Audit snapshot

Why did we do this audit?

  • It is essential that financial regulators uphold high probity standards, to strengthen the legitimacy and integrity of the regulator and support the objectives of the regulatory scheme.
  • This is one of a series of three performance audits which continues the ANAO’s examination of probity management in Commonwealth entities.
  • The audit provides the Parliament with independent assurance regarding probity management at the Australian Securities and Investments Commission (ASIC).

Key facts

  • ASIC is an independent statutory authority established under the Australian Securities and Investments Commission Act 2001.
  • ASIC is Australia's integrated corporate, markets, financial services and consumer credit regulator.

What did we find?

  • Probity management at the Australian Securities and Investments Commission (ASIC) was largely effective.
  • ASIC had arrangements structured to manage the probity risks selected for review, and to promote compliance.
  • ASIC had a framework and arrangements to monitor, report on and provide assurance on the selected probity requirements.
  • ASIC fully or largely complied with most of the probity related requirements examined in this audit.

What did we recommend?

  • The Auditor-General made one recommendation to review financial thresholds for declaring hospitality in ASIC policies relating to gifts, benefits and hospitality.
  • ASIC agreed to the recommendation.

1947 employees at 30 June 2022.

38 ASIC Commissioners.

1 person (the ASIC Chair) is the Accountable Authority.

Summary and recommendations

Background

1. The Organisation for Economic Co-operation and Development (OECD) has observed that:

Regulation is a key tool for achieving the social, economic and environmental policy objectives of governments that cannot be effectively addressed through voluntary arrangements and other means. Governments have a broad range of regulatory powers reflecting the complex and diverse needs of their citizens, communities and economy.

Regulators are entities authorised by statute to use legal tools to achieve policy objectives, imposing obligations or burdens through functions such as licencing, permitting, accrediting, approvals, inspection and enforcement. Often they will use other complementary tools, such as information campaigns, to achieve the policy objectives, but it is the exercise of control through legal powers that makes the integrity of their decision-making processes, and thus their governance, very important.1

2. The OECD has further observed that:

Strong governance strengthens the legitimacy and integrity of the regulator, supporting the high level policy objectives of the regulatory scheme and will lead to better outcomes.2

3. The OECD has identified two broad aspects of governance relevant to regulators:

  • external governance (looking out from the regulator) — the roles, relationships and distribution of powers and responsibilities between the legislature, the minister, the ministry, the judiciary, the regulator’s governing body and regulated entities; and
  • internal governance (looking into the regulator) — the regulator’s organisational structures, standards of behaviour and roles and responsibilities, compliance and accountability measures, oversight of business processes, financial reporting and performance management.3

4. The Australian Government’s overarching governance framework for public entities, including its regulatory agencies, is established by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the supporting Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

5. The PGPA Act contains general duties for entity accountable authorities and officials which are relevant to probity and ethics.4 These duties are not restricted to resource management functions, as the PGPA Act regulates entity governance, performance and accountability more broadly. The general duties establish an overarching framework for probity and ethical behaviour applying to the officials of PGPA Act entities.

6. Further specific probity and ethical requirements may apply to entity personnel, including requirements established by the Parliament in the regulator’s enabling legislation, other applicable laws and policy frameworks, and the internal policies and frameworks put in place by the entity’s accountable authority.

Rationale for undertaking the audit

7. It is essential that financial regulators uphold high probity standards, to strengthen the legitimacy and integrity of the regulator and support the objectives of the regulatory scheme.

8. This is one of a series of three performance audits which continues the ANAO’s examination of probity management in Commonwealth entities and provides independent assurance to the Parliament. It builds on Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, which assessed the effectiveness of five rural research and development corporations’ management of probity.

9. This series of audits focuses on probity management in entities with a role in financial regulation activities. These are the:

  • Australian Competition and Consumer Commission (ACCC);
  • Australian Prudential Regulation Authority (APRA); and
  • Australian Securities and Investments Commission (ASIC).

Audit objective and criteria

10. The audit objective was to assess the effectiveness of ASIC’s probity management.

11. To form a conclusion against the objective, the ANAO adopted the following high-level criteria.

  • Does ASIC have arrangements structured to manage selected probity risks and promote compliance with requirements?
  • Has ASIC established monitoring and reporting arrangements to provide assurance on the effectiveness of internal controls and compliance with probity requirements?
  • Has ASIC complied with probity requirements?

12. The ANAO reviewed a selection of probity risks requiring management by Australian Government entities, including a number of specific risks requiring management by entities involved in financial regulation activities. The risks selected for review related to:

  • the ASIC Code of Conduct;
  • the management of conflict of interest;
  • the management of key regulatory risks (such as regulatory capture risk and financial trading);
  • the management of senior executive remuneration;
  • probity in procurement;
  • the oversight of corporate credit card expenditure;
  • the management of gifts, benefits and hospitality;
  • the identification and management of fraud risks; and
  • the management of public interest disclosures.

13. The ANAO’s review focused on the period July 2020–November 2022 and where relevant, included key subsequent events up to and including February 2023. The ANAO did not examine specific investigations into ASIC personnel or review ASIC’s corporate governance arrangements.5

Conclusion

14. Probity management at the Australian Securities and Investments Commission (ASIC) was largely effective.

15. ASIC has arrangements structured to manage the probity risks selected for ANAO review and arrangements to promote compliance with probity requirements. A remuneration policy for senior executives was approved on 9 November 2022.

