Welcome to the third edition of the ANAO’s Audit Matters newsletter. The purpose of Audit Matters is to provide updates on the ANAO’s work and provide insights on what we are seeing in the Australian Government sector.

Audit Matters complements the range of reports we table in the Parliament as well as our insights products and events and seminars. I hope you find it useful and please forward it on to your colleagues, and encourage them to sign up for future editions.

Rona Mellor PSM, Deputy Auditor-General

ANAO activity in the lead up to a federal election

As I’m sure you know, the federal election has been called and the 47th Parliament has been dissolved. The government is now in a caretaker mode and, by tradition, does not make major decisions except in consultation with the opposition.

There are established practices associated with the caretaker conventions that aim to protect the apolitical nature of the public service and avoid the use of Commonwealth resources in a way that advantages a particular party. While these conventions will inevitably have an impact on your entities’ operations until the 48th Parliament commences, it’s important to understand that it’s “business-as-usual” for the ANAO during the caretaker period. Our audit work will continue, which means that existing audits will stay active and new audits will be commenced. We can also continue to table audit reports out of session by presenting reports to the President of the Senate when the Senate is not sitting under Senate Standing Order 166.

Accountable authorities will continue to be provided with embargoed copies of audit reports two business days before tabling, as will ministers and the Prime Minister — who all retain their positions throughout the caretaker period. Leaders of all other parties, independent members of the Parliament, and shadow ministers will also continue to be notified of audit reports after they are tabled.

It’s important to remember that confidentiality requirements must be upheld during the caretaker period, and that entities cannot share report preparation papers, section 19 reports or extracts from these documents without the written approval of the Auditor-General.

Freedom of information

Freedom of information (FOI) is an important component of democratic government that helps ensure a level of transparency for citizens by providing them the right to access government-held information. However, in the conduct of their duties, the Auditor-General, and the ANAO by extension, are exempt from FOI requests. This means the ANAO is not required to provide any information requested under the Freedom of Information Act 1982 (FOI Act), including audit information as well as information and data the ANAO collects from entities through its conduct of audits.

Audit-specific information and correspondence exchanged between the ANAO and audited entities for the purposes of ANAO audit work is also exempt from FOI requests, so if you receive a request for audit-related material — including (but not limited to) audit work plans, report preparation papers, draft reports or draft report extracts, and emails between the ANAO and your entity — you need to advise the FOI applicant that such material is exempt under the FOI Act and not provide them with that material. Failure to maintain the exemption across ANAO material may contravene confidentiality obligations under section 36 of the Auditor-General Act 1997.

It's important to remember that any information or data owned by your entity is not covered by the ANAO’s exemption, even if the ANAO obtains that information or data throughout the course of an audit. Requests to release such information will need to be considered by your entity in accordance with your established FOI processes.

If your entity receives an FOI request that encompasses any ANAO information or documents, please let us know by emailing ag1@anao.gov.au or by submitting a message through our website. We will be happy to consult with you on the matter.

Artificial intelligence

Artificial intelligence (AI) is a hot topic at the moment across all industries and sectors. It is already having an impact on the operations of many businesses, and its use in the public sector is increasing.

Last month, we published our AI transparency statement which outlines the ANAO’s approach to AI adoption, the AI tools we use, our governance of AI, as well as our compliance with AI legislation and policies. Like audit offices across the world, we are seeking to examine how AI can improve our audit processes without compromising the human judgement and scepticism that are necessary for effective auditing.

In the previous edition of this newsletter, I mentioned we are entering the auditing of AI by focussing on governance, and I’m pleased to share the findings of our performance audit into governance of AI at the ATO. The ATO defines AI models as ‘algorithms designed to mimic or surpass human intelligence and make predictions based on data; and that use mathematical, statistical or machine learning techniques trained on extensive datasets to process and analyse information’. The ATO’s primary use of AI involves models that it developed in-house (alongside publicly available generative AI tools that it has assessed as low-risk), and it uses AI in a variety of contexts. It also has plans to expand its AI use over the coming years and has committed to the ethical and lawful adoption of AI.

Our audit found that the ATO has partly effective arrangements in place to support its adoption of AI — including arrangements for governance; design, development and deployment; and monitoring, evaluating and reporting. It also found that the ATO is adapting its current arrangements and introducing new arrangements to support its adoption of AI. The report includes seven recommendations directed to the ATO to address our findings, and I encourage you to take a closer look at these as well as the report itself.

