Auditor lashes junked national biometrics project after significant failures

The Australian Criminal Intelligence Commission’s management of its now infamously junked biometrics identification services (BIS) project has been blasted by the national auditor after a litany of serious failings were uncovered.

In a excoriating review released on Monday, the Australian National Audit Office (ANAO) revealed the agency’s handling of the $52 million project was “deficient in almost every significant respect” following the completion of the procurement.

It found “none of the project’s milestones or deliverables were met” and put the total cost of the project at $8 million higher than previously revealed by the ACIC.

The project was intended to replace the existing national automated fingerprint identification system (NAFIS) contract held by Morpho (now IDEMIA) with a new national biometrics database that included facial recognition capabilities.

CrimTrac – which would go on to merge with the Australian Crime Commission to create ACIC in July 2016 – went looking for potential service providers to provide a preferably commercial-off-the-shelf solution in 2015.

After receiving 12 responses, only two of which were compliant from Morpho and NEC, the agency entered a contract that “comprised more than 800 pages” with NEC for the build in April 2016.

It planned for the solution design to be complete by July 2016 and all contract requirements by 20 November 2017, with each accompanied by milestones that were ultimately without “a description of specific documents, activities, or tests needed for each milestone”.

But in June 2018 the contract was terminated after the “original planned completion date slipped at least three times, with some milestone being deferred by more than a year”.

However the audit reveals that the project was “reported as ‘red’ to key governance bodies as early as August 2016”, with the problems known across much of the agency except for the agency's own audit committee.

“There was awareness at all levels within ACIC that BIS was encountering serious difficulties,” the audit states.

Much of the auditor's concern with the project centred around its administration following procurement, which “was deficient in almost every significant respect”, including:

• Not following the mandated process in the contract for assessing progress against milestones and linking their achievement to payments “at any stage”
• Having poor financial management, including an inability to “advise definitively how much they had spent”, and spending $12 million on work that was either already covered by the contract or unnecessary
• Not adhering to a detailed implementation plan
• Having poor risk management, with risk registers established for the project but “not used effectively”

The upshot of this was that the agreed schedule for the delivery of BIS “was not adhered to and was repeatedly extended before BIS was terminated in June 2018”.

ACIC was also forced to extend NAFIS contract with Morpho in the process for a “significantly increased cost” to maintain uninterrupted availability.

The auditor found the BIS procurement was “largely effective”, bar “two critical requirements” for assumed identities and witness security, which were overlooked in the development phase, and would have cost approximately another $10 million to include.

Other items such as a user interface specification, which were never corrected before the contract was terminated, were also omitted for the project.

The report also reveals that ACIC’s relationship with NEC turned so sour during the course of the contract that the agency was forced to engage consultants turned mediators PwC to “reset the relationship” and “build trust” through“turnaround workshops” in December 2017.

“Evidence showed that the relationship between ACIC and NEC deteriorated to such an extent during the project that ACIC decided to engage PwC to intervene,” the audit states.

But the relationship counselling didn't go so well. By January 2018, ACIC requested that NEC remove and replace its program manager for BIS.

“In late January 2018, a new NEC Program Manager arrived but left within two weeks. A third replacement NEC Program Manager also departed in late February 2018.”

Staffing was also a cause for concern, with an “insufficient and inappropriately skilled BIS program team” that at one point contained less than half the necessary staff identified.

The audit similarly points to a possible distraction in the merger to create ACIC in July 2016 for the failings, with “a high degree of change at the SES level of the organisation” between April 2016 and June 2018.