Audit snapshot

Why did we do this audit?

  • This is one of a series of credit card audits to be tabled by the ANAO in 2023–24.
  • The misuse of Australian Government credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities.
  • The robustness of controls to detect and prevent misuse of credit cards and action taken on non-compliance are indicative of an entity’s culture and integrity.
  • Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions and ineffective controls in the management of the use of credit cards.

Key facts

  • The NDIA provided 246 individual staff with corporate credit cards between July 2022 and June 2023 (4.4 per cent of the NDIA workforce).
  • The NDIA reported 6,881 credit card transactions in 2022–23 and Services Australia managed, on behalf of the NDIA, 5,498 trips by NDIA staff in 2022–23.

What did we find?

  • The National Disability Insurance Agency’s (NDIA) management of the use of corporate credit cards has been partly effective.
  • The NDIA has largely fit-for-purpose policies and procedures to manage the issue, return and use of credit cards, except for managing positional authority risks. Shared risks with Services Australia are not effectively managed and there is limited reporting on credit card use to senior leaders.
  • The NDIA has partly implemented effective preventive and detective controls and processes to manage non-compliance. There was under-reporting of credit card misuse identified during quality assurance reviews.

What did we recommend?

  • There were eight recommendations to the NDIA and one recommendation to both the NDIA and to Services Australia.
  • The NDIA agreed to all recommendations. Services Australia agreed to the recommendation.

  • $6.7m in credit card expenditure between 1 July 2021 and 30 June 2023.
  • 55 instances of credit card non-compliance were recorded by the NDIA between 1 July 2021 and 30 June 2023.
  • 17,810 daily assurance checks of credit card transactions were completed between 1 July 2021 and 30 June 2023.

Summary and recommendations

Background

1. The Department of Finance’s Resource Management Guide 206 defines a ‘corporate credit card’ as a credit card used by Commonwealth entities to obtain goods and services on credit.1 Credit cards are used by Australian Government entities to support timely and efficient payment of suppliers for goods and services.2 For the purposes of the Public Governance, Performance and Accountability Act 2013, credit cards include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).

2. For 2021–22 and 2022–23, the National Disability Insurance Agency’s (NDIA’s) total credit card expenditure was approximately $6.7 million, comprising 11,925 transactions. For the same period, the NDIA’s total travel expenditure was approximately $9.1 million, representing 8,509 trips. Credit card and travel expenditure both represented one per cent or less of the NDIA’s supplier expenses in each year.3

Rationale for undertaking the audit

3. The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.4

4. In describing the role of Senior Executive Service (SES) officers, the APSC state that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.5 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.6

5. Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.7 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions8 and ineffective controls in the management of the use of credit cards.9 This audit provides Parliament with assurance that the NDIA is effectively managing corporate credit cards in accordance with legislative and the NDIA’s policy requirements.

6. This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:

  • National Disability Insurance Agency (NDIA);
  • Federal Court of Australia;
  • Australian Research Council; and
  • Productivity Commission.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

8. To form a conclusion against the objective, the ANAO examined:

  • whether the NDIA has effective arrangements in place to manage the issue, return, and use of corporate credit cards; and
  • whether the NDIA has implemented effective controls and processes for corporate credit cards in accordance with their policies and procedures.

Conclusion

9. The NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements has been partly effective. The NDIA has established controls that were not robustly implemented to provide sufficient assurance to the NDIA Board that fraud risks are being managed.

10. The NDIA has partly effective arrangements in place to manage the issue, return and use of corporate credit cards. The NDIA’s senior leadership team and the Board have limited oversight of credit card management and use, including for travel. Reporting of use and non-compliance is provided to Financial Control Branch within the Chief Finance Officer Division, and non-compliance incidents are reported to the Risk Advisory Branch. Financial authorisations for Services Australia to enter into borrowing arrangements on the NDIA’s behalf were not in place. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no shared risk register or approach with Services Australia. The NDIA has largely fit-for-purpose policy and procedures and training to support use of credit cards, except for not addressing positional authority risks.

11. The NDIA has implemented partly effective controls and processes for management and control of corporate credit cards. Preventive controls were partly implemented, with cards issued to Senior Executive Service (SES) officers without line manager endorsement, credit limits that were not consistent with NDIA policies and the NDIA not utilising merchant blocking technology. Detective controls were partly effective in supporting detection of credit card misuse, and travel approval and acquittal non-compliance. Travel by Board members, and travel and credit card expenditure by the CEO and SES officers, was often approved by a staff member junior to the traveller or credit cardholder and did not address positional authority risk. The NDIA’s policies permit discretion when identifying and recording non-compliance during a quality assurance review, leading to under-reporting of non-compliance. The NDIA has partly implemented effective controls for managing non-compliance. The NDIA does not monitor the timeliness of travel acquittals, use its system to record all instances of travel non-compliance or take action in response to most identified travel non-compliance.

Supporting findings

Credit card arrangements

12. The NDIA has not delegated authority for Services Australia to enter into borrowing arrangements on its behalf. The NDIA reports regularly on use and management of credit cards (including non-compliance) at the responsible branch level. Credit card and travel non-compliance are aggregated with other instances of non-compliance with finance law, diminishing the NDIA Board and Senior Leadership Team’s understanding of fraud, risk and integrity implications arising from non-compliance. In relation to the delivery of shared services by Services Australia, the NDIA receives quarterly non-compliance reports for travel by NDIA staff and an annual assurance statement relating to Services Australia’s controls environment. (See paragraphs 2.4 to 2.24)

13. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no evidence of consideration of credit cards or travel within the Chief Financial Officer’s divisional risk register. There is no shared risk register or approach with Services Australia for shared services provided. (See paragraphs 2.25 to 2.41)

14. Accountable Authority Instructions (AAIs) and the NDIA Finance Policies are reviewed annually and are largely consistent with Australian Government guidance on managing credit cards. Policies and procedures do not address positional authority considerations for the acquittal of the Board and CEO’s credit card and travel expenditure. (See paragraphs 2.42 to 2.57)

15. The NDIA staff applying for a credit card are required to complete online training, which covers all responsibilities and policy requirements, prior to being issued with the card. When it is recommended staff complete refresher training following instances of non-compliance, this does not always occur. Line manager reviewers of credit card acquittals, travellers and travel spending approvers are not required to complete training. (See paragraphs 2.58 to 2.61)

Management and control of credit cards

16. Controls relating to the issue of credit cards were generally operating as intended, except that line managers did not endorse Senior Executive Service officer credit card applications. The NDIA does not have assurance that credit limits are applied consistent with policy requirements. The NDIA does not use merchant blocking to prevent misuse. The NDIA cancelled and suspended cards for staff who had left the NDIA or were on long term leave following annual reviews of ongoing business need for the card, indicating that other preventive controls were not operating as intended. (See paragraphs 3.4 to 3.20)

17. The NDIA has implemented detective controls for credit cards including credit card acquittal by cardholders, review by line managers and a quality assurance review process. The NDIA’s policies do not provide guidance on detecting the splitting of a transaction to remain under the relevant credit card limit. For a sample of 117 transactions, ANAO identified 18 instances of potentially split transactions, and 20 credit card acquittals of the CEO and SES where the approving officer was junior to the credit cardholder, introducing positional authority risk. In 2021–22 and 2022–23, daily assurance checks resulted in requests for supporting documentation from credit cardholders for four per cent of all credit card transactions. In 2021–22 and 2022–23, the ANAO identified 11 credit card transactions which occurred where the NDIA policies required the credit card be suspended, and one where the policies required the credit card be cancelled. (See paragraphs 3.21 to 3.46)

18. The NDIA implemented detective controls for travel approvals including travel acquittal by travellers, review by delegates and quality assurance processes. For a sample of 93 trips, 24 travel requests were not submitted within required timeframes, 10 trips did not have supporting documentation, and 18 trips were not acquitted within required timeframes. The delegate was junior to the traveller for 51 trips by the CEO and Board, introducing positional authority risk. Services Australia made 30 recommendations to the NDIA to address travel related non-compliance identified by quality assurance processes. The NDIA did not respond to Services Australia or implement the recommendations. (See paragraphs 3.21 to 3.46)

19. The NDIA records credit card non-compliance by specific categories, including accidental private use. Reported instances of travel non-compliance did not reconcile. The NDIA recorded action taken in relation to credit card non-compliance, including recovery of personal expenditure and recommendation of further training. The NDIA did not record any actions taken in response to recommendations made by Services Australia to remedy travel non-compliance. For the one instance of travel non-compliance recorded in the NDIA’s internal reporting, the action taken was to inform the staff member of the policy requirements. (See paragraphs 3.47 to 3.64)

Recommendations

Recommendation no. 1

Paragraph 2.11

The National Disability Insurance Agency establishes a financial authorisation to support the borrowing undertaken by Services Australia on its behalf under the shared services arrangements.

National Disability Insurance Agency response: Agreed.

Recommendation no. 2

Paragraph 2.19

The National Disability Insurance Agency’s (NDIA’s) Board receive and consider complete and accurate reporting of non-compliances with finance law and NDIA policies, including for credit card and travel expenditure.

National Disability Insurance Agency response: Agreed.

Recommendation no. 3

Paragraph 2.35

The National Disability Insurance Agency clearly articulate in approved risk registers the reasons for risk ratings and incorporate effective controls and mitigations so that risk is managed within approved tolerance levels, consistent with the Agency’s Risk Management Guide.

National Disability Insurance Agency response: Agreed.

Recommendation no. 4

Paragraph 2.38

Services Australia and the National Disability Insurance Agency approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.

National Disability Insurance Agency response: Agreed.

Services Australia response: Agreed.

Recommendation no. 5

Paragraph 2.53

The National Disability Insurance Agency (NDIA) address positional authority risk relating to the approval of the NDIA Board Chair, NDIA Board members and CEO credit card expenditure and travel, by requiring that:

  1. expenditure made by or on behalf of the NDIA Board Chair be approved by a deputy or other NDIA Board member;
  2. expenditure made by or on behalf of the NDIA Board members (other than the Chair) be approved by the NDIA Board Chair; and
  3. expenditure made by or on behalf of the NDIA CEO be approved by the NDIA Board.

National Disability Insurance Agency response: Agreed.

Recommendation no. 6

Paragraph 3.8

The National Disability Insurance Agency introduce controls to:

  1. prevent the activation or use of new or replacement credit cards until cardholders have acknowledged receipt of the card and confirm they will comply with NDIA policy; and
  2. require approval from the supervising Senior Executive Service (SES) officer for all credit card applications by SES officers, consistent with the NDIA’s policy requirements.

National Disability Insurance Agency response: Agreed.

Recommendation no. 7

Paragraph 3.37

To support accountability and separation of duties, the National Disability Insurance Agency introduce additional assurance processes for cardholder transactions in the Chief Financial Officer Division and Financial Control Branch.

National Disability Insurance Agency response: Agreed.

Recommendation no. 8

Paragraph 3.40

The National Disability Insurance Agency (NDIA) develop guidance on steps for identification of all types of credit card non-compliance with the NDIA Finance Policies, and a system for reporting all non-compliance, including those that are rectified as part of the quality assurance process.

National Disability Insurance Agency response: Agreed.

Recommendation no. 9

Paragraph 3.53

The National Disability Insurance Agency introduce a quality assurance process to cross check reports for completeness and accuracy with other relevant information sources, document identified discrepancies and remedial action taken.

National Disability Insurance Agency response: Agreed.

Summary of entity responses

20. The proposed audit report was provided to the NDIA and an extract was provided to Services Australia. The entities’ summary responses are reproduced below. The entities’ full responses are included at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed at Appendix 2.

National Disability Insurance Agency

The National Disability Insurance Agency (NDIA) welcomes the ANAO’s analysis that the level of non-compliance across the Agency is minor and that no significant non-compliances, or instances of fraud, were identified.

The NDIA notes the ANAO’s reference to discretion in relation to the reporting of compliance and disputes the reference to under-reporting of misuse. Discretion is applied where it is identified that additional documentation is required; should additional documentation not be provided, a non-compliance is recorded.

The NDIA notes the ANAO’s reference to “junior staff” approving Board and CEO travel. This reference related to a historical administrative arrangement undertaken by an SES Band 2 to provide approvals for CEO travel and credit card expenditure. The NDIA notes the CEO does not currently hold a credit card.

The NDIA notes the ANAO’s comments on reporting of use and non-compliance are only provided to the Agency Budget and Financial Control Branch. All non-compliances are reported to the Agency’s Risk Management Branch on a monthly basis for inclusion in whole-of-Agency compliance reporting.

The NDIA acknowledges the recommendations and the opportunities for improvement. The NDIA has commenced action in line with our responses to the recommendations. Noting the above, and the extant sound governance and controls relating to credit card and travel administration, the NDIA suggests that the use of corporate credit cards is effective rather than partly effective.

ANAO comment on the National Disability Insurance Agency’s response

21. The approval of a credit cardholder’s acquittal or travel by an officer junior to the cardholder or traveller, even if the approver is an SES officer, introduces positional authority risk (see paragraphs 3.25 and 3.30). The NDIA has not developed appropriate policies or procedures to manage this risk (see paragraph 2.52).

22. The absence of criteria or guidance for identifying and recording credit card non-compliance, detected during the daily quality assurance checks, is discussed at paragraphs 3.34 and 3.43. The audit identified instances of transactions that were potentially split, IT assets purchased without approval, credit card acquittals not completed within required timeframes, lack of required documentation and use of credit card while on leave contrary to policy requirements (see paragraphs 3.22, 3.23 and 3.25). None of these instances were reported by the NDIA as non-compliance.

23. Credit card non-compliances were reported in the financial system (see paragraph 3.47); this does not include all non-compliance detected by quality assurance processes (see paragraph 3.35). Only credit card and travel non-compliances recorded in the financial system are reported to the Risk Advisory Branch (see paragraphs 2.17 and 3.51, and footnotes 47 and 81).

Services Australia

Services Australia (the Agency) notes the audit findings and the recommendation for the Agency and the National Disability Insurance Agency (NDIA) to approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.

