Browse our range of reports and publications including performance and financial statement audit reports, assurance review reports, information reports and annual reports.
Implementation of Procurement Reforms: Digital Transformation Agency and Department of Finance

Please direct enquiries through our contact page.
Audit snapshot
Why did we do this audit?
- Auditor-General Report No.5 2022–23 Digital Transformation Agency’s procurement of ICT related-services found that the Digital Transformation Agency’s (DTA) procurement of ICT-related services was ineffective.
- The Joint Committee of Public Accounts and Audit (JCPAA) conducted an inquiry into procurement including the Auditor-General’s report and recommended a follow up audit on DTA’s procurement reforms.
- This audit assessed if the Department of Finance (Finance) and the DTA successfully implemented the 11 JCPAA and Auditor-General recommendations. A sample of four DTA procurements was assessed to determine the success of the DTA’s procurement reforms and its processes to achieve value for money.
Key facts
- The four sampled DTA procurements assessed in this audit with start dates in 2023–24, had a combined reported value of $2.1 million.
What did we find?
- The DTA has been partly effective in implementing its procurement reforms.
- Of the two JCPAA recommendations, the DTA implemented one and largely implemented the other.
- The DTA largely implemented six of the eight Auditor-General recommendations and partly implemented two recommendations.
- Finance implemented the one selected Auditor-General recommendation.
- The DTA was partly effective in conducting procurement processes to achieve value for money.
What did we recommend?
- There were five recommendations to the DTA aimed at improving the DTA’s arrangements for implementing recommendations and procurement practices.
- The DTA agreed with the recommendations.
6 out of 8
Auditor-General recommendations were largely implemented by the DTA.
1 out of 4
delegates for the sampled procurements completed a conflict-of-interest declaration.
Summary and recommendations
Background
1. Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services (Auditor-General Report No. 5 2022–23) assessed the effectiveness of the Digital Transformation Agency’s (DTA’s) procurement of ICT-related services. The audit report was tabled in the Parliament in September 2022 and concluded that the DTA’s:
- procurement of ICT-related services had been ineffective for nine procurements examined by the Australian National Audit Office (ANAO);
- implementation and oversight of its procurement framework had been weak;
- conduct of procurements had not been effective and its approach fell short of ethical requirements; and
- the DTA’s management of contracts for the procurements examined was not effective.1
2. Auditor-General Report No. 5 2022–23 included nine recommendations. Eight were directed to the DTA and were agreed to. These recommendations were aimed at improving compliance with the Commonwealth Procurement Rules (CPRs) and ensuring officials have a sufficient understanding of procurement requirements (see Appendix 3, Table A.3 for full details of the recommendations). The remaining recommendation (Recommendation 5) was directed to the Australian Government. The Department of Finance (Finance), as the entity with responsibility for administering the procurement framework, ‘noted’ rather than agreed or disagreed to the recommendation, which is normal practice for these types of recommendations.2
3. On 30 September 2022, the Joint Committee of Public Accounts and Audit (JCPAA) commenced an inquiry into Commonwealth procurement to ‘with a view to improving the culture of how procurement rules and guidelines are implemented across the Australian Public Service.’3
4. In August 2023, the JCPAA tabled Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement (Report 498). Report 498 included 19 recommendations. Recommendations 11 and 13 are in the scope of this audit (see Appendix 3, Table A.3). These recommendations related to the DTA updating the JPCAA on the progress of improvements to its procurement processes and its audit committee reviewing procurement risk and controls; and the DTA ensuring that procurement is subject to the agency’s internal audit program. The DTA agreed to these recommendations in January 2024.4
Rationale for undertaking the audit
5. Parliamentary committee and Auditor-General reports provide recommendations to address identified risks related to the successful delivery of government outcomes. The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of a parliamentary inquiry or ANAO audit and demonstrating accountability to the Parliament. This audit provides assurance to the Parliament as to whether the recommendations directed to the DTA and the one recommendation directed to the Australian Government5 were implemented, as agreed, and whether the procurement reforms were successful.
6. The JCPAA recommended in Report 498 that:
the Australian National Audit Office consider conducting a follow up audit within three years of the tabling of this report to determine the success or otherwise of the Digital Technology Agency’s procurement reforms.6
7. The ANAO agreed to the recommendation in December 2023 and advised the JCPAA that ‘The ANAO will include a follow-up audit on the Digital Transformation Agency’s procurement processes in the ANAO’s 2024–25 Annual Audit Work Program.’7
Audit objective and criteria
8. The objective of the audit was to assess the effectiveness of the implementation of procurement reforms by the DTA and Finance following on from Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT-related services.
9. To form a conclusion against the audit objective, the following high-level criteria were adopted.
- Have the DTA and Finance effectively implemented selected Joint Committee of Public Accounts and Audit and Auditor-General recommendations?
- For a sample of procurements, has the DTA conducted an effective procurement process to achieve value for money?
Procurements examined in this audit
10. The ANAO selected a sample of four procurements (one procurement resulted in two separate contracts) undertaken by the DTA with AusTender8 publication dates ranging from March to July 2024. The details of the procurements and contracts are outlined in Table 3.1.
11. The sample did not include procurements related to whole-of-government arrangements, which are set up for Commonwealth entities to use when procuring certain goods or services.9 The DTA advised the ANAO in August 2024 that the reforms relating to the implementation of recommendations had not been applied to the DTA’s whole-of-government procurement activities.10 This is discussed further in paragraphs 2.26 to 2.30.
Conclusion
12. The DTA has been partly effective in implementing its procurement reforms. The improvements expected through the implementation of recommendations have not yet been embedded and do not yet ensure that the DTA’s procurement processes fully comply with the Commonwealth Procurement Rules (CPRs) and their intent of achieving value for money. The ANAO observed improvements in the DTA’s internal procurement activities when compared to Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services. Areas for improvement remain, including ensuring that policies and procedures are followed and newly implemented arrangements are effective. Finance has implemented the one recommendation made to the Australian Government in Auditor-General Report No. 5 2022–23.
13. The DTA and Finance had elements of implementation plans and monitored the implementation of selected recommendations, however neither assigned risk ratings to the recommendations. Of the two selected JCPAA recommendations, the DTA implemented one and largely implemented the other. Of the eight selected Auditor-General recommendations, six were largely implemented and two were partly implemented. Improvements expected through the implementation of recommendations have not been fully embedded. The DTA’s arrangements for closing parliamentary committee and Auditor-General recommendations were not fit for purpose and resulted in the recommendations being closed and reopened between August 2023 and September 2024. The DTA’s Audit and Risk Committee (ARC) raised concerns with the DTA’s advice to the JCPAA in January 2024 that the recommendations had been implemented. Finance implemented the one selected Auditor-General recommendation and closed the recommendation in accordance with its internal requirements.
14. The DTA was partly effective in conducting procurement processes to achieve value for money. Improvements introduced by the DTA in response to the recommendations from Auditor-General Report No. 5 2022–23 were partly embedded. The DTA partly complied with selected requirements of the CPRs and for two of the four sampled procurements decision-making was not sufficiently accountable and transparent. For the sampled four procurements, the DTA’s planning and approaches to market were largely appropriate. There were shortcomings in the DTA’s processes to identify, analyse, allocate and treat risk during the procurements. The DTA’s Probity Guidelines were not adhered to and the conduct of one procurement fell short of ethical standards as established in the CPRs where suppliers undergoing evaluation were not treated equitably. For two of the four procurements, documentation in evaluation reports fell short of the expectations established in the CPRs in terms of the consideration of value for money. AusTender reporting for all four procurements contained incorrect information. For one contract, two of four payments were not paid within the agreed payment terms and one payment was made to an incorrect bank account of the supplier. One contract was extended when there was no provision for extension. One amendment did not have the appropriate documented delegate approval before being executed and one amendment was executed after the contract expired.
Supporting findings
Implementation of recommendations
15. For the selected JCPAA and Auditor-General recommendations, the DTA assigned responsible officers, set timeframes and established action items to support the implementation of the recommendations. The DTA did not assign risk ratings, which would help to prioritise resources and identify business impacts if the recommendations were not implemented as intended.
16. For the one selected Auditor-General recommendation, Finance assigned responsibility for implementation, established a timeframe and identified action items to support the implementation. Finance did not assign a risk rating. (See paragraphs 2.2 to 2.8)
17. The DTA monitored the implementation of the two selected JCPAA recommendations and eight selected Auditor-General recommendations. The DTA implemented one of two JCPAA recommendations within the planned timeframe. The DTA did not implement the eight selected Auditor-General recommendations within the planned timeframes.
18. Finance monitored the implementation of the one selected Auditor-General recommendation and implemented the recommendation in accordance with the planned timeframe. (See paragraphs 2.9 to 2.21)
19. The DTA implemented one of the two selected JCPAA recommendations and largely implemented the other. For the eight selected Auditor-General recommendations, the DTA largely implemented six and partly implemented two recommendations.
20. The DTA did not have documented closure processes for parliamentary committee and Auditor-General recommendations, which are important to ensure agreed recommendations are implemented in full and required improvements are embedded. The Auditor-General recommendations were closed in August 2023 and the DTA advised the JCPAA in January 2024 that the recommendations had been implemented. In March 2024, the DTA’s ARC requested that the Auditor-General recommendations be reopened. The recommendations were closed a second time without documented support from the DTA ARC in September 2024.
21. Finance implemented the one selected Auditor-General recommendation. The recommendation was closed in accordance with Finance requirements. (See paragraphs 2.22 to 2.43)
Procurement processes and value for money
22. Planning considerations were documented for three of the four sampled procurements.
23. Planning documentation for the limited tender office fitout procurement did not document the evaluation criteria, the planned evaluation process, procurement risk, justification for the suppliers to be approached or the proposed evaluation panel.
24. There were shortcomings in the DTA’s processes to identify, analyse, allocate and treat risk for the sampled procurements due to deficiencies with the DTA’s risk management guidance and its application of this guidance in practice.
25. Evaluation panel members for two of the four sampled procurements completed conflict-of-interest declarations after signing the evaluation report. One of the four sampled procurement delegates, who are authorised to make decisions and take action on behalf of the DTA, completed a conflict-of-interest declaration and recorded it in the register, as required by DTA policy. The conduct of one procurement fell short of ethical standards established in the CPRs as suppliers undergoing evaluation were not treated equitably.
26. For two of the four procurements, documentation in evaluation reports fell short of the expectations established in the CPRs in terms of the consideration of value for money. Unsuccessful tenderers were notified and debriefs provided upon request in three of the four selected procurements.
27. Contract details for the procurements were published on AusTender within the required 42 day period. One contract amendment was reported 187 days late. AusTender reporting for all four procurements contained incorrect information.
28. There were deficiencies in maintaining complete procurement records relating to aspects of planning, management of conflicts of interests and value for money assessments. (See paragraphs 3.3 to 3.79)
29. The DTA obtained delegate approval to enter into the original five procurement contracts.
30. All contracts supporting the procurements were amended. One contract was extended when there was no provision to extend the contract. For another contract, the decision to vary the contract was documented after the variation had been executed. One variation was executed after the previous contract had expired, which is inconsistent with Finance’s guidance.
31. Advice to delegates (decision-makers) did not demonstrate how the preferred tenderers represented value for money in two of the four sampled procurements. For one of the four procurements, it was not documented how a conflict of interest was managed for all stages of the procurement activity.
32. For four of five contracts reviewed, the DTA’s payments to suppliers were timely and accurate. The DTA’s payment records were complete. For one contract, two of four payments were not paid within the agreed payment terms and one payment was made to an incorrect bank account of the supplier. (See paragraphs 3.80 to 3.107)
Recommendations
Recommendation no. 1
Paragraph 2.38
The Digital Transformation Agency strengthen its arrangements for implementation of parliamentary committee and Auditor-General recommendations by:
- documenting arrangements for implementation planning, monitoring, independent oversight and closure of recommendations; and
- establishing a requirement for Audit and Risk Committee scrutiny of recommendations prior to formal closure, and for consideration to be clearly documented.
Digital Transformation Agency response: Agreed.
Recommendation no. 2
Paragraph 3.42
To ensure conflicts of interest are identified and effectively managed, the Digital Transformation Agency establish a clear requirement that all procurement delegates make activity-specific conflict-of-interest declarations for each procurement activity in which they are involved and that they are included in the conflict-of-interest register.
Digital Transformation Agency response: Agreed.
Recommendation no. 3
Paragraph 3.51
In finalising the implementation of the recommendations from Auditor-General Report No. 5 2022–23, the Digital Transformation Agency should strengthen its probity arrangements by ensuring all:
- officials involved in procurements receive training on probity requirements; and
- delegates are provided with assurance that officials involved in a procurement process have complied with the Commonwealth Procurement Rules ethical requirements and the DTA’s probity requirements prior to approval.
Digital Transformation Agency response: Agreed.
Recommendation no. 4
Paragraph 3.91
The Digital Transformation Agency strengthen its arrangements for contract amendments by:
- establishing clear guidance on internal requirements for contract amendments, including within the DTA’s delegation instrument; and
- ensuring contract variations are documented in compliance with section 18 of the Public Governance, Performance and Accountability Rule 2014.
Digital Transformation Agency response: Agreed.
Recommendation no. 5
Paragraph 3.98
The Digital Transformation Agency strengthen procurement decision-making practices by ensuring delegates consider the completeness and quality of documented advice regarding value for money before providing approval for the commitment of public money.
Digital Transformation Agency response: Agreed.
Summary of entity response
33. Extracts of the proposed report were provided to the DTA and Finance. Summary responses from the entities are reproduced below. Full responses are in Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Digital Transformation Agency
The Digital Transformation Agency (DTA) acknowledges the ANAO’s report and observation that improvements have been made in the DTA’s internal procurement activities, noting that there are still areas we can improve on.
The DTA welcomes the ANAO’s conclusion that for the procurements examined, planning and approaches to market were largely appropriate, and our practice of seeking quotations from multiple suppliers to promote competition was sound. However, the DTA considers the overall conclusion of “partly effective” does not reasonably reflect the significant efforts applied to improve procurement practices nor the reflection of substantially implementing the original recommendations.
Regarding the labour hire procurement, the DTA asserts that contact with one supplier was to address a specific ambiguity rather than to provide any unfair advantage. We are actively tightening our processes to ensure more consistent and equitable supplier engagement in future procurements.
The DTA accepts all five ANAO recommendations and has already initiated the corresponding improvements. This approach will facilitate the effective integration of enhanced processes and controls, ensuring their proper operation as intended.
Department of Finance
The Department acknowledges the opportunity to comment on the report, noting the Department was provided with an extract only.
The Department welcomes the finding that the sampled recommendation for which the Department was responsible has been implemented.
The Department continues to mature its planning and implementation of recommendations, including integrating a residual risk rating into implementation requirements, and Ongoing work to publish guidance and templates reflecting better practice, including the assignment of action ownership.
The Department notes the guidance contained in this report and acknowledges the opportunity to continuously improve in line with this and related audit reports.
Key messages from this audit for all Australian Government entities
34. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.
Governance and risk management
Procurement
1. Background
Introduction
1.1 Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services (Auditor-General Report No. 5 2022–23) assessed the effectiveness of the Digital Transformation Agency’s (DTA’s) procurement of ICT-related services. The audit report was tabled in the Parliament in September 2022 and concluded that the DTA’s:
- procurement of ICT-related services had been ineffective for nine procurements examined by the Australian National Audit Office (ANAO);
- implementation and oversight of its procurement framework had been weak;
- conduct of procurements had not been effective and its approach fell short of ethical requirements; and
- the DTA’s management of contracts for the procurements examined was not effective.11
1.2 Auditor-General Report No. 5 2022–23 included nine recommendations, of which eight were directed to the DTA and were agreed to. These recommendations were aimed at improving compliance with the Commonwealth Procurement Rules (CPRs) and ensuring officials have a sufficient understanding of procurement requirements (see Appendix 3, Table A.3) for full details of the recommendations). The remaining recommendation (Recommendation 5) was directed to the Australian Government. The Department of Finance (Finance), as the entity with responsibility for administering the procurement framework, ‘noted’ rather than agreed or disagreed to the recommendation, which is normal practice for these types of recommendations.12
Parliamentary inquiry
1.3 On 30 September 2022, the Joint Committee of Public Accounts and Audit (JCPAA) commenced an inquiry into Commonwealth procurement ‘with a view to improving the culture of how procurement rules and guidelines are implemented across the Australian Public Service.’13
1.4 In August 2023, the JCPAA tabled Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement (Report 498). Report 498 included 19 recommendations. Recommendations 11 and 13 are in the scope of this audit (see Appendix 3, Table A.3). These recommendations related to the DTA updating the JPCAA on the progress of improvements to its procurement processes and its audit committee reviewing procurement risk and controls; and the DTA ensuring that procurement is subject to the agency’s internal audit program. The DTA agreed to these recommendations in January 2024.14
Rationale for undertaking the audit
1.5 Parliamentary committee and Auditor-General reports provide recommendations to address identified risks related to the successful delivery of government outcomes. The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of a parliamentary inquiry or ANAO audit and demonstrating accountability to the Parliament. This audit provides assurance to the Parliament as to whether the recommendations directed to the DTA and the one recommendation directed to the Australian Government15 were implemented, as agreed, and whether the procurement reforms were successful.
