- Practice
Identifying and addressing non-compliance
Introduction
3.1The previous chapter discussed significant variation in the governance practices of regulators, right across the capabilities of data collection and management, employing a risk-based approach, and having in place appropriate and contemporary policies and procedures, in addition to statements of expectations and intent.
3.2This chapter focusses on the practices of regulators, in particular their monitoring activities and use of regulatory powers, and finds a similar divergence in regulator performance, including poor performance again by regulators who have had well-established and long-running regulatory responsibilities.
3.3Regulators have a responsibility, according to the Australian National Audit Office (ANAO), to provide confidence to the Parliament, the Government and the Australian community that regulated entities are complying with their statutory obligations and that appropriate enforcement action is taken when a regulated entity fails to meet its obligations.
3.4This chapter begins by discussing the policy guidance provided by the Department of Finance (Finance) as it relates to the practice of regulation. It then discusses the manner in which regulators have approached monitoring regulated entities for compliance with the law; how regulators have used their regulatory powers; and whether investigations comply with the Australian Government Investigation Standards (AGIS).
3.5A key theme in this chapter is the diversity of approaches to compliance monitoring—from a complete failure to undertake any compliance monitoring to largely effective processes. Similar diversity was found in regulators’ use of their regulatory powers—the Department of Health and Aged Care (Health) sought to use powers for which it did not at the time have legislative authority, while the Department of Industry, Science and Resources’ (DISR) regulatory action in response to non-compliance was neither timely nor effective. Table 3.1 summarises the audit findings with regard to compliance monitoring, use of regulatory powers, and investigation standards.
Table 3.1Audit findings on regulator performance – Practice
| | | | | |
Audit finding | Largely effective | Largely effective | Not effective | Partly effective | Partly effective |
Compliance monitoring | Reactive and proactive approaches to monitoring compliance; use of operational intelligence | Largely prepared to monitor and enforce compliance; use of data to target monitoring | No regulatory action to monitor; registration process deficient | Appropriate approaches but failing to meet targets for monitoring; non-compliance increasing | Largely effective processes to detect and deal with suspected GST fraud |
Use of regulatory powers | Completed 10,000 cases; issued fewer than 200 infringement notices | Health funded for compliance role that exceeded statutory powers; ACQSC began monitoring on time | Regulatory powers rarely used | Regulatory action in response to non-compliance not timely or effective | N/A |
Investigation standards | Updating to AGIS 2022; investigation framework not fully fit for purpose; conduct does not fully align with AGIS | N/A | N/A | N/A | Updating to AGIS 2022 |
Source: Australian National Audit Office, Committee Hansard, National Measurement Institute
Policy guidance—Department of Finance
3.6The Regulatory Policy, Practice & Performance Framework (Framework) developed by Finance offers principles to assist entities in their regulatory responsibilities. Finance states regulators should align regulatory management with the six principles: targeted and risk-based (and proportionate); integrated in existing systems; user-centred; evidence-based and data driven; reflective of the digital era; and continuously improved and outcomes-focussed. Two of these principles are most relevant to the discussion in this chapter: targeted and risk-based, and evidence-based and data driven.
3.7A good regulatory system, according to the Framework, enables a targeted, risk-based and proportionate approach to regulation through education, administration, compliance, and enforcement activities. Regulatory intervention should be proportionate to the identified level of risk for an issue, drive compliance, and act as an effective deterrent.
3.8The policy advice for putting a targeted, risk-based and proportionate approach to regulation into practice does not deal in any detail with what constitutes proportionate activities or how they might be designed to drive compliance. Rather, it suggests that regulators should:
- establish checks and balances to identify potential issues early and minimise harm occurring
- work collaboratively with stakeholders to develop solutions with the greatest positive impact to the broader community
- design a regulatory system that allows the regulator to act in a proportionate and risk-based way to achieve the desired regulatory outcomes.
- With regard to putting in place an evidence-based and data-driven approach to regulation, when implementing regulatory systems, regulators should establish regulatory postures and fit-for-purpose education, monitoring, compliance, and enforcement strategies that are evidence-based and data-driven.
- When managing regulation, regulators should:
- consult the regulator performance guide (RMG 128) for best practice advice on taking a risk-based and data-driven approach
- implement data collection strategies to inform risk-based assessments and evidence-based education, monitoring, compliance, and enforcement decisions.
- RMG 128 provides guidance on the three best practice principles of regulation: continuous improvement and building trust; risk-based and data driven; and collaboration and engagement, in addition to an overview of performance reporting, and statements of expectations and intent.
- The policy guidance is not specifically targeted to the actual practice of an entity’s regulatory responsibilities discussed in this chapter, beyond stating ‘a risk based approach allows a regulator to properly assess the risks of non-compliance and respond in a proportionate way to the harm being managed’, and suggesting ‘strategic management of risk can improve efficiency by prioritising resources to the areas of highest risk, and increase compliance by focusing limited resources on the areas of the greatest risk of non-compliance’. Data and digital technology can be leveraged to help regulators better understand and manage risks.
Insights—Australian National Audit Office
3.13In its Insight publication on administering regulation, the ANAO states the development of a compliance program using the full scope of regulatory powers and responsibilities, which are proportionate to assessed compliance risk, supports the effective targeting of regulatory resources.
3.14The ANAO states a well-planned and strategically targeted compliance program enables an assessment of improvements or deterioration of compliance of regulated entities over time, and possible drivers, which itself can inform such activities as education and awareness raising.
3.15A fully implemented compliance program includes regulator action on identified instances of non-compliance. While regulatory responses are usually established in legislation, and should align with the severity and frequency of non-compliance, responses should escalate if non-compliance is not rectified over time.
Compliance monitoring
3.16As noted above, regulatory responsibilities include ensuring regulated entities are complying with their statutory obligations, and that when non-compliance is detected, appropriate enforcement action is taken.