16. ASIC has a framework and arrangements for monitoring the effectiveness of internal controls and compliance with probity requirements, and for providing assurance to the accountable authority in relation to probity. The framework includes regular compliance monitoring, reporting to management and high-level governance committees, and arrangements for following up on identified instances of non-compliance. Key activities are overseen by a Central Compliance function.

17. While ASIC fully or largely complied with most of the probity related requirements examined in this audit, there was partial compliance with requirements for managing probity in procurement.

18. ASIC’s internal attestation process did not identify any non-compliance associated with code of conduct and conflict of interest requirements. There is evidence that ASIC has addressed the non-compliance with its financial trading policy that was identified through the attestation process.

Supporting findings

Arrangements to manage probity risks and promote compliance with requirements

19. ASIC has developed an ASIC Code of Conduct and ASIC Values as required by its enabling legislation. ASIC has also identified key probity risks relating to: conflict of interest; key regulatory functions (including regulatory capture risk and financial trading); senior executive remuneration; procurement; corporate credit card expenditure; gifts, benefits and hospitality; fraud; and public interest disclosures. For the period examined in this audit, ASIC had policies, procedures and arrangements to manage its identified risks, with the exception of not having a remuneration policy for senior executives. The ASIC Commissioners approved a remuneration policy for senior executives on 9 November 2022. (See paragraphs 2.3 to 2.109)

20. ASIC has established a framework for the design and review of its policies. For the selected probity risks, there was evidence of relevant policies being reviewed and updated. (See paragraphs 2.110 to 2.112)

21. For the selected probity risks, ASIC has effectively informed its personnel of probity requirements. ASIC has adopted a combination of training, making information on policies, procedures and arrangements easily accessible on its intranet, and messaging from senior officials to reinforce knowledge of probity requirements and promote compliance. Completion of mandatory training is monitored and reported to senior management. (See paragraphs 2.113 to 2.120)

Monitoring, reporting and assurance

22. ASIC has a framework for monitoring the effectiveness of internal controls and providing assurance to the accountable authority in relation to probity. The framework includes regular internal audits into probity related topics. ASIC’s Central Compliance function also commenced a program of control assessments in 2022, which have included the consideration of controls relating to probity related compliance obligations. (See paragraphs 3.3 to 3.12)

23. ASIC undertakes regular compliance monitoring under its compliance management framework, and has established a Central Compliance function which reports on a regular basis to the Executive Risk Committee and Commission Risk Committee on compliance with obligations, including obligations related to probity requirements. Monitoring and reporting of compliance with probity requirements not tracked by the Central Compliance function occurs through ASIC’s Integrity Committee and updates to other Commission and management committees. (See paragraphs 3.13 to 3.23)

24. ASIC has a framework for following up on identified instances of non-compliance. This includes responding to incidents and rectifying realised risks, as well as consequence management. (See paragraphs 3.24 to 3.31)

Compliance with requirements

25. For the periods reviewed by the ANAO, ASIC undertook its internal assurance processes under which relevant personnel made attestations relating to the ASIC Code of Conduct and compliance with conflict of interest and financial trading requirements. Results for the respective processes were reported to senior management committees. Disclosures of ASIC Commissioners’ interests were provided to the Treasurer as required under the Australian Securities and Investments Commission Act 2001.

26. ASIC personnel largely complied with requirements relating to corporate credit card use and gifts, benefits and hospitality.

27. ASIC did not have a policy for managing senior executive remuneration until 9 November 2022. As a result, the ANAO was unable to test whether ASIC’s process for reviewing senior executive remuneration for its most recent performance period was undertaken in accordance with entity requirements. There is evidence that the Chair was provided with information on, and approved, individual remuneration outcomes for all members of the senior executive cohort for the most recent performance cycle or review process that involved a pay rise.

28. For the ten high-value procurements reviewed by the ANAO, ASIC partly complied with the requirements established in its internal ‘Procurement guideline — probity’. The selected requirements were not met in four of the procurements (40 per cent non-compliance); only one of the selected requirements was met in four of the procurements (40 per cent partial compliance); and all four of the selected requirements were met in only two of the procurements (20 per cent compliance).

29. There is scope for ASIC to enhance its requirements in relation to gifts, benefits and hospitality. (See paragraphs 4.3 to 4.64)

30. ASIC’s internal attestation process did not identify any non-compliance associated with code of conduct and conflict of interest requirements. There is evidence that the instances of non-compliance identified through the attestation process, relating to requirements for the disclosure of financial trading, were addressed by ASIC in accordance with its requirements.

31. There is no evidence of instances of non-compliance identified by this audit being addressed in accordance with ASIC’s requirements for: procurement; corporate credit cards; and gifts, benefits and hospitality. There is evidence of ASIC recording details of other instances of non-compliance and actions taken, in its Compliance Incidence Management System (CIMS) register. (See paragraphs 4.65 to 4.86)

Recommendation

Recommendation no. 1

Paragraph 4.62

The Australian Securities and Investments Commission review the financial thresholds for declaring hospitality in its internal register of gifts, benefits and hospitality, in the context of managing risks associated with accepting hospitality from regulated entities.

Australian Securities and Investments Commission response: Agreed.

Summary of Australian Securities and Investments Commission response

32. The proposed audit report was provided to ASIC. ASIC provided the summary response below. The full response from ASIC is provided at Appendix 1. The improvements observed by the ANAO during the course of this audit are at Appendix 2.

