The Census of Population and Housing

1.1 The Census of Population and Housing (the Census), undertaken by the Australian Bureau of Statistics (ABS), is Australia’s largest data collection exercise. The purpose of the Census is to accurately measure the number and key characteristics of all people in Australia, Norfolk Island, and the Territories of Cocos (Keeling) Islands and Christmas Island on Census night every five years.

1.2 Census data includes information on the size of the population, the number of dwellings and other characteristics (Box 1). Data is collected about both individuals and dwellings on a household basis. The 2016 Census counted almost 10 million dwellings and 23.4 million people across Australia. The Census includes people on board vessels in or between Australian ports, or on long-distance trains, buses or aircraft, people entering Australia from overseas before midnight on Census night, and Australian residents in Antarctica.

Source: ABS, 2016 Census Household Form.

1.3 Data collected from the Census is to be used for a range of purposes including:

• informing public policy such as infrastructure and service planning;
• underpinning public funding to different levels of government;
• setting electoral boundaries; and
• supporting research on Australia’s economic, social and cultural make-up.

1.4 The Census and Statistics Act 1905 requires that a Census be conducted every five years.³ The Act:

• empowers the ABS to collect statistical information on a broad range of demographic, economic, environmental and social topics;
• enables the ABS to direct a person to provide statistical information, in which case they are legally obliged to do so;
• requires the ABS to publish the results of these statistical collections; and
• places a life-long obligation on all ABS officers to maintain the secrecy of information collected under the Act, and provides harsh penalties for those who fail to do so.

1.5 The Census is a significant undertaking for the ABS, involving up to seven years of work from planning to the final release of data. The 2016 Census cost $491 million and involved approximately 38,000 field staff. The ABS budget for the 2021 Census from 2016–17 to 2022–23 is $565 million. Census funding is based on a cyclical model that uses the funding from the previous Census as a base and then applies adjustments:

• plus — 10 per cent for increase in the number of dwellings, and the complexity of enumerating these dwellings and their residents⁴;
• less — efficiency dividend (5 years cumulative); and
• plus — indexation (5 years cumulative).

1.6 The 2021 Census will be Australia’s 18th Census. The ABS has three key objectives for the 2021 Census.

• Smooth running — the Census experience is easy, simple and secure.
• Strong support — governments, businesses and the community have confidence in the Census and there is a high level of community participation.
• High quality data — Census data is high quality and widely used to inform on areas of importance to Australia.

The Australian Bureau of Statistics

1.7 The ABS is Australia’s national statistical agency, providing official statistics on a wide range of economic, social, population and environmental matters of importance to Australia. The primary functions, duties and powers of the ABS are set out in the Australian Bureau of Statistics Act 1975, the Census and Statistics Act 1905 and the Public Governance, Performance and Accountability Act 2013.

1.8 The ABS is a non-corporate Commonwealth entity led by the Australian Statistician — a statutory office established by the Australian Bureau of Statistics Act 1975. The Australian Statistician is the accountable authority for the ABS.

1.9 In addition to the Census, the ABS conducts economic, population, social and environmental surveys, and produces a range of statistical products such as: monthly labour force estimates; the National Accounts; and causes of death statistics. The ABS is funded primarily though departmental appropriation, and in the 2019 Budget had total resourcing of $533 million with an average staffing level of 2562.

1.10 The ABS has an Executive Board in place, chaired by the Australian Statistician. The role of the Executive Board is to provide strategic oversight of the ABS and advice to the Australian Statistician on direction, policy, priorities, and to ensure the efficient, economical and ethical operations of the ABS.

1.11 Although there is an enforceable legal requirement for persons to participate in the Census, the ABS primarily relies on individuals’ cooperation to provide data, including for the Census. Census data collection relies heavily on public confidence and trust in the ABS’ information handling and security arrangements.

Conduct of the 2016 Census

1.12 The 2016 Census was the first Census to be ‘digital first’, whereby the ABS sought to obtain 65 per cent of responses through an online ‘eCensus’ form.⁵ The ABS contracted its previous information technology (IT) provider to deliver the 2016 eCensus website.

1.13 During the Census on 9 August 2016, the eCensus website was subject to a number of distributed denial of service (DDoS) attacks. This occurs where an attacker uses other (compromised) computers and devices to request content from the target system. If a large number of requests are made, an attack can limit the system’s ability to respond to legitimate traffic. One of the reviews after the 2016 Census described the failure of multiple IT controls:

• some IT equipment had incorrect settings, which meant it could not be effectively restarted;
• one of the telecommunications providers did not effectively implement restrictions on overseas computers accessing the eCensus form (geoblocking⁶);
• this provider shared its network with another telecommunications provider, in such a way that if one could not service the eCensus, neither could the other;
• network connectivity issues resulted in network monitoring systems reporting incorrect levels of outbound traffic data, prompting internal concerns eCensus data may have been compromised; and
• one of the telecommunications providers did not enable its DDoS attack mitigation for the data centre.⁷

1.14 The DDoS attacks, combined with these failures, prompted the ABS to close the online form. The ABS reopened the online form on the afternoon of 11 August 2016. The key events are outlined in Figure 1.1.

Figure 1.1: Key events in the 2016 Census

Note a: A DDoS attack is designed to disrupt or degrade an online service by flooding the system with traffic, consuming and diverting resources needed to support normal operations. A DDoS attack is not a hack, a breach, or a compromise, where data are exfiltrated or altered. However, they can be used as a cover to divert attention and resources during exfiltration.

Source: ABS, 2016 Census Overview [Internet], ABS, Canberra, 2018, available from https://www.abs.gov.au/websitedbs/D3310114.nsf/Home/Assuring%20Census%20Data%20Quality [accessed 30 April 2020] and A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security Culture and Practices across the Australian Government, PMC, Canberra, 2016, pp. 12–19, 32–33.

1.15 The ABS closed the online form because its contractor’s network performance monitoring system indicated a spike in unexplained outbound traffic. The ABS and the contractor were concerned that the outbound traffic could include personal information from the Census as a result of unauthorised access. The ABS and the contractor determined at 2am on 10 August 2016 that there was no actual increase in outbound traffic from ABS systems, and hence no risk to personal information. Most likely, network connectivity problems led to delays in receiving data, which presented as a spike.⁸ Later investigations confirmed there was no unauthorised access to data.⁹

Reviews and recommendations

1.16 The Senate, PMC, and the ABS initiated reviews into the events on Census night, ABS governance and the implications for cyber security across the Australian Public Service (APS). See Box 2.

Note a: Includes the two sets of additional comments at the end of the Committee’s report.

Source:  A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security Culture and Practices across the Australian Government, PMC, Canberra, 2016; Economic References Committee, The Senate, 2016 Census: issues of trust, 2016; and Census Independent Assurance Panel to the Australian Statistician, Report on the Quality of 2016 Census Data, ABS, Canberra, 2017, p. iii.

1.17 In total, the three Census reviews made 36 recommendations, 29 of which were directed at the ABS and agreed.¹⁰ The ABS has publicly stated its commitment to learn from the experience of the 2016 Census in conducting the 2021 Census.

1.18 In 2017–18, the ANAO conducted a performance audit of the ABS’ risk management of the Statistical Business Transformation Program. The report concluded that risk management arrangements to support the implementation of the Statistical Business Transformation Program were effective except for the requirement to monitor and assess risk treatments and take corrective action. It also found that the ABS enterprise-wide risk management framework was not fully effective.¹¹

Rationale for undertaking the audit

1.19 The failure of multiple IT controls during the 2016 Census reinforced the need for the ABS to implement robust planning arrangements for the 2021 Census including for cyber security, procurement, and review recommendations. An audit of the ABS’ preparedness for the 2021 Census would provide assurance on whether the ABS is on track to delivering its objectives for the Census.

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess whether the ABS is effectively preparing for the 2021 Census.

1.21 In assessing this objective, the following three high-level criteria were adopted:

• Has the ABS established appropriate oversight frameworks for the Census?
• Is the ABS taking appropriate steps in developing IT systems for the Census?
• Is the ABS effectively addressing key Census risks, implementing Census recommendations and ensuring timely delivery of the 2021 Census?

1.22 The scope of the audit covered the ABS’ preparations for the 2021 Census from December 2016 into 2020, particularly in higher-risk areas such as IT system development and cyber security. The audit also included the initiation, planning and early delivery of key projects to support the Census, and the implementation of recommendations from the three reviews (refer Box 2). The audit did not examine lower-risk aspects of the Census, such as inability to recruit staff, delays in releasing Census data and the design of the Census form.

Audit methodology

1.23 The audit methods included: examination of policies and documents; reviewing IT policies and testing the ABS’ systems; testing a sample of Census-related procurements; and interviewing relevant ABS officials and stakeholders.¹²

1.24 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $644,000.

1.25 The team members for this audit were David Monk, Edwin Apoderado, Amanda Reynolds, Sonya Carter, David Willis, William Richards, Zhiying Wen, Danielle Page, Jason Ralston, Lesa Craswell and Mark Rodrigues.

2.1 As noted at paragraph 1.1, the Census is the largest statistical collection undertaken in Australia and one of the most significant exercises of the ABS. Effective preparation and conduct of each Census requires appropriate oversight from senior management, including the Australian Statistician. To assess whether the ABS has established appropriate oversight frameworks for the Census, the ANAO examined whether the ABS has in place appropriate:

• planning and governance arrangements;
• risk framework;
• project management practices; and
• arrangements to conduct the Census efficiently.

Does the ABS have appropriate planning and governance arrangements for the Census?

2.2 Section 15 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the Australian Statistician, as the accountable authority, to govern the ABS in a way that promotes proper use and management of public resources and promotes the achievement of the purposes of the entity.¹³ Appropriate planning supported by effective government arrangements supports the proper use of resources towards the achievement of the objectives of the ABS in relation to the Census.

