Background

1. The governing board of a corporate Commonwealth entity is the accountable authority for the entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act)¹, with responsibility for ‘leading, governing and setting the strategic direction’ for the entity.²

2. Around 59 corporate Commonwealth entities subject to the PGPA Act have governing boards, comprising a total of approximately 600 board positions.³ Corporate Commonwealth entities with governance boards vary significantly by function, and governance boards may also vary in their composition, operating arrangements, independence and subject-matter focus, depending on the specific requirements of their enabling legislation and other applicable laws.

Boards and corporate governance

Duties and roles

3. Boards play a key role in the effective corporate governance of an entity. Corporate governance is generally considered to involve two dimensions, which are the responsibility of the governing board:

Performance — monitoring the performance of the organisation and CEO. This also includes strategy — setting organisational goals and developing strategies for achieving them, and being responsive to changing environmental demands, including the prediction and management of risk. The objective is to enhance organisational performance;

Conformance — compliance with legal requirements and corporate governance and industry standards, and accountability to relevant stakeholders.

…

it is important to understand that governing is not the same as managing. Broadly, governance involves the systems and processes in place that shape, enable and oversee management of an organisation. Management is concerned with doing – with co-ordinating and managing the day-to-day operations of the business.⁴

4. In the Australian Government sector context, boards must govern the entity in a way that complies with the requirements of any enabling legislation, the Commonwealth finance law (which includes the PGPA Act and the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)), and other applicable laws and requirements.

5. Sections 15 to 19 of the PGPA Act impose duties on accountable authorities in relation to governing the corporate Commonwealth entity for which they are responsible. As the accountable authority, members of Commonwealth governing boards are also officials under the PGPA Act and subject to the general duties of officials in sections 25 to 29 of the PGPA Act.

Commonwealth Superannuation Corporation

6. The Commonwealth Superannuation Corporation (CSC) is a corporate Commonwealth entity established on 1 July 2011 under the Governance of Australian Government Superannuation Schemes Act 2011 (GAGSS Act). CSC manages eleven government superannuation schemes and provides superannuation services to current and former Australian Government employees and members of the Australian Defence Force. CSC’s primary function is to administer the schemes and to manage and invest the funds in the best interests of its customers in accordance with the provisions of the various legislation and trust deeds that govern the schemes. Under CSC’s governing legislation, the function of the board is to ensure that CSC performs its functions as outlined in the governing legislation in a proper, efficient and effective manner. The board of CSC is the accountable authority.

Rationale for undertaking the audit

7. This topic was selected for audit as part of the ANAO’s multi-year audit program that examines aspects of the implementation of the PGPA Act. Amongst other things, the PGPA Act requires the accountable authority of an entity to establish and maintain an appropriate system of risk oversight and management, and an appropriate system of internal controls.

8. This audit is part of a series of performance audits of board governance which provides independent assurance to the Parliament on whether the selected boards have established effective arrangements to comply with the audited legislative and policy requirements and adopted practices that support effective governance. The audits also focus on any examples of better practice which may be worth highlighting as a learning for other boards.⁵

9. Four entities were included in the ANAO’s 2018–19 board governance audit series.⁶ For this second tranche of audits, the ANAO selected three corporate Commonwealth entities⁷ with enabling legislation (statutory authorities) that had no performance audit coverage in recent years. This enabled the ANAO to examine selected aspects of legal compliance and board governance in entities not often subject to in-depth performance audit, to ensure the selected entities were getting the basics right.

10. This report outlines the audit of the CSC in the Finance portfolio.

Audit objective and criteria

11. The objective of the audit was to assess the effectiveness of the governance board in the Commonwealth Superannuation Corporation (CSC).

12. To form a conclusion against this objective, the following high-level criteria were adopted.

• The board’s governance and administrative arrangements are consistent with relevant legislative requirements and the board has structured its own operations in a manner that supports effective governance.
• The board has established fit-for-purpose arrangements to oversight compliance with key legislative and other requirements, and the achievement of entity purposes.

13. The audit examined the period July 2019 until March 2022. This is referred to as the review period.

Conclusion

14. The governance board in the Commonwealth Superannuation Corporation (CSC) is largely effective, however there is a need for additional board focus on the requirements of the Commonwealth finance law.

15. The board has been largely effective in ensuring that its governance and administrative arrangements are consistent with relevant legislative requirements and partly effective in structuring its own operations in a manner that supports effective governance. In the period reviewed by the ANAO the board’s arrangements were effective except for: alignment of the CSC’s Fit and Proper Policy with the relevant Australian Prudential Regulation Authority (APRA) standard; documenting the reporting lines and processes of some governance committees; and including finance law requirements in the audit committee charter.

16. The board has established largely fit-for-purpose arrangements to oversight compliance with key legislative and other requirements, and the achievement of entity purposes. In the review period the board’s arrangements were effective except for: the alignment of elements of fraud risk planning with finance law requirements; compliance with the corporate plan requirements of the finance law; and obtaining assurance over the content of the 2019–20 or 2020–21 annual performance statements.

Supporting findings

Board governance and structure

17. Board members and the chair were appropriately appointed, and acting arrangements were properly conducted. The decision-making processes for fit and proper assessments were not set out in the relevant CSC policy as required by APRA Prudential Standards. (See paragraphs 2.3 to 2.18)

18. The board approved an external advisor to be allocated as a board committee member and this person was recorded in committee meeting papers and minutes as a ‘member’. CSC advised that the person was not a member of the committee and did not participate in the decision-making of the committee during the review period. (See paragraphs 2.21 to 2.24)

19. With a few exceptions, board meetings were minuted and the minutes recorded decisions made by the board. Board committee terms of reference outline that a record of proceedings of each meeting are to be retained and that the minutes of each meeting are to be circulated to the board. The committee terms of reference do not outline the process for approval of minutes before being tabled at the board and do not outline the process for out-of-session decisions. (See paragraphs 2.25 to 2.33)

20. The board has established a fit-for-purpose charter, sets expectations for entity management and the board secretariat, and assesses its own performance. The audit committee terms of reference do not specifically address its Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) obligations, or mention the audit committee’s role, relationship, authority or the reporting lines between it and the risk committee. At the board and senior management level, CSC prioritises compliance with APRA Prudential Standards over Public Governance, Performance and Accountability Act 2013 and PGPA Rule (finance law) requirements. (See paragraphs 2.34 to 2.67)

21. The board has oversight of the internal audit function and the entity’s response to internal audit findings and recommendations, through its audit committee. The effectiveness of this oversight is reduced by the limitations of the audit committee’s terms of reference. (See paragraphs 2.68 to 2.75)

Oversight of compliance and the achievement of entity purposes

22. The board has oversight of compliance with the elements of enabling legislation selected for ANAO review. The oversight arrangements include a compliance policy, a monitoring system, a compliance team which conducts checks of compliance attestations, and quarterly reporting to the audit committee and board on compliance. (See paragraphs 3.3 to 3.11)

23. There is oversight of, and compliance with, the PGPA Act corporate governance requirements selected for ANAO review with the exception of fraud risks. The risk committee (or audit committee or board) have not been provided with a plan that outlines how CSC will deal with specific fraud risks which are outside of the board’s risk appetite. A fraud and corruption risk assessment and fraud control plan have not been reviewed by the board, risk committee or audit committee during the period examined by the ANAO. (See paragraphs 3.12 to 3.41)

24. The corporate plan is not fully established as the CSC’s primary planning document. The ANAO made a similar finding on this matter in 2016. The corporate plan does not fully address three of the five minimum requirements of the PGPA Rule, or cover four reporting periods as set out in the PGPA Rule. (See paragraphs 3.42 to 3.53)

25. Board meeting minutes did not evidence consideration of whether performance information included in the corporate plan continued to provide meaningful information to the Parliament and the public on the use of resources and CSC’s efficiency and effectiveness in delivering outcomes. (See paragraphs 3.54 to 3.61)

26. The board undertakes regular review of financial and non-financial performance information. (See paragraphs 3.64 to 3.68)

27. The PGPA Rule requires the audit committee to review the appropriateness of performance reporting. This was not performed by the audit committee. Corporate Plans, performance reporting and annual performance statements were provided directly to the board for review and approval. The board did not obtain assurance over the content of the 2019–20 or 2020–21 annual performance statements. (See paragraphs 3.69 to 3.73)

Recommendations

28. The ANAO also suggested five areas of improvement related to board governance in CSC.

Summary of entity responses

29. A summary response from the CSC is provided below and the CSC’s full response can be found at Appendix 1. An extract of the draft report was also provided to the Department of Finance (Finance). A summary response from Finance is provided below and Finance’s full response can be found at Appendix 1.

Commonwealth Superannuation Corporation

CSC appreciates the in-depth review and independent assessment of CSC’s performance as a corporate Commonwealth entity. CSC is pleased with the ANAO determination that the CSC board is largely effective and notes the recommendations and areas of improvement suggested.

