Regulation is an important function of the Australian Government and high-quality regulation —whether of the private, not-for-profit or public sector — is crucial for the protection and proper functioning of the economy, society and the environment. Many Australian Government entities hold responsibilities for the implementation of regulatory functions including departments and statutory entities dedicated to the administration of regulation in highly specialised sectors.

Audit findings often highlight issues with respect to the appropriate implementation of risk-based approaches to regulation. Risk-based regulation is important in ensuring that the burden of regulation is appropriate. However, it can only be successful if the accountable authority of an entity uses available evidence to develop a strategic, diligent and risk-based regulatory compliance approach and ensures that it is consistently implemented. While efficiency for the regulator and the sector is important, too strong a focus on ‘red tape’ reduction — including through not utilising the full range of regulatory powers provided by the Parliament — can often be at the expense of effective outcomes.

Australian Government regulators are empowered by, and subject to, a range of legal and other requirements including:

• the specific legislation that establishes the regulatory powers of the entity, and underpinning policies and relevant directions;
• the Public Governance, Performance and Accountability Act 2013 (PGPA Act) along with delegated legislation such as the PGPA Rule 2014, the Commonwealth Procurement Rules and the Commonwealth Risk Management Policy; and
• the Australian Government Regulator Performance Framework — introduced in October 2014 to encourage regulators to achieve their objectives while minimising their impact on regulated entities. 

A key part of the Australian Government Regulator Performance Framework is that actions undertaken by regulators are proportionate to the regulatory risk being managed. Drawing from this framework, ANAO performance audits of regulators include examination of the design, implementation and enforcement of regulation to enable regulators to deliver on regulatory objectives. In the period 2015–16 to 2019–20 the ANAO has undertaken 25 performance audits on the administration of regulatory activities.

Over the past 12 months, the Auditor-General has tabled six performance audits on the administration of regulation by non-corporate Commonwealth entities:

• Auditor-General Report No.29 of 2019–20 Regulation of Charities by the Australian Charities and Not-for-profits Commission;
• Auditor-General Report No.33 of 2019–20 Tertiary Education Quality and Standards Agency’s Regulation of Higher Education;
• Auditor-General Report No.47 of 2019–20 Referrals, Assessments and Approvals of Controlled Actions under the Environment Protection and Biodiversity Conservation Act 1999;
• Auditor-General Report No.48 of 2019–20 Management of the Australian Government’s Lobbying Code of Conduct — Follow-up Audit;
• Auditor-General Report No.5 of 2020–21 Regulation of the National Energy Market; and
• Auditor-General Report No.8 of 2020–21 Administration of Financial Disclosure Requirements under the Commonwealth Electoral Act.

Key learning areas covered in this audit insights relate to:

1. collection and management of compliance information;
2. assessment of compliance risk;
3. implementation of risk-based compliance programs;
4. record keeping; and
5. measuring performance.

Accurate, integrated and reliable information on regulated entities, activities and individuals supports regulators in assessing the risk of non‐compliance and the development of targeted compliance and enforcement strategies. It also forms data which can be used as intelligence in planning future compliance strategies.

Information collected by the regulator assists in determining if the regulated entities are meeting all legislative requirements, and can also assist in determining whether contrary evidence exists where the regulator relies on self-assertions by the regulated entities .

Where the role of the regulator includes maintaining public registers, websites or other information on regulated entities, appropriate collection and management of compliance information helps ensure that the information published is accurate and can be relied upon by citizens . Appropriate collection and management of information includes storage of information in a way that enables it to be easily accessed for analysis, reporting or other compliance activities.

If a regulator maintains multiple IT systems to collect and store compliance information, steps should be taken to ensure the systems are linked, can be cross-checked to ensure information held in multiple places is consistent and can be collated to provide a holistic picture of a regulated entity’s compliance history, performance and risk. This will require adequate staff guidance on information storage and retrieval .

Clear and consistent processes for understanding which regulated entities, activities and individuals pose the highest risk of non-compliance with key regulatory requirements will position regulators to design and implement risk-based compliance programs. An effective risk assessment process should include strong linkages between risk ratings and regulatory activities, including compliance assessments informed by recent and comprehensive compliance intelligence. Collecting regulatory information from a range of reliable sources assists regulators to ensure their information is complete and accurate  and enables a stronger level of assurance that regulatory objectives are being met.

