Services Australia delivers payments and services to and on behalf of 34 Australian Government entities. These services are underpinned by bilateral agreements between Services Australia and each entity. Only four of the 13 bilateral agreement documents reviewed by the ANAO for three entities contained all 11 elements expected in a bilateral agreement with the main exceptions in risk management, performance measures, and roles and responsibilities. The entities had effective management and oversight of bilateral arrangements through governance committees, and some risk management plans linked to broader departmental processes. Issues escalation/dispute resolution processes and practices were in place for the bilateral arrangements, with varying levels of effectiveness across the four entities.

Examples of better practice were evident in the Services Australia and Department of Agriculture, Water and the Environment bilateral agreement, including the issues escalation process and definitions of roles and responsibilities. For the latter, the relevant sections provide clear explanations of each entities’ responsibilities so that both parties have a shared understanding of their respective responsibilities within the bilateral relationship.

(Report reference: grey box before paragraph 3.2 and paragraph 3.6.)

The Commonwealth Director of Public Prosecutions (CDPP) operations are primarily funded through parliamentary appropriations. The CDPP also receives revenue through transfers of appropriations from other entities to cover the cost of prosecutions for offences under specific legislation (revenue recognised under ‘tied funding’ arrangements). These activities were governed by six memoranda of understanding (MOUs) with Commonwealth investigative agencies.

Clarity around practices through MOUs — for example, authority for some agencies to conduct some summary prosecutions themselves — is aimed at minimising duplication of effort and resources. Some recent MOUs for tied funding – for example, the MOU signed with the Department of Home Affairs in May 2019 – made no provision for timeliness.

This audit highlighted the importance of MOUs referencing specific timeliness targets.

(Report reference: paragraphs 2.14, 2.25 and 2.26.)

Well-established processes support the coordination between Services Australia’s assessment of job seekers and the Department of Social Services’ (DSS) management of Disability Employment Services (DES).

The Department of Education, Skills and Employment (DESE) provides IT systems to support DES agreement management and several other services. These services were governed through agreements and active inter-departmental committees. The audit highlighted the importance of DSS obtaining assurance from DESE that IT security controls are in place over systems and data, and that these are being monitored. The Systems MoU should specify requirements for DESE to provide reporting on relevant IT controls, to assure the security of DES participant data.

(Report reference: grey box before paragraph 3.65 and paragraph 3.72.)

The Department of Social Services (DSS) developed the Humanitarian Settlement Program (HSP) IT system (HSP system) to facilitate client referrals, travel, and service management (including claims submitted by providers and tracking of client outcomes). Home Affairs had signed a memorandum of understanding with DSS which included responsibilities for managing the HSP system.

The audit highlighted risks with manual data exchange between the entities and the requirement for DSS and Home Affairs to resolve data exchange issues, including DSS establishing protocols for actioning errors in processing the data, and Home Affairs liaising with providers to investigate missing or incorrect data in the system.

(Report reference: paragraphs 2.64, 2.85, 2.86 and 2.91.)

Bilateral agreements were the primary vehicle used between Services Australia and other entities for mitigating the risks where the two entities had different risk tolerances and organisational priorities, and consequently the responses to managing the risks are quite different. The purpose of bilateral agreements was to set out the basis for service delivery expectations and establish clear deliverables. This audit highlighted the importance of including provisions in the bilateral agreement committing to the development and implementation of risk management plans for all parties to the agreement.

An example of an appropriate risk planning section found in one of the services schedules was the parties agreeing to cooperatively communicate and manage any identified risks and to discuss in good faith the requirements (including key resources, activities, deliverables and timeframes) for the conduct of risk assessment, privacy impact statements, fraud assessments and other assessments.

Agreement service schedules should also include more detailed sections on how the entities will work together to address and mitigate risks.

(Report reference: paragraphs 1.9, 1.11, 2.29 and 2.30.)

