• Dr Caralee McLiesh PSM, Auditor-General for Australia addressed the Audit Committee Chairs Forum. A summary of the key points from her presentation is below.
• Audit committees play a critical role in supporting better performance of agencies. The ANAO and audit committees often have complementary functions in providing oversight and accountability of government activities.
  • Audit committees can have a direct impact on improving performance at individual agency level by providing advice to senior management and also improve government services across the breadth of public sector activities.
• Dr McLiesh spoke about four key strategic areas of interest guiding her perspective as she commences her term as the Auditor-General.

1. Lifting government performance. This relates to the ANAO’s core purpose – supporting accountability and transparency through independent reporting to the parliament and therefore contributing to improved public sector performance. What can we do to best achieve this? How can we support the Parliament to drive transparency and accountability? How do we work best with audit entities? The ANAO has a unique sector-wide perspective and we can look across portfolios, look over time, and identify themes and the areas where we can target and work with the sector to drive improved performance.
2. Transparency. Transparency is a foundation of accountability. It is at a risk of eroding and the role of the Auditor-General and the Audit Office is to improve transparency and act a safeguard against a lack of transparency.
3. Innovation. The public sector environment is rapidly changing with new technologies, more complex services, rising community expectations, and changing geopolitics. How does the sector adapt? What is the role of artificial intelligence and the automation of government services? What does this mean for the future of the audit function?
4. Institutional settings. Institutional checks and balances in government are as important as they have ever been. The role of Auditor-General is as a steward of the institution and of the office of the ANAO. The ANAO’s function relies on its independence and its powers and these need to be protected and enhanced where appropriate, but operating independently does not mean operating in isolation.

• Carla Jago, Acting Deputy-Auditor General, delivered a presentation on emerging lessons from the ANAO’s Audit Program. A summary of the presentation is below and a copy of the speech is available from the related documents section of the website. 

Performance audit

• The 2024-25 Annual Audit Work Program (AAWP) is underway—13 performance audits have been tabled since the start of the 2024-25 financial year. This financial year, the ANAO is expected to table a total of 48 performance audits.
• Planning for the 2025-26 AAWP has commenced and consultation with entities and the Joint Committee of Public Account and Audit is expected to occur in March 2025.
• In 2024, the ANAO published two information reports—the Performance Audit Outcomes Information Report, and the COVID-19 – ANAO Audit Activity Information Report.
• The Performance Audit Outcomes Information Report is the first tabled report on this topic and follows a similar approach to a mid-term report that was produced by Grant Hehir, former Auditor-General for Australia, in 2020. The Performance Audit Outcomes Information Report analyses performance audit outcomes from 2019–20 to 2023–24 with a particular focus on 2023-24.
  • The key themes and issues emerged from the performance audits that were conducted into planning and implementation, evaluation, procurement and contract management, and cyber security activities. Findings from these performance audits can provide indicators of areas of risk to integrity, probity and ethics, including where action may be necessary to avert systemic issues.
    • Six performance audits were tabled focusing on compliance with selected public service legislative and policy requirements for credit cards and gifts, benefits and hospitality.
    • From 2019-20 to 2023-24, 36 performance audits of procurement and contract management were conducted. 53 per cent were found ‘not effective’ or ‘partly effective’. The key lessons emerged from the audits includes using appropriate expertise during processes; being transparent in decision making; demonstrating value for money; acting ethically; and maintaining good records.
• The ANAO observed that all 45 performance audits tabled in 2023-24 had record keeping issues on how decisions are made.
• The COVID-19 – ANAO Audit Activity Information Report focused on the lessons from the 13 performance audits and reviews undertaken by the ANAO under our COVID-19 multi-year audit strategy. It includes a span of 12 entities across 10 portfolios with 41 recommendations made.
• The key themes that emerged from the audits were the importance of establishing appropriate governance arrangements and proactively managing risks; systems and controls often were not adequate to deals with demands of rapid implementation; the need for comprehensive and up-to-date crisis management frameworks; and the importance to incorporating and actioning lessons learned from the experience.
• The report also mentions the limited assurance reviews conducted by the ANAO over the Advances to the Finance Minister from April 2020 to October 2020. The ANAO examined a total advance of $1.974 billion issued in 2019–20 and $1.673 billion issued in 2020–21 to 30 October 2020. The Auditor-General issued unmodified conclusions for all seven assurance reviews.
• Another performance audit of interest for audit committee chairs is the audit of the Implementation of Parliamentary Committee and Auditor-General Recommendations which was tabled on 20 November 2024.
  • Parliamentary committee and Auditor-General recommendations seek to address risks identified through inquiries and audits. Audit committees are required to provide independent advice on entities’ systems of risk oversight and management of internal controls. Complete and regular reporting to audit and risk committees on the implementation of recommendations, including evidence-based closure packs for completed parliamentary committee and Auditor-General recommendations, gives audit and risk committees visibility over how risks are being managed. This assists audit and risk committees to perform their functions.
• Some aspects audit committees may wish to consider in relation to recommendations addressed to your entity include: 
  • For parliamentary committee recommendations, Australian Government entities can support government by: advising ministers on requirements and better practice for the form and timing of responses to parliamentary committee reports; and monitoring compliance with required timeframes; and
  • For parliamentary committee and Auditor-General recommendations, Australian Government entities can support accountability and integrity by: establishing fit-for-purpose and proportionate implementation planning for agreed recommendations; monitoring implementation; and closing recommendations on the basis of robust evidence that the intent of the recommendation has been met.

