The audit objective was to assess the effectiveness of the Attorney-General’s Department’s design of the Data Retention Industry Grants program, including performance monitoring, reporting, evaluation and assurance arrangements.

Summary and recommendations

Background

1. Telecommunications data is important to law enforcement and national security investigations. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Act) introduced a mandatory data retention scheme applying to telecommunications service providers. The Act was introduced to address:

  • a long-term decline, and inconsistency, in industry retention of data;
  • a long-term increase in the importance of access to data; and
  • an increasingly high-risk operational environment.

2. The nature of the data required to be retained1 differs depending on the type of telecommunications services offered. Service providers are required to secure the retained data by encrypting it and protecting it from unauthorised interference or access.

3. The data retention obligations came into effect on 13 October 2015. Providers that were fully compliant by that date were able to submit a Statement of Work outlining the steps they had taken to become compliant. Otherwise, an 18 month implementation period enabled service providers to apply for approval of a Data Retention Implementation Plan, or obtain an exemption from, or variation to, the data retention obligations.

4. In October 2014, when deciding to legislate for a mandatory data retention regime, the government decided to pay a ‘reasonable portion’ of industry’s implementation costs.2 After receiving further advice from departments, in April 2015 the government decided to establish a demand-driven grants program that would fund 50 per cent of the mid-point of an estimate of industry’s capital cost of implementing a mandatory data retention regime. The program had a budget of $131.3 million.3

5. The program was intended to make a one-off contribution towards existing service providers’ costs in adjusting to meet the new obligations, supporting the industry to adjust to a new regulatory baseline. New entrants to the market were expected to be compliant and, as such, ongoing funding was not considered necessary.

6. Program guidelines were issued on 8 December 2015. Applications were able to be lodged between 7 January 2016 and 23 February 2016. A total of 210 applications were received. Of those, 15 applications were later withdrawn and 15 were assessed as ineligible.4

7. In August 2016, 180 grants totalling $128.4 million were awarded by the Attorney-General. Grant agreements were subsequently signed with 175 of the 180 successful applicants, involving a total grant value of $127.9 million. As at the beginning of June 2018:

  1. the amount of grant funding had been reduced in aggregate by $4.4 million for 19 providers5 (resulting in a revised total program value of $123.5 million);
  2. $122.7 million in grant payments had been made, of which $736,149 was later recovered from two providers (as their reported costs were less than the first instalment payment they had received) with a further $467,000 yet to be recovered (from two providers that have gone into liquidation — see footnote 5);
  3. grant reporting had been finalised and final payments made to 170 providers. One payment of $22,089 remains to be made.

8. The implementation period ended on 13 April 2017. From that date all service providers must be fully compliant with their data retention obligations (except to the extent that they have an approved exemption from, or variation to, those obligations).

9. The Attorney-General’s Department (AGD)6 was responsible for the design and implementation of the Data Retention Industry Grants Program (DRIGP). AGD was assisted by:

  • a Data Retention Implementation Working Group established in 2014 to support engagement between the telecommunications industry and the Government on the implementation of data retention obligations;
  • the Business Grants Hub within the Department of Industry, Innovation and Science (DIIS) whose responsibilities included promotion of the program, provision of contact services to handle inquiries from telecommunications providers, application receipt and assessment, funding agreement negotiation and management, grant payments and compliance activities; and
  • PricewaterhouseCoopers (PwC), with whom AGD entered into various consulting contracts.

10. In May 2018 responsibility for the DRIGP was transferred from AGD to the Department of Home Affairs (DHA). DIIS retained responsibility for administering the grant funding agreements (at the time of the transfer, this consisted of two remaining grant payments). The findings, conclusions and recommendations made in this performance audit report are directed at AGD as: the program was designed and implemented under the grants administration framework of that department; and AGD was responsible for the approval of $122.4 million in grant payments under the program.

Rationale for undertaking the audit

11. The program was selected for audit to examine subsidies for industry to comply with new statutory obligations as well as due to Parliamentary interest. Specifically:

  • the Joint Committee of Public Accounts and Audit has indicated an interest in ongoing scrutiny of Attorney-General’s Department’s (AGD) grants administration practices following earlier Australian National Audit Office (ANAO) audits of two grant programs administered by AGD (Safer Streets, Report 41 of 2014–15, and Living Safe Together, Report 12 of 2016–17); and
  • the Parliamentary Joint Committee on Intelligence and Security’s February 2015 advisory report on the Bill to implement mandatory data retention included a recommendation on the design of the model for awarding grant funding to service providers.

Audit objective and criteria

12. The objective of the audit was to assess the effectiveness of the Attorney-General’s Department’s design of the Data Retention Implementation Grants Program, including its performance monitoring, reporting, evaluation and assurance arrangements.

13. To form a conclusion against the audit objective, the Australian National Audit Office (ANAO) adopted the following high level criteria:

  • Was an appropriate design process established to support the achievement of the Government’s objectives?
  • Were sound performance monitoring, reporting, evaluation and assurance arrangements established?

Conclusion

14. The design of the Data Retention Industry Grants Program by the Attorney-General’s Department was not fully effective. While funding was provided to each eligible provider that applied, in aggregate the department has funded 79 per cent of provider costs, substantially above the 50 per cent level identified as reasonable when the decision was taken to establish the program, with some providers having all their costs paid for by the government.7

15. A single round grants program was established to give effect to the decision that the Australian Government pay a reasonable portion of the telecommunications industry’s costs of implementing the legislated mandatory data retention scheme. The design of the program exposed the Australian Government to the risk that it would make a more generous contribution than the 50 per cent of total industry costs the government had considered reasonable. This risk was realised:

  • the amount of funding awarded represented 65 per cent of the aggregate of providers’ cost estimates included in their applications for grant funding (involving increased grant funding of $28 million compared with funding 50 per cent of estimated industry costs); and
  • the proportion of costs being met by the Australian Government increased to 79 per cent compared with that expected when funding was awarded as a result of actual costs reported by providers being, in aggregate, $39.9 million less than had been estimated by providers when they applied for funding. This included 26 providers where the Australian Government fully funded the data retention implementation costs reported by those providers (involving $23.0 million in funding) notwithstanding that the program guidelines had stated that the Australian Government would not fully fund any provider. On average, the Australian Government contributed 82 per cent towards each provider’s reported actual costs.

16. Implementation of the program was not to an appropriate standard having regard to the risks involved and the policy outcomes being sought. In particular:

  • conflicts of interest were not well managed;
  • there were significant errors and delays in the development and signing of grant agreements; and
  • the grant reporting arrangements, and their administration, provide a low level of assurance.

Supporting findings

Program design

17. Options considered for providing funding to industry were a grants program, licence fee reductions, concessional loans or taxation changes.

18. Attorney-General’s Department contracted a consultant to estimate the capital costs to industry of implementing mandatory data retention. A February 2015 estimate (of between $188.8 million and $319.1 million, with a mid-point of $254 million) informed a decision that the Australian Government would implement a grant program to support 50 per cent of the mid-point estimate. Better data was obtained from industry in early 2016 through the grant application process. Implementation estimates provided by eligible providers totalled $198.5 million, or $55.4 million lower than the mid-point of the earlier estimate. Attorney-General’s Department decided that the consultant should not reflect this data in its final report and the amount of grant funding made available was also not revised. The data from eligible providers that applied for funding would have supported a reduction of $28 million (22 per cent) in program funding whilst still meeting 50 per cent of estimated industry costs (as earlier agreed by the government).

19. Clear and comprehensive program guidelines were developed and issued.

20. In a number of respects, the departmental advice on the program funding model was well considered. The advice addressed the risks associated with basing grant amounts on provider cost estimates, and proposed that these risks be managed by obtaining data from applicants that would allow ‘typical’ implementation costs to be estimated as a key input to determining individual grant amounts. A key risk that was not adequately addressed related to the potential for government estimates of typical implementation costs for individual providers to be greater than the provider’s own estimate of those costs.

21. The program funding model was not used to determine each individual grant amount. Application of the funding model would have seen many telecommunications service providers receiving grant amounts well in excess of their estimated costs. Minimum ($10,000) and maximum (80 per cent of the provider’s cost estimate) grant parameters were established to prevent this result. An iterative process was then employed to re-allocate $88.4 million in grant funding to other eligible applicants.

22. Eligible telecommunications services providers were awarded $128.4 million in grant funding. This represented 65 per cent of the aggregate of those providers’ cost estimates included in their applications for grant funding. There was no documented consideration, or departmental advice to the Attorney-General, about the merits of constraining the amount of grant funding awarded to 50 per cent of estimated costs (on an industry-wide basis). Limiting grant expenditure to 50 per cent of the aggregated estimated costs of industry applicants would have saved $28 million in Australian Government expenditure.

23. As at the beginning of June 2018, reporting from providers awarded grant funding is that the cost to industry of implementing mandatory data retention was $154.7 million. The Australian Government paid grants of $122.7 million to those providers, meaning the Australian Government has met 79 per cent of industry’s reported upfront capital costs of achieving compliance with the data retention obligations.

Program implementation

24. There was no probity plan in place for the program. An assurance plan was prepared, but it was not implemented in full. In addition, the risks associated with conflicts of interest were not well managed, particularly in relation to the consulting firm contracted to assist with the design of the program and with the assessment of applications for funding.

25. The program risk assessment concluded that the program represented a medium risk and a low risk grant agreement was used, this was not inconsistent with guidance. At an individual provider level, one-sixth of providers were identified as presenting a higher risk, to be managed through additional reporting.

26. There were considerable delays in the execution of funding agreements, resulting mainly from the re-issuing of incorrect funding agreements. It took 10 months for all funding agreements to be executed, and all first instalment grant payments to be made. Some funding recipients received first instalment grant payments after data retention obligations came into effect on 13 April 2017, while other providers entered into funding agreements after this date. Delays were incurred due to the need to rectify the issuing of incorrect funding agreements.

27. The reporting arrangements, and their administration by the Department of Industry, Innovation and Science, relied heavily on statements made by funding recipients, and therefore provide a low level of assurance.

28. There is insufficient evidence yet available to demonstrate that the providers awarded grant funding are meeting their data retention obligations such that law enforcement agencies are now able to obtain the data they need. An effectiveness review is to be conducted in 2019.

Recommendations

Recommendation no.1

Paragraph 2.41

Where the Australian Government decides to make a contribution to project costs (rather than fully fund costs) AGD design and administer grant programs in a way that reflects and preserves the intended cost sharing arrangements.

Attorney-General’s Department response: Agreed.

Department of Industry, Innovation and Science response: Agreed.

Recommendation no.2

Paragraph 3.20

AGD design grant programs for probity, including putting in place appropriate mechanisms for identifying and actively managing conflicts of interest.

Attorney-General’s Department response: Agreed.

Department of Industry, Innovation and Science response: Agreed.

Recommendation no.3

Paragraph 3.35

When employing a grants hub to contract with entities to deliver grant programs on its behalf, AGD agree with the department providing the hub service performance indicators relating to the accuracy and timeliness with which grant agreements will be drafted, negotiated and finalised.

Attorney-General’s Department response: Agreed.

Department of Industry, Innovation and Science response: Agreed.

Recommendation no.4

Paragraph 3.54

AGD determine the nature, content and frequency of reporting requirements for grant programs proportional to the risks involved and policy outcomes being sought.

Attorney-General’s Department response: Agreed.

