Last month, we welcomed Dr Caralee McLiesh PSM to the ANAO as the 16th Auditor-General for Australia. Dr McLiesh brings a wealth of experience to the role, with an extensive career spanning the public and private sectors.

Before commencing as Auditor-General on 4 November, Dr McLiesh served as the Secretary and Chief Executive of the New Zealand Treasury for five years, where she led the Treasury and its advice through the COVID-19 pandemic and worked with the New Zealand Government to deliver budgets and a range of legislative and policy reforms. Before that, Dr McLiesh served in the New South Wales public service, during which time she was awarded the Public Service Medal in 2017 for outstanding service to social impact investment policy and reform. Dr McLiesh has also worked at the World Bank in Washington DC, the International Red Cross in Botswana and Bosnia and Herzegovina, and the Boston Consulting Group.

The coming months will continue to be a busy time for our new Auditor-General as Dr McLiesh continues getting across the scope of the ANAO’s work and meets with entity heads across the public sector.

The COVID-19 pandemic and the Australian Government’s response to it significantly impacted the risk environment faced by the public sector. To support the Australian Government’s COVID-19 pandemic response priorities, the Australian Public Service (APS) quickly adapted its workplace practices and deployed resources to priority areas, while continuing to deliver business-as-usual activities. The ANAO responded to emerging public administration risks by developing the COVID-19 audit strategy. In undertaking the audit work, we took into account the environment in which programs and responses were being managed and delivered. You might also recall that, at the request of the COO Committee, we developed an insights product on Rapid Implementation of Australian Government Initiatives. This insights was based on key lessons learned from audits of past activities, likely to have wider applicability to the APS in supporting the national COVID-19 pandemic response. The product was published on 16 April 2020.

In October, we tabled an information report which consolidated the lessons from that audit strategy. It covers 13 performance audits and reviews across 12 entities within 10 portfolios where 41 recommendations were made. If we were to face an impactful emergency in the future, then hopefully these lessons will help entities to plan for and manage any response.

The five phase-1 COVID-19 audits examined the Australian Government’s early response to the pandemic. The key lesson from phase 1 audits was the importance of everyday fundamentals such as establishing appropriate governance arrangements and proactively managing risks.

The seven phase-2 audits highlighted that systems and controls that were considered sufficient for business-as-usual were not adequate to deal with the demands of rapid implementation during the COVID-19 pandemic. This necessitated a more disciplined approach to adapt to and manage changes to ensure effective program delivery.

Under phase-3, two elements of crises preparedness and response were emphasised: the need for comprehensive and up-to-date crisis management frameworks; and the importance of incorporating and actioning lessons learned from the experience. Notably, these elements reflect some of the key themes that emerged in phase-1 audits. Effective preparation for future crises enables a more effective and efficient response should they occur.

When was the last time you read a performance audit report? If you’re not engaged with one underway in your entity, it’s easy to miss lessons from reports on others’ activities. We now pull together an end-of-year report on our performance audit work, not unlike the reports we do for financial statements and performance statements audits. The purpose of the report is to draw out lessons from our performance audit work. This report also gives the Parliament a summary of key risks and issues.

The performance audit information report analyses performance audit outcomes from 2019–20 to 2023–24.

We’re all working hard to grow the APS’ capability and strengthen integrity in our organisations. Findings from our performance audits can provide indicators of risks to integrity, probity, and ethics, including where action may be necessary to deal with systemic issues. The information report highlights a range of themes and issues on planning and implementation, evaluation, procurement and contract management, and cyber security. Here’s a few highlights:

The use of AI by the public sector has been a growing area of discussion in recent years, particularly as we experience an increase in its use to manage and deliver public services. With a range of AI governance and assurance frameworks introduced by the Australian Government, the JCPAA commenced an inquiry to examine the adoption and use of AI systems and processes to conduct functions such as the delivery of public services.

We are entering the auditing of AI by focussing on governance, with a performance audit underway in the ATO. It is expected to table early in 2025 and we will look to share lessons from it to assist across the sector.

We have commenced research into what audit methodology, audit tool changes, and skills might be required to support audit work in the AI space. This is an area of focus in audit offices around the world. For us, there is also an opportunity to explore how automation can improve the audit process. While audit standards and assessments require human judgement, decision making and scepticism, we’ve identified areas of audit process that could be automated. We’re continuing to develop tools to achieve this, with oversight by our quality committee to ensure adherence to the ANAO’s auditing standards and our audit methodology.

The JCPAA is also conducting an inquiry into the contract management frameworks operated by Commonwealth entities. It will look into whether the expertise, governance arrangements, record keeping, performance measures, and policies and guidelines supporting contract management by entities are fit for purpose to ensure relevant project delivery. Hearings are underway. The inquiry is being conducted with reference to five of our performance audit reports:

1. Management of the Australian War Memorial’s Development Project
2. Procurement of My Health Record
3. Administration of the Adult Migrant English Program Contracts
4. Defence’s Management of Contracts for the Supply of Munitions — Part 1 
5. Defence’s Procurement and Implementation of the myClearance System

One thing to think about, if your entity is invited to appear before the JCPAA, is making sure you send the right witnesses and that they are well prepared. The JCPAA is a bipartisan committee which seeks to understand administrative practices as well as to hold entities to account for their performance. Witnesses are speaking on behalf of the accountable authority, if the accountable authority does not appear. They need to be sufficiently senior to speak at entity level as well as in detail on the matters under inquiry. This includes what steps the entity has made on implementing recommendations made in an audit report or how risks identified are being addressed.