The Agency acknowledges the requirement under the Commonwealth Risk Management Policy 2023 (the Policy) for entities to collaborate to manage shared risks and will work with the NDIA through existing bilateral governance arrangements to further strengthen risk management between the agencies in respect of corporate credit card and travel arrangements.

Key messages from this audit for all Australian Government entities

24. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • The active management of control frameworks on a risk basis enables accountable authorities to have confidence that risks do not expose their entities to integrity risks. Non-compliance in the management or use of credit cards may provide accountable authorities with an indicator of potential fraud and corruption risk within their entities.
  • Entities should clearly document what constitutes a non-compliant transaction and how these transactions are to be recorded, and report summary information on credit card non-compliance, including travel, to the accountable authority, executive and relevant governance committees.
  • Entities should include a rolling program of internal audits that examine key internal controls on a periodic basis.

Records management

  • Entities must maintain complete and accurate records of key contractual arrangements with suppliers, including shared services arrangements provided by the Australian Government.

Engagement with the audit process

  • Entities whose operations, activities and performance are the subject of ANAO audits should demonstrate a working knowledge or appreciation of the role of the ANAO in supporting accountability and transparency in the Australian Government sector through independent reporting to Parliament. This includes establishing working arrangements with the ANAO commensurate with the Auditor-General’s powers to enable the audit process to be efficient and effective for both the audited entity and the ANAO.

1. Background

Introduction

1.1 Australian Government entities use credit cards to support timely and efficient payment to suppliers of goods and services. ‘Corporate credit cards’ include charge cards (such as VISA, Mastercard, Diners and American Express cards) and vendor cards (such as travel cards and fuel cards).10 Other forms of credit used by Australian Government entities include credit vouchers (such as Cabcharge).

Australian Government framework for using credit cards

1.2 The Commonwealth Resource Management Framework governs how Australian Government entities use and manage public resources. The cornerstone of the framework is the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

1.3 Section 57 of the PGPA Act and section 21A of the Public Governance, Performance and Accountability Rule (PGPA Rule) authorise corporate Commonwealth entities (CCEs) to borrow money if: it is obtaining credit by credit card, voucher or other credit facility; and the borrowed amount is repaid within 90 days. For each form of credit card or credit voucher, there should be an overarching borrowing agreement rather than separate borrowing arrangements for individual cards.

1.4 The PGPA Act sets out general duties of accountable authorities and officials of Australian Government entities.11 Relevant to credit card use, officials have a duty not to improperly use their positions to gain or seek to gain a benefit or advantage for themselves or others; or to cause detriment to the Commonwealth, entity, or others.12 Further, the duties of an accountable authority include:

  1. governing an entity in a way that promotes the proper use and management of public resources13; and
  2. establishing and maintaining appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.14

1.5 Under subsection 20A(1) of the PGPA Act, an accountable authority may give instructions (referred to as accountable authority instructions) to entity officials about any matter relating to the finance law. The Department of Finance has published model accountable authority instructions, which include model instructions for the use of credit cards (see Box 1) as well as suggestions for additional instructions on credit card use.15

Box 1: Model accountable authority instructions for credit card use — corporate Commonwealth entities

You may only use a credit card, credit card number or credit voucher that has been issued to you or that you are specifically authorised to use. You must:

  • ensure that any corporate credit cards or credit vouchers issued to you are stored safely and securely;
  • ensure that your use of a corporate credit card or credit voucher is consistent with any approval given, including any conditions of the approval;
  • consider whether using a corporate credit card or credit voucher would be a proper use of public resources (for example, whether it would be the most cost-effective payment option in the circumstances); and
  • ensure that any requirements in accountable authority instructions — approval and commitment of relevant money, have been met before using a corporate credit card or credit voucher to commit relevant money.

1.6 The PGPA Act and model accountable authority instructions include other content relevant to credit card use, particularly on spending public money, and official travel.

  • Section 23 of the PGPA Act gives accountable authorities powers to approve commitments of ‘relevant money’ and enter into arrangements (which includes procuring goods and services with credit cards).16 Accountable authorities usually delegate these powers to entity officials, specifying delegation limits for officials in certain work groups based on their position and the category of spending. While the PGPA Act does not require separate and prior approval before entering into a spending arrangement, section 18 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires officials with spending delegations to make a written record of their approval for a commitment as soon as practicable and to follow any directions or instructions of the accountable authority. The model accountable authority instructions suggest additional instructions could include: the circumstances in which approval is required; who has authority to approve different types of commitments; appropriate approval processes; and how to ensure spending commitments would be a proper use of public resources.
  • When Australian Government officials travel for business purposes, they are generally required to use whole-of-government coordinated procurement arrangements. These arrangements encompass: domestic and international air services; travel management services; accommodation program management services; travel and card related services; and car rental services. Under the arrangements, entities must make payments for flights, domestic accommodation and car rental through an account with a credit provider.17 Entities can also allow their officials to use a ‘companion’ MasterCard (available through the Diners Club arrangement) to pay for meals, incidentals and general purchasing.

1.7 The Australian Government’s Supplier Pay On-Time or Pay Interest Policy requires non-corporate Commonwealth entities to make eligible payments valued under $10,000 by payment card (which includes by credit card), and to establish and maintain internal policies and processes to facilitate the timely payment of suppliers using payment cards.18 The policy also encourages payment card use for other payments. The NDIA has decided to implement the requirement by including it in the NDIA Finance Policies (see paragraph 2.45).

National Disability Insurance Agency’s use of credit cards

1.8 The National Disability Insurance Agency (NDIA) is the Australian Government entity responsible for delivering the National Disability Insurance Scheme (NDIS).19 The NDIA is established under section 117 of the National Disability Insurance Scheme Act 2013 (NDIS Act). The NDIA is a corporate Commonwealth entity and is subject to the PGPA Act. The Board of the NDIA is the accountable authority.

1.9 In 2022–23, the NDIA reported that it had 5,328 ongoing and 324 non-ongoing staff. As at 30 June 2023, the NDIA reported it had staff at 162 locations.

1.10 For 2021–22 and 2022–23, the NDIA’s total credit card expenditure was approximately $6.7 million, comprising 11,925 transactions. For the same period, the NDIA’s total travel expenditure was approximately $9.1 million, representing 8,509 trips. Credit card and travel expenditure both represented one per cent or less of the NDIA’s supplier expenses in each year.20 Table 1.1 and Table 1.2 below provide a breakdown of these statistics for each financial year.

Table 1.1: NDIA credit card expense statistics 2021–22 and 2022–23

| | 2021–22 | 2022–23 |
|---|---|---|
| Number of cardholders that used the credit card to make payments | 231 | 246 |
| Number of credit card transactions | 5,044 | 6,881 |
| Total credit card expenditure | $3.0m | $3.7m |
| Average value of credit card transactions | $595 | $538 |
| Credit card expenditure as a proportion of total supplier expenses (a) | 0.6% | 0.6% |

Note a: Total supplier expenses for 2021–22 was $480.3m and $604.0m for 2022–23.

Source: ANAO analysis of NDIA data.

Table 1.2: NDIA travel expense statistics 2021–22 and 2022–23

| | 2021–22 | 2022–23 |
|---|---|---|
| Number of staff that travelled | 1,215 | 1,845 |
| Number of trips (travel) | 3,011 | 5,498 |
| Total travel expenditure (a) | $2.9m | $6.2m |
| Average cost per trip | $963 | $1,128 |
| Travel expenditure as a proportion of total supplier expenses (b) | 0.6% | 1.0% |

Note a: Travel expenditure approval and acquittal includes airfares, accommodation, car rental and travel allowance. Airfares, accommodation and car rental are paid through an account with a credit provider (see paragraph 1.6). Travel allowance (TA) is paid to the traveller to cover the cost of meals and incidentals while on business travel. For APS employees, TA is paid through payroll; for contractors, reimbursements are claimed through their labour hire agency.

Note b: Total supplier expenses for 2021–22 was $480.3m and $604.0m for 2022–23.

Source: ANAO analysis of NDIA data.

1.11 Services Australia provides ‘Travel Services’ and ‘Credit Card Management’ services for the NDIA under shared services arrangements (see paragraphs 2.4 to 2.8).

Rationale for undertaking the audit

1.12 The misuse of corporate credit cards, whether deliberate or not, has the potential for financial losses and reputational damage to government entities and to the Australian Public Service. The Australian Public Service Commission (APSC) states that:

establishing a pro-integrity culture at the institutional level means setting a culture that values, acknowledges and champions proactively doing the right thing, rather than purely a compliance-driven approach which focuses exclusively on avoidance of wrong doing.21

1.13 In describing the role of Senior Executive Service (SES) officers, the APSC state that the SES ‘set the tone for workplace culture and expectations’, they ‘are viewed as role models of integrity’ and ‘are expected to foster a culture that makes it safe and straightforward for employees to do the right thing’.22 The New South Wales Independent Commission Against Corruption identifies organisational culture and expectations as a key element in preventing corruption and states:

[T]he way that an agency’s senior executives, middle managers and supervisors behave directly influences the conduct of staff by conveying expectations of how staff ought to act. This is something that affects an agency’s culture.23

1.14 Deliberate misuse of a corporate credit card is fraud. The National Anti-Corruption Commission’s Integrity Outlook 2022/23 identifies fraud, which includes the misuse of credit cards, as a key corruption and integrity vulnerability.24 The Commonwealth Fraud Risk Profile indicates that credit cards are a common source of internal fraud risk. Previous ANAO audits have identified issues in other entities relating to positional authority in approvals of credit card transactions25 and ineffective controls in the management of the use of credit cards.26 This audit provides Parliament with assurance that the NDIA is effectively managing corporate credit cards in accordance with legislative and the NDIA’s policy requirements.

1.15 This audit is one of a series of audits of compliance with credit card requirements that apply a standard methodology. The four entities included in the ANAO’s 2023–24 compliance with credit card requirements series are the:

  • National Disability Insurance Agency (NDIA);
  • Federal Court of Australia;
  • Australian Research Council; and
  • Productivity Commission.

Audit approach

Audit objective, criteria and scope

1.16 The objective of the audit was to assess the effectiveness of the NDIA’s management of the use of corporate credit cards for official purposes in accordance with legislative and entity requirements.

1.17 To form a conclusion against the objective, the ANAO examined:

  • whether the NDIA has effective arrangements in place to manage the issue, return and use of corporate credit cards; and
  • whether the NDIA has implemented effective controls and processes for corporate credit cards in accordance with their policies and procedures.

1.18 The audit focused on management and use of credit cards, including travel approval and acquittals, in the 2021–22 and 2022–23 financial years.

1.19 The audit did not assess vendor cards (such as travel cards and fuel cards) or management of credit vouchers such as Cabcharge. The audit did not assess the effectiveness of shared service arrangements between the NDIA and Services Australia.

Audit methodology

1.20 The audit methodology included:

  • review of legislative, policy and internal frameworks guiding the use of corporate credit cards;
  • review of NDIA and Services Australia documentation including policies and procedures, risks registers, training material and reporting;
  • analysis of NDIA and Services Australia data, including publicly reported information and data obtained during the audit; and
  • meetings with NDIA and Services Australia staff.

1.21 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $498,000.

1.22 The team members for this audit were Tracey Martin, Sonya Carter, Benedict Xu-Holland, Shelley Yin, Aiden Williams, David Vandersee, James Baker, Andrew Yam, Kristian Marchiori and Alexandra Collins.

2. Arrangements for managing corporate credit cards

Areas examined

This chapter examines whether the National Disability Insurance Agency (NDIA) had effective arrangements in place to manage the issue, return, and use of corporate credit cards.

Conclusion

The NDIA has partly effective arrangements in place to manage the issue, return and use of corporate credit cards. The NDIA’s senior leadership team and the Board have limited oversight of credit card management and use, including for travel. Reporting of use and non-compliance is provided to Financial Control Branch within the Chief Finance Officer Division, and non-compliance incidents are reported to the Risk Advisory Branch. Financial authorisations for Services Australia to enter into borrowing arrangements on the NDIA’s behalf were not in place. The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no shared risk register or approach with Services Australia. The NDIA has largely fit-for-purpose policy and procedures and training to support use of credit cards, except for not addressing positional authority risks.

Areas for improvement

The ANAO made five recommendations aimed at establishing a financial authorisation to support borrowing undertaken by Services Australia on behalf of the NDIA (paragraph 2.11); achieving greater transparency via additional reporting on credit card and travel non-compliance (paragraph 2.19); ensuring risk registers comply with relevant policy (paragraph 2.35); agreeing and managing shared risk with Services Australia (paragraph 2.38); and managing positional authority risks relating to the approval of the NDIA Board and CEO expenses (paragraph 2.53).

The ANAO also suggested two opportunities for improvement relating to the referencing of legislation in financial delegation tables and reviewing its Accountable Authority Instructions (AAIs) and Finance Policies for consistency with the Australian Government guidance; and introducing an alternative delegate for credit card applications from staff within the Financial Control Branch, including Senior Executive Service officers.

2.1 If Australian Government officials deliberately misuse corporate credit cards, they are committing fraud. Other risks of credit card use include: inadvertent personal use; unauthorised or inappropriate work use; incorrect charging by merchants; and external fraud enabled by stolen credit card details.

2.2 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), an accountable authority of an Australian Government entity has a duty to establish and maintain appropriate systems of risk oversight and management and internal control, including measures to ensure that officials comply with the finance law.27

2.3 In addition, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) establishes a requirement for an accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.28 Specific requirements of the Australian Government’s Fraud Rule include:

  • conducting regular fraud risk assessments and developing and implementing a fraud control plan that deals with identified risks;
  • establishing appropriate preventive controls (which should include fit-for-purpose policies and procedures and effective training and education arrangements); and
  • establishing appropriate monitoring and reporting arrangements.

Does the NDIA have appropriate arrangements for oversight of the issue, return and use of corporate credit cards?