Department of Industry, Innovation and Science response: Agreed.

Summary of entity responses

29. A copy of the proposed audit report was provided for comment to AGD, DIIS and DHA. Comments on the proposed report were provided by the three departments and are included at Appendix 1. Summary responses were also provided by AGD and DIIS, as follows.

Attorney-General’s Department

The Attorney-General’s Department welcomes the ANAO’s audit report into the Data Retention Industry Grants Program. The department accepts the four recommendations relating to program design and delivery, and the management of conflicts of interest. The department is committed to best practice in grants administration, and to continuous improvement in our delivery of such programs. We have commenced implementation of the recommendations and will continue improvements for any future grants programs.

Department of Industry, Innovation and Science

The Department of Industry, Innovation and Science (the department) acknowledges the ANAO’s report on the Administration of the Data Retention Industry Grants Program. The department notes that the program presented a number of challenges given that key design decisions had already been reflected in legislation prior to this department’s involvement. This placed a number of constraints on our delivery of the program, required complex administrative processes to be put in place to support its delivery, and reduced opportunities for streamlining and adoption of standard business processes that exist through the Business Grants Hub.

30. An extract of the proposed report was provided to PwC.

Key learnings for all Australian Government entities

Below is a summary of key learnings, including instances of good practice, which have been identified in this audit that may be relevant for the operations of other Commonwealth entities.

Program design

1. Background

Introduction of mandatory data retention requirements

1.1 Telecommunications data is important to law enforcement and national security investigations. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Act) introduced a mandatory data retention scheme applying to telecommunications service providers. The Act was introduced to address:

  • a long-term decline, and inconsistency, in industry retention of data;
  • a long-term increase in the importance of access to data; and
  • an increasingly high-risk operational environment.

1.2 The nature of the data required to be retained8 differs depending on the type of telecommunications services offered. Service providers are required to secure the retained data by encrypting it and protecting it from unauthorised interference or access.

1.3 The data retention obligations came into effect on 13 October 2015. Providers that sought funding under the Data Retention Industry Grants Program and were fully compliant by that date were able to submit a Statement of Work outlining the steps they had taken to become compliant. Otherwise, an 18 month implementation period enabled service providers to apply for approval of a Data Retention Implementation Plan, or obtain an exemption from, or variation to, the data retention obligations.

1.4 The implementation period ended on 13 April 2017. From that date all service providers must be fully compliant with their data retention obligations (except to the extent that they have an approved exemption from, or variation to, those obligations).

Data Retention Industry Grants Program

1.5 In October 2014, when deciding to legislate for a mandatory data retention regime, the government agreed that the Australian Government would pay a ‘reasonable portion’ of industry’s implementation costs.9 In introducing the Bill for the Act, the Government indicated that it expected to make a ‘substantial contribution’ to the cost of implementation of the scheme.

1.6 After receiving further advice from departments, in April 2015 the government decided to establish a demand-driven grants program that would fund 50 per cent of the mid-point of an estimate of industry’s capital cost of implementing a mandatory data retention regime. The program had a budget of $131.3 million.10

1.7 The program was intended to make a one-off contribution towards existing service providers’ costs in adjusting to meet the new obligations, supporting the industry to adjust to a new regulatory baseline. New entrants to the market were expected to be compliant and, as such, ongoing funding was not considered necessary.

1.8 The Attorney-General’s Department (AGD)11 was responsible for the design and implementation of the Data Retention Industry Grants Program (DRIGP). AGD was assisted by:

  • a Data Retention Implementation Working Group established in 2014 to support engagement between the telecommunications industry and the Government on the implementation of data retention obligations;
  • the Business Grants Hub within the Department of Industry, Innovation and Science (DIIS)12 whose responsibilities included promotion of the program, provision of contact services to handle inquiries from telecommunications providers, application receipt and assessment, funding agreement negotiation and management, grant payments and compliance activities. A Memorandum of Understanding13 between the two departments signed in February 2016 set out that fees of $2.8 million would be payable to DIIS over three financial years where 210 applications were received (excluding a further fee of $223,000 that would be payable for an optional evaluation in 2019–20); and
  • PricewaterhouseCoopers (PwC), with whom AGD entered into various consulting contracts (with an aggregate value of $387,945) to:
    • cost a data retention regime (which informed decisions on the quantum of funding to be made available to industry by way of grants);
    • advise on audit, risk and assurance strategies for the program; and
    • apply the program’s funding model to eligible applicants as a key input in determining the amount of each grant.

1.9 Program guidelines were issued on 8 December 2015. Applications were able to be lodged between 7 January 2016 and 23 February 2016.

1.10 A total of 210 applications were received. Of those, 15 applications were later withdrawn and 15 were assessed as ineligible. Seven were assessed as ineligible because they did not submit an implementation plan or submitted it late, another two did not have an agreed plan and a further six applicants were assessed to not meet other eligibility criteria, including not having an eligible service.

1.11 In August 2016, 180 grants totalling $128.4 million were awarded by the Attorney-General. Grant agreements were subsequently signed with 175 of the 180 successful applicants, involving a total grant value of $127.9 million. The grants were payable in two instalments, the first upon the signing of the funding agreement and the second after the provider had met its grant reporting obligations. As at the beginning of June 2018:

  • the amount of grant funding had been reduced in aggregate by $4.4 million for 19 providers14 (resulting in a revised total program value of $123.5 million);
  • $122.7 million in grant payments had been made, of which $736,149 was later recovered from two providers (as their reported costs were less than the first instalment payment they had received) with a further $467,000 yet to be recovered (from two providers that have gone into liquidation — see footnote 14);
  • grant reporting had been finalised and final payments made to 170 providers. In January 2018, eight grant reports had yet to be obtained, or the assessment of reports completed, involving potential second payments of $482,170, by 4 June 2018, only one second payment, of $22,089 remains outstanding.

1.12 In May 2018 responsibility for the Data Retention Industry Grants Program was transferred to the Department of Home Affairs. DIIS retained responsibility for administering the grant funding agreements (at the time of transfer, this consisted of two remaining grant payments). The findings, conclusions and recommendations made in this performance audit report are directed at AGD as: the program was designed and implemented under the grants administration framework of that department; and AGD was responsible for the approval of $122.4 million in grant payments under the program.

Audit rationale and approach

1.13 The program was selected for audit to examine subsidies for industry to comply with new statutory obligations as well as due to Parliamentary interest. Specifically:

  • the Joint Committee of Public Accounts and Audit has indicated an interest in ongoing scrutiny of AGD’s grants administration practices following earlier ANAO audits of two grant programs administered by AGD (Safer Streets, Report 41 of 2014–15, and Living Safe Together15, Report 12 of 2016–17); and
  • the Parliamentary Joint Committee on Intelligence and Security’s February 2015 advisory report on the Bill to implement mandatory data retention included a recommendation on the design of the model for awarding grant funding to service providers.

Audit objective, criteria and scope

1.14 The objective of the audit was to assess the effectiveness of the Attorney-General’s Department’s design of the Data Retention Industry Grants Program, including its performance monitoring, reporting, evaluation and assurance arrangements.

1.15 To form a conclusion against the audit objective, the Australian National Audit Office (ANAO) adopted the following high level criteria:

  • Was an appropriate design process established to support the achievement of the Government’s objectives?
  • Were sound performance monitoring, reporting, evaluation and assurance arrangements established?

1.16 The scope of the audit included an examination of the Attorney-General’s Department’s design of the program and the arrangements established by the department to: monitor, report and evaluate the performance of the program; and provide assurance that the program was being delivered as intended and the grant recipients were meeting their obligations.

Audit methodology

1.17 The audit’s methodology included:

  • examination and analysis of documentation relating to the Data Retention Industry Grants Program;
  • review and analysis of departmental data related to costings, models and grant administration; and
  • examination of emails and interviews with relevant departmental officers.

1.18 The audit was conducted in accordance with the ANAO Auditing Standards at a cost to the ANAO of approximately $402,000.

1.19 The team members for this audit were Hannah Conway, Amanda Reynolds and Brian Boyd.

2. Program design

Areas examined

The ANAO examined whether the program was appropriately designed.

Conclusion

A single round grants program was established to give effect to the decision that the Australian Government pay a reasonable portion of the telecommunications industry’s costs of implementing the legislated mandatory data retention scheme. The design of the program exposed the Australian Government to the risk that it would make a more generous contribution than the 50 per cent of total industry costs the government had considered reasonable. This risk was realised:

  • the amount of funding awarded represented 65 per cent of the aggregate of providers’ cost estimates included in their applications for grant funding (involving increased grant funding of $28 million compared with funding 50 per cent of estimated industry costs); and
  • the proportion of costs being met by the Australian Government increased to 79 per cent compared with that expected when funding was awarded as a result of actual costs reported by providers being, in aggregate, $39.9 million less than had been estimated by providers when they applied for funding. This included 26 providers where the Australian Government fully funded the data retention implementation costs reported by those providers (involving $23.0 million in funding) notwithstanding that the program guidelines had stated that the Australian Government would not fully fund any provider. On average, the Australian Government contributed 82 per cent towards each provider’s reported actual costs.
Area for improvement

The ANAO made one recommendation relating to improved design and administration of partner funding arrangements in situations where the Australian Government has decided to make a contribution toward project costs (rather than fully fund those costs).

What alternatives to a grant program were considered?

Options considered for providing funding to industry were a grants program, licence fee reductions, concessional loans or taxation changes.

2.1 Advice from Attorney-General’s Department (AGD) to the government in April 2015 was that ‘general advice’ from the Department of Finance was that a grants program was a preferable approach to industry licence fee reductions, concessional loans or taxation changes. In December 2017, AGD advised the ANAO that:

AGD officials met with a cross section of Department of Finance representatives to discuss funding options. Following discussion of the Government’s objectives and exposition of the various means of providing Commonwealth funds to industry the Department of Finance advised that a grants program was most appropriate. The discussions were held face-to-face and formal minutes were not taken. Rather, the advice received was directly incorporated into advice to Government, and is reflected in contemporaneous documents.

How was the amount of available grant funding determined?

Attorney-General’s Department contracted a consultant to estimate the capital costs to industry of implementing mandatory data retention. A February 2015 estimate (of between $188.8 million and $319.1 million, with a mid-point of $254 million) informed a decision that the Australian Government would implement a grant program to support 50 per cent of the mid-point estimate. Better data was obtained from industry in early 2016 through the grant application process. Implementation estimates provided by eligible providers totalled $198.5 million, or $55.4 million lower than the mid-point of the earlier estimate. Attorney-General’s Department decided that the consultant should not reflect this data in its final report and the amount of grant funding made available was also not revised. The data from eligible providers that applied for funding would have supported a reduction of $28 million (22 per cent) in program funding whilst still meeting 50 per cent of estimated industry costs (as earlier agreed by the government).

2.2 A key design issue for any grant program is the amount of funding that should be made available. The decision on the amount of grant funding to be made available through the Data Retention Industry Grants Program (DRIGP) was informed by work AGD commissioned from consulting firm PricewaterhouseCoopers (PwC) to estimate the cost to industry of implementing mandatory data retention.16 The various estimates are illustrated in Figure 2.1.

Figure 2.1: Estimates of industry costs and quantum of grant funding ($ millions)

 

Source: ANAO analysis of AGD records.

