2.1 A compliance framework is a set of plans, policies or procedures that establish the approach taken to manage compliance. An appropriate compliance framework assists regulators to gather and use intelligence, target their efforts at the areas of highest risk of non-compliance, and plan for and measure their achievement of objectives.

2.2 To assess whether the department has established an appropriate compliance framework, the ANAO examined whether:

• intelligence is gathered and managed effectively;
• there is an appropriate framework to identify and manage risks;
• the approach to managing compliance is supported by appropriate plans and strategies;
• there are appropriate arrangements with partner agencies; and
• an appropriate performance framework has been established.

Is intelligence gathered and managed effectively?

2.3 Regulatory intelligence involves analysing data and information to generate insights to support the approach to managing non-compliance.¹⁴ To be effective, regulatory intelligence should be supported by appropriate plans and policies, appropriate arrangements to collect and store data and information, and be analysed and distributed in a way that meets decision-makers’ needs.

Intelligence plans, policies and procedures

2.4 The department does not currently have finalised plans, policies or procedures for gathering or managing biosecurity intelligence, though some supporting documentation has been recently completed.¹⁵ This limits assurance that intelligence is gathered and managed in a way that is consistent with departmental requirements. In addition, the absence of intelligence policies means that the department is not meeting section 2.6 of the Australian Government Investigations Standards¹⁶:

Where relevant, agencies should have a policy outlining the use of intelligence in identifying conduct which allegedly, apparently or potentially breaches the law.

2.5 The department commenced or committed to developing an intelligence plan or strategy in 2011, 2013, 2016, 2017 and 2019, including in response to an agreed recommendation from the Interim Inspector-General of Biosecurity.¹⁷ This did not result in an implemented intelligence plan or strategy. The department commenced development of a new strategy in 2020, with the strategy in draft as at March 2021.

Information collection

2.6 Collecting regulatory information from a range of reliable sources assists regulators to ensure insights generated from intelligence are accurate. Relevant sources for the department’s biosecurity regulation include information from its own activities and information gathered by other government agencies and biosecurity regulators.

Internally sourced information

2.7 The department captures a range of information from its own activities, including records of identified non-compliances and regulatory actions taken against non-compliant entities. However, the value of this information for intelligence is limited by the quality and structure of data entered into the department’s systems.

2.8 While there are largely appropriate controls in place to ensure the integrity of data once entered into systems, internal documents and reviews indicate that data entered for travellers, mail and cargo is subject to data quality issues. These include missing or incorrect details for: entities¹⁸; imported cargo¹⁹; detected cargo non-compliances; the reasons, application and results of biosecurity treatments for cargo²⁰; scanned documents²¹; and infringement notices.

2.9 The department undertakes monthly data reviews for the systems used for managing mail and travellers, to ensure an ‘acceptable level of data integrity and user confidence’.²² The department was unable to provide evidence of any similar approach to quantify or improve data quality for cargo systems, despite the known issues.

2.10 The issues with cargo data quality have impacted the department’s ability to provide timely and accurate intelligence to support the department’s regulation. For example, the department was unable to confirm the identity of an importer of illegal animal hides for ‘almost a month after the import’ due to incorrect information recorded in cargo systems.

2.11 Even where information is accurately entered, its value may be limited by the structure of collected data. Key information (such as reasons for non-compliance and actions taken in response, import permits, and passport numbers) is stored in free-text format, which has resulted in inconsistent formatting and contents, and has prevented analysis.

Externally sourced information

2.12 There are a range of external sources that possess information relevant to the department’s biosecurity compliance activities. In particular, the Department of Home Affairs (Home Affairs) is the primary holder of information about travellers and goods entering Australia. Other potential sources include state and territory biosecurity agencies, and Commonwealth regulatory and enforcement agencies.

Department of Home Affairs

2.13 The department has arrangements to request information from Home Affairs, to automatically transfer some cargo data from Home Affairs to departmental systems, and for officials to access Home Affairs’ systems through the Border Intelligence Fusion Centre.²³

2.14 However, the department is currently unable to collect some datasets from Home Affairs, despite both parties committing to a framework for ‘bulk data sharing’.²⁴ This includes datasets on cargo, travellers and mail that were not flagged as being of biosecurity concern or inspected by the department.²⁵ It is also unable to collect datasets on some traveller and mail characteristics, such as country of birth, visa sub-class and mail contents and destinations.

2.15 These datasets have been identified by the department as something that would improve its regulation, including its ability to identify and target non-compliance (see paragraphs 2.44 and 2.49). However, departmental systems are unable to store the information due to its ‘protected’ classification.²⁶ The department has commenced at least four projects since 2017 to work with Home Affairs to collect this information, but these have not yet been successful.

Other Commonwealth agencies and states and territories

2.16 The department collects information from other Commonwealth agencies on individual issues, entities or instances of non-compliance through ad hoc communication channels. This information has been used to gather a more complete intelligence picture around individual biosecurity issues. However, without structured arrangements setting out when and what information should be shared, there is a risk that information received will be reactive and dependent on personal relationships, and therefore be limited in its ability to support the identification of non-compliance trends.

2.17 The department has agreed to a protocol on data and information sharing with state and territory biosecurity agencies. The protocol requires the department to maintain a register of shared data, and states information and data sharing is ‘essential’ and ‘needed to prevent, mitigate and manage … biosecurity risks’. However, the department does not maintain a register of shared information and data, limiting its ability to understand what information is being collected from states and territories and how it is used.

Information storage

2.18 An April 2019 document identified 56 different systems used in the management of biosecurity. The majority of these systems do not communicate or have compatible data. In addition, key information is stored in isolated intranet sites²⁷ and spreadsheets.

2.19 It is important to store collected information in a way that facilitates access and analysis if it is to effectively inform the approach to regulation.²⁸ Without the ability to integrate data between different systems and information sources, the department’s ability to obtain a complete intelligence picture is limited.

2.20 The department has identified this issue in multiple reviews and documents, and has initiated projects to improve its systems and access to information (Table 2.1). While some projects have delivered improvements, there remain limitations to the department’s ability to access data and integrate information.

Table 2.1: Outcome of projects to improve information integration across systems

Note a: The department’s system for managing investigations into non-compliance is not accessible. Other information stored on departmental intranet sites, such as the department’s records of all non-compliance, have not yet been integrated into the models.

Source: ANAO based on Department of Agriculture, Water and the Environment information.

Intelligence products

2.21 For stored information to be useful, it should be analysed and disseminated to decision-makers in a way that meets their needs and supports decision-making. This includes tactical decisions about individual entities or instances of non-compliance, through to strategic decisions about the overall approach to biosecurity.