The NDIA has not delegated authority for Services Australia to enter into borrowing arrangements on its behalf. The NDIA reports regularly on use and management of credit cards (including non-compliance) at the responsible branch level. Credit card and travel non-compliance are aggregated with other instances of non-compliance with finance law, diminishing the NDIA Board’s and Senior Leadership Team’s understanding of fraud, risk and integrity implications arising from non-compliance. In relation to the delivery of shared services by Services Australia, the NDIA receives quarterly non-compliance reports for travel by NDIA staff and an annual assurance statement relating to Services Australia’s controls environment.

Shared services arrangements

2.4 The NDIA has engaged Services Australia to provide ‘Travel Services’ and ‘Credit Card Management’ under shared services arrangements. The NDIA retains responsibility for ensuring staff comply with relevant policy and procedures. Credit card and travel expenditure are operating costs paid by the NDIA from its departmental appropriation.29

2.5 In 2021–22 and 2022–23, Services Australia provided the following credit card services on behalf of the NDIA: interacting with the credit provider; supporting the issuance and return of credit cards; and uploading transaction data from the credit provider to the NDIA’s information technology systems. The NDIA manages applications for credit cards, sets credit limits, requests credit card cancellation or suspension, reviews credit card use, oversees acquittals and manages non-compliance.

2.6 The Department of Finance established and manages the Whole of Australian Government Travel Arrangements (the Travel Arrangements).30 The objective of the Travel Arrangements is to reduce travel costs, decrease administrative costs, simplify processes and optimise savings. As a corporate Commonwealth entity (CCE), the NDIA has elected to use the Travel Arrangements.31 Under the Travel Arrangements, payment services, such as for official airfares, accommodation and car rental expenses32, are made through Diners Club.33 Services Australia provides all travel services on behalf of the NDIA. The NDIA manages a pre-approval process for travel and undertakes limited quality assurance processes that only examine lowest practical airfare.

2.7 The Department of Finance’s Shared Services Arrangement Guide 04/2017: Governance (Assurance) Framework states (paragraph 6):

The duties of the accountable authority are not abrogated when utilising shared arrangements – the accountable authority remains responsible for managing public resources for which it is responsible, including when those resources are in the custody of other parties. When working with others, accountable authorities are encouraged to impose the minimum compliance and reporting requirements needed to support the proper use and management of public resources for which they are responsible.

2.8 As Services Australia delivers aspects of credit card and travel services on the NDIA’s behalf, effective oversight of these functions by the NDIA is essential for providing assurance to the NDIA Board that it is meeting its responsibilities under the PGPA Act.

Financial authorisations

2.9 The NDIA’s HR Delegations, Accountable Authority Instructions and Financial Authorisations Manual dated July 2022 (the AAIs34) authorise the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) to enter into borrowing arrangements for the issue and use of cards and credit vouchers by Agency officials (see paragraph 1.3). Under the shared services arrangements with the NDIA, Services Australia has entered into borrowing arrangements with ANZ for credit cards and Diners Club for travel which facilitate the services provided to the NDIA.35 The NDIA has not delegated to Services Australia the power to enter into borrowing arrangements to support Services Australia’s signing of participant agreements with ANZ and Diners Club on its behalf. In the absence of such delegation (see paragraph 1.3), Services Australia does not have the legal authority to enter into a borrowing agreement on the NDIA’s behalf.

2.10 Between 1 July 2021 and 30 June 2023, there was no evidence of a memorandum of understanding or deed of participation between the NDIA and the Department of Finance to support the NDIA’s participation in the Travel Arrangements.36 A participant agreement between the NDIA and Diners was signed by a Services Australia officer in October 2020. The signed copy of the Deed between Services Australia and ANZ for the credit card facilities is incomplete.37 On 29 April 2024 the NDIA commenced the process of creating a legal relationship between itself and ANZ, utilising a clause in the Deed between Services Australia and ANZ.

Recommendation no.1

2.11 The National Disability Insurance Agency establishes a financial authorisation to support the borrowing undertaken by Services Australia on its behalf under the shared services arrangements.

National Disability Insurance Agency response: Agreed.

2.12 The NDIA will work with Services Australia to review the establishment of arrangements and financial authorisations to support any borrowing arrangements undertaken by Services Australia on NDIA’s behalf.

Reporting

Board, committee and senior management reporting

2.13 In monthly financial reporting to the Board and Senior Leadership Team (SLT)38 there is a line item for the expenditure on travel and hospitality. In 2021–22 and 2022–23, the Board’s risk subcommittee received Chief Risk Officer reports which contained aggregate details of non-compliance with finance law and AAIs. The SLT received Chief Risk Officer reports until November 2022. The report does not specify non-compliance attributable to credit card use or travel by NDIA staff.

PGPA compliance survey reporting

2.14 The NDIA surveys Senior Executive Service (SES) officers on a quarterly basis to identify and report non-compliance with the PGPA Act within their respective branches. A key control identified in the Financial Control Branch’s draft risk register is the annual briefing on the results of the survey for the CEO and the Risk Advisory Branch.39 The NDIA did not consistently provide quarterly, half yearly or annual briefings to the CEO for the period 1 July 2021 to 30 June 2023 in relation to the results of the PGPA compliance surveys.

2.15 Where briefs were prepared for the CEO, they were either in draft, not signed or did not contain important information such as a title, who the brief was for, and who had prepared and cleared the brief. The reports and briefs on PGPA compliance included the number of credit card and travel non-compliances reported by the SES officers by quarter and financial year (see paragraph 3.49). Non-compliance for travel and credit cards in 2022–23 was rated green, which is low risk. PGPA survey compliance results were not provided to the Board in 2021–22 and 2022–23, except for advising the Board that the PGPA compliance survey was conducted and ‘the Agency continues to remain compliant with the majority of PGPA Act related obligations’.

Branch level reporting

2.16 A weekly credit card report is provided to the Branch Manager, Financial Control. It contains information and summary statistics on transactions and expenditure, acquittals, non-compliance, and credit card management (for example, new and cancelled cards). The report tracks a range of metrics including: transaction volumes over the past four years; unacquitted transactions greater than 25 days; transactions and spend for each month (see Figure 2.1); trend of non-compliance over the previous twelve weeks; and non-compliance over the past three years (see Figure 2.2). The report can be filtered by group, division and branch and whether the non-compliance was self-reported or detected through daily assurance reviews.40

Figure 2.1: Monthly credit card expenditure by year, July 2020 to June 2023

Figure 2.1 is a graph showing the trend in monthly total credit card expenditure in 2020–21, 2021–22 and 2022–23. The graph shows that monthly expenditure was generally the same or more in 2022–23 than in prior years, ranging between $200,000 and $400,000, except for June 2022 where expenditure spiked at $623,500.

Source: ANAO analysis of NDIA weekly credit card reports.

Figure 2.2: Non-compliant credit card transactions reported by month, July 2020 to June 2023

Figure 2.2 is a graph showing trends in the number of credit card non-compliances on a monthly basis in 2020–21, 2021–22 and 2022–23. The graph shows that the number of non-compliances varied between zero and six each month across the years, except for September to November 2020 where non-compliances ranged between 6 and 11.

Source: ANAO analysis of NDIA weekly credit card reports.

2.17 The Financial Control Branch provides monthly incident reports to the Risk Advisory Branch that include details of incidents of non-compliance with the NDIA Finance Policies and remedial action taken (see paragraph 2.30). Only credit card and travel non-compliance reported in the financial system are included in these reports (see paragraphs 3.34, 3.35, 3.47 and 3.51).

2.18 The volume and nature of reported non-compliance is discussed at paragraph 3.47, with Senior Executive Service (SES) officers responsible for 17 instances. The weekly credit card reports do not identify actions to be taken, or those taken, except for the recovery of monies relating to personal use of credit cards. The Board, SLT and CEO do not receive reporting on the level and nature of credit card and travel non-compliance, or actions taken in response to non-compliance. This reduces the Board’s visibility of non-compliance and the effectiveness of internal controls, impacting the Board’s ability to understand and manage fraud and integrity risks.

Recommendation no.2

2.19 The National Disability Insurance Agency’s (NDIA’s) Board receive and consider complete and accurate reporting of non-compliances with finance law and NDIA policies, including for credit card and travel expenditure.

National Disability Insurance Agency response: Agreed.

2.20 The NDIA already undertakes reporting of significant non-compliance to the Board. During the period subject to the ANAO’s review, there were no identified instances of significant non-compliance related to credit card and travel expenditure.

2.21 The NDIA propose to continue this approach focused on reporting significant non-compliance or instances of fraud to the Board.

ANAO comment on the NDIA’s response

2.22 The lack of adequate reporting to the Board is set out in paragraph 2.18. The NDIA does not have guidance on determining ‘significant non-compliance’ relating to credit card use. In the absence of such guidance, the NDIA’s response does not indicate how it will implement the agreed recommendation. Credit card quality assurance procedures establish a model that takes action based on the number of credit card non-compliances (see paragraph 3.56). The highest threshold for taking action is when a cardholder has had five non-compliances recorded against them over a 12-month period, irrespective of the dollar value of any non-compliance. In such circumstances the cardholder’s line manager is asked to provide reasons why the card should not be suspended or cancelled depending on the circumstances. Action taken in response to identified non-compliance is set out in paragraphs 3.57 to 3.60.

Reporting from Services Australia

2.23 Services Australia provides the NDIA with a quarterly compliance report for travel by NDIA staff. The report includes: assessment of compliance against the Travel Arrangements and NDIA policies41 and identified non-compliance; and the number of open, unapproved and unacquitted trips. The report includes recommendations for process improvements and actions to be taken by the NDIA in relation to identified non-compliance. The reports state there was a ‘high degree’ of compliance, against a scale of ‘high degree’, ‘reasonable degree’ and ‘limited degree’. Half of the quarterly travel compliance reports in 2021–22 and 2022–23 were unsigned. The report, or a summary of its contents, is not provided to SLT or the Board. All eight quarterly reports between 1 July 2021 and 30 June 2023 reported non-compliance (see Table 3.3); the six reports between 1 October 2021 and 31 March 2023 sought the NDIA’s advice regarding recommendations for action. The NDIA did not respond to Services Australia’s recommendations.

2.24 The primary assurance mechanism under the shared services arrangements involves the Chief Financial Officer of Services Australia providing a letter to the Chief Financial Officer of the NDIA each financial year. The letter outlines: the financial assurance processes undertaken for financial information provided by Services Australia to the NDIA; and accounting systems, controls and any relevant audit findings. The 2021–22 and 2022–23 letters concluded an appropriate controls framework was in place, with no known deficiencies in the internal controls relevant to the NDIA and no relevant audit findings.

Have appropriate arrangements been established for managing risks associated with use of corporate credit cards within the NDIA?

The NDIA’s fraud risk register does not list credit cards or travel as a cause of fraud risk. There is no evidence of consideration of credit cards or travel within the Chief Financial Officer’s divisional risk register. There is no shared risk register or approach with Services Australia for shared services provided.

Internal risk management

2.25 The NDIS Risk Management Rules42 require the NDIA to have a risk management framework, strategy, culture, structure, and practices in place to monitor and manage material risks for the agency. The NDIA has a Risk Management Strategy dated September 202043, a Risk Management Guide dated November 2019 and publishes its strategic risks in its corporate plan.44

2.26 The NDIA is required to comply with the Fraud Rule45 and states in its Fraud and Corruption Control Plan (July 2023) that the agency voluntarily complies with the better practice of both the Fraud Policy and Fraud Guidance.

2.27 Personal use of credit cards, fraudulently claiming travel entitlements, and accounting fraud (including misappropriation) are examples of internal fraud listed in the NDIA’s Fraud and Corruption Control Plan. Reported non-compliance for both credit cards and travel represents less than one per cent of transactions in the period 1 July 2021 to 30 June 2022 (see paragraphs 2.60 and 2.61).

2.28 The NDIA’s current fraud risk register (2022) includes the fraud risk category of ‘financial misappropriation’ (trusted insiders).46 Credit cards and travel may be a cause of this fraud risk but are not specifically listed as such. The NDIA’s previous fraud risk register (dated December 2019) included credit cards as a source of the financial misappropriation risk. The Board’s Risk Committee was advised by management that the 2022 fraud risk register consolidated risks from 13 to six to ‘clearly identify the key fraud and corruption risks’, ‘identify the cohorts that perpetrate fraud and corruption on the Scheme’ and ‘remove reference to current risks that are in fact causes’.

2.29 A paper presented to the Risk Committee in November 2022 stated that a fraud risk dashboard would be developed and incorporated into quarterly Chief Risk Officer (CRO) reporting. No dashboard was included in subsequent reports to the Board.

2.30 On a monthly basis, the Financial Control Branch provides to the Risk Advisory Branch the details of incidents of non-compliance with the NDIA Finance Policies and remedial action taken.47 There is no definition of an incident, or relevant categories of non-compliance. Forty out of 85 incidents reported in 2022–23 were credit card non-compliances, primarily personal use. There was one travel-related incident, in which travel was not authorised prior to travelling.

2.31 In the absence of a description of the risk categories or references to credit card processes in the related control description, there is no evidence that the risks relating to the management and use of credit cards, including travel, were considered in the development of the CFO Division’s risk register. No likelihood or consequence ratings are provided in the register, nor does it specify dates of review or assessment of control effectiveness. There was insufficient documentation to demonstrate when the NDIA commenced use of the draft CFO register.

2.32 The draft risk register for the Financial Control Branch, within the CFO Division, contains risks and controls relating to credit card and travel as set out in Table 2.1. There was not a finalised risk register in 2021–22 and 2022–23.

Table 2.1: Risks and controls for credit cards and travel in the Financial Control Branch draft risk register

Risk | Control
Inappropriate or fraudulent use of Agency or scheme funds | Individual transaction monitoring; Annual credit card review; Credit card non-compliance reporting
Non-compliance with regulatory reporting requirements | Process to monitor and report on travel including review of [Services Australia’s] data and monthly reporting

Source: NDIA’s internal risk documentation.