Planning for the 2021 Census

2.3 The ABS has developed a series of plans for activities to support the Census. These plans were developed progressively from 2017 and include:

• 2017 — governance, scope, budget and content consultation with stakeholders;
• 2018 — risk management and the schedule of key supporting activities¹⁴ (which included the major procurements of the website, the call centre and outsourced recruitment);
• 2019 — the revised schedule and the plans for staffing, data quality, internal communication, and quality gates (review points); and
• 2020 — the stakeholder management plan.

2.4 The ABS does not have an overarching plan for the Census. Without an overarching plan, it was not possible to determine whether the various activity plans were developed on time, in accordance with a broader schedule. The lack of an overarching plan limits the ability to view the various activity plans as a cohesive and integrated whole with reference to the purpose of the Census, key legislative requirements and a single schedule of milestones.

2.5 In the absence of an overarching plan, the ANAO reviewed whether the activity plans as a whole covered an appropriate range of planning considerations. Across these plans, key responsibilities, review points, risk management arrangements and an activity schedule, including dependencies with other projects, were set out.

2.6 The planning materials for the Census did not link the objectives of the Census to the Census and Statistics Act 1905, the Census and Statistics Regulation 2016 and other relevant legislative requirements. As a consequence activities to support the 2021 Census may not fully align with legislative requirements such as transferring documents to the archives, Census topics, and enforcement.

2.7 There is merit in the ABS developing an overarching high-level plan to assist in aligning and integrating Census-related activity plans under a common objective and better position the ABS to monitor the status of the Census project overall. Arrangements for monitoring the status of Census activities are examined from paragraph 2.47.

Governance framework

2.8 In 2017, the ABS established high-level governance arrangements for the Census, separate to the existing ABS governance and assurance structures of the ABS Executive Board and Audit Committee. An overview of the governance structure for the Census is presented in Figure 2.1.

Figure 2.1: Overview of the governance structure for the Census

Note a: The Risk Advisory Panels meet as required.

Source: ANAO analysis of ABS documentation.

2.9 The governance structure sets out the roles and functions of the main individuals and committees responsible for Census activities:

• Census Executive Board (CEB) — Chaired by the Australian Statistician and comprising the ABS’ three Deputy Australian Statisticians as well as three external members, is responsible for oversight of the strategic direction of the Census, including policy, priorities and direction, and monitors planning, development, operation and delivery¹⁵;
• Census Delivery Committee (CDC) — Chaired by the Senior Responsible Officer (a Deputy Australian Statistician) and comprising 13 members including two external members, is responsible for monitoring and reviewing progress of the Census program and advising the Board¹⁶;
• Senior Responsible Officer — the Deputy Australian Statistician for the Census and Data Services Group is responsible for refining the acceptable risk profile, risk thresholds and risk controls for 2021 Census and its constituent projects;
• Program Assurer — commissioned by the ABS to provide assurance and risk management advice to the Senior Responsible Officer, the CEB and the CDC;
• Risk Advisory Panels — they cover communications and citizen experience, security and ICT, and finance and they are chaired by the relevant General Manager;
• Census General Manager, Program Managers, Project Managers and the Census Program Management Office — reside within the ABS Census Division, are responsible for Census project management and reporting; and
• the General Manager and relevant Program Managers of the Technology and Security Division — are members of the CDC and the Security and ICT Risk Advisory Panel.

2.10 The CEB and CDC meet quarterly. The CDC meets one month before the CEB. The ABS advised that, since July 2020, the CDC has also had a presentation based meeting between each of its formal meetings.

2.11 The governance framework covers an appropriate range of matters. The terms of reference for the two oversight committees include membership, roles and frequency of meetings. Senior personnel and committees have decision-making responsibilities and other officials have operational duties. Key responsibilities include:

• the CEB has a general monitoring function, the CDC has a monitoring and review function across specific areas (for example the integrity of the risk register and whether delivery elements are within the agreed scope and budget), and the Senior Responsible Officer is to ensure the Census is reviewed at appropriate stages;
• the CDC and the Program Management Office are both responsible for monitoring benefits realisation; and
• the Senior Responsible Officer is responsible for managing relationships with key stakeholders generally and the Census General Manager is responsible for relationships with specific key stakeholders (for example government privacy bodies, government central agencies, and parliamentarians).¹⁷

2.12 The governance framework describes high-level reporting arrangements. The Senior Responsible Officer and the CDC are to report to the CEB at least three times a year. There is also a requirement for the Senior Responsible Officer to provide an annual report to the CEB covering the overall progress against the Census objectives, risk management, and communication and stakeholder updates.

Implementation of the governance framework

2.13 The ANAO examined the extent to which the ABS had implemented its governance framework for the Census, including whether the CEB acted in accordance with its terms of reference.

2.14 The CEB was required to review reports from the Senior Responsible Officer at least three times a year, which it did. It met quarterly and considered a range of reports on Census progress at each meeting. The CEB was required to have a quorum of the majority of its members at each meeting, which occurred.

2.15 Members of the CEB are required to declare interests at the start of each meeting. The minutes of the CEB recorded this occurring at all 10 applicable meetings between August 2017 and December 2019. This included one meeting where an external member declared their interest in a procurement and the CEB agreed not to discuss the procurement at the meeting.

2.16 The CEB is also required to receive an annual report on the Census covering progress against the three Census objectives¹⁸, risk management, and updates on public communications and stakeholder management. Papers and updates were provided on Census risk management and public communications. The CEB did not receive an annual report or any overall reporting on the three objectives after finalising the governance plan in August 2017.

2.17 In the absence of this general reporting, the ANAO tested reporting for a key aspect of each of the three objectives: major procurements (smooth running); privacy (strong support); and data quality targets (high quality data). The CEB received two types of reporting: summaries of recent actions (termed here as activity reports) and more detailed commentary requiring a decision or assessing progress against the schedule (analytical reports). Reporting to the CEB on key project elements is focussing on major procurements, as outlined in Table 2.1.

Table 2.1: Reporting to the Census Executive Board on key project elements for the 2021 Census, to March 2020

Note a: Major procurements comprise information technology (IT) systems, the call centre and the outsourcing of field staff recruitment.

Note b: Activity reports summarise recent actions. Analytical reports represent matters requiring a decision or providing an assessment against the schedule.

Note c: ABS officials prepared a Census data quality plan that covered data improvement priorities, statistical risk management and managing the statistical effect of changes to the Census. The CEB received a plan on data improvement priorities only.

Note d: Five of the seven activity reports on stakeholders related to consultations within the Australian Government. Footnote 17 describes the ABS’ priority relationships.

Source: ANAO analysis of CEB papers and minutes.

2.18 While the CEB is the decision-making authority for the Census, it does not have an overarching plan to form an overall view of the Census as a program. Further, it has not received reports on progress in achieving its objectives for the Census. The development of an overarching Census plan and the provision of reporting in accordance with its governance framework would strengthen the effectiveness of the ABS’ planning and governance arrangements.

Does the ABS have an appropriate risk framework for the Census?

2.22 The PGPA Act requires that entities establish and maintain an appropriate system of risk oversight and management. The Commonwealth Risk Policy requires entities to comply with nine elements, which reflect the fundamentals of effective risk management. It aims to embed risk management as part of the culture of entities where the shared understanding of risk leads to well-informed decision making.

ABS risk framework

2.23 The ABS has a risk management framework in place, approved by the accountable authority through the ABS Executive Board in November 2019. The ABS Risk Framework consists of the ABS Risk Management Policy, ABS Risk Appetite by category of risk, Risk Management Manual that operationalises the risk policy, and the ABS Risk Governance and Accountability arrangements.

2.24 The ABS uses a distributed risk governance model to provide oversight of risk, with program managers responsible for ensuring risk is within acceptable levels. While the ABS Executive Board has overarching responsibility for the oversight of risk, other committees are charged with facilitating discussion and ensuring that risk is being managed appropriately across the ABS. The ABS have a Chief Risk Officer in place, who is responsible for maintaining the ABS Enterprise Risk Management Framework, and risk management procedures and systems.

2.25 As a non-corporate Commonwealth entity, the ABS is required to implement the Commonwealth Risk Management Policy, which includes 22 specific requirements organised in nine policy elements.¹⁹ The ANAO assessed the extent to which the ABS Risk Management Framework complied with the Commonwealth Risk Management Policy.

2.26 Of the 22 requirements in the Commonwealth Risk Management Policy, the ABS Risk Management Framework met 20 and partly met two requirements. The ABS Risk Framework does not contain information on how risks are to be communicated to external stakeholders and does not fully detail the entity’s approach to embedding risk management into existing business processes.²⁰

Census risk framework

2.27 In March 2018 the ABS established its Census Risk and Issues Management Plan. The ABS has revised that plan on five occasions to July 2020. The July 2020 version of the Census Risk and Issues Management Plan includes the Census Risk Appetite, risk and issues management process and approach, risk and issues templates, control assurance, escalation and reporting, and roles and responsibilities, including the role of the program assurer.

2.28 Under this Plan, the ABS has identified strategic and operational risks for the Census. High rated strategic risks are:

• the ABS fails to deliver high quality data fit for purpose;
• the ABS experiences a reduction in ‘social licence’ or loses the confidence of government, the Parliament and other key stakeholders;
• the 2021 Census digital service (online channel) is unavailable or unable to effectively mitigate cyber attacks;
• the ABS is unable to reach, engage and motivate the public to participate in the Census and does not achieve target response rates;
• the ABS is unable to, or is perceived to be unable to, protect 2021 Census data; and
• the Aboriginal and Torres Strait Islander participation rate is the same as 2016 or worsens.

2.29 The three Risk Advisory Panels, noted at paragraph 2.9, cover communications and citizen experience; security and ICT; and finance. There are no records to indicate why the Risk Advisory Panels were established to cover these particular risks and not other risks. The purpose of the Risk Advisory Panels is to alert the Census program to emerging risks; assess the adequacy and implementation of controls; and ensure that residual risks are managed by sound recovery and continuity strategies. At August 2020, the panels had not been convened.²¹

2.30 The ABS has engaged a program assurer for the Census since July 2018. The program assurer has produced an Assurance Map which outlines the assurance activities in progress, completed and proposed in the next year. This map is based on project milestones, risks and issues, direct requests from the ABS, and insights from the program assurer. However, as noted at Table 2.2, the Assurance Map is not well aligned with the extreme inherent risks or risks controls of the Census.