1.6 The JCPAA recommended in Report 498 that:
the Australian National Audit Office consider conducting a follow up audit within three years of the tabling of this report to determine the success or otherwise of the Digital Technology Agency’s procurement reforms.16
1.7 The ANAO agreed to the recommendation in December 2023 and advised the JCPAA that ‘The ANAO will include a follow-up audit on the Digital Transformation Agency’s procurement processes in the ANAO’s 2024–25 Annual Audit Work Program.’17
Audit approach
Audit objective, criteria and scope
1.8 The objective of the audit was to assess the effectiveness of the implementation of procurement reforms by the DTA and Finance following on from Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s procurement of ICT-related services.
1.9 To form a conclusion against the audit objective, the following high-level criteria were adopted.
- Have the DTA and Finance effectively implemented selected Joint Committee of Public Accounts and Audit and Auditor-General recommendations?
- For a sample of procurements, has the DTA conducted an effective procurement process to achieve value for money?
Procurements examined in this audit
1.10 The ANAO selected a sample of four procurements (one procurement resulted in two separate contracts) undertaken by the DTA with AusTender18 publication dates ranging from March to July 2024. The details of the procurements and contracts are outlined in Table 3.1.
1.11 The sample did not include procurements related to whole-of-government arrangements, which are set up for Commonwealth entities to use when procuring certain goods or services.19 The DTA advised the ANAO in August 2024 that the reforms relating to the implementation of recommendations had not been applied to the DTA’s whole-of-government procurement activities.20 This is discussed further in paragraphs 2.26 to 2.30.
Audit methodology
1.12 The audit methodology included:
- reviewing entity documentation such as internal guidance, management reports, audit and risk committee papers, meeting minutes, and other supporting evidence relevant to the scope of this audit; and
- conducting meetings with relevant DTA and Finance senior officials and officers involved in the implementation of recommendations and procurement activities.
1.13 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $857,000.
1.14 The team members for this audit were Grace Guilfoyle, James Sheeran, Jo Rattray-Wood, Irena Robertson, Pam O’Connor, Elias Alikhani, Alannah Perry, Malinda Donny and Susan Drennan.
2. Implementation of recommendations
Areas examined
This chapter examines whether the Digital Transformation Agency (DTA) and the Department of Finance (Finance) effectively implemented selected Joint Committee of Public Accounts and Audit (JCPAA) and Auditor-General recommendations.
Conclusion
The DTA and Finance had elements of implementation plans and monitored the implementation of selected recommendations, however neither assigned risk ratings to the recommendations.
Of the two selected JCPAA recommendations, the DTA implemented one and largely implemented the other. Of the eight selected Auditor-General recommendations, six were largely implemented and two were partly implemented. Improvements expected through the implementation of recommendations have not been fully embedded.
The DTA’s arrangements for closing parliamentary committee and Auditor-General recommendations were not fit for purpose and resulted in the recommendations being closed and reopened between August 2023 and September 2024. The DTA’s Audit and Risk Committee (ARC) raised concerns with the DTA’s advice to the JCPAA in January 2024 that the recommendations had been implemented.
Finance implemented the one selected Auditor-General recommendation and closed the recommendation in accordance with its internal requirements.
Areas for improvement
The ANAO made one recommendation to the DTA aimed at documenting and strengthening arrangements for implementing parliamentary committee and Auditor-General recommendations.
The ANAO identified three opportunities for improvement relating to: assignment of risk ratings to parliamentary committee and Auditor-General recommendations; implementing the Auditor-General recommendations within the scope of this audit to all procurement activities conducted by the DTA; and establishing assurance mechanisms to ensure all relevant staff complete procurement-related training.
2.1 Previous ANAO audits relating to the implementation of parliamentary committee and Auditor-General recommendations have identified that the successful implementation of recommendations requires:
- effective implementation planning;
- having systems in place to monitor and track the implementation of recommendations; and
- oversight and assurance of implementation.21
Did the DTA and Finance develop fit-for-purpose implementation plans for each of the selected recommendations?
For the selected JCPAA and Auditor-General recommendations, the DTA assigned responsible officers, set timeframes and established action items to support the implementation of the recommendations. The DTA did not assign risk ratings, which would help to prioritise resources and identify business impacts if the recommendations were not implemented as intended.
For the one selected Auditor-General recommendation, Finance assigned responsibility for implementation, established a timeframe and identified action items to support the implementation. Finance did not assign a risk rating.
2.2 Timely and effective implementation of recommendations is facilitated by fit-for-purpose implementation plans that clearly identify the intent of the recommendations and associated actions, set clear responsibilities and timeframes for addressing required actions and measures of success and/or outcomes to be realised.22 Where implementation plans are not prepared, past audit evidence indicates that actions are not always implemented to address the identified issue, not implemented in a timely way, or not implemented at all.23 Determining what constitutes fit for purpose will depend on the size of the entity, the nature of its business, its governance structure, and the number and frequency of recommendations requiring attention.
2.3 Table 2.1 outlines the ANAO’s assessment of the DTA’s and Finance’s practices for implementation planning for JCPAA and Auditor-General recommendations.
Table 2.1: Assessment of implementation planning practices for JCPAA and Auditor-General recommendations, as at May 2025
ANAO’s assessment of implementation planning practices |
DTAa |
Financea |
Does the entity develop implementation plans for recommendation implementation? |
▲b |
▲c |
Does the entity assign responsibility for recommendation implementation? |
▲ |
◆ |
Does the entity set timeframes for recommendation implementation? |
▲ |
◆ |
Does the entity assign risk ratings for recommendation implementation? |
■ |
■c |
Does the entity establish action items for recommendation implementation? |
▲ |
▲c |
Key: ■ No documented requirement and no practice established ▲ No documented requirement but practice established ◆ Requirement is documented and practice established
Note a: For the DTA, the ANAO examined implementation planning practices for the two JCPAA and eight Auditor-General recommendations in scope for of this audit. For Finance, the ANAO examined implementation planning practices for the one Auditor-General recommendation (made to the Australian Government and implemented by Finance) in scope for this audit.
Note b: The DTA did not have a documented requirement to develop an implementation plan for JCPAA and Auditor-General recommendations. Given the details captured in the DTA’s recommendation tracking documents contained components commonly found in an implementation plan (see paragraph 2.5), the ANAO considered that there was an established practice for implementation planning.
Note c: During the period that Finance was implementing the selected Auditor-General recommendation, there were no documented requirements in place for implementation plans, risk ratings or the establishment of action items for the open recommendations. Given the details captured in Finance’s audit recommendations tracker contained components commonly found in implementation plans, the ANAO considered that there was an established practice for implementation planning. Finance advised the ANAO in November 2024 that it assigned risk ratings to ANAO and JCPAA recommendations following a review of open recommendations (see Table A.2). As at June 2025, finalisation of an implementation plan template and supporting guidance remained underway.
Source: ANAO analysis of DTA and Finance documentation.
Digital Transformation Agency
2.4 The DTA does not have a documented policy or procedure to guide the implementation of JCPAA and Auditor-General recommendations. The DTA advised the ANAO on 28 October 2024 that the internal audit manual ‘has some high level information on closure of recommendations’, and later advised the ANAO in December 2024 that:
Due to the timing of development, the internal audit manual was not used in the process of identifying, responding to, implementation planning, [or] implementation of the recommendations from the ANAO.
2.5 The DTA’s recommendation tracking spreadsheets contained components commonly found in an implementation plan. This included details of the assigned responsible officers24, implementation due dates, and action items.
2.6 Risk ratings were not assigned to the 10 selected JCPAA and Auditor-General recommendations. Assigning risk ratings can help identify the impact on the entity if recommendations are not implemented. The DTA advised the ANAO in November 2024 that the DTA Executive Board considered the implementation of recommendations to be a high priority.25 The DTA further advised the ANAO in May 2025 that ‘for the DTA, any recommendations from ANAO and JCPAA were of great significance, which in practice translated to being a default high risk rating for the DTA.’
Opportunity for improvement
2.7 The DTA establish a requirement to assign risk ratings to parliamentary committee and Auditor-General recommendations to assist in the prioritisation of resources and identify business impacts if the recommendations were not implemented as intended.
Department of Finance
2.8 During a previous ANAO performance audit, a recommendation was made to Finance to strengthen its internal planning arrangements for the implementation of agreed parliamentary committee and Auditor-General recommendations.26 As at June 2025, implementation of this recommendation was still underway (see Table 2.1). Finance recorded the one selected Auditor-General recommendation in its audit recommendations tracker. Finance identified the assigned action officer, responsible officer, and recorded comments on the planned implementation timeframes and action items, and progress to implement the recommendation.27 Finance did not assign a risk rating. Finance advised the ANAO in November 2024 that risk ratings were assigned to ANAO and JCPAA recommendations following a review of open recommendations (see Appendix 2, Table A.2).
Did the DTA and Finance effectively monitor the implementation of selected recommendations?
The DTA monitored the implementation of the two selected JCPAA recommendations and eight selected Auditor-General recommendations. The DTA implemented one of two JCPAA recommendations within the planned timeframe. The DTA did not implement the eight selected Auditor-General recommendations within the planned timeframes.
Finance monitored the implementation of the one selected Auditor-General recommendation and implemented the recommendation in accordance with the planned timeframe.
2.9 Effective monitoring requires oversight arrangements and an approach that accurately tracks progress and records the actions of the business area, or individual, responsible for implementing a recommendation. Where an audit committee has a role in monitoring the implementation of recommendations28, entities should provide the committee with sufficient and appropriate information to enable the committee to provide informed advice and assurance to the accountable authority regarding the implementation of individual recommendations.
Digital Transformation Agency
Monitoring
2.10 The DTA does not have documented arrangements in place for monitoring JCPAA and Auditor-General recommendations. The DTA provided updates to its ARC29 and Executive Board on progress toward implementation of the recommendations.
2.11 Between August 2023 and November 2024, the DTA’s ARC was provided with four progress updates on JCPAA Recommendation 11 and seven updates on Recommendation 13. The DTA’s ARC received evidence of implementation for the two selected JCPAA recommendations. At its 27 March 2024 meeting, the DTA ARC received a copy of the letter sent to the JCPAA that evidenced the implementation of JCPAA Recommendation 11. For JCPAA Recommendation 13, the ARC received separate briefs on the internal audit program, which reflected the work that the DTA was doing to include an audit topic on procurement in the program.30
2.12 Progress updates to the DTA ARC on the Auditor-General recommendations commenced in September 2022 in the form of verbal updates. Between November 2022 and November 2024, the DTA ARC received written updates for all selected recommendations. This included information on the implementation status, responsible officers, due dates, and written advice on progress.31 For the JCPAA recommendations, the ARC received evidence of implementation for all Auditor-General recommendations.
2.13 Between June 2023 and November 2024, the DTA’s Executive Board considered a summary of JCPAA and Auditor-General recommendations. Two summaries included information on the progress of the closure process involving the ARC (see Table 2.6) and three updates on the progress of an April 2024 management initiated review on procurement, which assessed the implementation of recommendations from Auditor-General Report No. 5 2022–23 and found that none of the recommendations had been implemented.32 The DTA provided updates on the implementation of all Auditor-General recommendations to the responsible Minister.
Timeliness
2.14 The DTA addressed JCPAA Recommendation 11 within the six-month timeframe required by the JCPAA.33 JCPAA Recommendation 13 had a due date set by the DTA of 30 November 2023. The DTA advised the ANAO in May 2025 that ‘The actions [for this recommendation] were substantively in place as the DTA Strategic Internal Audit Plan was finalised in October 2023 which included the planned internal audit on procurements.’ The DTA reported to the ARC in November 2024 that this recommendation was proposed for closure, citing a completion date of 30 June 2024 (seven months after the DTA’s original due date). The DTA advised the ANAO in November 2024 that:
We have treated this as an ongoing matter and further actioned the internal audit side by including a procurement audit in the 2023-24 Strategic Internal Audit Plan (SIAP) for 2023-24 (finalised in October 2023), as well as future internal audit outlooks for 2024-25 and 2025-26 on procurement topics.
2.15 The DTA did not implement the eight Auditor-General recommendations within the original planned timeframe of 9.3 months. The DTA first closed the Auditor-General recommendations in August 2023, after they had been open for 11.1 months. The recommendations were subject to further reviews of their closure reports, with the final closure being approved by the Chief Audit Executive (CAE) in September 2024, 24.1 months after Auditor-General Report No. 5 2022–23 tabled. Recommendation closure is discussed in Table 2.6.
Department of Finance
Monitoring
2.16 Finance’s Legal and Assurance Branch is responsible for monitoring JCPAA and Auditor-General recommendations and maintains an audit recommendations tracker.34 Action officers are required to submit implementation progress updates for discussion at Finance’s ARC35, which are approved by the allocated responsible officer and collated by officials in the Legal and Assurance Branch.
2.17 Finance’s ARC monitored the implementation of the recommendation through progress reporting at nine of 10 meetings held between November 2022 and September 2024 (the period during which the recommendation was open).36 Written progress updates were provided to the ARC on seven occasions for the recommendation. These updates focused on the planned implementation timeframes. Details on the specific actions taken to implement the recommendation were provided at the time the recommendations were proposed for closure.37
2.18 Finance’s Performance and Risk Committee (PRC) was established in February 2023 as a subcommittee of Finance’s Executive Board.38 Under its March 2023 terms of reference, one of the PRC’s responsibilities is to provide oversight of ‘internal business improvement activities and recommendations arising from internal audit (and external audit as appropriate), ensuring responsibility for business improvements and resource implications are assessed, considered and progressed as appropriate’.
2.19 Finance’s Assurance and Risk Standard Operating Procedure states that from November 2023, the PRC would ‘play a key role in overseeing the response and implementation to recommendations’. Finance advised the ANAO in December 2024 that ‘Reporting on open external audit recommendations was incorporated into Assurance Reporting to the Performance and Risk Committee in February 2024, May 2024 and August 2024.’ The PRC received updates at these meetings on the recommendation as part of a quarterly assurance report, which indicated that the recommendation was open and stipulated the responsible business area for implementing the recommendation. The recommendation was reported to the PRC as closed in October 2024. The updates did not contain information on progress towards implementation or documentation supporting the closure of the recommendation.
Timeliness
2.20 As discussed in paragraph 1.2, the one selected Auditor-General recommendation was made to the Australian Government in September 2022. Finance ‘Noted’ the recommendation and advised that it ‘will consider options for entities to report on how many suppliers have been approached from a standing offer arrangement, and options to enhance functionality for reporting contract notices from standing offers in future updates to AusTender’.39
2.21 In November 2022, Finance commenced reporting the recommendation as ‘open’ to the Finance ARC (see paragraph 2.17). In August 2023, Finance advised the ARC that the recommendation would take until 2025 to implement. The planned implementation timeframe for the recommendation was later changed to July 2024, which was met.
Were the selected recommendations implemented in full, and closed in accordance with requirements?
The DTA implemented one of the two selected JCPAA recommendations and largely implemented the other. For the eight selected Auditor-General recommendations, the DTA largely implemented six and partly implemented two recommendations.
The DTA did not have documented closure processes for parliamentary committee and Auditor-General recommendations, which are important to ensure agreed recommendations are implemented in full and required improvements are embedded. The Auditor-General recommendations were closed in August 2023 and the DTA advised the JCPAA in January 2024 that the recommendations had been implemented. In March 2024, the DTA’s ARC requested that the Auditor-General recommendations be reopened. The recommendations were closed a second time without documented support from the DTA ARC in September 2024.
Finance implemented the one selected Auditor-General recommendation. The recommendation was closed in accordance with Finance requirements.
2.22 Effective and timely implementation of agreed recommendations contributes to realising the full benefit of a parliamentary committee inquiry or an ANAO audit and demonstrates accountability to the Parliament.40 When recommendations have been implemented, it is important they are formally closed and that prior to closure, evidence of implementation is subject to an appropriate level of scrutiny to ensure recommendations have been implemented in full and in accordance with the intent of the recommendation.41 Closing recommendations prevents recommendations from remaining unresolved and promotes accountability by confirming that entities have addressed identified issues.
2.23 The ANAO assessed the implementation status for the 11 selected JCPAA and Auditor-General recommendations. The categories for assessment are outlined in Table 2.2.
