Introduction

Governance boards

1.1 The governing board of a corporate Commonwealth entity is the accountable authority for the entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act)¹¹, with responsibility for ‘leading, governing and setting the strategic direction’ for the entity.¹²

1.2 Around 60 corporate Commonwealth entities subject to the PGPA Act have governing boards, comprising a total of approximately 510 board positions.¹³ Corporate Commonwealth entities with governance boards vary significantly by function, and governance boards may also vary in their composition, operating arrangements, independence and subject-matter focus, depending on the specific requirements of their enabling legislation and other applicable laws.

Boards and corporate governance

Duties and roles

1.3 Sections 15 to 19 of the PGPA Act impose duties on accountable authorities in relation to governing the corporate Commonwealth entity for which they are responsible (see Box 1).¹⁴ As the accountable authority, members of Commonwealth governing boards are also officials under the PGPA Act and subject to the general duties of officials in sections 25 to 29 of the Act (see Box 1).¹⁵ Guidance issued to accountable authorities by the Department of Finance (Finance) observes that ‘each of these duties is as important as the others’.¹⁶

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities) - RMG 200, Summary: Governing your entity [Internet].

1.4 Boards play a key role in the effective governance of an entity. Corporate governance is generally considered to involve two dimensions, which are the responsibility of the governing board:

Performance—monitoring the performance of the organisation and CEO. This also includes strategy—setting organisational goals and developing strategies for achieving them, and being responsive to changing environmental demands, including the prediction and management of risk. The objective is to enhance organisational performance;

Conformance—compliance with legal requirements and corporate governance and industry standards, and accountability to relevant stakeholders.

… it is important to understand that governing is not the same as managing. Broadly, governance involves the systems and processes in place that shape, enable and oversee management of an organisation. Management is concerned with doing – with co-ordinating and managing the day-to-day operations of the business.¹⁷

1.5 The relationship between effective corporate governance and organisational performance is summarised in Box 2.

Culture and governance

1.6 The interplay of the ‘hard’ and ‘soft’ attributes of governance — and the criticality of board and organisational culture to an entity’s performance, values and conduct — have been central themes in notable Australian inquiries into organisational misconduct. These have included the 2003 Royal Commission into the failure of HIH Insurance²⁰, the 2018 APRA Prudential Inquiry into the Commonwealth Bank of Australia²¹ and the 2019 Royal Commission into the financial services industry.²² While the specific focus of these inquiries was on financial institutions, their key insights on culture and governance have wider applicability and provide lessons for all accountable authorities, including governance boards. Many Auditor-General reports have made findings consistent with those appearing in these inquiries.²³

2003 HIH Royal Commission

1.7 The HIH Royal Commissioner defined corporate governance as the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled in corporations — embracing not only the models or systems themselves but also the practices by which that exercise and control of authority is in fact effected. Justice Owen observed by way of introduction that:

A cause for serious concern arises from the [HIH] group’s corporate culture. By ‘corporate culture’ I mean the charism[a] or personality—sometimes overt but often unstated—that guides the decision-making process at all levels of an organisation …

The problematic aspects of the corporate culture of HIH—which led directly to the poor decision making—can be summarised succinctly. There was blind faith in a leadership that was ill-equipped for the task. There was insufficient ability and independence of mind in and associated with the organisation to see what had to be done and what had to be stopped or avoided. Risks were not properly identified and managed. Unpleasant information was hidden, filtered or sanitised. And there was a lack of sceptical questioning and analysis when and where it mattered.

At board level, there was little, if any, analysis of the future strategy of the company. Indeed, the company’s strategy was not documented and it is quite apparent to me that a member of the board would have had difficulty identifying any grand design …

… A board that does not understand the strategy may not appreciate the risks. And if it does not appreciate the risks it will probably not ask the right questions to ensure that the strategy is properly executed. This occurred in the governance of HIH. Sometimes questions simply were not posed; on other occasions the right questions were asked but the assessment of the responses was flawed.

1.8 More specifically, Justice Owen reported in chapter 6 of the report — which was dedicated to corporate governance — on key aspects of board operations and the importance of:

• clearly defined and recorded policies or guidelines;
• clearly defined limits on the authority of management, including in relation to staff emoluments;
• independent critical analysis by the board;
• recognition and resolution of conflicts of interest;
• dealing with governance concerns;
• maintaining control of the board agenda; and
• providing relevant information to the board.

2018 APRA Prudential Inquiry

1.9 The APRA Prudential Inquiry also dedicated substantial sections of its report to culture and governance. The review panel observed that:

Culture can be thought of as a system of shared values and norms that shape behaviours and mindsets within an institution. Once established, the culture can be difficult to shift. Desired cultural norms require constant reinforcement, both in words and in deeds. Statements of values are important in setting expectations but their impact is sotto voce. How an institution encourages and rewards its staff, for instance, can speak more loudly in reflecting the attitudes and behaviours that it truly values.²⁴

1.10 The Prudential Inquiry associated weaknesses in board oversight and organisational culture with:

• insufficient rigour and urgency by the Board and its Committees around holding management to account in ensuring that risks were mitigated and issues closed in a timely manner;
• gaps in reporting and metrics hampered the effectiveness of the Board and its Committees; and
• a heavy reliance on the authority of key individuals that weakened the Committee construct and the benefits that it provides.²⁵

2019 Hayne Royal Commission

1.11 The Hayne Royal Commission similarly incorporated a substantial chapter on culture, governance and remuneration in the final report. Commissioner Hayne reported that the evidence before the Commission showed that:

too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.