2.33 The Financial Control Branch draft risk register did not contain48: risk cause and impact statements; likelihood and consequence ratings; an assessment of the effectiveness of current controls at managing risk within the NDIA’s risk appetite and tolerance levels49; and mitigations. The risk relating to credit cards was assessed as low and the risk relating to travel was assessed as medium (the reason for this assessment is not documented). The NDIA advised the ANAO in September 2023 that the Financial Control Branch risk register is reviewed annually. There is no evidence of review of the register or the effectiveness of controls.

2.34 The NDIA advised the ANAO in September 2023 that it has not undertaken internal audits of any credit card or travel related risks since 2019. Credit card and travel related risks are also not addressed in the NDIA’s 2023–24 internal audit work program.

Recommendation no.3

2.35 The National Disability Insurance Agency clearly articulate in approved risk registers the reasons for risk ratings and incorporate effective controls and mitigations so that risk is managed within approved tolerance levels, consistent with the Agency’s Risk Management Guide.

National Disability Insurance Agency response: Agreed.

2.36 The NDIA will clearly articulate the reasons for risk ratings and incorporate effective controls and mitigations within approved risk registers in compliance with the Agency Risk Management Guide. The NDIA will consider suitable operating procedures and system enhancements to reach this objective.

Shared risk management

2.37 The Commonwealth Risk Management Policy 2023 (the Policy) requires that ‘entities must collaborate to manage shared risks’.50 The Policy is recommended as best practice for the NDIA, as a corporate Commonwealth entity. The Policy is mandatory for Services Australia, as a non-corporate Commonwealth entity. The NDIA and Services Australia have a draft shared risk plan (dated March 2022) for the risks arising out of the shared services arrangements. The plan contains four risks, three rated medium and one rated low. The risks are: existing IT systems cannot support shared services arrangements (medium); shared services arrangements are not supported by the executive (medium); consuming entities reduce or eliminate consumption of shared services (medium); and service standards for shared services are not achieved (low). The NDIA and Services Australia have not documented how credit cards or travel related risks fall within the defined risk categories and whether effective mitigation strategies have been implemented.

Recommendation no.4

2.38 Services Australia and the National Disability Insurance Agency approve a shared risk register and implement agreed management plans for identified risks related to the shared services arrangements.

Services Australia’s response: Agreed.

2.39 Services Australia (the Agency) recognises the importance of effectively managing shared risks, consistent with the requirements of the Commonwealth Risk Management Policy 2023. The Agency will work collaboratively with the National Disability Insurance Agency through existing bilateral governance arrangements to identify and document shared risks, controls, control gaps and accountability for managing risks, inclusive of the administration of corporate credit card and travel arrangements between the agencies.

National Disability Insurance Agency’s response: Agreed.

2.40 The NDIA will work with Services Australia to identify shared risks. Once identified, the risks and plans to address them will be documented. This risk information will be complemented by agency-specific risk information and plans.

2.41 The NDIA will collaborate with Services Australia to ensure a common view of the control environment, including the development of appropriate plan(s) to manage the risk to addressing identified control gaps. The NDIA will discuss shared risks regularly at established governance forums, with a focus on identifying and addressing control gaps.

Has the NDIA developed fit-for-purpose policies and procedures for the issue, return and use of corporate credit cards?

Accountable Authority Instructions (AAIs) and the NDIA Finance Policies are reviewed annually and are largely consistent with Australian Government guidance on managing credit cards. Policies and procedures do not address positional authority considerations for the acquittal of the Board and CEO’s credit card and travel expenditure.

Accountable authority instructions

2.42 The NDIA’s AAIs set out the financial expenditure limits delegated by the Board to NDIA officials and staff. The AAIs are accessible to NDIA staff on the intranet. The AAIs direct NDIA staff to the Finance Policies – Supporting the Accountable Authority Instructions (NDIA Finance Policies) dated November 2022 for information relating to legislative and policy requirements for the use of credit cards and travel arrangements. The financial delegations table within the AAIs does not refer to relevant sections of the PGPA Act that support the delegations, as recommended by the Department of Finance’s model AAIs for CCEs in Resource Management Guide (RMG) 206 (the model AAIs). The NDIA’s Finance Policies set out requirements and processes for: credit card issue, return and use; official travel; and approval of spending money.

2.43 The AAIs and Finance Policies are reviewed yearly. The NDIA’s AAIs and Finance Policies are largely consistent with the guidance contained in the model AAIs. The exceptions are the requirements relating to safe and secure credit card storage, and to only using credit cards issued to the individual or authorised to be used by the individual, which are not explicitly included.

Opportunity for improvement

2.44 To assist officials of the National Disability Insurance Agency (NDIA) to understand their delegated authorisations and responsibilities, there is an opportunity for the NDIA to refer to the relevant legislation in authorisation tables within the Accountable Authority Instructions (AAIs) and review its AAIs and Finance Policies for consistency with the model AAIs.

2.45 RMG 417, Supplier Pay On-Time or Pay Interest Policy, requires cards to be used for payments valued below $10,000 (see paragraph 1.7). This policy applies to non-corporate Commonwealth entities. The NDIA has chosen to implement the requirement by including it in the NDIA Finance Policies (see paragraph 3.19). While RMG 417 indicates that eligible payments may include payments made as a result of purchase orders, the NDIA excludes use of the credit card for these payments.

Procedures for credit card management and use

2.46 To support the implementation of the Finance Policies, the NDIA has developed a range of procedures for credit card management and use. These procedures are supplemented by Services Australia guidance for credit card acquittals and supervisor review, and travel. These procedures and guidance are available on the intranet for staff to access. The NDIA-prepared procedures were reviewed annually.

2.47 The ANAO assessed whether procedures were consistent with the NDIA Finance Policies for selected credit card and travel requirements and found that:

  • 14 out of 31 core credit card requirements tested from the NDIA’s Finance Policies were reflected in the procedures (with inconsistencies between the Finance Policy and standard operating procedures noted in five of these); and
  • nine out of 11 core travel requirements tested from the NDIA’s Finance Policies were reflected in the travel guidance.

Issuing credit cards

2.48 The NDIA Finance Policies require an applicant for a credit card to submit a business case for why the card is required, satisfy the employment eligibility criteria51 and complete an online training module. Endorsement of the credit card application is required from the applicant’s ‘line manager’ (Executive Level 1 or above), and the performance reporting team in the Financial Control Branch before it is approved by the Branch Manager Financial Control. Where an applicant is from the Financial Control Branch, endorsement and approval may be limited to approval by the Branch Manager without an independent assessment of the application. Cardholders must acknowledge receipt of a new (or replacement) credit card and confirm ‘you have received the Commonwealth Corporate Credit Card and PIN and agree to use the card in accordance with credit card section of the Finance policy’. Credit cards are activated when they are registered by Services Australia.

Opportunity for improvement

2.49 The National Disability Insurance Agency could introduce an alternative delegate for credit card applications from staff within the Financial Control Branch, including Senior Executive Service officers, to reduce risk.

Cancelling or suspending credit cards

2.50 The NDIA Finance Policies included several requirements for credit card cancellation or suspension.

  • ‘A credit card will be cancelled in the following circumstances: the cardholder leaves the Agency; the cardholder changes jobs within the Agency and no longer requires the credit card (or their new SES does not approve the retention of the card); and the cardholder has been instructed to surrender the credit card.’
  • When the credit card has been cancelled, the cardholder must destroy the credit card as soon as possible and complete the online request to cancel the card.
  • ‘If a credit card is lost or stolen, the cardholder must immediately cancel it with the card issuer and inform relevant branches within both NDIA and Services Australia of the circumstances resulting in the loss or theft.’
  • ‘Cardholders taking leave for greater than six weeks must submit a request to enable the limit on their credit card to be reduced to $1 during their leave.’
  • Since December 2021 if the card has not been used in accordance with the policy it may be temporarily suspended or cancelled.52
  • ‘A review of cardholders is undertaken annually to ensure valid reasons exist for card retention.’

Acquittal and travel approvals mechanisms

2.51 Acquittals for credit card transactions and travel (and travel approvals53) are undertaken by the cardholder or traveller in the NDIA’s finance and human resources system.54 For credit cards, the line manager position for reviewing the credit card acquittal is automatically allocated to the supervisor recorded in the system. As part of the acquittal process for travel, the traveller selects to whom the acquittal will be work flowed for review or approval.55

2.52 The NDIA Finance Policies did not specify the process for travel pre-approval or review of credit card and travel acquittals for the CEO and Board Members. The Board does not pre-approve the Chair’s or Board members’ travel expenses; they are approved by NDIA staff with a classification between Executive Level 2 and SES Band 2.56 The Board Chair does not review or pre-approve the CEO’s credit card and travel expenses; they are reviewed or approved by the Chief People Officer (an SES Band 2 who reports to the Chief Operating Officer).57 There is no evidence the potential for positional authority risk related to credit card use, including travel, has been appropriately assessed and managed (see paragraph 2.51 (approvals mechanisms), paragraphs 3.24 and 3.25 (credit card acquittal), and paragraphs 3.26 and 3.30 (travel approvals)).58

Recommendation no.5

2.53 The National Disability Insurance Agency (NDIA) address positional authority risk relating to the approval of the NDIA Board Chair, NDIA Board members and CEO credit card expenditure and travel, by requiring that:

  1. expenditure made by or on behalf of the NDIA Board Chair be approved by a deputy or other NDIA Board member;
  2. expenditure made by or on behalf of the NDIA Board members (other than the Chair) be approved by the NDIA Board Chair; and
  3. expenditure made by or on behalf of the NDIA CEO be approved by the NDIA Board.

National Disability Insurance Agency response: Agreed.

2.54 The NDIA will clearly outline the approvals required for CEO and Board Members’ credit card and travel expenditure, noting the CEO does not currently hold a credit card.

2.55 The NDIA will determine the most appropriate place to document this information (i.e. policy or the Accountable Authority Instructions).

Non-compliance

2.56 The NDIA Finance Policies define credit card misuse.

  • Purchases relating to: scheme participant or provider related expenses; clothing which uses the NDIA’s branding or logo; NDIA assets without the approval from the CFO or the Chief Information Officer (CIO) in the case of ICT equipment and software; commercial accommodation costs (unless the NDIA’s accommodation broker provides written confirmation they are unable to provide accommodation); airline tickets; security deposits when checking into accommodation; or for a deposit where the balance is to be paid by a purchase order.
  • Study expenses ‘where reimbursement has been agreed to under the Study and Professional Development Support Policy.’
  • Splitting of payments on a transaction to circumvent transactional limits or procurement requirements.
  • Purchase of ‘personal items, goods or services (including loans, borrowings or payment of private accounts)’ or accruing ‘cardholder loyalty programs, rewards points or discount vouchers for personal use’.
  • Paying for ‘expenditure already provided for by an allowance (i.e. ‘double dipping’)’.

2.57 The NDIA Finance Policies indicate that travel non-compliance includes trips undertaken without approval in place, acquittals are not submitted on time, contracted suppliers have not been used and travel is not in accordance with policy.

Has the NDIA developed effective training and education arrangements to promote compliance with policy and procedural requirements?

The NDIA staff applying for a credit card are required to complete online training, which covers all responsibilities and policy requirements, prior to being issued with the card. When it is recommended staff complete refresher training following instances of non-compliance, this does not always occur. Line manager reviewers of credit card acquittals, travellers and travel spending approvers are not required to complete training.

Credit card training

2.58 Since August 2020, the NDIA Finance Policies require credit card applicants to complete online training prior to being issued with a credit card. Cardholders are not required to complete refresher training. Training for credit cardholders addresses all cardholder responsibilities and requirements; training does not assess the cardholder’s understanding. Credit card training does not include the timeframe within which a credit cardholder’s line manager or SES must complete a review of credit card acquittals. Training is not required for line managers and SES with approver and reviewer responsibilities.

2.59 For the approved credit card applications between 1 July 2021 and 30 June 2023, all applicants advised that they had completed training. Applicants’ statements about training completion are supported by the training records for 1 July 2021 to 30 June 2023.59

2.60 The NDIA advised the ANAO in September 2023 that refresher training is recommended to staff following instances of non-compliance. The NDIA’s records indicate that of the 42 staff (including 14 SES officers and the CEO) who had recorded one or more instances of non-compliance in 2021–22 and 2022–23 (see paragraph 3.47), 13 staff (including two SES officers and the previous CEO) were asked to undertake relevant training. Seven (including one SES officer) of the 13 completed training after the incident (only two completed within three months of the incident). Between 1 July 2021 and 30 June 2023 there were 55 non-compliances reported by the NDIA (see paragraph 3.49); this represents less than one per cent of the 11,925 credit card transactions in this period (see paragraph 1.10). Quality assurance processes indicate that there is considerable under-reporting of non-compliance with the NDIA Finance Policies (see paragraph 3.35 and Table 3.2), indicating further training may be of benefit to cardholders and line managers.

Travel training

2.61 The NDIA does not require travellers or delegates responsible for pre-approving and approving travel expenditure to complete travel training. Between 1 July 2021 and 30 June 2023 there were 74 reported instances of non-compliance; this represents less than one per cent of the 8,509 trips in this period (see paragraph 1.10).

3. Management and control of corporate credit cards

Areas examined

This chapter examines whether the National Disability Insurance Agency (NDIA) has implemented effective controls and processes for corporate credit cards in accordance with their policies and procedures.

Conclusion

The NDIA has implemented partly effective controls and processes for management and control of corporate credit cards. Preventive controls were partly implemented, with cards issued to Senior Executive Service (SES) officers without line manager endorsement, credit limits that were not consistent with NDIA policies and the NDIA not utilising merchant blocking technology. Detective controls were partly effective in supporting detection of credit card misuse, and travel approval and acquittal non-compliance. Travel by Board members, and travel and credit card expenditure by the CEO and SES officers, was often approved by a staff member junior to the traveller or credit cardholder and did not address positional authority risk. The NDIA’s policies permit discretion when identifying and recording non-compliance during a quality assurance review, leading to under-reporting of non-compliance. The NDIA has partly implemented effective controls for managing non-compliance. The NDIA does not monitor the timeliness of travel acquittals, use its system to record all instances of travel non-compliance or take action in response to most identified travel non-compliance.