3.17This section discusses the Department of Home Affairs’ (Home Affairs) failure to undertake monitoring activities and deficiencies in its registration process; Health’s proactive and reactive activities in the regulation of therapeutic goods; the regulatory roles of Health and the Aged Care Quality and Safety Commission (ACQSC) with regard to the aged care reforms; the declining record of trader audits undertaken by DISR; and the Australian Taxation Office’s (ATO) fraud detection and prevention models.
Home Affairs—Regulation of migration agents
3.18The ANAO found, notwithstanding a legislated obligation to do so, Home Affairs did not effectively regulate migration agents. The administration of the registration and re-registration process did not sufficiently address whether registered agents were fit and proper to give immigration assistance and were persons of integrity; and there was no regulatory action undertaken to monitor the activities of registered agents or providers of continuing professional development.
Registration and re-registration
3.19Home Affairs is required to be satisfied a registered migration agent is fit and proper to give immigration assistance and is a person of integrity, prior to approving registration. The audit found the registration and re-registration process did not ensure this occurred, in part due to practices such as deeming and automated registration approvals.
3.20The audit found that so long as certain conditions are met, re-registering applicants automatically continue to be registered until a decision is made. If a period of 10 months has passed since the applicant’s registration has expired and no ‘decision’ has been made, registrations are ‘deemed’ (granted). The ANAO found that agents for which there are serious integrity concerns, have had repeat applications to register ‘deemed,’ sometimes multiple times. Forty per cent of agents identified by Home Affairs itself has suspected of facilitation of criminal enterprise have had their registration applications ‘deemed’; twenty per cent have had registration ‘auto-granted’.
3.21The Migration Agents Regulatory System (MARS), is used to manage migration agent registration, continuing professional development (CPD) providers, complaints against registered migration agents (RMA), and consumer enquiries. In April 2021, Home Affairs implemented an automated decision-making process whereby MARS automatically approved an application for repeat registration based on certain criteria including:
- agent experience—greater than 12 months
- character—agent must have answered ‘no’ to a set of questions relating to integrity, fitness and propriety
- complaints—no open complaints and two or less closed complaints in less than 5 years
- disciplinary action—cannot have been subject to a caution, suspension, cancellation or barring.
- The audit found that since April 2021, 59 per cent of repeat registrations had been subject to automated approval. An auto-granted registration means there is no assessment of an application by a departmental officer. Applications for some agents for whom Home Affairs held integrity concerns have been auto-granted. The ANAO was told by Home Affairs it was unable to locate ‘any policy or legal document that supports implementation of the auto-grant process’.
- Home Affairs has subsequently advised it no longer auto-grants applications for re-registration and all registration applications are manually processed. It also advised that subject to the passage of legislation through the Parliament, it would implement strengthened background checks for all registered migration agents. Home Affairs has not commented on whether applications can still be deemed.
Monitoring agent conduct
3.24Under the Migration Act 1958 (Migration Act), Home Affairs is required to monitor the conduct of RMAs in their provision of immigration assistance. Home Affairs does not presently report on monitoring activities. The most recent reporting available on the activities was Home Affairs’ 2015–16 Annual Report, which stated a range of monitoring activities had been conducted during that year, including:
- self-audit surveys to ensure agent compliance with various aspects of the code
- review of agent websites to verify adherence to advertising requirements
- checking that new agents held the required elements of a professional library
- office visits to assess business processes in accordance with the code
- review of client files
- review of continuing professional development providers and activities.
- The ANAO found the following with regard to monitoring activities:
- the number of monitoring activities recorded in MARS had reduced substantially since 2015–16
- of the 38 quarters in the period examined, just over one third (37 per cent) included any monitoring
- no monitoring activities had been recorded since the first quarter of 2020–21.
- Home Affairs stated it had developed a Compliance and Monitoring Framework, Strategy and Plan for 2024–25 and monitoring activities had commenced in September 2024, focussed on:
- the use of migration agent registration numbers in advertising and other publications
- handling of client money obligations.
- This is substantively less than the monitoring activities reported in 2015–16. HomeAffairs stated the plan identifies monitoring activities to be conducted using its regulatory powers, but provided no further detail or evidence. Home Affairs has not yet decided how it will report on its monitoring activities.
Monitoring continuing professional development providers
3.28Home Affairs was also found to be not effectively monitoring CPD providers. Registered migration agents are required to maintain requisite knowledge and skills by completing mandatory CPD requirements.
3.29Home Affairs has not undertaken and documented a risk assessment of the population of approved CPD providers. There are 22providers approved by HomeAffairs, and in 2023, one provider provided more than half of reported continuing professional development. The ANAO noted this meant Home Affairs would need only to focus on a small number of providers to obtain assurance over the significant majority of CPD being undertaken by registered migration agents.
3.30The ANAO found that in considering whether a CPD provider meets the fit and proper person requirement under the Migration Act Regulations, Home Affairs’ consideration of prior complaints against a provider was limited. By way of example, Home Affairs assessed an application in November 2021 from a CPD provider containing the names of 13employees who were registered migration agents or former registered migration agents.
3.31Home Affairs considered ‘a few of the agents have some complaints against their names’ but ‘the complaints appear minor in nature and have not affected their ability to register as agents’. In fact:
- ten of the thirteen had been subject to complaints
- four were the subject of more than five complaints and two more than ten complaints
- two were found to have breached the Code of Conduct without any disciplinary action being taken
- of the total 62 complaints against the 13 agents, Home Affairs had no records on the substance of 33 of the complaints, any actions taken, or the outcome. The ANAO found Home Affairs was not able to provide evidence it had properly considered the complaints in arriving at its decision.
- The CPD Provider Standards establish the requirement that CPD activity is to be prepared or presented by persons who are suitably qualified. The audit found Home Affairs had no arrangements in place to assure itself the persons delivering CPD were suitably qualified; and had inadequate controls in place to identify whether approved CPD providers had identified all registered migration agents delivering training, and whether there have been any complaints about those agents.
