biometric identification

(QESP Editor’s Note: The following is a reprint of the Summary  from a 21 January 2019 Australian National Audit Office (ANAO) Report.  The full report is available at

The objective of this audit was to assess the effectiveness of the Australian Criminal Intelligence Commission’s administration of the Biometric Identification Service project.



1. On 1 July 2016, the Australian Criminal Intelligence Commission (ACIC) was created through the merger of the CrimTrac agency (CrimTrac), the Australian Crime Commission (ACC) and the Australian Institute of Criminology (AIC).1 Prior to the merger, CrimTrac had commenced planning and initial administration of the Biometric Identification Services project (the BIS project or BIS).

2. BIS was a $52 million project with two key goals:

  • replacement of the existing National Automated Fingerprint Identification System (NAFIS)2; and
  • addition of a facial recognition capability to enhance law enforcement’s biometric capabilities.

3. A Biometric Identification Solution Contract was signed on 20 April 2016 between NEC Australia (NEC) and CrimTrac, just prior to ACIC’s creation.

4. The BIS project encountered difficulties at an early stage. Despite intervention by the executive of ACIC and ultimately unsuccessful negotiations between ACIC and NEC, the ACIC CEO announced on 15 June 2018 that the project had been terminated.

5. When it became apparent that BIS would not be completed prior to the expiry in May 2017 of ACIC’s contract with Morpho, the company that operated NAFIS, ACIC extended its contract with Morpho (for a substantially higher price). The NAFIS contract is now due to expire in May 2020. ACIC has yet to decide the future of NAFIS.


Rationale for undertaking the audit

  • The audit was requested by ACIC’s Acting Chief Operating Officer on behalf of ACIC on 14 February 2018; and
  • the BIS (and the system it was to replace, NAFIS) are critical enabling systems for Commonwealth and state law enforcement. A threat to the availability of this capability would be of significant concern to the Australian Government.


Audit objective and criteria

6. The objective of this audit was to assess the effectiveness of ACIC’s administration of the BIS project.

7. The audit criteria were:

  • Was the procurement process for the BIS project conducted in accordance with the Commonwealth Procurement Rules?; and
  • Has ACIC effectively managed the BIS project to achieve agreed outcomes?



8. While CrimTrac’s management of the BIS procurement process was largely effective, the subsequent administration of the BIS project by CrimTrac and ACIC was deficient in almost every significant respect. The total expenditure on the project was $34 million. None of the project’s milestones or deliverables were met.

9. The procurement was designed and planned consistent with the Commonwealth Procurement Rules and ICT Investment Approval requirements and the tender assessment process supported value for money. However, two critical requirements were overlooked in the requirements gathering phase and the approach to negotiating and entering the contract did not effectively support achievement of outcomes. This was a result of the contract not explaining the milestones and performance requirements in a manner that was readily understood and applied.

10. ACIC did not effectively manage the BIS project with its approach characterised by: poor risk management; not following at any point the mandated process in the contract for assessing progress against milestones and linking their achievement to payments; reporting arrangements not driving action; non adherence to a detailed implementation plan; and inadequate financial management, including being unable to definitively advise how much they had spent on the project.


Supporting findings

The tender process

11. The BIS procurement was largely effective. CrimTrac designed and planned the procurement consistent with the Commonwealth Procurement Rules and ICT Investment Approval requirements. Requirements were developed in conjunction with state and territory police, although two critical requirements were overlooked.

12. CrimTrac’s approach to market supported a value for money outcome. The approach to market had sufficient reach and two valid tenders were received.

13. The tender assessment process supported value for money. It was transparent and consistent with planning documents and the Commonwealth Procurement Rules in that:

  • there was appropriate weighting of selection criteria;
  • internal and external probity advisers oversaw all phases of evaluation; and
  • the Tender Evaluation Committee report to the delegate was comprehensive.

14. The approach to negotiating and entering the contract did not effectively support achievement of outcomes because the contract did not explain the milestones and performance requirements in a manner that was readily understood and applied.


