Annual reports of statutory agencies
The annual reports of the following statutory agencies in the
Attorney-General's portfolio were referred to the Legal and Constitutional
Affairs Legislation Committee (the committee) for examination and report between
1 November 2018 and 30 April 2019:
Australian Criminal Intelligence Commission—report for 2017–18;
Australian Financial Security Authority—report for 2017–18;
Australian Institute of Criminology—report for 2017–18;
Australian Security Intelligence Organisation (ASIO)—report for
Australian Transaction Reports and Analysis Centre—report for 2017–18;
High Court of Australia—report for 2017–18; and
Independent National Security Legislation Monitor—report for
Consideration of annual reports
In the following sections, the committee examines in closer detail the annual
reports of the Australian Criminal Intelligence Commission (ACIC) and the
Australian Transaction Reporting and Analysis Centre (AUSTRAC).
The ACIC's annual report has been chosen for detailed examination due to
three recent developments. Firstly, the ACIC has been the subject of an audit
by the Australian National Audit Office (ANAO) in relation to project
management. Secondly, the ACIC now comprises what was once the Australian Crime
Commission (ACC) and the Australian Institute of Criminology (AIC), the latter
of which now operates within the ACIC. Finally, the ACIC has been moved from
the Attorney-General's portfolio into the Home Affairs portfolio as a result of
machinery of government changes.
The AUSTRAC report is also considered in greater detail in this report
due to its recent incorporation into the Home Affairs portfolio.
Australian Criminal Intelligence Commission
The 2017–18 annual report of the ACIC was provided to the Minister for
Home Affairs on 28 September 2018 and was subsequently tabled in the Senate on 12 November
The ACIC is established by section 7 of the Australian Crime
Commission Act 2002 (ACC Act).
The ACIC's stated purpose is to:
[M]ake Australia safer through improved national ability to
discover, understand and respond to current and emerging crime threats and
criminal justice issues, including the ability to connect police and law
enforcement to essential criminal intelligence, policing knowledge and
information through collaborative national information systems and services.
The ACIC has one outcome and one program based on the Strategic
Plan 2016–21 (strategic plan), Corporate Plan 2017–18 to 2020–21
(corporate plan) and the Portfolio Budget Statement 2017–18 (PBS).
The Chief Executive Officer (CEO) is the accountable authority of the
Chief Executive Officer's review
The annual review of the ACIC was provided by Mr Michael
Phelan APM, CEO of the ACIC.
In his review, the CEO noted that the 2017–18 financial year was marked
by the agency's move into the Home Affairs portfolio in December 2017. Mr Phelan
stated that this move 'recognised the strategic importance of integrated, joint
agency activity to ensure a safer and more secure Australia'.
The agency's placement within the Home Affairs portfolio was said to offer a
trusted source of criminal intelligence, national policing information and
systems for law enforcement.
The review reflects on a number of ACIC projects that had progressed or been
completed during the reporting period, including:
maintaining 16 information and intelligence systems used by more
than 70,000 police and non-police users daily;
establishing the first iteration of the National Criminal
Intelligence System (NCIS), designed to support frontline personnel and provide
secure access to a national view of criminal intelligence and information;
supporting the continued rollout of Joint Cyber Security Centres
in multiple cities and permanently deployed cybercrime analysts to the
Australian Cyber Security Centre;
conducting 212 coercive examinations to discover new information
about crime relating to ACIC's special operations and special investigations;
delivering 2,162 intelligence products, including a range of
working with partner agencies to seize illicit drugs valued at
over $3.5 billion, dismantle an international criminal enterprise
operating encrypted communications, and prosecute a global money launderer and
drug trafficker in the United States.
According to the corporate plan, the ACIC's function is to assist,
alongside Commonwealth and state and territory agencies, in making Australia
safer and reducing the impact of crime. However, the nature of the agency's
role within this framework results in the ACIC being unable to control outcomes
or determine to what extent its performance has contributed to other agencies'
The corporate plan states:
Our information and intelligence systems and services provide
value to our stakeholders by enhancing their ability to undertake their role in
keeping Australia safe. We cannot apportion specific aspects of their
performance to our contribution, but we can measure the quality, volume of data
provided and reliability of these systems. We also seek to measure the
efficiency and effectiveness benefits our partners gained through new and
The ACIC's performance reporting scheme is broadly structured into four
categories as derived from the corporate plan and the PBS. The categories are:
Discover, Understand, Respond and Connect, which are reproduced in the annual
Each category has between one and four subcategories which contain performance
measures to be met. The PBS provides a broad performance criteria statement,
which does not set any specific key performance indicator (KPI) targets.