ASIC welcomed the ANAO review of probity management in financial regulators and worked openly and collaboratively with the ANAO. ASIC acknowledges the professionalism of the ANAO team.

ASIC is committed to meeting the high probity standards expected of Australia’s corporate, markets, financial services, and consumer credit regulator. Upholding high standards of probity is fundamental to ASIC’s ability to effectively deliver upon its strategic priorities and regulatory mandate. ASIC actively manages probity risks through a robust and fit for purpose integrity management framework, overseen by an executive integrity committee.

ASIC welcomes the findings in the ANAO report that ASIC’s probity management was largely effective, with arrangements structured to manage probity risks and to promote compliance, a framework and arrangements to monitor, report on and provide assurance on probity requirements, and fully or largely complied with most probity requirements.

ASIC agrees with the recommendation in the report, aimed at managing risks associated with accepting gifts, benefits and hospitality from regulated entities, and will review the financial thresholds for reporting hospitality in ASIC’s internal register.

Finally, ASIC will carefully consider the report’s opportunities for improvement to ensure ASIC’s probity practices and broader integrity framework remain efficient, effective, and fit for purpose.

Key messages from this audit for all Australian Government entities

This audit is one of a series of probity management audits that apply a standard methodology to probity management in financial regulators. The three entities included in the ANAO’s 2022–23 probity management in financial regulators series are the:

  • Australian Competition and Consumer Commission (ACCC);
  • Australian Prudential Regulation Authority (APRA); and
  • Australian Securities and Investments Commission (ASIC).

Key messages from the ANAO’s series of probity management audits will be outlined in an upcoming Audit Insights product available on the ANAO website.

1. Background

Introduction

Government regulators

1.1 The Organisation for Economic Co-operation and Development (OECD) has observed that:

Regulation is a key tool for achieving the social, economic and environmental policy objectives of governments that cannot be effectively addressed through voluntary arrangements and other means. Governments have a broad range of regulatory powers reflecting the complex and diverse needs of their citizens, communities and economy.

Regulators are entities authorised by statute to use legal tools to achieve policy objectives, imposing obligations or burdens through functions such as licencing, permitting, accrediting, approvals, inspection and enforcement. Often they will use other complementary tools, such as information campaigns, to achieve the policy objectives, but it is the exercise of control through legal powers that makes the integrity of their decision-making processes, and thus their governance, very important.6

Regulator governance

1.2 The OECD has further observed that:

Strong governance strengthens the legitimacy and integrity of the regulator, supporting the high level policy objectives of the regulatory scheme and will lead to better outcomes.7

1.3 The OECD has identified two broad aspects of governance relevant to regulators:

  • external governance (looking out from the regulator) — the roles, relationships and distribution of powers and responsibilities between the legislature, the minister, the ministry, the judiciary, the regulator’s governing body and regulated entities; and
  • internal governance (looking into the regulator) — the regulator’s organisational structures, standards of behaviour and roles and responsibilities, compliance and accountability measures, oversight of business processes, financial reporting and performance management.8

1.4 The OECD has described these components of external and internal governance as the ‘different building blocks that make up the governance architecture of regulators’.9

Duties of Australian Government officials

1.5 The Australian Government’s overarching governance framework for public entities, including its regulatory agencies, is established by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the supporting Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

1.6 The PGPA Act contains general duties for entity accountable authorities and officials which are relevant to probity and ethics.10 These duties are not restricted to resource management functions, as the objects of the PGPA Act (and its overview section) make clear that the Act is concerned with entity governance, performance and accountability more broadly (see Box 1 below).

Box 1: Objects and overview of the Public Governance, Performance and Accountability Act 2013 (PGPA Act)

Objects of the PGPA Act (section 5)

The objects of this Act are:

(a) to establish a coherent system of governance and accountability across Commonwealth entities; and

(b) to establish a performance framework across Commonwealth entities; and

(c) to require the Commonwealth and Commonwealth entities:

(i) to meet high standards of governance, performance and accountability; and

(ii) to provide meaningful information to the Parliament and the public; and

(iii) to use and manage public resources properly; and

(iv) to work cooperatively with others to achieve common objectives, where practicable; and

(d) to require Commonwealth companies to meet high standards of governance, performance and accountability.

Overview of the PGPA Act (section 6)

This Act is mainly about the governance, performance and accountability of Commonwealth entities.

It is also about:

  • the use and management of public resources by the Commonwealth and Commonwealth entities; and
  • the accountability of Commonwealth companies.

1.7 The requirements of the PGPA Act and PGPA Rule, including the general duties of entity officials, may extend to persons who are not entity employees (such as contractors) if they are considered to be entity officials under the Act. Contract provisions may also extend PGPA Act and PGPA Rule requirements (and elements of the Public Service Act 1999 (PS Act), discussed below) to persons who are not entity employees.11

1.8 As at 6 March 2023 there were 189 PGPA Act entities and companies.12 The duties of entity accountable authorities and officials under the PGPA Act are summarised in Box 2 below.

Box 2: General duties of accountable authorities and officials

General duties of accountable authorities (extracts)

Section 15 — Duty to govern the Commonwealth entity

(1) The accountable authority of a Commonwealth entity must govern the entity in a way that:

(a) promotes the proper use and management of public resources for which the authority is responsible; and

(b) promotes the achievement of the purposes of the entity; and

(c) promotes the financial sustainability of the entity.

Note: Section 21 (which is about the application of government policy) affects how this duty applies to accountable authorities of non-corporate Commonwealth entities.