2.31 The ANAO reviewed the Census Risk and Issues Management Plan against 29 elements of the ABS Risk Management Framework.²² The Plan is partly consistent with the ABS Framework, with 20 elements mostly or fully consistent. However, there were some differences in elements such as: no treatment owner or timeframes for completion of treatment included in risk registers; no inclusion of a target risk rating; and insufficient detail²³ in risk reporting requirements in governance committees’ terms of reference. The ABS should ensure that the Census Risk and Issues Management Plan is consistent with the ABS Framework, to support the effective management of risk consistent with Government expectations.

Audit Committee review of Census risks

2.32 The ABS has established an Audit Committee, in accordance with section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) and section 45 of the PGPA Act. The role of the Audit Committee is to provide independent advice and assurance to the accountable authority of an entity on the appropriateness of the entity’s accountability and control framework. According to the PGPA Rule, the functions of an audit committee must include reviewing the appropriateness of the entity’s financial reporting; performance reporting; system of risk oversight and management; and system of internal control.

2.33 The Audit Committee has a Charter approved by the Australian Statistician that contains most of the elements recommended by the Department of Finance.²⁴ Of the eight elements, the Charter fully or mostly met seven, and did not meet the element to state the period of Audit Committee membership appointment. Although the Charter does not explicitly include provisions for the Census, it states that the role of the Audit Committee is to review and provide advice on how the ABS manages its key risks, including those associated with projects, program implementation and activities.

2.34 The Audit Committee has also considered broader ABS risks relevant to the Census, including the ABS Risk Framework refresh, performance statements work and the Fraud Control Plan. Though the developments to the ABS Risk Framework were discussed, strategic ABS risks were not regularly provided to the Audit Committee until July 2018.

2.35 The Audit Committee has not been kept fully appraised of Census-related activities, risks and program assurance. Starting in May 2019, the Audit Committee received updates on Census program risks and related risk management. The reviews completed by the Census program assurer were not provided to the Audit Committee. While the ABS provided a summary of completed reviews to its Audit Committee in November 2019, the findings and recommendations from those reviews were not outlined.

2.36 In May 2020 the ABS provided an update on Census security, privacy, risk landscape, and postponement of the Operational Readiness Exercise to the Audit Committee. The program assurer provided further verbal updates on the assurance program work. Information on completed assurance reviews, findings and recommendations were not provided to the Audit Committee.

2.37 The Audit Committee has not commissioned internal audits of planning and preparation for the 2021 Census. A proposed internal audit of the Census did not proceed.²⁵ Previous internal audits provided to the Audit Committee relevant to the Census program included Records Destruction and the Australian Census Longitudinal Dataset 2016.

2.38 The ABS Audit Committee is not well positioned to provide consistent oversight of risks and assurance related to the 2021 Census. Given the role of the Audit Committee in providing assurance to the accountable authority, and the materiality of the Census to the objectives of the ABS, there is scope for the ABS to further engage its Audit Committee on its preparation for the 2021 Census.²⁶

Appointment of the program assurer

2.39 The ABS engaged a program assurer for the Census program in July 2018. The program assurer had previously been contracted to provide specialist program management services and advice to the Census program. The services to be provided under the program management advice contract included:

• leading the development of the ABS business case to Government on additional funding for the 2021 Census;
• supporting the leadership of the Program Management Office (PMO) and Program Manager, including advising on the development of program management documentation, assisting to identify milestones and the critical path, and building risk management capability;
• building and embedding project managing capability, practices and processes, as well as training and mentoring staff; and
• assisting with the development of reporting capability.

2.40 During the procurement, the ABS tender evaluation committee identified that using the same firm for both services was a conflict of interest risk, and sought further information from the firm about managing the conflict.²⁷ The ABS considered the further information provided by the firm and ceased the program advice contract in June 2018.

2.41 The ABS advised the ANAO that the program assurer’s approach to managing the conflict was to use different teams and leadership than when they provided project management advice. The program assurer also advised that it put a range of other measures in place, including restricting contact between teams, and systems based controls. The ABS did not document this approach in the initial meeting with the firm, in the tender evaluation committee evaluation, or in the spending proposal to the delegate.

2.42 The CEB has been appraised of the assurer’s activities. The program assurer attends CEB meetings, which have an item for interest declarations. The program assurer did not advise of any interests at these meetings. The CEB was made aware of the conflict of interest, and received advice that, as a result, the project advice contract would cease.

2.43 By ending one of the contracts, the ABS has taken an action to limit the conflict of interest risk. However, it was not clear that the ABS considered, during the procurement, that there may be a conflict of interest if that firm is to provide assurance related to its previous advice. There is scope for the ABS to brief the delegate on the actions that will be undertaken to manage such interests during procurements, to ensure any potential or perceived conflicts will be effectively managed.

Role of the program assurer

2.44 With limited oversight from the Audit Committee and lack of internal audit coverage, the Census program primarily relies on the program assurer to review the effectiveness of Census preparation and identify areas for improvement.²⁸ The program assurance function is to undertake regular reviews of key risk and issues areas, and report on identified risk and issues management to the CEB. The program assurer also conducts less formal discovery assurance sessions, such as seminars and workshops. The program assurer regularly attends CEB meetings and presented reports and updates to it.

2.45 The program assurer has conducted eight reviews and two discovery assurance sessions in the period October 2018 to March 2020. The assurance reports cover various aspects of program delivery, such as digital service, program planning and program testing coverage. However, the assurance products do not fully align with the inherent extreme risks to the Census as identified by the ABS. This is outlined in Table 2.2.

Table 2.2: Mapping of assurance work to inherent extreme program risks

Key: ◆ aligned; ▲ partly aligned; ■ not aligned; – no comparable item.

Source: ANAO analysis.

2.46 The Assurance Map is not solely based on the extreme inherent risks or risk controls of the Census. As a consequence, six of 10 products of the program assurer address inherent extreme risks to the Census (including Aboriginal and Torres Strait Islander participation rate, protecting Census data, and digital service risks). The ABS does not have assurance on three of the nine inherent extreme Census risks. The ABS does not oversee the implementation of agreed actions from the assurance products.

Is the ABS implementing appropriate project management practices for the Census?

2.47 Appropriate project management practices assist entities to ensure that project activities are undertaken in accordance with plans, issues are addressed as they arise, timeframes are met and the intended outcomes of projects are achieved. To assess the ABS’ management of projects, the ANAO examined the ABS’ arrangements for monitoring projects and the implementation of those arrangements.

Project monitoring arrangements

2.48 Project management arrangements were scoped out of the ABS Census governance framework. In the period from December 2016 to October 2019, the ABS did not have Census-specific policies or plans to monitor and control projects. Significant activity occurred during this time, such as developing the content, approving key plans and policies, and conducting major procurements.

2.49 From August 2018, the Program Manager met with the General Manager and the Senior Responsible Officer on the progress of Census activities and escalated related issues.²⁹ The ABS retained the agendas for these meetings, which were held at least monthly from June 2019. It did not retain records of decisions made or reporting back on escalated issues to the Senior Responsible Officer.

2.50 The Program Manager held ‘weekly stand up’ meetings with the Census Leadership Group from February 2018 to report on progress across the Census.³⁰ Attendees verbally reported on their area against four standard dot points.

2.51 In April 2019, the program assurer completed a review into how the ABS was managing the 2021 Census, in particular planning, monitoring and control, scope, and budget. It found that the ABS’ planning and control mechanisms for the 2021 Census demonstrated a transition to program management. However, a more consistent and integrated approach was required for effective delivery. The monitoring and control recommendations were that the ABS develop:

• a monitoring policy and guidance, which it agreed to implement by the end of May 2019; and
• a change policy to assess the impacts of proposed changes, which it agreed to implement without setting a deadline.

2.52 In October 2019, the program assurer completed a follow-up review and found that the ABS was in the process of implementing the recommendations. This review recommended that the ABS’ monitoring policy include a comparison against an established schedule. In December 2019 the ABS established Census-specific project status report guidance which outlined a process for project monitoring including risks, issues and progress against schedules.

2.53 The ANAO tested the Census project monitoring framework against the four relevant review recommendations and found the ABS had implemented three. The recommendations examined by the ANAO covered the frequency of reporting, agreed tolerances for red/amber/green status, the Senior Executive Service (SES) officers to receive the reports, and that reporting includes a comparison against planned progress (the critical path and mid-level schedule). The monitoring policies and procedures did not cover the timeliness of the reporting. This omission increases the chance that the reports are out of date when they are distributed.

2.54 The ABS committed to developing the framework by the end of May 2019 and did so in early October 2019. The ABS developed a draft process for assessing and approving changes to components of the Census budget in January 2020 and approved it in July 2020. The approval of the change process included comment that the ABS was trialling it in the first half of 2020 but the change documentation reviewed by the ANAO did not reference it.

Implementation of project monitoring

2.55 Since November 2019, managers of the 25 Census overarching projects are required to submit a monthly report to the PMO. The reports are to be based on a template prepared by the PMO and include the progress of the project, dependencies, risks, and issues, as well as the status of the project overall. The PMO is then to combine the completed templates into a report to the Program Manager and General Manager that presents commentary, the current and historical status of each overarching project, and the status of the Census overall. The Program Manager and General Manager then report to the Senior Responsible Officer by exception.³¹

2.56 The Program Manager and General Manager for the Census received monthly reporting from December 2019 onwards. The ANAO conducted sample testing on the use of the templates from December 2019 to April 2020 and found that, at the 95 per cent confidence level, the project leaders used the templates, filled them out, and that the reported status was consistent with the information provided. The PMO reviewed the 25 reports submitted for April 2020 and found they did not fully reconcile with the information in the project management software. The PMO conducted follow up reviews for the May reports, which were more consistent with the software data.