Boards cannot operate properly without having the right information. And boards do not operate effectively if they do not challenge management.²⁶

1.12 The Commissioner challenged governance boards to actively discharge their core functions, including the strategic oversight of non-financial risks such as compliance risk, conduct risk and regulatory risk:

Every entity must ask the questions provoked by the Prudential Inquiry into CBA:

• Is there adequate oversight and challenge by the board and its gatekeeper committees of emerging non-financial risks?
• Is it clear who is accountable for risks and how they are to be held accountable?
• Are issues, incidents and risks identified quickly, referred up the management chain, and then managed and resolved urgently? Or is bureaucracy getting in the way?
• Is enough attention being given to compliance? Is it working in practice? Or is it just ‘box-ticking’?
• Do compensation, incentive or remuneration practices recognise and penalise poor conduct? How does the remuneration framework apply when there are poor risk outcomes or there are poor customer outcomes? Do senior managers and above feel the sting?²⁷

1.13 Key observations made in the Hayne Royal Commission on governance boards’ use of information, and the link between culture, governance and remuneration, are summarised in Box 3.

Assessment of culture and governance by boards

1.14 Recommendation 5.6 of the Hayne Royal Commission — titled ‘changing culture and governance’ — was that entities should, as often as reasonably possible, take proper steps to: assess the entity’s culture and its governance; identify any problems with that culture and governance; deal with those problems; and determine whether the changes it has made have been effective.

1.15 Underlining the criticality of organisational culture to entity performance, values and conduct, the Royal Commissioner emphasised that this recommendation, ‘although it is expressed generally, can and should be seen as both reflecting and building upon all the other recommendations that I make.’³⁴

1.16 In a similar vein, the HIH Royal Commission had warned in 2003 of the dangers of a ‘tick the box’ mentality towards corporate governance, and the benefits of periodic review by boards of corporate governance practices to ensure their suitability.

The Public Governance, Performance and Accountability Act 2013 (PGPA Act)

1.17 The objects of the PGPA Act include: to establish a coherent system of governance and accountability across Commonwealth entities; and to require the Commonwealth and Commonwealth entities to meet high standards of governance, performance and accountability.³⁵

1.18 As discussed in paragraph 1.3 of this audit report, the PGPA Act includes both general duties of accountable authorities and general duties of officials. It also establishes obligations relating to the proper use of public resources (that is, the efficient, effective, ethical and economical use of resources).³⁶ In so doing, the PGPA Act establishes clear cultural expectations for all Commonwealth accountable authorities and officials in respect to resource management. Finance, which supports the Finance Minister in the administration of the PGPA Act framework, has also issued a range of guidance documents on the technical aspects of resource management under the framework.

1.19 Finance issued a Resource Management Guide (RMG 200) in December 2016 to assist accountable authorities³⁷, which is principally a factual and procedural guide with a focus on legal compliance. There is no equivalent in the Commonwealth public sector of resources built up over time — such as the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations³⁸ and Australian Institute of Company Directors resources — to support public sector governance boards. In consequence, public sector accountable authorities would need to rely on a combination of personal experience and other resources to supplement the guidance released by Finance. As discussed, the recent APRA Prudential Inquiry and Hayne Royal Commission have again highlighted the criticality of effective board governance, corporate culture and the interplay of the ‘hard’ and ‘soft’ attributes of governance, and there would be merit in Finance issuing guidance which has regard to the key insights and messages of those inquiries directed to accountable authorities.

Recommendation

1.20 The first report in this series of board governance audits, Auditor-General Report No.34 of 2018–19 Effectiveness of Board Governance at Old Parliament House, includes a recommendation directed to the Department of Finance to update its guidance to accountable authorities having regard to the key insights and messages for accountable authorities identified in the recent inquiries and reviews referenced above. Finance agreed to the recommendation.

Rationale for undertaking the audit

1.21 This topic was selected for audit as part of the ANAO’s multi-year audit program that examines aspects of the implementation of the PGPA Act. This audit provides an opportunity for the ANAO to review whether boards have established effective arrangements to comply with selected legislative and policy requirements and adopted practices that support effective governance. The audit also contributes to the identification of practices that support effective governance that could be applied in other entities. This audit is one of a series of governance audits that apply a standard methodology to the governance of individual boards.

1.22 The four entities included in the ANAO’s 2018–19 board governance audit series are:

• Old Parliament House;
• the Special Broadcasting Service;
• the Australian Institute of Marine Science; and
• the Sydney Harbour Federation Trust.

Sydney Harbour Federation Trust (SHFT)

1.23 SHFT was established in September 2001 as a corporate Commonwealth entity under the Sydney Harbour Trust Act 2001 (SHFT Act) to conserve and preserve land in the Sydney Harbour region for the benefit of present and future generations of Australians.³⁹ This includes land at Chowder Bay, Cockatoo Island, Georges Heights, Macquarie Lightstation, Marine Biological Station, Middle Head, North Head, Sub Base Platypus, and Woolwich. The Parliament established the Trust as a transitional body to manage the land and facilitate its return in good order. The SHFT Act requires that as soon as practicable after the end of 19 September 2033, the Minister must, by notice published in the Gazette, specify a day on which the Act is to be repealed.⁴⁰ At this time the Trust will transfer suitable land to New South Wales for inclusion in the national parks and reserves system.⁴¹

1.24 SHFT is governed by a Board of Trustees⁴² appointed by the Minister for the Environment and Energy. Under the SHFT Act membership of the board consists of a Chair and seven other members. At the time of audit fieldwork there were seven members, including the Chair. Under the SHFT Act the board has power to do all things necessary or convenient to be done for, or in connection with, the performance of its functions. The Executive Director is to manage the affairs of the SHFT subject to the directions of, and in accordance with policies determined by, the board.

1.25 SHFT had 72 staff and 250 volunteers at the end of 2017–18⁴³ and generates approximately $19 million in own source revenue. SHFT does not receive operational funding from the government, however it occasionally receives capital funding.

Audit approach

Audit objective, criteria and scope

1.26 The objective of the audit was to assess the effectiveness of the governance board in the Sydney Harbour Federation Trust.

