Introduction

1.1 The Australian Taxation Office (ATO) is the principal revenue collection agency of the Australian Government. Its purpose is ‘to contribute to the economic and social wellbeing of Australians by fostering willing participation in the tax, superannuation and registry systems.’⁵

1.2 Having strong organisational capability, including information and communication technology (ICT) capability, directly contributes to delivering the ATO’s purpose and activities. The ATO’s 2024–25 Corporate Plan outlined six key activities including that ‘Our technology and digital services deliver a reliable and contemporary client experience.’ The Corporate Plan also identified six key areas of focus including ‘enhancing cyber security’ and ‘strengthening the value of data and digital’.⁶

1.3 The ATO has identified strategic risks related to technology and data including where ATO cannot develop and maintain a contemporary suite of technologies for the community and staff.⁷ To manage these technology risks the ATO is taking a number of actions, including investment, across its technology environment. This included procurements for a range of IT managed services between 2022–2024.

Legislative and policy requirements for procurement

1.4 The ATO is a non-corporate Commonwealth entity, that operates under the PGPA Act. The ATO must comply with the Commonwealth Procurement Rules (CPRs) and Digital Sourcing Contract Limits and Reviews Policy.

Commonwealth Procurement Rules

1.5 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Minister for Finance issues the CPRs, which govern how entities buy goods and services.⁸ Achieving value for money in procurements is the core rule of the CPRs. The CPRs include specific requirements for: planning (including defining goals, estimating value and managing procurement risks); encouraging competition, including approaching the market with open tenders except in specific circumstances; conducting tender processes; acting ethically, including managing conflict of interest and treating tenderers equitably and fairly; and public reporting.

1.6 When undertaking procurement non-corporate Commonwealth entities:

• must comply with a procurement-connected policy (such as the Environmentally Sustainable Procurement Policy⁹ or the Indigenous Procurement Policy¹⁰) where the policy indicates that it is applicable to the procurement process (CPRs paragraph 4.9)¹¹;
• must use coordinated procurement arrangements (CPRs paragraph 4.12)¹²; and
• can procure cooperatively from an existing contract such as a standing offer notice for a panel arrangement where certain conditions are satisfied (CPRs paragraphs 4.13 to 4.15).¹³

Digital sourcing policies

1.7 The Australian Government Digital Sourcing Contract Limits and Reviews Policy was introduced in February 2020 and aimed to break up large contracts across government to reduce risk in digital programs; increase competition in the market; include access for various sized business; and to increase flexibility. The policy applies to non-corporate Commonwealth entities and contains three main requirements for contracts signed from 1 February 2020:

• contracts must not exceed $100 million exclusive of GST (including all extensions);
• contracts must not exceed a three-year initial term; and
• contract extension options must not exceed three years and can only be used after a review of contractor performance and deliverables.

IT Strategic Sourcing Program

1.8 Five of the ATO’s largest IT managed services contracts (worth $225 million a year) were due to expire between 2023 and 2025. These contracts represented about 50 per cent of ATO’s annual IT spend. The contracts were progressively put in place from 2009 with no further extension options past 2024 for four contracts, and 2025 for one contract. Table 1.1 provides an overview of these contracts, including their term, value and number of extensions and amendments as at 17 February 2025. The contracts are presented in the order that they were due to expire.

Table 1.1: Expiring IT managed services contracts, as at 17 February 2025

Note a: Available from https://www.tenders.gov.au/Cn/Show/644e4468-a7f9-7c14-61a3-2389cb361bc1 [accessed 17 February 2025].

Note b: Available from https://www.tenders.gov.au/Cn/Show/ae7046f3-9a1c-435f-be77-24de7b9018cd [accessed 17 February 2025].

Note c: Amendments made between September and December 2024 extended the contract end date from 31 December 2024 to 30 June 2025.

Note d: Available from https://www.tenders.gov.au/Cn/Show/8927561b-9e05-723d-5479-9ce74a45d38b [accessed 17 February 2025].

Note e: Available from https://www.tenders.gov.au/Cn/Show/896c317c-ec22-8479-e83c-147480f1dfe0 [accessed 17 February 2025].

Note f: Available from https://www.tenders.gov.au/Cn/Show/81e6bf0c-998e-8b80-d311-e04d85837b19 [accessed 17 February 2025].

Source: ANAO analysis of AusTender records.

1.9 These contracts provided and operated the technology that underpinned the ATO’s core business of revenue collection, superannuation systems, future business registry services and staff access. The contracts related to systems and services that support almost every part of the ATO’s business internally, and the services that the ATO provides to its clients such as IT infrastructure, hardware, software, and services.

1.10 The IT Strategic Sourcing Program (ITSSP) was established in February 2021 to strategically plan how the ATO would procure services at end of life of these contracts to best support and deliver a reliable and contemporary digital experience for clients and staff. The ATO did not seek additional funding for the program through the Federal Budget.

1.11 On 4 May 2021, the ATO announced on its website and AusTender that ‘it would soon be approaching the market to procure a significant range of IT managed services’ through the ITSSP. The ATO conducted redesign and planning activities in 2021 and 2022, including market research and a request for information (RFI).¹⁴

IT Strategic Sourcing Program procurements

1.12 When procuring services at end of life of IT contracts, the ATO was required to comply with the Digital Sourcing Contract Limits and Review Policy. On 23 November and 6 December 2021 the Assistant Treasurer (ATO portfolio minister) and the Minister for Employment, Workplace, Skills, Small and Family Business (minister responsible for the Digital Transformation Agency), respectively, granted the ATO an exemption from the capped value policy requirement of the Whole of Government Digital Sourcing Contract Limits and Review Policy, which requires all IT contracts to be under $100 million exclusive of GST (see paragraph 1.7).¹⁵ A condition of the exemption was ‘that the ATO provides [to the Digital Transformation Agency] an assessment of how value for money has been delivered in the initial term of each contract, prior to exercising the relevant extension option’.

1.13 A notice was issued on AusTender on 24 February 2022 to invite industry participants to a strategic industry briefing, held on 9 March 2022. Industry was advised that the five expiring contracts had been broken into nine market aligned service bundles, and that these bundles would be taken to market across seven requests for tender (RFTs), see Figure 1.1.¹⁶ The RFTs would be released in three waves.¹⁷

1.14 The first RFT was released on 11 March 2022, the final RFT closed on 25 November 2022. From the seven RFTs, eight contracts were executed with seven suppliers between 15 December 2022 and 20 June 2024.¹⁸ The Mainframe RFT resulted in two separate contracts for Mainframe Hardware and Mainframe Services.¹⁹ Four contracts have been varied.²⁰ As at 24 February 2025, the total value of amendments made was $33.23 million, with $22.20 million attributable to Cyber Augmentation Services.²¹

1.15 The contracts have an initial term of three years, except for Mainframe Hardware which has an initial term of five years.²² As at 24 February 2025 on AusTender the total reported contract value for these eight contracts is $548.57 million for the initial term. The total estimated value for the ITSSP contracts is $2,536 million if extension options to 10 years are exercised.

1.16 Table A.1 in Appendix 3 provides an overview of the RFTs and resulting contracts, including timing, value of the contracted services, successful suppliers and type of procurement.

1.17 Once each new contract was executed, the ATO, the new supplier and the previous supplier entered a transition period. Transition periods were 15 months per wave, with transition to be completed before 1 January 2025. As outlined in the ATO’s internal Transition Strategy, transition was expected to cost between $70 million and $121 million in total for the ITSSP.

Advisor procurements

1.18 Each of the ITSSP procurement processes was supported by external advisors. The ATO engaged six external advisors, referred to as ‘advisor contracts’ in this report. The total value of the advisor contracts is estimated to be $88.11 million.

1.19 Table 1.2 provides an overview of the resulting contracts, including timing, value of the contracted services, successful suppliers, panel and standing offer details and type of procurement. The table presents the advisor procurements in the order the services commenced.

Rationale for undertaking the audit

1.20 The ATO was procuring IT managed services as a material portion of its IT contract arrangements are due to expire. It was estimated that new contracts would be valued at $2,536 million over 10 years if contract extension options are used (see paragraph 1.15). These contracts affect all ATO staff, clients and service delivery.

1.21 A cross entity audit of Establishment and Use of ICT Related Procurement Panels and Arrangements that included ATO was tabled in August 2020. That audit identified issues with ATO’s IT procurement, including that ATO did not meet the conditions for limited tender (including that there was no evidence of market research and that advice regarding risks to achieving value for money was not provided to the delegate), and that there was no or insufficient documentation of value for money and risk management, including probity risk management.

1.22 This audit provides assurance to Parliament about the ATO’s compliance with the Commonwealth Procurement Rules for the procurement of IT managed services.

Audit approach

Audit objective, criteria and scope

1.23 The objective of the audit was to assess the effectiveness of ATO’s procurement of IT managed services.

1.24 To form a conclusion against the objective, the following criteria were adopted.

• Has the ATO established sound governance arrangements for the IT managed services procurements?
• Has the ATO conducted the procurements in compliance with Commonwealth Procurement Rules and other requirements?

1.25 The audit focused on the procurements of: Enterprise Operations and Technical Enablement (Accenture); Mainframe Hardware (IBM) and Mainframe Services (DXC); the sourcing partner (ISG); and legal advisor (Sparke Helmore). The audit did not examine ATO’s administration or management of its IT or advisor contracts.

Audit methodology

1.26 The audit methodology involved:

• examining ATO records²³;
• reviewing AusTender records; and
• meetings with relevant ATO officers and personnel contracted by ATO to support the procurement of IT managed services.

1.27 The audit was open to public contributions. The ANAO did not receive any contributions.

1.28 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $489,600.

1.29 The team members for this audit were Tracey Martin, Sonya Carter, Alexandra Collins and Corinne Horton.

2.1 Sound governance and oversight arrangements help ensure that procurements are undertaken effectively and ethically and achieve value for money outcomes. Governance includes systems and processes for decision-making, risk management, oversight arrangements and reporting.

2.2 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), an accountable authority of an Australian Government entity has a duty to establish and maintain appropriate systems of risk oversight and management, and internal controls, including measures to ensure that officials comply with the finance law, such as the Commonwealth Procurement Rules (CPRs).²⁴

2.3 Adequate planning assists in achieving the efficient, effective, ethical and economical procurement practices required under the PGPA Act and the CPRs (CPRs paragraphs 6.1 to 6.5). Market research and sounding can provide valuable information to assist in developing insights about what the market can offer, to make the subsequent procurement process more focussed and efficient, and to deliver improved outcomes. Market research and sounding should be commensurate with the scale, scope and risk of a procurement (CPRs paragraph 6.2).

Has the ATO established appropriate oversight arrangements for the IT managed services procurements?

Governance arrangements

2.4 The ITSSP applied the ATO’s program management methodology, which requires a:

• senior accountable officer (SAO)²⁵ to be assigned to a program;
• program manager²⁶ to be appointed; and
• program management office²⁷ to be established.

2.5 A governance structure may also include a program board (for complex programs)²⁸ and reporting to ATO Executive and Finance²⁹ committees, and other committees. A core design team (with capabilities required to support delivery)³⁰ may be formed to support the program manager. The ATO’s guidance indicates that the most appropriate governance structure depends on the risk and complexity of the change being delivered.

2.6 Consistent with the ATO’s program management methodology, the governance structure for the ITSSP included a delegate (the Chief Information Officer (CIO)) as the senior accountable officer, supported by a steering committee³¹, program manager, program management office and core design team. There were also a series of working groups at the project level.

2.7 The governance structure and supporting policies and procedures changed for each stage of the program³²: planning, procurement and transition to business as usual. Appendix 4 provides an overview of the ITSSP governance structure for the transition stage.

