management and oversight of contractors? ............................................................................................................. 64

Has Defence established arrangements for the management of contractors that support compliance with PSPF Policy 13: Ongoing assessment of personnel? ............................................. 67

Has Defence established arrangements for the separation of contractors that support compliance with PSPF Policy 14: Separating personnel? ................................................................. 70

5. Observations and key messages on the selected agencies’ management of contractors ..................... 76 Data availability and transparency .......................................................................................................... 76

Ethical and personnel security requirements .......................................................................................... 78

Parliamentary committee and other review recommendations ............................................................... 79

Key messages from this audit series for all APS agencies ..................................................................... 79

Appendices ................................................................................................................................................. 81

Appendix 1 Entity responses ................................................................................................................. 82

Appendix 2 Performance improvements observed by the ANAO .......................................................... 84

Appendix 3 Measures for reporting on workforce size ........................................................................... 85

Appendix 4 Defence’s decision-making process for the engagement of contractors ............................ 86 Appendix 5 Training requirements for contractors ................................................................................. 87

Auditor-General Report No.43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

 The Australian Public Service (APS) workforce

strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS personnel. The approach adopted by the APS has been the subject of ongoing parliamentary interest.

 This is one of a series of three performance

audits undertaken to provide independent assurance to Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce.

 Defence has established fit-for-purpose

policies and processes for the management of contractors. However, Defence cannot demonstrate the effectiveness of its arrangements, in the absence of entity-level assurance based on a systematic approach to monitoring and reporting on implementation.

 The Auditor-General made one

recommendation aimed at ensuring that Defence has arrangements in place, in respect to the contracted workforce, to adequately support compliance with Protective Security Policy Framework (PSPF) Policy 14: Separating personnel and obtain assurance that PSPF Policy 14 is being met.

 Defence’s external workforce comprises

consultants, contractors and outsourced service providers.

 The top five contractor activities reported by

Defence in 2021 and 2022 were ‘Project Management’, ‘Information Technology’, ‘Platform or Fleet Sustainment and Maintenance’, ‘Other’, and ‘Administration’.

78,063 Defence APS and ADF workforce reported in its March 2022 external workforce census (Full-Time

Equivalent, or FTE).

34,880 Defence external workforce reported in the March 2022 census (FTE estimate).

8311

Contractor workforce reported in the March 2022 census. Represents 7.4 per cent of the total Defence workforce (FTE estimate).

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

7

Summary and recommendations

Background 1. The Australian Public Service Commission (APSC) has reported that as at

31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.1 APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.2

2. APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’3

3. Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, the APSC has stated that:

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.4

4. Additionally, the APSC has published guidance in the form of Guiding principles for agencies when considering the use of SES contractors5 relating to the use of contractors in APS

1 Australian Public Service Commission, APS Employment Data 31 December 2021 [Internet], 25 March 2022, available from https://www.apsc.gov.au/employment-data/aps-employment-data-31-december-2021 [accessed 20 May 2022]. The number of APS agencies differs from the total number of Australian Government entities and companies, as not all employ staff under the Public Service Act 1999. The Department of Finance reported a total of 187 Australian Government entities and companies as at 19 April 2022. See https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 10 June 2022]. The APSC data indicates that the number of ongoing (permanent) APS employees as at 31 December 2021

was 136,284. Ongoing employees made up 87.5 per cent of the APS workforce. There were also 19,512 non-ongoing APS employees at 31 December 2021. Non-ongoing employees in the APS are employed for a specified term, or for the duration of a specified task, or to perform duties that are irregular or intermittent (casual). Of all non-ongoing employees at 31 December 2021, 10,816 (55.4 per cent) were employed for a specified term or the duration of a specified task, and 8,696 (44.6 per cent) were employed on a casual basis. 2 Key elements of the framework are the APS Values (set out in section 10 of the PS Act), APS Employment

Principles (in section 10A), APS Code of Conduct (in section 13) and the Australian Public Service Commissioner’s Directions about the APS Values and employment matters made under sections 11 and 11A. 3 Department of Finance, Contract Characteristics [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-

characteristics [accessed 20 January 2022]. 4 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-

strategy-2025 [accessed 6 January 2022]. 5 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, available from https://www.apsc.gov.au/working-aps/aps-employees-

and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

8

Senior Executive Service (SES) roles.6 Similar guidance has not been issued for entities when considering the use of contractors for non-SES level roles.

5. The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. These decisions must consider:

• the Commonwealth Procurement Rules (CPRs), which establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement;

• the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security7; and

• entity-specific procurement and contract management arrangements which may be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines.

6. Defence has advised the Parliament that its contractor full-time equivalent (FTE) component — as reported in its March 2021 external workforce census of consultants, contractors and outsourced service providers — was 6810 FTE or 6.2 per cent of the total Defence workforce.8 Defence’s contractor workforce performs work in most parts of the entity. The March 2022 external workforce census recorded 8311 FTE or 7.4 per cent of the total Defence workforce.

Rationale for undertaking the audit

7. The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years.9

8. This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. Defence was

6 The SES is established by section 35 of the PS Act, which states that the function of the SES is to provide APS-wide strategic leadership. 7 Attorney-General’s Department, About PSPF [Internet], available from https://www.protectivesecurity.gov.au/about [accessed 27 January 2022]. 8 This was a response to a question on notice from Senator Ayres on 31 August 2021 asking Defence to provide

‘Other Contractors; headcount and FTE’. 9 These reviews and inquiries, discussed in Chapter 1 at paragraphs 1.14–1.24, include the: 2015 report of the Independent Review of Whole-of-Government Internal Regulation; 2017 to 2019 Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into Australian Government Contract Reporting — Inquiry based on

Auditor-General's report No. 19 (2017–18); 2019 report of the Independent Review of the APS; 2021 second interim report of the Senate Select Committee on Job Security; and 2021 report of the Senate Finance and Public Administration References Committee Inquiry into the Current Capability of the APS.

Summary and recommendations

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

9

selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits in this series review the management of contractors by the Department of Veterans’ Affairs and Services Australia.

Audit objective and criteria

9. The objective of the audit was to examine the effectiveness of Defence’s arrangements for the management of contractors.

10. To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has Defence established a fit-for-purpose framework for the use of contractors?

• Does Defence have fit-for-purpose arrangements for the engagement of contractors?

• Has Defence established fit-for-purpose arrangements for the management of contractors?

Conclusion 11. Defence has established fit-for-purpose policies and processes for the management of contractors. However, Defence cannot demonstrate the effectiveness of its arrangements, in the absence of entity-level assurance based on a systematic approach to monitoring and reporting on implementation.

12. Defence has established a fit-for-purpose framework for the use of contractors. Enterprise-level guidance sets out the different personnel types, including contractors, and provides instructions for determining whether there is an operational requirement for the use of contractors on a case-by-case basis.

13. Defence has largely fit-for-purpose arrangements for the engagement of contractors. Defence has established standing offer arrangements for engaging contractors, and a contracting suite has also been developed and tailored for their engagement. Defence has established arrangements to support incoming contractors to understand their obligations and to support compliance with the majority of Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel requirements, but is not well-placed to provide assurance, at the enterprise level, that these arrangements are being consistently implemented when contractors are engaged.

14. Defence’s arrangements for the management of contractors are partly fit-for-purpose. Defence has documented its requirements and expectations regarding the management and oversight (supervision) of contractors. The Defence Security Principles Framework (DSPF) establishes arrangements that support compliance with the requirements of Protective Security Policy Framework (PSPF) Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel. Defence reporting on compliance with PSPF Policy 13 and Policy 14 indicates that implementation of Defence’s arrangements has been inconsistent across the department. Internal audits and assessments also indicate that implementation of Defence’s PSPF Policy 14 arrangements is not fully effective across the department.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

10

Supporting findings

Framework for using contractors

15. Defence guidance provides clarity regarding the different personnel types, including contractors. (See paragraphs 2.3–2.16)

16. Defence provides guidance, principally through the Contractor Engagement Governance Framework, on the process for engaging a contractor. The framework applies to all Defence personnel and aids compliance with the Secretary’s Accountable Authority Instructions (AAIs). The framework requires officials to undertake a structured assessment of operational requirements, on a case-by-case basis, when deciding to use a contractor. (See paragraphs

2.17– 2.30)

Arrangements for engaging contractors

17. Defence has established standing offer arrangements and a contracting suite that is tailored for engaging contractors for a range of services. To aid the selection and tailoring of contract templates Defence has established a Contract Template Selection and Tailoring Guide. The eight standing offer arrangements and contracting templates reviewed by the ANAO included clauses addressing, as necessary, the mandatory workplace requirements highlighted in Defence’s fact sheet titled Obligations of Contractors, Consultants and Outsourced Service Providers working in Defence. (See paragraphs 3.3–3.25)

18. Defence has fit-for-purpose arrangements for inducting contractors. However, the department’s ability to determine the effectiveness of these arrangements is impacted by the lack of systematic monitoring and reporting on compliance with the arrangements, and inconsistent practice across the Defence Groups and Services. Defence has established induction requirements for contractors and there is mandatory training covering all policies and processes that contractors, other than those designated as prescribed officials, are obliged to comply with according to the contractor specific guidance. The guidance does not refer to record-keeping training which, according to Defence policy documents, is mandatory for users of Defence’s record keeping system. An e-learning platform has been established to support personnel to obtain and maintain their training requirements, and contract managers are responsible for monitoring contractors’ completion of mandatory training. Some Defence Groups and Services have established additional processes at the Division level or below for monitoring the completion and maintenance of mandatory training requirements. Defence does not review data on completion rates for mandatory induction training for Other Defence Support (ODS) personnel, which is a workforce category that includes contracted personnel. (See paragraphs 3.26–3.44)

19. Defence has established arrangements to support compliance with the majority of requirements in PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors. The arrangements include policies and processes to conduct pre-employment screening of contractors and to undertake standardised vetting as required by PSPF Policy 12. Defence has decided to not use the Document Verification Service as required by the PSPF, and has not mandated its use in the Defence Security Principles Framework. (See paragraphs 3.45–3.51)

20. Defence has established arrangements for reporting on its compliance with the requirements of PSPF Policy 12 for all personnel. Reporting is focused on security clearances as

Summary and recommendations

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

11

all Defence employees (APS/ADF) are required to have, at a minimum, a baseline clearance. However, not all contractors require a security clearance and Defence is not well placed to provide assurance, at the enterprise level, that PSPF Policy 12 has been met in respect to contractors having been pre-screened appropriately if a security clearance is not required. Defence was unable to provide the ANAO with figures for Designated Security Assessment Position numbers at each clearance level and how many were filled by contractors. Defence advised that these positions were managed within the Group or Service and were not centrally reported. (See paragraphs 3.52–3.56)

Arrangements for managing contractors

21. Defence has documented its requirements and expectations regarding the management and oversight of contractors. Much of Defence’s guidance is framed for officials managing contracts that are valued above $200,000, and which are complex and/or of long duration. It is not apparent which parts of this guidance should be applied specifically when managing contractors as defined in Defence’s Accountable Authority Instructions (AAIs), particularly where the contract value is below $200,000. Training is available for officials who manage contracts and contractors, however it is not mandatory and is not monitored or reported on systematically. (See paragraphs 4.4–4.16)

22. Defence has established arrangements to support compliance with the requirements of PSPF Policy 13: Ongoing assessment of personnel, in the DSPF. Defence’s policies address all aspects of the core PSPF requirement and apply to all Defence personnel, including contractors. Defence has also included clauses in contracting templates requiring ongoing compliance with the DSPF. However, these arrangements are compromised by inconsistent implementation. Defence reporting on compliance with PSPF Policy 13 indicates that implementation of the arrangements has been inconsistent across the department, with scope identified to improve the awareness of security officers of the need to conduct annual security checks. (See paragraphs 4.17–4.27)

23. Defence has established arrangements to support compliance with the requirements of PSPF Policy 14: Separating personnel, in the DSPF. Defence reporting on compliance with PSPF Policy 14, and internal audits and assessments, indicate that implementation of Defence’s arrangements has been inconsistent and is not yet effective across the department. Internal audits finalised in May 2021 and March 2022 identified weaknesses in how the security policies had been disseminated to the operational level. There is also scope for the Defence Contract Management Handbook to better support contract managers at the end of a contract, by including processes to address the PSPF Policy 14 requirements in the relevant checklist. (See paragraphs 4.28–4.45)

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

12

Recommendations

Recommendation no. 1

Paragraph 4.46

The Department of Defence, in respect of the contracted workforce:

• establish arrangements to better support compliance with PSPF Policy 14: Separating personnel; and

• monitor the effectiveness of arrangements to obtain assurance that PSPF Policy 14 is being met.

Department of Defence response: Agreed.

Summary of entity responses 24. Defence’s summary response is provided below and its full response is included at Appendix 1. An extract of this report was sent to the APSC. The APSC’s summary response is provided below and its full response is included at Appendix 1.

Defence’s summary response

Defence welcomes the ANAO Audit Report into the Effectiveness of the Management of Contractors and agrees to the recommendation which relates to Defence establishing arrangements relating to contractors, which would better support compliance with Protective Security Policy Framework (PSPF) Policy 14: Separating personnel.

Defence is committed to strengthening and standardising the processes and controls for the management of contractors, particularly regarding adherence to PSPF Policy 14: Separating personnel. Defence is currently reviewing the Defence Contract Management Framework, and will include necessary references to security policies and guidance, to ensure a more consistent and standardised delivery at the operational level of these security policies, and also support better assurance and reporting capabilities.

APSC’s summary response

The Australian Public Service Commission (APSC) acknowledges the extract of the Proposed Audit Report on the 'Effectiveness of the Management of Contractors' provided for comment.

The APSC recognises the importance of robust workforce planning through implementation of the APS Workforce Strategy 2025. This includes strengthening APS capability, and the strategic use of mixed models of employment, to ensure agencies achieve their outcomes.

Whilst no recommendations are directed toward the APSC, the Commission will consider any relevant findings following the audit's completion.

25. At Appendix 2, there is a summary of improvements that were observed by the ANAO during the course of the audit.

Key messages and observations 26. This is one of a series of three performance audits undertaken to provide independent assurance to Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. As well as Defence, the ANAO has

Summary and recommendations

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

13

examined the effectiveness of the management of contractors by Services Australia10 and the Department of Veterans’ Affairs.11

27. Chapter 5 of this audit report sets out high-level observations and key messages for all Australian Public Service agencies following the ANAO’s examination of the three selected agencies’ management of contractors. The observations focus on: data availability and transparency issues relating to the contractor workforce; and the application of ethical and personnel security requirements to the contractor workforce.

10 See Auditor-General Report No.44 2021–22 Effectiveness of the Management of Contractors — Services Australia. 11 See Auditor-General Report No.45 2021–22 Effectiveness of the Management of Contractors — Department of Veterans’ Affairs.

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

15

Audit findings

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

16

1. Background

Introduction 1.1 The Australian Public Service Commission (APSC) has reported that as at 31 December 2021, the Australian Public Service (APS) employed 155,796 people across 97 APS agencies.12 APS employees are employed under the Public Service Act 1999 (the PS Act), which establishes the APS and is the basis of the regulatory framework applying to it.13

1.2 APS agencies can, and do, utilise a mixed workforce of APS and non-APS personnel to deliver their purposes. Non-APS personnel include contractors and consultants. Department of Finance (Finance) guidance indicates that the difference between a contract for services and a contract for consultancy services ‘generally depends on the nature of the services and the level of direction and control over the work that is performed to develop the output.’14

1.3 In summary, Finance’s guidance states that services performed by a contractor are under the supervision of the entity, which specifies how the work is to be undertaken and has control over the final form of any resulting output. The output of a contractor is produced on behalf of the entity and the output is generally regarded as an entity product. In contrast, performance of consultancy services is left largely up to the discretion and professional expertise of the consultant, performance is without the entity's direct supervision, and the output reflects the independent views or findings of the consultant. While the output of a consultant is produced for the entity, the output may not belong to the entity. Box 1 below sets out the contract characteristics, identified in Finance guidance, that help entities distinguish between contractors and consultants.

12 Australian Public Service Commission APS Employment Data 31 December 2021 [Internet], 25 March 2022, available from https://www.apsc.gov.au/employment-data/aps-employment-data-31-december-2021 [accessed 20 May 2022]. The number of APS agencies differs from the total number of Australian Government entities and companies, as not all employ staff under the Public Service Act 1999. The Department of Finance reported a total of 187 Australian Government entities and companies as at 19 April 2022. See: https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 10 June 2022]. The APSC data indicates that the number of ongoing (permanent) APS employees as at 31 December 2021

was 136,284. Ongoing employees made up 87.5 per cent of the APS workforce. There were also 19,512 non-ongoing APS employees at 31 December 2021. Non-ongoing employees in the APS are employed for a specified term, or for the duration of a specified task, or to perform duties that are irregular or intermittent (casual). Of all non-ongoing employees at 31 December 2021, 10,816 (55.4 per cent) were employed for a specified term or the duration of a specified task, and 8,696 (44.6 per cent) were employed on a casual basis. 13 Key elements of the framework are the APS Values (set out in section 10 of the PS Act), APS Employment

Principles (in section 10A), APS Code of Conduct (in section 13) and the Australian Public Service Commissioner’s Directions about the APS Values and employment matters made under sections 11 and 11A. 14 Department of Finance, Contract Characteristics [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-

characteristics [accessed 20 January 2022].

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

17

Box 1: Department of Finance guidance—characteristics of consultancy and non-consultancy contracts

Contractors—characteristics of non-consultancy contracts (only some may apply):

Nature of Services:

• Services performed are the day-to-day duties of the entity — e.g. a recruitment firm providing personnel to fill a temporary vacancy for a personal assistant, or in a program area. The skills required to perform the services would normally be maintained within the entity.

• Involves professional or expert services to implement an existing proposal or strategy — e.g. training specialists to deliver training in line with an existing strategy.

Direction and Control:

• Services are performed under supervision of the entity. The entity specifies how the work is to be undertaken and has control over the final form of any resulting output.

• Professional or expert services provided under non-consultancy contracts are generally delivered without a high level of supervision and direction from the entity, however, the output produced will not necessarily represent the independent views of the service provider — i.e. the entity controls the form of the output.

• The output is being produced on behalf of the entity.

• The output is generally regarded as an entity product.

Integration or Organisation Test:

• Work is an integral part of the entity's business.

Use of Equipment and Premises:

• The entity provides all equipment and supplies.

• The Contractor will usually be engaged to work in the entity's premises.

Remuneration:

• Remuneration is based on the time worked, usually calculated on an hourly rate.

Consultants—characteristics of consultancy contracts

Nature of Services:

• Involves specialist professional knowledge or expertise that may not be maintained in-house.

• There is a need for independent research or assessment.

• Involves development of an intellectual output, e.g. research, evaluation, advice, and recommendations, to assist with entity decision-making.

• Involves a one-off task, a set of tasks or irregular tasks (making employment of permanent staff impractical or undesirable).

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

18

Direction and Control:

• Performance of the services is left largely up to the discretion and professional expertise of the consultant.

• Performance is without the entity's direct supervision.

• The output reflects the independent views or findings of the individual or organisation.

• The output is being produced for the entity.

• The output may not belong to the entity.

Integration or Organisation Test:

• Work performed is an accessory to the entity's business.

Use of Equipment and Premises:

• The Consultant provides their own equipment.

• The Consultant may work from their own premises for some or all of the assignment.

Remuneration:

• Consultancy payments are usually made when agreed milestones are reached or when a task or project is completed.

Source: Department of Finance, Contract Characteristics, available from https://www.finance.gov.au/government/procurement/buying-australian-government/contract-characteristics [accessed 20 January 2022].

1.4 Workforce planning and management is the responsibility of each APS agency head. In the APS Workforce Strategy 2025, in respect to the mix between APS and non-APS personnel, the APSC has stated that:

The APS continues to deploy a flexible approach to resourcing that strikes the balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers collaborate to deliver outcomes within agencies.

A mixed workforce approach will continue to be a feature of APS workforce planning. Non-APS workers, when used effectively in appropriate circumstances, can provide significant benefits to agencies and help them achieve their outcomes. Non-APS workers can also provide access to specialist and in-demand skills to supplement the APS workforce in peak times in business cycles. There will be a need for APS agencies to access skills, capability or capacity differently, including through contractors and consultants, or through external partnerships with academia or industry. There may also be a need to engage with industry to develop skills and capabilities to drive delivery of programs across the service. The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.

Ensuring agencies take a structured approach to the use of non-APS employees—including considering where work would be best delivered by an APS employee—and knowledge transfer and capability uplift arrangements is a key element of successful mixed workforce models, which are already being used by agencies across the APS.

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

19

A professional public service harnesses skills, expertise and capacity from a variety of sources to deliver services as priorities arise. We must focus on understanding and removing barriers to external mobility and encouraging the mobilisation of skills from both across and outside the APS.15

1.5 In addition, the APSC has published guidance relating to the use of contractors in APS Senior Executive Service (SES) roles.16 In its Guiding principles for agencies when considering the use of SES contractors17, the APSC states that:

To meet their business needs, agency heads have the flexibility to engage individuals by the most appropriate means to ensure their agency is best placed to deliver for the Australian public. These guiding principles are designed to assist agencies when considering the appropriateness of using a contractor for a Senior Executive Service (SES) equivalent role and to ensure that appropriate governance arrangements are in place.

…

For the purposes of these principles, an ‘SES contractor’ is an SES-equivalent (e.g. equivalent work value, duties, responsibility, and accountability), contracted by an APS agency via a recruitment agency or third party as an integrated part of the agency’s senior leadership workforce. That is, the agency will have no direct employment relationship under the PS Act with the SES contractor.

1.6 The APSC has stated that the purpose of the principles is ‘to provide APS agencies with considerations when seeking to go beyond the APS employment framework for senior executive capabilities’.18 Box 2 below sets out the considerations identified in the APSC guidance.