Identification of needs

2.22 While intelligence products²⁹ are developed in response to requests, the department has not yet completed a process to identify and prioritise the intelligence needs of decision-makers.³⁰ This limits its assurance that it is producing the intelligence products that will most effectively support key decisions. This is reflected in internal documents that indicate some decision-makers do not feel they receive intelligence that meets their needs. For example:

• an August 2019 minute stated that ‘…information and intelligence that can assist with the prioritisation of activities is not readily available’; and
• a December 2019 report stated that risk owners ‘…are not informed by a comprehensive intelligence picture or profile in the way that would be of significant benefit’.

Intelligence products coverage

2.23 To determine whether the department’s intelligence products effectively support the range of biosecurity regulatory decisions being made, the ANAO examined all 34 completed intelligence products that commenced between 1 July 2019 and 30 June 2020.³¹

2.24 While the department produced a range of intelligence products to support tactical and operational decision-making, it did not use collected information to develop intelligence products that support strategic decision-making. Of the 34 products examined by the ANAO, three provided strategic-level intelligence. These three products were based on publicly available information and did not use information collected from other agencies or the department’s own regulation. Themes from the strategic products have been reflected in high-level strategic discussions but have not yet resulted in changes to the department’s approach to regulating biosecurity.³²

2.25 The department had commenced work on an additional 14 strategic intelligence products at the time of audit fieldwork. This reflects the ongoing development of the department’s strategic intelligence capability, after it commenced strategic intelligence work in 2019.

2.26 While producing an increased number of strategic intelligence products will better support strategic decision-making in future, they should make use of information from the department’s regulation, as well as open source information.

Is there an appropriate framework to identify and manage risks?

2.28 Regulators with clear and comprehensive processes to assess risk are positioned to allocate their resources towards those areas of greatest impact. Appropriate risk assessment processes support the department to: compare risk across the biosecurity system and target efforts accordingly; identify and respond to emerging and priority risks; and understand which entities within a pathway to focus on.

2.29 The Australian Government has committed to a risk-managed approach to biosecurity regulation.³³ Effective implementation of such an approach will be important to manage increasing biosecurity risk in the future — the department predicted in 2017 that, under current regulatory strategies, unmitigated risks will increase 70 per cent and costs 50 per cent by 2025.³⁴

System-wide risk framework

2.30 While the department has adopted risk-based approaches to some individual components of biosecurity regulation (see paragraphs 2.35–2.54), it does not have a framework to assess and manage risk across the entire biosecurity system. There is no established process to assess the level of risk posed by each biosecurity pathway and target activities at those pathways accordingly.

2.31 The absence of a framework to manage risk across the biosecurity system has been identified internally and externally. This includes once in 2008, twice in 2015 and twice in 2020. There have been multiple attempts or commitments to implement such a framework, including in 2009, 2010, 2012, 2016, 2017, and ongoing at the time of audit fieldwork in March 2021. These did not result in an implemented framework, despite some producing tools that could be used to assess risk across the biosecurity system, including comparing the risk of different pathways (see Appendix 2).³⁵

Identifying emerging and priority risks

2.32 Without a framework to manage risk across the biosecurity system, there is no established process to determine risk tolerances or departmental priorities. This has resulted in internally identified issues, with 2019 departmental documents noting that priorities ‘changed rapidly over time’ and varied between working areas.

2.33 The department identified 12 priority biosecurity risks in August 2020.³⁶ No structured or documented process was used for this risk assessment. In addition, it lacked several elements of better practice risk assessment³⁷, including: defined criteria for evaluating risks and establishing tolerances; analysis of risks before treatments are applied; and arrangements for monitoring and review. This limits the department’s assurance that the assessment accurately captured key risks.

2.34 A departmental review stated in November 2020 that ‘biosecurity risk governance is currently ineffective’, noting this results in communication breakdowns between operational and policy areas and decreases the ability to proactively manage risks.

Pathway risk assessments

2.35 As outlined in Table 1.1, the department manages non-compliance with biosecurity requirements across multiple pathways through which pests and diseases may enter Australia, including cargo, travellers, mail, conveyances and approved arrangements.

2.36 The department’s approach to assessing risk varies across each pathway. It agreed to establish a ‘standard approach to risk pathway mapping and decision-making’ in response to a July 2020 Inspector-General of Biosecurity recommendation³⁸, but this had not commenced as at February 2021.

2.37 The ANAO examined the department’s approach to each of these pathways, with the results detailed below. The department does not assess the likelihood of non-compliance in the cargo pathway, with only the consequences of non-compliance assessed. The processes for travellers, mail, conveyances and approved arrangements were partially appropriate but had key limitations to their ability to accurately identify risks.

Cargo

2.38 The department’s process for assessing risk in the cargo pathway does not consider the likelihood of non-compliance by different entities. The department does, however, assess whether correctly declared cargo may be associated with a higher risk of pests and diseases, by examining whether import declarations specify goods of potential biosecurity concern.³⁹

2.39 The absence of a process to assess the likelihood of non-compliance for cargo is despite a departmental intelligence report noting in 2020 that non-compliance such as product substitution and fraudulent documentation ‘are enduring vulnerabilities of the cargo import pathway’. Without such a process, Australia is vulnerable to the entry of pests or diseases through non-compliant cargo.

2.40 The department has commenced projects to better assess risk in the cargo pathway. These projects have either not yet been completed or apply only to specific areas of the cargo pathway.

• Two initiatives have been implemented to identify importers with a history of compliance.⁴⁰ These initiatives do not apply to all goods⁴¹ and only apply where cargo would otherwise be subject to mandatory intervention.
• A project was commenced in 2018 to quantify the level of risk associated with 16 different types of goods, and to address ‘critical policy application issues’ including the absence of a ‘defined risk tolerance policy or approach’. This project ceased after assessing the risk associated with one good. No actions were taken in response to that assessment.
• A pilot of machine learning algorithms in 2020 indicated that they could more accurately predict non-compliance than current techniques.⁴² The department is planning to implement this approach more broadly across the cargo pathway.
• A project is underway to identify cargo types with a low risk of non-compliance, allowing activities to be better targeted at risk. However, the progress of this project has been hindered by data quality issues preventing accurate risk identification.

Travellers

2.41 There is no established process to assess risk for sea travellers.⁴³

2.42 Air traveller risk assessment is conducted through statistical analysis of the frequency that air travellers have been found to have undeclared high-risk goods against four characteristics (citizenship, age, gender, flight number). Risk assessment is used to compare travellers within each individual flight, and to compare the risk of different flights within each airport.

2.43 The department does not analyse the comparative risk posed by travellers at different airports, to enable it to target efforts at airports associated with higher risk travellers. In addition, while traveller risk assessments have been reviewed periodically, the department has not yet completed a policy for when risk assessments should be reviewed to ensure they remain current.

