Introduction

1.1 Australia’s pest and disease status supports healthy ecosystems, agricultural productivity and access to premium trade markets.

1.2 Biosecurity risks are, however, increasing. The volume of people, mail and cargo entering Australia was expected to nearly double from 2015 to 2030 (prior to the COVID-19 pandemic), and the rate at which pests and diseases spread between countries is increasing.⁴ This has resulted in an increased number of pests and diseases reaching Australia.⁵

1.3 In recent years, Australia has experienced a number of plant and animal pest and disease outbreaks, such as Panama disease affecting bananas, fall armyworm affecting up to 350 plant species⁶, and white spot disease affecting prawns.⁷ Current risks to Australia include the potential incursion of species such as Giant African Snails, diseases such as African swine fever, and the risk of disease outbreak through introduced species such as the Asian honeybee.⁸

1.4 In 2020, the Centre of Excellence for Biosecurity Risk Analysis estimated that without any biosecurity intervention, newly introduced pests and diseases would cause $672 billion in damages to Australia over the next 50 years.⁹ Effective biosecurity measures are important to protect Australia’s pest and disease status, and therefore prevent economic impacts as well as damage to Australian ecosystems and communities.

The Biosecurity Act 2015

1.5 In June 2016, the Australian Government introduced a new biosecurity legislative framework, including the Biosecurity Act 2015 (the Act). Under the Act, biosecurity risk is defined as the likelihood of pests and diseases entering, establishing or spreading in Australian territory and causing harm to animal, plant and human health, the environment and the economy.

1.6 To manage the risk of pests and diseases entering Australia, the Act contains a number of requirements that entities¹⁰ travelling or bringing goods to Australia must comply with. The requirements include:

• entering Australia through designated areas;
• providing accurate information about goods or entities entering Australia;
• not bringing prohibited goods to Australia; and
• complying with specified conditions when importing certain goods or undertaking approved biosecurity risk management activities.

1.7 The Department of Agriculture, Water and the Environment (the department) is responsible for administering the Act, including managing non-compliance with biosecurity requirements. The department’s focus is on matters relating to the national border, with states and territories responsible for biosecurity activities within their borders.¹¹

1.8 The Act provides a range of regulatory tools designed to enable efficient and effective management of non-compliance with biosecurity requirements, targeted to the level of risk.¹² Tools available to respond to non-compliance include monitoring and investigation powers, engagement and education, administrative actions (such as varying, suspending or revoking permissions), civil sanctions and criminal prosecution.

Biosecurity regulation

1.9 The department manages non-compliance with biosecurity requirements relating to the national border across multiple routes (known as ‘pathways’) through which pests or diseases may enter Australia. Table 1.1 provides a summary of the five primary pathways and the department’s regulatory activities in those pathways.

Table 1.1: Biosecurity pathways and their regulation

Note a: Containerised cargo is transported in shipping containers. Break-bulk is a commodity loaded in individual packages that are not in shipping containers, such as drums of oil or bags of coffee. Bulk cargo is an unpackaged commodity that is transported in the hold in large quantities, such as fuel, coal or iron ore.

Note b: Letter class mail includes items such as letters, postcards, brochures, books and magazines. Non-letter class is further split into parcels, express mail and other articles.

Note c: Conveyances are vehicles used to transport goods and entities to Australia.

Source: ANAO based on Department of Agriculture, Water and the Environment information.

1.10 To manage Australia’s animal and plant health status and protect it from the impact of exotic pests and diseases, the department was allocated $776.8 million (this includes funding for activities where costs are recovered from entities) and an average staffing level of 3738 in 2020–21.¹³ This funding and staffing includes aspects of the department’s work beyond managing biosecurity non-compliance, including responding to biosecurity outbreaks, export assistance, and research into biosecurity and plant and animal health.

Previous reviews

1.11 Australia’s approach to biosecurity management has been the subject of several major reviews, which are summarised in Table 1.2. A common theme identified across reviews is that reform and continued improvement is required to ensure biosecurity management remains effective in the future.

Table 1.2: Major reviews of Australia’s management of biosecurity

Note a: R Beale, J Fairbrother, A Inglis and D Trebeck, One Biosecurity – A working partnership, 2008. p. ix.

Note b: Auditor-General Report No.34 2016–17 Implementation of the biosecurity legislative framework, p. 8.

Note c: W Craik, D Palmer and R Sheldrake, Priorities for Australia’s biosecurity system, 2017, p. 1.

Note d: The Northern Australia Quarantine Strategy was established to provide an early warning system for exotic pest and disease detections across northern Australia and address biosecurity risks facing the region.

Note e: Commonwealth Scientific and Industrial Research Organisation, Australia’s Biosecurity Future, 2020, pp. ii–iii.

Source: ANAO based on publically available information.

Rationale for undertaking the audit

1.12 In the face of rising biosecurity risks due to increasing global trade and travel (prior to the COVID-19 pandemic), effective arrangements to respond to non-compliance with biosecurity requirements are necessary to manage the risk of plant and animal pests and diseases entering Australia. This audit will provide assurance over the establishment of an effective risk-based approach to respond to non-compliance while minimising the impact on compliant entities, and over the effective implementation of the regulatory tools available to manage non-compliance under the Act.

1.13 This audit topic was identified as an audit priority for 2019–20 by the Joint Committee of Public Accounts and Audit, the House Standing Committee on Agriculture and Water Resources and the Senate Rural and Regional Affairs Committee.

Audit approach

Audit objective, criteria and scope

1.14 The objective of the audit was to assess the department’s effectiveness in responding to non-compliance with plant and animal biosecurity requirements.

1.15 To form a conclusion against the audit objective, the following criteria were adopted.

• Has an appropriate compliance framework been established?
• Are there appropriate arrangements to detect non-compliance?
• Is the use of regulatory tools in response to non-compliance effective?

1.16 The scope of the audit focused on the department’s arrangements to identify and respond to non-compliance with plant and animal biosecurity requirements. This included: planning, intelligence, risk assessment, performance measurement, the conduct of detection activities, and the use of regulatory tools in response to identified non-compliance.

1.17 The audit scope did not include: human biosecurity activities (including in relation to the COVID-19 pandemic), or other biosecurity activities such as responding to pest and disease outbreaks, granting permits, cost recovery, and determining what can be imported to Australia.

Audit methodology

1.18 The audit methodology included examination of departmental documentation, policies and records, control testing over information systems, and interviews with departmental staff.

1.19 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $613,301.

1.20 The team members for this audit were Jacqueline Hedditch, Isaac Gravolin, Sam Khaw, Ben Thomson, Corne Labuschagne and Michael White.

2.1 A compliance framework is a set of plans, policies or procedures that establish the approach taken to manage compliance. An appropriate compliance framework assists regulators to gather and use intelligence, target their efforts at the areas of highest risk of non-compliance, and plan for and measure their achievement of objectives.

2.2 To assess whether the department has established an appropriate compliance framework, the ANAO examined whether:

• intelligence is gathered and managed effectively;
• there is an appropriate framework to identify and manage risks;
• the approach to managing compliance is supported by appropriate plans and strategies;
• there are appropriate arrangements with partner agencies; and
• an appropriate performance framework has been established.

Is intelligence gathered and managed effectively?

2.3 Regulatory intelligence involves analysing data and information to generate insights to support the approach to managing non-compliance.¹⁴ To be effective, regulatory intelligence should be supported by appropriate plans and policies, appropriate arrangements to collect and store data and information, and be analysed and distributed in a way that meets decision-makers’ needs.

Intelligence plans, policies and procedures

2.4 The department does not currently have finalised plans, policies or procedures for gathering or managing biosecurity intelligence, though some supporting documentation has been recently completed.¹⁵ This limits assurance that intelligence is gathered and managed in a way that is consistent with departmental requirements. In addition, the absence of intelligence policies means that the department is not meeting section 2.6 of the Australian Government Investigations Standards¹⁶:

Where relevant, agencies should have a policy outlining the use of intelligence in identifying conduct which allegedly, apparently or potentially breaches the law.

2.5 The department commenced or committed to developing an intelligence plan or strategy in 2011, 2013, 2016, 2017 and 2019, including in response to an agreed recommendation from the Interim Inspector-General of Biosecurity.¹⁷ This did not result in an implemented intelligence plan or strategy. The department commenced development of a new strategy in 2020, with the strategy in draft as at March 2021.

Information collection

2.6 Collecting regulatory information from a range of reliable sources assists regulators to ensure insights generated from intelligence are accurate. Relevant sources for the department’s biosecurity regulation include information from its own activities and information gathered by other government agencies and biosecurity regulators.

Internally sourced information

2.7 The department captures a range of information from its own activities, including records of identified non-compliances and regulatory actions taken against non-compliant entities. However, the value of this information for intelligence is limited by the quality and structure of data entered into the department’s systems.

2.8 While there are largely appropriate controls in place to ensure the integrity of data once entered into systems, internal documents and reviews indicate that data entered for travellers, mail and cargo is subject to data quality issues. These include missing or incorrect details for: entities¹⁸; imported cargo¹⁹; detected cargo non-compliances; the reasons, application and results of biosecurity treatments for cargo²⁰; scanned documents²¹; and infringement notices.

2.9 The department undertakes monthly data reviews for the systems used for managing mail and travellers, to ensure an ‘acceptable level of data integrity and user confidence’.²² The department was unable to provide evidence of any similar approach to quantify or improve data quality for cargo systems, despite the known issues.

2.10 The issues with cargo data quality have impacted the department’s ability to provide timely and accurate intelligence to support the department’s regulation. For example, the department was unable to confirm the identity of an importer of illegal animal hides for ‘almost a month after the import’ due to incorrect information recorded in cargo systems.

2.11 Even where information is accurately entered, its value may be limited by the structure of collected data. Key information (such as reasons for non-compliance and actions taken in response, import permits, and passport numbers) is stored in free-text format, which has resulted in inconsistent formatting and contents, and has prevented analysis.

Externally sourced information

2.12 There are a range of external sources that possess information relevant to the department’s biosecurity compliance activities. In particular, the Department of Home Affairs (Home Affairs) is the primary holder of information about travellers and goods entering Australia. Other potential sources include state and territory biosecurity agencies, and Commonwealth regulatory and enforcement agencies.

Department of Home Affairs

2.13 The department has arrangements to request information from Home Affairs, to automatically transfer some cargo data from Home Affairs to departmental systems, and for officials to access Home Affairs’ systems through the Border Intelligence Fusion Centre.²³

2.14 However, the department is currently unable to collect some datasets from Home Affairs, despite both parties committing to a framework for ‘bulk data sharing’.²⁴ This includes datasets on cargo, travellers and mail that were not flagged as being of biosecurity concern or inspected by the department.²⁵ It is also unable to collect datasets on some traveller and mail characteristics, such as country of birth, visa sub-class and mail contents and destinations.

2.15 These datasets have been identified by the department as something that would improve its regulation, including its ability to identify and target non-compliance (see paragraphs 2.44 and 2.49). However, departmental systems are unable to store the information due to its ‘protected’ classification.²⁶ The department has commenced at least four projects since 2017 to work with Home Affairs to collect this information, but these have not yet been successful.

Other Commonwealth agencies and states and territories

2.16 The department collects information from other Commonwealth agencies on individual issues, entities or instances of non-compliance through ad hoc communication channels. This information has been used to gather a more complete intelligence picture around individual biosecurity issues. However, without structured arrangements setting out when and what information should be shared, there is a risk that information received will be reactive and dependent on personal relationships, and therefore be limited in its ability to support the identification of non-compliance trends.