Table 2.2: Implementation status of recommendations — ANAO assessment categories
Category |
Explanation |
Not implemented |
There is no supporting evidence that the agreed action has been undertaken, or the action taken does not address the intent of the recommendation as agreed. |
Partly implemented |
The action taken was considerably less extensive than the recommendation agreed, as:
|
Largely implemented |
The action taken was less extensive than the recommendation as agreed, as:
|
Implemented |
There is supporting evidence that the agreed action has been undertaken and the action met the intent of the recommendation as agreed. |
Implementation ongoing |
There is supporting evidence of ongoing action to implement the recommendation and the entity considers that implementation is in progress or ongoing. |
Source: ANAO documentation.
2.24 Table 2.3 outlines the ANAO’s assessment of the DTA and Finance’s implementation of recommendations against the intention of the original recommendation and compared with the entities recorded status.
Table 2.3: Implementation status of recommendations — summary of entity and ANAO assessments
Recommendation numbera |
Entity |
Entity response |
Status recorded by entity |
ANAO assessment |
Joint Committee of Public Accounts and Audit, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement |
||||
11 |
DTA |
Agreed |
Implemented |
Largely implementedb |
13 |
Agreed |
Implemented |
Implemented |
|
Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services |
||||
1 |
DTA |
Agreed |
Implemented |
Largely implementedb |
2 |
Agreed |
Implemented |
Largely implementedb |
|
3 |
Agreed |
Implemented |
Partly implementedb |
|
4 |
Agreed |
Implemented |
Largely implementedb |
|
6 |
Agreed |
Implemented |
Largely implementedb |
|
7 |
Agreed |
Implemented |
Largely implementedb |
|
8 |
Agreed |
Implemented |
Largely implementedb |
|
9 |
Agreed |
Implemented |
Partly implementedb |
|
Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services |
||||
5 |
Finance |
Noted |
Implemented |
Implemented |
Note a: The details of each recommendation are provided in Appendix 3.
Note b: Highlighted yellow shading indicates that the ANAO’s assessment differed from the entity’s assessment for the recommendations.
Source: ANAO analysis.
Digital Transformation Agency
JCPAA recommendations
2.25 The ANAO’s assessment differed from the DTA’s assessment of the selected JCPAA recommendations, as outlined in Table 2.4.
Table 2.4: Joint Committee of Public Accounts and Audit, Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement — ANAO assessment of DTA implementation, at May 2025
Selected recommendation |
ANAO assessment |
Recommendation 11 The Committee recommends that the Digital Technology Agency provide an update to the Committee five months from the tabling of this report on the progress of its improvements to its procurement processes, including:
DTA assessment: Implemented. |
Largely implemented The DTA provided the JCPAA with an update in January 2024, within the required timeframe. The DTA advised the JCPAA in its update that: The DTA has addressed the recommendations within JCPAA Report 498 and has implemented recommendations from the Australian National Audit Office (ANAO) [Auditor-General Report No. 5 2022–23]. The DTA’s update to the JCPAA included information on actions taken in response to each of the eight Auditor-General recommendations. A management initiated review on procurement (discussed in paragraph 2.13 and Table 2.6) was completed in April 2024 and found that none of the Auditor-General recommendations had been fully implemented. At the March 2024a meeting, the DTA’s ARC raised concerns with the accuracy of the response the DTA provided to the JCPAA and the lack of oversight of the closure process and requested that the recommendations be reopened (see Table 2.6). In September 2024, the DTA provided another version of the closure reports for the Auditor-General recommendations to the DTA ARC. In November 2024, after receiving further supporting documentation, the DTA ARC noted that management had formally closed the Auditor-General recommendations. There was no record that the ARC supported closure of the recommendations. The timeline for closing the JCPAA and Auditor-General recommendations is discussed in Table 2.6. See Appendix 3 for more information on the intention of this recommendation. |
Note a: While the management initiated review was finalised in April 2024, an earlier version was discussed at the March 2024 DTA ARC meeting.
Source: ANAO analysis of DTA documentation.
Auditor-General recommendations
2.26 Tabling in the Parliament of an agreed response to a parliamentary committee or Auditor-General recommendation is a formal commitment by the government or an entity to implement the recommended action. The Parliament’s expectation is that the entity makes improvements that address the deficiency identified. Agreement to implement recommendations should not be qualified.
2.27 The DTA advised the ANAO in August 2024 that changes made in response to the selected JCPAA and Auditor-General recommendations were limited to the DTA’s internal procurement activities and were not implemented for DTA procurement activities relating to the establishment of whole-of-government procurement arrangements.42 When the DTA’s ARC received updates on implementation progress, it did not receive explicit advice explaining the limitations to the extent of the DTA’s implementation of procurement reforms across the organisation.43 The DTA advised the ANAO in May 2025 that:
the agency’s administration of its whole-of-government sourcing responsibilities is structurally separated from corporate/internal procurement functions with wholly separate policies and procedures including extensive specialist legal, commercial and probity support. The DTA’s view is that no qualification on the scope of the recommendations was needed as the findings and recommendations were not developed based on any assessment or audit activity of these arrangements.44
2.28 Parliamentary committee inquiry reports and Auditor-General reports identify risks to the successful delivery of outcomes and provide recommendations to address them. Entities should ensure that the risks or issues that led to recommendations being made are addressed across all their operations. Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) establishes a ‘duty to establish and maintain systems relating to risk and control’ for accountable authorities.45 Accountable authorities require assurance that the underlying risks and issues that have resulted in recommendations being made are addressed and improvements have been embedded across the entity.
2.29 Recommendations are made to an entity, not a structure within it. Establishment and administration of procurement panels and arrangements are subject to the procurement framework, which includes the Commonwealth Procurement Rules (CPRs). Paragraph 2.2 of the CPRs states that ‘Officials from non-corporate Commonwealth entities … must comply with the CPRs when performing duties related to procurement.’ Many of the risks relating to recommendations made in Auditor-General Report No. 5 2022–23 apply to the DTA’s procurement-related activities at an enterprise level, including relating to whole-of-government procurement arrangements.
2.30 The DTA advised the ANAO in August 2025 that ‘Considerations of the applicability of those recommendations across the organisation, including the DTA’s whole-of-government procurement activities has occurred at the business unit level.’ The DTA provided the ANAO with an assessment of the applicability of the recommendations to the DTA’s whole-of-government procurement activities in August 2025.
Opportunity for improvement
2.31 The DTA could assess how the matters identified in this audit are relevant at the enterprise level and implement Auditor-General recommendations directed to the DTA at the enterprise level, and document where there are exceptions.
2.32 The ANAO’s assessment differed from the DTA’s assessment of the selected Auditor-General recommendations, as outlined in Table 2.5.
Table 2.5: Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services — ANAO assessment of DTA implementation, at May 2025
Selected recommendation |
ANAO assessment |
Recommendation 1 The Digital Transformation Agency implement a system of risk management that ensures procurement risks are being monitored, managed and escalated appropriately. DTA assessment: Implemented. |
Largely implemented The DTA has established guidance for risk management processes and requires DTA officials to complete a mandatory procurement checklist, including a risk assessment template. The ANAO identified inconsistencies in the terminology and requirements in the DTA’s risk management guidance documents that were in effect when the DTA closed the recommendation in November 2024. Deficiencies in the 2024 guidance affected the effectiveness of all risk assessments conducted for the four sampled procurements (see paragraphs 3.25 to 3.28). As at May 2025, the DTA had made improvements to the risk management process and commenced addressing the issues identified by the ANAO during the course of this audit. The DTA updated its risk assessment template, risk management policy and risk management framework. Deficiencies remain due to inconsistencies across guidance for how procurement risks should be managed depending on the residual risk rating (see paragraph 3.27). |
Recommendation 2 The Digital Transformation Agency:
DTA assessment: Implemented. |
Largely implemented
|
Recommendation 3 The Digital Transformation Agency:
DTA assessment: Implemented. |
Partly implemented
The intent of the recommendation was to ensure that the DTA is effectively managing actual, potential and perceived COI when conducting procurements. See Appendix 3 for more information on why this recommendation was made. |
Recommendation 4 The Digital Transformation Agency align its approach to market processes with the Commonwealth Procurement Rules, with a focus on:
DTA assessment: Implemented. |
Largely implemented
|
Recommendation 6 The Digital Transformation Agency improve its tender evaluation processes to:
DTA assessment: Implemented. |
Largely implemented
|
Recommendation 7 The Digital Transformation Agency improve its procurement processes to ensure decision-makers are provided complete advice, including information on risk and how value for money would be achieved. DTA assessment: Implemented. |
Largely implemented DTA records state that this recommendation was addressed by: the Chief Operating Officer (COO) and the CPT providing advice to officials conducting procurements and monitoring of risk and value for money justification; delivery of relevant training; and requirements to complete mandatory templates and engage with the CPT. All procuring officials are required to engage with the CPT where advice can be provided for procurements over $10,000. The DTA updated its procurement documentation and implemented templates to assist in planning and conducting procurements. The templates include a procurement checklist, procurement and evaluation plan and evaluation report. The tender evaluation report requires value for money justification to be provided to the delegate before the evaluation report is approved. These are required to be completed for all procurements over $10,000. The DTA advised the ARC in March 2023 that ‘The COO and Corporate Procurement team are monitoring risk and value for money justifications for all internal procurement activities.’ As outlined in paragraphs 3.94 to 3.95, evaluation reports for two of the four procurements did not demonstrate how the preferred supplier represented value for money. For one procurement, advice to the delegate did not accurately represent the steps taken regarding probity. |
Recommendation 8 The Digital Transformation Agency:
DTA assessment: Implemented. |
Largely implemented
|
Recommendation 9 The Digital Transformation Agency strengthen its internal guidance and controls to ensure officials do not vary contracts to avoid competition or obligations and ethical requirements under the Commonwealth Procurement Rules. DTA assessment: Implemented. |
Partly implemented The closure report for this recommendation stated that:
The procurement checklist requires the CPT to be contacted at various points in the process of planning and conducting a procurement process. The checklist does not explicitly mention varying contracts. The DTA advised the ANAO in May 2025 that advice and guidance from the CPT to procuring officials is delivered both verbally and in writing as part of the procurement process. The DTA has not strengthened its written guidance on varying contracts to avoid competition or obligations and ethical requirements under the Commonwealth Procurement Rules. A briefing provided to DTA senior management in September 2024 stated that ‘Variations are required to be approved by the COO.’ This requirement is not captured in the DTA’s procurement guidance. DTA records state ‘Only a small number of variations have occurred since September 2022, with justifications being scrutinised prior to action.’ Of the four sampled procurements, all contracts have been amended (seven amendments in total), with five amendments related to extending the contract, increasing the contract value, or both. Of the seven amendments, two were approved by the COO before the amendment was signed. While no instances were identified in the four sampled procurements of contracts being varied to avoid competition or obligations and ethical requirements under the CPRs, risks remain due to the lack of clear documented processes and guidance relating to contract variations. See Table A.3 in Appendix 3 for more information on why this recommendation was made. |
Note a: The internal audit report included three recommendations, which were closed in August 2023.
Source: ANAO analysis of DTA documentation.
2.33 The DTA advised the ANAO in May 2025 that as part of ‘procurement uplift’ activities, it would:
Develop new training module for all non-SES staff, complementing APS foundational courses in Fraud and Corruption, Integrity in the APS and Commonwealth Resource Management and ensuring all staff understand procurement requirements.
Ensuring all relevant staff complete procurement-related training is important to successfully building capability.
Opportunity for improvement
2.34 The DTA establish assurance mechanisms to ensure all relevant staff complete procurement-related training.
Closure
2.35 Throughout 2023 and 2024, the DTA engaged in discussions with its ARC on an appropriate closure process for Auditor-General recommendations. In July 2024, the DTA documented closure processes for internal audit recommendations in the DTA’s internal audit manual. The internal audit manual does not explicitly state that these processes apply to external recommendations such as parliamentary committee or Auditor-General recommendations. As discussed in paragraph 2.4, the DTA advised the ANAO in December 2024 that the audit manual was not followed for the implementation of Auditor-General recommendations. In practice, the DTA’s process for closing Auditor-General recommendations was aligned to the internal audit manual. Under the July 2024 internal audit manual, the recommendation closure process included the preparation of closure report forms, with supporting evidence, and requires approval from the responsible officer and from the CAE.46 The internal audit manual states that:
The decision to close an audit recommendation is a management decision … Closures will be reported at the next ARC meeting. The ARC will provide independent oversite [sic] of closure requests and if they have any concerns about closure, they will advise the CAE [Chief Audit Executive] of their opinion. Should an instance arise where their concerns have been raised with the CAE and the ARC believes that the closure of an audit recommendation exposes the DTA to unreasonable risk, the Chair will discuss their concerns with the CEO at their private meeting after each ARC meeting.
2.36 The timeline for the DTA’s closure of the JCPAA and Auditor-General recommendations is outlined in Table 2.6.
Table 2.6: Timeline for closing the JCPAA and Auditor-General recommendations
Date |
Description of event |
August 2023 |
|
December 2023 |
|
January 2024 |
|
March 2024 |
|
June 2024 |
|
July 2024 |
|
September 2024 |
|
October 2024 |
|
November 2024 |
|
February 2025 |
|
April 2025 |
|
Note a: The DTA’s response to the JCPAA is available at Parliament of Australia, Government Response Executive Minute Digital Transformation Agency - Report 498 - Recommendations 11 and 13, Parliament of Australia, Canberra, 2024, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public _Accounts_and_Audit/CommonwealthProcurement/Government_Response [accessed 16 September 2025].
Note b: A senior responsible officer is an Executive Board member with overall responsibility for the implementation of the recommendation.
Source: ANAO review of DTA documentation.
2.37 The closure processes, while matching the process outlined in the DTA’s internal audit manual for the Auditor-General recommendations (see paragraph 2.35), did not support the effective implementation of recommendations. There is no record that the ARC supported the closure of the JCPAA or Auditor-General recommendations. The DTA ARC’s oversight role would be enhanced by it scrutinising implementation of recommendations prior to their closure by management and clearly documenting whether or not it supports recommendation closure.
Recommendation no.1
2.38 The Digital Transformation Agency strengthen its arrangements for implementation of parliamentary committee and Auditor-General recommendations by:
- documenting arrangements for implementation planning, monitoring, independent oversight and closure of recommendations; and
- establishing a requirement for Audit and Risk Committee scrutiny of recommendations prior to formal closure, and for this consideration to be clearly documented.
Digital Transformation Agency response: Agreed.
2.39 The DTA is strengthening its internal arrangements for the implementation of parliamentary committee and Auditor-General recommendations by developing documented processes for implementation planning, monitoring, independent oversight and closure of recommendations. This will include arrangements established to assign risk ratings, implementation timeframes, key actions for implementation, implementation action owner and monitoring and closure requirements.
2.40 The DTA has established an independent monitoring control around the DTA’s closure of recommendations, with our internal audit provider performing independent verification of the DTA’s implemented actions and assess whether the risk has been appropriately and sustainably mitigated, including obtaining evidence of periodic control execution where possible. This will form part of the DTA’s formal arrangements for closure of recommendations and presented to the Audit and Risk Committee for consideration prior to any formal closure of recommendations.
Department of Finance
2.41 Finance implemented the one selected Auditor-General recommendation made to the Australian Government. Finance implemented a new reporting field for contract notices on AusTender for ‘suppliers invited’. For contracts entered into from 1 July 2024, if a procurement was limited tender or through a standing offer arrangement, entities have been required to identify the number of suppliers invited to participate in the procurement process. The reporting field became mandatory for entities from 1 July 2025. Finance advised the ANAO in August 2025 that ‘100% of entities that are required to report on AusTender are reporting on the new fields from 1 July 2025.’ Finance also updated its Resource Management Guide 423: Procurement Publishing and Reporting Obligations to reflect the changes to reporting requirements.
Closure
2.42 Finance closed the Auditor-General recommendation in accordance with its documented requirements by preparing closure reports in June 2024 that summarised the action taken to implement and close the recommendation.47 The closure reports referenced evidence of implementation and included comments from Finance’s internal audit provider, noting the evidence provided and advising support for closure. The Head of Internal Audit indicated support for closure and this was recorded in Finance’s audit recommendations tracker. The responsible officer approved the closure reports in August 2024. In September 2024, the closure reports were provided to Finance’s ARC, which endorsed the closure of the recommendation.
2.43 Finance’s closure process for Auditor-General recommendation involves internal assurance arrangements that allows for the scrutiny of implementation activities. Undertaking an assurance process before closing a recommendation can support entities to consider whether a recommendation has been implemented in full and in accordance with the intent of the recommendation.
3. Procurement processes and value for money
Areas examined
This chapter examines whether the Digital Transformation Agency (DTA) conducted effective procurement processes to achieve value for money.
Conclusion
The DTA was partly effective in conducting procurement processes to achieve value for money. Improvements introduced by the DTA in response to the recommendations from Auditor-General Report No. 5 2022–23 were partly embedded. The DTA partly complied with selected requirements of the Commonwealth Procurement Rules (CPRs) and for two of the four sampled procurements decision-making was not sufficiently accountable and transparent.
