Audit snapshot

Why did we do this audit?

  • The Department of Parliamentary Services (DPS) supports the work of the Australian Parliament, including providing security, facilities and maintenance for the Parliament House building.
  • From 2014–15, DPS undertook a security upgrade capital works program to improve physical security at Parliament House.

Key facts

  • In 2020–21, DPS had an annual operating budget of $271.6 million and 1,031 staff.
  • In 2014, the National Terrorism Alert Level increased.
  • In October 2014, DPS developed a security upgrade capital works program to improve physical security at Parliament House.

What did we find?

  • The planning and delivery of the security upgrade capital works program at Parliament House by DPS was largely effective.
  • Governance arrangements and planning for the program were largely effective. Program management would have been improved by documenting project management quality assurance processes.
  • Procurement action complied with the Commonwealth Procurement Rules, with gaps identified in the documentation of contractual management arrangements.
  • DPS did not establish effective contract administrative and performance monitoring arrangements. An external assessment of the effectiveness of some components of the capital works program in reducing the physical security risks identified in 2014 commenced in December 2020.

What did we recommend?

  • The Auditor-General made three recommendations to DPS related to the program.
  • DPS agreed with two of the recommendations, and partly agreed to one recommendation.

$2.6bn: value of the Parliament House building as at 30 June 2020.

4700: number of rooms in the Parliament House building.

$145.4m, comprising $126.7m capital funding and $18.7m expense funding for the security upgrade capital works program.

Summary and recommendations

Background

1. The Department of Parliamentary Services (DPS) supports the work of the Australian Parliament, including providing facilities and maintenance for the Australian Parliament House (Parliament House) building. From 2014–15, DPS undertook a security upgrade capital works program (the program) to improve physical security at Parliament House. DPS procured six head contracts and 13 consultancies and other contracts to undertake the works.

2. In the 2014–15 Mid-Year Economic and Fiscal Outlook, DPS was allocated $108.4 million capital funding and $18.7 million expense funding to undertake the program. The House of Representatives and the Senate approved the initial scope of works in March 2015.[1] In April 2015 DPS was planning the program of works in three groups.[2]

  • Group One — secure hardening of several entry points and identified areas of potential vulnerability.
  • Group Two — major enhancements to security infrastructure, including the access control and closed-circuit television (CCTV) systems, and external glass facade.
  • Group Three — further building infrastructure upgrades, subject to additional funding approvals.

3. In the 2016–17 Budget DPS was allocated a further $18.3 million in capital funding over two years for strengthening the main and side skylights. The House of Representatives and the Senate approved further perimeter security works on 1 December 2016. Additional capital funding of $31.7 million over four financial years (2018–19 to 2021–22) was provided in the 2019–20 Budget for DPS to replace the auxiliary power system (emergency generators), and to upgrade the mobile phone antenna. This funding was in addition to the appropriation in 2014–15 that included an emergency generator measure.

4. The program was budgeted to run until 30 June 2018, with a one-year rectification period. Group One works were completed in June 2016 and the defect liability periods ended in June 2017. DPS extended the expected completion timeframe for the remainder of the program covering Group Two works by 12 months to 30 June 2019, and then in 2019 by a further six months to 31 December 2019. In September 2020, DPS reported that the Parliament House security upgrade project reached practical completion in May 2020[3], with minor additions and modifications still underway to fully realise the project’s objectives, and these were expected to be completed by December 2020.[4]

Rationale for undertaking the audit

5. Two reports by the Senate Finance and Public Administration Legislation Committee in 2015 and two performance audits by the ANAO in 2015 and 2016 identified areas for improvement in DPS contract management. The delivery of the security upgrade capital works program was described by DPS as the largest capital works since the construction of Parliament House. This audit was included as a potential audit in the ANAO’s 2019–20 annual audit work program. On 14 November 2019, Senator Kimberley Kitching wrote to the Auditor-General raising specific concerns with the contract management of the program.[5] Given the Parliamentary interest, this audit was undertaken to assess the effectiveness of the DPS planning and delivery of the security upgrade capital works program.

Audit objective and criteria

6. The objective of the audit was to examine the effectiveness of planning and delivery of the security upgrade capital works program at Parliament House by DPS. To form a conclusion against this objective, the ANAO adopted the following high-level criteria:

  • Did DPS effectively govern and plan the security works program?
  • Did DPS effectively procure service providers to deliver the security works program?
  • Did DPS effectively implement the security works program and control security risks?

7. The audit did not examine the Group Three auxiliary power system (emergency generators) project as works were underway, other capital works undertaken by DPS, building or asset maintenance, or other aspects of security at Parliament House — such as cyber security, or the operation of the Parliamentary Security Service.

Conclusion

8. The planning and delivery of the security upgrade capital works program at Parliament House by DPS was largely effective.

9. Governance arrangements and planning for the program were largely effective. DPS effectively contributed to the development of the program, and governance bodies largely fulfilled their roles and responsibilities. However, project management quality assurance processes were not fully implemented and there was no program performance framework.

10. DPS was largely effective in procuring suppliers to deliver the program. Procurement action complied with the Commonwealth Procurement Rules. Contract formation was consistent with Commonwealth standards, although with potential risks in the areas of timely execution, and there were gaps in the documentation of contractual management arrangements.

11. Implementation of Group One and Group Two of the program was partly effective. DPS conducted communications activities according to plan, and reporting was largely effective, but with gaps in oversight at critical periods. DPS management and oversight of contract performance was partly effective, as DPS did not establish effective administrative and performance monitoring arrangements. An external assessment of the effectiveness of some components of the capital works program in reducing the physical security risks identified in 2014 commenced in December 2020.

Supporting findings

Governance and planning

12. DPS made a largely effective contribution to the development of the program through its membership of the Parliament House Security Taskforce and work to validate project delivery times and costs. DPS clearly set out program objectives and costs in the funding proposal to government. All funding was allocated upfront in 2014–15, and there was evidence that the program would be delivered over a number of years that was yet to be determined.

13. DPS’ governance of the program was largely effective. The Project Control Group operated as DPS’ primary governance body. DPS had established quality control frameworks, but did not fully implement the planned processes.

14. The approach to planning for the program was partially effective. The absence of a program performance framework, and of an approach to track program delivery timeframes in a consistent and coordinated way, resulted in a limited line of sight between agreed delivery timeframes from the Australian Parliament House Security Upgrade—Implementation Plan (SUIP) and later revised timeframes from the contracts.

Procurement

15. DPS complied with the Commonwealth Procurement Rules for the head contract procurements examined by the ANAO. Procurement processes were guided by procurement strategies, approaches to market met requirements, and open tenders were evaluated in accordance with tender evaluation plans to ensure value for money.

16. DPS established effective contracts with suppliers, using Australian Government templates for all six head contracts and 12 of 13 consultancies and other contracts examined. Records management and timely execution of contracts were areas for improvement. Contract management plans were in place for three head contracts, although DPS did not have contract management and associated plans for all head contracts, as recommended by internal policy.

Implementation

17. Communications and reporting were largely effective. DPS developed communication plans that sought to raise awareness amongst building occupants. DPS maintained oversight of communications throughout the program, but did not measure or review the effectiveness of communication activities. DPS planned, undertook and reviewed internal reporting.

18. DPS’ management and oversight of contract performance was partly effective. DPS did not establish key administrative arrangements to support contract management, including conflicts of interest and contract management plans. DPS established largely effective performance monitoring arrangements for the contracts. DPS monitored delivery in terms of budget and time; however, it was not evident that DPS had sufficient oversight over scope changes. Assessment of a contract that ended in December 2019 remained outstanding.

19. While accreditation of security zones provided assurance over elements of the capital works, an external security assessment of the capital works program would provide additional assurance that the program effectively controlled the five physical security risks identified in 2014. DPS assessed the intended effectiveness of some risk controls before implementation, but did not assess the effectiveness of all controls once implemented.

Recommendations

Recommendation no. 1

Paragraph 2.26

The Department of Parliamentary Services:

  • reviews the adequacy of the program management framework, policies and procedures that it has in place to administer a capital works program; and
  • ensures that it has quality assurance arrangements in place to assess whether the program management framework, policies and procedures are used effectively.

Department of Parliamentary Services response: Agreed.

Recommendation no. 2

Paragraph 4.52

The Department of Parliamentary Services undertake closure tasks for all contracts in accordance with internal policy.

Department of Parliamentary Services response: Agreed.

Recommendation no. 3

Paragraph 4.72

The Department of Parliamentary Services finalise the external security reviews of the capital works program, and make recommendations to the Security Management Board and Presiding Officers on any subsequent action identified by these reviews.

Department of Parliamentary Services response: Partly Agreed.

Department of Parliamentary Services summary response

DPS welcomed the audit of the security upgrade works and agrees with the recommendations in principle. DPS has simultaneously used this audit process as an opportunity to conduct a post-implementation review and further develop program management processes as part of its continuous improvement initiatives.

DPS disagrees with a number of residual statements and findings in this report which could have been resolved before the reporting deadline with more transparent lines of enquiry. During the audit, DPS provided well in excess of 12,000 documents to support ANAO requests. This included contextual information to assist the audit team to understand the program framework. Unfortunately, limited discussion and context for lines of enquiry resulted in inaccurate draft findings and considerable follow up work by DPS which continued until the production of the section 19 report. DPS acknowledges that the ANAO has incorporated most of our responses and would welcome greater dialogue to enable a more effective review process.

DPS disagrees with the ANAO’s assessment that there was no program performance framework in place and that the KPIs from the Security Upgrade Implementation Plan (SUIP) were not central to reporting on the progress of works being managed through that framework. The ANAO was unable to articulate what an effective program performance framework comprises and where this diverges from the approach taken by DPS in: managing the development of the detailed scope of works (as agreed by the Presiding Officers and the Parliament consistent with the SUIP); the progress of the implementation of those works (including managing contractor performance); and the review of the effectiveness of those works in addressing the security risks treated through the SUIP.

Project delays were experienced with some of the works program but DPS questions the value of measuring delays using high-level indicative delivery dates identified very early in the SUIP. These dates, which can only be viewed as estimates, preceded the complex detailed design and planning work for change to a monumental and architecturally significant building with nationally important heritage values. The design process alone required modelling of options before suitable solutions were adopted to minimise impact on the and Architect’s design intent. The resulting disruptive construction activity was also necessarily scheduled around parliamentary sitting periods and other significant events, generating intrinsic and sometimes unpredictable delays.

ANAO comment

20. The DPS Security Works Program performance framework is discussed at paragraph 2.35 and Appendix 5. DPS oversight of scope changes is detailed at paragraphs 4.33, 4.34, and 4.37 to 4.39. DPS performance monitoring of contract scope, time and budget is set out at paragraphs 4.25 to 4.48. An external security assessment of the capital works, to provide assurance that the program effectively controlled the five physical security risks identified in 2014, is discussed at paragraphs 4.67 to 4.74.

Key messages from this audit for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Records management

Contract management

Governance and risk management

1. Background

Introduction

1.1 The Department of Parliamentary Services (DPS) supports the work of the Australian Parliament, including providing facilities and maintenance for the Australian Parliament House (Parliament House) building. From 2014–15, DPS undertook a security upgrade capital works program (the program) to improve physical security at Parliament House. DPS procured six head contracts and 13 consultancies and other contracts to undertake the works.

Security Works at Parliament House

The Department of Parliamentary Services

1.2 The Parliamentary Service Act 1999 establishes DPS as one of four parliamentary departments, and DPS staff are employed under that Act.[6] The DPS Secretary reports to the Presiding Officers of the Parliament — the President of the Senate and the Speaker of the House of Representatives. As a non-corporate Commonwealth entity, the Public Governance, Performance and Accountability Act 2013 and related policies apply to DPS.

Providing facilities and maintenance for the Parliament House building

1.3 The Parliamentary precinct occupies a 35-hectare site, comprising approximately 4700 rooms across four levels, with a total floor area of more than 267,000 square metres (see Appendix 2).[7] The protection of Parliament House against the risk of physical attack is critical to ensuring continuity, and public confidence, in the proper functioning of the Australian Parliament. Considering that the multiple users of the building include parliamentarians, building occupants and visitors, DPS’ effective stewardship of Parliament House involves ensuring a secure environment while maintaining public accessibility.

1.4 Parliament House received 746,844 visitors over the 2018–19 period, operating under arrangements where the building is accessible every day of the year inclusive of weekends and public holidays, with the exception of Christmas Day.[8] In September 2020 DPS reported that it did not meet the 2019–20 number of visitors target, due to bushfires throughout Australia in late 2019, and the impacts of COVID-19 which resulted in the building being closed to the general public from 26 March 2020 until 4 July 2020.[9] Visitor numbers and occupancy limits have continued to be restricted in response to public health authority advice and ACT Government requirements.

1.5 The Presiding Officers have specific roles in relation to building works within the Parliamentary zone (see Appendix 2). The National Capital Authority is the relevant planning authority for Commonwealth buildings within the National Triangle. The Presiding Officers are responsible for security arrangements at Parliament House, with specific roles under the Parliamentary Precincts Act 1988 and the Parliamentary Service Act 1999.[10]

Security upgrade capital works program

1.6 Following an increase in the National Terrorism Alert Level in September 2014, the Presiding Officers accepted the recommendations of a series of reviews of security arrangements at Parliament House[11] and established a multi-agency Parliament House Security Taskforce (the Taskforce)[12] to oversee implementation of agreed measures.[13]

1.7 In October 2014, the Taskforce developed the Australian Parliament House Security Upgrade—Implementation Plan (SUIP), which assigned specific tasks to individual agencies. DPS was assigned responsibility for undertaking a security upgrade capital works program to improve physical security (Figure 1.1), alongside other measures related to the provision of security operations at Parliament House and updates to the security policy and governance framework.[14] The program aimed to reduce five physical security risks assessed as ‘high’, although no target was set for the reduction in risk.

Figure 1.1: The SUIP and the capital works program

Shows the three layer structure of the security works upgrade program. The top layer is the Security Upgrade Implementation Plan (multi-agency). The middle layer is the Security upgrade capital works program (Department of Parliamentary Services). The b

Source: ANAO, based on DPS documents.

1.8 In the 2014–15 Mid-Year Economic and Fiscal Outlook, DPS was allocated $108.4 million in capital funding and $18.7 million expense funding to undertake the program.[15] The House of Representatives and the Senate approved[16] the initial scope of works for proposed perimeter security enhancements in March 2015, comprising:

  • a perimeter fence at the southern facade of the Ministerial wing;
  • a gate house facility outside the entrance to the Ministerial wing;
  • vehicle bollards at the base of the Ministerial entrance stairs; and
  • glazing replacement at the Ministerial ground floor entrance.[17]

1.9 In April 2015 DPS was planning the program of works in three groups.[18]

  • Group One — Secure hardening of several entry points and identified areas of potential vulnerability (the perimeter security enhancements approved in March 2015 formed the package of work in Group One).
  • Group Two — Major enhancements to security infrastructure, including the access control and CCTV systems, and external glass facade.
  • Group Three — Further building infrastructure upgrades, subject to additional funding approvals.