When read alongside the PBS, the annual report appears to provide a
relatively 'clear read' in relation to its performance criteria.
The annual report explains that the ACIC used a mix of qualitative and
quantitative measures to examine its achievements against its performance
criteria, in addition to utilising a stakeholder satisfaction survey to assess
performance against each criterion.
Each performance criterion is accompanied with an explanation of the
methodology used to measure performance, including why other methodologies were
not used if applicable.
As stated above, the ACIC does not appear to have specific KPI targets.
Instead, its performance is assessed according to broad goals. The PBS provided
a statement in relation to the planned measurement of the ACIC's performance:
The ACIC collects qualitative and quantitative performance
data. The ACIC monitors and analyses trends in quantitative data against
relevant performance criteria, where appropriate, which includes:
comparative statistics on information and intelligence systems and
services availability, usage and support levels
demonstrated delivery and implementation of planned systems and services
that satisfy stakeholders and users
comparative statistics on volume and breadth of intelligence shared
the level and types of our activities to discover and understand crime
the level, types and results of our responses to disrupting serious and
annual stakeholder survey results that form an overall assessment
against the performance criteria.
For example, the category titled Connect 1 states that the
performance criterion is: 'Existing ACIC systems and services are accessible,
used and reliable'.
While the corporate plan and PBS suggest methods in which the ACIC may seek to
identify results related to that goal, such as surveys or comparative
multi-year statistics, it does not identify what the specific targets are for
Further, the information provided in the performance statement do not make
clear which statistics are to be used for assessing performance, as opposed to
information provided as additional explanation or evidence. The approach
applied to Connect 1 is reproduced across most performance criteria set
for the ACIC.
Out of ten performance criteria, three were reported to be 'partially met'.
These criteria included:
Connect 1: Existing ACIC systems and services are accessible,
used and reliable;
Connect 2: The delivery and implementation of new and enhanced
ACIC systems and satisfies the needs of stakeholders and users;
Connect 4: The ACIC builds, coordinates and maintains strong and
collaborative relationships with domestic and international partners.
Discussion of each of the relevant criterion is accompanied by supporting
data and statistics, detailing information such as relevant projects or
products delivered, strategic and operational insights provided to partner
agencies, reports completed and usage of ACIC-owned systems. As noted above, it
is unclear whether this information is presented as evidence demonstrating that
the performance criterion was met or for another purpose.
As a result of the lack of clarity regarding the specific methods used
to measure performance, it is difficult to ascertain whether the ACIC has met
its performance criteria or to what extent it has not met the criteria. This is
demonstrated in the three 'partially met' performance criteria, where it is uncertain
to what extent the ACIC failed to meet the criteria.
The committee is thus unable to make a clear assessment of whether the
ACIC has met or has not met its performance criteria based on the information
provided in the report. As previously noted by the committee, the importance of
clear performance reporting in annual reports is necessary to 'provide
sufficient information and analysis for the Parliament to make a fully informed
judgement on department performance.'
This view has been supported by the ANAO, which stated in a 2013 report
on performance measurement and reporting in Australian government agencies:
Performance reporting is most effective in informing the
government, the Parliament, and the public when based on clearly expressed
outcome statements, program objectives, deliverables and KPIs...[There is a] need
for focused and clear outcome statements and well defined program objectives as
important in allowing the development of appropriate KPIs. Entities’ periodic
review of both outcomes and objectives, together with adherence to Finance
guidance, will contribute to meeting the need for focus, clarity and well
defined outcome statements and program objectives.
The committee encourages all portfolio agencies to clearly state whether
a performance criteria is met or not, and clearly present supporting evidence.