Financial statements – end of year report

• The Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2024 is expected to be released soon.
• The report highlighted that there is room for improvement in relation to the robustness of IT controls, assurance over cloud computing arrangements, policies and reporting of official hospitality and also artificial intelligence.
• For cyber security and IT controls, the ANAO’s reporting continues to draw attention to low levels of maturity in relation to IT controls, particularly in relation to IT security and the Protective Security Policy Framework (PSPF).
• The report also has a focus on official hospitality. The ANAO found that some entities did not have policies or procedures. Entities with higher level of exposure to provision of official hospitality need to consider implementing or enhancing compliance reporting arrangements.
• The ANAO looked at the adoption of artificial intelligence (AI) and found an increase in the adoption of AI across entities. There are now 62 agencies employing this technology. Around half of the entities have established AI policies and procedures, with around 20 per cent specifying whether any additional assurance mechanisms were needed.
  • The Digital Transformation Agency has recently released a policy around the responsible use of AI in government and that establishes some requirements for accountability and transparency, mainly for non-corporate entities.
• In relation to audit committees, we observed that audit committee member rotation could be more closely considered – most entities rotated members, but this was not formalised in policy or the audit committee charter. A policy should balance the need for continuity and experience against the need for objectivity of membership.
• In the report, the ANAO also identified that 53 per cent of legislative breaches identified in the 2023-24 Financial statement audits were related to incorrect payment of remuneration to key management personnel (KMP) or non-compliance with determinations made by the Remuneration Tribunal.
  • It is really important that entities have a robust framework in place to govern payments made to KMP to ensure that the payments are consistent with both policy and legislative requirements. The ANAO insights product on Executive Remuneration can assist entities with this issue.
• The ANAO have identified that most entities have adopted cloud computing arrangements in their IT environment. While the services might be outsourced, both the Information Security Manual (ISM)and the PSPF indicate that mitigating risks and oversight of the effectiveness of controls remains the responsibility of the entity which can’t be outsourced. 

Performance statements audit

• The 2024-25 reporting period marks the tenth year of the requirement for an accountable authority of a Commonwealth entity to prepare annual performance statements.
• In 2024, the ANAO completed the audits of 14 entities’ performance statements. As in previous years, these audits further tested the ANAO’s performance statements audit methodology. Entities have generally engaged well with the audit process with first year auditees better prepared for the audit than in previous years.
• The ANAO’s audit of performance statements has seen improvement in the quality of entities’ performance statements. Entities that have been in the program in prior years are most mature in their performance planning and reporting processes.
• An area of ongoing challenge for entities is to devise and to implement an entity-wide performance framework. This framework will assist entities to structure their performance information—purposes, key activities and performance measures—and determine how this structure should change over time.
• The ANAO continues to build its program of work in auditing performance statements with 21 entities audited in 2024–25 and we will continue to refine our performance statements methodology. 

Public sector engagement

• The ANAO has sought to improve the way it communicates with public sector entities and provide greater insights into our work.
• The ANAO has developed a new quarterly newsletter called Audit Matters (subscribe here). The newsletter is to provide update and insights on what we're seeing across the sector.
  • The first edition was published and distributed on 2 September 2024. it provides a summary of our recent work, including the work around integrity, probity and ethics, grants administration and performance measurement and reporting.
• The ANAO also regularly publishes its ‘Insights’ products (Audit Lessons, Audit Opinion, and Audit Practice) which aim to communicate key lessons to the public sector from our audit work and to support entities to better understand our audit work.
• Recent Insights publications include:
  • Audit Lessons – Gifts, Benefits and Hospitality, published on 29 October 2024 provides an overview of key issues found in gifts, benefits, and hospitality in entities and provides seven lessons aimed at improving compliance in this space. Audit Practice – Performance Audit Process, published on 6 November 2024, aims to help entities better understand the processes involved with a performance audit. 