- The CPD activities developed by providers require no approval from Home Affairs. Rather, providers must accommodate and cooperate with quality assurance processes conducted by Home Affairs. Providers are told HomeAffairs will undertake monitoring to ensure compliance with the CPD Provider Standards and CPD Framework. Home Affairs identified, in its 2018–19 Compliance Plan, a risk that providers may deliver poor quality CPD that does not comply with the standards, and proposed to address the risk through strategies it did not subsequently implement. These included failing to undertake a desk audit of all CPD providers (four occurred in 2019–20 and none subsequently), and to attend a selection of mandatory CPD activities for between 40 per cent and 60 per cent of providers.
Department of Health—Therapeutic Goods Act non-compliance
3.34Health was found to have reactive and proactive approaches to monitoring for compliance. The Therapeutic Goods Administration (TGA) website has a page entitled ‘report a breach,’ which includes links to online forms for ‘product and import non-compliance’ and for ‘advertising non-compliance’. The audit found Health had effectively implemented procedures for recording and triaging reports of alleged non-compliance. A clear workflow had been established, although recordkeeping of triage outcomes was poor. The triage system allows for a two-pass assessment where required, and results in the escalation of more serious cases.
3.35Health undertakes proactive regulatory activities related to the import and supply of therapeutic goods and the identification of advertising non-compliance. For the import and supply of therapeutic goods, Health has allocated an officer to prepare operational intelligence reports on compliance topics for operational areas, and to respond to specific requests for information. Health has relationships with other government entities for intelligence sharing.
3.36To deter and address the unlawful advertising of unapproved therapeutic goods on digital platforms, Health undertakes a number of activities, including: establishing ongoing relationships with digital platforms; providing digital platforms with information and guidance on advertising requirements to prevent unlawful advertisements; monitoring digital platforms; and establishing processes to report unlawful advertisements to platforms.
3.37The audit found Health’s compliance plans were out of date or in draft form. Health advised the Committee it had set compliance priorities for 2024–25 and confirmed there were compliance plans for each compliance priority.
Department of Health and ACQSC—Aged Care Reforms
Regulatory roles
3.38The audit into the aged care reforms examined whether the regulating entities, Health and the ACQSC, were prepared to regulate the implementation of new requirements for mandatory care minutes and 24/7 registered nurse requirements.
3.39Though previous independent reviews of aged care regulation had found a lack of clarity in responsibilities between Health and the ACQSC, in the case of aged care reforms, the ANAO found respective roles and responsibilities for regulating compliance with the new requirements had been clearly defined and communicated to stakeholders. Further, the roles and responsibilities were consistent with statutory powers, almost.
3.40Health had planned to conduct a program of audits of provider compliance reporting —including some forensic on-site audits in higher risk facilities—for which it lacked legislative authority. This power to monitor whether information given by providers is correct had been provided to the ACQSC through legislation that had been intended to centralise regulatory functions and powers within a single regulator to address previous fragmentation of these functions.
3.41Health had separate statutory powers to verify the accuracy or data quality of compliance reports and financial reports. Its regulatory authority in that instance was to issue a notice requiring a provider to provide further information. Legislation at the time did not give Health powers relating to entry and search, monitoring and investigation, or the ability to require persons to attend a place and answer questions, or issue sanctions. Health was aware it did not have the necessary legal power to undertake the proposed audit function and legislation would be required to provide these powers.
3.42When asked about its actions to expand its regulatory function to audit activities, Health did not answer the question, referring instead to its assurance activities, of which the Committee was already aware.
Risk-based and randomised targeting
3.43To monitor compliance, Health planned to target 755 facilities for audit each year—90 per cent on the basis of risk, and 10 per cent selected randomly to benchmark the effectiveness of the targeting strategy.
3.44Health developed an audit site development tool to support its compliance monitoring. The purpose of the tool was to assign relative risk levels to residential aged care services to support risk-based targeting and to generate an unbiased sample of services on a randomised basis for audit. The tool was designed to detect anomalies in reported data, for instance, unusually high or low expenses for registered nurses or unusually high reported care minutes. Delays in Health business processes, in particular with regard to measuring the accuracy of the targeting model, meant the proportion of risk-based (90 per cent) and random selection (10 per cent) was not initially met.
3.45The ACQSC has also used risk profiling to develop concepts or hypotheses to test and target its regulatory efforts where there is the greatest potential risk for and impact on older people. The testing occurs through targeted programs of regulatory engagement, including active supervision of poor performers. The ACQSC analyses quantitative and qualitative data, and comparative case studies to evaluate and improve its risk profiling and regulatory response. Validated risk profiles are used to measure regulatory outcomes over time and the ACQSC adjusts its regulatory approach accordingly.
Department of Industry, Science and Resources—Trade measurement
3.46The ANAO found DISR’s approach to trade measurement compliance had been party effective. This finding was in part due to the fact that while DISR had appropriate approaches to monitor the level of compliance, it had both reduced its compliance monitoring and had not met its own targets for trader audits, at the same time as compliance rates were remaining largely static (initial audits) or declining (follow-up audits). Further, DISR was overstating the number of trader audits it undertook, including in the total such activities as online research where no regulatory powers were used.
National Measurement Act 1960 obligations versus contracted responsibilities
3.47At the same time DISR was failing to reach its own targets to regulate the activities it was obligated to by the National Measurement Act 1960 (National Measurement Act), it was prioritising and exceeding targets for monitoring and compliance of tobacco plain packaging (TPP) laws, undertaken under contract (memorandum of understanding) for Health. It was similarly prioritising fuel inspection and sampling activities undertaken on behalf of the Department of Climate Change, Energy, the Environment and Water.
3.48When asked how DISR was of the view it was giving appropriate priority to its responsibilities under the National Measurement Act, DISR responded by talking about its regulatory approach, its use of cooperative agreements, the impact of the COVID pandemic, and the activities of inspectors. DISR told the committee it did appear that it prioritised tobacco plain packaging activities over its legislated responsibilities, but this was because it had trouble recruiting inspectors following the pandemic.
3.49The ANAO had found DISR did in fact instruct its inspectors to prioritise tobacco plain packaging visits over trader audit activities in order to meet the terms of the memorandum of understanding with Health.