1.10 In the 2016–17 Budget, DPS was allocated $18.3 million in further capital funding over two years for strengthening the main and side skylights[19], and these works were assigned to Group Two. The House of Representatives and the Senate approved further perimeter security enhancement works on 1 December 2016, comprising:

  • fencing to the northern and southern grass ramps;
  • forecourt fencing along the angled wall;
  • Ministerial wing fencing along the angled wall;
  • barriers on the eastern and western building perimeter;
  • camera surveillance (CCTV systems); and
  • selected glazing replacement around the building perimeter.[20]

1.11 A June 2015 project management plan outlined that the Group Three works related exclusively to Ministerial wing works that were not funded. In February 2016, a project report detailed that the Ministerial wing works were no longer required. In June 2016, DPS had assigned a single project to Group Three works that had received funding in the 2014–15 capital works program appropriation relating to the upgrade of emergency generators. An August 2016 project management plan (updated in August 2018) provided a work breakdown for the three groups of works (see Appendix 3).

1.12 DPS advised its Audit Committee in September 2018 that in conjunction with the Presiding Officers an agreement had been made to place Group Three works on hold for two years. Additional capital funding of $31.7 million over four financial years (2018–19 to 2021–22) was provided following the 2019–20 Budget measure for DPS to replace the auxiliary power system (emergency generators), and to upgrade the mobile phone antenna.[21] A DPS project progress report in December 2019 detailed that the auxiliary power system project completion date was July 2021.

Delivery of the capital works program

1.13 The program commenced in 2014–15 and was budgeted to run until 30 June 2018, with a one-year rectification period.[22] Group One works were completed in June 2016 and the defects liability period ended in June 2017. DPS extended the expected completion timeframe for the remainder of the program covering Group Two works by 12 months to 30 June 2019[23], and then in 2019 by a further six months to 31 December 2019[24] (Figure 1.2).

1.14 In September 2020, DPS reported that the Parliament House security upgrade project reached practical completion in May 2020[25], with minor additions and modifications still underway to fully realise the project’s objectives. These were expected to be completed by December 2020.[26]

Figure 1.2: Timeline of the security upgrade capital works program

Shows the timeline for dates of key decisions and milestones in the delivery of the program. These are described in paragraphs 1.13 and 1.14.

Source: ANAO, based on DPS documents.

Previous reviews and audits

1.15 The Senate Finance and Public Administration Legislation Committee has conducted three inquiries relevant to the program. The inquiry reports were:

  • tabled on 25 June 2015 — on the proposed security upgrade capital works[27];
  • tabled on 17 September 2015 — on DPS, including contract management[28]; and
  • expected to be tabled on 30 June 2021 — on the operation and management of DPS.

1.16 The Australian National Audit Office (ANAO) has undertaken two performance audits of DPS contract management in areas separate from the program[29]:

  • Auditor-General Report No. 24 2014–15, Managing Assets and Contracts at Parliament House, identified deficiencies in DPS contract management; and
  • Auditor-General Report No. 19 2016–17, Managing Contracts at Parliament House, found there had been an overall improvement in the establishment and management of contracts, but there was a need to improve contract management planning, risk management planning, and monitoring of contractor performance.

1.17 DPS undertook eight internal audits relevant to the program between 2015 and 2020.

Rationale for undertaking the audit

1.18 Two reports by the Senate Finance and Public Administration Legislation Committee in 2015 and two performance audits by the ANAO in 2015 and 2016 identified potential improvements to DPS contract management. The delivery of the security upgrade capital works program was described by DPS as the largest capital works since the construction of Parliament House. This audit was included as a potential audit in the ANAO’s 2019–20 Annual Audit Work Program. On 14 November 2019, Senator Kimberley Kitching wrote to the Auditor-General raising specific concerns with the contract management of the program.[30] Given the Parliamentary interest, this audit was undertaken to assess the effectiveness of DPS’ planning and delivery of the security upgrade capital works program.

Audit approach

Audit objective, criteria and scope

1.19 The objective of the audit was to examine the effectiveness of planning and delivery of the security upgrade capital works program at Parliament House by DPS. To form a conclusion against this objective, the ANAO adopted the following high-level criteria:

  • Did DPS effectively govern and plan the security works program?
  • Did DPS effectively procure service providers to deliver the security works program?
  • Did DPS effectively implement the security works program and control security risks?

1.20 The audit did not examine the Group Three auxiliary power system (emergency generators) project as works were underway, other capital works undertaken by DPS, building or asset maintenance, or other aspects of security at Parliament House such as cyber security or the operation of the Parliamentary Security Service.

Audit methodology

1.21 Audit procedures included:

  • reviewing DPS documents; and
  • interviewing key management personnel at DPS and relevant staff from the project manager/contract administrator.

1.22 The ANAO received four citizen contributions.

1.23 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $480,000.

1.24 Team members for this audit were Nathan Callaway, Barbara Das and Peta Martyn.

2. Governance and planning

Areas examined

This chapter examines whether the Department of Parliamentary Services (DPS) effectively governed and planned the security upgrade capital works program (the program).

Conclusion

Governance arrangements and planning for the program were largely effective. DPS effectively contributed to the development of the program, and governance bodies largely fulfilled their roles and responsibilities. However, project management quality assurance processes were not fully implemented and there was no program performance framework.

Areas for improvement

The ANAO made one recommendation aimed at improving DPS’ program management framework.

2.1 The Department of the Prime Minister and Cabinet’s Guide to Implementation Planning stated that ‘effective governance arrangements are critical to successful delivery’ and that planning should provide ‘a structured approach or path for how an initiative will be implemented’.[31] The ANAO examined whether DPS:

  • effectively contributed to the development of the program;
  • established effective governance arrangements to oversee the program; and
  • used an effective planning process for the program.

Did DPS effectively contribute to the development of the program?

DPS made a largely effective contribution to the development of the program through its membership of the Parliament House Security Taskforce and work to validate project delivery times and costs. DPS clearly set out program objectives and costs in the funding proposal to government. All funding was allocated upfront in 2014–15, and there was evidence that the program would be delivered over a number of years that was yet to be determined.

2.2 For initiatives that involve multiple entities, it is important to clearly identify which entities are responsible for the various aspects of the initiative.[32] The ANAO examined whether DPS effectively contributed to the development of the Australian Parliament House (Parliament House) Security Upgrade Implementation Plan (SUIP) and the proposal seeking funding for the plan.

2.3 In 2014, following the heightened threat environment in Australia[33], there was an urgency to address the security risks related to Parliament House identified in the 2014 reviews (see paragraph 1.6). The timeline for the development of the program is detailed in Box 1.

Box 1: Key milestones relating to the development of the program

The Presiding Officers, at the request of the Prime Minister, established the Parliament House Security Taskforce on 22 September 2014.

The Presiding Officers endorsed the SUIP on 22 October 2014.

DPS submitted the funding proposal in November 2014 for the security works and funding was approved on 15 December 2014.

Australian Parliament House Security Upgrade Implementation Plan

2.4 The Parliament House Security Taskforce (the Taskforce) developed the program and created an implementation plan, with DPS and other entities providing input.[34] The Secretary of DPS was a member of the Taskforce, which first met on 22 September 2014. DPS contributed to the development of the program by responding to requests from the Taskforce, providing advice about moral rights consultation and circulating the results of related audits and trials.

2.5 The SUIP, approved in October 2014, set out four staged categories of work for implementation, with some works planned to occur sequentially. At this time the planned completion date for the program was 31 December 2016. In May 2015 DPS developed the Security Upgrade Transition Plan and revised the SUIP, with a new grouping and schedule of the works into three groups, with a revised completion date of July 2017 for the program. DPS advice to the Taskforce when submitting the revised SUIP was that the transition plan packaged works into groups with the aim of delivering the various works in the most efficient manner and involved some reprogramming of works. The Taskforce endorsed the transition plan, including the revised timeframes, at its May 2015 meeting.

Funding proposal

2.6 The funding proposal was to implement the physical enhancements outlined in the SUIP to address the security risks related to Parliament House, and clearly outlined program objectives and costs. DPS stated that each of the proposed actions would provide a risk treatment or threat mitigation that, when considered holistically, would provide a significantly improved level of security for the Parliament and its occupants. DPS requested that all capital funding be appropriated up-front in the first financial year in 2014–15. In May 2015, approval was sought for the money to be rolled over and re-phased for forward financial years. The funding proposal did not specify timeframes for the delivery of the security works, and recognised that whilst the capital costs could be committed, the actual construction, commissioning and defect liability period would extend into the out years. As part of the funding process, DPS identified pressures and constraints related to timing. In particular, the delivery schedule was based on limited information and DPS considered there was a risk that not all factors had been considered that could impact on the delivery of the works.

Did DPS establish effective governance for the program?

DPS’ governance of the program was largely effective. The Project Control Group operated as DPS’ primary governance body. DPS established quality control frameworks, but did not fully implement the planned processes.

Governance framework

2.7 The Guide to Implementation Planning outlined that:

  • governance arrangements should be documented to show the lines of decision-making responsibility, consultation channels and avenues for horizontal collaboration; and
  • the roles and responsibilities of each person or group involved in the initiative need to be clearly defined, agreed and documented.35

Oversight

2.8 The Secretary of DPS approved a governance framework in December 2014 for DPS’ implementation of the program. The key oversight arrangements are illustrated at Figure 2.1.

Figure 2.1: Governance arrangements for the security works upgrade program

Shows the four layers of different governance groups with oversight roles and responsibilities for the security works upgrade program.  The top layer is external to the department and includes the Presiding Officers in the centre, the Security Management Board to the left of the Presiding Officers, and the Parliament House Security Taskforce, and the Security Working Group to the right of the Presiding Officers.  The second to fourth layers of the diagram are internal to the department. At the second layer is the Secretary of the Department of Parliamentary Services with a reporting line to the Presiding Officers. The third layer is the Project Control Group, with a reporting line to the Secretary. The Project Management Group is at the fourth layer with a reporting line to the Project Control Group. The Electronic Security Systems Board sits alongside both the Project Management Group and the Project Control Group with a reporting line directly to the Secretary. The governance arrangements are described in paragraphs 2.8 to 2.11.

Legend: the figure distinguishes three categories: external governance arrangements for the program; internal governance arrangements established for the program; and governance arrangements that were in existence before the program commenced.

Notes: The Security Management Board membership includes: the Secretary of DPS (or appointee); an SES employee of the Department of the Senate; an SES employee of the Department of the House of Representatives; and the Australian Federal Police Commissioner or Deputy Commissioner.

The Parliament House Security Taskforce (the Taskforce) membership included: the Speaker of the House of Representatives (Chair); the President of the Senate; an Associate Secretary (Department of the Prime Minister and Cabinet); two Assistant Commissioners (Australian Federal Police); a Deputy Secretary (Attorney-General’s Department); a representative (Australian Security Intelligence Organisation); a Deputy Secretary (Department of Finance); and the Secretary, DPS. In May 2017, the Taskforce’s responsibilities were transferred to the Security Management Board.

The Project Control Group membership included the following DPS staff: the First Assistant Secretary, Building and Asset Management Division (Chair); the Chief Operating Officer; the Chief Information Officer; the Assistant Secretary, Program Delivery; the Assistant Secretary, Asset Development & Maintenance; the Assistant Secretary, Security; the Assistant Secretary, Parliamentary Experience; the Assistant Secretary, Strategic Asset Planning & Performance; the Chief Financial Officer; and the Parliamentary Librarian.

The Project Management Group membership included the following DPS staff: Assistant Secretary Program Delivery Branch (Chair); Assistant Secretary, Security Branch; Assistant Secretary, Asset Development & Maintenance Branch; Assistant Secretary, ICT Strategy Planning and Applications; Assistant Secretary, ICT Infrastructure; the Project Director; and the Assistant Project Director.

Source: ANAO depiction of key program governance arrangements.

2.9 There were four different versions of the governance structure diagrams in DPS documentation in the 2014–15 period.36 DPS advised that the different versions of the diagrams reflected updates resulting from embedding the program over time. Later changes to the governance structure were not updated to reflect the: closure of the Program Management Group in August 2017; Taskforce responsibilities being transferred to the SMB in May 2017; and introduction of the specific governance arrangements in June 2019 for the Electronic Security Systems Board that had some responsibilities relating to the delivery of the Group Two (electronic security) works contract.

2.10 The Presiding Officers were involved in providing advice, direction and approval for the program, and from September 2017 received capital works digest reports from DPS.

2.11 The key DPS internal oversight arrangements operated as follows.

  • The Secretary of DPS37 established the Project Control Group (PCG) as DPS’ primary governance body. The PCG reported to the Secretary of DPS, and provided advice and guidance around planning and implementation; overseeing communication and consultation approaches; and monitoring the delivery of the program. Minutes documented the PCG meetings from January 2015 until the final meeting in November 2019. Commencing from the period around June to December 2019, the Electronic Security Systems Board had responsibility for overseeing the completion of the Group Two (electronic security) works.
  • For the Group Two works, DPS established the Project Management Group (also known as the Program Board) in May 2015 to support the Project Control Group (PCG). The Project Management Group was introduced to assist with communications, stakeholder engagement and the resolution of operational issues as a prior step to the PCG. The Project Management Group met 18 times between May 2015 and August 2017, and their discussions were operational in nature, in accordance with their remit. DPS advised that a verbal direction was given by a DPS official that meetings were no longer to be held.

Roles and responsibilities

2.12 The Presiding Officers were the key approvers of the designs and decisions to progress the individual projects.38 The Secretary of DPS is accountable to and reports to both Houses of Parliament through the Presiding Officers. The PCG and Program Management Group were not decision-making bodies, although their membership included DPS senior executives who were decision makers within the department.

2.13 Having a single senior responsible officer for the delivery of large programs is considered good practice.39 DPS established the role of program sponsor. However, DPS documentation did not clearly demonstrate that this role was the senior responsible officer. DPS advised that there were four different program sponsors and five project directors over the life of the program.

2.14 The roles and responsibilities of other key program personnel — the project director and the project manager — were clearly defined. The roles and responsibilities of these positions were outlined in governance documentation and the program management plans.

  • The project director was the management focal point between the senior executive, construction partners and internal stakeholders during the design and construction activities and was responsible for ensuring the early escalation of potential delays or resolving issues escalated through the various project work streams.
  • The project manager was responsible for the management of the work streams within the program and the implementation of the works streams from initiation to handover and support.

2.15 The Guide to Implementation Planning also stated that ‘teams with appropriate capabilities and skills will need to be assembled’.40 In November 2014, DPS established the Program Delivery Branch, as a temporary unit, to plan and deliver all components of the program.41 The branch was established in recognition that ‘the extent of works required under the program was not able to be met using the existing DPS Project team staffing levels’.42 DPS intended that the branch would consist of a team within DPS supported by a contracted project delivery team. The branch had difficulties in attracting and retaining staff because of the lack of longer term job security and competing work priorities.43

2.16 In April 2015, DPS procured a project manager and contract administrator (PMCA). The PMCA was responsible for a substantial part of the general project management and contract administration for the program, including: developing and refining the scope, cost and program of work; undertaking procurements; contract administration; and program reporting. The PMCA team was an embedded part of the Program Delivery Branch.

2.17 In July 2017, the Program Delivery Branch merged with the Capital Works Branch44 with the aim of a more unified delivery of the capital works plan and the program, and to help minimise disruption to building occupants and visitors.

Program management and quality frameworks

2.18 A program management framework consists of the policies, procedures and tools used to support the management of a program, and ‘while program management is underpinned by project management skills, [program management] is a more complex and demanding discipline’.45

2.19 By March 2015, DPS had identified that:

  • a multi-faceted project of this size and scale had not been undertaken at Parliament House since the building was originally constructed in the early 1980s;
  • DPS had a poor record in delivering small to medium sized building construction and security projects, and although significant steps had been taken to improve this capability, the change process was still in its infancy; and
  • DPS had a historically poor approach to engagement with the Heritage, Security and Visitor Experience areas when undertaking construction projects.