2.44 The accuracy of the risk assessment is limited by the department’s inability to access additional data held by Home Affairs (paragraph 2.14).⁴⁴ Departmental documentation notes that ‘due to limited data sets, [risk assessments] are broad and a large number of compliant travellers are intervened with unnecessarily whilst high risk travellers may be missed’, and that prioritising inspection according to the assessment will perform ‘slightly better than random selection’.

Mail

2.45 The department assesses risk in the mail pathway by analysing data on the frequency that mail has been found to contain high risk goods against three characteristics (gateway, country of origin, mail class). This analysis is used to identify which groups of individual mail items are higher risk. It can also provide information on which mail centres pose a higher level of risk.

2.46 The department plans to review its mail risk assessments annually, with reviews having been completed in 2016, 2017, twice in 2019⁴⁵, and 2020. These risk assessments do not include letter-class mail, with separate reviews in 2011, 2015, and 2020 finding that letters posed a lower risk compared to other mail classes.

2.47 The accuracy of mail risk assessment is impacted by variations in mail volume estimates. Information from Australia Post on total mail volumes is used to calculate the expected probability of non-compliance. Large variations between the department’s and Australia Post’s mail volume estimates⁴⁶ in 2016–17 and 2017–18 resulted in a number of groups with high rates of undeclared biosecurity risk material not being assessed.⁴⁷

2.48 The department took action to improve mail volume data in 2017, but variations have since increased. Departmental mail volume estimates were 16.5 million (21.2 per cent) greater than Australia Post’s in 2020.⁴⁸

2.49 The department’s inability to use data from customs declarations held by Home Affairs (see paragraph 2.14) further limits the accuracy of the assessment.⁴⁹ A 2017 document noted that the inability to use customs data to enable informed and precise risk assessment places the department ‘…behind most developed nations’. While the impacts of not using this data have been identified, the department has not yet been able to use it for risk assessment.⁵⁰

Conveyances

2.50 The risk of commercial sea vessels is assessed using an automated risk assessment program. The assessment is based on a range of inputs, including the pre-arrival reporting of the vessel, vessel characteristics, and the vessel’s history (including compliance history). This program generates a risk rating and ranks each vessel in a port. It does not allow the department to identify the level of risk posed by different ports.

2.51 The department has not reviewed the risk assessment program to ensure it is still targeted at areas of highest risk since implementation in 2016, despite agreeing to do so in response to an internal audit recommendation in 2018. The department closed this recommendation without completing the review, noting that it considers a review should be undertaken in 2021.⁵¹

2.52 There is no process to assess, review or target biosecurity risk for non-commercial vessels and commercial or non-commercial aircraft. The department agreed to a recommendation to establish such a process for non-commercial vessels in response to a 2018 internal audit. The department also closed this recommendation, despite it not being completed.

Approved arrangements

2.53 Once arrangements⁵² are approved, the department assesses them to be one of two risk levels⁵³, based on the compliance history of the arrangement and whether the arrangement has been recently established or changed. Other factors, such as the potential consequences of non-compliance or the compliance history of the arrangement’s industry, are not considered.⁵⁴

2.54 The department committed to considering additional risk factors as part of a review of its risk framework for approved arrangements, in response to a recommendation from the Inspector-General of Biosecurity in 2019.⁵⁵ The department was unable to provide evidence that this work has been undertaken, despite closing the recommendation.

Is compliance management supported by appropriate plans?

2.56 Establishing and implementing appropriate plans supports regulators to deliver a regulatory approach that achieves desired outcomes. Effective planning and implementation is particularly important to guide the biosecurity reforms that have been identified as necessary to maintain Australia’s pest and disease status into the future (see paragraph 1.10). This includes plans to establish the general approach to regulating biosecurity, as well as specific project plans to reform individual elements of the biosecurity system.

Planning framework

2.57 Following the commencement of the Biosecurity Act 2015 (the Act), the department began developing a planning framework to guide its regulation. This included a policy statement (the Biosecurity Compliance Statement 2016) to outline its regulatory approach, a strategy to establish its long-term direction, and an annual biosecurity plan to establish yearly focuses. The current status of each is included below (Table 2.2).

Table 2.2: Implementation of biosecurity planning and strategy framework

Legend: ◆ Implemented and updated; ▲ Implemented but not updated; ■ Not implemented

Note a: Department of Agriculture and Water Resources, Biosecurity Compliance Statement [internet], 2016, available from https://www.agriculture.gov.au/biosecurity/legislation/compliance/biosecurity-compliance-statement [accessed 12 January 2021].

Note b: The department published Commonwealth Biosecurity 2030 on 26 May 2021, which is intended to establish a strategic roadmap for biosecurity. As this occurred after the conclusion of audit fieldwork, it was not examined as part of the audit; Department of Agriculture, Water and the Environment, Commonwealth Biosecurity 2030 [internet], 2021, available from https://www.agriculture.gov.au/sites/default/files/documents/commonwealth-biosecurity-2030.pdf [accessed 1 June 2021].

Note c: Department of Agriculture and Water Resources, Biosecurity Compliance Plan 2016–17 [internet], 2017, available from https://www.agriculture.gov.au/biosecurity/legislation/compliance/biosecurity-compliance-plan [accessed 12 January 2021].

Note d: For example, since the publication of the plan, the department has implemented a new reporting system for non-commercial sea vessels, implemented a system to reduce inspections for highly compliant cargo importers, and increased penalties for non-compliant entities, including visa cancellations. In addition, international trade and travel patterns have altered significantly following the outbreak of COVID-19.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

2.58 Without a current plan or strategy to guide its biosecurity regulation, there is a risk that the department’s activities are not coordinated in way that will achieve agreed biosecurity outcomes. This has been noted by the department, with internal documents stating that the absence of a biosecurity strategy inhibits the ‘realisation of a stronger biosecurity system’.

Individual reform plans

Implementation of the biosecurity legislative framework

2.60 The ANAO previously examined the early implementation of the Biosecurity Act 2015 and found that the arrangements established up to that point effectively supported the implementation of the legislative framework in accordance with legislative timeframes.⁵⁶ However, the department is unable to demonstrate that some subsequent activities necessary to ‘achieve the benefits of implementing the Biosecurity Act’ have been completed.

2.61 The final stage of the biosecurity legislation implementation program⁵⁷, intended to complete the remaining deliverables, was not formally undertaken. Instead, four projects of uncompleted work were transitioned to business as usual⁵⁸, despite the final program overview report noting that the status of the program was ‘at risk’ and ‘close monitoring of the risks and issues highlighted in the report [is] required’. The ANAO identified the following issues with the oversight of these activities under business as usual.