2.17 The department has agreed to a protocol on data and information sharing with state and territory biosecurity agencies. The protocol requires the department to maintain a register of shared data, and states information and data sharing is ‘essential’ and ‘needed to prevent, mitigate and manage … biosecurity risks’. However, the department does not maintain a register of shared information and data, limiting its ability to understand what information is being collected from states and territories and how it is used.

Information storage

2.18 An April 2019 document identified 56 different systems used in the management of biosecurity. The majority of these systems do not communicate or have compatible data. In addition, key information is stored in isolated intranet sites²⁷ and spreadsheets.

2.19 It is important to store collected information in a way that facilitates access and analysis if it is to effectively inform the approach to regulation.²⁸ Without the ability to integrate data between different systems and information sources, the department’s ability to obtain a complete intelligence picture is limited.

2.20 The department has identified this issue in multiple reviews and documents, and has initiated projects to improve its systems and access to information (Table 2.1). While some projects have delivered improvements, there remain limitations to the department’s ability to access data and integrate information.

Table 2.1: Outcome of projects to improve information integration across systems

Note a: The department’s system for managing investigations into non-compliance is not accessible. Other information stored on departmental intranet sites, such as the department’s records of all non-compliance, have not yet been integrated into the models.

Source: ANAO based on Department of Agriculture, Water and the Environment information.

Intelligence products

2.21 For stored information to be useful, it should be analysed and disseminated to decision-makers in a way that meets their needs and supports decision-making. This includes tactical decisions about individual entities or instances of non-compliance, through to strategic decisions about the overall approach to biosecurity.

Identification of needs

2.22 While intelligence products²⁹ are developed in response to requests, the department has not yet completed a process to identify and prioritise the intelligence needs of decision-makers.³⁰ This limits its assurance that it is producing the intelligence products that will most effectively support key decisions. This is reflected in internal documents that indicate some decision-makers do not feel they receive intelligence that meets their needs. For example:

• an August 2019 minute stated that ‘…information and intelligence that can assist with the prioritisation of activities is not readily available’; and
• a December 2019 report stated that risk owners ‘…are not informed by a comprehensive intelligence picture or profile in the way that would be of significant benefit’.

Intelligence products coverage

2.23 To determine whether the department’s intelligence products effectively support the range of biosecurity regulatory decisions being made, the ANAO examined all 34 completed intelligence products that commenced between 1 July 2019 and 30 June 2020.³¹

2.24 While the department produced a range of intelligence products to support tactical and operational decision-making, it did not use collected information to develop intelligence products that support strategic decision-making. Of the 34 products examined by the ANAO, three provided strategic-level intelligence. These three products were based on publicly available information and did not use information collected from other agencies or the department’s own regulation. Themes from the strategic products have been reflected in high-level strategic discussions but have not yet resulted in changes to the department’s approach to regulating biosecurity.³²

2.25 The department had commenced work on an additional 14 strategic intelligence products at the time of audit fieldwork. This reflects the ongoing development of the department’s strategic intelligence capability, after it commenced strategic intelligence work in 2019.

2.26 While producing an increased number of strategic intelligence products will better support strategic decision-making in future, they should make use of information from the department’s regulation, as well as open source information.

Is there an appropriate framework to identify and manage risks?

2.28 Regulators with clear and comprehensive processes to assess risk are positioned to allocate their resources towards those areas of greatest impact. Appropriate risk assessment processes support the department to: compare risk across the biosecurity system and target efforts accordingly; identify and respond to emerging and priority risks; and understand which entities within a pathway to focus on.

2.29 The Australian Government has committed to a risk-managed approach to biosecurity regulation.³³ Effective implementation of such an approach will be important to manage increasing biosecurity risk in the future — the department predicted in 2017 that, under current regulatory strategies, unmitigated risks will increase 70 per cent and costs 50 per cent by 2025.³⁴

System-wide risk framework

2.30 While the department has adopted risk-based approaches to some individual components of biosecurity regulation (see paragraphs 2.35–2.54), it does not have a framework to assess and manage risk across the entire biosecurity system. There is no established process to assess the level of risk posed by each biosecurity pathway and target activities at those pathways accordingly.

2.31 The absence of a framework to manage risk across the biosecurity system has been identified internally and externally. This includes once in 2008, twice in 2015 and twice in 2020. There have been multiple attempts or commitments to implement such a framework, including in 2009, 2010, 2012, 2016, 2017, and ongoing at the time of audit fieldwork in March 2021. These did not result in an implemented framework, despite some producing tools that could be used to assess risk across the biosecurity system, including comparing the risk of different pathways (see Appendix 2).³⁵

Identifying emerging and priority risks

2.32 Without a framework to manage risk across the biosecurity system, there is no established process to determine risk tolerances or departmental priorities. This has resulted in internally identified issues, with 2019 departmental documents noting that priorities ‘changed rapidly over time’ and varied between working areas.

2.33 The department identified 12 priority biosecurity risks in August 2020.³⁶ No structured or documented process was used for this risk assessment. In addition, it lacked several elements of better practice risk assessment³⁷, including: defined criteria for evaluating risks and establishing tolerances; analysis of risks before treatments are applied; and arrangements for monitoring and review. This limits the department’s assurance that the assessment accurately captured key risks.

2.34 A departmental review stated in November 2020 that ‘biosecurity risk governance is currently ineffective’, noting this results in communication breakdowns between operational and policy areas and decreases the ability to proactively manage risks.

Pathway risk assessments

2.35 As outlined in Table 1.1, the department manages non-compliance with biosecurity requirements across multiple pathways through which pests and diseases may enter Australia, including cargo, travellers, mail, conveyances and approved arrangements.

2.36 The department’s approach to assessing risk varies across each pathway. It agreed to establish a ‘standard approach to risk pathway mapping and decision-making’ in response to a July 2020 Inspector-General of Biosecurity recommendation³⁸, but this had not commenced as at February 2021.

2.37 The ANAO examined the department’s approach to each of these pathways, with the results detailed below. The department does not assess the likelihood of non-compliance in the cargo pathway, with only the consequences of non-compliance assessed. The processes for travellers, mail, conveyances and approved arrangements were partially appropriate but had key limitations to their ability to accurately identify risks.

Cargo

2.38 The department’s process for assessing risk in the cargo pathway does not consider the likelihood of non-compliance by different entities. The department does, however, assess whether correctly declared cargo may be associated with a higher risk of pests and diseases, by examining whether import declarations specify goods of potential biosecurity concern.³⁹

2.39 The absence of a process to assess the likelihood of non-compliance for cargo is despite a departmental intelligence report noting in 2020 that non-compliance such as product substitution and fraudulent documentation ‘are enduring vulnerabilities of the cargo import pathway’. Without such a process, Australia is vulnerable to the entry of pests or diseases through non-compliant cargo.

2.40 The department has commenced projects to better assess risk in the cargo pathway. These projects have either not yet been completed or apply only to specific areas of the cargo pathway.

• Two initiatives have been implemented to identify importers with a history of compliance.⁴⁰ These initiatives do not apply to all goods⁴¹ and only apply where cargo would otherwise be subject to mandatory intervention.
• A project was commenced in 2018 to quantify the level of risk associated with 16 different types of goods, and to address ‘critical policy application issues’ including the absence of a ‘defined risk tolerance policy or approach’. This project ceased after assessing the risk associated with one good. No actions were taken in response to that assessment.
• A pilot of machine learning algorithms in 2020 indicated that they could more accurately predict non-compliance than current techniques.⁴² The department is planning to implement this approach more broadly across the cargo pathway.
• A project is underway to identify cargo types with a low risk of non-compliance, allowing activities to be better targeted at risk. However, the progress of this project has been hindered by data quality issues preventing accurate risk identification.

Travellers

2.41 There is no established process to assess risk for sea travellers.⁴³

2.42 Air traveller risk assessment is conducted through statistical analysis of the frequency that air travellers have been found to have undeclared high-risk goods against four characteristics (citizenship, age, gender, flight number). Risk assessment is used to compare travellers within each individual flight, and to compare the risk of different flights within each airport.

2.43 The department does not analyse the comparative risk posed by travellers at different airports, to enable it to target efforts at airports associated with higher risk travellers. In addition, while traveller risk assessments have been reviewed periodically, the department has not yet completed a policy for when risk assessments should be reviewed to ensure they remain current.

2.44 The accuracy of the risk assessment is limited by the department’s inability to access additional data held by Home Affairs (paragraph 2.14).⁴⁴ Departmental documentation notes that ‘due to limited data sets, [risk assessments] are broad and a large number of compliant travellers are intervened with unnecessarily whilst high risk travellers may be missed’, and that prioritising inspection according to the assessment will perform ‘slightly better than random selection’.

Mail

2.45 The department assesses risk in the mail pathway by analysing data on the frequency that mail has been found to contain high risk goods against three characteristics (gateway, country of origin, mail class). This analysis is used to identify which groups of individual mail items are higher risk. It can also provide information on which mail centres pose a higher level of risk.

2.46 The department plans to review its mail risk assessments annually, with reviews having been completed in 2016, 2017, twice in 2019⁴⁵, and 2020. These risk assessments do not include letter-class mail, with separate reviews in 2011, 2015, and 2020 finding that letters posed a lower risk compared to other mail classes.

2.47 The accuracy of mail risk assessment is impacted by variations in mail volume estimates. Information from Australia Post on total mail volumes is used to calculate the expected probability of non-compliance. Large variations between the department’s and Australia Post’s mail volume estimates⁴⁶ in 2016–17 and 2017–18 resulted in a number of groups with high rates of undeclared biosecurity risk material not being assessed.⁴⁷

2.48 The department took action to improve mail volume data in 2017, but variations have since increased. Departmental mail volume estimates were 16.5 million (21.2 per cent) greater than Australia Post’s in 2020.⁴⁸

2.49 The department’s inability to use data from customs declarations held by Home Affairs (see paragraph 2.14) further limits the accuracy of the assessment.⁴⁹ A 2017 document noted that the inability to use customs data to enable informed and precise risk assessment places the department ‘…behind most developed nations’. While the impacts of not using this data have been identified, the department has not yet been able to use it for risk assessment.⁵⁰

Conveyances

2.50 The risk of commercial sea vessels is assessed using an automated risk assessment program. The assessment is based on a range of inputs, including the pre-arrival reporting of the vessel, vessel characteristics, and the vessel’s history (including compliance history). This program generates a risk rating and ranks each vessel in a port. It does not allow the department to identify the level of risk posed by different ports.

2.51 The department has not reviewed the risk assessment program to ensure it is still targeted at areas of highest risk since implementation in 2016, despite agreeing to do so in response to an internal audit recommendation in 2018. The department closed this recommendation without completing the review, noting that it considers a review should be undertaken in 2021.⁵¹

2.52 There is no process to assess, review or target biosecurity risk for non-commercial vessels and commercial or non-commercial aircraft. The department agreed to a recommendation to establish such a process for non-commercial vessels in response to a 2018 internal audit. The department also closed this recommendation, despite it not being completed.

Approved arrangements

2.53 Once arrangements⁵² are approved, the department assesses them to be one of two risk levels⁵³, based on the compliance history of the arrangement and whether the arrangement has been recently established or changed. Other factors, such as the potential consequences of non-compliance or the compliance history of the arrangement’s industry, are not considered.⁵⁴

2.54 The department committed to considering additional risk factors as part of a review of its risk framework for approved arrangements, in response to a recommendation from the Inspector-General of Biosecurity in 2019.⁵⁵ The department was unable to provide evidence that this work has been undertaken, despite closing the recommendation.