2.8 During the planning stage a probity governance structure was set out in the probity plan (July 2021). Probity governance is discussed further in paragraph 3.58 of this report.

2.9 During the procurement stage the ATO determined that additional governance arrangements were necessary, consistent with procurement guidance.³³ The ATO determined that as the nature of the ITSSP procurements were complex, evaluation and negotiation governance structures were developed.

• The evaluation governance structure, depicted in Figure 2.1, comprised evaluation teams reporting to an evaluation committee, and the evaluation committee reporting to the delegate through the steering committee.
• The negotiation structure, depicted in Figure 2.1, comprised negotiation teams reporting to negotiation leads who reported to the evaluation committee, and the evaluation committee reports to the delegate through the steering committee.

Figure 2.1: Procurement evaluation governance and negotiation personnel structure

Note: Advisors include the Program Sponsor and Program Directors. Advisory roles for the evaluation included the evaluation coordinator, bundle facilitator, procurement lead, procurement advisor, probity advisor, sourcing advisor, legal advisor, technical advisor and financial advisor.

Source: ATO’s Evaluation Plan June 2022 and ITSS Negotiation Plan Final V1.0 2022Aug25.

2.10 The ATO applies a single Contract Management Plan to all contracts managed by IT Commercial Services. The plan sets out governance arrangements including roles and responsibilities, contract administration and financial management arrangements. All ITSSP contracts are listed as in scope in the Contract Management Plan.³⁴ For each individual contract, a contract overview is developed and attached to the Contract Management Plan.³⁵ Contract overviews were available for all ITSSP contracts.

Steering committee

2.11 In February 2021 a steering committee was formed to support the delegate in overseeing the ITSSP.³⁶ The ATO developed and updated the terms of reference for the committee as necessary to ensure they remained fit for purpose.³⁷ Committee membership changed over time, with a core membership of the Chief Information Officer (CIO) as chair, and other members at the SES Band 2 level including the Chief Financial Officer (CFO) and Deputy Commissioners with IT responsibilities. Until May 2023 a senior executive from the Digital Transformation Agency was also a member.³⁸ Between February 2021 and September 2024 the steering committee met 84 times.

2.12 The delegate is the decision-maker for a procurement. Documents such as the market engagement plan and procurement plans were addressed to the delegate for approval.³⁹ The steering committee was to endorse documents prior to seeking delegate approval. In some cases it was not clear from approvals sought and provided whether the delegate was approving reports and other ITSSP documentation as a member of the steering committee or as the delegate (see paragraphs 2.54, 3.92 and 3.17). For example, when seeking approval for documents such as the market engagement and procurement plans an email was sent to the steering committee asking for approval (not endorsement), the delegate was included in these emails as a member and chair of the steering committee. The delegate responded to the emails sent providing approval. By comparison, for the selected ITSSP procurements, for commitments to spend money and contract approval minutes the delegate was not asked to respond to steering committee emails, a separate email was sent after steering committee endorsement had been provided.

2.13 All versions of the steering committee terms of reference also included provisions that indicated decisions would be made by consensus. For example, the chair’s responsibilities included ‘Facilitating Decision making as the Program Senior Responsible Officer and Delegate. Decisions will be made by consensus. Where a consensus is not possible, the Chair will coordinate a decision’. Consensus decision-making is inconsistent with the delegate exercising their decision-making powers in accordance with the PGPA Act.

Core design team

2.16 At the March 2021 steering committee meeting the CIO asked that a design authority be established to oversee the operating model, with Deputy Commissioner oversight of what services were to be outsourced. At the April 2021 meeting the steering committee established a terms of reference for the core design team that set out its purpose, membership, meeting frequency, forward meeting schedule and team. Its purpose was to act as a design authority for the future outsourcing model, and was assigned a program of work. The team was a recommendation and endorsement body; it did not have decision-making authority.

Working groups

2.17 The ATO established working groups at the project level (for example, for individual procurements and legal and commercial services) to support project delivery through the three stages of the ITSSP.

Delegations

2.18 The Commissioner for Taxation delegated the powers of PGPA Act subsection 23(3) (the power to make a commitment to spend money) and section 110 (the power to delegate that commitment) to the CFO.⁴⁰ In May 2020, the CFO sub-delegated their powers under subsection 23(3) of the PGPA Act to ‘spending delegates’.⁴¹ ATO’s Chief Executive Instructions (CEIs) sets out the role and scope of the spending delegate.

• ‘Only certain officials (referred to as “spending delegates”) have been delegated the power to approve spending on behalf of the ATO by the CFO. Spending delegates cannot sub-delegate their spending delegation power to anyone else.’
• ‘Delegations are attached to the spending delegate’s position number. The scope of delegation is limited to a specific spending power (category of expenditure), direction (additional instructions) and spending limit (inclusive of GST).’

2.19 Between 16 December 2020 and 29 May 2024, there were 34 versions of the schedules to the CFO’s May 2020 delegation instrument.⁴²

2.20 All officials have the power to enter into and vary a contract or arrangement. Prior to entering into or varying a contract or arrangement, the official must obtain approval from the appropriate ‘spending delegate’.

Roles and responsibilities clearly specified and implemented

2.21 Roles and responsibilities were set out across a range of documents.

• Overarching roles and responsibilities for the program were set out at a high level in the ATO project management methodology and in the ITSSP structure diagram for the planning stage of the ITSSP presented in steering committee papers.
• Roles and responsibilities for the steering committee were set out in the terms of reference.
• The procurement plan (including probity roles and responsibilities in the probity plan), evaluation plans, negotiation plans and a transition roles and responsibilities document (and transition plan) set out roles and responsibilities for the ITSSP (referring to the program management methodology roles and responsibilities for further information).

Risk management

2.22 The ATO’s program management methodology requires program risk and issue management to operate within the ATO Risk Management Framework. The ATO’s risk management policy and procedures includes the Risk Management Chief Executive Instruction (see paragraph 2.36), an Enterprise Risk Management Framework (1 June 2020) and supporting guidance. For procurement, additional guidance includes risk assessment templates, a risk help card and supporting tools. A risk assessment must be attached to the procurement plan.

2.23 The ITSSP Risk Management Plan (August 2023) established arrangements for managing risk in accordance with the ATO’s Enterprise Risk Management Framework and Risk Management CEI. ITSSP and transition risk registers were maintained for the program.⁴³ Table A.2 in Appendix 5 provides an overview of risk approaches and assessments for the ITSSP by stage.

2.24 The approach to risk management and its evolution though the stages of the procurement may have benefited from establishing a risk framework and management plan for the program during the planning stage (a risk register was in place during planning).

Oversight and reporting arrangements

2.25 To support management of the ITSSP, the steering committee monitored a program schedule. An initial schedule was developed in March 2021 to plan start-up, tranche 1 (operating model, service design and sourcing strategy), tranche 2 (procurement) and tranche 3 (transition and service transformation). The schedule covered the period 2021–21 to 2024–25; it was expected that the transition and transformation of ITSSP would be complete by June 2024.

2.26 The schedule was refined and updated over time.⁴⁴ ITSSP timeframes for tranche 2 (procurement) and tranche 3 (transition and transformation) were extended, with program closure scheduled for December 2025. All procurements were completed by 20 June 2024. Figure 2.2 provides an overview of the ITSSP schedule as at 6 May 2024.

Status reporting

2.27 The ATO’s program management methodology requires program status reporting to occur at a minimum on a monthly basis and to be endorsed by the program board (for the ITSSP the steering committee was a sub program board, see footnote 31). Except for March and May 2022, at least one program status report was provided to the steering committee every month between April 2021 and September 2024 consistent with the minimum monthly requirement.

2.28 The ITSSP risk management plan (August 2023) requires fortnightly reporting of risk and treatments to the steering committee for residual risks rated high and above (from August 2023).⁴⁵ The steering committee was provided with fortnightly extracts of risks from the ITSSP program level risk register where risks were rated at or above high. The ITSSP risk management plan reporting requirements were met, with fortnightly reporting occurring between September 2023 and September 2024. The steering committee played a role in the treatment of some severe risks. Some risk treatments included the ITSSP reporting about readiness to the Tax Time Steering Committee. Risks were not required to be escalated to Enterprise Solutions and Technology (EST) leadership group to be completed, as after treatment risks were at a level that could be managed by the steering committee. Since 17 May 2024 the overall status of the ITSSP has been tracking at ‘amber’ or ‘red’ with key risks and pressures relating to resources, budget and defects.

Financial reporting

2.29 The ATO’s program management methodology requires program and project financials to be reviewed regularly, projected overspends to be escalated early and appropriate action taken, and financial verification to be sought through ATO Finance for financial matters.

2.30 Funding for the program was released for a program tranche by financial year. The ATO Finance Committee approved program budgets. The steering committee monitored the program budget and received reporting on cost estimates and budget versus actual expenditure. Projected overspends were escalated through the steering committee to the Finance Committee when additional funds were needed and cost reduction strategies were not sufficient. As at 24 December 2024, the estimated cost for the program between 2020 and 2025, was $182.2 million.⁴⁶ The ATO funded the program through its annual departmental appropriation.

2.31 The steering committee received reports on estimated cost savings. For example, in May 2024 the steering committee was advised that the new contracts represented a cost saving of $15.4 million over 3 years and $105.9 million over six years.

Has the ATO established a fit-for-purpose procurement framework?

Chief Executive Instructions

2.32 Section 20A of the PGPA Act states:

The accountable authority of a Commonwealth entity may, by written instrument, give instructions to an official of the entity about any matter relating to the finance law.

2.33 The ATO policy framework sets out that CEIs are issued⁴⁷:

• under section 20A of the PGPA Act by the Commissioner; and
• for the purpose of subsection 13(5) of the Public Service Act 1999 (PS Act) by Second Commissioners, the Chief Operating Officer, Chief Information Officer and Deputy Commissioners.⁴⁸

2.34 The policy framework notes that business line content owners (relevant Executive Level 2 officers or Assistant Commissioners) are responsible for maintaining currency of CEIs and provide approval of non-material updates for CEIs. ‘Non-material updates include: grammatical changes, rewording for clarity, movement of content between CEI and guidelines and repairing broken links.’

2.35 A procurement CEI was issued in July 2014. It was approved by the Commissioner on 30 June 2014. The Commissioner approved an updated and renamed CEI for procurement and contract management in March 2023. Purchasing obligations and requirements are set out in the procurement and contract management CEI and the committing money and approving spending CEI.⁴⁹

2.36 Other CEIs also address procurement.

• The conflicts of interest CEI was updated five times between May 2020 and April 2024. Four versions of the CEI were approved at an Executive Level 2 level and one by a Deputy Commissioner. Under this CEI officials are required to manage conflicts of an ongoing or temporary nature for procurement activities. An official’s interests should be assessed and reassessed to identify conflicts.
• A security CEI was updated in July 2020 and October 2023. Three deputy commissioners approved each version of the CEI. Under this CEI, when conducting a procurement ATO officials must engage with security areas to manage security supply chain risks.
• A risk management CEI was updated in December 2018, it was approved by the Commissioner in November 2018. The Commissioner approved an update to the CEI in January 2023. It requires risk management to be embedded into all ATO activities. The procurement and contract management CEI provides a link to the risk management CEI.

2.37 The procurement and contract management, risk management and committing money and approving spending CEIs state they were issued under the section 20A of the PGPA Act. The conflict of interest and the security CEIs state that they were issued for the purpose of the PS Act subsection 13(5).