Parliamentary engagement

• The Joint Committee on Public Accounts and Audits (JCPAA) has commenced an inquiry into the use and governance of artificial intelligence (AI) systems by public sector entities. The ANAO has made a submission to this inquiry which can be found on the committee’s website.
• There are several other JCPAA inquiries underway, including into contract management frameworks operated by Commonwealth entities and into the administration of Commonwealth regulations.

• Jane Meade, Group Executive Director, Professional Services Group, ANAO delivered a presentation on financial areas for audit committee considerations. The two areas which were discussed included issues related to contingent liabilities and prior period reporting errors.
• Contingent liabilities – recognising provisions versus disclosing contingent liabilities
  • A provision is a type of liability where there is some uncertainty as to the timing or amount of payment that’s going to be made in the future. To recognise any sort of liability you need to have a present obligation that has come from a past event and it must be probable that there will be a payment in the future.
  • The issue we saw this year was with a number of entities asserting that they couldn't make a reliable estimate of the obligation and therefore they didn't recognise a liability in their financial statements. Instead, the entities disclosed that they had a contingent liability. Under accounting standards, it is expected that there will only be extremely rare cases where a reliable estimate cannot be made.
  • It is important to remember that a provision is an estimate by nature. Estimates are an essential part of the preparation of financial statements and the uncertainty that is inherent in an estimate doesn’t undermine the reliability of those financial statements. Disclosure requirements allow the entity to be transparent about the uncertainties and the assumptions used in calculating the estimate.
  • Where an entity discloses a contingent liability because they believe a reliable estimate cannot be made, audit Committees should consider asking why that is the case and whether the uncertainty can be dealt with in the estimation process.
• Prior period errors
  • A prior period is when either the entity or the auditor identify that there was a material error in the prior year financial statements. When this occurs, the entity is required to make a restatement in the financial statements. This results in the prior year numbers being restated to reflect the amount that it should have been.
  • In some cases, auditors may determine that it's appropriate to use an emphasis of matter paragraph to highlight the disclosure. This is not a qualification.
  • This year, to increase internal transparency around this area the ANAO revised its consultation policy.
  • Prior period errors and restatements are a potential indicator of quality issues in both preparation and audit processes. There were around 40 prior errors identified across the range of financial statements audits.
  • The ANAO is undertaking a root cause analysis to determine if there is a risk to audit quality from these errors.

2023-24 Financial Reporting

• The Final Budget Outcome was tabled in Parliament on 30 September 2024. The 2023-24 Consolidated Financial Statements were signed by the Finance Minister on 28 November 2024 and are expected to be tabled in mid-December 2024.

Conflict of Interest & Confidentiality Review

• An update was provided on the management of conflicts of interest and confidentiality. Members discussed opportunities, challenges and enhancements in managing conflicts of interest and confidentiality with the non-government sector.