1.27 To form a conclusion against the audit objective the following high level criteria were adopted:

• the board’s governance and administrative arrangements are consistent with relevant legislative requirements and the board has structured its own operations in a manner that supports effective governance; and
• the board has established fit-for-purpose arrangements to oversight compliance with key legislative and other requirements.

1.28 The audit examined the period July 2016 until March 2019.

1.29 Guidance to boards issued by the Department of Finance was reviewed by the ANAO having regard to the report of the 2019 Hayne Royal Commission⁴⁴, which was released in the course of this audit, and other key reviews of board governance.⁴⁵

Audit methodology

1.30 In undertaking the audit the ANAO:

• reviewed board and audit committee papers and minutes from July 2016 to December 2018;
• reviewed a range of relevant documentation including entity corporate plans, strategy documents, board and audit committee charters, risk registers, and conflict of interest declarations;
• interviewed current and former board members;
• attended two board meetings (June and September 2018) and one audit committee meeting (September 2018) as an observer; and
• reviewed relevant guidance and reviews on board governance.

1.31 The audit was conducted in accordance with the ANAO Audit Standards at a cost to the ANAO of approximately $203,000. The team members for this audit were Grace Guilfoyle, Kelly Williamson, Shane Armstrong and Michelle Page.

Are the board’s governance and administrative arrangements consistent with relevant legislative requirements and has the board structured its own operations in a manner that supports effective governance?

2.1 SHFT was established as a statutory body by its enabling legislation, the Sydney Harbour Trust Act 2001 (SHFT Act). Prior to this, it existed as an interim body. The ANAO examined whether:

• the board’s governance and administrative arrangements are consistent with the enabling legislation; and
• the board had structured its own operations in a manner that supports effective governance.

2.2 The results of the ANAO’s assessment against each of these requirements and any suggestions for improvement are outlined below.

Consistency of governance and administrative arrangements with the SHFT Act

Membership and appointment of board members

2.3 The SHFT Act outlines the requirements for board membership, with the Minister responsible for appointments. The Act requires the appointment of:

• a Chair; and
• seven other members.

2.4 Two board positions are to be held by persons recommended by the Government of New South Wales (NSW). In addition, one of the board members must, in the Minister’s opinion, represent the interests of Indigenous people, and another must be an elected member of an affected local government council. Appointments are to be for a period not exceeding three years.

2.5 During the period under review (July 2016 to March 2019), the number of members on the board varied from five to eight. The terms of two board members (the previous Chair and another member) expired during this time. The member was reappointed and a new Chair was appointed. The new Chair had previously been a member on the board. In addition, two new appointments were made. One of the new appointments resigned prior to attending any board meetings. Appointment of the current board members was made by the Minister, for the three-year term allowed for in the legislation. There were two NSW appointments, one Indigenous representative, and one local government representative in accordance with the requirements.

2.6 Other than the Chair, board members were not directly involved in developing the skill requirements for board vacancies, although they were aware of communication between the Chair and the Minister on this issue. The ANAO was advised that in respect to oversight of the appointments process, candidates are generally identified through initial informal discussions between the portfolio department⁴⁶, the Chair of the SHFT board, the Executive Director of SHFT and the Minister’s Office. The department completed a skills analysis of board members to identify gaps for the new appointments in April 2018, and there is no evidence that the board was consulted. The department then wrote to the Minister recommending candidates. Following the Minister’s agreement, the Minister wrote to the Prime Minister seeking agreement to present the nominees for Cabinet consideration. Records indicate that appointments to the board are deemed significant and require Cabinet approval.

Opportunities for improvement

2.7 There is an opportunity for the board to have more active engagement with the department and the Minister in relation to the skill requirements for future board appointments.

Acting arrangements for the board Chair

2.8 The SHFT Act requires that the board members present appoint a Commonwealth member to preside if the Chair is not present, or that the Minister appoint a member to act as Chair during a vacancy. There were four occasions when the Deputy Chair was acting Chair during the period reviewed by the ANAO. This is authorised in the Deputy Chair’s instrument of appointment provided by the Minister and fulfils the requirements of the SHFT Act. The board charter does not provide information on acting or Deputy Chair arrangements.

Opportunities for improvement

2.9 There is an opportunity for the SHFT board to enhance its board charter by including requirements relating to acting and Deputy Chair arrangements.

Meeting requirements, quorum, presiding at meetings and voting

2.10 The SHFT Act states that the board is to hold such meetings as are necessary for the efficient performance of its functions, with at least four meetings to be held each year, including two meetings that are open to the public. During the period reviewed by the ANAO the board met more frequently than these minimum requirements. In both 2016–17 and 2017–18 the board had at least four standard private meetings and additional meetings in relation to specific issues, such as the approval of management plans, consideration of leasing matters and SHFT’s financial statements.

2.11 In relation to board meetings, the SHFT Act specifies that a majority of the members holding office constitutes a quorum. The ANAO reviewed board minutes from July 2016 to December 2018 and a quorum was obtained at each board meeting.

2.12 The SHFT Act specifies that a question is decided by a majority of the votes of the members present and voting, and that the person presiding at a meeting has a deliberative vote and, if necessary, also a casting vote. SHFT advised the ANAO that all matters were resolved through consensus during the period examined by the audit.

2.13 The SHFT Act requires that the name of each person who moves or seconds a motion be recorded in the minutes, and that minutes must be made publicly available. These requirements have been met during the period reviewed by the ANAO, and the minutes are available on the SHFT website. The ANAO’s review of minutes of board meetings held from July 2016 until December 2018 found that minutes clearly indicate board actions.

Notice of meetings

2.14 Under the SHFT Act, members are entitled to receive 24 hours notice of urgent meetings, seven days notice of other meetings, and the public are entitled to receive seven days notice of public meetings. For the last two financial years there have been no urgent meetings. Notices of public meetings have been posted on the SHFT website with at least seven days notice. SHFT board meeting dates are arranged with board members using an online mechanism.