2.38 Paragraph 110(2)(aa) of the PGPA Act states ‘However, the accountable authority of a non-corporate Commonwealth entity may not delegate any of the accountable authority’s powers, functions or duties under: … (aa) section 20A (which is about accountable authority instructions)’. CEIs that are not issued and approved by the accountable authority have not been appropriately authorised or approved.

2.39 Section 29 of the PGPA Act and sections 12 to 16A of the PGPA Rule impose requirements relating to conflict of interest. Under section 20A of the PGPA Act the Commissioner has the power to give written instructions about any matter relating to finance law. The Commissioner has the authority to give directions relating to conflict of interest. Subsection 13(5) of the PS Act is an obligation imposed on employees to comply with directions and not a power to issue directions or instructions.⁵⁰

2.40 To avoid confusion, instructions made under section 20A of the PGPA Act should be called accountable authority instructions or Commissioner’s instructions. Directions made under the PS Act should be named to be clearly distinguishable from accountable authority instructions.

2.41 The ATO’s procurement and contracts CEI aligns with the CPRs.

Procedures and guidance

2.44 The ATO’s officials must follow guidelines issued by the CFO that support the procurement and contract management CEI, and ATO’s procurement guidance and direction provided by Strategic Procurement and Contracts (SPC) branch.⁵¹ The ATO’s risk-based approach to procurement requires that all procurements valued at $80,000 and above must be undertaken in conjunction with the SPC branch.

2.45 The CEIs, and procurement guidance and templates, are available to staff on the ATO intranet. The ATO intranet instructs staff that where there is an existing arrangement in place, it must be used.⁵² Guidance and templates are available to staff for procurements below $80,000. If a procurement exceeds $80,000, staff are required to contact SPC branch. To determine which approach applies to a procurement, ATO’s guidance provides a process flow to support decision-making (see Figure 2.3).

Figure 2.3: ATO process flow for selecting a procurement method

Source: ATO, Determine your procure approach guidance, p. 2.

2.46 The ATO has developed a suite of procurement procedures, guidance and templates for low, medium and ‘high touch’ procurements and panel arrangements. The high touch procedures and guidance applied to the IT managed services procurements (see Table A.1 in Appendix 3), and the purchase from a panel procedure applied to the advisor procurements (see Table 1.2). The panel and high touch procedures align with the CPRs.

2.47 Procedures and guidance cover the four stages of a procurement: planning, approach to market, evaluation of suppliers and entering into an arrangement to procure the goods and services. At each stage procedures and guidance provided opportunities for delegates and staff to make decisions that reflected the scale, scope and risk of the procurement. Table 2.1 provides an overview of key procedures and guidance for high touch and panel procurements.

Table 2.1: Key procedures and guidance for high touch and panel procurements

Source: ATO documentation.

2.48 To support staff undertaking procurement the ATO developed checklists of key steps to undertake and records to keep for low, medium and high touch and panel procurements.

Procurement framework for IT managed services procurements

2.49 The ITSSP Procurement Plan approved in March 2022 articulated the procurement approach and how the IT managed services procurements would be managed during the approach to market phase. The ITSSP steering committee, established in February 2021, managed IT strategic sourcing at the program level and oversaw the implementation of the plan to meet procurement objectives, outcomes and timelines. The ITSSP applied the existing ATO procurement framework to the IT managed services procurements, tailoring its approach based on the scale, scope and risk of the ITSSP.

2.50 When procuring services at end of life of IT contracts, the ATO was required to comply with the Digital Sourcing Contract Limits and Review Policy. On 23 November and 6 December 2021 the Assistant Treasurer (ATO portfolio minister) and the Minister for Employment, Workplace, Skills, Small and Family Business (minister responsible for the Digital Transformation Agency), respectively, granted the ATO an exemption from the capped value policy requirement of the Whole of Government Digital Sourcing Contract Limits and Review Policy which requires all IT contracts to be under $100 million (see paragraphs 1.7 and 1.12).⁵³

Did the ATO undertake appropriate planning to inform the design of the IT managed services procurements?

2.51 The CPRs include specific requirements for planning including defining goals, estimating value and managing procurement risks. There are also requirements for approaching the market.

Annual procurement plan

2.52 To provide the market with early advice of potential procurement opportunities, the CPRs require that an entity must maintain on AusTender a current annual procurement plan (APP). An APP was in place at the time of the ITSSP commencement which generally complied with the CPRs. By publishing the advance notice on 4 May 2021 on AusTender the ATO provided the market notice of the upcoming ITSSP procurements. The ATO complied with paragraphs 7.8 and 7.9 of the CPRs in relation to the APP addressing the ITSSP.

Request for information and research supporting strategy development

Request for information

2.53 Market research and sounding can provide valuable information to assist in developing insights about what the market can offer, to make the subsequent procurement process more focussed and efficient and to deliver improved outcomes. Market research and sounding should be commensurate with the scale, scope and risk of a procurement (CPRs paragraph 6.2), be properly planned and have a clear outcome in mind, as it incurs costs for the entity and suppliers.

2.54 In early April 2021 the ATO commenced planning for early market engagement. On 17 June 2021, the steering committee and delegate approved the Market Engagement Plan. The plan recommended conducting a market engagement process for ITSSP by issuing an RFI via AusTender. It set out a market engagement method, timetable⁵⁴, analysis process, risk management arrangements, probity arrangements and the RFI to be released via AusTender.⁵⁵ The purpose of the RFI was:

to inform the sourcing strategy and bundling options. The RFI will allow the ATO to consider how best to bundle the required services and subsequently approach the market in order to take advantage of best offerings in the marketplace, thereby maximising value for money to the Commonwealth.

2.55 The RFI was open to the market between 18 June and 15 July 2021, with 179 suppliers downloading the RFI material, 74 attending a virtual industry briefing, and 32 providing responses within the comment period. Of the 32 responses, 11 were from incumbent suppliers and 21 from organisations that were not existing suppliers to the ATO. Twelve respondents were invited to workshops with the ATO.

2.56 Prior to the RFI closing, the RFI analysis plan was approved on 13 July 2021 by the ITSSP delegate. The plan set out the arrangements for probity, ethics and fair dealing, roles and responsibilities of analysis personnel, and the analysis and reporting process. The purpose of the plan included analysing responses to ‘inform the services bundling strategy, leading to the production of appropriately scoped Requests For Tender (RFT)s.’

2.57 On 8 October 2021, the Early Market Engagement Summary Report was circulated to the steering committee for approval. The early market engagement process was closed following the steering committee approval of the report on 28 October 2021. The report presented the outcomes of the analysis in relation to: bundling; insourced, outsourced or hybrid models; governance; security; flexible infrastructure; hybrid infrastructure; field services; service desk; end user experience; commercial alignment; and as-a-service pricing models.

2.58 The Early Market Engagement Summary Report informed bundling decisions including the services that may be sought and bundle composition. The steering committee members including the delegate were briefed on the report prior to approval. The report provided sufficient advice to the delegate on RFI outcomes to inform procurement planning.

Other research activities

2.59 To support the development of the procurement strategy the ATO undertook other research activities.

• ‘Like-sized’ agency analysis — Its purpose was to understand how a selection of large corporates⁵⁶ and other Australian Government agencies⁵⁷ approach their sourcing eco-system.
• A market comparison report — The purpose of the report was for ‘in-scope contracts to identify what ATO could reasonably expect the prices to be if they were to take the services to market as they are currently prescribed in the contract. Savings outlined in the report will be used as key inputs into the ISG base case.’
• ATO Future State Services Model (High Level Design) Report — To develop ‘a high-level design for the Future Services Model (FSM) which proposes a re-defined portfolio of services for consumption by the ATO.’ The proposed bundling in the FSM will be used to develop the requests for tender for the ITSSP.
• ATO Strategic Sourcing Program Horizon Scan — The scan was conducted to inform the ITSSP target state options. Its purpose included: identifying ‘anticipated and emerging trends in the broader technology environment that may influence the ATO’s sourcing decisions’; and providing an ‘initial analysis on key considerations (including risks and opportunities) relevant to the ATO’s sourcing program’.
• Base case summary and savings estimate — To reconcile the financial base case for the ITSSP with the five-year IT sustainment forecast determined in March 2021.
• Traceability — ‘A traceability matrix from the old contracts was created to ensure that no existing requirements were accidentally omitted’.

2.60 Reports from these research activities supported decision-making for the procurement strategy. The steering committee, and delegate, received walk throughs and copies of these reports during the planning phase. These research reports were attached to the ITSSP procurement plan (see paragraph 2.67).

Lessons learned

2.61 When planning for the procurement the ATO considered and applied lessons learned from the Managed Network Services (MNS) procurement. Lessons considered included:

• allowing more time for large procurements to define clear requirements and allow sufficient time for the market to respond (to be incorporated in the tranche plan);
• seconding or recruiting service owners early to inform a clear tender scope, and support evaluation, negotiation and transition;
• conduct an initial probity risk assessment to clearly set out controls such as for information security and incumbent probity plans (this includes reference to a program funded probity advisor); and
• set savings targets as part of the base case (to be delivered by the sourcing partner).

Procurement strategy and plans

2.62 A procurement strategy and a procurement plan are both essential components of a procurement process. The procurement plan is a key document used for endorsement of the procurement and approval of approach to market. It sets out the procurement objectives and method, the process to be followed, and risks to be addressed.⁵⁸ ATO guidance requires that a procurement plan must be completed for panel and high touch procurements, and approved by the PGPA delegate.⁵⁹

Procurement strategy

2.63 The procurement strategy was informed by market testing and other research. On 9 October 2021, the steering committee, which includes the delegate, discussed the adoption of a phased approach to taking bundles to market. In support of the phased approach the committee referenced lessons learned (from MNS and ATO’s previous experience following implementation of these contracts where significant rework was required) and the market engagement and technology horizon research. The committee also discussed the need to balance the costs of administering more contracts, where there are more bundles. The steering committee approved the strategy to take nine bundles to market on 26 October 2021.

2.64 The procurement strategy was set out in the ITSSP procurement plan. The ITSSP procurement plan was approved on 10 March 2022 (prior to the first approach to market being released).

2.65 The strategy set out the procurement approach for the ITSSP procurement bundles. The procurement approach includes an open approach to market for each bundle, with the bundles to be released in three waves. The ITSSP plan covers the approach for all bundles (see Figure 2.4), with bundle specific information included in an appendix for each bundle. Appendices for two of the nine bundles were approved as part of the ITSSP plan; appendices for the remaining bundles were to be approved prior to the bundle being released to market.

2.66 The ITSSP plan provided:

• an overview of the market research completed;
• policy requirements (including PGPA Act and the CPRs, Indigenous Procurement policy, public interest certificates, the digital sourcing framework and exemption for the ITSSP, whole of government panels⁶⁰, modern slavery, ATO policy⁶¹, ministerial updates and advance notice);
• an overview of the evaluation process, noting that an evaluation plan was being developed;
• for maintenance and regular review of the risk register;
• an overview of probity arrangements including reference to the attached probity plan;
• quality assurance arrangements; and
• other considerations.

2.67 Attachments to the ITSSP procurement plan included market research reports, ITSSP key risks and their treatments and an ITSSP probity plan. The probity plan was separately approved (discussed at paragraph 3.57).

Procurement plans for individual procurements

2.68 The EOTE procurement plan was included as an appendix to the ITSSP procurement plan approved in March 2022 (prior to the first approach to market being released). The Mainframe procurement appendix was added in April 2022, and approved by the delegate prior to the Mainframe approach to market in April 2022.