2.57 The ABS did not establish timeframes for the PMO to report to the Program Manager and General Manager. The ANAO examined the time period between the managers’ reporting deadline and when the PMO distributed the combined report to the SES project owners. For four of the six monthly reports from December 2019 to May 2020, the time lag was seven calendar days or less. For December 2019 it was 11 days and for April 2020 it was 14 days. There is merit in the ABS including in its project management arrangements a target period for reporting to the SES.

2.58 The ANAO tested whether the reporting to the SES described remedial action for overarching projects that were rated amber or red. Out of 64 cases where the ABS rated an overarching project amber or red, it described remedial action in 27 cases, as outlined in Table 2.3.

Table 2.3: Reported remedial action for Census overarching projects rated amber or red, November 2019 to May 2020

Source: ANAO analysis of ABS records.

2.59 The ABS finalised its change policy for the Census in July 2020. The program assurer recommended a change process so that the ABS would know the full consequences of variations to Census activities, particularly in relation to the schedule and the budget. The PMO developed a template in February 2020 for making changes to project names and dates.³² The template includes:

• an assessment of impacts on other parts of the Census;
• what internal consultations have been conducted to support this conclusion; and
• Program Manager approval of date changes.

2.60 The ANAO examined whether the ABS considered the schedule and budget when it approved changes to the Census plan, by reviewing the project change register which had been in place since October 2019. Up to early April 2020, the register comprised 37 changes, of which 16 covered minor matters such as renaming parts of the plan. Excluding these, the analysis covered 21 changes, of which eight added detail to the plan and 13 considered the impact of the change on the Census schedule, or stated that dependencies were being managed.

Is the ABS making arrangements to conduct the Census efficiently?

2.61 Section 15 of the PGPA Act requires the Australian Statistician, as the accountable authority of the ABS, to promote the proper use and management of public resources for which the authority is responsible. Section 8 of the PGPA Act defines ‘proper’ to include efficiency.

2.62 The Auditing and Assurance Standards Board defines efficiency as the ‘performance principle relating to the minimisation of inputs employed to deliver the intended outputs in terms of quality, quantity and timing’.³³

Efficiency measures at the ABS

2.63 Section 16E of the PGPA Rule 2014 requires Commonwealth entities to include performance measures in their corporate plans to indicate how they will assess their performance in achieving the entity’s purposes. The Department of Finance guidance states that ’Good performance measures will provide meaningful information on an entity’s purpose in terms of the effectiveness and efficiency of activities focused on that purpose.’³⁴

2.64 The ABS corporate plan had measures for public trust in its statistics, partnerships with outside organisations, and new statistics for emerging priorities. It did not have an efficiency measure for the Census or an efficiency measure for its activities generally.³⁵ Omitting an efficiency measure from its corporate plan limits the ability of the ABS to demonstrate to the public and the Parliament that it is properly managing the public resources for which it is responsible.

2.65 The ABS commissioned an internal audit into its performance measures, which reported in April 2020. The report noted that the ABS was not proposing an efficiency measure in its corporate plan for 2020–21 and recommended that the ABS consider one. Management responded that it would investigate an efficiency measure, including benchmarking against other countries’ statistical organisations.

Census efficiency measurement

2.66 The ABS measures its efficiency in conducting the Census through the calculation of cost per capita. The purpose of this measure is to compare relevant inputs (dollars) against relevant outputs (each person counted). While the ABS has not established an efficiency target for the Census, the measure has been used to identify trends over time and benchmark against other Census collection bodies.

ABS Census efficiency over time

2.67 The measure, as calculated by the ABS, suggests an efficiency gain from $22.72 per capita in 2011 to an estimated $21.74 per capita in 2016, as outlined in Figure 2.2. Examples of factors that have increased the costs of conducting the Census up to and including the 2011 Census are:

• a higher proportion of people in the workforce means there are fewer people at home, requiring more visits from field staff;
• an increase in the number of secure apartments, which require more time for field staff to gain access;
• fewer people per dwelling; and
• difficulty recruiting field staff, meaning that full time ABS employees must travel to some locations to conduct fieldwork.³⁶

2.68 Internal ABS data indicated an efficiency improvement between 2011 and 2016. The ABS attributed this improvement in efficiency to cost savings through the use of an address register. This means the ABS can mail 80 per cent of households before the Census and invite people to participate in the Census online. The ABS advised it does not send field staff to households that participate online, which has reduced costs.

Figure 2.2: Census costs per capita, 2018 dollars

Source: ABS documentation.

2.69 While the ABS has retained data on aggregate Census costs from 1987–88 to 2015–16 it was unable to provide the ANAO with information about the components of these costs. Further, the ABS does not have documented procedures to calculate the measure. Without the underlying cost data and established procedures, the ANAO was unable to provide assurance on the validity and reliability of the ABS’ reported Census efficiency measure.

2.70 In the absence of a valid and reliable efficiency measure, the ANAO used information published by the ABS to develop a proxy measure of efficiency. This efficiency data is reproduced in Figure 2.3. It shows a drop in Census efficiency between 1996 and 2001, and then efficiency varying around $20 per head from 2001 to 2016. The efficiency improvement between 2011 and 2016 was $0.99 per capita.

Figure 2.3: Cost per capita, of the total Census and of field staff, 2020 dollars

Note: The ABS’ financial statements for 1995–96 and 1996–97 did not separately report salaries and superannuation for Census field staff.

Source: ANAO analysis of published ABS data.

2.71 Figure 2.3 also shows a decrease in field staff costs (salaries and superannuation) from 2011 to 2016, which correlates with the ABS’ efficiency measure.

Comparisons against other countries

2.72 The value of direct international comparisons of Census efficiency between countries can be limited due to variation in population distribution (impacting on economies of scale), varying data collection methods, and the frequency of Census collection (influencing retention of knowledge). The United Nations Economic Commission for Europe (UNECE) collects Census costs per capita from national Census collecting bodies, standardises the cost results and publishes each 10-year Census cycle for a selection of countries grouped by Census collection methods.³⁷

2.73 The most recent UNECE report that included cost per capita data from Australia was published in 2008. The report used the ABS efficiency measure from the 2006 Census and ranks Australia in the middle of a group of countries with similar Census methods. Australia’s cost per capita, when standardised to units in US dollars was just under the group average, as outlined in Table 2.4.

Table 2.4: Measure of per capita Census costs, countries grouped by Census method

Note a: Purchasing power parity units in US dollars. This measure is based on the purchasing power in the different countries standardised into one common measuring unit.

Note b: England and Wales.

Source: UNECE, Measuring population and housing: Practices of UNECE countries in the 2000 round of Censuses, 2008, p. 41.

Use of the efficiency measure

2.74 The CEB considered opportunities to improve efficiency with neither the savings nor the associated costs quantified. Since 2017, the ABS has made use of its Census efficiency measure and available cost data, including:

• August 2017 — the CEB considered time series data on Census efficiency and some sensitivity analysis of its budget;
• June 2018 — the CEB considered a range of savings measures (such as re-using the enumeration systems from 2016) and performance targets (online and self-response rates) which, combined with the efficiency dividend, would deliver $90.1 million in savings; and
• December 2018 — the CEB considered that it would not realise these savings and it had commenced negotiations with government on increased funding.³⁸

2.75 The inclusion of an enterprise efficiency measure in its performance measurement framework would better position the Australian Statistician to demonstrate proper use of public resources, as per section 15 of the PGPA Act. In addition, the development of procedures to calculate the Census cost per capita would support the validity of the measure and reliability over time. Together, the efficiency measures will provide greater insight into whether any efficiency gains in the preparation and conduct of the Census are being complimented or off-set by changes in the efficiency of other areas of the ABS.

3.1 Conducting a successful Census requires the ABS to establish appropriate processes to manage and secure its IT systems, collect and store data and manage the delivery of services by contractors. IT systems should support the ABS to demonstrate that it is meeting its legal and policy requirements, including but not limited to:

• Australian Bureau of Statistics Act 1975;
• Census and Statistics Act 1905;
• Public Governance, Performance and Accountability Act 2013 (PGPA Act);
• Privacy Act 1988;
• Australian Government Protective Security Policy Framework (PSPF);
• Australian Signals Directorate Information Security Manual (ISM); and
• Archives Act 1983.

3.2 To assess whether the ABS is effectively developing IT systems for the 2021 Census, the ANAO reviewed the ABS’ development of a Census IT framework, data handling practices, cyber security measures and procurement for IT suppliers.

Does the ABS have an appropriate IT framework for the Census?

3.3 ISACA defines an IT framework as covering the policies and procedures to manage an entity’s IT environment and support business objectives.³⁹ The IT framework can consist of IT architectures, such as principles and standards, to support and guide the development of systems and applications. The ANAO reviewed the ABS’ enterprise IT framework, its integration with the Census IT framework and its implementation of controls for managing changes to its IT systems.

ABS enterprise IT framework

3.4 An enterprise IT strategy sets out the direction for an entity’s IT investment and supports consistency with business goals and objectives. The ABS has developed an IT Strategy to support its 2025 strategic priorities. The IT Strategy was endorsed by the Executive Board in June 2019.

3.5 The enterprise IT strategy specifies strategic alignment with program and business areas through initiatives in areas such as the Digital Census and the ABS Statistical Business Transformation Program. The ABS has in place further strategies at the program and business area levels, including for the Census. Governance frameworks have been established to support the implementation of the strategies at the program and business area levels.⁴⁰

3.6 The ABS has defined an Architecture Governance Framework for its IT systems to ensure that systems conform to approved architecture specifications. Consistent with the Framework, the ABS has established an Architecture and Design Working group within the ABS Technology Services Division. The ABS has not implemented other governance structures specified in the Framework, such as an Architecture Committee and a Statistical and Data Process Optimisation Working Group.

3.7 The ABS has over 30 systems that support the operation of the Census and other ABS business areas. The ABS informed the ANAO that there are several architectures in use throughout the ABS, however, these architectures have not been consistently used to build ABS systems.⁴¹ The ABS chose not to implement intended controls across all systems due to the age of some systems. The ABS is focussing on aligning its important and newer systems, such as the Census eForm, with the architectures. The flexible application of architectures and controls across systems may increase the risk that ABS systems do not comply with legislation and policy requirements.