For the sampled four procurements, the DTA’s planning and approaches to market were largely appropriate. There were shortcomings in the DTA’s processes to identify, analyse, allocate and treat risk during the procurements. The DTA’s Probity Guidelines were not adhered to and the conduct of one procurement fell short of ethical standards as established in the CPRs where suppliers undergoing evaluation were not treated equitably.
For two of the four procurements, documentation in evaluation reports fell short of the expectations established in the CPRs in terms of the consideration of value for money. AusTender reporting for all four procurements contained incorrect information. For one contract, two of four payments were not paid within the agreed payment terms and one payment was made to an incorrect bank account of the supplier.
One contract was extended when there was no provision for extension. One amendment did not have the appropriate documented delegate approval before being executed and one amendment was executed after the contract expired.
Areas for improvement
The ANAO made four recommendations to the DTA aimed at: establishing conflict-of-interest declaration requirements for procurement delegates; strengthening probity arrangements through training and assurance; strengthening arrangements for contract amendments; and ensuring delegates consider the completeness and quality of documented advice.
The ANAO identified six opportunities for improvement. These related to: improving planning documentation for limited tender procurements; periodically reviewing risk management guidance; strengthening guidance relating to incumbency risk; ensuring value for money assessments directly address the cost of tenders; enhancing AusTender reporting; and improving guidance regarding payment of suppliers.
3.1 The ANAO assessed a sample of four procurements48 to determine whether:
- the DTA complied with selected requirements of the Commonwealth Procurement Rules (CPRs); and
- actions taken by the DTA, in response to the selected Joint Committee of Public Accounts and Audit (JCPAA) and Auditor-General recommendations (see Appendix 3), had been applied in practice.
3.2 The details of the four procurements are outlined in Table 3.1.
Table 3.1: Selected procurements and associated contracts
Procurement |
AusTender Contract Notice (CN) number |
Contract start date |
Contract end date |
Procurement method |
Original Value reported on AusTender at August 2024 ($) |
Value reported on AusTender at April 2025 ($) |
Reuse assessment |
CN4042607 |
18 March 2024a |
22 May 2024a |
Open tender via the Digital Marketplace Panel 1.0 |
451,000 |
451,000 |
Cloud native secure internet gateway |
CN4044822 |
5 April 2024 |
5 April 2025 |
Open tender via the Cloud Marketplaceb |
388,960 |
777,920 |
Labour hire |
CN4076272 |
5 July 2024 |
7 July 2025 |
Open tender via the Digital Marketplace Panel 1.0 |
340,000 |
340,000 |
CN4076862 |
8 July 2024 |
8 July 2025c |
146,544 |
286,272 |
||
Office fitout |
CN4076895 |
22 May 2024 |
1 July 2024 |
Limited tender |
247,996.40 |
284,412.88d |
Note a: As at 16 January 2025, the contract period reported on AusTender was 25 March 2024 to 24 May 2024, which differed from the contract.
Note b: The cloud native secure internet gateway procurement was incorrectly reported on AusTender as having been from the Digital Marketplace panel.
Note c: The original contract end date was 8 January 2025.
Note d: The contract value was $284,442.88.
Source: AusTender and DTA documentation.
Has the DTA complied with selected requirements of the Commonwealth Procurement Rules (CPRs)?
Planning considerations were documented for three of the four sampled procurements.
Planning documentation for the limited tender office fitout procurement did not document the evaluation criteria, the planned evaluation process, procurement risk, justification for the suppliers to be approached or the proposed evaluation panel.
There were shortcomings in the DTA’s processes to identify, analyse, allocate and treat risk for the sampled procurements due to deficiencies with the DTA’s risk management guidance and its application of this guidance in practice.
Evaluation panel members for two of the four sampled procurements completed conflict-of-interest declarations after signing the evaluation report. One of the four sampled procurement delegates, who are authorised to make decisions and take action on behalf of the DTA, completed a conflict-of-interest declaration and recorded it in the register, as required by DTA policy. The conduct of one procurement fell short of ethical standards established in the CPRs as suppliers undergoing evaluation were not treated equitably.
For two of the four procurements, documentation in evaluation reports fell short of the expectations established in the CPRs in terms of the consideration of value for money. Unsuccessful tenderers were notified and debriefs provided upon request in three of the four selected procurements.
Contract details for the procurements were published on AusTender within the required 42 day period. One contract amendment was reported 187 days late. AusTender reporting for all four procurements contained incorrect information.
There were deficiencies in maintaining complete procurement records relating to aspects of planning, management of conflicts of interests and value for money assessments.
3.3 To assess the DTA’s compliance with selected requirements of the CPRs for the four sampled procurements, the ANAO reviewed the DTA’s:
- procurement planning and approach to market considerations;
- risk management;
- probity management;
- tender evaluation and value for money assessments;
- notifying and debriefing tenderers;
- AusTender reporting; and
- recordkeeping.
3.4 The ANAO had regard to whether actions taken by the DTA in response to the selected JCPAA and Auditor-General recommendations (see Appendix 3) had been applied in practice, where applicable.
Procurement planning and approach to market considerations
3.5 Fit-for-purpose planning aims to achieve the efficient, effective, ethical and economical procurement practices required under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the CPRs.49 Of the eight Auditor-General recommendations directed to the DTA in Auditor-General Report No. 5 2022–23, two related to effective planning for procurements.50
3.6 For the four sampled procurements, the ANAO assessed whether the DTA:
- established a procurement plan for each procurement;
- estimated the value of the procurement;
- undertook a procurement approach that encouraged competition; and
- established evaluation criteria that enabled comparison of submissions and supported the achievement of value for money outcomes.
3.7 Table 3.2 outlines the outcomes of the assessment.
Table 3.2: Assessment of procurement planning and approach to market considerationsa
Procurement |
Procurement plan |
Estimated value of procurement (CPRs 9.2–3) |
Procurement approach encouraged competition (CPRs 5.1b) |
Evaluation criteria that enable comparison of submissionsc and support value for money |
Reuse assessment |
● |
● |
● |
● |
Cloud native secure internet gateway |
● |
● |
● |
● |
Labour hire |
● |
● |
● |
● |
Office fitout |
◑ |
● |
● |
◑ |
Key: ◯ Not met or not compliant ◑ Partly met or partly compliant ● Fully met or fully compliant
Note a: Only the ‘estimated value of procurement’ and ‘procurement approach encouraged competition’ columns of the table are mandatory CPR requirements for all procurements. Others are considered better practice or were requirements introduced by the DTA.
Note b: Paragraph 5.1 of the CPRs states ‘Competition is a key element of the Australian Government’s procurement framework. Effective competition requires non-discrimination and the use of competitive procurement processes.’
Note c: Paragraph 7.12 of the CPRs states ‘Relevant entities should include relevant evaluation criteria in request documentation to enable the proper identification, assessment and comparison of submissions on a fair, common and appropriately transparent basis’. This is better practice not a requirement.
Source: ANAO analysis of DTA information.
Procurement plans
3.8 As outlined in Table 2.5 and in response to Auditor-General Recommendation 5, the DTA introduced a mandatory procurement checklist, and procurement and evaluation plan, which are required to be completed for all procurements and must be approved by the relevant delegate.51 These documents are developed by the relevant business area with advice from the DTA’s Corporate Procurement Team.
3.9 The mandatory procurement checklist was completed for three of the four sampled procurements.52 The reuse assessment, cloud native secure internet gateway and labour hire procurements had Evaluation and Procurement plans approved by a delegate. For the limited tender office fitout procurement, a procurement plan was drafted but was not finalised. The DTA advised the ANAO in January 2025 that the plan was not considered appropriate for the procurement and was replaced by a minute to the relevant financial delegate.53 The minute included elements of the DTA Evaluation and Procurement Plan template but did not document the evaluation criteria, the planned evaluation process, procurement risk, justification for the suppliers to be approached and the proposed evaluation panel.
Opportunity for improvement
3.10 The DTA ensures planning documentation for limited tender procurements addresses key procurement considerations to provide transparency and assurance to the delegate regarding procurement processes.
Estimating the expected value
3.11 The CPRs allow for two procurement methods: open tender54 and limited tender.55 For procurements at or above the relevant procurement thresholds56, limited tender can only be conducted in accordance with the circumstances prescribed in paragraph 10.3 of the CPRs, or when a procurement is exempt in accordance with Appendix A to the CPRs.57 The CPRs require that ‘the expected value of a procurement must be estimated before a decision on the procurement method is made.’58 Part of Recommendation 4 from Auditor-General Report No. 5 2022–23 related to estimating the expected value of procurements before determining the procurement method.59
3.12 The expected value of each of the four sampled procurements was estimated prior to the DTA approaching the market. The four sampled procurements were identified by the DTA as being greater than the $80,000 threshold for open tender.60 For the office fitout procurement, the minute to the delegate noted that the estimated value was below the $7.5 million threshold for procurements of construction services, which meant a limited tender approach was permissible under the CPRs. As all four procurements had an estimated value greater than $200,000, the Australian Government’s Indigenous Procurement Policy Mandatory Set Aside did not apply.61
Encouraging competition
3.13 The CPRs state that ‘Competition is a key element of the Australian Government’s procurement framework. Effective competition requires non-discrimination and the use of competitive procurement processes.’62 The reuse assessment and labour hire procurements were undertaken through the Digital Marketplace panel and the cloud native secure internet gateway procurement was undertaken through the Cloud Marketplace panel.63 These panels are ‘standing offers’.64 Paragraph 9.12 of the CPRs states: ‘Procurements from an existing standing offer are not subject to the rules in Division 2 of these CPRs. However, these procurements must comply with the rules in Division 1.’ The CPRs further state: ‘To maximise competition, officials should, where possible, approach multiple potential suppliers on a standing offer.’65
3.14 For the reuse assessment and the labour hire procurements, all suppliers in the relevant category of expertise were provided the opportunity to submit a tender.66 The DTA’s engagement with one of the potential suppliers in the labour hire procurement reduced the effect of competition in that procurement process (see paragraphs 3.45 to 3.51). For the cloud native secure internet gateway procurement, nine suppliers on the Cloud Marketplace panel were provided the opportunity to submit a tender.
3.15 The number of suppliers approached and the number of responses received for the three panel procurements are outlined in Table 3.3.
Table 3.3: Number of suppliers approached and responses received for each panel procurement
|
Reuse assessment |
Cloud native secure internet gateway |
Labour hire |
Number of suppliers approached |
170 |
9 |
1,614 |
Number of complete responses receiveda |
5 |
4 |
98 |
Note a: Responses that were blank or incomplete were not included in the total. The DTA advised the ANAO in May 2025 that supplier ‘responses … may appear blank if they are incomplete when the ATM [approach to market] closes’.
Source: ANAO analysis of the DTA and AusTender data.
3.16 The office fitout procurement was conducted via a limited tender approach. The minute to the delegate seeking approval to approach the market indicated that the estimated value was below the threshold for limited tender procurement of construction services, which was consistent with the CPRs.67 The minute included a list of potential suppliers but did not explain how the potential suppliers had been identified.68 The delegate for the procurement was advised that five suppliers would be approached whereas four suppliers were actually approached69, with two suppliers providing a response.
Evaluation criteria that supported value for money outcomes
3.17 Paragraph 7.12 of the CPRs states:
Relevant entities should include relevant evaluation criteria in request documentation to enable the proper identification, assessment and comparison of submissions on a fair, common and appropriately transparent basis.
3.18 Establishing an evaluation plan that includes evaluation criteria assists in promoting equitable treatment of suppliers and transparency. Part of Recommendation 6 in Auditor-General Report No. 5 2022–23 was that the DTA ‘incorporate evaluation criteria to better enable the proper identification, assessment and comparison of submissions on a fair and transparent basis.’70
3.19 The three panel procurements71 included evaluation criteria in the procurement and evaluation plans prior to approaching the market. Two of those procurements also included the evaluation criteria in the request documentation.72
3.20 The DTA’s development of evaluation criteria would enable the identification, assessment and comparison of submissions on a fair and transparent basis. The CPRs provide a non-exhaustive list of factors that must be considered when assessing value for money. These factors include fitness for purpose, a potential supplier’s experience and performance history, flexibility, environmental sustainability and whole-of-life costs. The criteria the DTA developed primarily related to supplier capability and capacity to fulfil the procurement requirement. Tender evaluation is discussed in paragraphs 3.55 to 3.68.
Risk management
3.21 Paragraph 8.2 of the CPRs states that:
Relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract.73
3.22 Auditor-General Report No. 5 2022–23 included two recommendations relating to the DTA’s management of procurement risks.74 Table 2.5 details the ANAO’s assessment of the DTA’s implementation of these recommendations.
3.23 The DTA’s Risk Management Policy and procurement checklist requires that a risk assessment is conducted for procurements, including:
- identifying risks and associated controls;
- allocating risk and treatment owners; and
- managing, treating, and escalating residual risks as prescribed.
3.24 The DTA’s compliance with these requirements is summarised in Table 3.4.
Table 3.4: Assessment of compliance with DTA risk management requirements
Procurement |
Risk assessment completed using DTA risk template |
Risks, risk owners, and risk treatment owners identified |
Risk assessment consistent with DTA risk management policy |
Risk management and treatment compliant with DTA requirements |
Reuse assessment |
● |
● |
◑ |
◯ |
Cloud native secure internet gateway |
● |
● |
◑ |
◯ |
Labour hire |
● |
● |
◑ |
◯ |
Office fitout |
● |
● |
◑ |
◯ |
Key: ◯ Not met or not compliant ◑ Partly met or partly compliant ● Fully met or fully compliant
Source: ANAO analysis of DTA documentation.
3.25 The DTA completed a risk assessment using its prescribed risk assessment template for all procurements. In each risk assessment, risks, risk owners75 and treatment owners76 were identified. For three of the four procurements, risk assessments were assigned inherent risk ratings in accordance with DTA guidance.
3.26 There were shortcomings in the DTA’s processes to identify, analyse, allocate and treat procurement-related risks due to deficiencies and inconsistencies within the DTA’s risk management guidance and its application of this guidance in practice. For example, the DTA’s guidance contained conflicting information on how risks should be analysed to identify a suitable risk rating and to appropriately manage, treat and escalate the risk. In practice, one risk assessment was completed with incorrect ratings. For three of the four risk assessments, there was no documented evidence of risk treatment or review activity as prescribed by DTA’s risk management process. The DTA advised the ANAO in December 2024 that ‘there was no requirement to implement risk treatment actions’.77
3.27 As at April 2025, the DTA has implemented revised risk management guidance, including an updated risk assessment template, risk management policy, and risk management framework document. The ANAO identified improvements in the DTA’s guidance, such as improved matrices for assessing risks, revised requirements around risk treatment and monitoring during procurement activities, and new instructions on how to complete the template. Deficiencies remain due to inconsistencies between the risk assessment template, the risk management policy and the risk management framework regarding how procurement risks should be managed depending on the residual risk rating.
Opportunity for improvement
3.28 To support the implementation of the revised risk management framework, the DTA could periodically review the risk management guidance to ensure consistency and obtain assurance that guidance is fit for purpose for procurement activities.
Probity management
3.29 Effective conflict-of-interest (COI) management is essential and should be a central component of an entity’s integrity framework. Poor practice, or the perception of it, in the management of COIs undermines trust and confidence in an entity’s activities. The Australian Public Service (APS) Code of Conduct, which is set out in section 13 of the Public Service Act 1999, requires APS employees to take reasonable steps to avoid any real or apparent COI.
3.30 Paragraph 6.6 of the CPRs states that:
officials undertaking procurement must act ethically throughout the procurement. Ethical behaviour includes:
a. dealing with potential suppliers, tenderers and suppliers equitably, including by seeking appropriate internal or external advice when probity issues arise;
b. carefully considering the use of public resources78
3.31 Paragraph 6.7 of the CPRs states that ‘Officials undertaking procurement must seek to prevent corrupt practices by recognising and dealing with actual, potential and perceived conflicts of interest and not accepting inappropriate gifts or hospitality’. Recommendation 3 in Auditor-General Report No. 5 2022–23 related to the DTA establishing ‘an internal control to ensure that officials directly involved in procurements make activity-specific declarations of interest; and … maintain[ing] a register of declared interests’.
3.32 The DTA established a DTA Probity Guideline (Probity Guideline), which was approved by the Chief Financial Officer in December 2022. The Probity Guideline outlines: probity principles79; probity-specific roles and responsibilities of personnel involved in procurement; and requirements for declaring and managing COI and ensuring confidentiality. The Probity Guideline states that:
All Officials participating in a Procurement will be required to agree to, and satisfy the principles and protocols set out in this Probity Guideline (Guideline) before undertaking any Procurement-related activities.