Box 2: APSC guidance—considerations when using an SES contractor to fill a role

Before using an SES contractor to fill a role, agencies should satisfy themselves that there is a genuine operational requirement for an SES contractor.

• Consideration should be given to the range of employment options available under the PS Act, including temporary employment, before an SES contractor is sourced.

• This includes considering whether the operational requirement is better suited to a short-term consultant (e.g. where a specific skillset is needed for a short time for a single project or deliverable, without integration into the leadership of an agency) or should be filled by an SES employee engaged under the PS Act that is part of the leadership of an agency.

− Agencies should note that section 10A of the PS Act recognises that the usual basis of employment is as an ongoing APS employee.

15 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-strategy-2025 [accessed 6 January 2022].

16 The SES is established by section 35 of the PS Act, which states that the function of the SES is to provide APS wide strategic leadership. 17 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, available from https://www.apsc.gov.au/working-aps/aps-employees-

and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021]. 18 ibid., paragraph 1.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

20

• SES contractors may be required in a range of circumstances, such as where a person holds specialised experience, skills and capabilities unable to be sourced from the market through general recruitment at that point in time.

• In some cases, an agency’s overall business model may require a combination of SES contractors and SES employed under the PS Act as part of their workforce composition.

Agencies should ensure their systems, infrastructure, contracts and governance are appropriate to manage using SES contractors. This includes ensuring that:

• SES contractors are suitably inducted into the agency and provided with all relevant information and training relating to exercising their responsibilities in the role.

• SES contractors understand the ethical obligations of their role. SES contractors should be expected to model and promote the highest standards of ethics and integrity in the unique context of the APS operating environment.

− SES contractors are not employed under the PS Act but should be held to similar standards of behaviour as set out in the APS Values and Code of Conduct.

• SES contractors facilitate and contribute appropriate knowledge transfer and capability growth within the agency.

Under subsection 78(8) of the PS Act, if it is proposed that an SES contractor will exercise delegated functions or powers, consent must be sought from the APS Commissioner before any functions or powers are delegated to the SES contractor.

• Agencies should consider their own internal agency delegations and ensure that they reflect any such powers.

Source: Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors, 14 May 2021, paragraphs 5–7, available from https://www.apsc.gov.au/working-aps/aps-employees-and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

1.7 The APSC guidance states that the APSC will collect data on SES contractors, and that for the purposes of reporting, an SES contractor is a person undertaking SES equivalent work who is not engaged under the PS Act or an agency’s enabling legislation.19 As at 8 March 2022 the APSC had not published data on SES contractors. The APSC advised the ANAO on 3 March 2022 that there were 40 SES contractors in the APS as at 31 October 2021.

1.8 The APSC has not issued guiding principles for the use of non-SES contractors in APS agencies.20

19 Australian Public Service Commission, Guiding principles for agencies when considering the use of SES contractors [Internet], 14 May 2021, paragraph 8, available from https://www.apsc.gov.au/working-aps/aps-employees-and-managers/senior-executive-service-ses/senior-executive-service-ses/contractors-senior-executive-service [accessed 3 December 2021].

20 The APSC advised the ANAO in June 2022 that: The Commission notes that the procurement of labour hire and contractor services is not considered employment of personnel under the Public Service Act 1999. Rather, APS agencies must follow the CPRs when procuring these services and seek guidance from the Department of Finance. We note that the report makes multiple references to the Commission not issuing guiding principles for the use of non-SES contractors in APS agencies. As a point of correction, it is not part of the APSC remit to Footnote continued on the next page…

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

21

1.9 The APSC and Finance guidance may be supplemented at the entity-level by internal guidance on the different personnel types and how to decide whether there is an operational requirement for the use of non-APS personnel such as contractors.

1.10 The engagement and management of non-APS personnel occurs through procurement action by entities and their contract management processes, rather than the PS Act. The Commonwealth Procurement Rules (CPRs) establish the whole-of-government procurement framework, including mandatory rules with which officials must comply when performing duties related to procurement. Entity-specific procurement and contract management arrangements may also be contained in Accountable Authority Instructions (AAIs) made under section 20A of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act, which is the basis of the Australian Government’s finance law) and in entity policies and guidelines. Contract managers must implement applicable internal requirements and the CPRs and associated requirements set by the Department of Finance. Non-APS personnel must comply with their contractual obligations and any applicable management, oversight and behavioural requirements.

1.11 Non-APS personnel may be ‘officials’ under section 13 of the PGPA Act, in which case they must comply with the finance law in addition to their contractual obligations and applicable entity requirements.21 The finance law includes the PGPA Act, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), entity AAIs, and other legal and policy frameworks — including the whole-of-government procurement, grants, advertising and risk management frameworks. All personnel exercising delegated power under the PGPA Act or other legislation must also comply with the requirements attached to those delegations.

1.12 Entities’ management of their non-APS personnel is subject to the Protective Security Policy Framework (PSPF), which sets out government protective security policy across the following outcomes: security governance, information security, physical security and personnel security.22 The PSPF policies under the ‘personnel security’ outcome outline how to screen and vet personnel

and contractors to assess their eligibility and suitability. They also cover how to assess the ongoing suitability of entity personnel to access government resources and how to manage personnel separation.23 Entity compliance with the three personnel security policies under the PSPF ‘ensures its employees and contractors are suitable to access Australian Government resources, and meet

provide guiding principles for the use of non-SES contractors. It is a matter for the Department of Finance and the report should reflect this. The Australian Public Service Commissioner’s functions include monitoring, reviewing and reporting on effective performance of the APS. The Contractors in the Senior Executive Service (SES) guidance was created in support of this function as the SES provide APS-wide strategic leadership of the highest quality and are responsible for ensuring effective performance, which extends to SES contractors. 21 The definition of an ‘official’ and the duties of officials are discussed in Department of Finance, General duties

of officials: Resource Management Guide No.203 [Internet], November 2016, available from https://www.finance.gov.au/government/managing-commonwealth-resources/general-duties-officials-rmg-203 [accessed 27 January 2022]. 22 Attorney-General’s Department, About PSPF [Internet], available from

https://www.protectivesecurity.gov.au/about [accessed 27 January 2022]. 23 Attorney-General’s Department, Personnel security [Internet], available from https://www.protectivesecurity.gov.au/policies/personnel-security [accessed 27 January 2022]. The applicable PSPF p olicies are: Policy 12: Eligibility and suitability of personnel; Policy 13: Ongoing

assessment of personnel; and Policy 14: Separating personnel.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

22

an appropriate standard of integrity and honesty’24. The policies and their core requirements are outlined in Figure 1.1 below.

Figure 1.1: PSPF personnel policies and core requirements

Source: Protective Policy Security Framework, Personnel Security, available from https://www.protectivesecurity.gov.au/policies/personnel-security [accessed 3 December 2021].

1.13 Under the PSPF, all agencies must develop their own protective security policies and processes. Defence has developed the Defence Security Principles Framework (DSPF).25 The DSPF is principles-based and forms part of Defence’s administrative policy framework. It applies to all Defence personnel. In respect to contractors, Defence advised the ANAO that the DSPF applies ‘to person/s engaged under a contract where it is a term of that contract or they are employed by, or through, a Defence Industry Security Program (DISP) member’.

24 Ibid.

25 The DSPF comprises security principles and expected outcomes. The principles are supported by enterprise-wide Controls that provide additional processes and instructions to interpret and apply the Principles. DSPF Enterprise-wide Controls are developed by internal Control Owners.

•Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets). •Entities must use the Australian Government Security Vetting Agency

to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

PSPF Policy 12: Eligibility and suitability of personnel

•Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.

PSPF Policy 13: Ongoing assessment of personnel

•Each entity must ensure that separating personnel have their access to Australian Government resources withdrawn, and are informed of any ongoing security obligations.

PSPF Policy 14: Separating personnel

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

23

Reviews and inquiries into the APS’s use of contractors

2015 report of the Independent Review of Whole-of-Government Internal Regulation

1.14 The 2015 Independent Review of Whole-of-Government Internal Regulation (the Belcher Review)26 observed the impact of a number of APS legislative and reporting requirements27, which the review considered to have:

created a recruiting environment where entities tend to engage staff through a particular employment category that may not align with their business needs. For example: … contractors hired individually, or through firms, are excluded from ASL [average staffing level] and headcount reporting. While a valid engagement option, it may present longer term issues regarding organisational capacity and knowledge management, and may be a more expensive option in the longer run.28

1.15 Box 3 below contains an excerpt from a Parliamentary Library research paper on public sector staffing and resourcing, which addresses the ASL concept and related issues.29

Box 3: Public sector staffing and resourcing (Staffing, contractors and consultancies)— Parliamentary Library, October 2020—excerpt

When discussing public sector employees, the budget papers use the average staffing level (ASL), a method of counting that adjusts for casual and part-time staff in order to show the average number of full-time equivalent employees. ASL is almost always a lower figure than a headcount of actual employees (the Australian Public Service Commission uses the headcount method).a

In the 2015–16 Budget, the Government undertook to maintain the size of the general government sector (GGS), excluding military and reserves, at around or below the 2006–07 ASL of 167,596. Agency Resourcing: Budget paper No. 4: 2020–21 indicates that this objective has been achieved over the years prior to the COVID-19 pandemic.

Note a: ANAO comment: the APSC has stated that ‘ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.’ See Appendix 3 of this audit. Source: Philip Hamilton, Public sector staffing and resourcing (Staffing, contractors and consultancies), Parliamentary

Library Research Publications, October 2020. Available from https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/Budge tReview202021/PublicSectorStaffingResourcing [accessed 27 January 2022].

26 Barbara Belcher, Independent Review of Whole-of-Government Internal Regulation Report to Secretaries Committee on Transformation, Volume 2 Assessment of key regulatory areas [Internet], August 2015, available from https://www.finance.gov.au/sites/default/files/2020-05/independent-review-of-whole-of-government-internal-regulation-volume-2-report.pdf [accessed 7 December 2021].

The review was commissioned to critically assess and recommend modification to government regulations. 27 ibid., p. 154. 28 ibid., p. 156. 29 See also Appendix 3 of this audit on average staffing level and headcount.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

24

2019 report of the Independent Review of the APS

1.16 The 2019 Our Public Service, Our Future: Independent Review of the Australian Public Service (the Thodey Review) also considered the non-APS workforce.30 The Thodey Review commented that:

Labour contractors and consultants are increasingly being used to perform work that has previously been core in-house capability, such as program management. Over the past five years, spending on contractors and consultants has significantly increased while spending on APS employee expenses has remained steady.31

1.17 The Thodey Review published data (see Figure 1.2 below) based on submissions to the Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into Australian Government Contract Reporting – Inquiry based on Auditor-General's report No. 19 (2017–18).32 The Thodey Review stated that submissions to the JCPAA inquiry ‘revealed that [the] spend on contractors more than doubled across a sample of 24 agencies between 2012–13 and 2016–17.’33

30 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service [Internet], 13 December 2019, pp. 185–87, available from https://www.pmc.gov.au/sites/default/files/publications/independent-review-aps.pdf [accessed 28 January 2022]. The review examined the governing legislation, capability, culture and operating model of the APS. 31 ibid., p. 185. 32 The JCPAA initiated its inquiry in December 2017 to consider Auditor-General Report No. 19 2017–18

Australian Government Procurement Contract Reporting. This information report contained ANAO analysis of publicly available data published by the Department of Finance on public sector procurement contracting activity. See the ANAO submission to the inquiry, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9/Submissions [accessed 4 February 2022]. As part of its inquiry the JCPAA requested details of expenditure on contractors, consultants and labour hire

workers from selected government entities. The JCPAA asked these entities for the following information in respect to non-consultancy services: • Contractors directly procured by the entity for labour (for the provision of either long or short term additional labour capacity) and on-hire contractors. • A list of the top three categories of work for which contractors have been most frequently engaged, for

each of the past five financial years [2012–13, 2013–14, 2014–15, 2015–16, 2016–17]. • Provide expenditure figures on contractors for each of the past five financial years, including a breakdown of expenditure against the top three categories of work. Entity responses to the JCPAA are available from

https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9/Submissions [accessed 4 February 2022]. The JCPAA issued a statement on 11 April 2019 stating that the committee had decided not to issue a report based on the inquiry. The statement is available from

https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/AGReport1 9 [accessed 28 January 2022]. 33 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, 13 December 2019, p. 186, available from

https://www.pmc.gov.au/sites/default/files/publications/independent-review-aps.pdf [accessed 28 January 2022].

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

25

Figure 1.2: Thodey Review — percentage change in spend on employees, labour contractors and consultancy contract notices

Source: Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, p. 186.

1.18 The Thodey Review further observed that:

The use of labour contractors and consultancy services warrants specific discussion. About a quarter of the submissions [to the review] commented on their use. Most expressed concern about the growing size of the APS’s external workforce and the negative effect on in-house capability. Data on this topic, as is the case with many APS-wide workforce matters, are not gathered or analysed centrally and are often inadequate. For example, the number of contractors and consultants working for the APS is not counted and data on expenditure are inconsistently collected across the service. Data insights that would shed light on whether contractors or consultants met objectives are not routinely aggregated. This makes it difficult to assess the value of external providers relative to in-house employees or to infer the effect on APS capability.34

…

There is clearly benefit in the APS leveraging the best external capability. It is not possible to have expertise in everything in-house and external providers can be the most efficient way of delivering the best advice, services or support. But the use of external capability needs to be strategic and well-informed, meaning that the APS:

34 ibid., p. 185.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

26

• makes decisions on the use of external capability by reference to a whole-of-service workforce strategy that identifies the core capabilities the APS should invest in building in-house — with external capability used to perform non-core or variable work activity;

• manages use of external capability closely, from the contract design stage through to performance of the prescribed tasks; and

• ensures that all arrangements lead to a transfer of knowledge to the APS.

At all stages the APS should be focused on achieving value for money and better outcomes.

The APS needs to find the right balance between retaining and developing core in-house capability and leveraging external capability to ensure a sustainable and efficient operating model for the decades ahead. To do this effectively, two traditionally autonomous parts of agencies — HR and procurement — must work closely together.35

October 2021 second interim report of the Senate Select Committee on Job Security

1.19 In October 2021, the Senate Select Committee on Job Security released its second interim report, Insecurity in publicly-funded jobs.36 The report examined employment arrangements across the public sector. Drawing on the Thodey Review and JCPAA inquiry, the committee stated that:

the utilisation of labour contractors and consultants has increased markedly in recent years. Across a sample of 24 agencies, spending on contractors has more than doubled over the period between 2012–13 and 2016–17. Furthermore, information sourced from AusTender indicated that the total value of consultant contracts across the APS increased from $386 million to $545 million during the same four year period.37

1.20 In common with the Thodey Review38, the committee was critical of data collection relating to the non-APS workforce:

Neither the Australian Public Service Commission (APSC), nor the Department of Finance, was able to confirm how many people engaged through labour hire or other external contracting

35 ibid., p. 187. 36 Senate Select Committee on Job Security, Second interim report: insecurity in publicly-funded jobs [Internet], October 2021, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Job_Security/JobSecurity/Second_Inte

rim_Report [accessed 4 February 2022]. The report is part of a wider inquiry into job security. The committee was established to examine and report on the impact of insecure or precarious employment. The committee’s first interim report (June 2021) examined ‘on-demand platform work’ in Australia. A third interim report (November 2021) examined labour

hire and contracting, with a specific focus on the mining, agriculture, transport and distribution sectors. A fourth interim report (February 2022) examined a number of remaining issues such as casual work, and focused on the retail and hospitality sectors. The committee’s final report (March 2022) related to a possible matter of parliamentary privilege. 37 ibid., paragraph 11.14. ANAO comment: the AusTender data drawn upon by the second interim report was sourced from the Thodey

Review. See Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service, 13 December 2019, p. 186. 38 See paragraphs 1.16–1.18 of this audit.

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

27

arrangements are working within the Australian Public Service. This data is not collected, and neither agency provided an explanation for why this is the case.39

1.21 The committee made the following recommendation on this matter:

The committee recommends that the Australian Government requires:

• the Australian Public Service Commission to collect and publish agency and service-wide data on the Government's utilisation of contractors, consultants, and labour hire workers;

• the Department of Finance to regularly collect and publish service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment; and

• labour-hire firms to disclose disaggregated pay rates and employee conditions.40

November 2021 report on the Senate Finance and Public Administration References Committee Inquiry into the Current Capability of the APS

1.22 In November 2021 the Senate Finance and Public Administration References Committee reported on its Inquiry into the Current Capability of the Australian Public Service.41 The matter referred to the committee for inquiry and report was as follows42:

The current capability of the Australian Public Service (APS) with particular reference to:

(a) the APS’ digital and data capability, including co-ordination, infrastructure and workforce;

(b) whether APS transformation and modernisation projects initiated since the 2014 Budget have achieved their objectives;

(c) the APS workforce; and

(d) any other related matters.

39 Senate Select Committee on Job Security, Second interim report: insecurity in publicly-funded jobs [Internet], October 2021, paragraph 11.13, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Job_Security/JobSecurity/Second_Inte rim_Report [accessed 4 February 2022]. See also paragraphs 12.12–12.15 and 15.22–15.25.

40 ibid., paragraph 15.26. 41 Senate Finance and Public Administration References Committee, The current capability of the Australian Public Service (APS) [Internet], November 2021, inquiry page available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Administration/C

urrentAPSCapabilities [accessed 2 December 2021]. The inquiry examined the current capability of the APS with particular reference to: the APS’ digital and data ca

pability, including co-ordination, infrastructure and workforce; whether APS transformation and modernisation projects initiated since the 2014 Budget have achieved their objectives; the APS workforce; and any other related matters. 42 ibid., paragraph 1.1.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

28

1.23 The committee drew on data in the Thodey Review43 and JCPAA inquiry44, and in an effort to ascertain the scale of labour hire usage across the APS45, requested staffing profile information from agencies across all portfolios.46 The committee observed that:

The responses received indicated that agencies had differing methods of collecting data, and that many agencies did not collect data that allowed them to disaggregate the numbers of labour hire workers from other contractors.

For example, some agencies advised that their recordkeeping systems did not or could not differentiate between contractors directly procured by the agency (e.g. independent contractors), and workers procured through labour hire firms.47

1.24 The committee made 13 recommendations, including the following recommendations on data collection and reporting:

• the annual employee census conducted by the APSC ahead of the State of the Service report be expanded to include all labour hire staff who have been engaged on behalf of the APS in that calendar year (recommendation 5);

• the APSC collect and publish standardised agency and service-wide data on the Australian Government’s utilisation of contractors, consultants, and labour hire workers (recommendation 6); and

• the Department of Finance regularly collect and publish annually service-wide expenditure data on contractors, consultants, and labour hire workers, including the cost differential between direct employment and external employment for each role (recommendation 8).

43 ibid., paragraphs 2.12–2.19. 44 ibid., paragraphs 5.28–5.29. 45 The committee recorded at paragraph 3.61 of its November 2021 report that this followed receipt of APSC advice that the APSC did not collect data on the number of labour hire workers used by agencies to

supplement their workforces. The APSC confirmed that it only collected data in relation to public servants and people employed under the PS Act, and that data on labour hire was held by agencies. See Senate Finance and Public Administration References Committee, APS Inc: undermining public sector capability and performance [Internet], November 2021, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/024628/toc_pdf/APSIncunderminingp ublicsectorcapabilityandperformance.pdf;fileType=application%2Fpdf [accessed 8 February 2022]. 46 The committee recorded at paragraph 3.67 of its November 2021 report that it asked for:

1) The staffing profile for the agency as at 1 July 2021, broken down into: a) APS ongoing employees: headcount and Average Staffing Level (ASL); b) APS non-ongoing employees: headcount and ASL; c) Labour hire staff: headcount and Full-Time Equivalent (FTE); and d) Other contractors: headcount and FTE.

2) The percentage of staff engaged through labour hire arrangements as a percentage of total agency headcount. 3) The total value of labour hire contracts entered into between 1 January 2021 and 30 June 2021. 47 Senate Finance and Public Administration References Committee, APS Inc: undermining public sector

capability and performance [Internet], November 2021, paragraphs 3.68–3.69, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/024628/toc_pdf/APSIncunderminingp ublicsectorcapabilityandperformance.pdf;fileType=application%2Fpdf [accessed 8 February 2022].

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

29

Defence’s workforce 1.25 The Department of Defence (Defence) is a non-corporate Commonwealth entity.48 The department’s purpose is to ‘defend and protect Australia and advance its strategic interests.’ Defence’s performance statements framework lists two outcomes and 21 key activities that contribute to the successful delivery of the department’s purpose.49

1.26 Defence’s Strategic Workforce Plan (2016–2026) stated that the ‘integrated Defence workforce’ comprises:

• members of the Australian Defence Force (ADF), including the Permanent and Reserve Forces;

• employees of the APS;

• contractors engaged by Defence for specific roles; and

• Defence industry contractors who are engaged to deliver outsourced services.

1.27 To deliver its key activities, Defence has an approved workforce allocation for APS and ADF resources in the Portfolio Budget Statements (PBS). The actual APS and ADF workforce is reported on in the Defence annual report each year. Table 1.1 below sets out Defence’s workforce allocation and utilisation over three years.

Table 1.1: Defence’s budgeteda and actualb APS and ADF workforce

Workforce 2018–19 2019–20 2020–21

APS

Budget estimate 16,373 16,272 16,313

Actual 15,925 16,129 16,454

ADF

Budget estimate 59,794 60,090 60,826

Actual 58,380 59,109 60,330

Total

Budget estimate 76,167 76,362 77,139

Actual 74,305 75,238 76,784

Note a: Budget Estimate data is sourced from Defence Portfolio Budget Statements. All numbers for the full-time workforce elements represent average full-time equivalents (FTE) at the government approved strength for each year. Note b: Actual workforce data is sourced from Defence annual reports, reported as average FTE over the financial

year.

Source: Department of Defence Portfolio Budget Statements and annual reports for 2018–19, 2019–20 and 2020–21.