CSC will use this report to further strengthen those areas where recommendations have been made and will continue to align its practice with the requirements of superannuation law as well as the PGPA Act and Rule. CSC is committed to ensuring that we have leading governance practices as expected of a trustee in the superannuation industry and also as expected of a corporate Commonwealth entity. CSC will continue to adapt our practice as appropriate to the changing landscape.

Department of Finance

The Department of Finance (Finance) welcomes this report.

As the ANAO notes, accountable authorities have certain duties and responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). To assist accountable authorities in understanding and meeting these duties, Finance provides all new accountable authorities with PGPA framework guidance and an offer of in-person briefings with Finance officials. These in-person briefings are also provided to boards, councils and senior executives where requested.

Key messages from this audit for all Australian Government entities

30. This audit is part of a series of governance audits that have applied a standard methodology to the governance of individual boards. Key messages from this ongoing series of audits will be drawn on to update the ANAO Insights product on Board Governance available on the ANAO website.⁸

Introduction

1.1 The governing board of a corporate Commonwealth entity is the accountable authority for the entity under the Public Governance, Performance and Accountability Act 2013 (PGPA Act)⁹, with responsibility for ‘leading, governing and setting the strategic direction’ for the entity.¹⁰

1.2 Around 59 corporate Commonwealth entities subject to the PGPA Act have governing boards, comprising a total of approximately 600 board positions.¹¹ Corporate Commonwealth entities with governance boards vary significantly by function, and governance boards may also vary in their composition, operating arrangements, independence and subject-matter focus, depending on the specific requirements of their enabling legislation and other applicable laws.

Boards and corporate governance

1.3 Sections 15 to 19 of the PGPA Act impose duties on accountable authorities in relation to governing the corporate Commonwealth entity for which they are responsible (see Box 1).¹² As the accountable authority, members of Commonwealth governing boards are also officials under the PGPA Act and subject to the general duties of officials in sections 25 to 29 of the PGPA Act.¹³

1.4 Boards play a key role in the effective governance of an entity. Corporate governance is generally considered to involve two dimensions, which are the responsibility of the governing board:

Performance — monitoring the performance of the organisation and CEO. This also includes strategy — setting organisational goals and developing strategies for achieving them, and being responsive to changing environmental demands, including the prediction and management of risk. The objective is to enhance organisational performance;

Conformance — compliance with legal requirements and corporate governance and industry standards, and accountability to relevant stakeholders.

…

it is important to understand that governing is not the same as managing. Broadly, governance involves the systems and processes in place that shape, enable and oversee management of an organisation. Management is concerned with doing – with co-ordinating and managing the day-to-day operations of the business.¹⁴

1.5 The relationship between effective corporate governance and organisational performance is summarised in Box 2.

Note a: M Edwards and R Clough, Corporate Governance and Performance: An Exploration of the Connection in a Public Sector Context, Corporate Governance ARC Project, Paper No. 1, January 2005, pp.4–5.

Note b: ibid., p.14.

Culture and governance

1.6 The interplay of the ‘hard’ and ‘soft’ attributes of governance — and the criticality of board and organisational culture to an entity’s performance, values and conduct — have been central themes in notable Australian inquiries into organisational misconduct. These have included the 2003 Royal Commission into the failure of HIH Insurance¹⁵, the 2018 Australian Prudential Regulation Authority (APRA) Prudential Inquiry into the Commonwealth Bank of Australia¹⁶ and the 2019 Royal Commission into the financial services industry.¹⁷ While the specific focus of these inquiries was on financial institutions, their key insights on culture and governance (Box 3) have wider applicability and provide lessons for all accountable authorities, including governance boards.¹⁸

Source: ANAO, Audit Insights: Board Governance, 17 May 2019, available from https://www.anao.gov.au/work/audit-insights/board-governance.

1.7 Many Auditor-General reports have made findings consistent with those appearing in the reports of these inquiries.¹⁹ In April and May 2019, the Auditor-General presented a series of performance audits that reviewed whether the boards of four corporate Commonwealth entities had established effective arrangements to comply with selected legislative and policy requirements, and adopted practices that support effective governance:

• Report No.34 2018–19 Effectiveness of Board Governance at Old Parliament House — published on 18 April 2019;
• Report No.35 2018–19 Governance of the Special Broadcasting Service Corporation — published on 26 April 2019;
• Report No.36 2018–19 Effectiveness of Board Governance at the Australian Institute of Marine Science — published on 30 April 2019; and
• Report No.37 2018–19 Effectiveness of Board Governance at the Sydney Harbour Federation Trust — published on 2 May 2019.²⁰

1.8 The ANAO also published an audit insights product from this series of audits, which outlined a number of key messages that may be relevant to the operations of other Commonwealth boards as well as broader governance arrangements in Commonwealth entities.^{21 22}

The Public Governance, Performance and Accountability Act 2013 (PGPA Act)

1.9 The objects of the PGPA Act include: to establish a coherent system of governance and accountability across Commonwealth entities; and to require the Commonwealth and Commonwealth entities to meet high standards of governance, performance and accountability.²³

1.10 As discussed in paragraph 1.3, the PGPA Act includes both general duties of accountable authorities and general duties of officials. It also establishes obligations relating to the proper use of public resources (that is, the efficient, effective, economical and ethical use of resources).²⁴ In so doing, the PGPA Act establishes clear cultural expectations for all Commonwealth accountable authorities and officials in respect of resource management.

1.11 The Department of Finance (Finance), which supports the Finance Minister in the administration of the PGPA Act framework, has also issued a range of guidance documents on the technical aspects of resource management under the framework.

1.12 In April 2019 the Auditor-General made an agreed recommendation to Finance to update its guidance to accountable authorities having regard to the key insights and messages for accountable authorities identified in recent inquiries and reviews (the Hayne Royal Commission and APRA Prudential Inquiry).²⁵

1.13 In November 2019 Finance released a two-page paper titled: Lessons learned from the private sector: Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. This paper highlights that accountable authorities should be mindful of inquiries and reviews undertaken in the private sector and should consider any lessons that could be learned in their entity’s context. The paper also states the following.

• The accountable authority cannot simply rely upon the information presented by senior executive staff, they have the responsibility to request more information where necessary to fulfil their duties.
• The delegation of its powers does not discharge the duties of the accountable authority to ensure that those powers are being exercised correctly.
• The practical effectiveness of an entity’s governance model and internal controls should be periodically tested. Technically ticking every best practice box is not functional as culture and governance are never ‘fixed’.^{26 27}

1.14 Relevantly, Finance also released A guide for corporate Commonwealth entities on the role of audit committees in September 2021.²⁸ The guide states that:

Audit committees are integral to good corporate governance. They provide advice to accountable authorities, assist them to meet their duties and obligations, and support the development of key practice and capacity within [corporate Commonwealth entities] CCEs.²⁹

1.15 In December 2021 Finance advised the ANAO that:

• it monitors the appointment of new accountable authorities on a regular basis;
• to support accountable authorities in meeting their responsibilities under the PGPA Act, the Finance Secretary issues a new accountable authority with an introductory email providing guidance material, tools and resources available on the Finance website. These emails also offer in-person briefings from senior officials on their duties under the PGPA Act;
• it also provides broader PGPA framework briefings to senior executives and officials of PGPA Act entities and companies on request; and
• during 2020–21, it provided 17 new accountable authority introductory emails and delivered 14 in-person briefings. The briefings delivered by Finance officials in 2020–21 were to a combination of accountable authorities, officials and board members. Of the 14 in-person briefings, six were delivered to board members.

Rationale for undertaking the audit

1.16 This topic was selected for audit as part of the ANAO’s multi-year audit program that examines aspects of the implementation of the PGPA Act. Amongst other things, the PGPA Act requires the accountable authority of an entity to establish and maintain an appropriate system of risk oversight and management, and an appropriate system of internal controls.

1.17 This audit is part of a series of performance audits of board governance which provides independent assurance to the Parliament on whether the selected boards have established effective arrangements to comply with the audited legislative and policy requirements and adopted practices that support effective governance. As discussed in paragraph 1.8, the audits also focus on any examples of better practice which may be worth highlighting as a learning for other boards.

1.18 As discussed in paragraph 1.7, four entities were included in the ANAO’s 2018–19 board governance audit series. For this second tranche of audits, the ANAO selected three corporate Commonwealth entities with enabling legislation (statutory authorities) that had no performance audit coverage in recent years. This enabled the ANAO to examine selected aspects of legal compliance and board governance in entities not often subject to in-depth performance audit, to ensure the selected entities were getting the basics right. Each entity in this series of audits will be subject to a separate audit with three audit reports to be tabled.

1.19 The three entities included in the ANAO’s 2021–22 board governance audit series are:

• Commonwealth Superannuation Corporation (CSC) in the Finance portfolio;
• Australian Hearing Services (Hearing Australia) in the Social Services portfolio; and
• Australian Film, Television and Radio School (AFTRS) in the Infrastructure portfolio.