Decisions without meetings

2.15 The SHFT Act allows for resolutions without meetings where a majority that would have constituted a quorum at a board meeting indicate agreement with the resolution under the method determined by the board. The ANAO identified two instances of decisions without meetings, both of which met the legislative requirements. This was done through an emailed request to board members to approve documents via a circular resolution.

2.16 SHFT advised that board members communicate on board business through a variety of channels including private email. Board members and the entity should be cognisant of the need to ensure that information relating to the entity is handled and maintained in accordance with applicable Commonwealth information security and record keeping requirements. These requirements apply to communication channels such as emails, which are official records.

Appointment and responsibilities of the Executive Director

2.17 The SHFT Act specifies that there is to be an Executive Director, appointed by the Minister on the recommendation of the board, who is not a member of the board. A new Executive Director was appointed in April 2017. The portfolio department facilitated the search for an Executive Director, with the panel comprising the SHFT board Chair, a board member, and a person with no involvement with the board. A recommendation from the panel was provided to the Minister, who in turn provided a recommendation to the Prime Minister.

2.18 The SHFT Act further states that the Executive Director is to manage the affairs of SHFT, subject to the directions of, and in accordance with policies determined by, the board. There are no other requirements relating to Executive Director duties in the Act. The board has delegated powers and functions to the Executive Director, including through an Instrument of Financial Delegations. As discussed in Table 3.2, the Executive Director provided the board with a signed declaration confirming that delegations have been properly exercised every six months, with one exception. The declaration does not include details of the basis of assurance, for example, what controls are in place and how they are tested.

Outside employment

2.19 The SHFT Act states that the Executive Director must not engage in paid employment outside the duties of his or her office except with the approval of the board. SHFT advised the ANAO that the Executive Director has not engaged in any paid outside employment. As discussed further in Table 3.1, declarations of interest is a standing agenda item at board meetings.

Board operations

2.20 Paragraphs 1.3 to 1.16 of this audit report outlined key insights on corporate governance and board operations, including in recent reviews and inquiries. Key themes include the need for:

• recognition and management of conflicts of interest;
• board members to question and challenge management;
• risk to be properly identified, considered and managed;
• boards to consider future strategy and key policies including remuneration policy;
• boards to periodically assess corporate governance and organisational culture; and
• appropriate oversight of compliance.

2.21 The ANAO attended two board meetings at SHFT (June and September 2018) and one Portfolio Audit Committee (PAC) meeting (September 2018). In those meetings, and through the review of board and audit committee papers and minutes, and interviews and interactions with board members, the ANAO observed board members collectively displaying a range of qualities and behaviours that indicated the existence of a positive governance culture at board level. These included:

• an openness to declaring conflicts of interest;
• a willingness to challenge management, engage in robust debate, explore various options and seek further clarification as needed;
• an ability to conduct meetings in a professional, collegiate and respectful manner;
• an understanding of their obligations as the accountable authority and the challenges facing the entity;
• a desire and commitment to act in the best interests of the entity; and
• a willingness to undertake sufficient preparation to enable meetings to be conducted in a productive manner.

2.22 At board meetings the ANAO observed discussion, consistent with SHFT’s functions, related to the use of SHFT land and community consultation. Board meetings included various standing agenda items, including an Executive Director’s report and matters relating to governance, risk and compliance; work health and safety; finance; leasing and property; internal controls; and performance.

2.23 As discussed in Table 3.3, SHFT has a community advisory committee, which is expected to meet quarterly, and the board, as required under the SHFT Act, conducts two board meetings each year that are open to the public. The board receives community advisory committee updates at each board meeting.

2.24 The remainder of this section examines specific aspects of the board’s governance and administrative arrangements.

Does the board have a charter?

2.25 A board charter is a written document that sets out such things as:

• the functions, powers, and membership of the board;
• role, responsibilities and expectations of members, both individually and collectively, and of management⁴⁷;
• role and responsibilities of the Chair⁴⁸;
• procedures for the conduct of meetings⁴⁹; and
• policies on board performance review.

2.26 A charter can provide a single reference point that clearly sets out the functions, powers and membership of the board, as well as roles, responsibilities and accountabilities, consistent with relevant legislative requirements. Board charters can also articulate the desired culture of the board and address the ‘soft attributes’ of governance discussed in chapter 1 of this audit report relating to board culture and behaviours, which are critical to good governance.⁵⁰ The Australian Institute of Company Directors has indicated that:

In most organisations the governance framework is determined by the legislation that it has been created under…However, there are many aspects of modern governance which the board must consider and act upon that lie outside legal requirements. The board charter is one way of documenting these matters.⁵¹

2.27 SHFT has a board charter that details the objects, functions and powers of SHFT and the responsibilities of the board, in accordance with the SHFT Act. The charter outlines the SHFT board’s relationship with government, as well as responsibilities and accountabilities to the Minister, entity and Executive Director. The charter also contains behavioural expectations for board members via a code of conduct, which includes general obligations as well as confidentiality, conflict of interest, and gifts, benefits and hospitality requirements. The charter contains a provision for sanctions to be imposed where the code of conduct has been breached, which may include a reprimand, or a recommendation to the Minister for termination of the board member’s engagement. The charter provides guidance on meeting procedures, including quorum requirements, voting, minutes, and resolutions without meetings, in accordance with the SHFT Act.

2.28 The board charter is included in the induction kit for board members. In addition, the code of conduct is publicly available on the SHFT website.

2.29 The SHFT board’s inclusion of behavioural expectations in its board charter is a practice that other entities could consider adopting.

Does the accountable authority approve or have oversight of key policies?