1.28 The 2016–2026 strategic workforce plan also stated that ‘Defence’s strategic objectives are enabled by a sufficient supply of appropriately skilled and highly performing people.’

48 The Department of Defence is part of the Defence portfolio. Its Secretary is the Agency Head under the PS Act and the accountable authority under the PGPA Act. The Secretary and Chief of the Defence Force (CDF) jointly manage Defence as a diarchy. The term ‘diarchy’ reflects the individual and joint accountabilities of the Secretary and CDF in ensuring that Defence meets Australian Government requirements. The manner in which the diarchy operates is described in directions given to the Secretary and CDF by the Defence Minister. 49 This structure is consistent across 2020–21 and 2021–22. See: Department of Defence, Annual Report 2020–21 [Internet], p. 10, available from

https://www.defence.gov.au/about/information-disclosures/annual-reports [accessed 18 February 2022]. Also see: Department of Defence Portfolio Budget Statements 2021–22 [Internet], p. 24, available from https://defence.gov.au/Budget/21-22/2021-22_Defence_PBS_02_Defence.pdf [accessed 7 March 2022].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

30

1.29 Defence advised the ANAO in March 2022 that a new Defence Strategic Workforce Plan 2021–2040 was approved by the Secretary and Chief of the Defence Force on 2 March 2022 and a text only version was released within Defence on 1 April 2022. It states that:

Defence’s integrated workforce includes military members working in a wide range of service patterns through the Total Workforce System (TWS), ongoing and non-ongoing civilian employees working both full-time and part-time, and an external workforce working under a wide variety of arrangements.

1.30 Box 4 below sets out Defence’s definitions that have the characteristics of a ‘contractor’ discussed in paragraphs 1.2–1.3 and Box 1.

Box 4: Definitions of types of external workforce resources utilised by Defence that have the characteristics of a contractor

Contractor

A contractor is a person engaged by Defence under a contract for skills that would normally be maintained in the Australian Public Service (APS) or Australian Defence Force (ADF) workforce. The person is performing duties required on a temporary basis, or is engaged as a short term measure while more enduring arrangements are put in place such as recruiting an ADF member or APS employee. The person is engaged to perform day-to-day duties of Defence. The person works largely under the supervision of an APS employee or ADF member. Defence specifies how the work is to be undertaken. The resulting output is produced on behalf of Defence and is generally regarded as a Defence product. The person’s remuneration is based on the time worked, usually calculated on an hourly or daily rate. Defence generally provides the necessary equipment and supplies.

Outsourced Service Provider (OSP)

Defence has made a decision that the function is to be performed by an external service provider on a long term or permanent basis. It involves skills or expertise that are not required to be maintained by APS or ADF in Defence. Performance of the services is left largely up to the discretion and professional expertise of the provider. Typically, service standards or performance indicators are agreed as part of the contracting process and monitored periodically. The resulting output is produced for Defence as a customer. Remuneration is paid when milestones are reached or a task is completed, or periodically for the provision of ongoing services such as maintenance, cleaning or travel bookings. The provider generally supplies their own equipment and supplies.

Source: Department of Defence, Accountable Authority Instructions (AAI) Glossary, 15 July 2020. The Glossary also states that ‘Consultants are individuals, partnerships or corporations engaged to provide professional, independent and expert advice or services. It involves the engagement of expert professional skills to investigate or diagnose a defined issue or problem, to carry out defined research, reviews or evaluations or provide independent advice, information or creative solutions to assist in management decision making. Performance of the services is at the discretion and professional expertise of the consultant, with Defence providing oversight. The consultant’s output reflects the independent views or findings of the individual or organisation and generally belongs to Defence.

Contractor numbers in Defence

1.31 Defence undertakes an External Workforce Census of consultants, contractors and outsourced service providers (OSP). The census was first undertaken in July 2019 and has

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

31

subsequently been undertaken in March 2020, September 2020, March 2021 and March 2022.50 A decision was made by the department’s Defence Committee in May 2021 to undertake the census annually rather than biannually. Defence has stated that:

The Census is an opportunity for Defence to collate a reasonable estimate of the resources engaged through external service providers to support delivery of Defence outcomes.51

1.32 Noting that the external workforce census is considered to provide only a ‘reasonable estimate,’ the ANAO asked Defence to confirm whether other Defence data sets might help identify, with greater precision, the number of contractors working within Defence.52 Defence was unable to direct the ANAO to any system(s) or dataset(s) that might provide further accuracy. Defence advised the ANAO that the Defence ICT system, for example, is not able to generate a report that specifically separates ‘contractor’ network access from all other users.53 Further, data held on finance systems is by contract, with each contract relating to one or more contractors. The impacts of these data limitations are discussed further in the relevant sections of this audit report.

1.33 The 2021 census results indicated that at the time of the census (March 2021) Defence had total resourcing of 109,626 full-time equivalent (FTE) personnel54, which comprised 16,313 APS, 60,826 permanent ADF and 32,487 external workforce personnel, including 6810 contractors.55 These figures indicate that the external workforce (see Box 4 above and Table 1.2 below) represented approximately 30 per cent of Defence’s human resourcing on an FTE basis, with contractors comprising 6.2 per cent of the total Defence workforce.

50 Defence advised the ANAO in December 2021 that the External Workforce Census and the External Service Provider expenditure review (used for reporting consultancy and non-consultancy expenditure in Defence’s annual report) are the whole-of-Defence processes that review contractor FTE and expenditure, each completed annually. Defence’s reported consultancy expenditure in 2020–21, as set out in the Defence Annual Report on pages 274–75 for that financial year, was $127,343,541 (GST inclusive) and non-consultancy expenditure reported was $27,012,913,250 (GST inclusive). See: Defence, Annual Report 2020–21 [Internet], available from

https://www.defence.gov.au/about/information-disclosures/annual-reports [accessed 1 April 2022]. 51 Information on the census is available from Department of Defence, Defence External Workforce Census, Defence, available from https://www.righttoknow.org.au/request/6547/response/18196/attach/5/Defence%20FOI%20049%202021%

20Document%20for%20Release.pdf [accessed 25 February 2022]. 52 Such as Defence HR systems, financial reporting and accounting systems, learning management systems, or ICT systems including databases of non-APS/ADF users with network access. 53 In February 2022 Defence advised the ANAO that: ‘concerning general network access, Defence users are,

very broadly, divided into three cohorts - Defence APS, ADF and “other”. Contractors fall into the “other” category and while Defence can generate a report specifying the number of “other” users with network access during specified periods through a range of methods, there is no capability to separate “other” into its constituent parts e.g. contractor, consultant, secondee, etc.’ Defence further advised that it takes into account a range of factors when granting network access, including

duration of employment. However, for users with limited term access, there is no requirement to provide a specialist type of access for a contractor and therefore no enduring data point that Defence can draw from or track. 54 Full Time Equivalent (FTE) is a measure of employee numbers used by both private and public sector organisations. The APSC has stated that FTE ‘is a count of all hours worked at a point in time and then converted to the number of full-time staff. For example, two staff each working 0.6 days per week would be counted as 1.2 FTE.’ See Appendix 3 of this audit. 55 The March 2021 census captured external workforce resources during the week of 1–5 March 2021.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

32

1.34 The most recent census results indicate that at the time of the census (March 2022) Defence had total resourcing of 112,943 FTE personnel, which comprised 16,595 APS, 61,468 permanent ADF and 34,880 external workforce personnel, including 8311 contractors.56 These figures indicate that the external workforce represented approximately 31 per cent of Defence’s human resourcing on an FTE basis, with contractors comprising 7.4 per cent of the total Defence workforce.

1.35 Defence budgets for its ADF workforce on an average funded strength (AFS) basis and for the APS workforce on an average staffing level (ASL) basis.57 Workforce planning is based on average funded strength for the ADF and average staffing level for the APS for the financial year.58 Defence uses actual FTE, which is paid strength on a particular date, to provide the most accurate indicator of current staffing levels.

1.36 Defence has advised the Parliament that the contractor FTE component, as reported in the March 2021 census, was 6810 FTE or 6.2 per cent of the total Defence workforce (permanent and reserve ADF and APS).59 Table 1.2 below sets out Defence’s publicly reported APS, ADF and external workforce by category at the time of each census.

Table 1.2: Defence’s workforce as reported in censuses of the external workforce

Workforce category

July 2019 March 2020 September 2020 March 2021 March 2022

APS 15,951 16,255 16,503 16,313 16,595

ADF 58,691 58,926 60,505 60,826 61,468

Contractor 4669 5361 5646 6810 8311

Consultant 250 255 284 314 370

Outsourced service provider (OSP) 18,405 23,017 25,710 25,363 26,199

Total workforce 97,966 103,814 108,648 109,626 112,943

Note: The external census reports from which these figures are drawn state that these figures are FTE based. Defence advised the ANAO in March 2022 that: ‘July 2019 to Sept 2020, ADF and APS data is AFS and ASL at a point in time comparable to the time of the Census. From March 2021, the ADF and APS figures are Guidance figures sourced from 2020–21 PBS to ensure alignment with publicly available information.’ March 2022 ADF and APS figures are planned workforce allocation figures sourced from the 2021–22 PBS. Source: Defence documentation.

1.37 Defence’s contractor workforce performs work in most parts of the entity.

56 The March 2022 census captured external workforce resources during the week of 28 February to 4 March 2022. 57 AFS is the average number of full-time equivalent permanent force members and reservists on Continuous Full-Time Service paid over a number of pay periods commencing from the start of a financial year. See: Department of Defence, Annual Report 2020–21, p. 110 [Internet], available from

https://www.defence.gov.au/about/information-disclosures/annual-reports [accessed 31 March 2022]. See also: Auditor-General Report No.44 2016–17 Army’s Workforce Management [Internet], published 27 March 2017, available from https://www.anao.gov.au/work/performance-audit/armys-workforce-management [accessed 31 March 2022]. 58 ibid.

59 This was a response to a question on notice from Senator Ayres on 31 August 2021 asking Defence to provide ‘Other Contractors; headcount and FTE’.

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

33

• Defence’s March 2021 external workforce census identified the top five primary activities conducted by contractors (accounting for approximately 83 per cent of Defence’s contractor workforce) as ‘Project Management’ (25 per cent), ‘Information Technology’ (18 per cent), ‘Platform or Fleet Sustainment and Maintenance’ (17 per cent), ‘Other’ (16 per cent), and ‘Administration’ (7 per cent).60

• The most recent (March 2022) external workforce census identified the top five primary activities conducted by contractors (accounting for approximately 82 per cent of Defence’s contractor workforce) as ‘Project Management’ (27 per cent), ‘Information Technology’ (18 per cent), ‘Other’ (16 per cent), ‘Platform or Fleet Sustainment and Maintenance’ (12 per cent), and ‘Administration’ (9 per cent).61

Previous audits and reports 1.38 Agencies’ management of their contracted workforce is considered when necessary in the conduct of ANAO audit and assurance work. Examples of ANAO performance audits which have considered the management of a contracted workforce include:

• Auditor-General Report No.2 2017–18 Defence’s Management of Materiel Sustainment62;

• Auditor-General Report No.38 2017–18 Mitigating Insider Threats through Personnel Security63;

• Auditor-General Report No.28 2018–19 Management of Smart Centres’ Centrelink Telephone Services — Follow-up64;

• Auditor-General Report No.1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1 (see Box 5 below)65;

60 For the March 2021 external workforce census, the ‘Other’ category was comprised of a range of contractor services including: psychology services; the Defence Export Advocate; corporate support functions, including strategy development and business management system optimisation and modelling; engineering and technical support; research and analysis; external board member services; and business advisor services. ANAO analysis of the raw census data indicated that other primary activity categories accounting for one or

more per cent of Defence’s contractor workforce as recorded in the 2021 census were ‘Education & Training’ (two per cent), ‘Finance’ (one per cent), ‘Logistics’ (five per cent), ‘Procurement’ (two per cent), and ‘Science and technology’ (three per cent). 61 For the March 2022 external workforce census, the ‘Other’ category was comprised of a range of contractor

services including: corporate support functions, including business management system optimisation and modelling; engineering and technical support; research and analysis; business advisor services; risk assurance and audit; and workforce supplementation. ANAO analysis of raw census data indicated that other primary activity categories accounting for one or more

per cent of Defence’s contractor workforce as recorded in the 2022 census were ‘Communications and Media’ (one per cent), ‘Education & Training’ (2 per cent), ‘Finance’ (one per cent), ‘Logistics’ (four per cent), ‘Procurement’ (three per cent), and ‘Science and Technology’ (five per cent). 62 In particular, paragraphs 5.11–5.16, as well as Box 5 of that report, discussed Defence’s engagement of contracted industry expertise to support implementation of the First Principles Review in relation to sustainment. 63 In particular, paragraphs 2.77–2.81 of that report. 64 In particular, paragraph 3.28 and Table 3.3 of that report discussed the Department of Human Services’ arrangements for supporting performance and quality improvements for contracted personnel. 65 In particular, pages 61–66 of that report.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

34

• Auditor-General Report No.4 2021–22 Defence’s Contract Administration — Defence Industry Security Program66; and

• Auditor-General Report No.6 2021–22 Management of the Civil Maritime Surveillance Services Contract.67

1.39 Examples of the issues identified in Auditor-General Report No.1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, are set out in Box 5 below.

Box 5: Defence’s management of its contractor workforce

During the course of the audit, a number of specific probity issues were identified which related to the management of probity in the program (including by contracted personnel) and which required attention. As discussed at pages 61–66 of the audit report, these issues pertained to the management of:

• conflicts of interest;

• use of panel arrangements for the program;

• gifts and hospitality; and

• the use of official information.

Defence agreed to an ANAO recommendation that it: review its probity arrangements for the program, particularly with respect to its use of contractors, and apply lessons learned to similar programs; and develop more robust processes for on-boarding contractors, including ensuring awareness of probity and information security requirements.

Further, the ANAO reported that Defence’s program change arrangements gave rise to both real and perceived conflicts of interest, as contractors were involved in the department’s substantive decision-making processes relating to their contracts, including contract variations with financial consequences for the Commonwealth. Defence agreed to an ANAO recommendation that it review program decision-making arrangements to ensure they avoid such real and perceived conflicts of interest.

1.40 The ANAO has prepared two information reports on procurement activity in the Australian public sector, which have included publicly available information on consultants:

• Auditor-General Report No.19 2017–18 Australian Government Procurement Contract Reporting; and

• Auditor-General Report No.27 2019–20 Australian Government Procurement Contract Reporting Update.

66 This audit concluded that Defence’s administration of contractual obligations relating to the Defence Industry Security Program were partially effective. 67 The audit examined whether contract managers were appropriately trained and experienced.

Background

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

35

1.41 These information reports presented publicly available data from public sector procurement activity in a number of ways.68 The publicly available data includes entity reporting on contracts relating to consultancies, including consultancy contract value.

Rationale for undertaking the audit 1.42 The APS workforce strategy states that the APS will continue to deploy a flexible approach to resourcing that strikes a balance between a core workforce of permanent public servants and the selective use of external expertise. This will mean a continuing mixed workforce approach, where APS employees and non-APS workers are used to deliver outcomes within agencies. In this context, the strategy highlights the value of ensuring that agencies take a structured approach to the use of non-APS employees. The approach adopted by the APS and its agencies has been the subject of ongoing parliamentary interest, with a number of reviews and parliamentary committee inquiries undertaken in recent years, discussed above at paragraphs 1.14–1.24.

1.43 This audit is one of a series of three performance audits undertaken to provide independent assurance to the Parliament on whether entities have established an effective framework for the management of the contracted element of their workforce. Defence was selected as one of the APS agencies in this audit series as it is a large and regular user of non-APS personnel. The other audits in this series review the management of contractors by the Department of Veterans’ Affairs and Services Australia.

Audit objective, criteria and scope

1.44 The objective of the audit was to examine the effectiveness of Defence’s arrangements for the management of contractors.

1.45 To form a conclusion against the audit objective, the following high-level criteria were adopted.

• Has Defence established a fit-for-purpose framework for the use of contractors?

• Does Defence have fit-for-purpose arrangements for the engagement of contractors?

• Has Defence established fit-for-purpose arrangements for the management of contractors?

1.46 The audit examined Defence’s framework of policies, plans, processes and guidance that apply to its use, engagement and day-to-day management of contractors.

1.47 The audit did not examine:

• the specific procurement arrangements through which particular contractors or outsourced service providers are engaged, or the assessment of the value-for-money aspect of specific decisions to engage such personnel instead of APS personnel;

• performance management in terms of specific contracted deliverables as this is part of the management of a contract; or

68 These information reports were neither an audit nor an assurance review, and no conclusions or opinions were presented.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

36

• the vetting process undertaken by the Australian Government Security Vetting Agency (AGSVA).69

Audit methodology

1.48 Audit procedures included discussions with relevant Defence officials and an examination of the following Defence documentation.

• Plans/forecasts/management decisions about workforce use.

• Guidance available to assist officials’ decision-making on whether to engage a contractor instead of an APS resource, including the information to be provided to delegates regarding such choices.

• The whole-of-Defence contracting mechanisms that are available for the engagement of contractors.

• Documentation that sets out mandatory training requirements and processes.

• Policies, processes and reporting that supports Defence’s compliance with PSPF policies 12–14 that relate to the onboarding, ongoing management (including where staff move within the entity) and offboarding of contracted staff.

• Management reports as evidence of the application of the Defence framework for the management of contractors.

1.49 The audit was open to contributions from the public. No submissions were received.

1.50 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $517,860.

1.51 The team members for this audit were Simon Gregor, James Woodward, James Wright, Michael Brown, Georgia Johnston, Natalie Whiteley, Kim Murray and Sally Ramsey.

69 Since AGSVA was established in 2010, the Australian National Audit Office (ANAO) has conducted three performance audits of personnel security arrangements, as effective arrangements underpin the protection of the Australian Government’s people, information and assets: Auditor-General Report No.45 2014–15 Central Administration of Security Vetting; Auditor-General Report No.38 2017–18 Mitigating Insider Threats through Personnel Security; and Auditor-General Report No.21 2020–21 Delivery of Vetting Services – Follow up.

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

37

2. Framework for using contractors

Areas examined This chapter examines whether the Department of Defence (Defence) has established a fit-for-purpose framework for the use of contractors.

Conclusion Defence has established a fit-for-purpose framework for the use of contractors. Enterprise-level guidance sets out the different personnel types, including contractors, and provides instructions for determining whether there is an operational requirement for the use of contractors on a case-by-case basis.

2.1 As discussed in paragraph 1.4, the APS Workforce Strategy 2025 released by the Australian Public Service Commission (APSC) identifies that an important element of successful mixed workforce models is a ‘structured approach to the use of non-APS employees’, which includes Australian Public Service (APS) agencies ‘considering where work would be best delivered by an APS employee.’ The strategy also states that:

The use of non-APS employees, including labour hire, contractors and consultants, brings different opportunities and risks for APS agencies to manage. Agencies relying on mixed workforce arrangements need to take an integrated approach to workforce planning that includes and best utilises their non-APS workers. This is particularly important where key deliverables are specifically reliant on this non-APS workforce.70

2.2 This chapter considers the framework established by Defence to guide decisions to use contractors. The ANAO examined whether guidance had been developed and issued by Defence, that:

• provided clarity about the different personnel types that are utilised as Defence’s external workforce, including the definition of ‘contractor’, so the most appropriate option is selected for a particular role; and

• assisted officials to determine whether there is an operational requirement for the use of contractors to support the efficient and effective use of resources.

Does Defence guidance provide clarity regarding the different personnel types, including contractors?

Defence guidance provides clarity regarding the different personnel types, including contractors.

2.3 Defence has provided guidance regarding the different personnel types in:

• a glossary of terms underpinning the Accountable Authority Instructions (AAIs); and

• the Defence Strategic Workforce Plan 2016–2026.

70 Australian Public Service Commission, Delivering for Tomorrow: APS Workforce Strategy 2025 [Internet], 18 March 2021, p. 27, available from https://www.apsc.gov.au/initiatives-and-programs/aps-workforce-strategy-2025 [accessed 6 January 2022].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

38

2.4 These documents are accessible through the Defence intranet and are referenced in related documents authorised by Defence’s senior leaders.

Glossary of terms underpinning the Accountable Authority Instructions

2.5 The Chief Finance Officer issued a glossary of terms on 15 July 2020 to support compliance with the Secretary’s Accountable Authority Instructions (AAIs). The glossary includes the definition of a contractor set out in Box 4 (Chapter 1).

Defence Strategic Workforce Plan 2016–2026

2.6 The purpose of the Defence Strategic Workforce Plan (2016–2026) was to identify ‘how Defence will deliver the workforce that is required now and in the future’. The plan outlined a need to ‘Optimise the workforce mix of ADF, APS, contractors and Defence industry to achieve highest value’ and identifies contractors and Defence industry as ‘Fundamental Inputs to Capability’. In outlining Fundamental Inputs to Capability planning considerations, the plan noted workforce resource considerations include contractor funding. The plan referred to Defence having an ‘integrated workforce’ which consists of ‘military (Permanent and Reserve Forces) and civilian (APS and contractor) workforces.’

2.7 The plan outlined an intended ‘future state’ for the integrated workforce in which ‘Contractors are used to supplement permanent workforces to provide expertise and skill where the workforce mix is required to deliver capability.’ In the ‘future state’, contractors are described as providing: ‘strategic advisory partnerships’; ‘specialist advice in areas where Defence does not have expertise’; and ‘specialist functions where Defence is unable to find internal resources.’

2.8 One of the risks to successful workforce management identified in the plan was:

Failure to effectively plan and manage the integrated workforce (ADF, APS and contractors). A short term, highly segregated view of this workforce will no longer suffice.

2.9 The plan included the following definition of a contractor:

A person who is engaged by Defence and represents a business resource and is subject to direct management by Defence and excludes contracts for outsourced services.

