The ANAO is exploring how AI may be used to improve business operations by enhancing efficiency, while ensuring quality and transparency in decision-making.

Currently the ANAO’s security policies limit the use of publicly available generative AI (for example, ChatGPT, Bing AI and other large language models). The security policies are supported by a guideline that explains to staff their obligations and states that AI cannot be used in audit.

Like audit offices around the world, the ANAO is seeking to examine how generative AI can improve the audit process itself, in a profession where human judgement and scepticism are foundations in auditing standards. This work will progress through monitoring trends and learning from experiences of those within the international public sector audit community over coming years.

Currently, the ANAO uses two applications that incorporate AI. These applications are:

• Nuix — Nuix is an eDiscovery tool used to search large unstructured data sets. One of its features uses AI to identify shapes and words in images. The ANAO has been using Nuix prior to the introduction of this AI function and does not view the AI-powered image search as a risk.
• Adobe Acrobat — The latest version of Adobe Acrobat includes an automatic form-filling function, which cannot be disabled. Given its limited use, this feature is considered low risk.

The ANAO actively monitors proposed changes to installed software within the IT environment, specifically for the introduction of new AI functions, to identify any potential risks before the software update is installed.

The ANAO does not use AI tools that interact with the public and considers the limited use of AI within the organisation to have a low impact on the public. Noting this assessment, no additional protections have been implemented with respect to public impact and protection.

The Executive Board of Management (EBOM) is the ANAO’s primary governing body. EBOM approves policies for and oversees the use of AI. If the ANAO decides to invest in an AI tool, the tool will be developed and deployed as part of a formal project that will consider the risk and benefit of any such tool and agree risk mitigations and controls that may be required. Any project of this nature will be reviewed by a sub-committee of the Executive Board of Management (EBOM) and approved by EBOM. An EBOM review will include both formal risk assessments and benefits realisation plans.

Any AI application identified or implemented is placed on a register and reported to the IT Strategic Committee. 

The ANAO has issued guidelines on the use of publicly available generative AI and is currently drafting an AI policy. This AI policy is expected to be finalised and approved by EBOM in March 2025.

The ANAO complies with all relevant legislation and has not identified any breaches in the use of AI.

The ANAO has:

• implemented all elements of the Digital Transformation Agency policy;
• appointed the Chief Operating Officer and Chief Digital Officer as the accountable officers for AI within the ANAO; and
• informed all staff of the appropriate use and risks associated with the use of generative AI through an internal communications and training program.

Approved for publication by Dr Caralee McLiesh PSM, Auditor-General for Australia