2.3 A draft report was provided to AGD on 23 October 2014. That report included a ‘preliminary estimate’ that indicated the implementation cost to industry of the proposed regime was between $152.3 million and $394.9 million. There were significant caveats placed on this estimate, reflecting the short period of time available to undertake the work (three weeks) which had impacted on the number of telecommunications providers able to provide input to the development of the estimates, uncertainty about the specific data requirements and practical application of the proposed regime and uncertainties about the number of internet service providers.

2.4 The government decided later in October 2014 that the Australian Government would pay a ‘reasonable portion’ of the telecommunications industry’s capital establishment costs, with the details to be decided after further industry consultation.

2.5 Subsequent to PwC producing the draft report, the proposed Bill to introduce mandatory data retention became publicly available. AGD then requested that PwC:

  • further consult with industry to narrow the overall cost range for implementation of the mandatory data retention scheme. These further consultations were to be informed by the Bill, Explanatory Memorandum and Exposure Draft regulation, as well as additional legal and technical guidance developed by AGD; and
  • develop a funding model for the allocation of grant funding to individual telecommunications providers.

2.6 A final report on costings and funding model issues was provided to AGD, dated 12 February 2015. It stated that the upfront capital cost to business of the proposed mandatory data retention regime that PwC had been able to quantify was between $188.8 million and $319.1 million in nominal terms, with a mid-point of $254 million.17

2.7 This work was relied upon18 to advise the government in April 2015 that the government should fund 50 per cent of the mid-point of the estimated capital cost to industry of implementing a mandatory data retention regime. Other options presented to the government were funding 40 per cent or 25 per cent of the mid-point of the estimated range of costs to industry. An option of funding 75 per cent of the mid-point of the estimated range of industry costs was also canvassed, with the government advised that this would exceed what could be considered a reasonable contribution.

2.8 The government agreed to a grant program to support 50 per cent of the mid-point of the estimated costs to industry, with a funding model for the program to be developed. Allowing for price indexation over the envisaged three financial years in which grant payments were budgeted to be made, the 50 per cent funding package was budgeted to cost $128.4 million in grants with a further $2.9 million budgeted for the design and implementation of the grant program.

2.9 At the request of AGD, in June 2016 PwC produced a draft report updating its estimate of the cost to industry of the mandatory data retention regime. This report drew on data submitted by telecommunications service providers in their grant applications (specifically, each applicant’s estimate of the cost of implementing the data retention regime). It estimated the upfront cost to eligible industry applicants of implementing mandatory data retention at $198.5 million (which was the aggregate of the estimated costs submitted by each of the 180 services providers that were eligible for a grant, see paragraphs 2.31 to 2.32). This suggested that a program to fund 50 per cent of industry costs would have involved awarding grants of up to $100.4 million19, a reduction of $28 million (22 per cent).

2.10 An earlier draft of this report, provided to AGD in September 2015, had included the estimated upfront cost to industry previously provided in February 2015 (see paragraph 2.6) of between $188.8 million and $319.1 million, with a mid-point of $254 million. AGD instructed PwC to finalise the September 2015 version of the report (which based its cost estimate on ‘scaled up’ estimates provided by a sample of service providers), not the June 2016 version (which was supported by better data, sourced from the cost estimates provided by all eligible grant applicants as part of their application for the grant).20 The report was finalised in August 2016.

Were appropriate program guidelines developed?

Clear and comprehensive program guidelines were developed and issued.

2.11 Central to the planning of a granting activity, and a key obligation under the Commonwealth Grants Rules and Guidelines, is the development of program guidelines.

2.12 AGD engaged with the Data Retention Implementation Working Group (see paragraph 1.8) and the Department of Communications and the Arts when developing the program guidelines. This was in addition to the consultation with central agencies that is required by the grants administration framework. The development of the guidelines also reflected the program funding model parameters agreed to by the government (see paragraph 2.18).

2.13 Draft guidelines were provided to the Attorney-General on 3 December 2015. They were issued by the Attorney-General on 8 December 2015.

2.14 The guidelines provided a reasonable basis for the implementation of the program. This included specifying:

  • the purpose of the grants (to assist eligible providers meet their data retention obligations);
  • a program objective (to assist eligible providers meet their obligations by making a contribution to the typical up-front costs of compliance);
  • the amount of funding that was available (up to $128.4 million);
  • roles and responsibilities;
  • the application process including the deadline for submitting applications;
  • eligibility requirements;
  • an outline of the assessment process and how the amount of individual grants would be determined;
  • funding terms and conditions; and
  • departmental contact details for any inquiries or complaints.

2.15 A Customer Information Guide was also prepared. The purpose of this guide was to provide assistance to providers with completing their grant applications. Providers were informed that the Guide should be read in conjunction with the program guidelines and that, in the event of any inconsistency, the program guidelines prevailed.

Was well considered advice provided on the program funding model?

In a number of respects, the departmental advice on the program funding model was well considered. The advice addressed the risks associated with basing grant amounts on provider cost estimates, and proposed that these risks be managed by obtaining data from applicants that would allow ‘typical’ implementation costs to be estimated as a key input to determining individual grant amounts. A key risk that was not adequately addressed related to the potential for government estimates of typical implementation costs for individual providers to be greater than the provider’s own estimate of those costs.

2.16 In its advisory report on the Bill to implement mandatory data retention, the Parliamentary Joint Committee on Intelligence and Security recommended that the model for funding service providers:

  • provide sufficient support for smaller service providers, who may not have sufficient capital budgets or operating cash flow to implement data retention, and privacy and security controls, without up-front assistance;
  • minimise any potential anti-competitive impacts or market distortions;
  • account for the differentiated impact of data retention across different segments of the telecommunications industry;
  • incentivise timely compliance with their data retention obligations;
  • provide appropriate incentives for service providers to implement efficient solutions to data retention;
  • not result in service providers receiving windfall payments to operate and maintain existing, legacy systems; and
  • take into account companies that have recently invested in compliant data retention capabilities in anticipation of the Bill’s passage.

2.17 Consistent with the Government response to the Committee report, these seven factors were taken into account in the design of the program’s funding arrangements. AGD also had regard to the Commonwealth Grant Rules and Guidelines and advice it had obtained in June 2015 from PwC on funding model options.

2.18 In September 2015 AGD advised the Attorney-General on the recommended funding model for the program. This involved:

  • a single round grants program with all eligible applicants to receive a one-off grant21;
  • linking the program eligibility criteria to industry’s obligations and statutory process established by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015;
  • individual grant amounts to be arrived at by scoring applicants on their enterprise size and key business characteristics (to be provided by telecommunications service providers in their grant applications). These characteristics had been identified by PwC as the necessary inputs to identify the ‘typical’ financial impact of implementing the data retention obligations; and
  • providers being unlikely to receive grant amounts that cover the entire sum of their assessed actual cost of compliance.

2.19 AGD further advised that the proposed model was an alternative to distributing grant funding as a percentage of applicants’ actual implementation costs. AGD advised the Attorney-General that it would have been ‘disproportionately costly [for the department] to validate’ applicant cost estimates.22 AGD also viewed the proposed model as a way of mitigating risks associated with providers under- or over-estimating their costs.

2.20 The advice addressed one of the risks from adopting AGD’s recommended approach to calculating grant amounts. Specifically, it outlined that the key variables proposed for scoring the impact of implementing the obligations came from ‘a limited sample of industry data’ such that ‘a weighting for each variable cannot be determined until data from all grant applicants is collected’. AGD flagged that this reduced the level of transparency about the assessment process that could be provided but that this could be addressed by providing information about the operation of the model to eligible applicants after the assessment process was complete.

2.21 AGD did not identify in its advice that there was a risk that the funding model could result in proposed grant amounts significantly in excess of applicant cost estimates. This risk was realised (see paragraphs 2.26 to 2.28).

2.22 In October 2015, the Attorney-General approved the funding model recommended by AGD. Agreement to the model was also subsequently obtained from the Prime Minister and the Minister for Communications and the Arts.

Was the program funding model used to calculate individual grant amounts?

The program funding model was not used to determine each individual grant amount. Application of the funding model would have seen many telecommunications service providers receiving grant amounts well in excess of their estimated costs. Minimum ($10,000) and maximum (80 per cent of the provider’s cost estimate) grant parameters were established to prevent this result. An iterative process was then employed to re-allocate $88.4 million in grant funding to other eligible applicants.

2.23 As a demand-driven grant program, all eligible applicants were able to share in the up to $128.4 million in grant funding that was made available. The program guidelines issued by the Attorney-General on 8 December 2015 outlined that the model for deciding upon the amount of funding to be paid to each eligible applicant would involve scoring each application against two weighted criteria (see Table 2.1). The guidelines further outlined that:

The Program Delegate [within AGD] will advise the Minister on appropriate minimum and maximum grant amounts, and the overall distribution of program funding based on Eligible Applicant scores, to ensure that the funding allocation is consistent with the Program objectives and does not exceed the appropriation for the Program i.e. up to $128.4 million. Note that funding allocations will not be linked to actual cost but to typical implementation cost, and do not reimburse full costs but are a financial contribution to the typical up-front costs of compliance.

Table 2.1: Funding model

 

Criterion 1: Enterprise Scale

Criterion 2: Typical Implementation Impact

Description:

The size of the applicant as determined by gross annual revenue for the most recent full financial year. Businesses with an annual gross revenue of up to $3 million will receive a score of 1 to 25 points (with the smallest businesses receiving the most points). This criterion was aimed at lending support to small business.

Derived from calculating the typical cost of achieving compliance based on the analysis of information provided by all eligible applicants on the cost of compliance and subsequent weighting of the following variables:

  • number of eligible services;
  • types of eligible services;
  • number of subscribers;
  • gross annual revenue (turnover) for the most recent financial year; and
  • anticipated data storage required to meet the data retention obligations, as at 13 April 2017.

Weighting:

25% of total score.

75% of total score.

Assessment performed by:

AusIndustry and AGD.

PwC

     

Source: ANAO analysis of program guidelines.

2.24 AGD provided PwC with a dataset including the following fields that were collected from provider applications:

  • provider information (applicant name23, application number, Data Retention Implementation Plan reference number);
  • service provision (including the number of eligible services and a list of eligible service types);
  • financial information (such as sales revenue turnover);
  • Enterprise Score scale;
  • number of subscribers;
  • anticipated data storage volume; and
  • total estimated project cost.

2.25 PwC used a technique called multivariate regression to estimate the Typical Implementation Impact score.24 A total score out of 100 was then calculated by adding the Enterprise Scale score and the Typical Implementation Impact score. The total of the scores allocated across all Eligible Applicants was 7006, an average (mean) score per provider of 38.92 out of 100. The proposed methodology then involved dividing the available grant funding linearly across these scores, with each point being worth $18,321.