• A review that was intended to verify that all deliverables had been accepted by business-as-usual owners did not verify the acceptance of the deliverables.
• Departmental documents do not demonstrate whether intended activities have been fully completed for three of the four projects transitioned to business-as-usual.⁵⁹

2.62 In addition, planned reporting was not completed. From a framework of seven performance measures designed to assess whether the benefits of the legislation had been realised, five were determined to require ongoing reporting following the transition to business-as-usual as their benefits were yet to be realised.⁶⁰ The department was unable to provide evidence of this reporting, despite agreeing to the recommendation to implement the framework in the previous ANAO audit.⁶¹ Specific measures relating to the use of regulatory tools are discussed further in paragraphs 4.71–4.72.

System developments

2.63 The department has commenced a range of information system developments to address identified issues that prevented systems from supporting a risk-based operating environment. These include: inefficient business processes; poor quality data and unlinked systems limiting the ability to extract and analyse information; inability to share and aggregate data with states and territories to confirm pest and disease statuses; and an inability to manage some critical biosecurity functions (such as monitoring off-shore threats). See paragraphs 2.18–2.20, 3.50–3.51 and 4.10–4.14 for more information on identified system deficiencies.

2.64 The primary system development project was the Biosecurity Integrated Information System (BIIS) program. The program commenced in 2016 and received $30.9 million in funding. It included the development of a single integrated workflow solution to replace a range of existing biosecurity import systems and allow staff to operate through a single interface when conducting biosecurity activities, such as scheduling, undertaking, and recording results of inspections and audits of travellers, mail, cargo and approved arrangements.

2.65 The BIIS program, which was scheduled to be completed by January 2020, has been allocated $26 million more than the original funding amount to 2020–21 and is not yet completed, with only partial delivery of intended benefits (see paragraphs 3.51 and 4.12). Deliverables have been changed and no longer meet some identified needs from the business case, including development of a single integrated biosecurity import system with a single interface (described as ‘imperative’ in the business case), with key systems no longer included.⁶² Departmental reporting does not clearly demonstrate when these changes were documented or approved by senior officials, or clearly outline what business requirements had changed.

2.66 The department has commenced a range of other system development projects, some of which include deliverables originally in-scope for the BIIS program. The ANAO identified a range of issues with reporting and documentation for the BIIS program and other system development projects that may limit their ability to deliver intended benefits, including:

• regular changes in scope, time, and cost;
• deficiencies in reporting against scope, time and cost⁶³;
• a lack of reporting on alignment and achievement of originally intended benefits, including potential impacts on original benefits due to changes in scope; and
• limited evidence of action in response to risks with high ratings or requiring urgent action.

2.67 In addition, there is no overarching development strategy or system architecture. Without this, there is a lack of evidence of coordination and prioritisation to target projects at areas of greatest need, avoid duplication, leverage off other projects, and maximise collective benefits.

Have appropriate arrangements been established with partner agencies?

2.69 The department’s management of biosecurity interacts with and relies on a number of other agencies. Key agencies for the regulation of biosecurity are outlined below.

• Home Affairs — responsible for international goods and entities entering Australia.
• Department of Health (Health) — responsible for human biosecurity policy.
• Australia Post — responsible for international mail.
• State and territory biosecurity agencies — responsible for biosecurity within their borders.

2.70 Establishing formal agreements, communication arrangements, and arrangements for managing shared risks will support the maximisation of benefits with other agencies.

Formal agreements

2.71 Formal agreements with other agencies, such as memoranda of understanding, play a key role in establishing and clarifying how agencies work together. The department has established agreements with all key agencies.

2.72 Agreements with partner agencies appropriately specify the roles and responsibilities of each agency. Some agreements have not been reviewed within specified timeframes, or do not include a schedule for review.⁶⁴ Notably, an agreement between Australia Post, Home Affairs and the department regarding international mail has not been updated since 2009, despite substantial change in the mail pathway⁶⁵ and the commencement of the Biosecurity Act 2015.

2.73 Reviewing and updating arrangements would provide greater assurance that agreements with partner agencies remain current and effectively support biosecurity interactions.

Communication arrangements

2.74 Effective communication arrangements support agencies to receive relevant information, and coordinate with and benefit from activities undertaken by each other.

2.75 The department commits to the sharing of information in all agreements with key agencies. Information is shared on request with Commonwealth agencies about individual issues (see paragraphs 2.13–2.17). While the department informed the ANAO it shares information with states and territories, it was unable to provide evidence.

2.76 The department has established ongoing arrangements to meet with all key agencies. Records of these meetings document: collaboration on issues and initiatives; information sharing and updates on work that may affect other agencies; the resolution of issues between agencies; and planning to align future work and deliver mutual benefits.

Shared risks

2.77 Shared risks are risks that are common to multiple agencies, which must be mitigated to enable each agency to discharge its responsibilities. The Commonwealth Risk Management Policy requires agencies to implement arrangements to understand and contribute to the management of shared risks.⁶⁶

2.78 Shared risks may arise through entities or goods that pose a plant or animal biosecurity risk (shared with the states and territories) as well as a human biosecurity risk (shared with Health) or a risk to border security (shared with Home Affairs).

2.79 The department does not have established arrangements to assess or manage shared risks relating to its regulation of biosecurity. Agreements with other agencies do not identify shared risks or specify how they are to be managed.

2.80 Understanding and managing shared risk is important for effective program design and implementation.⁶⁷ The framework to assess and manage risk across the biosecurity system outlined in Recommendation no.2 (paragraph 2.55) should include arrangements to assess and document risks shared with other agencies and the controls in place for those risks.

Has an appropriate performance framework been established?

2.81 A key element of regulatory governance is the establishment of an appropriate performance framework that provides information about whether the regulator is achieving its intended results. This should include external performance measures to provide information about the achievement of its purpose to Parliament and other stakeholders, and internal performance measures to inform officials about the effectiveness of their regulatory approach.

External performance information

Commonwealth performance framework

2.82 The Commonwealth performance framework requires entities to establish, as part of their annual corporate plans, their purpose and performance measures to measure their performance in achieving that purpose.⁶⁸ Results against these measures are required to be provided in their annual performance statements, to provide accountability to the Parliament and public.

2.83 The department’s 2020–21 corporate plan separates its purpose⁶⁹ into five different objectives, one of which focuses on biosecurity (manage biosecurity risks to Australian agriculture, the environment and our way of life).⁷⁰ Three performance measures are established under this objective, relating to meeting regulatory timeframes, compliance rates, and the development of further performance measures.⁷¹ The ANAO assessed these measures against the requirements established in the Commonwealth performance framework and accompanying guidance.⁷²

2.84 While one measure provided information about compliance rates for two of the five biosecurity pathways, the measures do not facilitate a full assessment of the department’s effectiveness in managing biosecurity risk. The measures do not provide efficiency information. These limitations prevent the performance measures from accomplishing their aim of providing information about the achievement of the department’s purposes⁷³ or about the achievement of the objectives of the Biosecurity Act 2015.