(2) In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

General duties of officials (extracts)

Section 25 — Duty of care and diligence

(1) An official of a Commonwealth entity must exercise his or her powers, perform his or her functions and discharge his or her duties with the degree of care and diligence that a reasonable person would exercise if the person:

(a) were an official of a Commonwealth entity in the Commonwealth entity’s circumstances; and

(b) occupied the position held by, and had the same responsibilities within the Commonwealth entity as, the official.

(2) The rules may prescribe circumstances in which the requirements of subsection (1) are taken to be met.

Section 26 — Duty to act honestly, in good faith and for a proper purpose

An official of a Commonwealth entity must exercise his or her powers, perform his or her functions and discharge his or her duties honestly, in good faith and for a proper purpose.

Section 27 — Duty in relation to use of position

An official of a Commonwealth entity must not improperly use his or her position:

(a) to gain, or seek to gain, a benefit or an advantage for himself or herself or any other person; or

(b) to cause, or seek to cause, detriment to the entity, the Commonwealth or any other person.

Section 28 — Duty in relation to use of information

A person who obtains information because they are an official of a Commonwealth entity must not improperly use the information:

(a) to gain, or seek to gain, a benefit or an advantage for himself or herself or any other person; or

(b) to cause, or seek to cause, detriment to the Commonwealth entity, the Commonwealth or any other person.

Section 29 — Duty to disclose interests

(1) An official of a Commonwealth entity who has a material personal interest that relates to the affairs of the entity must disclose details of the interest.

(2) The rules may do the following:

(a) prescribe circumstances in which subsection (1) does not apply;

(b) prescribe how and when an interest must be disclosed;

(c) prescribe the consequences of disclosing an interest (for example, that the official must not participate at a meeting about a matter or vote on the matter).

Probity

1.9 Taken together, the general duties establish an overarching framework for probity and ethical behaviour applying to the officials of PGPA Act entities.

1.10 The Australian Government Department of Finance (Finance), which administers the PGPA Act and PGPA Rule and is the framework policy owner, has not included a general definition of probity in its PGPA Glossary.13 Finance has, however, adopted the following definition of probity in the procurement context:

Probity is the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.14

1.11 While intended to inform those involved in procurement activity, this definition of probity is sufficiently robust to describe the general expectation applying to Australian Government activity more broadly, including regulatory activity.

1.12 The specific probity and ethical requirements applying to the personnel of an Australian Government entity will depend on what type of entity it is, the legislation applying to it, the government policies and frameworks applying to it, and the internal policies and frameworks it has put in place. In summary:

  • Whether the entity is a non-corporate Commonwealth entity or a corporate Commonwealth entity15 under the PGPA Act will determine which elements of the framework established by the PGPA Act and PGPA Rule apply to the entity. In particular, entity type will affect whether certain activity-specific frameworks apply to an entity.
    • Activity-specific frameworks can establish ethical and probity requirements specific to the activity they regulate, and cover grants administration16, government procurement17, government advertising18, protective security19, appearing before the Parliament20, liaising with lobbyists21, caretaker conventions22, risk management23 and fraud control.24 These frameworks will generally specify which types of entities they cover and may also place specific obligations on the accountable authority, such as to promote an internal culture supportive of the purposes of the framework.25
  • Entities established under legislation are statutory bodies and will also be subject to the requirements of that legislation. The entity’s enabling legislation may include specific ethical obligations applying to the accountable authority and/or entity staff. Individual statutory offices are also established through legislation, which may include ethical requirements.
  • Other applicable legislation may place further ethical and probity requirements on the entity. Examples include anti-corruption legislation26 and corporations law requirements. As at 6 March 2023, there were 17 Commonwealth controlled companies subject to the Corporations Act 2001.
  • If the entity is subject to the PS Act27, additional ethical and probity requirements apply to Australian Public Service (APS) employees, including the APS Values and APS Code of Conduct.28
    • Section 10 of the PS Act sets out the APS Values. Subsection 10(2), ‘Ethical’, states that ‘The APS demonstrates leadership, is trustworthy, and acts with integrity, in all that it does.’ The APS Commissioner’s Directions (31 January 2022) made under the PS Act elaborate on the APS Values. Section 14 of the Directions sets out requirements to be met to uphold the ‘Ethical’ value, ‘having regard to an individual’s duties and responsibilities’. The requirements include: ‘acting in a way that models and promotes the highest standard of ethical behaviour’, ‘complying with all relevant laws, appropriate professional standards and the APS Code of Conduct’ and ‘acting in a way that is right and proper, as well as technically and legally correct or preferable’. Section 12 of the PS Act provides that an APS Agency Head ‘must uphold and promote the APS Values and APS Employment Principles’.
    • Australian Public Service Commission (APSC) guidance highlights that integrity covers several different and overlapping aspects that relate to conduct and how APS employees work individually and collectively. Integrity includes: compliance with legislative frameworks, policies and practices, which ensures standards for integrity are being met; a values-based approach that promotes ethical decision-making; institutional integrity, where organisational systems, policies and practices are purposeful, legitimate and trustworthy; and a pro-integrity culture, in which there is a positive, conscious effort to make integrity a central consideration of all activities.29
    • A number of specific probity requirements apply to APS Senior Executive Service (SES) employees and/or APS agency heads.30 These include the declaration of interests31 and the declaration of gifts, benefits and hospitality.32
  • Entity-specific frameworks include an entity’s internal policies and guidance in respect of implementing applicable laws and frameworks. Examples include Accountable Authority Instructions (AAIs) made under the PGPA Act33, and internal integrity frameworks. Entity-specific frameworks may sometimes establish higher expectations than the minimum standards established by whole-of-government policy owners such as Finance. Professional codes and standards may also apply to entity personnel working in certain sectors or roles. The need for such codes and standards may be specified in legislation applying to the entity.