2.26 In aggregate, the 180 eligible providers estimated their costs of implementation to be $198.5 million. As outlined in Table 2.2, it was common for the modelled costs to be significantly different to the estimates submitted by applicants. Of note was that:

  • typical implementation costs for 82 providers estimates were modelled to be significantly lower than the provider had estimated, for example:
    • one provider had estimated its costs to be $157,000 with the modelling indicating typical implementation costs 69 per cent lower at $49,012 and the funding model proposing a grant of $813,537. In April 2017, the provider reported to the Department of Industry, Innovation and Science (DIIS) that its actual costs were $142,241 (9 per cent less than had been estimated); and
    • one provider had estimated its costs to be $61.4 million with the modelling suggesting its costs should be 90 per cent lower, at $5.95 million, with the application of the funding model proposing a grant of $956,679. Actual costs of $29.9 million were reported to DIIS;
  • in contrast, typical implementation costs for 86 providers were modelled to be significantly higher than their submitted estimates, for example:
    • a provider that estimated its costs to be $5,625 had its costs modelled to be more than five times higher (at $32,579) with the application of the funding model then proposing a grant of $505,970. The provider reported to DIIS that its actual project costs were the same as its estimate; and
    • another provider had estimated its costs to be $34,202 had its costs modelled to be $278,092, more than 700 per cent higher with the application of the funding model proposing a grant of $597,871. Actual costs of $33,856 were reported to DIIS.

Table 2.2: Applicant estimated costs and modelling of typical implementation costs

Cohort

# Providers

Aggregate of applicant estimates

Aggregate of modelled costs

Difference

Providers where the modelled costs was more than 10% less than the applicant’s estimate

86 (48%)

$107.1 million

$24.3 million

-$82.8 million

Providers where the modelled cost was within 10% of the applicant’s estimate

12 (7%)

$2.1 million

$2.1 million

$25 752

Providers where the modelled cost was more than 10% higher than the applicant’s estimate

82 (46%)

$89.4 million

$180.1 million

+$90.7 million

         

Source: ANAO analysis of AGD and DIIS data.

2.27 PwC reported to AGD that dividing the up to $128.4 million in available grant funding amongst the 180 eligible applicants based on the resulting scores would have resulted in ‘perverse outcomes’. In particular:

  • the highest ranking provider in terms of points would be awarded a grant which would reimburse only two per cent of its estimated costs; and
  • 88 per cent of providers would receive a grant amount higher than their estimated costs. Specifically, these grants would have ranged from one per cent higher than the applicant’s estimated costs to 16,782 per cent higher than the applicant’s estimated costs.

2.28 AGD and PwC considered various options to address this situation. The approach recommended to, and agreed by, the Attorney-General involved:

  • a minimum grant amount of $10,000 — which only had a direct effect on the three applicants that had estimated costs less than this amount. Under the modelling these providers would have been awarded grants significantly in excess of their estimated costs25;
  • a maximum grant of 80 per cent of an applicant’s estimated cost. This resulted in 158 eligible applicants having their grant amount reduced compared to the amount calculated by the modelling. The value of these reductions aggregated to $88.4 million;
  • allocating the remaining funds iteratively amongst the remaining 19 eligible applicants as depicted in Figure 2.2. The iterative allocation process employed to allocate the funding had not been foreshadowed in the program guidelines (the guidelines had provided for minimum and maximum grant amounts to be established). This process increased the amount of grant funding for 19 applicants in aggregate by more than seven-fold (from $14.4 million to $104.7 million). Of the 19 applicants:
    • 17 received a grant representing 80 per cent of their estimated costs; and
    • two received a grant at below the cap of 80 per cent (the amounts represented 47 per cent and 64 per cent of their estimated costs).

Figure 2.2: Iterative allocation process

An image of a circular flow chart showing the iterative allocation process of funding. The process began by considering the set of provider’s receiving less than the eighty per cent of their estimated costs. The residual funds available to the grant program were then allocated to each of these providers, proportional to their total points score. Providers were still limited by the eighty per cent threshold, so if the proportional allocation resulted in a breach of the eighty per cent threshold the additional funds over the threshold formed the pool for the next iteration. This process commenced until there was no funding left in the pool.

Source: PwC report of 7 July 2016.

2.29 The approach adopted meant that the funding model published in the program guidelines was not being employed.

How much were the grants awarded expected to contribute to industry’s costs?

Eligible telecommunications services providers were awarded $128.4 million in grant funding. This represented 65 per cent of the aggregate of those providers’ cost estimates included in their applications for grant funding. There was no documented consideration, or departmental advice to the Attorney-General, about the merits of constraining the amount of grant funding awarded to 50 per cent of estimated costs (on an industry-wide basis). Limiting grant expenditure to 50 per cent of the aggregated estimated costs of industry applicants would have saved $28 million in Australian Government expenditure.

2.30 The ‘up to’ $128.4 million in grant funding that was made available reflected the Government decision to meet 50 per cent of the mid-point of estimated range of industry implementation costs (see paragraph 2.7) as it had decided to make a ‘reasonable’ or ‘substantial’ contribution to those costs (see paragraph 1.5).

2.31 In aggregate, the cost estimates of the 210 applicants totalled $226.3 million. Fifteen applicants later withdrew their applications and a further 15 were assessed as ineligible. The cost estimates for the remaining 180 eligible applications aggregated to $203.9 million.

2.32 Cost estimates submitted by applicants were considered as part of the assessment of applications. During the assessment process, 35 applicants revised their estimates. This comprised 28 applicants that reduced their cost estimates by a total of $5.6 million and seven that increased their estimates by a total of $254,925 (resulting in a net overall reduction of $5.4 million). The aggregate of the final cost estimates for the 180 eligible applicants totalled $198.5 million.26 This was $55.5 million (22 per cent) lower than the $254 million mid-point estimate used to budget the amount of grant funding to be made available.

2.33 On 24 August 2016, the Attorney-General approved recommendations from AGD that involved $128.4 million in grant funding being awarded to 180 eligible telecommunications service providers. There was no documented consideration by AGD, or advice to the Attorney-General, as to the merits of reducing the amount of grant funding to be awarded to an amount that was 50 per cent of total costs estimated by eligible applicants. This would have offered the potential to reduce Australian Government expenditure by $28 million to $100.4 million.27 In July 2018, AGD advised the ANAO that ‘it consistently understood the Government’s decision to be to allocate a fixed amount to contribute to industry costs, rather than meeting a percentage of total implementation costs’.28

2.34 Modelling was undertaken of capping the Australian Government contribution at 70 per cent, 75 per cent and 80 per cent of each grant applicant’s estimated costs. There was no documented consideration, or advice from AGD to the Attorney-General, as to whether this would result in the program funding more than the 50 per cent of total industry estimated costs. This was the case notwithstanding that the government had decided that the Australian Government contribution across the program should be 50 per cent of estimated industry costs and the Attorney-General’s advice that funding 75 per cent of industry costs would not have been reasonable.29 In July 2018, AGD advised the ANAO that:

The Department notes its view that the Government decision allocated a fixed funding pool.30 Moreover the Department did not read the Government’s decision as indicating that meeting 75 per cent of costs was unreasonable, but rather a pool based on 75 per cent of estimated costs would be too significant as a total contribution, noting the potential for over-estimation of costs.

How much has the Australian Government contributed to industry’s reported actual costs?

As at the beginning of June 2018, reporting from providers awarded grant funding is that the cost to industry of implementing mandatory data retention was $154.7 million. The Australian Government paid grants of $122.7 million to those providers, meaning the Australian Government has met 79 per cent of industry’s reported upfront capital costs of achieving compliance with the data retention obligations.

2.35 The program guidelines had stated that grant funding allocations would be a financial contribution towards the costs of compliance and, accordingly, would not fully meet the costs of individual providers.

2.36 The reporting framework established by AGD with DIIS enabled AGD to be informed of progress of the program, in particular the number of funding agreements executed and grant funds paid. In November 2017, AGD advised the ANAO that this enabled it to evaluate the extent to which the program was contributing to the upfront capital costs of achieving compliance with data retention obligations.

2.37 The grant agreements specified the Australian Government funding as a fixed amount. This exposed the Australian Government to risk in circumstances where providers had overestimated their implementation costs. A better approach, consistent with the intention that the program meet a ‘reasonable portion’ of industry costs rather than fully meet any provider’s costs31, would have been to specify the grant amount as being a fixed percentage of eligible actual expenditure subject to a cap (being the grant amount approved by the Attorney-General). Other grant programs audited by the ANAO that have involved the Australian Government making a contribution to project costs (rather than fully funding projects) have drafted their agreements in a way that maintains the relative contributions of the Australian Government and the project proponent in circumstances where costs are less than estimated at the time funding was awarded.

2.38 As at the beginning of June 2018, AGD and DIIS had accepted grant reports from, and finalised grant payments to, 170 providers. As outlined in Table 2.3, it was quite common for providers to either under- or over-estimate their implementation costs. The quantum of over-estimations ($43.3 million) was considerably greater than the quantum of under-estimations ($3.0 million). Had grant funding been capped at the lesser of the amount approved by the Attorney-General and 80 per cent of reported actual implementation costs (80 per cent being the cap decided upon when grant funding amounts were calculated — see paragraph 2.28) a saving of $10.7 million would have been realised in relation to those 170 providers.

Table 2.3: Reported final costs compared with estimated costs

Cohort

# Providers

Aggregate of applicant estimates

Aggregate of reported actual costs

Difference

Actual costs more than estimated

65

$16.5m

$19.5m

$3.0m

Actual costs same as estimated

16

$65.9m

$65.9m

Nil

Actual costs less than estimated

89

$112.0m

$68.7m

$43.3m

Total

170

$194.4m

$154.1m

$40.3m

         

Source: ANAO analysis of AGD and DIIS data.

2.39 Where reported actual costs were less than the grant amount, the amount of the second milestone payment was adjusted such that total grant funding was reduced to match 100 per cent of the reported actual costs. This meant that those providers were not required to make a financial contribution to the costs of implementing mandatory data retention as the government made a 100 per cent contribution. This approach was to the detriment of providers that had underestimated their costs when applying for funding (as the proportion of their actual costs the Australian Government was meeting reduced because the grant amount, based on their original estimate of costs, was for a fixed amount32) and favoured those providers that had overestimated their costs. For example:

  • a provider was awarded a grant of $28.8 million calculated as being 47 per cent of its estimated project costs of $61.4 million. Its reported actual cost was just under half the costs estimated when funding was awarded.33 The grant funding paid of $28.8 million meant the provider contributed very little to the cost of implementing mandatory data retention;
  • a provider that was awarded a $168,000 grant calculated as 80 per cent of its estimated costs, reported that its actual costs were less than had been estimated as it had insourced some work it had envisaged contracting out and did not require new hardware as had been originally budgeted for. The reported actual costs were fully met by the grant funding such that it made no financial contribution to the cost of implementing mandatory data retention; and
  • another provider that was awarded a grant calculated as 80 per cent of its estimated costs had its grant reduced to match its reported actual expenditure (which was $4 million less than had been budgeted), meaning the Australian Government fully funded the work. The provider’s final report stated as follows:

    The overall actual project cost came in some $3.925 million below the budget forecast from 2015. This also meant that the actual expenditure was some $234,359 below the approved total maximum grant amount.

    The difference between budget forecast and actual can be explained by the following key points.

    Approximately $3 million of direct labour budget was unspent. This was due to savings in efficiency of deliverables, as well as an untouched management reserve.

    Hardware savings of ~$1 million was a result of changes required to the strategic build scheduling. Due to improved timing efficiency, these costs have since been incorporated into the build, rather than as a change, thus the change cost was not incurred. Software costs ended higher than original forecast once networks storage requirements were implemented.

