Electronic Travel Authority Follow-up Audit
The Electronic Travel Authority
Any non-citizen who wishes to visit Australia must have a valid visa. Most visitors use an Electronic Travel Authority (ETA) visa, obtained from the Department of Immigration and Citizenship (DIAC). ETAs are available to visitors from a limited range of ‘low risk’ countries and are obtained quickly and conveniently, by computer, from their overseas location.
DIAC designed the ETA in the 1990s, when there was pressure to make international travel easier and the security environment was more benign. Adopting the ETA allowed Australia to maintain its universal visa system while making it easier for visitors to get a visa and, in addition, allowing Australians easier access to some overseas countries.
The ANAO completed a performance audit of the ETA and its supporting systems in July 1999.[1] It concluded that the ETA system is an innovative, Australian-developed system which had the support of the travel industry, delivered efficiencies and made issuing visas more effective. The ANAO made nine recommendations to improve DIAC's administration of the ETA. They related to IT security; management of data; relationships with travel agents and other third parties involved in delivering the ETA; and contract and financial management. DIAC accepted all recommendations.
Audit objective and scope
The objective of this audit is to examine DIAC's implementation of the nine recommendations made in the earlier audit. The audit has also taken into account changed circumstances since the original audit. These include a heightened security environment after 11 September 2001 and the results of other relevant ANAO performance audit and financial statement work.
The audit also examined ETA decision-making processes to gain assurance about its robustness in a changing risk environment. This issue came to attention in recent audits of visa management processes.
The ANAO concluded that DIAC had implemented the recommendations from the earlier audit. Six had been fully implemented, one substantially implemented and two partially implemented. Set out below in the key findings are the original recommendations as agreed by DIAC, and a summary of the ANAO's assessment of progress against each.
In implementing the recommendations and revising arrangements DIAC has improved its administration of the ETA. Two areas relating to the original audit warrant further attention. These concern completing work to improve the robustness of DIAC's computer link with its contractor and specifying, in its Memorandum of Understanding with Customs, performance information for passenger processing.
The ANAO considers that there are opportunities for improvement in ETA decision-making processes. These reflect areas where regulations and administrative practice are no longer fully aligned. DIAC has undertaken to review the ETA regulations with a view to aligning policy and practice.
The ANAO also considers that the completeness of data entered into the Movement Alert List (MAL)[2] would be improved if DIAC introduced a programme of quality assurance. This would give the department greater confidence in its decision-making when assessing ETA applications. In addition, DIAC could improve compliance by ETA visa-holders visiting Australia by ensuring that they are more aware of their visa conditions. DIAC has advised it will review ways to better inform clients about visa conditions.
ETA computer system security (Chapter 2)
Original recommendation 1: The ANAO recommends that, to ensure that the required level of security is achieved for the ETA information technology environment, DIAC develop and institute appropriate:
- change and password control procedures;
- UNIX security policies and procedures;
- telecommunications and mainframe security procedures; and
- procedures which ensure ongoing review of the ETAS [ETA System] security arrangements to provide assurance about the required level of security.
DIAC has substantially implemented this recommendation. It has proceeded appropriately after the original audit by:
- satisfying itself that its contractor had addressed all of the specific IT security matters raised; and
- basing its subsequent Security Risk Management Plan on the requirements of Australian Government standards set out in Australian Government Information Technology Security Manual—Australian Communication—Electronic Security Instruction 33 (ACSI 33). Work has begun but is not yet complete on one of the recommendations set out in that plan to implement redundancy in its communications links.
DIAC has advised that the ETA system has not been subject to substantial security violations and is performing with a high degree of reliability. It has begun work to upgrade its computer link with its contractor to improve the robustness of that link. It has yet to implement a capacity to verify independently the system performance information provided by its contractor.
The Movement Alert List (Chapter 3)
Original recommendation 2: The ANAO recommends that DIAC develop standard operating procedures for:
- entering and following-up information provided by law enforcement agencies to provide adequate assurance of data quality; and
- reviewing new MAL entries on a risk managed basis to ensure information is relevant, adequate and listed correctly.