The accountable authority’s role in promoting probity

1.13 As discussed in paragraph 1.6, the PGPA Act places a number of duties on an entity’s accountable authority. As discussed in paragraph 1.12, other applicable frameworks will also place obligations on entity leaders, such as the promotion of an appropriate culture. The ANAO has previously observed that in order to fulfil its governing role in relation to probity, the accountable authority would be expected to set out roles and reporting within the entity, approve and review probity policies, ensure it is informed about the entity’s activities, act on information promptly, and take an active role when working with management.34

The Australian Securities and Investments Commission

1.14 The Australian Securities and Investments Commission (ASIC) is an independent statutory authority. It was established under and administers the Australian Securities and Investments Commission Act 2001 (ASIC Act), and carries out most of its work under the Corporations Act. In ASIC’s Corporate Plan 2022–26, ASIC describes its role as being ‘Australia’s corporate, markets, financial services and consumer credit regulator.’35

1.15 ASIC is a non-corporate Commonwealth entity for the purposes of the PGPA Act. It is one of three entities that have body corporate status but are prescribed in their enabling legislation as non-corporate Commonwealth entities.36 Unlike most non-corporate Commonwealth entities, ASIC does not engage employees under the PS Act but instead engages employees under section 120 of the ASIC Act.

1.16 ASIC is comprised of Commissioners who are appointed by the Governor-General on the nomination of the Treasurer.37 The ASIC Chair38 is the accountable authority of ASIC and is responsible for determining the ASIC Code of Conduct and the ASIC Values under sections 126B and 126C of the ASIC Act respectively. Under ASIC’s governance framework, there is a separation of decision-making powers relating to regulatory functions and governance matters. ASIC distinguishes between Commission committees that are comprised of the Commissioners (including the ASIC Chair and Deputy Chairs) and management committees that are comprised of the ASIC Chair and senior executives.

Oversight arrangements

1.17 ASIC is subject to a range of oversight arrangements. These include the following.

  • The Australian Commission for Law Enforcement Integrity (ACLEI).39 ASIC came under ACLEI’s jurisdiction on 1 January 2021.40
  • The Financial Regulator Assessment Authority (FRAA). The FRAA was established in 2021 in response to recommendations of the 2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Hayne Royal Commission).41 The FRAA’s role is to assess and report on the effectiveness and capability of ASIC and the Australian Prudential Regulation Authority.42

1.18 ASIC is also subject to oversight by the Parliamentary Joint Committee on Corporations and Financial Services, which is established under section 243 of the ASIC Act. Recent reports by the Joint Committee have included consideration of ASIC’s governance framework43 and integrity risks, including ASIC’s integrity and anti-corruption arrangements, regulatory capture risks and other integrity risks.44 Other parliamentary committees that have undertaken inquiries into ASIC and its operations include the House of Representatives Standing Committee on Economics45 and the Senate Standing Committee on Economics.46

Thom review

1.19 In October 2020 the Department of the Treasury (Treasury) appointed Dr Vivienne Thom AM to undertake a review related to financial statements audit findings made by the ANAO regarding payments to ASIC key management personnel, as well as related governance matters. The final confidential report was provided to Treasury in December 2020 and an abridged report was prepared by Treasury in consultation with Dr Thom and released publicly in January 2021. The abridged version removed legal advice and personal and commercial information.

1.20 The abridged report included eight recommendations relating to corporate governance and accountabilities, internal monitoring and oversight arrangements (including for audit, risk and integrity), and policies relating to the payment of Commissioner expenses and related controls. Five of the recommendations were directed to ASIC and three were directed to the Treasury. ASIC accepted all recommendations directed to it.47 In a statement accompanying the release of the abridged report, the Treasurer stated that: ‘Given the nature of the matters raised, the Government expects ASIC to implement as a priority the recommendations made by Dr Thom concerning its internal risk, management and governance arrangements and to report to me regularly on its progress.’48

Rationale for undertaking the audit

1.21 It is essential that financial regulators uphold high probity standards, to strengthen the legitimacy and integrity of the regulator and support the objectives of the regulatory scheme.

1.22 This is one of a series of three performance audits which continues the ANAO’s examination of probity management in Commonwealth entities and provides independent assurance to the Parliament. It builds on Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, which assessed the effectiveness of five rural research and development corporations’ management of probity.

1.23 This series of audits focuses on probity management in entities with a role in financial regulation activities. These are the:

  • Australian Competition and Consumer Commission (ACCC);
  • Australian Prudential Regulation Authority (APRA); and
  • Australian Securities and Investments Commission (ASIC).

Audit approach

Audit objective, criteria and scope

1.24 The audit objective was to assess the effectiveness of ASIC’s probity management.

1.25 To form a conclusion against the objective, the ANAO adopted the following high level criteria:

  • Does ASIC have arrangements structured to manage selected probity risks and promote compliance with requirements?
  • Has ASIC established monitoring and reporting arrangements to provide assurance on the effectiveness of internal controls and compliance with probity requirements?
  • Has ASIC complied with probity requirements?