2.20 To address issues of project management, DPS adopted a new project methodology to be more flexible and responsive in delivering the program.46 DPS used program management plans covering: scope; quality; risk management; communication and stakeholder engagement; human resources; budget management; scheduling; governance and reporting; and procurement.

2.21 The ANAO identified that at the outset of the program, there were gaps in policies or guidance in place relating to: the identification, selection and prioritisation of projects; program and project planning; design and approval of projects; and heritage assessment. In 2018–19, DPS implemented the Management of Design Integrity Framework (comprising consultation framework, policy and process documents), which was intended to ensure effective project management in partnership with designers and in consultation with moral rights administrators.47

2.22 DPS developed two quality frameworks for the program. The first quality framework was developed in June 2015, but was not approved by the delegate. The PMCA developed the second framework in August 2016. The quality frameworks aimed to:

  • ensure that all project management processes are conducted in a quality manner (quality assurance) and that quality criteria for the outputs themselves (quality control) were developed — first quality framework; and
  • increase certainty, and reduce the risk of project failure — second quality framework.

2.23 The first quality framework did not specify how quality assurance would be achieved, as defined — that is, ensuring that all project management processes were conducted in a timely manner, such as those included in the program management plan and outlined at paragraph 2.22. The framework stated that quality project management processes would be defined that applied to each project; however, it was not evident from documentation how this element of the quality framework was planned to operate and how it operated in practice. DPS advised in June 2021 that ‘DPS had ongoing day-to-day interactions with [the PMCA] to ensure that the processes in place are occurring and effective, which is a key element of DPS’ quality assurance that project management processes were undertaken in a quality manner’.

2.24 The second framework specified two aspects of quality:

  • corporate quality accreditation, such as adherence to the National Code of Practice for the Building and Construction Industry; and
  • project technical accreditation, which are project specific accreditations required to fulfil the project objectives and critical success factors.

2.25 DPS did not record key documents related to its quality control activities as required under its second quality framework: a quality assurance schedule to outline the project technical accreditation requirements, as well as an approved schedule of inspections, audits and reviews to ensure the quality of the program; and a quality assurance register to keep track of and record accreditation activities relating to the quality assurance of the program. In addition, DPS conducted three internal audits of the program and monthly reports addressed some compliance obligations relating to Commonwealth requirements around: heritage; work health and safety; and the Building Code 2013.

Recommendation no.1

2.26 The Department of Parliamentary Services:

  • reviews the adequacy of the program management framework, policies and procedures that it has in place to administer a capital works program; and
  • ensures that it has quality assurance arrangements in place to assess whether the program management framework, policies and procedures are used effectively.

Department of Parliamentary Services response: Agreed.

2.27 DPS has used this audit as an opportunity to conduct a post-implementation review and further develop program management processes as part of a program of continuous improvement. Elements of the program management framework currently in operation have been described in Appendix 1 - Entity Response.

Risk management framework

2.28 An appropriate risk management framework allows entities to effectively assess, control and monitor risks in order to achieve their business objectives. The Public Governance, Performance and Accountability Act 2013 (PGPA Act) prescribes that all Commonwealth entities must establish and maintain an appropriate system of risk oversight and management. The Commonwealth Risk Management Policy also provides guidance to Commonwealth entities on implementing these systems, including for establishing a risk management framework.

2.29 DPS established two risk management frameworks for the program.48 The two frameworks both addressed: risk governance arrangements; assessment processes; mitigation and treatment processes; and monitoring arrangements for the program. The first risk management framework, in place until August 2016, was not appropriate for the program as the risk management processes were not clearly set out and monitoring arrangements were not adequate. The second risk management framework was largely appropriate, and set out risk management processes, oversight arrangements and monitoring and review arrangements. A full assessment of DPS’ risk management framework for the program against the Commonwealth Risk Management Policy is at Appendix 4.

Did DPS use an effective planning process for the program?

The approach to planning for the program was partially effective. The absence of a program performance framework and of an approach to track program delivery timeframes in a consistent and coordinated way resulted in a limited clear line of sight between agreed delivery timeframes from the SUIP and later revised timeframes from the contracts.

2.30 A planning process should provide a structured approach for how an initiative will be implemented to reach an outcome.49 Planning was undertaken at the program level through the development of program management plans (PMPs) and at the project level through the design phase.

Program planning

2.31 In November 2014, as part of the funding proposal, DPS noted that some of the security works which involved replacement or enhancement of obsolete equipment could be implemented immediately after receiving funding. Other measures that were more complex in nature, because they involved significant design changes or had implications for the design integrity of Parliament, would require dedicated project management and architectural resources to ensure that projects were delivered as quickly as possible.

2.32 DPS developed PMPs to operationalise the project management methodology. The PMPs were key program documents that were designed to be updated throughout the program and consisted of a collection of strategies and associated plans. The PMPs outlined arrangements for the program such as governance arrangements, stakeholders and roles and responsibilities. The most recent PMP dated August 2016 included ten associated plans covering management of: scope; risk; communications; human resources; procurement; quality; time; cost; workplace health and safety; and environmental.

2.33 Program planning was undertaken by DPS for the Group One and Group Two works. DPS provided the ANAO with four different PMPs for the program. As the planning process was ongoing and subject to review and updates, some of these plans had multiple versions.50

  • The first plan was approved by the Secretary of DPS in December 2014. The plan focussed on establishing governance arrangements for the program, noting that other areas of the plan were still being developed such as: a risk management framework; an approach to quality; and a delivery schedule.
  • The second plan was approved by the relevant First Assistant Secretary in May 2015. The plan provided greater details in the sub-plans and covered the Group Two works only.
  • The third plan is dated June 2015; however, it is not evident who approved this plan and it does not have a finalised date. The plan covers similar areas to the May 2015 plan; however, it is unclear if this plan just related to Group One works.
  • The fourth plan is dated August 2016 and it is not evident who approved the plan. This plan applied to the entire program, covering the areas identified in the paragraph above.

2.34 The May 2015 PMP/SUIP (see paragraph 2.5) grouped and scheduled works into three groups: Group One; Group Two; and Group Three (see Appendix 3). The first two groups contained 37 security works: 19 for Group One; and 18 for Group Two (10 physical security, one radio upgrade51 and seven electronic security). The Group Three works evolved over the life of the program, as outlined in paragraphs 1.11 and 1.12. As at March 2021, one project was still being delivered under Group Three that had received funding in the 2014–15 capital works program appropriation, relating to the upgrade of emergency generators. DPS procured six head contracts and 13 consultancies and other contracts to undertake Group One and Group Two works.

2.35 Appendix 5 sets out the ANAO’s assessment of DPS planning for the program. Program objectives were clearly outlined and costs were managed through cost management plans. DPS also engaged with stakeholders for the planning phase. However, planning did not establish an approach to track delivery timeframes in a consistent and coordinated way, such that there was a clear line of sight between agreed delivery timeframes from the SUIP and later revised timeframes from the contracts. At the outset of the program, six key performance indicators (KPIs) were set out in the SUIP covering: timeliness; cost; delivery of the works; mitigation of vulnerabilities; management of risks; and a review of the new measures. The KPIs were not incorporated into DPS’ PMPs and DPS did not monitor and report against the KPIs, and did not establish a program performance framework. DPS also did not review the third PMP in accordance with its review schedule and did not maintain adequate records of PMPs.

Design

2.36 DPS engaged contractors to design the works. While contracting arrangements are discussed in more detail in later chapters, the three key contractors for the design phases were:

  • Group One — the design phase was led by an architectural firm, commenced in December 2014 and the finalisation date was not able to be ascertained;
  • Group Two managing contractor (physical security) — the design phase was led by the managing contractor, commenced in April 2016 and was finalised in March 2017; and
  • Group Two head contractor (electronic security) — the design phase was led by the head contractor, commenced in May 2016 and was finalised in November 2016.

Design process

2.37 DPS identified in June 2015 that there was not a defined design process for the Group One works, and this had led to the need for redesign. The project completion report for these works noted that ‘there was a relatively high incidence of issues and associated variations relating to poor/incomplete design’. DPS identified the following issues relating to the design process for the Group One works.

  • There were delays in completing the design work.
  • There was a lack of a defined design process, including approval processes.
  • A poor standard of design documentation resulted in inaccurate cost plans and design solutions that did not align with the user requirements and significantly exceeded the budget.

2.38 For the Group Two works — physical security and electronic security — the design phase involved the development of a range of documentation, including detailed design documents. These documented the design phase activities including: preliminary analysis and designs; scheduling and cost plans; design reports, drawings and specifications; and project plans. DPS assessed Group Two contractors as performing effectively in terms of the design.

Design integrity and heritage

2.39 While not listed on the National Heritage List52, Parliament House is a nationally significant building. The design integrity and heritage values of Parliament House are an important consideration for DPS.

2.40 DPS identified the potential for the security works to impact the heritage of the building, and the potential for an inability to resolve competing security and heritage requirements to affect the works. As a result, DPS stipulated the need for stakeholder engagement and articulation of design integrity and heritage requirements as part of the design process. However, while DPS advised that planning legislation set requirements, DPS did not document its internal design integrity process or heritage consideration process for the security works.53

2.41 Heritage Impact Assessments were the primary mechanism through which heritage considerations were assessed. The purpose of the assessments was to identify and document how the security works may impact on the heritage values of Parliament House and to propose measures to mitigate those impacts. Thirty-one of 34 works had a heritage impact assessment.54

Moral rights

2.42 Moral rights under the Copyright Act 1968 give creators of artistic works — including architecture and design — legal rights over dealings with their work.55 DPS identified the need to consult with Parliament House’s moral rights holder, given the extent of the security works. DPS consulted with the moral rights administrator for each of the groups of work.

2.43 Box 2 provides an overview of the design approach adopted for one project — the construction of a fence/barrier around Parliament House.

Box 2: Perimeter security design integrity and heritage

The perimeter security enhancements were part of the Group Two (physical security) works and included fences and various other barriers around Parliament House. DPS recognised that the proposed design for this project could impact on the design integrity of the building and sought a variety of design options.

In March 2016, a Heritage Impact Assessment was undertaken, with an addendum in October 2016 to assess the revised design. The assessment concluded that the degree of impact on the heritage values from the proposed fencing to the front and rear of the building would be: moderate; long term; medium scale; and moderate intensity. It noted that:

  • the symbolism, design integrity, character, views to and from Parliament House, its form and function would be adversely impacted by the introduction of fences to the front and rear of Parliament House; and
  • given the adverse symbolic, visual, and physical impacts arising from the fencing, the ability to remove them in the future at an appropriate time is important.

A similar assessment was made of the proposed landscape barriers.

  • In October 2016, DPS wrote to the moral rights administrator for Parliament House seeking feedback on the proposed design for the Group Two (physical security) works. The managing contractor then submitted the detailed design report to DPS, including the design for the fencing project. The report outlined that a range of stakeholders were consulted through the design process, and that the managing contractor made design changes in response to stakeholder feedback. There was no general public consultation; DPS advised that public consultation is not required and would have been inappropriate in the context of a security works upgrade program, but consultation was undertaken with the National Capital Authority as the relevant planning authority for Commonwealth buildings within the National Triangle.
  • In November 2016, DPS endorsed the detailed design report. The Presiding Officers endorsed the design on 1 December 2016.

Both Houses of Parliament approved the design for the project in December 2016.

Approvals

2.44 DPS provided evidence to demonstrate that 17 of the 34 works were appropriately approved, either by the Presiding Officers or the Parliament. DPS did not provide approval documentation for the remaining 17 works.

3. Procurement

Areas examined

This chapter examines whether the Department of Parliamentary Services (DPS) effectively procured suppliers to deliver the security upgrade capital works program (the program).

Conclusion

DPS was largely effective in procuring suppliers to deliver the program. Procurement action complied with the Commonwealth Procurement Rules. Contract formation was consistent with Commonwealth standards, although with potential risks in the areas of timely execution, and there were gaps in the documentation of contractual management arrangements.

Areas for improvement

The ANAO identified areas for improvement in contract formation and contractual management arrangements.

3.1 The ANAO examined whether DPS:

  • complied with the Commonwealth Procurement Rules; and
  • established effective contracts with suppliers.

Did DPS comply with the Commonwealth Procurement Rules?

DPS complied with the Commonwealth Procurement Rules for the head contract procurements examined by the ANAO. Procurement processes were guided by procurement strategies, approaches to market met requirements, and open tenders were evaluated in accordance with tender evaluation plans to ensure value for money.

3.2 As a non-corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act), DPS must conduct procurement in accordance with the Commonwealth Procurement Rules (CPRs). The CPRs are supported by guidance issued by the Department of Finance. The ANAO primarily examined six head contract procurement processes (see Table 3.1).

Table 3.1: Six head contract procurements for Group One and Group Two works

| Contract | Description |
| --- | --- |
| Contract one | Group One architectural services |
| Contract two | Project management and contract administration (PMCA) |
| Contract three | Group One construction manager |
| Contract four | Group Two managing contractor (physical security) |
| Contract five | Group Two head contractor (electronic security) |
| Contract six | Group Two radio upgrade services |

Source: ANAO, based on DPS documentation.

Procurement Planning

3.3 DPS undertook procurement processes for the contracts examined by the ANAO over the period from October 2013 to September 2016. During this time, the July 2012 and July 2014 versions of the CPRs were in force. In April 2015, DPS introduced a new suite of documents including a DPS Procurement Manual, DPS Procurement Officer Manual, Procurement Risk Management Plan, and templates for seeking procurement approvals.

3.4 From the outset of the program, DPS recognised that the program would need to comply with CPR requirements. Department of Finance guidance states that the first steps in a procurement process are to plan the procurement based on an identified need, and to scope the procurement.56

3.5 In the context of an expedited planning and procurement process — from the external security assessments in September 2014, to the funding proposal in November 2014 and the procurement approval in early December 2014 — DPS included procurement strategies for the Group One construction manager contract and the project management and contract administration (PMCA) contract in the respective decisions to approve the approach to market.

3.6 For Group Two works, DPS developed a procurement strategy to identify each of the procurement activities to be undertaken.57 The strategy covered physical security, electronic security, and various consultancies. DPS approved the strategy on 29 May 2015, after endorsement by the Program Board, and following approval of the program management plan. DPS also maintained a procurement management plan for the program, which was intended to be reviewed six monthly and was revised twice between 2015 and 2018. DPS prepared a separate procurement strategy for the radio upgrade services contract.

3.7 Procurement strategies for contracts two to six (see Table 3.1) outlined the plan for and scope of the procurements as recommended by Department of Finance guidance, and outlined objectives and rationales for the procurements. A procurement risk assessment for Group One works identified 13 risks, all assessed at a low risk rating.58 The Group Two procurement strategy identified eight potential risk events that were not assigned a risk rating.

3.8 A 2015 internal audit found that the Group One strategies outlined the proposed procurement methods, timeframes and steps required to ensure compliance with the CPRs, the PGPA Act and DPS policy.

3.9 The Group Two procurement strategy was further developed and more detailed, with evidence of more project planning and market research having been undertaken.

Procurement methods

3.10 Department of Finance guidance states that the next step in a procurement process is to determine the procurement method — for example, limited or open tender.59 The CPRs require that procurement of construction services above a procurement threshold of $7.5 million must be conducted in accordance with Division 2 additional rules, unless an exemption applies.