2.30 The SHFT board has oversight of most key SHFT policies.⁵² Various policies have been reviewed by the board during the period reviewed by the ANAO although board minutes do not always indicate board approval. Policies reviewed by the board include:

• gifts and hospitality policy, noted and taken as read in September 2016;
• crisis and emergency management policy, noted and taken as read in September 2016;
• personal protective equipment policy, noted and taken as read in September 2016;
• injury management and rehabilitation policy, noted and taken as read in September 2016;
• fitness for work policy, noted and taken as read in September 2016;
• health and wellbeing policy, noted and taken as read in September 2016;
• workplace surveillance policy, noted and taken as read in September 2016;
• rental subsidy policy for contributory and delivery partners, approved in December 2016;
• strategic financial plan, taken as read, March 2017⁵³;
• leasing policy, approved in June 2017;
• work health and safety policy, approved in October 2017;
• event policy, approved in September 2018; and
• strategic asset management plan, noted in December 2018.

2.31 The board was advised in June 2017 that the policies taken as read by the board in September 2016 had been updated by SHFT management. Other policies that the board is the listed authoriser for, but which were last approved by the board prior to the period reviewed by the ANAO include:

• Fraud control policy, last approved by the board in December 2014;
• Risk management policy, last approved by the board in July 2015, and reviewed by management with no changes required in November 2017; and
• Procurement policy, last approved by the board in December 2014.

2.32 SHFT has financial delegations, as discussed in paragraph 2.18, which are reviewed and approved by the board each year, most recently in June 2018. SHFT also has accountable authority instructions, approved by the board in 2015, and subsequently reviewed by management. SHFT has a code of conduct, reviewed and approved by management, who advise the board of changes.

Opportunities for improvement

2.33 There is an opportunity for the SHFT board to focus its review and approval of policies on key policies, frameworks, and instructions (particularly those related to its duties as an accountable authority) and having a more active role in determining the timing and frequency of review. Board review of key policies and frameworks such as financial delegations, fraud, risk management and work health and safety can assist board members gain assurance that they are effectively discharging their duties as the accountable authority by setting the framework for compliance with relevant legislation. Having the board approve policies such as code of conduct, remuneration and key quality assurance frameworks (if applicable) enables boards to influence behaviours and can be an important mechanism in communicating the desired culture within the entity. Recent reviews such as the 2018 APRA Prudential Review and the 2019 Hayne Royal Commission have highlighted that boards need to be alive to how incentives in organisations can drive inappropriate behaviours.⁵⁴ Periodic board review of key policies can assist a board in its messaging to the entity about the organisational culture it wishes to promote.

2.34 In relation to risk management policies and frameworks specifically, the Commonwealth Risk Management Policy (CRMP) requires the accountable authority to endorse an entity’s risk management policy and framework. Corporate Commonwealth entities, such as SHFT, are not required to comply with the CRMP but should review and align their risk management frameworks and systems with the policy as a matter of good practice. Given the SHFT risk management policy was last approved by the board in July 2015, when considering which policies to focus on, the board should consider aligning its approval of the SHFT risk management framework and systems with the CRMP.

Are board members provided with appropriate induction?

2.35 Upon induction, board members are provided with a range of appropriate information. This includes:

• visits to SHFT sites;
• discussion with the Chair and key personnel;
• selected documents (for example, relevant legislation, the Corporate Governance Framework, the Governance Framework, Organisation Chart, annual and corporate reports, Reconciliation Action Plan, Comprehensive Plan, Management Plan, Leasing Policy and the board charter); and
• previous minutes, future meeting dates and board member contact details.

2.36 All board members indicated to the ANAO that they were satisfied with the information provided at induction.

Opportunities for improvement

2.37 There are some key policies related to the accountable authority role that are not provided at induction, including those related to risk, delegations, and fraud control. This is further discussed in Table 3.2. Early provision of these documents to new board members may be beneficial in helping them understand the risk appetite and control processes of the entity.

Has the board set expectations for reporting to it by management?

2.38 The SHFT board has not formally set expectations for reporting to it by management. Management reports to the board through standing agenda items and a standard format for presenting papers that has evolved over time.

Opportunities for improvement

2.39 The corporate governance reviews discussed in chapter 1 of this report have consistently highlighted the importance of holding management to account. There is an opportunity for the SHFT board to formally set expectations for reporting to it by management through its board charter. This could assist in ensuring that the board and management have a shared understanding of the board’s requirements and could assist the board in meeting its obligations as an accountable authority. This could be particularly useful given recent turnover in board membership.

Is board performance collectively and individually assessed?

2.40 SHFT advised the ANAO that during the period examined by this audit (July 2016 to December 2018), there had not been a formal assessment of the performance of the board (collectively or of individual members).⁵⁵

Opportunities for improvement

2.41 Periodically evaluating board performance can enable a board to reflect on its operations and assess whether it has effectively met its objectives and obligations. This should include assessing performance in terms of the performance and conformance elements discussed in paragraph 1.4 of this report. Lessons learned from this process can assist the board in setting priorities and goals and contribute to enhancing overall board and organisational effectiveness. Documenting the process, performance criteria, outcomes, and any actions taken in response to issues identified can also assist in ensuring accountability and transparency. Boards could also consider reporting in their annual report that a performance evaluation has been undertaken, insights it has gained from the evaluation and any governance changes it has made as a result. It may also be helpful for boards to evaluate their meetings, such as through informal discussion at the end of each meeting.

Does the board establish arrangements and expectations in relation to the board secretariat?

2.42 The SHFT Act does not provide requirements relating to secretariat arrangements. The Executive Assistant to the Executive Director performs the role of board secretary at meetings. SHFT advised the ANAO that there is no documentation formalising this role. Interviews with board members indicate satisfaction with secretariat arrangements, with staff able to access information required and no issues raised regarding timeliness of papers or accuracy of minutes.

Is reporting of performance results listed as an agenda item at each meeting?

2.43 At each meeting the board is provided with an Executive Director report that includes reporting of performance against corporate plan performance criteria.