3.33 The Probity Guideline provides four templates as appendices. These are:
- Appendix A — Declaration and Agreement to the DTA Probity Guideline;
- Appendix B — Conflict of Interest (APS Employee);
- Appendix C — Conflict of Interest (Contractors); and
- Appendix D — Deed of Confidentiality.
3.34 The Probity Guideline states that ‘In the course of an open tender Procurement, all involved Officials must complete, sign and lodge with DTA Corporate Procurement the undertakings and declarations’ in appendices A to D ‘unless the relevant Officials can establish, to the Responsible Person’s reasonable satisfaction’, that appropriate arrangements are already in place.80
3.35 In addition to the Probity Guideline, there is procurement and probity related guidance on the DTA’s intranet and in the mandatory procurement checklist. The DTA’s intranet guidance states that officials are to:
Complete a conflict-of-interest declaration, even if no conflicts exist. This needs to be completed by all officers involved in the procurement including the spending delegate, prior to the approach to market.81
3.36 The DTA officials involved in the four sampled procurements did not complete the Declaration and Agreement to the DTA Probity Guideline (Appendix A declaration) or the Deed of Confidentiality (Appendix D guideline). The DTA advised the ANAO in December 2024 that:
In practice the probity protocols and principles implemented for a Procurement will be dependent on the Procurement risk and value. Considering the risk and value of the sample set of Procurements it was not considered necessary for a “Declaration and Agreement to the DTA Probity Guideline” to be completed. 82
3.37 The DTA advised the ANAO in May 2025 that:
The assessment was not documented at the time. However, for the staff involved in the four sampled procurements, it was deemed sufficient to complete Conflict of Interest (COI) forms instead of confidentiality deeds.
3.38 DTA processes stipulate that completed COI declarations are to be provided to the DTA Corporate Procurement Team, which maintains the COI register. The DTA’s compliance with these requirements is summarised in Table 3.5.
Table 3.5: Assessment of compliance with DTA probity requirements
Procurement |
COI form completed by evaluation panel members |
COI form completed by delegate approver |
COI details included on COI Register |
COI management plan |
COI management plan followed |
Reuse assessment |
● |
● |
● |
N/A |
N/A |
Cloud native secure internet gateway |
● |
◯ |
◑ |
N/A |
N/A |
Labour hire |
◑ |
◯ |
◑ |
◑ |
◯ |
Office fitout |
◑ |
◯ |
◑ |
N/A |
N/A |
Key: ◯ Not met or not compliant ◑ Partly met or partly compliant ● Fully met or fully compliant
Source: ANAO analysis of DTA information.
3.39 Three COI declarations (two for the labour hire procurement and one for the office fitout procurement) were completed after the evaluation reports had been signed. The evaluation panel chair for the labour hire procurement signed a COI declaration four days after the evaluation report for the procurement was signed. Another panel member signed a COI declaration nearly six months after signing the evaluation report. Both officials identified potential COIs in their declarations relating to relationships with the incumbent contractor (see paragraph 3.45). The COI declaration for a panel member of the office fitout procurement was signed eight months after the evaluation report for the procurement was signed. No conflicts of interest were declared.
3.40 The reuse assessment procurement was the only procurement for which the delegate completed a COI declaration. The DTA advised the ANAO in January 2025 that ‘only delegates that are included in the evaluation process have signed and provided a COI [declaration]’. Procurement delegates approve ‘commitments of relevant money’ and are the key decision-maker in awarding contracts. If COI declarations are not completed by delegates, conflicts cannot be identified or managed.83
3.41 The reuse assessment was the only one of the four sampled procurements for which all conflict-of-interest forms were recorded in the COI register.84
Recommendation no.2
3.42 To ensure conflicts of interest are identified and effectively managed, the Digital Transformation Agency establish a clear requirement that all procurement delegates make activity-specific conflict-of-interest declarations for each procurement activity in which they are involved and that declarations are included in the conflict-of-interest register.
Digital Transformation Agency response: Agreed.
3.43 The DTA has established a clear requirement from May 2025 that all procurement delegates make activity-specific conflict of interest declarations for each procurement activity.
3.44 The DTA considers that the intention of the Commonwealth Procurement Rules, which requires “officials undertaking procurement must seek to prevent corrupt practices by recognising and dealing with actual, potential and perceived conflicts of interest…” has been met through its previous practices where all evaluation panel members and activity-specific advisors were required to make activity-specific conflict of interest declarations for each procurement activity. It will however be further strengthened through the activity-specific declarations for all procurement delegates.
Management of declared COIs
3.45 As discussed in paragraph 3.39, two of the three panel members (including the chair) for the labour hire procurement identified potential conflicts of interest in their COI declarations relating to having a working relationship with the incumbent contractor.85 Actions identified to manage these COIs included:
- the panel member being ‘removed from evaluating [the incumbent contractor’s] responses’; and
- the panel chair and panel member ‘Refrain[ing] from any discussions with [the incumbent contractor] and potential suppliers to ensure that all suppliers are evaluated fairly and equitably.’86
3.46 The panel member with the declared COI did not assess the incumbent contractor during the initial evaluation of written applications stage of the supplier evaluation process. There were no documented arrangements in place to manage the COI during the subsequent stages of the supplier evaluation process, which included an interview stage, ranking of suppliers post interview and the selection of the preferred suppliers.87 The evaluation panel member signed the evaluation report, which recommended that the DTA enter into contracts with two candidates, one of which was the incumbent contractor referred to in the COI declaration.
3.47 The hourly rate for the incumbent contractor recorded in the evaluation report provided to the delegate was lower than the rate included in the supplier’s response.88 Between the initial shortlisting of candidates and interview stage, the chair of the procurement panel (who also copied into the email the other panel member who declared a COI) wrote to the supplier proposing the incumbent candidate saying:
We had significant interest from the market for this role and have now finished our evaluation, we have shortlisted candidates for interviews and [the incumbent contractor] is one of the shortlisted candidates.
I did want to call out early the rate that was submitted for [the incumbent contractor] was very high. It was in the top 10% of rates submitted by the market, and a 13% increase from the current contract.
We recognise there is advantage being the incumbent and having familiarity with the project, however we would need to see a reduced rate to make a value for money recommendation to our delegate … I am happy to discuss further if you would like.
3.48 The DTA advised the ANAO in May 2025 that ‘the approach to the supplier set out in the email occurred in the context of their rate being outside the panel rate benchmark range’. This rationale was not supported by documented evidence and the evaluation report noted that, prior to evaluating supplier responses, a compliance assessment excluded candidates with ‘an hourly rate above $195 GST Inclusive.’ The candidate’s original hourly rate was $192.50 (GST inclusive).
3.49 DTA email correspondence from the panel chair stated that ‘Following the interviews I did ring the supplier as they didn’t respond to the [email], essentially re-iterating that the rate was not VFM, and we wanted to negotiate. They agreed to a decreased rate verbally, which ultimately ended up in the contract.’ The DTA advised the ANAO in May 2025 that the third evaluation panel member, the delegate and the DTA’s Corporate Procurement Team were not informed of the communication with the potential supplier.89 Advice to the delegate did not contain information on this negotiation and did not disclose the change in rate from the supplier’s initial submission.90 The DTA did not follow actions committed to as mitigation measures in the evaluation COI declarations and communication with the supplier was not documented and logged as required under DTA’s Probity Guideline.91 Entities’ management of conflict-of-interests declarations are critical to mitigate bias that could be introduced in a procurement activity.
3.50 As discussed in paragraph 3.30, paragraph 6.6 of the CPRs states that ‘officials undertaking procurement must act ethically throughout the procurement. This includes: … dealing with potential suppliers, tenderers and suppliers equitably, including by seeking appropriate internal or external advice when probity issues arise’. The DTA’s conduct of this procurement fell short of these standards established in the CPRs as other suppliers were not offered the opportunity to submit revised rates and were not provided with information on how their rates compared to those submitted by other potential suppliers.
Recommendation no.3
3.51 In finalising the implementation of the recommendations from Auditor-General Report No. 5 2022–23, the Digital Transformation Agency should strengthen its probity arrangements by ensuring all:
- officials involved in procurements receive training on probity requirements; and
- delegates are provided with assurance that officials involved in a procurement process have complied with the Commonwealth Procurement Rules ethical requirements and the Digital Transformation Agency’s probity requirements prior to approval.
Digital Transformation Agency response: Agreed.
3.52 The DTA is strengthening its probity arrangements and has already implemented the following actions:
- between May and August 2025, all DTA Senior Executive Service employees of the DTA have attended the Procurement for SES Delegate course available under the Commonwealth Procurement and Contract Management Training Suite which covers probity and integrity requirements for SES delegates.
A DTA specific procurement and Commonwealth Procurement Rules training module that includes requirements on probity during procurement processes is in development and will be rolled out as mandatory training for all DTA officials from September 2025, which will be in addition to the current mandatory training modules for Commonwealth Resource Management, Integrity in the APS and Fraud and Corruption. - the DTA’s procurement checklist now requires activity specific conflict of interest declarations to be made, prior to delegate approval of the procurement and evaluation plan. The evaluation template has also been updated to strengthen our requirements for information to be provided to the delegate on compliance with the Commonwealth Procurement Rules ethical requirements and the DTA’s probity requirements.
3.53 In May 2025, the DTA created a procurement factsheet that provides guidance on managing probity risks. The factsheet identified ‘Supplier Incumbency Risk: Where an existing supplier could gain an unfair advantage due to their prior involvement’ as an example of a probity risk. There was no further guidance provided on specific actions required to manage risks relating to the involvement of incumbent suppliers in procurement processes.
Opportunity for improvement
3.54 To ensure procurement processes are conducted fairly and in accordance with the Commonwealth Procurement Rules, the DTA could expand it guidance on supplier incumbency risk so it addresses how these risks are to be managed.
Tender evaluation and value for money assessments
3.55 The CPRs state that:
Achieving value for money is the core rule of the CPRs. Officials responsible for a procurement must be satisfied, after reasonable enquiries, that the procurement achieves a value for money outcome.92
3.56 In addition, the CPRs also state documentation should provide accurate and concise information on how value for money was considered and achieved.93
3.57 As discussed in paragraph 3.18, one element of Recommendation 6 in Auditor-General Report No. 5 2022–23 was that the DTA ‘incorporate evaluation criteria to better enable the proper identification, assessment and comparison of submissions on a fair and transparent basis’.
3.58 An evaluation report was prepared for each of the four sampled procurements. Evaluation reports for the three panel procurements included the evaluation panels’ assessment against the evaluation criteria established at the planning stage and was reflected in the request documentation for two procurements.94 For the reuse assessment and cloud native secure internet gateway procurements, there was a clear rationale for the evaluation panels’ recommendation for the preferred tenderer based on the value for money assessments documented in the respective evaluation reports.95
Labour hire procurement evaluation
3.59 The rationale for the ranking of candidates as part of the value for money assessment for the labour hire procurement was not documented. As outlined in Table 3.3, there were 98 responses to the approach to market for the procurement. The DTA assessed all responses. Scores against the combined ‘essential’ and ‘desirable’ evaluation criteria established in the procurement and evaluation plan for the top six shortlisted candidates were in the evaluation report.96 The DTA interviewed the shortlisted candidates and recorded further information on its assessment of the candidates in the evaluation report. As this additional information was not presented as a direct assessment against the defined ‘essential’ or ‘desirable’ evaluation criteria, comparison of shortlisted candidates on their suitability against the established evaluation criteria after the interview stage was not possible. The evaluation report included a record of candidates’ hourly rates but no indication of how differences between candidates, in terms of price or capabilities, affected value for money considerations.
3.60 There was an incumbent contractor in place at the time the DTA commenced a new procurement activity to continue services being provided through a new contract.97
- The incumbent contractor was shortlisted for an interview by the evaluation panel and ranked as the second highest candidate in terms of value for money in the evaluation report.
- The incumbent contractors’ hourly rate was significantly higher than the first and third ranked candidates and the evaluation report did not include an explanation of how this represented value for money.98 As discussed in paragraph 3.47, the hourly rate of the incumbent contractor recorded in the evaluation report provided to the delegate was lower than the rate included in the supplier’s response.99
-
The procurement and evaluation plan stated that the procurement was to engage one contractor for a proposed contract term of six months with two six month extension options. The recommendation from the evaluation panel, which the delegate accepted, was to award a 12-month labour hire contract to the candidate ranked second place (the incumbent contractor) and a six-month contract to the candidate ranked first.100 The initial values of the contracts were $340,000 and $146,544 respectively. No rationale for this recommendation was documented in the evaluation report. The DTA advised the ANAO in April 2025 that:
The decision to structure these contract offerings was influenced by business needs, continuity considerations, and value-for-money principles. While [the first ranked candidate] was ranked first in the evaluation, [the incumbent contractor’s] existing product knowledge and ability to maintain ongoing work without disruption made [them] the most suitable candidate for the long-term role. [The first ranked candidate’s] strong technical capability and cost-effective rate made [them] the best fit for the short-term engagement.
3.61 Advice to decision-makers is discussed in paragraphs 3.93 to 3.98.
Office fitout procurement evaluation
3.62 In the request for documentation101 issued to the four potential suppliers, the DTA advised that responses would be assessed on the ‘technical capabilities’ of:
- Generic design principles to be employed in the layouts and design of workstations and offices to enable easy/quick/inexpensive change, long life, and high durability.
- capability and capacity to provide the requirements.
- demonstrated experience in delivering the requirements.
- commitment to occupational health, safety, and environment.
3.63 Two of the four suppliers that were sent the request documentation provided a response. The tenderers were assessed against three of the four ‘technical capabilities’102, which were reflected as numbered criteria in the evaluation report:
- Criterion 1: Capability and capacity to provide the requirements;
- Criterion 2: Demonstrated experience in delivering the requirements; and
- Criterion 3: Commitment to occupational health, safety and environment.
3.64 Both tenderers scored equally on criteria two and three. The non-preferred tenderer was rated ‘poor’103 for criterion one because it ‘did not quote for video conferencing equipment’.104 The request documentation stated that ‘video conferencing facilities will need [to] be installed in conjunction with the DTA ICT team’.
3.65 The evaluation report stated that:
Whilst on face value [the non-preferred tender] portrayed a better value for money proposition, it had several exclusions that poised a significant risk to the project budget. These exclusions included the following
(i) Video conferencing
(ii) Consultants
(iii) Mechanical Designs
(iv) CDC105
(v) Certifications.
3.66 This was not consistent with documentation supplied by the tenderers. Neither tenderer quoted for mechanical designs and both tenderers quoted for a private certifier.
3.67 There was a significant difference in price between the two tenders. The preferred tenderer quoted $281,738 (excluding GST), of which $34,579 was for video conferencing equipment. The non-preferred tenderer quoted $162,406.74 (excluding GST). In the price evaluation section of the evaluation report there was no reference to the price of the non-preferred tender. The DTA advised the ANAO in December 2024 that given the non-preferred tender was rated poor in the technical assessment, no detailed price assessment of the non-preferred tender was required in accordance with the evaluation plan. The price evaluation section did not address the difference in cost of the preferred tender. It stated that the ‘initial quote is slightly higher than the DTA budget however, there are additional items outside scope that can be negotiated to lower expenditure to meet budget requirements.’106 The DTA acknowledged its documentation of assessments related to this procurement could be improved.
Opportunity for improvement
3.68 The DTA could take steps to ensure that value for money assessments directly address the cost contained within tenders to provide assurance to the delegate that value for money has been appropriately considered.
Notifying and debriefing tenderers
3.69 Paragraph 7.17 of the CPRs states:
Following the rejection of a submission or the award of a contract, officials must promptly inform affected tenderers of the decision. Notification should be provided in writing, and must be provided in writing if requested by the tenderer. Debriefings must be made available, on request, to unsuccessful tenderers outlining the reasons the submission was unsuccessful. Debriefings must also be made available, on request, to the successful supplier(s).107
3.70 Across the four procurements, all unsuccessful tenderers were notified and debriefs were provided upon request.
AusTender reporting
3.71 The CPRs require non-corporate Commonwealth entities to report on AusTender, contracts valued at or above $10,000 within 42 days of the contract being entered into.108 The four sampled procurements resulted in the creation of five contracts.109 All five contracts were published on AusTender within the required timeframe.110
3.72 For all sampled procurements, the DTA reported incorrect information on AusTender. Specifically:
- the reuse assessment procurement contract period was reported incorrectly111;
- the cloud native secure internet gateway procurement was reported as having occurred through the Digital Marketplace panel, rather than the Cloud Marketplace panel;
- one of the two labour hire contracts (CN4076862), which had no option to extend at the time of signing, was incorrectly reported on AusTender as having been extended for six months due to ‘Execution of option, extension, renewal, or other mechanism outlined when the contract was initially awarded’; and
- the office fitout procurement variation amount was reported incorrectly.112
3.73 The DTA incorrectly reported on AusTender that the limited tender office fitout procurement was exempt from the rules of Division 2 of the CPRs as it had an exemption under Appendix A:1 of the CPRs for ‘Leasing of immovable property or any associated rights’.113
3.74 On 5 February 2025, the DTA amended the contract notice on AusTender. The DTA removed reference to the exemption and reported that it had undertaken a limited tender procurement in accordance paragraph 10.3e of the CPRs (‘Additional deliveries by original supplier intended as replacement parts, extensions, or continuation for existing goods or services for compatibility’). As discussed in paragraph 3.12, limited tender was permissible because the services being procured met the definition of construction services and the value of the procurement was under $7.5 million and paragraph 10.3e of the CPRs did not apply. As at June 2025, AusTender had been corrected to provide the correct limited tender condition.
