Auditor-General's Update

• The ANAO published the ANAO Corporate Plan 2023-24 and 2023-24 Annual Audit Work Plan (AAWP) on 6 July 2023.
• In addition to the annual program of mandated financial statements audits, the Annual Audit Work Program 2023–24 includes: 95 potential performance audit and assurance review topics; details about in-progress performance audit and assurance work; and information on the program of audits of annual performance statements.
• The AAWP considers key features impacting the public sector operating environment including shifting priorities in the public sector, such the APS reform agenda and an increased focus on stewardship and integrity. The 2023–24 work program will continue to focus on core government activities such as procurement and contract management, service delivery and grants.
• The ANAO will also look to increase its focus on the National Disability Insurance Agency, topics related to climate change and the environment, as well as commencing a series of audits relating to Defence's implementation of the Defence Strategic Review.
• Ethics continues to be a focus for the ANAO. Audits identify that public servants, when meeting the requirements set out in rules, should also meet the intent of the rules frameworks. Acting ethically is a requirement of the PGPA Act and the Public Service Act. Entities are encouraged to read recent ANAO audits with an ethics/probity focus.
  • Auditor-General Report No. 31 of 2022-23: Administration of the Community Health and Hospitals Program
  • Auditor-General Report No. 30 of 2022-23 Probity Management in Financial Regulators – Australian Prudential Regulation Authority
  • Auditor-General Report No. 36 of 2022-23 Probity Management in Financial Regulators – Australian Securities and Investments Commission
  • Auditor-General Report No. 38 of 2022-23 Probity Management in Financial Regulators – Australian Competition and Consumer Commission
• Probity and integrity are also a Parliamentary focus. The JCPAA recently launched an inquiry into probity and ethics in the Australian Public Sector.
• The ANAO is continuing to see shifts in use of technology and data with movements towards artificial intelligence (AI). The ANAO is looking at audit processes around AI as well as the potential for the use of AI in its audit work.
• The Joint Committee of Public Accounts and Audit has recently published the following reports:
  • Report 494: Inquiry into the Department of Foreign Affairs and Trade's crisis management arrangements (March 2023)
  • Report 495: Inquiry into Commonwealth grants administration (June 2023)
  • Report 496: Inquiry into the Defence Major Projects Report 2020-21 and 2021-22 and Procurement of Hunter Class Frigates (June 2023)
  • Report 497: Inquiry into Commonwealth Financial Statements 2021–22 (June 2023)
• The ANAO continues to refine its Audit Insights products. Feedback from the sector included the addition of case studies in future insights products.

Performance statements update

• The ANAO is currently in the second year of the performance statements audits program following a two-year pilot. The current program consists of 10 audits with an to increase to 14 audits in 2023-24.
• To date, the ANAO has taken an educative approach with entities, particularly entities going through the program for the first time. The focus has been on ensuring entities build a good understanding of the Commonwealth performance framework and informing entities on how to develop informative performance measures.
• Incentives need to be appropriate to support meaningful reporting. There have been some instances of entities removing qualified measures instead of working to improve the performance information.
• Moving into 2023-24, the ANAO will be taking more of a top-down approach to performance statements by reinforcing the purpose of the PGPA ACT 2013. There will be additional focus on the purpose and key activities of entities as well as the notion of meaningful and complete information.
• As the program matures, it is expected that the ANAO will begin to see a reduction of effort and resourcing required by entities, particularly those entities that have been in the program for several years and have matured their reporting frameworks.
• There is continued engagement with the Performance Statements Audits Expert Advisory Panel. The Panel provides strategic advice to the ANAO on the annual performance statements audit program to improve the quality and reliability of performance reporting in the Commonwealth.
• The ANAO recently published an Audit Insights product, Reporting Meaningful Performance Information.

ANAO insights on Cyber and IT General Controls
Cyber Insights

• The ANAO recently published an Audit Insights product on Cyber Security showcasing case studies of good practice in this area.

• Audit Committee Chairs are encouraged to consider the following:
  • Decide what, when and how much to protect.
    • There are instances of entities being unable to advise what their critical assets are.
  • Regularly assess performance of security controls.
    • Entities establish controls to mitigate risk but often they don't check if controls are in place and operating effectively.
  • Monitor contractor performance.
    • Are contractors doing what they are engaged to do, particularly when it comes to your security processes?