2.40 The 172 providers had reported total implementation costs of $154.3 million. Total grants of $122.4 million had been paid to those providers, meaning the Australian Government has contributed in aggregate 79 per cent of industry’s reported implementation costs. On average, the Australian Government contributed 81 per cent towards each of the 172 provider’s reported actual costs. This included 26 providers where the grant fully met the provider’s reported actual costs (which aggregated to $23.0 million), meaning the provider reported not making any financial contribution towards the cost of implementing mandatory data retention. This was inconsistent with the program guidelines, which had stated that grant funding allocations would not fully meet the costs of individual providers.

Recommendation no.1

2.41 Where the Australian Government decides to make a contribution to project costs (rather than fully fund costs) AGD design and administer grant programs in a way that reflects and preserves the intended cost sharing arrangements

AGD response: Agreed.

2.42 The department is committed to best practice in grants administration, and to continuous improvement in our delivery of such programs.

2.43 I note however that the rationale for this recommendation characterises the Government’s decision to support industry as making a contribution in terms of a proportion of the actual cost of implementation. The Government committed to making a ‘substantial contribution’ to industry costs. It is the department’s view that, having identified an appropriate cap on the total contribution (calculated as a percentage of total estimated costs of compliance), the Government decided to allocate that amount in full. That is, the Government decided that the proportion of 50 per cent of estimated costs of compliance at that time would be the total contribution to be made to deliver on its commitment to make a ‘substantial contribution’.

2.44 The report suggests that the funding pool could have been reduced to ensure that grants did not exceed 50 per cent of applicants’ estimated costs, based on updated estimates from PwC that used figures provided by individual companies during the grants application process. However, the total funding pool was based on estimates available at the time the decision was made. The decision of Government did not contemplate an adjustment of the total funding pool with a view to reducing individual grants. Accordingly, the department considered the clear intent of Government to be allocation of the entire funding pool to industry.

DIIS response: Agreed.

2.45 The Business Grants Hub grant opportunity guidelines, grant agreements and reporting templates are designed to ensure that co-contributions are made in line with government expectations. For this program, the key design decisions had already been determined and legislation was already in place when the Attorney-General’s Department (AGD) brought the program to the department. This included the process for managing data retention implementation plans, statements of work and processes around the allocation of grant funding.

3. Program implementation

Areas examined

The ANAO examined the implementation of the program, including the performance monitoring, reporting, evaluation and assurance arrangements.

Conclusion

Implementation of the program was not to an appropriate standard having regard to the risks involved and the policy outcomes being sought. In particular:

  • conflicts of interest were not well managed;
  • there were significant errors and delays in the development and signing of grant agreements; and
  • the grant reporting arrangements, and their administration, provide a low level of assurance.
Areas for improvement

The ANAO made three recommendations aimed at better management of probity, improvements to the development and signing of grant agreements, and implementing stronger grant reporting arrangements. There would also be benefits in Attorney-General’s Department’s (AGD) Grant Administration Guide being expanded to require that conflicts of interest for departmental staff be addressed during the design phase of a grant program (not just when staff are assessing grant applications).

Was an appropriate probity framework in place?

There was no probity plan in place for the program. An assurance plan was prepared, but it was not implemented in full. In addition, the risks associated with conflicts of interest were not well managed, particularly in relation to the consulting firm contracted to assist with the design of the program and with the assessment of applications for funding.

3.1 AGD recognised that the Data Retention Industry Grants Program (DRIGP):

  • is high profile, and was subject to significant public, media and industry scrutiny;
  • involves significant public expenditure to support implementation of a critical, statutorily mandated technical capability; and
  • represented a higher risk given AGD did not possess extensive experience in implementing programs with this level of technical complexity, and ANAO performance audit activity had identified shortcomings in the department’s grants administration.

3.2 AGD did not develop a probity plan for the program. In October 2017, AGD provided the ANAO with a copy of the Assurance Plan for the program and at the same time advised the ANAO that:

there was no single probity document for the DRIGP, but rather that probity and assurance issues were considered at various stages of design and implementation.

Assurance Plan

3.3 Across July and August 2015 AGD conducted a procurement process to engage a consultant to provide advice on audit, risk and assurance strategies to inform the design and administration of the program. The value of the contract was $38,990.

3.4 The procurement process involved AGD seeking quotes from two of the 171 firms included on a consultancy and business services panel established in 2013 by the then Australian Customs and Border Protection Service (ACBPS).34 One of the two firms had already been engaged by AGD to cost a data retention scheme (see paragraphs 1.8 and 3.13). AGD did not document any consideration of the risks involved in having the same firm engaged for these two activities (AGD was specifically seeking independent advice). This firm was the successful panellist and was subsequently engaged.

3.5 The consultant prepared an Assurance Plan for the Program. The Plan was approved by AGD on 17 November 2015. Its purpose was to document the assurance roles, responsibilities and processes in place to ensure AGD had adequate assurance coverage over its key controls and, in turn, the management of the identified eight key Program risks.

3.6 The Plan identified the level of assurance provided by existing controls, as well as six ‘future assurance priorities’. Those priorities were to be implemented by no later than January 2016 in order to provide an overall high level of assurance. Two of these priorities were35:

  • Preparation of a ‘Quality Assurance Plan’ in relation to the calculation by AGD’s ‘Independent Consultant’ of the grant amounts that were to be paid.36 The Quality Assurance Plan was supposed to be incorporated into the contract with AGD’s contracted consultant, but the ANAO was unable to locate a copy of this Plan or records evidencing its implementation. On 14 November 2017, the ANAO sought from AGD a copy of the Quality Assurance Plan. AGD’s 21 December 2017 response to the ANAO advised that ‘while a specific “Quality Assurance Plan” as noted on page 2 (section 1.3) of the Assurance Plan was not created, the Department put numerous measures in place and actively monitored both the input and output data of the funding model as envisaged by the Assurance Plan.’ AGD also provided the ANAO with copies of relevant records, including evidence of its assessment of the inputs to, and outputs from, the PwC model.
  • A tailored ‘DRIGP Compliance Plan’, including quality assurance roles/processes to ensure correct and consistent application of procedures. On 14 November 2017, the ANAO sought assistance from AGD in locating a copy of the Compliance Plan. On 21 December 2017, AGD advised the ANAO that ‘while a designated DRIGP Compliance Plan as noted on page 2 (section 1.3) of the Assurance Plan was not created, those same compliance activities envisaged were expressly included in the MOU’ with the Department of Industry, Innovation and Science (DIIS).37 AGD also provided the ANAO with copies of records evidencing the related interactions with DIIS. The ANAO’s analysis is that the approach taken fell short of that envisaged in the proposed DRIGP Compliance Plan. In particular, the approach taken did not include ‘target numbers, methodologies, resourcing and training requirements’ for compliance activities in the five specified areas of ‘education’, ‘compliance monitoring’, ‘substantiation activities’, ‘forensic audits’ and ‘technical evaluations for high risk grantees’. Some consequences of this shortcoming are discussed at paragraphs 3.49 to 3.52 and paragraph 3.58.

Conflicts of interest

3.7 AGD’s Grant Administration Guide, published in July 2014, includes a section on dealing with conflicts of interest. It requires that:

  • prior to the commencement of the assessment process, departmental staff who will be involved in the assessment process should complete an AGD grant program conflict of interest declaration form. These forms are to be lodged with an appropriate officer who can identify any conflicts of interest and put in place management strategies to appropriately deal with them; and
  • staff remain alert to conflict of interest issues throughout the grants administration process and inform their supervisor of any concerns regarding conflicts of interest that may arise after the staff member completes their original conflict of interest declaration form.

3.8 There would be benefits in AGD’s Grant Administration Guide being expanded to require that conflicts of interest also be addressed during the design phase of a grant program.

3.9 The DRIGP program guidelines included a section titled ‘Disclosure of interest’. This section stated that AGD and DIIS had procedures for managing conflicts of interest by departmental staff, technical experts and other third parties involved in assessment and applying the funding model. This was to include:

  • departmental officers and staff of the Independent Consultant (PwC) being required to make conflict of interest declarations; and
  • where a conflict was determined to be material in nature, the affected person was to be excluded from the eligibility and assessment processes for the program.
Departmental officers

3.10 Conflict of interest declarations were obtained for the majority of AGD staff involved with the program. Conflict of interest declarations were not obtained for five staff, including three Senior Executive Service (SES) officers (who had completed a general declaration of interests required of all SES officers). Two SES officers complied with both the general obligation to disclose their interests as well as completing the grant program conflict of interest declaration. For one of those SES officers this latter declaration was not timely (it was not completed until 30 March 2016, by which time assessments were well underway).

3.11 For two thirds of those instances where a staff member had disclosed a conflict of interest, AGD records included consideration of whether any management action was required. In the remaining instances AGD advised the ANAO in November 2017 that there were no records of management’s consideration. AGD further advised that the disclosure had been discussed with the staff member and a decision taken that no management action was required.

Consultants

3.12 There were significant shortcomings in how AGD addressed conflicts of interest in the five DRIGP connected procurements of PwC.

3.13 Three of the procurements were for costing of a data retention regime (which informed key decisions on the design of the program, in particular the quantum of funding to be made available to industry by way of grants).38 They covered the period 25 September 2014 to 31 August 2015. AGD records did not evidence that it had addressed conflicts of interest in the procurement process or, once PwC had been engaged, obtained any conflict of interest declarations (so as to identify if any action was required to manage any identified conflicts).

3.14 The fourth procurement occurred in August 2015 and resulted in the preparation of an Assurance Plan for the program (see paragraphs 3.3 and 3.5). Both of the firms approached to quote for this consulting opportunity stated to AGD that they had no conflicts of interest. The Work Order subsequently issued by AGD did not require the completion of any conflict of interest declarations.

3.15 In December 2017, AGD advised the ANAO that, for those four procurements, AGD ‘did not obtain additional conflict of interest declarations from PwC’ as AGD considered there was ‘limited scope for the consultant to encounter a conflict of interest’. Instead AGD relied upon conflict of interest clauses included in the relevant panel deeds. Both deeds39 included a warranty that no conflict existed or was likely to arise and that, if a conflict subsequently arose, PwC would provide immediate notification, make full disclosure and take steps to deal with the conflict.

3.16 AGD’s advice to the ANAO did not acknowledge that conflict of interests existed, as a result of PwC having:

  • various telecommunications service providers as clients. AGD records state that PwC had identified Telstra as the only potential conflict of interest prior to its engagement. Those records further outline that, two weeks after AGD decided to engage PwC, PwC identified that ‘several’ smaller internet service providers are also PwC clients and therefore represented possible sources of conflicts of interest. AGD records of its resulting meeting with PwC stated that the department was assured that steps had been taken to mitigate any potential conflicts ‘including treating all project information as in confidence and accessed on a needs-to-know basis’. This approach did not address the risk that telecommunications services provider clients of PwC would benefit from higher cost estimates in PwC’s three engagements relating to estimating the data retention regime’s cost to industry (as a result of a greater amount of grant funding being made available); and
  • a relationship with a vendor of data retention solutions in the Australian market. Concerns about the conflict of interest represented by this relationship were raised with AGD in June 2015 by the Communications Alliance40 as well as by a company developing a data retention software solution. At that time, AGD had been concerned that PwC’s access to industry costing information could provide an unfair competitive advantage over other vendors in the market (a matter that another vendor had raised with AGD). A further risk related to the PwC costing advice being relied upon to decide the amount of grant funding that would be made available to telecommunications service providers, potentially to be spent on purchasing the data retention software solution from the vendor with which PwC has a strategic alliance.41

3.17 The fifth procurement involved analysis of eligible grant applications so as to apply the program’s funding model to determine the amount of each grant (this role is referred to in the program guidelines as the ‘Independent Consultant’).42 In December 2017, AGD advised the ANAO that, as this:

procurement involved the development of a funding model for the grants program, AGD took additional steps to manage the risk of any conflict of interest by PwC, given the likelihood of pre-existing relationships between PwC and telecommunications providers. Specifically, para 7 of the procurement approval minute noted the risk of conflict of interest and advised the decision maker that specific measures were included in the work order to address it. As you note, the work order required an undertaking from PwC that it have in place appropriate conflict of interest policies. PwC wrote to AGD on 20 January 2016 confirming these arrangements. This letter was annexed to the work order, which AGD signed on 27 January 2016 […] The signing of the work order constitutes AGD’s acceptance of PwC’s arrangements.