3.50In response to a recommendation that DISR give appropriate priority to its responsibilities under the National Measurement Act, DISR told the ANAO that if it gave appropriate priority to its responsibilities under the National Management Act, it was DISR’s decision as to the scope and extent of activities it undertook for other entities.
Regulatory activity under National Measurement Act 1960 obligations
3.51Until 2022–23, DISR published its annual priorities in a National Compliance Plan, which included its projected national audit activities, that is, the target number of trader audits, instrument tests, pre-packaged article inspections, trial purchases and fuel sample monitoring. Since 2023–24 it has published its annual priorities in the ‘Legal Metrology Priorities’ publication, which does not include numerical targets for trader audits. The target for trader audits in 2023–24—5,450—was provided in a response to a question on notice. This is more than six thousand audits below DISR’s target in 2017–18, a decrease of almost 53 per cent from the previous target. Of the targeted 5,450 audits, the NMI carried out 5,161. This is shown in Table 3.2.
Table 3.2DISR compliance targets and actual performance
| | | |
| | | | | |
2017–18 | 11,500 | 9,633 | 13,000 | 14,906 | 85,000 | 71,799 |
2018–19 | 8,000 | 7,586 | 10,000 | 15,887 | 60,000 | 70,183 |
2019–20 | 10,000 | 7,600 | 10,000 | 13,588 | 70,000 | 78,290 |
2020–21 | 10,000 | 4,842 | 10,000 | 14,049 | 70,000 | 25,990 |
2021–22 | 8,000 | 3,131 | 15,000 | 7,118 | 70,000 | 17,360 |
2022–23 | 8,000 | 4,410 | 10,000 | 7,651 | 60,000 | 29,966 |
2023–24 | 5,450 | 5,161 | N/A | 8,526 | N/A | 61,263 |
Source: Australian National Audit Office and National Measurement Institute
3.52Since 2017–18, the actual number of audits has decreased by almost 47percent. Though DISR continues to cite the pandemic as a factor in this decline, the decline in performance was occurring well prior to the pandemic. This was noted by the ANAO.
3.53One reason for the decline in trader audits, according to DISR, it that it has adjusted its regulatory approach to focus greater attention on harm, rather than solely focussing on measurement accuracy. Previously, the Committee was told, an inspector ‘might just go in, do an instrument and leave.’ Now, inspectors undertake multiple investigations—check multiple instruments, check the trading practices, check pre-packaged goods, check if there is a quality assurance system, and check who the suppliers, manufacturers and importers are, amongst other things. It is not clear how this reflects a change in focus from accuracy to harm, which elsewhere DISR suggested may be related to the size of an entity.
3.54This change in focus, DISR says, means inspectors now discuss a range of topics with a trader to assess compliance, including assessing trader practices and viewing quality systems and training records. It states, the approach seeks to improve compliance outcomes by ensuring appropriate systems are in place to achieve ongoing compliance. No detail has been provided on when this new approach was introduced. It is not clear what the outcome of this change in approach has been.
Table 3.3Trader audits and non-compliance rates
| | | | |
| | | |
2019–20 | 5,736 | 1,932 | 33.7% | 1,864 | 470 | 25.2% |
2020–21 | 3,587 | 1,222 | 34.1% | 1,255 | 337 | 26.9% |
2021–22 | 2,529 | 791 | 31.3% | 602 | 121 | 20.1% |
2022–23 | 3,183 | 1,059 | 33.3% | 1,227 | 282 | 23.0% |
2023–24 | 3,634 | 1,197 | 32.9% | 1,527 | 433 | 28.4% |
Source: National Measurement Institute
3.55Data shows the level of non-compliance detected in follow-up audits is increasing; non-compliance was detected in 28.4% of follow-up audits in 2023–24. The ANAO found DISR’s monitoring and reporting arrangements did not extend to the effectiveness of its regulatory approach.
3.56The Committee was told that the level of non-compliance may be affected by shortcomings in DISR’s database whereby a follow-up audit might confirm the initial non-compliance had been rectified, but further non-compliance was detected. This was recorded as non-compliance. DISR stated it had modified its database—Trade Measurement Activity Recording System (TMARS)—to ensure further non-compliance issues were treated as a new metric, and as a consequence, expected compliance rates on follow-up audits to improve.
3.57However, notwithstanding the improvement to its database, DISR did not provide any statistics on what percentage of non-compliance at follow-up was existing or new. During the audit, the ANAO had found inconsistencies in record keeping and limited information in the TMARS system meant it was difficult to assess whether non-compliance identified in initial audits had actually been addressed at the time of the follow-up audits.
Australian Taxation Office—Management of GST fraud risk
3.58The ATO uses risk assessment tools and models to detect potentially incorrect goods and services tax (GST) refunds in a ‘real time environment’ at the time of the business activity statement (BAS) lodgement and prior to the issue of any refund. All BAS refunds are risk assessed as part of the refund processing system.
3.59Under the Contemporising GST Risk Models (CGRM) project, the ATO has been redesigning risk models to detect BAS refunds that are incorrect. The ATO had deployed a number of risk models under the program since 2021, and at the time of the audit, was assessing the effectiveness of two risk models through a random audit program. The CGRM project has a history of schedule overruns.
3.60When a tax refund has been identified by a model as requiring review based on a likelihood score, the ATO undertakes risk treatments. The number of cases actioned by the ATO is determined by the number of risk treatments planned to be undertaken by each business line, not the model outputs. In 2022–23 the ATO undertook 43,103 pre-issue refund checks and 26,796 post-issue refund checks—a significant increase from previous years as a consequence of additional risk treatments imposed during Operation Protego. The ATO’s accuracy in detecting fraudulent claims has generally been improving over time.
3.61The ATO also detects potential GST fraud through: referrals from financial institutions; data-matching for property transactions with GST implications; data collection and exchange of information with other tax jurisdictions to detect potential non-compliance of off-shore suppliers of low value important goods; and direct contact with taxpayers who are registered but have not met lodgement obligations. It also uses the justified trust regime to obtain assurance large businesses are paying the correct amount of GST.