Is compliance management supported by appropriate plans?

2.56 Establishing and implementing appropriate plans supports regulators to deliver a regulatory approach that achieves desired outcomes. Effective planning and implementation is particularly important to guide the biosecurity reforms that have been identified as necessary to maintain Australia’s pest and disease status into the future (see paragraph 1.10). This includes plans to establish the general approach to regulating biosecurity, as well as specific project plans to reform individual elements of the biosecurity system.

Planning framework

2.57 Following the commencement of the Biosecurity Act 2015 (the Act), the department began developing a planning framework to guide its regulation. This included a policy statement (the Biosecurity Compliance Statement 2016) to outline its regulatory approach, a strategy to establish its long-term direction, and an annual biosecurity plan to establish yearly focuses. The current status of each is included below (Table 2.2).

Table 2.2: Implementation of biosecurity planning and strategy framework

Legend: ◆ Implemented and updated; ▲ Implemented but not updated; ■ Not implemented

Note a: Department of Agriculture and Water Resources, Biosecurity Compliance Statement [internet], 2016, available from https://www.agriculture.gov.au/biosecurity/legislation/compliance/biosecurity-compliance-statement [accessed 12 January 2021].

Note b: The department published Commonwealth Biosecurity 2030 on 26 May 2021, which is intended to establish a strategic roadmap for biosecurity. As this occurred after the conclusion of audit fieldwork, it was not examined as part of the audit; Department of Agriculture, Water and the Environment, Commonwealth Biosecurity 2030 [internet], 2021, available from https://www.agriculture.gov.au/sites/default/files/documents/commonwealth-biosecurity-2030.pdf [accessed 1 June 2021].

Note c: Department of Agriculture and Water Resources, Biosecurity Compliance Plan 2016–17 [internet], 2017, available from https://www.agriculture.gov.au/biosecurity/legislation/compliance/biosecurity-compliance-plan [accessed 12 January 2021].

Note d: For example, since the publication of the plan, the department has implemented a new reporting system for non-commercial sea vessels, implemented a system to reduce inspections for highly compliant cargo importers, and increased penalties for non-compliant entities, including visa cancellations. In addition, international trade and travel patterns have altered significantly following the outbreak of COVID-19.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

2.58 Without a current plan or strategy to guide its biosecurity regulation, there is a risk that the department’s activities are not coordinated in way that will achieve agreed biosecurity outcomes. This has been noted by the department, with internal documents stating that the absence of a biosecurity strategy inhibits the ‘realisation of a stronger biosecurity system’.

Individual reform plans

Implementation of the biosecurity legislative framework

2.60 The ANAO previously examined the early implementation of the Biosecurity Act 2015 and found that the arrangements established up to that point effectively supported the implementation of the legislative framework in accordance with legislative timeframes.⁵⁶ However, the department is unable to demonstrate that some subsequent activities necessary to ‘achieve the benefits of implementing the Biosecurity Act’ have been completed.

2.61 The final stage of the biosecurity legislation implementation program⁵⁷, intended to complete the remaining deliverables, was not formally undertaken. Instead, four projects of uncompleted work were transitioned to business as usual⁵⁸, despite the final program overview report noting that the status of the program was ‘at risk’ and ‘close monitoring of the risks and issues highlighted in the report [is] required’. The ANAO identified the following issues with the oversight of these activities under business as usual.

• A review that was intended to verify that all deliverables had been accepted by business-as-usual owners did not verify the acceptance of the deliverables.
• Departmental documents do not demonstrate whether intended activities have been fully completed for three of the four projects transitioned to business-as-usual.⁵⁹

2.62 In addition, planned reporting was not completed. From a framework of seven performance measures designed to assess whether the benefits of the legislation had been realised, five were determined to require ongoing reporting following the transition to business-as-usual as their benefits were yet to be realised.⁶⁰ The department was unable to provide evidence of this reporting, despite agreeing to the recommendation to implement the framework in the previous ANAO audit.⁶¹ Specific measures relating to the use of regulatory tools are discussed further in paragraphs 4.71–4.72.

System developments

2.63 The department has commenced a range of information system developments to address identified issues that prevented systems from supporting a risk-based operating environment. These include: inefficient business processes; poor quality data and unlinked systems limiting the ability to extract and analyse information; inability to share and aggregate data with states and territories to confirm pest and disease statuses; and an inability to manage some critical biosecurity functions (such as monitoring off-shore threats). See paragraphs 2.18–2.20, 3.50–3.51 and 4.10–4.14 for more information on identified system deficiencies.

2.64 The primary system development project was the Biosecurity Integrated Information System (BIIS) program. The program commenced in 2016 and received $30.9 million in funding. It included the development of a single integrated workflow solution to replace a range of existing biosecurity import systems and allow staff to operate through a single interface when conducting biosecurity activities, such as scheduling, undertaking, and recording results of inspections and audits of travellers, mail, cargo and approved arrangements.

2.65 The BIIS program, which was scheduled to be completed by January 2020, has been allocated $26 million more than the original funding amount to 2020–21 and is not yet completed, with only partial delivery of intended benefits (see paragraphs 3.51 and 4.12). Deliverables have been changed and no longer meet some identified needs from the business case, including development of a single integrated biosecurity import system with a single interface (described as ‘imperative’ in the business case), with key systems no longer included.⁶² Departmental reporting does not clearly demonstrate when these changes were documented or approved by senior officials, or clearly outline what business requirements had changed.

2.66 The department has commenced a range of other system development projects, some of which include deliverables originally in-scope for the BIIS program. The ANAO identified a range of issues with reporting and documentation for the BIIS program and other system development projects that may limit their ability to deliver intended benefits, including:

• regular changes in scope, time, and cost;
• deficiencies in reporting against scope, time and cost⁶³;
• a lack of reporting on alignment and achievement of originally intended benefits, including potential impacts on original benefits due to changes in scope; and
• limited evidence of action in response to risks with high ratings or requiring urgent action.

2.67 In addition, there is no overarching development strategy or system architecture. Without this, there is a lack of evidence of coordination and prioritisation to target projects at areas of greatest need, avoid duplication, leverage off other projects, and maximise collective benefits.

Have appropriate arrangements been established with partner agencies?

2.69 The department’s management of biosecurity interacts with and relies on a number of other agencies. Key agencies for the regulation of biosecurity are outlined below.

• Home Affairs — responsible for international goods and entities entering Australia.
• Department of Health (Health) — responsible for human biosecurity policy.
• Australia Post — responsible for international mail.
• State and territory biosecurity agencies — responsible for biosecurity within their borders.

2.70 Establishing formal agreements, communication arrangements, and arrangements for managing shared risks will support the maximisation of benefits with other agencies.

Formal agreements

2.71 Formal agreements with other agencies, such as memoranda of understanding, play a key role in establishing and clarifying how agencies work together. The department has established agreements with all key agencies.

2.72 Agreements with partner agencies appropriately specify the roles and responsibilities of each agency. Some agreements have not been reviewed within specified timeframes, or do not include a schedule for review.⁶⁴ Notably, an agreement between Australia Post, Home Affairs and the department regarding international mail has not been updated since 2009, despite substantial change in the mail pathway⁶⁵ and the commencement of the Biosecurity Act 2015.

2.73 Reviewing and updating arrangements would provide greater assurance that agreements with partner agencies remain current and effectively support biosecurity interactions.

Communication arrangements

2.74 Effective communication arrangements support agencies to receive relevant information, and coordinate with and benefit from activities undertaken by each other.

2.75 The department commits to the sharing of information in all agreements with key agencies. Information is shared on request with Commonwealth agencies about individual issues (see paragraphs 2.13–2.17). While the department informed the ANAO it shares information with states and territories, it was unable to provide evidence.

2.76 The department has established ongoing arrangements to meet with all key agencies. Records of these meetings document: collaboration on issues and initiatives; information sharing and updates on work that may affect other agencies; the resolution of issues between agencies; and planning to align future work and deliver mutual benefits.

Shared risks

2.77 Shared risks are risks that are common to multiple agencies, which must be mitigated to enable each agency to discharge its responsibilities. The Commonwealth Risk Management Policy requires agencies to implement arrangements to understand and contribute to the management of shared risks.⁶⁶

2.78 Shared risks may arise through entities or goods that pose a plant or animal biosecurity risk (shared with the states and territories) as well as a human biosecurity risk (shared with Health) or a risk to border security (shared with Home Affairs).

2.79 The department does not have established arrangements to assess or manage shared risks relating to its regulation of biosecurity. Agreements with other agencies do not identify shared risks or specify how they are to be managed.

2.80 Understanding and managing shared risk is important for effective program design and implementation.⁶⁷ The framework to assess and manage risk across the biosecurity system outlined in Recommendation no.2 (paragraph 2.55) should include arrangements to assess and document risks shared with other agencies and the controls in place for those risks.

Has an appropriate performance framework been established?

2.81 A key element of regulatory governance is the establishment of an appropriate performance framework that provides information about whether the regulator is achieving its intended results. This should include external performance measures to provide information about the achievement of its purpose to Parliament and other stakeholders, and internal performance measures to inform officials about the effectiveness of their regulatory approach.

External performance information

Commonwealth performance framework

2.82 The Commonwealth performance framework requires entities to establish, as part of their annual corporate plans, their purpose and performance measures to measure their performance in achieving that purpose.⁶⁸ Results against these measures are required to be provided in their annual performance statements, to provide accountability to the Parliament and public.

2.83 The department’s 2020–21 corporate plan separates its purpose⁶⁹ into five different objectives, one of which focuses on biosecurity (manage biosecurity risks to Australian agriculture, the environment and our way of life).⁷⁰ Three performance measures are established under this objective, relating to meeting regulatory timeframes, compliance rates, and the development of further performance measures.⁷¹ The ANAO assessed these measures against the requirements established in the Commonwealth performance framework and accompanying guidance.⁷²

2.84 While one measure provided information about compliance rates for two of the five biosecurity pathways, the measures do not facilitate a full assessment of the department’s effectiveness in managing biosecurity risk. The measures do not provide efficiency information. These limitations prevent the performance measures from accomplishing their aim of providing information about the achievement of the department’s purposes⁷³ or about the achievement of the objectives of the Biosecurity Act 2015.

2.85 In addition, the measures only partially met the requirements of relating to the department’s objective, or being reliable, verifiable, and unbiased. The primary limitations were a lack of information about what would be measured and the inclusion of activities not related to the biosecurity objective (such as export activities, logging, and water efficiency). The measures also did not meet the requirement of containing qualitative as well as quantitative information, but did meet the requirement of enabling an assessment of performance over time.

2.86 The department is aware of the absence of information on the effectiveness of its biosecurity regulation, with a 2019 report noting that there is ‘no broader assessment of whether the regulatory systems are delivering the outcomes intended’. To address this issue, the department has committed to develop a performance framework to assess the outcomes of the national biosecurity system.⁷⁴ In June 2020, a Centre of Excellence for Biosecurity Risk Analysis (CEBRA) report delivered a set of potential measures for the national biosecurity performance framework.⁷⁵ A full national biosecurity performance framework based on these measures is intended to be developed by mid-2021.⁷⁶

Regulator performance framework

2.87 The regulator performance framework, released in October 2014, requires Commonwealth regulators to publish annual self-assessments on their performance against six performance indicators.⁷⁷ These indicators are designed to encourage regulators to take a risk-based approach that minimises impact on regulated entities, and do not assess the achievement of regulatory outcomes (as per the Commonwealth performance framework, above). As at March 2021, the department has released self-assessments for each year from 2015–16 to 2018–19.