Commonwealth Superannuation Corporation (CSC)

1.20 CSC is a corporate Commonwealth entity established on 1 July 2011 under the Governance of Australian Government Superannuation Schemes Act 2011 (GAGSS Act). CSC manages eleven government superannuation schemes and provides superannuation services to current and former Australian Government employees and members of the Australian Defence Force. CSC’s primary function is to administer the schemes and to manage and invest the funds in the best interests of its customers in accordance with the provisions of the various legislation and trust deeds that govern the schemes.

1.21 Under CSC’s governing legislation, the function of the board is to ensure that CSC performs its functions as outlined in the governing legislation in a proper, efficient and effective manner.³⁰ The board of CSC is the accountable authority.

1.22 From 1 July 2020, the GAGSS Act required the board to consist of a chair and eight other directors. A director is appointed by the Finance Minister (minister) by written instrument. A director must not hold office continuously for more than nine years. All directors are appointed on a part-time basis. A director is to be paid the remuneration that is determined by the Remuneration Tribunal.

1.23 The board has four standing committees to assist it carrying out its functions: the audit committee, the risk committee, the board governance committee and the remuneration and HR committee.³¹ It has also established other committees to assist with its decision review obligations under other legislation.

1.24 At 30 June 2021, the CSC workforce was 490 full and part-time staff which were organised into three primary functions: Investments, Customer Innovation and Services, and Corporate. There were also stand-alone Transformation and Technology, Risk and General Counsel units which reported directly to the Chief Executive Officer.

1.25 CSC is responsible for the management of a range of defined benefit, defined contribution and hybrid superannuation schemes. The defined benefit schemes are funded through special appropriations to the Department of Finance, the Department of Defence and the Department of Foreign Affairs and Trade. CSC, as an agent, has third party access rights to these special appropriations. In 2020–21 the total payments made from these special appropriations were approximately $11 billion. In relation to CSC’s defined contribution and hybrid superannuation schemes, the 2020–21 net after tax contributions received by CSC were approximately $3.2 billion.

Audit approach

Audit objective, criteria and scope

1.26 The objective of the audit was to assess the effectiveness of the governance board in the Commonwealth Superannuation Corporation (CSC).

1.27 To form a conclusion against this objective, the following high-level criteria were adopted.

• The board’s governance and administrative arrangements are consistent with relevant legislative requirements and the board has structured its own operations in a manner that supports effective governance.
• The board has established fit-for-purpose arrangements to oversight compliance with key legislative and other requirements, and the achievement of entity purposes.

1.28 The audit examined the period July 2019 until March 2022. This is referred to as the review period.

Audit methodology

1.29 In undertaking the audit the ANAO:

• reviewed board and committee papers and minutes from July 2019 to March 2022;
• reviewed a range of relevant documentation including entity corporate plans, strategy documents, board and committee charters, risk registers, conflict of interest declarations and other key policy and process documentation;
• held discussions with the current board chair, Chief Executive Officer and other staff;
• observed one board meeting, one audit committee meeting and one risk committee meeting in November 2021;
• reviewed relevant guidance and reviews on board and corporate governance; and
• examined internal audit and assurance reports.

1.30 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $170,000.

1.31 The team members for this audit were Michelle Page, Peter Bell and Susan Ryan.

2.1 Board governance and structure encompasses how the entity establishes and manages the board in accordance with its duties and responsibilities under the Commonwealth finance law — which includes the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) — its enabling legislation and other regulatory requirements. To assess the effectiveness of the governance board in the Commonwealth Superannuation Corporation (CSC), the ANAO examined whether:

• the board’s governance and administrative arrangements are consistent with relevant legislative requirements; and
• the board has structured its own operations in a manner that supports effective governance.

2.2 The CSC’s enabling legislation is the Governance of Australian Government Superannuation Schemes Act 2011 (GAGSS Act). CSC also holds both a Registerable Superannuation Entity (RSE) licence and an Australian Financial Services (AFS) licence, which means it is regulated by the Australian Prudential Regulation Authority (APRA) under the Superannuation Industry (Supervision) Act 1993 (SIS Act) and the Australian Securities and Investments Commission (ASIC) under the Corporations Act 2001. The board must establish fit-for-purpose governance arrangements to uphold the conditions of both its RSE and AFS licences and to comply with financial services law.

Are the board’s governance and administrative arrangements consistent with relevant legislative requirements?

2.3 To assess if CSC’s governance and administrative arrangements were consistent with legislative requirements, the ANAO examined the structure, membership, nomination, appointment and reappointment of board directors, the constitution of board meetings and the transparency of board decision-making. The audit examined the period July 2019 until March 2022. This is referred to as the review period.

Were board members and the chair appropriately appointed, and were acting arrangements properly conducted?

2.4 From 1 July 2020, the composition of the board under the GAGSS Act was a chair and eight other directors. CSC directors are appointed, on a part-time basis, by the Finance Minister (minister) by way of a written instrument.

2.5 Four of the eight directors are nominated as follows:

• two directors are nominated in writing by the President of the Australian Council of Trade Unions (ACTU); and
• two directors are nominated in writing by the Chief of the Defence Force.

2.6 The minister chooses the four remaining directors. The appointment of the chair is undertaken by the minister in consultation with the other directors. CSC documentation indicates that during the period reviewed, the board chair discussed the appointments of new directors with the minister and the potential contribution of individuals to the required skills of the board.

2.7 A person is not eligible for appointment as a director if the person’s appointment would result in a contravention of a fitness and propriety standard under the SIS Act.³² Fitness and propriety standards are outlined in CSC’s Fit and Proper Policy.

2.8 CSC’s Fit and Proper Policy states that prior to appointment, the board governance committee will conduct a fit and proper assessment of the candidate. The assessment is provided to the minister as part of the appointment process. This assessment includes: a review of the director’s declarations; self-assessment against a Board Skills Matrix; personal resume and relevant police and solvency checks. CSC has identified ten skills within the Board Skills Matrix to reflect the board’s collective skills and experience required to effectively and prudently manage the operations of CSC, in order to fulfil its duties and to deliver member outcomes. These include experience in: leadership, the finance services sector, risk management, technology and digital, public policy and understanding CSC’s members and customers.

2.9 The Board Skills Matrix is used to assess the collective skills of the current board membership. CSC documentation did not evidence its use as a mechanism to assist with: succession planning or to support the nomination of new board directors (to address any skills gaps of the board); or the allocation of directors, non-director members or external advisors to board committees. The use of a skills matrix can provide a more disciplined approach to the assessment of desirable skills and a firmer basis for advising the minister.

2.10 The board has also approved a Board Renewal Policy. This policy sets out how the board will seek to communicate with the minister, and those who are able to nominate directors, in order to achieve board renewal objectives. The policy states that the board seeks ‘to ensure that over any three-year period no more than three directors reach the end of their terms in any one year’.

2.11 Since July 2019, five directors were reappointed for a range of time periods up to three years, and four new directors were appointed. CSC maintained correspondence from the minister related to the reappointments and appointments. Evidence was also maintained on the fit and proper self-assessments performed by directors, and resolutions made by the board governance committee on the fit and proper assessments performed. In all instances, the board governance committee ‘resolved to declare’ that the director met the fit and proper requirements for reappointment or appointment to the board.

2.12 APRA Prudential Standard SPS 520: Fit and Proper sets out minimum requirements in determining the fitness and propriety of individuals to hold positions of responsibility. It states that the ultimate responsibility for ensuring the fitness and propriety of the responsible person rests with the board of directors.

2.13 Section 26 of SPS 520 requires an entity’s fit and proper policy to include the processes to be undertaken in assessing whether a person is fit and proper. This process must include the decision-making processes that will be followed. CSC’s Fit and Proper Policy does not outline the decision-making processes that will be followed.³³

2.14 The policy states that the board governance committee will ‘conduct’ the fit and proper assessment, but it does not indicate who is the decision maker or the decision-making process. In all reappointments and appointments examined by the ANAO, the board governance committee ‘resolved to declare’ that reappointment and appointment requirements were met. While the board governance committee has an advisory role, it is not evident that it has decision-making authority on this matter.

2.15 The board charter and board governance committee terms of reference both state that the purpose of the board governance committee is to ‘assist the board by advising and making recommendations on issues relevant to the governance of CSC and the identification, education and evaluation of directors’.

2.16 In February 2022 the board approved a revised board governance committee terms of reference that updated the authority of the committee. The updated terms of reference still do not provide the committee with the authority to make decisions about the fit and proper assessments that it carries out.