• Joanna Virtue, Assistant Secretary, Fraud Prevention and Anti-Corruption Branch, Attorney-General’s Department delivered the keynote address on the new Commonwealth Fraud and Corruption Control Framework. The following section is a summary of the speech. A copy of the presentation is available on the related documents section of this webpage.
• The Commonwealth Fraud and Corruption Control Framework was implemented on 1 July 2024 and is designed to support all Commonwealth entities to effectively manage fraud and corruption risk. It is part of the package of reforms by the Australian Government which aims to strengthen integrity in the Australian public service.
• Audit Committee Chairs will play a role in supporting the accountable authority to implement the framework within Commonwealth entities.
• The Commonwealth Fraud and Corruption Control Framework is an element of the Commonwealth’s finance law under the Public Governance Performance and Accountability (PGPA) Act 2013 which establishes a coherent system of governance and accountability for public resources, including protecting those resources from risk.
• There are three key parts of the Commonwealth Fraud and Corruption Control Framework:
  • Fraud and Corruption Rule - Section 10 of the Public Governance, Performance and Accountability Rule 2014;
  • Fraud and Corruption Policy - Sets out the requirements for specific areas of fraud and corruption control; and
  • Fraud and Corruption Guidance - Resource Management Guide No. 201: Preventing, detecting and dealing with fraud and corruption
• The significant change in the Fraud and Corruption Rule is the inclusion of corruption. Accountable authorities of Commonwealth entities must now take steps to prevent, detect, and deal with corrupt conduct. This complements the prevention and investigation function of the National Anti-Corruption Commission.
• There are also new clauses which require entities to periodically review the effectiveness of fraud and corruption controls, have governance structures and processes to effectively oversee and manage the risk of fraud and corruption, and have officials to manage fraud and corruption.
• The Fraud and Corruption Rule sets the minimum standards for managing the risks and incidents of fraud and corruption within an entity. All Commonwealth entities must comply with these requirements in the rule.
• Non corporate Commonwealth entities must also implement the policy, and corporate and Commonwealth companies are strongly encouraged to implement the policy
• The core procedural requirements in the rule and policy can be implemented in a way that takes account of each entity’s unique operating context. The accountable authority must establish a system of internal controls which is fit for purpose. 
• The Commonwealth Fraud and Corruption Control Framework has a shift towards prevention which is achieved through the expanded and more prescriptive elements under the new Fraud and Corruption Policy, including:
  • targeted and rigorous fraud and corruption risk assessments;
  • control effectiveness reviews; and
  • governance arrangements.
• For audit committees, you will need to consider if the entity has appropriate arrangements in place to support the effective oversight and management of the entity’s fraud and corruption risks? You may wish to ask:
  • Has the entity documented:
    • the roles and responsibilities of officials, positions and internal governance bodies?
    • its approach to managing fraud and corruption – how did officials determine what are reasonable measures and appropriate mechanisms for the entity?
    • key decisions such as actions to take following on from an investigation?
  • Has the entity refreshed its enterprise risk assessment and considered targeted fraud and corruption risk assessments for higher risk activities?
  • Have the Accountable Authority Instructions been updated to ensure fraud and corruption risks are considered when developing new initiatives?
  • Has the entity implemented a program to review the effectiveness of fraud and corruption controls?
• The hidden nature of fraud and corruption makes it difficult to quantity the true cost. International comparatives suggest that 3% to 5.95% of government expenditure is lost to fraud or error.
• These international measurement exercises also suggest that we can expect to find fraud and corruption in all government entities and programs. However, the majority of Australian Government entities are not detecting any fraud or corruption each year.
• This leads to two misconceptions:

1. The first is that fraud is not a widescale problem for most government entities.
2. The second is that fraud is an outlier event and that when we find it, there has been a failure. This disincentivises entities to proactively look for fraud.

• The natural result of these misconceptions is that entities will not prioritise investment in preventing fraud and corruption until there is evidence that they are occurring
• If we are to build a stronger APS that embodies integrity in everything it does, we need to actively confront these misconceptions by:
  • improving reporting and increasing transparency around the levels of fraud and corruption we experience; and
  • celebrating efforts to find fraud and corrupt conduct.
• There are often ‘overlooked’ impacts of fraud and corruption:
  • Impacts the lives of vulnerable Australians.
  • Creates incentives for other crimes such as identify theft.
  • Hinders policy outcomes and reduces the quality of essential services.
  • Increases costs in delivering public services.
  • Erodes public trust in government and public services. 
  • Undermines the role of government and the integrity of public institutions.
• The Commonwealth Fraud Prevention Centre has a range of guides, toolkits and training available to support entities. Please visit the following website for more information: https://www.counterfraud.gov.au/.

• The Audit Committee Chairs Forum featured a panel discussion on fraud and corruption in the Commonwealth public sector. This followed the key note address and covered themes from the ANAO’s audits on fraud control arrangements, and related audits on topics such as conflicts of interest.
• The panellist included:
  • Joanna Virtue, Assistant Secretary, Fraud Prevention and Anti-Corruption Branch, Attorney-General’s Department;  Dr Ben Gauntlett, Deputy Commissioner, National Anti-Corruption Commission;
  • Tracey Carroll, First Assistant Secretary, Governance and Grants Division, Department of Finance; and
  • Michelle Page, A/g Group Executive Director, Australian National Audit Office (moderator).
• The panellists discussed a broad range of themes and issues related to fraud and corruption in the Commonwealth public service. Highlights from the panel discussion included:
  • Audit committees play a critical role in providing oversight of the approach towards and implementation of the new Commonwealth Fraud and Corruption Control Framework.
  • Audit committees should develop an understanding of the new Commonwealth Fraud and Corruption Control Framework and other new obligations, such as those under the National Anti-Corruption Commission Act 2022.
    • For example, the definition of corrupt conduct in the National Anti-Corruption Commission Act 2022 is broad and there are different referral pathways (mandatory and voluntary) which have its own obligations.
    • Audit committees should be aware of the conduct of non-public officials seeking to influence public officials.
  • Developing a positive culture within an entity is essential to appropriately manage fraud and corruption risks:
    • It is important to implement appropriate frameworks and policies within an entity and to ensure there is a culture that encourages engagement with these frameworks beyond a compliance-centric approach.
    • The results of the APS census can provide an insight into the values and behaviours of staff within an entity and can provide an indication of where staff values do not align to organisational values.
    • Finding fraud and corruption is a ‘good’. When instances of fraud and corruption are detected an entity can measure its impacts, implement better preventative controls, and manage the incident appropriately.
  • Measuring the impacts of fraud losses:
    • Quantifying the impact of losses to fraud and corruption can be difficult. Losses incurred due to fraud and corrupt activity go beyond the direct financial loss.
    • Fraud and corruption can lead to the erosion of public trust, exploitation of public programs and services, environmental damage, delay in the delivery of services, turn over of staff, reputational damage, and direct impact on individuals, particularly from vulnerable cohorts (for example instances of misuse of information in cases of domestic violence and identity theft).
    • Understanding the non-financial elements of fraud and corruption can lead to a better risk assessment and internal control measures.