2.69 The procurement plan appendices describe key elements such as: the bundle background including estimated contract value for three- and 10-year terms; an overview of the statement of requirements; a proposed timetable; and evaluation criteria (weighted⁶² and unweighted⁶³). Attachments to the plan appendices included in principle budget approval; IT Procurement Government Forum (ITPGF) approval; the public interest certificate; the full statement of bundle requirements and bundle owner endorsement; and bundle owner approval for evaluation criteria.

2.70 The ITSSP procurement plan states that ‘the evaluation will use separate Evaluation Teams for the technical, commercial and financial evaluations for each bundle RFT. For RFTs containing more than one bundle, the evaluation of each bundle may have two pricing outcomes; one based on the pricing for that bundle only; and one for bundled pricing where offered’ (evaluation is discussed further at paragraphs 3.19 to 3.48).

2.71 For the strategic sourcing advisor procurement, a procurement plan was approved in November 2020. There was no procurement plan developed for the legal services procurement.

3.1 The CPRs govern how entities buy goods and services, including requirements and recommendations for approaching the market, conducting evaluations and achieving value for money.

3.2 To assess whether the IT managed services procurements were conducted in compliance with CPRs and other requirements, the ANAO examined a selection of IT managed service procurements (see Table A.1 in Appendix 3) and advisor procurements (see Table 1.2). The procurements selected were (see paragraph 1.25):

• Mainframe: this includes mainframe hardware and services, as well as Mainframe as a service;
• Enterprise Operations and Technical Enablement (EOTE);
• Strategic sourcing partner procurement⁶⁵; and
• Legal services partner.

Did the ATO conduct the approach to market processes in compliance with the CPRs?

Approach to market overview

IT managed service procurements

3.3 For IT managed service procurements, an IT Strategic Sourcing Program (ITSSP) procurement plan was approved prior to the approach to market in March 2022. The procurement plan proposed an open approach through seven RFTs (see paragraph 2.65). Detailed plans were included as appendices to the ITSSP procurement plan for each RFT, including estimated value, timeframes, statements of requirement and evaluation criteria. The EOTE plan was approved by the delegate in March 2022 and the Mainframe plan was approved in April 2022 (prior to the Mainframe approach to market), see paragraph 2.68.

3.4 Table 3.1 shows that, consistent with the procurement plan, the ATO adopted open approaches to market for all IT managed services procurements. The ATO published RFTs on AusTender between 11 March 2022 and 16 September 2022, with the final RFT closing on 25 November 2022 (see Appendix 3).

Table 3.1: IT managed services requests for tender

Note a: No shading indicates that the item was not selected for detailed examination by the ANAO.

Note b: Grey shading indicates that the item was selected for detailed examination by the ANAO.

Note c: The procurement was reported on AusTender as a limited tender procurement from standing offer notice SON3933978, IBM Whole of Government Arrangement 2.0. This arrangement is mandatory for all Commonwealth entities. Commonwealth entities are required to first conduct an open approach to market, if IBM is the preferred supplier Commonwealth entities can then negotiate a work order with IBM under this standing offer arrangement.

Source: ANAO analysis of AusTender and ATO records.

Advisor procurements

3.5 Procurement plans for advisor procurements were developed and approved independent of each other. There was no overarching strategy for advisor procurements. For the strategic sourcing advisor procurement, a procurement plan was approved in November 2020, proposing a request for quote from the Digital Marketplace Panel 1.0 (see paragraph 2.71).⁶⁶ There was no procurement plan developed for the legal services procurement.

3.6 Table 3.2 shows that the ATO procured from established panels for all advisor procurements; each of these panels were established through an open approach to market. The ATO issued requests for quote (RFQs) between 2 December 2020 and 15 October 2021, with the final RFQ closing on 25 October 2021. The request for quote method and timing for the strategic sourcing partner advisor procurement was consistent with the procurement plan.

Approach to market compliance with requirements

3.7 The ATO was largely compliant with the CPRs and other requirements in relation to the ATO’s approach to market processes. Table 3.3 shows the overall level of compliance of the ATO with the CPRsand ATO’s requirements for open tender approaches to market and procurement from standing offer notices for the selected procurements.

Table 3.3: Assessment of approach to market documentation for selected ITSSP and advisor procurements

Key: ◆ Fully compliant or fully met ▲ Partly compliant or partly met ■ Not compliant or not met

Note a: Division 2 of the CPRs does not apply to standing offers.

Note b: Where the evaluation criteria or the relative importance of the criteria changes from the RFT to the evaluation plan or evaluation report it is non-compliant with paragraph 10(6)(d) of the CPRs (see paragraphs 3.25 and 3.26).

Note c: A sufficient number of competitive tenders is consistent with an open, fair and non-discriminatory procurement see CPRs paragraph 4.4 ‘Should’, 5.1 and 10.8 ‘Must’.

Note d: For Mainframe Services and Mainframe Hardware, the statement of requirements in the procurement plan were in draft.

Source: ANAO analysis of ATO records.

3.8 The detail of the areas not fully met or compliant are described below.

• Legal services request documentation gave an overview of the roles to be undertaken but not a complete description. The legal services procurement RFQ did not include weightings for evaluation criteria.
• There were changes in content from the draft statement of requirements attached to the procurement plan to the versions published on AusTender for EOTE, Mainframe Hardware and Mainframe Services. The Mainframe statements of requirements were marked as draft in the procurement plan.
• There is a trademarked name mentioned in the statement of requirements for Mainframe Hardware, which is not consistent with paragraph 10.12 of CPRs.

Open, fair, and non-discriminatory procurement approach

3.9 Except for the legal services procurement, the approach for the selected ITSSP procurements and strategic sourcing partner was generally open, fair and non-discriminatory.

Mainframe hardware procurement

3.10 The Mainframe Hardware components of the Mainframe procurement received three proposals from two providers. The ATO advised the ANAO on 18 July 2024 that this is due to the limited market for compatible solutions. There was an open approach to market for Mainframe Hardware, and the evaluation process recommended IBM as the preferred tenderer leading to negotiation under limited tender arrangements in accordance with the IBM Whole of Government Arrangement 2.0. Reporting this as a limited tender on AusTender is good practice in line with paragraph 9.13 of the CPRs.

Legal services procurement

3.11 For the legal services advisor procurement, the Whole of Australian Government Legal Services Panel was used. As a non-corporate Commonwealth entity, this panel was mandatory for ATO when purchasing domestic external legal services.

3.12 On 26 July 2021 an officer from the ITSSP emailed the ATO’s Office of General Counsel (OGC) to ask for a specific person to be engaged due to previous experience and current work with the ATO.⁶⁷ Prior to going to market the ATO did not estimate the cost of the procurement, determine the size, scale and scope of the procurement to inform the design of the procurement approach, or develop a procurement plan, which is inconsistent with ATO policy and procedures (see paragraph 2.62).

3.13 Achieving value for money is the core rule of the CPRs. Approaching multiple suppliers generates competitive tension, helps drive value for money, enables greater transparency and fairness, and is consistent with the intent of the CPRs. The OGC approached one provider (Sparke Helmore) from the panel for the ITSSP legal services, asking for availability of the specific person and likely cost.⁶⁸ Approaching one supplier does not demonstrate better practice and is inconsistent with the intent of the CPRs. The request for quote did not include evaluation criteria and there is no evidence of evaluation planning, which is inconsistent with ATO policy and procedures.

3.14 On 30 July 2021, Sparke Helmore provided a quote of $665,500. There is no evidence of evaluation of the quote.⁶⁹ An Executive Level 2 (EL2) from the ATO OGC was asked to approve $250,000 to engage Sparke Helmore to provide legal services for the ITSSP.⁷⁰ The ATO advised Sparke Helmore on 6 August 2021 that $250,000 was approved. There is no documented rationale for seeking approval of an amount less than the quote or evidence of negotiation or consultation with the Sparke Helmore in relation to the amount approved. There is no documentation of the approval or a work order with Sparke Helmore for $250,000. In September 2024, the ATO advised the ANAO verbal approval was provided. This does not comply with paragraph 7.2 of the CPRs, where officials must maintain adequate records of a procurement, or section 18 of the Public Governance, Performance and Accountability (PGPA) Rule 2014.⁷¹

3.15 Contrary to requirements set out in the ATO’s purchase from a panel procedure a work order was not drafted and executed for the legal services procurement. The first purchase order for legal services was approved on 5 October 2021 for $900,000 by the ATO General Counsel (the delegate was advised the amount reflected estimated expenditure for 2021–22). By September 2024 this arrangement was amended 11 times (see Table 3.9), and the ATO had committed $10.9 million for ITSSP legal services. From 1 July 2022, the CPRs (paragraph 9.14) outline that for procurements from standing offers (such as the legal services panel), ‘To maximise competition, officials should, where possible, approach multiple potential suppliers on a standing offer’. On 2 August 2022, the ATO reported the third of 11 amendments to the legal services contract notice.⁷² This amendment increased the total value of services from $1.5 million to $1.7 million. The contract notice further increased in value by around $9.2 million to a total of $10.9 million, after the CPRs was amended to include paragraph 9.14.

3.16 Between July and December 2023, Enterprise Solutions and Technology (EST), Strategic Procurements and Contracts (SPC) and OGC collectively conducted an internal governance review into the external legal services provided to support the implementation of the ITSSP. The review considered whether some of the services could be provided by the OGC, whether there was appropriate governance in place, including monitoring value for money and to determine the preferred model going forward. The review concluded that ‘The ATO is receiving appropriate levels of legal services support from its external legal service providers in relation to the rollout of the ITSSP. Whilst the financial commitment is material and the vast majority of the work is being done by one law firm, it is reasonable in the circumstances.’

Record keeping

3.17 Appropriate records were maintained for the selected ITSSP procurements for the approach to market including a procurement plan, endorsement of the approach to market, and records of approach to market documentation, briefings to industry, industry questions and ATO responses to questions, and tender responses. There was no delegate approval (separate from the approval given as the Chair of the steering committee) of the approach to market for selected ITSSP procurements. The bundle owner approved the evaluation criteria and the statement of requirements.

3.18 The ATO maintained records for the strategic sourcing partner procurement, including a procurement plan, records of the published opportunity and responses received. For the legal services procurement, the ATO did not develop a procurement plan, including evaluation criteria for this procurement.

Did the ATO conduct the tender evaluation processes in compliance with the CPRs?

Evaluation planning, process and criteria considerations

3.19 Except for the legal services procurement, the selected ITSSP procurements and the strategic sourcing partner procurement were compliant with:

• CPR requirements for evaluation of open tenders (paragraphs 4.5 and 7.12 of the CPRs); and
• selected ATO requirements for the evaluation planning stage for procurements from standing offer arrangements.

Evaluation plans

3.20 In May 2022, the ATO developed an overall evaluation plan for the ITSSP, with appendices for each bundle, including for the Mainframe and EOTE procurements.⁷³ It was approved in June 2022 by the steering committee and delegate. The evaluation plan was updated throughout 2022 and into 2023 for any changes to the evaluation process, and to add new appendices for RFTs as they were approved for approaching the market. Mainframe and EOTE appendices were added in June 2022, prior to the closing of those RFTs on AusTender.⁷⁴

3.21 An evaluation plan was developed and approved for the strategic sourcing advisor procurement. This was approved on 18 December 2020, two days after the RFT closed on 16 December 2020. No evaluation plan was developed for the legal services procurement.

Evaluation process

3.22 For the selected ITSSP procurements, a staged evaluation process was undertaken, which is outlined in the ITSSP evaluation plan and procurement plan, shown in Appendix 6.

3.23 The Mainframe procurement included extra steps to compare options. The Mainframe tender was split into three portions: Mainframe as a Service (Option 1), Mainframe Hardware (Option 2a), and Mainframe Services (Option 2b). This enabled the ATO to mix and match these portions following a value for money assessment. To enable this, separate assessments were undertaken for Mainframe Hardware, Mainframe Services and Mainframe as a Services, with a consolidated evaluation conducted and report prepared to compare options.