3.62As discussed in chapter two, the audit found that the ATO did not collate or aggregate data from the various fraud detection methods in each ATO business line to develop a whole of GST product perspective of fraud, relying instead on reporting to internal committees.
3.63The ATO advised the Committee a holistic GST fraud risk assessment was completed in 2024, and future assessments would be undertaken every two years.
Use of regulatory powers
3.64The ANAO has found, over a number of audits, that regulators are not using their full suite of regulatory responses. Where regulatory powers are used, it is more often the regulatory powers at the lower end which are used, than the higher end.
Action in response to non-compliance
3.65Regulators, upon detecting non-compliance, should assess the extent of the non-compliance and the potential for harm and initiate proportionate action to address the risk posed by the non-compliance.
Department of Health—Therapeutic Goods Act non-compliance
3.66Health advised during the 2023–24 financial year, it issued almost 8,000 warning letters, seized over 8,000,000 goods for unlawful import, sent over 4,800 content removal requests for unlawful advertising of therapeutic goods on digital platforms, and finalised 10,000 cases. However, it had issued only 190 (or possibly only 150) infringement notices.
3.67When asked to explain the fact 10,000 cases were completed but less than 200 infringement notices had been issued, Health responded its approach was to work with an entity in ‘coming into compliance. We may be saying, “We believe this aspect on your website could be a breach of the advertising. Could you reconsider?”’ If there were repeated warnings, actions might proceed ‘up that compliance triangle to more serious aspects, such as infringement notices or civil or criminal action’.
3.68Health stated it takes an educative approach to compliance enforcement, with Health’s regulatory compliance framework for therapeutic goods including the key principle ‘we promote high levels of voluntary compliance by effectively engaging with and educating the regulated community, with clear guidance on how to comply’. Health further stated, ‘we recognise education and guidance are key to encouraging and assisting with compliance with Australian regulation’.
3.69Health had produced an advertising compliance education strategy and an advertising compliance education plan and in 2021–22, undertook a range of education activities with regard to advertising, including public education campaigns; developed guidance documents and fact sheets; held webinars and workshops; made media statements; engaged with stakeholders through a range of consultative arrangements; and operated an advertising inquiry management function. However, it still issued almost 8,000 warning letters in 2023–24.
Department of Industry, Science and Resources—Trade measurement
3.70The ANAO found DISR’s regulatory action in response to identified non-compliance was not timely or effective. During the audit period, DISR had been conducting fewer follow-up audits, and when they were undertaken, they were delayed. Increasing rates of non-compliance were being found in follow-up audits, and this was not consistently followed by enforcement action. Even where escalated enforcement action was taken, it was most commonly through warning letters and infringement notices, neither of which had been issued in a timely manner.
Table 3.4National Measurement Institute enforcement actions
| | | | | | | |
| |
2019–20 | 1,932 | 470 | 2,234 | 188 | 100 | 2 | 1 | 1 |
2020–21 | 1,222 | 337 | 1,787 | 40 | 12 | 2 | 1 | 0 |
2021–22 | 791 | 121 | 926 | 35 | 18 | 0 | 0 | 0 |
2022–23 | 1,059 | 282 | 1,687 | 47 | 18 | 1 | 1 | 0 |
2023–24 | 1,197 | 433 | 1,971 | 59 | 24 | 1 | 0 | 0 |
Source: National Measurement InstituteNC Notices – Non-compliance notices; Infringe notices – Infringement notices; EU – Enforceable undertakings; CDPP – Referrals to the CDPP; Convict – ConvictionsAn enforcement action, including a warning letter or infringement notice, may cover more than one breach of the law.
3.71Following identification of non-compliance, DISR’s enforcement and compliance policies specify the issuance of a non-compliance notice (containing information relating to the alleged non-compliance and the relevant legislative provision breached, and information on the obligations to undertake corrective action).
3.72A follow-up audit is to be scheduled to check the non-compliance has been corrected. If the inspector detects continued non-compliance, or the level of non-compliance initially detected results in more significant harm, the inspector may recommend an escalated regulatory response to the investigations and compliance team for review and decision.
3.73The ANAO observed instances where non-compliance notices were not issued despite non-compliance being identified—contrary to DISR’s internal procedures and public-facing documents. The ANAO also found instances where non-compliance was found in a follow-up audit and no further enforcement action was taken.
3.74The ANAO examined the timeliness of the issuance of warning letters and infringement notices over a three year period and found 43 per cent of warning letters were not issued within the required 43 days following recommendation by an investigating officer. On average it took 53 days, with the maximum being 395 days. Of the infringement notices examined, 84 per cent were not issued within the 34calendar days from recommendation, as required by DISR’s procedures. The average was 84 days, with the time taken to issue an infringement notice between 12and 316 days.
3.75The ANAO examined a sample of 20 enforcement actions (where a breach of the law had been identified) between 1 July 2019 and 30 June 2022:
- 45 per cent resulted in a warning letter, issued on average 74 days after the action was recommended
- 20 per cent resulted in an infringement notice, issued between 78 days and 4.6months following recommendation
- 25 per cent resulted in no further action being taken
- 10 per cent were in progress at the time of the audit.
- In 2023–24, DISR failed to meet its inspector guidance that specified follow-up audits should be scheduled 28 days after the initial non-compliance was identified—on average it was taking 71 days to complete a follow-up audit in 2023–24. This has been a long-running issue; the ANAO found a downward trend in the total number of follow-up audits conducted. This trend, in 2023–24, however, may be reversing.
- The Committee was told DISR responded to recommendation 5 of the audit to strengthen its approach to conducting follow-up audits, and to conduct follow-up audits in a timely manner, by introducing expectations for timeliness of follow-up audits.
- What DISR did in October 2023, was extend its timeframes for follow-up audits. The 28 day target was more than doubled to 60 days for non-compliance with consumer detriment, and more than quadrupled to 120 days for non-compliance with no consumer detriment. The Committee was advised that in the first six months of 2024–25, the average number of days taken to complete a follow-up audit was 44 days.
