Audit snapshot

Why did we do this audit?

  • The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of a parliamentary inquiry or an audit, and for demonstrating accountability to the Parliament.
  • This is the fifth in a series of audits. This audit examined recommendations directed to the Attorney-General’s Department (AGD), the Australian Federal Police (AFP), and the Office of the Commonwealth Director of Public Prosecutions (CDPP).

Key facts

  • A schedule of outstanding government responses to parliamentary committee reports is generally presented to the Parliament twice a year.
  • Across the Australian Government, one per cent of Senate committee reports and six per cent of House of Representatives committee reports were responded to within the agreed timeframes.

What did we find?

  • AGD, AFP and CDPP effectively implemented some, but not all, of the agreed parliamentary committee and Auditor-General recommendations.
  • Of 27 agreed recommendations examined, 13 were fully or largely implemented by AGD, AFP and CDPP.
  • AGD, AFP and CDPP’s arrangements, processes and systems for responding to, monitoring, and implementing recommendations were mixed.

What did we recommend?

  • The Auditor-General made five recommendations relating to: processes; governance and reporting arrangements; systems; and assurance and evaluation.
  • AGD, AFP and CDPP agreed to all recommendations.

  • 9 out of 19 recommendations fully or largely implemented by AGD.
  • 2 out of 4 recommendations fully or largely implemented by AFP.
  • 2 out of 4 recommendations fully or largely implemented by CDPP.

Summary and recommendations

Background

1. Parliamentary committee and Auditor-General reports identify risks to the successful delivery of outcomes and provide recommendations to address them. The successful implementation of agreed recommendations requires effective governance arrangements, with timely implementation approaches, that set clear responsibilities and timelines for addressing the required actions.

2. The Attorney-General’s portfolio is responsible for key policy and regulatory functions across national security, cyber security, law enforcement, foreign interference and the administration of justice. Entities within this portfolio regularly receive recommendations from parliamentary committee inquiries and from external audit activity by the Australian National Audit Office (ANAO). The audit focusses on three entities within the portfolio:

  • the Attorney-General’s Department (AGD);
  • the Australian Federal Police (AFP); and
  • the Office of the Commonwealth Director of Public Prosecutions (CDPP).

Rationale for undertaking the audit

3. Parliamentary committee and Auditor-General reports have identified risks to the successful delivery of outcomes within the Attorney-General’s portfolio and areas where administrative or other improvements can be made. The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of a parliamentary inquiry or an audit, and for demonstrating accountability to the Parliament.

4. This is the fifth in a series of audits that highlights whether entities have implemented recommendations in line with commitments made to the Parliament. This audit will provide assurance to the Parliament that recommendations are being implemented as agreed.

Audit objective and criteria

5. The audit examined whether the selected entities within the Attorney-General’s portfolio have implemented all agreed recommendations from parliamentary committee and Auditor-General reports within the scoped timeframe.

6. To form a conclusion against the audit objective, the following high-level criteria were adopted.

  • Do the entities have fit-for-purpose arrangements to respond to, monitor and implement agreed recommendations?
  • Were agreed recommendations effectively implemented?

7. The ANAO reviewed the entities’ implementation of 27 parliamentary committee and Auditor-General recommendations, comprised of the following:

  • AGD — 11 parliamentary committee recommendations and eight Auditor-General recommendations;
  • AFP — one parliamentary committee recommendation and three Auditor-General recommendations; and
  • CDPP — four Auditor-General recommendations.

Conclusion

8. The selected entities within the Attorney-General’s portfolio have effectively implemented some, but not all, of the agreed parliamentary committee and Auditor-General recommendations.

9. AGD did not have fit-for-purpose arrangements for parliamentary committee recommendations. The department did have fit-for-purpose arrangements for Auditor-General recommendations. AGD did not have an effective system to monitor the implementation of recommendations. AFP had largely fit-for-purpose arrangements for parliamentary committee recommendations and partly fit-for-purpose arrangements for Auditor-General recommendations. AFP had an effective system to support these arrangements. CDPP had largely fit-for-purpose arrangements for Auditor-General recommendations but should improve its arrangements for parliamentary committee recommendations.

10. AGD’s implementation planning was largely fit-for-purpose, and its monitoring of recommendations was largely effective. AFP and CDPP’s implementation planning was partly fit-for-purpose, and the two entities’ monitoring of recommendations was largely effective.

11. With respect to the 27 agreed recommendations examined across the three entities:

  • AGD — six were implemented, three were largely implemented, three were partly implemented, two were not implemented, and for five implementation was ongoing;
  • AFP — two were largely implemented, one was partly implemented and for one implementation was ongoing; and
  • CDPP — one was implemented, one was largely implemented, and two were partly implemented.

Supporting findings

Arrangements to respond to, monitor and implement agreed recommendations

12. AGD had documented processes and responsibilities to respond to parliamentary committee recommendations. The department did not have documented responsibilities or a process to plan the implementation, monitor or close all parliamentary committee recommendations. AFP had documented responsibilities and processes to respond to, monitor and close parliamentary committee recommendations, but could improve its implementation planning. CDPP, which is not frequently subject to parliamentary committee recommendations, did not have documented responsibilities or processes to implement or monitor parliamentary committee recommendations. (See paragraphs 2.2 to 2.50)

13. AGD had assigned responsibilities and processes in place to respond to, monitor and implement Auditor-General recommendations. AFP’s arrangements and processes were limited to monitoring and oversight of recommendations. CDPP had documented responsibilities and processes to respond to and oversee the implementation of recommendations, but its practices to implement and monitor agreed recommendations were not documented. (See paragraphs 2.51 to 2.69)

14. AGD, as the portfolio department and as an entity frequently subject to recommendations, did not have a system to monitor the implementation of parliamentary committee and Auditor-General recommendations. The document used by AGD to monitor recommendations did not have appropriate controls to provide assurance of the completeness and accuracy of information. AFP used an appropriate system to monitor the implementation of recommendations but could not provide assurance that the tracking information contained within the system was complete. CDPP did not have a system in place to monitor the implementation of recommendations. Due to CDPP’s size and infrequency of recommendations requiring implementation, CDPP’s use of a tracking document was appropriate. (See paragraphs 2.70 to 2.82)

Implementation of recommendations

15. The three entities assigned a recommendation owner to all recommendations and identified implementation action items for 24 of the 27 recommendations. AGD set an implementation timeframe for 17 of 19 recommendations, AFP did not set timeframes for its four recommendations, and CDPP set a timeframe for one of four recommendations. AGD and CDPP did not assign risk ratings to recommendations, and AFP assigned a risk rating to one of four recommendations. (See paragraphs 3.2 to 3.6)

16. AGD monitored the implementation of parliamentary committee and Auditor-General recommendations. AGD implemented eight of 11 JCPAA and Auditor-General recommendations within agreed timeframes. AGD’s monitoring of other parliamentary committee recommendations was limited because it did not monitor timeframes.

17. AFP monitored the implementation of Auditor-General recommendations, but it did not monitor its parliamentary committee recommendation in line with the Investigations, Operations and Compliance Board of Management’s responsibilities. AFP did not monitor any of the recommendations against timeframes.

18. CDPP monitored the implementation of Auditor-General recommendations. For the one recommendation with an established timeframe, the recommendation was not implemented within the agreed due date. (See paragraphs 3.7 to 3.19)

19. The entities did not implement all recommendations in full.

  • AGD — for the 11 parliamentary committee recommendations: three were implemented; one was largely implemented; one partly implemented; one not implemented; and for five implementation was ongoing. For the eight Auditor-General recommendations: three were implemented; two were largely implemented; two were partly implemented; and one was not implemented.
  • AFP — the one parliamentary committee recommendation was largely implemented. For the three Auditor-General recommendations: one was largely implemented; one was partly implemented; and for one implementation was ongoing.
  • CDPP — for the four Auditor-General recommendations: one was implemented; one was largely implemented; and two were partly implemented. For the two partly implemented recommendations, CDPP considered, but decided not to implement, all agreed recommendation actions.

20. For the recommendations recorded as implemented by the entities:

  • AGD closed all JCPAA and Auditor-General recommendations in accordance with requirements, and closed three other parliamentary committee recommendations;
  • AFP closed its Auditor-General recommendation in accordance with requirements, but did not close the parliamentary committee recommendation; and
  • CDPP closed all Auditor-General recommendations. (See paragraphs 3.20 to 3.119)

Recommendations

Recommendation no. 1

Paragraph 2.15

The Attorney-General’s Department improve existing arrangements for responding to parliamentary committee reports to provide assurance that the Minister has sufficient time for consideration, within the timeframes set by the Prime Minister and Cabinet Tabling Office.

Attorney-General’s Department response: Agreed.

Recommendation no. 2

Paragraph 2.29

The Attorney-General’s Department, the Australian Federal Police, and the Office of the Commonwealth Director of Public Prosecutions each establish and document fit-for-purpose processes for planning the implementation of parliamentary committee recommendations, including the requirement to assign responsibility, set timeframes for implementation, and assign risk ratings.

Attorney-General’s Department response: Agreed.

Australian Federal Police response: Agreed.

Office of the Commonwealth Director of Public Prosecutions response: Agreed.

Recommendation no. 3

Paragraph 2.42

The Attorney-General’s Department and the Office of the Commonwealth Director of Public Prosecutions each establish fit-for-purpose governance arrangements and documented processes to monitor the implementation of all agreed parliamentary committee recommendations, and report implementation progress to an appropriate oversight body.

Attorney-General’s Department response: Agreed.

Office of the Commonwealth Director of Public Prosecutions response: Agreed.

Recommendation no. 4

Paragraph 2.77

The Attorney-General’s Department establish and maintain an appropriate system to effectively monitor the implementation of agreed parliamentary committee and Auditor-General recommendations.

Attorney-General’s Department response: Agreed.

Recommendation no. 5

Paragraph 3.65

The Attorney-General’s Department implement appropriate assurance and evaluation arrangements to provide the basis for advice to government on the extent to which the Protective Security Policy Framework is achieving its outcomes.

Attorney-General’s Department response: Agreed.

Summary of entity responses

Attorney-General’s Department

The department is committed to the effective oversight and implementation of recommendations arising from parliamentary committees and the Auditor-General. The department welcomes the ANAO’s assessment of the strengths and weaknesses of its processes.

In 2022, the department formalised structured processes to respond to, monitor and implement recommendations arising from the Auditor-General and the Joint Committee of Public Accounts and Audit. This included the engagement of a qualified auditor to assist the department’s Audit and Risk Management Committee to provide assurance over the monitoring and implementation of these recommendations.

The department has commenced the implementation of fit-for-purpose processes and governance arrangements to improve the monitoring and implementation activities over Parliamentary Committee recommendations. This includes the implementation of a system with appropriate controls to monitor the implementation of all agreed recommendations.

Australian Federal Police

The AFP notes the report’s findings and agrees with the recommendation and two opportunities for improvement directed to the AFP.

Following this ANAO audit, the AFP has commenced work to enhance our recommendation implementation planning practices, including formalising accountabilities, monitoring and oversight arrangements. Accordingly, the AFP has developed a Recommendation Implementation Plan template, which is currently being trialled for agreed recommendations in a recently-issued ANAO report (Auditor-General Report No. 9 2022–23). Work will continue on embedding AFP’s enhanced oversight arrangements for the implementation of both Auditor-General and parliamentary committee recommendations.

Office of the Commonwealth Director of Public Prosecutions

The CDPP values appropriate and timely implementation of agreed recommendations as part of demonstrating accountability, transparency and continuous improvement of governance, assurance, and risk management arrangements. The CDPP agrees with the underlying intent of the report’s recommendations. We recognise the benefit of documenting arrangements for dealing with recommendations from parliamentary committees with attention to: planning the implementation of agreed actions; assigning responsibility, timeframes and ratings for implementation; and progress reporting to appropriate oversight bodies.

The CDPP has rarely been subject to parliamentary committee recommendations. The Audit Committee and Executive Leadership Group each has responsibility enshrined in its existing Charter or Terms of Reference for overseeing our response to such recommendations. As a small agency, we are conscious of the impost of creating new and bespoke processes for infrequent recommendations. The CDPP will implement agreed recommendations in a fit-for-purpose manner that is commensurate with the size and nature of our agency.

The CDPP has existing processes in place for responding to recommendations from other assurance activities and is exploring how these arrangements can be further strengthened and extended to include parliamentary committee recommendations. Thus, the CDPP is well placed to address the two relevant recommendations within this report efficiently and expeditiously.

Key messages from this audit for all Australian Government entities

The ANAO published Audit Insights — Implementation of Recommendations on 30 June 2021, which outlines lessons that remain relevant to this audit.[1] Below is a key message in addition to the audit insights, which has been identified in this audit and may be relevant for the operations of other Australian Government entities.

Records Management

  • Documenting established practices supports entities to apply consistent processes and decision-making across business areas, reduce duplication, and improve business continuity.

1. Background

Introduction

1.1 Parliamentary committee and Auditor-General reports identify risks to the successful delivery of government outcomes and provide recommendations to address them. The successful implementation of agreed recommendations by Australian Government entities requires effective governance arrangements, with timely implementation approaches, that set clear responsibilities and timelines for addressing the required actions.

1.2 Committees of the Australian Parliament, including the Joint Committee of Public Accounts and Audit (JCPAA), consist of members from one or both Houses of Parliament. Parliamentary committee inquiries are used to ‘investigate specific matters of policy or government administration or performance’.[2] Where a parliamentary committee has made policy recommendations, the responsible Minister prepares and tables a government response in Parliament. Where the JCPAA has made administrative recommendations, an entity’s accountable authority may prepare and deliver an ‘Executive Minute’ response to the JCPAA’s committee secretary. The Auditor-General scrutinises and provides independent assurance as to whether the Executive arm of government is operating and accounting for its performance in accordance with the Parliament’s intent.

1.3 This is the fifth in a series of performance audits that examine the effectiveness of Australian Government entities’ implementation of agreed recommendations from parliamentary committee and Auditor-General reports.[3] Details of the previous audits can be found in Appendix 3.

The Attorney-General’s portfolio

1.4 The Attorney-General’s portfolio consists of 17 entities and is responsible for key policy and regulatory functions across national security, cyber security, law enforcement, foreign interference and the administration of justice. Entities within this portfolio regularly receive recommendations from parliamentary committee inquiries and are subject to external audit by the Australian National Audit Office (ANAO). This audit focusses on three entities within the portfolio.

  • Attorney-General’s Department (AGD), as the lead entity in the portfolio, is a non-corporate Commonwealth entity that is responsible for Australia’s law, justice, security and integrity frameworks and providing legal services to the Commonwealth.
  • Australian Federal Police (AFP) is a non-corporate Commonwealth entity that is responsible for the provision of police services in relation to laws of the Commonwealth, and to the Australian Capital Territory and external territories. The AFP is also responsible for combatting transnational serious organised crime and terrorism, disrupting crime offshore, supporting regional security, and protecting Australian interests and assets. The AFP transferred to the Attorney-General’s portfolio on 1 July 2022 following a machinery of government change.[4]
  • Office of the Commonwealth Director of Public Prosecutions (CDPP) is a non-corporate Commonwealth entity with the single outcome of contributing to a fair, safe and just society by delivering an effective, independent prosecution service[5] in accordance with the Prosecution Policy of the Commonwealth.

1.5 Table 1.1 shows AGD, AFP and CDPP’s budget and staffing levels for the year 2022–23.

Table 1.1: Budget and average staffing levels of AGD, AFP and CDPP in 2022–23

| Entity | Average staffing level (note a) | Total resourcing (million) |
|---|---|---|
| AGD | 1,766 | $1,185.9 |
| AFP | 7,472 | $1,977.5 |
| CDPP | 473 | $138.2 |

Note a: Average staffing level is a method of counting that adjusts for casual and part-time staff to show the average number of full-time equivalent employees.

Source: Australian Government, October 2022, Portfolio Budget Statements 2022–23, Budget Related Paper No. 1.2: Attorney-General’s Portfolio.

Timeliness of responses to parliamentary committees

1.6 Parliamentary committee inquiries usually recommend government action, for example, the introduction of legislation, a change in administrative procedures, or a review of policy. Such action is the responsibility of the Executive Government rather than the Parliament.

1.7 In response to Auditor-General Report No. 6 2019–20, on 7 August 2019, the Secretary of the Department of the Prime Minister and Cabinet wrote to departmental secretaries strongly encouraging all departments and agencies to:

finalise government responses to parliamentary committee reports in a timely manner so that the Government can table its response to a committee report within the timeframes established through the respective resolutions of the House of Representatives and the Senate … [and] have processes in place to monitor the implementation of recommendations accepted by the Government.

1.8 The Secretary of the Department of the Prime Minister and Cabinet also advised ‘I would appreciate it if [departmental secretaries] could distribute my letter to agencies within your portfolio’.[6]

1.9 The President of the Australian Senate (Senate) and the Speaker of the House of Representatives (House) present a report to the Senate and House, respectively, on the status of all government responses twice a year.[7] Reports remain on this schedule until:

  • a response is received;
  • the relevant committee agrees that a response is no longer expected; or
  • a request to remove an inquiry from the list is received and agreed.

1.10 Table 1.2 outlines the key results from the President of the Senate report as at 30 June and 31 December 2022. Report responses are required within three months of the report being presented to the Senate.

Table 1.2: Senate — outstanding government responses as at 30 June and 31 December 2022 (note a)

| Description | As at 30 June 2022: Amount | As at 30 June 2022: % | As at 31 December 2022: Amount | As at 31 December 2022: % |
|---|---|---|---|---|
| No. of reports with a response | 39 (notes b, c) | 11 | 31 (notes b, e) | 9 |
| No. of reports with a response that was received within the specified timeframe | 3 | 1 | 4 | 1 |
| No. of reports with a response but received late | 36 (note c) | 10 | 27 (note e) | 8 |
| No. of reports with no response | 314 (note b) | 89 | 319 (note b) | 91 |
| Total no. of reports included in the schedule | 353 (note d) | 100 | 350 (note d) | 100 |
| Shortest timeframe taken to respond | < 1 month | | < 1 month | |
| Longest timeframe where a response was provided | 82 months (6 years and 10 months) | | 25 months (2 years and 1 month) | |
| Latest pending response (not yet received) | 233 months (19 years and 5 months) | | 239 months (19 years and 11 months) | |

Note a: The ANAO identified discrepancies and could not obtain assurance over the completeness and accuracy of this data. For example, some joint committee reports were not included in reporting.

Note b: Total numbers include eight partial responses in the June report and 14 partial responses in the December report. Partial responses occur where responses have been received for some but not all recommendations. This typically occurs where recommendations are directed at multiple entities.

Note c: Fifteen JCPAA reports were listed in the June President of the Senate report. There were ten responses including six partial responses. All responses that were due to be provided were late.

Note d: The time allowed for responding had not yet expired for three of the 314 reports with no response in the June report, and had expired for all of the 319 reports with no response in the December report.

Note e: Fifteen JCPAA reports were listed in the December President of the Senate report. There were no complete responses and 12 partial responses. All responses were late.

Source: ANAO analysis of Senate reporting.

1.11 Table 1.3 outlines the key results from the Speaker of the House report as at 1 December 2022. Report responses are required within six months from the report being presented to the House.

Table 1.3: House — outstanding government responses as at 1 December 2022 (note a)

| Description | Amount | % |
|---|---|---|
| No. of reports with a response | 38 (notes b, c) | 22 |
| No. of reports with a response that was received within the specified timeframe | 11 | 6 |
| No. of reports with a response but received late | 27 (notes b, c) | 16 |
| No. of reports with no response | 132 (note b) | 78 |
| Total no. of reports included in the schedule | 170 (note d) | 100 |
| Shortest timeframe taken to respond | < 2 months | |
| Longest timeframe where a response was provided | 39 months (3 years and 3 months) | |
| Latest pending response (not yet received) | 162 months (13 years and 6 months) | |

Note a: The ANAO identified discrepancies and could not obtain assurance over the completeness and accuracy of this data. For example, some joint committee reports were not included in the reporting.

Note b: Total numbers include 15 partial responses. Partial responses occur where responses have been received for some but not all recommendations. This typically occurs where recommendations are directed at multiple entities.

Note c: Seventeen JCPAA reports were listed in the Speaker of the House report. There were 14 responses provided, all of these were partial responses, and nine were provided late. Three reports have received no response and are overdue.

Note d: The time allowed for responding had not yet expired for 27 of the 132 reports with no response.

Source: ANAO analysis of House of Representatives reporting.

1.12 Very few government responses to parliamentary committee reports were received in the required timeframes. Within the most recent reporting period:

  • four of the 350 (one per cent) Senate and joint committee reports[8] received a response within the three-month timeframe; and
  • eleven of the 170 (six per cent) House and joint committee reports received a response within the six-month timeframe.

1.13 The timeliness of government responses has remained consistently low across all five performance audits in this series.

Rationale for undertaking the audit

1.14 The Attorney-General’s portfolio is responsible for key policy and regulatory functions across national security, cyber security, law enforcement, foreign interference and the administration of justice. Parliamentary committees and Auditor-General reports have identified risks to the successful delivery of outcomes within the portfolio and areas where administrative or other improvements can be made. The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of a parliamentary inquiry or an audit, and for demonstrating accountability to the Parliament.

1.15 This is the fifth in a series of audits that highlights whether entities have implemented recommendations in line with commitments made to the Parliament. This audit will provide assurance to the Parliament that recommendations are being implemented as agreed.

Audit approach

Audit objective, criteria and scope

1.16 The audit examined whether AGD, AFP and CDPP have implemented all agreed recommendations from parliamentary committee and Auditor-General reports within the scoped timeframe.

1.17 To form a conclusion against the audit objective, the following high-level criteria were adopted.

  • Do the entities have fit-for-purpose arrangements to respond to, monitor and implement agreed recommendations?
  • Were agreed recommendations effectively implemented?

1.18 To allow sufficient time for implementation, the recommendations examined under criterion two of this audit were limited to the following two categories:

  • parliamentary committee reports tabled between January 2020 and June 2021, where a government response was received prior to 30 June 2021, including those agreed to or noted, with an action item allocated to AGD, AFP or CDPP; and
  • Auditor-General reports tabled between January 2020 and June 2021.

1.19 The scope of this audit did not include:

  • parliamentary committee reports where the subject of the report was either a review of annual reports, or an inquiry or review into proposed bills or delegated legislation; and
  • any recommendations that were agreed to by other entities within the Attorney-General’s portfolio.

1.20 Table 1.4 outlines the number of agreed parliamentary committee and Auditor-General recommendations examined in this audit. For details of the selected recommendations see Appendices 4, 5, 6 and 7.

Table 1.4: Parliamentary committee and Auditor-General reports and recommendations within the audit scope

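| Author | No. of reports | Agreed recommendations: AGD | Agreed recommendations: AFP | Agreed recommendations: CDPP | Agreed recommendations: Total |
|---|---|---|---|---|---|
| Joint Committee of Public Accounts and Audit | 1 | 3 | 0 | 0 | 3 |
| Parliamentary Joint Committee on Intelligence and Security | 1 | 8 | 1 | 0 | 9 |
| Auditor-General performance audit | 4 | 8 | 3 | 4 | 15 |
| Total number of reports and recommendations assessed | 6 | 19 | 4 | 4 | 27 |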

Source: ANAO analysis.

Audit methodology

1.21 The audit involved:

  • reviewing entity documentation, such as guidelines, procedures, management reports, audit committee papers, meeting minutes, briefing materials, implementation plans, closure packs and other supporting evidence relating to monitoring progress and reporting against agreed recommendations;
  • examining IT system controls and supporting documentation for those systems used by entities to manage recommendations; and
  • meeting with relevant entity staff.

1.22 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $460,000.

1.23 The team members for this audit were Laura Trobbiani, Irena Korenevski, Michael Dean, Hasani Ganewatta, Edwin Apoderado, Kelvin Le, Yahya Mohammad, Olivia Robbins, Lesa Craswell and Alex Wilkinson.

2. Arrangements to respond to, monitor and implement agreed recommendations

Areas examined

This chapter examines whether the Attorney-General’s Department (AGD), the Australian Federal Police (AFP) and the Office of the Commonwealth Director of Public Prosecutions (CDPP) had fit-for-purpose arrangements, processes and systems to respond to, monitor and implement agreed parliamentary committee and Auditor-General recommendations.

Conclusion

AGD did not have fit-for-purpose arrangements for parliamentary committee recommendations. The department did have fit-for-purpose arrangements for Auditor-General recommendations. AGD did not have an effective system to monitor the implementation of recommendations. AFP had largely fit-for-purpose arrangements for parliamentary committee recommendations and partly fit-for-purpose arrangements for Auditor-General recommendations. AFP had an effective system to support these arrangements. CDPP had largely fit-for-purpose arrangements for Auditor-General recommendations but should improve its arrangements for parliamentary committee recommendations.

Areas for improvement

The ANAO made four recommendations and identified four opportunities for improvement for AGD, AFP and CDPP to improve their arrangements and systems to identify, respond to, plan for, implement and monitor parliamentary committee and Auditor-General recommendations.

2.1 The successful implementation of agreed recommendations requires effective senior management oversight and monitoring. This involves: establishing processes and responsibilities for responding to recommendations; assigning clear responsibilities and timeframes for progressing recommendations; and giving oversight bodies sufficient and appropriate information for them to provide assurance to the entities’ accountable authority on the implementation of recommendations.

Do entities have fit-for-purpose governance arrangements and processes to respond to, monitor and implement agreed parliamentary committee recommendations?

AGD had documented processes and responsibilities to respond to parliamentary committee recommendations. The department did not have documented responsibilities or a process to plan the implementation of, monitor or close all parliamentary committee recommendations. AFP had documented responsibilities and processes to respond to, monitor and close parliamentary committee recommendations, but could improve its implementation planning. CDPP, which is not frequently subject to parliamentary committee recommendations, did not have documented responsibilities or processes to implement or monitor parliamentary committee recommendations.

2.2 Figure 2.1 illustrates the ANAO’s analysis of the three entities’ governance arrangements, processes and practices, and maps the responsibilities within the entities to respond to, monitor and implement agreed parliamentary recommendations.

Figure 2.1: Processes and established practices to respond to, monitor and implement agreed parliamentary recommendations

A figure that shows for each entity – AGD, AFP and CDPP – the responsible governing body or business area involved in the processes to identify, respond to, implement, monitor, oversee and close agreed parliamentary committee recommendations (see paragraph 2.3).

Note a: Includes planning for implementation and implementation activities.

Note b: Monitor refers to the administrative process of compiling updates on the implementation of recommendations and preparing reporting for oversight bodies.

Note c: Audit committees are oversight bodies which can endorse the closure of recommendations, for management to then action.

Note d: CDPP did not have any agreed parliamentary committee recommendations in the scope of this audit and therefore the ANAO could not test for established practices.

Note e: The ANAO considered an established practice to be actions that were consistently followed to achieve an outcome, but the practice was not documented.

Source: ANAO analysis of entities’ information.

2.3 In assessing governance arrangements, the ANAO considered if entities had established roles and responsibilities, and appropriate risk management frameworks. In assessing processes, the ANAO considered if entities had clear and documented guidance on the necessary steps to achieve an outcome.

  • AGD had documented responsibilities and processes for identifying and responding to parliamentary committee recommendations where it was the lead entity for the response. AGD lacked documented responsibilities and processes to implement, monitor, and close all parliamentary committee recommendations.
  • AFP had documented responsibilities and processes for identifying, responding to, monitoring, overseeing and closing parliamentary committee recommendations, but lacked documented processes for implementing recommendations.
  • CDPP had documented responsibilities for overseeing parliamentary committee recommendations and in December 2022 CDPP documented responsibilities for responding to parliamentary committee recommendations. CDPP did not have documented responsibilities or processes for identifying, implementing, monitoring or closing parliamentary committee recommendations.

2.4 CDPP did not have any parliamentary committee recommendations within the scope of this audit[9], and as a relatively small entity[10], CDPP is not frequently subject to parliamentary committee recommendations. When examining CDPP against the audit criteria, the ANAO’s analysis takes these factors into consideration. Findings and opportunities for improvement discussed in the following sections of this report are based on risks to CDPP due to not having documented processes or responsibilities.

Identifying parliamentary committee recommendations

2.5 Processes that identify parliamentary committee recommendations relevant to an entity provide assurance that the issues identified in the committee reports are being considered. Government responses to parliamentary committee reports are prepared by the portfolio lead entity, which consults with other entities as required. AGD advised it was the lead entity for most government responses in the portfolio.[11]

Attorney-General’s Department

2.6 AGD has in place a process for identifying relevant parliamentary recommendations where it is the lead entity. This process involves the Department of the Prime Minister and Cabinet’s Tabling Office notifying the department that it is the lead entity for the government’s response. While there is no documented process to identify parliamentary committee reports for which the department is not the lead entity, AGD advised that in practice, it is informed of reports by the relevant lead entity.

2.7 AGD has also been subject to machinery of government (MOG) changes which can result in recommendations being transferred to the portfolio. In July 2022, AGD’s Audit and Risk Management Committee (ARMC) requested an update on the additional recommendations AGD was responsible for as a result of a MOG which came into effect in July 2022. In October 2022, the department informed the ARMC that it was responsible for the implementation of an additional 73 parliamentary committee recommendations and four Auditor-General recommendations. In addition to the ARMC process, AGD considered parliamentary committee recommendations requiring transfer to or from other entities as part of its engagement to action the July 2022 MOG. These practices are not documented, which could impact business continuity, consistency and efficiency.

Opportunity for improvement

2.8 AGD could document its processes to identify new parliamentary committee and Auditor-General recommendations it is responsible for implementing following a MOG.

Australian Federal Police

2.9 AFP’s ministerial and parliamentary liaison section is responsible for monitoring parliamentary activity to identify reports containing recommendations relevant to AFP.

Office of the Commonwealth Director of Public Prosecutions

2.10 CDPP does not have documented responsibilities or a process to identify parliamentary committee recommendations. CDPP advised that it relies on other entities to inform it of relevant recommendations, in particular, the portfolio’s lead entity AGD. AGD does not have a documented process for informing entities within the portfolio of relevant recommendations.

Opportunity for improvement

2.11 AGD could update its guidance to clarify its processes on engaging with relevant portfolio entities when responding to parliamentary committee reports.

Responding to parliamentary committee recommendations

2.12 Clear arrangements to respond to recommendations support an entity to understand the intent of the recommendation, and acknowledge appropriate and achievable activities to address the identified risks. Responding to parliamentary committee recommendations is the responsibility of government. Government entities, such as AGD, AFP and CDPP, can lead or provide input into advice on what the government response will be. In the following section an entity’s response to parliamentary committee recommendations is considered to be its advice to government.

  • AGD had documented responsibilities and processes to respond to parliamentary committee recommendations; however, it did not specify how recommendations would be allocated within the department. In practice, responses to recommendations were allocated to the relevant business area and cleared by the business area’s Senior Executive Service (SES) officer.
  • AFP had documented responsibilities and processes for responding to recommendations. The ministerial and parliamentary liaison section is responsible for coordinating the response, and allocates responsibility for drafting the response to the relevant business area. The draft response is cleared by the business area’s SES officer.
  • CDPP amended its Executive Leadership Group (ELG)[12] terms of reference in December 2022 to assign the ELG responsibility for overseeing CDPP’s response to parliamentary committee recommendations. CDPP advised the ANAO that relevant business areas are responsible for responding to recommendations. Before December 2022, CDPP did not have documented responsibilities or a process to respond to parliamentary committee recommendations.

Timeliness of responses

2.13 Entities should respond to parliamentary committee reports within three or six months, depending on the type of committee.[13] This timeframe includes ministerial consideration. AGD, as the portfolio department, should develop the government responses it leads within this timeframe. AGD notes the timeframes for responses to parliamentary committees in its guidance, but does not require business areas to provide advice on proposed responses to the relevant minister in order to meet the required timeframes.

2.14 Table 2.1 shows AGD responded to four per cent of parliamentary committee recommendations within the set timeframes in the past five years. The time taken by AGD to draft a response is one factor which can contribute to overdue government responses.

Table 2.1: Proportion of parliamentary committee recommendations[a] from 2017 to 2022 responded to by AGD within the Senate and House of Representatives’ timeframes

| Description | Amount |
|---|---|
| No. of reports relevant to AGD | 19 |
| No. of recommendations relevant to AGD | 48 |
| No. of recommendations that were responded to | 24 |
| No. of responses tabled within the Senate and House of Representatives’ timeframes | 2 |
| Percentage of responses to recommendations tabled within the Senate and House of Representatives’ timeframes | 4% |

   

Note a: Includes recommendations in parliamentary committee reports which reference AGD in the text of the recommendation. There may be additional recommendations relevant to AGD that were not captured.

Source: ANAO analysis of parliamentary committee reports.

Recommendation no.1

2.15 The Attorney-General’s Department improve existing arrangements for responding to parliamentary committee reports to provide assurance that the Minister has sufficient time for consideration, within the timeframes set by the Prime Minister and Cabinet Tabling Office.

Attorney-General’s Department response: Agreed.

2.16 The department will implement a process to monitor the progress of parliamentary committee recommendations, including triggers to ensure a timely consideration process for the Minister.

2.17 AFP advised the ANAO that it provides input to government responses within the timeframes set by the lead entity. For the Parliamentary Joint Committee on Intelligence and Security (PJCIS) report on press freedom considered in this audit (see Table 1.4 and Appendix 4), AFP was contacted by the Department of Home Affairs for input to the government response. AFP provided this input within the requested timeframe.[14]

2.18 As identified in paragraph 2.12, CDPP assigned responsibility for overseeing its response to parliamentary committee recommendations in December 2022 but did not have a process for requiring timely responses or input to responses.

Implementation of parliamentary committee recommendations

2.19 The successful implementation of parliamentary recommendations requires appropriate planning and senior management oversight to set clear responsibilities and timeframes for delivering the agreed action.

Implementation planning

2.20 The three entities did not have documented roles and responsibilities, or processes, for planning the implementation of parliamentary committee recommendations (see Table 2.2).

Table 2.2: Entities’ processes and practices to plan the implementation of parliamentary committee recommendations

 

| | AGD | AFP | CDPP |
|---|---|---|---|
| Does the entity assign responsibility for recommendation implementation? | [a] | | |
| Does the entity set timeframes for recommendation implementation? | [a] | | |
| Does the entity assign risk ratings for recommendation implementation? | | | |

Key: Consistent practice that is not documented; No documented procedure or consistent practice

Note a: AGD had processes to assign responsibility and timeframes for the implementation of JCPAA recommendations, but not for other parliamentary committees.

Source: ANAO analysis of AGD, AFP and CDPP evidence.

2.21 Entity processes for parliamentary committee recommendations did not document:

  • the development of implementation plans for recommendations;
  • that business areas be assigned responsibility for the implementation of recommendations; or
  • that these areas set timeframes for implementation or assign risk ratings.

2.22 AGD assigned responsibility to implement the Joint Committee of Public Accounts and Audit (JCPAA) recommendations. AGD did not have a documented process or consistent practice for assigning responsibility to implement recommendations from other parliamentary committees. For the recommendations contained in the PJCIS report on press freedom (see Table 1.4 and Appendix 4), recommendations were assigned to relevant business areas for implementation.

2.23 In practice, AFP assigned responsibility for parliamentary committee recommendations through its oversight body, the Investigations, Operations and Compliance Board of Management (IOCBoM).

2.24 CDPP did not have a documented process for implementing parliamentary committee recommendations. Although CDPP is not subject to frequent parliamentary recommendations, documenting the planning process for the implementation of recommendations may better support business continuity, consistency and efficiency.

2.25 CDPP advised its processes to plan for, implement and monitor recommendations from assurance activities such as internal audits could be used for parliamentary committee and Auditor-General recommendations. These processes did not explicitly reference parliamentary committee or Auditor-General recommendations, which can involve different considerations than internal audit recommendations. As there were no parliamentary recommendations applicable to CDPP in the period examined, this audit did not assess if CDPP followed these processes as an established practice in implementing, monitoring and closing parliamentary committee recommendations.

Risk Management

2.26 Under section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), Commonwealth entities must establish effective internal checks and controls and an effective risk and assurance framework to monitor and manage risk at the enterprise level. The three entities had established risk management policies and supporting frameworks that met the PGPA Act and Commonwealth Risk Management Policy requirements.[15] These set out each entity’s approach to risk management including roles and responsibilities, monitoring, reviewing and continually improving risk management.

2.27 Parliamentary committee and Auditor-General recommendations should be assigned risk ratings to identify the impact on the entity if they are not implemented. The three entities’ risk management policies require staff to identify and assess risks as part of good governance.

2.28 Table 2.2 above shows the entities did not require risk ratings to be assigned to parliamentary committee recommendations. This reduces the scope of the entities’ enterprise level risk approach. CDPP advised it considered all recommendations from external assurance bodies, including parliamentary committee recommendations, to be high priority.

Recommendation no.2

2.29 The Attorney-General’s Department, the Australian Federal Police, and the Office of the Commonwealth Director of Public Prosecutions each establish and document fit-for-purpose processes for planning the implementation of parliamentary committee recommendations, including the requirement to assign responsibility, set timeframes for implementation, and assign risk ratings.

Attorney-General’s Department response: Agreed.

2.30 When tasking parliamentary committee recommendations for action, the department will include a template to ensure responsibilities are assigned to the relevant business group; set milestones for tracking implementation (where defined); and include a risk assessment template to assign risk ratings.

Australian Federal Police response: Agreed.

2.31 The AFP has developed an external recommendation implementation planning template to support the planning, implementation and monitoring of external recommendations. This template is currently being trialled in support of the AFP’s response to recommendations arising from the recently issued ANAO performance audit on the Management of Cyber Security Supply Chain Risks.

Office of the Commonwealth Director of Public Prosecutions response: Agreed.

2.32 The CDPP has governance arrangements and established processes in place to respond to recommendations emanating from internal audit reports and management-initiated reviews. These existing arrangements and processes will be further strengthened and appropriately extended to parliamentary committee recommendations to include:

  1. Coverage over responses
  2. Details for planning implementation of agreed actions
  3. Assignment of responsibility for implementation and completion timeframes
  4. Consideration of underlying risk and assignment of priority ratings
  5. Monitoring and reporting to the ELG and Audit Committee as required under their respective Terms of Reference or Charter.

Monitoring and oversight of parliamentary committee recommendations

2.33 Effective monitoring requires oversight and an approach that accurately tracks progress and records the actions of the business area, or individual, responsible for implementation. In this audit, the ANAO considered monitoring as the administrative process to compile updates and prepare reporting to oversight bodies, while oversight is conducted by assurance and/or management bodies.[16]

  • AGD did not assign an executive or governing body responsibility for monitoring or overseeing all parliamentary committee recommendations. The ARMC was responsible for overseeing the implementation and endorsing the closure of JCPAA recommendations.
  • AFP’s IOCBoM was responsible for overseeing the implementation of parliamentary committee recommendations and assigned responsibility for monitoring to the internal audit section.
  • CDPP’s Audit Committee was responsible for overseeing the implementation of parliamentary committee recommendations. CDPP did not assign responsibility to a business area, executive or governing body for monitoring the implementation of parliamentary committee recommendations.

2.34 Table 2.3 shows the responsible oversight bodies in AGD and AFP, as discussed above, received updates on the implementation of parliamentary committee recommendations. CDPP did not provide updates to an oversight body as there were no agreed parliamentary committee recommendations in the period examined.

Table 2.3: Updates received by oversight bodies on the progress of parliamentary committee recommendation implementation between January 2020 and December 2022

| Entity | Oversight body | Number of meetings that received an update on progress | Percentage of meetings that received an update on progress[a] |
|---|---|---|---|
| AGD | Audit and Risk Management Committee | 1[b] | 100%[b] |
| AFP | Investigations, Operations and Compliance Board of Management | 2 | 29%[c] |

       

Note a: The total used to calculate the percentage does not include meetings that occurred when the entity did not have open parliamentary committee recommendations, or for AGD, JCPAA recommendations.

Note b: AGD began reporting on the implementation of JCPAA recommendations to the ARMC from August 2021. Updates on other parliamentary committee recommendations were not provided. AGD held eight ARMC meetings in the period examined since it began receiving updates on JCPAA recommendations. Seven of these meetings occurred when AGD did not have open JCPAA recommendations.

Note c: AFP began reporting to the IOCBoM on the implementation of parliamentary committee recommendations in August 2021 and held seven meetings since that time in the period examined.

Source: ANAO analysis of AGD and AFP evidence.

Attorney-General’s Department

2.35 AGD did not have a process to monitor the implementation of all agreed parliamentary committee recommendations, with the exception of JCPAA recommendations. Table 2.3 shows that between 2020 and 2022, the ARMC received one update on JCPAA recommendations. In 2019, AGD noted to an internal advisory body[17] that it did not monitor the implementation of parliamentary committee recommendations at an enterprise level[18], which impacted its ability to provide timely responses when questioned about its responsiveness to parliamentary committee reports. In June 2021, the department advised its ARMC:

[t]he Department does not centrally track the progress and implementation of the resulting parliamentary committee recommendations … given the legislative focus on many parliamentary committee recommendations relating to AGD, we do not consider there would be value in ARMC considering the implementation status of such recommendations.

2.36 In the period examined, the department’s ARMC did not receive regular updates on the implementation of all parliamentary committee recommendations or AGD’s mechanisms for implementing them. This did not meet the ARMC’s charter function to:

satisfy itself [AGD] has appropriate mechanisms of reviewing relevant parliamentary committee reports, external reviews and evaluations of the department and implementing, where appropriate, any resultant recommendations.

2.37 Previous Auditor-General reports have found that the successful implementation of agreed recommendations requires strong senior management oversight and monitoring.[19]

Australian Federal Police

2.38 AFP had provided two updates to its IOCBoM in the period examined since June 2021, when it established the IOCBoM’s oversight role.[20] These updates reported on the status of parliamentary committee recommendations. Actions taken to implement the recommendations were not included in the report unless the recommendation was proposed for closure. This did not provide decision-makers with sufficient information to have a clear line of sight of the progress made in implementing agreed recommendations before their closure.

Opportunity for improvement

2.39 AFP could include the actions taken to implement recommendations and relevant planning information, such as due dates and risk ratings (see recommendation no. 2) when providing implementation updates to oversight bodies.

Office of the Commonwealth Director of Public Prosecutions

2.40 CDPP advised that due to the infrequency with which it receives parliamentary committee recommendations, it did not have a documented process in place to monitor their implementation.[21] The Audit Committee’s annual work plans documented its responsibility for overseeing the implementation of parliamentary committee recommendations.

2.41 Similar to AGD’s ARMC charter responsibility discussed in paragraph 2.36, a function of CDPP’s Audit Committee is to satisfy itself that CDPP has appropriate mechanisms to implement agreed recommendations from parliamentary committee reports. The ANAO found CDPP’s Audit Committee did not receive reports on these mechanisms or updates to confirm whether there were parliamentary committee reports relevant to CDPP in the period examined.

Recommendation no.3

2.42 The Attorney-General’s Department and the Office of the Commonwealth Director of Public Prosecutions each establish fit-for-purpose governance arrangements and documented processes to monitor the implementation of all agreed parliamentary committee recommendations, and report implementation progress to an appropriate oversight body.

Attorney-General’s Department response: Agreed.

2.43 The department will document and implement a process to monitor the implementation of all agreed parliamentary committee recommendations.

2.44 Implementation progress will be reported to an appropriate oversight body.

Office of the Commonwealth Director of Public Prosecutions response: Agreed.

2.45 The CDPP has governance arrangements and established processes in place to respond to recommendations emanating from internal audit reports and management-initiated reviews. These existing arrangements and processes will be further strengthened and appropriately extended to parliamentary committee recommendations to include:

  1. Coverage over responses
  2. Details for planning implementation of agreed actions
  3. Assignment of responsibility for implementation and completion timeframes
  4. Consideration of underlying risk and assignment of priority ratings
  5. Monitoring and reporting to the ELG and Audit Committee as required under their respective Terms of Reference or Charter.

Closure and reporting of parliamentary committee recommendations

Closure of recommendations

2.46 AGD’s ARMC is responsible for endorsing JCPAA recommendations for closure, but the process did not require supporting evidence. In practice, AGD required closure packs for JCPAA recommendations, and this requirement was documented in December 2022. AGD did not have documented processes for closing the remaining parliamentary committee recommendations.

2.47 AFP’s IOCBoM is responsible for closing parliamentary committee recommendations but did not require evidence to inform closure.

2.48 CDPP did not have documented responsibilities or processes to close parliamentary committee recommendations. CDPP advised the ANAO that the Audit Committee can recommend the closure of parliamentary committee recommendations for the Commonwealth Director of Public Prosecutions (CDPP Director)[22] to action.[23]

External reporting

2.49 Entities are required to provide updates to the Department of the Prime Minister and Cabinet on outstanding government responses to parliamentary committee inquiries when requested, which are then reported to the Senate and House of Representatives. As discussed in paragraph 2.5, as the portfolio department, AGD advised it is likely to lead most government responses, and must meet this reporting requirement. AGD had guidance on how to prepare these reports and provided input when requested by the Department of the Prime Minister and Cabinet Tabling Office.

2.50 Entities are not required to report on the implementation status or closure of agreed recommendations to the Parliament, unless requested.[24] The JCPAA requested two updates from AGD on recommendations agreed in the period examined (January 2020 to June 2021).[25] AGD provided these updates.

Do entities have fit-for-purpose governance arrangements and processes to respond to, monitor and implement agreed Auditor-General recommendations?

AGD had assigned responsibilities and processes in place to respond to, monitor and implement Auditor-General recommendations. AFP’s arrangements and processes were limited to monitoring and oversight of recommendations. CDPP had documented responsibilities and processes to respond to and oversee the implementation of recommendations, but its practices to implement and monitor agreed recommendations were not documented.

2.51 Figure 2.2 illustrates the ANAO’s analysis of the three entities’ governance arrangements, processes and practices to respond to, monitor and implement agreed Auditor-General recommendations.

Figure 2.2: Processes and established practices to respond to, monitor and implement agreed Auditor-General recommendations

A figure that shows for each entity – AGD, AFP and CDPP – the responsible executive, governing body or business area involved in the processes to respond to, implement, monitor, oversee and close agreed Auditor-General recommendations (see paragraph 2.52).

Note a: Includes planning for implementation and implementation activities.

Note b: Monitor refers to the administrative process of compiling updates on the implementation of recommendations and preparing reporting for oversight bodies.

Note c: Audit committees are oversight bodies that can endorse recommendation closure, for management to then action.

Note d: The ANAO considered an established practice to be actions that were consistently followed to achieve an outcome, but the practice was not documented.

Source: ANAO analysis of the entities’ information.

2.52 Figure 2.2 illustrates:

  • AGD had documented responsibilities and processes for responding to, implementing, monitoring and closing Auditor-General recommendations;
  • AFP had documented responsibilities and processes for monitoring and closing Auditor-General recommendations, but did not have documented responsibilities or processes for responding to and implementing recommendations; and
  • CDPP had documented responsibilities for responding to, overseeing and closing Auditor-General recommendations, but did not have documented responsibilities and processes for implementing or monitoring Auditor-General recommendations.

2.53 Entities that do not have processes or procedures increase the risk of inconsistency in administration and decision-making.

Identifying and responding to Auditor-General recommendations

Identifying recommendations

2.54 The Auditor-General provides a copy, or relevant extract, of the draft audit report to the entity’s accountable authority, and requests written comments from the accountable authority within 28 days.[26] AGD, AFP and CDPP responded to all Auditor-General recommendations made in the past five years in sufficient time to be tabled with the audit report.

Responding to recommendations

2.55 AGD and CDPP partially documented their respective process to respond to Auditor-General recommendations in December 2022. AFP did not have documented responsibilities or processes to respond to Auditor-General recommendations.

  • AGD business areas are responsible for drafting AGD’s response to Auditor-General recommendations. In practice, the assurance section[27] coordinates AGD’s response.
  • In practice, AFP’s response is coordinated by its internal audit section. The relevant business area within AFP drafts the response to the recommendations, which is cleared by its SES officer.
  • From December 2022, CDPP’s ELG is responsible for overseeing CDPP’s response to Auditor-General reports and recommendations. In practice, the relevant business area within CDPP drafts the response to the recommendations, which is cleared by its SES officer.

2.56 Entities should clearly state whether they intend to implement the recommendation in their response.

2.57 Table 2.4 shows that, for recommendations tabled and agreed to between January 2020 and June 2021, AGD was the only entity that agreed to an Auditor-General recommendation (one) without a clear statement of intent.[28]

Table 2.4: Auditor-General recommendations for AGD, AFP and CDPP with a clear statement of intended implementation agreed between January 2020 and June 2021

 

| | AGD | AFP | CDPP |
|---|---|---|---|
| Per cent of Auditor-General recommendations agreed without qualification (%) | 88%[a] | 100% | 100% |

       

Note a: AGD agreed in principle to one recommendation.

Source: ANAO analysis.

Implementation of Auditor-General recommendations

Implementation planning

2.58 Table 2.5 shows AGD documented its processes and practices to plan the implementation of Auditor-General recommendations in December 2022, formalising many existing practices. AFP and CDPP did not have documented processes to plan the implementation of Auditor-General recommendations.

Table 2.5: Entities’ processes and practices to plan the implementation of Auditor-General recommendations

 

| | AGD | AFP | CDPP |
|---|---|---|---|
| Does the entity assign responsibility for recommendation implementation? | | | |
| Does the entity set timeframes for recommendation implementation? | | | |
| Does the entity assign risk ratings for recommendations? | | | |

Key: Documented process; Consistent practice that is not documented; No documented procedure or consistent practice

Source: ANAO analysis of AGD, AFP and CDPP evidence.

2.59 Entity processes did not require business areas to develop implementation plans for recommendations.

  • AGD’s assurance section was responsible for assigning business areas responsibility to implement recommendations and set timeframes for implementation.
  • AFP did not have a documented requirement to assign responsibility to implement or assign timeframes for the implementation of Auditor-General recommendations. In practice, AFP’s internal audit area consulted with business areas to allocate Auditor-General recommendations. AFP did not set timeframes for implementation.
  • CDPP did not have a documented requirement to assign responsibility to implement or assign timeframes for the implementation of Auditor-General recommendations. For the four recommendations from Auditor-General Report No. 28 of 2019–20, CDPP assigned owners through the ELG and set a timeframe for the implementation of one of the four recommendations (see paragraph 3.6).

Risk Management

2.60 As discussed in paragraph 2.26, the entities had established risk management policies and supporting frameworks. The ANAO examined how the three entities addressed risk in relation to the implementation of Auditor-General recommendations.

  • AGD updated its internal audit Standard Operating Procedure in December 2022 to require risk ratings be assigned to Auditor-General recommendations.29
  • In December 2022, AFP implemented a ‘risk-based process’ to monitor recommendations. This was based on internal audit team members’ judgement of which recommendations were high risk and did not use a risk matrix or consistent procedure. At December 2022, AFP had not assigned risk ratings to any Auditor-General recommendations received between 2020 and 2022.
  • CDPP does not require risk ratings to be assigned to Auditor-General recommendations. As noted in paragraph 2.28, CDPP advised the ANAO that it considered all recommendations from external assurance bodies, including the Auditor-General, as high priority.

2.61 AFP and CDPP have established practices for certain components of planning the implementation of Auditor-General recommendations30, but could improve these by establishing and documenting processes, and requiring timeframes and risk ratings. The current practices are more substantive than those in place to plan the implementation of parliamentary committee recommendations, discussed in paragraphs 2.19 to 2.28.

Opportunity for improvement

2.62 AFP and CDPP could establish documented processes for planning the implementation of Auditor-General recommendations, including a requirement to assign responsibility, and set timeframes for implementation and risk ratings. This would support consistency in processes, such as when receiving audit recommendations infrequently or following staff turnover.

Monitoring and oversight of Auditor-General recommendations

2.63 AGD documented its process to monitor the implementation of Auditor-General recommendations in December 2022. This formalised AGD’s existing practices for its assurance section to coordinate monitoring, which included requesting updates from business areas prior to ARMC meetings in a tracking document. This document supports reporting to the ARMC but did not consistently contain the previous status of recommendations or closed recommendations. As a result, it can be difficult to monitor changes or have assurance on the completeness of the information reported.

2.64 AFP had a documented process to monitor Auditor-General recommendations and utilised an electronic system, LEX. The use of this system is discussed further in paragraph 2.79.

2.65 CDPP does not have documented processes to monitor the implementation of Auditor-General recommendations. In practice, the Commonwealth Solicitor31 coordinated updates on agreed Auditor-General recommendations in a document which was presented to the ELG. Similar to AGD’s tracking document discussed in paragraph 2.63, CDPP’s document supports reporting, but did not contain the previous status of recommendations or closed recommendations.32 In addition to the recommendations, CDPP also monitored the implementation of opportunities for improvement identified in Auditor-General Report No. 28 2019–20.33

Oversight

2.66 Each of the entities had clear oversight requirements for the implementation of Auditor-General recommendations.

  • AGD’s ARMC was responsible for overseeing the implementation of Auditor-General recommendations. AGD’s Chief Audit Executive was the SES officer responsible for Auditor-General recommendations.
  • AFP’s Audit and Risk Committee was responsible for overseeing the implementation of Auditor-General recommendations. AFP did not assign an executive responsibility for Auditor-General recommendations in its governance arrangements.
  • CDPP’s Audit Committee was responsible for overseeing the implementation of Auditor-General recommendations. The ELG also agreed to oversee the implementation of Auditor-General recommendations from Auditor-General Report No. 28 2019–20.

2.67 Table 2.6 shows AGD, AFP and CDPP provided regular updates to their relevant audit committee on the implementation of Auditor-General recommendations.

Table 2.6: Frequency of updates received by oversight bodies in AGD, AFP and CDPP on the implementation of Auditor-General recommendations between January 2020 and December 2022

| Entity | Oversight body | Number of meetings that received an update on the implementation of recommendations | Percentage of meetings that received an update on the implementation of recommendations (a) |
|---|---|---|---|
| AGD | Audit and Risk Management Committee | 12 | 80% (b) |
| AFP | Audit and Risk Committee | 12 | 80% (c) |
| CDPP | Executive Leadership Group | 21 | 62% (d) |
| CDPP | Audit Committee | 8 | 100% (d) |

Note a: The total used to calculate the percentage does not include meetings that occurred when the entity did not have open Auditor-General recommendations. AGD and AFP had open Auditor-General recommendations for all meetings in the period examined.

Note b: AGD held 15 Audit and Risk Management Committee meetings in the period examined. Three of these meetings focused on consideration of the draft financial and annual performance statements.

Note c: AFP held 15 Audit and Risk Committee meetings in the period examined. Two of these meetings focused on consideration of the draft financial and annual performance statements.

Note d: CDPP held 45 ELG meetings and 12 Audit Committee meetings in the period examined. The 45 ELG meetings include ELG meetings and meetings of the ELG and Assistant Directors. The CDPP advised that this included meetings held to manage the CDPP’s response to the COVID-19 pandemic. Eleven of the ELG meetings and four Audit Committee meetings occurred when CDPP had no open recommendations to receive updates on and were not included.

Source: ANAO analysis of AGD, AFP and CDPP evidence.

Closure and reporting for Auditor-General recommendations

2.68 In practice, AGD and AFP’s audit committees were responsible for endorsing Auditor-General recommendations for closure, which was actioned by management. For CDPP, closure was considered the responsibility of CDPP’s Director34 and occurred through the ELG. CDPP’s Audit Committee also reviewed recommendations CDPP considered implemented and provided advice on their closure to the CDPP’s Director when required.

  • AGD required business areas to develop a closure report with evidence for Auditor-General recommendations. From December 2022, AGD also required the Chief Audit Executive to review these packs and ensure sufficient evidence is provided to support closure.
  • AFP does not require closure reports, but in practice the internal audit section reviews evidence provided by business areas and provides assurance to the Audit and Risk Committee of the accuracy of the statements.
  • CDPP does not require a closure pack or evidence of actions implemented, but the ELG received updates, papers and demonstrations of the actions taken to implement recommendations. These updates were not always provided to support the closure of recommendations.

External reporting on the implementation of recommendations

2.69 The JCPAA examines all Auditor-General reports tabled in Parliament, and can conduct inquiries into tabled Auditor-General reports and make recommendations, or request updates from entities. In August 2021, the JCPAA requested AGD provide an update on the implementation of recommendations from Auditor-General Report No. 48 2019–20 Management of the Australian Government’s Lobbying Code of Conduct — Follow-up Audit.35 AGD provided this update within the requested six-month timeframe.

Are there effective systems to monitor the implementation of agreed recommendations?

AGD, as the portfolio department and as an entity frequently subject to recommendations, did not have a system to monitor the implementation of parliamentary committee and Auditor-General recommendations. The document used by AGD to monitor recommendations did not have appropriate controls to provide assurance of the completeness and accuracy of information. AFP used an appropriate system to monitor the implementation of recommendations but could not provide assurance that the tracking information contained within the system was complete. CDPP did not have a system in place to monitor the implementation of recommendations. Due to CDPP’s size and infrequency of recommendations requiring implementation, CDPP’s use of a tracking document was appropriate.

Systems and processes

2.70 Each entity uses a different system or document to record monitoring of agreed parliamentary committee and Auditor-General recommendations.

  • AGD uses a document to monitor current JCPAA and Auditor-General recommendations.36
  • AFP uses the LEX system37 to monitor parliamentary committee and Auditor-General recommendations.
  • CDPP uses a document to monitor current Auditor-General recommendations.38

System controls and completeness

2.71 Entities should ensure there are sufficient controls to maintain complete and accurate data, and effectively monitor and report on the implementation status of recommendations.

Attorney-General’s Department

2.72 AGD updated the monitoring of Auditor-General and JCPAA agreed recommendations quarterly prior to ARMC meetings. This monitoring document is stored on an electronic document and records management system. Access to this monitoring document is restricted to personnel with appropriate delegations.

2.73 As discussed in paragraph 2.35, AGD did not monitor the implementation of agreed parliamentary committee recommendations, other than those made by the JCPAA. In late 2021 AGD investigated using the Parliamentary Document Management System (PDMS) to track its response to parliamentary committee reports and implementation of agreed recommendations. As at February 2023, AGD had not progressed this.39 Previous ANAO audits in this series have noted the use of PDMS by other entities and found it a largely effective system for this purpose.40

2.74 AGD manually entered and updated agreed JCPAA and Auditor-General recommendations into its tracking document, and removed the recommendation once the ARMC agreed to its closure. AGD did not require a quality review of the updates, but advised that an unspecified number of reviews had been conducted in practice. AGD did not have controls in place or assurance over the completeness of its monitoring of parliamentary recommendations.

2.75 As at December 2022, the monitoring document used by AGD to track recommendations:

  • contained the one agreed Auditor-General recommendation from the period examined that AGD considered open and no closed recommendations41; and
  • did not contain the 11 parliamentary committee recommendations tabled and agreed in the period examined.42

2.76 The lack of controls and completeness of the tracking document presents the risk that AGD may not accurately advise the ARMC on the implementation of recommendations. As a department which frequently receives parliamentary committee and Auditor-General recommendations, this is a risk for AGD.

Recommendation no.4

2.77 The Attorney-General’s Department establish and maintain an appropriate system to effectively monitor the implementation of agreed parliamentary committee and Auditor-General recommendations.

Attorney-General’s Department response: Agreed.

2.78 The department will investigate and implement a system with appropriate controls to monitor the implementation of agreed parliamentary committee and Auditor-General recommendations.

Australian Federal Police

2.79 AFP advised it updated the monitoring of agreed parliamentary committee and Auditor-General recommendations in the LEX system after each relevant Audit and Risk Committee or IOCBoM meeting. As at December 2022, AFP advised that it could not provide assurance that LEX contained a complete list of all agreed parliamentary committee recommendations. As at January 2023, LEX contained all four agreed parliamentary committee and Auditor-General recommendations within the scope of this audit.

2.80 AFP used manual processes to enter, update and close agreed parliamentary committee and Auditor-General recommendations in the LEX system. Access to LEX is restricted to an appropriate number of personnel and access is reviewed when users change roles. AFP did not have a quality assurance process in place for the information contained in LEX, but advised it conducted ‘spot checks on an ad hoc basis’. AFP has implemented IT general controls to support the LEX system.43

Office of the Commonwealth Director of Public Prosecutions

2.81 CDPP manually entered and updated agreed Auditor-General recommendations into its tracking document and removed these once the recommendations were considered closed. CDPP advised updates were peer-reviewed at the SES-level via a clearance process. Due to CDPP’s size and infrequency of recommendations requiring implementation, CDPP’s use of a tracking document is appropriate.

2.82 As discussed in paragraph 2.24, CDPP could improve its approach by documenting processes to monitor parliamentary committee and Auditor-General recommendations. CDPP’s tracker contained all agreed Auditor-General recommendations in the period examined while the recommendations were open. CDPP had no agreed parliamentary committee recommendations in the period examined in this audit.

3. Implementation of recommendations

Areas examined

This chapter examines whether the Attorney-General’s Department (AGD), the Australian Federal Police (AFP) and the Office of the Commonwealth Director of Public Prosecutions (CDPP) effectively implemented agreed recommendations by examining a sample of 27 agreed recommendations comprised of:

  • AGD — 11 parliamentary committee and eight Auditor-General recommendations;
  • AFP — one parliamentary committee and three Auditor-General recommendations; and
  • CDPP — four Auditor-General recommendations.

Conclusion

AGD’s implementation planning was largely fit-for-purpose, and its monitoring of recommendations was largely effective. AFP and CDPP’s implementation planning was partly fit-for-purpose, and the two entities’ monitoring of recommendations was largely effective.

With respect to the 27 agreed recommendations examined across the three entities:

  • AGD — six were implemented, three were largely implemented, three were partly implemented, two were not implemented, and for five implementation was ongoing;
  • AFP — two were largely implemented, one was partly implemented and for one implementation was ongoing; and
  • CDPP — one was implemented, one was largely implemented, and two were partly implemented.

Areas for improvement

The ANAO made one recommendation addressing AGD’s assurance and evaluation arrangements for providing advice to government on the extent to which the Protective Security Policy Framework is achieving its outcomes. ANAO also identified an opportunity for CDPP to improve transparency in its reporting of partner agency satisfaction survey results.

3.1 The appropriate and timely implementation of agreed recommendations is important to realise the full benefit of a parliamentary committee inquiry, or an audit, and demonstrates accountability to the Parliament. As discussed in paragraph 2.1, entities should have planning and monitoring arrangements to ensure the effective implementation of agreed recommendations. Table 1.4 outlines the number of agreed parliamentary committee and Auditor-General recommendations examined in this audit. For details of the selected recommendations see Appendices 4, 5, 6 and 7.

Were there fit-for-purpose implementation plans for each of the selected recommendations?

The three entities assigned a recommendation owner to all recommendations and identified implementation action items for 24 of the 27 recommendations. AGD set an implementation timeframe for 17 of 19 recommendations, AFP did not set timeframes for its four recommendations, and CDPP set a timeframe for one of four recommendations. AGD and CDPP did not assign risk ratings to recommendations, and AFP assigned a risk rating to one of four recommendations.

3.2 Chapter 2 identified that AFP and CDPP did not have documented processes or guidance on how to implement recommendations. AGD developed processes and guidance in December 2022. In the absence of documented guidance for all entities, the ANAO examined whether AGD, AFP and CDPP assigned roles and responsibilities, timeframes and risk ratings for selected recommendations. The results of this are summarised in Table 3.1.

Table 3.1: Assessment of AGD, AFP and CDPP’s implementation planning for each selected recommendation

 

| | AGD (19) | AFP (4) | CDPP (4) |
|---|---|---|---|
| No. of recommendations assigned a recommendation owner | 19/19 (100%) | 4/4 (100%) | 4/4 (100%) |
| No. of recommendations with a timeframe for implementation | 17/19 (89%) | 0/4 (0%) | 1/4 (25%) |
| No. of recommendations assigned a risk rating | 0/19 (0%) | 1/4 (25%) | 0/4 (0%) (a) |

Note a: CDPP advised ANAO that it considered all recommendations from external review bodies, including Auditor-General recommendations, to be a high priority.

Source: ANAO analysis of entities’ documentation.

Attorney-General’s Department

3.3 AGD advised that business areas are responsible for progressing and implementing agreed parliamentary committee and Auditor-General recommendations. While AGD does not require implementation plans (see paragraphs 2.21 and 2.59), business areas developed implementation plans for 12 of 19 recommendations. The plans ranged from implementation plans developed specifically for the recommendation(s), to high-level planning documents for the business area’s operational activities that included work on the recommendation(s).

  • AGD assigned all 19 parliamentary committee and Auditor-General recommendations a recommendation owner. For the JCPAA and Auditor-General recommendations, recommendation owners were at Senior Executive Service (SES) level. For the eight other parliamentary committee recommendations, AGD identified and assigned relevant business areas responsibility for implementation.
  • For 17 of the 19 recommendations, AGD identified implementation action items.
  • AGD set implementation timeframes for all recommendations, except two parliamentary committee recommendations.
  • While none of the recommendations were assigned a risk rating, AGD documented consideration of risk for 14 recommendations. This ranged from identifying risks and mitigation strategies, to undertaking an assessment of likelihood and consequence.

Australian Federal Police

3.4 AFP does not require implementation plans for parliamentary committee or Auditor-General recommendations (see paragraphs 2.21 and 2.59) and did not develop implementation plans for three of the four recommendations. The one implementation plan developed was specific to the project addressed in the recommendation.44

  • AFP assigned all four parliamentary committee and Auditor-General recommendations an SES-level recommendation owner.
  • For the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommendation, AFP advised it nominally allocated the recommendation owner, and the recommendation owner was not responsible for implementing the recommendation.45 While AFP did not record responsibility to the correct business area in its monitoring system, AFP communicated the responsibility for implementation to the appropriate business area.
  • For all four recommendations, AFP identified implementation action items.

3.5 From November 2022, AFP used a ‘risk-based process’ to report on the implementation of Auditor-General recommendations. As discussed in paragraph 2.60, this process involved AFP’s internal audit section assessing which recommendations were high risk, although this process did not use a risk matrix or consistent procedure. There was no documented consideration of risk, or assigned risk rating, for the three Auditor-General recommendations, either before or after the risk-based process was implemented. AFP assigned a risk rating to the parliamentary committee recommendation.

The Office of the Commonwealth Director of Public Prosecutions

3.6 CDPP does not require implementation plans, and did not develop implementation plans, for Auditor-General recommendations (see paragraph 2.59).46

  • All four Auditor-General recommendations were assigned an SES-level recommendation owner(s).
  • There were action items for three of the four recommendations.
  • A timeframe for implementation was established for one recommendation. For the other three recommendations, while CDPP advised the ANAO that timeframes were discussed, the agreed timeframes were not documented.
  • None of the recommendations were assigned a risk rating and there was no documented consideration of risk. CDPP advised that it considered all Auditor-General recommendations to be a high priority.

Was each selected recommendation effectively monitored?

AGD monitored the implementation of parliamentary committee and Auditor-General recommendations. AGD implemented eight of 11 JCPAA and Auditor-General recommendations within agreed timeframes. AGD’s monitoring of other parliamentary committee recommendations was limited because it did not monitor timeframes.

AFP monitored the implementation of Auditor-General recommendations, but it did not monitor its parliamentary committee recommendation in line with the Investigations, Operations and Compliance Board of Management’s responsibilities. AFP did not monitor any of the recommendations against timeframes.

CDPP monitored the implementation of Auditor-General recommendations. For the one recommendation with an established timeframe, the recommendation was not implemented within the agreed due date.

Attorney-General’s Department

3.7 AGD’s assurance section monitors the implementation of JCPAA and Auditor-General recommendations through a tracking document (see paragraph 2.72). The department’s Audit and Risk Management Committee (ARMC) was responsible for oversight of recommendation implementation (see paragraph 2.66).

3.8 The ARMC received updates on the implementation of JCPAA and Auditor-General recommendations at 12 of 14 meetings held between January 2020 and December 2022, during which the recommendations were considered open.47 The updates included: traffic light reports on the status of the recommendation; due dates; requests for extensions and extension history; the recommendation owner; and written comments on the action taken by AGD to progress implementation. The number of updates to the ARMC for each JCPAA and Auditor-General recommendation ranged from one to eight. Evidence of implementation was provided alongside updates and/or upon closure of the recommendation (see paragraphs 3.36 and 3.73).

3.9 AGD did not monitor the implementation of other parliamentary committee recommendations at an enterprise level (see paragraph 2.35). AGD’s National Security Section (NSS) monitored the implementation of the eight PJCIS recommendations.

  • From July 2021, NSS maintained a tracking document that contained the status of recommendations and written comments on implementation actions but did not track due dates.
  • NSS sought updates from other AGD business areas responsible for implementation during business-as-usual operations, such as preparation for Senate estimates hearings.
  • NSS’s requests for updates did not require evidence of implementation, but some business areas provided evidence.
  • While NSS engaged with SES-level officers within AGD on the implementation of the PJCIS recommendations in its business-as-usual operations, implementation was not monitored at an enterprise level.

3.10 While there was no designated oversight body for the implementation of all parliamentary committee recommendations (see paragraphs 2.33 and 2.35), AGD provided a briefing paper to the ARMC in August 2021. As part of a general update on the AGD business area’s activities and priorities, this paper contained a high-level summary of the work AGD was progressing in relation to five of the eight PJCIS recommendations.

Implementation timeliness

3.11 AGD’s implementation of recommendations within planned timeframes is outlined in Table 3.2.

Table 3.2: Timeliness of AGD’s implementation of recommendations

 

| | JCPAA and Auditor-General | PJCIS |
|---|---|---|
| No. of recommendations with due date for implementation | 11/11 (100%) | 6/8 (75%) |
| No. of recommendations implemented within the original due date | 6/11 (55%) | 1/6 (17%) |
| For recommendations not implemented by the original due date, no. of recommendations with extension/s requested and agreed | 5/5 (100%) | N/A (a) |
| No. of recommendations implemented by the revised due date | 2/5 (40%) | N/A (a) |

Note a: For PJCIS recommendations, there was no practice of requesting extensions.

Source: ANAO analysis of AGD documents.

3.12 For the 11 JCPAA and Auditor-General recommendations:

  • AGD requested extensions from the ARMC for the five recommendations not implemented by the original due date;
  • AGD implemented eight recommendations within agreed timeframes, including agreed extensions (73 per cent); and
  • all extension requests were documented in ARMC meeting papers and minutes, although extension requests for four of the five recommendations were submitted to the ARMC after the approved due date had passed.

3.13 For the eight PJCIS recommendations:

  • two recommendations had no due dates assigned, and NSS did not monitor the progress of the other six recommendations against due dates;
  • as at December 2022, implementation was ongoing for five of the eight recommendations (see Table 3.4); and
  • four of the five recommendations that remain open have not met the original planned due dates. AGD has set revised due dates within planning documents.48

Australian Federal Police

3.14 AFP uses the LEX system49 to record progress on the implementation of parliamentary committee and Auditor-General recommendations. The system enables reporting to the Investigations Operations and Compliance Board of Management (IOCBoM), and to the Audit and Risk Committee (ARC) on parliamentary committee and Auditor-General recommendations. LEX contained updates on the implementation of the three Auditor-General recommendations but did not have an update recorded for the one PJCIS recommendation.

  • The IOCBoM did not receive an update on the implementation of the one parliamentary committee recommendation at any of its seven meetings between August 2021 and December 2022. AFP provided three updates on the implementation of this recommendation to oversight bodies linked to the implementation area.50
  • The ARC received updates on the implementation of the three Auditor-General recommendations at five of its nine meetings between January 2020 and December 2022, during which recommendations were open.51 The updates provided to the ARC did not include supporting evidence, including for the closure of one of the three recommendations.

Implementation timeliness

3.15 As discussed in paragraphs 2.21, 2.59 and Table 3.1, AFP did not assign and did not report against timeframes for the implementation of recommendations.

Office of the Commonwealth Director of Public Prosecutions

3.16 Following the tabling of Auditor-General Report No. 28 2019–20, CDPP’s Executive Leadership Group (ELG) required that reporting on the Auditor-General recommendations ‘would be through a traffic light report to the ELG for each meeting’. CDPP’s Audit Committee was also responsible for monitoring the implementation of recommendations.

3.17 The ELG received an update on the Auditor-General recommendations at 21 of 34 meetings held between January 2020 and December 2022 during which the recommendations were considered open.52 The number of updates for each recommendation ranged from nine to 21.53 The updates contained the ‘traffic light’ status of the recommendation, the responsible officer, and written comments on the actions taken by CDPP to progress implementation. Evidence of implementation was provided to the ELG for three of the four recommendations during this period.

3.18 Between January 2020 and December 2022, the Audit Committee received updates on the implementation of the recommendations at the eight meetings it held while recommendations were considered open. The Audit Committee received the same update reports as the ELG. Updates were provided on all four recommendations, with four to eight updates provided for each recommendation. Evidence of implementation, such as a demonstration or links to documents, was provided to the Audit Committee for three of the four recommendations.

Implementation timeliness

3.19 CDPP established a due date for one of the four Auditor-General recommendations. This recommendation was not implemented within the due date and there was no request for an extension.54

Were the selected recommendations implemented in full and closed in accordance with requirements?

The entities did not implement all recommendations in full.

  • AGD — for the 11 parliamentary committee recommendations: three were implemented; one was largely implemented; one partly implemented; one not implemented; and for five implementation was ongoing. For the eight Auditor-General recommendations: three were implemented; two were largely implemented; two were partly implemented; and one was not implemented.
  • AFP — the one parliamentary committee recommendation was largely implemented. For the three Auditor-General recommendations: one was largely implemented; one was partly implemented; and for one implementation was ongoing.
  • CDPP — for the four Auditor-General recommendations: one was implemented; one was largely implemented; and two were partly implemented. For the two partly implemented recommendations, CDPP considered, but decided not to implement all agreed recommendation actions.

For the recommendations recorded as implemented by the entities:

  • AGD closed all JCPAA and Auditor-General recommendations in accordance with requirements, and closed three other parliamentary committee recommendations;
  • AFP closed its Auditor-General recommendation in accordance with requirements, but did not close the parliamentary committee recommendation; and
  • CDPP closed all Auditor-General recommendations.

3.20 The approach used by the ANAO to assess the implementation status of the 27 recommendations examined in this audit is set out below in Table 3.3.

Table 3.3: Implementation status assessment categories

| Category | Explanation |
|---|---|
| Not implemented | There is no supporting evidence that the agreed action has been undertaken, or the action taken does not address the intent of the recommendation as agreed. |
| Partly implemented | The action taken was less extensive than the recommendation agreed, as: • it fell well short of the intent of the recommendation as agreed; or • processes were initiated or implemented but outcomes not achieved. |
| Largely implemented | The action taken was less extensive than the recommendation as agreed as: • it fell short of the intent of the recommendation as agreed; or • processes were initiated or implemented and there is evidence there was also action taken to achieve the outcome. |
| Implemented | There is supporting evidence that the agreed action has been undertaken and the action met the intent of the recommendation as agreed. |
| Implementation ongoing | There is supporting evidence of ongoing action to implement the recommendation and the entity considers implementation as in progress or ongoing. |

Note: ANAO’s assessment of entities’ implementation of recommendations was as at December 2022.

Source: ANAO documentation.

Attorney-General’s Department’s parliamentary recommendations

3.21 Table 3.4 contains AGD’s status and the ANAO’s assessment of the implementation of the selected parliamentary committee recommendations. Additional commentary is provided below where AGD’s status and the ANAO’s assessment differed. Appendix 4 provides the full text of each agreed recommendation.

Table 3.4: Summary assessment of the implementation of agreed AGD parliamentary committee recommendations [a]

| Recommendation and report | Author | AGD status | ANAO assessment |
|---|---|---|---|
| Recommendation 1, Report 485: Cyber Resilience | JCPAA | Implemented | Partly implemented |
| Recommendation 2, Report 485: Cyber Resilience | JCPAA | Implemented | Largely implemented |
| Recommendation 3, Report 485: Cyber Resilience | JCPAA | Implemented | Implemented |
| Recommendation 6, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implementation ongoing | Implementation ongoing [b] |
| Recommendation 7, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implementation ongoing | Implementation ongoing |
| Recommendation 9, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implemented | Implemented |
| Recommendation 10, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implementation ongoing | Implementation ongoing |
| Recommendation 11, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implementation ongoing | Implementation ongoing |
| Recommendation 13, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implemented | Not implemented |
| Recommendation 15, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implementation ongoing | Implementation ongoing |
| Recommendation 16, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implemented | Implemented |

Note a: AGD’s status and ANAO’s assessment differed for the recommendations highlighted in the table.

Note b: While ANAO assessed implementation was ongoing, AGD did not complete the review of all secrecy provisions by June 2021 as required by the recommendation.

Source: ANAO analysis of AGD information.

3.22 There were three instances where AGD’s status and the ANAO’s assessment in Table 3.4 differed.

Joint Committee of Public Accounts and Audit, Report 485: Cyber Resilience – recommendations 1 and 2

Recommendation 1

3.23 The ANAO assessed this recommendation as partly implemented.

3.24 Recommendation 1 was that:

The Attorney-General’s Department provide an update on its implementation of external moderation models/benchmarking processes, to verify Commonwealth entities’ reported compliance with cybersecurity requirements, including implementation timeframes.

3.25 While AGD provided an update to the JCPAA in the government’s response tabled on 8 June 2021, the update did not cover all of the information the recommendation required.

  • AGD did not include an update on the department’s work on implementing external moderation models/benchmarking processes to verify entities’ reported compliance with cybersecurity requirements, or the timeframe for this work.
  • The update instead focused on AGD’s work to improve the accuracy of entities’ self-assessments, and the accuracy of assessments against security policy frameworks, and the timeframe for this work.

3.26 The action taken by AGD fell well short of the intent of the recommendation.

Recommendation 2

3.27 The ANAO assessed this recommendation as largely implemented.

3.28 Recommendation 2 was that:

The Committee recommends that the Attorney-General’s Department:

  • provide an update on the levels of cyber security maturity within Commonwealth entities and the feasibility of mandating the Essential Eight across Commonwealth entities, including the threshold of cyber security maturity required by Government to impose this mandate, and expected timeframes; and
  • report back on any impediments to mandating the Top Four mitigation strategies for government business enterprises and corporate Commonwealth entities.

3.29 While AGD provided an update to the JCPAA in the government’s response tabled on 8 June 2021, the update did not cover all the information required in the recommendation. The update did not include the levels of cyber security maturity across all Commonwealth entities, or the threshold of cyber security maturity required by the government to impose a mandate to meet the Essential Eight. The update fell short of the intent of the recommendation.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press – recommendation 13

3.30 The ANAO assessed this recommendation as not implemented.

3.31 Recommendation 13 was that:

Training on the application of the Protective Security Policy Framework requirements for sensitive and classified information be made compulsory for all relevant Commonwealth officers and employees.

3.32 AGD advised the ANAO that the existing requirements in Protective Security Policy Framework (PSPF) Policy 2[55] meant that AGD ‘assessed that no further action was required’ in relation to this recommendation. AGD further advised that ‘PSPF is a principles-based framework which mandates core and supporting requirements’ and that AGD:

considers the existing PSPF policy 2 requirements for annual security awareness training for all personnel and contractors and specific security awareness training for those in specialised or high-risk positions, is sufficient.

3.33 PSPF Policy 2 states that ‘entities must provide all personnel, including contractors, with security awareness training at engagement and annually thereafter’. PSPF Policy 2 also recommends topics that should be included in security awareness training and recommends that ‘entities use their security plan to identify areas to include in their security awareness training program’. The recommended topics to be included in security training do not explicitly include the PSPF requirements for sensitive and classified information.

3.34 As PSPF Policy 2 does not explicitly require training on the application of the PSPF requirements for sensitive and classified information to be compulsory, as required by the recommendation, AGD has not met the intent of the recommendation.

Attorney-General’s Department’s closure of parliamentary committee recommendations

3.35 AGD closes JCPAA recommendations through the ARMC but does not have a documented process for closing other parliamentary committee recommendations. AGD considered six of the 11 parliamentary recommendations implemented.

3.36 For the three JCPAA recommendations AGD considered implemented, AGD prepared closure reports with supporting evidence of implementation. AGD presented the closure reports to the ARMC and requested the ARMC note the closure reports, and agree the recommendations had been addressed and completed. The ARMC agreed to close the three recommendations.

3.37 For the three PJCIS recommendations AGD considered implemented, AGD did not prepare closure reports.

  • One recommendation was considered closed by AGD as this was actioned through a government response tabled on 16 December 2020.
  • For the remaining two PJCIS recommendations, the responsible AGD business area provided written advice with SES-level endorsement to the NSS that the recommendations should be closed. For one of these recommendations, evidence of implementation was provided by the AGD business area to NSS after the ‘closed’ status of the recommendation was questioned. For the other recommendation, evidence of AGD’s actions to implement the recommendation was not provided to NSS.

Attorney-General’s Department’s Auditor-General recommendations

3.38 Table 3.5 contains AGD’s status and the ANAO’s assessment of the implementation of selected Auditor-General recommendations. Additional commentary is provided where AGD’s status and the ANAO’s assessment differed. Appendix 5 provides the full text of each agreed recommendation.

Table 3.5: Summary assessment of the implementation of agreed AGD Auditor-General recommendations [a]

| Recommendation and report | Author | AGD status | ANAO assessment |
|---|---|---|---|
| Recommendation 1, Management of the Australian Government’s Lobbying Code of Conduct – Follow-up Audit | Auditor-General Report (No. 48 2019–20) | Implemented | Implemented |
| Recommendation 2, Management of the Australian Government’s Lobbying Code of Conduct – Follow-up Audit | Auditor-General Report (No. 48 2019–20) | Implemented | Implemented |
| Recommendation 2, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Partly implemented |
| Recommendation 4, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Partly implemented |
| Recommendation 7, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Implemented |
| Recommendation 9, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Largely implemented |
| Recommendation 10, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Largely implemented |
| Recommendation 11, Cyber Security Strategies of Non-Corporate Commonwealth Entities | Auditor-General Report (No. 32 2020–21) | Implemented | Not implemented |

Note a: AGD’s status and ANAO’s assessment differed for the recommendations highlighted in the table.

Source: ANAO analysis of AGD information.

3.39 There were five instances where AGD’s status and the ANAO’s assessment in Table 3.5 differed.

Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities – recommendations 2, 4, 9, 10 and 11

Recommendation 2

3.40 The ANAO assessed this recommendation as partly implemented.

3.41 Recommendation 2 was that:

The Attorney-General’s Department performs and documents risk assessments for any patches not implemented in accordance with the requirements of the Australian Government Information Security Manual and its policies, including defining an action plan for managing the risks associated with not implementing those patches.

3.42 AGD made improvements to the risk assessment process that identifies, assesses, and addresses vulnerabilities in its environment. The ARMC approved the implementation of the recommendation in October 2021. The ANAO reviewed the approved process and found that AGD had not consistently performed the required risk assessment activities. Risk assessments were not performed and documented in accordance with the Australian Government Security Manual and AGD’s policies. This may result in vulnerabilities not being appropriately managed.

3.43 AGD initiated processes, but the intended outcomes have not been achieved and the department’s actions fell well short of the intention of the recommendation.

Recommendation 4

3.44 The ANAO assessed this recommendation as partly implemented.

3.45 Recommendation 4 was that:

The Attorney-General’s Department improves the processes for documenting risk assessments and monitoring cyber security events, to assure itself that actions taken against cyber security events are performed consistently and appropriately.

3.46 AGD made improvements to the process that identifies, assesses, and monitors cyber security events, and demonstrated that the improved process is designed appropriately. The ANAO reviewed the process and found that risk assessments and monitoring of security events were not consistently performed and documented. This may result in security alerts not being properly investigated and risks remaining unmitigated.

3.47 AGD initiated processes, but outcomes have not been achieved and the department’s actions fell well short of the intention of the recommendation.

Recommendation 9

3.48 The ANAO assessed this recommendation as largely implemented.

3.49 Recommendation 9 was that:

The Attorney-General’s Department reviews the existing maturity levels under the PSPF maturity assessment model to determine if the maturity levels are fit-for-purpose and effectively aligned with the Essential Eight Maturity Model, having regard to the Australian Signals Directorate’s proposed update to the Essential Eight Maturity Model.

3.50 AGD reviewed the maturity levels in the PSPF maturity model and, in November 2021, proposed updates to the model. AGD did not:

  • determine whether the maturity levels were effectively aligned with the Essential Eight Maturity Model in the review; and
  • consider the Australian Signals Directorate’s proposed update to the Essential Eight Maturity Model.

3.51 The action taken by AGD fell short of the intent of the recommendation.

Recommendation 10

3.52 The ANAO assessed this recommendation as largely implemented.

3.53 Recommendation 10 was that:

The Attorney-General’s Department further improves the guidance on PSPF Policy 10 to clarify:

a. the correlation of the maturity levels in the PSPF and Essential Eight maturity models, and their implementation requirements;

b. the scope of the maturity level calculation suggested by the reporting portal and how entities can more accurately determine their selected PSPF maturity level; and

c. the assessment against the requirement to consider the implementation of the remaining 29 mitigation strategies, and the merit of its inclusion in the PSPF Policy 10 maturity level calculation.

3.54 AGD updated PSPF Policy 10 in March 2022 and released a pre-reporting information pack in June 2022 containing further information. While the updated guidance addressed parts (b) and (c) of the recommendation, it did not fully address part (a).

3.55 The March 2022 version of PSPF Policy 10 only identified a correlation between the ‘Managing’ maturity level and the associated implementation requirement for the PSPF and the Essential Eight maturity models. In October 2022, AGD updated PSPF Policy 10 to remove the reference to the ‘Managing’ maturity rating[56], reflecting the updates made to PSPF Policy 5.[57] The October versions of PSPF Policy 5 and PSPF Policy 10 do not clearly define the minimum requirements within the PSPF maturity model, and how this correlates to the Essential Eight maturity model.

3.56 AGD advised the ANAO that the March 2022 version of PSPF Policy 10 clarifies the relationship between the maturity levels in the PSPF and Essential Eight maturity models. The ANAO considers that while AGD made improvements to the guidance throughout 2022, AGD did not provide improved guidance in relation to the correlation of all maturity levels within the PSPF and Essential Eight maturity models, and the associated implementation requirements.

3.57 AGD’s actions fell short of the intent of the recommendation.

Recommendation 11

3.58 The ANAO assessed this recommendation as not implemented.

3.59 Recommendation 11 was that:

The Attorney-General’s Department implements arrangements to obtain an appropriate level of assurance on the accuracy of entities’ PSPF Policy 10 self-assessment results.

3.60 AGD researched domestic and international examples of protective security assurance and moderation mechanisms. However, in November 2021, AGD advised the Government Security Committee[58] that ‘it is the responsibility of the accountable authority to ensure the accuracy of their entity’s self-assessment’. AGD implemented changes with the intent of supporting entities to improve the accuracy of their own self-reporting, including:

  • adjusting the PSPF self-assessment to include an acknowledgement of self-reporting obligations, requiring entities to declare that the accuracy of the assessment has been verified by the accountable authority;
  • developing and releasing an evidence guide that provides entities with examples of how to evidence their implementation and assess their maturity; and
  • commencing a voluntary peer review process, inviting entities to opt-in for an external review of their self-assessment report prior to submission.

3.61 While AGD has taken actions to implement the recommendation, the actions did not meet the intent of the recommendation that the department agreed to ‘in principle’. AGD has not established arrangements to obtain an appropriate level of assurance on the accuracy of entities’ PSPF Policy 10 self-assessment results.

3.62 AGD advised the ANAO that the ‘PSPF does not require the [AGD] to engage in any activities that would involve assessing, validating or providing assurance of the reliability or accuracy of entity self-assessments’.

3.63 AGD relies on entity self-assessment results to report to the government and public on the Australian Government’s security culture and maturity. Previous ANAO audits have identified issues with the accuracy of entity self-reporting on the PSPF, have noted that AGD did not verify the responses provided by entities, and did not identify the accuracy of self-assessments as a risk.[59]

3.64 In designing an assurance framework and determining the appropriate level of assurance required, consideration should be given to the likelihood and impact if a risk were to eventuate, and the effectiveness of controls in place to mitigate the risk. Due to the previous ANAO audit findings of inaccurate or optimistic entity self-assessments, and without an appropriate assurance or evaluation framework, AGD cannot provide accurate advice to the government on the extent to which the PSPF is achieving its information security outcomes.

Recommendation no. 5

3.65 The Attorney-General’s Department implement appropriate assurance and evaluation arrangements to provide the basis for advice to government on the extent to which the Protective Security Policy Framework is achieving its outcomes.

Attorney-General’s Department response: Agreed.

3.66 The advice the Attorney-General’s Department provides to government regarding protective security maturity, arrangements across government and the operation of the PSPF is based on the reporting data received annually from non-corporate Commonwealth entities. The department has arrangements in place to ensure that it receives and appropriately analyses the data from entities, that the calculation model and tools are tested and are operating correctly, and that it provides a report to the Attorney-General in a timely manner.

3.67 The accountable authority of each non-corporate Commonwealth entity is answerable to their minister for their reporting. This is consistent with broader Commonwealth governance arrangements set out in the Public Governance, Performance and Accountability Act 2013 that hold the accountable authority of an entity responsible for their entity’s implementation of a range of whole-of-government policies.

3.68 The department initiated a peer review process pilot for the 2021-2022 reporting period to provide entities with a mechanism to obtain external review of their self-assessment report prior to submission. The peer review process supports entities to improve the accuracy of their reports and provides a forum for information sharing, including sharing best-practice approaches to implementation of PSPF requirements and reporting.

3.69 A total of 12 entities participated in the pilot (approximately 10%) and were matched according to function, size and security profile. Participating entities advised the review assisted their self-assessment process and that their peer review partner provided useful feedback. Some entities modified their reports in response to the peer feedback received prior to submission. AGD intends to extend the peer review pilot for the 2022-23 reporting period with a broader cohort to determine whether the process should be established as an ongoing approach.

3.70 The department has made modifications to the reporting portal and the reporting questions to improve the clarity and accuracy of reporting. It also hosts an annual reporting information session ahead of the opening of the reporting period to support entities to understand their obligations and assist them in accurately completing the survey. The department continues to explore further options to strengthen assurance and evaluation.

ANAO comment

3.71 The report notes at paragraph 3.60 that AGD undertook activities with the intent of supporting entities to improve the accuracy of their own self-reporting. Paragraph 3.61 notes that AGD has not established arrangements to obtain an appropriate level of assurance of the accuracy of entities’ PSPF Policy 10 self-assessment results. Paragraph 3.64 notes that due to previous audit findings of inaccurate entity self-assessments AGD cannot provide accurate advice to government on the extent to which the PSPF is achieving its information security outcomes.

Attorney-General’s Department’s closure of Auditor-General recommendations

3.72 AGD’s business areas are required to prepare recommendation closure reports with associated evidence, and its ARMC is responsible for endorsing the closure of Auditor-General recommendations.

3.73 AGD considered all eight Auditor-General recommendations to be implemented (refer Table 3.5). AGD provided closure reports to the ARMC for the eight recommendations.

  • For six of the eight recommendations, supporting evidence of implementation was provided to the ARMC alongside the closure reports.
  • For one recommendation[60], evidence of implementation was provided to AGD’s assurance section, which advised the ARMC that it ‘has reviewed and confirmed the attachments in the closure report’.
  • For the remaining recommendation[61], supporting evidence of implementation had been provided to the ARMC previously.

3.74 The ARMC agreed to close all eight Auditor-General recommendations.

Australian Federal Police’s parliamentary committee and Auditor-General recommendations

3.75 Table 3.6 contains AFP’s status and the ANAO’s assessment of the implementation of selected parliamentary committee and Auditor-General recommendations. Additional commentary is provided below where the AFP’s status and the ANAO’s assessment differed. Appendix 6 provides the full text of each agreed recommendation.

Table 3.6: Summary assessment of the implementation of agreed AFP parliamentary committee and Auditor-General recommendations [a]

| Recommendation and report | Author | AFP status | ANAO assessment |
|---|---|---|---|
| Recommendation 1, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press | PJCIS | Implemented | Largely implemented |
| Recommendation 1, Australian Federal Police’s Use of Statutory Powers | Auditor-General Report (No. 43 2020–21) | Implemented | Partly implemented |
| Recommendation 2, Australian Federal Police’s Use of Statutory Powers | Auditor-General Report (No. 43 2020–21) | Implementation ongoing | Implementation ongoing |
| Recommendation 3, Australian Federal Police’s Use of Statutory Powers | Auditor-General Report (No. 43 2020–21) | Implementation ongoing | Largely implemented |

Note a: AFP’s status and ANAO’s assessment differed for the recommendations highlighted in the table.

Source: ANAO analysis of AFP information.

3.76 There were three instances where AFP’s status and ANAO’s assessment in Table 3.6 differed.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 1

3.77 The ANAO assessed this recommendation as largely implemented.

3.78 Recommendation 1 was that:

The Committee recommends that the Australian Federal Police and other Commonwealth law enforcement agencies with investigatory powers amend their operating procedures or practices to advise journalists or media organisations when they are no longer persons of interest in an investigation in circumstances where doing so would not jeopardise the future of the investigation.

3.79 AFP drafted and published section 11 of the National Guideline on investigative action involving professional journalists or news media organisations (the guideline) to action this recommendation.[62] The guideline states:

Where a professional journalist or news media organisation knows they are a person of interest in an investigation, consideration must be given to advising them when they are no longer considered to be a person of interest. Such notification should only be given where it would not jeopardise or prejudice the investigation.

3.80 The guideline mandates that the AFP must give consideration to informing journalists when they are no longer a person of interest, but does not require that they are informed when it would not jeopardise an investigation.[63]

3.81 AFP advised that ‘consideration must be given’ was used to allow an investigator to not only consider the exceptions, but also how and when to notify the individual or organisation. The guideline states where the AFP has decided to make such a notification, ‘reasonable steps should be taken to advise [the previous subject of the investigation] in a reasonable timeframe’. The guideline also states:

Consultation with AFP Legal should occur regarding the content or form of any notification to a professional journalist or news media organisation under this section. For instance, the content of such advice might include that it is based on information available at the time and does not preclude the AFP from reconsidering their status as a person of interest.

3.82 The ANAO assessed that the guideline includes appropriate guidance on how and when this notification should occur, separate to the requirement that AFP consider advising a journalist if they are no longer a person of interest.

3.83 As AFP’s National Guideline mandates that consideration must be given, rather than requiring that journalists or media organisations be advised, the ANAO considered AFP’s implementation was less extensive than the recommendation as agreed.

Auditor-General Report No. 43 2020–21 Australian Federal Police’s Use of Statutory Powers, recommendations 1 and 3

Recommendation 1

3.84 The ANAO assessed this recommendation as partly implemented.

3.85 Recommendation 1 was that:

The Australian Federal Police enforces its requirement that section 3E Crimes Act warrants be thoroughly reviewed by at least a supervisor and retain documentary evidence that the review has occurred.

3.86 While AFP updated guidance and training material to clarify the requirement to review section 3E Crimes Act warrants, and document this review, it did not establish a control to enforce this requirement.

3.87 AFP began rolling out a new Investigations Management System (IMS) in March 2023. AFP advised ANAO that the IMS will include system controls to require and record the review of search warrants.

3.88 AFP’s actions fell well short of the intent of the recommendation.

Recommendation 3

3.89 The ANAO assessed this recommendation as largely implemented.

3.90 Recommendation 3 was that:

The Australian Federal Police implement a systematic quality assurance process for its section 3E Crimes Act warrant application, execution and documentation.

3.91 While AFP has implemented a quality assurance process, the process is not systematic as there is no documented sampling approach or frequency of audits. AFP advised it plans to conduct an annual or biennial audit of 3E Crimes Act search warrants’ compliance with guidance, including the requirement that warrants be thoroughly reviewed. AFP advised these audits would use representative or whole-of-population sampling.

3.92 AFP finalised the first of these audits in October 2022. Beyond a planned 2023 audit, AFP has not committed to this approach as an ongoing activity, and planning documents do not reference a representative or whole-of-population approach to sampling.

3.93 AFP’s actions fell short of the intent of the recommendation.

Australian Federal Police’s closure of recommendations

3.94 AFP’s IOCBoM is responsible for closing parliamentary committee recommendations. AFP considered the one PJCIS parliamentary committee recommendation to be implemented (see Table 3.6). The IOCBoM did not receive a request to close, or agree to close, this recommendation. In March 2021, the Sensitive Investigations Oversight Board[64] approved the guideline discussed in paragraph 3.79, which AFP advised implemented the recommendation, but did not close the recommendation.

3.95 AFP’s ARC is responsible for endorsing Auditor-General recommendations for closure. AFP considered one of the three Auditor-General recommendations implemented (see Table 3.6), which the ARC endorsed for closure in November 2021. For this recommendation, AFP internal audit advised the ARC that it ‘has confirmed the implementation of the management actions’. No evidence was provided to the ARC to support closure.

Office of the Commonwealth Director of Public Prosecutions’ Auditor-General recommendations

3.96 Table 3.7 contains CDPP’s status and ANAO’s assessment of the implementation of selected Auditor-General recommendations. Additional commentary is provided below where the CDPP’s status and the ANAO’s assessment differed. Appendix 7 provides the full text of each agreed recommendation.

Table 3.7: Summary assessment of the implementation of agreed CDPP Auditor-General recommendations [a]

| Recommendation and report | Author | CDPP status | ANAO assessment |
|---|---|---|---|
| Recommendation 1, Case Management by the Office of the Commonwealth Director of Public Prosecutions | Auditor-General Report (No. 28 2019–20) | Implemented | Implemented |
| Recommendation 2, Case Management by the Office of the Commonwealth Director of Public Prosecutions | Auditor-General Report (No. 28 2019–20) | Implemented | Largely implemented |
| Recommendation 3, Case Management by the Office of the Commonwealth Director of Public Prosecutions | Auditor-General Report (No. 28 2019–20) | Implemented | Partly implemented |
| Recommendation 4, Case Management by the Office of the Commonwealth Director of Public Prosecutions | Auditor-General Report (No. 28 2019–20) | Implemented | Partly implemented |

Note a: CDPP’s status and ANAO’s assessment differed for the recommendations highlighted in the table.

Source: ANAO analysis of CDPP information.

3.97 There were three instances where CDPP’s status and ANAO’s assessment in Table 3.7 differed.

Auditor-General Report No. 28 2019–20 Case Management by the Office of the Commonwealth Director of Public Prosecutions – recommendations 2, 3 and 4

Recommendation 2

3.98 The ANAO assessed this recommendation as largely implemented.

3.99 Recommendation 2 was that:

CDPP establish a process to utilise existing data to monitor case management efficiency in terms of the average cost involved in processing referrals, including in conducting brief assessments and prosecutions.

3.100 CDPP established the ‘Average Cost Dashboard’ (the dashboard) tool that uses existing data from three CDPP systems — TechnologyOne, caseHQ and the Effort Allocation Tool (EAT) — to present information on the average cost of processing referrals.[65] The action taken by CDPP was less extensive than the agreed recommendation, as the dashboard does not provide a breakdown on the average cost for phases such as brief assessment and prosecution.

3.101 CDPP advised the ANAO that the existing data within CDPP’s systems does not allow for this further breakdown of average cost information in the dashboard. While at least one system contains information on the status of a matter by phase, CDPP advised that ‘it is not currently possible to accurately match existing EAT effort data to caseHQ phase data without significant manual intervention’. Updates to the ELG and CDPP’s Audit Committee did not detail constraints around the data across the three systems. CDPP further advised the ANAO that it is ‘in the early stages of planning for a new case management system, with consideration to be given to improved business system functionality/data integration’.

Recommendation 3

3.102 The ANAO assessed this recommendation as partly implemented.

3.103 Recommendation 3 was that:

CDPP establish appropriate timeliness targets for each brief complexity category, formally communicate these to investigative agencies, and detail the results and methodology in the annual report.

3.104 CDPP retained its original target for 85 per cent of brief assessments to be completed within 90 days. CDPP did not establish separate timeliness targets for each brief complexity category, which did not address the intent of the recommendation to drive timeliness across all brief complexities.[66]

3.105 CDPP advised it:

considered the Auditor-General’s Recommendation 3 very carefully and ultimately determined that retaining the universal 90-day KPI for each complexity was appropriate. For timeliness, the benefits of the simplicity of a single target and it being accepted in the CDPP and by partner agencies was recognised as significant. The CDPP was concerned about prioritising the completion of less complex matters over higher risk and more important matters, as well as diluting the KPI as a driver for the completion of all matters.

3.106 While CDPP communicated its timeliness target to investigative agencies in a document available on its Partner Agency Portal[67], the methodology and results for CDPP’s timeliness target were not detailed in its 2021–22 Annual Report.

3.107 CDPP implemented processes but decided to implement less extensive actions than the recommendation as agreed.

Recommendation 4

3.108 This recommendation consists of three parts. The ANAO assessed each part of this recommendation separately and has assessed the whole recommendation as partly implemented.

3.109 Recommendation 4 was that:

CDPP improve the reliability and completeness of performance criteria presented in its corporate plan and annual performance statements by establishing:

(a) a process to provide assurance that prosecutors are adhering to the Prosecution Policy of the Commonwealth when assessing briefs and conducting prosecutions;

(b) a consistent, robust and transparent methodology for the surveying of investigative agency satisfaction; and

(c) a case management efficiency criterion in the annual performance statement.

Recommendation 4(a)

3.110 The ANAO assessed this part of the recommendation as implemented.

Recommendation 4(b)

3.111 The ANAO assessed this part of the recommendation as largely implemented.

3.112 CDPP established a new methodology for surveying partner agency satisfaction in 2020, and published the methodology in its 2019–20 and 2021–22 Annual Reports.[68] The new methodology set out that respondents were selected from two groups.

  • The first group was a sample of case officers from a random selection of cases. The number of respondents per agency reflected the frequency of referrals made to CDPP. This group accounted for two-thirds of identified respondents.
  • The second group was a targeted sample of contacts who were identified by CDPP prosecutors as staff from partner agencies who had significant dealings with CDPP. This group accounted for one-third of identified respondents.

3.113 The methodology did not detail how the CDPP would present or consider data from the two groups of respondents or the response rates for each group. The results included in CDPP’s 2019–20 and 2021–22 Annual Reports did not include information on which entities the respondents were from, or if this was proportionate with each entity’s involvement with CDPP. CDPP also did not provide a transparent breakdown of the survey results received from the random and targeted sample groups. Case study 1 discusses the 2022 survey results and how these were communicated in CDPP’s 2021–22 Annual Report. CDPP implemented processes but did not achieve a component of the agreed outcome of the recommendation to establish a transparent methodology.

Case study 1. CDPP’s 2022 partner agency satisfaction survey results

The 2022 survey results were included in the 2021–22 Annual Report. CDPP presented the overall response rate but did not state the separate response rates or differences in the results from the random and targeted sample groups. The results did not specify if the responses were proportionate for each entity’s engagement with CDPP. Forty-four per cent of responses were from group one (random sample), and 56 per cent were from group two (targeted sample). This response rate did not reflect the proportions of identified respondents published in the methodology (one-third from the targeted sample and two-thirds from the random sample).

CDPP reported a satisfaction rate of 86 per cent. Group one (random sample) had a satisfaction rate of 82 per cent, while group two (targeted sample) had a satisfaction rate of 88 per cent. The difference in the responses from the two samples, which could result in bias, was not communicated with the results.

Opportunity for improvement

3.114 CDPP could improve the transparency of its reporting on the proportion of the random and targeted samples in the results of the partner agency satisfaction survey published in the CDPP’s annual report.

Recommendation 4(c)

3.115 The ANAO has assessed this part of the recommendation as not implemented.

3.116 CDPP investigated options for an efficiency criterion between April 2020 and March 2022, and decided not to develop a case management efficiency criterion or report publicly on case management efficiency in its annual performance statements. CDPP advised the ELG it could not identify a suitable performance efficiency criterion for external reporting. CDPP developed a performance and efficiency framework to internally monitor efficiency. This framework and its results are not externally reported. In March 2022, CDPP advised its Audit Committee ‘that a watching brief be maintained by Senior Management for a suitable performance efficiency measure.’ ELG did not document a commitment to maintain a ‘watching brief’ when it closed the recommendation in April 2022.

3.117 CDPP did not implement the recommendation as agreed.

Office of the Commonwealth Director of Public Prosecutions’ closure of recommendations

3.118 CDPP considered all Auditor-General recommendations implemented (refer Table 3.7). As identified in paragraph 2.68, the closure of recommendations occurs through the ELG and the Audit Committee. While there is no documented requirement for CDPP to develop a closure report or provide evidence of actions implemented, the ELG agreed in April 2020 that ‘when the recommendation is fully implemented a finalised paper will be provided to the ELG’.

3.119 The process to close the four Auditor-General recommendations was inconsistent.

  • CDPP proposed closure of three recommendations in updates or papers to the ELG. The ELG agreed to close these recommendations. For two of these recommendations, after receiving an update, the Audit Committee advised members of the ELG that it supported the closure of the recommendations.
  • For one recommendation, ELG noted the traffic light report which included the ‘closed’ status of the recommendation.
  • For two recommendations, the Audit Committee noted the ‘closed’ status reported against the recommendations in the traffic light report and did not comment on closure.
  • Evidence of implementation was provided for all four recommendations either to the ELG or to the Audit Committee in previous updates on implementation progress.[69]

Appendices

Appendix 1 Entity responses

Response from the Attorney-General’s Department. A summary of the response can be found in the summary and recommendations chapter.

ANAO comment on the Attorney-General’s Department response

  1. The report notes in paragraphs 3.63 and 3.64 that due to previous audit findings of inaccurate entity self-assessments and without an appropriate assurance or evaluation framework, AGD cannot provide accurate advice to government on the extent to which the PSPF is achieving its information security outcomes.

Response from the Australian Federal Police. A summary of the response can be found in the summary and recommendations chapter.

Page one of the response from the Commonwealth Director of Public Prosecutions. A summary of the response can be found in the summary and recommendations chapter.

Page two of the response from the Commonwealth Director of Public Prosecutions. A summary of the response can be found in the summary and recommendations chapter.

ANAO comment on the Office of the Commonwealth Director of Public Prosecutions response

  1. The report notes in Table 2.6 and paragraph 3.17 that the Executive Leadership Group received updates on the implementation of Auditor-General recommendations. Note d to Table 2.6 provides context on the number of ELG meetings held in the period examined, including advice provided by the CDPP.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny, improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2022–23 Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • The Attorney-General’s Department documented its process to respond to, monitor and implement Auditor-General recommendations.
  • The Attorney-General’s Department amended its Audit and Risk Management Committee charter to include responsibility to endorse the closure of JCPAA recommendations.
  • The Australian Federal Police initiated risk-based reporting on the implementation of Auditor-General recommendations to its Audit and Risk Committee.
  • The Office of the Commonwealth Director of Public Prosecutions amended its Executive Leadership Group terms of reference to include responsibility to oversee the response to parliamentary committee and Auditor-General recommendations.

Appendix 3 Previous audits in the series examining the effectiveness of Australian Government entities’ implementation of parliamentary committee and Auditor-General recommendations

1. This is the fifth in a series of performance audits that examine the effectiveness of Australian Government entities’ implementation of agreed recommendations from parliamentary committee and Auditor-General reports. The previous audits in the series are listed below.

  • Auditor-General Report No. 6 2019–20, tabled in August 2019, examined entities in the Agriculture and Infrastructure portfolios. It found the four selected entities had not effectively demonstrated implementation of all agreed recommendations examined by the audit. The report made four recommendations to finalise the implementation of recommendations, and improve governance and executive oversight of the implementation of recommendations. Three recommendations were directed to the entities included in the audit, and one to the Department of the Prime Minister and Cabinet, to ‘reinforce the responsibility of accountable authorities to monitor and implement agreed parliamentary committee recommendations.’
  • Auditor-General Report No. 46 2019–20, tabled in June 2020, examined entities in the Health and Education portfolios. It concluded that nothing came to the ANAO’s attention that the entities had not implemented applicable parliamentary committee and Auditor-General performance audit recommendations. The report found entities implemented all parliamentary committee recommendations agreed to in the period 1 July 2016 to 30 June 2017. It also noted general arrangements to respond to, monitor and manage parliamentary committee recommendations required improvement.
  • Auditor-General Report No. 34 2020–21, tabled in April 2021, examined the Department of Defence. Of the 32 agreed recommendations examined in the audit, the ANAO found 15 were implemented, six were largely implemented, four were partly implemented and seven were not implemented. The report concluded that the Department of Defence had appropriate governance arrangements to respond to, monitor and implement Auditor-General performance audit recommendations, and partially appropriate governance arrangements for parliamentary committee recommendations.
  • Auditor-General Report No. 25 2021–22, tabled in May 2022, examined the Department of Home Affairs. With respect to the 25 agreed recommendations examined, the ANAO assessed 16 as implemented, two as largely implemented, three as partly implemented, one as not implemented, and three as implementation ongoing. The report concluded the Department of Home Affairs had largely fit-for-purpose arrangements to respond to, monitor and implement agreed recommendations.

Appendix 4 Agreed parliamentary committee recommendations for AGD between January 2020 and June 2021

Report name and recommendation number

Recommendation

Joint Committee of Public Accounts and Audit, Report 485: Cyber Resilience Inquiry into Auditor-General’s Reports 1 and 13 (2019–20), recommendation 1

The Committee recommends that the Attorney-General’s Department provide an update on its implementation of external moderation models/benchmarking processes, to verify Commonwealth entities’ reported compliance with cybersecurity requirements, including implementation timeframes.

Joint Committee of Public Accounts and Audit, Report 485: Cyber Resilience Inquiry into Auditor-General’s Reports 1 and 13 (2019–20), recommendation 2

The Committee recommends that the Attorney-General’s Department:

  • provide an update on the levels of cyber security maturity within Commonwealth entities and the feasibility of mandating the Essential Eight across Commonwealth entities, including the threshold of cyber security maturity required by Government to impose this mandate, and expected timeframes; and
  • report back on any impediments to mandating the Top Four mitigation strategies for government business enterprises and corporate Commonwealth entities.

Joint Committee of Public Accounts and Audit, Report 485: Cyber Resilience Inquiry into Auditor-General’s Reports 1 and 13 (2019–20), recommendation 3

The Committee recommends that the Australian Government (the Attorney-General’s Department) ensure that the framework of 13 behaviours and practices developed by the Australian National Audit Office (ANAO) play a greater role in the implementation and improvement of a cyber resilience culture within Commonwealth entities, including that:

  • the Protective Security Policy Framework (PSPF) be amended to reflect or incorporate the behaviours and practices framework, including for auditing purposes, to maximise alignment between the PSPF and the ANAO’s audit framework; and
  • a dedicated section be created within the annual PSPF self-assessment questionnaire addressing the ANAO’s 13 behaviours and practices that facilitate a cyber resilience culture.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 6

The Committee recommends that, as part of its upcoming review of all secrecy provisions in Commonwealth legislation (in accordance with the recommendation of this Committee in its Advisory Report on the National Security Legislation Amendment (Espionage and Foreign Interference) Bill 2017) the Attorney-General’s Department specifically consider whether the relevant legislation adequately protects public interest journalism.

The Committee also recommends that this ongoing review be prioritised for finalisation and report by June 2021.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 7

The Committee recommends the Government give consideration to whether defences for public interest journalism should be applied to other secrecy offences within relevant Commonwealth legislation. Any additional defences should be based on the defence provided by section 122.5(6) of the Criminal Code Act 1995.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 9

The Committee recommends that the Government formally responds to the recommendations of the Review of the Public Interest Disclosure Act 2013: An independent statutory review conducted by Mr Philip Moss AM before the completion of the Senate Environment and Communications References Committee’s inquiry into press freedom.

The response should include consideration of:

  • Amending the Public Interest Disclosure Act 2013 (PID Act) to make it easier to understand for both disclosers and agencies;
  • Simplifying the public interest test in the PID Act;
  • Strengthening the reprisal protection provisions in the PID Act; and
  • Improving alignment between public and private sector whistleblower regimes.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 10

The Committee recommends that the Public Interest Disclosure Act 2013 be amended to require the following occur when a Public Interest Disclosure is made by an official connected to an intelligence agency regarding the actions of that agency:

  • the originating agency report a Public Interest Disclosure to the Inspector General of Intelligence and Security within 24 hours if it is indicated as urgent by the discloser, or as soon as possible after the disclosure is made, but within the current 14 day required timeframe; and
  • the originating agency maintain contact and notification with the Inspector General of Intelligence and Security during the 90 day investigation window to outline investigation progress and potential outcome timelines, including possible extensions.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 11

The Committee recommends that the Australian Government provide for the mandatory reporting of aggregated statistics, related to numbers and timeframes of all Public Interest Disclosures, to be made to the Parliament every six months by the Attorney-General.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 13

The Committee recommends that training on the application of the Protective Security Policy Framework requirements for sensitive and classified information be made compulsory for all relevant Commonwealth officers and employees.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 15

The Committee recommends that the Australian Government promote consideration of harmonisation of State and Territory shield laws through National Cabinet, with relevant updates incorporated to expand public interest considerations, and to reflect the shifting digital media landscape.

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 16

The Committee recommends that the Australian Government review and prioritise the promotion and training of a uniform Freedom of Information culture across departments, to ensure that application of the processing requirements and exemptions allowed under the Freedom of Information Act 1982 are consistently applied.

Source: Joint Committee of Public Accounts and Audit, Report 485: Cyber Resilience Inquiry into Auditor-General’s Reports 1 and 13 (2019–20), and Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.

Appendix 5 Agreed Auditor-General recommendations for AGD between January 2020 and June 2021

Report name and recommendation number

Recommendation

Auditor-General Report No. 48 2019–20, Management of the Australian Government’s Lobbying Code of Conduct - Follow-up Audit, recommendation 1

Attorney-General’s Department establish effective governance processes for the implementation of the recommendation made in Auditor-General Report No. 27 of 2017–18, Management of the Australian Government’s Register of Lobbyists. This includes ensuring appropriate senior management engagement; that responsible officers understand the recommendation’s intent; and that an implementation plan with achievable activities and milestones is in place.

Auditor-General Report No. 48 2019–20, Management of the Australian Government’s Lobbying Code of Conduct - Follow-up Audit, recommendation 2

Attorney-General’s Department evaluate the sufficiency of the current regulatory regime for lobbying, and provide advice to Government about whether the regime is able to achieve the regulatory objective of promoting public trust in the integrity of government processes through ensuring that contact between lobbyists and Government representatives is conducted in accordance with public expectations of transparency, integrity and honesty.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 2

The Attorney-General’s Department perform and document risk assessments for any patches not implemented in accordance with the requirements of the Australian Government Information Security Manual and its policies, including defining an action plan for managing the risks associated with not implementing those patches.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 4

The Attorney-General’s Department improves the processes for documenting risk assessments and monitoring cyber security events, to assure itself that actions taken against cyber security events are performed consistently and appropriately.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 7

The Attorney-General’s Department:

  1. develops a strategy and sets a timeframe to improve its cyber security maturity to the ‘Managing’ level for PSPF Policy 10;
  2. provides clear reporting to its governance committees to enable oversight on the progress of its work to improve its Essential Eight maturity; and
  3. monitors the progress of its work to improve its Essential Eight maturity against the set timeframe and through appropriate governance structures.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 9

The Attorney-General’s Department reviews the existing maturity levels under the PSPF maturity assessment model to determine if the maturity levels are fit-for-purpose and effectively aligned with the Essential Eight Maturity Model, having regard to the Australian Signals Directorate’s proposed update to the Essential Eight Maturity Model.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 10

The Attorney-General’s Department further improves the guidance on PSPF Policy 10 to clarify:

  1. the correlation of the maturity levels in the PSPF and Essential Eight maturity models, and their implementation requirements;
  2. the scope of the maturity level calculation suggested by the reporting portal and how entities can more accurately determine their selected PSPF maturity level; and
  3. the assessment against the requirement to consider the implementation of the remaining 29 mitigation strategies, and the merit of its inclusion in the PSPF Policy 10 maturity level calculation.

Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities, recommendation 11

The Attorney-General’s Department implements arrangements to obtain an appropriate level of assurance on the accuracy of entities’ PSPF Policy 10 self-assessment results.

Source: Auditor-General Report No. 48 2019–20, Management of the Australian Government’s Lobbying Code of Conduct - Follow-up Audit, and Auditor-General Report No. 32 2020–21, Cyber Security Strategies of Non-Corporate Entities.

Appendix 6 Agreed parliamentary committee and Auditor-General recommendations for AFP between January 2020 and June 2021

Report name and recommendation number

Recommendation

Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, recommendation 1

The Committee recommends that the Australian Federal Police and other Commonwealth law enforcement agencies with investigatory powers amend their operating procedures or practices to advise journalists or media organisations when they are no longer persons of interest in an investigation in circumstances where doing so would not jeopardise the future of the investigation.

Auditor-General Report No. 43 2020–21, Australian Federal Police’s Use of Statutory Powers, recommendation 1

The Australian Federal Police enforces its requirement that section 3E Crimes Act warrants be thoroughly reviewed by at least a supervisor and retain documentary evidence that the review has occurred.

Auditor-General Report No. 43 2020–21, Australian Federal Police’s Use of Statutory Powers, recommendation 2

As a matter of urgency, the Australian Federal Police should implement an Electronic Data and Records Management System (EDRMS) to allow it to store records so that they are secure and readily accessible. It should cease its reliance on network drives.

Auditor-General Report No. 43 2020–21, Australian Federal Police’s Use of Statutory Powers, recommendation 3

The Australian Federal Police implement a systematic quality assurance process for its section 3E Crimes Act warrant application, execution and documentation.

Source: Parliamentary Joint Committee on Intelligence and Security, Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press, and Auditor-General Report No. 43 2020–21, Australian Federal Police’s Use of Statutory Powers.

Appendix 7 Agreed Auditor-General recommendations for CDPP between January 2020 and June 2021

Report name and recommendation number

Recommendation

Auditor-General Report No. 28 2019–20, Case Management by the Office of the Commonwealth Director of Public Prosecutions, recommendation 1

CDPP revise management dashboard reporting to ensure that supervisors can readily access key efficiency-related information, including case officer activities during triage and suspension periods, actions taken to encourage early resolution, and time recording compliance.

Auditor-General Report No. 28 2019–20, Case Management by the Office of the Commonwealth Director of Public Prosecutions, recommendation 2

CDPP establish a process to utilise existing data to monitor case management efficiency in terms of the average cost involved in processing referrals, including in conducting brief assessments and prosecutions.

Auditor-General Report No. 28 2019–20, Case Management by the Office of the Commonwealth Director of Public Prosecutions, recommendation 3

CDPP establish appropriate timeliness targets for each brief complexity category, formally communicate these to investigative agencies, and detail the results and methodology in the annual report.

Auditor-General Report No. 28 2019–20, Case Management by the Office of the Commonwealth Director of Public Prosecutions, recommendation 4

CDPP improve the reliability and completeness of performance criteria presented in its corporate plan and annual performance statements by establishing:

  1. a process to provide assurance that prosecutors are adhering to the Prosecution Policy of the Commonwealth when assessing briefs and conducting prosecutions;
  2. a consistent, robust and transparent methodology for the surveying of investigative agency satisfaction; and
  3. a case management efficiency criterion in the annual performance statement.

Source: Auditor-General Report No. 28 2019–20 Case Management by the Office of the Commonwealth Director of Public Prosecutions.

Footnotes

1 Australian National Audit Office, Audit Insights: Implementation of recommendations [Internet], ANAO, 2021, available from https://www.anao.gov.au/work/audit-insights/implementation-recommendations-0 [accessed 13 February 2023].

2 Parliament of Australia, Committees, [Internet], Parliament of Australia https://www.aph.gov.au/Parliamentary_Business/Committees [accessed 28 February 2023].

3 First audit: Auditor-General Report No. 6 2019–20 Implementation of ANAO and Parliamentary Committee Recommendations — Agriculture and Infrastructure Portfolios.

Second audit: Auditor-General Report No. 46 2019–20 Implementation of ANAO and Parliamentary Committee Recommendations — Education and Health Portfolios.

Third audit: Auditor-General Report No. 34 2020–21 Implementation of ANAO and Parliamentary Committee Recommendations — Department of Defence.

Fourth audit: Auditor-General Report No. 25 of 2021–22 Implementation of Parliamentary Committee and Auditor-General Recommendations — Department of Home Affairs.

4 A machinery of government change occurs when the government changes the management of Commonwealth responsibilities. On 23 June 2022, the Governor-General approved a new Administrative Arrangements Order from 1 July 2022.

5 CDPP delivers a national prosecution service across matters including: terrorism, human trafficking and slavery, money laundering, child exploitation, cyber crime, workplace safety, environmental crimes, corruption and copyright offences.

6 AGD shared the Secretary of the Department of the Prime Minister and Cabinet’s letter with its portfolio entities, including CDPP, in August 2020. AFP advised it could not locate a record of this letter. In August 2020, AFP was part of the Home Affairs portfolio.

7 JCPAA reports are presented in the reports of both the President and the Speaker. The President of the Senate presented two reports and the Speaker of the House presented one report on the status of government responses in 2022.

8 There were discrepancies between the Senate and House reporting on joint committee reports.

9 See Table 1.4.

10 See Table 1.1.

11 The Prime Minister and Cabinet Tabling Guidelines specifies that government responses are led by Commonwealth departments; therefore, AFP and CDPP do not lead government responses.

See: Department of the Prime Minister and Cabinet, Tabling Guidelines, PM&C, Canberra, 2022, p. 11.

12 ELG is the CDPP’s ‘key advisory group to the Director on strategy, governance, policy, practice management, risk management, performance, planning and reporting, and significant operational issues of national interest.’ Members include the CDPP Director, the Commonwealth Solicitor for Public Prosecutions, CDPP Deputy Directors and Practice Group Leaders, and the Chief Corporate Officer.

13 See paragraphs 1.10 and 1.11.

14 The PJCIS report on press freedom was tabled on 21 August 2020. The Department of Home Affairs, as the lead department for the response, requested AFP’s input to the proposed government response by 2 October 2020. AFP provided its response on 2 October 2020. The government response was tabled on 16 December 2020.

15 AGD’s Risk Management Policy, which links key risk management framework resources, was approved in February 2020. AFP’s National Guideline on Risk Management was last reviewed by the AFP Commissioner in June 2021, and links to key risk framework documents. CDPP’s Risk Management Policy was released in October 2020, and is supported by a Risk Management Framework.

16 See Figure 2.1 and Figure 2.2.

17 This was the Strategic Operations Steering Committee (SOSC). The SOSC aimed to assist ‘the [Chief Operating Officer] to advise the Executive Board about the department’s needs, priorities and culture, and supports the Executive Board’s oversight of the implementation of the Future AGD model.’ AGD advised the SOSC was dissolved prior to the department establishing new governance arrangements in October 2021.

18 AGD began monitoring the implementation of JCPAA recommendations in August 2021.

19 Australian National Audit Office, Audit Insights: Implementation of recommendations [Internet], ANAO, 2021, available from https://www.anao.gov.au/work/audit-insights/implementation-recommendations-0 [accessed 13 February 2023].

20 AFP’s Audit and Risk Committee charter does not require the committee to consider and have oversight of parliamentary committee review recommendations or AFP’s mechanisms to implement these.

21 See paragraph 2.24.

22 The CDPP Director is the accountable authority of the CDPP.

23 Refer to paragraph 2.25.

24 Requests to report on implementation or closure can be included in the recommendation text or after it is issued by the relevant committee or its secretariat.

25 The request for updates was made in the text of the recommendations in JCPAA Report 485 Cyber Resilience Inquiry into Auditor-General’s Reports 1 and 13 (2019–20).

26 Auditor-General Act 1997, section 19.

27 The assurance section within AGD reports to the Chief Audit Executive, and is responsible for managing AGD’s internal audit function, coordinating ARMC meetings, and coordinating and tracking the implementation of ANAO and JCPAA recommendations.

28 AGD agreed in principle to recommendation 11 from Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities.

29 AGD did not assign risk ratings to Auditor-General recommendations prior to December 2022.

30 For example, assigning business areas responsibility for implementing recommendations.

31 The Commonwealth Solicitor is an SES band three equivalent position in CDPP.

32 CDPP included some closed recommendations in some reports to the ELG and Audit Committee. This was not a consistent practice.

33 In a performance audit, the Auditor-General can identify opportunities for improvement. Opportunities for improvement do not require a response from entities and were not assessed in this audit.

34 See paragraph 2.48.

35 The JCPAA did not request written updates on the implementation of any other recommendations in the period examined.

36 AGD also uses an Excel spreadsheet to track when government responses to parliamentary committee reports have been tabled. As discussed in paragraph 2.35, AGD did not monitor the implementation of parliamentary committee recommendations.

37 LEX is a legal department and contract management system. AFP has customised this system to monitor the implementation of agreed recommendations.

38 CDPP does not have a system to monitor parliamentary recommendations and had no agreed parliamentary committee recommendations in the period examined.

39 AGD advised it had not ‘had an opportunity to continue progressing this work due to staffing changes and capacity.’

40 Most recently, Auditor-General Report No. 25 of 2021–22 identified the Department of Home Affairs used PDMS to monitor its responses to parliamentary committee reports.

41 Previous versions of the monitoring document provided to the ARMC contained all agreed Auditor-General recommendations in the period examined.

42 The monitoring document contained three agreed parliamentary committee recommendations (27 per cent), until these were closed and removed from the tracker in August 2021. Some of AGD’s agreed non-JCPAA Parliamentary Committee recommendations were tracked by implementation areas, but were not monitored or reported to oversight bodies at an enterprise level.

43 Controls over the IT processes that support the continued proper operation of the IT systems and environment, including IT Security management, IT change management and backup and recovery processes.

44 This was a project plan for AFP’s Digitisation Phase One, which planned AFP’s procurement and implementation of an Electronic Document Records Management System.

45 AFP advised it allocated the recommendation to the Director of Strategic Communications because the recommendation addressed a sensitive issue. In practice, the Lawler Review Implementation team implemented this recommendation.

46 CDPP did not have parliamentary committee recommendations within the scope of this audit, see Table 1.4.

47 ARMC held 15 meetings between January 2020 and December 2022.

48 As discussed in paragraph 3.3, AGD did not require implementation plans, but developed planning documents for 12 of the 19 recommendations.

49 See paragraph 2.79.

50 AFP provided two updates on activities related to implementing the recommendation to the Lawler Review Implementation Oversight Board and one update to the Sensitive Investigations Oversight Board.

51 ARC held 15 meetings between January 2020 and December 2022.

52 There were 45 meetings in total between January 2020 and December 2022. This includes ELG meetings and meetings of the ELG and Assistant Directors. The CDPP advised that this included meetings held to manage the CDPP’s response to the COVID-19 pandemic. Eleven meetings occurred either before the report was tabled or after CDPP considered all four recommendations to be closed.

53 The number of updates varied depending on the time the recommendation was open.

54 The recommendation was implemented four weeks after its due date.

55 The PSPF sets out the government’s protective security policy and comprises five principles, four outcomes and 16 core policies.

56 The guidance within the October 2022 version of PSPF Policy 10 instead indicated that to meet the ‘minimum requirements’ in the PSPF maturity model, entities must implement ‘Maturity Level Two’ for each of the eight essential mitigation strategies.

57 In October 2022, AGD updated PSPF Policy 5 to rename the four maturity levels within the PSPF maturity model. AGD renamed the previous levels of ‘Ad hoc’, ‘Developing’, ‘Managing’ and ‘Embedded’ as ‘Maturity Level One’, ‘Maturity Level Two’, ‘Maturity Level Three’ and ‘Maturity Level Four’.

58 The Government Security Committee is a cross-entity committee with responsibility for oversight of whole-of-government protective security policy.

59 Auditor-General Report No. 27 2021–22 Administration of the Revised Protective Security Policy Framework; and Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities.

60 Recommendation 7, Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities.

61 Recommendation 2, Auditor-General Report No. 48 2019–20 Management of the Australian Government’s Lobbying Code of Conduct – Follow-up Audit.

62 The guideline also partially addressed a recommendation made in the Review into the AFP’s Response to and Management of Sensitive Investigations undertaken by Mr John Lawler AM APM. This report was out of scope of this audit.

63 This is the same exception included in the recommendation.

64 The Sensitive Investigations Oversight Board is a decision-making body within the AFP responsible for overseeing and providing strategic direction and management of sensitive AFP investigations.

65 The CDPP receives various referrals from Commonwealth and state and territory agencies. For example, a ‘brief assessment referral’ involves the CDPP considering a brief of evidence provided by an investigative agency, such as the AFP, on whether charges should be laid.

66 Auditor-General Report No. 28 2019–20 (paragraph 12) found the 85 per cent within 90 days brief assessment target did not drive timeliness across the full spectrum of brief complexity.

67 Representatives from 47 of the 51 agencies that referred matters to CDPP in the 2021–22 financial year had access to the Partner Agency Portal. CDPP advised that three of the agencies which did not have access to the partner agency portal referred matters for which the timeliness target did not apply.

68 CDPP conducts the partner agency satisfaction survey biennially and did not conduct the survey in financial year 2020–21. The results from this survey are used to report against performance measure two in CDPP’s annual performance statements.

69 For one recommendation, evidence of actions implemented was provided to the ELG at the meeting at which the ELG agreed to close the recommendation. For three recommendations, evidence was provided at earlier meetings.