3.24 The strategic sourcing partner procurement followed a similar model to the broader ITSSP and had less stages, commensurate with the ATO’s assessment of the reduced complexity of the procurement. This was outlined in the strategic sourcing partner evaluation plan. No evaluation occurred for the legal services procurement.

Evaluation criteria

3.25 The evaluation plan outlines the evaluation criteria, and weighting and ranking scale for each criteria. Consistent with ATO requirements, the evaluation plan also details the scoring and how the criteria will be assessed. Where the evaluation criteria or the relative importance of the criteria changes from the RFT to the evaluation plan or evaluation report it is non-compliant with paragraph 10(6)(d) of the CPRs.

3.26 The evaluation criteria for the IT managed services procurements and advisor procurements were consistent between the procurement plan, RFT and evaluation plan, apart from:

• additional granular detail in the evaluation plan regarding the percentage weighting for sub-criteria was not included in the RFT for both ITSSP procurements; and
• the desirable criteria listed in the evaluation plan is not consistent with the wording in the RFT for the strategic sourcing procurement.

3.27 Table 3.4 outlines that evaluation criteria were relevant. Procurement connected policies were not included as evaluation criteria or addressed elsewhere for the strategic sourcing procurement. No evaluation criteria were developed for the legal services procurement.

Evaluation reports, notifying tenderers and record keeping considerations

3.28 The ATO was largely compliant with the CPRs and ATO’s requirements when conducting the evaluation. Areas that were not fully met or compliant are discussed at paragraphs 3.29 to 3.48. Table 3.4 shows the ATO’s overall level of compliance with the CPRs and the ATO’s high touch and panel procurement procedures and guidance.

Table 3.4: Assessment of evaluation process for the ITSSP and advisor procurements

Key: ◆ Fully compliant or fully met ▲ Partly compliant or partly met ■ Not compliant or not met

Note a: Division 2 of the CPRs do not apply to standing offers.

Note b: This includes records and information such as the evaluation plan, evaluation criteria, the evaluation report, consideration of value for money and tenderer debriefings.

Note c: A work order was not entered into for the initial term of services provided for the legal services advisor. The provider was advised they were successful on 6 August 2021; the AusTender notice was published on 21 October 2021 reflecting the amount approved by the delegate on 5 October 2021. There is no work order for services agreed on 5 October 2021.

Source: ANAO analysis of ATO records.

Evaluation process

3.29 The evaluations were conducted consistent with the evaluation plan apart from the strategic souring partner procurement, where the evaluation report described a three stage process undertaken, while the evaluation plan described a two stage evaluation process. An initial screening step was added for the evaluation. Consistency of evaluation criteria and relative importance is discussed at paragraph 3.26.

3.30 The evaluation committee for the sourcing partner procurement assessed two tenders as not meeting requirements but these tenders were progressed to evaluation. One tenderer did not provide references and another tenderer did not provide resumes.⁷⁵

3.31 The approach taken for the legal services procurement did not consider the scale and scope of services required, as it did not have an evaluation process, evaluation report, or evaluation criteria, noting that the contract value reported on AusTender as at February 2025 was $10.9 million.

3.32 The evaluation process for the Mainframe Hardware procurement recommended IBM as the preferred tenderer leading to negotiation under limited tender arrangements in accordance with the mandatory IBM Whole of Government Arrangement 2.0.

• Under the Whole of Government Arrangement there was an initial contract term of five years with five one year extension options.
• The Mainframe Hardware RFT included an initial contract term of three years, with three additional extensions consisting of three, two and two years each.

Tender evaluation process conducted in a timely manner

3.33 Table 3.5 and Table 3.6 show the time taken to evaluate and negotiate contracts, and the variance between the planned and actual date to enter into a contract or work order.

Table 3.5: Timeframes for evaluation of IT managed services procurement

Key: ◆ Before or by planned date

▲ Less than six months after planned date

■ More than six months after planned date

Note a: RFT close date to execute contract date.

Source: ANAO analysis.

Table 3.6: Timeframes for evaluation of advisor procurements

Key: ◆ On or before planned date

▲ Less than six months after planned date

■ More than six months after planned date

Note a: The planned contract start date was ‘as soon as possible’.

Note b: A work order was not entered into for the initial period of services being provided, see paragraphs 3.14 and 3.15.

Source: ANAO analysis.

3.34 The ITSSP procurement plan indicated that evaluation of the tenders ‘are anticipated to be assessed within 12 weeks of each relevant bundle RFT closing.’ For the EOTE procurement, there was extra time taken to evaluate and negotiate the procurement, in total 24 months. This was against an original schedule set out in the procurement plan, where evaluation was scheduled to be completed by September 2022 and the contract was to commence February 2023. The actual completion dates for these milestones were August 2023 and June 2024 respectively.⁷⁶

3.35 The ATO advised that the reasons for the extended time taken include:

• an unexpected sequential negotiation with two shortlisted providers (when shortcomings became apparent in the first shortlisted tender during negotiation)⁷⁷; and
• a six month pause to conduct a probity review (discussed further in paragraph 3.99).⁷⁸

3.36 As part of the process the ATO conducted briefings with successful and unsuccessful tenderers (see paragraphs 3.43 and 3.44). An EOTE tenderer in their debrief mentioned: ‘There is lack of communication to the market. It has been almost two years without any communication until the contract has been awarded’. Other tenderers queried in their debriefs why the evaluation process took a long time.

3.37 Processes also ran over the expected time for Mainframe procurement. The original schedule set out in the procurement plan included evaluation to be completed by October 2022 and the contract was to commence in March 2023. The actual dates for these milestones were February and March 2023 for evaluation completion, and July and August 2023 for contract commencement. Mainframe Hardware and Mainframe Services procurements took a total of 13 and 14 months respectively. Feedback from unsuccessful tenderers included that ‘the procurement timelines were quite long with long periods of quiet times … it would be good to provide regular updates, so service providers know what is going on’.

3.38 The ITSSP steering committee and delegate were aware of the overrun for both of the selected procurements, through regular program status reports and briefings to the former and current Commissioners as delegates for the EOTE procurement.

3.39 The plan for the strategic sourcing partner procurement did not set measurable milestones for completion of evaluation and commencement of the contract (see Table 3.6, note a). The ITSSP steering committee and delegate were advised that the strategic sourcing partner commenced on 6 April 2021 in the first program status report (dated 9 April 2021).

Notifying and debriefing tenderers

3.40 The CPRs state at paragraph 7.17 that:

Following the rejection of a submission or the award of a contract, officials must promptly inform affected tenderers of the decision. Debriefings must be made available, on request, to unsuccessful tenderers outlining the reasons the submission was unsuccessful. Debriefings must also be made available, on request, to the successful supplier(s).

3.41 Consistent with the CPRs, the RFT documentation for the selected ITSSP procurements outlined in the conditions for tender that ‘tenderers will be notified following the rejection of their tender or the award of the contract.’

3.42 The ATO notified all successful tenders and offered a debrief for the selected ITSSP procurements. The ATO notified tenderers after the contract was awarded, although for EOTE some tenderers were notified during the final negotiation stage. There were delays in advising certain tenderers, inconsistent with paragraph 7.17 of the CPRs.

• In the EOTE procurement, a tender submission was set aside prior to evaluation in July 2022, and the unsuccessful tenderer was not advised until February 2024. Another tender was excluded from further evaluation and assessed as unsuccessful in December 2022. This tenderer was advised in February 2024.
• Contract approval minutes were approved for Mainframe Hardware in July 2023, and for Mainframe Services in August 2023, with the tenderers advised in July and August 2023. One tender was excluded from further evaluation in March 2023 for Mainframe Services. The tenderer was advised August 2023.

3.43 Debriefs were conducted for three tenderers for Mainframe in September 2023. There is no evidence of which tenderers requested a debrief for the Mainframe procurement. Four providers requested tender debriefs for EOTE (including the successful provider) in February and June 2024. These debriefs occurred in July 2024.

3.44 Unsuccessful tenders for the sourcing partner procurement were advised promptly (the decision made and unsuccessful tenderers advised in March 2021), and offered debriefs. Four tenders requested debriefs and these were provided in April and May 2021, after the contract started, consistent with the CPRs.

Record keeping and AusTender reporting requirements

3.46 Paragraph 7.18 of the CPRs states that ‘relevant entities must report contracts and amendments on AusTender within 42 days of entering into (or amending) a contract if they are valued at or above the reporting threshold.’ The ATO met this requirement for the selected ITSSP procurements. The ATO met this requirement for four of the six advisor procurements. Legal services (76 days to publish from advice to supplier to commence) and project management procurements (51 days to publish from contract start date) took longer than 42 days to publish.

3.47 The CPRs require that appropriate records are maintained (CPRs paragraphs 7.2 to 7.5). Paragraph 7.2 indicates that ‘officials must maintain for each procurement a level of documentation commensurate with the scale, scope and risk of the procurement.’

3.48 Except for the legal services procurement, the ATO has generally maintained appropriate records for the selected ITSSP and advisor procurements. Reports were drafted at each evaluation step, an overall RFT evaluation report was developed, and minutes were recorded for the evaluation committees, including where consensus evaluation has occurred. Insufficient records were retained in some instances.

• There was no record of assessment of the ‘quote’ provided for the legal procurement.
• Assessor scoring sheets for Mainframe and EOTE were not consistently completed for all criteria for all assessors. This was an ATO requirement as per the high touch procurement guidance.

Did the ATO appropriately manage probity risks during the procurement processes, including identifying and managing conflicts of interest?

ATO probity requirements

3.49 Paragraph 6.6 of the CPRs outlines that officials must act ethically throughout the procurement, including seeking appropriate internal or external advice when probity issues arise. The Department of Finance guidance, Ethics and Probity in Procurement, indicates that ‘for higher risk (typically higher cost and complexity procurements run via open tender), it is appropriate to implement more rigor in dealing with suppliers. This may include formalised approaches to handling requests from suppliers, specified probity roles and utilising additional expertise where necessary’.⁷⁹

3.50 To support probity arrangements, the ATO developed general probity guidance, including:

• a probity decision map to determine the most appropriate probity approach;
• a probity plan template⁸⁰; and
• mandatory probity eLearning or probity briefing.⁸¹

3.51 The high touch procurement guidance detailed specific probity processes tools including documenting a probity plan using the probity plan template, conducting and maintaining a record of probity briefings; appointing an external probity advisor⁸²; and maintaining a probity register.⁸³

Appointment of an external probity advisor

3.52 The Department of Finance guidance, Ethics and Probity in Procurement, indicates that the probity advisor should be independent of the procurement process. For example, it states that:

• a benefit of engaging an external probity advisor is ‘receiving advice independent of the process’; and
• ‘probity experts should be independent and free from conflicts of interest’.

3.53 The ATO engaged external probity services for the ITSSP.⁸⁴ The services included providing probity advice, compliance assurance, process assurance, working as part of the procurement team, and undertaking administrative activities. Being embedded in the team and undertaking administrative activities has the potential to undermine independence of the probity advisor, whose role should be at arm’s length.

3.54 Roles that impacted the probity advisor’s independence included: developing the probity plan; maintaining probity risk register; developing and managing conflict of interest (CoI) and probity registers; administration of the incumbent service provider probity plans; and having a decision-making role in resolving probity issues as ATO’s officials remain accountable for the proper conduct of procurement activities.