Biometric Identification Services project
The Biometric Identification Services (BIS) project was a platform
designed to replace the National Automated Fingerprint Identification System
and intended to enable a national facial recognition platform for law
enforcement agencies across the Commonwealth, states and territories. A
discussion of the background to the project can be found in the Parliamentary
Joint Committee on Law Enforcement (PJCLE) report Examination of the
Australian Criminal Intelligence Commission Annual Report 2016-17.
Eighteen months after the BIS project development contract was awarded
to NEC Australia, it was reported in January 2018 that the project was
significantly delayed and experiencing budgetary problems. The ACIC
subsequently announced the discontinuance of the BIS project due to the delays,
and cancelled the contract with NEC by mutual agreement in June 2018.
At the request of the ACIC, the ANAO conducted an audit and published a
report on the ACIC's handling of the BIS project on 21 January 2019,
considering issues such as the procurement process and management of the
The ANAO found that, while the BIS procurement process was compliant with the
Commonwealth Procurement Rules and ICT Investment Approval requirements, the
administration of the project thereafter was 'deficient in almost every respect'
which contributed to the project continuously missing deadlines.
It found that the financial management of the BIS project was poor, and raised
concerns about the ACIC being unable to definitively state how much had been
spent in total on the project, in addition to a one-off 'goodwill' payment to
NEC totalling $2.9 million that was not linked to any contractual milestone.
The ANAO reported that total expenditure on the discontinued project amounted
to $34 million, having achieved none of the project deliverables or milestones.
The PJCLE expressed concern in its report regarding the management and
cancellation of the BIS project. It noted that there was a significant cost to
the Commonwealth, including approximately $26 million which would not be recouped
and the resulting renegotiation of contracts for other related projects.
That committee acknowledged, however, that the ACIC appeared willing to learn
from the experience, as evidenced by the self-initiated request to the ANAO for
an audit, and stated that it would monitor the agency's response to the audit report.
In the 2017–18 ACIC annual report, very little mention is made of the
BIS project or how it was funded. The BIS project fell under performance
criterion 'Connect 2: The delivery and implementation of new and enhanced
ACIC systems and services satisfied the needs of stakeholders and users', which
was reported to be 'partially met'.
The report stated:
Following consultation with law enforcement partners, we
determined the benefits of continuing the project no longer outweighed the
costs and risks for our agency and partner agencies, and that the current
National Automated Fingerprint Identification System (NAFIS) remains fit for
In its discussion of its performance, the ACIC recognised the impact of
the discontinuance of the BIS project on its stakeholder survey, which is a
measure of performance for the criterion. The ACIC stated that it had learned a
number of critical lessons from the experience and identified issues such as:
the need to improve communication with stakeholders and manage
engagement at the portfolio/agency level rather than on a project level, which
had prompted the establishment of a dedicated Technology Collaboration and
Coordination Unit to build and develop stakeholder relationships effectively;
building capacity to more effectively deliver project, program
and portfolio outcomes through the Enterprise Program Management Office, which
would also respond to findings of reviews and audits and implement refined practices
and processes accordingly;
managing projects more effectively and developing a user-centric
approach which would adopt processes that meet the Digital Service Standard;
strengthening governance of all projects by including
stakeholders in planning and governance at all levels during project
The ACIC annual report provided information about the ANAO audit in its statement
on reports on its operation by the Auditor-General, a Parliamentary Committee
or the Commonwealth Ombudsman, as required by section 17AG(3)(b) of the PGPA
Act. However, the statement does not provide context or reasons for the audit.
Very little information is provided in the annual report regarding the
financial performance of the contract. The financial statements provide limited
insight into where and how appropriations were made on the BIS project.
Further, the financial statements provide no explanation regarding the impact
of the project's closure on the ACIC's other programs and overall budget.
The ACIC reported an operating deficit of $16.325 million for the 2017–18
The agency received $88.46 million in operating appropriations,
$2.64 million in departmental capital budget expenses, and $0.580 million
for an equity injection.
The annual report also provides a breakdown of the operating
appropriation, noting that $79.607 million was provided in base funding with
the remainder being tied to specific projects. Tied funding projects included:
funding for the Australian Gangs Intelligence Coordination Centre; enhancing
security at all office sites and personnel security capabilities; developing
and enhancing cybercrime intelligence and analysis capability; development of
the National Order Reference System; supporting the Australian Cyber Security
Centre; and establishing a national database of rejected applications for
Working with Children Checks.