- The effectiveness of DISR’s regulatory responses is also not clear. The NMI provided the Committee with evidence of the effectiveness of its regulatory tools. Almost 40per cent of businesses receiving an infringement notice remained non-compliant at the following inspection. Records show that despite this figure, DISR has entered into only six enforceable undertakings since 2019–20—this is the next level of response available under the NMI’s escalatory model.
Table 3.5Effectiveness of NMI regulatory tools 2020–2024
| |
Education and non-compliance notice | 25% |
Warning letter | 29% |
Infringement notice | 39% |
Source: Department of Industry, Science and Resources
3.80The NMI was unable to explain the reasons repeatedly non-compliant retailers may not receive more substantial responses, beyond:
- repeated non-compliance may not lead to escalation in every instance, for instance if the non-compliance was related to low impact or low harm
- a single enforcement action may deal with multiple instances of failed compliance as enforcement actions are aggregated against entities not individual locations
- there may be a time delay between identifying a failed trader and issuing an infringement notice such that it crosses a year boundary.
- When asked for DISR’s accountability framework for strengthening its approach to follow-up audits and regulatory responses, DISR stated its Inspectors Manual contained expectations and key performance indicators; under its Trade Measurement Services Accountable Leadership Procedure it undertook supervisory checks to ensure expectations and key performance indicators were met; and internal auditing would commence in early 2025.
- When asked how the Inspectors Manual and Trade Measurement Services Accountable Leadership Procedure improved the timeliness of follow-up audits and the use of enforcement actions where non-compliance was detected, DISR responded:
- the Inspectors Manual set out mandatory requirements and best-practice for regulatory activities, and specified key performance indicators for follow-up inspections and details of expected activities at those inspection
- the Trade Measurement Services Accountable Leadership Procedure established a governance structure to ensure accountability of staff, including specifying the content and frequency of supervisory checks.
- Both these documents had been produced in response to recommendation 5 of the audit. The internal audit procedure to commence in early 2025 would confirm processes and procedures introduced following the audit were being followed.
Department of Health and ACQSC—Aged Care Reforms
3.84As noted above, Health was funded for, and began work to develop, an audit function for the care minutes and 24/7 RN provider reporting that exceeded its statutory powers. Through a procurement process, Health contracted EY to develop and deliver the audit methodology, a pilot activity to test the methodology, and training for staff. Health also planned to recruit staff so the audit activity could commence in Julyand August 2023, and planned to deploy an IT solution to support the audit function.
3.85However, the ANAO found the EY deliverables were delayed, mainly due to the absence of legal authority for Health’s proposed program of audits. Recruitment of staff for the audit function was also delayed, as was the IT solution. Health revised the final methodology to be delivered by EY to omit activities that would require new powers, and limited its role to verifying the accuracy of provider data using existing statutory powers. Health began verification activities, using its existing powers in September 2023. At the time of the audit, no verification activities had been completed.
3.86The ACQSC received additional funding to resource its regulatory activities for the new aged care requirements. It developed a regulatory approach that contained a three-phase plan—phase three of which was regulatory action, which was planned to commence in July 2023. The ACQSC divided services into three tranches depending on their risk profile. It planned to conduct 495 desk-based monitoring contacts and 198 one-day site visits to, amongst other things, monitor alternative clinical care arrangements in place at services that received an exemption from the 24/7 RN requirement and determine whether there was any non-compliance with the standards. The ACQSC assumed approximately 30 or 40 services would require escalation to a full on-site review against the standards. The ACQSC recognised it had overestimated the need for some monitoring and would seek to redeploy excess resources to support the desk-base monitoring and one-day site visits. At the time of the audit, the ACQSC had conducted 17 desk-based and 20 on-site monitoring activities.
Home Affairs—Regulation of migration agents
3.87The role of the Office of the Migration Agents Registration Authority (OMARA), under the Migration Act is to protect consumers of migration assistance and the integrity of the Australian visa system through its regulation of registered migration agents and former registered migration agents.
3.88The ANAO found Home Affairs did not take timely or effective regulatory action when it received complaints about the activities of individual agents; and it rarely used its regulatory powers. In 2022–23, 299 complaints about 244 migration agents were received. Only 9 per cent of complaints were actioned via a substantive regulatory response indicated by the use of powers available to Home Affairs under the Migration Act. Some complaints were dismissed because there was ‘insufficient evidence’ when Home Affairs had not actually used its regulatory powers to investigate.
3.89This is not a recent issue. For nine months between 2016 and 2017, there were no delegations in place for officials to exercise regulatory powers, but this had not affected monitoring of agent activities, investigations or sanctions because it had undertaken no such activities during the nine month period.
Registration decisions
3.90Home Affairs, under the Migration Act (section 305C), has the power to require an agent to provide prescribed information or documents in circumstances where HomeAffairs is considering refusing a registration application or making a decision to cancel or suspend an agent’s registration, or cautioning an agent.
3.91Home Affairs stated there ‘may be very clear reasons’ it did not use its section 305C powers to obtain evidence, including because it was of the view the available evidence did not support the allegations. Other reasons were where evidence had been obtained under a different section of the Migration Act (section 308), and where evidence was already available to support the allegations.
3.92The ANAO examined whether this account of the non-use of regulatory powers accorded with practice and found with regard to one case:
- one agent’s applications for registration and re-registration had been approved annually between 2005 and 2022 (including four times by deeming)
- between 2006 and 2019, 15 complaints had been made against the agent
- Home Affairs told the Minister in a brief that all 16 [sic] complaints had been investigated and dismissed, ‘due mainly to insufficient evidence’
- in relation to the matters in the brief, Home Affairs had not: issued any notices under sections 305C or 308 of the Migration Act to require the agent to provide information, or considered whether it should reopen prior complaints relevant to the allegations at hand
- Home Affairs did not advise the Minister it had not used its powers under the Migration Act
- the agent’s registration was cancelled, 15 months after a complaint was submitted by another area of Home Affairs and one month after media reporting that HomeAffairs identified as alleging the agent was engaged in conduct that undermined the migration law.