Is the board provided with information to assist members to gain a good understanding of the entity’s strategic environment and risks?

2.44 SHFT has a risk management framework, endorsed by the PAC and approved by the board in 2015. The framework includes a risk management policy, which contains a risk appetite statement. The risk management policy has not been reviewed or approved by the board since approved in 2015, although the board was advised of a review, with no changes required, in November 2017. The risk management policy is not included in the board induction pack. There is risk reporting at each SHFT board meeting, with a standing agenda item on risk, governance and compliance involving presentation of current risk issues, the strategic risk register, a risk treatment schedule, a risk heat map, the internal controls action plan, and a work health and safety report.

2.45 The board demonstrates engagement in strategic planning, which requires an understanding of the strategic environment, through its involvement in corporate plan approval and the approval of management plans of sites managed by SHFT. Board members have a range of backgrounds including local government, military and Indigenous. This can be expected to support an understanding of SHFT’s particular operating environment.

2.46 SHFT uses a PAC rather than having its own audit committee. The PAC acts as a single joint audit committee for the Department of the Environment and Energy, SHFT and the Director of National Parks. The PAC was set up by the department to gain process efficiencies whilst also providing effective oversight of SHFT operations with respect to public sector requirements. The PAC reviews a sub-set of the risk documentation that is provided to the board, seeing only the current risk issues and the work health and safety report. As discussed further in paragraphs 2.48 to 2.52 and Tables 3.1, 3.2 and 3.5, board members advised the ANAO that they placed limited reliance on the PAC for assurance as they have limited visibility of the PAC’s operations. Those board members further advised that due to the limitations of the PAC, they primarily rely on their own review of management reporting to obtain the necessary assurance.

2.47 Overall, the board is provided with information to enable members to have a good understanding of SHFT’s strategic environment and risks although, as discussed below, the SHFT board needs to manage the risk that its current use of the PAC is not providing the board with the advice and assurance it needs.

In establishing the audit committee has the board considered structure, composition, size, skills and independence of mind of members to enable the committee to be effective and has the board established an audit charter outlining key requirements?

2.48 PAC members are appointed by the Secretary of the Department of the Environment and Energy. SHFT has not been directly involved in PAC member appointments but has been advised by the department when an appointment has been made.

2.49 The PAC has five members, including an independent Chair, two independent members, and two portfolio department officials. Membership is consistent with the charter which states that it must comprise at least three members, and that the majority of members must be independent. The current Chair of the PAC is independent of the portfolio department and SHFT. The charter also specifies that entity Chief Executive Officers, Chief Financial Officers, Chief Audit Executives or accountable authorities cannot be PAC members. No SHFT board members or SHFT officials are PAC members. The SHFT Executive Director or Chief Financial Officer are invited to attend PAC meetings as observers and one or both, or their acting representatives, have been in attendance at all meetings in the period examined by this audit. No PAC representatives attend SHFT board meetings and the ANAO has not seen evidence of reporting from the PAC to the board, other than in relation to the financial statements.⁵⁶ The PAC charter does not require the internal and external auditors of entities to be invited to its meetings. In practice, external audit representatives have attended all PAC meetings, and internal audit representatives have attended occasionally during the period examined by the ANAO.

2.50 The PAC charter further states that the charter will be reviewed annually, and that this review will include consultation with the accountable authorities of entities. The charter also states that any substantive changes will be recommended by the Committee and formally approved by the accountable authorities. The PAC charter was last reviewed by the PAC in June 2018, with proposed changes endorsed for recommendation to the PAC’s accountable authorities. After the PAC endorsed the charter, the draft charter was sent to SHFT, and SHFT formally approved the document.

2.51 The process by which the PAC provides assurance to the SHFT board in relation to SHFT financial statements is via a SHFT finance sub-committee. The SHFT finance sub-committee comprises two members of the PAC and a member of the SHFT board. There are no terms of reference for the sub-committee and the ANAO was advised that terms of reference will be implemented. For SHFT’s 2017–18 financial statements the SHFT finance sub-committee met with the board Chair, Executive Director, Chief Financial Officer and an ANAO officer was present as an observer.⁵⁷ The sub-committee agreed to provide advice to the PAC in relation to the financial statements. On the basis of this advice, the PAC provided written advice to the board. The letter from the sub-committee to the PAC and the letter from the PAC to the board were tabled at the SHFT board meeting prior to the approval of the financial statements.

2.52 As discussed above, a number of board members interviewed by the ANAO indicated that they placed limited reliance on the PAC for assurance purposes due to a lack of visibility over what it does and instead relied primarily on reports provided by SHFT management. Board minutes reviewed by the ANAO did not indicate a board level discussion of these issues. Further, the ANAO was advised that these issues had not been raised with the PAC or the portfolio department. The concerns of board members communicated to the ANAO should be discussed at board level and if necessary raised with the PAC to ensure that the full potential of the PAC as a source of external advice and assurance to the SHFT accountable authority is realised.

Is there an internal audit function that provides assurance to the board and does the board have oversight of internal audit and the entity’s response to internal audit findings and recommendations?

2.55 SHFT has an outsourced internal audit function, contracted through the portfolio department’s internal audit panel arrangement. SHFT has had two internal audits during the period reviewed by the ANAO, covering cyber security (a portfolio department internal audit involving SHFT and other entities within the portfolio), and contractor management.⁵⁸ All internal audit reports are provided to the PAC. The PAC monitors an internal audit recommendation tracker. This includes details of the recommendations and implementation status, although it is not always clear whether each recommendation has been agreed. The portfolio department’s cyber security internal audit contained a recommendation relating to all of the agencies within the portfolio, including SHFT.⁵⁹ This has not been included in SHFT’s internal audit recommendation tracker. SHFT has advised that their existing mechanisms partially address the recommendation, and that further action is planned.