1.26 The audit scope was the period July 2020–November 2022 and, where relevant, included key subsequent events up to and including February 2023. The ANAO did not examine specific investigations into ASIC personnel or review ASIC’s corporate governance arrangements.49

Probity risks examined in this audit

1.27 The ANAO reviewed a selection of probity risks requiring management by Australian Government entities, including a number of specific risks requiring management by entities involved in financial regulation activities. The risks selected for review related to:

  • the ASIC Code of Conduct;
  • the management of conflict of interest;
  • the management of key regulatory risks (such as regulatory capture risk and financial trading);
  • the management of senior executive remuneration;
  • probity in procurement;
  • the oversight of corporate credit card expenditure;
  • the management of gifts, benefits and hospitality;
  • the identification and management of fraud risks; and
  • the management of public interest disclosures.

Audit methodology

1.28 The audit methodology included reviewing entity documentation and meeting with entity personnel.

1.29 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $389,000.

1.30 The team members for this audit were Grace Guilfoyle, James Sheeran, Jo Rattray-Wood, Alexandra McFadyen and Michelle Page.

Disclosure

1.31 The ANAO engages ASIC to conduct an annual review of the ANAO Quality Assurance Framework and financial statements audit files, in a similar way to the review work conducted by ASIC on external auditors in the private sector. Safeguards are implemented to mitigate the threats to independence created by that relationship.

2. Arrangements to manage probity risks and promote compliance with requirements

Areas examined

This chapter examines whether the Australian Securities and Investments Commission (ASIC) has arrangements structured to manage selected probity risks and promote compliance with requirements. The selected risks relate to: code of conduct; conflict of interest; key regulatory functions; senior executive remuneration; procurement; corporate credit card expenditure; gifts, benefits and hospitality; fraud; and public interest disclosures. The period examined in this audit was July 2020–November 2022 and, where relevant, included key subsequent events up to and including February 2023.

Conclusion

ASIC has arrangements structured to manage the probity risks selected for ANAO review and arrangements to promote compliance with probity requirements. A remuneration policy for senior executives was approved on 9 November 2022.

Area for improvement

The ANAO identified an opportunity for improvement in relation to the inclusion of references to regulatory capture risk and its management in ASIC’s corporate plan.

2.1 An entity’s accountable authority and management are responsible for establishing and promoting a culture of ethical behaviour within the entity. Identifying key probity risks and establishing, maintaining and promoting policies, procedures and arrangements to manage those risks helps ensure probity risks are being effectively managed in accordance with relevant requirements and consistent with community expectations.

2.2 This chapter examines whether ASIC has:

  • identified key probity risks and developed policies, procedures and arrangements to manage the identified risks;
  • ensured policies and procedures are maintained; and
  • effectively informed relevant people of probity related requirements, to promote compliance.

Has ASIC identified key probity risks and developed policies, procedures and arrangements to manage the identified risks?

ASIC has developed an ASIC Code of Conduct and ASIC Values as required by its enabling legislation. ASIC has also identified key probity risks relating to: conflict of interest; key regulatory functions (including regulatory capture risk and financial trading); senior executive remuneration; procurement; corporate credit card expenditure; gifts, benefits and hospitality; fraud; and public interest disclosures. For the period examined in this audit, ASIC had policies, procedures and arrangements to manage its identified risks, with the exception of not having a remuneration policy for senior executives. The ASIC Commissioners approved a remuneration policy for senior executives on 9 November 2022.

ASIC Code of Conduct and values statement

2.3 Changes introduced by the Treasury Laws Amendment (Enhancing ASIC’s Capabilities) Act 2018 meant that from 1 July 2019 ASIC employees were no longer engaged under the Public Service Act 1999 (PS Act) and were now engaged under the Australian Securities and Investments Commission Act 2001 (ASIC Act). This change also meant that ASIC employees were no longer subject to the Australian Public Service (APS) Code of Conduct and APS Values.50

2.4 The ASIC Act requires the ASIC Chair to establish an ASIC Code of Conduct and the ASIC Values.51 The ASIC Chair has established an ASIC Code of Conduct and the ASIC Values as required by the ASIC Act.52 The Code of Conduct is available on ASIC’s intranet site.

2.5 The December 2022 ASIC Code of Conduct states that it applies to:

all ASIC employees, ASIC’s Commission, contractors, consultants, secondees and volunteers (team members) regardless of where the work is performed. This is in accordance with s126B(2) of the ASIC Act. [emphasis in original]

2.6 The code sets out the standards of behaviour ASIC expects from all team members and is intended to guide decision making at ASIC. It states that:

ASIC’s reputation for honesty and integrity is essential to our role as a conduct regulator, and our standing in the communities we serve …

Our Code of Conduct sets out expectations about how we interact with you, and how we are accountable for our actions.

It states our commitment to act with professionalism and integrity, and helps guide our people to make the right choices and decisions when performing their role.

2.7 The code identifies expectations in a range of areas, including:

  • complying with laws and policies;
  • protecting and properly using information and records;
  • reporting wrongdoing;
  • interacting with people internally and externally;
  • acting with integrity;
  • disclosing conflicts of interest; and
  • acting responsibly with respect to gifts and hospitality.

2.8 The code states that failure to comply with the code may lead to disciplinary action up to and including termination of employment.

