The Digital Transformation Agency (DTA) is “ineffective” at one of its core functions – IT procurement – failing to prove value for money in some cases and falling “short of ethical requirements” in others, according to auditors.
An excoriating audit of the DTA’s IT procurement practices, published in the lead-up to a public holiday, criticises the agency’s work on projects including myGov, the COVIDSafe app and hardening government IT or HGIT, under which a series of cyber security hubs are being stood up.
The audit did not cover whole-of-government arrangements or purchases made through “ICT-related panels.”
But it did see auditors examine nine procurements – including “seven of the DTA’s nine highest value procurements” with start dates in 2019–20 and 2020–21 – and the findings aren’t pretty.
“For the nine ICT-related procurements examined by the [audit office], the DTA did not conduct the procurements effectively and its approach fell short of ethical requirements,” the auditors state. [pdf]
“None of these procurements fully complied with the Commonwealth Procurement Rules (CPRs).
“The DTA did not conduct approach-to-market or tender evaluation processes effectively, and it did not consistently provide sound advice to decision-makers.”
The audit also notes that “none of the nine procurements had a contract management plan”.
“While its contracts include performance expectations, the DTA has not effectively monitored performance against these expectations,” the auditors said.
“The DTA has not effectively managed contracts to deliver against the objectives of the procurements and to achieve value for money.
“Its management of one of the examined procurements fell particularly short of ethical requirements, with the DTA changing the scope and substantially increasing the value of the contract through 10 variations.”
The agency’s use of variations to contracts – rather than re-testing the market – is a practice that comes in for considerable criticism from auditors.
“The DTA varied seven of the nine procurements examined,” the auditors said.
“In one case, a directly sourced contract was ‘leveraged’ multiple times, increasing in value by 40 times with substantial changes to scope.
“Varying a contract in this way is not consistent with ethical requirements.”
Auditors uncovered evidence of pushback by some teams to the practice, but this did not appear to have an impact.
While the DTA accepted all recommendations, its comments to the auditor suggest it blamed the pandemic for some of the issues.
“While the audit report identifies shortfalls in relation to internal procurement processes, controls and education, each of the sampled procurements still achieved their intended outcomes and supported critical delivery requirements in an unprecedented pandemic environment,” a summary of the DTA’s response to the audit states.
However, the audit concludes only one-third of the procurements “relate to the Australian government’s response to the pandemic: myGov Upgrade Horizon 1; COVIDSafe app development; and COVIDSafe app enhancements.”
For two of those – and two other procurements – the auditors found the DTA only approached one supplier.
“For the COVIDSafe app development procurement, the rationale for approaching only one supplier was that it was an ‘urgent’ requirement ‘to support the Covid-19 response’,” the auditors state.
“DTA’s internal finance team advised the business area that, as the procurement was Covid-19-related, ‘we can bypass the usual process’.”
‘Potential fraud’ incident
The audit also unpacks what is described as an alleged “potential fraud” incident with a package of work related to the digital identity charging framework in myGov.
The incident involved alleged “potential” conflicts of interest in the awarding of labour hire agreements to an IT contracting firm, and “above-market rates being paid”.
The auditors said the DTA engaged McGrathNicol to perform “an ‘initial assessment’” of the incident but “not a fraud investigation”.
The conclusion was one of “insufficient evidence”; DTA staff were given some “procurement refresh training”, but otherwise the agency “did not take appropriate action”, the auditors said.
Not only was the contract “not terminated” but it was “varied twice after the examination was completed, extending the end date and increasing the value,” the auditor found.
The auditors also uncovered an instance where a supplier in the COVIDSafe app development procurement was paid twice, with overpayments totalling $380,600.
Upon being made aware in March this year, the DTA said it was likely the result of “human error”.
It also said that while its “financial management software should have displayed an error message identifying a potential duplicate payment, this could have been overridden.”
The overpayment was acknowledged by the supplier in June. However, by mid-August, the auditors said, “the DTA had not yet reached an agreement with [the supplier] on a repayment plan or recovered any of the funds.”