Areas for improvement

The ANAO made four recommendations aimed at the NDIA: preventing the activation or use of new or replacement credit cards until cardholders have acknowledged receipt of the card, and requiring supervising SES officer endorsement for all SES credit card applications (see paragraph 3.8); introducing additional quality assurance processes for cardholder transactions in the Financial Control Branch (paragraph 3.37); developing guidance on identifying and reporting all types of credit card non-compliance (paragraph 3.40); and introducing a quality assurance process for travel non-compliance (paragraph 3.53).

The ANAO also suggested one opportunity for improvement for the NDIA to develop guidance on requirements for credit card application business cases.

3.1 Preventive controls work by reducing the likelihood of inappropriate credit card use before a transaction has been completed. Preventive controls for credit cards can include: policies and procedures; education and training; deterrence messaging; declarations and acknowledgements; blocking certain categories of merchants; issuing cards only to those with an established business need; placing limits on available credit; and limiting the availability of cash advances.

3.2 Detective controls work after a credit card transaction has occurred by identifying if there is a risk that it may have been inappropriate. Detective controls for credit cards can include: regular review processes (with segregation of duties between cardholder and reviewer); exception reporting; fraud detective software; tip-offs and public interest disclosures; monitoring and reporting; and audits and reviews.60

3.3 When detective controls identify instances of potential fraud or non-compliance, entities should have effective processes in place for managing investigations and implementing follow-up actions (such as further training, sanctions, or referral to law enforcement agencies).

Has the NDIA implemented effective preventive controls on the use of corporate credit cards?

Controls relating to the issue of credit cards were generally operating as intended, except that line managers did not endorse Senior Executive Service officer credit card applications. The NDIA does not have assurance that credit limits are applied consistent with policy requirements. The NDIA does not use merchant blocking to prevent misuse. The NDIA cancelled and suspended cards for staff who had left the NDIA or were on long term leave following annual reviews of ongoing business need for the card, indicating that other preventive controls were not operating as intended.

Issuing cards

Credit cards

3.4 The NDIA’s Finance Policies and procedures for issuing cards are outlined at paragraph 2.48. There were 86 online credit card applications completed between 20 August 2021 and 30 June 2023, and five credit card applications made and approved by email between 1 July 2021 and 20 August 2021.61

3.5 The 86 online applications, of which 82 were approved, largely complied with the NDIA Finance Policies and procedures.

  • There were insufficient records to confirm the eligibility assessments undertaken when approving the applications.
  • There were 16 (19 per cent) applications from SES officers that did not have SES line manager endorsement. In November 2023 the NDIA advised the ANAO that SES applications flow directly to the Branch Manager Financial Control for approval, without requiring endorsement from their supervising SES officer.
  • Of the approved applications, six (seven per cent) had business cases that only referred to the applicant’s level and that the credit card was needed for their role, without any further information provided.

3.6 The NDIA does not have sufficient records to assess whether email applications were completed in accordance with the NDIA Finance Policies and procedures.

Opportunity for improvement

3.7 The National Disability Insurance Agency could develop guidance on how to determine if a business case in support of a credit card application is appropriate. This will assist potential applicants and their line managers in preparing applications.

Recommendation no.6

3.8 The National Disability Insurance Agency introduce controls to:

  1. prevent the activation or use of new or replacement credit cards until cardholders have acknowledged receipt of the card and confirm they will comply with NDIA policy; and
  2. require approval from the supervising Senior Executive Service (SES) officer for all credit card applications by SES officers, consistent with the NDIA’s policy requirements.

National Disability Insurance Agency response: Agreed.

3.9 The NDIA will explore options and work with Services Australia and ANZ to keep a card inactive or reduce the card limit to $1 until the cardholder has confirmed it has been received.

3.10 In March 2024, the NDIA made updates to the Financial Management Compliance System (FMCS) workflow to capture SES line manager approval. This is now captured and recorded prior to the application being approved by the Branch Manager Agency Budget and Financial Control.

Travel

3.11 Credit cards were not issued to NDIA staff for use for travel. Instead, under the shared services arrangements and the Whole of Australian Government Travel Arrangements (the Travel Arrangements) (see paragraphs 1.6 and 2.6), for each of the core services (accommodation, airfares and vehicle rentals) a credit card was established by Services Australia with Diners Club to be used for paying such expenditure related to NDIA staff travel.

Cancelling and suspending cards

Credit cards

3.12 To establish if the NDIA’s Finance Policies and procedures for cancelling and suspending cards (see paragraph 2.50) were effectively implemented, the ANAO examined credit cards cancelled and suspended in 2021–22 and 2022–23. There were: 84 requests to cancel credit cards; seven replacement card requests; nine suspension requests due to extended leave; and three notifications of change of branch and applications to keep a credit card. The NDIA largely complied with its policies and procedures for cancelling and suspending credit cards.

  • Credit cards were not suspended or cancelled in any of the 55 instances of non-compliance, which related to 62 transactions (see Table 3.4 and Table 3.5[62], and paragraphs 3.55 to 3.60 for further discussion of non-compliance).
  • There was no evidence of how many of the 84 requests to cancel cards were due to staff being instructed to cancel their credit card, noting the NDIA’s annual credit card reviews led to 37 (44 per cent) cancellations in the period examined (see paragraph 3.13).
  • For lost cards there was insufficient information to determine if reporting was timely. All cardholders verified the last five transactions on their credit card were valid when reporting a lost or stolen card.
  • The evidence provided did not demonstrate that three (33 per cent) of the nine credit cards suspended had the cardholder’s credit limit reduced to one dollar for the period of leave (see paragraph 3.17). One cardholder submitted a request to suspend their credit card 23 days after the leave period commenced.
  • It took between five and 38 days to approve change of branch requests.

3.13 In 2021–22 and 2022–23, the NDIA completed annual reviews of cardholders for the purpose of determining if there is an ongoing business need for the credit card. The standard operating procedure does not specify whether SES officers are included in this review and if so, who is required to verify the ongoing business need for their relevant card.63

  • In 2021–22 the NDIA made a decision to cancel 13 of 237 credit cards (including the card for one staff member who had left the entity and two that were on leave).
  • In 2022–23 the NDIA made a decision to cancel 24 of 234 credit cards (including the cards for one staff member who had left the entity and three that were on leave).

Travel

3.14 Credit cards were not issued to NDIA staff for travel (see paragraph 3.11).

Managing transactions

Credit cards

3.15 Merchant blocking can be used to prevent the misuse of corporate credit cards and minimise fraud risks by excluding classes of transactions, for example from gambling or dating and escort agency vendors.64 The NDIA Finance Policies do not include merchant blocking for credit cards or travel.

3.16 The NDIA Finance Policies prescribe a standard monthly limit for credit cards of $20,000 (including GST) with a limit of $9,999 (including GST) per transaction. The CEO and the CFO can approve increases to transaction and monthly limits in the event of exceptional circumstances and the request must be supported by a business case.65

3.17 The NDIA does not assure itself that credit limits are consistent with the NDIA Finance Policies. In August 2023, the NDIA provided the ANAO with an extract of all credit card limits since 1 July 2021 — there were 212 credit cardholders listed, all were unique cardholders. The NDIA provided annual review data for 2021–22 and 2022–23. In December 2023, Services Australia provided the ANAO with the NDIA’s credit card listing including credit limits for 215 active cards. The ANAO compared the Services Australia list of credit card limits to the lists of credit limits provided by the NDIA. Table 3.1 shows the rates of compliance with the NDIA Finance Policies for the monthly and transaction limits of NDIA credit cards as recorded by the NDIA and Services Australia. The results in Table 3.1 demonstrate that the NDIA Finance Policies are not consistently applied.

Table 3.1: Comparison of NDIA and Services Australia credit limit data and compliance with NDIA Finance Policies

| | NDIA data for all cards between 1 July 2021 and 30 June 2023 | Services Australia credit limit data for active credit cards at December 2023 |
|---|---|---|
| Number of credit cards | 212 | 215 |
| Monthly limit consistent with policy | 212 (100%) (note a) | 214 (99.5%) (note b) |
| Transaction limit consistent with policy | 212 (100%) | 88 (41%) (note c) |

Note a: Annual credit card reviews (see paragraphs 3.12 and 3.13) identified a further three officers that had a monthly credit limit set at $1 during the period 1 July 2021 to 30 June 2022.

Note b: Monthly transaction limits were set at $1 for two credit cards, $0 for one credit card, $20,000 for 211 credit cards and $1,000,000 for one credit card.

Note c: Transaction limits were set at $10,000 for 125 credit cards, $9,999 for 88 credit cards, $1,000 for one credit card and $250,000 for one credit card.

Source: ANAO analysis of NDIA and Services Australia data.

Travel

3.18 Credit limits for travel were managed by Services Australia and not examined as part of the audit.

Using credit cards to make payments under $10,000

3.19 The NDIA Finance Policies require that low value items (generally less than $10,000 including GST) should be purchased using a corporate credit card (see paragraph 2.45).

3.20 The NDIA established a direct payment tracker in December 2022 to record applications for an alternative payment method to credit card payments. The tracker contained 47 requests; eight were withdrawn, one request was being assessed and 38 were approved. Under the NDIA Finance Policies and procedures, the Branch Manager Financial Control has responsibility for approving applications. The ANAO examined four applications between December 2022 and September 2023; the Branch Manager Financial Control approval was provided for each application.

Has the NDIA implemented effective detective controls on the use of corporate credit cards?

The NDIA has implemented detective controls for credit cards including credit card acquittal by cardholders, review by line managers and a quality assurance review process. The NDIA’s policies do not provide guidance on detecting the splitting of a transaction to remain under the relevant credit card limit. For a sample of 117 transactions, ANAO identified 18 instances of potentially split transactions, and 20 credit card acquittals of the CEO and SES where the approving officer was junior to the credit cardholder, introducing positional authority risk. In 2021–22 and 2022–23, daily assurance checks resulted in requests for supporting documentation from credit cardholders for four per cent of all credit card transactions. In 2021–22 and 2022–23, the ANAO identified 11 credit card transactions which occurred where the NDIA policies required the credit card be suspended, and one where the policies required the credit card be cancelled.

The NDIA implemented detective controls for travel approvals including travel acquittal by travellers, review by delegates and quality assurance processes. For a sample of 93 trips, 24 travel requests were not submitted within required timeframes, 10 trips did not have supporting documentation, and 18 trips were not acquitted within required timeframes. The delegate was junior to the traveller for 51 trips by the CEO and Board, introducing positional authority risk. Services Australia made 30 recommendations to the NDIA to address travel related non-compliance identified by quality assurance processes. The NDIA did not respond to Services Australia or implement the recommendations.

Credit card acquittal

Cardholder acquittal

3.21 The NDIA Finance Policies require cardholders to take the following steps when acquitting credit card transactions.

  • Transactions must be acquitted within 35 days of the date of purchase (the receipt date). Prior to December 2021, credit card acquittals were to be completed in 28 days of the date of purchase.
  • The credit cardholder must attach all required supporting documentation at the time of acquittal, including: a valid tax invoice for all purchases valued at or over $82.50 (including GST)66; a receipt or proof of purchase for all purchases below $82.50 (including GST); or a declaration where a tax invoice is unavailable.
  • Cardholders must report all unauthorised and unrecognised transactions immediately to relevant branches within the NDIA and Services Australia. Cardholders must ‘follow up with suppliers’ if they identify duplicate transactions or incorrect charges.
  • Accidental private expenditure is considered non-compliant and should be reported as soon as possible.

3.22 To establish if the NDIA’s Finance Policies and procedures for credit card acquittal were effectively implemented, the ANAO selected a sample of 117 credit card transactions between 1 July 2021 and 30 June 2023 (of which 16 were CEO transactions and 42 were SES officer transactions). The NDIA partly complied with these requirements.

  • Four transactions were not acquitted within required timeframes.
  • One transaction did not have required supporting documentation attached.
  • Three of the six disputed transactions were identified by the same cardholder as possibly fraudulent transactions. For all disputed transactions ANZ or the supplier credited the NDIA for the amount of the transaction.
  • Nine transactions were reported as personal use, of which six transactions were made by the CEO or SES officers. In all nine cases the cardholder repaid the value of the transaction.
  • Eighteen transactions were potentially ‘split transactions’, of which six transactions were made by SES officers.67
  • Eight IT equipment purchases without supporting approvals, of which two transactions were made by the CEO or an SES officer.
  • Three transactions relating to travel, one for accommodation charges that was reported by the SES cardholder as being incorrectly charged by the vendor and two for airfares which had been self-reported by the cardholder.

3.23 The ANAO’s review of all transactions between 1 July 2021 and 30 June 2023 identified: eleven transactions that occurred when a staff member was on leave for six weeks or more (of which eight transactions were made by SES cardholders); and one transaction that occurred following the SES staff member’s departure from the agency. These transactions include four Uber or taxi trips while a staff member was on leave without pay, and one transaction for a subscription that occurred after the staff member had left the organisation. These transactions had not been identified by the NDIA as non-compliant with the NDIA Finance Policies. The NDIA advised the ANAO in January 2024 that ‘all expenditure was work related and approved by their line managers. There is no indication that these transactions are inappropriate in nature.’

Line manager approval of acquittal

3.24 The NDIA Finance Policies require line managers to review and approve the cardholder’s acquittal within seven calendar days and ensure:

  • all transactions are for NDIA purposes;
  • all supporting documentation (such as invoices and approvals) is attached;
  • no payments have been inappropriately split to avoid the cardholder’s transaction limit or procurement requirements; and
  • all private expenditure is identified, reported in the financial system as non-compliant and acquitted as private expenditure (a type of non-compliance), triggering the recovery process.

3.25 To establish if the NDIA’s Finance Policies and procedures for line manager review of credit card acquittals were effectively implemented, the ANAO examined a sample of 117 credit card transactions.