2.10 At the time the plan was published (2016), the use of contractors was concentrated in Estate and Infrastructure Group71, Capability Acquisition and Sustainment Group (CASG), and the Chief Information Officer Group.

2.11 Defence advised the ANAO in February 2022 that a new strategic workforce plan was being finalised during the course of this audit:

The Defence Strategic Workforce Plan 2021–2040 is an update to the extant Defence Strategic Workforce Plan 2016–2020, prepared in concert with the 2020 Force Structure Plan. The update details objectives for building the Defence workforce capacity to support more complex capabilities, new platforms, and emerging capabilities, such as those identified under AUKUS … the plan emphasises the importance of better integrating Defence’s internal and external workforces through a range of actions. Defence is finalising the Defence Strategic Workforce

71 Estate and Infrastructure Group became Security and Estate Group on 1 December 2021.

Framework for using contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

39

Plan 2021–2040 and its release will be aligned with any Government announcements related to workforce requirements associated with the 2020 Force Structure Plan.72

2.12 The new Defence Strategic Workforce Plan 2021–2040 sets out that it:

establishes enterprise level workforce objectives that must be met to support DSU20 [2020 Defence Strategic Update]

…

[and] details specific workforce challenges and enterprise-level objectives required to secure Defence’s workforce needs.73

2.13 The new plan does not define the term ‘contractor’ or refer to the AAI definition. This approach departs from that adopted in the previous plan (discussed in paragraph 2.9).

2.14 The new plan also sets out that:

Defence must continue to rebalance and redefine employment methods to expand its workforce pool while remaining within financial allocations. Defence will adjust its workforce mix of APS, ADF, contractors, consultants and academia through workforce planning and management initiatives that ensure the Defence workforce is cost effective and sustainable. This will require changes to the mix of workforce types and numbers, across Defence and within Domains, to meet the capability priorities and schedule outlined in FSP20 [2020 Force Structure Plan].

…

The contractor workforce, and the competition both with it and for its services, is not wholly within Defence’s influence. Aggregate demand for contracted labour from public sector agencies and Defence industry makes it complex to assure contractor supply.

The contracted workforce is an important resource for supplementing Defence’s internal workforce, although in some cases it is an unsustainable capability solution. In these cases, successfully balancing short term workforce needs with long term capability requirements requires careful management.

2.15 The enterprise level objectives referred to in the new strategic workforce plan are discussed below at paragraphs 2.23–2.24.

2.16 In summary, Defence has provided clear, accessible guidance regarding the different personnel types, including contractors, in the glossary to the AAIs. While the previous version of the strategic workforce plan also defined the different personnel types, the updated plan does not include a definition or a reference to the AAI definition, which reduces clarity.

72 Department of Defence, 2020 Force Structure Plan [Internet], available from https://www.defence.gov.au/about/publications/2020-force-structure-plan [accessed 1 April 2022]. 73 Department of Defence, 2020 Defence Strategic Update [Internet], available from https://www.defence.gov.au/about/publications/2020-defence-strategic-update [accessed 1 April 2022].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

40

Does Defence provide guidance on determining whether there is an operational requirement for the use of contractors?

Defence provides guidance, principally through the Contractor Engagement Governance Framework, on the process for engaging a contractor. The framework applies to all Defence personnel and aids compliance with the Secretary’s Accountable Authority Instructions (AAIs). The framework requires officials to undertake a structured assessment of operational requirements, on a case-by-case basis, when deciding to use a contractor.

2.17 Defence has provided the following guidance to its officials about the operational requirements for the use of contractors, to inform their decision-making.

Accountable Authority Instructions (AAIs)

2.18 Defence’s AAI 2: Spending Defence Money — Procurement states that:

Contractors, Consultants and Outsourced Service Providers (CCOSPs)

37. The need to engage a CCOSP occurs because Defence does not have internal staff resources to fulfil a business need. CCOSP engagements are often linked to workforce planning considerations, particularly when the need is likely to be ongoing. SES Band 1/1 Star level or above officials are in the best position to make workforce planning decisions.

Strategic workforce planning and forecasting of operational requirements

2.19 The Defence Strategic Workforce Plan (2016–2026) sets out that:

The Defence workforce is large, complex and dynamic. The internal workforce comprises around 100,000 military and Australian Public Service personnel whose skills are categorised into hundreds of occupational groupings. This workforce is supported by contractors and Defence Industry, and all are recognised as components of Fundamental Inputs to Capability. The mix of military, Australian Public Service and contractor workforce is continually adjusted in response to preparedness requirements, force design reviews and emerging capability requirements identified in the Defence White Paper.

Planning and managing this workforce requires an integrated, enterprise approach to recruiting, career and talent management, workforce mobility, education and training, learning and development, transition and re-engagement, and partnering with external organisations.

2.20 The plan did not step through a structured approach to the use of non-APS employees at an entity level, as suggested by the APSC in the APS Workforce Strategy 2025, but did identify a need for such an approach.

2.21 Defence does not forecast the proportion of its workforce that will be comprised of an external workforce, including contractors, across its forward plans. The ANAO asked if Defence’s workforce planning and forecasting incorporates the external workforce, including the use of staff and services obtained using contracts. Defence advised the ANAO in October 2021 that:

Framework for using contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

41

the Enterprise Business Committee74 required Defence People Group to develop an enhanced workforce planning and forecasting process including external workforce as part of Defence’s contractor governance framework.75 Confirmation could be done with each Group and Service, if they have their own contractor workforce forecasting program.

2.22 Defence People Group further advised the ANAO in October 2021 that:

Defence workforce planning and forecasting considers two separate resourcing allocations, (1) workforce allocations approved by Government for both Australian Defence Force and Defence Australian Public Service personnel that equate to an average funded number of people, with Defence maintaining workforce guidance trails that track all decisions made by Government and (2) monetary allocations managed in the same way as any budgeted amount that may be utilised for workforce, including for external workforce. For example, a monetary allocation could be for payment of reserve force personnel, for engagement of different types of contracted personnel, or allocated to a capability program via the Integrated Investment Portfolio and then ultimately distributed to workforce.

For both types of resourcing allocations, management, including workforce planning and forecasting, is conducted at several different levels that are related to the management delegation of the allocation. Forecasting occurs at those same levels, and may be short term (current financial year) or long term (against different future scenarios looking up to 40-50 years ahead). Budgetary provision for external workforce is included in Suppliers expenses, not Employee Expenses budgets or workforce guidance trails.

Workforce Planning Branch in Defence People Group regularly forecasts anticipated achievement against the Government approved workforce allocations76 … utilising discrete event simulation ... While these forecasts do not specifically include external workforce they do provide an indication of whether supplementation in the form of external workforce may be required in the future.

2.23 Defence’s Strategic Workforce Plan 2021–2040 sets out the following objectives, to be achieved by Quarter 4 2022, in relation to implementing a more structured approach to planning and managing the internal and external workforces:

1.3 Implement a research approach that produces a more sophisticated and granular understanding of the labour market and workforce mix options, to enhance workforce planning capabilities across the enterprise.

74 ANAO comment: the committee is described by Defence as responsible for exercising strategic control and assurance over the management of the Defence organisation and is focused on ensuring that enterprise strategy, capability and resources are aligned with government policy and legislative requirements. See Department of Defence, Defence Enterprise Committees [Internet], available from https://defence.gov.au/Decisions.asp [accessed 24 January 2022]. 75 ANAO comment: ANAO review of Enterprise Business Committee outcomes found that this task was jointly

assigned to Defence People Group and Capability Acquisition and Sustainment Group in July 2017. 76 ANAO comment: Defence advised the ANAO in May 2022 that: When referring to the entire workforce, as in this case, Defence uses more general terms like ‘Government approved workforce allocations’ to capture all workforce elements. The definition of—

and calculations related to—ASL are based on a 37.5 hour working week. The ADF has radically different conditions of service compared to the APS including working hours that vary substantially from one situation to another, so ADF workforce strength is measured in Average Funded Strength (AFS) rather than ASL.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

42

1.4 Deliver and sustain an Enterprise Resource Planning system (and associated systems) that enables sophisticated workforce planning for internal and external workforces.77

2.24 Defence advised the ANAO in March 2022 that Objectives 1.3 and 1.4 in the Strategic Workforce Plan 2021–2040 were identified as:

the two key actions required to enable a more structured approach to planning and managing the internal/external workforce mix.

Contractor Engagement Governance Framework

2.25 In November 2018, Defence released the Contractor Engagement Governance Framework.78 The accompanying announcement stated that the framework ‘implements an Enterprise Business Committee directive to strengthen workforce planning governance when considering the engagement of Contractors, Consultants and Outsourced Service Providers’.

2.26 The framework sets out that:

This Framework applies to all Defence officials and requires officials to undertake structured and careful assessments of workforce requirements when deciding whether engaging a Contractor is the soundest strategy.

2.27 The framework is to support structured decision-making about the use of contractors at the local level, on a case-by-case basis. The key features of the framework are set out in Box 6 below.

Box 6: Defence’s Contractor Engagement Governance Framework

The key features of Defence’s Contractor Engagement Governance Framework are that it:

• establishes the process to assist Defence officials decide whether the procurement of a Contractor should be undertaken;

• includes a definition of the term ‘Contractor’; and

• reiterates the requirements set out in Defence Accountable Authority Instruction (AAI) 2 – Spending Defence Money – Procurement that:

− the approval of an SES or star-ranked official (SES/Star) must be obtained and documented, before approaching the market to engage a Contractor.a

77 ANAO comment: Defence advised the ANAO in April 2022 that: Defence workforce including ADF, APS and contracted workforce will be supported in ERP [Enterprise Resource Planning system] through an interim solution in Tranche 1B due for delivery in 2023, with the full realisation of the human resource solution to be delivered in Tranche 3. Government has approved funding for Release 1–5 of Tranche 3 (T3A) and the funding for the further Releases 6–10 (T3B) will be known in Q3 2023. Human resource foundational data is being accomplished in Tranche 1B; however Tranche 3 is broken into 10 releases that will be delivered out to 2027/28 and will include a full range of human resource functionality (including: positions, people, skills and qualifications, core human resources, performance management, learning, recruiting and on - boarding, workforce planning and workforce analytics with further scope to be determined). Most notably, core human resource functions across the Defence workforce will be realised in Tranche 3 Release 2 currently due for delivery Q2 2024 with workforce planning scheduled for delivery in Release 3 Q4 2024. 78 Defence officials were informed of the release of the framework, as approved by the Associate Secretary, in a

Defence-wide communication released by the First Assistant Secretary, Procurement and Contracting on 8 November 2018.

Framework for using contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

43

− the Secretary must be advised before approaching the market when a Contractor's estimated daily rate is at or above $4,500 (including GST).

Note a: Defence provided the ANAO with an example of how this could be done. An electronic form had been introduced for this purpose in August 2020 (‘AF043 - SES or Star Approval to Engage a Contractor, Consultant or Outsourced Service Provider (CCOSP)’). Use of the form is not mandatory. Source: Defence documentation.

2.28 The process for deciding whether to engage a contractor is set out in a fact sheet — titled Engaging Contractors, Consultants and Outsourced Service Providers–Decision Making Governance — which includes a series of steps with guiding questions, and a decision tree to support Defence officials in their decision-making and in documenting the decision. The guidance is summarised in Appendix 4.

2.29 The announcement mentioned in paragraph 2.25 stated that framework requirements had been reflected in updates to the Defence Procurement Policy Manual (DPPM), the complex procurement guide, the simple procurement process tool and the AE643 Defence Purchasing Form. For example, the DPPM, which documented Defence’s procurement framework until mid–2021, stated that:

It is best practice to seek approval to undertake a process to procure a Contractor, Consultant, or Outsourced Service Provider prior to approaching the market. Should approval be sought as part of the commitment of relevant money, and the approval is not given, this may be a breach of CPR

10.35, which limits the ability of Defence officials to cancel a procurement once the process has been undertaken.

Defence officials should refer to the Glossary – Accountable Authority Instructions and Defence Financial Delegations for the definition of Contractors, Consultants and Outsourced Service Providers. Defence officials should refer to the Engaging Contractors, Consultants and Outsourced Service Providers – Decision Making Governance Fact Sheet for further guidance on the evidence required to justify the procurement of Contractors, Consultants or Outsourced Service Providers.79

2.30 The Defence Procurement Manual (DPM), issued on 1 July 2021, superseded the DPPM. It incorporates much of the guidance in the DPPM, including the AAI requirement that at a minimum, SES Band 1 / 1 Star approval is required if engaging a CCOSP. Defence Procurement Policy Directives previously set out in the DPPM have been largely incorporated into Defence’s Procurement and Contracting Requirements issued on 1 July 2021, which are to be read in conjunction with the DPM.

79 Department of Defence, Defence Procurement Policy Manual, Version 1.9, 26 February 2021, p. 43 [Internet], available from https://www.defence.gov.au/sites/default/files/2021-04/External%20DPPM.pdf [accessed 28 February 2022]. As of 9 June 2022, Defence had not posted the Defence Procurement Manual on its external website. Defence Procurement Policy Directive D10, at p. 42 of the DPPM, stated that: ‘When undertaking a process to

procure a Contractor, Consultant or Outsourced Service Provider, Defence officials must: obtain and document approval from a Defence official at the Senior Executive Service (SES) Band 1 / 1 Star level or above prior to or as part of the approval of the commitment of relevant money for the proposal; and advise the Secretary when the daily rate of the Contractor, Consultant or Outsourced Service Provider is at or above $4,500 (including GST).’

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

44

3. Arrangements for engaging contractors

Areas examined This chapter examines whether the Department of Defence (Defence) has fit-for-purpose arrangements for the engagement of contractors.

Conclusion Defence has largely fit-for-purpose arrangements for the engagement of contractors. Defence has established standing offer arrangements for engaging contractors, and a contracting suite has also been developed and tailored for their engagement. Defence has established arrangements to support incoming contractors to understand their obligations and to support compliance with the majority of Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel requirements, but is not well-placed to provide assurance, at the enterprise level, that these arrangements are being consistently implemented when contractors are engaged.

Areas for improvement The ANAO identified two areas for improvement. These related to the inclusion of a reference to mandatory record keeping training requirements in Defence guidance on engaging contractors, and the provision of assurance that contractors are meeting mandatory induction requirements.

3.1 Defence’s contracting templates, standing offer arrangements, induction arrangements and arrangements to support compliance with PSPF Policy 12: Eligibility and suitability of personnel are the primary mechanisms through which the department ensures that contractors are obliged to comply with Defence policies and Commonwealth legislation, understand their obligations and are suitable to access Defence information.

3.2 This chapter considers the arrangements established by Defence for engaging contractors. To form a view on the fitness-for-purpose of Defence’s arrangements for engaging contractors, the ANAO examined the standing offer arrangements and contracting templates used for engaging contractors. Well-designed arrangements, contracting templates and clauses help operationalise requirements and assist officials to consistently apply them at the point of engagement. They also document the expectations placed on contractors and provide a basis for managing performance and non-compliance. In addition, the ANAO examined:

• the induction arrangements established to help contractors understand what their responsibilities are and how to meet their obligations when working for Defence; and

• the policies and processes in place to ensure that the eligibility and suitability of contractors to access Australian Government resources has been established at engagement, as required by PSPF Policy 12: Eligibility and suitability of personnel.80 Monitoring and reporting on compliance with the policy was also examined.

80 The PSPF defines ‘personnel’ as employees and contractors, including secondees and any service providers that an entity engages: PSPF Policy 12: Eligibility and suitability of personnel, v.2018.3 [Internet], available from https://www.protectivesecurity.gov.au/publications-library/policy-12-eligibility-and-suitability-personnel [accessed 27 September 2021].

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

45

Does Defence have a contracting suite that is tailored for the use of contractors?

Defence has established standing offer arrangements and a contracting suite that is tailored for engaging contractors for a range of services. To aid the selection and tailoring of contract templates Defence has established a Contract Template Selection and Tailoring Guide. The eight standing offer arrangements and contracting templates reviewed by the ANAO included clauses addressing, as necessary, the mandatory workplace requirements highlighted in Defence’s fact sheet titled Obligations of Contractors, Consultants and Outsourced Service Providers working in Defence.

3.3 The engagement of a contractor is a procurement process and requires the establishment of a contract between Defence and the contractor or the contractor’s employer. As discussed in Chapter 2 at paragraphs 2.29–2.30, the Defence Procurement Policy Manual (DPPM) and its replacement, the Defence Procurement Manual (DPM), have included high-level guidance and directions relating to decision-making by Defence officials to procure a contractor, consultant or outsourced service provider. The DPPM stated that:

the endorsed Defence contracting templates have been drafted and are regularly updated to give effect to applicable Commonwealth legislation and policy (including the CPRs), and applicable Defence policy. These templates have been developed to assist Defence officials to comply with applicable legislation and policy requirements if used for the purposes for which they are intended.81

3.4 Similarly, the DPM states that the templates:

are regularly updated to ensure that they comply with all applicable legislation and policy requirements. If used for the purposes for which they intended, these templates can assist Defence officials with compliance with these requirements.

Guidance on the selection of contracting mechanisms to engage contractors

3.5 Defence’s Accountable Authority Instruction (AAI) 2: Spending Defence Money— Procurement states that82:

18. You must:

(a) ensure a proposed arrangement is a procurement;

(b) comply with the CPRs;

81 Department of Defence, Defence Procurement Policy Manual, Version 1.9, 26 February 2021, p. 6 [Internet], available from https://www.defence.gov.au/sites/default/files/2021-04/External%20DPPM.pdf [accessed 28 February 2022]. As of 9 June 2022, Defence had not posted the Defence Procurement Manual on its external website. 82 Department of Defence, Accountable Authority Instruction (AAI) 2: Spending Defence Money—Procurement,

1 February 2022. ANAO comment: the current version of AAI 2 came into effect on 1 February 2022, replacing the 1 July 2021 version. Paragraph 18, item c. in the 1 July 2021 version required Defence officials to ‘use endorsed contracting templates unless otherwise approved by Defence Commercial Division’. Paragraph 31 in the July

2021 version stated: ‘For panels/standing offer arrangements established by Defence you must use that arrangement unless a Group Head or Service Chief has approved otherwise or you are procuring from an indigenous supplier.’

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

46

(c) use an endorsed Defence contracting template. Where an endorsed Defence contracting template would normally be used but is not used, or is modified in a material respect, you must engage with Defence Legal consistent with Defence Instruction Administrative Policy;

…

21. Where the goods and services you are procuring are covered by a mandated whole of government arrangement you must use that arrangement. Exemptions can only be granted jointly by the Minister for Defence and the Finance Minister where a special need for an alternative process can be demonstrated or the coordinated procurement allows for an alternative approach.

22. You must consider opportunities for Indigenous suppliers and comply with all mandatory requirements within the Indigenous Procurement Policy.

…

31. You must use panels83/standing offer arrangements established by Defence unless:

(a) you are using a whole of government arrangement;

(b) you are using an Indigenous supplier in accordance with the Indigenous Procurement Policy; or

(c) a Group Head or Service Chief has approved otherwise or paragraphs 21 and 22 of this AAI apply to your procurement.

3.6 Defence has approved work order templates for procurement (which includes engaging contractors) undertaken using an existing panel arrangement. Defence advised the ANAO in October 2021 that:

Defence engages contractors through whole of government mandated panels … other agencies’ panels that allow ‘piggybacking’, and internal Defence panels such as the Major Service Provider (MSP) Panel, the Defence Services Support (DSS) Panel, the Eminent Persons Panel and the Negotiation Services Standing Offer Panel.

3.7 Defence further advised the ANAO in March 2022 that it engages contractors through the Information and Communications Technology Panel Arrangement, and that this panel and those referred to in its October 2021 advice were ‘the primary mechanism for engaging contractors.’ In May 2022 Defence clarified its March 2022 advice as follows:

83 ANAO comment: A panel arrangement is a way to procure goods or services regularly acquired by entities. In a panel arrangement, suppliers have been appointed to supply goods or services for a set period of time under agreed terms and conditions, including agreed or indicative pricing in some cases. Once a panel has been established, an entity may then purchase directly from the panel by approaching one or more suppliers. Each purchase from a panel represents a separate procurement process. When accessing a panel, an official must be able to demonstrate value for money has been achieved for each engagement. Procurements from existing panels are not subject to the rules in Division 2 of the Commonwealth Procurement Rules. However, these procurements must still comply with the rules in Division 1. A contract (often referred to as a Work Order or an Official Order) is formed under a Panel each time an entity purchases goods or services under the panel arrangement. A panel cannot be used to purchase goods or services that fall outside the scope of the arrangement. Any other service outside of the Panel provided by that business would need to be procured via a different procurement process. Source: Department of Finance, Procuring from a Panel – Panels 101 [Internet], available from

https://www.finance.gov.au/government/procurement/buying-australian-government/procuring-panel-panels-101 [accessed 14 January 2022].

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

47

AAI 2, para 31 requires ‘…You must use panels/standing offer arrangements established by Defence unless…’. Given Defence panels exist, such as the Major Service provider, Defence Support Services and Information and Communications Technology Provider Arrangement, these are the primary mechanisms for engaging contractors.

3.8 Endorsed Defence contracting templates such as the Australian Standard for Defence Contracts (ASDEFCON) suite are generally only used to engage contractors if:

• a mandated Whole-of-Government arrangement does not exist;

• an internal Defence panel is not available or appropriate; and

• an exemption for using the Commonwealth Contracting Suite (CCS) does not apply or the procurement is above the threshold.84

3.9 Defence has issued a Contract Template Selection and Tailoring Guide.85 The stated purpose of the guide is ‘to provide guidance to personnel conducting procurements. The guide is aimed at assisting with the selection of an appropriate contracting template and outlining the process for tailoring the selected template’. The intended user group of the guide is stated to be ‘Defence staff and external agencies intending to use the associated Australian Standard for Defence Contracts (ASDEFCON) templates’.86

3.10 The guide includes decision trees to aid selection of an appropriate contract template. The contract templates that the decision trees identify as relevant for engaging contractors are discussed below.