The My Health Record is an example of a program with shared risks between different Commonwealth agencies and also jurisdictions and the wider community, including the healthcare sector, clinical software vendors, and consumers.

The Australian Digital Health Agency’s (ADHA’s) approach to managing shared risks with government entities included involving those entities in My Health Record governance committees and identifying some shared risks in risk registers.

ADHA could have further clarified the specific roles and responsibilities of other government entities in managing shared risks by explicitly indicating which risks are shared, with which entities, and who in other entities is responsible for controls implementation.

(Report reference: key learning, paragraphs 3.9 to 3.14.)

The interwoven responsibilities across bushfire recovery and rebuild measures resulted in risks affecting more than one entity and required joint management strategies between relevant entities. The National Bushfire Recovery Agency (NBRA) defined ‘shared risk’ as ‘Commonwealth funding is not adequately administered, meaningfully used or transparent’. The NBRA was mapping shared risks to assist in targeting assurance around fraud, payment mechanisms and existing capabilities/assurance of partner agencies. A workshop was held on shared risk where members discussed:

• the roles of the NBRA and Commonwealth partner agencies on joint accountability for shared risks;
• shared risk themes;
• the identification of shared risks: unmet needs; misuse and waste; oversight gaps; unclear impacts; and capacity constraints; and
• a typical approach to a shared risk and assurance plan.

The next step identified was to develop a Shared Risk and Assurance Plan with further consultation to occur with partner agencies.

(Report reference: paragraphs 3.10, 3.11 and 3.12.)

The ATO’s compliance arrangements reflect its assessment that risks to revenue are relatively low, and its approach of managing risks at the sector level (for example, small business risks). However, the compliance arrangements and risk assessment processes have not fully captured key elements of the Scheme’s design. As the policy owner of the Scheme, Agriculture should work with the ATO to be satisfied that risk assessment and compliance processes are appropriate.

Where multiple entities are involved in administering a program, the lead policy entity should ensure that program delivery arrangements, including compliance activities, are informed by an assessment of risks and benefits undertaken on a ‘whole-of-government’ basis.

(Report reference: paragraph 11 and Key learnings for all Australian Government entities.)

The audit highlighted the importance of effective performance monitoring and reporting arrangements. Services Australia’s Bilateral Agreement Framework outlines five criteria required for performance measures: specific (unambiguous and singular); measurable (quantitative or qualitative and auditable); affordable (achievable and funded); relevant (relevance and aligned strategically); and time-based (timeliness and regular review).

Where monthly reports are provided in accordance with the service schedule, the purchaser/policy entity should independently verify the accuracy of the performance reports to be able to assure itself that the program is being delivered appropriately. Assurance and analysis of Service Australia’s performance by its partner agencies would provide the partner agencies with confidence in the information provided.

(Report reference: paragraphs 13, 15, 2.34, 3.74–3.78, 3.79–3.94 and 3.95–3.104.)

A standard for brief assessment (targeting 85 per cent within 90 days service) was strongly emphasised by the CDPP in internal communications. The audit highlighted that the service standard’s contribution to ongoing improvement in timeliness relied on several factors, including the service standard being formalised in memoranda of understanding with agencies.

(Report reference: paragraph 4.34)

The projected benefits realisation period for My Health Record is ten years. ADHA developed a benefits realisation plan in 2017 which defined success for the opt-out model of the My Health Record system. Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data. The plan stated that intermediate output measures would be tracked using My Health Record system data analytics. The plan also stated that additional bespoke research and statistical analyses would be necessary to measure the longer-term (‘end’) benefits.

This audit highlighted that, where the intended benefits of a program are projected to be realised over a relatively long period, entities should not only describe what the intended benefits are and how they could be measured, but also make clear delivery plans showing how and when the benefits will be measured, evaluated and reported.

(Report reference: paragraphs 4.17, 4.18, 4.21 and 4.28, and key learnings (performance and impact measurement.))