  • For five sample transactions (of which three were made by SES officers) the line manager did not review the acquitted transaction within the prescribed time period.
  • The NDIA does not hold sufficient records to determine whether transactions were returned to the cardholder for correction.
  • For four transactions the seniority of the line manager could not be determined. Where seniority could be determined, the ‘line manager’ approver was junior to the cardholder for 20 transactions (16 of which related to the Chief People Officer (CPO), SES Band 2, reviewing acquittals of the CEO and four related to the CPO reviewing the acquittal from SES Band 3 officers, see paragraph 2.52), and the cardholder and line manager were at the same level for two transactions.

Travel approval and acquittal

Travel requests and traveller acquittals

3.26 The NDIA Finance Policies require travellers to obtain approval to travel prior to travel commencing and to acquit travel expenses once travel is completed. Key policy requirements include:

  • travel must only be booked after written approval has been obtained from the appropriate delegate;
  • all trips must be documented accurately in the finance and human resources system and approved in that system by the appropriate delegate before commencement of the trip68;
  • staff must ensure that expenses, including all relevant documentation, are added to the trip record prior to approval; and
  • all trips must be acquitted in the finance and human resources system within 14 days after the travel has been completed.

3.27 Controls over workflows for travel approval and acquittals were designed effectively. In November 2023, Services Australia advised the ANAO that if a travel request exceeded the CEO’s delegation it would workflow to the CEO and it is expected that the CEO would then take the matter to the Board and once Board approval is received, would complete the approval. There was no travel that exceeded the CEO’s delegation in 2021–22 and 2022–23.69

3.28 To establish if the policies for travel pre-approval and cardholder acquittal were effectively implemented, the ANAO examined a sample of 93 trips (including 23 trips by SES officers, 26 trips by the CEO and 25 trips by Board members). The NDIA partly complied with key internal policy requirements.

  • The NDIA did not maintain records of travel pre-approvals centrally or attach them as supporting documentation to the travel approval in the finance and human resources system. For example, there were seven instances of private motor vehicle use by non-SES staff in the travel sample; in all instances pre-approvals were not attached to the trip record in the finance and human resources system.70
  • Ten trips did not have supporting documentation, of which two related to SES officers and one to the CEO.
  • Eighteen trips did not have supporting information uploaded before the trip commenced, of which five related to travel by the CEO, three by Board members, and five by SES officers. A further 17 trips had additional supporting information uploaded after the trip commenced or concluded, of which six related to Board members, seven related to the CEO and two related to SES officers.
  • Twenty-four trips were submitted in the finance and human resources system by the traveller after the trip was commenced (including four submitted on the day the trip commenced). Fourteen of these trips related to travel by the CEO or NDIA Board members. Where trips were not submitted before travel commenced, late requests ranged from the day travel commenced to 204 days after travel commenced.
  • One trip within the sample was acquitted before it was completed.
  • Eighteen trips were acquitted more than 14 days (up to 317 days) after travel was completed, of which five related to Board members, seven related to the CEO and four related to SES officers. Thirty-six trips had more than one acquittal workflow, and two trips had six acquittal workflows.71

Delegate approval of travel

3.29 To establish if the policies for delegate approval of travel acquittals were effectively implemented, the ANAO examined a sample of 93 trips (see paragraphs 3.26 and 3.28). The NDIA partly complied with these requirements.

  • Thirty-one trips were approved after the trip commenced (including five that were approved on the day the trip commenced, and two trips that were cancelled). Of the 31, 15 of the trips related to travel by the CEO or Board members. Where trips were not approved before travel commenced, late approvals ranged from the day travel commenced to 204 days after travel commenced. Forty-four trips had more than one approval workflow; one trip had seven approvals.72
  • Services Australia provided a current and historical list as at 20 November 2023 of spending approvers recorded in the finance and human resources system (see footnote 55). Comparing these lists to travel approvers in the travel sample indicates that an incomplete list was provided or that the controls in the finance and human resources system were not working as intended. For example, two travel approvers, including the CEO, were not included in the current or previous list.

3.30 Separate to the issue of whether someone was validly recorded as a travel delegate in the finance and human resources system, the ANAO assessed whether the delegate who approved a trip had the appropriate financial delegation at the time of the recorded approval based on their recorded employment classification and the financial delegations contained in the NDIA HR Delegations, Accountable Authority Instructions and Financial Authorisations Manual (for the relevant version issued between October 2020 and July 2022).

  • The delegate’s classification could not be determined for one sample item as the delegate was not listed as an employee in HR records.
  • The delegate ‘travel approver’ was junior to the traveller for 51 trips (see paragraph 2.52 and footnotes 56 and 57). Of these, 26 were approvals of CEO travel by the Chief People Officer, and a further 25 were approvals of Board Chair or Board members’ travel by NDIA staff with a classification between Executive Level 2 and SES Band 2.
  • The delegate and the traveller were at the same level for 16 trips (15 of these related to an SES Band 2 officer).
  • One approver was not a delegate.

Quality assurance reviews

Credit cards

3.31 The credit card processing team, Financial Control Branch, complete daily checks of all credit card transactions acquitted by the credit cardholder (they are described as quality assurance checks). The checks include verifying correct coding of the transactions, compliance with the credit card policy[73] and that correct documentation is attached. There is no independent process for assurance over transactions recorded by credit cardholders within the branch. The results of these checks are maintained in a monthly spreadsheet and non-compliance is reported in the weekly credit card report provided to the Branch Manager Financial Control.

3.32 In 2021–22 and 2022–23, daily assurance checks were completed for 7,632 and 10,178 credit card transactions, respectively.[74] Table 3.2 provides the results of the daily assurance verification process recorded by the credit card processing team, by financial year, excluding non-compliance with credit card policy that does not relate to coding or attaching a relevant invoice or other required information.

Table 3.2: Daily assurance check results between 1 July 2021 and 30 June 2023

| Daily assurance check outcome (a) | Number in 2021–22 | Number in 2022–23 | Total |
|---|---|---|---|
| Pass (no issues identified) | 3,847 | 6,134 | 9,981 |
| Updated general ledger code | 622 | 581 | 1,203 |
| Updated tax code | 314 | 376 | 690 |
| Updated tax and general ledger code | 107 | 81 | 188 |
| Itemised transaction | 59 | 77 | 136 |
| Requested invoice | 207 | 299 | 506 |
| Request financial system identifier | 9 | 22 | 31 |
| Request additional information | 0 | 3 | 3 |
| Request approval | 0 | 1 | 1 |
| Repost (b) | 2,467 | 2,604 | 5,071 |
| Total | 7,632 | 10,178 | 17,810 |

Note a: Transactions that are not compliant with relevant policy requirements, other than where an invoice was not provided, are not recorded as an outcome for the daily assurance check. For example, instances of non-compliance relating to transaction splitting or accruing loyalty points.

Note b: When there is an adjustment to an acquittal (such as to the tax code or cost centre) the transaction will update and repost overnight, and appears again in the report. The transaction is noted as a ‘Repost’ to indicate a daily assurance check has previously been completed.

Source: ANAO analysis.

3.33 There is no documented methodology for assessing the appropriate use of credit cards for payments less than $10,000 (including GST) and promoting compliance with these requirements under the NDIA’s policy. Assessing payments under $10,000 is not explicitly listed as a check performed as part of the daily assurance checks conducted by the credit card processing team (see paragraph 3.19).

3.34 The daily assurance procedure does not set criteria or provide guidance on how to identify and record credit card non-compliance (such as transaction splitting, see footnote 73) when completing the daily check. Instead, the procedure relies on staff members’ knowledge of the credit card policy. The procedures also provide for discretion in reporting non-compliance. The daily assurance procedure advises the credit card processing team:

Discretion is used when deciding whether there is a non-compliance of policy. For example, if a cardholder has not attached the correct invoice, this can be requested via feedback to the cardholder before proposing a non-compliance be recorded.

3.35 Daily assurance checks identified 506 instances (four per cent) across 11,925 transactions (see paragraph 1.10) where required invoices were not attached as part of the acquittal process. None of these instances were reported as non-compliance (see Table 3.4).

3.36 Other daily processes such as credit card acquittal reminders and weekly reporting identify where credit cardholders do not complete acquittals within 35 days of the transaction (that is, the acquittal is non-compliant). Weekly reports identified no instances of acquittals not occurring within 35 days of the transaction in 2021–22, and five instances in 2022–23.

Recommendation no.7

3.37 To support accountability and separation of duties, the National Disability Insurance Agency introduce additional assurance processes for cardholder transactions in the Chief Financial Officer Division and Financial Control Branch.

National Disability Insurance Agency response: Agreed.

3.38 The NDIA will introduce additional controls and assurance processes for transactions made by staff within Chief Financial Officer Division and Agency Budget and Financial Control Branch.

3.39 The NDIA notes there are no separation of duties issues, as neither the members of the Performance Reporting team nor the Branch Manager Agency Budget and Financial Control have currently been issued a credit card.

Recommendation no.8

3.40 The National Disability Insurance Agency (NDIA) develop guidance on steps for identification of all types of credit card non-compliance with the NDIA Finance Policies, and a system for reporting all non-compliance, including those that are rectified as part of the quality assurance process.

National Disability Insurance Agency response: Agreed.

3.41 The NDIA has guidance for identifying all types of credit card non-compliance and records those identified in its Financial Management Compliance System (FMCS). Reporting on all non-compliances is provided to Risk Management Branch on a monthly basis.

3.42 The NDIA will review its standard operating procedure and finance policy in relation to using discretion when a tax invoice is not initially attached to the transaction during the acquittal process. The intent of the quality assurance process is to encourage and assist with compliance in instances of incomplete documentation.

ANAO comment on the NDIA’s response

3.43 The absence of criteria or guidance for identifying and recording credit card non-compliance, detected during the daily quality assurance checks, is discussed at paragraph 3.34. The audit identified instances of transactions that were potentially split, IT assets purchased without approval, credit card acquittals not completed within required timeframes, lack of required documentation and use of credit card while on leave contrary to policy requirements (see paragraphs 3.22, 3.23 and 3.25). None of these instances were reported by the NDIA as non-compliance.

3.44 Daily assurance checks identified 506 instances where required invoices were not attached as part of the acquittal process (see paragraph 3.35). None of these instances were reported as non-compliance (see Table 3.4).

Travel

3.45 Services Australia developed an updated version of the Travel Compliance Framework and Policy in June 2020; however, it was not approved.[75] Services Australia applied the unapproved version of the Travel Compliance Framework and Policy dated June 2020 during the course of the audit. Services Australia staff conduct monthly[76], quarterly[77] and annual compliance audits on the NDIA’s recorded travel.[78] Where non-compliance is identified, the details are recorded in the non-compliance spreadsheet for reporting in quarterly compliance reports (see paragraph 2.23).

3.46 Table 3.3 provides the results of the travel compliance audits recorded by Services Australia in the quarterly compliance reports provided to the NDIA (see paragraph 2.23), by financial year. In 2021–22 and 2022–23, there were no reported instances of non-compliance involving: claiming private motor vehicle when there is a Hertz rental; reunion trips; or the business case. Of the 33 non-compliances identified, Services Australia made 30 recommendations in an attachment to the quarterly compliance reports to the NDIA to address travel non-compliance (in one instance this related to SES non-compliance involving private motor vehicle allowance). The NDIA did not respond to Services Australia or implement recommendations (see paragraph 2.23 and 3.64). There were insufficient records to determine the level of the traveller for the three travel non-compliances where a recommendation was not made.

Table 3.3: Travel non-compliance reported in quarterly compliance reports between 1 July 2021 and 30 June 2023

| Type of non-compliance reported | Total 2021–22 | Total 2022–23 | Total |
|---|---|---|---|
| Accommodation allowance | 1 | 0 | 1 |
| Business class airfare (a) | 6 | 8 | 14 |
| Private motor vehicle | 7 | 6 | 13 |
| Combined private and official travel | 1 | 0 | 1 |
| Weekend travel | 2 | 1 | 3 |
| AOT ancillary charges | 0 | 1 | 1 |

Note a: NDIA staff must use the Travel Arrangements to book air travel. This includes booking the lowest practical fare in economy class unless there is an approved business case or entitlement to travel business class.

Source: ANAO analysis.

Does the NDIA have effective processes for managing identified instances of non-compliance?

The NDIA records credit card non-compliance by specific categories, including accidental private use. Reported instances of travel non-compliance did not reconcile. The NDIA recorded action taken in relation to credit card non-compliance, including recovery of personal expenditure and recommendation of further training. The NDIA did not record any actions taken in response to recommendations made by Services Australia to remedy travel non-compliance. For the one instance of travel non-compliance recorded in the NDIA’s internal reporting, the action taken was to inform the staff member of the policy requirements.

Recording and reporting on non-compliance

Credit cards

3.47 Between 1 July 2021 and 30 June 2023, 55 instances (involving 42 cardholders, including 14 at SES or CEO level, see paragraph 2.60) of credit card non-compliance were reported in the financial system (this does not include all non-compliance detected by quality assurance processes, see paragraphs 3.34 and 3.35).[79] There were ten cardholders with more than one instance of non-compliance, including one cardholder with four, and another with three (three of the ten cardholders were SES officers and one was the previous CEO). These instances of non-compliance related to 62 transactions. Instances of non-compliant transactions by nature of the non-compliance reported are shown in Table 3.4.

Table 3.4: Instances of credit card non-compliance recorded in the financial system between 1 July 2021 and 30 June 2023

| Type of non-compliance | Number in financial system 1 July 2021 to 30 June 2023 |
|---|---|
| Accidental private use of corporate card | 28 |
| Accrued cardholder loyalty rewards points | 5 |
| Corporate credit card used for a security deposit | 1 |
| Payment associated with a multiple-payment contract which exceeds the credit card transactional limit | 4 |
| Payment was split to circumvent credit card transactional limit | 7 |
| Purchase of airline tickets outside of the Travel Arrangements | 1 |
| Purchase of an Agency asset without the approval from the CFO or CIO in the case of ICT equipment and software | 2 |
| Purchase of meals while in receipt of a travel allowance | 2 |
| Transaction not acquitted within 35 days | 5 |
| Total | 55 |

Source: ANAO analysis of NDIA data.