Introductory comments

• Good morning everyone, and thank you George for the introduction.
• We have previously spoken about how we are in an environment of mixed trust in the public sector, and that audit committees play a pivotal role in the assurance and compliance activities of Commonwealth entities.
• In response to this environment today’s forum will feature an in depth look at fraud and corruption in the Commonwealth public sector. The ANAO has a unique role within the Commonwealth public sector. The ANAO does not have powers to undertake investigatory or anti corruption activities, but it does audit against public sector frameworks, including matters related to of probity, governance arrangements, risk, ethics, and fraud control arrangements to provide independent assurance to Parliament and to provide accountability over government activities.
• Later today, there will be a presentation and then a panel discussion on fraud and corruption in the Commonwealth public sector.
• Earlier in the year, the Commonwealth Fraud and Corruption Control Framework came into effect and it is designed to support entities to effectively manage the risks of fraud and corruption. The changes within the framework, which you will hear more about from Joanna, are a part of integrity reforms aimed at improving standards of integrity across the public sector and trust in government.
• It is important to remember that that entities shouldn’t simply add “and corruption” to their plans and risk assessments but implement the required changes and meaningfully engage with the risks of corruption.
• The ANAO has completed a series of audits in select Commonwealth agencies on fraud control arrangements, and as part of the panel discussion Michelle will speak to some of the findings from the series we completed in 2020 and more recently tabled audits this year.
• As my colleagues mentioned earlier, the ANAO and audit committees can serve complementary roles, and one area in particular is in promoting a culture of integrity. Audit Committees can play a role in examining an entities’ culture regarding probity, ethics, fraud and corruption. I encourage you to engage with the discussion this afternoon and think about the integrity culture within the entities which you serve as Audit Committee Chairs.
• Today, I will be speaking to you about key themes and emerging lessons from the ANAO’s audit program from across all aspects of our audit work: performance audit, performance statements audit, and financial statements audit.
• I will also speak about some of the ANAO’s recent publications and what we are doing to better communicate the findings of our audit work to the public sector and I will also touch on our engagement with the parliament.

Emerging lessons from ANAO’s audit program

Performance audit

• We are well underway on the 2024-25 Annual Audit Work Program – we have tabled 13 performance audits since the beginning of the financial year, and we are expecting to table a total of 48 performance audits this financial year.
• We have commenced the planning for next year’s Annual Audit Work Program and we expect to commence our broader consultation with entities and the Joint Committee of Public Accounts and Audit (JCPAA) in approximately March 2025.
• This year, we have also published two new information reports.

Performance Audit Outcomes Information Report

• First, in October 2024, we published the 2023-24 Performance Audit Outcomes Information Report. This is the first tabled report on this topic and follows a similar approach to a mid-term report that was produced by Grant Hehir in 2020 and published on our website. This most recent report analyses performance audit outcomes from 2019–20 to 2023–24 with a particular focus on 2023-24.
• The areas analysed in the report include: audit activity, audit objectives, and stage of delivery against portfolios and audit conclusions; entity responses to recommendations, including their implementation; and improvements made by entities during audits.
• Key themes and issues emerging from the performance audits we undertook in this period included planning and implementation, evaluation, procurement and contract management, and cyber security. Findings from these performance audits can provide indicators of areas of risk to integrity, probity and ethics, including where action may be necessary to avert systemic issues.
  • We tabled six performance audit reports in the Parliament that focused on compliance with selected public service legislative and policy requirements for credit cards and gifts, benefits and hospitality. We emphasised in these reports that it is critical that senior executives set the tone for the entity. Preventative and detective controls must be in place to ensure compliance with the respective whole-of-government frameworks, rules, policies and guidelines.
  • There were 36 performance audits of procurement and contract management conducted over the period from 2019–20 to 2023–24, with 53 per cent found to be either ‘not effective’ or ‘partly effective’. Key lessons include using appropriate expertise; being transparent in decision making; demonstrating value for money; acting ethically; and maintaining good records.
  • In the report we reviewed the lessons from our first management of cyber security incidents performance audit (tabled in June 2024). One of the emerging themes was that entities are expected to be ‘cyber exemplars’ as they process and store some of Australia’s most sensitive data to support the delivery of essential public services.
  • Low levels of cyber resilience make entities more susceptible to cyber-attack and reduce business continuity and recovery prospects following a cyber security incident. Preparedness to respond to and recover from a cyber-attack is a key part of cyber resilience.
• Finally, we made observations that all 45 performance audits tabled in the Parliament in 2023–24 show that getting the ‘basics right’ in terms of records management processes continues to be a challenge across the public sector as we identified record-keeping issues in all 45 reports.