The JCPAA has also released the report of its inquiry into the use and governance of AI systems by public sector entities. It made four recommendations including introducing and updating legislation to better govern AI use, considering the establishment of mandatory rules and governance requirements for public sector AI use, adding questions to the APS Employee Census that capture public servants’ understanding of AI and emerging technologies, and establishing a statutory joint committee on artificial intelligence and emerging technologies, to name just a few. The report’s findings and recommendations are relevant across the public sector, and I encourage you to read it in full.

JCPAA inquiry into public sector IT procurement and projects

Continuing on the theme of JCPAA inquiries, the report of the inquiry into public sector IT procurement and projects has also been released. The scope of the JCPAA inquiry encompassed four Auditor-General reports:

  1. Procurement of the Permissions Capability
  2. Administration of the Parliamentary Expenses Management System
  3. Establishment of the Workforce Australia Services Panel
  4. Design and Implementation of the Australian Apprenticeships Incentive System

Findings from the inquiry highlight capability, planning, and management shortfalls leading to poor results for Commonwealth entities entering into external IT contracts. As a result of the JCPAA’s concerns for the future of public sector IT procurements and the need for capability building that addresses these concerns, recommendations called for improved guidance and policy documents on developing IT-specific procurement plans, and on ensuring entities’ capability to effectively undertake IT projects.

Procuring and maintaining critical IT infrastructure is a core part of running any public sector entity, and I encourage you to read the JCPAA’s report.

Insights — management of corporate credit cards

We recently published a new Audit Lessons product on the management of corporate credit cards. It shares six key lessons learned from four recent performance audits on credit card compliance and other relevant audits over the past five years.

  1. Compliance with credit card requirements by senior executives sets the tone for the entity.
  2. Controls to prevent and detect credit card non-compliance are needed to address risks.
  3. Policies and procedures should be fit-for-purpose and make it straightforward for staff to do the right thing.
  4. Credit card training can improve levels of compliance.
  5. Transaction approvers should be in a position to exercise independent judgement.
  6. Internal audits and reporting on credit card compliance can assist with ongoing assurance and improvement.

I encourage anyone who works in financial management, or who otherwise has a governance role with responsibility for the management of corporate credit cards, to read through this edition of Audit Lessons closely. I also encourage all SES officers to read through and internalise these lessons — it’s important that we, as leaders, model integrity in credit card compliance and set the tone from the top.

2023–24 Major Projects Report

Since the previous edition of this newsletter, we’ve released three major audit products — the first of these is our major projects report (MPR) for 2023–24. Commissioned by the JCPAA, the MPR informs parliamentary scrutiny and the national conversation on major Defence acquisitions.

With responsibility for managing the process of bringing new specialist military equipment into service for the Australian Defence Force, Defence was managing 568 major and 99 minor acquisition projects costing $245 billion at 30 June 2024. The major projects included in the latest MPR represent a selection of the most significant major projects (21 in total with a combined budget of approximately $81 billion) and Defence is expected to prepare project data summary sheet (PDSS) information in accordance with JCPAA-endorsed guidelines for the ANAO to review.

The ANAO provides limited assurance to the Parliament as to whether Defence prepared the PDSSs in accordance with the guidelines, and for 2023–24 the Auditor-General concluded that nothing came to her attention that caused her to believe the information reviewed was not prepared in accordance with the guidelines — with one exception, relating to the way Defence disclosed “lessons learned” as required in the MPR guidelines.

The Auditor-General also drew attention to the fact that some information in 20 PDSSs had not been published due to Defence’s assessment that it could reasonably be expected to cause damage to the security, defence or international relations of the Commonwealth. This reduces the level of transparency and accountability to the Parliament and other stakeholders. I encourage you to take a look at the MPR in full, particularly the Auditor-General’s independent assurance report at part 3. The JCPAA typically conducts an inquiry into the MPR, so we expect it will do so once the new Parliament commences.

Financial statements and performance statements audits for 2023–24

Our second and third major audit products consist of our report on the financial statements audits of Australian Government entities and our report on performance statements in the Commonwealth — both for the 2023–24 financial year.