3.48 The total number of instances of non-compliance reported in weekly reports in 2021–22 was 15, and in 2022–23 was 39. In 2022–23 weekly reporting also indicated the source of non-compliance identification: 24 self-reported and 15 identified through quality assurance processes. Weekly reporting indicated the most common types of non-compliance in both financial years were accidental personal use and split transactions. The number of credit card non-compliances reported in weekly reports was largely consistent with non-compliance reported in the financial system, noting there is a timing difference between the two information sources.

3.49 The 54 instances[80] of non-compliance in 2021–22 and 2022–23 PGPA survey results (see paragraphs 2.14 and 2.15) align with the 54 non-compliances reported in weekly reporting. However, they do not align with the 55 credit card non-compliances recorded in the financial system. The inconsistency in total number of non-compliance reported reflects timing differences between the final weekly report and the end of financial year, and report parameters that extracted items that were finalised (had action taken) in the period rather than occurred in the period for non-compliance reports.

Travel

3.50 The NDIA does not collate information on travel non-compliance and reconcile it into summary reports.

3.51 There is conflicting information relating to travel non-compliance in the following sources:

  • Monthly incident reporting by the Financial Control Branch to the Risk Advisory Branch in 2022–23 included one instance of travel non-compliance (see paragraph 2.30), where the travel was not approved in the finance and human resources system prior to the trip.[81] There were no instances reported in 2021–22.
  • The NDIA monthly ‘travel slides’ provided to the Branch Manager Financial Control and Chief Financial Officer reported in June 2022 that 26 trips were not compliant with the Travel Arrangements’ Lowest Practical Fare (LFP); and in June 2023 that 13 trips were not compliant with LFP.[82]
  • Services Australia’s quarterly reporting on travel non-compliance (see Table 3.3) indicates that there were up to 33 instances of non-compliance between 1 July 2021 and 30 June 2023. Services Australia does not examine or report on compliance with Lowest Practical Fare.
  • PGPA compliance survey results reported travel non-compliance of zero in 2021–22 and one in 2022–23 (see paragraph 2.15).

3.52 With the exception of one instance of non-compliance included in the incident reporting, there is no reporting on aspects of travel policy non-compliance relating to where travel was not approved before commencing travel, acquittals and review were not timely, or travel and acquittals were not approved by an appropriate spending approver.

Recommendation no.9

3.53 The National Disability Insurance Agency introduce a quality assurance process to cross check reports for completeness and accuracy with other relevant information sources, document identified discrepancies and remedial action taken.

National Disability Insurance Agency response: Agreed.

3.54 The NDIA will review quality assurance processes to improve the analysis and review of periodic reporting received from Services Australia.

Action taken in response to non-compliance

Credit cards

3.55 The NDIA Finance Policies provide for the NDIA to take a range of actions in response to credit card misuse. If a cardholder misuses their credit card, potential action against the cardholder can include: the card being cancelled; disciplinary action; repayment of card expenditure (which can be deducted from salary); and penalties under legislation including the Criminal Code Act 1995.

3.56 Credit card quality assurance procedures, rather than the NDIA Finance Policies, describe the action to be taken based on the number of credit card non-compliances:

  • when a cardholder has had three non-compliances recorded against them over a 12-month period, the Branch Manager Financial Control will issue a warning to the cardholder and their line manager; and
  • when a cardholder has had five non-compliances recorded against them over a 12-month period, the Branch Manager Financial Control will issue an email to the cardholder’s line manager requesting reasons why the card should not be suspended or cancelled depending on the circumstances.

3.57 Over the period 1 July 2021 to 30 June 2023, ten cardholders had more than one instance of non-compliance; one cardholder had four instances of non-compliance. Table 3.5 summarises the action taken by type of non-compliance, as it was recorded in the financial system.

Table 3.5: Action taken by type of credit card non-compliance

| Type of non-compliance | NDIA’s reported action taken | Number of non-compliances |
|---|---|---|
| Accidental private use of corporate card | Private expenses on corporate credit card acquitted in the Essentials (a) system as private use. | 28 |
| | Private amount recovered from cardholder. | 27 |
| | Private amount recovered from supplier (reversed). | 1 |
| Accrued cardholder loyalty rewards points | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. | 5 |
| Corporate credit card used for a security deposit (c) | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. | 1 |
| Payment associated with a multiple-payment contract which exceeds the credit card transactional limit | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. Purchase order created for remaining procurement. | 4 |
| Payment was split to circumvent credit card transactional limit | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. | 7 |
| Purchase of airline tickets outside of the Travel Arrangements | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. | 1 |
| Purchase of an Agency asset without the approval from the CFO or CIO | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. | 2 |
| Purchase of meals while in receipt of a travel allowance | Private expenses on corporate credit card acquitted in the Essentials (a) system as private use. Private amount recovered from cardholder. Cardholder advised of non-compliance and travel policy reference and procedure. | 2 |
| Transaction not acquitted within 35 days | Non-compliance raised in FMCS. (b) Cardholder advised of non-compliance and finance policy reference. Transaction acquitted. | 5 |

Note a: Essentials is the NDIA’s finance and human resources system.

Note b: FMCS is the Financial Management Compliance System; it is referred to as the financial system in this report.

Note c: A security deposit for accommodation should be paid through the Travel Arrangements.

Source: ANAO analysis of NDIA data.

3.58 In addition to these actions, of the 42 staff that recorded instances of non-compliance, the NDIA also recorded recommending 13 staff undertake relevant training in relation to 16 non-compliances (see paragraph 2.60). Of these 13 staff, seven completed training after the non-compliance (only two completed training within three months of the incident).

3.59 The NDIA has not recorded the following types of action taken in response to non-compliance in 2021–22 or 2022–23[83]:

  • disciplinary action;
  • cancelled or suspended credit cards; and
  • referring matters to the fraud team for investigation.

3.60 The recovery of personal use expenditure on credit cards is reported on a weekly basis. The NDIA recovered $1,000.08 across nine of the 10 instances of personal use in 2021–22 (in two of the 10 instances the cardholder was the CEO), and $829.65 across 18 of the 19 instances of personal use in 2022–23 (in nine of the 19 instances the cardholder was an SES officer).[84]

Travel

3.61 The NDIA Finance Policies provide for the NDIA to recover the amount for non-compliant travel expenditure from the relevant employee and refer suspected fraud or misconduct for further investigation.

3.62 Services Australia’s Travel Compliance Framework and Policy (June 2020), includes the following responses to non-compliance:

  • recover expenses where private travel exceeds business travel in line with the NDIA Finance Policies, in line with permanent relocation policy and for reunion trips;
  • suspected incidents of fraud are escalated within Services Australia and recorded in the quarterly compliance report; and
  • traveller is notified of non-compliance and action taken to make trip compliant; where the traveller has three identical types of non-compliance, escalate to traveller’s delegate or SES, or retraining may be provided or a breach is raised.

3.63 Monthly incident reporting by the Financial Control Branch in 2022–23 included one instance of travel non-compliance, where the travel was not approved in the finance and human resources system prior to the trip. In this instance the recorded resolution was to inform the staff member entering the travel in the human resources system of the policy requirement.

3.64 Over the period 1 July 2021 to 30 June 2023, Services Australia made 30 recommendations to the NDIA in relation to travel non-compliance (paragraph 3.46). Table 3.6 summarises the action recommended by type of non-compliance, as it was recorded in reporting from Services Australia to the NDIA.[85] The NDIA did not respond to Services Australia or implement recommendations. In December 2023, the NDIA advised the ANAO that there were no instances requiring NDIA response or intervention (see paragraphs 2.23 and 3.46).

Table 3.6: Action recommended by type of travel non-compliance, quarterly travel reports between 1 July 2021 and 30 June 2023

| Type of non-compliance | Recommended action | Number of non-compliances |
|---|---|---|
| Business class airfare | Traveller educated, no further action (no additional cost to entity) | 5 |
| | Traveller educated, no further action | 8 |
| Private motor vehicle use, without supporting documentation | Traveller on leave, recommend no further action | 1 |
| | Traveller on leave, hold recovery until return | 1 |
| | No comprehensive insurance, recommend claim removed and raise overpayment | 6 |
| | No documents, remove claim, automatic overpayment raised | 1 |
| | Traveller left agency, no further action | 1 |
| | No comprehensive insurance, remove claim and claim on tax | 1 |
| | Traveller on leave, not submitted documentation, cancel | 1 |
| Combined private and official travel, and weekend travel | Traveller unaware of policy, has been re-educated | 1 |
| | Traveller re-educated | 1 |
| | Traveller unaware of policy, has been re-educated and advised to make themselves familiar with policy | 1 |
| | Coding corrected and overpayment raised | 1 |
| Ancillary charges | Traveller on long service leave and retiring, $5 uneconomical to pursue, no further action | 1 |

Source: ANAO analysis of NDIA data.

Appendices

Appendix 1 Entity responses

Page one of the response from the NDIS. A summary of the response can be found in the summary and recommendations chapter.

Page one of the response from the Services Australia. A summary of the response can be found in the summary and recommendations chapter.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • On 29 April 2024 the NDIA commenced the process of creating a legal relationship between itself and ANZ, utilising a clause in the Deed between Services Australia and ANZ (see paragraph 2.10).
  • The NDIA and the Department of Finance executed a Participant Deed in November 2023 specifying the Travel Arrangements they will utilise (footnote 36).

Footnotes

1 Department of Finance, Resource Management Guide (RMG) 206 Model Accountable Authority Instructions for corporate Commonwealth entities, Finance, Canberra, April 2023, p. 36.

15 Suggestions include instructions on: whether cards can be used for coincidental private expenditure or cash withdrawals; when different types of cards can be used; transaction limits; requirements for cardholders to acknowledge possession and responsibilities; how and when reconciliations occur; documentation requirements for acquitting transactions; any additional approvals required (such as approval of cardholders’ own travel expenses); how cards are to be stored; and requirements to return cards when no longer required.

2 Credit cards are referred to as payment cards in the Department of Finance’s RMG 417, Supplier Pay On-Time or Pay Interest Policy, Finance, Canberra, 1 July 2022.

3 For 2021–22 and 2022–23, the NDIA’s total supplier expenses was reported as $1,084.3 million.

4 Australian Public Service Commission (APSC), State of the Service Report 2019–20, APSC, Canberra, 2021, available from https://www.apsc.gov.au/state-service/state-service-report-2019-20/chapter-2-supporting-recovery/pro-integrity-culture [accessed 21 March 2024].

5 APSC, Fact sheet: Upholding integrity, APSC, Canberra, 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/fact-sheet-upholding-integrity [accessed 18 March 2024].

6 New South Wales Independent Commission Against Corruption (NSW ICAC), Organisational culture and expectations, NSW ICAC, NSW, available from https://www.icac.nsw.gov.au/prevention/foundations-for-corruption-prevention/organisational-culture-and-expectations [accessed 18 March 2024].

7 National Anti-Corruption Commission (NACC), Integrity Outlook 2022/23, NACC, Canberra, 2023, p. 5, available from https://www.nacc.gov.au/resource-centre/reports [accessed 9 May 2024].

8 These audits included: Auditor-General Report No. 30 2022–23 Probity Management in Financial Regulators — Australian Prudential Regulation Authority, ANAO, Canberra, 2023, paragraphs 2.82 to 2.86; Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, ANAO, Canberra, 2023, paragraphs 2.69 to 2.76; Auditor-General Report No. 38 2022–23 Probity Management in Financial Regulators — Australian Competition and Consumer Commission, ANAO, Canberra, 2023, paragraphs 22, 2.99, and 2.106 to 2.111; and Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, ANAO, Canberra, 2021, paragraphs 4.30 and 4.42.

9 These audits included: Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, paragraph 4.81; and Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, ANAO, Canberra, 2019, paragraphs 18, 2.71 to 2.76, 2.89 to 2.91, and 3.77 to 3.97.

10 Department of Finance, Resource Management Guide (RMG) 206 Model Accountable Authority Instructions for corporate Commonwealth entities, Finance, Canberra, April 2023, p. 36.

11 Accountable authorities are responsible for the operations of Australian Government entities and can be individuals (such as Secretaries or Chief Executive Officers) or groups of individuals (such as governing boards). Officials include employees, officers or members of Australian Government entities (including directors and statutory office holders). Accountable authorities are also officials under the PGPA Act.

12 PGPA Act, section 27.

13 PGPA Act, paragraph 15(1)(a).

14 PGPA Act, section 16. Under paragraph 19(1)(e) of the PGPA Act, an accountable authority must notify the responsible minister of any significant issues affecting the entity, including any significant non-compliance with the finance law.

  • Section 8 of the PGPA Act provides that ‘finance law’ means the PGPA Act, or the rules made under section 101 of the PGPA Act, or any instrument made under the PGPA Act, or an Appropriation Act.
  • Department of Finance, Notification of significant non-compliance with finance law, RMG 214 (paragraphs 8, 9 and 10) sets out that significant non-compliance is determined by the accountable authority based on the specific circumstances, and can include high volume, high value or systemic issues reflecting internal control shortcomings or serious fraudulent activity by officials.

16 Relevant money is money that the Commonwealth or a corporate Commonwealth entity holds as cash or in a bank account.

17 Diners Club Pty Limited (Diners Club) was the credit provider under the travel and procurement payment services deed. On 1 June 2022, National Australia Bank Limited (NAB) acquired Diners Club Pty Ltd in Australia (Diners Club). From 24 November 2023, the travel and procurement payment services deed was novated to NAB.

18 Payment card is defined as a credit card, debit card, charge card or any other type of Commonwealth issued card, including virtual card, that is authorised to pay suppliers for goods and services received at the point of sale. An eligible payment is defined as a payment with a value less than $10,000 (inclusive of GST and merchant service fees) due to a supplier that is not associated with a multiple-payment contract or standing offer arrangement. The requirement only applies when the supplier can accept and request payment via payment card and merchant service fees charged are reasonable and sufficiently disclosed. Department of Finance, RMG 417, Supplier Pay On-Time or Pay Interest Policy, Finance, Canberra, 1 July 2022.

19 The NDIS was established in 2013 under the National Disability Insurance Scheme Act 2013 (NDIS Act). Functions of the NDIA are set out in section 118 of the NDIS Act.