COVID-19 – ANAO Audit Activity Information Report

• The other information report that we tabled consolidates the lessons from the 13 performance audits and reviews undertaken by the ANAO under our COVID-19 multi-year audit strategy. It includes a span of 12 entities across 10 portfolios with 41 recommendations made.
• The COVID-19 pandemic resulted in significant disruptions to people’s lives. As of 31 May 2024, Australia recorded 17,920 COVID-19 related deaths nationally. Worldwide, 7.05 million COVID-19 deaths were reported to the World Health Organization from 227 countries as of 30 June 2024.
• The COVID-19 pandemic led to an increase in government spending, as the Australian Government introduced measures to safeguard public health, protect critical infrastructure and support the economy through the global health crisis.
• According to the Australian Institute of Health and Welfare (AIHW), over the period 2019–20 to 2021–22, an estimated $47 billion was expended by the Australian Government in health-related COVID-19 activities.
• The COVID-19 pandemic also had an impact on the risk environment faced by the Australian public sector. From the onset of the COVID-19 pandemic in Australia, the Australian Public Service (APS) had to adapt within a short timeframe to a new operating environment and position itself to handle a surge in demand for government services. This included monitoring and reporting on the evolving situation around the country as well as globally; establishing arrangements to ensure business continuity while deploying staff on a large scale to support critical government functions; and rapidly designing and implementing a new suite of government policies announced during the COVID-19 pandemic. This evolving operating environment was taken into account in the ANAO’s audit work.
• The ANAO responded to the emerging sector-wide risks for public administration by developing a strategy for a program of audits examining the delivery of the Australian Government’s COVID-19 pandemic response (COVID-19 audit strategy) and as I mentioned earlier, this included 13 performance audits and reviews.
• The key themes and lessons that emerged from the audits:
  • emphasised the importance of everyday fundamentals such as establishing appropriate governance arrangements and proactively managing risks;
  • highlighted that systems and controls that were considered sufficient for business-as-usual were often not adequate to deal with the demands of rapid implementation during the COVID-19 pandemic, and necessitated a more disciplined approach to adapt to and manage changes to ensure effective program delivery;
  • emphasised the need for comprehensive and up-to-date crisis management frameworks; and
  • the importance of incorporating and actioning lessons learned from the experience. 
• The report also mentions the limited assurance reviews conducted by the ANAO over the Advances to the Finance Minister from April 2020 to October 2020. We examined a total advance of $1.974 billion issued in 2019–20 and $1.673 billion issued in 2020–21 to 30 October 2020. The Auditor-General issued unmodified conclusions for all seven assurance reviews.

Implementation of Parliamentary Committee and Auditor-General Recommendations

• I would also like to draw your attention to sector-wide observations that were made in the audit we tabled on 20 November 2024 on the Implementation of Parliamentary Committee and Auditor-General Recommendations – Indigenous Portfolio.
• You as Audit Committee Chairs, play an in important role in supporting the government to meet its responsibilities to the Parliament and this is an important element of public sector integrity.
• Parliamentary committee and Auditor-General recommendations seek to address risks identified through inquiries and audits. Audit committees are required to provide independent advice on entities’ systems of risk oversight and management and internal controls. Complete and regular reporting to audit and risk committees, including by providing evidence-based closure packs for completed parliamentary committee and Auditor-General recommendations, gives audit and risk committees visibility over how risks are being managed. This assists audit and risk committees to perform their functions.
• Some aspects you may wish to consider with recommendations addressed to your entity include:
  • For parliamentary committee recommendations, Australian Government entities can support government by: advising ministers on requirements and better practice for the form and timing of responses to parliamentary committee reports; and monitoring compliance with required timeframes; and
  • For parliamentary committee and Auditor-General recommendations, Australian Government entities can support accountability and integrity by: establishing fit-for-purpose and proportionate implementation planning for agreed recommendations; monitoring implementation; and closing recommendations on the basis of robust evidence that the intent of the recommendation has been met. 