2.56 As discussed in paragraph 2.49, the board does not receive direct reporting from the PAC other than in relation to the financial statements. This limits the board’s visibility of the PAC’s work in reviewing internal audit findings and tracking management actions. The board was provided with the contractor management internal audit report, which includes details of the recommendations and management’s response. The board was provided with some information on the portfolio department’s cyber security audit, but the board papers do not include reference to recommendations.

2.57 The SHFT board approved the internal audit work plan. There is evidence that the board considered the work plan, including requesting a particular audit topic. While the PAC also reviewed the internal audit work plan, there is no evidence of the PAC providing advice to the board on the plan, other than through discussion with management at the meeting. The PAC was provided with assurance from SHFT management that the internal audit plan was developed with consideration of SHFT risks.

2.58 In September 2017, the board requested that internal audit present at board meetings at least annually. Internal audit joined the December 2018 meeting via teleconference to discuss the findings of an internal audit on contract management.

2.59 Overall the board has oversight of its internal audit function and management’s response to internal audit findings and recommendations. However, it has limited visibility of the work done by the PAC regarding internal audit matters.

Has the board established fit-for-purpose arrangements to oversight compliance with key legislative and other requirements

3.1 The ANAO examined whether the board had established fit-for-purpose arrangements to ensure oversight of and compliance with:

• Government Policy Orders⁶⁰;
• selected parts of the entity’s enabling legislation; and
• selected parts of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) relating to: duties of accountable authorities; duties of officials; the corporate plan; financial statements, annual report and audit committees.

3.2 The results of the ANAO’s assessment against each of these requirements for the SHFT board are outlined below.

Oversight of, and compliance with, Government Policy Order

3.3 SHFT is subject to a Government Policy Order (GPO) issued by the Finance Minister under section 22 of the PGPA Act.⁶¹ Under the order, SHFT is required to comply with the Public Governance, Performance and Accountability (Charging for Regulatory Activities) Order 2017.⁶² Evidence of how the board is provided assurance of compliance with the GPO could not be provided. In addition, there is no reference to the GPO in the SHFT annual report as required by section 17BE(e) of the PGPA Rule.⁶³

3.4 SHFT management advised that SHFT complies with the Finance Minister Order (Order 2017) through charging for regulatory activities such as Liquor Licence Fees and Development Applications.

Opportunities for improvement

3.7 There is an opportunity for the SHFT board to enhance its oversight of, and compliance with, key legislative and other requirements by including the GPO in its existing compliance and assurance mechanisms. Including details of the basis of assurance, for example, what controls are in place and how they are tested, would assist board members gain a greater understanding of the robustness of internal controls supporting legal compliance.

Oversight of, and compliance with, elements of enabling legislation

3.8 SHFT is required to comply with its enabling legislation, the Sydney Harbour Federation Trust Act 2001 (SHFT Act) and Regulations. Under the SHFT Act, the Executive Director is responsible for managing the affairs of SHFT subject to the directions of, and in accordance with policies determined by, the board. The ANAO’s assessment of the SHFT board’s oversight of, and compliance with, selected key requirements of the SHFT Act is outlined below.

3.9 In terms of how the board oversights compliance with the requirements of its enabling legislation, the primary mechanism is regular reporting through the governance, risk and compliance standing agenda item. This includes quarterly reporting on management compliance statements, discussion of any breaches, and an annual compliance report. The quarterly management compliance statements certify that the signing staff member complied with a list of internal policies and procedures and a list of relevant legislation, including the SHFT Act. The quarterly compliance statements are not included in the board papers but SHFT management advised the ANAO that they can be made available at board meetings for members to see. The annual compliance report focuses on the PGPA Act rather than the enabling legislation. This is discussed further in Table 3.2.

3.10 Board members advised the ANAO they gain assurance on compliance with the enabling legislation from their individual and collective experience in reviewing management reports, questioning entity management and their knowledge of the policies, procedures and processes in place that support compliance.

Oversight of, and compliance with, selected PGPA Act requirements

3.11 The PGPA Act sets out requirements for the governance, reporting and accountability of Commonwealth entities. The PGPA Act is principles based and the accountable authority has the flexibility to establish the systems and processes that are appropriate for their entity. The Department of Finance (Finance) provides entities with guidance on how to meet the various requirements of the PGPA Act including providing examples of how entities can demonstrate compliance.

3.12 The ANAO examined whether the SHFT board established fit-for-purpose arrangements for oversight of, and compliance with, the following parts of the PGPA Act and PGPA Rule relating to corporate governance:

• general duties of an accountable authority;
• duties as an official; and
• specific requirements relating to corporate plans, annual reports and the audit committee.

General duties as an accountable authority

3.13 The general duties imposed on an accountable authority, which are considered in the following section, are to:

1. govern the Commonwealth entity (section 15);
2. establish and maintain appropriate systems relating to risk management and oversight and internal controls (section 16);
3. encourage officials to cooperate with others to achieve common objectives (section 17);
4. take into account the effects of imposing requirements on others (section 18); and
5. keep their Minister and the Finance Minister informed (section 19).⁶⁴

(a) Duty to govern the Commonwealth entity (section 15)

3.14 Finance guidance states that governing an entity includes:

• promoting the proper (efficient, effective, economical and ethical) use and management of public resources;
• promoting the achievement of the purposes of the entity;
• promoting the financial sustainability of the entity;
• taking account of the effect of decisions on public resources generally; and
• establishing appropriate systems of risk management and internal control, including measures directed at ensuring officials comply with the finance law (such as accountable authority instructions and delegations).⁶⁵

3.15 The ANAO’s assessment in relation to the SHFT board’s requirement to govern the entity is outlined in Table 3.1.

Table 3.1: Duty to govern the entity (PGPA Act section 15)

Note a: This includes maintaining a: compliance policy; compliance manual; manager’s compliance guide; compliance with legislation schedule, which lists relevant legislation, assigns a risk rating, details the nature of assurance, and assigns a responsible officer; Environmental Protection and Biodiversity Conservation Act checklist; PGPA Act checklist; SHFT Act checklist; and breach register. Aside from the PGPA Act checklist and compliance policy, these documents are not provided to the board for review or approval but support management in monitoring compliance with their obligations.