20 For 2021–22 and 2022–23, total supplier expenses was reported as $1,084.3 million.

21 Australian Public Service Commission (APSC), State of the Service Report 2019–20, APSC, Canberra, 2021, available from https://www.apsc.gov.au/state-service/state-service-report-2019-20/chapter-2-supporting-recovery/pro-integrity-culture [accessed 21 March 2024].

22 APSC, Fact sheet: Upholding integrity, APSC, Canberra, 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/fact-sheet-upholding-integrity [accessed 18 March 2024].

23 New South Wales Independent Commission Against Corruption (NSW ICAC), Organisational culture and expectations, NSW ICAC, NSW, available from https://www.icac.nsw.gov.au/prevention/foundations-for-corruption-prevention/organisational-culture-and-expectations [accessed 18 March 2024].

24 National Anti-Corruption Commission (NACC), Integrity Outlook 2022/23, NACC, Canberra, 2023, p. 5, available from https://www.nacc.gov.au/resource-centre/reports [accessed 9 May 2024].

25 These audits included: Auditor-General Report No. 30 2022–23 Probity Management in Financial Regulators — Australian Prudential Regulation Authority, ANAO, Canberra, 2023, paragraphs 2.82 to 2.86; Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, ANAO, Canberra, 2023, paragraphs 2.69 to 2.76; Auditor-General Report No. 38 2022–23 Probity Management in Financial Regulators — Australian Competition and Consumer Commission, ANAO, Canberra, 2023, paragraphs 22, 2.99, and 2.106 to 2.11; and Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services — Enterprise Resource Planning Program: Tranche 1, ANAO, Canberra, 2021, paragraphs 4.30 and 4.42.

26 These audits included: Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, paragraph 4.81; and Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, ANAO, Canberra, 2019, paragraphs 18, 2.71 to 2.76, 2.89 to 2.91, 3.77 to 3.97.

27 PGPA Act, section 16.

28 PGPA Rule, section 10. This section of the PGPA Rule is referred to as the Fraud Rule.

29 Money is appropriated annually for the ordinary annual services of the government, including departmental supplier and other operating expenses for an entity. Department of Finance, Guide to Appropriations, Resource Management Guide 100, Finance, Canberra, 22 July 2022, available from https://www.finance.gov.au/publications/resource-management-guides/guide-appropriations-rmg-100 [accessed December 2023].

30 These arrangements are established through a coordinated procurement. Coordinated procurement refers to whole-of-government arrangements for procuring goods and services. Under the Commonwealth Procurement Rules (June 2023) corporate Commonwealth entities may opt-in to coordinated procurements.

31 Corporate Commonwealth entities can participate in these arrangements by completing a memorandum of understanding or a deed of participation with the Department of Finance.

32 Entities can, at their discretion, provide a Mastercard to travellers for meals and incidentals, and general purchasing expenditure.

33 Other arrangements include: travel is booked through QBT; airfares are purchased from a panel of 18 airlines; accommodation is purchased through AOT; and vehicle rental services are purchased through Hertz.

34 Accountable authorities may give instructions (referred to as accountable authority instructions) to officials of an entity about any matter relating to finance law (section 20A of the PGPA Act).

35 The Diners Club cards used for travel are virtual cards that are not issued to an individual.

36 From January 2021, under the Travel Arrangements, the NDIA was required to have either a memorandum of understanding or deed of participation with the Department of Finance (Finance) to participate in these travel arrangements. From September 2023, transition from Diners to National Australia Bank Limited (NAB) as the relevant provider for the Travel Arrangements (see footnote 17) commenced, leading to a refresh of documents under the Travel Arrangements, including deeds of participation. The NDIA and the Department of Finance executed a Participant Deed in November 2023 specifying the Travel Arrangements they will utilise.

37 Incomplete elements of the Deed included the contract date and the contract authority’s name and position.

38 Prior to March 2023, the SLT was known as the Executive Leadership Team (ELT).

39 This control was included in the draft risk register to treat two risks: ‘Non-compliance with regulatory reporting requirements’; and ‘Management of Agency and/or Scheme funds is based on inaccurate information or that does not comply with budgetary, regulatory or legislative requirements’. The draft risk register is discussed further at paragraph 2.32.

40 Quality assurance reviews are discussed at paragraphs 3.31 to 3.36.

41 For example, accommodation allowance is compliant with agreed rates, business airfares meet requirements in terms of staff level and flight duration, and a trip does not include claims for both private motor vehicle use and Hertz rental car costs.

42 The Risk Management Rules are a legislative instrument made by the Minister pursuant to section 125B of the National Disability Insurance Scheme Act 2013 (the NDIS Act).

43 The NDIA’s Risk Management Strategy states the list of strategic risks is to be approved by the Board annually. The NDIA’s risk appetite, to be approved by the Board annually, was ‘conservative’ for 2022–23.

44 The NDIA defines strategic risks as risks that could impact on the NDIA’s ability to execute the Corporate Plan. Strategic risks are reported to the Board by the ELT (and since March 2023 the SLT), and will be accompanied by material enterprise, group, divisional and project risks.

45 The Commonwealth Fraud Control Framework indicates that, although corporate Commonwealth entities (CCEs) such as the NDIA are not bound by the fraud policy and guidance, they do need to abide by the Fraud Rule at section 10 of the PGPA Act.

46 The Fraud Corruption Control Plan defines financial misappropriation (Trusted Insiders) as ‘manipulation and/or circumvention of agency processes, documentation and/or decisions for financial gain by Agency staff, contractors, or partners’.

47 Only credit card and travel non-compliances recorded in the financial system are reported to the Risk Advisory Branch by the Financial Control Branch (see paragraphs 2.17, 3.47, 3.51 and footnote 81).

48 The NDIA’s Risk Management Guide identifies these matters as key elements that should be included in Risk Action Plans developed by NDIA staff.

49 The credit card related controls are implemented through monitoring activities set out in policies and procedures.

50 Department of Finance, revised Commonwealth Risk Management Policy 2023, Element Six, Finance, Canberra, 2022, available from https://www.finance.gov.au/about-us/news/2022/revised-commonwealth-risk-management-policy-2023 and https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy [accessed 18 March 2024].

51 An applicant for a credit card must be (a) an ongoing employee and not in a probation period, unless approved by the CFO; (b) a non-ongoing employee with a contract greater than 12 months, unless approved by the CFO; or (c) an Executive Placement Program officer authorised by the CEO to approve NDIA expenditure.

52 Prior to December 2021, a credit card would be cancelled where: the corporate credit card had not been used in accordance with the policy; or there were continued incidents where the cardholder had not finalised the credit card acquittal process.

53 A traveller must submit a trip for approval in the NDIA’s finance and human resources system and have the trip approved prior to commencing travel.

54 Between March 2023 and September 2023, CEO pre-approval was required for all interstate travel. A pre-approval system was not introduced until 6 September 2023. Prior to the system being introduced, business areas were responsible for ensuring appropriate approval for travel; these pre-approvals were not captured in the finance and human resources system.

55 A financial delegation does not lead to an officer automatically being assigned the role of a spending approver in the finance and human resources system. Instead, an annual approved application must be submitted to the Services Australia travel team to be a travel spending approver.

56 The ANAO sampled 93 trips (see paragraph 3.28), including 25 trips by the current and previous Board Chair and acting Board Chair. Board members do not have a credit card.

57 The ANAO sampled: 117 credit card transactions (see paragraph 3.22), including 16 transactions made by the previous CEO and acting CEO; and 93 trips (see paragraph 3.28), including 26 trips by the current and previous CEO. The current CEO does not have a credit card.

58 Positional authority risk arises where subordinate officials are required to approve the expenses of senior officers and senior statutory officers. The ANAO made a recommendation to address positional authority at the Australian Competition and Consumer Commission, see Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission, paragraph 2.112.

59 For five applicants there were inconsistencies between the credit card applicants and credit training datasets indicating data integrity issues where the employee numbers in the application did not match the applicant’s employee number.

60 See Auditor-General Report No. 33 2015–16 Defence’s Management of Credit Cards and Other Transaction Cards, ANAO, Canberra, 2016, paragraph 2.38.

61 Email approvals occurred during the changeover to the NDIA’s financial system (between 1 July 2021 and 20 August 2021).

62 Credit cards may be cancelled or suspended where not used in accordance with policy (see paragraphs 3.55 and 3.56).

63 In the 2021–22 annual review, 59 of the 237 cardholders reviewed were SES officers or the CEO. In the 2022–23 annual review, 67 of 234 cardholders reviewed were SES officers. The current CEO commenced in October 2022 and does not have a credit card. No Board members had credit cards in 2021–22 or 2022–23.

64 Auditor-General Report No. 33 2015–16, Defence’s Management of Credit and Other Transaction Cards, paragraph 2.11.

65 Since December 2021, the Chief Financial Officer, Branch Manager Financial Control and Branch Manager Procurement and Corporate Services held higher transactional ($500,000 for the CFO and $250,000 for the Branch Managers) and monthly limits ($2 million for the CFO and $1 million for the Branch Managers). The NDIA Finance Policies state the limits are meant to only be exercised in exceptional circumstances. Between December 2021 and November 2022, the Director Finance also held increased monthly ($500,000) and transaction ($75,000) limits. Higher limits were introduced for business continuity purposes.

66 The Australian Taxation Office (ATO) sets out requirements for a valid tax invoice, including that where goods or services are supplied for more than $82.50 (inclusive of GST), the vendor must provide a valid tax invoice within 28 days of the supply. ATO, Tax invoices, ATO, Canberra, available from https://www.ato.gov.au/businesses-and-organisations/gst-excise-and-indirect-taxes/gst/tax-invoices [accessed December 2023].

67 These transactions involved two or more payments by a credit cardholder on the same day, with a total value of $10,000 or more, made to the same vendor, for similar or the same services. Separate invoices may have been issued by the vendor on the same or different days. The NDIA policies did not define split transactions or provide guidance on how to detect split transactions during daily assurance processes (see paragraph 3.34).

68 The NDIA HR Delegations and Financial Authorisations, July 2022 provide for the CEO to approve international and domestic travel to the value of $50,000; and for domestic travel only, the Executive Leadership Team can approve up to $20,000, an SES Band 1 and 2 can approve up to $10,000 and an EL2 can approve up to $2,000. A financial delegation does not lead to an officer automatically being assigned the role of a spending approver in the finance and human resources system (see footnote 55).

69 The CEO’s travel delegation was $50,000 from September 2021, and $30,000 prior to September 2021. The highest expenditure approved for a single trip was $24,510 in 2021–22 and $20,584 in 2022–23.

70 The NDIA Finance Policies require non-SES staff to obtain pre-approval for private motor vehicle use for travel. Approval is contingent on demonstrating private motor vehicle use represents value for money.

71 More than one acquittal workflow will exist where changes are made to a trip record after the initial acquittal; this could include situations where additional expenses are identified, or refunds or other adjustments occur.

72 More than one approval workflow will exist where changes are made to a trip record after the initial approval; this could include situations where additional expenses are identified or adjustments to approved expenses occur.

73 The NDIA’s weekly reporting procedures identify the following as common types of credit card related non-compliance breaches: splitting of invoice documentation, personal use of credit card, transactions not acquitted within 35 days, accommodation outside QBT without prior exemption, and purchase of Agency asset without CFO approval.

74 In 2021–22 and 2022–23, there were 5,044 and 6,881 credit card transactions (see Table 1.1), respectively.

75 In September 2023 a Shared Service Travel Compliance Framework for the NDIA was developed by Services Australia. It is largely consistent with Services Australia’s Travel Compliance Framework; the exceptions include that it excludes quarterly audits on relocations, and that it sets out the NDIA’s responsibilities, such as to review, investigate and action (where appropriate) reports on non-compliance.

76 The monthly audit program includes checking on records of accommodation allowance, excess travel costs reimbursements to ensure they are genuine, open items cleared for reconciliation in the general ledger, non-compliant use of business class airfare, motor vehicle allowance supporting documentation and records are appropriate, travel over the weekend appropriately recognised and costs of private components of travel, and to ensure that where AOT ancillary charges are incurred (for example, mini bar, room service, breakfast) they are paid by the employee.

77 The quarterly audit program includes checking compliance of employee permanent relocation and reunion trips with policy and that there is appropriate recovery of costs.

78 Services Australia reviews staff separations on a weekly basis to disable staff profiles.

79 An instance of non-compliance refers to one or more credit card transactions by a cardholder that were non-compliant. In most cases, one transaction will equate to one instance of non-compliance, whereas in cases such as transaction splitting (where a payment is split into more than one transaction) multiple transactions may be recorded as one instance of non-compliance.

80 A further instance of non-compliance relating to the use of a credit voucher rather than a credit card was reported in the PGPA survey results in 2022–23.

81 Monthly incident reporting is based on non-compliance reported in the financial system (see paragraph 2.17).

82 The NDIA advised the ANAO in April 2024 that the purpose of the travel slides is to highlight compliance for domestic travel with the Travel Arrangement’s Domestic Travel Policy across the NDIA. Commentary in the ‘travel slides’ states that these trips were ‘incorrectly coded to ‘outside of LFP policy’ policy code’ and instead should have been coded to compliant codes, and ‘records cannot be amended once a traveller chooses a policy code’. In November 2023, the NDIA advised the ANAO that 39 trips are compliant with the Travel Arrangement’s Domestic Travel Policy noting that these trips were incorrectly coded.

83 In April 2024, the NDIA advised the ANAO that there have been no instances of non-compliance that require this type of action.

84 One (non-SES) cardholder took three months to make the repayment. The SES cardholder who had not made a repayment was invoiced $11.70 in June 2023. Repayment took two months. There was no evidence that repayment was monitored through weekly reports to the Branch Manager, Financial Control (see paragraphs 2.16 and 2.18).

85 Services Australia did not make a recommendation to the NDIA for every non-compliance reported in the quarterly compliance reports, see paragraph 3.46 and Table 3.3. This explains why the number of recommendations does not reconcile with the number of non-compliances reported.