Management of the project

15. The governance framework for BIS was not effective.

  • Risk registers established for the project were not used effectively.
  • External reviews in June and November 2017 identified the absence of a robust governance structure.
  • ACIC’s Audit Committee was not informed of the status of the project.

16. Contract management was not effective.

  • The stipulated contract process by which progress against milestones and deliverables was to be assessed was not followed at any stage and ACIC thus had no way of assuring itself that it got what it paid for.
  • ACIC agreed to more than $12 million in additional work. Documentation showed that some of this work may have been unnecessary and other work may have already been covered under the contract.
  • ACIC ‘inherited’ the former CrimTrac and ACC Electronic Document and Records Management Systems (EDRMS), leading to duplication and ineffective record keeping. Further, many staff did not use any EDRMS, instead keeping records on their own computers, in uncurated network drives or in email inboxes.
  • While a Benefits Management Framework was developed and evidence showed that a benefits realisation and documentation process was intended, it was not implemented.
  • An internal audit report had found that ACIC did not have an effective contractor management framework.

17. ACIC established appropriate arrangements for reporting to stakeholders. However these were not fully effective because they did not result in sufficient action being taken and the external stakeholders felt that reporting dropped off over time.

18. The contract provided an implementation plan including Solution Delivery and Solution Design, with more detail for Solution Delivery.

  • The agreed schedule was not adhered to and was repeatedly extended before BIS was terminated in June 2018.
  • In order to maintain the uninterrupted availability of a national fingerprint capability for law enforcement, ACIC was obliged to renegotiate the existing NAFIS contract at a significantly increased cost.

19. Financial management of the BIS project was poor. ACIC’s corporate finance area had no responsibility for management of the financial aspects of the BIS project; neither did the project team have a dedicated financial or contract manager. ACIC was unable to advise definitively how much they had spent on the project.

20. ACIC made a ‘goodwill’ payment of $2.9 million to NEC which was not linked to the achievement of any contract milestone. ACIC was not able to provide details of how the quantum of this payment was calculated.


Summary of entity response

21. The proposed report was provided to ACIC. A summary of its response is provided below and its full response is at Appendix 1.

The Australian Criminal Intelligence Commission (ACIC) found the Australian National Audit Office’s audit of its Biometric Identification Services Project to be thorough and comprehensive. It has revealed significant failures in the management and delivery of the project, and has identified opportunities for the ACIC to refine its practices in order to improve its delivery of information and intelligence services to law enforcement and national security agencies in Australia.


Key messages from this audit for all Australian Government entities

22. The findings from this audit provide a range of learnings for other government departments managing technical bespoke procurement, which contains inherent risks due to its complexity or untested suitability.

Governance and risk management

  • When managing a project of this nature, it is important that sound governance arrangements are in place, that have full oversight of progress, risks and mitigation plans, contingency planning and design and delivery challenges.
  • An important element of governance is assurance mechanisms at each major decision making milestone — such as agreeing final business requirements for tender, or the technical deliverables in the contract — where the officer signing off tender scope or the contract has sufficient assurance that it contains all necessary business requirements, particularly those that are critical to the effective operation of the system or product. This assurance can come through adequately broad and deep consultation, assurance committees or technical advice.
  • Where the project is significant relative to the size of the organisation’s budget or capability, then the project risks should form part of the broader organisational risk management structures and governance arrangements given the impact on the organisation if risks were realised.


Contract management

  • Contracts must be clear in terms of deliverables, milestones, performance measures and accountabilities, and the entity should have strong contract management capability in place with clear reporting lines.
  • Further, the entity should ensure that it obtains the right technical expertise such that risks, design challenges and contact deliverables are well understood and the negotiation position of the entity is evenly balanced with the successful tenderer.


Records management

  • Given that personnel can change and machinery of government changes can occur, records are a critical part of informing future decision making and transparency and accountability for past decision making.
  • Sound record management procedures should be in place not just for major projects but for all entity business transactions and decision making.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.