ITSSP Probity Plan and arrangements

3.56 To support management of probity for the ITSSP the ATO: developed a probity plan and probity protocols; maintained a register of probity briefings; maintained a probity register; and maintained a register of probity cleared personnel (ATO staff and advisors).⁸⁵ Adopting these tools to manage ‘high touch’ procurements is consistent with ATO procurement guidance requirements. Except for four ITSSP probity protocols, all tools were in place prior to the first approach to market for IT managed services procurements.⁸⁶

ITSSP Probity Plan

3.57 The ITSSP Probity Plan was approved by ATO’s Chief Information Officer (CIO) in July 2021. The probity advisor developed the plan, it applied to the whole of the ITSSP (excluding the advisor procurements), and was not updated. The probity plan outlined the purpose of the plan, governance and accountability (including the probity advisor role), a high level CoI process, gifts, entertainment and hospitality, and approach for managing incumbent providers. The probity plan does not outline the process for identifying and managing probity issues, or the process staff should take to identify and report probity issues (see further details at paragraph 3.68). It also does not outline the ITSSP CoI process in detail.

3.58 The governance arrangements set out in the plan identify the ATO CIO, as the delegate, is ultimately responsible for probity within the ITSSP. The plan also outlined that the CIO was supported by the ITSSP steering committee⁸⁷, the ATO Procurement Practice Lead⁸⁸,the probity advisor⁸⁹ and the ITSSP Probity Governance Group.⁹⁰

3.59 The ITSSP Probity Plan established additional requirements for the program.

• The probity advisor was required to develop a probity risk register for the ITSSP. Both the ITSSP program level sourcing risk register and the ITSSP probity risk register contain 10 probity risks that are the same across both registers.⁹¹
• The probity advisor is required to prepare sign-off letters at key points of the ITSSP procurement activities. The probity sign off letters were provided for the selected ITSSP procurements for approach to market documentation, evaluation report, and negotiation outcome report and contract approval minute.⁹²
• The ATO assessed incumbent service providers and requested 13 providers prepare probity plans as their scope of services matched the ITSSP procurements.⁹³ The plans were to be agreed with the ATO and reviewed annually. Two of the 13 plans developed were agreed in the ITSSP Probity Governance Group minutes.⁹⁴ The ITSSP probity register contains a sheet for tracking the establishment and yearly updates of the incumbent probity plans. The probity register does not demonstrate that the incumbent probity plans had been approved or annually reviewed.⁹⁵

Advisor procurements probity plan

3.60 There was no probity plan for the selected advisor procurements. Probity requirements were not established for the legal services procurement. Probity requirements were detailed in the evaluation plan for the strategic sourcing partner procurement. The evaluation plan outlined that ‘All evaluation personnel will receive an email probity briefing before accessing Quote materials’. These briefing packages were provided as part of the conflict of interest email sent to evaluation personnel.

Probity training

3.61 Probity training for staff involved in the ITSSP included completing either the mandatory whole of ATO eLearn Probity in Procurement training or attending and maintaining a record of attending the ITSSP specific probity briefing (footnote 81), and recording in the probity register when personnel were probity cleared (paragraphs 3.50 and 3.56, and footnote 85). To establish if probity training and associated record keeping arrangements were effectively implemented, the ANAO examined a sample of 59 personnel comprised of 43 involved in the ITSSP and 16 in selected advisor procurements.⁹⁶ Table 3.7 shows ATO largely complied with key internal requirements for ITSSP procurements and strategic sourcing advisor procurement. The legal services procurement did not comply with key internal probity requirements.

Table 3.7: Probity training for selected ITSSP and advisor procurement personnel

Note a: Personnel were required to either complete the ITSSP specific probity briefings or the whole of ATO procurement probity e-training. The selected advisor procurements were completed prior to the introduction of the mandatory procurement probity e-training in December 2021.

Note b: The previous Commissioner did not attend a probity briefing or complete the training. The Commissioner for Taxation became the alternate delegate for the EOTE procurement in July 2023 (see paragraph 3.98). On commencement with the ATO, the new Commissioner completed the ITSSP specific probity briefing.

Note c: The probity cleared register was last updated on 3 May 2024. The former CIO was listed in the probity cleared register. He left the ATO prior to the register being updated.

Note d: All strategic sourcing partner personnel tested completed the probity briefing. One of the legal services procurement personnel completed the briefing after services commenced.

Source: ANAO analysis of ATO documentation.

Equitable treatment of potential suppliers and seek probity advice when required

3.62 Paragraph 6.6 of the CPRs outlines that officials undertaking procurements must deal with potential suppliers, tenderers and suppliers equitably. To assist with managing probity risks that may result in inequitable treatment of potential suppliers, a range of probity controls were put in place for the ITSSP.

3.63 As outlined above, a probity advisor was engaged for ITSSP (paragraph 3.53); a probity plan was developed for the ITSSP that included roles and responsibilities (paragraph 3.56); and a CoI process was undertaken (see paragraphs 3.69, 3.70 and 3.72). The ATO advised the ANAO in October 2024 ‘a single and consistent probity approach scaled for the largest and most complex procurement was used across all procurements as a deliberate strategy’.

3.64 Debriefs with tenderers were conducted when requested for the ITSSP procurements and the strategic sourcing partner procurement, see paragraph 3.42 and 3.43.⁹⁷

• The timing of feedback for the selected ITSSP procurements did not advantage suppliers who tendered for more than one bundle. Debriefs for the selected ITSSP procurements were provided: after the last ITSSP tenders closed in November 2022 (see Table A.1 in Appendix 3); in September 2023 for Mainframe (after the contracts were signed); and in February and June 2024 for EOTE. Five contracts had been signed by September 2023, and seven contracts were signed by April 2024 (see Table A.1 in Appendix 3).
• Debriefs for the strategic sourcing partner procurement were given in April and May 2021. This is prior to three advisor procurements seeking requests for quote.⁹⁸ Two suppliers who tendered for the strategic sourcing partner procurement were subsequently the successful tenderer in the financial assurance and program management advisor procurements.

Identification and management of probity issues

3.65 The ATO developed and maintained a probity register from October 2020. The register includes records of probity advice and incidents for the program, and any actions taken.

3.66 As at October 2024, 555 probity matters were recorded in the register, of which 16 related to the EOTE procurement and 19 related to the Mainframe procurement.

3.67 All documented probity issues had probity advice recorded in the register. There was no evidence of delegate approval of probity advice or actions, except for CoI.

3.68 The ITSSP Probity Plan did not outline a process for the management of probity issues. An ITSSP Probity mailbox address was included in the probity plan to use for reporting any probity issues. The plan did not specify what might be a reportable probity issue or provide examples. The probity protocols provided examples of probity issues and the likely treatments. When a probity issue was received, a probity advisor would review and provide advice, and record in the register any relevant email traffic and actions.

ATO’s conflict of interest arrangements

3.69 The ATO developed a CoI Chief Executive Instruction (CEI) and supporting guidance (see paragraph 2.36). The CEI indicates that the real, potential or perceived conflicts must be declared at the earliest opportunity through the ATO Integrity Register form. Conflicts must be re-assessed by staff when circumstances arise or change. A conflict management plan must be developed as part of the declaration. Once declared a decision-maker must make a decision about a conflict within fourteen calendar days. Decisions and conflict management plans are recorded in the CoI declaration. These requirements apply to both the ITSSP procurements and advisor procurements.

3.70 The ATO’s guidance for high touch procurements (see paragraph 3.51) required:

• each stakeholder in the procurement process to complete the probity eLearn or a probity briefing for high touch procurements prior to a declaration being made (see paragraphs 3.50 and 3.61 and Table 3.7);
• if a CoI is identified, it must be reported via the ATO Integrity Register form⁹⁹; and
• the procurement officer (in this case the probity advisor) must open the form and complete their recommendation before sending to the PGPA Act spending approval delegate for a decision (see paragraphs 2.18 to 2.20).

3.71 The ITSSP Probity Plan (July 2021) identified the CIO as the probity delegate for the ITSSP (see paragraph 3.58). In August 2024, the ATO advised that for the ITSSP, the Program Sponsor was the CoI delegate for non-SES staff and the supervisors of SES staff were the delegates for SES staff.

Conflict of interest process for the ITSSP

3.72 The ATO implemented CoI processes in addition to those described by the ATO’s CoI CEI and the ATO high touch procurement guidance.¹⁰⁰ Completion of the email process was required for a staff member or contractor to attend meetings or work on a procurement. The probity plan does not cover this additional requirement and does not set out the complete CoI process. There is no documentation that sets out the full CoI process.

• When staff members and advisors joined the program, an initial CoI declaration was requested by email. The person was asked to use the voting buttons to declare:
  • they did not have a CoI (vote ‘no’) and no further action was required; or
  • they did have a CoI (vote ‘yes’) and:
    • the staff member or advisor was required to complete the ATO Integrity Register form in accordance with the guidance;
    • the completed Integrity Register form was forwarded to the ITSSP probity advisor for recommendation on how to manage the conflict and recording in the ITSSP CoI register; and then
    • the delegate made a decision about the proposed management plan for the CoI.
• Staff members and advisors were required to respond to an annual redeclaration email. The redeclaration followed the process for the initial CoI declaration.
• Relevant staff members and advisors were asked to complete one or more redeclarations where they were involved in the evaluation or negotiation for an ITSSP procurement. What constitutes a relevant staff member had not been defined in ATO documents. The redeclaration followed the process for the initial CoI declaration.

3.73 Five ITSSP registers (some of which contain sub-registers) recorded the results of the CoI email process and approval of management plans where conflicts were declared. Shortcomings in the management of these registers impacted the ATO’s ability to effectively manage conflicts of interest.

• The ATO advised that the annual register was overwritten each year with the latest responses, so the record of annual redeclarations was incomplete.
• The maintenance of more than one register increases the risks to the completeness and accuracy of each register and identifying which register is the source of truth. It also makes it difficult to identify inconsistencies in the declaration and management of conflicts between registers.¹⁰¹
• Field names for some information recorded in the registers did not reflect what was recorded in that field.¹⁰²
• Cells within the registers were incomplete, for example, in some instances probity advisor recommendations and delegate decisions were not recorded.
• The registers did not contain an explanation of the purpose of the register and the process used to maintain the register. For example, when more than one declaration was sought for the negotiation processes there was no explanation of the reason for each subsequent declaration.¹⁰³
• The registers did not consistently record when a staff member commenced and left the ITSSP, and what their role was in relation to the ITSSP to assist with determining if a redeclaration should be sought.
• Incomplete information was copied from the ATO Integrity Register form to the Probity Register for tracking management of conflicts.

3.74 A similar process was undertaken for the strategic sourcing advisor procurement to identify potential, perceived or actual conflicts of interest. The CoI process was not documented in the evaluation plan or the procurement plan.

Conflict of interest declarations

ATO SES declarations

3.75 The ANAO examined the private interest declarations¹⁰⁴ of 14 SES officers (excluding the former CIO, whose declarations are discussed at paragraphs 3.84 to 3.99) relevant to the selected ITSSP and advisor procurements (footnote 96). Of the 14 SES officers:

• two declarations were not sufficiently detailed for the decision-maker to make a decision¹⁰⁵;
• conflict management plans generally contained sufficient detail since 2023;
• individuals and companies for whom officers had a conflict were named; and
• there was one officer who disclosed their shares, including the company and the quantum of shares in the earliest declaration.

ITSSP conflict of interest declarations

3.76 Declared conflicts of interest (including the probity advisor recommendation and a delegate decision about management of the conflict) were to be recorded in the ATO Integrity Register as well as across three sub-registers in the Probity Register to support day-to-day administration.