2.17 The ANAO has made a recommendation on this matter below.

2.21 In June 2020 the board approved the ‘board committee composition 2020’ which sets out the allocation of directors to board committees. By approving this paper, the board approved an external advisor to be allocated as a board committee ‘member’. This person was recorded as a risk committee ‘member’ in all meeting minutes and papers from July 2020 to November 2021. The individual was also recorded as a risk committee ‘member’ in CSC’s Annual Report 2020–21, which included a note that the person was a ‘consultant to committee’. CSC advised the ANAO that the person was not a member of the risk committee and did not participate in the decision-making of the committee during this period.³⁴ In November 2021 the board approved the ‘board committee composition 2021–22’ paper which indicated that this person was an ‘external advisor’ to the audit committee and the risk committee.³⁵ This was 17 months after the June 2020 board approval.

2.22 The rationale for board decision-making on the allocation of directors and external advisors to its committees is not documented. As discussed in paragraph 2.18, there is an opportunity for improvement for the board to use the Board Skills Matrix more strategically, including to inform and support decision-making and activities related to the nomination of directors, director succession planning and the allocation of directors, non-director members and external advisors to its committees.

2.23 Since 25 July 2021 the CSC audit committee has not met the desired skill level of ‘at least one member with relevant professional accounting, auditing and/or assurance qualification (CA, CPA etc)’ as outlined in the CSC’s Fit and Proper Policy.

2.24 Acting arrangements for directors, including for board committee membership were appropriately recorded and approved in board and committee meeting minutes.

Were meetings properly constituted, and is there a mechanism enabling decisions to be taken without meetings?

Board meetings

2.25 The board should hold such meetings as are necessary for the performance of its functions.³⁶ CSC’s board charter identifies that it has been the practice that the board holds at least eight meetings a year. A calendar is prepared each year to outline meetings and proposed coverage at each meeting. A quorum for a board meeting is six directors.³⁷ For voting, a question is decided by the agreement of six directors. Quorum requirements were met during the period reviewed.

2.26 Quorum requirements for the board committees are outlined in the relevant terms of reference documents. Quorum requirements for board committees were met during the period reviewed.

2.27 Board meetings are minuted, and the minutes record decisions made and actions to be taken. Board meeting papers include draft minutes of the previous meeting for board approval.

2.28 CSC’s board charter outlines procedures for the preparation of minutes and outlines the mechanisms to facilitate decisions without meetings. Out-of-session decisions are made if the required quorum of directors indicates agreement with the proposed decision in the manner requested.

2.29 In April 2020 the board held a special meeting to consider a short list of candidates and to agree on a preferred candidate for appointment as CSC’s Chief Executive Officer (CEO). There are neither minutes nor records of decisions made by the board during this meeting. Since April 2020 and until the end of the review period, CSC maintained records of out-of-session board meetings and decision-making.

Board committees

2.30 The board has approved terms of reference for each of its committees. The terms of reference documents require the preparation of minutes which are provided to the board. Each committee prepared meeting minutes for the period reviewed. The committee papers included draft minutes of the previous meeting for approval. The committee meeting minutes were tabled at subsequent board meetings.

2.31 Board committee terms of reference outline that a record of proceedings of each meeting is to be retained and that the minutes of each meeting are to be circulated to the board. The committee terms of reference do not outline the process for approval of minutes before they are tabled at the board, or the process for out-of-session decisions.

2.32 Until February 2022, the risk committee and audit committee terms of reference required, amongst other things, that the committees review the adequacy of their reporting to the board annually and report to the board on their performance annually. This process of review and reporting is important for the transparency of committee operations and to demonstrate achievement of the objectives of the committees. These requirements were not discharged annually by the committees in the review period. In February 2022, CSC updated the terms of reference for the risk committee and the audit committee and (amongst other things) removed these reporting requirements. The omission of these reporting requirements is not consistent with guidance from the Department of Finance.³⁸

Has the board structured its own operations in a manner that supports effective governance?

2.34 During the period reviewed, the board was supported by five committees.

• Audit committee — assists the board by providing an objective non-executive review of CSC’s financial reporting. The committee is made up of a minimum of three directors and all committee members must be directors.
• Risk committee — assists the board in discharging its responsibilities by oversighting risk culture, risk frameworks and management of non-financial risk. The committee is made up of a minimum of three directors and is chaired by a director appointed by the board.
• Board governance committee — assists the board by advising and making recommendations on issues relevant to the governance of CSC and the identification, education and evaluation of directors. The committee is made up of a minimum of three directors and is chaired by a director appointed by the board.
• Remuneration and HR committee — assists the board by advising and making recommendations on issues relevant to its Remuneration Policy and human resource obligations. The committee is made up of a minimum of three directors, all committee members must be directors and the committee is chaired by a director appointed by the board.
• Member outcomes committee — assisted the board to develop and implement practices to ensure that CSC meets the requirements of Prudential Standard SPS 515: Strategic Planning and Member Outcomes. The committee was dissolved by the board in November 2021.

2.35 The board has also established other committees to assist with its decision review obligations (reconsideration committees). The governance structure of the board and its high-level committees is illustrated in Figure 2.1.

Figure 2.1: Board committees

 

 

Note a: Member Outcomes Committee was dissolved in November 2021.

Source: ANAO analysis of CSC’s board and committee charters, meeting minutes and papers.

2.36 To assess if the board has structured its own operations in a manner that supports effective governance, the ANAO examined the charters, committee arrangements, oversight of key policies, induction, board performance assessments and arrangements for the establishment and operation of the internal audit function. The ANAO also considered behavioural observations of the operation of the board.

Does the board have a fit-for-purpose charter, set expectations for entity management and the board secretariat, and assess its own performance?

Charter

2.37 A board charter is a written document that sets out such things as:

• the functions, powers, and membership of the board;
• role, responsibilities and expectations of members, both individually and collectively, and of management³⁹;
• role and responsibilities of the chairperson⁴⁰;
• procedures for the conduct of meetings⁴¹; and
• policies on board performance review.

2.38 A charter can provide a single reference point that clearly sets out the functions, powers and membership of the board, as well as roles, responsibilities and accountabilities, consistent with relevant legislative requirements. Board charters can also articulate the desired culture of the board and address the ‘soft attributes’ of governance discussed in Chapter 1 of this audit relating to board culture and behaviours, which are critical to good governance.⁴²

2.39 The Australian Institute of Company Directors has indicated that:

In most organisations the governance framework is determined by the legislation that it has been created under … However, there are many aspects of modern governance which the board must consider and act upon that lie outside legal requirements. The board charter is one way of documenting these matters.⁴³

2.40 CSC’s board charter outlines the legislation under which the CSC was established and the legal requirements of directors, including obligations under the PGPA Act. The charter has been designed to address APRA’s Prudential Standard SPS 510: Governance, particularly with respect to the stated roles of the audit committee and remuneration committee. The audit committee role is focused on providing ‘an objective non-executive review of the financial reporting’. The board charter does not refer to the audit committee’s range of functions under section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). The PGPA Rule provides that:

(1) The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee for the entity.

(2) The functions must include reviewing the appropriateness of the accountable authority’s:

1. financial reporting; and
2. performance reporting; and
3. systems of risk oversight and management; and
4. system of internal controls for the entity.⁴⁴

2.41 While the audit committee terms of reference refer to the above activities, they do not specifically address the PGPA Rule obligations of the audit committee in relation to those activities. For example, the terms of reference do not outline the audit committee’s responsibility to review the appropriateness of performance reporting and systems of internal controls.

2.42 The relevant Department of Finance guidance, A guide for corporate Commonwealth entities on the role of audit committees, notes the following regarding the relationship between audit and risk committees:

If an accountable authority establishes a separate risk committee there needs to be clarity regarding the roles of the risk committee, the Chief Risk Officer (if one is appointed) and the audit committee and clear lines of communication between them. Any such arrangements should not dilute the statutory functions of the audit committee to review the appropriateness of the accountable authority’s system of risk oversight and management, nor the responsibility of the accountable authority, senior management and other officials to manage and engage with risk as an integral part of their responsibilities.⁴⁵

2.43 The CSC audit committee’s terms of reference (including the terms of reference that were approved by the board in February 2022) do not mention its role, relationship, authority or the reporting lines between it and the risk committee.

2.44 The risk committee’s terms of reference outline the following purpose:

The purpose of the Risk Committee (Committee) is to assist the Board of CSC in discharging its responsibilities by oversighting the frameworks and management of risk included in the following areas:

• Strategic and tactical risk: operational risk, business operations, technology, fraud, business continuity and recovery
• Counterparty risk
• Insurance risk
• Other non-investment risks that may have a material impact on the RSE’s operations, such as customer and reputational risks.

The Committee does not oversee material investment and liquidity risks. These are reported directly from the Investment Team to the Board. The Committee reports to the Audit Committee and the Board of the appropriateness of CSC’s non-investment risk oversight and management.

2.45 The ANAO’s review of board and committee meeting minutes for July 2019 to March 2022 indicates that the risk committee reported directly to the board, including providing regular oral updates and tabling of meeting minutes. The risk committee also referred a number of recommendations to the board via the audit committee.⁴⁶ The audit committee did not review (or conclude) on the appropriateness of the systems of risk oversight and management, which is a core audit committee function under section 17 of the PGPA Rule. The board should ensure that its committees, including the audit committee, are aware of such statutory functions.