Engagements valued at less than $200,000

3.11 Consistent with Defence’s Accountable Authority Instructions, the guide instructs officials to use a suitable standing offer or panel arrangement that covers the identified need (which would include a Whole-of-Government Arrangement) if one exists.

3.12 If a suitable standing offer panel is not available, the guide states that officials must use the Commonwealth Contracting Suite (CCS) for procurements valued at less than $200,000, unless the procurement has been assessed as exempt from this requirement by applying the Defence specific Commonwealth Contracting Suite Decision Tree.87

84 Non-corporate Commonwealth entities must use the CCS when purchasing goods or services valued under $200,000 (GST inclusive) where a formal contract is required, except where a specific exemption listed. See: Department of Finance, RMG No. 420 Mandatory use of the Commonwealth Contracting Suite for procurement under $200,000 [Internet], Resource Management Guides, available from https://www.finance.gov.au/publications/resource-management-guides/mandatory-use-commonwealth-contracting-suite-procurement-under-200000-rmg-420 [accessed 1 April 2022]. The CCS, which is administered by Finance, does not, for example, reference Defence specific policy such as

the Defence Industry Security Program (DISP). See: Auditor-General Report No.4 2021–22 Defence’s Contract Administration — Defence Industry Security Program, footnote 27. 85 Department of Defence, Contract Template Selection and Tailoring Guide, ASDEFCON Suite of Tendering and Contracting Templates [Internet], available from https://www.defence.gov.au/sites/default/files/2020-

06/ctstg_version_2_1-9-8605.pdf. Version 2.1 of the guide, which was released in April 2016, remains extant guidance and was available on Defence’s intranet as of March 2022. 86 How these templates apply to the engagement of contractors is discussed further at paragraphs 3.11–3.16. 87 The CCS Decision Tree is a smart form that includes policy and process considerations in the correct order to

assess if the CCS is right for a procurement.

Footnote continued on the next page…

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

48

Engagements valued at more than $200,000

3.13 If a suitable standing offer panel is not available and the procurement is valued at greater than $200,000 in value, the guide instructs officials to use a service based ASDEFCON template.88

3.14 The Defence Procurement and Contracting Requirements89 state that officials must do the following.

• Consider using the CCS for procurements valued between $200,000 and $1 million (GST inclusive).

• Use ‘an endorsed Defence contracting template if one exists for the type of procurement being undertaken’ if the CCS is unsuitable, or the procurement is valued at or above $1 million (GST inclusive).

3.15 Defence has developed and maintains two main approved suites of contracting templates for contracts valued at $200,000 or greater. These are:

• Australian Standard for Defence Contracting (ASDEFCON) suite of contract templates, administered within CASG90; and

• Defence Facilities and Infrastructure suite of contract templates, administered within Defence’s Security and Estate Group.91

3.16 In summary, Defence has established a range of contracting arrangements and templates that can be used to engage contractors. Selection of the most appropriate contract is guided by whether an appropriate existing panel arrangement exists, the value of the procurement and the nature of the services being provided. Defence has a range of procurement policy and guidance documents which assist in selecting the most appropriate arrangement.

See: Department of Finance, Commonwealth Contracting Suite (CCS) [Internet], Procurement, available from https://www.finance.gov.au/government/procurement/commonwealth-contracting-suite-ccs [accessed 11 February 2022]. 88 The guide sets out that the following templates may be used for the non-ma

teriel procurement of services:

ASDEFCON (Shortform Services), including its modified Form AC565, Eminent Persons Engagement Agreement, ASDEFCON (Services) and ASDEFCON (Standing Offer for Services). 89 This is discussed at paragraph 2.30. 90 In December 2020, the Minister for Defence Industry announced a review of the ASDEFCON templates. In December 2021, the minister announced that the review had been completed. See: Department of Defence, ASDEFCON and Defence Procurement Review [Internet], 23 December 2021, available from https://www.minister.defence.gov.au/sites/default/files/fact_sheet_-_asdefcon_and_defence_procurement_review_2.pdf [accessed 7 February 2022]. The resultant report made seven recommendations aimed at reducing the time taken to get to contract and Gate 2 submissions to government; improving communication with Defence industry; ensuring an ‘agile template and process’, developing a contractor accreditation program; ensuring Defence is able to deploy a sufficient number of personnel with commercial expertise across the required range of procurements; improving guidance, training and consistency in Defence capability acquisition; and developing more agile and cost effective approaches to market. See: Department of Defence, ASDEFCON and Defence Procurement Review 2021 [Internet], available from https://www.minister.defence.gov.au/sites/default/files/asdefcon_and_defence_procurement_review_2021. pdf [accessed 7 February 2022]. 91 Estate and Infrastructure Group became Security and Estate Group on 1 December 2021.

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

49

Contracts establish obligations of contractors when working with Defence

3.17 Defence has prepared a fact sheet — titled Obligations of Contractors, Consultants and Outsourced Service Providers working in Defence — which ‘provides guidance for Contractors, Consultants and Outsourced Service Providers (“CCOSPs”) and the Defence personnel managing them, on their mandatory obligations when working in Defence.’

3.18 The fact sheet, last updated in July 2021, states that:

In the Defence environment, CCOSPs and Defence Officials must comply with obligations prescribed in Commonwealth legislation, Defence policy and its associated controls. CCOSPs’ contracts of engagement are generally the basis for Defence’s control and oversight of outsourced functions, and should contain all relevant obligations.

3.19 The fact sheet further states that:

These obligations include the requirements for CCOSPs to comply with:

• Accountable Authority Instructions (AAIs) and Financial Delegations policy (FINMAN)92;

• Procurement policy;

• Security policy;

• Work Health and Safety (WHS) policy;

• Public Interest Disclosure scheme;

• managing and reporting of fraud, unacceptable behaviour, Notifiable Incidents and incident reporting policies; and

• probity controls and integrity policies, including those prescribing management of conflicts of interest, post separation employment, and gifts, hospitality and sponsorship.93

3.20 In relation to these obligations, Defence advised the ANAO in March 2022 that the fact sheet:

identifies a number of obligations for CCOSPs to comply with based on their contract, role, status (for example, Prescribed Official94) and law. The list does not mean that all obligations apply to each CCOSP, which is why they are not included in all templates.

3.21 The ANAO reviewed the clauses in eight Defence standing offer arrangements and contracting templates used to engage contractors, for their alignment with the obligations Defence

92 ANAO comment: Defence advised the ANAO in March 2022 that FINMAN had been superseded by the Defence Financial Delegations on 1 July 2020. 93 ANAO comment: these obligations are intended to mirror the expectations placed on Defence’s APS personnel and form part of the induction requirements that apply to all personnel. 94 ANAO comment: this refers to persons who are considered to be officials under the Public Governance,

Performance and Accountability Act 2013. Such persons may, for example, exercise powers under delegation.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

50

has highlighted in the fact sheet.95 The ANAO did not test whether relevant clauses have been included in actual contracts or work orders established by Defence.96

3.22 Each standing offer arrangement and contract template reviewed by the ANAO contained clauses covering all or most of the mandatory requirements highlighted in the fact sheet relevant to the type of engagement. There were three documents which did not include a reference to the Public Interest Disclosure scheme.

3.23 Defence advised the ANAO in March 2022 that:

the Factsheet is not intended to create any obligations that do not already exist in AAI 2 (if the contractor is a prescribed official), Defence templates and under legislation. A service provider under a Commonwealth contract can make a PID [Public Interest Disclosure] under the legislation and this requirement does not need to be in their contract to do so. The general drafting principle in Defence is that legislative requirements are generally only referenced in Defence templates if the legislation requires the contractor to perform work and this work may have a cost associated with it.

3.24 Defence further advised the ANAO in April 2022 that:

Defence originally promulgated PID requirements as an internal policy instruction (interim Defence Instruction (General) 45-8). This DI(G) was cancelled as it repeated the legislation. When the DI(G) was cancelled, the templates that referenced this policy were updated to refer to the PID legislation instead, which as advised, may not have been necessary as a service provider under a Commonwealth contract can make a PID under the legislation without this reference being in their contract. While the exclusion of references to PID in some templates and standing offer arrangements does not create any risk for Defence, for consistency Defence may update our templates in the future to remove all references to PID.

3.25 The standing offer arrangements and contract templates reviewed by the ANAO also included performance management frameworks, including specific termination clauses to manage non-compliance with required performance standards and mandatory policies referred to in the contract.

95 The ANAO did not review the Commonwealth Contracting Suite templates as Defence does not control the content of those templates. The ANAO reviewed the following Defence standing offer arrangements: ASDEFCON (Standing Offer for Services), Version 2.5, 15 October 2019; Defence Support Services Panel Deed, 27 February 2020; Enterprise

Support Services Agreement, January 2018; Information Communications Technology Provider Arrangement Deed, January 2019. The ANAO reviewed the following contracting templates: ASDEFCON (Services) Version 3.0, 17 December 2019; ASDEFCON (Shortform Services), Version 2.3, 24 June 2019; Defence Facilities and Infrastructure (Project

Management/Contract Administration), 20 July 2020; and Defence Facilities and Infrastructure (Short Form Consultancy), July 2020. The conditions of contract document(s) were reviewed for contracting templates. For the standing offer arrangements, the overarching agreement or deed and terms and conditions documents were reviewed. The

Enterprise Support Serves Agreement (ESSA) is the overarching arrangement under which the four Major Service Provider (MSP) consortia are engaged by CASG. 96 Such analysis was not possible due to Defence’s systems not being able to facilitate drawing a sample of contractors with contracts under the various arrangements to enable testing of individual contracts.

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

51

Does Defence have fit-for-purpose arrangements for inducting contractors?

Defence has fit-for-purpose arrangements for inducting contractors. However, the department’s ability to determine the effectiveness of these arrangements is impacted by the lack of systematic monitoring and reporting on compliance with the arrangements, and inconsistent practice across the Defence Groups and Services. Defence has established induction requirements for contractors and there is mandatory training covering all policies and processes that contractors, other than those designated as prescribed officials, are obliged to comply with according to the contractor specific guidance. The guidance does not refer to record-keeping training which, according to Defence policy documents, is mandatory for users of Defence’s record keeping system. An e-learning platform has been established to support personnel to obtain and maintain their training requirements, and contract managers are responsible for monitoring contractors’ completion of mandatory training. Some Defence Groups and Services have established additional processes at the Division level or below for monitoring the completion and maintenance of mandatory training requirements. Defence does not review data on completion rates for mandatory induction training for Other Defence Support (ODS) personnel, which is a workforce category that includes contracted personnel.

Induction requirements and training for contractors

3.26 In terms of whole-of-Defence induction requirements, Defence advised the ANAO in December 2021 that:

a number of resources, policies and training are available on the Defence Protected Environment for all Defence personnel, including Contracted staff, to undertake and/or review to ensure that they are complying with the standards and key expected behaviours of Defence.

3.27 Defence has established an online learning platform accessible to all Defence personnel (including contractors) named ‘Campus’. Defence advised the ANAO in December 2021 that mandatory annual/biannual courses covering the following aspects of key expected behaviours and standards were available on Campus: Annual Security Awareness; Workplace Behaviour; Fraud and Integrity; and Work Health and Safety for Defence. The enterprise-level policies that these courses relate to, the induction training requirements and the timeframes for completion are set out in Appendix 5.

3.28 In addition, Defence advised that courses covering the following matters were also available to contractors on ‘Campus’: Conflict Resolution for Managers; Procurement Essentials and Contract Management; Introduction to Finance in Defence; Objective User Training97; and Responsible Record Keeping.

3.29 The ANAO reviewed the content of the mandatory annual courses and additional courses referred to in Defence’s December 2021 advice to the ANAO on contractor induction, to assess the extent to which the obligations referred to in the fact sheet (see paragraphs 3.17–3.25) have been covered. The results of the analysis are summarised below in Table 3.1.

97 Objective is Defence’s electronic document and records management system.

Table 3.1: ANAO analysis of Defence’s mandatory induction and additional training — coverage of contractor obligations as referred to in the fact sheet

Defence contractors must comply with these obligationsa

Induction course

AAIs and FINMANc Procurement policyc

Security policy

Work Health and Safety (WHS) policy

Public Interest Disclosure scheme

Management and reporting of fraud, unacceptable

behaviour, Notifiable Incidents and incident

reporting

Probity controls and integrity policies

Annual Mandatory Trainingb

1. Security Awareness 

2. Workplace Behaviour Mandatory Awareness 

3. Fraud and Integrity Awarenessd   

4. Work Health and Safety for Defence 

Additional Training

1. Conflict Resolution

2. Conflict Resolution for Managers

3. Procurement Essentials and Contract Management 

4. Introduction to Finance in Defence 

5. Objective User Training

6. Responsible Recordkeeping

Note a: Ticks in this table indicate that the training course includes material covering an obligation referred to in Defence’s fact sheet Obligations of Contractors, Consultants and Outsourced Service Providers working in Defence (CCOSPs). Note b: Defence advised the ANAO in May 2022 that: ‘Contractors and External Service Providers (ESPs) are required to meet Defence workplace pre-requisites and adhere to relevant Government policies and legislation. This includes training in workplace practices and Defence Values. Defence requires that these occur to an accepted

Defence standard. However, responsibility for the provision of this type of training does not necessarily lie with Defence and therefore needs to be clearly articulated in any contractual arrangements. If considered appropriate, Contractors and ESPs are able to undertake the mandatory awareness programs either by attending the awareness sessions or completing the training online through Campus.’ Training requirements for contractors, as set out in Defence enterprise-level policy, can be found at Appendix 5. Note c: Obligations pertaining to Defence’s AAIs, FINMAN and procurement policy are noted in the CCOSP fact sheet as relevant only to contractors who are designated as

‘prescribed officials’. Defence advised the ANAO in March 2022 that FINMAN was superseded by the Defence Financial Delegations on 1 July 2020. Note d: Defence advised the ANAO in February 2022 that the mandatory Fraud and Integrity Awareness training course on ‘Campus’ covers the Public Interest Disclosure Scheme (PID) and that this course was available to contractors during the period December 2021–January 2022. Defence further advised that the training ‘provides basic information about the PID Act and its purpose, protections available to disclosers, how to report to an Authorised Officer and where to find more detailed

information.’

Source: ANAO analysis of Defence documentation.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

54

3.30 The ANAO’s review of the courses referred to in Defence’s December 2021 advice (discussed in paragraph 3.26) found that the contractor obligations referred to in the CCOSP fact sheet were covered by mandatory and additional training courses available on the ‘Campus’ learning platform.

3.31 ANAO review of the Defence intranet and the relevant Campus course description found that the Responsible Recordkeeping course, which covers ‘essential Records Management Principles’ and ‘key Records Management legislation’ was mandatory for all new Objective users.98 There would be benefit in updating the CCOSP fact sheet, which provides guidance on the engagement of contractors, to include a reference to record-keeping expectations.

Monitoring the completion of training

3.32 In respect to monitoring the completion of mandatory training requirements, Defence People Group advised the ANAO in December 2021 that:

Campus courses are available to all Defence Personnel and Contractors. Learning is recorded on Campus where the training has been conducted on Campus.

…

Training completion is recorded within Campus and the Contractor can provide a print screen of their completion records to their supervisor via email or the supervisor can request a report from Campus.’99

3.33 The ANAO examined Defence’s ability to obtain high-level data of contractor compliance with induction requirements. Defence advised the ANAO in March 2022 that:

Defence’s Campus’ system identifies individuals from a ‘person number’, reflected as either an Other Defence Support (ODS) or a PMKeyS (Personnel Management Key Solution) number. These numbers are obtained directly from the Everybody Database (EBDB) or PMKeyS respectively.

3.34 Defence does not use this data to inform itself of the completion of mandatory training by personnel with ODS numbers. Doing so may provide insight as to effectiveness of the current control (checking by the supervisor) that underpins assurance that mandatory training is completed by contractors as expected.

3.35 Defence advised the ANAO in February 2022 that:

the ODS database purpose is specifically to record all external personnel (contractors, consultants, external service providers) with network account access. [emphasis in original]

98 As discussed in paragraphs 3.27–3.28, Defence advised the ANAO in December 2021 that this training was not mandatory. 99 Reports include the following fields: Division; Person Number (ODS/PMKeyS); Name; Email; Course Number; Course Name; and Last Completion Date. ANAO comment: for example, the Defence Safety Manual sets out in relation to work health and safety

training: 8. For workers without a PMKeyS record, such as ADF cadets, contractors and volunteers, work health and safety training is to be verified, recorded and maintained in accordance with Defence records management policy and their Defence contracts. 14. Commanders/managers and supervisors…have a responsibility to: 14.1. ensure training records for workers without PMKeyS access are verified, updated and maintained.

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

55

Defence Learning Branch can provide records for learning completed on Campus via the Digital Learning Solutions Hosting Platforms team. Any training in progress is recorded as either ‘registered’ or ‘completed’ and include both start and finish dates.

Self-generated completion print screen reports/certificates are available to contractors on Campus.

Contract managers are able to submit a request for manual reporting of mandatory training for contractors they supervise.

3.36 Defence advised the ANAO in March 2022 that:

an automated capability to disaggregate contractors from all other ODS users is not available … Defence is exploring options to disaggregate contactor data in the implementation of the Enterprise Resource Planning program. Defence may be in a position to implement this activity following ERP implementation.100

3.37 In March 2022, Defence finalised an internal audit titled Enterprise Resource Planning (ERP) Program.101 The objective of the audit was to assess the Chief Information Officer Group’s management of the ERP Program. The audit also considered the planned activities to address issues raised by Auditor-General Report No.1 2021–22 Defence’s Administration of Enabling Services – Enterprise Resource Planning Program: Tranche 1. The audit concluded that:

while the ERP Program has designed a number of key controls in support of governance, security and procurement processes, there is limited operating effectiveness and non-conformance with these controls.

3.38 In relation to the implementation of Recommendation 2 of Auditor-General Report No. 1 2021–22, the audit stated that:

Audit confirmed that for contractor on-boarding arrangements, training templates have been updated meeting the requirements for Recommendation 2.b. However, whilst the processes have been updated, compliance and monitoring of these processes remains low with ongoing issues of completion of mandatory training courses including a 66% completion rate for Annual Security Awareness and 11% completion of the Awareness of Probity in Defence Procurement.102

3.39 More broadly, the internal audit observed ‘significant non-conformance with training requirements of contracted and ERP Commercial staff working on the ERP Program’:

Only 13 out of 57 individuals in the selected sample were fully compliant with the training required for their respective role in the Program.103 Sample testing found that only 33% of contractors had completed the Introduction to Finance in Defence course. Course completion for the ERP

100 ANAO comment: Defence’s ERP program involves the streamlining of Defence business processes associated with hundreds of separate Defence ICT applications. See: Auditor-General Report No.1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1. 101 The audit was conducted on Defence’s behalf by Axiom Associates Pty Ltd. The audit was presented to the

Defence Audit and Risk Committee on 7 April 2022. 102 Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1. ANAO comment: the report noted that ‘completion rates were based on sample testing. Annual Security

Awareness training completion as at 2 November 2021 … Awareness of Probity training completion as at 25 November 2021’. The report also noted that of the 24 sampled individuals, eight had never completed the Annual Security Awareness course. 103 Department of Defence, Enterprise Resource Planning (ERP) Program, March 2022. The audit notes that

sample-based testing was conducted using Campus course completion records as at 25 November 2021.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

56

Commercial team was performed on a population basis and identified that only 2 of the 7 ERP Commercial staff were fully compliant with training requirements. Notably, within the ERP Commercial team, only 43% had completed the Introduction to Finance in Defence course and 29% had completed the Awareness of Probity in Defence Procurement course.

3.40 Relevant to the engagement and induction of contractors, the internal audit recommended that:

The ERP Program:

(a) ensure that all existing Program team members complete the Defence mandatory training requirements and the training specific to their role; and

(b) develop ongoing monitoring of Campus course completion for new starters.

3.41 Induction supports contractors to understand their obligations, both in terms of policy and behavioural expectations, when working with Defence. To support a common understanding of these obligations across Defence, there would be merit in Defence establishing a mechanism to provide enterprise-level assurance that contractors have addressed mandatory induction requirements.

Group/Service specific induction arrangements

3.42 Defence Groups and Services104 may establish induction requirements for contracted personnel that are in addition to the requirements established at the enterprise level. The Groups and Services that responded105 to an ANAO information request on contractor induction

requirements advised the ANAO that any additional role and/or location-specific training required of contractors as part of their onboarding was to be set out in the contract under which they were engaged.

3.43 The ANAO also sought information from each of the Groups and Services on monitoring and reporting in place in relation to contractor completion of induction and training requirements. Five of the eight Groups which responded, and all three Services, advised that they did not conduct monitoring and reporting of contractor completion of mandatory induction and training requirements and referred to Campus learning records, with contract managers identified as responsible for ensuring completion.106

3.44 Those Groups and Services which did report conducting monitoring and reporting provided examples of arrangements at the Division level or below to ensure contractors were completing induction and training requirements (see Box 7).

104 There are currently 11 Defence Groups and three Services. The three Services are Army, Navy and Air Force. The Groups are: Australian Defence Force Headquarters; Chief Information Officer Group; Defence People Group; Defence Executive Support; Security and Estate Group; Defence Finance Group; Defence Science and Technology Group; Capability Acquisition and Sustainment Group; Joint Capabilities Group; Strategy, Policy and Industry Group; and Defence Intelligence Group. 105 The ANAO did not receive responses from Strategy, Policy and Industry Group; Defence Intelligence Group;

and Defence Science and Technology Group. 106 The Groups and Services which reported that they did not conduct monitoring or reporting of contractor completion of mandatory induction and training requirements outside of Campus learning records and/or contract manager oversight were: Air Force; Army; Navy; Chief Information Officer Group; Defence People

Group; Capability Acquisition and Sustainment Group; Associate Secretary Group; and Defence Finance Group.