3.8 The ABS has not fully developed an enterprise architecture, which raises risks that systems:

• may not align to strategic goals;
• cannot efficiently and effectively adapt to changes in environment and requirements; and
• are not interoperable (that is, they cannot work together where required).

Integration with the Census IT framework

3.9 The ABS has established a program-level strategy for the 2021 Census. The 2021 Census ICT Strategy specifies the strategies for supporting the 2021 Census such as the 2021 Census Investment Strategy.

3.10 The ABS Technology Services Division is responsible for managing the 2021 Census Investment Strategy. The Technology Services Division lead attends meetings of the Census Executive Board and provides updates to the ABS Executive Board, as required, in accordance with the Census governance framework.

3.11 The ABS has not developed a systematic process, with thresholds in place, for escalating issues related to the 2021 Census Investment Strategy. Escalation is driven by officials raising concerns with the Program Management Office, with the Program Management Office then determining whether to raise the issue with the Census Executive Board. There is a risk that the Board does not have oversight over emerging risks to critical success factors.

3.12 The major Census systems⁴² were built individually and have their own architectures. These systems did not utilise a common enterprise architecture during implementation. The ABS has not fully developed processes for ensuring alignment of existing Census systems with its enterprise architectures.

3.13 In April 2020 the ABS appointed a Data Architect to improve the management of Census data across ABS systems, including alignment of systems with enterprise architectures and required privacy controls. However, in the absence of an integrated IT framework, the ABS does not have an appropriate level of assurance that IT systems are aligned across its program and business area strategies, including the 2021 Census ICT Strategy, and that each is contributing to the required priorities.

System change controls

3.14 Change management is the process of designing, programming, testing and migrating system changes to the end user environment. Appropriate change management processes are important to prevent inconsistent and unauthorised changes being made. The ANAO reviewed the ABS’ change management processes at the enterprise and Census program levels and its implementation of system change controls.

Control implementation

3.15 The ABS has an established enterprise-wide process for managing system changes. Changes are to be presented to the Change Advisory Board for approval before migration to the ABS IT environment. The ABS uses a change management tool to approve and monitor requests for system changes. The Change Manager documents approved changes and reports major changes to the relevant fortnightly branch meetings. Approved requests are implemented by the relevant support team within the production environment.

3.16 The ABS has implemented development, testing and production environments to help control and segregate changes between production versions of applications. The ABS has defined officials who are responsible for approving system changes for particular systems. These officials are referred to as the owners of those systems.

3.17 The ABS has developed a draft test strategy for the 2021 Census to support the testing, review and approval of changes, including how changes interact with other programs such as Next Generation Infrastructure projects. The Census 2021 Test Strategy states how particular types of changes are treated and what artefacts are required to support decision making.

3.18 The ABS has small teams providing support for multiple systems and environments, increasing the risk that activities are not appropriately segregated and changes are made to production systems without approval. While the ABS monitors change requests throughout its enterprise-wide change management process, the monitoring focuses on change requests that have been submitted within the change management tool. The monitoring process does not address the risk of implemented changes that have not been requested for approval. Without mitigations for those changes that have not been registered within the change management tool, there is an increased risk of unauthorised or inappropriate changes being performed to the Census systems and the ABS environment.

Is the ABS establishing appropriate data handling practices?

3.22 The ABS’ data handling practices was an identified risk following the 2016 Census.⁴³ Data handling refers to the practice of assessing the sensitivity of information and implementing controls to secure information in alignment with its sensitivity. The ANAO examined ABS data handling arrangements with respect to its measures to support data quality and privacy.

Data quality framework

3.23 The ABS established an appropriate data quality framework, as part of its Corporate Manual, in 2012. The ABS Data Quality Framework is based on international frameworks. The Framework defines and frames data against seven dimensions of data quality to support the 2021 Census objective of high quality Census data.⁴⁴ The key components of the Framework include a data quality plan, quality gates and system testing.⁴⁵

Control implementation

3.24 The ABS 2021 Data Quality Plan specifies the high-level design of data quality controls for ensuring that the 2021 Census system requirements and designs are aligned with the Framework. The design specifies the use of quality gates to validate whether systems support operational requirements during field testing.

3.25 The ABS quality gate template covers an appropriate range of components in alignment with the ABS Data Quality Framework including quality measures, roles, tolerance, actions and evaluation. A review of a sample of Census quality gates was performed by the Census Data Quality and Statistical Risk business area as part of its October 2019 field test. Overall, the review found quality gates to be effective and recommended that the ABS continue implementing quality gates for the 2021 Census.

3.26 The review also noted weaknesses in the implementation of quality gates:

• inconsistencies between the measures included in the quality gates (for example risk management and operational plans)⁴⁶;
• quality gate documents were too long and complex for staff; and
• weaknesses in documentation and monitoring of actions after quality gates were signed off.

3.27 The ABS has undertaken to implement some improvements to the quality gate process to support its 2020 operational tests.

3.28 The ANAO reviewed the system documentation for two Census systems: the Census eForm and the MyWork application. The ABS has established test plans to support the verification of MyWork and eForm system functionality against requirements. However, the test plans do not include testing on data quality. Without the inclusion of data quality in test plans, the ABS will not have assurance that data captured, stored and transferred in relation to the tested systems adhere to the ABS Data Quality Framework.

Data privacy framework

3.29 The ABS has rated its privacy risks as inherently high or extreme. It has established an enterprise privacy framework — the ABS Privacy Framework — to manage privacy risks which includes elements specific to the Census. The key components of the Framework for managing the protection of privacy include a Privacy Management Plan, privacy impact assessments, Information Security Registered Assessors Program (IRAP) assessments and system security controls.

Control implementation

3.30 The ABS Privacy Management Plan provides defined roles, responsibilities and key activities to support privacy risk management. The controls to mitigate risks in the Privacy Management Plan align with the ABS Privacy Framework. Privacy risks are managed within the 2021 Census program by the Census Privacy Team, which reports to the Census General Manager. The Census Privacy Team consults the ABS Privacy Office on all medium and high impact activities. The Privacy Teams provide support and implementation of the relevant Work Plans across the ABS.

3.31 Privacy training is a key control outlined in the ABS Privacy Management Plan. The privacy training is consistent with privacy obligations against specific positions and roles supporting the Census. For example, privacy training for Census field officers includes guidance on how to correctly handle paper forms. The ABS privacy training is mandatory and conducted on an annual basis and must be performed regardless of whether staff gain access to systems. As of March 2020, 82 per cent of Census Division staff had completed the ABS Privacy Module for the year. The completion of training is monitored by Privacy Champions within each business area. The managers of each business area are responsible for ensuring officials complete the necessary training.

3.32 The ABS obtained privacy impact assessments of its data handling practices for consumer data⁴⁷ and administrative data⁴⁸ from consultants in March and April 2020, respectively. The privacy impact assessments covered the 13 Australian Privacy Principles (APPs).⁴⁹ The ABS was assessed as compliant with the majority of the APPs. Improvements were noted in the areas relating to APP 11, Security of personal information.⁵⁰ The ABS is progressing activities against APP 11, specifically independent security risk assessment for key systems supporting the Census. The program of independent security reviews has been specified in the 2021 Census Security Strategy.

3.33 Data management and privacy functions were defined in the design documents for the eForm and MyWork systems. However, the operation of the system security controls could not be confirmed as the implementation of the eForm and MyWork systems had not been completed at the time of audit testing.

3.34 As part of the ABS’ assurance program, the ABS Executive Board monitors the progress of implementation for privacy controls. The reports to the Executive Board are high-level and do not include whether privacy controls and requirements have been effectively implemented for each system.

Has the ABS established appropriate cyber security measures?

3.37 Maintaining public trust in the security of its data is fundamental to the ABS’ core business of producing trusted regional and national statistics for Australia. The ABS identified the inability, or perceived inability, to protect Census data as an inherently ‘extreme’ risk for the 2021 Census.

3.38 The ANAO reviewed the cyber security measures for the 2021 Census against the requirements in the PSPF. This requires non-corporate Commonwealth entities, such as the ABS, to implement the first four strategies of the Australian Cyber Security Centre’s Essential Eight. They are:

• application control (to prevent execution of unapproved and malicious programs);
• patch applications (to prevent execution of malicious code on systems);
• restrict administrative privileges (only to trusted users); and
• patch operating systems (to prevent the compromise of systems).

3.39 The PSPF also requires entities to consider which of the remaining Strategies to Mitigate Cyber Security Incidents developed by the Australian Cyber Security Centre (ACSC) they need to implement.

3.40 The ACSC recommends that entities implement the full Essential Eight⁵¹, which includes:

• configure Microsoft Office macro settings (to block macros from the Internet);
• user application hardening (to block Flash, ads and Java on the Internet);
• multi-factor authentication (to make it harder for adversaries to access sensitive information and systems); and
• daily backups (to ensure information can be accessed following a cyber security incident).

3.41 The PSPF requires that non-corporate Commonwealth entities report on their security each financial year to their portfolio minister and to the Attorney-General. Entities are required to self-assess their maturity for each of sixteen core requirements against the four levels in the PSPF Maturity Self-Assessment Model: Ad hoc, Developing, Managing or Embedded.

Cyber security strategy for the 2021 Census

3.42 The Census Delivery Committee endorsed an IT Security Strategy for the 2021 Census in February 2020. The strategy outlines the design of the ABS approach to implementing cyber security measures and establishes a scheme for identifying the criticality⁵² of systems.

3.43 The IT Security Strategy for the 2021 Census incorporates elements from the MacGibbon and Senate Committee reviews into the ABS’ risk management approach. These include establishing and conducting security tests of Census controls and management and the use of IRAP assessments.⁵³ The high-level cyber security measures and controls outlined in the strategy are sound. Risks to system types are documented and appropriate controls to address risks are identified.