2.46 A consolidated meeting schedule for the board and its committees is maintained by CSC’s General Counsel and is included in board meeting papers. Workplans have also been prepared for board committees to outline the areas of coverage and the meeting/quarter in which the coverage will be provided by management to the committee. Workplans cover either one or two calendar years. The audit committee workplans for 2020–21 and 2021–22 do not mention performance reporting or oversight of risk management.

Board expectations for entity management and the board secretariat

2.49 CSC’s Governance Framework (August 2021) states that it:

sets out how the Board oversees and exercises its authority in relation to Commonwealth Superannuation Corporation’s (CSC’s) business operations, which encompass the totality of systems, structures, policies, processes and people that underpin accountability within CSC’s business operations.

2.50 The framework was designed to meet APRA Prudential Standard SPS 510: Governance. This document includes an appendix which lists the policies that are approved by the board. This includes a list of 29 frameworks, policies and documents.⁴⁷ It includes policies related to risk management, fraud control, conflicts management, compliance and investments governance.

2.51 The list does not include other key policies that relate directly to the PGPA Act, and other key legislative responsibilities. For example, the Complaints Policy and Work Health and Safety Policy (2017) are not approved by the board. Policies such as these enable boards to influence behaviours and can be an important mechanism in communicating the desired culture within the entity. Reviews such as the 2018 APRA Prudential Review⁴⁸ and the 2019 Hayne Royal Commission⁴⁹ have highlighted that boards need to be alive to how incentives in organisations can drive inappropriate behaviours. Periodic board review of these policies can assist a board in its messaging to the entity about the organisational culture it wishes to promote. In June 2021 the board agreed to an action to perform a ‘comprehensive reporting and agenda review’, which would include consideration of what policies should be approved by the board and its committees. Initial results of this review were scheduled to be discussed at the April 2022 board meeting.

2.52 The board charter outlines the ‘relationship with and access to management’. This includes an approach to constructive and respectful relations with management, open access to management and operational management. The board has also set expectations of management through its forward workplans for itself and its committees.

2.53 The board charter outlines arrangements and expectations for the board secretariat through the identification of the General Counsel Team to assist with developing agenda and minute taking.

Board induction, education, and performance

2.55 In the past, CSC has provided induction to new directors through a welcome email which included an induction pack and relevant key documents and a briefing with the CEO. This induction material outlined CSC’s core functions, board structure, strategic focus and industry issues. In June 2021, the board agreed to an action plan to improve induction. This followed an External Board Performance Review (April 2021) prepared by consultants (Lintstock), which highlighted that ratings for board director induction and training were ‘somewhat mediocre in nature, and it would seem that a more structured induction programme would be beneficial — including, for example, a briefing on the schemes by the General Counsel and on the investment approach by the CIO’.

2.56 A two-day induction program has been developed by CSC’s General Counsel and CEO. This induction program was ‘trialled and tested’ between December 2021 and February 2022 for new board directors who commenced at CSC in September 2021 and October 2021.

2.57 To assist the board in understanding the entity’s strategic environment and risks the board has established a number of standard meeting agenda items covering these areas including the chair’s report, CEO’s report, finance report, risk management and strategy reporting. The board also holds strategy days during which the board can engage with management on the direction of the entity. Board strategy days were held in February 2020, March 2021 and March 2022.

2.58 To promote continuous education of board directors, the board has established ‘voluntary’ one-hour sessions before board meetings in which directors engage with management on relevant education topics. For example, in November 2021 there was a voluntary session on understanding CSC’s risk appetite and this was attended by all board directors.

2.59 CSC’s Fit and Proper Policy requires CSC directors to undertake professional development of at least 40 hours in a rolling three-year period and at least ten hours annually. The board governance committee reviewed director professional development in November 2021 and found that ‘most directors … remain on track or have already met the three-year rolling targets’. Professional development hours are monitored annually by the board governance committee.

2.60 The board charter requires board performance evaluation to be conducted annually and to examine the board as a whole, the chair, individual directors and board committees. CSC’s Board Evaluation Policy (September 2019) sets out how evaluations may be conducted. The policy states that the means of assessment will be determined by the board, on the recommendation of the board governance committee.

2.61 In March 2020 a short survey was completed by members of the board and its committees on performance. Action plans were identified and discussed at the June 2020 board governance committee meeting. As part of this process, the chair of the board conducted individual performance discussions with directors between September 2019 and April 2020. Actions arising from the board performance evaluation process included: providing the board with a better understanding of cyber security; reconsideration of committee composition; and monitoring the number, duration and content of board and committee meetings to ensure they are fulfilling the duties as set out in relevant terms of reference.

2.62 In 2021, the board governance committee engaged consultants (Lintstock) to conduct a ‘board development programme’ over the next three years. The initial survey and reports were provided to CSC in April 2021. The April 2021 survey was completed by board members. The survey assessed individual performance of the chair of the board but not the chairs of the board’s committees.

2.63 Action plans to address improvement areas arising from the board evaluation have been developed and were approved at the June 2021 board meeting. Actions related to undertaking a comprehensive reporting and agenda review, development of an induction and training program, improving communication with customers, and changes to the committee review process.

Behavioural observations

2.64 The ANAO attended one board meeting, one audit committee meeting and one risk committee meeting in November 2021. The ANAO interviewed the chair of the board in February 2022. Interviews were also held with members of the General Counsel Team. In those meetings, and through a review of board and committee papers and minutes, the ANAO observed board directors collectively displaying a range of qualities and behaviours that indicate a positive governance culture at the board level.⁵⁰ These included:

• an openness to declaring conflicts of interest;
• an ability to conduct meetings in a professional, collegiate and respectful manner;
• a willingness to undertake sufficient preparation to enable meetings to be conducted in a productive manner;
• a desire and commitment to act in the best interest of the CSC;
• a willingness to invest in their own understanding of issues and CSC operations, including participation in voluntary training sessions; and
• direct engagement with the CSC executive on key areas of interest.

2.65 However, the ANAO noted that at the board and senior management level, CSC prioritised compliance with APRA Prudential Standards over PGPA Act and PGPA Rule (finance law) requirements, because of the perceived relative severity of the impacts of non-compliance.⁵¹ As outlined in Chapter 1, the responsibility of the board encompasses the ‘soft’ attributes of governance.⁵² This includes the need for behaviours promoting compliance with all relevant legal obligations.

2.66 As discussed in paragraphs 2.37 to 2.46 of this audit, board charter and committee terms of reference should provide sufficient information about roles, relationships, authority and expectations of the board to meet finance law requirements.

Is there an internal audit function that provides assurance to the board and does the board have oversight of internal audit and the entity’s response to internal audit findings and recommendations?

2.68 The audit committee terms of reference outline specific responsibilities related to the oversight of internal audit. These include:

• to appoint and monitor the Internal Audit Provider;
• to approve the internal audit plan and ensure internal audit projects are adequately resourced;
• to ensure there is appropriate interaction between management and internal and external auditors;
• to meet with the internal auditor, without management being present, to discuss any issues arising from internal audit work; and
• to ensure that the internal auditor has free and unfettered right of access to the Committee.

2.69 In November 2021 the audit committee approved the continuation of KPMG as the internal audit provider for the next three calendar years commencing 1 January 2022. KPMG has been the internal audit provider for CSC since 2018.

2.70 The audit committee approves an annual audit plan in February each year. The internal audit plan is prepared to reflect the requirements of the APRA Prudential Standards, changes to CSC’s business and the practice of rotating through CSC’s identified material risks. The audit plan includes a three-year strategic view of internal audit activities. Each of the approved audit plans for 2020 and 2021 included 12 internal audit activities.

2.71 The audit committee approves the scopes of individual assurance activities. The audit committee reviews the outcomes of internal audit activities. This includes management responses to audit findings and recommendations.

2.72 CSC management prepares a status of internal audit recommendations document which is provided regularly to the audit committee. This outlines management responses to recommendations and when recommendations are closed or whether there are changes to expected recommendation implementation dates.

2.73 In September 2021, the audit committee prepared a report to the board on non-audit services provided in 2020–21. This provided a retrospective look at work performed by both the internal audit provider and the service provider contracted by the ANAO. This report was prepared to confirm that the audit committee was satisfied that the provision of these services during the 2020–21 financial year was compatible with the general standard of independence for auditors.

2.74 At each board meeting the audit committee chair has provided an oral report on the activities of the committee and has tabled the minutes of the previous meeting, including a listing of matters considered.

2.75 During the review period the board, through the audit committee, had effective oversight of the internal audit function and management’s response to internal audit findings and recommendations.