3.11 DPS initially decided to proceed to limited tender for Group One construction management works in December 2014, and for the PMCA in February 2015. In both cases, DPS sought advice from the Department of Finance to confirm the validity of relying on CPR paragraph 10.3b (reasons of extreme urgency)60 to conduct a limited tender. The limited tender approach was agreed at the SES Band 2 level in reliance on paragraph 10.3b, the identified need to complete high priority works immediately, and the low risk profile of Group One works. Both procurement actions subsequently used panel arrangements managed by another agency (see paragraph 3.18).

3.12 Prior to the program, DPS had conducted an open tender for architectural services in 2013–14. DPS conducted open tender procurements for the Group Two managing contractor (physical security), Group Two head contractor (electronic security) and the Group Two radio upgrade services contracts, as these procurements were above the relevant procurement thresholds.

3.13 A key element of procurement design is the integration of probity considerations into all aspects of the procurement, to ensure ethical procurement and the proper use and management of public resources.61 In September 2015, an internal audit examining Group One works found that a probity plan had not been developed for those works; however, a probity advisor was engaged for Group Two works. The Group Two managing contractor (physical security), Group Two head contractor (electronic security) and Group Two radio upgrade services procurements all had probity plans.

Approach to Market

3.14 For the Group One construction manager approach to market, DPS requested the building architect to nominate one or more providers with whom they had worked previously, and approached the one nominated provider. This approach was taken to ensure the nominated provider had demonstrated experience in undertaking works at Parliament House, an understanding of the inherent infrastructure issues of the building and to minimise coordination risks between design and construction. The nominated provider was engaged from a construction management services panel managed by another agency (see paragraph 3.18).

3.15 DPS also identified two potential providers for the PMCA contract from a panel arrangement managed by the Australian Federal Police.

3.16 DPS conducted open tenders published on the Australian Government’s procurement information system, AusTender, for the Group One architectural services, Group Two managing contractor (physical security), Group Two head contractor (electronic security), and Group Two radio upgrade services procurements.

3.17 DPS provided information to tenderers by way of request documentation, with additional information provided by means of amendments to the initial approach to market circulated to all tenderers, and — for two of the four procurements — industry briefings.62 The approaches to market complied with minimum time limits, and DPS did not accept any late submissions. DPS sought and received advice from the Department of Finance to ensure sensitive material was not disclosed in the request documentation, and some information was only released to potential tenderers upon completion of a disclaimer and confidentiality agreement.63

Evaluation

3.18 For the Group One construction manager procurement process, DPS agreed to a limited tender procurement approach on 5 December 2014, awarded the contract on 9 December 2014, and executed the contract on 18 December 2014. A single provider submitted a fee proposal under a panel arrangement managed by the Australian Federal Police that was established by open tender. A 2015 internal audit found this approach reasonable in the circumstances, and found that the method of procurement through the panel was in accordance with the CPRs but the documentation maintained for the procurement could have more accurately reflected the method of procurement and process followed.

3.19 DPS could have adopted a more robust approach to the consideration of price and whole of life costs in the Group One construction manager procurement, as the panel arrangement was relied on for the value for money assessment of the fees. However, this related only to the construction management fee ($349,453) and not the related trade costs that were delivered under the contract (estimated at the time to be $4 million).

3.20 The PMCA procurement process also used a panel arrangement, and evaluated two proposals.

3.21 For the Group One architectural services, Group Two managing contractor (physical security), Group Two head contractor (electronic security), and Group Two radio upgrade services procurement processes, DPS developed Tender Evaluation Plans in consultation with internal procurement and external legal and probity advisers. Tender Evaluation Plans recorded evaluation committee members and advisers by role, set out the responsibilities of the chair and committee members, and outlined the evaluation process including the weighted evaluation and value for money criteria. Tender Evaluation Plans set out the evaluation criteria for the procurement, but the criteria did not always include the mandatory considerations set out in clause 4.5 of the CPRs: environmental sustainability; and whole-of-life costs.

3.22 Evaluation committees for these four procurement processes provided evaluation reports to the delegated decision maker to take into account in approving negotiations with the selected contractor. Evaluation reports set out committee recommendations, based on a value for money assessment against evaluation criteria, and took into account risk as part of the balanced assessment, as required by the CPRs. The committees took into account relevant experience and performance history of tenderers for all four procurements. Evaluation reports set out the evaluation process and confirmed conformance with the Tender Evaluation Plan, and the evaluation reports for the Group Two managing contractor (physical security) and Group Two head contractor (electronic security) processes included a probity report from the probity adviser.

Did DPS establish effective contracts with suppliers?

DPS established effective contracts with suppliers, using Australian Government templates for all six head contracts and 12 of 13 consultancies and other contracts examined. Records management and timely execution of contracts were areas for improvement. Contract management plans were in place for three head contracts, although DPS did not have contract management and associated plans for all head contracts, as recommended by internal policy.

3.23 The ANAO examined six head contracts (see paragraph 3.2) — and 13 consultancies and other contracts procured directly by DPS and worth a combined total of almost $2 million — to determine whether DPS established effective contractual arrangements with suppliers. The ANAO examined contractual provisions and approval processes for subcontracting, but did not examine individual subcontracts.

Establishing effective contracts

Contract formation

3.24 All six head contracts used Australian Government contract templates as the basis for contract negotiation and formation, with the form of contract depending on the procurement method used. Table 3.2 sets out the form of contract for the six head contracts.64

Table 3.2: Forms of head contract for six head contracts

| Contract | Form |
| --- | --- |
| One — Group One architectural services | Deed of standing offer and work orders |
| Two — Project management and contract administration (PMCA) | Deed of standing offer and official orders |
| Three — Group One construction manager | Deed of standing offer and building works contract |
| Four — Group Two managing contractor (physical security) | Commonwealth managing contractor contract (a) |
| Five — Group Two head contractor (electronic security) | Commonwealth head contractor contract (a) |
| Six — Group Two radio upgrade services | Digital sourcing model contract |

Note a: The Group Two managing contractor and the Group Two head contractor contracts were based on the Defence Estate Quality Management System Suite of Facilities Contracts: https://www.defence.gov.au/estatemanagement/Support/SuiteContracts/default.asp.

Source: DPS documents.

3.25 The ANAO also examined 13 consultancies and other contracts procured by DPS between 15 October 2014 and 22 January 2018 and found that all but one used Commonwealth contracts, work orders under deeds of standing offer, or panel arrangements. Since 1 January 2016, it has been mandatory for non-corporate Commonwealth entities such as DPS to use the Commonwealth Contracting Suite (CCS) for procurements under $200,000, unless exceptions apply. Of five contracts examined that were entered into since 1 January 2016, three contracts were exceptions to the requirement (two were above the $200,000 threshold and one was from a panel procurement arrangement), and the remaining two contracts used the CCS.

3.26 At the start of the program, records were saved in DPS system workgroup files. In 2016, DPS started to migrate record keeping to electronic records management software, but workgroup files remained in active use throughout the program into 2020 and had not been fully migrated at the time of the audit. Program records were also kept on proprietary project management software and were not fully migrated into DPS records management software at the time of the audit. DPS did not appropriately maintain a contract register for contractual documents within the program. The diversity in records management approaches meant that DPS was not able to readily access signed copies of contracts and associated program documents in a timely manner.

3.27 The execution of contracts after work has commenced can create legal risk for contracting entities, particularly if work is undertaken outside the scope of the written contract.

  • From the six head contracts and 15 work orders, seven instances were identified where work orders under the head contracts were executed between one and 42 calendar days after the work orders required work to be undertaken, plus one undated instance, worth a combined total of around $1.5 million.
  • For the Group Two radio upgrade services contract, one component of an authorised variation reimbursed a contractor for $26,195 of expenses (representing 4.2 per cent of the contract price) already incurred prior to variation execution.
  • Out of 13 consultancies and other contracts reviewed, the ANAO identified five instances of contracts or extensions that were executed between three and 36 calendar days after contracts required work to be undertaken, one instance executed after almost 18 months, and two instances that were undated, worth a combined total of almost $1 million.65

Contractual performance expectations

3.28 Each of the six head contracts specified objectives and deliverables, and detailed milestones were clearly specified in four of the six contracts (not in the Group One architectural services or Group One construction manager contracts).

Use of third parties

3.29 Service delivery may require the engagement of third parties, such as subcontractors. The Commonwealth Procurement Rules and Australian Government Contract Management Guide66 outline requirements and guidance for the use of particular contract clauses relevant to the use of third parties. Of the six contractual clauses examined (see Table 3.3), five were better practice and not mandatory, with public disclosure of subcontractor participation being the only mandatory clause.

3.30 In each of the six head contracts, service delivery was restricted to specified personnel and/or nominated subcontractors, and there were limitations on assignment. All six head contracts required written approval from DPS to use additional subcontractors. There was evidence of the inclusion of subcontractor details in work orders for the Group One architectural services and in the official order for PMCA. The Group One construction manager was contracted to undertake all procurement for the works and to obtain subcontracting approval from DPS, contract directly with subcontractors for trade packages and materials on DPS’ behalf, and was responsible for all works. There were no nominated subcontractors included in the contract. The Group Two managing contractor (physical security) and Group Two head contractor (electronic security) were contracted to seek approval from DPS prior to tendering for reimbursable or provisional work, to obtain subcontracting approval from DPS, and contract directly with subcontractors. Nominated subcontractors were detailed in the contract. DPS was not able to provide evidence that it had approved any subcontractors, and advised that subcontracting approval generally occurred in the form of variations to the contract.

Table 3.3: Third party arrangements in six head contracts

Columns: Contractual provisions; contracts One (a), Two (a), Three (a), Four (a), Five (a), Six (a)

Rows:

  • Written permission required to use additional subcontractors
  • Limitations on assignment (b)
  • Limitations on novation (c)
  • Public disclosure of subcontractor participation (d)
  • ‘Back-to-back’ contracting (e)
  • No reduction in head contractor’s contractual obligations (f)

Legend:  contract provision sets out arrangements largely or fully. contract provision sets out arrangements partly.  contract does not include a provision that sets out the arrangements.

Note a: Table 3.2 details the relevant contracts.

Note b: Assignment refers to the situation ‘where the supplier wishes to transfer some or all of its rights under the contract to a third party that is not currently a party to the contract. There may be risks to the customer if the supplier is permitted to assign some or all of its rights to a third party that has not been through the scrutiny of a procurement process’ (https://www.finance.gov.au/government/procurement/clausebank/assignment).

Note c: Novation is where an ‘incoming third party supplier will be taking over part or full responsibility of the contract, as if it has been a party to the Contract since the commencement’ (https://www.finance.gov.au/government/procurement/clausebank/novation-and-assignment).

Note d: Agencies must require contractors to agree to the public disclosure of the names of any subcontractors engaged to perform services in relation to a contract, Commonwealth Procurement Rules — July 2012 and July 2014, paragraph 7.19.

Note e: The practice of including obligations from a head contract in subcontracts to make the subcontractor legally responsible for elements of project delivery.

Note f: A contract provision that ensures that the use of subcontractors does not result in a reduction in the head contractor’s contractual obligations to DPS.

Source: ANAO, based on DPS documents.

Liability frameworks and protections for the Australian Government

3.31 The CPRs require that entities consider risks when making decisions relating to the terms of the contract, and that entities should generally not accept risk which another party is better placed to manage.67 Table 3.4 sets out liability frameworks and the relevant protections for the Australian Government in the six head contracts, examining five better practice and non-mandatory contract clauses.

Table 3.4: Liability frameworks in six head contracts

Columns: Contractual provisions; contracts One (a), Two (a), Three (a), Four (a), Five (a), Six (a)

Rows:

  • Audit and access (b)
  • Performance assurance (securities) (c)
  • Performance assurance (liquidated damages) (c)
  • Indemnities and insurance (d)
  • Dispute resolution and termination

Legend:  contract provision sets out liability requirement largely or fully. contract provision sets out liability requirement partly. – non-mandatory liability requirement was not included in the contract.

Note a: Table 3.2 details the relevant contracts.

Note b: An audit and access clause can preserve the rights of agencies to access contractor premises and inspect records associated with the contract.

Note c: It is not mandatory to use securities or liquidated damages provisions in Commonwealth contracts, and their use will reflect a decision by the entity based on the nature and risk of the contract.

Note d: Entities can manage legal risks by requiring contractors to indemnify the Commonwealth, and to hold insurance such as public liability, professional indemnity and workers’ compensation insurance.

Source: ANAO, based on DPS documents.

Establishing effective contract management arrangements

3.32 The DPS Contract Manager Manual requires all contracts to be actively managed to help ensure contractor performance is satisfactory, stakeholders are well informed and all contract requirements are met. The manual sets out a range of required and recommended steps to enact contract management within DPS. The inclusion of relevant contract clauses and terms enables active contract management. Table 3.5 details the contract management arrangements where there was a relevant recommended step outlined in the DPS Contract Manager Manual, with the exception of the final two rows where there were no requirements set out in the manual.

Table 3.5: Contract management arrangements

Columns: Contract; contracts One (a), Two (a), Three (a), Four (a), Five (a), Six (a)

Rows:

  • Risk management plan
  • Transition of documents in contract
      • Transition plan required by contract
      • Transition plan held by DPS
  • Communication strategy
  • Security plan required by contract
  • Security incident reporting obligation in contract

Legend:  met not met – not relevant

Note a: Table 3.2 details the relevant contracts.

Source: ANAO, based on DPS documents.

3.33 DPS had a risk management plan template, and the DPS Contract Manager Manual required the contract manager to ‘develop or review any necessary risk plans’. DPS did not have risk management plans for the six head contracts.

3.34 The DPS Contract Manager Manual stated that the contract or transition-out strategy should cover the transfer of records, information or equipment. All six head contracts covered transition arrangements, four also contained specific requirements to hand over documents to DPS, and two required the contractor to develop and implement a handover and transition management plan; however, DPS did not have transition plans.

3.35 The development and implementation of a communication strategy and the key elements of a strategy were recommended in the DPS Contract Manager Manual. Through the PMCA, DPS maintained a communications plan for the program, and the Group Two managing contractor (physical security) developed a communications plan for its projects.

3.36 There was no requirement for a contract manager to develop a security management plan, and DPS did not develop security management plans for the six head contracts. While all six contracts contained provisions relating to non-disclosure of Commonwealth information, only two required contractors to develop or implement specific security management plans or processes to protect information, and only two contained security incident reporting obligations. DPS advised that three of the six head contractors included security-related provisions in their site management plans, and DPS provided high-level guidance on security requirements for onsite work.

3.37 In November 2016, a head contractor lost documentation that was classified as ‘For Official Use Only’, relating to the proposed design of the security works information communications network, and the hosted systems. The contractor notified DPS of the loss of material on 7 February 2017, and DPS investigated the incident. In July 2017, DPS’ investigation assessment report to the Presiding Officers outlined that there was a low risk of the documentation coming into the possession of an adversary, the documents were primarily based on information that was publicly available, and they contained limited detail due to the early stage of the design work. DPS’ assessment also acknowledged that since the loss of the documentation, the design of the network changed significantly, and as a result, the information was no longer current. DPS considered that the level of detail in the documents meant that in isolation the information would lead to very little risk in facilitating compromise to the network or the system.

