The Auditor-General has savaged the Australian Criminal Intelligence Commission's management of its failed biometric identification database, labelling it "deficient in almost every significant respect".
The commission, formerly known as CrimTrac, announced in June last year it would dump the project, which was meant to replace an existing national database of fingerprints used by law enforcement, as well as provide added capability for a facial recognition database.
The project was dumped in June last year, more than two years after the contract with NEC was first signed, with none of the 17 milestones set out in its contract achieved.
The original project was worth $52 million, but forecast costs on the project were estimated to have blown out to more than $90 million. The audit report stated that $34 million was spent on the project in total. Officials revealed in November that taxpayers would see no benefit from the $26 million wasted on the project, with other benefits found for the other funds spent.
Despite none of the 17 milestones being met by NEC, the commission continued to pay the company for its work on the project, in addition to $12 million for contract variations or work not originally in the contract.
"Documentation showed that some of this work may have been unnecessary and other work may have already been covered under the contract," the report said.
"The stipulated contract process by which progress against milestones and deliverables was to be assessed was not followed at any stage and ACIC thus had no way of assuring itself that it got what it paid for."
"Financial management of the [biometric identification services] project was poor," acting Auditor-General Rona Mellor said.
Two extra payments came in for particular criticism. The first one was for $4 million in June 2017 for "reverse synchronisation" to connect the new system with the old system. One SES officer described it to the audit office as "one of the worst decisions that was made", and another officer called the function technically almost impossible to achieve.
The second was a payment of $2.9 million, described as a goodwill payment. It came after disputes between the Commission and NEC about whether extra claimed costs had been approved, with poor record keeping contributing to the confusion, and ACIC describing an "impasse" between the two parties.
"[The payment] was seen as a way to navigate the impasse and establish and re-baseline a constructive relationship for the continued delivery of the program," the commission told the audit office.
Relationships between key personnel at ACIC and NEC deteriorated to the point that the commission requested the removal of NEC's program manager on the project, which it had the ability to do under the contract. The next program manager left within two weeks, and a third program manager left within a month.
Record keeping at the commission was piecemeal, with different systems being used and many records being kept on network drives. Some records were found in one employee's email account and their computer hard drive.
Even the contract itself was hard to locate.
"While the ANAO located electronic drafts of the contract (or parts of it) in multiple locations, it took ACIC more than four weeks to find and produce a definitive original document," the report said.
Reporting and governance were also criticised, after different boards and committees were repeatedly told the project required corrective action, as early as August 2016.
"With the exception of the Audit Committee, there was awareness at all levels within ACIC that BIS was encountering serious difficulties," the report said.
"The evidence shows that reporting through the governance framework did not lead to corrective actions until very late in the project."
In May 2018, almost two years after the project started, staff members at the commission realised the original contract didn't cover assumed identities that allow law enforcement officers to operate under cover, or witnesses who are in witness protection and must have their identities protected.
The commission was forced to extend its contract with another company, Morpho, for its existing national fingerprint identification system multiple times, with the annual cost increasing by 140 per cent since 2011-2012. The system, which once cost $3.8 million, will this financial year be worth $9.4 million to Morpho.
The largest increase in cost came when it became clear the new system wouldn't be ready by the contract's original expiry date in May 2017.
"This reflected ACIC’s weak negotiating position with Morpho (the unsuccessful tenderer for BIS) in ensuring continuation of [the National Automated Fingerprint Identification System]," the report stated.
The audit found the procurement process was "largely effective", but issues arose once the contract was negotiated with NEC.
The commission noted the findings and committed to implementing changes in light of them.
The commission had earlier flagged that it could request a suppression to the audit report under section 37 of the Auditor-General Act - in the same way a section was redacted from the report into Defence's acquisition of the Hawkei joint light protected vehicle - but the report was released without redaction.
NEC has responded to the report through a spokesman, welcoming the report and defending the company's history.
"NEC has a proud history and reputation as a leader in biometrics technology globally and every day we strive to be cutting edge in this field," the spokesman said.
"NEC has delivered many similar projects around the world successfully, often for government and in most cases as Project Lead/Systems Integrator. In this project however, NEC was not the Systems Integrator, but the contractor."
The company maintains the project was ready to be handed over for testing when the contract was ended.
"NEC was ready to hand over the BIS project for systems testing when the project was terminated."