JCPAA reports have implications and recommendations that are relevant across the public sector, and I encourage everyone to follow the progress of the inquiry and read the final report once it’s released.

We recently published two insights products — the first on lessons from our recent gifts, benefits and hospitality audit work, and the second outlining the practice of performance auditing, in particular our performance audit process.

Our gifts, benefits and hospitality Audit Lessons product shares seven lessons for the public sector:

1. Establishing a guiding principle for officials to generally avoid the acceptance of gifts, benefits and hospitality helps promote a culture of integrity.
2. Establishing preventative and detective controls helps manage corruption risks associated with gifts and benefits. 
3. Internal policies on gifts, benefits and hospitality should be clear and specific.
4. Guidance could highlight entity activities that are at a heightened risk from gifts, benefits and hospitality.
5. Controls can help ensure inappropriate personal benefits are not derived from official travel.
6. Reporting all gifts and benefits — not just those accepted — can help identify risks.
7. Accurate valuation of gifts, benefits and hospitality increases transparency. 

I encourage anyone with responsibility for implementing internal policies and controls on the receipt of gifts, benefits and hospitality to have a read. I think that each SES officer should really lead by example in this space and continue to talk about gifts, benefits and hospitality and the relationship with potential, perceived or real conflicts of interest in their branches, divisions or groups. Transparency through reporting is important, and so is our mindset about gifts, benefits and hospitality in the APS.

I get feedback from time-to-time that people need more information about the performance audit process. For staff with responsibility for governance, internal audit, or a government activity that may be the subject of an ANAO performance audit, I’d encourage you to take a look at our latest Audit Practice product on the performance audit process. It aims to explain ANAO methodologies and help entities prepare for our audits by outlining some of our processes and expectations in conducting audits. As is always the case, you are very welcome to invite the ANAO to come to speak to your organisation about our work including the process of auditing.

Fraud control arrangements continue to be an area of focus for us. Some of our recent audit work has looked at planning for the implementation of the changes to the Commonwealth Fraud Control Framework, including the Fraud Rule (within the PGPA Rule), which came into effect from 1 July 2024. Two areas of concern have become apparent:

1. Entities changing the titles of their fraud plans and risk assessments to add the words ‘and corruption’ without necessarily considering corruption risk itself, and not including corruption risk assessments, mitigations and controls in a considered way.
2. Entities focusing on internal fraud and corruption without an equal focus on external fraud and corruption. External fraud and corruption could occur in dealings with the private sector or regulated organisations/bodies, or via recipients of public funding through grants, procurement or in other ways. 

I encourage you all to read our recent performance audit reports on fraud control arrangements in the Department of Health and Aged Care, the National Health and Medical Research Council, and the Australian Skills Quality Authority. 

We’ve had the benefit also of having AGD speak to audit committee chairs at our end-of-year forum about the implementation of the new Rule.

Parliamentary committee and Auditor-General recommendations seek to address risks identified through inquiries and audits. We aim to provide assurance on the implementation of these recommendations by auditing entities’ implementation of them.

Audit and risk committees are required to provide independent advice on entities’ systems of risk oversight/management and internal controls — therefore, complete and regular reporting helps provide them with visibility over how risks are being managed. Providing audit and risk committees with evidence-based ‘closure packs’ for completed parliamentary committee and Auditor-General recommendations is a valuable approach to support their role and function.

If recommendations have been addressed to your entity, you may wish to consider the following:

• For parliamentary committee recommendations, entities can support government by advising ministers on the requirements and best practice on the form and timing of responses, and by monitoring compliance with required timeframes. 
• For parliamentary committee and Auditor-General recommendations, entities can support accountability and integrity by establishing fit for purpose and proportionate implementation planning for agreed recommendations, monitoring implementation, and closing recommendations on the basis of robust evidence that the intent of the recommendation has been met.

We recently tabled a performance audit report on the implementation of select parliamentary committee and Auditor-General recommendations in the indigenous affairs portfolio.

Last issue, we mentioned that in December 2023 we published our integrity framework, and a report against it, for the first time. As an update, our latest Integrity Framework 2024–25 and Integrity Report 2023–24 were published in November 2024.

The integrity framework continues to provide structure to our integrity control system and helps us with ethical decision making, risk, fraud, and misconduct management. While it is focused on our purpose as the external auditor for the Commonwealth, those of you considering developing your own integrity framework may benefit from reviewing ours. The integrity report identifies integrity-related matters and risks, as well as controls that have been implemented in the framework to manage potential integrity issues. We’re very happy to talk to entities about the process we used to develop our integrity framework three years ago, and what we’ve learned along the way. Reach out if you’d like to touch base on this.