3.18 The Work Order issued by AGD required PwC to have appropriate policies and procedures in place so as to ‘ensure any advice provided to the Department will not favour, or create the apprehension of favouring service providers with which PwC might have other contracts or professional relationships.’ The response AGD received was a letter advising that PwC would ‘ensure that Specified Personnel outlined in the Order do not undertake work for telecommunications businesses participating in the Data Retention Industry Grants Program for the period of the contract (to 30 April 201643 [a period of three months]).’ AGD records did not include any analysis of the adequacy of this response.

3.19 The ANAO’s analysis was that AGD’s approach to this issue:

  • was inconsistent with the requirements outlined in the program guidelines issued by the Attorney-General. Specifically, the guidelines had stated personnel of the Independent Consultant would make conflict of interest declarations and, where it was determined a conflict of interest was material in nature, the person involved was to be excluded from the assessment processes;
  • was inconsistent with the program’s Assurance Plan, which had identified ‘conflicts of interest not managed by the Independent Consultant’ as a ‘Key Program Risk’ with controls that were to include contractual requirements concerning the use and ownership of data, and the signing of conflict of interest declarations44; and
  • increased risk as AGD did not consistently de-identify data from applicants before it was provided to PwC for analysis.45 Notwithstanding that this occurred, the report produced by PwC included the following statement:

    PwC was not supplied with the Provider names or any other identifying information as part of this dataset. This was to ensure that the modelling process and the consequent allocation of funds were done without reference to, or knowledge of, the identity of individual providers.

Recommendation no.2

3.20 AGD design grant programs for probity, including putting in place appropriate mechanisms for identifying and actively managing conflicts of interest.

AGD response: Agreed.

3.21 The department is undertaking a review of its Conflict of Interest guidance and procedures. This will result in a comprehensive handbook and a new conflict reporting system.

3.22 I note the ANAO’s observation that the majority of departmental staff involved with the program completed conflict of interest declarations. With regard to managing PwC’s potential conflicts of interest, the department relied upon statements by the firms requested to quote the work that they did not have conflicts of interest. Contractual requirements for each panel also included that conflicts of interest be adequately managed by the contractor. In procurement of the funding model report, the department took additional measures to address a potential for a perception of conflict that had been identified by Communications Alliance. Noting the importance of not only of avoiding actual conflict, but also the possibility of a perception of potential conflict, my department will seek specific and explicit additional assurances, both at the commencement and during the course of an assignment, for future programs and monitor compliance.

DIIS response: Agreed.

3.23 Business Grants Hub arrangements are designed to appropriately manage conflicts of interest, both on the part of applicants/grantees and of the Commonwealth, in line with the requirements in the Commonwealth Grants Rules and Guidelines.

Were appropriate funding agreements established?

The program risk assessment concluded that the program represented a medium risk and a low risk grant agreement was used, this was not inconsistent with guidance. At an individual provider level, one-sixth of providers were identified as presenting a higher risk, to be managed through additional reporting.

3.24 AGD, in conjunction with the Department of the Prime Minister and Cabinet46 and the Department of Finance (Finance), undertook a program risk assessment. AGD accepted a medium risk for the program, whilst noting that Finance believed the program to be high risk.

3.25 As one of the Australian Government’s initiatives to reduce red tape, Finance has developed a whole-of-government grant agreement template to be used by entities when entering into low risk grants. The low risk grant agreement template includes a standard set of 20 terms and conditions (covered in two-pages). The DRIGP program level risk assessment of medium or high risk, meant that the low risk grant agreement should not have been used for DRIGP. It was used, following advice from DIIS to AGD that:

[…] the DoF [Department of Finance] risk tool uses three tests to determine whether or not you should use the low risk template. The programme passes the first and third test but fails the second (the overall risk rating) but the use of the word ‘should’ is permissive and gives us latitude.

3.26 Such an approach is not inconsistent with Finance guidance. DIIS determined after reviewing AGD’s risk assessment summary, which rated the program risk as medium, that the funding agreement was not a relevant control for the AGD identified risks. As such, DIIS determined that a low risk grant agreement was appropriate. DIIS further observed that any adverse perceptions that resulted from the low risk agreement being used would be mitigated. Specifically, ‘large grantees will be subjected to an “enhanced compliance” regime through the contract’. In this respect, following assessment by DIIS and AGD47, 27 funding providers48 were identified as ‘high risk’. The risk treatment applied was to require that, in addition to the standard reporting required of all funding recipients, a financial expenditure report would be required to be submitted and accepted before the second instalment payment would be made.

3.27 Separately, seven providers (including two identified as high risk) required additional conditions to be included in their agreement so as to manage risks identified during the assessment process. The risk treatment involved those providers being required to provide a statutory declaration to ‘confirm an assertion that that applicant made regarding the work to be carried out with grant funding.’

Were agreements signed and first instalment payments made in a timely manner?

There were considerable delays in the execution of funding agreements, resulting mainly from the re-issuing of incorrect agreements. It took 10 months for all funding agreements to be executed and all first instalment grant payments to be made. Some funding recipients received first instalment grant payments after data retention obligations came into effect on 13 April 2017, while other providers entered into funding agreements after this date. Delays were incurred due to the need to rectify the issuing of incorrect funding agreements.

3.28 A funding recommendations briefing was provided to the Attorney-General on 18 August 2016. This was two months later than planned due to the 2016 Federal election. By this date, providers had less than eight months to be fully compliant with their data retention obligations. The design of the program included payment of the first instalment (of 50 per cent of the grant amount) upon execution of the funding agreement.

Figure 3.1: Timeline of key program events

An image that shows the key events relevant to the grant program. Milestones depicted are: -	Grant guidelines issued 8 December 2015; -	Application period was from 15 January 2016 through to 23 February 2016. -	Application assessments commenced 23 February 2016, and ceased with the announcement of outcomes 5 September 2016; -	During the application assessment period, a double dissolution of parliament was announced (9 May 2016) and  the Election 2016 Return of Writs occurred 8 August 2016.  -	Compliance with data retention obligations was required by 13 April 2017.

Source: ANAO analysis of AGD and DIIS records.

3.29 The MoU between AGD and DIIS outlined that DIIS was responsible for preparing funding agreements with each successful applicant, and coordinating the signing of the agreements by the funding recipient and AGD. The MoU included a general performance measure for DIIS’ program delivery activities of meeting ‘required timeframes’ but a specific target for the finalisation and signing of agreements was not set by AGD.

3.30 The first agreements were finalised and signed by both the funding recipient and AGD on 4 October 2016, some six weeks after the funding decisions were made, and some six months before compliance with data retention obligations was required.

3.31 On 10 October 201649, it was identified that there were one or more errors in each of the grant agreements that had been sent to providers for signature. The types of errors, which varied between agreements, included incorrect and incomplete clauses and incorrect definitions of the activity for which grant funding had been awarded.50 AGD asked that the errors be corrected. An internal DIIS investigation into the errors, completed in February 2017, noted that ‘issues arising with the generated agreement documents were corrected manually’ and when issues were discovered ‘they were dealt with on an ad hoc basis without a full review of the template to determine the extent of the issues.’ On 22 November 2016 AGD informed DIIS that it was ‘disappointed’ that the error had not been corrected and there were now 86 executed agreements with incorrect grant conditions. It was identified that there were a further 79 agreements that had been issued to funding recipients that also contained errors but which had not yet been signed.

3.32 So as to minimise the disruption to the 79 affected funding recipients while it decided what to do in relation to agreements already executed, AGD directed DIIS to reissue correct versions to those providers where AGD had not yet executed the funding agreements. Of these 79 recipients, 40 had already returned a signed original agreement to DIIS. There was an average 24 day delay between the AGD decision to reissue the incorrect and unexecuted agreements and for those 40 funding recipients to re-sign.51 The delay caused by the reissuing and re-signing of funding agreements delayed the release of funding for these 40 grant applicants. AGD continued to execute agreements within 14 days of recipient signature, with the first milestone payment processed on average 14 days after execution.

3.33 After DIIS obtained legal advice on 6 December 2016, regarding the funding agreements with errors, a decision was taken by AGD on 3 January 2017, nearly three months after the issue was first identified, that agreements with errors that had already been executed should be reissued, re-signed and re-executed. Of the 86 affected providers, 85 (99 per cent) had received their first instalment payment of 50 per cent of the grant amount based on an agreement with one or more errors. AGD prepared a strategy that outlined the approach agreed with DIIS for communicating with grantees about the reissue of funding agreements.

3.34 As illustrated by Figure 3.2, it took until mid-April 2017 for all affected agreements to be reissued and signed by both the funding recipient and AGD. Figure 3.2 also illustrates that it took until mid-June 2017, two months after providers were required to be compliant with the data retention obligations, for all funding agreements to be signed.

Figure 3.2: Execution Dates of funding agreements

A bar graph showing the number of agreements executed on each day, stratified by whether the execution was an initial execution, a re-execution, or where it was an agreement where errors were corrected before execution. Paragraph 3.32 explains further.

Source: ANAO analysis of AGD and DIIS records.

Recommendation no.3

3.35 When employing a grants hub to contract with entities to deliver grant programs on its behalf, AGD agree with the department providing the hub service performance indicators relating to the accuracy and timeliness with which grant agreements will be drafted, negotiated and finalised.

AGD response: Agreed.

3.36 As one of the initially identified consuming agencies, the department is committed to transitioning all existing, non-exempt grant programs to the Community Grants Hub by 30 June 2019. That process entails each program area entering into a Grant Round Management Plan with the Hub for any upcoming funding round, including specific Establishment Phase information that sets timelines for the issuing of grant agreements by the Hub, their negotiation and execution by the parties and return to the Hub prior to the release of funds.

3.37 I note that the department considers it should be able to rely on advice and processes from specialist grants hubs. The efficiencies intended to be achieved by the establishment of the grants hubs would not be realised if such services cannot be relied upon.

3.38 The report notes a low risk grant agreement was used despite the program having been assessed as representing a medium or high level of risk. The low risk grant template was selected on advice from DIIS that it was suitable for the administration of this program. The department nevertheless took further measures to manage risk, establishing a detailed risk assessment process to identify higher risk grant recipients based on both quantitative and qualitative analysis. These grantees were then subject to enhanced reporting requirements and other measures to treat or mitigate identified risks. Paragraph 3.22 of the report notes that the department of Finance had preference for a higher risk treatment of the program as a whole. While the department of Finance held such a preference, they also found the mitigations for high risk grantees to be sound.