3.1 Accountable authorities have a duty to establish and maintain an appropriate system of internal control for the entity, including by implementing measures directed at ensuring officials of the entity comply with the Commonwealth finance law.⁵³ To assess the effectiveness of the governance board in the Commonwealth Superannuation Corporation (CSC), the ANAO examined whether the board has established fit-for-purpose arrangements to oversight:

• compliance with key legislative and other requirements; and
• the achievement of entity purposes.

Has the board established fit-for-purpose arrangements to oversight compliance with key legislation and other requirements?

3.2 To assess if the board has established fit-for-purpose arrangements to oversight compliance with key legislation and other requirements, the ANAO examined processes to identify, monitor and report on relevant enabling legislation, and actions to address any identified breaches. The audit examined the period July 2019 until March 2022. This is referred to as the review period.

Is there oversight of compliance with elements of enabling legislation?

3.3 The Commonwealth Superannuation Corporation’s (CSC) Compliance Policy (August 2021) states that:

CSC operates in a complex regulatory environment where effective compliance is the meeting of obligations set out in laws, regulations, rules, self-regulatory organisation standards, and codes of conduct applicable to CSC’s activities.

Ineffective compliance may give rise to legal or regulatory sanctions, financial loss, or damage to CSC’s reputation. As such, CSC must have strong systems and controls in place to ensure its compliance obligations are met, and compliance incidents appropriately managed.

3.4 As a corporate Commonwealth entity, an Australian Financial Services (AFS) licensee and a Registrable Superannuation Entity (RSE) licence holder, CSC has a range of legal and regulatory obligations with which it must comply. This includes, but is not limited to, complying with obligations under:

• the Governance of Australian Government Superannuation Schemes Act 2011 (GAGSS Act);
• the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule);
• the Superannuation Industry (Supervision) Act 1993 (SIS Act) and associated regulations;
• the Corporations Act 2001 and associated regulations;
• the Australian Prudential Regulation Authority (APRA) Prudential Standards;
• the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and Rules;
• scheme legislation, trust deeds and governing rules;
• taxation legislation; and
• privacy and data protection laws.

3.5 CSC’s regulatory environment, including relevant legislation with which it must comply, is outlined in CSC’s Compliance Policy, which was updated in August 2021. This policy provides an overview of the approach that CSC has established that will be followed when breaches are identified. It outlines CSC’s approach to compliance which uses a three lines of defence compliance model. The model that is applied is that CSC’s business areas have primary responsibility for compliance in relation to the activities of the business area. Business areas are supported by the second line of defence (General Counsel Team and Risk Team) and third line of defence (audit) in performing their responsibilities. Business areas are also supported in their broader management of risks by the Risk Team.

3.6 CSC’s General Counsel has principal oversight of compliance and compliance frameworks within CSC’s business operation, including:

• developing the compliance framework and associated policies and processes;
• reporting to the board and audit committee on compliance matters;
• providing compliance training and advice, including on legal and regulatory developments;
• undertaking monitoring and oversight activities, including through breach and incident reporting processes and compliance attestation processes;
• reviewing and assessing incidents and overseeing incident remediation, including providing legal analysis as required;
• identifying and reporting to the board and executive on emerging compliance issues; and
• breach reporting to regulators as required.

3.7 CSC uses a web-based compliance monitoring system (OSCAR). The Compliance Team uses this system in the monitoring and management of compliance including for:

• self-assessment style attestation reporting by CSC and its services providers;
• reporting, recording, assessing and managing compliance incidents within the system; and
• capturing compliance data and reporting on compliance performance over time.

3.8 The board receives quarterly reporting on compliance. Quarterly compliance reports provide a summary of compliance issues and their management since the last report. This includes: new significant or reportable breaches, CSC breaches open for over six months, overdue management compliance audit recommendations, and feedback recommendations from General Counsel.

3.9 The audit committee receives more detailed quarterly compliance information, including detailed analysis of compliance breaches and an incident analysis dashboard.⁵⁴ For example, for the September 2021 reporting period, there were 201 reported incidents, 157 were closed and 44 remained active incidents. The audit committee also receives a legal and regulatory update as part of its standing agenda items.

3.10 Internal audit status updates and reports provided to the audit committee also identify any non-compliance identified as part of internal audit activities and relevant actions to address non-compliance.

3.11 During the review period the board, through the audit committee, had effective arrangements for the oversight of compliance with the key elements of its enabling legislation.

Is there oversight of, and compliance with, selected PGPA Act requirements?

3.12 The PGPA Act sets out requirements for the governance, reporting and accountability of Commonwealth entities. The PGPA Act is principles based and the accountable authority has the flexibility to establish the systems and processes that are appropriate for their entity. The Department of Finance (Finance) provides entities with guidance on how to meet the various requirements of the PGPA Act and PGPA Rule including providing examples of how entities can demonstrate compliance.

3.13 The ANAO examined if the board had established fit-for-purpose arrangements for oversight of, and compliance with, the following parts of the PGPA Act and PGPA Rule relating to corporate governance: the general duties of an accountable authority and the duties of officials.

General duties of an accountable authority

3.14 The general duties imposed on an accountable authority in the PGPA Act, which are considered in the following section, are to:

• govern the Commonwealth entity (section 15);
• establish and maintain appropriate systems relating to risk management and oversight and internal controls (section 16);
• encourage officials to cooperate with others to achieve common objectives (section 17);
• take into account the effects of imposing requirements on others (section 18); and
• keep their minister, and the Finance Minister, informed (section 19).

3.15 The ANAO’s assessment in relation to CSC’s compliance with these requirements has been detailed below.

Duty to govern the entity

3.16 The board has developed a charter for how the board performs its functions ‘in a proper, efficient and effective manner’. As outlined in Chapter 2 of this report, the board has also structured its own operations to include the use of board committees to support its decision-making and assist it in meeting its responsibilities. This includes providing oversight and reporting on the use and management of public resources for which the accountable authority is responsible.

3.17 The board approves the strategic direction of the entity through the corporate plan, strategic plan and delivery plan. These documents, taken together, outline the entity’s purposes and activities it will engage in to achieve those purposes. The documents outline strategic priorities and key business initiatives, including performance measures and financial considerations.

3.18 The board approves financial budgets for the entity and receives regular financial reporting to track the use and management of public resources and to monitor the financial sustainability of the entity. The board regularly approves Financial Delegations and Authorities instruments. The board also receives regular reporting on the achievement of financial and non-financial performance measures. Other policies reviewed by the board are described in paragraphs 2.49 to 2.51.

Duty to establish and maintain systems relating to risk and control

3.19 The board has approved a Risk Management Strategy (November 2021). This document describes the strategy CSC has in place for managing risks and the key elements of the risk management framework that give effect to this strategy. The framework is designed with reference to ISO 31000:2018 Risk Management – Guidelines, APRA’s Prudential Standard SPS 220 Risk Management and APRA’s Prudential Practice Guide SPG 220 Risk Management.

3.20 The board has approved a Risk Appetite Statement (November 2021) which documents the board’s view on how much risk CSC is prepared to accept in pursuit of its objectives. The Risk Appetite Statement outlines operating boundaries to guide management on the application of the board’s risk appetite. This document states that ‘zero appetite for a particular event is articulating an operational boundary rather than a risk (there is no risk/reward/cost trade-off to be evaluated)’. In a risk management update provided to the risk committee in March 2022, it was noted that in a recent risk culture survey ‘employees either do not understand risk appetite or how to apply it as part of their decision making … almost half of respondents (54%) indicating the boundaries of acceptable risk taking are unclear.’

3.21 As part of its planned agenda items, the board receives regular reports on the top non-investment risks, investment risks, emerging risks and a general risk management update. The risk management update includes a CSC risk dashboard examining enterprise category risks and remediations.

3.22 Under section 10 of the PGPA Rule the accountable authority has explicit governance responsibilities in relation to the management of fraud risks.⁵⁵ The board has approved a Fraud and Corruption Control System (November 2021), which CSC has indicated is its fraud control plan. This document outlines the systems for controlling the risk of fraud and corruption. It states that it has been designed to comply with AS 8001:2021 Fraud & Corruption Control, APRA SPG 223 – Fraud Risk Management and the Commonwealth Fraud Control Framework.

3.23 CSC’s Fraud and Corruption Control System states that the board ‘has an awareness of the CSC’s fraud and corruption exposures and demonstrates a high level of commitment to controlling the risks of fraud and corruption both against CSC and by CSC’. The following statement of risk attitude is included in CSC’s Risk Appetite Statement:

CSC has no tolerance for internal fraud, inadequate governance processes to manage conflicts of interest, or deliberate material regulatory breaches.

3.24 A fraud risk register has been prepared as part of the business-as-usual risk register. The December 2021 risk register identified ten external fraud risks and twenty-three internal fraud risks. Two of the internal fraud risks had a residual risk rating of ‘medium’, which is above the board’s ‘no tolerance’ for internal fraud. These were:

• ID 053 – Third party payment from fund (internal event); and
• ID 140 – Fraudulent diversion of superannuation contributions (cheque or SuperStream).