In relation to the ACIC's own source income, it collected
$124.265 million. This included $97.737 million as a result of the provision
of National Policing Information Services, $10.379 million received from the
Proceeds of Crime Trust Account, $1.385 million in resources received
free-of-charge, and $14.764 million relating to the provision of services.
Services provided included biometric systems for the recognition of
fingerprints and DNA, identification systems for missing persons and disaster
victims, protection services to assist with managing child offenders, and the
national police history checking service.
As discussed earlier, the committee encourages the ACIC to clearly state
whether a performance criteria has been met or not, and clearly present
supporting evidence. This would assist the committee to reach a fully informed
judgement about the ACIC's performance over each financial year. The committee reiterates
the ANAO's advice stating that clear tools to measure agency performance are
crucial in enabling effective oversight of the functions of government.
The committee also observes that the annual report contains limited
information regarding the cessation of the BIS project. Given the significant
expenditure on the project and its failure to meet any deliverables or
milestones, further information about the project, its management, costs and
the reasons for its discontinuance would be beneficial in avoiding similar
problems in the future.
Noting the comments made by the PJCLE on the BIS project, this committee
will continue to monitor future project management by the ACIC and the
performance reporting of such projects in annual reports.
Notwithstanding these issues, the committee finds the report to be
Australian Transaction Reports and Analysis Centre
AUSTRAC provided its 2017–18 report to the minister on 26 September
2018, which was subsequently tabled in the House of Representatives and the
Senate on 12 November 2018.
AUSTRAC was established under the Financial Transaction Reports
Act 1988, and continues in existence under section 209 of the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). AUSTRAC's
stated purpose is to:
[P]rotect Australia from financial crime and terrorism
financing, and contribute to the growth and resilience of Australia's economy,
by discovering, understanding and disrupting criminal activity, through our
intelligence and regulatory programs.
Prior to December 2017, AUSTRAC was an agency in the Attorney-General's
portfolio. As a result of machinery-of-government changes, AUSTRAC was moved
into the Home Affairs portfolio, under the Minister for Home Affairs and the
Minister for Law Enforcement and Cyber Security.
AUSTRAC has one outcome and one program based on the Corporate
Plan 2017–21 (Corporate Plan) and the Portfolio Budget Statement 2017–18
The Chief Executive Officer (CEO) is the accountable authority of AUSTRAC.
Chief Executive Officer's review
Ms Nicole Rose PSM, CEO, provided the annual review for the 2017–18
reporting period. Ms Rose commenced her role as AUSTRAC's CEO on 13 November
Ms Rose opened the annual review by stating that AUSTRAC has continued
its position as Australia's financial intelligence unit and anti-money
laundering and counter-terrorism financing (AML/CTF) regulator to pursue its
vision of 'a financial system free from criminal abuse'.
The CEO stated that the establishment of the Home Affairs portfolio had
resulted in increased opportunities for AUSTRAC to engage with the public and
private sectors. Increased challenges in combating financial crime, including
the rise of cryptocurrencies, enabled AUSTRAC to collaborate with these
partners via projects such as the Fintel Alliance, the world-first partnership
to combat AML/CTF, and the multi-agency Serious Financial Crime Taskforce
(SFCT) which identifies and addresses serious and complex financial crimes.
AUSTRAC also contributed to the work of other Commonwealth and state/territory
agencies, including the federal Department of Human Services and the Western
Australian Joint Organised Crime Taskforce.
Other achievements during the reporting period noted by the CEO
instituting landmark civil penalty proceedings in the Federal
Court of Australia against the Commonwealth Bank of Australia (CBA) for
multiple contraventions of the AML/CTF Act, which resulted in the court
ordering the CBA to pay a $700 million penalty, the largest civil penalty in
Australian corporate history;
publishing and disseminating three risk assessments to assist in
educating the financial sector's understanding of AML/CTF capabilities and
addressing vulnerabilities within the industry and its products;
collaborating with regulated entities to establish a 'Community
of Practice' and redesign the annual AML/CTF compliance reports;
alongside the Attorney-General's Department and the Department of
Home Affairs, contributing to legislative reform to the AML/CTF Act, addressing
issues such as the regulation of digital currency, enhancing
information-sharing capabilities between related bodies corporate, and
expanding the range of regulatory offences;
engagement with international partners, including hosting a
number of conferences and visits from overseas counterparts.