3.39 I acknowledge the delays and errors in the signing of funding agreements. However, the suggestion that providers were therefore delayed in receiving their first instalments of grant funding does not reflect certain practical delays inherent in a program of this size such as delay by the grantee in executing agreements, or the transfer of grant agreements between grantees, DIIS and the department. The department worked with DIIS to ensure that the effect of errors on grant recipients was minimised. This included prioritising the re-issuing of funding agreements that were yet to be executed to ensure initial payments could be made as soon as possible. These agreements were all re-issued by DIIS within two weeks of AGD approving AusIndustry to do so. Once this had occurred, the department and DIIS focussed on resolving the problems with those funding agreements which had already been executed, with initial payments made, where the effect on the grantee would be less. AusIndustry have advised that all such agreements were re-issued over the course of two days in January 2017.

3.40 More specific performance indicators regarding the execution of funding agreements may have better managed expectations between the department and DIIS, but such measures could not have prevented the human errors made by DIIS which have been noted in the report.

DIIS response: Agreed.

3.41 The Business Grants Hub service delivery arrangements have matured since we commenced delivery of the Data Retention Industry Grants Program on behalf of AGD. Our standard services schedule sets out the deliverables for each program and includes performance indicators around timeliness. The standard schedule is currently being reviewed to include additional indicators in relation to the quality of services provided.

Did the grant reporting arrangements provide adequate assurance?

The reporting arrangements, and their administration by the Department of Industry, Innovation and Science, relied heavily on statements made by funding recipients, and therefore provide a low level of assurance.

Progress reports

3.42 The Customer Information Guide issued with the Program Guidelines advised grant applicants that ‘you must submit progress reports as described in the grant agreement at least once every 6 months detailing the progress towards completing the activities in your project.’ The progress reports were to be in addition to a final report required in order to receive the second (and final) grant payment.

3.43 None of the funding agreements issued to any provider included the requirement for progress reports to be provided every six months.

Final reports and second instalment payments

3.44 The reporting requirements placed on funding recipients were tailored according to whether data retention work had already been completed or not, the assessed level of risk of the provider and to manage risks identified during the assessment process through provision of a statutory declaration (see paragraph 3.27). Figure 3.3 illustrates the reporting requirements associated with the second instalment payments.

Figure 3.3: Reporting requirements of grantees

A diagram setting out the different reporting requirements for the 175 successful grantees. A distinction is first made between grant applications submitted on the premise of a ‘Data Retention Implementation Plan (DRIP)’, where applicants have an approved data retention implementation plan for work to be completed to achieve compliance with data retention obligations, and those grant applications with a Statement of Work, where applicants have an approved statement of work for work already completed on meeting data retention obligations between 30 October 2014 and 13 October 2015. A further distinction is made based on a risk assessment of the grantee. 26 DRIP grantees were assessed as High Risk, 7 grantees were assessed as requiring additional condition (in the form of statutory declarations) and 133 were assessed as Normal Risk. For the Statement of Work grantees, one was assessed as High Risk, and 10 were assessed as Normal Risk. In order to receive the second milestone payment, the 26 High Risk DRIP grantees were required to submit a ‘Financial Expenditure Report’ and a ‘Final Report’. The 7 DRIP grantees subject to ‘additional requirements’ were required to submit a ‘Final Report’ as were the 133 ‘Normal Risk’ DRIP grantees. The Statement of Work grantee assessed as High Risk was required to provide a ‘Financial Expenditure Report’ and a ‘Declaration of Compliance’. The 10 Normal Risk Statement of Work grantees were required to submit a Declaration of Compliance. After the second milestone payment DRIP grantees were all required to submit a Declaration of Compliance.

Source: ANAO analysis of AGD and DIIS records.

Note: Number of grantees does not add to 175, as 2 of grantees who were subject to ‘additional conditions’ were also assessed as high risk and so are included in both categories.

3.45 The majority of providers (164 or 94 per cent) were to receive their second instalment payment before they had declared that they complied with the data retention obligations. Rather, they could receive their second payment so long as they reported to DIIS that their expenditure was at least equal to the grant amount, or they satisfied DIIS that they were committed to spending at least the grant amount.

3.46 The Final Expenditure Reports proved to be useful in the administration of grants to those providers assessed as high risk. By 1 December 2017 all 27 high risk providers had submitted their expenditure report. For 17 providers (65 per cent), consideration of the report lead to DIIS or AGD asking for further information. Two of those inquiries led to a reduction in the amount of expenditure accepted as relating to implementation of the data retention obligations. In both instances, the providers received more than 80 per cent of their accepted actual costs.

3.47 The only reductions in grant amounts related to 18 providers that reported having spent less than the grant amount. For 16 of those providers their second instalment payment was reduced. For two, the reported underspend meant that they had to repay a significant proportion of the first instalment payment (and did not receive any of the second instalment).

3.48 As noted at paragraph 3.6, AGD did not prepare a compliance plan for the program that included target numbers, methodologies, resourcing and training requirements for compliance activities in relation to compliance monitoring, substantiation activities and forensic audits.

3.49 There were 26 providers52 who reported that their actual expenditure was identical to the grant amount (that is, the provider reported making no financial contribution to the costs of complying with its obligations) and, consequently, less than they had estimated when applying for funding. Four of those (15 per cent) were subject to further inquiries but the other 22 (85 per cent) were not.

3.50 Where an expenditure report was not required, it was significantly less likely for any questions to be asked before the second instalment payment was made. Specifically, there were 12 providers (8 per cent of the 144 providers that were not required to provide an expenditure report) where further inquiries were made. One of these was a provider with an approved Data Retention Implementation Plan (DRIP) who reported that the cost of implementing data retention was identical to the estimate it included with its application for funding (as expenditure to date was less than the grant amount, the follow-up action involved obtaining assurance from the provider that it would spend at least the grant amount, in order to provide sufficient basis for paying out the grant in full). There were nine other providers with a DRIP that reported their actual costs of implementation as being the same as their estimated costs. No further inquiries were made with those providers to be satisfied as to the veracity of the reported expenditure.

3.51 It would have been reasonable to expect that, for the 11 providers awarded funding on the basis of having already completed work (that is, they were awarded funding on the basis of a completed Statement of Work) where reporting has been completed and all grant payments made, actual costs would be the same as their estimated costs. This was the case for six providers. Three other providers reported actual costs 20 per cent, 25 per cent and 47 per cent lower than stated when they applied for grant funding (two of these were subject to further inquiries, with one provider confirming to DIIS that all costs incurred had been reported, and the other remains under investigation). Another two providers reported actual costs 36 per cent and 133 per cent higher than the figure included in their grant application. There were no further inquiries undertaken in relation to either provider.

3.52 As outlined in Figure 3.3, all providers awarded funding on the basis of a DRIP were required to submit a Final Report that identified that each eligible service was compliant and, where compliance was reported, to ‘attach documents that represent verification that you have the capacity to retain data required’ by the legislation.53 Final Reports have been obtained from 162 of those providers, with 158 providers stating that each eligible service was compliant. Compliance with the requirement to attach documentation demonstrating compliance was poor. Specifically:

  • 53 providers (34 per cent) attached documentation. The documentation from providers was referenced in DIIS’ assessment of the reporting from seven of those providers (13 per cent). Those assessments formed the basis of DIIS’ recommendations to AGD that the second instalment payment be made; and
  • 105 providers (66 per cent) did not attach documentation as required by the Final Report template. DIIS sought a Declaration of Compliance from one provider, and confirmation from a second provider that eligible services not listed in the Final Report were also compliant. DIIS did not require any of the other funding recipients to provide documentation demonstrating their capacity to meet their data retention obligations before finalising its assessment and recommending to AGD that the second instalment be paid.54

3.53 The Final Reports also sought information such as sales revenue, number of employees and contractors, taxable income and an outline of project outcomes and objectives. Little of this data collected in the Final Reports was referenced by DIIS in its recorded assessments. DIIS advised ANAO that this data was collected to contribute to DIIS’ data warehouse to provide business intelligence for broader reporting purposes. This data has not been sought by AGD and was not used for any report verification or assurance purposes.

Recommendation no.4

3.54 AGD determine the nature, content and frequency of reporting requirements for grant programs proportional to the risks involved and policy outcomes being sought.

AGD response: Agreed.

3.55 The department is committed to appropriate and proportionate management of grants programs and expenditure of Commonwealth funds in line with government intent and community expectations. The recommendations in this report will inform future improvements to grants program procedures.

3.56 I note however that there are inherent limitations on the level of reporting that can reasonably be imposed on a fixed non-acquittal entitlement-based program, particularly one of a highly technical nature such as the Data Retention Industry Grants Program. Highly onerous reporting requirements would necessarily impose a significant regulatory burden, ultimately reducing the value of the capital assistance to industry and undermining the ability to achieve the program’s policy intent.

DIIS response: Agreed.

3.57 The Business Grants Hub design frameworks identify program and project risks as one of the key elements to be considered in the design of programs, including payment arrangements, frequency of reporting, evidence requirements and assurance activities.

Are providers meeting their data retention obligations?

There is insufficient evidence yet available to demonstrate that the providers awarded grant funding are meeting their data retention obligations such that law enforcement agencies are now able to obtain the data they need. An effectiveness review is to be conducted in 2019.

3.58 In terms of whether funded providers are complying with their data retention obligations:

  • by 13 April 2017, 122 providers had provided a declaration as to the quantum of funds they had spent on achieving the capacity to comply with their data retention obligations. A further 51 providers provided a declaration between 17 April 2017 and 2 February 201855;
  • the Customer Information Guide (see paragraph 2.15) informed providers that the assurance requirements for larger projects and/or projects deemed to be higher risk may include a technical evaluation which would be at the provider’s expense. The purpose of a technical evaluation was to verify that a provider had undertaken the activities identified in the grant agreement and had the capacity to retain the relevant data for the eligible services provided for a minimum period of two years. As discussed at paragraph 3.6, AGD did not prepare a compliance plan for the program that included target numbers, methodologies, resourcing and training requirements for assurance activities such as technical evaluations. No technical evaluations have been undertaken; and
  • the MoU required AGD to inform DIIS, within 10 business days, of any instances reported to AGD by law enforcement agencies of a provider not complying with the data retention obligations so that DIIS could take appropriate action (such as varying the agreement or recovering grant funds). AGD records did not include any instances of a law enforcement agency reporting non-compliance.

3.59 ANAO sought advice from AGD whether, as a result of the program, law enforcement and national security agencies are better able to obtain the data they need from funded telecommunications providers. In December 2017, AGD advised the ANAO that:

We consider evaluation of the broader data retention policy objectives to be outside the scope of the audit, noting that the grants programme was not designed to achieve compliance with data retention obligations, but rather make a direct contribution towards compliance costs. The outcome you reference in the programme guidelines of ‘The telecommunications industry has the necessary technical capability to comply with data retention obligations under the Act’ links to the provision of funding to build the necessary technical capability. The outcome for the grants programme was not compliance with legislative obligations. To the extent it assists we have nevertheless set out below some general information on our policy evaluation work.