3.25 The risk committee (or audit committee or board) has not been provided with a plan that outlines how CSC will deal with specific fraud risks including those which are outside of the board’s risk appetite.

3.26 In June 2021 CSC engaged consultants (MW Consulting) to perform an Independent Review of the Fraud and Corruption Risk Assessment. This report was tabled at the risk committee in September 2021. Management provided information to the risk committee that outlined changes management had made to the Fraud and Corruption Control System based on the recommendations contained in the report. The report made recommendations to management to update the fraud risk register including changes to risk descriptions, risk ratings, articulation of controls, and owners. The report also provided observations and recommendations on a number of fraud risks. It did not include a fraud risk assessment or fraud control plan.

3.27 Neither the risk committee nor audit committee considered whether the changes made by management to the risk register, as a result of the consultancy report, were consistent with the accountable authority’s obligation to ensure there were appropriate mechanisms for dealing with identified fraud risks.

3.28 Section 10 of the PGPA Rule requires that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by: conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment. During the review period, neither a fraud and corruption risk assessment nor a fraud control plan which dealt with identified fraud risks was reviewed by the board, risk committee or audit committee.

3.29 As part of its planned agenda items, the risk committee receives reports for noting on potential fraud referrals, including a potential fraud referral analysis outlining allegation type, referral source and how many referrals/cases have been referred externally for further investigation. During the review period thirteen updates were provided. The most recent update was provided in March 2022, this identified that there were 85 potential fraud referrals over the rolling 12-month period to 31 January 2022. The most frequent allegations identified in this update were: member identity theft alert; benefit abuse; illegal early release; and online account compromised. The report also identified one internal fraud allegation.

3.32 For information related to establishing and maintaining an appropriate system of internal control for the entity, refer to paragraphs 2.68 to 2.75 on the oversight of the internal audit function and paragraphs 3.3 to 3.11 on arrangements for the oversight of compliance with key legislation.

Duty to encourage cooperation with others and duty in relation to requirements imposed on others

3.33 The Corporate Plan 2021–22 outlines CSC’s mission, values and customer promise. The values include: ‘focus on customers, be fair, listen openly and talk straight, work together and think broadly’.

3.34 CSC’s customer promise is underpinned by three customer commitments:

1. Guiding you towards your personal super goals

2. Empowering you with the confidence to take the next step

3. Sharing our expertise to secure your financial future.⁵⁶

3.35 A stakeholder engagement strategy and stakeholder engagement management plan are currently being developed by CSC. There is no date scheduled for when these documents will be approved by the board.

3.36 The Risk Management Strategy (November 2021) recognises the importance of communication and consultation at each step of the risk management process. It encourages dialogue with key stakeholders to be focused on consultation rather than a one-way flow of information, to ensure those accountable for implementing the risk management process and the stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.

Duty to keep responsible Minister and Finance Minister informed

3.37 Each board meeting includes a general business item of ‘Board Correspondence’. This provides a summary, and includes relevant attachments, of any correspondence with the minister on the activities of the entity and what information has been provided and/or received. At each board meeting there is also a chair’s report.

General duties of officials

3.38 In addition to the general duties of an accountable authority discussed above, the PGPA Act specifies duties applicable to all officials (which include the accountable authority). Officials are required to exercise a duty:

• of care and diligence (section 25);
• to act honestly, in good faith and for a proper purpose (section 26);
• not to misuse position (section 27);
• not to misuse information (section 28); and
• to disclose material personal interests (section 29).

3.39 Officials also have a responsibility to:

• comply with the finance law;
• comply with the governance arrangements in the entity, for example, internal controls on the proper use and management of public resources; and
• meet high standards of governance, performance and accountability.

3.40 Officials who breach their duties or responsibilities under the PGPA Act can be subject to employment sanctions (including termination of appointment for board members) or criminal sanctions for intentional or serious misuse of public resources. For more details of the duties that apply to all officials under the PGPA Act, refer to Appendix 4 of this audit.

3.41 The CSC has a range of policies and procedures that describe the general duties of officials. These are summarised in Table 3.1.

Has the board established fit-for-purpose arrangements to oversight the achievement of entity purposes?

3.42 The corporate plan is the primary planning document published by an entity⁵⁷, setting out its purposes, the operating context in which it will operate, the key activities it intends to pursue, and how performance will be measured and assessed over at least four reporting periods.⁵⁸

3.43 The annual performance statements are the mechanism by which an accountable authority provides information about the entity’s performance in achieving its purposes.⁵⁹ The annual performance statements are intended to complete the cycle of performance reporting that commenced at the start of the reporting period with the Portfolio Budget Statements (PBS) and corporate plan. An entity’s annual performance statements should report the actual results achieved against the performance measures and targets set for the entity in its corporate plan and PBS.⁶⁰

3.44 Performance measurement involves collecting, analysing and reporting information about the performance of an entity against its purposes. Having effective performance reporting and monitoring arrangements is a key aspect of good governance. Finance guidance states that:

Effective performance measurement enables entities to:

• measure and assess their progress toward achieving their purposes;
• drive desired changes in the efficiency and effectiveness of services;
• demonstrate whether the use of public resources is making a difference and delivering on government objectives;
• make decisions about how best to deploy its resources to achieve competing priorities; and
• demonstrate and promote their achievements and explain any variance from expectations or reference points/enables entities to identify and report on their achievements.⁶¹

3.45 To assess if the board has established fit-for-purpose arrangements to oversight the achievement of entity purposes, the ANAO examined the content of the corporate plans and the annual performance statements and assessed whether these documents complied with the PGPA Rule and reflected Finance resource management guidance. The level of assurance sought by the board over the content of these documents was also considered. In addition, the ANAO assessed the arrangements for monitoring by the board of financial and non-financial performance.

Is there oversight of entity performance against the purposes and performance measures identified in the corporate plan?

3.46 The audit committee terms of reference includes in its purpose to provide an assessment of Commonwealth performance reporting requirements. However, corporate plans, performance reporting and annual performance statements are not provided to, or assessed by, the audit committee, rather they are provided directly to the board for review and approval. This does not align to the role of an audit committee as set out in the PGPA Rule (discussed in paragraphs 2.37 to 2.46 of this audit report).⁶²

Corporate plans

3.47 Each year the board approves CSC’s business plan. The business plan comprises three components:

• the corporate plan — this section details the required corporate plan information to be provided to the minister and published on CSC’s website. The contents of this section are driven by PGPA Act and PGPA Rule requirements;
• the strategic plan — this section details CSC’s strategic objectives and how CSC will operationalise its strategic priorities. The strategic priorities are specific and measurable and linked to the achievement of member outcomes. This section includes a suite of key business initiatives that have been developed to achieve the strategic targets, details other significant business as usual projects, and provides information on financial and risk management matters relevant to the achievement of the strategy. It also includes how initiatives will contribute to sound and prudent management of business operations; and
• the delivery plan — this section provides more detailed information on key business initiatives and will be used by management to track activities. It includes how certain activities will be funded and how they will progressively impact CSC’s financial projections. Material risks are also identified.

3.48 The corporate plan has not been fully established as CSC’s primary planning document, as it is one component of an overarching business planning framework which consists of a number of planning processes and documents. The ANAO made a similar finding on this matter in 2016.⁶³

3.49 The nature and complexity of an entity determines the scope and complexity of its internal planning processes and, by extension, the content of its corporate plan. However, the PGPA Rule provides that the corporate plan must cover a period of at least four reporting periods and there are another five PGPA Rule minimum requirements that must be addressed in the corporate plan. Table 3.2 summarises the ANAO’s assessment of the CSC Corporate Plan 2021–22 document against these minimum requirements. Results of the assessment are further analysed below.

Table 3.2: Analysis of CSC’s compliance with corporate plan requirements

Key: ◆ Fully compliant ▲ Partially compliant ■ Not compliant

Source: ANAO analysis of CSC Corporate Plan 2021–22.

3.50 In the following section, the ANAO has set out details of the ‘not compliant’ and ‘partially compliant’ assessments in the table above.

Not compliant results

3.51 The Corporate Plan 2021–22 only covered a three-year period to 2023–24.

3.52 In terms of ‘operating context’, the Corporate Plan 2021–22 does not provide the following information. Strategies and plans the entity will implement to have the capability it needs to undertake its key activities and achieve its purposes. The Corporate Plan 2021–22 identifies the current capabilities to deliver its core functions including: organisational governance, risk management, people and culture, data management and corporate effectiveness and infrastructure. It does not identify strategies and plans it is implementing, or planning to implement during the reporting period, to develop its capabilities to achieve its purposes. For example, the strategic plan provides information on how the strategic objectives of the transformed customer operating model and changes to technology infrastructure and information security will provide the needed platform for greater innovation in customer products and improved net promoter scores. This information has been approved by the board as part of the broader business plan document, but it has not been described in the corporate plan that is provided to the minister and the public.