2.85 In addition, the measures only partially met the requirements of relating to the department’s objective, or being reliable, verifiable, and unbiased. The primary limitations were a lack of information about what would be measured and the inclusion of activities not related to the biosecurity objective (such as export activities, logging, and water efficiency). The measures also did not meet the requirement of containing qualitative as well as quantitative information, but did meet the requirement of enabling an assessment of performance over time.

2.86 The department is aware of the absence of information on the effectiveness of its biosecurity regulation, with a 2019 report noting that there is ‘no broader assessment of whether the regulatory systems are delivering the outcomes intended’. To address this issue, the department has committed to develop a performance framework to assess the outcomes of the national biosecurity system.⁷⁴ In June 2020, a Centre of Excellence for Biosecurity Risk Analysis (CEBRA) report delivered a set of potential measures for the national biosecurity performance framework.⁷⁵ A full national biosecurity performance framework based on these measures is intended to be developed by mid-2021.⁷⁶

Regulator performance framework

2.87 The regulator performance framework, released in October 2014, requires Commonwealth regulators to publish annual self-assessments on their performance against six performance indicators.⁷⁷ These indicators are designed to encourage regulators to take a risk-based approach that minimises impact on regulated entities, and do not assess the achievement of regulatory outcomes (as per the Commonwealth performance framework, above). As at March 2021, the department has released self-assessments for each year from 2015–16 to 2018–19.

2.88 The ANAO examined the department’s 2018–19 self-assessment of its biosecurity regulation, and found it did not enable a reliable assessment of regulatory performance. Performance targets used vague language that did not enable an objective assessment of their achievement, and it was unclear how achievement against the targets was to be measured.⁷⁸ Reporting against the targets was not reliable, as it only involved descriptions of activities taken by the department. The Inspector-General of Biosecurity has discussed the reliability of the assessment, stating it was ‘substantially inconsistent with … industry feedback’.⁷⁹

Internal performance information

2.89 Internal monitoring of performance using well-defined measures can be a valuable source of information for a regulator on its strategies and areas for improvement.

2.90 The department does not have formalised internal performance measures on the effectiveness or efficiency of its overall regulation of biosecurity. While there are measures or management-level reporting for individual pathways (discussed below), these are often incomplete or disjointed. This limits their ability to facilitate a view of the effectiveness or efficiency of the regulation of biosecurity as a whole.

2.91 For the individual pathways of cargo, conveyances and approved arrangements, there are no performance measures, despite CEBRA developing potential measures for those pathways in 2016.⁸⁰ There are reporting arrangements for management-level information, such as the number of inspections undertaken and non-compliance rates. This reporting, while potentially a useful input for decision-makers, does not facilitate a full assessment of the department’s effectiveness in managing the risk of pests and diseases entering Australia through those pathways.

2.92 Performance measures have been established for the traveller and mail pathways (including compliance levels before and after passing through biosecurity control). However, the measures lack targets, and departmental documents indicate that they are not used to inform the department’s regulation. For example, a 2018 internal audit found that mail performance measures ‘do not support the assessment or improvement of operations’. The department was unable to demonstrate any use of the measures to inform changes to its regulatory approach.

4.1 As outlined in Table 1.1, the department responds to non-compliance with biosecurity requirements across multiple pathways through which pests and diseases may enter Australia. This includes cargo, travellers, mail, conveyances and approved arrangements.

4.2 The Biosecurity Act 2015 (the Act) provided an expanded range of regulatory tools for responding to non-compliance. Effective use of these tools is necessary to deter non-compliant behaviour and maintain Australia’s biosecurity status.

4.3 The regulatory tools available to respond to non-compliance¹³¹ include monitoring and investigation powers, engagement and education (letters of warning and advice), administrative actions (varying, suspending or revoking permissions and approvals)¹³², civil sanctions (infringement notices, civil penalty proceedings, enforceable undertakings, and injunctions), and criminal sanctions via referral to the Commonwealth Director of Public Prosecutions¹³³ (CDPP).

4.4 To assess whether the department’s use of regulatory tools in response to non-compliance with biosecurity requirements is effective, the ANAO examined whether:

• appropriate systems and procedures are in place to support the use of regulatory tools;
• actions taken in response to non-compliance are timely and proportionate to risk;
• the use of regulatory tools is consistent with legislative and procedural requirements;
• actions in response to non-compliance are effective at managing biosecurity risks; and
• the use of regulatory tools has been evaluated.

Are appropriate procedures and systems in place to support the use of regulatory tools?

4.5 Establishing appropriate procedures and systems helps ensure regulatory tools: are able to be used as intended; achieve desired outcomes; and are used in a legally sound and defensible manner. This includes implementing policies, procedures and supporting documentation, establishing appropriate information systems, ensuring staff are appropriately trained and qualified, and ensuring regulatory powers have been legally delegated to officials.

Policies, procedures and supporting documentation

4.6 Where policies, procedures and supporting documentation have been developed, they are largely clear in defining roles and responsibilities, and provide largely sufficient guidance to support staff in the use of regulatory tools under the Act.

4.7 However, the department has not established policies, procedures and supporting documentation to support the use of all of the regulatory tools available (Table 4.1). Finalised documentation relates primarily to the use of infringement notices with air travellers and the conduct of investigations. This limits the ability to effectively apply other regulatory tools.

Table 4.1: Policies, procedures and supporting documentation for regulatory tools

Legend: ◆ Fully implemented; ▲ Partially implemented; ■ Not implemented

Note a: Completed supporting documentation includes matrices for determining what evidence is required to support an infringement notice under different provisions of the Act.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

4.8 Similar gaps in policies, procedures and supporting documentation for the use of regulatory tools have been identified by the Inspector-General of Biosecurity. The Inspector-General has made a number of recommendations, including:

• in August 2019 — to develop more effective policies, processes and instructional material to manage critical non-compliance at an approved arrangement, including clarifying processes for suspension or revocation of its approval, contingency response plans for such eventualities, and timely sanctions for less serious non-compliance¹³⁴; and
• in July 2020 — to develop an operational policy framework to issue infringement notices and civil penalties for non-compliance relating to imported goods.¹³⁵

4.9 As at March 2021, implementation of these recommendations has not been completed.

Information systems

4.10 The department utilises a range of information systems to support the use of regulatory tools.

4.11 Many of the systems used to support the use of regulatory tools are the same as those used in detection activities. As noted in paragraph 3.50, multiple reviews and documents have identified shortcomings in these systems, which also extend to their ability to support the use of regulatory tools. For example, the business case for the Biosecurity Integrated Information System (BIIS; paragraphs 2.64–2.65) noted that current systems do not ‘reliably document decisions and regulatory roles exercised by officers’.