2.88 The ANAO examined the department’s 2018–19 self-assessment of its biosecurity regulation, and found it did not enable a reliable assessment of regulatory performance. Performance targets used vague language that did not enable an objective assessment of their achievement, and it was unclear how achievement against the targets was to be measured.⁷⁸ Reporting against the targets was not reliable, as it only involved descriptions of activities taken by the department. The Inspector-General of Biosecurity has discussed the reliability of the assessment, stating it was ‘substantially inconsistent with … industry feedback’.⁷⁹

Internal performance information

2.89 Internal monitoring of performance using well-defined measures can be a valuable source of information for a regulator on its strategies and areas for improvement.

2.90 The department does not have formalised internal performance measures on the effectiveness or efficiency of its overall regulation of biosecurity. While there are measures or management-level reporting for individual pathways (discussed below), these are often incomplete or disjointed. This limits their ability to facilitate a view of the effectiveness or efficiency of the regulation of biosecurity as a whole.

2.91 For the individual pathways of cargo, conveyances and approved arrangements, there are no performance measures, despite CEBRA developing potential measures for those pathways in 2016.⁸⁰ There are reporting arrangements for management-level information, such as the number of inspections undertaken and non-compliance rates. This reporting, while potentially a useful input for decision-makers, does not facilitate a full assessment of the department’s effectiveness in managing the risk of pests and diseases entering Australia through those pathways.

2.92 Performance measures have been established for the traveller and mail pathways (including compliance levels before and after passing through biosecurity control). However, the measures lack targets, and departmental documents indicate that they are not used to inform the department’s regulation. For example, a 2018 internal audit found that mail performance measures ‘do not support the assessment or improvement of operations’. The department was unable to demonstrate any use of the measures to inform changes to its regulatory approach.

3.1 The department undertakes activities to detect non-compliance with biosecurity requirements across multiple pathways through which pests or diseases may enter Australia (Table 1.1). These pathways include cargo, travellers, mail, conveyances and approved arrangements.

3.2 Establishing appropriate arrangements to detect non-compliance in each pathway allows the department to identify and prevent the entry of biosecurity risks to Australia. It also supports further regulatory action in response to identified non-compliance.

3.3 To assess whether there are appropriate arrangements to detect non-compliance, the ANAO examined whether detection activities are: appropriately targeted; supported by appropriate procedures and systems; conducted in accordance with legislative and procedural requirements; and effective at identifying non-compliance.

Are detection activities appropriately targeted?

3.4 Targeting activities towards identified areas of high risk allows regulators to maximise impact and reduce intervention with compliant entities.⁸¹ To effectively target biosecurity detection activities at areas of high risk, the department should have arrangements to ensure its resources: are allocated to each pathway in proportion to their level of risk; are targeted at high-risk items⁸² or entities within pathways; and can be effectively targeted at emerging and priority risks.

Allocation of resources to pathways

3.5 As noted in paragraph 2.30, there are no arrangements to assess the level of risk associated with each pathway. In the absence of such an assessment, there is no framework to ensure the level of resources allocated to each pathway is proportionate to risk. In addition, desired levels of detection have not been established (see paragraph 3.82) to support the targeting of detection activities to pathways.

3.6 Similarly, there is no documented framework to align the resources allocated to different areas within pathways (such as different airports, seaports or mail centres) to their level of risk. Risk is considered when establishing new ports, and resourcing may be allocated to support specific activities associated with biosecurity risk (such as specific funding to respond to African swine fever). However, resourcing within pathways does not, by default, include a consideration of risk.

3.7 This leaves the department unable to demonstrate that it is targeting its resources at the areas where they are most effective at managing the risk of a pest or disease entering Australia. As noted in a 2019 review of potential vulnerabilities to the biosecurity system, the department has adopted a ‘low intervention’ approach for some areas of pathways, despite ‘unknown risks’.⁸³

Targeting of items and entities within pathways

3.8 The ANAO examined the department’s arrangements to target its detection activities at individual items and entities within pathways. Each pathway has established mechanisms to target some detection activities at individual items or entities identified as higher risk (however, as discussed in paragraph 2.37, the effectiveness of these risk assessments is limited).

3.9 The most common way that activities are targeted is through the application of ‘profiles’. Profiles flag items based on whether they match criteria identified as representing higher risk. Profiles may be applied manually by staff or automatically by departmental and partner agency systems. Flagged items and entities are referred to biosecurity officers for further intervention.

3.10 Some components of pathways do not have arrangements to target detection activities at risk. In addition, even where profiles or other mechanisms are in place, there are limitations in their implementation that prevent them from being fully targeted at risk, as discussed below.

Cargo

3.11 The department targets its cargo detection activities primarily through the use of automated profiles.⁸⁴ Profiles assess the nature of imported goods and refer those that may be a biosecurity risk for inspection. As per the risk assessment (paragraph 2.38), these profiles principally target the risk of pests and diseases associated with specific types of goods, and not entities with a higher likelihood of non-compliance. Supplementary targeting methods are described in paragraph 3.14.

3.12 Profiles operate differently depending on the value of the goods.

• For goods over $1000, profiles identify biosecurity risk material by requiring importers to answer automated questions based on the tariff⁸⁵ declared (for example, ‘do the goods contain any bark?’).⁸⁶
• For goods under $1000, profiles search a free-text goods description entered by importers for words that may indicate biosecurity risk (for example, ‘pork’ or ‘raw’).⁸⁷ As noted by the Inspector-General of Biosecurity in 2020⁸⁸, free-text descriptions limit the effectiveness of this process, as descriptions may not be accurate or recorded in a useful format.⁸⁹

3.13 Departmental records indicate its target of reviewing 1200 profiles⁹⁰ per financial year since 2015–16 has been met. However, there is no current schedule for when and which profiles should be reviewed, despite a 2016 policy requiring a review schedule to maintain ‘a contemporary and integrated approach to cargo profiling’. Attempts to establish a schedule have been limited by departmental staff who were responsible for the associated risk indicating ‘they did not have full oversight of their profiles so it was difficult to determine which profiles required review’.

3.14 Additional targeting mechanisms have been established to supplement profiles. There are established processes to automatically refer cargo associated with specific entities, such as those with a history of known or suspected non-compliance. Importers with a history of compliance will be referred at a lower rate for certain types of goods (see paragraph 2.40). The department also automatically refers cargo for inspection from countries at a higher risk of certain pests and diseases, and cargo that is to be transported to rural locations within Australia.

3.15 Once cargo is referred, the department undertakes procedures based on the import conditions for the goods in question⁹¹, as well as any additional biosecurity risks identified. These procedures include document assessment⁹², and may include physical inspection of the goods and shipping container depending on the import conditions or results of the document assessment.

Travellers

Sea travellers

3.16 In the absence of a departmental risk assessment process (paragraph 2.41), sea travellers are inspected based on the judgement of individual officers. Procedural guidance states officers should assess and verify the level of risk posed by cruise ship travellers, but does not clearly specify how this should be done.⁹³ The determination of whether vessel crew members are inspected is based on the goods declared by the operator of the incoming sea vessel.

Air travellers

3.17 Detection activities are targeted at individual air travellers through a combination of manual procedures and the application of automated profiles or other alerts.

3.18 Manual risk identification procedures are undertaken at airports to target high risk travellers. Travellers are referred for screening if the biosecurity officer considers that their incoming passenger card⁹⁴, response to questioning, or other characteristics⁹⁵ indicate they may be carrying biosecurity risk material. Screening may occur through detector dog, x-ray or full baggage inspection, at the judgement of the biosecurity officer. The department has implemented guidance to support these decisions.

3.19 Automated profiles, implemented in 2018, automatically refer travellers who match identified risk characteristics (paragraph 2.42) for full baggage inspection. Previous manual processes limited the complexity of profiling options and the number of travellers that could be profiled. While automated profiling represents an opportunity for improvement on manual systems, the limitations outlined in Table 3.1 restrict its ability to effectively target detection activities.

Table 3.1: Automated traveller profiling limitations

Note a: Flights assessed as high risk have a cap of 20, while flights assessed as low risk have a cap of five. Since 2018, caps have been increased for flights identified as having a high risk of carrying African swine fever.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

3.20 To supplement the use of profiles, the department has established automated processes to automatically refer travellers with a history of non-compliance for inspection, and to exclude travellers with a history of compliance.

3.21 The department has not yet implemented changes to allow it to continue using current automated profiling and referral processes following planned changes to the Department of Home Affairs’ (Home Affairs’) processes and systems.⁹⁶ These changes to Home Affairs’ systems were initially due for delivery in 2020, but have not been finalised as at January 2021.

Mail

3.22 The department targets its detection activities at individual items of mail through the use of profiles. Items that match profile criteria (assessed as representing higher risk; paragraph 2.45) are referred to the department by Australia Post to be screened. Letter class mail is not profiled or screened, in accordance with its assessed lower level of risk (paragraph 2.46).

3.23 The effectiveness of mail profiles is reduced by some identified risk groups not being fully screened.⁹⁷ In addition, while profiles were updated in 2020, they had not previously been updated since 2016, despite risk assessments having been conducted in 2017 and twice in 2019 (paragraph 2.46).

3.24 Mail referred to the department is screened using detector dog, x-ray or physical inspection with biosecurity officers manually assessing the risk of different mail items to determine the method of screening. Procedural guidance advises biosecurity officers to consider country of origin, seasonal and cultural events⁹⁸, visual assessment⁹⁹, and departmental alerts, as well as providing a list of considerations for each screening method. Past attempts to analyse the effectiveness and efficiency of different screening methods for different groups of mail were unable to be completed due to insufficient data.

3.25 As noted in a 2017 document, the department’s heavy reliance on manual processing to target its mail detection activities ‘poses challenges for timely and effective management of risks’. It relies on individual officer experience, capability and ability to remember the details of items of interest, and is limited in its ability to scale or keep up with increasing volumes.

3.26 The department has commenced projects to reduce its reliance on manual processing and increase its ability to target risk, including through the introduction of a 3D x-ray scanner and automated detection algorithms in Melbourne from 2019. A trial of these technologies found that they resulted in 6.8 times more seizures of risk material than previous scanners. An additional 3D x-ray scanner was installed in the Sydney mail facility in October 2020.

Conveyances

Aircraft and non-commercial sea vessels

3.27 For aircraft and non-commercial sea vessels, the department does not target its activities at risk. It inspects all aircraft and all non-commercial vessels. Without a documented risk assessment of aircraft and non-commercial vessels (paragraph 2.52), there is no assurance that this is an appropriate level of intervention. Departmental documents have stated that assessing the risk of non-commercial vessels and targeting inspection activities accordingly would improve its ‘…capacity to efficiently deploy staff’.

Commercial sea vessels

3.28 For commercial sea vessels, the department’s systems automatically target detection activities at risk in accordance with the results of its automated risk assessment program (see paragraph 2.50). Based on the results of the risk assessment, the system schedules different types of inspections to address the specific risks and requirements of each vessel. Scheduled inspections are prioritised between vessels in accordance with the level of risk.

3.29 The department has also established a scheme through which commercial vessels with a history of compliance that have not reported any biosecurity concerns are subject to a reduced inspection rate (60 per cent). This program was based on a project led by the Centre of Excellence for Biosecurity Risk Analysis (CEBRA), which showed that the likelihood of biosecurity risk material present on a commercial vessel can be predicted by the results of past inspections.¹⁰⁰

3.30 For the conduct of inspections, procedural guidance specifies minimum areas that must be inspected, suggests areas that should be inspected for vessels with past or current poor sanitation, and indicates where certain pests or diseases may be present. Follow-up inspections may be scheduled to ensure treatments in response to a previous inspection were effective in managing the risk.