3.44 The strategy, however, did not:

• state how identified risks will be managed until the desired maturity is reached;
• identify when the required activities to address the associated risks will be completed; and
• stipulate security requirements in service level agreements with third parties.

Cyber security strategies and controls

Cyber security mitigation strategies

3.45 In its 2018–19 PSPF self-assessment, the ABS reported that its compliance level with the Essential Eight strategies was ‘Developing’ (Level 2) under the PSPF. The ACSC reviewed the ABS’ compliance with the Essential Eight mitigation strategies in November 2019, as part of its Cyber Uplift sprint program. The ACSC’s review identified non-compliance in similar areas which was broadly consistent with the ABS’ self-assessment. The ACSC also highlighted additional issues with some mitigation strategies. The ABS has commenced remediation activities to address the issues raised by the ACSC’s review.⁵⁴

3.46 The ACSC’s review stated that a longer-term investment will be required to meet the target maturity level. The ABS has allocated funding to projects to address the areas where the ACSC found lower compliance.

3.47 ABS IT Security conducted an internal audit in September 2019 and found eight out of 37 tested strategies to mitigate cyber security incidents were not achieving the required PSPF maturity level. In November 2019, the ABS Security Committee⁵⁵ agreed to lifting maturity against the Essential Eight and that further work on the 37 strategies was not required.

3.48 The ABS informed the ANAO that it intends to implement its 2021 Census Security Strategy before the Census date. However, it has not set a target for the completion of its Essential Eight Uplift Program, which spans more than just the Census systems. There is a risk that the ABS’ Essential Eight uplift will not be implemented in time for the Census to provide sufficient coverage over the breadth of the ABS’ threat environment, as the ABS begins to introduce new products and systems in preparation for the 2021 Census.

3.49 The ABS has monitored and managed its threat and risk landscape in the interim through an established set of controls. The controls were introduced at the infrastructure or domain level, which provide good security foundations for Census systems. However, the controls have not been introduced into the ABS environment in a systemic way. There is no implementation plan for Census systems that sets the priority, funding and timing according to each system’s value, importance or sensitivity.

Assurance activities

3.50 The IT Security Strategy for the 2021 Census does not require assurance activities to be conducted within a defined timeframe. The ABS has defined a high-level deployment schedule for Census Systems, however, this does not detail the timeline for the implementation of the IT security strategies nor the IRAP assessments.

3.51 As of March 2020, the ABS had not conducted security tests of Census controls and management or completed an IRAP assessment of Census systems. In May 2020, the ABS commenced the process of having an IRAP conducted on its Census eForm system.

3.52 The ABS conducted two internal assessments of its cyber security mitigation strategies, as part of an internal audit in September 2019 and in its 2018–19 PSPF self-assessment in October 2019. These internal assessments did not identify weaknesses in areas identified in the ACSC’s review in November 2019.

3.53 In February 2020, the program assurer for the 2021 Census found that there was no consistent approach to system designs or requirement analysis, and that these could lead to an increased risk of systems not being delivered on time. The review included a number of agreed actions.⁵⁶

Management of third parties and contractor services

3.54 The IT Security Strategy for the 2021 Census requires third party providers to use ‘secure-by-design’ development and independent security assessments for all Census systems they develop. The ABS does not require these to be included in the contracted service level agreements with third parties. The ABS relies on the general contract clauses that do not specify the requirement for secure-by-design development, however, it does specify the requirement for independent security assessments and working collaboratively with government.

3.55 In February 2020, the program assurer for the 2021 Census found unclear requirements and a lack of prioritisation, which could affect the timeframes for service delivery and security testing. Overall, there was insufficient evidence of measures in place to ensure that security controls are implemented, operated and maintained by the service provider, or whether a reassessment of security risks would be required if service changes were to occur.

Is the ABS ensuring that IT suppliers deliver value for money?

3.59 The ABS has approached the market for IT suppliers to support its delivery of the 2021 Census. As of 30 June 2020, the ABS is undertaking nine IT procurements where the estimated value was at least $1 million. The contracts had a combined total of $37 million and were at different stages during the first half of 2020, as outlined in Table 3.1.

3.60 As noted at paragraph 2.61, the accountable authority of the ABS is required to promote the proper use and management of public resources under the PGPA Act. ABS officials are required to comply with the Commonwealth Procurement Rules (CPRs) when conducting procurements. Entities need to adopt processes that are not just technically compliant with the CPRs but are also consistent with their intent, which is to drive value for money through competition. Value for money requires a consideration of financial and non-financial costs and benefits including whole-of-life costs.

3.61 The ANAO reviewed the nine IT procurements in Table 3.1 as at March 2020 against key legal requirements in the PGPA Act and the CPRs relevant to the operation of the Census.⁵⁷ The ANAO also examined the ABS’ contract negotiations with IT suppliers for the 2021 Census.

The ABS procurement and contract management framework

3.62 The ABS has established a procurement and contract management framework, consisting of the ABS Accountable Authority Instructions, Corporate Manual policies, guidance within the ABS intranet and procurement templates. The framework provides ABS officials with appropriate guidance and directs officials to the PGPA Act, CPRs and Department of Finance guidance.

3.63 The ABS’ Accountable Authority Instructions require that delegates must be satisfied that a procurement achieves value for money and complies with all of the CPRs.

3.64 The ABS’ Corporate Manual requires all procurement activity to be conducted in accordance with the PGPA Act. The Manual requires officials to follow the guidance within the ABS intranet and includes specific rules on IT procurement. The ABS intranet includes procurement guidance to ABS officials on conducting procurements. The guidance mandates the use of the ABS’ procurement templates for all procurements over $10,000.

3.65 The ABS has a suite of procurement templates, which it has used in seven of the nine IT procurements reviewed by the ANAO. The ABS Contract Management Policy approved in June 2020 requires contract managers to use the ABS Contract Management Framework templates in all procurements.

Engagement of IT suppliers for the 2021 Census

3.66 The ABS approached the market for the nine IT procurements for the 2021 Census with estimated values of over $1 million through six different methods of procurement:

• an open approach to market through AusTender, for two procurements;
• approaching suppliers under the Digital Transformation Agency Digital Marketplace Panel, for three procurements;
• approaching one supplier under the ICT Professional Services — Treasury Portfolio Panel, for one procurement⁵⁸;
• approaching Amazon Web Services, under the Whole of Government Amazon Web Services arrangement, for one procurement;
• approaching the Microsoft reseller⁵⁹ under the Whole of Government Microsoft arrangement, for one procurement; and
• establishing a limited tender, based on an identified absence of competition in the market for technical reasons.

3.67 All the procurement methods that the ABS used for the 2021 Census complied with the CPRs and ABS policy. The tenders for two of the three completed procurements at March 2020 (the Census Digital Service and support services for implementing a Customer Relationship Management solution) each received multiple bidders. The ABS used the Whole of Government Arrangement for the Operational Insights Program procurement. Competition between bidders and the use of whole of government arrangements contribute toward value for money outcomes.

3.68 The ANAO reviewed the procurement and contract management documentation for the nine IT procurements against 12 key legal requirements in the PGPA Act and the CPRs:

• Approach to market: comply with additional rules for procurements over $80,000, including open tendering; publish open tender procurements on AusTender; estimate expected value before deciding on the procurement method; include a complete description in request documentation;
• Tender evaluation: make a value for money assessment; assess tenderers solely on their ability to satisfy the conditions for participation in the request for tender; award the contract to the tenderer best able to undertake the contract and provide value for money;
• Risk management: establish processes to identify, analyse, allocate and treat risk; consider risk when assessing value for money, spending money and determining contract terms; place obligations on suppliers proportionate to the assessed risks; and
• Performance management: when applying a standard to goods or services make reasonable enquiries to determine supplier compliance with the standard; base specifications for goods and services on performance and functional requirements and international standards.

Approach to market

3.69 The ABS’ IT procurements for the 2021 Census have largely met key requirements for approaching the market. The ABS estimated the expected value of seven out of the nine IT procurements reviewed before a decision on the procurement method was made. The ABS also complied with the Division 2 rules in the CPRs for all open tenders. The ABS delegate did not approve a procurement plan that determined the estimated value before selecting the procurement method for the IT Service Management and Enterprise Monitoring Platform as a Service, and the Operational Insights Program procurements.

Tender evaluation

3.70 The three procurements with suppliers selected at March 2020 met the key requirements for evaluating tenderers (the Census Digital Service, support services for implementing a CRM solution and the Operational Insights Program). The delegate approved spending proposals for all three procurements based on value for money assessments that included both financial and non-financial factors, including whole-of-life costs.

Risk management

3.71 Seven out of the nine IT procurements met the key requirements for managing procurement risk. The ABS made risk assessments before deciding on the procurement method for seven of the nine procurements. The mitigations identified in the risk assessments were evident in the procurement processes for these seven IT procurements. The ABS delegate did not approve a risk assessment before selecting the procurement method for the IT Service Management and Enterprise Monitoring Platform as a Service, and the Operational Insights Program procurements.

Performance management

3.72 The ABS has met the legal requirements for performance management. The ABS applied standards relating to the usability of the end product to the contract solution requirements for the Census Digital Service. In March 2020, the ABS began planning to have independent testing conducted to determine whether the Census Digital Service end product will meet the contract standards. Although key external supplier delivery was deemed an inherent extreme risk, auditing vendor compliance with the standard was not included in the Assurance Map for the program assurer for the 2021 Census, as shown in Table 2.2.

3.73 The ABS included standards in the statement of requirements for the CRM implementation support services procurement. The tenderer for the CRM support services agreed to the Digital Marketplace Comprehensive Terms, which requires suppliers to comply with applicable international standards. Three procurements under evaluation also require tenderers to comply with applicable international standards. The IT Service Management and Enterprise Monitoring Platform as a Service and Operational Insights Program procurements were made under arrangements that require suppliers to comply with relevant Australian or international standards. The ABS did not determine whether a standard would be applicable for the goods and services in the Paper Data Capture or Return Mail Registration Solution procurements.