2.9 ASIC’s Code of Conduct training documentation states that the code ‘is not just a set of rules. It is the most important document we have for guiding people’s behaviour at ASIC.’53

2.10 ASIC’s Risk Appetite Statements for 2021–22 and 2022–23 state that ‘ASIC has No Tolerance toward unethical, corrupt or illegal conduct, or behaviours that are inconsistent with the standards that are appropriate for ASIC as a regulator and consistent with the expectations of Parliament and the community.’ [emphasis in original]

Conflict of interest

2.11 ASIC has identified conflict of interest as a key probity risk and developed policies, procedures and arrangements to manage the identified risks.

2.12 ASIC has identified activities, actions and decisions that compromise its independence, as a risk to its effectiveness. For example, ASIC’s business unit risk register identifies the following risk relating to conflict of interest:

If conflicts of interest are not declared and appropriately managed, there is a risk of inappropriate decision/s or restricted or sensitive information being unintentionally used (whether actual or perceived) for an improper purpose. This may impact the integrity or effectiveness of regulatory investigations, decisions or outcomes and cause reputational harm.

2.13 As referenced in Box 2 in Chapter 1 of this audit, section 29 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) establishes a duty to disclose interests and requires officials of Commonwealth entities who have a material personal interest that relates to the affairs of the entity to disclose the details of the interest. The ASIC Act also establishes requirements around disclosure and the management of conflicts of interest.54 The ASIC Code of Conduct states that:

Team members must avoid any real, potential or perceived conflict between their personal interests and their duties towards ASIC.

Team members must disclose any real, potential or perceived conflicts of interest including any outside employment or activities which may conflict with their role at ASIC.

2.14 To support the management of risks related to conflict of interest, ASIC has developed the following.

  • A disclosure policy applicable to all Commission members, including the ASIC Chair — ‘Disclosure obligations of ASIC Commissioners, November 2021’.
  • A conflict of interest policy for staff, secondees and ‘some consultants and contractors’55 — ‘ASIC Conflicts of interest policy, March 2021’.56

2.15 Together, these policies reference various obligations under the PGPA Act, ASIC Act and ASIC’s Code of Conduct. They address:

  • the fundamental importance of integrity to ASIC’s effectiveness as a regulator and in preserving public confidence in its work;
  • what constitutes an actual, potential or perceived conflict of interest;
  • how to identify or avoid conflicts of interest;
  • when and how conflicts are to be disclosed and recorded;
  • how declared conflicts of interest are to be managed for different categories of people working for/with ASIC and factors to consider when managing a conflict of interest;
  • specific situations such as secondments to and from ASIC, senior executives’ prospective future employment, and dealings with former ASIC senior officers; and
  • specific arrangements for high risk operational and regulatory activities, procurement and gifts, benefits and hospitality.57

2.16 ASIC has established a number of controls that stem from the Disclosure obligations of ASIC Commissioners and Conflicts of interest policies. ASIC Commissioners are required to submit a private declaration of interests as part of the appointment process. ASIC Commissioners are required to make a written disclosure of interests every six months at a minimum and have a requirement to report any changes as soon as reasonably practicable. Under the Disclosure obligations of ASIC Commissioners policy, a Commissioner who has a conflict of interest with a matter being considered by the Commission must not be present during consideration of, or a vote on, the matter. Exceptions to this requirement can occur when the remaining Commissioners agree.

2.17 Upon commencement at ASIC, everyone covered by the conflict of interest policy must read the policy, acknowledge they understand their obligations and make an initial conflict of interest declaration in writing. Everyone covered by the conflicts of interest policy must notify ASIC ‘as soon as you become aware that your Financial Interest or Other Interest, or a duty you owe to a person other than ASIC, conflicts, or may reasonably be thought to conflict, with the proper performance of your functions or duties at ASIC.’ ASIC’s arrangements for annual attestation of compliance with conflict of interest arrangements are discussed in paragraphs 4.7 to 4.20.

2.18 The staff conflict of interest policy states that once notified of a potential or actual conflict of interest, a staff member’s manager and Senior Executive will consider whether the individual’s interests or non-ASIC duties conflict, or may reasonably be thought to conflict, with the proper performance of their functions or duties at ASIC. The relevant Senior Executive (with the assistance of the staff member’s manager) is to ensure adequate and appropriate steps are taken to avoid or control any real, potential or perceived conflicts of interest.58 When it is not possible to manage a conflict of interest, the policy states that ASIC may request an individual to take steps to remove the conflict.59 ASIC advised the ANAO that details of any mitigation strategies are recorded in ASIC’s Enterprise Risk Management system.

2.19 Internal compliance with ASIC’s conflict of interest declaration requirements is discussed in Chapter 4 of this audit in paragraphs 4.7 to 4.21.

Key entity-wide risks relating to regulatory activities

2.20 The ANAO examined whether ASIC had identified regulatory capture risk and other key risks relating to its regulatory activities and established policies, procedures and arrangements to effectively manage those risks. The audit focussed on entity-wide policies, procedures and arrangements and not those that only applied to certain specific roles or activities.

2.21 ASIC had explicitly identified regulatory capture risk and established a range of controls to mitigate this risk. ASIC had also identified risks relating to its officials trading in financial instruments and information security.60 ASIC has established policies, procedures and arrangements to manage these risks.