Approved arrangements

3.31 The department’s primary approach to detecting non-compliance in approved arrangements¹⁰¹ is through departmental compliance audits.¹⁰² Audits are conducted at one of two frequencies — a ‘probationary’ audit rate (two audits per 180 days; for approved arrangements that were recently approved, changed, or found to be non-compliant) and a ‘low’ audit rate (one audit per year; for approved arrangements that have passed two probationary audits and all subsequent audits).¹⁰³

3.32 This process, as per the risk assessment process (paragraph 2.53), does not consider the potential consequences of non-compliance or other factors that may indicate an increased likelihood of non-compliance. A 2020 review noted that some departmental officials viewed the audit process as a ‘blunt instrument’ because they were ‘not risk-based’.

3.33 In addition, while the department can (and does) conduct both announced and unannounced audits, there is no policy for when each option should be used. As noted by the Inspector-General of Biosecurity in 2019¹⁰⁴, unannounced audits are more likely to provide an accurate representation of compliance.

3.34 Without an established policy for when unannounced audits should be used, there is limited assurance that they are used in a way that is effectively targeted at risk.

Responding to emerging threats

3.35 Where threats arise that are not adequately covered by existing controls, the department should have arrangements in place to enable it to identify and respond to them. The ANAO examined the department’s activities to identify and respond to threats not covered by existing controls, and its arrangements to reallocate resources to confirmed threats.

Targeted operations

3.36 The department undertakes desktop analysis and physical interventions known as targeted operations to support it to identify, understand and respond to potential emerging threats. Targeted operations disrupt or confirm known or suspected non-compliance of specific entities and areas, and also verify whether controls are effective in dealing with threats.

3.37 Targeted operations have been undertaken in accordance with plans established in 2018 and 2020, as well as in response to emerging issues and requests. The plans were informed by assessments of threats and vulnerabilities in 2016 and 2019. A policy for the use of targeted operations was finalised in December 2020, with procedural guidance not finalised.

3.38 Completed operations have primarily focused on the cargo pathway. Of the 35 operations completed between July 2016 and February 2021, 28 examined the cargo pathway, five examined air travellers, two examined approved arrangements, and two examined mail. None examined the conveyances pathway.¹⁰⁵

3.39 Of these 35 operations, 57 per cent identified non-compliance.¹⁰⁶ Non-compliance was found for 14 of 28 (50 per cent) operations examining the cargo pathway, four of five (80 per cent) examining travellers, one of two examining mail (50 per cent) and one of two (50 per cent) examining approved arrangements. For the 10 operations since 2019 that identified non-compliance, departmental documents indicate that action has commenced or been taken in response to the non-compliance.

3.40 Following the establishment of a framework to assess the level of risk across each biosecurity pathway (Recommendation no.2; paragraph 2.55), the department should examine whether the current distribution of targeted operations across pathways (including the current high focus on cargo) is aligned with the identified risks.

Reallocation of resources

3.41 The department has demonstrated an ability to reallocate its resources in response to identified threats. For example, the department put in place measures to address the risk posed by the Brown Marmorated Stink Bug, increasing activities and requirements such as mandatory documentation, inspection and treatment. It has also put in place measures to respond to African swine fever, by increasing intervention with travellers and mail from affected countries.

3.42 However, as noted in paragraph 2.32, there is no framework to determine when an emerging risk should be escalated or intervened with. The department was unable to demonstrate any documented process to ensure its reallocation of resources to emerging threats is proportionate to the risk posed. Departmental documentation indicates that officials are not aware of how resourcing decisions are made to focus on priority risks, including whether the impact to other pathways is considered when resources are reallocated.

Are appropriate procedures and systems in place to support the detection of non-compliance?

3.44 Establishing appropriate procedures and systems supports regulators by providing staff with the information and resources necessary for regulatory decision-making. Key procedures and systems to support the detection of biosecurity non-compliance include procedural guidance, information systems, and training arrangements.

Policies, procedures and supporting documentation

Development of instructional material for the commencement of the legislation

3.45 As noted in Auditor-General Report No. 34 2016–17 Implementation of the Biosecurity Legislative Framework, the department developed a plan and strategy to amend and develop instructional material for the Biosecurity Act 2015 (the Act). However, only 160 of the 1000 documents identified as requiring amendment or development were finalised prior to the commencement of the Act in June 2016.¹⁰⁷

3.46 A project for developing and finalising the remaining instructional material was transitioned to business as usual (see paragraph 2.61) before completion. Departmental reporting indicates that six out of eight streams of instructional material were uncompleted at this time, including material for approved arrangements and the management of first points of entry.¹⁰⁸

3.47 While additional instructional material has been periodically updated and completed, the department was unable to provide evidence of reporting demonstrating the completion of all required instructional material. This limits the assurance that all material has been updated.

Quality of current instructional material

3.48 Nineteen pieces of instructional material covering the department’s key detection activities were examined.¹⁰⁹ Each document adequately specified roles and responsibilities and covered the key activities to be undertaken. However, some documents reference non-existent instructional material, and 10 of the 16 documents with hyperlinks to other documents had at least one broken link. Similar issues with accessibility were noted by the Inspector-General of Biosecurity in 2021.¹¹⁰

3.49 In addition, the effectiveness of the instructional material is limited by a lack of review to ensure it remains appropriate. Nine of the 19 examined documents had not been reviewed within the three-year period required by departmental policy. One document, relating to inspecting aircraft cargo holds, had not been updated since the commencement of the Biosecurity Act 2015. This is despite it having been identified as requiring amendment as part of the implementation of the Act (paragraph 3.45).

Information systems

3.50 Since 2008, multiple reviews have identified issues with the systems supporting non-compliance detection activities. For example, the 2008 review of Australia’s quarantine and biosecurity arrangements recommended the prompt redevelopment of systems¹¹¹, and the Inspector-General of Biosecurity stated in 2019 that information systems were inadequate for identifying changing biosecurity risks.¹¹²

3.51 While some progress has been made, a number of key systems used to support detection activities have not been updated (Table 3.2). These systems were included in the business case for the Biosecurity Integrated Information System program (BIIS; paragraph 2.64–2.65). The BIIS business case proposed replacement with a new system that provided workflow and automation capability to streamline current processes, reduce processing times, provide extra information to support decisions, and better apply risk-based monitoring. It noted that current systems:

• did not allow for the allocation of resources to address biosecurity risk in a timely, efficient and effective manner; and
• resulted in ‘highly inefficient business processes and poor quality data’ due to the manual processes adopted to compensate for system limitations.

Table 3.2: Progress made on system developments

Legend: ◆ System functionality updated; ▲ Partially updated; ■ Not yet updated

Note a: Department of Agriculture and Water Resources, Submission to the Independent Review of the APS [online], 2018, available from https://www.apsreview.gov.au/your-ideas/submissions/department-agriculture-water-resources [accessed 9 February 2021].

Note b: As part of the 2021–22 budget, $28.7 million was announced to expand the system for commercial vessels to include reporting on international aircraft and non-commercial sea vessels; S Morrison (Prime Minister) and D Littleproud (Minister for Agriculture, Drought and Emergency Management), Biosecurity for a safe Australia and thriving farming sector, media release, Parliament House, Canberra, 4 May 2021.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

Detection training and qualifications

Mandatory biosecurity officer training

3.52 The Biosecurity Act 2015 requires the Director of Biosecurity¹¹³ to determine the training and qualification requirements for biosecurity and biosecurity enforcement officers.¹¹⁴ The Director of Biosecurity issued a determination in June 2016 requiring biosecurity and biosecurity enforcement officers to complete two training modules (or equivalent training delivered by another government agency) relating to the Biosecurity Act 2015 and administrative decision-making.

3.53 The department requires that evidence of completion of the mandatory training be provided to approve the appointment of a biosecurity or biosecurity enforcement officer. However, records in the department’s training systems do not clearly indicate that all officers have completed both units of training. Of the 2230 officers recorded by the department, 457 were not recorded as having completed the decision-making training, and 90 were not recorded as having completed the Biosecurity Act 2015 training. Fifty-two had not completed either training.

3.54 The department informed the ANAO that as part of the required five-year renewal of identification cards issued to biosecurity officers at the commencement of the Act (due in 2021), staff without training records in the system will be required to provide evidence of completion. The department should ensure that records of training completion are accurately captured for all biosecurity officers as part of this process.

Other training

3.55 The department has begun developing competency frameworks for biosecurity detection activities to: determine what competencies are required for staff; develop training to support staff to obtain those competencies; and track which staff have obtained competencies. This includes competencies for audits of approved arrangements, assessment of biosecurity documentation (such as import documents), and inspections of travellers, mail and cargo.

3.56 The competency frameworks for audit, document assessment and inspection activities are at varying stages of completion (Table 3.3). Without completed frameworks, there is limited assurance that staff have the training necessary to support effective detection activities.

Are detection activities conducted in accordance with legislative and procedural requirements?

3.57 Conducting detection activities in accordance with procedural guidance and relevant legislation is necessary to ensure activities: are legally valid; achieve the aims of the guidance and legislation; and support subsequent regulatory action.

3.58 To determine whether detection activities are conducted in accordance with procedural and legislative requirements, the ANAO examined the department’s assurance arrangements over detection activities and whether records indicate it is meeting requirements.

Assurance framework

3.59 To provide assurance over the conduct of detection activities, verification frameworks have been established for audits of approved arrangements, assessment of biosecurity documentation, and inspection of goods, mail, travellers and conveyances.¹¹⁵ These are designed to provide evidence that staff follow procedural and legislative requirements.

3.60 The department’s assurance over the conduct of detection activities is reduced by a failure to undertake all verifications required by the frameworks. Table 3.4 provides further information about the requirements of each framework, whether records indicate all required verifications were completed, and the results of verifications.

Identified issues

3.61 Departmental records indicate there are areas in which detection activities are not being conducted in accordance with procedural or legislative requirements. These areas include random inspections, record keeping and evidence collection, and the release of biosecurity risk material.

Random inspections

3.62 Records indicate that random inspections of cargo, air travellers, and mail have not all been conducted in accordance with procedures. Random inspections are intended to provide information on undetected non-compliance and the effectiveness of detection activities (see paragraph 3.80). However, the below issues limit their ability to provide accurate information.

• Scheduled random cargo inspections were not conducted in prior years. In 2018–19, only 42 per cent were conducted. Draft reporting indicates that targets for cargo inspections were met in 2019–20 for the first time since 2015–16. The department has also identified that non-compliances identified by random inspection are not being properly recorded in the relevant system.
• A 2015 CEBRA review of mail and traveller random inspections found that: ‘…sample selections are biased’ and ‘…data are sometimes fabricated or censored’. The department was unable to provide evidence that recommendations to address this have been completed.

Record keeping

3.63 The department has identified a range of issues with detection activity records not meeting procedural requirements (see paragraph 2.8).

3.64 Automated data reviews in 2019–20¹¹⁶ indicate that 1.5 per cent of air traveller records had probable errors, which is relatively consistent with past years.¹¹⁷ The proportion of mail records identified as having probable errors improved from 4.6 per cent in 2015–16 to 1.9 per cent in 2019–20.

3.65 These numbers are likely to be underestimated, as the reviews only identify records outside expected ranges.¹¹⁸ As noted in paragraph 2.9, the department has not quantified the extent of record keeping problems for other pathways, despite known issues.