3.75 The office fitout contract was varied twice. The first variation was reported on AusTender 229 days after that variation was signed, 187 days longer than the six week period allowed under the CPRs.114 The second variation was under the threshold for reporting on AusTender.115
3.76 Ensuring that reporting on AusTender is accurate and completed in a timely manner is important in supporting transparency and trust in government.
Opportunity for improvement
3.77 To support transparency, the DTA strengthen its assurance arrangements to ensure all information required to be reported on AusTender is done so accurately and in accordance with the Commonwealth Procurement Rules.
Maintaining records
3.78 The CPRs state that ‘Officials must maintain for each procurement a level of documentation commensurate with the scale, scope and risk of the procurement.’116 Paragraph 7.3 of the CPRs details the documentation that should be maintained.117 Effective records management is required by law and helps entities retain critical sources of evidence for robust public administration, responsive service delivery, and accountability to the Parliament and public.118
3.79 There were shortfalls identified with the DTA maintaining complete procurement records for the four sampled procurements, including:
- aspects of the procurement approach in the limited tender office fitout procurement (see paragraph 3.9);
- information on how COIs were managed (see Recommendation 3 in Table 2.5) and how a declared conflict of interest was managed in the labour hire procurement (see paragraphs 3.45 to 3.51);
- documentation of consideration of cost when assessing value for money for two of the four procurements examined could be improved (see paragraphs 3.59 to 3.68); and
- advice and decisions regarding the procurements were not always documented (see paragraphs 3.93 to 3.98).
Has decision-making been accountable and transparent?
The DTA obtained delegate approval to enter into the original five procurement contracts.
All contracts supporting the procurements were amended. One contract was extended when there was no provision to extend the contract. For another contract, the decision to vary the contract was documented after the variation had been executed. One variation was executed after the previous contract had expired, which is inconsistent with Finance’s guidance.
Advice to delegates (decision-makers) did not demonstrate how the preferred tenderers represented value for money in two of the four sampled procurements. For one of the four procurements, it was not documented how a conflict of interest was managed for all stages of the procurement activity.
For four of five contracts reviewed, the DTA’s payments to suppliers were timely and accurate. The DTA’s payment records were complete. For one contract, two of four payments were not paid within the agreed payment terms and one payment was made to an incorrect bank account of the supplier.
Approval arrangements
Original contracts
3.80 The accountable authority has a duty under section 15 of the PGPA Act to promote the proper use (that is, the efficient, effective, economical and ethical use) and management of public resources for which the accountable authority is responsible.119 This duty applies when approving commitments of relevant money. Under section 23 of the PGPA Act120, an accountable authority may enter into, vary and administer arrangements and approve commitments of relevant money. The Chief Executive Officer of the DTA, as the accountable authority, has delegated these powers to certain DTA officials and imposed conditions on their use. In accordance with subsection 18(1) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)121, the delegate approving a commitment of relevant money must record in writing their approval as soon as practicable after giving it.
3.81 All four procurements had section 23 approval for the initial contract, in accordance with the DTA Financial Delegation.
Contract amendments
3.82 Recommendation 9 in Auditor-General Report No. 5 2022–23 related to the DTA ‘strengthen[ing] its internal guidance and controls to ensure officials do not vary contracts to avoid competition or obligations and ethical requirements under the Commonwealth Procurement Rules.’ As at May 2025, there were a total of seven amendments across the four sampled procurements. Amendments included contract extensions and variations to the contract end date, specified personnel, and increasing the contract value.
3.83 Of the seven amendments that required delegate approval:
- four received the required section 23 approval before the amendment was executed;
- one was approved when there was no option to extend the contract;
- one was approved for the correct amount after the contract amendment had been executed; and
- one was executed after the contract expired.
3.84 The DTA advised the ANAO in May 2025 that:
All DTA officials are appropriately delegated as per the DTA’s Financial Delegation Instrument … to enter and vary arrangements under section 23(1) of the PGPA Act.
3.85 The DTA’s 2021 and 2024 Financial Delegations describe a delegation of ‘Entering into and administering an arrangement’ under PGPA Act subsection 23(1) and give that power to all DTA staff members to the limit of a previously approved spending proposal. The descriptive wording in the delegation does not reference the power to ‘vary’ arrangements, although section 23(1) of the PGPA Act does (see Footnote 120). This inconsistency in the delegations should be rectified.
3.86 Finance guidance states that:
A contract must not be extended unless:
- it contains an option to extend,
- it is value for money to extend the contact and
- the contract has not yet expired.122
3.87 Finance guidance also states that:
An extension option must be exercised in accordance with the terms of the contract…
Extension options should not solely be exercised due to failure to appropriately plan procurement needs, continue supplier relationships, or with the intention of discriminating against a supplier or avoiding competition.123
3.88 One contract (CN4076862) for the labour hire procurement had an end date of 8 January 2025 with no provision to extend and no clauses relating to variation. Having no option to extend was acknowledged in the request to the DTA Chief Operating Officer to approve the variation.124 AusTender records show that on 16 December 2024, the contract end date was extended by six months, listing the amendment as ‘Execution of option, extension, renewal, or other mechanism outlined when the contract was initially awarded’.
3.89 There were two variations relating to the office fitout procurement. Neither was signed by the supplier and for the first variation DTA delegate approval was not appropriately documented before the amendment was executed. The section 23 approval was for less than the total variation amount125 and the delegate’s executive assistant documented the approval instead of the delegate.126 Approval for the full amount of the first variation was obtained 103 days after the variation was signed by the DTA. The second variation was signed after the previous contract had expired, which is inconsistent with Finance’s guidance.
3.90 As discussed in Table 2.5, a briefing provided to DTA senior management in September 2024 stated that ‘Variations are required to be approved by the COO.’ This requirement was not captured in the DTA’s procurement guidance.127 Of the seven variations, two were approved by the COO before the variation was signed, two were approved by the COO after the variation was signed and three were not approved by the COO.128
Recommendation no.4
3.91 The Digital Transformation Agency strengthen its arrangements for contract amendments by:
- establishing clear guidance on internal requirements for contract amendments, including within the Digital Transformation Agency’s delegation instrument; and
- ensuring contract variations are documented in compliance with section 18 of the Public Governance, Performance and Accountability Rule 2014.
Digital Transformation Agency response: Agreed.
3.92 The DTA has established clear guidance on contract amendment processes on its intranet in June 2025. This also includes requirements for officials that are approving commitments of relevant money to record the approval in writing as soon as practical after giving it, in accordance with section 18 of the Public Governance, Performance and Accountability Rule 2014.
Advice to decision-makers
3.93 Recommendation 7 in Auditor-General Report No. 5 2022–23 stated that ‘The Digital Transformation Agency improve its procurement processes to ensure decision-makers are provided complete advice, including information on risk and how value for money would be achieved.’
Advice on value for money
3.94 Paragraph 4.4 of the CPRs states that ‘Officials responsible for a procurement must be satisfied, after reasonable enquiries, that the procurement achieves a value for money outcome.’129
3.95 As discussed in paragraphs 3.59 to 3.68, it was not clear from the evaluation reports for the labour hire and office fitout procurements how the preferred tenderers represented value for money. Where advice received does not provide a clear basis for a decision on value for money, delegates should request clarification.
Advice on probity matters
3.96 Potential COIs were identified and declared by evaluation panel members on the labour hire procurement.130 The evaluation report stated that:
All panel members completed a conflict-of-interest declaration. [A panel member] identified a conflict-of-interest prior to evaluations. The Delegate was informed of this conflict and the proposals set out for managing the conflict.
3.97 At the time of the evaluation report being signed by evaluation panel members, two of the three evaluation panel members (including the panel chair) had not signed a COI declaration (see paragraph 3.39) and the DTA did not document how the delegate was informed of the conflict and the arrangements in place to manage it. The evaluation report did not document what arrangements, if any, were in place to manage the conflict after the initial shortlisting stage of the evaluation. As discussed in paragraphs 3.47 to 3.51, actions undertaken by the panel chair relating to one supplier were not appropriately documented and were not included in the report to the delegate.
Recommendation no.5
3.98 The Digital Transformation Agency strengthen procurement decision-making practices by ensuring delegates consider the completeness and quality of documented advice regarding value for money before providing approval for the commitment of public money.
Digital Transformation Agency response: Agreed.
3.99 The DTA agrees with the necessity for complete and quality documented advice regarding value for money to be provided to the procurement delegate.
3.100 The DTA notes that value for money considerations and justifications provided by the evaluation team are contained within the Evaluation Report for each procurement. Such information is provided to the delegate for approval prior to providing approval for the commitment of public money.
3.101 The Evaluation Reports also provides an outline of the evaluation process and findings to support the evaluation panel’s recommendation, based on technical, commercial and financial evaluation.
3.102 The DTA’s current approach requires that the Evaluation Report contain comprehensive and high-quality documentation regarding value for money. Ongoing training for DTA officials and SES delegates in procurement is designed to further support robust documentation and sound decision-making throughout the evaluation and approval process.
Contract payments
3.103 The Australian Government’s Supplier Pay On-Time or Pay Interest Policy (RMG 417), outlines that non-corporate Commonwealth entities ‘must make all payments to suppliers within the maximum payment terms, following the acknowledgement of the satisfactory delivery of goods or services and the receipt of a correctly rendered invoice’.131 The maximum payment terms are 20 calendar days, unless shorter maximum payment terms are agreed with the supplier. Recommendation 8 in Auditor-General Report No. 5 2022–23 related to the DTA’s arrangements for payments to suppliers.132
3.104 The DTA’s guidance states that invoices must be paid in accordance with the terms and timeframes set out in RMG 417. It further states that the DTA’s standard payment terms are generally 30 days from the invoice date and deviation from the DTA’s standard payment terms requires approval by the DTA’s Chief Financial Officer. The ANAO assessed whether the payments relating to the four sampled procurements: were paid by the invoice due date; were paid within the agreed or maximum payment terms; were for the correct amount; and whether the DTA maintained appropriate payment records for each payment (see Table 3.6).133 For three of the five contracts established, the DTA did not specify the payment terms in the written agreements.
Table 3.6: Assessment of contract payments
Procurement |
AusTender Contract Notice (CN) number |
Payments made by invoice due date |
Payments made within agreed or maximum payment terms |
Payments were accurate |
Appropriate payment records maintaineda |
Value of invoices ($) |
Reuse assessment |
CN4042607 |
◆ |
◆b |
◆ |
◆ |
451,000 |
Cloud native secure internet gateway |
CN4044822 |
◆ |
◆c |
◆ |
◆ |
292,457 |
Labour hired |
CN4076272 |
◆ |
◆b |
◆ |
◆ |
136,201 |
CN4076862 |
◆ |
◆b |
◆ |
◆ |
118,144 |
|
Office fitout |
CN4076895 |
■e |
▲f |
▲g |
◆ |
284,413 |
Key: ■ Not met or not compliant ▲ Partly met or partly compliant ◆ Fully met or fully compliant
Note a: This includes invoices, confirmation of goods receipt and payment receipts.
Note b: As no payment terms were specified in this contract, the maximum payment terms were 20 calendar days, as specified in RMG 417.
Note c: The agreed payment terms were 20 business days.
Note d: Two contracts were awarded and contract payments for both were assessed.
Note e: All four invoices were paid after the invoice due date (the average was 30.5 days after the invoice due date).
Note f: The agreed payment terms were 15 business days.
Note g: While all payment amounts were accurate, the DTA made a payment of $74,389.92 to the wrong bank account (see paragraph 3.106).
Source: ANAO analysis of DTA information.
3.105 For the four sampled procurements, the DTA maintained appropriate records of payments. For three of the four procurements, the DTA made payments by the invoice due date, within the agreed or maximum payment terms and payments were accurate.
3.106 For the office fitout procurement, the invoice due dates were different to the agreed payment terms specified within the contract. The DTA paid two of four invoices within the agreed payment terms and did not pay any invoices by the invoice due date. On 24 June 2024, one payment totalling $74,389.92 was made to an incorrect bank account.134 The DTA contacted the supplier on 9 July 2024 and requested the payment be returned to the DTA. DTA documentation stated that ‘all teams had been advised to be cautious in the future and carry out necessary checks before processing’. Following the DTA’s investigation into how to recover the payment, the DTA decided to not progress the remaining two invoices to the supplier until the $74,389.92 was recovered.135 After the funds were returned to the DTA on 11 September 2024, it took approximately one month for the DTA to reconcile payments and make the outstanding payments to the correct account. The supplier followed up with the DTA on three occasions to request the outstanding payments be made, including advising the DTA that legal action would be commenced if the payments were not settled.
Opportunity for improvement
3.107 The DTA update its guidance to ensure alignment with the Australian Government’s Supplier Pay On-Time or Pay Interest Policy (RMG 417) and that payment terms are specified in contracts with suppliers.
Appendices
Appendix 1 Entity responses
Digital Transformation Agency




Department of Finance

Appendix 2 Improvements observed by the ANAO
1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.
2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.
3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include
- strengthening governance arrangements;
- introducing or revising policies, strategies, guidelines or administrative processes; and
- initiating reviews or investigations.
4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.