4.12 The management of approved arrangements currently uses a number of systems that do not integrate. This prevents a clear view of all details of an approved arrangement, including past legislative and administrative decisions, limiting staff’s ability to understand the behaviour of non-compliant entities. This was intended to be addressed by the BIIS program through the development of an end-to-end workflow system by October 2019.¹³⁶ As at March 2021 these enhancements are not yet complete.

4.13 The department has identified that staff are not appropriately trained and supported to effectively use its investigation management system. A 2019 survey found that it is ‘not an understood system and only a small part of its functionality is used’, and that ‘the lack of formal training falls short of the requirements set out in the [Australian Government Investigations Standards]’.¹³⁷ The survey report recommended the development of instructional material and training. Instructional material has been completed, while training modules remain in development.

4.14 In addition, appropriate systems have not yet been implemented for some key activities. For example, the department uses intranet sites¹³⁸ to record and triage identified non-compliance, manage corrective action requests for approved arrangements, and to manage infringement notices issued to travellers. These sites do not integrate with other systems, require manual re-entry of data stored elsewhere (this has resulted in some information not being entered in the site that records identified non-compliance), and do not have appropriate controls to ensure data accuracy.

Training and qualifications for the use of regulatory tools

4.15 The department has established and documented training and qualification requirements to support staff to effectively use regulatory tools under the Act.

Qualifications

4.16 The department has determined that all staff involved in undertaking investigation and enforcement activities in response to non-compliance are required to meet the qualification requirements established in the Australian Government Investigations Standards.¹³⁹ It also requires additional qualifications for other roles, including a Certificate IV or Diploma of Intelligence for staff who use intelligence to support investigation activities.

4.17 Departmental documentation indicates that all investigators hold required qualifications or appropriate equivalents. However, only one of six officers involved in using intelligence to support investigation activities could provide evidence of an intelligence-related qualification.

Training

4.18 Biosecurity and biosecurity enforcement officers are required under the Act to complete two training modules (or their equivalent). Identified issues with records of completion of this training are discussed in paragraph 3.53.

4.19 As actions taken in response to non-compliance for travellers are typically delivered on the spot by operational staff outside of the central investigation and enforcement area of the department, the department has established specific training for these activities. This includes training for issuing infringement notices and managing non-compliance.

4.20 The department also delivered a series of training sessions in 2019 and 2020 to support the introduction of new visa cancellation grounds for contravention of the Act (paragraph 4.37). It included example scenarios and guidance to support staff in referring non-compliant travellers who met specified criteria to the Department of Home Affairs (Home Affairs) for visa cancellation.¹⁴⁰

Delegations

4.21 Under the Biosecurity Act 2015 and Regulatory Powers (Standard Provisions) Act 2014¹⁴¹, some powers given to the Minister or the Director of Biosecurity to manage biosecurity non-compliance can be delegated to other officials. Establishing effective arrangements to manage delegations helps ensure officials do not exercise powers they have not been delegated.

4.22 From the introduction of the Biosecurity Act 2015 until February 2020, internal records indicate the department did not effectively manage delegations for biosecurity officers and biosecurity enforcement officers. This resulted in powers being exercised without the correct delegation, with records indicating 12 per cent of infringement notices were issued by staff without the correct delegation. Key issues included that:

• delegations under the Biosecurity Act 2015 were assigned to departmental positions¹⁴², while delegations under the Regulatory Powers (Standard Provisions) Act 2014 were assigned to individual officers¹⁴³ — this often resulted in staff in an acting role or who had moved between positions not possessing the correct delegations for their role; and
• the system used to record delegations was subject to a time lag, resulting in staff being presented with out-of-date information.

4.23 Following a 2019 review that found the delegations system did not adequately manage the risk of powers being exercised without a valid delegation, a new delegations framework was implemented in February 2020. This framework aligned delegations under the Biosecurity Act 2015 with individual officers rather than positions and removed the need for a specialised system.

Are actions taken in response to non-compliance timely and proportionate to risk?

4.24 Responses to identified non-compliance should be timely to deter future non-compliance and proportionate to risk to ensure resources are expended on the highest risks and act as a sufficient deterrent. This can be facilitated by establishing an appropriate process to triage and prioritise actions and applying different regulatory tools based on the nature of the non-compliance.

4.25 The department’s biosecurity compliance statement states that its compliance posture is dependent on entity behaviour. This ranges from supporting clients who voluntarily comply, to using the full force of the law to deal with deliberate non-compliance.¹⁴⁴

Triage and prioritisation

4.26 Documented processes to prioritise and establish when regulatory tools should be used support a response to non-compliance that is consistent, timely and proportionate to risk.

4.27 The department has established a process to assess each reported non-compliance and allocate it to an appropriate area for further action. Each reported non-compliance is assigned a priority, which determines how quickly it will be processed. It is also assigned a ‘harm’ score, but procedural guidance does not specify how this should inform the regulatory response. The department has identified scope for further improvement in this triage process, commencing work on a triage and escalation framework in 2020.

4.28 Where non-compliance is referred for further investigation, there is an additional process for its assessment and prioritisation. This process identifies and categorises the level of risk, determines whether further investigation is required, assigns a priority rating, and determines what response may be appropriate.

Use of the range of available regulatory tools

4.29 There are a range of regulatory tools available under the Act to respond to non-compliance. These tools were intended to provide options to ensure that penalties are in proportion to the offence.¹⁴⁵ However, the department has not used all available tools (Table 4.2), limiting its ability to tailor its responses to the level of risk.

Table 4.2: Use of available regulatory tools in relation to non-compliance

Legend: ◆ Used; ▲ Used in some pathways; ■ Not used

Note a: The department’s policy for approved arrangements allows for an approved arrangement holder to request a suspension or revocation of an approved arrangement. These have not been considered as part of this audit as they do not typically apply to instances of non-compliance.

Note b: Not all permit suspensions and revocations are associated with non-compliance.

Note c: Biosecurity officers must demonstrate (that the officer formed the belief on reasonable grounds) that a traveller knowingly provided false or misleading information when an infringement notice is issued for alleged contravention of subsection 532(1) or subsection 533(1) of the Biosecurity Act 2015.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

Funding to expand the use of regulatory tools

4.30 The department received $28 million over four years from 2018–19 to invest in targeted assurance, verification and enforcement activities. Amongst other things, major deliverables of the funding included expanding the use of infringement notices, and exploring the use of civil penalty proceedings, enforceable undertakings and injunctions. The department was unable to confirm how much funding was allocated to these specific deliverables.

4.31 The department provided regular reporting on its progress to the Minister for Agriculture and Water Resources between January 2018 and March 2019. In the first update to the Minister, the department stated it had commenced development of an enterprise wide policy to govern the use of civil penalties, enforceable undertakings and injunctions. No further progress was noted in the reporting. This policy was finalised in March 2021.

4.32 In October 2018, the department advised the Minister that infringement notices had been made operational in the cargo environment and would be expanded into the mail environment. As at January 2021, no infringement notices have been issued for cargo and mail.