3.38 The contract with DPS did not include security incident reporting obligations, and this was identified as one of the causes of delay in reporting. DPS identified potential improvements to contractor incident reporting and document handling practices. DPS stated that the contractor ‘was asked to improve their handling of sensitive information. Further, some contractual documentation has been amended’68, and from November 2017 the contractor amended the Site Management Plan to cover incident reporting. There would be merit in DPS considering including security incident reporting obligations in future contracts.

3.39 The DPS Contract Manager Manual recommends developing a contract management plan, and that management of the contract should be guided by risk, complexity, size, sensitivity and the duration of the purchase under consideration. DPS had plans for three of the six head contracts (the Group One construction manager, Group Two managing contractor (physical security), and Group Two head contractor (electronic security) contracts; see Table 3.2). DPS informed the ANAO that contract management plans for the remaining three contracts would not have added additional value to the contract management arrangements.69 DPS’ use of the established contract management plans is discussed further in paragraph 4.23.

4. Implementation

Areas examined

This chapter examines whether the Department of Parliamentary Services (DPS) effectively implemented the security upgrade capital works program (the program).

Conclusion

Implementation of Group One and Group Two of the program was partly effective. DPS conducted communications activities according to plan, and reporting was largely effective, but with gaps in oversight at critical periods. DPS management and oversight of contract performance was partly effective, as DPS did not establish effective administrative and performance monitoring arrangements. An external assessment of the effectiveness of some components of the capital works program in reducing the physical security risks identified in 2014 commenced in December 2020.

Areas for improvement

The ANAO made one recommendation aimed at improving contract management, one recommendation aimed at providing better security risk assurance, and identified areas for improvement in contract management.

4.1 The ANAO examined:

  • communication and reporting — to ensure key stakeholders were informed of the program;
  • contract management — to ensure the program was effectively delivered; and
  • security risk assurance — to ensure the program achieved its original objective.

Did DPS communicate and report effectively throughout the program?

Communications and reporting were largely effective. DPS developed communication plans that sought to raise awareness amongst building occupants. DPS maintained oversight of communications throughout the program, but did not measure or review the effectiveness of communication activities. DPS planned, undertook and reviewed internal reporting.

4.2 The ANAO examined whether DPS effectively planned, undertook and reviewed external communication activities throughout the program, and conducted internal reporting through program governance arrangements.

Communication

4.3 On 9 September 2014, the Prime Minister wrote to the Presiding Officers emphasising the importance of developing a sound communications strategy to explain the reasons for upgrading security at Parliament House.

4.4 DPS prepared communications plans in 2014 and 2015 as part of program management plans (PMP), and from 2016 the project manager and contract administrator (PMCA) prepared communications plans covering internal project communications between contractors and DPS, but not external communications. In April 2015, DPS advised the Senate that ‘the main element covered within the communications plan is to increase and improve the awareness of components of the security enhancement projects across the main occupants and stakeholders of the building without drawing undue attention to the program or risking the undermining of the security aims of the works’.70

4.5 DPS communicated to parliamentarians mainly through the Presiding Officers and committee appearances. In September 2015, the Presiding Officers noted the Parliament House Security Taskforce (the Taskforce) was intended as a conduit of key information on progress and designs to relevant ministers but that this approach had not worked as well as intended, and proposed future consultation through the Special Minister of State with responsibilities for works affecting the Ministerial Wing.

4.6 DPS also conducted communications activities in two of the 11 potential channels set out in the 2015 PMP, including 40 emailed information circulars over the period from 23 February 2015 to 22 September 2020, and four media statements between November 2016 and November 2019. The information circulars gave notice of the impact of capital works on building users, for example imminent building works or the closure or opening of entrances. DPS generally sent circulars either the same day or within seven days prior to the impacting event. DPS sent circulars to Members, Senators, ministerial and parliamentary staff and public servants, and the Press Gallery President and Vice-President, but not other building tenants.71 DPS informed the ANAO that communications were targeted to impacted building occupants, or to people who were responsible for disseminating information.

4.7 Communications plans were intended to be iterative and scheduled to be reviewed periodically, although there was no evidence that reviews were conducted other than as part of successive drafts of the PMPs, or that later PMP revisions or versions were informed by the results of such reviews. DPS did not measure or review the effectiveness of communications activities. The communications plan for Group Two works required the establishment and maintenance of a complaints register along with monthly reporting. There was no evidence this register was established or maintained, or that reports were provided to or considered by the Project Management Group or Project Control Group.

Reporting

4.8 From the outset of the program, the PMP contained reporting requirements, and five of the six head contracts (not the Group One architectural services contract) contained requirements for regular meetings and/or progress reports to DPS or the PMCA.

4.9 The PMP required the Project Director to report through the Project Management Board to the Project Control Group, which would provide regular progress and financial reports to the Executive Committee. DPS stated to the Senate Finance and Public Administration Legislation Committee in 2015 that:

  • ‘A Project Control Group (PCG), comprised of DPS Senior Executive representatives, is the primary body directly overseeing the program of works…and monitors the schedule, budget and progress of the capital works’; and
  • ‘DPS reports to the Taskforce on matters relating to the security enhancements, project management, delivery, cost and scope amendments. In addition to reporting to the Taskforce, DPS is providing advice to the Security Management Board (SMB) on the progress of works’.72

4.10 The terms of reference for the PCG required reporting to the DPS Executive in a timely manner and ensuring that advice is available to brief the Presiding Officers on planning and delivery of the project. Chaired by the First Assistant Secretary Building and Asset Management Division, the PCG was directly accountable to the Secretary and was to report regularly through the DPS Executive.

4.11 The PCG met 39 times between January 2015 and November 2019. The Secretary of DPS chaired or attended around one-third of all meetings. While DPS did not maintain records of all meetings, the PCG discussed the progress of the program at each of the 30 meetings for which minutes were available. The PCG also received ‘traffic light’ progress reports from mid-2015 to mid-2019, and from March 2018 these were supplemented with, then replaced in August 2019 by, contractor reports.

4.12 While the Terms of Reference required the PCG to meet regularly, the time between meetings varied from two days in the early stages of the program to seven months on two occasions. Immediately prior to the first seven-month hiatus (August 2017 to March 2018), the PCG had been briefed on four high risks to the program, and delays to Group Three works. During the second seven-month hiatus (October 2018 to May 2019), the program experienced significant issues with non-performance by a subcontractor. It was not evident that the PCG could appropriately monitor implementation and delivery as required by its Terms of Reference during these lengthy gaps in reporting. DPS advised that the meeting schedule and timing responded to the needs of the program, and that the issues with the subcontractor were escalated and managed directly by the Secretary and relevant First Assistant Secretary.

4.13 In 2015, DPS had planned to provide the Executive Committee with Functional Design Briefs and updates on progress as requested, reports from the PCG, and monthly financial reports. The Executive Committee received monthly financial reporting as part of administered budget reporting, and brief verbal updates on the program — usually from the Secretary — on seven occasions between January 2015 and March 2017, and did not consider the program thereafter. The Secretary and other Executive Committee members were members of the PCG, the Taskforce and the SMB.

4.14 On 12 May 2015, the Taskforce agreed for DPS to provide a progress report to the Presiding Officers on a monthly basis and at the Taskforce meetings. The Taskforce met 24 times from September 2014 until disbanding in February 2017. The Secretary attended 19 meetings, and DPS provided written progress reports to 17 meetings.

4.15 DPS also provided briefings on the progress of the program to each of 36 meetings of the SMB between 17 December 2014 and 4 May 2020, initially written briefings and from 2016 predominantly verbal briefings. These briefings included four updates on subcontractor-related delays over the period from August 2018 to January 2019.

4.16 Successive PMPs prepared by DPS required the PCG to review risks on a minimum quarterly basis, or more regularly as required, and the program reported individual risks to PCG meetings. The PCG did not conduct quarterly risk reviews of the risk register as required by the PMP. Risk reporting to the Taskforce largely related to the management of the five physical security risks rather than program risks, and risk reporting to the SMB was largely limited to the point-in-time risks associated with an instance of subcontractor underperformance.

4.17 Contracts generally required reporting on a monthly basis or as required by DPS. The PMP required regular reporting, and by mid-2015 this had become monthly reporting to align with PCG meetings, with the PCG to review risk on a minimum quarterly basis, or more regularly as required. The PMP set out the expected content of reports.

4.18 DPS reviewed aspects of reporting arrangements through internal audits in 2015, 2017 and 2019, and reported fully or substantially implementing relevant recommendations. The 2015 PMP made provision for ‘lessons learned’ review points at the conclusion of each group of works. DPS conducted a ‘lessons learned’ review at the conclusion of Group One, and in 2019 an internal audit conducted a review of Group Two works then underway.

Did DPS effectively manage and oversee contract performance?

DPS’ management and oversight of contract performance was partly effective. DPS did not establish key administrative arrangements to support contract management, including conflicts of interest and contract management plans. DPS established largely effective performance monitoring arrangements for the contracts. DPS monitored delivery in terms of budget and time; however, it was not evident that DPS had sufficient oversight over scope changes. Assessment of a contract that ended in December 2019 remained outstanding.

4.19 The Public Governance, Performance and Accountability Act 2013[73], the Commonwealth Procurement Rules[74] and the Australian Government Contract Management Guide (the Contract Management Guide) outline requirements and guidance for the management of contracts.[75] DPS developed a DPS Contract Manager Manual to support officers in effective contract management.

Administrative arrangements

4.20 The Contract Management Guide and the DPS Contract Manager Manual identify that effective contract administrative arrangements include:

  • confirming contract management roles and responsibilities;
  • establishing arrangements to manage conflict of interest;
  • using contract management plans; and
  • setting up communication and assurance mechanisms.

Table 4.1 summarises the assessment of administrative arrangements for the six head contracts.76

Table 4.1: ANAO assessment of contract administrative arrangements

Columns: Contract; contracts One (a), Two (a), Three (a), Four (a), Five (a), Six (a)

Rows:

  • Roles and responsibilities
  • Conflicts of interest
  • Use of contract management plans
  • Communication and assurance

Legend:  arrangements were largely or fully in place. arrangements were partly in place. arrangements were not in place.

Note a: Table 3.2 details the relevant contracts.

Source: ANAO analysis of DPS documentation.

4.21 The PMP and the PMCA contract set out: DPS’ responsibilities for program decision-making in relation to contracts; and the roles and responsibilities of the PMCA. DPS was responsible for the management of the PMCA contract. The other five contracts were at times managed by DPS and at other times managed by the PMCA and overseen by DPS — see Figure 4.1. In the absence of contract management plans, program documentation did not always clearly set out contract management roles and responsibilities for DPS in administering the Group One architectural services and Group Two radio upgrade services contracts.

Figure 4.1: Overview of the six head contracts

Shows a timeline for the commencement date and completion date for each of the six head contracts, between October 2014 and December 2020.  The Group One architectural services contract operated from October 2014 to June 2017.  The Group One construction manager contract operated from December 2014 to June 2017.  The Project Management Contract Administration (PMCA) contract operated from April 2015 to December 2019.  The Group Two managing contractor (physical security) contract operated from April 2016 to December 2020.  The Group Two head contractor (electronic security) contract operated from May 2016 to July 2020.  The Group Two radio upgrade services contract operated from September 2016 to November 2018.

Source: ANAO analysis of DPS documentation, including contracts and reporting.

4.22 The Contract Management Guide outlines that contract managers ‘should ensure all individuals materially involved with the management of a contract make a conflict of interest declaration and update it on a regular basis’. The DPS Contract Manager Manual, Chief Executive’s Instructions dated November 2010, and Finance Procedures for Contract Management dated June 2019, did not set out requirements for the management of conflicts of interest. In June 2021, DPS provided the current DPS Procurement Policy requirements for conflicts of interest and examples of completed conflict of interest declarations from various DPS staff and contractors.

4.23 The Contract Management Guide recommends a contract management plan for complex or strategic contracts. The DPS Contract Manager Manual provides guidance on, but does not mandate, the use of contract management plans. The manual notes these are a useful tool for supporting management of risks to the success of a contract and a major contributor to ensuring value for money. Contract management plans were developed for three of the six head contracts (the Group One construction manager, Group Two managing contractor (physical security), and Group Two head contractor (electronic security) contracts, see Table 3.2). These plans were not used to support effective oversight as they: were not used to track contract information; were not approved, updated and maintained throughout the delivery of the contracts; and had not been used by DPS for oversight or management. DPS should consider reviewing the Contract Manager Manual to align with the Contract Management Guide.

4.24 DPS met regularly with key delivery contractors for the majority of the contract periods to review and discuss construction progress and the program and risks and issues affecting progress, timing and cost. Contractors provided reports to support the meetings. DPS used contractor meetings and PMCA monthly reporting to DPS to gain assurance over the activities of the contractors, and reviewed and approved expenditure on contractor invoices.

Performance monitoring mechanisms

4.25 The DPS Contract Manager Manual stated that the monitoring of contracts focusses on collecting and analysing information to provide assurance to DPS that progress is being made in line with agreed timeframes and towards providing the contract deliverables.

4.26 In managing the four head contracts related to delivery[77], DPS required the PMCA to attend PCG meetings and produce regular reports to assist with oversight of contractor performance. Between July 2015 and November 2019, the PMCA produced monthly reports that covered performance-related issues such as progress against milestones, schedule, budget, quality and emerging issues.

4.27 The contracts stipulated performance monitoring mechanisms for the four contractors including progress meetings and regular reporting. These mechanisms were to be used by the PMCA to inform reporting to DPS and to support oversight of the delivery contracts. Records of meetings and reports showed that these mechanisms were in regular use but not for the full duration of the contracts. While there were lengthy periods where there were no records of planned contractor site meetings or related reports, PMCA monthly reports to DPS continued to provide detail on progress and risks against scope, time and budget for the major contractors.

4.28 For the two other contracts[78], performance monitoring mechanisms were partially established.

  • The contract for the Group One architectural services works did not include mechanisms for ongoing performance monitoring, such as regular meetings or reporting. DPS managed this contract from October 2014 until June 2015 and during this time held regular meetings with the design consultant but did not produce regular performance reporting. From June 2015, the PMCA produced monthly reports for DPS which assessed the performance of this contractor.
  • The contract with the PMCA required the PMCA to attend project management meetings to provide regular updates and to raise opportunities and threats, and produce a monthly report. The project management meetings did not occur. Monthly reports produced by the PMCA included a section reporting on its own performance. DPS did not produce its own documented assessments of the PMCA’s performance.

Underperformance

4.29 The DPS Contract Manager Manual outlines the importance of identifying and dealing with underperformance before it becomes serious, at which point it can become more costly and disruptive to manage. As contract manager, DPS was responsible for managing any underperformance for the six head contracts.

4.30 DPS produced a monthly performance report which, until November 2016, included an assessment of the performance of each contractor and identified areas of weak performance. From December 2016, the reports no longer included individual assessments of contractor performance, although they still included reporting in terms of scope, time and budget.

4.31 For the Group One construction manager contractor, 16 of 17 monthly reports outlined issues with this contractor’s performance. DPS did not instigate formal underperformance processes and advised that the nature of the performance issues did not require any payments to be withheld from the contractor.

Performance monitoring — scope, time and budget

4.32 Performance standards should be specified in the contract and should be fit-for-purpose. The performance standards[79] should allow for an assessment of whether the goods or services:

  • were within scope (whether the deliverables met specification);
  • were delivered on time; and
  • were within the agreed budget.[80]

In undertaking the analysis of scope, time and budget for this section, the ANAO did not assess the contract variation processes for the contracts.