Table A.1: Improvements at the DTA observed by the ANAO
Action |
Report paragraph |
On 2 December 2024, an evaluation panel member, for a sampled procurement included in this audit, completed a conflict-of-interest declaration for a procurement where the evaluation report was signed on 10 April 2024. |
3.39 |
In February 2025, the DTA advised that the conflict-of-interest template was updated to remove redundant sign-off requirements and require the procuring delegate to approve the proposed resolution action when a conflict is declared. |
Relevant to 3.30–3.41 |
Between February and April 2025, the DTA updated its risk management guidance, including the procurement risk register and treatment plan template, the risk management policy, and the risk management framework. |
3.27 |
In May 2025, the DTA advised the ANAO that it updated its COI register to include the missing COI declarations from three of the sampled procurements. |
3.41 |
In May 2025, the DTA advised the ANAO that it had commenced an uplift of internal capability. The DTA advised that this includes:
|
Various |
As stated in the DTA CEO’s entity response contained in Appendix 1, the DTA has advised that the DTA’s ‘internal audit provider will continue their rolling audits of procurement activities, and we are further implementing monitoring controls around the DTA’s closure of audit recommendations’. |
Appendix 1 |
Table A.2: Improvements at Finance observed by the ANAO
Action |
Report paragraph |
In December 2024, Finance advised that in October to November 2024, it reviewed risk ratings for open JCPAA and Auditor-General recommendations. Following an assessment by Finance’s internal audit partner, Finance advised that it assigned risk ratings in the audit recommendations tracker for JCPAA and Auditor-General recommendations. |
Table 2.1 |
In April 2024, Finance advised that work to finalise an implementation plan template and supporting guidance was underway. |
Table 2.1 |
In April 2024, Finance advised that further work was underway to finalise internal and external guidance for officials responsible for monitoring agreed parliamentary committee and Auditor-General recommendations. |
2.16 |
In June 2025, Finance advised that they had developed a draft implementation plan template and guidance to support the implementation of their recommendations. |
2.8 |
Appendix 3 Recommendations included in the audit
Table A.3: The DTA agreed recommendations included in the audit and the DTA’s assessment of implementation
Recommendation number |
Recommendation |
ANAO’s summary of key findings from reports leading to the recommendation |
DTA’s assessment |
Joint Committee of Public Accounts and Audit, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement |
|||
11 |
The Committee recommends that the Digital Technology Agency provide an update to the Committee five months from the tabling of this report on the progress of its improvements to its procurement processes, including:
|
In Report 498, in paragraph 3.98, the JCPAA stated:
|
Implemented |
13 |
The Committee recommends that the Digital Transformation Agency’s audit committee review the agency’s procurement risk and its internal procurement controls, and ensure that procurement is a subject of the agency’s internal audit program. |
In Report 498, in paragraph 3.102, the JCPAA stated that the DTA’s audit committee:
|
Implemented |
Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services |
|||
1 |
The Digital Transformation Agency implement a system of risk management that ensures procurement risks are being monitored, managed and escalated appropriately. |
Paragraphs 2.21 to 2.31: while the DTA established guidance on risk management, the guidance was not applied systematically. The audit found:
|
Implemented |
2 |
The Digital Transformation Agency:
|
Paragraphs 2.32 to 2.45: the audit identified gaps in staff capability and understanding of procurement requirements and fraud processes. There was an incident of potential fraud and the DTA’s investigation was not undertaken in line with the DTA Fraud and Corruption Control Plan, which required use of the Australian Government Investigations Standards. There was no fraud incident register despite this being required by the DTA’s Fraud and Corruption Control Plan. There were low levels of DTA staff completion of voluntary fraud awareness training and mandatory procurement and finance training. |
Implemented |
3 |
The Digital Transformation Agency:
|
Paragraphs 2.57 to 2.68: the DTA’s procurement approach fell short of ethical standards and there were inadequate probity measures. For example, the DTA did not consistently require officials to declare activity-specific conflicts of interest, and no officials signed declarations related to probity for any of the nine procurements examined. In one procurement, where there was a potential probity breach, the delegate was not informed and the contract was varied a further two times. |
Implemented |
4 |
The Digital Transformation Agency align its approach to market processes with the Commonwealth Procurement Rules, with a focus on:
|
Paragraphs 3.2 to 3.33, including Table 3.1: none of the nine procurements’ approach to market processes fully complied with the Commonwealth Procurement Rules. For five procurements, the DTA did not estimate the maximum value of procurements before a decision was made on the procurement method. For seven procurements, the DTA did not undertake a risk assessment. The two completed risk assessments were not consistent with DTA guidance on how to assess and rate risk. The DTA did not maintain appropriate records of the approach to market for seven procurements. |
Implemented |
6 |
The Digital Transformation Agency improve its tender evaluation processes to:
|
Paragraphs 3.59 to 3.65, including Table 3.5: for six of the examined procurements, the DTA did not maintain appropriate records of the evaluation phase, such as a record of evaluation criteria, how value for money was considered and an evaluation report. For three of the examined procurements, the DTA maintained most of the key records, but evaluation criteria and tenderer debriefings were not always documented. |
Implemented |
7 |
The Digital Transformation Agency improve its procurement processes to ensure decision-makers are provided complete advice, including information on risk and how value for money would be achieved. |
Paragraphs 3.66 to 3.76, including Table 3.6: the ANAO found examples of the DTA not providing complete advice to decision-makers. Advice to decision-makers did not consistently provide a statement on how value for money was considered and achieved. Seven of the procurements examined did not have advice to decision-makers that included information on risks or how they would be managed. |
Implemented |
8 |
The Digital Transformation Agency:
|
Paragraphs 4.16 to 4.24, including Table 4.2: there were issues with the timeliness, accuracy or recordkeeping of payments for eight of the nine procurements examined. For eight of the procurements there were instances of late payments, for one there were inaccurate payments, and for five there were incomplete records. In one procurement, the ANAO identified two duplicate payments, which resulted in overpayments totalling $380,600. The ANAO found that there was a risk that overpayments could occur, particularly if DTA officials are not well trained or are not enforcing controls, and there was a risk of privileged users overriding controls. The ANAO identified that improvements could be made for training and management of internal payment controls such as contract management, cost centre reporting and monitoring of privileged users’ activity, and that the DTA should verify the effectiveness of its payment controls. |
Implemented |
9 |
The Digital Transformation Agency strengthen its internal guidance and controls to ensure officials do not vary contracts to avoid competition or obligations and ethical requirements under the Commonwealth Procurement Rules. |
Paragraphs 4.32 to 4.41, including Table 4.3 and Table 4.4: The DTA did not manage contracts effectively, leading to issues in achieving value for money. The DTA’s reporting of procurement activities lacked transparency, particularly in cases where non-competitive approaches were used. For example, the DTA directly sourced suppliers, which does not support the intent of the CPRs, including the achievement of value for money. In one case, the DTA changed the scope and substantially increased the value of the contract through 10 variations, without effective monitoring of performance against expectations. In this procurement, the DTA increased the contract value from $121,000 to almost $5 million over two years without adequate documentation or justification, indicating a lack of adherence to its own procurement policies and procedures. Finance guidance states that contracts should not be extended by variation due to a failure to appropriately plan procurement needs, to continue supplier relationships, or with the intention of avoiding competition or obligations under the CPRs.a |
Implemented |
Note a: Department of Finance, Contracts End Dates [Internet], available from https://www.finance.gov.au/government/procurement/buying-australian-government/contracts-end-dates [accessed 16 September 2025].
Source: JCPAA, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement (2023); Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services, ANAO, Canberra, (2022); and ANAO analysis.
Table A.4: Finance recommendations included in the audit and Finance assessment of implementation
Recommendation number |
Recommendation |
ANAO’s summary of findings leading to the recommendation |
Finance’s assessment |
Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services |
|||
5 |
The Australian Government implement reporting requirements for procurements from standing offers, such as panels, to provide transparency on whether an opportunity was open to all suppliers and, if not, how many suppliers were approached. |
Paragraphs 3.34 to 3.44: the audit identified that increased transparency on AusTender as to whether an opportunity was open to all suppliers on a panel, and the number of suppliers approached, would encourage entities to conduct competitive procurements and would help achieve value for money outcomes. |
Implemented |
Source: Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services, ANAO, Canberra, (2022); and ANAO analysis.
Footnotes
1 Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services, ANAO, Canberra, 2022, paragraphs 11–14, available from https://www.anao.gov.au/work/performance-audit/digital-transformation-agency-procurement-ict-related-services.
2 As discussed in paragraphs 2.20 and 2.21, the Department of Finance (Finance) reported the recommendation as ‘open’ to its Audit and Risk Committee from November 2022 and Finance’s response to a similar recommendation in Joint Committee of Public Accounts and Audit Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement (Recommendation 9) indicated that Finance agreed to implement the Auditor-General recommendation.
3 Joint Committee of Public Accounts and Audit (JCPAA), Parliament of Australia, Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement (2023), p. xi,available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Report [accessed 16 September 2025].
4 The Digital Transformation Agency’s (DTA’s) response is available at Parliament of Australia. Parliament of Australia, Government Response Executive Minute Digital Transformation Agency — Report 498 — Recommendations 11 and 13, Parliament of Australia, Canberra, 2024, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Government_Response [accessed 16 September 2025].
5 When the Auditor-General report was tabled in September 2022, the recommendation was made to the Australian Government and Finance ‘noted’ the recommendation, in accordance with normal practice.
6 JCPAA, Parliament of Australia, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement, (2023), available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Report [accessed 16 September 2025], p. xx.
7 Parliament of Australia, Executive Minute — Australian National Audit Office - Report 498 — Recommendations 12, 16 and 19, Parliament of Australia, Canberra, 5 December 2023, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Government_Response [accessed 16 September 2025].
8 AusTender ‘is the Australian Government’s procurement information system which provides centralised publication of Business Opportunities, Annual Procurement Plans and Contracts awarded’. See Australian Government, What is AusTender?, AusTender, Canberra, 2025, available from https://help.tenders.gov.au/getting-started-with-austender/what-is-austender/#:~:text=AusTender%20is%20the%20Australian%20Government%27s,Procurement%20Plans%20and%20Contracts%20awarded [accessed 16 September 2025].
9 The Australian National Audit Office’s (ANAO’s) 2022 audit (Auditor-General Report No. 5 2022–23) did not include procurements related to whole-of-government arrangements.
10 The DTA provided the ANAO with details of its assessment of the applicability of the recommendations to the DTA’s whole-of-government procurement activities in August 2025.
11 Auditor-General Report No. 5 2022–23 Digital Transformation Agency’s Procurement of ICT Related Services, ANAO, Canberra, 2022, paragraphs 11–14, available from https://www.anao.gov.au/work/performance-audit/digital-transformation-agency-procurement-ict-related-services.
12 As discussed in paragraphs 2.20 and 2.21, Finance reported the recommendation as ‘open’ to its Audit and Risk Committee from November 2022 and Finance’s response to a similar recommendation in JCPAA Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement (Recommendation 9) indicated that Finance agreed to implement the Auditor-General recommendation.
13 JCPAA, Parliament of Australia, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement, (2023), available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Report [accessed 16 September 2025], p. xi.
14 Parliament of Australia, Government Response Executive Minute Digital Transformation Agency—- Report 498 — Recommendations 11 and 13, Parliament of Australia, Canberra, 2024, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Government_Response [accessed 16 September 2025].
15 When the Auditor-General report was tabled in September 2022, the recommendation was made to the Australian Government and Finance ‘noted’ the recommendation, in accordance with normal practice.
16 JCPAA, Parliament of Australia, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement (2023), p. xx.
17 Parliament of Australia, Executive Minute — Australian National Audit Office — Report 498 — Recommendations 12, 16 and 19, Canberra, 5 December 2023, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Government_Response [accessed 16 September 2025].
18 AusTender ‘is the Australian Government’s procurement information system which provides centralised publication of Business Opportunities, Annual Procurement Plans and Contracts awarded’. See Australian Government, What is AusTender?, AusTender, Canberra, 2025, available from https://help.tenders.gov.au/getting-started-with-austender/what-is-austender/#:~:text=AusTender%20is%20the%20Australian%20Government%27s,Procurement%20Plans%20and%20Contracts%20awarded [accessed 16 September 2025].
19 The ANAO’s 2022 audit (Auditor-General Report No. 5 2022–23) did not include procurements related to whole-of-government arrangements.
20 The DTA provided the ANAO with an assessment of the applicability of the recommendations to the DTA’s whole-of-government procurement activities in August 2025.
21 Australian National Audit Office (ANAO), Audit Insights: Implementation of Recommendations, ANAO, Canberra, June 2021, available from https://www.anao.gov.au/work/insights/implementation-recommendations [accessed 16 September 2025].
22 ibid.
23 ibid.
24 JCPAA Recommendation 11 was assigned to the DTA Chief Operating Officer (COO) and JCPAA Recommendation 13 was assigned to the COO and the DTA Audit and Risk Committee (ARC). The DTA assigned three Auditor-General recommendations jointly to the COO and Chief Financial Officer (CFO) and five recommendations to the CFO. When the Auditor-General recommendation closure packs were presented to the DTA ARC in September 2024, the responsible officer had changed to the DTA CFO.
25 The Executive Board sets strategic direction, provides strategic leadership and monitors the performance of the DTA including overseeing corporate planning and monitoring of organisational risks. The Executive Board comprises the Chief Executive Officer, COO, General Manager Strategy Planning and Performance and General Manager Digital Investment Advice and Sourcing.
26 Auditor-General Report No. 17 2023–24 Implementation of Parliamentary Committee and Auditor-General Recommendations — Department of Finance, ANAO, Canberra, 2023, paragraph 2.28, available from https://www.anao.gov.au/work/performance-audit/implementation-parliamentary-committee-and-auditor-general-recommendations-department-of-finance [accessed 16 September 2025].
Auditor-General Report No. 17 2023–24 tabled on 22 February 2024 and contained a recommendation for Finance ‘to strengthen its internal planning arrangements for the implementation of agreed parliamentary committee and Auditor-General recommendations.’ In June 2025, Finance had a draft audit implementation plan and guidance document in place to support its implementation planning.
27 While Recommendation 1 from Auditor-General Report No. 17 2023–24 is still being implemented, documentation of timeframes and action items represents an improvement on practices observed in that Auditor-General report.
28 Audit committees frequently have a role in oversight of implementation of recommendations. The Department of Finance Resource Management Guide 202 includes a potential function of an audit committee being ‘satisfying itself that the entity has appropriate mechanisms for reviewing relevant parliamentary committee reports, external reviews and evaluations of the entity and implementing, where appropriate, any resultant recommendations.’
Department of Finance, A guide for non-corporate Commonwealth entities on the role of audit committees, Finance, Canberra, 2023 available from https://www.finance.gov.au/sites/default/files/2021-10/Guide%20for%20non-corporate%20Commonwealth%20entities%20on%20the%20role%20of%20audit%20committees_0.pdf [accessed 16 September 2025].
29 The DTA’s ARC Charter states that:
The committee will satisfy itself that the DTA has appropriate mechanisms for reviewing relevant parliamentary committee reports, external reviews and evaluations of the DTA and implementing, where appropriate, any resultant recommendations.
30 The ARC has a standing agenda item for internal audit updates.
31 Of these, there were 10 updates (one verbal and nine written) on seven of the eight selected Auditor-General recommendations; and 12 updates (one verbal and 11 written) for Recommendation 2.
32 All eight recommendations were closed in August 2023 and in January 2024, and the DTA advised the JCPAA that they had been implemented (see Table 2.4). As discussed in Table 2.6, in response to this management initiated review, the DTA’s ARC requested that the recommendations be reopened.
33 JCPAA Recommendation 11 was for the DTA to ‘provide an update to the Committee five months from the tabling of this report on the progress of its improvements to its procurement processes’. On 6 September 2023, the JCPAA Secretary confirmed in email correspondence with the DTA that the chair of the JCPAA ‘is happy for all responses to be within a six month time frame’. Therefore, the ANAO considered the required timeframe to be within six months of the tabling of the report.
34 The audit recommendation tracker is an electronic system used for monitoring JCPAA and Auditor-General recommendations. The system provides functionality to track the implementation of recommendations, including documenting responsible officers, risk ratings, due dates, updates provided by responsible officers and supporting attachments.
35 The Finance ARC is responsible for reviewing Finance’s system of internal control, including monitoring the implementation of agreed actions from external reviews, and provides independent advice to the accountable authority on the appropriateness of Finance’s system of internal control.
36 Finance advised the ANAO in April 2025 that for the one meeting where no update was provided, the item was not on the agenda.
37 After a recommendation is proposed for closure to the Finance ARC, the Finance ARC decides whether or not to endorse closure and the coordinating branch advises the relevant business area of the outcome. Finance’s recommendation closure processes are discussed in paragraphs 2.42 and 2.43.
38 Finance’s Executive Board has similar responsibilities to the DTA’s Executive Board (see footnote 25) and is comprised of the Secretary and Deputy Secretaries.
39 While Finance ‘noted’ the recommendation, Finance advised the JCPAA in response to a similar recommendation (Recommendation 9) in Report 498 that:
Finance agreed to previous recommendations to increase transparency on the number of suppliers invited to quote. Under the Buy Australian Plan, the Government will increase transparency by improving AusTender, requiring procuring officials to report their justification for exercising contract variations or extending contracts, and further information will be required regarding the procurement process, such as reporting the number of suppliers invited to participate in the procurement process.
Report 498 included 11 recommendations to Finance. See JCPAA, Parliament of Australia, Report 498: ‘Commitment issues’ — An inquiry into Commonwealth procurement (2023), available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Report [accessed 16 September 2025].
40 Auditor-General Report No. 14 2024–25 Implementation of Parliamentary Committee and Auditor-General Recommendations — Indigenous Affairs Portfolio, ANAO, Canberra, 2024, paragraph 3.3, available from https://www.anao.gov.au/work/performance-audit/implementation-of-parliamentary-committee-and-auditor-general-recommendations-indigenous-affairs [accessed 16 September 2025].
41 ibid., paragraph 2.36.
42 One of the DTA’s strategic objectives is to ‘Manage whole-of-government digital and ICT strategic sourcing and contracts.’ This involves undertaking procurement activities to establish and refresh whole-of-government ICT procurement arrangements, such as single sourcing arrangements and procurement panels. Digital Transformation Agency, Corporate Plan 2025-26, DTA, September 2025, available from https://www.dta.gov.au/corporate-plan-2025-26 [accessed 16 September 2025].
43 The DTA generally used inclusive terms such as ‘for all procurements’, ‘for each procurement’, and ‘for all officers involved in procurements’ when reporting to the ARC.
44 DTA’s establishment of whole-of-government procurement arrangements was reviewed in Auditor-General Report No. 4 2020–21 Establishment and Use of ICT Related Procurement Panels and Arrangements, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/establishment-and-use-ict-related-procurement-panels-and-arrangements [accessed 16 September 2025]. Auditor-General Report No. 4 2020–21 contained recommendations to the DTA that were specific to the establishment of procurement panels and arrangements and for procurement processes more broadly.
45 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) states that:
The accountable authority of a Commonwealth entity must establish and maintain:
- an appropriate system of risk oversight and management for the entity; and
- an appropriate system of internal control for the entity;
including by implementing measures directed at ensuring officials of the entity comply with the finance law.
46 The previous version of the internal audit manual (dated July 2023) did not refer to recommendation closure.
47 Finance prepared more than one closure report because Finance implemented this Auditor-General recommendation alongside recommendation 9 from JCPAA Report 498. This recommendation related to amending reporting requirements on AusTender for procurements, including from panels and standing offers, to show how many suppliers were invited to submit quotes, as recommended by the ANAO. Report 498 directed 11 recommendations to Finance, none of which were in the scope of this audit. Parliament of Australia, JCPAA Report 498: ‘Commitment issues’ - An inquiry into Commonwealth procurement, August 2023, paragraph 2.177, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/CommonwealthProcurement/Report [accessed 16 September 2025].