• There was a total of 233 potential, perceived or actual conflicts of interest recorded in the general ITSSP CoI register.
• For the EOTE procurement there were 23 conflicts recorded in the evaluation conflict register, and 22 in the negotiation CoI register.
• For the Mainframe procurement, there was 14 conflicts in the evaluation CoI register, and three in the negotiation CoI register.

ANAO analysis of ITSSP conflict of interest registers

3.77 A total of 1,274 staff and contractors were asked to complete an initial CoI voting button response for the ITSSP procurements.¹⁰⁶ To establish if CoI voting process was followed, the ANAO examined a sample of 43 personnel involved in the ITSSP procurements. The ATO largely implemented the CoI voting requirements for ITSSP procurements, except for instances where the process was not completed. This includes that a delegate did not complete an initial CoI declaration; no delegates for EOTE or Mainframe procurements were asked to complete a redeclaration at the evaluation stage; and instances where evaluation committee members did not respond to all redeclaration requests at the evaluation and negotiation stages.

3.78 In total 27 of the 43 officers reported needing to declare a CoI (in total 52 conflicts to declare) and/or had a CoI recorded in the probity register (in total of 88 conflicts were declared, with 33 of the conflicts declared at the evaluation or negotiation stage not relating to EOTE or Mainframe). Records of conflicts to be declared and conflicts recorded in the probity register could not be fully reconciled for all 27 officers, including where there were not matching entries in the relevant probity register for all conflicts to be declared, and conflicts reported in the probity register did not have a matching conflict the officer needed to declare from the email process.

3.79 Across these 27 officers who declared a CoI, records did not consistently demonstrate the process had been completed using the ATO Integrity Register form. For example, instances were observed where:

• officers who had reported that they had a conflict to declare had not completed ATO Integrity Register forms;
• forms did not document the manager or delegate review; and
• the quantum of shares was not disclosed (two officers, including the former CIO, that declared a shareholding did not report the quantum or value of the shareholding in all declarations).¹⁰⁷

ANAO analysis of strategic sourcing partner procurement conflict of interest process

3.80 For the sourcing partner advisor procurement, the ANAO examined a sample of 11 key personnel involved in evaluation.¹⁰⁸ The ATO largely implemented CoI voting requirements for sourcing partner procurements, apart from incomplete records of declaration emails received.

Management of conflicts of interest

3.81 The ATO has guidance for managers on the requirements of a good CoI management plan, including that it:

• be based on enough information to make informed decisions;
• include robust measures to remove or manage any identified conflicts¹⁰⁹; and
• be regularly discussed and reviewed, and adjusted as circumstances change.

3.82 The ATO applies a risk rating to conflicts without a formal risk assessment. In September 2024, the ATO advised the ANAO that the risk rating has regard to rating definitions set out in the ATO’s Enterprise Risk Management Framework. Testing of the conflict management plans recorded in the ATO Integrity Register for the 27 officers from the ITSSP sample (paragraphs 3.78 and 3.79) indicated for the 11 with conflicts declared since October 2023, the conflict management plans contained enough detail for the delegate to make a decision. Prior to October 2023 conflict management plans did not consistently contain enough detail for the delegate to make a decision. For example, management plans did not consistently contain adequate controls to address conflicts relating to shareholdings, prior employment and personal associations. Further, conflict management plans for similar conflicts (for instance professional association) were not standardised.

ITSSP delegate conflict of interest

3.83 RMG 206 states that ‘officials [are to] disclose material personal interests relating to the affairs of the entity (section 29 of the PGPA Act and sections 12 to 16D of the PGPA Rule). A similar requirement is contained in the Code of Conduct at subsection 13(7) of the Public Service Act 1999 (PS Act) for the Australian Public Service.’

3.84 The former CIO was a former managing director of Accenture and retained shares in Accenture during the procurements.¹¹⁰ Accenture was an incumbent ICT provider to the ATO at the commencement of the ITSSP.¹¹¹

3.85 Figure 3.1 provides a timeline of events related to the CoI for the EOTE procurement.

3.86 The former CIO made 13 annual declarations of private interest since 2015, and four ITSSP CoI declarations. There were inconsistent and incomplete details of declarations of conflicts and management plans in successive SES private interest declarations and ITSSP declarations and management plans. Issues with the private interest and ITSSP declarations include the size of shareholdings was not reported (for example, see paragraph 3.79), and personal relationships and previous employment were not always declared. The ATO did not have a full picture of the conflict, which influenced decisions made about managing the conflict.

• For 12 instances where a private interest was declared, no conflict management plan was provided for two instances (for one of the two instances, a field in the declaration indicated there was a conflict management plan in place; it was not documented). For the remaining 10 instances, inconsistencies were noted between the management plans which did not reflect changes in the relative risk, including whether the CIO would excuse himself as delegate or would delegate commercial arrangements to the CFO where Accenture was involved. A detailed management plan for this conflict was not in place until May 2023.
• For each of the three instances where a conflict was identified relating to the ITSSP, different management action was recorded.
  • In the first instance the management plan refers to ‘sufficient processes and steps’ before the CIO was involved as delegate. The Commissioner agreed to a co-delegate for all procurements of this nature, without including details of the how the co-delegate operates.
  • In the second instance there is reference to a management plan and mitigations that have been implemented. The plan states that the CIO will exclude himself from any procurement decisions.
  • In the third instance the probity advisor states that ‘I understand at an executive level, [the CIO], has an agreed management plan is in place’ (it is not documented for the purposes of managing the procurement), and the risk posed by the conflict is assessed as low based on the management plan, the ITSSP probity framework and the ITSSP governance framework. There is no evidence that the probity advisor sought details of the agreed management plan.

Timely declarations

3.87 The CoI CEI and procedures state that employees and contractors must ‘identify conflicts of interest at the earliest opportunity’. At the commencement of the ITSSP in February 2021, the CIO was the PGPA delegate and senior responsible officer for the Program. In March 2021, the CIO reported no CoI for the ITSSP in the initial voting response. Accenture participated in the initial market sounding exercise in July to August 2021. The CIO did not declare a conflict until the annual redeclaration in February 2022, in this declaration the conflict was reported as a perceived conflict. In September 2024, the ATO advised the ANAO that the conflict was well-known within the ATO as the CIO made 11 progressive declarations since 2015 about the conflict.

3.88 In the ATO’s CoI CEI and procedures, the SPC Branch has a role in reviewing procurement related conflicts of interest declarations, and conflict management plans and making recommendations to the delegate. In the ITSSP the external probity advisor undertook this role.¹¹² There is no evidence that the probity advisor was aware of private interest disclosure declarations made that were not attributed to the ITSSP and recorded in the ITSSP CoI register. Known conflict management plans are provided to Strategic Procurement and Contracts Branch, who discuss any known conflicts with procurement executive where necessary.

Managing the declared conflict

3.89 In response to the conflict declared in February 2022, it was proposed that the Chief Financial Officer (CFO) become an alternate delegate¹¹³ (this response is in line with the July 2021 conflict management plan for the SES declaration of private interests).¹¹⁴ The role and operation of the alternate delegate were not defined in the probity register. The ATO advised the ANAO in August 2024 that the alternate delegate would make decisions regarding evaluation and negotiation for the procurement. The ATO did not provide evidence of approval of the alternate delegate arrangement in response to the ITSSP declaration in February 2022.

3.90 In August 2024, the ATO advised the ANAO that the arrangement was formalised through modifications to the ITSSP evaluation plan in June 2022, prior to the EOTE tender closing. The final evaluation plan referred to the approving delegate as the CIO or the CFO. The approving delegate was required to manage conflicts of interest. It did not set out the circumstances that would lead to switching approving delegates from CIO to the CFO, or the circumstances under which the CIO’s role as approving delegate would recommence for a bundle.¹¹⁵ Where the CIO was not the approving delegate, the evaluation plan specified that the CIO would be the technical advisor for the evaluation as required.

3.91 The July and November 2023 versions of the terms of reference for the ITSSP steering committee included arrangements to manage the CIO’s CoI (see paragraphs 3.77 and 3.84 to 3.99).

• Where a conflict of interest exists, the Chief Information Officer delegates the role of Chair to one of the Deputy Commissioner Steering Committee members and abstains from endorsing.
• Extraordinary Steering Committee meeting will be arranged where the Chief Information Officer is absent.
• If approval to enter into contract and spend monies is required a delegate approval will be provided by the appropriate Second Commissioner (or above).

3.92 The CIO participated in the steering committee for the Program between 26 February 2021 and 19 April 2024 (chairing 51 of 73 meetings in this period and attending 53 meetings¹¹⁶). The CIO was not removed from decision-making for procurement decisions where Accenture was a potential tenderer or has tendered. For example, the CIO approved the following documents for the selected ITSSP procurements as delegate or as a member of the steering committee:

• the overall negotiation plan (June 2022) in response to an email asking for approval of the steering committee, when the evaluation plan required approval of the negotiation plan by the delegate;
• the EOTE Evaluation Report (9 December 2022) to recommend the shortlisting of Accenture and another supplier and the bundle negotiation directive as part of the steering committee (the former CIO noted the long-standing conflict, leaving final approval to the alternate delegate); and
• the mainframe services negotiation outcome report, contract approval minute and instrument of authorisation (August 2023), following steering committee approval, the delegate was asked separately to approve the report and minute as the delegate.

Reliance on other documentation to set out conflict or management plan

3.93 The CIO did not complete an ATO Integrity Register form (in Infopath, see footnote 99) for the February 2022 declaration. Subsequent ATO Integrity Register forms were recorded in the ATO Integrity Register (Infopath) for March 2023¹¹⁷ and May 2023¹¹⁸ (including a duplicate). The CIO’s declarations did not contain sufficient detail for the approver to make an informed decision¹¹⁹, and did not contain a sufficiently detailed management plan (except for management plans for private interest declarations in May and December 2023). This was not consistent with ATO guidance on conflict management plans. The March 2023 ITSSP management plan refers to the management plan for the SES private interest declarations. Where another document contains information relevant to a CoI declaration or management plan, the document should be clearly referenced including the date of the document and location of the document, and if there are circumstances where it will be superseded. Any referenced document should be made available to the ITSSP probity advisor and delegate to support informed probity advice and decision-making.

Inconsistent ITSSP and Integrity Register records of conflicts of interest

3.94 There are two CoI line items in the probity register for the CIO in August 2023 that are not supported by an ATO Integrity Register form; one relating to Accenture and one relating to another provider. These were both noted as actual conflicts.

SES private interest declarations

3.95 At the ATO, all SES, including the CIO, were required to declare their private interests annually. Annual private interest declarations were made by the CIO between November 2015 and December 2023. All annual declarations reflected a private interest in Accenture (that is, Accenture shares), except for the declaration made in 2017. The CIO left the ATO in April 2024.

3.96 The 2023–24 SES declaration (made in December 2023) contained more detail than previous declarations, including outlining that the shares held exceeded the CoI CEI reporting requirements for the percentage of total assets (see footnote 107). The December 2023 declaration contained a detailed management plan which included the following actions:

I will excuse myself from any evaluation on Accenture proposals and ensure the Chief Finance Officer oversees any procurement activity in consultation with another Group Head. The Chief Finance Officer will document decisions and provide visibility to the Commissioner of all procurement activity involving Accenture.

All procurement briefings and discussions will be handled by others or in the company of another member of the ATO Executive where they relate to Accenture.

Beyond initial procurement, ongoing relationship management and conflict resolution will be managed by the relevant SES contract manager and/or AC ATO procurement.

3.97 The former CIO’s declarations were inconsistent with what was declared, frequently did not contain sufficient detail (on who the provider was or on what types of private interests were involved) and did not contain a sufficiently detailed management plan (see paragraphs 3.86 and 3.93). This was not consistent with ATO guidance on conflict management plans and does not support effective management of the conflict.