Note b: SHFT has been unable to locate the signed 2016–17 Annual Compliance statements and the signed Joint Certification by the Chief Financial Officer and Executive Director in the 2017–18 Annual Compliance statements. This is an example of the recording keeping issue discussed as an opportunity for improvement in Table 3.1. The ANAO did sight the unsigned certificates in the board papers.

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities) - RMG 200, Summary: Governing your entity [Internet], Department of Finance, December 2016, available from https://www.finance.gov.au/resource-management/accountability/accountable-authorities/ [accessed March 2019] and ANAO analysis.

(b) Duty to establish and maintain appropriate systems relating to risk management and oversight and internal controls (section 16)

3.18 The ANAO’s assessment in relation to the SHFT board’s requirement to establish appropriate systems of risk management and oversight and internal controls is outlined in Table 3.2.

Table 3.2: Duty to establish and maintain appropriate systems relating to risk management and oversight and internal controls (PGPA Act section 16)

Note a: The Executive Director delegation confirmation was adopted as a standing item as of the 20 December 2017 board meeting.

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities) - RMG 200, engaging with risk and establishing controls section [Internet], Department of Finance, December 2016, available from https://www.finance.gov.au/resource-management/accountability/accountable-authorities/ [accessed March 2019] and ANAO analysis.

(c)–(e) Duty to encourage officials to cooperate with others to achieve common objectives (section 17); take into account the effects of imposing requirements on others (section 18); and keep the Minister and the Finance Minister informed (section 19).⁶⁶

3.19 The ANAO undertook a high-level review of the board’s oversight of, and compliance with, the requirements to cooperate, consider requirements on others and keep Ministers informed. The ANAO’s assessment is outlined in Table 3.3.

Table 3.3: Duty to cooperate, consider requirements on others and keep Ministers informed (PGPA Act sections 17–19)

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities) - RMG 200, working with others and supporting ministers sections [Internet], Department of Finance, December 2016, available from https://www.finance.gov.au/resource-management/accountability/accountable-authorities/ [accessed March 2019] and ANAO analysis.

General duties as an official

3.20 In addition to the general duties for an accountable authority, the PGPA Act outlines duties applicable to all officials (which include the accountable authority). Officials are required to exercise a duty:

• of care and diligence (section 25);
• to act honestly, in good faith and for a proper purpose (section 26);
• not to misuse position (section 27);
• not to misuse information (section 28); and
• to disclose material personal interests (section 29).⁶⁷

3.21 Officials also have a responsibility to:

• comply with the finance law;
• comply with the governance arrangements in the entity, for example, internal controls on the proper use and management of public resources; and
• meet high standards of governance, performance and accountability.⁶⁸

3.22 Officials who breach their duties or responsibilities under the PGPA Act can be subject to employment sanctions (including termination of appointment for board members) or criminal sanctions for intentional or serious misuse of public resources. For more details of the duties that apply to all officials under the PGPA Act, refer to Appendix 3 of this audit report.

3.23 The ANAO’s assessment in relation to the SHFT board’s oversight of, and compliance with, the requirements of officials (sections 25–29 of the PGPA Act) is outlined in Table 3.4.

Table 3.4: General duties as an official (PGPA Act sections 25–29)

Note a: Prior to SHFT using its Portfolio Audit Committee SHFT had its own Audit, Risk and Compliance Committee.

Source: Department of Finance, General duties of officials-RMG 203 [Internet], Department of Finance, January 2018, available from https://www.finance.gov.au/resource-management/accountability/officials/ [accessed March 2019] and ANAO analysis.

Specific requirements relating to corporate plans, annual reports and audit committee

3.24 The PGPA Act and PGPA Rule set out a number of specific requirements relating to an entity’s corporate plan, annual report, performance and financial statements and audit committee. For further detail, refer to Appendices 4 to 6 of this report. The ANAO’s assessment of the SHFT board’s oversight of, and compliance with, selected key requirements is outlined in Table 3.5. For the purpose of this report, the most recent applicable document is discussed.

Table 3.5: Board oversight of, and compliance with, selected PGPA Act requirements

Note: The ANAO did not examine the quality of the corporate plan, annual report, performance statement and financial statements.

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities)-RMG 200, Improving performance and accountability; and Governing your entity [Internet], Department of Finance, December 2016, available from https://www.finance.gov.au/resource-management/accountability/accountable-authorities/ [accessed March 2019], and ANAO analysis.

Appendix 1 Entity responses

Appendix 2 General duties as an accountable authority

Source: Department of Finance, Guide to the PGPA Act for Secretaries, Chief Executives or governing boards (accountable authorities)-RMG 200, Summary: Your general duties as an accountable authority [Internet], Department of Finance, December 2016, available from https://www.finance.gov.au/resource-management/accountability/accountable-authorities/ [accessed March 2019].

Appendix 3 General duties as an official

Note a: Finance law includes the PGPA Act and rules and instruments made under the PGPA Act, as well as Appropriation Acts, and the systems of risk management and internal control in their entity established by their accountable authority (including any delegations or authorisations).

Source: Department of Finance, General duties of officials-RMG 203 [Internet], Department of Finance, January 2018, available from https://www.finance.gov.au/resource-management/accountability/officials/ [accessed March 2019].

Appendix 4 Selected PGPA Act requirements

Source: Public Governance, Performance and Accountability Act 2013

Appendix 5 Extract of PGPA Rule 2014

Source: Public Governance, Performance and Accountability Rule 2014.

Appendix 6 Extract of PGPA Rule 2014 section 17

Source: Public Governance, Performance and Accountability Rule 2014.