Our financial statements audits report provides a summary of the final results of our audits of the consolidated financial statements for the Australian Government and the financial statements of Australian Government entities. As at 9 December 2024, the ANAO issued 240 unmodified auditor’s reports with a total of 214 audit findings and legislative breaches reported to entities. These findings consisted of six significant findings, 46 moderate findings, 147 minor findings, and 15 legislative breaches. The number of findings increased across all categories compared to 2022–23 (which saw 200 findings) except for significant findings, of which there were nine in 2022–23.

There were some common themes across our audits:

  • IT controls remain a key issue — 43 per cent of all audit findings related to the IT control environment (particularly IT security) and three significant findings remained unresolved at the conclusion of our audits
  • legislative breaches arise from incorrect payments made to key management personnel — 53 per cent of legislative breaches related to incorrect remuneration payments and/or non-compliance with determinations made by the Remuneration Tribunal. Ongoing findings from our audits indicate payroll controls and governance for key management personnel could be improved
  • annual report tabling timeliness improved — 90 per cent (compared with 66 per cent in 2022–23) of entities required to table an annual report in the Parliament did so prior to the date that the portfolio’s supplementary budget estimates hearing commenced
  • quality of financial statements improved — the total number of adjusted and unadjusted audit differences decreased during 2023–24 (although 40 per cent of audit differences remained unadjusted by entities)
  • the use of AI in Commonwealth entities is increasing — 56 entities used AI in their operations (compared with 27 entities in 2022–23), typically for research and development activities, data and reporting, and IT systems administration
  • assurance over cloud computing arrangements could improve — 89 per cent of entities used cloud computing arrangements (primarily software-as-a-service arrangements), however 82 per cent of entities did not have policies or procedures in place to provide assurance that providers had implemented appropriate controls over the security, privacy, integrity and availability of entity information held under these arrangements

Our performance statements audit program continues to expand each year, and in 2023–24 we conducted audits of the annual performance statements of 14 Commonwealth entities (an increase from 10 entities in 2022–23). Performance information is important for public sector accountability and transparency, as it shows how taxpayers’ money has been spent and what the spending has achieved. Having access to performance information also enables entities to understand what is working and what needs improvement, and is essential for good management and the effective stewardship of public resources.

The results from our 2023–24 performance statements audits were mixed, with nine of the 14 entities receiving an auditor’s report with an unmodified conclusion, and five receiving a modified audit conclusion that identified material areas where users could not rely on the performance statements, but the effect was not pervasive to the performance statements as a whole. We identified two broad reasons for the modified audit conclusions:

  1. performance statements were not complete — they did not present a full, balanced and accurate picture of the entity’s performance as important information had been omitted
  2. insufficient evidence — the ANAO was unable to obtain enough appropriate evidence to form a reasonable basis for the audit conclusion on the entity’s performance statements

A total of 66 findings were reported to entities comprising 23 significant, 23 moderate and 20 minor findings. The significant and moderate findings fall under the following themes:

  • accuracy and reliability — entities could not provide appropriate evidence that the reported information was reliable, accurate and free from bias
  • usefulness — performance measures were not relevant, clear, reliable or aligned to the entity’s purposes or key activities, and so may not present meaningful insights into the entity’s performance or support entity decision making
  • preparation — preparation processes and practices for performance statements were not effective, including timeliness, record keeping and availability of supporting documentation
  • completeness — performance statements did not present a full, balanced and accurate picture of the entity’s performance, including all relevant data and contextual information
  • data — inadequate assurance over the completeness, integrity and accuracy of data, reflecting a lack of controls over how data is managed across the data lifecycle

Our financial statements and performance statements audit reports contain findings that all entities can learn from and apply in their own operations, and I encourage you to read through both of them.

Further, I would recommend that your entity’s Chief Financial Officer or officials involved in governance or performance reporting attend the ANAO’s Financial and Performance Reporting forum on 27 June 2025. At the forum, the ANAO and other Commonwealth entities will present on key insights in the sector.

A copy of the material from the previous forum held on 29 November 2024 is available on our website. If you have any questions regarding the forum, please contact our External Relations team.

Engaging with the ANAO

We are always happy to share our insights and lessons to help to improve public administration and to educate entities about the ANAO’s audit processes. If you would like senior ANAO staff to come and speak to your executive board, SES cohort or other groups of staff, please discuss this with your ANAO audit contact or reach out to engagement@anao.gov.au.