- Of 50 examples and case studies of completed or closed cases raised by the ANAO with Home Affairs during the audit, there was only one where Home Affairs was considering whether further action might have been, or was, warranted. Home Affairs advised the ANAO in February 2024 it accepted it needed to ‘uplift its capabilities’ to use Migration Act powers. However, it has not specified the regulatory actions it plans to undertake.
Complaints
3.94Home Affairs uses a matrix to assess the severity and impact of migration agent conduct and inform treatment strategies, including decisions on which complaints to action. The matrix contains nine unweighted criteria that are used to arrive at a severity rating. Five criteria deal with the nature of the alleged conduct, four deal with whether there is awareness of the alleged conduct outside Home Affairs and whether there is political and/or media interest. Being unweighted, the nature of the conduct is treated with the same importance as political sensitivities or Home Affairs priorities. The ANAO found that given the nature of the criteria and the fact they are unweighted, the matrix could not ensure that when deciding which complaints to action, Home Affairs gave priority to the protection of consumers or integrity of the visa system—which is its legislated responsibility.
3.95The ANAO found the majority of complaints were dismissed by Home Affairs, rather than being investigated, and there was a risk this would be exacerbated by HomeAffairs’ new performance measures (discussed in the next chapter). In its submission to the inquiry, Home Affairs stated it was recruiting and training new staff so as to resolve complaints more rapidly.
3.96The ANAO found departmental records did not provide an accurate reflection of the extent to which complaints were investigated and regulatory action taken. The audit found:
- complaints were reported as ‘finalised’ with an outcome of ‘close and hold’ when Home Affairs had taken no action to investigate using its powers under the Migration Act
- complaints were reported as ‘finalised’ with an outcome of ‘already sanctioned’ when Home Affairs had not investigated or taken any regulatory action to resolve the particular complaint
- no sanction had been applied in cases where complaints are found to have involved a breach of the Code of Conduct
- complaints were reported as resulting in an outcome of ‘addressed with the agent,’ which is not a disciplinary action prescribed in the Migration Act
- complaints were reported as resulting in a ‘suspected breach notice,’ which is not an action prescribed in the Migration Act
- complaints previously identified for investigation were closed without investigation activity using powers under the Migration Act being used.
- The ANAO also found that of the 89 complaints recorded as finalised in May 2022:
- 83 per cent were dismissed by Home Affairs
- 71 per cent were over 12 months old
- four complaints resulted in sanction decisions against two agents—caution and registration suspension.
Information gathering powers
3.98Under section 308 of the Migration Act, Home Affairs has the power to require an agent to: make a statutory declaration in answer to a question in writing; appear before individuals specified by OMARA to answer questions; and provide OMARA with specified documents or records relevant to an agent’s continuing registration. Home Affairs told the ANAO its use of section 308 was discretionary and based in part on the evidence available to support the allegation.
3.99The audit found that even in cases where migration agents were suspected of facilitating criminal enterprise or involvement of cash-for-visa schemes, Home Affairs had not always exercised its available regulatory powers under the Migration Act to investigate.
Response to ANAO recommendations
3.100The ANAO made two recommendations with regard to Home Affairs’ use of its regulatory powers to investigate complaints. The first recommended Home Affairs strengthen its regulation of migration agent registration requirements by making greater use of the powers provided under the Migration Act to inform its assessment of whether applications for registration should be granted.
3.101Home Affairs did not agree in the detail of its response to do so; instead it agreed it was important to use its regulatory powers where it was relevant, appropriate and lawful. It would ‘continue to enhance its ability to appropriately assess whether an application for registration should be granted having regard to available evidence before the Authority including through the exercise of relevant powers under the Migration Act.
3.102The ANAO made a further recommendation that Home Affairs strengthen its regulation of migration agent registration requirements by making greater use of its regulatory powers to investigate complaints. Though Home Affairs agreed, it qualified its agreement by stating it was important to make use of the powers ‘where it is relevant, appropriate and lawful to do so,’ and it would continue to enhance its abilities to ensure it appropriately addressed inappropriate contact in a timely manner through the exercise of relevant powers.
3.103In its response to the audit, Home Affairs disagreed with the finding OMARA did not take effective action on complaints it received about the activities of registered migration agents. Home Affairs stated while it was important to make use of its regulatory powers, the exercise of such powers and the imposition of disciplinary decision were not the only appropriate actions Home Affairs could take in response to complaints. It undertook to address compliance risk in a timely manner, including through the exercise of ‘relevant’ powers ‘as appropriate’.
3.104The audit contained evidence that the use of regulatory powers was in fact an appropriate benchmark, and Home Affairs had admitted this in its response to the audit. Specifically, Home Affairs recognised it must have supporting evidence obtained using the powers under the Migration Act to pursue disciplinary action; and that recording a breach without imposing a sanction on an agent was a practice HomeAffairs would cease. Home Affairs also acknowledged the need to implement a quality assurance process of its sanction decisions.
3.105In its submissions to the inquiry, Home Affairs stated it has undertaken a number of activities to expand and uplift OMARA’s regulatory capabilities including an early resolution model for complaints (which was actually in existence at the time of the audit), changing procedures to raise own-motion complaints where appropriate, improving peer review and case management practices, and establishing a small intelligence team for complex investigations. Home Affairs stated results were improving with OMARA sanctioning 10 registered migration agents in 2023–24, and refusing the registration of 11. It reported 27 prospective agents withdrew their registration applications in anticipation of OMARA making a decision to refuse. Home Affairs stated agents found to have breached the Code of Conduct were sanctioned.
3.106Whether any of this amounts to effective regulatory oversight, or improvement in its performance is not clear to the Committee. In the absence of any context, all that can be said is that OMARA has increased some metrics. Home Affairs stated it had no comparative data on the exercise of its statutory powers.