Monitoring against contract scope, time and budget

4.33 The PMP specified that the PCG was to approve changes to scope, and proposed developing a scope change register to track and monitor any changes to scope. PCG documentation did not demonstrate that it had reviewed and approved scope changes for the program. While DPS tracked contract variations, there was no evidence that a scope change register was developed.[81]

4.34 Monthly reporting against the contracts included limited information about scope. From December 2016 the reports included a traffic light assessment of the contracts in terms of delivering against scope. Across the reporting for the four delivery contracts, scope was rated: green 61 per cent of the time; amber 37 per cent of the time; and red two per cent of the time. DPS did not define the parameters of each traffic light level in terms of assessing scope, time and budget.

4.35 The monthly reports identified and reported on key dates (planned, forecast and actual). The reports included a high-level traffic light assessment against whether contracts were being delivered on time (against the agreed schedule). Across all reporting for the four delivery contracts, contracts were rated as: green 14 per cent of the time; amber 61 per cent of the time; and red 25 per cent of the time.

4.36 Detailed cost management plans were developed to track and monitor against the contract delivery budgets. DPS regularly monitored expenditure on the program, including at the individual contract level. Traffic light reporting produced by the PMCA showed that contract costs were rated: green 41 per cent of the time; amber 40 per cent of the time; and red 19 per cent of the time.

Final evaluation of contracts in terms of scope, time and budget

4.37 Four contracts specified that acceptance testing[82] would include an assessment of whether goods and services were provided within the scope of the contract.[83] For these four contracts, from a total of 37 works, evidence of DPS approval of one works acceptance testing relating to electronic works was outstanding. Correspondence in August 2019 indicated that DPS was in the process of confirming that a defect in the works had been rectified, and the completion notice was not signed by two of the three nominated DPS officials.

4.38 For the Group One architectural services and PMCA contracts, delivery standards were not defined and it was not evident how DPS assessed that the goods and services delivered under these contracts were within scope. DPS did not complete end of contract evaluations for the PMCA contract. It was, therefore, not evident to what extent DPS considered these contractors to have delivered against the scope of the original contracts.

4.39 Due to the lack of documentation to track the scope and approved scope changes, the ANAO was unable to fully confirm whether the contracts were delivered within scope. DPS has also not assessed the program in this way.

4.40 The key contract deliverables were almost all delivered after the original contract delivery times (see Appendix 6[84]). The average delays were:

  • Group One works were delivered on average 67 days after planned delivery dates;
  • Group Two (physical security) works were delivered on average 361 days late; and
  • Group Two (electronic security) works were delivered on average 636 days late.

4.41 Throughout delivery, DPS did not track or report on the original indicative delivery dates outlined in the Security Upgrade Implementation Plan (SUIP) and the revised dates in the PMP through to contracts and variations and then to final completion dates. As noted in Appendix 5, DPS did report to the Taskforce and the SMB. These reports did not demonstrate a clear line of sight between the original indicative timeframes and final delivery times for individual projects.

4.42 The PMCA developed a completion report for Group One works that reported on the original budget compared to the actual cost of Group One related contracts. DPS had not undertaken an equivalent final assessment of the total cost of the Group Two works.

4.43 Table 4.2 compares the original contract value and approved DPS budget for the six contracts against the contract expenditure or varied value of those contracts. The figures for the Group Two works contracts are not final figures as DPS had not assessed the final cost of the Group Two contracts. DPS advised that given the nature of the design and construct contracts, these contracts ‘would necessarily involve contract variations that would increase the publicly reported contract value’.

Table 4.2: Six head contracts original value, budget and expenditure

| Contract | Original value [a][b] | Approved budget [a][c] | Expenditure/value [a][d] |
|---|---|---|---|
| Contract one — Group One architectural services | [e] | $1,014,240 | $1,374,219 [f] |
| Contract two — PMCA | $1,786,205 | $1,874,405 | $6,394,935 [f] |
| Contract three — Group One construction manager [g] | $349,453 | $16,889,595 | $16,405,042 [h] |
| Contract four — Group Two managing contractor (physical security) [i] | $2,483,599 | $100,450,552 | $100,154,143 [h] |
| Contract five — Group Two head contractor (electronic security) [j] | $20,079,796 | $54,962,558 | $54,598,922 [h] |
| Contract six — Group Two radio upgrade services | $4,386,109 | $5,200,000 | $5,991,794 [h] |
| Total | | $180,391,350 | $184,919,055 |

Note a: All figures are GST exclusive.

Note b: The original value is the total of official orders under a deed of standing offer, or included in the contract at the time of execution, and does not reflect subsequent approved contract variations.

Note c: Approved budget is based on DPS program cost plan, as at December 2019. In addition to funding allocated to DPS to undertake the security works program, the program cost plan showed that $414,857 in DPS departmental capital funding was also allocated to the program. For contract four, the approved budget is based on DPS data as at August 2019 that includes additional funding of $31,864,606 provided in contract variation approved on 3 August 2019.

Note d: Estimated cost to completion based on DPS program cost plan, as at December 2019. Contract value from contract notices published on AusTender where available after December 2019.

Note e: Multiple work orders under deed of standing offer.

Note f: Estimated cost to completion based on DPS program cost plan, as at December 2019.

Note g: This contract included construction management fees and trade costs; both of these costs are included in the budget and estimated cost to completion figures in the table.

Note h: Contract value from most recent contract notice published on AusTender.

Note i: This contract included contractor’s management and work fee, and reimbursable work; all of these costs are included in the budget and contract value figures in the table.

Note j: This contract included project costs and a period of maintenance support costs; both of these costs are included in the budget and contract value figures in the table.

Source: The six head contracts, AusTender contract notices and DPS’ Cost Management Plan.

4.44 DPS engaged a contractor to provide general project management and contract administration services (PMCA) for Group Two works in April 2015. In July 2015, DPS engaged the same contractor to provide PMCA services for Group One works. The values of the official orders at the time of execution were $294,050 and $1.49 million respectively. As at December 2019, DPS had recorded four variations to the Group Two works and 12 variations for Group One works official orders, primarily due to the need for additional resources because of delays in the delivery of the works, or due to increased scope in program works. The variations were recorded at a total value of $217,000 for Group Two works, and $4.29 million for Group One works.

4.45 DPS executed the contract with the Group One construction manager in December 2014. The construction management fee of $349,453 that was included in the contract was based on total construction cost of $3 million. DPS noted in the contract approval documentation that subsequent to the contractor submitting the fee proposal, the works were further developed and the total expected construction cost was revised to $4 million. DPS instigated the first contract variation on 30 March 2015, revising the total construction cost to $12.49 million and the associated construction management fee to $1.3 million. In December 2015, further contract variations increased the total construction costs to $14.89 million and the associated construction management fee to $2 million primarily due to inclusion of an additional project in scope of the works and changes to allowable working hours requiring additional out of hours supervision.

4.46 The Group Two managing contractor (physical security) contract set out the costs for the contractor’s management and work fee, and reimbursable work of $2.48 million for the planning phase. The contract also included a delivery phase target cost of $40 million for the contractor’s management and work fee, and reimbursable work. As at 19 December 2019, DPS had recorded 293 contract variations with a total value of $60.74 million primarily relating to subcontractors’ costs for completion of reimbursable works. An August 2019 contract variation incorporated the auxiliary power (emergency generators) project in the Group Two managing contractor (physical security) works, following the allocation of additional capital funding of $31.7 million in the 2019–20 Budget measure (see paragraph 1.12).

4.47 DPS tendered for the design and construct of the electronic security system upgrade works, and maintenance services for the electronic security system prior to construction completion. The reported contract value for the Group Two head contractor (electronic security) increased over the program from $20 million in July 2016 to $55 million in February 2020. Examination of seven of the top eight variations with a value greater than $1 million, found that all variations were documented and approved at the Assistant Secretary or First Assistant Secretary level, and that DPS approved increases to the total contract amount when necessary. Five of the top eight variations, totalling $17.4 million that were approved in March, June and October 2017, and March and April 2018, related to design changes; DPS-instigated additional requirements; physical security works; and existing conditions unknown at the time of the contract. The remaining three of the top eight variations, totalling $11.2 million, related to interim maintenance service delivery and were approved in February, June and December 2019. DPS was allocated $10.9 million over four years (and $3.3 million per year ongoing) in the 2018–19 Additional Estimates for the electronic security upgrade maintenance measure.[85]

4.48 DPS had included nominal amounts for some contract costs, and once relevant work designs had been agreed, there was evidence that expected costs were verified by DPS’ contracted cost planner. Documentation supported that DPS would request additional information to support variation order requests, and in some circumstances reject variation order requests.

Handover of contract management responsibilities and contract closure

4.49 In December 2019, the PMCA contract ended and DPS officers assumed responsibility for the ongoing management of the two delivery contracts still in force: the Group Two managing contractor (physical security) works; and the Group Two head contractor (electronic security) works. The PMCA produced handover reports outlining the status of the contracts, including work that DPS would need to complete in taking over contract management.

4.50 DPS did not provide documentation that would allow the ANAO to assess whether it had effectively managed these two contracts from December 2019. Key contract management documentation was not updated by DPS including the: program management plan; risk register; issue and action register; cost management plan; and program schedules.

4.51 Two key aspects of the contract closure phase involve evaluating the contract performance at contract end, and identifying and documenting lessons learned. DPS had not performed these two key contract closure tasks for the PMCA contract and the two Group Two contracts related to physical security and electronic security. DPS advised that it intends to complete the contract closure tasks for the two Group Two contracts at the end of their defect liability periods — February 2021 and May 2021.

Recommendation no.2

4.52 The Department of Parliamentary Services undertake closure tasks for all contracts in accordance with internal policy.

Department of Parliamentary Services response: Agreed.

4.53 DPS confirmed that contract closure tasks for the Group Two contracts would be completed following the end of the defect liability periods for these contracts.

Status of the program at March 2021

4.54 In December 2014, DPS received funding to deliver the program. DPS received funding to deliver 21 measures related to the program. The SUIP, dated May 2015, included 36 deliverables. Across the four head contracts for the program (excluding contracts one and two identified in Table 4.2), there were 37 deliverables.

4.55 The completion of the 37 deliverables specified in the contracts is as follows:

  • DPS completed the final project of the Group One works, which included 19 deliverables, in June 2016 with the defect liability period ending in June 2017.
  • DPS completed the radio upgrade project in August 2018 with the defect liability period ending in August 2019.
  • DPS completed the final deliverable of the Group Two (physical security) works, which included a total of 10 deliverables, in February 2020 with the defect liability period ending in February 2021.

4.56 DPS completed the final deliverable of the Group Two (electronic security) works, which included a total of seven deliverables, in May 2020 with the defect liability period ending in May 2021.

4.57 Of the 21 funding measures, the ANAO was able to confirm that 14 had been delivered and three had not been delivered (two had been removed from scope, relating to secure access to Queens Terrace and public gallery screen, and one was being delivered, relating to auxiliary power (emergency generators), see paragraphs 1.11 and 1.12). For the remaining four measures (relating to replacing obsolete manual locking mechanisms, private area access, entry point reconfiguration and hardening, and business continuity office accommodation), the ANAO was unable to identify a link to the contract deliverables to assess whether the funding measure had been delivered. DPS advised in June 2021 that these measures were completed.

Did the program effectively control physical security risks?

While accreditation of security zones provided assurance over elements of the capital works, an external security assessment of the capital works program would provide additional assurance that the program effectively controlled the five physical security risks identified in 2014. DPS assessed the intended effectiveness of some risk controls before implementation, but did not assess the effectiveness of all controls once implemented.

4.58 The Protective Security Policy Framework (PSPF) articulates government protective security policy and provides guidance across the areas of security governance, personnel security, physical security and information security. As a non-corporate Commonwealth entity, DPS must apply the PSPF as it relates to its risk environment.[86] The PSPF requires that each entity must provide a safe and secure physical environment for their people, information and assets.[87]

4.59 The program aimed to implement recommended controls for five physical security risks identified by external security assessments in September 2014.[88] The ANAO examined whether the program effectively controlled these physical security risks by reference to three PSPF physical security requirements:

  • security planning to assess and manage risk;
  • integrating protective security into facilities planning; and
  • conducting regular assurance reviews.

4.60 This examination focussed on the physical security risks covered by the program and implementation of related PSPF requirements over the seven year period from 2014 to 2020. The ANAO did not examine the assessment and control of all physical or other security risks, or compliance with other PSPF requirements by DPS generally.

Security planning to assess and manage risk

4.61 Three external counter-terrorism security risk assessments in 2014 preceded the program.[89] The assessments identified five physical security risks, each of which was analysed as having a ‘high’ risk rating. Additional security risk assessments conducted between 2014 and 2017 informed aspects of the Group One and Group Two works. Each of the assessments was a stand-alone document, and DPS did not integrate these assessments into an entity-wide security risk assessment framework. DPS did not set a risk appetite or risk tolerance level, or evaluate these five physical security risks compared to tolerance until May 2019. It was however implicit in the initiation of the program that the risks were considered above tolerance.

4.62 DPS assessed the proposed risk reduction of some individual measures at various times between 2015 and 2017, including perimeter security, the Early Warning and Intercommunication System, and video analytics. However, during the program, DPS did not assess the control effectiveness of all capital works in reducing the likelihood and consequences of assessed risks, and did not integrate assessments of control effectiveness into an entity-wide security risk framework.

4.63 Between 2014 and 2019, DPS did not have a security plan as required by the PSPF[90], and recorded this deficiency in annual self-assessment compliance reports. An internal audit in mid-2019 identified that DPS ‘has not formally defined how it applies a risk-based approach to security management…[including] articulating its security risk approach and performing the relevant security risk assessments to guide security management activities’, and recommended that DPS conduct annual risk assessments and develop a security plan. From June 2019, DPS implemented a security plan and related policies, including annual risk assessments as part of the PSPF Maturity Assessment, and the 2019–20 self-assessment.

Integrating protective security into facilities planning

4.64 The PSPF requires that entities must fully integrate protective security in the process of planning, selecting, designing and modifying facilities. This includes certifying and accrediting security zones[91] within facilities before they are used operationally and if certain triggering circumstances are met, including ‘significant changes to the architecture of the facility or the physical security controls used’.[92]

4.65 The ANAO examined the six head contracts[93] to identify whether they contained provisions integrating protective security requirements and standards into facilities planning. Three of the six head contracts — the Group Two managing contract (physical security), Group Two head contractor (electronic security), and Group Two radio upgrade services contracts — contained provisions requiring contractors to take into account PSPF standards for physical security. Two contracts — the PMCA and Group One construction manager contracts — contained a mechanism to allow DPS to specify standards, and the Group One architectural services contract contained no such provisions. In June 2019, DPS updated procurement policies to include specific requirements for contract managers to monitor supplier compliance with the PSPF and security obligations in contracts.

4.66 A March 2017 internal audit of the program recommended that DPS ‘identify, assess and document program level risks’ including compliance with security accreditation requirements. In 2019, following external security zone certification assessments conducted in 2016 and 2019, DPS certified and accredited security zones rated Zone 3 and Zone 4 (restricted office areas) and commenced additional capital works — outside the security capital works program — to remediate residual physical security risks that were identified through this process.[94] In addition, security zones refurbished as part of the program in 2019 were certified and accredited in 2020. In November 2020, the SMB approved a physical security zone accreditation plan. Public access areas rated Zone 1 were recertified and reaccredited in December 2020, and DPS informed the ANAO that recertification and reaccreditation of remaining Zone 2 office areas was underway.