3.66 The department’s ability to respond to detected non-compliance has been impacted by record keeping and evidence collection issues (paragraphs 4.47 and 4.49–4.50). For example:

• records of traveller non-compliance were unable to support regulatory action as they were incomplete, insufficient, inconsistent or not timely¹¹⁹; and
• action was not taken against approved arrangement holders with systemic non-compliance as collected evidence did not relate to the conditions of the arrangement.

3.67 Departmental documents indicate that it has commenced work to improve record keeping and evidence collection when non-compliance is detected, to avoid these issues in future. Reporting indicates this has improved the quality of traveller non-compliance records.

Incorrectly released biosecurity risk material

3.68 Random inspections of air travellers and mail after they have been inspected or have declared risk material provides an estimate of the amount of biosecurity risk material incorrectly released by staff. This indicates whether detection activities are being conducted in accordance with procedural requirements.

3.69 While issues with the conduct and records of random inspections impact the accuracy of these estimates (paragraph 3.62), departmental estimates indicate that 16.7 per cent of inspected air travellers carrying risk material were incorrectly released between July 2015 and March 2020.¹²⁰ This proportion has not improved over time.¹²¹ The estimated number of compliant travellers (travellers who correctly declared their risk material) subsequently released with risk material increased from 34,335 in 2015–16 to 88,146 in the first nine months of 2019–20.¹²²

3.70 For mail, reporting indicates the estimated number of inspected items incorrectly released with risk material has improved. Departmental records and estimates indicate that 5.6 per cent of inspected mail with risk material was incorrectly released in 2015–16. This was reported to have improved to 0.6 per cent in 2019–20.

3.71 The department does not have arrangements to estimate the proportion of biosecurity risks incorrectly released for conveyances, cargo or approved arrangements. There would be merit in implementing measures to estimate rates of incorrect release in other pathways.

Are detection activities effective at identifying non-compliance?

3.72 Effectively identifying non-compliance supports identification and prevention of biosecurity risk material entering Australia, and identification of non-compliant entities for further action. The ANAO examined departmental records to determine whether detection activities are effectively targeted at non-compliant entities, and to determine the level of undetected non-compliance.

Targeting of inspection activities

3.73 Risk-based detection activities that are effectively targeted at non-compliant entities increase the impact of the department’s resources and reduce the burden on compliant entities.

3.74 In 2013, the department and CEBRA developed a methodology to assess how well mail and traveller detection activities were targeted.¹²³ This methodology estimated the proportion of mail or travellers referred for inspection that were non-compliant. The department ceased reporting against these measures in 2017, leaving it with no reporting on the effectiveness of its targeting.

3.75 Records of detection activities for commercial vessels, air travellers, mail, commercial cargo and approved arrangements indicate that the proportion of inspections that found non-compliance has increased since July 2015 for commercial vessels, mail and commercial cargo (Figure 3.1). This could indicate that detection activities have become more effectively targeted at risk over time, or that non-compliance rates are increasing.

Figure 3.1: Proportion of monthly inspected items recorded as non-compliant^a

Note a: Sea travellers were not analysed as required records were unavailable. Non-commercial cargo was not analysed as the relevant system ‘cannot accurately report on intervention and compliance rates’. Aircraft and non-commercial sea-vessels were not analysed, as they are not inspected on a risk basis.

Note b: Non-compliance was defined as vessels that received 10 or more demerit points under the vessel compliance scheme. Data was only available from January 2017, due to a change in systems (Table 3.2).

Note c: Inspections included only physical inspections. Non-compliance was defined as undeclared goods listed as ‘high risk’ by the department. Data was only available until March 2020, as reporting ceased due to a fall in traveller numbers due to COVID-19.

Note d: Inspections included only physical inspections. Non-compliance was defined as detection of goods listed as ‘high risk’ by the department. The ANAO excluded results from May–August 2020 (grey datapoints) from trend analysis due to the department undertaking 100 per cent screening of profiled groups during this period.

Source: ANAO based on Department of Agriculture, Water and the Environment reporting.

3.76 While it has improved, the rate that inspections reported non-compliance for commercial vessels remains low overall. Most inspections (greater than 90 per cent) have not recorded non-compliance. Without a structured risk assessment framework, the department is unable to demonstrate whether this level of intervention is appropriate.

3.77 Departmental estimates indicate the likelihood of non-compliance of travellers more than doubled from 1.2 to 2.6 per cent from 2015–16 to 2019–20. However, the rate that inspections recorded non-compliance decreased from 15.4 per cent to 12 per cent during this period. This indicates the department may have become less effective at targeting non-compliant travellers.

3.78 The proportion of physical inspections of mail that recorded non-compliance increased from 14 per cent in 2015–16 to 45 per cent in 2019–20. This indicates that mail screening processes (x-ray, detector dog, manual decision-making; paragraph 3.24) have become more effective at identifying non-compliance for physical inspection. The proportion of mail selected for screening (using profiles; paragraph 3.22) that were recorded as non-compliant remains low, with 0.32 per cent of screened mail identified as non-compliant in 2019–20.

Undetected biosecurity risks entering Australia

3.79 Non-compliance detection activities help identify potential biosecurity risks in incoming items and entities. This assists in preventing the entry of plant and animal pests and diseases into Australia.

Departmental monitoring

3.80 The department estimates the total amount of undetected biosecurity risk material entering Australia through air travellers and non-letter class mail¹²⁴ using random sampling, based on methods developed by CEBRA.¹²⁵ It also monitors the proportion of undetected biosecurity risks in commercial full-container-load (FCL) sea cargo¹²⁶ and, as at February 2021, non-commercial air cargo handled by some express air carriers.¹²⁷

3.81 The department does not currently monitor undetected biosecurity risks for other pathways or cargo types, despite commencing a project to monitor commercial air cargo in 2015 and committing to expand its cargo monitoring in response to an Interim Inspector-General of Biosecurity recommendation in 2016.¹²⁸ This prevents a full understanding of its effectiveness in detecting biosecurity risks entering Australia.

Undetected biosecurity risks

3.82 The Biosecurity Act 2015 states that the appropriate level of protection against biosecurity risks for Australia is one aimed at reducing biosecurity risks to ‘very low, but not zero’.¹²⁹ This is used in determining what goods can be imported and any conditions on their import. However, the department has not used it to determine a tolerance for undetected biosecurity risks or defined it in relation to non-compliance.

3.83 While no overall tolerance has been established for undetected biosecurity risks, the department’s 2019–20 performance framework stated that its target is to decrease the proportion of undetected non-compliance for air travellers and mail.¹³⁰ No targets have been established for other pathways.

3.84 The ANAO examined the estimated number of undetected biosecurity risks entering Australia each month through air travellers, non-letter class mail, and commercial sea cargo (Figure 3.2). While issues with data quality and the conduct of sampling (paragraphs 2.8 and 3.62) reduce the accuracy of these estimates, they indicate the number of undetected biosecurity risks entering Australia has increased.

Figure 3.2: Number of monthly estimated undetected biosecurity risks by pathway

Note a: The number of commercial cargo consignments was estimated by multiplying the proportion of non-compliance identified in the department’s random sampling of FCL sea cargo by the total number of uninspected commercial cargo consignments. This number of uninspected commercial consignments also includes bulk, break-bulk, and less-than-container-load cargo (14.5 per cent of commercial sea cargo referred to the department). The department was only able to provide total commercial cargo numbers, and not separate numbers for different commercial sea cargo types. From February 2019, records of random sampling included additional types of non-compliances that were not previously reported, increasing non-compliance rates.

Note b: Undetected biosecurity risks were defined as travellers carrying undeclared goods listed as ‘high risk’ by the department. Travellers estimates ceased after March 2020 due to a decrease in traveller volumes resulting from COVID-19. The ANAO excluded results from March 2020 (grey datapoint) from analysis due to decreased traveller volumes resulting from COVID-19.

Note c: Undetected biosecurity risks for mail were defined as mail containing goods listed as ‘high risk’ by the department. The ANAO excluded results from May–August 2020 (grey datapoints) from analysis due to the department undertaking 100 per cent screening of profiled groups during this period.

Source: ANAO based on Department of Agriculture, Water and the Environment reporting.

3.85 The proportion of undetected risks in commercial sea cargo appear to have increased. Reporting indicates that the proportion of uninspected FCL sea cargo consignments that were non-compliant increased from 1.8 to 9.6 per cent between 2015–16 and 2019–20.

3.86 The estimated proportion of travellers entering Australia with biosecurity risk material that were not detected increased from 84 per cent in 2015–16 to 95 per cent in 2019–20. The total estimated number of undetected biosecurity risks entering Australia more than doubled from 18,800 in 2015–16 to 38,200 in the first nine months of 2019–20. This indicates that detection activities for air travellers have become less effective in terms of both proportion and volume of undetected biosecurity risks.

3.87 The estimated proportion of all risk material detected by the department for non-letter class mail has improved from 13 per cent in 2015–16 to 20 per cent in 2019–20. However, increasing mail volumes and amounts of risk material being sent meant that this was not enough to prevent an increase in the estimated overall volume of biosecurity risks entering Australia.

4.1 As outlined in Table 1.1, the department responds to non-compliance with biosecurity requirements across multiple pathways through which pests and diseases may enter Australia. This includes cargo, travellers, mail, conveyances and approved arrangements.

4.2 The Biosecurity Act 2015 (the Act) provided an expanded range of regulatory tools for responding to non-compliance. Effective use of these tools is necessary to deter non-compliant behaviour and maintain Australia’s biosecurity status.

4.3 The regulatory tools available to respond to non-compliance¹³¹ include monitoring and investigation powers, engagement and education (letters of warning and advice), administrative actions (varying, suspending or revoking permissions and approvals)¹³², civil sanctions (infringement notices, civil penalty proceedings, enforceable undertakings, and injunctions), and criminal sanctions via referral to the Commonwealth Director of Public Prosecutions¹³³ (CDPP).

4.4 To assess whether the department’s use of regulatory tools in response to non-compliance with biosecurity requirements is effective, the ANAO examined whether:

• appropriate systems and procedures are in place to support the use of regulatory tools;
• actions taken in response to non-compliance are timely and proportionate to risk;
• the use of regulatory tools is consistent with legislative and procedural requirements;
• actions in response to non-compliance are effective at managing biosecurity risks; and
• the use of regulatory tools has been evaluated.

Are appropriate procedures and systems in place to support the use of regulatory tools?

4.5 Establishing appropriate procedures and systems helps ensure regulatory tools: are able to be used as intended; achieve desired outcomes; and are used in a legally sound and defensible manner. This includes implementing policies, procedures and supporting documentation, establishing appropriate information systems, ensuring staff are appropriately trained and qualified, and ensuring regulatory powers have been legally delegated to officials.

Policies, procedures and supporting documentation

4.6 Where policies, procedures and supporting documentation have been developed, they are largely clear in defining roles and responsibilities, and provide largely sufficient guidance to support staff in the use of regulatory tools under the Act.

4.7 However, the department has not established policies, procedures and supporting documentation to support the use of all of the regulatory tools available (Table 4.1). Finalised documentation relates primarily to the use of infringement notices with air travellers and the conduct of investigations. This limits the ability to effectively apply other regulatory tools.