3.107Home Affairs states it is ‘investigating’ options for more effective reporting on complaints including identifying when statutory powers are used. It provided no further detail on whether this work would result in comprehensive performance reporting or timeframes.
3.108At some future stage and subject to the passage of legislation, Home Affairs advised ‘strengthened’ background checks would be implemented for registered migration agents involving stronger identify verification, criminal history check, and security assessment. It is not clear how this addresses the broad concerns raised by the audit as to migration agent regulation.
3.109Home Affairs, in uplifting its capabilities, has recruited and trained additional staff with a target of average staffing of 60 by 30 June 2025.
Investigation functions
3.110The AGIS establishes the standards for the conduct of investigations including standards for: arrangements that support investigations (investigation policies and procedures); case management (how reports of alleged non-compliance are received, recorded, assessed and accepted for investigation); ethical conduct; and quality assurance.
3.111The AGIS was updated in October 2022, and entities are required to proactively transfer their approaches from the requirements of the previous standard (AGIS2011) to the requirements of AGIS 2022 ‘within a reasonable timeframe’.
Department of Health—Therapeutic Goods Act non-compliance
3.112The audit into Health’s regulation of therapeutic goods contained an assessment of Health’s regulatory investigations. The ANAO found that while the conduct of investigations was undertaken largely effectively, the investigation framework was not fully fit for purpose and the conduct of investigations did not fully align with the relevant standards in the AGIS. Health’s investigation policies and procedures for the regulation of therapeutic goods were not mature and did not fully comply with the AGIS; investigator qualifications were not sufficiently monitored; the process for declaring conflicts of interest and complaints handling was not fit-for-purpose; and a quality assurance process had not been established. In June 2023, Health remained in the process of updating its Investigation Policy to align with the October2022 AGIS.
Conduct of investigations
3.113Health did have investigation procedures, but the majority of these procedures were in draft. Health agreed to an ANAO recommendation that it finalise its investigation procedures and establish an internal control for their regular review and update.
Investigator qualifications
3.114The Audit found only 73 per cent of investigators who conducted investigations sampled by the ANAO had a minimum level of investigator qualifications as required under the AGIS. Further, at the time Health did not maintain records of investigator qualifications. Health agreed to a recommendation that it ensure investigators maintained a minimum level of investigator qualification and keep appropriate records.
Complaints
3.115The AGIS requirements for the ethical conduct of investigations include requirements for declarations of interest and procedures for dealing with complaints. Despite relevant specifications in the APS Code of Conduct, Health’s Accountable Authority Instructions, the departmental Conflict of Interests Policy, and the Regulatory Compliance Branch’s draft Integrity Policy, annual declarations of conflicts of interest had not been completed. Health accepted a recommendation with regard to establishing internal controls to ensure officials involved in investigations and compliance activities made and managed declarations of interest and appropriate records were kept.
3.116A 2022 internal audit into complaints handling had found Health’s management of complaints should be improved, including through the establishment of an overarching complaints management framework; an updated complaints management policy; communication and training to raise awareness of the policy; and a central reporting mechanism to understand the types, volume, frequency and response timeframe to complaints received. Health agreed to a recommendation to establish a clear complaint handling channel and a system for end-to-end complaint management. Health stated it was investigating a ‘single front door’ for all complaints and an enterprise-wide client relationship management system to provide for the triage and distribution of complaints.
Quality assurance
3.117The purpose of a quality review is to establish whether an investigation was conducted in a way that complied with the AGIS. Under the 2022 AGIS, entities are required to have an Investigations Quality Assurance Policy that includes quality assurance activities, and to conduct a formal external quality assurance activity every two years. Health did not have a quality assurance program for its investigations related to therapeutic goods in place and agreed to an ANAO recommendation to develop an investigations quality assurance policy.
3.118A number of offences related to the import, export, manufacture or supply of therapeutic goods are established in the Therapeutic Goods Act 1989, which also provides Health with compliance and enforcement powers, ranging from enforceable undertakings and infringement notices to criminal and civil penalty proceedings. Additionally, Health may conduct non-statutory activities prior to using compliance powers, including warning letters and informal engagement, which predominantly serve an educative purpose and provide for voluntary compliance. Health’s compliance investigations and activities for the import and supply of unapproved therapeutic goods, and for advertising of therapeutic goods were consistent with the AGIS and undertaken effectively, aside from a lack of investigation planning for serious non-compliance cases and supervisor review.
3.119In 2021–22, Health closed 8,625 compliance cases in relation to the import, supply, export or manufacturing of unapproved therapeutic goods and 2,376 cases related to the advertising of therapeutic goods. The ANAO examined, against the then AGIS requirements for case management and the conduct of investigations, a random sample of cases to determine whether Health had effectively undertaken investigations and compliance actions, with a targeted sample examined for cases of serious non-compliance.
3.120For investigations of serious non-compliance, the ANAO found planning documentation was not consistently completed, and where it was undertaken, none used the investigation plan template and none fully complied with AGIS requirements. For instance, there were failures to outline the objective and scope of the investigation, as well as the team structure and management of risks. In the absence of investigation plans, the ANAO wrote supervisors were not well placed to monitor the performance of investigations or to ensure risks were being managed appropriately.
3.121The AGIS in force at the time stated supervisors should review investigations at appropriate intervals to ensure adherence with the AGIS and investigation plans. In its audited sample, the ANAO found shortcomings in the process of supervisor review, including failures in record keeping, a lack of evidence of appropriate supervisor review, and where there was evidence of appropriate supervisor review, the review did not include adhering to the AGIS or investigation plans. The audit suggested opportunities for improvement in this area.
3.122Health advised the Committee it was requesting closure from the Audit and Risk Committee on the finalisation of aligning investigation procedures with AGIS 2022, and establishing internal controls for regulator review and update.
Australian Taxation Office—Management of GST fraud risk
3.123The ATO told the ANAO it was in the process of updating the investigation procedures for external fraud to align with AGIS 2022 and expected this to be completed by February 2024.