A risk-based compliance process may be required by legislation, policy, or in order to ensure the regulator is conducting its business efficiently. As stated in paragraph 2.21 of Auditor-General Report No.47 of 2019–20, ‘regulators that assess the risk of non-compliance are better positioned to target regulatory activities towards areas of greatest impact’, and will therefore be more efficient.

Having robust systems for information will assist the regulator to identify compliance trends, compare the nature of non-compliance between different requirements and identify emerging risks .

Data analytics can form an important element of risk assessment and inform the compliance program. One regulator audited formed a dedicated analytics and insights team to enhance its market analysis and monitoring capabilities. The benefits of this capability will only be fully realised if arrangements for gathering, storing, retrieving and analysing information are complete and consistent .

The development of compliance programs using the full scope of regulatory powers and responsibilities, proportionate to assessed compliance risk, supports the effective targeting of regulatory resources. Regulators should select entities or individuals for compliance activities by applying an appropriate risk-based approach that is capable of providing assurance that the overall purpose of the compliance review program is being achieved. A well-planned and strategically targeted compliance program will also enable an assessment of improvements or deterioration of compliance of regulated entities, activities or individuals over time and possible drivers of this, which can inform associated activities such as education and awareness raising.

The regulator’s risk management framework should set out risk tolerance levels and inform compliance activity to ensure that risks are maintained within tolerance levels. Regulators should ensure that they are being consistent with control requirements specified in the risk management framework (such as having risk treatment plans where risks exceed tolerance levels) and that risk mitigation measures, such as a ‘tip off’ facility, are used to inform compliance actions and those actions are documented .

Fully implementing a compliance program requires that the regulator act on identified instances of non-compliance, with actions usually set out in legislation. While the action should align with the severity and frequency of the non-compliance, it should also escalate if the non-compliance is not rectified over time. As set out in paragraphs 3.82 to 3.85 of Auditor-General Report No.8 of 2020–21, actions can start from encouragement, and escalate to direction, enforcement and prosecution, in line with the legislative powers of the regulator. If actions are not escalated in accordance with regulatory powers, the impact of the regulator and the achievement of regulatory outcomes may be diminished.

Appropriate recording of regulatory actions and the rationale for regulatory decisions supports transparency and accountability, particularly as a regulator’s decisions or actions may be subject to external scrutiny or be challenged . A regulator, through its records, should be able to demonstrate that approval decisions align with requirements  and that compliance activity and/or actions undertaken were warranted given risk, the evidence available, the compliance framework developed and legislative powers.

Comprehensive records also assist in providing the accountable authority and the Parliament with assurance that the regulator is being consistent and transparent in its approval decisions and that these decisions are based on adequate evidence .

To promote transparency and accountability, regulators should publicly report on the number and outcomes of core compliance activities such as compliance assessments. Regulators should also report on the extent to which regulated entities and individuals comply, and fail to comply, with obligations under the legislation. This provides the Parliament with transparency about whether regulatory objectives are being met.

Sections 37 to 40 of the PGPA Act, and sections 16E to 16F of the PGPA Rule, place requirements on accountable authorities to measure their entities’ performance and publish annual performance statements. The Department of Finance has issued guidance to entities to assist in the development of performance information.

Entities should develop performance measures that not only inform the Parliament of the achievement against regulatory objectives, but which also report on efficiency. Compliance information collected by the regulator will assist in determining performance against expectations and the impact of regulatory activities over time .

When regulators develop performance measures, they should ensure that the measures are incorporated into an appropriate monitoring, reporting and evaluation framework that provides assurance over its achievement of objectives, as set out in relevant legislation .

Proper documentation will provide evidence to support the performance information reported and enable consistent and accurate performance statements to be developed. Some examples of performance measures for regulators include timeliness of decision making, accuracy against legislative requirements (tested through quality assurance processes), efficiency of the regulatory process for regulated entities, efficiency of the regulator (measured by resource inputs against outputs delivered over time or compared to a benchmark) and number of appeals.

All the audits covered in this edition of audit insights, with the exception of the Management of the Australian Government’s Lobbying Code of Conduct — Follow-up Audit, made recommendations for regulators to improve their performance measurement, particularly in relation to the impact of regulatory activities on regulatory objectives.

The ANAO annual audit work program lists other potential performance audits of regulators that are yet to commence. The implementation of risk-based regulation will be a continuing feature of the ANAO’s work program.