Conducting regular assurance reviews

4.67 During the program, DPS prepared annual PSPF compliance reports that included self-assessments of the implementation of physical security requirements.[95] In late 2018, the only remaining area of self-assessed non-compliance with PSPF physical security requirements related to preparation of a security plan, which was developed in June 2019 (see paragraph 4.63).

4.68 The revised 2018 PSPF annual reporting requirements include a maturity self-assessment model consisting of four ratings, from lowest to highest: ‘ad hoc’, ‘developing’, ‘managing’, and ‘embedded’.[96] In March 2019, DPS advised its Audit Committee that it had conducted a draft maturity self-assessment, and reached an overall assessment of ‘ad hoc’ (partial implementation of PSPF requirements). The final self-assessment report in July 2019 included ratings of ‘managing’ (all requirements implemented) for 85 requirements and ‘developing’ (majority of requirements implemented) for three requirements.[97] In September 2019, DPS advised its Audit Committee that this would result in an overall maturity assessment of ‘developing’.[98]

4.69 In July 2019, an internal audit conducted to assess PSPF alignment — and provide advice to develop an implementation plan to lift the capability to ‘managing’ — found that:

the Department has had a responsive approach to protective security management, rather than based on an integrated risk-based approach…there has not been an overarching framework or mechanism to bring together a converged view of security risks and security management, and ensure consistent application of security management practices across the Department.

4.70 With SMB endorsement, in 2017 the Presiding Officers approved DPS to request a security risk review at the completion of the Group Two works, and consider having this review occur every two years. In late 2018 and again in late 2019, DPS held initial discussions to procure an external security assessment of the capital works. The assessment would not commence until all security upgrade works were fully commissioned and operable. The security risk assessment of some components of the capital works program commenced in December 2020.

4.71 An external security assessment of the entire capital works would provide additional assurance that the program effectively controlled the five physical security risks identified in 2014.

Recommendation no.3

4.72 The Department of Parliamentary Services finalise the external security reviews of the capital works program, and make recommendations to the Security Management Board and Presiding Officers on any subsequent action identified by these reviews.

Department of Parliamentary Services response: Partly Agreed.

4.73 DPS agrees with the principle of the ANAO recommendation but disagrees with one aspect of the role assigned to DPS in the ANAO recommendation - the requirement for DPS to make recommendations to the Security Management Board (SMB).

4.74 The ANAO recommendation requires DPS to make its own recommendations to the SMB on any subsequent action identified by the external security reviews. This is a misinterpretation of the role of DPS under section 65A of the Parliamentary Service Act 1999. This section states that “the Security Management Board is responsible for providing advice to the Presiding Officers on security policy and the management or operation of security measures for Parliament House”. The Secretary of DPS, as one of four members of the SMB, will consider the outcomes of the review and jointly with the other members of the SMB make recommendations to the Presiding Officers.

4.75 The external security review could not be undertaken until the security works were completed in accordance with the 2014 Security Upgrade Implementation Plan. Stage One of the two stage external security review has been completed to draft stage and will be submitted to the SMB for their consideration in July 2021.

Appendices

Appendix 1 Department of Parliamentary Services response

Pages one to five of the response from the Department of Parliamentary Services. A summary of the response is in the summary and recommendations chapter of this report.

ANAO Comment on the Department of Parliamentary Services response

  1. Performance audits by their nature involve engagement between the ANAO and the audited entity. The conduct of an audit is facilitated when the audited entity provides all reasonable facilities and assistance to aid the conduct of an audit, including with the following.
    • Access — providing the ANAO with access to any premises, systems, documents and other property that may be necessary to the audit.
    • Responsiveness — responding in a reasonable timeframe to requests for access to relevant staff, facilities, documentation and information. The ANAO requires requests for access and information to be responded to within one week of requests being made.
    • Electronic data — consistent with the Government’s Digital Continuity Policy, all requested records are to be made available to the ANAO electronically.

The Department of Parliamentary Services was not able to facilitate all of these requirements.

Under Section 24 of the Auditor-General Act 1997, the Auditor-General sets auditing standards that apply to performing the Auditor-General’s functions. These standards are legislative instruments and incorporate the standards issued by Australian Auditing and Assurance Standards Board, and are consistent with the key requirements of the International Standards of Supreme Audit Institutions (ISSAI). Under these standards, the ANAO gathers evidence that is sufficient and appropriate to address the audit’s objectives, and support the audit’s findings and conclusions. The ANAO exercises professional judgement in relation to the sufficient quantity and appropriate quality of audit evidence.

  1. See paragraph 2.35 and Appendix 5.
  2. The footnotes included in the Department of Parliamentary Services response have been redacted as they refer to a proposed report that is covered by confidentiality obligations under subsection 36(3) of the Auditor-General Act 1997.
  3. See paragraphs 4.33, 4.34, and 4.37 to 4.39.
  4. See paragraphs 2.22 to 2.26.

Appendix 2 Parliamentary precincts and zone

Figure A.1: Parliamentary precincts

A design sketch giving an overhead view of the parliamentary precinct that has been taken from the Parliamentary Precincts Act 1988. The precinct is described in paragraph 1.3.

Source: Parliamentary Precincts Act 1988.

Figure A.2: Parliamentary zone

A design sketch giving an overhead view of the parliamentary zone that has been taken from the Parliamentary Precincts Act 1988. The zone is described in paragraph 1.5.

Source: Parliamentary Precincts Act 1988.

Appendix 3 Security upgrade capital works program — scope of works

Security upgrade capital works program

Group One — perimeter enhancements

  • Group One involved hardening entry points.
  • Touch Point 1 Basement level carpark
  • Touch Point 2 & 3 Ground floor level entries
  • Touch Point 4 Loading dock
  • Touch Point 5 & 7 Ministerial Wing entry east and west
  • Touch Point 6 Ground floor — Ministerial entrance
  • Touch Point 8 Ministerial basement entry
  • Touch Point 9 External works Ministerial wing — south fence
  • Touch Point 10 Guard house
  • Touch Point 11 External works Ministerial wing — south bollards
  • Touch Point 12 & 13 Level one — Ministerial entrance
  • Touch Point 14 & 15 Ground floor — kitchens and meeting rooms
  • Touch Point 16 & 17 First floor — kitchens and meeting rooms
  • Touch Point 18 First floor — meeting rooms
  • Touch Point 19 PM courtyard — ballistic and blast proof window treatments

Group Two — electronic access control, CCTV systems and glazing of external façade

  • Group Two involved building hardening.
  • Stage 1 Work Element 1A Senate Entry Point
  • Stage 2 Work Element 1B House of Representative (HOR) Entry Point
  • Stage 3 Work Element 2 Alternate Front Entrance
  • Stage 4 Work Element 3 Level 1 Hardening
  • Stage 5 Work Element 4A Windows (HOR, Senate, Ministerial Wing)
  • Stages 6 and 7 Work Element 4B Perimeter Treatment
  • Stage 8 Work Element 5A Great Hall Skylight
  • Stage 8 Work Element 5B Members Hall Skylight
  • Stage 8 Work Element 5C Committee Room Skylight
  • Stages 9 and 10 Work Element 6 Ceremonial Doors and Temporary Entrances
  • Electronic Security

Group Three — additional works

  • From June 2016, Group Three included one capital works project that had received funding in the 2014–15 capital works program appropriation:
  • WM1847 Emergency Generator Upgrade.

Source: ANAO summary of DPS documents.

Appendix 4 ANAO assessment of DPS risk management frameworks for the program

Area

ANAO assessment

Governance

The risk management frameworks defined roles and responsibilities, including that the:

  • PCG and Program Sponsor had responsibility for ensuring that appropriate risk management processes were applied — first risk management framework; and
  • Project Director was responsible for risk management, with the PCG reviewing the risks and mitigations — second risk management framework.

Assessment

The two risk management frameworks outlined approaches to assessing risks. The process in the first framework lacked detail about the steps involved in assessing risks; however, the second framework was more comprehensive in specifying the steps to identify risks and then to analyse and evaluate those risks. This included that risk workshops would be undertaken to assist with the assessment of risks.

The risk registers were the primary mechanism to document risks and the assessment of those risks. For Group One, the risk descriptions were not always clear in explaining the nature of the risk. For example, one risk was ‘political risk’ with no further explanation. The risk register for the Group Two works was clearer and more comprehensive.

For both risk registers, there was not a clear distinction between program or critical risks and project or operational risks. This issue was identified in a 2015 internal audit and then again in a 2017 internal audit.

Mitigation

The first risk management framework contained no guidance about the process to identify mitigations and treatments for risks. The second framework contained guidance in this regard.

For both frameworks, the risk registers were the primary mechanism to document the approach to the control and treatment of risks. For the Group One works, mitigation strategies in the Group One risk register were not always sufficiently clear in outlining how they would address the risks. For the Group Two works, the mitigation strategies were more clearly outlined to demonstrate how they would address the risks.

Monitoring

In the first risk management framework, DPS stated that it would regularly monitor and review risks, and update the risk register. The PCG was also to review the risk register at least quarterly.

In the second risk management framework, DPS stated that: risks would be monitored throughout the project; the effectiveness of mitigation strategies would be assessed; and changes to risks or the identification of new risks would be analysed and evaluated, as well as appropriately mitigated.

DPS did not regularly review and update the risk register for the Group One works. The register for the Group Two works was included in monthly reports until November 2019, but it is unclear when the risk register was last updated.

DPS advised that the risk register was updated once in 2017 and twice in 2018.

  

Source: ANAO analysis of DPS documents.

Appendix 5 ANAO assessment of DPS planning for the program

Assessment question

ANAO assessment

Did DPS clearly articulate the program’s goals?

The objectives of the program were expressed in different ways over the life of the program; however, the two key aspects to the objectives were to:

  • deliver the works identified in the SUIP (see Note a); and
  • appropriately treat the security risks.

Did DPS clearly specify costs?

The NPP provided the overall funding for the program; however, it did not allocate funding to the individual security works projects. DPS developed a cost management plan to specify the costs of individual works and to manage costs throughout the program.

Did DPS clearly specify timeframes?

DPS was aware that timeframes would most likely change throughout the program as more information was gathered and as the works were designed. The SUIP, transition plan and PMP included information around delivery dates. However, the key mechanism to plan delivery times was detailed program schedules, to be updated weekly. These schedules did not provide a clear line of sight between the SUIP, the transition plan, the PMP and the contract delivery timeframes. DPS produced two styles of reports for the Parliament House Security Taskforce and then the Security Management Board. The Taskforce report assessed delivery against the SUIP deliverables, but not the agreed timeframes in the SUIP. The report to the Security Management Board reported against contract deliverables, rather than the SUIP deliverables and timeframes.

Did DPS develop an effective performance framework?

The SUIP included six key performance indicators (KPIs) around: timeliness; cost; delivery of the works; mitigation of vulnerabilities; management of risks; and a review of the new measures. DPS did not incorporate these KPIs into its program planning. DPS did not monitor and report against these KPIs, and did not establish its own approach to monitoring performance at the program level. The performance of contractors in delivering individual projects is discussed in Chapter Four.

Did DPS effectively engage with stakeholders during the planning phase?

While DPS did not set out a plan for its engagement with stakeholders during the development of the PMP, DPS consulted with a range of stakeholders during the planning phase for the program. These included external entities (particularly through the Taskforce) and internal stakeholders.

Did DPS maintain planning throughout the delivery?

DPS developed three PMPs, each of which had more than one version, indicating that planning was monitored and reviewed throughout. In the third PMP, DPS included review arrangements for plan components — reviews to be conducted every six months. However, DPS was unable to provide evidence that the intended reviews were undertaken.

   

Legend:  requirements were met. requirements were partly met. requirements were not met.

Note a: Australian Parliament House Security Upgrade—Implementation Plan (SUIP).

Source: ANAO assessment of DPS documentation.

Appendix 6 DPS and ANAO assessment of whether projects were delivered on time

Group

Were the projects delivered on time? (original contract/baseline completion date versus actual completion date)

One

Of the 19 projects in this group:

  • nine were delivered later than the planned schedule — an average of 83 days later than planned;
  • one was delivered ahead of schedule — 82 days earlier than planned; and
  • DPS did not specify delivery dates for the other nine projects.

Two (physical security)

Of the 10 projects in this group:

  • eight were delivered later than the planned delivery date — on average, 361 days late; and
  • two did not have planned delivery times.

Two (electronic security)

Of the eight projects in this group:

  • seven projects were delivered after their original planned dates — on average, the projects were 636 days late; and
  • one did not have a planned delivery timeframe.
  

Source: DPS documentation and ANAO analysis of DPS documentation.

Footnotes

1 Capital works within the Parliamentary zone (comprising the area bounded by State Circle, Commonwealth and Kings Avenues and the southern edge of Lake Burley Griffin, see Appendix 2) require approval by resolution of each House of the Parliament: Parliament Act 1974, section 5. They are not subject to the Public Works Committee approval process.

2 Department of Parliamentary Services, submission to the Senate Finance and Public Administration Legislation Committee inquiry into the proposed Parliament House security upgrade works, 29 April 2015, [internet] available from: https://www.aph.gov.au/DocumentStore.ashx?id=32a4c41f-a635-4975-b551-237905a489f4&subId=350638 [accessed 25 November 2020].

3 Department of Parliamentary Services, Annual Report 2019–20, DPS, Canberra, 2020, p. 40.

4 ibid.

5 The Auditor-General responded on 11 December 2019, https://www.anao.gov.au/work/request/proposed-audits-the-parliamentary-departments-portfolio [accessed 25 November 2020].

6 Other parliamentary departments forming the Parliamentary Service are the Department of the Senate, the Department of the House of Representatives and the Parliamentary Budget Office: Parliamentary Service Act 1999.

7 Department of Parliamentary Services, Annual Report 2018–19, DPS, Canberra, 2019, p. 10.

8 ibid., p. 51.

9 Department of Parliamentary Services, Annual Report 2019–20, DPS, Canberra, 2020, pp. 32 and 59.

10 For example, the Presiding Officers are advised by a Security Management Board established under section 65A of the Parliamentary Service Act 1999.

11 The Attorney-General’s Department and the Australian Federal Police conducted the reviews in September 2014, assisted by DPS security: DPS, Submission to the Senate Finance and Public Administration Legislation Committee, 29 April 2015, available from www.aph.gov.au [accessed 25 November 2020].

12 Taskforce membership included: Department of the House of Representatives; Department of the Senate; DPS; Department of the Prime Minister and Cabinet; Department of Finance; Attorney-General’s Department; and the Australian Federal Police.

13 Other measures included increased security presence and access controls, a Memorandum of Understanding with the Australian Federal Police to ensure cooperation in the provision of security operations at Parliament House, and updates to the security policy and governance framework: Department of Parliamentary Services, Annual Report 2014–15, DPS, Canberra, 2015, pp. 46–47.

14 Department of Parliamentary Services, Annual Report 2014–15, DPS, Canberra, 2015, pp. 4–5.

15 Commonwealth of Australia, Mid-Year Economic and Fiscal Outlook 2014–15, The Treasury, Canberra, 2014, p. 207. The amounts appropriated to DPS for security upgrades under the measure consisted of $108.4 million in capital funding over two years (2014–15 and 2015–16), and $18.7 million in expense funding over four years (2014–15 to 2017–18). Measures included: ballistic and blast treatment; identity management and access control; closed circuit television; business continuity accommodation; and other security enhancements (including replacing locks, elevator works, perimeter works and fencing, additional emergency generators, public gallery screening and radio communications system replacement).