Table 4.1: Policies, procedures and supporting documentation for regulatory tools

Legend: ◆ Fully implemented; ▲ Partially implemented; ■ Not implemented

Note a: Completed supporting documentation includes matrices for determining what evidence is required to support an infringement notice under different provisions of the Act.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

4.8 Similar gaps in policies, procedures and supporting documentation for the use of regulatory tools have been identified by the Inspector-General of Biosecurity. The Inspector-General has made a number of recommendations, including:

• in August 2019 — to develop more effective policies, processes and instructional material to manage critical non-compliance at an approved arrangement, including clarifying processes for suspension or revocation of its approval, contingency response plans for such eventualities, and timely sanctions for less serious non-compliance¹³⁴; and
• in July 2020 — to develop an operational policy framework to issue infringement notices and civil penalties for non-compliance relating to imported goods.¹³⁵

4.9 As at March 2021, implementation of these recommendations has not been completed.

Information systems

4.10 The department utilises a range of information systems to support the use of regulatory tools.

4.11 Many of the systems used to support the use of regulatory tools are the same as those used in detection activities. As noted in paragraph 3.50, multiple reviews and documents have identified shortcomings in these systems, which also extend to their ability to support the use of regulatory tools. For example, the business case for the Biosecurity Integrated Information System (BIIS; paragraphs 2.64–2.65) noted that current systems do not ‘reliably document decisions and regulatory roles exercised by officers’.

4.12 The management of approved arrangements currently uses a number of systems that do not integrate. This prevents a clear view of all details of an approved arrangement, including past legislative and administrative decisions, limiting staff’s ability to understand the behaviour of non-compliant entities. This was intended to be addressed by the BIIS program through the development of an end-to-end workflow system by October 2019.¹³⁶ As at March 2021 these enhancements are not yet complete.

4.13 The department has identified that staff are not appropriately trained and supported to effectively use its investigation management system. A 2019 survey found that it is ‘not an understood system and only a small part of its functionality is used’, and that ‘the lack of formal training falls short of the requirements set out in the [Australian Government Investigations Standards]’.¹³⁷ The survey report recommended the development of instructional material and training. Instructional material has been completed, while training modules remain in development.

4.14 In addition, appropriate systems have not yet been implemented for some key activities. For example, the department uses intranet sites¹³⁸ to record and triage identified non-compliance, manage corrective action requests for approved arrangements, and to manage infringement notices issued to travellers. These sites do not integrate with other systems, require manual re-entry of data stored elsewhere (this has resulted in some information not being entered in the site that records identified non-compliance), and do not have appropriate controls to ensure data accuracy.

Training and qualifications for the use of regulatory tools

4.15 The department has established and documented training and qualification requirements to support staff to effectively use regulatory tools under the Act.

Qualifications

4.16 The department has determined that all staff involved in undertaking investigation and enforcement activities in response to non-compliance are required to meet the qualification requirements established in the Australian Government Investigations Standards.¹³⁹ It also requires additional qualifications for other roles, including a Certificate IV or Diploma of Intelligence for staff who use intelligence to support investigation activities.

4.17 Departmental documentation indicates that all investigators hold required qualifications or appropriate equivalents. However, only one of six officers involved in using intelligence to support investigation activities could provide evidence of an intelligence-related qualification.

Training

4.18 Biosecurity and biosecurity enforcement officers are required under the Act to complete two training modules (or their equivalent). Identified issues with records of completion of this training are discussed in paragraph 3.53.

4.19 As actions taken in response to non-compliance for travellers are typically delivered on the spot by operational staff outside of the central investigation and enforcement area of the department, the department has established specific training for these activities. This includes training for issuing infringement notices and managing non-compliance.

4.20 The department also delivered a series of training sessions in 2019 and 2020 to support the introduction of new visa cancellation grounds for contravention of the Act (paragraph 4.37). It included example scenarios and guidance to support staff in referring non-compliant travellers who met specified criteria to the Department of Home Affairs (Home Affairs) for visa cancellation.¹⁴⁰

Delegations

4.21 Under the Biosecurity Act 2015 and Regulatory Powers (Standard Provisions) Act 2014¹⁴¹, some powers given to the Minister or the Director of Biosecurity to manage biosecurity non-compliance can be delegated to other officials. Establishing effective arrangements to manage delegations helps ensure officials do not exercise powers they have not been delegated.

4.22 From the introduction of the Biosecurity Act 2015 until February 2020, internal records indicate the department did not effectively manage delegations for biosecurity officers and biosecurity enforcement officers. This resulted in powers being exercised without the correct delegation, with records indicating 12 per cent of infringement notices were issued by staff without the correct delegation. Key issues included that:

• delegations under the Biosecurity Act 2015 were assigned to departmental positions¹⁴², while delegations under the Regulatory Powers (Standard Provisions) Act 2014 were assigned to individual officers¹⁴³ — this often resulted in staff in an acting role or who had moved between positions not possessing the correct delegations for their role; and
• the system used to record delegations was subject to a time lag, resulting in staff being presented with out-of-date information.

4.23 Following a 2019 review that found the delegations system did not adequately manage the risk of powers being exercised without a valid delegation, a new delegations framework was implemented in February 2020. This framework aligned delegations under the Biosecurity Act 2015 with individual officers rather than positions and removed the need for a specialised system.

Are actions taken in response to non-compliance timely and proportionate to risk?

4.24 Responses to identified non-compliance should be timely to deter future non-compliance and proportionate to risk to ensure resources are expended on the highest risks and act as a sufficient deterrent. This can be facilitated by establishing an appropriate process to triage and prioritise actions and applying different regulatory tools based on the nature of the non-compliance.

4.25 The department’s biosecurity compliance statement states that its compliance posture is dependent on entity behaviour. This ranges from supporting clients who voluntarily comply, to using the full force of the law to deal with deliberate non-compliance.¹⁴⁴

Triage and prioritisation

4.26 Documented processes to prioritise and establish when regulatory tools should be used support a response to non-compliance that is consistent, timely and proportionate to risk.

4.27 The department has established a process to assess each reported non-compliance and allocate it to an appropriate area for further action. Each reported non-compliance is assigned a priority, which determines how quickly it will be processed. It is also assigned a ‘harm’ score, but procedural guidance does not specify how this should inform the regulatory response. The department has identified scope for further improvement in this triage process, commencing work on a triage and escalation framework in 2020.

4.28 Where non-compliance is referred for further investigation, there is an additional process for its assessment and prioritisation. This process identifies and categorises the level of risk, determines whether further investigation is required, assigns a priority rating, and determines what response may be appropriate.

Use of the range of available regulatory tools

4.29 There are a range of regulatory tools available under the Act to respond to non-compliance. These tools were intended to provide options to ensure that penalties are in proportion to the offence.¹⁴⁵ However, the department has not used all available tools (Table 4.2), limiting its ability to tailor its responses to the level of risk.

Table 4.2: Use of available regulatory tools in relation to non-compliance

Legend: ◆ Used; ▲ Used in some pathways; ■ Not used

Note a: The department’s policy for approved arrangements allows for an approved arrangement holder to request a suspension or revocation of an approved arrangement. These have not been considered as part of this audit as they do not typically apply to instances of non-compliance.

Note b: Not all permit suspensions and revocations are associated with non-compliance.

Note c: Biosecurity officers must demonstrate (that the officer formed the belief on reasonable grounds) that a traveller knowingly provided false or misleading information when an infringement notice is issued for alleged contravention of subsection 532(1) or subsection 533(1) of the Biosecurity Act 2015.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

Funding to expand the use of regulatory tools

4.30 The department received $28 million over four years from 2018–19 to invest in targeted assurance, verification and enforcement activities. Amongst other things, major deliverables of the funding included expanding the use of infringement notices, and exploring the use of civil penalty proceedings, enforceable undertakings and injunctions. The department was unable to confirm how much funding was allocated to these specific deliverables.

4.31 The department provided regular reporting on its progress to the Minister for Agriculture and Water Resources between January 2018 and March 2019. In the first update to the Minister, the department stated it had commenced development of an enterprise wide policy to govern the use of civil penalties, enforceable undertakings and injunctions. No further progress was noted in the reporting. This policy was finalised in March 2021.

4.32 In October 2018, the department advised the Minister that infringement notices had been made operational in the cargo environment and would be expanded into the mail environment. As at January 2021, no infringement notices have been issued for cargo and mail.

Actions in air traveller and approved arrangement pathways

4.33 While most regulatory responses are determined by a central non-compliance and enforcement area, the traveller and approved arrangement pathways have separate arrangements. The ANAO examined the timeliness and proportionality of actions in those pathways.

Air travellers

4.34 The department has established an infringement notice scheme for air travellers, where biosecurity officers may issue infringement notices on the spot.

4.35 Actions taken in response to non-compliance by travellers are mostly timely, as infringement notices are required to be paid prior to leaving the airport, unless an extension is granted. Approximately eight per cent of infringement notices are not paid prior to leaving the airport.¹⁴⁶ Paragraph 4.50 provides more information on the department’s approach to managing unpaid infringement notices.

4.36 The proportionality of actions in response to traveller non-compliance has been supported by an amendment to the Act that allows for different penalty amounts to be specified in infringement notices for goods that pose a high level of risk.¹⁴⁷ Prior to 1 January 2021, all infringement notices were set at two penalty units (the equivalent of $444), but may now be up to 12 penalty units ($2664).¹⁴⁸ In January and February 2021, the department reported 11 infringement notices using the increased penalty unit provision.

4.37 In addition, the department has begun referring air travellers to Home Affairs for visa cancellation from October 2019, as noted in paragraph 4.20. The department intends to use this option in response to serious non-compliance, supporting its ability to take actions in proportion to risk.As at March 2021, 33 travellers have been referred, with 14 visas cancelled.

Approved arrangements

4.38 The primary tool for managing biosecurity risks associated with non-compliance at approved arrangements is the corrective action request (CAR).¹⁴⁹ CARs are issued to approved arrangement holders to notify them of non-compliance and provide them with a timeframe for rectification. CARs may be classified as minor, major, critical or non-rated.

4.39 The ANAO examined the timeliness of 39 critical CARs. Under the policy, a critical CAR should be closed within seven days (or 21 days total when the CAR is reissued twice — the maximum allowed under the policy). While the department’s register of CARs is not complete and accurate¹⁵⁰, available records indicate that the CARs were not finalised in a timely manner. For example:

• one case was marked as closed after 284 days — the ANAO was unable to identify documentation to verify this case was appropriately closed; and
• of the 25 cases the ANAO was able to verify were appropriately closed, the longest time taken to close out a request was 69 days, and the average time was 23 days.

4.40 If there is a critical non-compliance, or more than a specified amount of minor or major non-compliances, the arrangement is to be audited at an increased rate (paragraph 3.31).¹⁵¹ Where a critical non-compliance is assessed, the department may request an arrangement holder to show cause¹⁵² why the arrangement should not be suspended or revoked. This may also occur where three successive CARs are issued for the same non-compliance.

4.41 As the department does not currently have a system which provides for end-to-end management of approved arrangements, the ANAO was unable to determine the extent to which show cause processes have been pursued. The Inspector-General of Biosecurity has commented on delays in issuing show-cause notices for non-compliance to approved arrangement sites.

Fit and proper person test

4.42 Under the Act, the department must consider whether a person or entity is a fit and proper person when considering whether to approve or vary an arrangement. This requires a specific test under the Act. The department also has the ability to cancel or suspend approved arrangements if satisfied the arrangement holder is no longer a fit and proper person.¹⁵³

4.43 While fit and proper person tests have been used in response to some instances of non-compliance by existing arrangements, the department informed the ANAO that they are primarily conducted when considering applications for new or varied arrangements. There is no policy for how and when fit and proper person tests should be used in response to non-compliance, limiting the assurance that they are used in a way that is effective and proportionate to risk.

Is the use of regulatory tools consistent with legislative and procedural requirements?