Actions in air traveller and approved arrangement pathways

4.33 While most regulatory responses are determined by a central non-compliance and enforcement area, the traveller and approved arrangement pathways have separate arrangements. The ANAO examined the timeliness and proportionality of actions in those pathways.

Air travellers

4.34 The department has established an infringement notice scheme for air travellers, where biosecurity officers may issue infringement notices on the spot.

4.35 Actions taken in response to non-compliance by travellers are mostly timely, as infringement notices are required to be paid prior to leaving the airport, unless an extension is granted. Approximately eight per cent of infringement notices are not paid prior to leaving the airport.¹⁴⁶ Paragraph 4.50 provides more information on the department’s approach to managing unpaid infringement notices.

4.36 The proportionality of actions in response to traveller non-compliance has been supported by an amendment to the Act that allows for different penalty amounts to be specified in infringement notices for goods that pose a high level of risk.¹⁴⁷ Prior to 1 January 2021, all infringement notices were set at two penalty units (the equivalent of $444), but may now be up to 12 penalty units ($2664).¹⁴⁸ In January and February 2021, the department reported 11 infringement notices using the increased penalty unit provision.

4.37 In addition, the department has begun referring air travellers to Home Affairs for visa cancellation from October 2019, as noted in paragraph 4.20. The department intends to use this option in response to serious non-compliance, supporting its ability to take actions in proportion to risk. As at March 2021, 33 travellers have been referred, with 14 visas cancelled.

Approved arrangements

4.38 The primary tool for managing biosecurity risks associated with non-compliance at approved arrangements is the corrective action request (CAR).¹⁴⁹ CARs are issued to approved arrangement holders to notify them of non-compliance and provide them with a timeframe for rectification. CARs may be classified as minor, major, critical or non-rated.

4.39 The ANAO examined the timeliness of 39 critical CARs. Under the policy, a critical CAR should be closed within seven days (or 21 days total when the CAR is reissued twice — the maximum allowed under the policy). While the department’s register of CARs is not complete and accurate¹⁵⁰, available records indicate that the CARs were not finalised in a timely manner. For example:

• one case was marked as closed after 284 days — the ANAO was unable to identify documentation to verify this case was appropriately closed; and
• of the 25 cases the ANAO was able to verify were appropriately closed, the longest time taken to close out a request was 69 days, and the average time was 23 days.

4.40 If there is a critical non-compliance, or more than a specified amount of minor or major non-compliances, the arrangement is to be audited at an increased rate (paragraph 3.31).¹⁵¹ Where a critical non-compliance is assessed, the department may request an arrangement holder to show cause¹⁵² why the arrangement should not be suspended or revoked. This may also occur where three successive CARs are issued for the same non-compliance.

4.41 As the department does not currently have a system which provides for end-to-end management of approved arrangements, the ANAO was unable to determine the extent to which show cause processes have been pursued. The Inspector-General of Biosecurity has commented on delays in issuing show-cause notices for non-compliance to approved arrangement sites.

Fit and proper person test

4.42 Under the Act, the department must consider whether a person or entity is a fit and proper person when considering whether to approve or vary an arrangement. This requires a specific test under the Act. The department also has the ability to cancel or suspend approved arrangements if satisfied the arrangement holder is no longer a fit and proper person.¹⁵³

4.43 While fit and proper person tests have been used in response to some instances of non-compliance by existing arrangements, the department informed the ANAO that they are primarily conducted when considering applications for new or varied arrangements. There is no policy for how and when fit and proper person tests should be used in response to non-compliance, limiting the assurance that they are used in a way that is effective and proportionate to risk.

Is the use of regulatory tools consistent with legislative and procedural requirements?

4.44 The department must ensure that its use of regulatory tools is consistent with legislative and procedural requirements. Failure to use regulatory tools in accordance with legislative and procedural requirements may result in legally invalid sanctions and weaken the department’s reputation as a regulator.

4.45 The ANAO examined whether administrative actions, civil sanctions and criminal sanctions under the Act have been issued in accordance with legislative and procedural requirements.

Administrative actions

4.46 Use of administrative actions (such as varying, suspending or revoking approved arrangements and permits) is limited by a lack of compliance with procedural and legislative requirements leading up to a potential administrative action, including when collecting evidence.

4.47 In March 2020, the department reviewed all show cause processes undertaken for approved arrangements since the introduction of the Act. Of the 100 cases, 47 resulted in a notice of intention or notice of decision to suspend or revoke an approved arrangement being issued. Of those 53 cases that did not progress to a notice of intention or decision, the department reported issues with supporting documentation, including lack of evidence and ambiguous conditions. The department has not undertaken any work in response to this review.

Civil sanctions

4.48 As noted in Table 4.2, the only civil sanctions that have been used are infringement notices for air travellers.

4.49 In 2017 and 2018, the department undertook a review of infringement notices issued in airports, identifying a number of infringement notices that were issued incorrectly. Identified issues included notices issued without the correct delegation (see paragraph 4.22) and with insufficient supporting evidence on file. The department identified 917 notices that were unable to be rectified, which represented 14 per cent of infringement notices issued to date.¹⁵⁴ This resulted in refunds for 865 paid notices to the value of $322,000.

4.50 These issues have also been identified by the department when attempting to identify unpaid infringement notices for potential civil penalty proceedings (see Table 4.2). Several issues with the notices such as not having demonstrated intentional non-compliance¹⁵⁵, incorrect or incomplete evidence and incorrect delegations have been noted as preventing these cases from progressing to litigation.

4.51 The department has commenced a process to manually check each infringement notice for administrative errors, such as incomplete notes or incorrect delegations, and to rectify these errors where possible. The proportion of errors identified following the introduction of the checking process has been reported to have reduced.

4.52 While the number of issued infringement notices has reduced since the Australian border closed in response to the COVID-19 pandemic, the department has identified that this approach to validating each issued infringement notice will not be sustainable as traveller volumes increase in the future. The department could ensure staff are supported and trained to appropriately issue infringement notices so that a less resource intensive quality assurance process is required.

Criminal sanctions

4.53 To determine whether investigations supporting criminal sanctions are conducted in compliance with procedural guidance and the Australian Government Investigations Standards, the department has established an annual audit and verification process.¹⁵⁶ Audits were not completed during 2015–16 and 2016–17. The department has since completed the outstanding audits for the 2015–16 and 2016–17 periods, as well as those for 2017–18 and 2018–19.

4.54 The audit and verification process identified ‘minor issues’ relating to compliance with procedural requirements, such as record keeping not consistent with procedures.¹⁵⁷ In most instances, records and relevant information could be identified in supplementary documentation or email records.