3.74 The ABS clearly set out specifications in terms of performance and functional requirements in the request documentation for all procurements. Request documentation required that deliverables comply with applicable international standards.

Contract negotiations with IT suppliers for the 2021 Census

3.75 The ABS conducted formal contract negotiations for the one IT procurement at the contract stage in March 2020. The Department of Finance’s BuyRight tool includes guidance on negotiations for procurements under $1 million.⁶⁰

3.76 The ANAO reviewed the ABS’ negotiations with the IT supplier for the Census Digital Service against the guidance in the BuyRight tool. The ABS’ contract negotiations with the highest ranked tenderer for the Census Digital Service demonstrated the steps identified in the BuyRight tool.

3.77 The ABS sought a reduction of 20 per cent from the tendered price for the Census Digital Service of $34.4 million through its negotiations. The negotiations resolved key issues including increasing the tenderer’s liability cap and shifting the contracting approach from a fixed price to a maximum-capped price model. The ABS signed a Deed of Standing Offer with a maximum-capped price of $35.3 million. The Spending Proposal stated that the change in the contracting approach will allow greater flexibility through the use of agile development and harvesting savings where the ABS’ needs or priorities change.

4.1 Preparing for the Census requires the ABS to have commenced a range of activities years beforehand. To assess whether the ABS is effectively addressing key Census risks, implementing recommendations and ensuring timely delivery of the 2021 Census, the ANAO examined the ABS' implementation of its risk management framework, arrangements to demonstrate whether recommendations have been fully closed and its progress against Census plans.

Is the ABS effectively addressing key Census risks?

Census risk identification and assessment

4.2 The ABS has had a Census Risk and Issues Management Plan (the Plan) in place since March 2018 (as discussed paragraph 2.27). The Plan sets out a broad process for the identification and assessment of Census risks. Key elements of the Plan include risk and issues management, escalation and reporting, templates, control assurance and the risk appetite for the Census. The ABS Risk Manual also sets out detailed steps for identifying risk.

4.3 The ABS sets out its risk appetite and tolerance for Census risk in the Plan. The risk appetite describes the appetite for broad categories of risk. The ABS has a generally low appetite for risk regarding the Census, with a medium appetite for some aspects of external engagement, meeting user expectations and financial sustainability.

4.4 Risk tolerance is assessed for each risk and is not a reflection of risk severity. The three categories are:

• intolerable — proposed treatments are unlikely to make it tolerable and significant intervention is required;
• developing — proposed treatments will likely make the risk tolerable. The likely effectiveness of treatments should be reviewed; and
• tolerable — the risk is tolerable provided the effectiveness of the treatments is maintained.

4.5 Where tolerance was included in the Census program and strategic risk registers, all except one risk was rated as 'developing'.

4.6 In accordance with its Census Risk and Issues Management Plan, the ABS established a Program Risk Register and a Strategic Risk Register for the Census. The ANAO tested the registers as at November 2019. The program level risks included risks identified by the ABS as material operational concerns that could jeopardise the success of the Census. The ABS rated nine of the Census program risks as extreme pre-mitigation. Some program risks aligned with Census strategic risks, such as 'the Census experiences a reduction in social licence and/or loses the confidence of government, the Parliament and other key stakeholders', and 'the Census is unable to, or is perceived to be, unable to protect 2021 Census data'. In May 2020, four inherent program extreme risks that duplicated strategic risks were closed.

4.7 The strategic risks focused on the top 10 risks to the Census. These are risks aligned with the ABS' enterprise strategic risks, defined as risks with the greatest potential to significantly harm the ABS. Census strategic risks included data protection, meeting customer needs and maintaining the 'social licence'. Six of these risks were rated as extreme pre-mitigation, and high once controls have been considered.⁶¹ These were rated 'developing' in terms of risk tolerance.

4.8 The ANAO tested the implementation of the ABS' Census strategic and program risk registers against 10 elements of the Plan.⁶² The ABS' risk registers were fully or mostly in accordance with the Plan in seven out of 10 of the elements; and partly in accordance with the Plan for the remaining three elements. The three partly ratings were due to:

• inconsistent application of risk controls and testing their effectiveness (discussed at paragraph 4.15)⁶³;
• the absence of documented likelihood, consequence (inherent and residual) and mitigations for risks listed in the strategic risk register; and
• the lack of the ability to document in the strategic risk register further proposed treatments if residual risks were assessed by the ABS as intolerable.

4.9 The ABS Census risk registers at May 2020 documented the likelihood, consequence and mitigations, and required further treatments if the ABS were to assess a residual risk as intolerable.

Reviewing and reporting Census risk

4.10 The ABS Risk Framework emphasises the importance of risk monitoring and review. The ABS Risk Manual requires that risks are reviewed at least annually, and also after a major deliverable, and that monitoring occurs often enough to detect early warning signs that a risk is being realised. The Census Risk and Issues Management Plan outlines that strategic Census risks are to be reported to the Census Executive Board (CEB) quarterly, and Census program level risks are to be reported to the Census Delivery Committee (CDC) quarterly.

4.11 Quarterly reporting of Census risks has occurred through the CEB and CDC in accordance with the Census Risk and Issues Management Plan since March 2018. Further, the CEB has undertaken focused discussions on particular strategic risks at every meeting since December 2018, covering seven of the strategic risks to date.

Risk management in key business processes

4.12 The Commonwealth Risk Management Policy requires entities to ensure that risk management is embedded in key business processes.⁶⁴ The ANAO tested whether risk management was embedded in the ABS' processes to prepare for the Census. The ABS has largely embedded risk management in the Census program as outlined in Table 4.1.

Table 4.1: Risk management embedded in areas of the Census program

Key:  Criteria not met; Criteria partly met; Criteria mostly met; Criteria met

Source: ANAO analysis of ABS documents.

4.13 Risk management provisions are evident in the early strategic planning documentation, such as the design strategy and high-level governance plan. It is also included in the IT investment strategy. Risk management is not present in the data quality targets, and only partly included in the communications approach and strategy.

4.14 Risk management is embedded in the establishment of governance arrangements and decision-making through the CEB and CDC. The terms of reference for both forums included risk management arrangements. The ABS has also considered risk management in the development of regulations.⁶⁵ During the development of the Census and Statistics Amendment (Statistical Information) Regulations 2020, the ABS conducted a focused analysis of the risk related to Government approvals.

Implementation and effectiveness of key risk controls

4.15 The Census Risk and Issues Management Plan includes a mandatory requirement to assess the effectiveness of critical or material controls on a quarterly basis.⁶⁶ The ANAO examined the implementation of risk controls for the Census risks rated as inherently extreme.⁶⁷

4.16 The implementation of the key risk controls and whether control effectiveness has been assessed is outlined in Table 4.2. Three out of the seven risk controls examined did not have a plan or policy for implementation, and six out of seven did not fully implement the control.

Table 4.2: Implementation of key controls for inherent extreme program risks

Key:  Criteria not met; Criteria partly met; Criteria mostly met; Criteria met

Source: ANAO analysis of ABS documents.

4.17 Areas where risk controls were not fully implemented include:

• the Minister was not informed of progress against agreed high-level milestones for the Census;
• documentation was not provided to the ANAO to demonstrate that contract managers undertook contract management training;
• not all required actions were undertaken;
• supplier culture and relationship management was not consistently covered in governance plans, meeting documentation and progress reporting in two of the three supplier relationships examined⁶⁸;
• stakeholder engagement was not undertaken in accordance with the Census stakeholder engagement plan, with individual stakeholder management plans not drafted for high risk groups, no contact report template developed, and no planned approach for the stakeholder meetings that were undertaken; and
• public communications activities as outlined in the Census Communication Approach occurred up to a year later than scheduled.

4.18 For five out of the seven risk controls tested, there was minimal or no evidence of effectiveness being assessed for the control as required by the Risk and Issues Management Plan. As risk controls are not consistently implemented and the effectiveness of those controls are not fully assessed, the ABS is not well positioned to assess if the controls are working as intended.

Is the ABS effectively implementing past Census recommendations?

4.21 Formally responding to a recommendation formalises the government or entity's commitment to implement it and improve that area of public administration. Effectively implementing agreed recommendations requires planning and oversight to set clear responsibilities, timeframes and reporting requirements.

4.22 As outlined in paragraph 1.16, three major reviews were undertaken following the 2016 Census:

• Senate Economics References Committee — 2016 Census issues of trust;
• Mr Alastair MacGibbon — Review of the Events Surrounding the 2016 eCensus; and
• Independent Assurance Panel — Report on the Quality of the 2016 Census Data.

4.23 The Government tabled a response in the Parliament to the Senate Committee report. The Minister responsible for the ABS issued a media release stating that the Government accepted the MacGibbon recommendations.⁶⁹ The ABS stated in its 2016–17 annual report that it would use the Panel's report in delivering the 2021 Census.⁷⁰ The three reviews raised a total of 36 recommendations of which 29 were agreed to by the ABS or the Government on behalf of the ABS (see Appendix 2 for a list of recommendations).⁷¹ The recommendations covered some overlapping themes as outlined in Table 4.3.

Table 4.3: Categories of recommendations made to the ABS after the 2016 Census

Note a: The statement in the MacGibbon report that the ABS should report monthly to the Minister on implementing the report's recommendation was treated as the 10th recommendation in the report.

Source: Senate Economics References Committee — 2016 Census issues of trust; Alastair MacGibbon — Review of the Events Surrounding the 2016 eCensus; Independent Assurance Panel — Report on the Quality of the 2016 Census Data.

4.24 The ABS informed the ANAO that it had addressed all recommendations made in respect of the 2016 Census.

Governance oversight of recommendations

4.25 Strong senior management oversight and implementation planning with clear responsibilities and timeframes supports the successful implementation of recommendations.