Financial statements – end of year report

• Our 2023–24 financial statements audit end of year report is expected to be tabled in the next couple of weeks.
• This report highlights that while controls supporting financial reporting were generally sound there was room for improvement in relation to the robustness of IT controls, assurance over cloud computing arrangements, policies and reporting of official hospitality and artificial intelligence.
• For cyber security and IT controls, our reporting continues to draw attention to low levels of maturity in relation to IT controls, particularly related to IT security and the Protective Security Policy Framework. Entities and audit committees could consider what additional action is required to monitor and improve an entity’s control environment, particularly given the cyber threat environment.
• For our financial statements end of year report this year we look a closer look at official hospitality. We found that some entities did not have policies or procedures, most entities do not report to senior management on hospitality or have specific compliance measures in place. Entities with higher levels of exposure to the provision of official hospitality could consider implementing or enhancing compliance and reporting arrangements
• After first looking at it in last year’s end of year report, we again took a look at the adoption of artificial intelligence (AI) by entities. Adoption has increased – there are now 62 agencies deploying this emerging technology. Around half of these entities had established AI policies and procedures, with around 20 per cent specifying whether any additional assurance mechanisms were required. The Digital Transformation Agency has recently released the policy for the responsible use of AI in government, which establishes requirements for accountability and transparency on the use of AI within non-corporate entities. If you haven’t had a chance to look at this yet, I would recommend you add it to your Christmas reading list.
• In relation to audit committees, we observed that audit committee member rotation could be more closely considered – most entities rotated members, but this was not formalised in policy or the audit committee charter. A policy should balance the need for continuity and experience against the need for objectivity of membership.
• We also identify in the report that fifty-three per cent of legislative breaches identified by the ANAO in 2023–24 relate to incorrect payments of remuneration to key management personnel (KMP) and/or non-compliance with determinations made by the Remuneration Tribunal. It is important that entities have a robust framework in place to govern payments made to KMP to ensure that payments are consistent with policy or legal requirements. There is an ANAO Insights product on Executive Remuneration that has further information that may assist.
• A final area I will touch on from this report is cloud computing. We identified that most entities have now adopted cloud computing arrangements in their IT environment. While services may be outsourced, the ISM and PSPF indicate that mitigating risks and oversight of effectiveness of controls remain in the purview of the entity. We found that about a quarter of entities were in the practice of receiving Service Organisation Control certificates (commonly called SOC certificates) for all cloud services, and most entities did not have a policy to review or obtain these certificates. SOC certificates can provide assurance over the operating effectiveness of IT controls at a cloud provider and there are opportunities for entities to further consider their use in managing cloud providers. 

Performance statements audit work

• The 2024–25 reporting period marks the tenth year of the requirement for the Accountable Authority of a Commonwealth entity to prepare annual performance statements. The ANAO has audited the implementation of this requirement initially through a series of performance audits (2016 2018), then a pilot program of three entities (2020–2021) and now the performance statements audit program.
• In 2024, the ANAO completed the audits of 14 entities’ performance statements. As in previous years, these audits further tested the ANAO’s performance statements audit methodology. Entities have generally engaged well with the audit process with first year auditees better prepared for the audit than in previous years.
• The ANAO’s audit of performance statements has seen improvement in the quality of entities’ performance statements. Entities that have been in the program in prior years are most mature in their performance planning and reporting processes.
• An area of ongoing challenge for entities is to devise and to implement an entity-wide performance framework. This framework will assist entities to structure their performance information—purposes, key activities and performance measures—and determine how this structure should change over time.
• The ANAO continues to build its program of work in auditing performance statements with 21 entities audited in 2024–25 and we will continue to refine our performance statements audit approach and relationship with audited entities.