48 One procurement resulted in two separate contracts being established.
49 References to the CPRs refer to the 1 July 2024 version of the CPRs. Similar requirements were in place in previous versions of the CPRs. When assessing procurements during the audit, the ANAO assessed against the requirements applicable at the time the procurement was undertaken.
50 These were: Recommendation 4, which addressed procurement method, risk management and record keeping; and Recommendation 6, which addressed the incorporation of evaluation criteria into evaluation processes, which are typically determined at the planning stage. See Appendix 3 for a complete list of recommendations. The ANAO’s assessment of the implementation status of these recommendations is in Table 2.5.
51 The procurement and evaluation plan template includes fields for:
- the requirement for the procurement;
- the estimated value of the procurement;
- evaluation criteria and evaluation process;
- suppliers to be approached and the justification for selecting them; and
- risk assessment outcomes.
52 The checklist for the cloud native secure internet gateway procurement had two incomplete steps.
53 The DTA had a limited tender procurement plan template available at the time of undertaking this procurement but this was not used. The template addresses significant elements of a limited tender procurement, including:
- what the requirement is and why the procurement is needed;
- documentation of market research and suitability assessment;
- justification for limited tender instead of undertaking an open (competitive) approach to the market;
- which CPR limited tender condition or Appendix A exemption applies; and
- previous engagements with a proposed supplier.
54 Finance, CPRs (1 July 2024), paragraph 9.8 states: ‘Open tender involves publishing an open approach to market and inviting submissions. This includes multi-stage procurements, provided the first stage is an open approach to market.’
55 ibid., paragraph 9.9 states: ‘Limited tender involves a relevant entity approaching one or more potential suppliers to make submissions, when the process does not meet the rules for open tender.
56 ibid., paragraph 9.7 states:
When the expected value of a procurement is at or above the relevant procurement threshold and an exemption in Appendix A is not applied, the rules in Division 2 must also be followed. The procurement thresholds (including GST) are:
- for non-corporate Commonwealth entities, other than for procurements of construction services, the procurement threshold is $80,000;
- for prescribed corporate Commonwealth entities, other than for procurements of construction services, the procurement threshold is $400,000; or
- for procurements of construction services by relevant entities, the procurement threshold is $7.5 million.
57 ibid., paragraph 10.3 lists circumstances where limited tender above the relevant threshold is allowable. Appendix A (p. 31) of the CPRs lists 17 kinds of goods and services that are exempt from the rules of Division 2 of the CPRs, and from some paragraphs of Division 1.
58 ibid., paragraph 9.2, p. 22.
59 The DTA’s procurement checklist and procurement and evaluation plan templates require an estimate of the expected value of a procurement to be made before a decision on the procurement method is made. The DTA’s requirements for estimation includes the factors outlined in the CPRs.
60 The reuse assessment procurement and evaluation plan included information on how the estimate was calculated.
61 The Australian Government’s Indigenous Procurement Policy Mandatory Set-Aside (MSA) ‘arrangements provide Indigenous SMEs with the opportunity to demonstrate value for money before the procuring official makes a general approach to the market.’ The MSA applies to: all remote procurements; and all other procurements wholly delivered in Australia where the estimated value of the procurement is between $80,000 - $200,000 (GST inclusive).
National Indigenous Australians Agency, Indigenous Procurement Policy, NIAA, Canberra, July 2025, available from https://www.niaa.gov.au/resource-centre/indigenous-procurement-policy [accessed 16 September 2025], p. 15. The $80,000 - $200,000 threshold was also contained in the previous version of the policy which was the version in place when these procurements were undertaken.
62 Finance, CPRs (1 July 2024), paragraph 5.1, p. 15.
63 Finance guidance states:
A panel arrangement is a way to procure goods or services regularly acquired by entities. In a panel arrangement, suppliers have been appointed to supply goods or services for a set period of time under agreed terms and conditions, including agreed pricing. Once a panel has been established, an entity may then purchase directly from the panel by approaching one or more suppliers.
Department of Finance, Procurement Process Consideration, Finance, Canberra, 2024,available at https://www.finance.gov.au/government/procurement/buying-australian-government/procuring-panel-panels-101, [accessed 16 September 2025].
64 Appendix B of the CPRs define standing offer as:
an arrangement setting out the terms and conditions, including a basis for pricing, under which a supplier agrees to supply specified goods and services to a relevant entity for a specified period.
Finance, CPRs (1 July 2024), Appendix B, p. 34.
65 ibid., paragraph 9.14, p. 23.
66 Suppliers on the Digital Marketplace panel are grouped in specified categories by area of expertise.
67 As discussed in footnote 56, paragraph 9.7 of the CPRs establishes the threshold for limited tender of construction services at $7.5 million.
68 A draft version of the procurement and evaluation plan stated that ‘A selection of suppliers have been identified based on previous experience of similar works conducted for the DTA and/or within the same building as advised by … Building Management’.
69 The DTA advised the ANAO in May 2024 that ‘The original number of 5 suppliers included one offshore based entity which was then disregarded.’
70 See Appendix 3 for the full recommendation.
71 These were the reuse assessment, cloud native secure gateway and labour hire procurements.
72 The cloud native secure internet gateway procurement request documentation included mandatory requirements that had similar technical requirements but did not contain the evaluation criteria in the evaluation plan. The evaluation used the requirements listed in the request documentation to assess supplier’s responses.
73 Finance, CPRs (1 July 2024), paragraph 8.2, p. 22.
74 These were Recommendation 1 and Recommendation 4 (see Appendix 3 for details).
75 Risk owners are accountable for managing, monitoring, reporting and escalating risks. Department of Finance, Commonwealth Risk Management Policy, Finance, Canberra, 2022, p. 4.
76 Treatment owners are responsible for implementing and monitoring treatments where the controls in place are ineffective and further mitigation activities are required. Department of Finance, Commonwealth Risk Management Policy, Finance, Canberra, 2022, p. 4.
77 Other examples of issues include:
- The DTA’s guidance contained inconsistencies in the risk matrix (likelihood and consequences) categories; and
- within all of the risk assessments, some or all risk categories either did not align with the Risk Management Policy or were not identified.
78 In addition, the Finance PGPA Glossary defines ethical, in relation to the proper use of public resources, as:
The extent to which the proposed use is consistent with the core beliefs and values of society. Where a person behaves in an ethical manner it could be expected that a person in a similar situation would undertake a similar course of action. For the approval of proposed commitments of relevant money, an ethical use of resources involves managing conflicts of interests, and approving the commitment based on the facts without being influenced by personal bias. Ethical considerations must be balanced with whether the use will also be efficient, effective and economical.
79 These are: fairness and impartiality; consistency and transparency of process; security and confidentiality; identification and resolution of actual or perceived conflicts of interest; compliance with legislative obligations and government policies as they apply to competitive tendering and contracting; and accountability.
80 In the Probity Guideline, the Responsible Person is defined as either the:
- Delegate
- Tender Evaluation Panel Chair
- Chief Financial Officer
- Assistant Director, Corporate Procurement or
- DTA Corporate Procurement Advisor
as appropriate to the individual circumstances and Procurement requirements.
81 The same information is included in the mandatory procurement checklist.
82 There was no evidence that relevant officials established that appropriate arrangements were already in place, in accordance with the requirements discussed in paragraph 3.34.
83 As discussed in paragraph 3.31, paragraph 6.7 of the CPRs states that ‘Officials undertaking procurement must seek to prevent corrupt practices by recognising and dealing with actual, potential and perceived conflicts of interest and not accepting inappropriate gifts or hospitality’.
84 The following were missing from the COI register: one COI declaration for the cloud native secure internet gateway procurement; two COI declarations for the labour hire procurement; and three COI declarations for the office fitout procurement.
85 As discussed in paragraph 3.39, the evaluation panel chair signed a COI declaration four days after signing the evaluation report. The other panel member’s COI declaration was signed six months after signing the evaluation report. The evaluation panel chair identified that they worked with the incumbent contractor but did not have a close working relationship with them and the evaluation panel member declared that they worked closely with the same contractor.
86 Other actions listed included maintaining communication with the delegate and other panel member to keep ‘everyone informed about the conflict of interest and the measures being taken to manage it’.
87 The ‘labour hire’ procurement resulted in contracts being awarded to two separate suppliers, which differed from the original intent of the procurement.
88 For the incumbent, the hourly rate reflected in the candidate’s response and the DTA’s detailed records of evaluation was $192.50 (GST inclusive). The evaluation report documented the candidate’s hourly rate was $170.00 (GST inclusive). There was no explanation provided in the evaluation report for why the rate changed between the evaluation assessment and the evaluation report. The contract with the supplier was at the lower rate of $170.00.
89 The DTA advised the ANAO in May 2025 that an ‘internal review’ was undertaken into this procurement. The ANAO did not assess this review.
90 Advice to the delegate regarding this matter is discussed further in paragraphs 3.96 to 3.97.
91 The Probity Guideline states that ‘All communication should be in writing, where practical, and limited to factual answers only and personal opinions should not be provided. Any verbal communications with Suppliers are to be noted and logged for future reference.’
92 Finance, CPRs (1 July 2024), paragraph 4.4, p. 12.
93 ibid paragraph 7.3, p. 18.
94 See paragraph 3.20.
95 For both procurements, the evaluation report documented consideration of the capability of the supplier to deliver the require services, price and risk consistent with the evaluation process.
96 There were three essential criteria and two desirable criteria defined.
97 This is also discussed in paragraphs 3.39 and 3.45 to 3.51. The incumbent’s contract was expiring and a new procurement activity was required under the CPRs.
98 The evaluation report documented that the first and third ranked candidates had hourly rates of $142 and $151.25, including GST respectively. The second ranked (incumbent) candidate’s hourly rate was $170, including GST.
99 For the incumbent, the hourly rate reflected in the candidate’s response and the DTA’s detailed records of evaluation was $175.00 (excluding GST). The evaluation report documented the candidate’s hourly rate was $170.00 including GST. There was no explanation provided in the evaluation report for why the rate changed between the evaluation assessment and the evaluation report. When engaged, the contract with the supplier was at the lower rate of $170.00.
100 The six-month contract was later extended for an additional six months when there was no provision for an extension provided in the contract (see paragraph 3.88).
101 The CPRs define request documentation as:
documentation provided to potential suppliers to enable them to understand and assess the requirements of the procuring relevant entity and to prepare appropriate and responsive submissions. This general term includes documentation for expressions of interest, open tender and limited tender.
See Finance, CPRs (1 July 2024), Appendix B, p. 34.
102 The DTA advised the ANAO in May 2025 that the fourth technical capability relating to the generic design principles ‘was not included as a criteria reflected in the evaluation report as the design of the office layout was provided by the DTA and the vendors were expected to provide a [sic] overall picture of how this would be factored into consideration.’
103 ‘Poor’ was defined as: ‘Credible but extremely limited. Response has minor omissions. Response demonstrates only a marginal capability, capacity and experience relevant to, or understanding of, the requirements of the evaluation criterion. Unacceptable risk.’
104 The unsuccessful tenderer received a score of 1 out of 5.
105 ‘CDC’ means a Complying Development Certificate.
106 Under a section called ‘Value for money considerations’, the evaluation report stated:
The panel considered the following points when assessing value for money:
- Meeting all items within project scope
- Meeting all obligations to meet building code and certification.
- Ability to deliver on time.
- Experience in delivery requirements.
107 A similar requirement existed in the CPRs effective 1 July 2022 which were applicable at the time of this procurement although notifications were not required to be in writing.
108 Finance, CPRs 1 July 2024 paragraph 7.18.
109 As discussed in paragraph 3.1 and Table 3.1, one of the three panel procurements resulted in the creation of two separate contracts.
110 The office fitout contract was initially published on AusTender within the required timeframe with an incorrect Australian Business Number. The DTA deleted this AusTender record and published a new contract notice outside of the 42 day timeframe.
111 The contract period was from 18 March 2024 to 22 May 2024. The contract period published on AusTender was 25 March 2024 to 24 May 2024.
112 The variation amount was $34,983.30 and the amount reported on AusTender was $36,416.48.
113 Appendix A of the CPRs outlines where certain procurements are exempt from the rules of Division 2 of the CPRs. Division 2 of the CPRs sets out additional rules for procurements at or above the relevant procurement threshold. The requirements of Division 2 of the CPRs did not apply to the office fit procurement as it was below the relevant procurement threshold of $7.5 million for procurement of construction services outlined in paragraph 7.18 of the CPRs. See Finance, CPRs (1 July 2024).
114 The DTA advised the ANAO in August 2025 that ‘the variation to this procurement was reported 187 days late due to the DTA resolving an incorrect payment prior to further invoice processing and reconciliation of total contract value.’ Contract payment issues for this procurement are discussed in paragraph 3.106.
115 The second variation was not required to be reported on AusTender as it was below the $10,000 reporting threshold in the CPRs. See Finance, CPRs 1 July 2024 paragraph 7.19.
116 ibid., paragraph 7.2, p. 18.
117 The CPRs 1 July 2024 paragraph 7.3 states that:
Documentation should provide accurate and concise information on:
- the requirement for the procurement;
- the process that was followed;
- how value for money was considered and achieved;
- relevant approvals; and
- relevant decisions and the basis of those decisions.
ibid., paragraph 7.3, p. 18.
118 Australian National Audit Office, Insights: Records Management, ANAO, Canberra, 2025, available from https://www.anao.gov.au/work/insights/records-management [accessed 16 September 2025].
119 Section 15 of the PGPA Act states that:
- The accountable authority of a Commonwealth entity must govern the entity in a way that:
- promotes the proper use and management of public resources for which the authority is responsible; and
- promotes the achievement of the purposes of the entity; and
- promotes the financial sustainability of the entity.
- In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.
120 Section 23 of the PGPA Act states that:
- The accountable authority of a non-corporate Commonwealth entity may, on behalf of the Commonwealth:
- enter into arrangements relating to the affairs of the entity; and
- vary and administer those arrangements.
- An arrangement includes a contract, agreement, deed or understanding.
- The accountable authority of a non-corporate Commonwealth entity may, on behalf of the Commonwealth, approve a commitment of relevant money for which the accountable authority is responsible.
121 Under subsection 18(1) of the PGPA Rule:
If:
- the accountable authority of a Commonwealth entity is approving the commitment of relevant money for which the accountable authority is responsible; or
- an official of a Commonwealth entity is approving the commitment of relevant money for which the accountable authority of a Commonwealth entity is responsible;
then the accountable authority or official must record the approval in writing as soon as practicable after giving it.
122 Department of Finance, Contract Variations, Finance, Canberra, available at https://www.finance.gov.au/government/procurement/buyright/contract-variations [accessed 16 September 2025].
123 Department of Finance, Contract End Dates, Finance, Canberra, 2023, available at https://www.finance.gov.au/government/procurement/buying-australian-government/contracts-end-dates [accessed 16 September 2025].
124 The request also included the basis of the proposed variation, which was to allow transition to a subsequent arrangement and was approved.
125 The amount listed in the approval was $7,351.43 less than the amendment amount.
126 The delegate was copied into in the approval email. As discussed in footnote 121, subsection 18(1) of the PGPA Rule requires that the accountable authority or official record the approval in writing as soon as practicable. This requirement is also outlined in the DTA’s operational guidelines for approving spending, which states that ‘You cannot sub-delegate your delegation to someone else or authorise someone else to give approvals on your behalf’ and ‘Verbal approval for a spending proposal can be provided by a delegate, provided they document this approval in writing as soon as possible after giving it.’
127 This requirement was captured in a procurement factsheet created in May 2025. According to the factsheet, for variations ‘Following clearance by Corporate Procurement, the business case is submitted to the Chief Operating Officer (COO) for review and the procuring delegate for approval.’
128 The three variations not approved by the COO related to changes in specified personnel and the execution of an extension option.
129 Finance, CPRs (1 July 2024), paragraph 4.4, p. 12.
130 See paragraphs 3.39 and 3.45 to 3.51.
131 Department of Finance, Supplier Pay On-Time or Pay Interest Policy (Resource Management Guide 417), Finance, Canberra, 2020, available at https://www.finance.gov.au/publications/resource-management-guides/supplier-pay-time-or-pay-interest-policy-rmg-417 [accessed 16 September 2025].
132 Recommendation 8 stated:
The Digital Transformation Agency:
- improve its training and management of internal payment controls; and
- conduct an internal compliance review or audit within the next 12 months to verify the
effectiveness of its payment controls.
133 The ANAO examined payments for all invoices issued by the five suppliers up to 20 January 2025. Payments relating to the labour hire and cloud procurements were underway at the time of this report.
134 The payment was processed incorrectly to a bank account that the supplier believed had been closed. The supplier had provided a different bank account on the invoice provided to the DTA.
135 It was found that the bank account had not been closed and the supplier did have access to the funds.