IT General Controls

• User access removal continues to be a concern. We are still seeing instances of user access not being removed when staff or contractors cease employment with an entity. Instances of unauthorised users logging on to systems post-employment have also been identified.
• Issues with the management and monitoring of privileged users continue to be identified.
• Change management processes are generally robust across the sector. However, several findings related to instances of change management breakdowns have been identified in the ANAO's Interim Report on Key Financial Controls of Major Entities.
• Entities should note that as technology changes so may the IT controls required to provide assurance your systems are operating as intended.

Emerging risks from data panel discussion

• The Department of Finance (Amy Fox, First Assistant Secretary) facilitated a panel discussion on emerging risks from data. Panellists included Lesa Craswell (Acting GED, ANAO), Sally Hill (AS, Office of the National Data Commissioner), and Ryan Black (Head of Policy and Research, Tech Council of Australia).
• Key messages for Audit Committees to consider included:
  • Commonwealth entities need to be aware of the value of data and how data can be used to achieve outcomes efficiently and effectively.
  • The governance of data needs to incorporate more than protective controls and safeguarding of data held by agencies.
  • Key questions for entities to ask around the governance of data includes:
    • What is the data being used for?
    • Who is the person(s) that has the holistic view, skills, and knowledge to oversee data?
    • Who is the agency currently sharing data with?
• There is a growth in generative artificial intelligence (AI). For example, text-based software such as ChatGPT, and image and code-based generative AI. There is a trend of incorporating generative AI within existing software which enables the generative AI to act as a 'co-pilot'. Many of these tools are used extensively within the public and private sector (for example, Microsoft Office 365).
• Agencies should create a culture where trialling and testing data and systems is safe, including allowing trials to fail and planning for data failures.
• Agencies should also take care to properly document their decision making around data and the reasons why decisions were taken.
• There has yet to be legislative change in the governance of AI, however, AI is not exempt from pre-existing legislation, such as the suite of Australia's anti-discrimination laws.
  • The private sector operates in a global market and within global data frameworks and has growing concerns that creating bespoke Australian requirements could result in frameworks which are out of step with international standards.
• The public and private sectors are experiencing recruitment challenges in the technology field. The Tech Council reported that across the economy there is an eight per cent growth in technology jobs.
• It is important for organisations to consider their workforce capabilities in data and digital skills, including incorporating data and digital skills into learning and development plans. Many workers in the data and digital field are mature age and reskilling from other parts of the economy.
• The Office of the National Data Commissioner has commenced the DATA Scheme. Under this scheme, accredited users can request Australian Government data from a data custodian. Agencies must respond to these requests. If a decision is taken to deny access to data a response, outlining the reason why the request was denied, must be providing within 30 days. Further information can be found on the Office of National Data Commissioner's website: https://www.datacommissioner.gov.au/the-data-scheme.
• The ANAO is undertaking an information gathering piece of work and will be requesting information from agencies about their use of AI and governance frameworks.
• The Office of the National Data Commissioner has launched a data inventory project to support Commonwealth entities to undertake a stocktake of their data assists. Information about the project can be found on the Office of the National Data Commissioner's website: https://www.datacommissioner.gov.au/find-data.

Financial Reporting update

• Audit-cleared accounts are due to be submitted to the Department of Finance by 15 August 2023 for material entities and 31 August 2023 for other entities. These submissions support the preparation of the Australian Government's Final Budget Outcome and Consolidated Financial Statements (CFS).
• The supplementary reporting pack (SRP) is due to the Department of Finance (Finance) by 17 August 2023 for material entities and 31 August 2023 for other entities.
• Staffing shortages and capability remain an ongoing pressure for the accounting and finance profession in the Australian Public Service.
• Finance has launched a new webpage containing resources for the accounting and finance profession in the Australian Public Service, including links to relevant legislation, guidance and other career related materials.

Emerging data requirements for entities

• The Australian Government has released an initial Data and Digital Government Strategy outlining its vision to deliver simple, secure and connected public services for all people and business through world class data and digital capabilities.
• The initial Strategy includes commitments and expectations of APS agencies to help achieve the Strategy's missions and drive progress towards its vision.
• Public consultation on the initial strategy is underway. A final Data and Digital Government Strategy and Implementation Plan are expected to be released by the end of 2023.