Law enforcement and national security agencies have been able to access telecommunications data under Chapter 4 of the Telecommunications (interception and Access) Act 1979 (TIA Act) for many decades. The 2015 data retention amendments imposed obligations to retain specified telecommunications data for a period of two years, thereby requiring retention of prescribed data for a prescribed period and addressing variability in both the range of data retained and the period for which it was retained. The new data retention obligations were subject to an 18 month implementation period to afford providers the opportunity to build capability and adapt services to retain the required data. The period ended on 13 April 2017. Accordingly, a number of providers will have only commenced retaining the required data on 13 April 2017 and so will not have retained the full 2 years of data until 2019. A comprehensive assessment of the effectiveness of the regime would therefore be premature prior to 2019. Pursuant to the requirement under 187N of the TIA Act that a review of the data retention regime commence within two years of the implementation period, the Parliamentary Joint Committee on Intelligence and Security is scheduled to undertake a review of the TIA Act in 2019.

AGD has been consulting agencies on methods for measuring the effectiveness of the regime, in preparation for the 2019 review. The Department provided an update to relevant agencies on the progress of data retention implementation through the Interception Consultative Committee in March 2017. This included the circulation of two discussion papers regarding both overall compliance with the regime and the 2019 PJCIS review. AGD will continue to work closely with law enforcement and national security partners in preparation for the 2019 review.

Appendices

Appendix 1 Entity responses

Attorney-General’s Department

Attorney-General’s Department response letter

Attorney-General’s Department response letter page 2

Attorney-General’s Department response letter page 3

Attorney-General’s Department response letter page 4

Department of Industry, Innovation and Science

Department of Industry, Innovation and Science response letter

Department of Home Affairs

Department of Home Affairs response letter

Footnotes

1 The data retention obligations relate to information about a communication, not the content or substance of a communication.

2 Operational costs for telecommunications service providers responding to requests for data are to continue to be met on a no-profit no-loss basis by requesting agencies.

3 Comprising $128.4 million in grant funding and $2.9 million for program administration costs.

4 Seven were assessed as ineligible because they did not submit an implementation plan or submitted it late, another two did not have an agreed plan and a further six applicants were assessed to not meet other eligibility criteria, including not having an eligible service.

5 This was due to providers reporting actual implementation costs being less than the grant amount (16 providers), two providers being investigated for defrauding the Commonwealth in respect to the funds they had already been paid and a reduction in the grant amount due to a change in one provider’s business that substantially reduced its data retention obligations.

6 The Administrative Arrangements Order of December 2017 moved responsibility for national security and law enforcement policy and operations from AGD to the Department of Home Affairs.

7 The program guidelines approved by the Attorney-General stated that the Australian Government would not fully fund any provider.

8 The data retention obligations relate to information about a communication, not the content or substance of a communication.

9 Operational costs for telecommunications service providers responding to requests for data are to continue to be met on a no-profit no-loss basis by requesting agencies.

10 Comprising $128.4 million in grant funding and $2.9 million for program administration costs.

11 The Administrative Arrangements Order of December 2017 moved responsibility for national security and law enforcement policy and operations from the Attorney-General’s Department to the Department of Home Affairs.

12 The Business Grants Hub was launched on 1 July 2016 to provide design and delivery services for government grants programs.

13 On 7 March 2018, AGD advised the Joint Committee of Public Accounts and Audit that it had agreed to a recommendation (in the Committee’s Report 464) that it establish appropriate partnership agreements with the Grants Hubs. The AGD response referenced the agreement it had entered into with the Community Grants Hub operated by the Department of Social Services but did not mention the arrangement with DIIS.

14 This was due to providers reporting actual implementation costs being less than the grant amount (16 providers), two providers being investigated for defrauding the Commonwealth in respect to the funds they had already been paid and a reduction in the grant amount due to a change in one provider’s business that substantially reduced its data retention obligations.

15 On 7 March 2018, AGD advised the Joint Committee of Public Accounts and Audit that it had implemented the recommendation made by the ANAO in the audit of the Living Safe Together program.

16 Paragraph 3.13 outlines the procurement process employed and the approach taken by AGD to managing any conflicts of interest.

17 PwC informed AGD that its methodology used a variety of approaches to ‘scale up’ the cost estimates provided by some individual providers so as to provide a total cost to industry (for example, by market share, number of businesses etcetera).

18 A copy of the PwC report was also provided to the government.

19 Including indexation for budgetary purposes increases the funding from $99.25 million (50 per cent of $198.5 million) to $100.4 million.

20 AGD recorded the following rationale for finalising the earlier version of the report:

The latest version of PwC’s report [June 2016] is confusing and has limited use in the context of the PJCIS [Parliamentary Joint Committee on Intelligence and Security] review. The report imports data from grant applications, which applicants have submitted as part of the Data Retention Industry Grants Programme. The report does not discuss how or why PwC apply grants data. The report also does not discuss the limitations, strengths or weaknesses of the data. Without this additional information, the final cost estimates do not appear to be comprehensive or well thought out. […] this [September 2015] version provides a best estimate for a particular point in time. Having a separate estimate from grants data [which was used in the June 2016 version] will be useful when analysing costings in 2019 for the Parliamentary Joint Committee on Intelligence and Security review. While the underlying data for these estimates may not be as reliable as the grants data we now have, the report explains the way that PwC arrived at its estimate in a much more logical and cohesive manner.

21 The advice was that the program needed to have a single round with an inflexible closing date because each eligible applicant’s funding would be affected by its own final score, the spread of scores, and the total number of eligible applicants. This meant that grant amounts could not be allocated until all applications were received and assessed.

22 As it eventuated, applicant cost estimates were examined as part of the application assessment process (see paragraph 2.32).

23 See footnote 45.

24 The analysis found that, as independent variables to predict implementation costs, there was statistical significance for four of the variables set out in the program guidelines but that this was not the case for the ‘types of eligible services’ variable which was, as a result, allocated a weighting of zero in the PwC analysis.

25 With grant amounts of $505,970, $632,513 and $745,122.

26 AGD had advised PwC on 20 May 2016, that there were delays in providing PwC with the final applicant cost data for the funding model, as ‘a number of providers [15] are withdrawing due to having no obligations in the end, and a number of others are lowering their cost estimates [35] for a variety of reasons’. AGD further advised PwC that it expected the total funding request to reduce to ‘likely well below $220 million’.

27 Including indexation for budgetary purposes increases the funding from $99.25 million (50 per cent of $198.5 million) to $100.4 million.

28 As outlined at paragraph 1.6, the decision was to implement a grants program to support 50 per cent of the mid-point of industry’s estimated capital costs of implementing data retention, which had a budgeted impact of $128.4 million in grant funding. The published guidelines had identified the program funding as being ‘up to’ $128.4 million rather than as being fixed at the budgeted amount of $128.4 million.

29 See paragraph 2.7. The Attorney-General had observed at that time that funding 75 per cent of industry’s costs would exceed what could be considered either ‘reasonable’ or ‘substantial’.

30 See footnote 28.

31 See paragraphs 2.4, 2.7, 2.8 and 2.18.

32 For example, one of the providers awarded a grant calculated as 80 per cent of those costs reported actual costs that were significantly higher than estimated with the result that the grant represented 45 per cent of its reported costs.

33 The assessment of this application had observed that ‘costs associated with [the provider’s] plan are notably higher than for more complex plans of larger scale and scope elsewhere in the industry’.

34 AGD records outline that it was concerned that approaching more than two candidates would delay the progress of the procurement, and ‘there is some urgency in obtaining these services, as there is a need to provide funding to the industry as soon as possible, to allow the industry to begin constructing data retention solutions’. The deed ACBPS signed with PwC in August 2013 included ‘quality assurance services’ as one of the contracted services. The deed also stated that other Commonwealth entities could procure the contracted services using the ACBPS panel.

35 The other four priorities were: finalising application assessment procedures; development and implementation of staff training in relation to assessment, administration and compliance procedures; monitoring of staff training; and finalisation of program governance/reporting structures. These four priorities were completed through the finalised grant program guidelines and the MOU with DIIS for grant hub services.

36 The Plan was to address: data integrity checks by AGD over information inputs to the funding model calculations; validation and exception testing by AGD of funding model outputs/calculations; sample and exception testing of funding calculations; and roles, responsibilities and timeframes for AGD personnel.

37 The Assurance Plan timeframe involved the envisaged Compliance Plan being finalised in January 2016 but the MoU relied upon by AGD was not signed until 22 February 2016.

38 The original procurement involved AGD inviting quotes from six of the 32 suppliers on a Department of Communications panel with two responses received. There were then two extensions of the originally contracted work. The total contracted value of these three procurements was $234,140.

39 For the costing procurements, the July 2014 deed between PwC and the then Department of Communications and, for the fourth procurement, the August 2013 deed between PwC and Australian Customs and Border Protection Service.

40 Communications Alliance is a telecommunications industry body. Its membership is drawn from a cross-section of the communications industry, including carriers, carriage and internet service providers, content providers, equipment vendors, information technology companies, consultants and business groups.

41 On 10 April 2017, the provider that received the second largest DRIGP grant reported to DIIS that amounts payable to the vendor with which PwC has a strategic alliance ‘make up a large portion of our costs’.

42 AGD again used the Department of Communications panel, this time seeking quotes from five of the 32 firms on the panel. Three responses were received. The contract value was $114,815.

43 The ANAO’s analysis was that PwC’s work was not completed by 30 April 2016 and, the contract was extended to 30 June 2016, a period of 5 months. No corresponding action was taken in relation to PwC’s conflict of interest undertaking.

44 Similarly, the MoU that AGD signed with DIIS stated that there would be ‘mandatory COI disclosure and management provisions’ for the Independent Consultant.

45 In January 2016 PwC had proposed to AGD that applicant data be de-identified. On 25 February 2016 AGD provided PwC with data for all 210 applicants and later that day advised PwC that it had ‘forgot to remove the company names’ and asked PwC to ‘disregard’ this information in its analysis. Later submissions of datasets to PwC did not identify the applicant (but this could be ascertained by comparing the dataset provided on 25 February 2016 to later versions of the dataset as the unique identifier – the application number – was included in all versions of the dataset).

46 The Commonwealth Grant Rules and Guidelines require officials involved in the development of grant opportunity guidelines to complete a risk assessment of the grants and associated guidelines, in consultation with the Department of Finance and the Department of the Prime Minister and Cabinet.

47 The assessment involved consideration of proportionality (the grant amount) as well as project/activity characteristics (grant amount per gigabyte of storage, grant amount per subscriber, grant amount as a proportion of revenue, and gigabytes of storage per subscriber).

48 A grant agreement was entered into with 26 of these providers.

49 By that date, 53 agreements had been signed by the funding recipients, with 20 of those agreements executed by the Commonwealth.

50 For example, some agreements identified the funded activity as training to be delivered under the Skilling Australia’s Defence Industry (SADI) grants program administered by the Department of Defence. This program finished at the end of 2015–16.

51 This is in contrast to those 86 recipients who were asked to re-sign a reissued funding agreement after receiving their first grant instalment payment, where the delay between the decision to reissue and the recipients re-signing was an average of 40 days.

52 Paragraph 2.40 refers to 26 providers where the grant fully met the provider’s reported actual costs. This comprised 11 providers that reported their actual expenditure the same as the grant amount and 15 providers that reported actual expenditure less than the grant amount, which led to AGD reducing the grant amount to match the amount of reported expenditure.

53 A separate Declaration of Compliance from the grant recipients was to be provided ‘on achieving compliance with the Act’.

54 Instead of attaching documentation as was required, 17 referenced the separate Declaration of Compliance.

55 Both of the remaining two providers for which a funding agreement was signed are being investigated for defrauding the Commonwealth in respect to the funds they had already been paid.