Original recommendation 3: To develop a cooperative and effective working relationship with law enforcement agencies, the ANAO recommends that DIAC establish formal liaison arrangements with these agencies, such as a forum on MAL-related issues or incorporate MAL into an appropriate, existing, discussion forum.
DIAC has fully implemented these recommendations.
DIAC has provided evidence of regular cooperation with law enforcement agencies through the Heads of Commonwealth Operational Law Enforcement Agencies (HOCOLEA) meetings and law enforcement working group meetings. In addition, it has also formalised its relationship with some law enforcement agencies through Memoranda of Understanding (MoU).
DIAC acknowledges that MAL data quality is a continuing challenge. However, the ANAO considers that DIAC has provided adequate evidence of progress in procedures for entering and reviewing MAL entries.[3]
DIAC and external parties (Chapter 4)
Original recommendation 4: The ANAO recommends that, to manage the quality of travel agents' contribution to the ETA system, DIAC should develop:
- a long-term strategy for providing guidance, training and support services to travel agents; and
- effective quality control processes to ensure data integrity.
DIAC has fully implemented this recommendation. ETA system [ETAS] training and support is readily available for both travel agents and airlines. Travel agents and airlines can access hard-copy and online information, and can discuss any issues with post staff, telephone help desk staff and Airport Liaison Officers [ALOs]. In addition, the introduction of a data validation screen was a useful step towards improving the integrity of data entered into ETAS.
Original recommendation 5: The ANAO recommends that DIAC negotiate a MoU or a service agreement with ETA airlines. This could cover issues such as: service standards; arrangements for reviewing these standards; the procedures and the circumstances for handling infringements; responsibilities of parties involved; and arrangements for ongoing training and support.
DIAC has fully implemented this recommendation. Advance Passenger Processing (APP) is now compulsory for all airlines flying to Australia and it is no longer necessary that DIAC have MoUs with these airlines. Airline infringements, which were growing in 1999, have dropped since APP became mandatory in 2003, and are no longer a substantial concern.
MoU with Customs
Original recommendation 6: The ANAO recommends that DIAC, in consultation with the Australian Customs Service, complete the development of a MoU or a service agreement to facilitate passenger processing at the primary line and to establish performance standards in relation to cost and quality of checks undertaken.
DIAC has partially implemented this recommendation. It introduced an MoU with Customs in 2002, and has activities such as joint training exercises in place, which should improve staff skills in passenger processing.
DIAC has not, however, established the recommended performance standards to assess passenger processing performance. The ANAO considers it is important to do this to provide DIAC with assurance that Customs is achieving the appropriate balance between timeliness and quality. This would also enable Customs to monitor its own performance.
Systems development processes (Chapter 5)
Original recommendation 8: The ANAO recommends that DIAC adopt a formal and visible approach to approval and accountability for future significant developments. This may include:
- reviewing the overall effectiveness of the systems development processes; and
- drawing out lessons for the future.
DIAC has partially implemented the original recommendation. Audit testing during the course of annual ANAO financial statements work for 2006–07 has found evidence of improvement to change management. However, IT project governance and systems development methodology remain critical issues, given the scale of DIAC's current IT developments and their importance in supporting DIAC's substantial change programme. These issues will continue to be examined as part of the ANAO's ongoing work on DIAC's financial statements, and will be reported in the ANAO's report on the financial statements of Australian Government entities.
Contract and financial management (Chapter 6)
Following the original audit in 1999, Audit Report No. 34 2005–06, Advance Passenger Processing (APP) also made a recommendation relevant to contract management. The APP system, developed as an enhancement to ETAS, allows the particulars of travellers to be checked before boarding at an overseas port. It was included as a variation to the ETA contract. In this audit, the ANAO considered the APP recommendation concurrently with Recommendation 7 of the original ETA audit.
Original recommendation 7: The ANAO recommends that, to ensure the Commonwealth's interests are adequately protected, DIAC:
- devote appropriately trained and experienced resources to managing its contract with [its contractor]; and
- seek revised contractual provisions at an opportune time that would better protect the Commonwealth interests, (for example, access to documents and systems and contingency provisions for accountability purposes).