3.53 In addition, the Corporate Plan 2021–22 did not include details of any organisation or body that will make a significant contribution towards achieving the entity’s purposes through cooperation with the entity, including how that cooperation will help achieve those purposes. The draft stakeholder management strategy highlights that CSC has a range of external stakeholders that make a significant contribution towards achieving the entity’s purposes and that their cooperation is critical to the success of CSC’s activities. The draft stakeholder engagement strategy identifies a range of external stakeholders, including the Department of Defence, employer agencies, fund managers and partners that assist with the administration and delivery of CSC’s operations.

Partially compliant results

3.54 The Department of Finance’s guidance on developing good performance information states that:

Accountable authorities are required to measure and assess the performance of the entity in achieving its purposes. One of the objects of the [PGPA] Act is to require Commonwealth entities to provide meaningful information to the Parliament and the public to assist them in understanding how entities are performing, and how they are using the resources that have been entrusted to them.⁶⁴

3.55 For its key activities and performance requirements, CSC has included limited information in the Corporate Plan 2021–22. The information included focuses on the delivery of its core functions to achieve member outcomes. These are the activities and performance measures identified in the PBS.

3.56 The key activities and performance measures (criteria and targets) included in CSC’s corporate plans have remained the same for more than five years. During this time CSC has faced, and responded to, environmental and regulatory challenges to its operations and how it is using the public resources that have been entrusted to it to achieve member outcomes.

3.57 The board is engaged in the development of CSC’s business plan and strategic directions. The board also approves CSC’s corporate plan. However, board meeting minutes did not evidence consideration or review of the appropriateness of the type and level of information on key activities and performance measures included in the corporate plan. Similarly, board meeting minutes did not evidence consideration of whether this information continued to provide meaningful information to the Parliament and the public on the use of resources and CSC’s efficiency and effectiveness in delivering outcomes.

3.58 CSC has identified four performance criteria and five performance targets in its Corporate Plan 2021–22 to assist the Parliament and the public in assessing its performance. Section 16EA of the PGPA Rule requires an entity’s performance measures to use sources of information and methodologies that are reliable and verifiable and to provide an unbiased basis for the measurement and assessment of the entity’s performance. The ANAO identified that performance targets included in CSC’s Corporate Plan 2021–22 did not always provide sufficient information on the measures to meet these requirements. Table 3.3 below outlines, by way of example, the performance criteria and target to measure the activity ‘Administer the Schemes’ in the corporate plan.

Table 3.3: Corporate Plan 2021–22 performance information

Source: CSC Corporate Plan 2021–22.

3.59 The performance criteria and targets in Table 3.3 do not provide sufficient information to the Parliament and the public on what will be measured (for example, what the key operational objectives to be achieved are) or the methodologies and data sources to support the measurement. Without sufficient supporting material CSC cannot demonstrate that the measure is unbiased.

3.60 In addition, this target is a composite target, and does not provide any pre-determined weighting or approach to assessing the final result. Without a pre-determined approach to the calculation of a composite result CSC cannot demonstrate that the measure and target, read together, are unbiased.

3.61 Section 16EA of the PGPA Rule requires that, where reasonably practicable, performance measures should comprise a mix of qualitative and quantitative performance measures and include measures of the entity’s outputs, efficiency and effectiveness. There are no measures of efficiency evident in the corporate plan. CSC did not provide the ANAO with evidence of the board considering the number, type and balance of performance information included in the Corporate Plan 2021–22.

Note a: ANAO comment: As discussed in paragraph 3.42 and footnote 57 of this report, successive versions of the Explanatory Memorandum for the Public Governance, Performance and Accountability Bill 2013 stated that: ‘The corporate plan is the primary planning document of an entity’. As noted in paragraph 3.48 and footnote 63 of this report, the CSC advised the ANAO in August 2016, in response to an audit finding that it had not positioned its first corporate plan as the primary planning document, that: ‘Given the Department of Finance’s policy expectations that the PGPA plan is the primary planning document, the CSC Board agreed at its 12 May 2016 meeting that the 2016–17 PGPA corporate plan be regarded as the principal planning document for delivering on CSC’s purpose, and will contain performance criteria and targets that indicate achievement of that purpose.’

Performance monitoring

3.64 The board monitors quarterly management reporting on the achievement of corporate plan performance targets, business plan milestones and key business initiatives. Progressive performance information is provided. Status information is provided on the achievement of key business initiatives, including information on risk, schedule, budget and resources. An operational performance dashboard is also provided to the board for noting. The board receives regular reports on customers and complaints which include progress against its strategy and elements of its performance measures. Every quarter, the board receives a finance report which includes a summary of financial position against budget and an analysis of variances.

3.65 CSC management performs an Annual Business Performance Review. The 2020 review was reported to the board in June 2021. This review is prepared to meet APRA Prudential Standard SPS 515: Strategic Planning and Member Outcomes requirement to review CSC’s performance in achieving its strategic objectives. It draws on the information included in the quarterly performance reporting.

Annual performance statements

3.66 Annual performance statements are approved by the board as part of its approval of the annual report. Board minutes indicate that annual reports for 2019–20 and 2020–21 were reviewed and approved by the board.

3.67 There are three PGPA Rule minimum requirements that must be addressed in an entity’s annual performance statements. Table 3.4 summarises the ANAO’s assessment of compliance for CSC’s annual performance statements included in the Annual Report 2020–21.

Table 3.4: Analysis of CSC’s compliance with annual performance statement requirements

Key: ◆ Fully compliant ▲ Partially compliant ■ Not compliant

Source: ANAO analysis of CSC Annual Report 2020–21.

3.68 The quality of the annual performance statements and their ability to provide informative results for an entity’s performance stems from the quality of the performance measures (criteria and targets) included in the corporate plan. Refer to paragraphs 3.54 to 3.61 for an assessment of the performance measures included in CSC’s corporate plans.

Are there arrangements to provide the board with assurance relating to entity performance against the purposes and performance measures identified in the corporate plan?

3.69 Finance provides a range of guidance and suggestions for audit committees to consider when addressing the PGPA Rule requirements for reviewing the appropriateness of performance reporting. This includes considering the efficiency of undertaking a rolling approach to detailed review of performance reporting.⁶⁵

3.70 The board did not obtain assurance over the content of the 2019–20 or 2020–21 annual performance statements. The annual performance statements were prepared by management and provided to the board for approval.

3.71 The audit committee has responsibility for providing assurance over the internal control and compliance systems. This includes the approval of the internal audit plan (refer to paragraphs 2.68 to 2.75 for additional detail on the internal audit function).

3.72 The internal audit plan included two reviews performed by the internal auditor (KPMG) which related to the data collection and survey processes used within CSC. These processes are used to prepare information which is included in the annual performance statements related to customer satisfaction and net promoter scores (NPS). The following internal audits were completed.

• Voice of the Customer Program Review, June 2019. The objective of the review was to assess the independence, completeness and accuracy of the voice of the customer program and scoring system. Twelve opportunities for improvement were identified in this report.
• NPS Survey Assessment, December 2020. The objective of this review was to assess progress in implementing improvement opportunities in the above-mentioned June 2019 Voice of the Customer Program Review. This report identified five findings and nine performance improvement opportunities.

3.73 The annual performance statements include information related to investment performance. Although there were no internal audits which specifically assessed investment performance information and the data collection process, the board has relied on annual ANAO limited assurance reports on APRA reporting forms and on controls and compliance to indicate if management reporting was complete and accurate for the period, including performance reporting.⁶⁶

Appendix 1 Entity responses

 

 

 

 

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2021–22 Corporate Plan states that the ANAO’ s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. During the course of the audit, the ANAO did not observe changes in the Commonwealth Superannuation Corporation’s approach to board governance.

Appendix 3 General duties as an accountable authority

Source: ANAO analysis of sections 15–19 of the Public Governance, Performance and Accountability Act 2013.

Appendix 4 General duties of an official

Source: ANAO analysis of sections 25–29 of the Public Governance, Performance and Accountability Act 2013.

Appendix 5 Director qualities and behaviours

1. The ANAO sought to determine whether board directors demonstrated corporate governance better practice qualities and behaviours drawn from key themes in recent reviews of corporate governance. These included:

• an openness to declaring conflicts of interest;
• an ability to conduct meetings in a professional, collegiate and respectful manner;
• a willingness to undertake sufficient preparation to enable meetings to be conducted in a productive manner;
• an understanding of their obligations as the accountable authority under the Public Governance, Performance and Accountability Act 2013 and the challenges facing the entity;
• a desire and commitment to act in the best interest of the entity;
• a willingness to invest in their own understanding of issues and entity operations, including participation in voluntary training sessions; and
• direct engagement with the entity executive on key areas of interest.

2. A comparable list of qualities and behaviours was adopted in the ANAO’s 2019 audit series on board governance discussed in paragraph 1.7 of this report.