AUSTRAC's performance reporting scheme comprises six performance
criteria. These six performance criteria are measured using a number of
different methods, which are outlined in the annual report.
AUSTRAC does not appear to use specific KPI targets. Instead, the PBS indicates
that AUSTRAC measures performance by using a 'range of case studies and
quantitative and qualitative reporting'.
When read alongside the PBS, the annual report appears to provide a
'clear read' in relation to its performance criteria.
AUSTRAC reported that all performance criteria had been fully achieved
for the reporting period. The annual report also noted that all performance
criteria established by the PBS were achieved as well.
Each performance criterion is accompanied with supporting material
demonstrating how it was met. For example, the performance criterion titled
Corporate Plan Performance Criterion 1.1: Our public and private sector
partners readily access intelligence that is of value, included evidence to
support this finding:
AUSTRAC's continued work on the Fintel Alliance, a public-private
partnership established in March 2017 to develop shared intelligence and
develop shared intelligence and deliver innovative solutions to protect the
Australian economy from criminal abuse, with additional information on related
Fintel Alliance projects such as the online money mules project and the child
sexual exploitation project;
136,225,100 reports from industry over the reporting period,
representing a 21.6 per cent increase on the previous reporting period;
contributing to a number of multi-agency task forces, including
case studies of AUSTRAC's information being used to inform public
partners, including Operation Astatine, which focussed on a NSW-based criminal
syndicate involved in drug trafficking and tobacco smuggling;
the production of risk assessments that identify and evaluate the
money laundering or terrorism financing risks posed by financial sectors and
products, including advice released by the Minister for Justice in
July 2017 regarding risks in the securities and derivatives sector, which
were reported to have been responded to meaningfully by the industry.
As noted above, AUSTRAC does not have specific KPI targets for assessing
performance. It is therefore reliant on using a wider range of achievements to
assess the performance of the agency. As observed in the discussion regarding
the ACIC, this can be challenging for the Senate in determining whether
agencies have met their performance criteria. Specific KPI targets may assist
in promoting a fulsome understanding of AUSTRAC's performance.
The performance reporting in the annual report is otherwise highly
detailed and provides illustrative examples of how AUSTRAC has sought to
achieve its performance criteria, even where specific KPIs are not present. The
examples demonstrate a clear link with the relevant performance criterion, and are
presented clearly and concisely.
AUSTRAC reported a net operating surplus of $2.2 million for the
2017–18 financial year. This was compared with the 2016–17
reporting period which resulted in a net operating deficit of $8.7 million.
The net operating surplus includes $4.9 million of unfunded depreciation and
amortisation expenses. Total revenue for the reporting period was $70 million,
representing a $7.9 million increase over the previous year's results.
Expenses for AUSTRAC were reported to amount to a total of
$67.763 million, which includes employee benefits, supplier costs, and
write-down and impairment of intangible assets.
In relation to employee benefits, the annual report explains that there was a
variance in the budgeted cost compared to the actual expenditure. This was due to
two factors: firstly, in 2017, AUSTRAC engaged in a program in which
contractors were converted to APS staff, which resulted in a higher cost for
employee benefits than originally budgeted. Secondly, due to new funding
measures announced in the Mid-Year Economic and Fiscal Outlook (MYEFO) 2017-18,
additional resourcing was engaged to meet demand.
AUSTRAC also reported a total expenditure on legal services for the 2017–18
financial year as $3,459,004 (exclusive of GST), which includes the cost of
providing internal and external legal services.
The committee commends AUSTRAC on its informative and clearly expressed
annual report. While it notes that the lack of specific KPIs can make it
difficult for agencies to measure performance, AUSTRAC has provided
explanations of its activities in meeting performance criteria, and demonstrated
how it has met these criteria with illustrative and clearly related examples of
its work. AUSTRAC's reporting is an excellent example to all agencies without
specific KPIs of how effective performance reporting can be achieved in circumstances
where performance criteria do not have specific targets or refer to broad
The committee finds the annual report to be 'apparently satisfactory'.
Navigation: Previous Page | Contents | Next Page