APP Recommendation 3: To assist in protecting the interests of the Commonwealth in its dealings with external parties, the ANAO recommends that DIAC:
- identify its contract management risks relating to APP, analyse these risks, implement treatments, and monitor and review the success of its controls;
- consider developing a performance-based contract by linking its contractor's fee base to key performance areas and outcomes for APP;
- establish a performance management system relating to service levels for APP;
- maintain and organise contract-related documentation for easy and reliable access; and
- define processes and procedures to assist in managing contract variations relating to APP.
DIAC has fully implemented these recommendations. The ANAO's review of the new contract shows that it addresses the findings of both the original ETA audit and the subsequent APP audit. For example, the contract requires that appropriately trained and experienced resources manage the contract, and includes strengthened contingency provisions. During the audit's fieldwork, these contract management arrangements were being put in place.
Original recommendation 9: The ANAO recommends that DIAC establish procedures to enable it to verify that invoiced services have been delivered prior to certification of contract payments.
DIAC has fully implemented this recommendation. Under the new contract, invoices are simpler because charges have been streamlined into one agreed monthly service charge. In addition, an enhanced system enables DIAC staff to track the contractor's progress more easily when they are completing development tasks.
ETA decision-making and risk (Chapter 7)
The audit also examined ETA decision-making processes to gain assurance about its robustness in a changing risk environment. This came to attention in recent audits of visa management processes.
ETAs are available only to a selected group of ‘low-risk’ countries, based on DIAC's risk-rating. Having a valid passport from one of those countries is a criterion that must be met by an applicant to be granted an ETA. When it receives an application from a person with an ETA-eligible passport, DIAC must make a decision, based on the information it gathers, whether to grant or refuse to grant an ETA visa. These decisions must be made in accordance with the Migration Act 1958 and Migration Regulations 1994. However, there are several areas where the requirements and administrative practice are no longer fully aligned, for example, the testing of the bona fides and the health status of applicants. DIAC has undertaken to review the regulations for the ETA with a view to bringing policy and practice into alignment.
Making visa-holders aware of their visa conditions (such as work rights while in Australia) is important in achieving compliance with those conditions. DIAC has acknowledged that ETA-holders, who form a quarter of the overstayer population, are currently unlikely to be aware of their visa conditions. DIAC has agreed to examine ways in which clients can be better informed about the conditions of their ETAs.
In examining ETA decision-making the ANAO found that DIAC does not quality assure the data it enters into MAL. The completeness of this data and promptness of data entry is important because DIAC uses MAL to help it decide whether ETA applicants satisfy regulatory criteria. The ANAO has recommended that DIAC undertake a programme of quality assurance in this area.
The Department welcomes the follow-up performance audit of the ETA and agrees with the two recommendations. The findings of the audit will be used to build on the ongoing work to enhance the ETA, and will contribute to the strengthening of it as a key plank of DIAC's layered approach to border management.
The ANAO report concluded that DIAC had implemented the recommendations from the earlier audit, while noting that more work is required in relation to some recommendations.
The ETA remains cutting edge technology in terms of visa facilitation and border security. Around 3.5 million ETAs are issued by Australia each year, with 26 million issued since the system was established in 1996.
The ETA system continues to provide benefits to all parties. DIAC is able to conduct the necessary checks as applicants make their travel plans, and applicants themselves have more certainty as they are granted a travel authority electronically before embarking on an international trip. In addition, airlines have seen their infringement fines (for bringing undocumented passengers to Australia) plummet.
Australia continues to be a pioneer in the electronic visa regime. Subsequent to the introduction of the ETA, eVisa arrangements were introduced for overseas students and working holiday makers who could apply online for a visa. The technology has been well received, vastly reducing waiting times and manual processing demands on DIAC staff, while security procedures have remained paramount.
We are also pleased to note that the ANAO has confirmed the Department's contract and financial arrangements with the service provider. The new contract provides DIAC with more certainty; greater flexibility; includes comprehensive service levels and enhanced governance arrangements.
[1] ANAO Audit Report No.3 1999–2000 Electronic Travel Authority.
[2] The Movement Alert List is a computer database that holds information about people and travel documents of immigration or security concern to Australia.
[3] A potential performance audit of MAL to commence in 2007 is expected to examine in detail, inter alia, the issue of data quality within MAL.