16 Capital works within the Parliamentary zone (comprising the area bounded by State Circle, Commonwealth and Kings Avenues and the southern edge of Lake Burley Griffin, see Appendix 2) require approval by resolution of each House of the Parliament: Parliament Act 1974, section 5. They are not subject to the Public Works Committee approval process.

17 Department of Parliamentary Services, Parliament House Security Upgrade Works — Perimeter Security Enhancements, pp. 2–3, available at: https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;adv=yes;orderBy=customrank;page=1;query=Date%3A30%2F11%2F2016%20Dataset%3Atabledpapers;rec=9;resCount=Default [accessed 25 November 2020].

18 Department of Parliamentary Services, submission to the Senate Finance and Public Administration Legislation Committee inquiry into the proposed Parliament House security upgrade works, 29 April 2015, https://www.aph.gov.au/DocumentStore.ashx?id=32a4c41f-a635-4975-b551-237905a489f4&subId=350638 [accessed 25 November 2020].

19 Commonwealth of Australia, Budget Paper No.2 Budget Measures 2016–17, The Treasury, Canberra, 3 May 2016, p. 133.

20 Department of Parliamentary Services, Parliament House Security Upgrade Works – Perimeter Security Enhancements, pp. 2–4, available at: https://parlinfo.aph.gov.au/ [accessed 25 November 2020].

21 Commonwealth of Australia, Budget Paper No.2 Budget Measures 2019–20, The Treasury, Canberra, April 2019, p. 202.

22 Department of Parliamentary Services, Annual Report 2014–15, DPS, Canberra, 2015, pp. 46–47. Department of Parliamentary Services, Corporate Plan 2017–18, DPS, Canberra, 2017, pp. 24–25.

23 Department of Parliamentary Services, Corporate Plan 2018–19, DPS, Canberra, p. 34.

24 Department of Parliamentary Services, Corporate Plan 2019–20, DPS, Canberra, p. 34.

25 Department of Parliamentary Services, Annual Report 2019–20, DPS, Canberra, 2020, p. 40.

26 ibid., p. 40.

27 The Senate, Proposed Parliament House security upgrade works, Senate Finance and Public Administration Legislation Committee, Canberra, June 2015.

28 The Senate, Department of Parliamentary Services – Final Report, Senate Finance and Public Administration Legislation Committee, Canberra, September 2015.

29 Auditor-General Report No.24 2014–15, Managing Assets and Contracts at Parliament House, available at https://www.anao.gov.au/work/performance-audit/managing-assets-and-contracts-parliament-house [accessed 25 November 2020]. Auditor-General Report No. 19 2016–17 Managing Contracts at Parliament House, available at https://www.anao.gov.au/work/performance-audit/managing-contracts-parliament-house [accessed 25 November 2020].

30 The Auditor-General responded on 11 December 2019, https://www.anao.gov.au/work/request/proposed-audits-the-parliamentary-departments-portfolio [accessed 25 November 2020].

31 Department of the Prime Minister and Cabinet (Cabinet Implementation Unit), Guide to Implementation Planning, 2014, PM&C, Canberra, pp. 12 and 16, [internet] https://www.pmc.gov.au/sites/default/files/files/guide-to-implementation-planning.pdf [accessed 30 September 2020].

32 ibid., p. 12.

33 In 2014, the national terrorism threat level increased to Probable, after being at Medium for 13 years. The Parliament House threat level was Possible.

34 The Taskforce membership included the Presiding Officers and the Secretary of DPS. There were also representatives from the: Department of the Prime Minister and Cabinet; Australian Federal Police; Attorney-General’s Department; Australian Security Intelligence Organisation; and Department of Finance.

35 Department of the Prime Minister and Cabinet (Cabinet Implementation Unit), Guide to Implementation Planning, 2014, PM&C, Canberra, pp. 12 and 13, [internet] https://www.pmc.gov.au/sites/default/files/files/guide-to-implementation-planning.pdf [accessed 30 September 2020].

36 The four versions were in: the December 2014 Program Management Plan; the DPS submission to the Finance and Public Administration Legislation Committee in January 2015; the Governance Structure from April 2015; and the June 2015 Program Management Plan.

37 The Secretary of DPS regularly attended the Taskforce, SMB and PCG meetings.

38 The Parliamentary Precincts Act 1988 vests management and control of the precincts in the Presiding Officers.

39 Department of the Prime Minister and Cabinet, Guide to Implementation Planning, PMC, Canberra, 2014, p. 17, https://www.pmc.gov.au/sites/default/files/files/guide-to-implementation-planning.pdf [accessed 30 November 2020].

40 ibid., pp. 12 and 30.

41 The electronics package of work (part of Group Two works) was initially the responsibility of the Security Branch, however in April 2015 this work transferred to the Program Delivery Branch.

42 DPS, ‘Submission by the Department of Parliamentary Services to the Senate Finance and Public Administration Legislation Committee’, 29 April 2015, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Administration/PH_security_upgrade/Submissions [accessed 30 November 2020].

43 In September 2015, DPS modified the status of this branch to allow employees to be engaged as ongoing (i.e. when the branch would be disbanded, the employees would move to other areas of DPS).

44 The Capital Works Branch is responsible for managing the Parliament House Works Program, delivering capital works for building infrastructure projects that enable Parliament House to function effectively as a safe and accessible building.

45 Australian Public Service Commission, Learning from Failure, APSC, Canberra, August 2015, available from https://www.apsc.gov.au/learning-failure-why-large-government-policy-initiatives-have-gone-so-badly-wrong-past-and-how [accessed 30 November 2020].

46 DPS adopted the project management methodology called the Project Management Body of Knowledge.

47 Department of Parliamentary Services, Annual Report 2018–19, DPS, 2019, page vii.

48 DPS also had enterprise risk management frameworks in place throughout the life of the program that provided an overarching approach to risk management within the department.

49 Department of the Prime Minister and Cabinet, Guide to Implementation Planning, PM&C, Canberra, 2014, p. 12, https://www.pmc.gov.au/sites/default/files/files/guide-to-implementation-planning.pdf [accessed 30 November 2020].

50 PMP consisted of an overarching plan and a range of sub-plans.

51 In December 2016, a project for the replacement of the security communications and two-radio system was included under the scope of the Group Two works. It had been managed separate to the program by the DPS Security Branch and was at approximately 20 per cent completion at the time of handover.

52 The National Heritage List is Australia’s list of natural, historic and Indigenous places of outstanding significance to the nation. Once a place is put on the National Heritage List the provisions of the Environment Protection and Biodiversity Conservation Act 1999 apply. The Act does not apply to Parliament House.

53 In 2018–19, DPS developed the Management of Design Integrity Framework, which aimed to ensure that future upgrades to the building and surrounds are guided by the design intent of the original architects.

54 The ANAO examined 34 of the 37 security works projects. The ANAO did not examine the design of the radio upgrades component of the Group Two works as the design of this body of work occurred prior to it being managed as part of the program and was less likely to have substantial impacts on the design integrity and heritage of Parliament House. The ANAO also did not examine two projects that were added to the program later in the process, in November 2018 and May 2019.

55 The moral rights holder for Parliament House is currently a representative of the original architect.

56 Department of Finance, Procurement Process Considerations [Internet], Finance, available from https://www.finance.gov.au/government/procurement/buying-australian-government/procurement-process-considerations, 7 August 2020 [accessed 25 November 2020].

57 This work was undertaken by the PMCA.

58 Commonwealth Procurement Rules – July 2014, paragraph 8.2. Commonwealth Procurement Rules – 20 April 2019, paragraph 8.2 had been slightly reworded to read ‘Relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement…’.

59 Department of Finance, Procurement Process Considerations [Internet], Finance, available from https://www.finance.gov.au/government/procurement/buying-australian-government/procurement-process-considerations, 7 August 2020 [accessed 25 November 2020].

60 Commonwealth Procurement Rules paragraph 10.3 relevantly stated ‘A relevant entity must only conduct a procurement at or above the relevant procurement threshold through limited tender in the following circumstances:…b. when, for reasons of extreme urgency brought about by events unforeseen by the relevant entity, the goods and services could not be obtained in time under open tender or prequalified tender’.

61 See CPR paragraphs 6.1 and 6.6 and the Public Governance, Performance and Accountability Act 2013, section 15.

62 The Commonwealth Procurement Rules contain accountability and transparency requirements in respect of notifications to the market to ensure that all potential tenderers receive sufficient and consistent information in a timely manner: Commonwealth Procurement Rules – July 2014, paragraphs 7.9 to 7.15.

63 Entities should ensure that confidential or sensitive or classified information is managed appropriately through the approach to market process, and the Commonwealth Procurement Rules do not oblige entities to release this information: Commonwealth Procurement Rules – July 2014, paragraph 10.7.

64 Digital sourcing model contracts are now managed by the Digital Transformation Agency.

65 The eight contracts related to security consultancy services (one instance undated, one instance dated 5 March 2015, and one instance dated 7 June 2017), programming services (one instance dated 22 June 2016), quantity surveyor services (one instance dated 12 February 2015), management advisory services (one instance dated 27 May 2015), business analysis services (one instance undated and one instance dated September 2015).

66 Department of Finance, Australian Government Contract Management Guide, January 2020, available from https://www.finance.gov.au/government/procurement/contract-management-guide [accessed 16 November 2020]. The Commonwealth ClauseBank includes pre-drafted contract terms and the Commonwealth Contracting Suite (CCS) aims to streamline and simplify procurement processes, setting out better practice for standard contract terms and conditions.

67 Commonwealth Procurement Rules – July 2014, paragraphs 8.2 and 8.3; Commonwealth Procurement Rules – 20 April 2019, paragraphs 8.2 and 8.4.

68 Commonwealth, Official Committee Hansard, Senate, Finance and Public Administration Legislation Committee, Estimates, 23 October 2017, testimony of Mr Cooper, p. 32.

69 In June 2021, DPS advised that the Group One architectural services was managed through regular meetings and interactions with the contractor that they have a longstanding relationship with, as the moral rights administrators for Parliament House. For the PMCA, DPS considered the contract to have detailed and specific level requirements with respect to performance requirements, with established reporting requirements. For the Group Two radio upgrade services, DPS assessed the contract to be primarily for the purchase of hardware and equipment, with only a small element of system integration, and for this reason a contract management plan was not considered to be required.

70 Department of Parliamentary Services, Submission to the Senate Finance and Public Administration Legislation Committee, Submission 6, DPS, 29 April 2015, p. 15.

71 Target audiences that were not included were school groups, tour operators, official visitors, tourists, National Capital Authority, ACT Government and suppliers/couriers.

72 Department of Parliamentary Services, Submission to the Senate Finance and Public Administration Legislation Committee, DPS, 29 April 2015, p. 7.

73 Accountable authorities are responsible for the proper use and management of public resources (section 26). Accountable authorities may also enter, vary and administer arrangements (such as contracts, agreements and deeds) relating to the affairs of the entity (section 23).

74 The rules outline that the ongoing management of the contract is an important element in achieving the objectives of the procurement. Department of Finance, Commonwealth Procurement Rules, April 2019, available from https://www.finance.gov.au/sites/default/files/2019-11/CPRs-20-April-2019_1.pdf [accessed 16 November 2020], paragraph 2.10.

75 Department of Finance, Australian Government Contract Management Guide, January 2020, available from https://www.finance.gov.au/government/procurement/contract-management-guide [accessed 16 November 2020], p. 29.

76 Chapter 3 examines the effectiveness of contract management arrangements at paragraphs 3.32 to 3.39.

77 The Group One construction manager contract; the Group Two managing contractor (physical security) contract; the Group Two head contractor (electronic security) contract; and the Group Two radio upgrade services contract.

78 The Group One architectural services contract and the contract for the PMCA.

79 Measurable indicators may be called key performance indicators or service level agreements.

80 Department of Finance, Contract Management Guide, January 2020, available from https://www.finance.gov.au/government/procurement/contract-management-guide [accessed 16 November 2020], pp. 29–30.

81 In June 2021, DPS provided contract variation registers in place of scope change registers.

82 Acceptance testing is the process of the contract manager ensuring that the supplier meets its obligations under the contracts — including that the goods or services purchased under the contract are received on time, within budget and are fully compliant with contract specifications.

83 The four contracts were the Group One construction manager contract, the Group Two managing contractor (physical security) contract, the Group Two head contractor (electronic security) contract, and the Group Two radio upgrade services contract.

84 Appendix 6 summarises DPS reporting on completion of the four delivery contracts, in terms of whether the elements of the contracts were delivered on time, and provides an ANAO assessment. As a result of delays to the delivery of the program, the contract with the PMCA was extended from September 2017 to December 2019.

85 Commonwealth of Australia, Mid-Year Economic and Fiscal Outlook 2018–19, The Treasury, Canberra, 2018, pp. 144 and 213, [Internet], available at: https://archive.budget.gov.au/2018-19/myefo/myefo_2018-19.pdf [accessed April 2021].

86 Attorney-General’s Department, Protective Security Policy Framework [Internet], AGD, available from https://www.protectivesecurity.gov.au [accessed 25 November 2020]. A new PSPF commenced on 1 October 2018, replacing the PSPF in force since 2014.

87 Attorney-General’s Department, Physical Security [Internet], AGD, available from https://www.protectivesecurity.gov.au/physical/Pages/default.aspx [accessed 25 November 2020].

88 Department of Parliamentary Services, Annual Report 2014–15, DPS, 2015, pp. 46–47.

89 The three risk assessments were the Interim Review, the Targeted Security Review and the Parliament House Security Review (AECOM).

90 The PSPF requires that agencies must prepare and regularly review a security plan to assess and manage their security risks, and sets out the mandatory elements of the plan: PSPF Chapter 3 Security planning and risk management; formerly GOV-4 and PHYSEC-1.

91 The PSPF distinguishes between five types of security zone: Zone 1 (public access areas), Zone 2 (entity office areas), Zone 3 (entity restricted office areas), Zone 4 (entity restricted office areas with additional controls), and Zone 5 (entity highly restricted office area): PSPF, Chapter 16 Entity facilities [Internet], Table 2, AGD https://www.protectivesecurity.gov.au/sites/default/files/Table-2-security-zone-descriptions.pdf [accessed 30 November 2020].

92 Integrating protective security considerations into facilities is a core requirement of PSPF Chapter 16 Entity facilities (formerly PHYSEC-3). Security zone certification and accreditation is covered by supporting requirements 7 and 8 of Chapter 16.

93 See Table 3.1.

94 At the time of the audit, these works had commenced, but were not complete.

95 Annual reporting is a core requirement of PSPF Chapter 5 Reporting on security (formerly GOV-7), and reviewing security plans is a mandatory supporting requirement from PSPF Chapter 3 Security planning and risk management (formerly GOV-4).

96 Attorney-General’s Department, PSPF Chapter 5 Reporting on security, Annex A PPF Security Self-Assessment Maturity Model [Internet], AGD, https://www.protectivesecurity.gov.au/sites/default/files/2020-06/govsec05-annexa-security-governance_2.pdf [accessed 30 November 2020].

97 Commonwealth, Official Committee Hansard, Senate, Finance and Public Administration Legislation Committee, Estimates, 2 March 2020, p. 22.

98 DPS October 2020 PSPF annual compliance report self-assessed the overall maturity rating level to be ‘managing’, with all subcomponents also self-assessed at the ‘managing’ maturity level.