Public sector engagement

• As we have previously mentioned, the ANAO has sought to improve the way it communicates with public sector entities and provide greater insights into our work.
• We have developed a new quarterly ANAO newsletter - Audit Matters. The purpose of Audit Matters is to inform those like yourselves of updates on the ANAO’s work and provide insights on what we are seeing in the Australian Government sector.
• The inaugural edition of Audit Matters was published on the ANAO website and distributed on 2 September 2024. This edition provided a summary of recent ANAO audit work, including on integrity, probity and ethics; grants administration; and performance measurement and reporting.
• Audit Matters also contains useful information for entities about audit readiness and what to expect from an audit.
• For example, one thing worth considering when you read audit topics in the Annual Audit Work Program is how your entity would prepare for an audit in that topic area. A good ‘readiness’ exercise might be for audit committees to ask questions about record keeping, governance documentation and practices, and the completeness and security of entity data. You might also want to look at the sorts of criteria we use in audits to help you think about how programs or activities in the entity ‘stack up’ to audit criteria in similar areas.
• Reading a recent audit report on a topic relevant to your entity’s area of public administration might be a good idea, along with asking the entity’s staff: ‘could that happen here?’ and ‘how do we know how we are going?’.
• The next edition is scheduled for December 2024. If would like to subscribe please visit the ANAO website or get in touch with us after today’s forum.
• You can also find our other ‘Insights’ (including audit lessons, audit opinion, and audit practice) publications on the ANAO website.
• On 29 October, we published a new Audit Lessons on ‘Gifts, Benefits and Hospitality’. As you may be aware, the ANAO has recently conducted audits of compliance with gifts, benefits and hospitality requirements within selected Commonwealth entities.
• The ANAO found that 95% entities had gifts and benefits registers on their websites, 64% of entities were up to date with quarterly reporting requirements, and that 3% of entities required all gifts to be declared. Other entities had various thresholds before gifts were required to be declared (10% of entities did not define a threshold 86% stipulated a threshold of $100 and 1% of entities had a $50 threshold).
• This Audit Lessons publication provides seven lessons aimed at improving Australian Government entities’ compliance with gifts, benefits and hospitality requirements, including establishing guiding principles and preventative and detective controls, developing clear internal policies, reporting all gifts and benefits, and the accurate valuation of gifts to increase transparency. You can read about these lessons in more detail on the ANAO’s website.
• On 6 November 2024, we released an Insights Practice product called ‘Performance Audit Process’. This edition of Practice aims to provide entities with information about how the ANAO plans for and conducts its performance audit activities.
• It describes the planning processes as part of developing the AAWP, and the stages of an audit an entity can expect to occur during an audit. I encourage you all to read this piece to help build you understanding of our audit activity.   

Parliamentary engagement

• Moving now to recent work of the Parliament, and in particular, the Joint Committee of Public Accounts and Audit (JCPAA).
• The JCPAA has commenced an inquiry into the use and governance of artificial intelligence systems by public sector entities and the Committee will specifically examine the adoption and use of AI systems and processes by public sector entities to conduct certain functions, including the delivery of services.
• The use of AI systems has been at the forefront of the public sector in recent years and we are experiencing an increase in the use of automated technologies to deliver public services. There are various frameworks that the Australian Government has introduced regarding the governance and assurance requirements.
• The ANAO has made a submission to this inquiry. As technologies, including AI, continue to evolve there will be a need for entities to consider the scale and focus of governance, controls and assurance mechanisms to ensure that risks are appropriately mitigated.
• The ANAO has begun research activities into what audit methodology, audit tool changes and skills may be required to support audit work in this area. For the ANAO, there is an opportunity to explore how automation can improve the audit process. While audit standards require human judgement, decision-making and scepticism, the ANAO has identified audit processes that can be automated. The ANAO has developed tools to achieve this, with oversight by the ANAO’s Quality Committee, to ensure adherence to the ANAO auditing standards and our audit methodology.
• The ANAO’s previous reporting on the adoption of emerging technologies by entities has drawn attention to the opportunities for improvement and innovation that can be harnessed by entities, as well as the potential for increased risk and unintended consequences. Risks that could be faced by entities include a lack of transparency in decision making or processing, bias and discrimination, security and privacy concerns, legal and regulatory challenges, misinformation, manipulation and unintended consequences.
• Rapid developments and the evolving nature of emerging technologies, including AI, could further heighten these risks. These rapid changes and risks highlight the importance on the control frameworks required to ensure that there are appropriate governance, minimum standards, or requirements for auditability or traceability, on the process and output of or decisions made through AI.
• Within the ANAO, work is underway to govern the use of emerging technology within our business, recognising that information collected for audit purposes is the subject of strict confidentiality provisions in the Auditor General Act 1997. We will continue to monitor the use of emerging technologies through our audit work.
• In February 2024, we commenced a performance audit relating to the Australian Taxation Office’s adoption of Artificial Intelligence. The objective of this audit is to assess whether the ATO has effective arrangements in place to support the adoption of AI. The audit is scheduled to be tabled in the Parliament in early 2025.
• Other inquiries, such as the inquiry into contract management frameworks operated by Commonwealth entities and the inquiry into the administration of Commonwealth regulations are ongoing. I encourage you to watch the progress of all of these inquiries and read the final reports when the inquiries are concluded. The reports of JCPAA often have implications and recommendations that are relevant and applicable across all public sector entities. 

Closing comment

• That is everything I wanted to cover off today from the ANAO’s audit program.
• Thank you again for your attention.

Subscribe to this event to receive updates.