Commissioner as delegate and probity review

3.98 In July 2023, the steering committee approved a decision framework to strengthen the management of the CIO’s CoI, including raising the level of delegate from the CFO for approval to enter contract and spend public monies where a delegate conflict exists. The Commissioner for Taxation replaced the CFO as the alternative delegate for the EOTE procurement in July 2023, paused the EOTE procurement and requested a probity review.¹²⁰ In October 2023 the EOTE evaluation committee recommended selecting Accenture based on Best and Final Offers, and moving into negotiation. The Commissioner of Taxation was not asked to declare a CoI via the voting buttons for the ITSSP between July 2023 and February 2024.¹²¹

3.99 In August 2023, BellchambersBarrett was appointed to conduct a probity review to assess accountability and transparency of decisions within the process, and management of probity throughout the procurement lifecycle. The probity review, finalised in November 2023, found a lack of clarity and detail of the delegate’s shareholding in Accenture, which resulted in limited management of the conflict. Additionally, the probity review assessed the CIO’s CoI as an actual conflict, though it had been reported as a perceived conflict prior to this time.¹²² Recommendations from the review are included in Table A.3 in Appendix 8. The ATO agreed and partly implemented all recommendations from the review, including making changes in the ATO CoI guidance.

Was sufficiently detailed advice provided to decision-makers and was it appropriately documented?

Decision-making process

3.103 The IT Strategic Sourcing Program Steering Committee and the delegate were the decision-makers for the program.¹²³ Roles included:

• The delegate: making a commitment to spend money (PGPA Act subsection 23(3)); and approving the entering into contracts by signing the contract approval minute or evaluation report for the strategic sourcing partner procurement (PGPA Act, subsection 23(1)).¹²⁴
• The delegate is the final decision-maker for the evaluation and negotiation report, after being endorsed by the steering committee.¹²⁵

3.104 Except for the legal advisor procurement, for each procurement selected for detailed examination by the ANAO:

• an evaluation committee was established; and
• where necessary, a negotiation team was established.

3.105 The evaluation and negotiation structure for the ITSSP procurements are depicted in Figure 2.1.

Decision-making consistency with authority

3.106 The delegates for the selected ITSSP procurements were:

• the CIO (ITSSP delegate and senior accountable officer);
• the CFO (alternate delegate where the CIO had a CoI); and
• the Commissioner of Taxation (alternate delegate for EOTE procurement from July 2023).

3.107 For the selected ITSSP procurements, the contract approval minutes request approval from the PGPA Act subsection 23(1) and 23(3) delegate (see Table 3.8).

3.108 The delegate for the strategic sourcing partner was the Deputy Commissioner, Service Operations, and the evaluation report for the sourcing partner sets out the approvals under the PGPA Act.

3.109 Records of the delegate approval of the legal services procurement were incomplete and show that application of the delegate’s financial limits did not have regard to the total expected or actual contract value (including all variations).

• An email to an EL2 in ATO’s Office of General Counsel seeking approval of $250,000 and a subsequent email to Sparke Helmore indicates that an EL2 approved the first $250,000 for the legal services procurement in late July or early August 2021. The approval was not documented (paragraph 3.14). This approval reflected the limit of the officer’s delegation ($250,000) rather than the expected total value of the procurement ($665,500).
• The sixth and tenth amendments to the legal services contract increased the contract’s total value to $5.07 million and $10.01 million, respectively. The ATO General Counsel approved these amendments. The Acting Deputy Commissioner of ATO Corporate approved the eleventh amendment to the contract. These officers each had a financial delegation limit of $5 million. The Chief Operating Officer (SES Band 3) had a financial delegation to the limit of funds available and could approve spending proposals that exceeded $10 million. The Chief Operating Officer did not approve these amendments. The amount of each amendment was within the delegation limit of the approving officer.

3.110 The ATO’s Committing money and approving spending CEI requires when approving a change to an existing contract the spending delegate must ‘consider the entire arrangement to ensure it continues to represent value for money and proper use of ATO resources’ and ‘ensure that your position number has appropriate spending delegation for the additional amount’. This approach does not provide the delegate with full visibility over the total value of a contract to support managing the public resource properly.

Advice to decision-makers and approvals

3.112 The key reports produced during the procurement process for the selected ITSSP procurements were the evaluation report, the negotiation directive, the negotiation outcome report and the contract approval minute. Table 3.8 demonstrates, except for the legal services procurement, there was evidence of delegate approvals of key reports, complete and sufficient advice to the delegate (including recommendations, value for money and risk assessments, and pre-approvals and endorsements), and documentation of the assessment of value for money. The ATO sets out the processes for assessment of value for money in the ITSSP evaluation and negotiation plans¹²⁶ (the evaluation and negotiation processes are summarised in Appendix 6 and Appendix 7), and the strategic sourcing partner evaluation plan.

Table 3.8: Delegate approval of key planning, evaluation and contract minutes

Key: ✔ The element was in the document

✘ The element was not in the document or there was no document

Note a: For each gap identified during the evaluation process, the negotiation directive contributes to the value for money assessment to be undertaken during the negotiation process by establishing the best outcome, nominal outcome and walk away position for the ATO (see paragraph 3.113, Appendix 6 and Appendix 7).

Note b: The CIO approved the evaluation report and negotiation directive on 9 December 2022 noting that ‘I am forwarding my approval for this recognising that I have a long standing and declared CoI with one of the parties. I fully support that recommendations of the committee and will leave it to the delegate for final approval.’

Source: ANAO analysis.

Advice to decision-makers on value for money

Negotiation

3.113 The ATO developed gap lists during evaluation which were documented in the negotiation directives as critical issues and used to reduce risk. The ATO also developed three positions for each ITSSP procurements: best outcome; nominal outcome; and walk away position for ATO.

3.114 A Best and Final Offer (BAFO) process was undertaken in the EOTE procurement. In the Mainframe Services procurement, as there was only one shortlisted tender, a BAFO process was conducted for pricing. In Mainframe Hardware, as there was one shortlisted tenderer, and the RFT was for the supply (and support) of Hardware and Software and a BAFO was not conducted.

Value for money

3.115 Value for money was considered in all reports for the selected ITSSP procurements.

• Value for money was assessed during the evaluation process and outlined in the evaluation report. Value for money for ITSSP includes considerations of technical performance, assessment against the weighted and unweighted criteria, risk profile and price. This resulted in a ranking of tenders that demonstrated the best value for money.
• Advice about value for money was in the contract approval minute that went to the delegate and through the steering committee. The contract approval minute and attached negotiation outcome report outlined that the two selected ITSSP procurements assessed value for money following a BAFO process during negotiation and at the end of final negotiation. Any risk unable to be resolved during negotiation was presented to the delegate in the contract approval minute. Value for money issues raised in evaluation were managed as critical issues in the negotiation process. Two value for money checkpoints were conducted during negotiation in May 2024 for EOTE. A critical risk summary, including any residual risk, was detailed in the EOTE contract approval minute.

3.116 The EOTE procurement took over two years to progress through evaluation and negotiation. The ATO advice to the decision-maker about whether the preferred tendered would still provide the best value for money was incomplete. The ATO advised the ANAO in August 2024 that they considered whether rates offered by the preferred tenderer increased in line with Consumer Price Index (CPI), and concluded that the price increase was less than the increase in CPI. The ATO did not consider changes in the market dynamic at that time, including whether new entrants could have provided better value for money.

Cyber Augmentation Services

3.117 The Cyber Augmentation Services procurement was the first ITSSP contract to be amended. The Cyber Augmentation Services (CAS) procurement led to the first contract being signed in December 2022. The initial contract had a value of $6 million. Within six months the contract was varied to $17.11 million. Its value on 24 February 2025 was $28.16 million (see Table A.1 in Appendix 3).¹²⁷ The ATO advised the ANAO in August 2024 that the variation was consistent with the approach to market documentation and advised that additional services to a total contract value of $100 million (in line with the Digital Sourcing Policy) could be procured under the contract. The ATO advised these variations were actioned through non-standard services requests which included a value for money assessment.

Advisor procurements

3.118 Except for legal services, all advisor procurements have accessed available extension options. Legal services did not establish a work order when service provision commenced, so there were no options to access. Cost increases for most advisor procurements were out of proportion with the forecast maximum price at the time of approving the initial contract (increased from $19.06 million to $88.11 million) and options available (a total of 16 amendments through extensions options planned, with 37 amendments made by January 2025), see Table 3.9. In particular, the sourcing partner procurement increased from $13.11 million to $42.27 million, the financial assurance procurement increased from $1.02 million to $16.70 million, and legal services procurement increased from an initial quote of $665,000 to $10.90 million.¹²⁸ This indicates that whole of life costs estimates were incomplete at the time of procurement. Advice to delegates approving the evaluation reports and entering into the arrangement significantly underestimated the full value of the commitment and value for money assessments were not undertaken where costs exceeded forecast values.

Value for money in selected advisor procurements

3.121 The strategic sourcing partner procurement considered value for money in the evaluation report, which served as the contract approval and was provided to the delegate. Clarification emails were sent to the two highest scoring tenderers, seeking further clarification on resource availability and cost for the outlined business requirements, with both tenderers providing a response. A value for money assessment was conducted by the evaluation committee that assessed that two providers represented the best value for money. These providers were shortlisted. While one further tender was more competitive on price; it ranked significantly lower in the technical evaluation and had a higher risk profile.

3.122 The evaluation team conducted a further value for money assessment at negotiation. Three negotiation sessions were held with each shortlisted respondent, over the period 12 to 19 March 2021. The evaluation team recommendation that ISG represented the best value for money on the basis of score and risk. It also noted that the other shortlisted tenderer remained the lowest cost option and presented a viable alternative should the ATO be unable to enter into an arrangement with ISG.

3.123 In August 2024, the ATO advised the ANAO that legal services procurement achieved value for money as the contracted supplier was on the panel and offered services at or below rates set by the panel arrangement. The Whole of Australian government legal services panel guidance material indicated that ‘the Panel consists of LSPs [legal services practitioner] that have been assessed as providing value for money for the specific Practice Areas for which they have been selected.’ No assessment of value for money was completed by the ATO or provided to the decision-maker for the provision of legal advice for the ITSSP.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

5. The ATO updated the ITSSP transition risk register (see Table A.2 in Appendix 5) and probity registers in October 2024 (see paragraph 3.66).

Appendix 3 IT managed services requests for tender and new contracts

1. Table A.1 provides an overview of the IT Strategic Sourcing Program requests for tender (RFTs) and resulting contracts, including timing, value of the contracted services, successful suppliers and type of procurement. The table presents RFTs in the order they went to market.

Appendix 4 ITSSP transition governance structure

Appendix 5 Program and project risk assessments

1. Table A.2 provides an overview of risk approaches and assessments for the ITSSP by stage.

Table A.2: ATO risk assessments

Note a: Risk ratings from lowest to highest are: low; moderate; significant; high; severe and catastrophic. In the Transition Risk Management Plan the ITSSP established a risk tolerance of significant or below.

Note b: The register includes 10 probity risks.

Source: ANAO analysis.

Appendix 6 ITSSP evaluation process

Appendix 7 ITSSP negotiation process

Appendix 8 Probity review recommendations

1. Table A.3 outlines the recommendations of the probity review from November 2023.

Table A.3: Probity review recommendations

Source: BellchambersBarrett, Australian Taxation Office, IT Strategic Sourcing Program Enterprise Operational and Technical Enablement Bundle Final Probity Audit Report, 16 November 2023, p. 10.