4.44 The department must ensure that its use of regulatory tools is consistent with legislative and procedural requirements. Failure to use regulatory tools in accordance with legislative and procedural requirements may result in legally invalid sanctions and weaken the department’s reputation as a regulator.

4.45 The ANAO examined whether administrative actions, civil sanctions and criminal sanctions under the Act have been issued in accordance with legislative and procedural requirements.

Administrative actions

4.46 Use of administrative actions (such as varying, suspending or revoking approved arrangements and permits) is limited by a lack of compliance with procedural and legislative requirements leading up to a potential administrative action, including when collecting evidence.

4.47 In March 2020, the department reviewed all show cause processes undertaken for approved arrangements since the introduction of the Act. Of the 100 cases, 47 resulted in a notice of intention or notice of decision to suspend or revoke an approved arrangement being issued. Of those 53 cases that did not progress to a notice of intention or decision, the department reported issues with supporting documentation, including lack of evidence and ambiguous conditions. The department has not undertaken any work in response to this review.

Civil sanctions

4.48 As noted in Table 4.2, the only civil sanctions that have been used are infringement notices for air travellers.

4.49 In 2017 and 2018, the department undertook a review of infringement notices issued in airports, identifying a number of infringement notices that were issued incorrectly. Identified issues included notices issued without the correct delegation (see paragraph 4.22) and with insufficient supporting evidence on file. The department identified 917 notices that were unable to be rectified, which represented 14 per cent of infringement notices issued to date.¹⁵⁴ This resulted in refunds for 865 paid notices to the value of $322,000.

4.50 These issues have also been identified by the department when attempting to identify unpaid infringement notices for potential civil penalty proceedings (see Table 4.2). Several issues with the notices such as not having demonstrated intentional non-compliance¹⁵⁵, incorrect or incomplete evidence and incorrect delegations have been noted as preventing these cases from progressing to litigation.

4.51 The department has commenced a process to manually check each infringement notice for administrative errors, such as incomplete notes or incorrect delegations, and to rectify these errors where possible. The proportion of errors identified following the introduction of the checking process has been reported to have reduced.

4.52 While the number of issued infringement notices has reduced since the Australian border closed in response to the COVID-19 pandemic, the department has identified that this approach to validating each issued infringement notice will not be sustainable as traveller volumes increase in the future. The department could ensure staff are supported and trained to appropriately issue infringement notices so that a less resource intensive quality assurance process is required.

Criminal sanctions

4.53 To determine whether investigations supporting criminal sanctions are conducted in compliance with procedural guidance and the Australian Government Investigations Standards, the department has established an annual audit and verification process.¹⁵⁶ Audits were not completed during 2015–16 and 2016–17. The department has since completed the outstanding audits for the 2015–16 and 2016–17 periods, as well as those for 2017–18 and 2018–19.

4.54 The audit and verification process identified ‘minor issues’ relating to compliance with procedural requirements, such as record keeping not consistent with procedures.¹⁵⁷ In most instances, records and relevant information could be identified in supplementary documentation or email records.

4.55 Accurate and complete record keeping is necessary to ensure that the department can effectively use its available regulatory tools. The department should continue to reinforce the importance of robust record keeping relating to investigations, and ensure quality assurance activities are regularly conducted.

Are actions taken in response to non-compliance effective at managing biosecurity risks?

4.56 Regulatory tools should support the management of biosecurity risks by minimising impacts from non-compliance and preventing future non-compliance.

Education

4.57 The department utilises letters of warning and advice, and notices (for air travellers) as part of its education activities. In 2017, the department reviewed the use of warning letters in the cargo pathway for non-compliance issues assessed as inadvertent or opportunistic.

4.58 Departmental documentation indicates that the review was unable to form a clear picture of the effectiveness of warning letters at changing recipients’ compliance behaviour. This was primarily due to a lack of inspections to determine ongoing compliance after warning letters had been issued.

4.59 The review found two cargo supply chains with a greater proportion of non-compliant than compliant inspection findings after a warning letter was issued. As such, in these two cases the warning letters were found to be not effective at influencing behaviour change.

4.60 The effectiveness of educational tools in other pathways has not been reviewed.

Administrative actions

4.61 As noted in paragraphs 4.39 and 4.46–4.47, issues have been identified with the department’s timeliness and ability to progress administrative actions in response to non-compliance at approved arrangements (including show cause, revocation, and suspension of arrangements). As approved arrangements continue to operate until administrative action is finalised, this limits the department’s ability to manage the risk of non-compliance.

4.62 Similarly, the Inspector-General of Biosecurity noted in 2019 that the processes for applying administrative sanctions appear time consuming and weighted to the management of legal risks to the department rather than biosecurity risks.¹⁵⁸

4.63 Issues with departmental systems (paragraph 4.12) prevent a complete analysis of the impact of administrative actions on non-compliance rates in approved arrangements. However, there is evidence of approved arrangements not complying with requirements for extended periods, despite departmental action. Case study 1 examines an approved arrangement where a number of critical and other non-compliance risks were identified over a 20-month period.

4.64 In respect of administrative actions taken to vary, suspend or revoke import permits, there is limited evidence regarding their effectiveness. Without policies or procedures to establish how these actions should be used in response to non-compliance (Table 4.1), there is limited assurance they are being used in a way that effectively manages biosecurity risk.

Civil sanctions

4.65 The number of infringement notices reported as issued to air travellers has increased each year since the introduction of the Act (Figure 4.1). In July 2020, the department stated that it was on track to issue more than double the number of infringement notices in 2019–20 compared to 2018–19, prior to the introduction of travel restrictions in response to COVID-19.¹⁵⁹

Figure 4.1: Number of infringement notices issued in airports

Note a: The Biosecurity Act 2015 commenced on 16 June 2016.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

4.66 The department was not able to provide any evidence that demonstrates the impact of infringement notices on overall traveller compliance rates. This is despite the department having noted that traveller behaviour is shifting from inadvertent to deliberate non-compliance. Departmental estimates also indicate that overall non-compliance rates for air travellers have about doubled from 1.2 to 2.6 per cent from 2015–16 to 2019–20.¹⁶⁰

4.67 As the department has not utilised enforceable undertakings, injunctions and civil penalty proceedings, or infringement notices outside of the traveller pathway (Table 4.2), their use has not had an impact on the management of biosecurity risk.

Criminal sanctions

4.68 Since the introduction of the Act, 40 cases referred for prosecution by the department have been finalised. Of those cases, 12 have been withdrawn¹⁶¹, with the remaining 28 reaching a guilty outcome. This indicates that the department is acting consistently with the Prosecution Policy of the Commonwealth, which states that ‘a prosecution should not proceed if there is no reasonable prospect of a conviction being secured’.¹⁶²

4.69 Departmental records indicate that it is not always effective at using criminal sanctions to manage non-compliance. Case study 2 examines an individual who has been prosecuted multiple times and continues to not comply with biosecurity requirements.

Note a: Biosecurity Act 2015, subsection 174(4); An amendment to the Act to address this issue was introduced and passed in March 2021.

Has the use of regulatory tools been evaluated?

4.70 Evaluation is a critical element in establishing accountability for program performance and ensuring ongoing improvement. The ANAO examined the department’s arrangements to monitor and evaluate its use of new regulatory tools under the Act, and the enforceability of its use of regulatory tools.

Use of new regulatory tools under the Act

4.71 As outlined in paragraph 2.62, the department developed a benefit measures framework to outline the intended benefits to be achieved by the implementation of the Act and support evaluation of the effectiveness of the legislation and its implementation.

4.72 The framework included benefit measures relating to the effectiveness of new regulatory tools in supporting the department to deal with biosecurity risks. While these measures were reported against in April 2018, subsequent reporting was not completed. Table 4.3 provides a summary of the measures, their 2018 reported results, and final status.

4.73 While the implementation of regulatory tools under the Act was intended to reduce the costs and regulatory burden on government and entities, the framework did not include any measures to assess this. This is despite the department agreeing to a recommendation in Auditor-General Report No.34 2016–17 Implementation of the Biosecurity Legislative Framework to ensure the framework was effective in assessing the value of the reduction in costs and regulatory burden.¹⁶³

4.74 In 2017, the department commissioned a review that forecast the implementation of the Act to reduce annual compliance costs by $5.5 million — 20 per cent lower than originally estimated.¹⁶⁴

4.75 No other evaluation of the implementation of regulatory tools under the Act has been conducted. As the department has not conducted any other evaluation, or completed all intended reporting of benefits, it is unable to demonstrate that the implementation of new regulatory tools under the Act has been effective in achieving its intended benefits.

Enforceability of regulatory tools

4.76 The department established a taskforce in July 2019 to deliver a capability to utilise the full suite of administrative actions and civil law sanctions available to it. As part of this work, the taskforce reviewed the department’s current use of regulatory tools, focusing on enforceability.

4.77 A report from the review was produced in November 2019. It found that ‘enforceability impediments have prevented the use of desired regulatory responses, including being unable to effectively manage known biosecurity risks, take administrative action or achieve successful criminal prosecutions’. The report made eight recommendations.

4.78 An update was provided to the department’s executive board in September 2020.¹⁶⁵ It included a condensed set of five recommendations made by the taskforce. These were to: develop a departmental policy to support the utilisation of civil sanctions; establish a governance structure with clear roles and responsibilities; develop material to guide the use of civil sanctions; develop an implementation strategy, including education for staff, external messaging and industry engagement; and establish a capability to build future regulatory system enforceability assurance.

4.79 As at March 2021, these recommendations have not been fully implemented. Full implementation of these recommendations, as well as addressing the gaps identified throughout this chapter, is necessary to ensure the department is able to effectively manage biosecurity non-compliance using the full suite of regulatory tools available under the Act.

Appendix 1 Department of Agriculture, Water and the Environment response

Appendix 2 Risk framework reviews and activities

Table A.1: Identification of and attempts to address the lack of a system-wide biosecurity risk framework

Note a: R Beale, F Fairbrother, A Inglis, D Trebeck, One Biosecurity: A Working Partnership — The Independent Review of Australia’s Quarantine and Biosecurity Arrangements, 2008, pp. 157–159.

Note b: Australian Government, Budget Paper No. 2, Budget Measures 2010–11, 2010, p. 90

Note c: A Robinson, M Burgman, W Atkinson, R Cannon, C Miller, H Immonen, AQIS Import Clearance Review [internet], Australian Centre of Excellence for Risk Analysis, 2009, available from https://cebra.unimelb.edu.au/__data/assets/pdf_file/0016/2220244/0804.pdf;

A Robinson, M Burgman, R Langlands, R Cannon, F Clarke, AQIS Import Clearance Risk Framework [internet], Australian Centre of Excellence for Risk Analysis, 2009, available from https://cebra.unimelb.edu.au/__data/assets/pdf_file/0018/2220246/0804a-final-report.pdf

Note d: Department of Agriculture and Water Resources, Reform of Australia’s Biosecurity System — An Update since the Publication of One Biosecurity: A Working Partnership, 2012, pp. 11–12.

Note e: Inspector-General of Biosecurity Review Report No. 2019–20/03, Biosecurity risk management of international express airfreight pathway for non-commercial assignments, p. 5.

Note f: Centre of Excellence for Biosecurity Risk Analysis, Annual Report 2019–20 [internet], p. 12, available from https://cebra.unimelb.edu.au/__data/assets/pdf_file/0005/3517097/CEBRA-Annual-Report-2020-Final.pdf

Source: ANAO based on Department of Agriculture, Water and the Environment and publically available documents.