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

57

Box 7: Examples of arrangements established in Groups and Services for monitoring and reporting on contractors’ completion of induction requirements

Joint Health Command (JHC) advised the ANAO in January 2022 that:

The ADFHS [Australian Defence Force Health Services] Contract requires a “JHC Ready” form to be submitted to the Joint Health Unit Commanding Officer detailing all required pre-commencement activities (training) have been completed. If not complete the JHU CO [Commanding Officer] can approve a JHC Ready Waiver (if requested). The Contractor (Bupa) is required to track all CHP [Contracted Health Professional] training and is subject to credentialing audits. The JHU [Joint Health Unit] also has a responsibility to ensure all CHP are in-date for regular training.

Security and Estate Group’s (SEG) Directorate of Specialist Contract Support advised the ANAO in February 2022 that:

BSMIC [Base Services, Management, Integration and Coordination] monitor it [on-boarding and training] by undertaking an assurance activity which will request EMOS [Estate Maintenance and Operations Services] to show us their evidence i.e. registers stating when their personnel undertook mandatory training and whether it is current or not.

Joint Logistics Command (JLC) provided evidence to the ANAO in February 2022 that it maintains a register recording the completion of the Divisional requirement for contractors to undertake or provide evidence of completion in the last 12 months of the mandatory Annual Security Awareness training course and courses on assessing and protecting official information and cyber security awareness. This register also recorded Designated Security Assessed Position (DSAP) numbers, position security clearance requirements, granted clearance levels, dates of clearances being granted and revalidation dates.

The Vice Chief of the Defence Force Executive (VCDF) advised the ANAO in February 2022 of monitoring processes at the Division level, which included a ‘March In’ checklist used in the Force Integration and Force Design Divisions to record contractor completion of mandatory induction and training requirements. The checklist, provided to the ANAO, requires supervisors to sign off that these requirements have been met and is provided to the relevant Director.

Source: Defence advice.

Has Defence established arrangements for the engagement of contractors that support compliance with PSPF Policy 12: Eligibility and suitability of personnel?

Defence has established arrangements to support compliance with the majority of requirements in PSPF Policy 12: Eligibility and suitability of personnel when it engages contractors. The arrangements include policies and processes to conduct pre-employment screening of contractors and to undertake standardised vetting as required by PSPF Policy 12. Defence has decided to not use the Document Verification Service as required by the PSPF, and has not mandated its use in the Defence Security Principles Framework.

Defence has established arrangements for reporting on its compliance with the requirements of PSPF Policy 12 for all personnel. Reporting is focused on security clearances as all Defence employees (APS/ADF) are required to have, at a minimum, a baseline clearance. However, not

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

58

all contractors require a security clearance and Defence is not well placed to provide assurance, at the enterprise level, that PSPF Policy 12 has been met in respect to contractors having been pre-screened appropriately if a security clearance is not required. Defence was unable to provide the ANAO with figures for Designated Security Assessment Position numbers at each clearance level and how many were filled by contractors. Defence advised that these positions were managed within the Group or Service and were not centrally reported.

3.45 Protective Security Policy Framework (PSPF) Policy 12: Eligibility and suitability of personnel107 sets out ‘the pre-employment screening processes and standardised vetting practices to be undertaken when employing personnel and contractors.’ Policy 12 has the following core requirements:

Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets).

Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

3.46 The policy states that pre-employment screening is the primary activity used to mitigate an entity’s personnel security risks. Entities may use security clearances where they need additional assurance of the suitability and integrity of personnel. This could be for access to security classified information, or to provide greater assurance for designated positions. Under the policy:

Entities must undertake pre-employment screening, including:

• verifying a person’s identity using the Document Verification Service108;

• confirming a person’s eligibility to work in Australia; and

• obtaining assurance of a person’s suitability to access Australian Government resources, including their agreement to comply with the government’s policies, standards, protocols and guidelines that safeguard resources from harm.

3.47 In its mandatory annual report to the Attorney-General’s Department (AGD) in 2018–19, 2019–20 and 2020–21, Defence self-assessed its security maturity against PSPF Policy 12 requirements as ‘developing’. Defence also reported that it was taking steps to lift its security maturity to ‘managing’.109

107 Protective Security Policy Framework (PSPF), Policy 12: Eligibility and suitability of personnel, v.2018.3 [Internet], available from https://www.protectivesecurity.gov.au/publications-library/policy-12-eligibility-and-suitability-personnel [accessed 27 September 2021].

108 ANAO comment: the service is a national online system that allows organisations to check whether the biographic information on a customer’s identity documents match with the original record. The service is a secure system that operates 24/7 and matches key details contained on Australian-issued identifying credentials. 109 Developing means: ‘Substantial implementation of the PSPF. Protective security requirements not fully

implemented into business practices’. Managing means: ‘Complete and effective PSPF implementation. Protective security requirements integrated into business practices.’ Source: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019–20, p. 2 [Internet], available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-

20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

59

Arrangement for conducting pre-employment screening and standardised vetting

3.48 The relevant parts of the Defence Security Principles Framework (DSPF) implementing PSPF Policy 12 are DSPF Principle 40 and associated Control 40.1. The Principle and the Control set out requirements in relation to: security clearances including pre-employment screening, citizenship requirements, and eligibility waivers; and identified positions and recording security clearance requirements for these positions. DSPF Control 40.1 states that there is ‘no minimum level of security clearance for Defence industry and contractors. Clearance requirements for Defence industry and contractors are determined on the basis of their need to access classified information, networks, assets or secure areas’.

3.49 Defence advised the ANAO in February 2022 that:

A security clearance is not required to access information that does not have a security classification, including Official or Official: Sensitive information. For this type of information, routine employment screening is sufficient. Because of this there may be examples of staff on Defence premises who do not require a clearance due to the nature or location of their employment. For example, these could include hospitality services, or scribing services where information is unclassified and the engagement is very short.

3.50 Table 3.2 below outlines the requirements of PSPF Policy 12 that are to be established by Defence and the arrangements Defence has established for pre-employment screening processes and standardised vetting practices when engaging contractors.

3.51 In summary, while Defence has established policies and processes to support compliance with PSPF Policy 12 when engaging contractors, it does not use the Document Verification Service as required by the PSPF for pre-screening processes and neither do the employers of its contractors. As noted in Table 3.2, there is no DSPF requirement to use the service.

Table 3.2: Defence policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 12: Eligibility and suitability of personnel

PSPF Policy 12 core requirement B.1

Defence arrangements

Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets)

• Defence advised the ANAO in November 2021 that ‘Pre-employment screening for contractors is the responsibility of the contractors’ employers.’

− As at November 2021, to obtain DISP membership, entities needed to meet the DISP eligibility and suitability requirements, which included minimum requirements for Entry Level governance, personnel security, physical security and information/cyber security set out in Annex B of DSPF Control 16.1.a The Entry Level personnel security requirements in Annex B required applicants to provide a description of employment screening practices and identified AS 4811–2006 Employment Screening as the minimum standard for all new recruitments.

• Defence advised the ANAO in February 2022 that:

− ‘DISP members are to provide assurance that pre-employment screening responsibilities have been completed successfully for relevant personnel prior to engagement, and acknowledge this on the DISP membership application form (AE250)’.

○ In February 2022 Defence issued an updated Control 16.1, which set out that to be eligible for DISP membership the entity must as

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

60

PSPF Policy 12 core requirement B.1

Defence arrangements

a minimum ‘establish, and be able to maintain, the security standards for their requested level of membership (refer Annex A)’, including the minimum Entry Level requirements. The Entry Level requirements in the new Annex A to Control 16.1 require entities to establish and maintain policies and processes in accordance with AS4811–2006 Employment Screening standards, including employment screening practices. The new Annex A requires DISP members to provide to Defence a copy of employment screening and management processes for personnel working with or on Defence-related work.b

− ‘The application of pre-screening checks for non-DISP members is the responsibility of the local work area.’

− ‘While pre-employment screening/employment checks are the responsibility of [the] contractors’ employer, Defence Security Division would not expect companies to use the Document Verification Service, because the Australian Government Protective Security Policy Framework (PSPF) is designed for non-Corporate Commonwealth entities to implement.'

• Defence advised the ANAO in March 2022 that:

− ‘all Defence employees [APS/ADF] are required to have a baseline clearance, as a result the DSPF does not address [the] document verification system separately as documents checks are incorporated into the baseline clearance process’; and

− ‘there are internal security checks as part of the processes for accessing Defence facilities (Defence Common Access Card requests) and systems (DPN/DSN accounts), which require checks of identity documentation and security records.’

• The DSPF sets out requirements for waiving eligibility requirements including specific requirements for citizenship and uncheckable background waivers.c The Defence clearance sponsor is responsible for ensuring that, where they are required, eligibility waivers are authorised.

Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards

• Defence has established standardised vetting arrangements for contractors, with the Australian Government Security Vetting Agency (AGSVA) to conduct personnel security vetting.

• In terms of ensuring that contractors hold the necessary clearances for the positions they are filling, Control 40.1, paragraph 105 of the internal version of the DSPF states that ‘All Defence positions requiring a security clearance above BASELINE are to be managed as designated security assessment positions (DSAPd) and recorded with the level of clearance in a DSAP register’. Control 16.1 states that it is a responsibility of security officers to maintain the DSAP list.

Note a: DSPF Control 16.1 and its associated annexes is available publicly at:

https://www.defence.gov.au/security/industry/eligibility#:~:text=Control%2016.1%20of%20the%20DSPF,risks %20when%20engaging%20with%20Defence [accessed 25 March 2022]. Note b: Auditor-General Report No. 4 2021–22 Defence’s Contract Administration – Defence Industry Security Program (DISP) found that ‘Defence contract managers do not have visibility of Defence’s DISP membership data, and

must request this information from the DISP administration team’. Defence advised the ANAO in March 2022 that it had developed a membership profile template to enable this, and expected to share the template and a document titled Principles for Considering Vendor Security Risks with contracting authorities shortly. Defence

Arrangements for engaging contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

61

further advised in March 2022 that the profile advises a contracting authority that an entity has met the required DISP standard, which includes employment screening. The document titled Principles for Considering Vendor Security Risks outlines five security risk principles intended to assist Defence to make informed decisions and support the development of robust security risk assessments. Note c: Defence advised the ANAO in March 2022 that there were currently 116 active citizenship waivers sponsored

by Defence, of which 68 waivers are for Defence contractors, and that AGSVA reports on all active citizenship waivers on a quarterly basis to the Defence Security Committee. Defence’s advice noted that AGSVA’s reporting to this committee is by waiver sponsorship and does not indicate whether the waiver is for contractor or other type of employee. Defence further advised that all active citizenship waivers are reviewed and approved annually by AGSVA. Note d: The DSPF defined a DSAP as follows: A DSAP is defined in the Crimes Act 1914 as ‘a position in a

Commonwealth Authority which the head of the authority has determined to be a designated security position whose duties are likely to involve access to national security information classified as secret or top secret’. Defence did not hold records that supported reporting to the ANAO on the number of contractors who are DSAPs at each level at a point in time. Source: ANAO analysis of Defence documentation.

Arrangements for monitoring and reporting that requirements of PSPF Policy 12 have been addressed when contractors have been engaged

3.52 Box 8 below sets out Defence’s current approach to compiling its annual self-assessment of compliance with PSPF Policy 12. Defence’s assessment is approved by the Secretary and Chief of the Defence Force (CDF) and submitted to AGD.

Box 8: Arrangements for monitoring and reporting on compliance with PSPF Policy 12

Defence’s Chief Security Officer assists Defence’s Accountable Authority to meet the annual PSPF reporting obligation which includes providing an enterprise-wide view of Defence’s security risk to the Defence Security Committee.a

In November 2021, Defence advised the ANAO that:

Defence is still in the process of determining how our internal security reporting processes and governance structures can be best utilised to meet the requirements of the PSPF self-assessment report. Consequently, we have used different processes for the periods referenced [2018–19, 2019– 20, 2020–21].

Defence’s annual PSPF self-assessments are underpinned by annual reports from DSPF Control Owners, who are the officials assigned accountability and authority to manage a specific defence security risk. A DSPF Control Owner’s annual report is to advise the Defence Security Committee on control effectiveness, with effectiveness determined through a combination of assurance activity and security incident data.b

Commencing with the 2019–20 reporting year, Defence supplemented its annual Control Owner reporting with reporting from Defence’s Executive Security Advisors (ESAs), who are responsible for supporting their Defence Group or ADF Service senior management to assess and manage security risks. Responses to the ESA Security Maturity Questionnaire inform Defence senior management about the assurance activities undertaken in the Groups and Services to support PSPF compliance. Responses for 2020–21c stated that assurance activities in place in the Groups and Services include active maintenance and regular review of DSAP lists, including periodic security audits; review of clearances to ensure they are appropriate and reflect positional security requirements; and the raising of corrective action reports in relation to identified deficiencies. Responses also indicated that the Groups and Services undertake varying assurance activities in

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

62

relation to Policy 12, with some Groups and Services reporting more robust assurance activities than others.

Note a: The Defence Security Committee provides the primary oversight of the DSPF. Note b: For DSPF Principle 40 the Control Owner Report for 2019–2020 set out that assurance activities included AGSVA performing data reviews on the eVetting system, conducting a positive vetting (PV) cease batch procedure to cease clearances that met set criteria, and analysis of security incident data. The 2020–2021 Control Owner Report for

DSPF Principle 40 noted ongoing certification under the ISO9001 Quality Management System, a review of Defence Industry Security Program policy, and support to the broader Defence Security Strategy development as other measures implemented within the broader Defence security environment to assure the effectiveness of Principle 40. Defence advised the ANAO in March 2022 that ‘AGSVA cease batch procedures [currently] covered all clearance levels’. Note c: Defence advised the ANAO in March 2022 that: ‘At the time of the 2020/21 reporting there were 14 ESAs appointed

(each Group or Service is responsible for appointing their own ESA under the DSPF) and 11 ESA responses were received. Additional ESA input was provided directly into the Defence response by (then) DS&VS [Defence Security and Vetting Service], but was not formally recorded as an ‘ESA response’ as DS&VS was producing the Defence response. ESA reporting was not mandatory, and two Defence ESAs did not respond to the request for input or follow-up requests. These ESAs were considered to have provided a NIL response.’

3.53 Defence has established a framework and processes for monitoring and reporting on its level of maturity against PSPF Policy 12. Internal reporting does not differentiate between contractors, APS and ADF personnel. Defence advised the ANAO in March 2022 that:

It is the responsibility of the Contract Manager to ensure contractor compliance with contract security requirements, this information is not centrally recorded. If the contractor is a Defence Industry Security Program member the contractor security officer is obligated to report any security non-compliance as are any Defence Security Officers involved in the delivery/management of the project to Defence Security.

3.54 The ANAO sought data on the number of Designated Security Assessed Positions (DSAPs) that were filled by contractors. Defence was unable to provide the ANAO with figures for DSAP numbers at each clearance level and how many DSAPs were filled by contractors. Defence advised that DSAPs are managed within the Group or Service and are not centrally reported.

3.55 In respect to the requirement set out in DSPF Control 40.1 (discussed in Table 3.2 above) to manage Defence positions requiring a security clearance above the BASELINE level as DSAPs, Defence advised the ANAO in March 2022 that:

The Defence Security Policy Framework does not require the use of DSAPs. Position clearance requirements are flexibly managed by Departmental clearance sponsors based on operational requirements and risk levels. Some Groups and Services have designed DSAPs in specific areas, primarily for the management of TSPV [Top Secret Positive Vetting] positions, but these DSAPs are managed within the Group or Service and are not centrally reported.

3.56 In summary, there are arrangements in place across Defence to support compliance with most aspects of PSPF Policy 12. However, Defence is not well placed to assure itself at an enterprise level that PSPF Policy 12 has been met, as Designated Security Assessed Positions (DSAPs) are managed at the Group or Service level and are not centrally reported.

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

63

4. Arrangements for managing contractors

Areas examined This chapter examines whether the Department of Defence (Defence) has established fit-for-purpose arrangements for the management of contractors.

Conclusion Defence’s arrangements for the management of contractors are partly fit-for-purpose. Defence has documented its requirements and expectations regarding the management and oversight (supervision) of contractors. The Defence Security Principles Framework (DSPF) establishes arrangements that support compliance with the requirements of Protective Security Policy Framework (PSPF) Policy 13: Ongoing assessment of personnel and PSPF Policy 14: Separating personnel. Defence reporting on compliance with PSPF Policy 13 and Policy 14 indicates that implementation of Defence’s arrangements has been inconsistent across the department. Internal audits and assessments also indicate that implementation of Defence’s PSPF Policy 14 arrangements is not fully effective across the department.

Recommendations and areas for improvement The ANAO has recommended that Defence establish arrangements to better support compliance with PSPF Policy 14: Separating personnel.

The ANAO has suggested that there would be merit in Defence: providing guidance to support managers and supervisors of contractors across the broad range of arrangements Defence uses to engage non-APS personnel; improving the awareness of Security Officers of the need to conduct annual security checks; and reviewing the Defence Contract Management Handbook to better support contract managers at the end of a contract, by including processes to address the PSPF Policy 14 requirements in the relevant checklist.

4.1 Once engaged by Defence, the ongoing management of contractors involves:

• day-to-day oversight of the contractor and management of the contract to ensure that contracted outcomes are being delivered as required;

• assessment and management of the ongoing suitability of the contractor to access Australian Government resources; and

• withdrawing access and managing any ongoing risks at the end of the contract.

4.2 The effective management of contractors supports both the achievement of contracted outcomes and Defence’s ability to address the national security challenges outlined in the 2020 Defence Strategic Update110 through the management of personnel security risks.

4.3 The ANAO examined the following to form a view on the fitness-for-purpose of Defence’s arrangements for the management of contractors.

• Documentation promulgated to officials to inform them of Defence’s requirements and expectations for the management of contractors and the training that was available to support implementation of the guidance.

110 See paragraph 2.12.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

64

• Policies and processes for ensuring the ongoing suitability of contracted personnel to access Australian Government resources, as required by PSPF Policy 13: Ongoing assessment of personnel, and monitoring and reporting on compliance.

• Policies and processes for contracted personnel to have their access withdrawn and to be informed of any ongoing security obligations, as required under PSPF Policy 14: Separating personnel, and monitoring and reporting on compliance.

Has Defence clearly documented its requirements and expectations regarding the management and oversight of contractors?

Defence has documented its requirements and expectations regarding the management and oversight of contractors. Much of Defence’s guidance is framed for officials managing contracts that are valued above $200,000, and which are complex and/or of long duration. It is not apparent which parts of this guidance should be applied specifically when managing contractors as defined in Defence’s Accountable Authority Instructions (AAIs), particularly where the contract value is below $200,000. Training is available for officials who manage contracts and contractors, however it is not mandatory and is not monitored or reported on systematically.

4.4 The Defence Contract Management Handbook states that:

Defence is the Commonwealth’s largest procurer of goods and services. Defence procurements comprise thousands of transactions and involve billions of dollars annually. For instance, in 2016/17, Defence spent over $32 billion (or around 70% of the Commonwealth’s total annual procurement expenditure).111

As such, contracting is an integral part of the way Defence conducts business. Contracting activities range from straightforward procurements that can be made, for example, using a government credit card or purchase order, through to highly complex, innovative long-term projects involving a number of interdependent contractual arrangements.

Therefore, it is important that contract management personnel have the necessary capabilities, supported by standardised tools, templates and systems, to assist in effectively managing the contracts for which they are responsible. It is also important that industry should be able to deal with Defence in a consistent way across all sectors of Defence business activity.112

4.5 Depending on the specific contracting arrangements adopted, the management of a contractor may involve multiple people with differing responsibilities — such as managing the contract and supervising the contractor’s work on a day-to-day basis. Clarity regarding the roles and responsibilities of each party helps officials to understand what is expected of them.

4.6 To assess whether Defence has clearly documented its requirements and expectations regarding the management and oversight of contractors, the ANAO:

• reviewed the framework that documents the requirements and expectations for managers; and

111 ANAO comment: According to AusTender data Defence spent over $37 billion in 2020–21 (or around 53 per cent of Commonwealth’s total annual procurement expenditure). 112 Department of Defence, Defence Contract Management Handbook, version 1.0, 2 July 2018 (in effect as at 22 February 2022), paragraphs 39–41.

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

65

• reviewed the training available to managers.

Framework documenting the requirements and expectations of managers

4.7 Defence has documented its requirements and expectations regarding the management and oversight of contractors in policies, processes and guidance for contract managers that are available on Defence’s intranet. These documents set out:

• the roles and responsibilities of contract managers113;

• standardised policies and processes for managing contracts in the agency;

• standardised tools to assist contract managers to fulfil their responsibilities including contract administration, division of responsibility and risk management; and

• a range of policies, processes and guidance for supervisors, including the day-to-day management of induction, performance, security, financial delegations, conduct and behaviour, onboarding and offboarding.114

4.8 Defence has also established procurement and contracting support functions. These include:

• Procurement and Contracting Support Officers who can be contacted via telephone or email (contact details are listed on the ‘Contract Management Advice and Support’ page on Defence’s intranet); and

• a Commercial Division Helpdesk which is part of the Commercial Centre of Expertise operated by Defence’s Capability Acquisition and Sustainment Group (CASG).