4.26 The ABS had a system in place to support monthly reporting to the Minister on its progress against the nine accepted MacGibbon recommendations. In June 2017 the ABS advised the Minister that it had implemented seven recommendations and that the remaining two (recommendation 3 for a privacy management plan and recommendation 9 for a communication strategy) were on track. It also advised that reporting of the progress and finalisation of the two remaining recommendations would be included in the general fortnightly briefs to the Minister. However, the ABS did not further report to the Minister on the status of the two outstanding recommendations.⁷²

4.27 The ABS did not have in place arrangements to monitor and report on the implementation of the other agreed recommendations made by reviewers. While the ABS informed the ANAO that it had monitored the implementation of all recommendations, it was unable to provide implementation plans, evidence of tracking or internal reporting on the implementation of recommendations to the ANAO.

4.28 The ABS did not report to the Minister, senior management or its Audit Committee on the progress or the completion of implementing the recommendations made by the Senate Economics References Committee or the Independent Assessment Panel.⁷³ Overall, the ABS did not have effective governance arrangements to assure itself that it had fully implemented all agreed recommendations from the reviews.

Progress in implementing recommendations

4.29 In the absence of appropriate governance oversight, the ANAO was unable to rely on existing controls in assessing whether the ABS had fully implemented agreed recommendations. As a consequence, the ANAO examined additional documentation on the implementation of the 29 agreed recommendations.⁷⁴

4.30 ANAO analysis indicated that a range of activities had been undertaken by the ABS to address 27 of the 29 agreed recommendations including:

• preparing an Address Register Strategy to improve the data and manage costs;
• identifying a range of services to be provided to special needs groups and how these would be accessed through the Customer Contact Centre;
• developing a communications strategy with education activities to occur between January 2020 and April 2021;
• engaging the Australian Cyber Security Centre and an external party to perform security assessments of Census-supporting infrastructure and systems, which included a review of security incident response planning and coordination; and
• engaging an external party to perform a Privacy Impact Assessment and updating policy and procedures for handling personal information.

4.31 The ANAO was not able to directly link the ABS' post-review activities to two agreed recommendations. For MacGibbon recommendation 7 on cultural change, the ABS did not demonstrate implementation of three items in the plan it presented to the Minister: consulting with stakeholders on its draft plan; finalising the plan; and reporting back to stakeholders on implementing the plan.

4.32 The second recommendation of the Senate Economics References Committee was for the ABS to develop internal guidelines encouraging active engagement with business and non-government organisations. The ABS developed stakeholder guidelines in 2017 that mentioned these groups but did not encourage active consultation with them. The ABS provided evidence that it has been consulting with non-government organisations on the Census.

4.33 The ABS commissioned a management initiated review from its internal auditor to obtain assurance on whether the ABS had implemented seven recommendations from the 2016 Census, including the two discussed above. At August 2020, this internal audit had progressed to fieldwork.

Is the ABS effectively monitoring progress against its schedule for the 2021 Census?

4.37 Monitoring the completion of tasks against an established schedule and accurately reporting on this progress assists entities, the Minister and stakeholders to know whether milestones are on track to be delivered as planned. In order to assess the effectiveness of the ABS' monitoring and reporting of the progress of Census activities, the ANAO examined whether:

• the ABS has completed key milestones and tasks on schedule;
• projections indicate the Census is on schedule;
• the ABS has reported the progress of Census 2021 activities to the Minister accurately; and
• the ABS has reported the progress of Census 2021 activities to the public accurately.

Completion of key Census milestones and tasks

4.38 The Census comprises many tasks and milestones. In some cases, the ABS needs to complete a task or milestone in order to start another. These dependencies mean that some tasks and milestones are particularly important because a delay in one part of a project could delay it overall. The ABS sometimes referred to these as 'hard tasks'. It has used several systems to monitor the progress of the 2021 Census. The main systems the ABS used to monitor progress are outlined in Box 3.

Note a: Tasks varied significantly in complexity, from identifying providers for key Census services or signing particular contracts, to setting up the contact and data operations centres.

4.39 From February 2018 to September 2019, the ABS' reporting was sufficient to inform the CEB and CDC of the current status of the Census. However, this reporting did not inform the CEB and CDC of the future state and emerging risks to the Census as it did not track tasks against an initial plan and did not report the progress of tasks in a consistent manner.

4.40 ANAO analysis of reporting to the CEB and CDC indicates that the ABS was on-track to complete key deliverables by the original planned dates for the majority of tasks. Between June 2018 and June 2019 the ABS commenced 366 Census tasks, of which 75 had been reported as completed at the end of the period.⁷⁵ See Figure 4.1.

Figure 4.1: Reported status of tasks commenced for the 2021 Census as at June 2019

Source: ANAO analysis of CEB and CDC papers.

4.41 The Census had 45 delayed tasks. The average delay was 2.4 months. Forty-one delayed tasks had soft milestones.⁷⁶ The remaining four of the delayed tasks were hard milestones and related to content, logistics, operational intelligence and public communications. Their average delay was 1.8 months, however, the ABS recorded them as being on track. From November 2019 to May 2020 the ABS generally reported the corresponding overarching projects with green status, except for operational intelligence, indicating no material effect from the delay to the hard milestone.

4.42 The hard milestone for operational intelligence was to make a decision on the technology solution for the command centre. The program assurer's review of IT for the command centre, finalised in February 2020, noted a lack of clarity in requirements and design leading to delays and risk of re-work. The overarching project for operational intelligence has reported amber and red status, with an improvement in May 2020 due to additional staff.

4.43 The ANAO reviewed 17 tasks with hard milestones or that were included in the critical path produced in November 2019, and that were planned for completion prior to 31 March 2020.⁷⁷ The aim was to establish whether the ABS reasonably estimated the timeframes of tasks, has been completing tasks in line with its plan, and whether the ABS was accurately reporting the status of tasks.

4.44 ANAO analysis of documentation for the 17 tasks found the ABS had completed all tasks. Of these, one was completed between one and three months late, four were completed three to six months late and one was completed over six months late. Approximately one third of these milestones were late. Further, four tasks were completed at least three months after being reported as complete to the CDC and CEB.

4.45 The delays in completing critical tasks and milestones increases the risk that the 2021 Census will not be delivered in an effective manner. The lack of accuracy in reporting to the CEB and CDC limited their ability to take informed decisions on additional actions needed to deliver the 2021 Census in a timely way.

Projected timeliness of the 2021 Census

4.46 From February 2018, the ABS reported the overall status (red/amber/green) of the Census to the CEB and CDC at each of their quarterly meetings (the CDC meets a month before the CEB). The status of the Census in 2018 and 2019 was generally green, except for February and March 2019, when its status was amber due to budget.⁷⁸ The reporting in 2020 has recorded the status as amber for delays in preparations for the Operational Readiness Exercise (the major field test originally scheduled for August 2020) and the impact of COVID-19.

4.47 The overarching projects and overall reporting are summarised in Table 4.4. These status reports show that the underlying and headline reporting on the implementation of the overarching projects and the Census overall is consistent and that the Census has been rated amber throughout 2020.

4.48 The CDC and CEB receive the status reports in dashboard form. Their discussions regarding the amber status of the Census focussed on the implications to the Operational Readiness Exercise (the major field test). The CEB decided in March 2020 to reschedule the Operational Readiness Exercise from August 2020 to October or November 2020.

4.49 The projected timeliness of the Census improved between February and May 2020. Implementation of the program assurer's recommendations made in relation to project management practices in Chapter 2 will increase the ABS' chances of delivering a timely Census.

Reporting of progress to the Minister

4.50 As the accountable authority for the ABS, the Australian Statistician has a duty to ensure the responsible Minister is informed about ABS activities, decisions and issues in a timely manner as per section 19 of the PGPA Act. The ABS reports on its activities to the Minister in fortnightly briefings; these often involve commentary on the Census. Additionally the ABS provides Census-specific briefings to the Minister on a quarterly basis after each CEB meeting.

4.51 ANAO analysis found that the ABS had accurately informed the Minister of significant activities and decisions relating to the Census in a timely manner via the briefings after CEB meetings.

Reporting of Census progress to the public

4.52 The ABS publicly reports on its performance and activities through a number of publications including its annual reports, corporate plans, the ABS website and Census 2021 website. The ABS has not defined any formal performance measures nor has it reported on the progress relating to the 2021 Census as part of its performance statements.

4.53 The MacGibbon report in 2016 stated that a lack of communication with the public 'opened the door for speculation' and undermined public trust.⁷⁹ It is therefore important that the ABS communicates in a timely and accurate manner about the progress of the Census. MacGibbon further noted that whilst the ABS had a 'well formed and prepared communications strategy' it did not adequately cover its 'digital first' approach and concerns around security and privacy.⁸⁰

4.54 The ABS' public reporting on the status of Census planning activities was primarily undertaken through the Census 2021 website and the ABS 2018–19 Annual Report. In June 2017, the CEB defined 50 high-level milestones for Census 2021.⁸¹ ANAO analysis found that the ABS had publicly reported on nine high-level milestones. The ABS last updated its Census 2021 website in September 2019. There is merit in the ABS updating its website quarterly with progress against a broader range of milestones to improve transparency.

4.55 The ANAO assessed 12 specific claims made by the ABS regarding the progress of key Census activities through its corporate publications to verify the accuracy of public reporting. All 12 claims were verified with supporting documentation.

Appendix 1 Entity response

Appendix 2 ANAO testing of ABS’ implementation of review recommendations

Table A.1: Senate Economics References Committee — 2016 Census: issues of trust

Source: Senate Economics References Committee, 2016 Census: issues of trust and ANAO analysis of ABS documents.

Table A.2: MacGibbon Report — Review of the Events Surrounding the 2016 eCensus

Source: Alastair MacGibbon Review of the Events Surrounding the 2016 eCensus and ANAO analysis of ABS documents.

Table A.3: Independent Assurance Panel — Report on the Quality of 2016 Census Data

Source: Independent Assurance Panel Report on the Quality of 2016 Census Data and ANAO analysis of ABS documents.

Table A.4: Auditor-General Report — Statistical Business Transformation Program — Managing Risk

Source: Auditor-General Report No. 5 (2018–19) Statistical Business Transformation Program — Managing Risk and ANAO analysis of ABS documents.