4.55 Accurate and complete record keeping is necessary to ensure that the department can effectively use its available regulatory tools. The department should continue to reinforce the importance of robust record keeping relating to investigations, and ensure quality assurance activities are regularly conducted.

Are actions taken in response to non-compliance effective at managing biosecurity risks?

4.56 Regulatory tools should support the management of biosecurity risks by minimising impacts from non-compliance and preventing future non-compliance.

Education

4.57 The department utilises letters of warning and advice, and notices (for air travellers) as part of its education activities. In 2017, the department reviewed the use of warning letters in the cargo pathway for non-compliance issues assessed as inadvertent or opportunistic.

4.58 Departmental documentation indicates that the review was unable to form a clear picture of the effectiveness of warning letters at changing recipients’ compliance behaviour. This was primarily due to a lack of inspections to determine ongoing compliance after warning letters had been issued.

4.59 The review found two cargo supply chains with a greater proportion of non-compliant than compliant inspection findings after a warning letter was issued. As such, in these two cases the warning letters were found to be not effective at influencing behaviour change.

4.60 The effectiveness of educational tools in other pathways has not been reviewed.

Administrative actions

4.61 As noted in paragraphs 4.39 and 4.46–4.47, issues have been identified with the department’s timeliness and ability to progress administrative actions in response to non-compliance at approved arrangements (including show cause, revocation, and suspension of arrangements). As approved arrangements continue to operate until administrative action is finalised, this limits the department’s ability to manage the risk of non-compliance.

4.62 Similarly, the Inspector-General of Biosecurity noted in 2019 that the processes for applying administrative sanctions appear time consuming and weighted to the management of legal risks to the department rather than biosecurity risks.¹⁵⁸

4.63 Issues with departmental systems (paragraph 4.12) prevent a complete analysis of the impact of administrative actions on non-compliance rates in approved arrangements. However, there is evidence of approved arrangements not complying with requirements for extended periods, despite departmental action. Case study 1 examines an approved arrangement where a number of critical and other non-compliance risks were identified over a 20-month period.

4.64 In respect of administrative actions taken to vary, suspend or revoke import permits, there is limited evidence regarding their effectiveness. Without policies or procedures to establish how these actions should be used in response to non-compliance (Table 4.1), there is limited assurance they are being used in a way that effectively manages biosecurity risk.

Civil sanctions

4.65 The number of infringement notices reported as issued to air travellers has increased each year since the introduction of the Act (Figure 4.1). In July 2020, the department stated that it was on track to issue more than double the number of infringement notices in 2019–20 compared to 2018–19, prior to the introduction of travel restrictions in response to COVID-19.¹⁵⁹

Figure 4.1: Number of infringement notices issued in airports

Note a: The Biosecurity Act 2015 commenced on 16 June 2016.

Source: ANAO based on Department of Agriculture, Water and the Environment documents.

4.66 The department was not able to provide any evidence that demonstrates the impact of infringement notices on overall traveller compliance rates. This is despite the department having noted that traveller behaviour is shifting from inadvertent to deliberate non-compliance. Departmental estimates also indicate that overall non-compliance rates for air travellers have about doubled from 1.2 to 2.6 per cent from 2015–16 to 2019–20.¹⁶⁰

4.67 As the department has not utilised enforceable undertakings, injunctions and civil penalty proceedings, or infringement notices outside of the traveller pathway (Table 4.2), their use has not had an impact on the management of biosecurity risk.

Criminal sanctions

4.68 Since the introduction of the Act, 40 cases referred for prosecution by the department have been finalised. Of those cases, 12 have been withdrawn¹⁶¹, with the remaining 28 reaching a guilty outcome. This indicates that the department is acting consistently with the Prosecution Policy of the Commonwealth, which states that ‘a prosecution should not proceed if there is no reasonable prospect of a conviction being secured’.¹⁶²

4.69 Departmental records indicate that it is not always effective at using criminal sanctions to manage non-compliance. Case study 2 examines an individual who has been prosecuted multiple times and continues to not comply with biosecurity requirements.

Note a: Biosecurity Act 2015, subsection 174(4); An amendment to the Act to address this issue was introduced and passed in March 2021.

Has the use of regulatory tools been evaluated?

4.70 Evaluation is a critical element in establishing accountability for program performance and ensuring ongoing improvement. The ANAO examined the department’s arrangements to monitor and evaluate its use of new regulatory tools under the Act, and the enforceability of its use of regulatory tools.

Use of new regulatory tools under the Act

4.71 As outlined in paragraph 2.62, the department developed a benefit measures framework to outline the intended benefits to be achieved by the implementation of the Act and support evaluation of the effectiveness of the legislation and its implementation.

4.72 The framework included benefit measures relating to the effectiveness of new regulatory tools in supporting the department to deal with biosecurity risks. While these measures were reported against in April 2018, subsequent reporting was not completed. Table 4.3 provides a summary of the measures, their 2018 reported results, and final status.

4.73 While the implementation of regulatory tools under the Act was intended to reduce the costs and regulatory burden on government and entities, the framework did not include any measures to assess this. This is despite the department agreeing to a recommendation in Auditor-General Report No.34 2016–17 Implementation of the Biosecurity Legislative Framework to ensure the framework was effective in assessing the value of the reduction in costs and regulatory burden.¹⁶³

4.74 In 2017, the department commissioned a review that forecast the implementation of the Act to reduce annual compliance costs by $5.5 million — 20 per cent lower than originally estimated.¹⁶⁴

4.75 No other evaluation of the implementation of regulatory tools under the Act has been conducted. As the department has not conducted any other evaluation, or completed all intended reporting of benefits, it is unable to demonstrate that the implementation of new regulatory tools under the Act has been effective in achieving its intended benefits.

Enforceability of regulatory tools

4.76 The department established a taskforce in July 2019 to deliver a capability to utilise the full suite of administrative actions and civil law sanctions available to it. As part of this work, the taskforce reviewed the department’s current use of regulatory tools, focusing on enforceability.

4.77 A report from the review was produced in November 2019. It found that ‘enforceability impediments have prevented the use of desired regulatory responses, including being unable to effectively manage known biosecurity risks, take administrative action or achieve successful criminal prosecutions’. The report made eight recommendations.

4.78 An update was provided to the department’s executive board in September 2020.¹⁶⁵ It included a condensed set of five recommendations made by the taskforce. These were to: develop a departmental policy to support the utilisation of civil sanctions; establish a governance structure with clear roles and responsibilities; develop material to guide the use of civil sanctions; develop an implementation strategy, including education for staff, external messaging and industry engagement; and establish a capability to build future regulatory system enforceability assurance.

4.79 As at March 2021, these recommendations have not been fully implemented. Full implementation of these recommendations, as well as addressing the gaps identified throughout this chapter, is necessary to ensure the department is able to effectively manage biosecurity non-compliance using the full suite of regulatory tools available under the Act.