4.9 Defence guidance on procurement support, including contract management, also outlines a number of helpdesks and mailboxes available to support contract managers.115

4.10 Much of Defence’s guidance is framed for officials managing contracts that are valued above $200,000, and which are complex and/or of long duration. While this guidance can also be useful

113 The Defence Contract Management Handbook states that: ‘If the function [contract management] is carried out by more than one person, the person responsible and accountable for a contract and its performance rests with the Commonwealth Representative under the contract (the “contract owner”).’ 114 The ANAO reviewed the following Defence policies, processes and guidance for contract managers: Defence

– Accountable Authority Instruction 2, 29 June 2021 (updated 1 February 2022); Defence Procurement Manual, 1 July 2021; Complex Procurement Guide, 1 October 2020; CASG [Capability Acquisition and Sustainment Group] Contract Management Policy Instruction, 2 July 2018; Defence Contract Management Framework, including the Defence Contract Management Handbook; ASDEFCON Commercial Handbooks (Insurance, Liability, Liquidated Damages, Securities, and Technical Data and Intellectual Property); Simple Procurement Process Tool; and CASG fact sheet Obligations of Contractors, Consultants and Other Service Providers. The Defence Contract Management Handbook sets out that the role of contract manager includes: monitoring

contract performance and compliance; responsibility for contract governance, which includes managing contractor performance within limits of authorisation by the contract owner; accountability for contract administration over the contract management life cycle; and responsibility for conducting post contract evaluation and identifying and communicating lessons learned. 115 These include the: Procurement Professionalisation Help Desk (for training related queries); ASDEFCON and

Contracting Initiatives Helpdesk; ASDEFCON SOW [statement of work] Support mailbox; Performance Based Contracting Centre of Expertise; Evaluation and Negotiation Centre of Expertise; eProcurement mailbox; CASG Legislative Reporting mailbox; Non-Material Procurement mailbox; CIOG Procurement Advice mailbox; Defence Estate Quality Management System mailbox; Requests for CASG Legal Advice mailbox; CASG Legal Panel mailbox (for external legal services); and Defence Professional Services Panel mailbox (for services including probity services).

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

66

for smaller procurement activities, it is not apparent which parts should be applied specifically when managing contractors as defined in Defence’s AAIs, particularly where the contract value is below $200,000. Defence advised the ANAO in April 2022 that:

Defence does not have specific guidance for managing “contractors” below $200,000 … Defence has contract management guidance that applies broadly to contract management.

4.11 There would be merit in Defence establishing guidance to support the managers and supervisors of contractors across the broad range of arrangements Defence uses to engage non-APS personnel.

Training for contract managers about managing and oversighting contractors

4.12 The Defence Contract Management Handbook states that it:

has been designed for a broad range of contract management personnel with varied contract management capabilities. It is important to complement the knowledge and guidance provided in this Handbook with relevant training and, where necessary, a professionalisation program.’

4.13 In relation to training requirements for contract managers, Defence (CASG) advised the ANAO on 30 November 2021 that:

Defence does not require mandatory minimum training or refresher training specifically for contract managers. However, Defence does offer the following contract management training as a part of the Commercial Function training offering for Defence. Awareness of contract manager training and requirements are regularly communicated across Defence (including across related job families) through the Defence Commercial training service offer and related communications. This is a Defence-wide offering:

• Certification IV in Procurement and Contracting especially Stream 3 – Contract Management

• Certification IV in Procurement and Contracting Refresher

• Effective Contract Management – Two day training

• Performance Based Contracting Awareness

• Performance Based Contracting (PBC) for Practitioners

• Contract Risk Training (CRT) Module 2: ASDEFCON Technical Data/Intellectual Property

• Contract Risk Training (CRT) Module 5: ASDEFCON Liability

• Contract Law Essentials.

4.14 Defence further advised the ANAO on 30 November 2021 that:

Defence does not mandate contract management training for contract related positions, however, the completion of contract related training and experiential requirements are managed through the individual position requirements and included and reviewed in individual staff performance agreements.

Defence has no central monitoring or reporting for the completion of contract management training.

4.15 As noted in paragraph 3.28 there is a training course — Procurement Essentials and Contract Management — available on Defence’s online learning platform, ‘Campus’. In relation to oversight

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

67

of completion of this training, as stated at paragraph 3.32, Defence advised the ANAO that training completion is recorded within Campus and that reports on completion records can be requested from Campus.

4.16 Defence further advised the ANAO in March 2022 that it offers an Effective Contract Management Course. While targeted to Defence officials at the APS 6 and EL1 level, other APS levels and EL2s can attend. The course:

provides practical contract management program to assist the learning and development of officers involved in the management of complex contracts, but can be applied to all levels of contract management for Defence officials. A component of the course material deals with the day to day management of contractors including … planning and managing contracts and covers general principles of contract management including planning, key contractual obligations and identifying and managing stakeholder’s relationships including contractor performance.

Has Defence established arrangements for the management of contractors that support compliance with PSPF Policy 13: Ongoing assessment of personnel?

Defence has established arrangements to support compliance with the requirements of PSPF Policy 13: Ongoing assessment of personnel, in the Defence Security Principles Framework (DSPF). Defence’s policies address all aspects of the core PSPF requirement and apply to all Defence personnel, including contractors. Defence has also included clauses in contracting templates requiring ongoing compliance with the DSPF. However, these arrangements are compromised by inconsistent implementation. Defence reporting on compliance with PSPF Policy 13 indicates that implementation of the arrangements has been inconsistent across the department, with scope identified to improve the awareness of security officers of the need to conduct annual security checks.

4.17 When personnel (including contractors) are engaged, entities must ensure that the eligibility and suitability requirements that were established prior to commencement continue to be met. This entity responsibility is set out in PSPF Policy 13: Ongoing assessment of personnel. The purpose of the policy is to describe how entities maintain confidence in the suitability of their personnel to access Australian Government resources and manage the risk of malicious or unwitting insiders. The core requirement of PSPF Policy 13 is that ‘each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.’

4.18 In its 2018–19, 2019–20, and 2020–21 self-assessments of its maturity against PSPF Policy 13 requirements, submitted to the Attorney-General’s Department (AGD), Defence rated its maturity level as ‘developing’. Each year, Defence has reported that it is taking steps to move its maturity level to ‘managing’.116

116 Developing means: ‘Substantial implementation of the PSPF. Protective security requirements not fully implemented into business practices’. Managing means: ‘Complete and effective PSPF implementation. Protective security requirements integrated into business practices.’ Source: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019–20,

p. 2 [Internet], available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

68

4.19 To examine whether Defence has established arrangements for the management of contractors that support compliance with PSPF Policy 13, the ANAO reviewed arrangements for assessing and managing the ongoing suitability of contractors and for sharing relevant information of security concern.

Arrangements for assessing and managing the ongoing suitability of contractors and sharing relevant information

4.20 DSPF Principle 40 and associated Control 40.1 set out requirements for the ongoing management of security clearances. Table 4.1 below outlines the results of the ANAO’s review of Defence policies and processes that support compliance with relevant DSPF requirements in the context of the engagement of contractors in Defence.

4.21 In summary, Defence has established policies to support compliance with the requirements of PSPF Policy 13, in the DSPF. Defence’s policies address all aspects of the core PSPF requirement and apply to all Defence personnel, including contractors. Defence has also included clauses in contracting templates requiring ongoing compliance with the DSPF.

Table 4.1: Defence policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 13: Ongoing assessment of personnela

PSPF Policy 13 core requirement B.1

Defence arrangements

Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.

• Roles and responsibilities for assessing and managing the ongoing suitability of contractors and for sharing relevant information of security concern are set out in the Defence Security Principles Framework (DSPF), including:

− Clearance holders are required to advise the Australian Government Security Vetting Agency (AGSVA) of any changes in personal circumstances (Control 40.1, page 17).

− Clearance sponsors (which may be the contracted entity or Defence for contracted personnel) are responsible for the ongoing management of their security cleared personnel:

○ including annual review of DSAPs and eligibility waivers (Control 40.1, pages 6 and 21); and ○ monitoring security attitudes and behaviours and prompt reporting to AGSVA of noticeable changes in attitude and behaviour,

security incidents, or incidents that may be a security concern (Control 40.1, pages 17–18).

− Clearance sponsors are to ensure that their security cleared staff report changes in their circumstances to AGSVA (Control 40.1, page 18).

− Defence personnel are to report to AGSVA any security concerns that they hold about a current or former clearance holder (Control 40.1, pages 17–18).

− AGSVA conducts revalidations at scheduled intervals and considers if situations arise that may be a security concern significant enough to warrant a clearance holder’s ongoing suitability to be reassessed (known as a ‘review for cause’).

• AGD and Defence have developed the Personnel Security Risk Information Sharing Framework. AGSVA’s implementation of the framework facilitates

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

69

PSPF Policy 13 core requirement B.1

Defence arrangements

the sharing of security information about personnel who hold a security clearance issued by the AGSVA, or who are currently undergoing vetting.b

• Four of the eight standing offer arrangements and contracting templates reviewed by the ANAO (discussed at paragraphs 3.21–3.25) required the contractor to comply with DSPF requirements for individuals and/or DSPF requirements pertaining to the Defence Industry Security Program. The remainder set out protective security and information security requirements consistent with the DSPF.

Note a: Compliance reporting to AGD on PSPF Policy 13: Ongoing Assessment relates to the whole of Defence. Defence is not expected to provide specific information relating to PSPF compliance for contractors. Note b: The development of the framework was discussed in Auditor-General Report No. 21 2020–21 Delivery of Security Vetting Services Follow-up. See paragraphs 3.28–3.35 of that report. The report noted that the

framework was being implemented in phases and that implementation was in progress in relation to Negative Vetting 2 and Positive Vetting clearances, with Baseline and Negative Vetting 1 clearances to be considered in future phases. Defence’s 2019–2020 PSPF self-assessment reported that implementation in Defence as part of Phase Two of framework rollout had commenced in July 2020 with the inclusion of one Service and one Group. Defence advised the ANAO in March 2022 that: ‘AGSVA continues to implement the Personnel Security Risk Information Sharing Framework within Defence and the wider Government. Entities, including Defence Groups and Services, are briefed into the Framework when AGSVA identifies a potential risk to be shared. AGSVA is now sharing risks identified at all clearance levels.’ Source: ANAO assessment of Defence documentation.

Arrangements for monitoring and reporting that the ongoing suitability of contractors has been assessed and managed

4.22 In its 2018–19, 2019–20 and 2020–21 PSPF compliance self-assessment reports to AGD, Defence stated that AGSVA had policies and processes in place to receive information on, assess, respond and manage the ongoing suitability of clearance holders, including continued suitability to retain existing security clearances. As discussed in Chapter 3 at Box 8, Defence’s annual PSPF assessments are supported by annual reports from DSPF Control Owners on the effectiveness of their control. Effectiveness is determined through a combination of assurance activity and security incident data117, supplemented by reporting from Defence Executive Security Advisers (ESAs).

4.23 Defence’s ESA Security Maturity Questionnaire responses for 2020–21 reported that Groups and Services conducted a range of assurance activities in relation to PSPF Policy 13. For example: active maintenance and review at regular intervals of Defence Security Assessed Position lists; Protective Security Self Assessments118; centralised management within the Groups or Services of eligibility waivers and regular reassessment of waivers; regular security clearance reviews; and audits.

4.24 ESA responses also identified a number of weaknesses, including: ‘no Group-wide approach to annual security reviews’; ‘limited oversight at the Group level’; and ‘not having received returns on compliance from a number of areas within the Group’. Further, ESAs identified that Security Officers at various levels had differing levels of understanding of their responsibilities under the DSPF and PSPF. The implications of Security Officers not understanding their responsibilities, as

117 See Box 8 for examples of assurance activities reported in the 2020–2021 Control Owner Report for DSPF Principle 40. 118 Defence advised in March 2022 ‘that Self assessments can be performed at any level as required or directed, although …“line areas” conducting this activity is common example of this assurance activity.’

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

70

noted by ESAs, included: ‘a lack of reporting around changes in circumstances for clearance holders’. Defence reported in its 2020–21 PSPF compliance report to AGD that ‘the requirement for Security Officers to conduct annual security checks with their personnel is not widely known nor enforced.’

4.25 In addition to the above, in its 2020–21 PSPF self-assessment Defence reported substantial compliance with the obligations pertaining to sharing relevant information of security concern. ESA responses, consistent with the self-assessment, reported advising AGSVA of changes of circumstances for security cleared personnel.

4.26 In summary, Defence has identified weaknesses in its arrangements for monitoring compliance with PSPF Policy 13. There would be merit in Defence reviewing whether adequate assurance is obtained regarding implementation of the policies and processes.

4.27 Defence’s reporting to management and associated assurance activities in relation to compliance with PSPF Policy 13 does not differentiate between the personnel types that make up Defence’s workforce, including contractors. Defence therefore cannot assess, for risk management purposes, trends by personnel type.

Has Defence established arrangements for the separation of contractors that support compliance with PSPF Policy 14: Separating personnel?

Defence has established arrangements to support compliance with the requirements of PSPF Policy 14: Separating personnel, in the DSPF. Defence reporting on compliance with PSPF Policy 14, and internal audits and assessments, indicate that implementation of Defence’s arrangements has been inconsistent and is not yet effective across the department. Internal audits finalised in May 2021 and March 2022 identified weaknesses in how the security policies had been disseminated to the operational level. There is also scope for the Defence Contract Management Handbook to better support contract managers at the end of a contract, by including processes to address the PSPF Policy 14 requirements in the relevant checklist.

4.28 When individuals (including contractors) permanently or temporarily leave their employment with an entity, entities are required to take steps to mitigate risks that Australian Government resources will be accessed by individuals without permission or that ongoing security obligations are not met. These requirements are set out in PSPF Policy 14: Separating personnel. Policy 14 states that:

Each entity must ensure that separating personnel:

(a) have their access to Australian Government resources withdrawn;

(b) are informed of any ongoing security obligations.

4.29 In its 2018–19, 2019–20, and 2020–21 self-assessment of maturity against PSPF Policy 14 requirements, submitted to AGD, Defence rated its maturity level as ‘developing’.119

119 Developing means: ‘Substantial implementation of the PSPF. Protective security requirements not fully implemented into business practices’.

Footnote continued on the next page…

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

71

4.30 To examine whether Defence had established arrangements for the management of contractors that support compliance with PSPF Policy 14, the ANAO reviewed Defence’s arrangements for:

• withdrawing access and informing separating contractors of any ongoing security obligations; and

• obtaining assurance that access has been withdrawn and briefings provided to separating contractors.

Arrangements for managing access and ongoing security obligations of separating contractors

4.31 DSPF Principle 40 and associated Control 40.1 set out requirements for the separation of personnel, transfer of clearance sponsorship, and cancellation of clearances. Table 4.2 below outlines the results of the ANAO’s review of Defence policies and processes that support compliance with the relevant DSPF requirements in the context of the engagement of contractors in Defence.

4.32 In summary, Defence has established policies and processes to support compliance with the requirements of PSPF Policy 14, in the DSPF. Defence has also included clauses in contracting templates requiring ongoing compliance with the DSPF. An internal audit published in May 2021 identified weaknesses in how the security policies had been disseminated to the operational level. There is scope for the Contract Management Handbook to better support contract managers at the end of the contract, by including processes to address the PSPF Policy 14 requirements in the relevant checklist.

Source: Attorney-General’s Department, Protective Security Policy Framework Assessment Report 2019–20, p. 2 [Internet], available from https://www.protectivesecurity.gov.au/system/files/2021-06/pspf_2019-20_consolidated_maturity_report.pdf [accessed 9 December 2021].

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

72

Table 4.2: Defence policies and processes that apply to contractors and support compliance with the core requirements of PSPF Policy 14: Separating Personnel for separating contractors

PSPF Policy 14 requirement B.1

Defence arrangements

Each entity must ensure that separating personnel:

a) have their access to Australian Government resources withdrawn, and

b) are informed of any ongoing security obligations.

• Defence has established arrangements to support compliance with the requirements of PSPF Policy 14. The DSPF outlines policies for:

− Removing access to agency resources (including IT systems, devices and building passes) for separating personnel (Control 18.1, pages 3– 5,12–14; Control 74.1, pages 19–20).

○ For example, Control 18.1 stipulates that system owners are required to conduct regular reviews to ensure system access is required, and if not, revoke access.

− Informing separating personnel of ongoing security obligations as part of the security debriefing process (Control 40.1, page 20).

• In order to meet Policy 14 as operationalised in the DSPF, Defence has established controls around systems access specific to particular systems, which apply to contractors. For example, there is automatic annual deactivation of users’ ‘Researcher Access’ to Objective.a

• Defence advised the ANAO in March 2022 that: ‘When personnel and/or contractors leave Defence, they, or their supervisor, are required to record the departure in the My Account Management Online (MAMO) portal – which triggers system access removal.’

• The Contract Management Handbook informs contract managers that Defence personnel must comply with legislation and government policy that applies to public sector procurement and contracting. The handbook states that contract teams should consider and manage risks in relation to ‘security requirements’ during transition. However, the contract closure checklist does not refer to the PSPF Policy requirements or DSPF controls (such as Control 18.1 regarding removal of access from ICT systems and devices).

• An internal audit published in May 2021 identified weaknesses in how the policy had been disseminated to the operational level (discussed further in paragraphs 4.36–4.39 below).

• All eight standing offer arrangements and contracting templates reviewed by the ANAO (discussed at paragraphs 3.21–3.25) required the contractor to comply with DSPF requirements for individuals and/or DSPF requirements pertaining to the Defence Industry Security Program or set out protective security and information security requirements consistent with the DSPF.

Note a: Objective is Defence’s electronic document and records management system. Source: ANAO analysis of Defence documentation.

Arrangements for monitoring and reporting that the requirements of PSPF Policy 14 have been met when contractors are separating

4.33 Defence noted in its 2020–21 PSPF self-assessment report to AGD that:

the majority of security off-boarding procedures occur at the local level with limited integrated oversight across Defence to confirm these processes are being followed fully. Internal assessments and Defence Audit Branch Audits indicate that Security Officers, supervisors and managers may

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

73

not be familiar with security off-boarding processes and hence are not ensuring these occur, or conducting a risk assessment if a member leaves before security debriefing can occur.

4.34 Defence ESA Security Maturity Questionnaire responses for 2020–21 reported that assurance activities in relation to Policy 14 that were in place in the Groups and Services included: recording of separation of clearance holders in security registers, and regular system access audits. ESA’s responses also identified the following weaknesses around the effective management of separating contracted personnel.

• There were deficiencies in governance of departure processes, attributed to security resourcing challenges. For example, the implications of Security Officers not understanding their responsibilities noted by ESAs (discussed in paragraph 4.24) included a ‘lack of debriefs for exiting personnel’.

• There was a lack of awareness of how many personnel with clearances sponsored by Defence had ceased engagement and re-engaged with another entity without a change in clearance sponsor, or been re-engaged within Defence in another capacity. This lack of awareness creates the potential for instances where a clearance might be retained and continue to be sponsored by the individual’s previous Group or Service.

• AGSVA may not be contacted regarding separation/discharge.

• There was limited visibility of processes at the Group or Service level.

• There had been a lack of process regarding the need for security risk assessments where no debriefing is conducted, and no current means of assuring this.

4.35 Of the 11 Groups and three Services in Defence (at the time of 2020–21 reporting), three Groups reported ‘full’ implementation of debriefing and removal of access120, and two Groups and two Services reported ‘substantial’ implementation.121

4.36 The ANAO analysed users’ access to ROMAN122 for the period 1 July 2021 to 30 November 2021 to assess whether user accounts remained active subsequent to the user departing from Defence. The ANAO identified that 1447 user accounts were not removed or suspended subsequent to the user’s departure from Defence. Of the active accounts identified, 1357 related to users who terminated prior to 2020–21. The ANAO performed further audit procedures to confirm whether any of the users accessed the system subsequent to departure from Defence. It was confirmed that no users had accessed their ROMAN account subsequent to departure.

Internal audits

4.37 In May 2021, Defence finalised an internal audit titled ‘Managing the risk of theft of Information by staff / contractors leaving Defence.’123 The objective of the audit was to assess the appropriateness of preventative, detective and corrective controls mitigating the risk of staff and/or

120 Defence Science and Technology Group; Strategy, Policy and Industry Group; and Estate and Infrastructure Group. 121 Air Force; Navy; Defence Intelligence Group; and Chief Information Officer Group. 122 The Resource and Output Management and Accounting Network (ROMAN) is Defence’s core financial

management and information system. 123 Department of Defence, Managing the risk of theft of Information by staff / contractors leaving Defence, Defence Audit and Risk Committee, 20 May 2021. The audit was conducted on Defence’s behalf by Axiom

Associates Pty Ltd.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

74

contractors in the process of leaving Defence inappropriately using Defence systems to access and/or transfer information out of the Defence environment. The audit concluded that:

Defence does not have sufficient controls in place to prevent, detect and mitigate the risk that staff and/or contractors leaving Defence inappropriately use Defence systems. There are different processes in place across Defence for ADF, APS and contractors, with the audit finding that the processes for the removal of systems access are ineffective, increasing the opportunity for theft of information.

4.38 The audit identified a lack of consistency in how off-boarding occurred for ADF members, APS staff and contractors. Both system-based processes and manual processes were used. The report noted that:

Access management for contractors is impacted by contractors working across multiple areas within Defence, potentially at the same time. Processes in place for the management of contractor access changes and removal are not governed by a single policy or process. While guidance material exists, these materials differ in content and expectations across Groups within Defence. Each contract manager is required to maintain processes to manage the provision, change or removal of access for contract staff.

A Defence wide contractor off-boarding checklist has been created by CIOG [Chief Information Officer Group] and shared with CASG [Capability Acquisition and Sustainment Group] and Defence Legal for review. This however remains in draft and has not been shared more broadly within Defence. Further, this had not been shared with the [internal] audit team as at 29 March 2021.

4.39 The audit recommended that ‘CIOG continue with the development and implementation of an enterprise-wide Contractor off-boarding checklist, including standardisations of the contractor off-boarding process.’ The Management Action Plan for the audit presented to the Defence Audit and Risk Committee along with the audit outlined that the contractor off-boarding checklist was scheduled for completion by 30 June 2021 and that ‘CASG will be responsible for implementation of the product at the enterprise-wide level.’ The recommendation was closed on 6 August 2021. Defence advised the ANAO in March 2022 that:

Audit Branch closed this recommendation on the basis that CIOG has developed a contractor off-boarding checklist which has been implemented within CIOG. This contractor off-boarding checklist was not rolled out at the enterprise level as it was not deemed fit-for-purpose for all Groups/Services.

The checklist was not going to address the risk at the enterprise level. The risk associated with the off-boarding of APS, ADF and contractors goes beyond separation, and requires the consideration of the full lifecycle of a contractor, inclusive of on-boarding and throughout their contractual arrangements. As a result, the portion of the recommendation to develop an enterprise contractor off-boarding checklist has been superseded by Audit Task 22-010- Management of Post Separation Employment Risks and Issues which is currently underway. This audit will identify off-boarding policy and process improvements which will be implemented at the enterprise level.

4.40 The May 2021 internal audit surveyed 858 contract managers within CASG in October 2020. The majority of the 324 respondents were not aware of a policy or procedure relating to the off-boarding of contractors. The audit found that of the contract managers who responded: 43.7 per cent reported following a checklist; 32.5 per cent reported following other guidance local to their team; and 23.8 per cent reported they were not aware of any guidance on this issue.

Arrangements for managing contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

75

4.41 Defence advised the ANAO in May 2022 that it responded to the internal audit with ‘a series of control measures’, including ‘the implementation of a monthly network access audit.’

4.42 Further, the March 2022 Defence internal audit titled Enterprise Resource Planning (ERP) Program, discussed at paragraphs 3.37–3.39, found examples of system access not being revoked when individuals departed from Defence. The audit examined a sample of 22 off-boarded team members and identified six individuals (27 per cent), with no indication that they were still engaged by Defence, who had not had their Defence Protected Network (DPN, also known as Defence Protected Environment) access removed in a timely manner. Departure dates for these individuals

occurred in March 2021 (two instances), May 2021 (two instances), June 2021 (one instance) and August 2021 (one instance). A request to remove these individuals’ access to the Defence Protected Environment was submitted in September 2021, following audit queries.

4.43 The internal audit on the ERP Program recommended that:

The ERP Program (in consultation with Defence’s ICT Security Branch) take steps to revoke all access to Defence systems for all ERP Program team members who have left the Program and are no longer engaged by Defence.

4.44 Relevant to off-boarding, the internal audit also examined how the ERP Program managed assets issued to program staff, particularly in relation to early 2020, when a number of assets including laptops, DREAMS tokens124, internet routers and mobile phones were acquired and issued by the program. Defence identified that the approach to asset management within the program was ‘not appropriate’. Defence advised the ANAO in May 2022 that it responded to this internal audit with ‘a series of control measures’, including ‘a stocktake of mobile devices provided to personnel as a result of the initial COVID pandemic response.’

4.45 The Department is required to take steps to mitigate risks that Australian Government resources will be accessed without permission or that ongoing security obligations are not met, including when it utilises contractors. Defence has identified weaknesses in its current arrangements for managing separating personnel through its internal audit activity and reporting from Groups and Services that informs its mandatory PSPF self-assessment.

Recommendation no. 1 4.46 The Department of Defence, in respect of the contracted workforce:

• establish arrangements to better support compliance with PSPF Policy 14: Separating personnel; and

• monitor the effectiveness of arrangements to obtain assurance that PSPF Policy 14 is being met.

Department of Defence response: Agreed.

4.47 Defence agrees to the recommendation.

124 Defence Remote Electronic Access and Mobility Services (DREAMS) tokens are authentication tokens used by Defence personnel to access Defence’s Protected Network remotely.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

76

5. Observations and key messages on the selected agencies’ management of contractors

Summary This audit is one of a series of three performance audits in which the ANAO has examined the arrangements established by the Department of Defence (Defence), Department of Veterans’ Affairs (DVA) and Services Australia for the use, engagement and management of contractors against the same audit objective and criteria.

High-level observations made in this audit series and key messages for all Australian Public Service (APS) agencies are outlined in this chapter. The observations focus on: data availability and transparency issues relating to the contractor workforce; and the application of ethical and personnel security requirements to the contractor workforce.

Recommendations The Auditor-General has not made recommendations on data availability, transparency and ethical requirements in this audit series, noting that recommendations on these issues were directed to the Australian Public Service Commission (APSC) and/or the Department of Finance (Finance) by committees of the 46th Parliament and the 2019 Our Public Service, Our Future: Independent Review of the Australian Public Service (the Thodey Review).

Data availability and transparency

Observations

Data availability

Without a whole-of-APS approach to the collection and collation of data on the non-APS workforce involved in Australian government administration, each APS agency has discretion to define the non-APS personnel types it uses and to decide how data on its non-APS workforce is collected and collated. Variation in the definitions employed by APS agencies and differences in the collection and collation of relevant data means that standardised data is not available to support whole-of-APS reporting on the non-APS workforce.

Transparency

Data availability affects transparency to the Parliament and community on workforce arrangements used by the APS, and the capacity for agency-level and APS-wide workforce planning.

5.1 Audit work conducted across Defence, DVA and Services Australia identified different approaches to the collection and collation of data on the non-APS workforce. For example, DVA and Services Australia recorded each contractor or labour hire person in their systems, while Defence conducts an annual census which it advised provides a ‘reasonable estimate’ of the headcount of contractors it engages. The collection method adopted by the audited agencies impacted on their ability to report on the numbers of non-APS personnel – in terms of headcount and/or Full-Time Equivalent (FTE) – at a point in time and with confidence as to the completeness and accuracy of the data.

Observations and key messages on the selected agencies’ management of contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

77

5.2 Each agency examined by the ANAO had established its own definitions for various non-APS personnel types it procured.125 A summary of the number of non-APS personnel types that each entity had defined is set out in Table 5.1 below.

Table 5.1: Non-APS personnel types defined by the audited agencies

Entity Number and description of non-APS personnel types defined

Defence Three — contractor, consultant, and outsourced service provider.

Services Australia Ten — student placement, systems access only, contractor, labour hire, consultant, interpreter, service staff, outsourced (staff), non-APS secondee, and partner.

DVA Three — independent contractor, consultant, and labour hire.

Source: ANAO analysis of documentation from the Department of Defence, Services Australia and the Department of Veterans’ Affairs. Also see Box 4, Chapter 1 in this audit report and in Auditor-General Report No.44 2021–22 Effectiveness of the Management of Contractors — Services Australia and Auditor-General Report No.45 2021–22, Effectiveness of the Management of Contractors — Department of Veterans’ Affairs.

5.3 The data reviewed by the ANAO for this audit series (Table 5.2 below) shows that the number of contractors engaged by the audited agencies ranged from 7.4 per cent to 34.1 per cent of the agency’s total workforce. This data, and other information provided to the ANAO, indicates that there are a large number of contractors doing work in and as part of the operations of the audited agencies, alongside APS personnel, as part of a mixed workforce.

Table 5.2: Contractor and total workforce numbers advised by the audited agencies

Entity Workforce reporting

measurea

Number of contractors

Total

workforce Contractors as a percentage of total workforce

Defence FTE as at 4 March 2022 8311 112,943b 7.4%

Services Australia Headcount as at 30 June 2021 4269 44,061 9.7%

DVA Headcount as at

30 June 2021

1287 3778 34.1%

Note a: Entities do not use the same methods for counting contractors. FTE is a count of all hours worked at a point in time and then converted to the number of full-time staff. ‘Headcount’ is all people employed at the time of the snapshot and includes employees on extended leave. Refer Appendix 3: Measures for reporting on workforce size.

Note b: Includes APS, Australian Defence Force (ADF) and external workforce personnel (including contractors, consultants and other outsourced providers). Defence figures for the number of contractors and total workforce is an estimate. Source: Department of Defence external workforce census, March 2022 and DVA and Services Australia data as at

30 June 2021. The contractor headcount for Services Australia and DVA is the number of individuals categorised as ‘labour hire’ or ‘contractor’ in Services Australia’s ‘Contingent Workforce’ report. The ‘Contingent Workforce’ report is extracted from Services Australia’s Human Resource management system. The report identifies individuals that are not engaged by DVA/Services Australia as APS employees, who have access to entity systems.

125 See Box 4, Chapter 1 in each audit report.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

78

Ethical and personnel security requirements

Observations

Ethical requirements

In the absence of a whole-of-workforce ethical and integrity framework which covers both APS and non-APS personnel, the ethics and behaviours expected of the non-APS workforce involved in Australian government administration are being defined and managed in different ways, at an agency level. This is the case notwithstanding the fact that a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce.

Personnel security requirements

Entities’ management of their non-APS personnel is subject to the Protective Security Policy Framework (PSPF), which sets out government protective security policy outcomes, including for personnel security. To achieve compliance, agencies require a combination of relevant policies and processes, as well as monitoring and reporting arrangements to provide assurance that their policies and processes have been implemented.

5.4 In this audit series the ANAO observed that individual agencies determine the extent to which the ethical and integrity frameworks that apply to APS employees (which include the ethical requirements of the Public Service Act 1999 and the resource management requirements of the Public Governance, Performance and Accountability Act 2013) also apply to contractors and other non-APS personnel engaged by the agency. These decisions are captured in, and managed through, contracts rather than through the specialised human resources capabilities that have been established in agencies for the management of APS employees.

5.5 This discretionary approach applies in an agency operating environment where a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce. On that basis, the rationale for a discretionary approach is not clear.126 One risk of adopting a discretionary approach is that it may give rise to unequal behavioural expectations across personnel types within workplaces, and the risk of inconsistent management of personnel behaviours.

5.6 Across the audited agencies, each agency had established policies and processes for inducting contractors into the behaviours and expectations of the entity and relevant Commonwealth legislation. However, each of the selected agencies had scope to improve assurance about the completion of induction processes by contracted personnel.

5.7 Similarly, each of the audited agencies had mostly established policies and processes to comply with the personnel security requirements reviewed by the ANAO. These were PSPF policies 12 – 14 relating to the eligibility and suitability of personnel, the ongoing assessment of personnel, and the management of separating personnel. While clear and accessible policies and

126 Conversely, the adoption of a discretionary approach for non-APS personnel may suggest that the rationale for the ethical and behavioural frameworks applying to APS employees is historical and may not be considered a fit-for-purpose approach for all workforce types involved in Australian Government administration. In that case there is scope to consider the applicability of relevant frameworks from first principles, for the whole workforce involved in Australian government administration.

Observations and key messages on the selected agencies’ management of contractors

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

79

processes had been established for all personnel types for most requirements, assurance that implementation was effective was limited.

Parliamentary committee and other review recommendations 5.8 The Auditor-General has not made recommendations in this audit series on data collection and reporting relating to the non-APS workforce, and the application of ethical and integrity frameworks to non-APS personnel involved in Australian Government administration.

5.9 Recommendations on these issues were directed to the APSC and/or Finance by committees of the 46th Parliament and the Thodey Review.

5.10 The observations and recommendations of these Parliamentary committees and the Thodey Review are reported at paragraphs 1.14 – 1.24 of this audit report.

5.11 In addition, one part of recommendation 7 of the Thodey Review was that the ‘APSC and Finance ensure that all agencies extend APS integrity requirements to service providers, long-term APS contractors and consultants’.127 The Review included the following implementation guidance for this recommendation:

• Build on current measures — including incorporating the APS Values in contracts — in extending APS integrity arrangements to service providers, long-term APS contractors and consultants.

• Make APS integrity requirements standard contractual obligations for individuals or organisations accepting payment from the Commonwealth.128

Key messages from this audit series for all APS agencies 5.12 Below is a summary of key messages, including instances of good practice, which have been identified in this series of audits and may be relevant for the operations of other APS agencies.

Procurement • Each audited agency had established guidance to inform the use of contractors. The approach to guiding decisions was unique to each agency. Services Australia’s guidance reflected its workforce planning in the areas of its business that use the most contractors. Defence’s

guidance served to draw together the key matters to be considered when engaging a contractor.

• Each audited agency had established contracting templates, deeds and clauses to help operationalise agency requirements when engaging non-APS personnel.

Contract management • To support the effective management and supervision of contractors, each audited agency had considered the availability of training and guidance.

127 Department of the Prime Minister and Cabinet, Our Public Service, Our Future: Independent Review of the Australian Public Service [Internet], 13 December 2019, pages 113 and 307, available from https://www.pmc.gov.au/resource-centre/government/independent-review-australian-public-service [accessed 30 May 2022]. 128 The Australian Government’s 2019 response to the Thodey Review is available from

https://www.pmc.gov.au/resource-centre/government/delivering-for-australians [accessed 30 May 2022].

Audi

tor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

80

• Each audited agency had well-designed induction arrangements to assist contractors to understand their workplace obligations and the agency’s cultural and behavioural expectations. Monitoring the completion of induction requirements provides assurance that obligations and expectations are understood.

Governance • To be sure that policies and processes have been implemented as expected, assurance arrangements such as the Security Quarterly Action Plan approach established by DVA to check on the implementation of security requirements can assist.

Gran

t Hehir

Auditor-General

Canberra ACT 29 June 2022

Audi

tor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

81

Appendices

Audi

tor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

82

Appendix 1 Entity responses

Appendix 1

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

83

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

84

Appendix 2 Performance improvements observed by the ANAO

1. The fact that independent external audit exists, and the accompanying potential for scrutiny, improves performance. Program-level improvements usually occur: in anticipation of ANAO audit activity; during an audit engagement as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;

• initiating reviews or investigations; and

• introducing or revising policies or guidelines.

4. In this context, the below improvements were observed by the ANAO during the course of the audit. It is not clear if these actions and/or the timing of these actions were already planned before this audit commenced. The ANAO has not sought to obtain reasonable assurance over the source of these improvements or whether they have been appropriately implemented.

5. The following performance improvements were observed by the ANAO during the course of this audit.

• Defence issued a new version of Accountable Authority Instruction (AAI) 2: Spending Defence Money — Procurement on 1 February 2022, discussed at paragraph 3.5. The new version made clearer that Defence officials must use panels/standing offer arrangements established by Defence unless one of the exceptions documented in AAI 2 is applicable.

• Defence issued a new version of the fact sheet titled Engaging Contractors, Consultants and Outsourced Service Providers – Decision Making Governance on 7 February 2022, discussed at paragraph 2.28. The new version updated the fact sheet to align with the requirements of the version of Accountable Authority Instruction AAI 2 – Spending Defence Money – Procurement that was published on 1 February 2022.

• Defence released the Defence Strategic Workforce Plan 2021–2040 internally on 1 April 2022, which identified key objectives to be undertaken to develop a more structured approach to integrated workforce planning within Defence.

• Updates to the Defence Security Principles Framework, specifically to Control 16.1, were published on 17 February 2022, and a new Annex A to Control 16.1 was published on 4 March 2022. The new Annex A requires DISP members to provide to Defence a copy of employment screening and management processes for personnel working with or on Defence-related work.

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

85

Appendix 3 Measures for reporting on workforce size

1. The Australian Public Service Commission (APSC) provides the following information on measures used to report on workforce size.129

2. Each year a ‘snapshot’ of data concerning all Australian Public Service (APS) employees as at 30 June and 31 December is released by the APSC. The data is provided by agencies and is drawn from the Australian Public Service Employment Database. APS employment data includes:

• demographic variables including age, gender and work location;

• classification level of APS employees, from trainee to Senior Executive Service;

• diversity data including voluntary items self-reported by APS staff such as disability status, Indigenous status, and cultural diversity; and

• staff movements including engagements, separations and transfers between agencies.

3. The reported size of the APS workforce is a headcount of all people employed at the time of the snapshot. This figure does not adjust for hours worked and it includes any employees who are on extended leave (for 3 months or more), including those on maternity leave and leave without pay.

4. This figure is different to Average Staffing Level (ASL) data provided in the Federal Budget papers. The ASL counts staff for the time they work. For example, a full-time employee is counted as one ASL, while a part time employee who works three full days per week contributes 0.6 of an ASL. The ASL averages staffing over an annual period. It is not a point in time calculation.

5. The Government places a cap on ASL. This is applied across the General Government Sector (which incorporates all of the APS and a range of other government agencies). ASL caps are published in the Federal Budget Papers each year.

6. Another measure of employee numbers used by both private and public sector organisations is Full-Time Equivalent (FTE). This is a count of all hours worked at a point in time and then converted to the number of full-time staff. For example, two staff each working 0.6 days per week would be counted as 1.2 FTE.

129 Australian Public Service Commission, APS Employment Data [Internet], available from https://www.apsc.gov.au/employment-data [accessed 31 May 2022].

Appendix 4 Defence’s decision-making process for the engagement of contractors

Figure A.1: Defence’s decision-making process for the engagement of contractors

Step 1: Planning

• Determine desired task or outcome • Determine urgency and timeframe of completion • Determine if specialist

skills are required

Step 2: Current APS/ADF workforce

• Determine current capacity and capability within existing APS/ADF workforces

Reallocate or reprioritise current Branch jobs or functions to enable this job or function to the undertaken.

Step 3: Cost considerations

• Determine if industry or current APS/ADF workforce is the most efficient and effective method to achieve outcome • Determine estimated cost

and affordability within the current budget • Determine if this option ensures value for money

Is industry the right choice?

Step 4: Industry considerations

• Determine whether to engage a consultant, contractor, or outsourced service provider, per the definitions in the Defence Financial Delegations glossary

Step 5: Obtain approval

• Obtain SES Band 1 / 1 Star or higher approval

Is the daily rate of the contractor or consultant equal to or greater than $4500 (inc

GST)?

Step 6: Advise the Office of the Secretary

• The Secretary should be advised of the proposed rate as soon as Defence officials are aware it is likely to exceed $4500

Step 7: Undertake procurement process

• Must comply with Defence Financial Delegations, the AAIs and the DPM

Step 8: Obtain Section 23(3) Commitment Approval

• SES / Star official approval should be referenced or provided as part of the Section 23(3) commitment approval process.

Step 9: Complete MyFinance Portal or AE643 Defence Purchasing Form and sign the contract

• The Defence official should enter the SES/ Star procurement approver’s name and position number and attach the completed SES/Star Approval document to the AE643.

Yes

No

No

Yes

No

Yes

Do current

APS/ADF workforces have the capacity and capability to achieve the outcome?

Source: ANAO analysis of Department of Defence documents.

Auditor-General Report No. 43 2021–22

Effectiveness of the Management of Contractors — Department of Defence

87

Appendix 5 Training requirements for contractors

Table A.1: Training requirements for contractors in Defence enterprise-level policy

Source of requirement Requirement Timeframe for completion

Defence Records Management Policy

All Defence personnel are to manage their obligations when creating, capturing, controlling and disposing of Defence records across business environments and systems.

The policy applies to contractors if stated in the terms of the contract.

Training must be completed prior to using Defence’s record keeping system, Objective ECM. The policy directs readers to the Responsible Recordkeeping training.

Defence Security Principles Framework

Defence personnel and persons engaged under contract are to undertake suitable security training through:

• Annual Security Mandatory Awareness on Campus; and

• The appropriate document handling course.

Training must be completed annually after initial completion. Defence’s New Starters Guide, which is available on the Defence intranet recommends that supervisors and new starters discuss mandatory training requirements within two weeks of commencing employment at Defence. It references a ‘Suggested Training Schedule’. The suggested timeframe for completion of the Annual Security Awareness course in this document is ‘within 3 months of joining Defence’.

Defence Work Health and Safety Education, Awareness and Skilling Policya

All workers must be provided with appropriate and timely workplace work health and safety induction training.

Prior to, or within one week of, arrival in new Defence workplace.

New workers must complete mandatory work health and safety awareness training.b

As soon as possible and no later than 10 weeks after arrival in the Defence workplace, and annually thereafter.

All workers have a responsibility to:

• Participate in mandatory work health and safety awareness training programs as defined by Defence and their Group or Service.

• Participate in appropriate work health and safety education, instruction, courses or training provided to enable safe work performance

N/A: Puts obligation on worker, which includes contractors, to undertake the above training requirements from the policy.

Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence

88

Source of requirement Requirement Timeframe for completion

Defence Policy Guidance — Mandatory Awareness Programs; contractual arrangements, where considered appropriate.

Defence personnel are required to complete mandatory workplace behaviour awareness training. The Defence guidance on mandatory awareness programs sets out that: ‘Contractors and External Service Providers (ESPs) are required to meet Defence workplace pre-requisites and adhere to relevant Government policies and legislation. This includes training in equity and diversity, work health and safety and other workplace practices and Defence Values where appropriate ... [responsibility for training] needs to be clearly articulated in any contractual arrangements. If considered appropriate, Contractors and ESPs are able to undertake the mandatory awareness programs either by attending the awareness sessions or completing the training online through Campus.’The Campus course description for Mandatory Workplace Behaviour states: ‘This course fulfils annual Workplace Behaviour mandatory awareness requirements. This course is for all Defence members (ADF), Defence employees (APS), Australian Signals Directorate employees (ASD), and External Service Providers (ESP)’.

Training must be undertaken annually after initial completion. The suggested timeframe for completion of the Annual Security Awareness course is ‘within 3 months of joining Defence’.

Defence Policy Guidance — Mandatory Awareness Programs; contractual arrangements, where considered appropriate.

Defence advised the ANAO in January 2022 that all Defence personnel, including contracted service providers, are required to complete mandatory fraud and integrity awareness training at least every two years. As outlined above, the Defence guidance on mandatory awareness programs sets out that: ‘If considered appropriate, Contractors and ESPs are able to undertake the mandatory awareness programs either by attending the awareness sessions or completing the training online through Campus.’ Defence’s policy for mandatory training does not document a specific requirement for contractors to undertake fraud and integrity awareness training.

Training must be undertaken bi-annually after initial completion. The suggested timeframe for completion of the Annual Security Awareness course is ‘within 3 months of joining Defence’.

Note a: The policy sets out that it applies to all Defence workers, including ADF members, APS employees, ADF cadets, contractors and other persons. Note b: The Mandatory WHS Training page on the Defence intranet notes that completing the ‘Work Health and Safety for Defence’ program on Campus meets the annual work health and safety training requirement. Source: ANAO analysis of Department of Defence documentation.