Regulatory capture risk

2.22 Maintaining independence is crucial for regulators to effectively perform their function. The 2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Hayne Royal Commission) stated that ‘the risk of regulatory capture is well acknowledged’.61 The Parliamentary Joint Committee on Corporations and Financial Services, in its 2019 report on Statutory Oversight of the Australian Securities and Investments Commission, the Takeovers Panel and the Corporations Legislation, stated that:

The committee considers that regulatory capture is a significant issue faced by Australian regulators generally, given the size and power of corporations that operate in Australia. ASIC faces particular risks due to the financial benefits to be gained by participants in the financial services sector and the close interaction of ASIC staff and the industry it regulates.62

2.23 The committee defined regulatory capture as:

instances where regulators are excessively influenced or effectively controlled by the industry they are supposed to be regulating. There are three areas in which particular risks arise for regulatory capture:

  • staff moving between industry and regulatory jobs;
  • secondments; and
  • where regulatory staff are embedded in private sector organisations (that is, required to conduct their work within the workplace of industry participants, away from their home base at the regulator).63

2.24 The committee observed that:

embedded staff face increased risks of regulatory capture and corruption because of their proximity to those they regulate. ASIC informed the committee that it was aware of the risks and was taking precautions, including rotation between banks, limiting the amount of time away from ASIC, and ensuring the deployed staff are sufficiently senior. In addition, staff are also undergoing training, including examining case studies, to prevent regulatory capture in Australia.64

2.25 In its report, the committee reproduced evidence of the ASIC Chair, who advised that: ‘Regulatory capture is a big issue for us.’65

2.26 The need to maintain independence is reflected in ASIC’s Statement of Expectations and Statement of Intent.66 No mention is made in either regarding the risk of regulatory capture.

2.27 The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)67 sets out requirements with which entities must comply in relation to their corporate plans. This includes that corporate plans include ‘a summary of the risk oversight and management systems of the entity, and the key risks that the entity will manage and how those risks will be managed’.68 ASIC’s Corporate Plan 2022–23 provides a description of ASIC key risks but does not explicitly reference the risk of regulatory capture. It does include references to ensuring ASIC acts with integrity and is impartial in decision making. As noted in paragraph 2.6 of this audit, ASIC’s Code of Conduct sets out the standards of behaviour expected of ASIC team members.69 This includes acting with integrity and behaving honestly and impartially when dealing with stakeholders.

2.28 ASIC’s risk appetite statement says that ‘ASIC has a Very Limited Appetite toward activities, actions and decisions that compromise its independence.’ Regulatory capture is also identified as a cause of risks to ASIC’s ‘perceived regulatory effectiveness’ in ASIC’s Enterprise Risk Profile. Controls relating to these risks include training on regulatory capture for staff in certain roles70 and regular internal audits on regulatory capture.71

2.29 ASIC’s Chief Risk Office has identified that regulatory capture risk manifests widely at ASIC through its:

  • licensing function (which ASIC considers high risk);
  • misconduct and breach reporting function;
  • supervisory functions (which ASIC considers high risk); and
  • enforcement functions.

2.30 ASIC’s risk register includes three instances where the risk description includes reference to regulatory capture. In two instances the risk register lists ‘On-site supervisory staff are rotated between institutions, amount of time away from ASIC is limited and deployed staff are sufficiently senior to minimise potential for regulatory capture’ as a component of controls in place. ASIC documentation indicates that ASIC has established a range of controls, which are outlined in Figure 2.1.

Figure 2.1: ASIC Regulatory Capture Risk Controls

A figure that lists various ASIC regulatory capture risk controls. The controls are listed under five headings: ASIC wide policies and procedures; Supervisory teams common controls; Licensing teams controls; Enforcement teams controls; and ASIC wide specific education.

Source: Based on ASIC documentation — Capture Risk Presentation from ASIC’s Chief Risk Officer.

2.31 The ANAO did not assess whether the identified risks relating to regulatory capture were effectively managed by ASIC.72

2.32 In November 2019 the Commission approved an internal audit considering regulatory capture as part of ASIC’s two-year audit plan for the 2020 and 2021 calendar years. The audit was deferred and was added to the rolling internal audit plan for 2021 and 2022, which was approved by the Commission in March 2021. The 2021 internal audit plan provided for audits or reviews on regulatory capture every two years. During the period subject to this ANAO audit, ASIC engaged a consulting firm to conduct the planned internal audit. The internal audit assessed the effectiveness of selected ASIC arrangements to mitigate the risk of regulatory capture in its Financial Reporting and Audit (FR&A) area.73 The internal audit concluded that ASIC’s FR&A team had a range of embedded controls that mitigated the risk of regulatory capture and a number of positive practices were observed.74 Three opportunities for improvement were also identified.75

2.33 The Parliamentary Joint Committee on Corporations and Financial Services has identified regulatory capture as a significant issue faced by Australian regulators, and the attendant risks have been acknowledged by ASIC. Given the significance of the risk, there would be benefit in ASIC addressing regulatory capture risk and its management, in the entity corporate plan.

Opportunity for improvement

2.34 There is an opportunity for the Australian Securities and Investments Commission to consider including references to regulatory capture risk and how it is managed in the entity corporate plan.

Restrictions on trading in financial instruments

2.35 In addition to general conflict of interest risk (discussed in paragraphs 2.11 to 2.19) and regulatory capture risks, ASIC has identified a specific entity-wide risk relating to ASIC officials (or others due to their work at ASIC) inappropriately gaining financial advantage by trading in financial products. ASIC has established a policy called ‘ASIC’s policy on trading in financial products’ dated July 2022 (the 2022 trading policy)76 and established procedures and arrangements designed to manage this identified risk.

2.36 The 2022 trading policy references ASIC’s Code of Conduct, which requires ASIC commissioners and staff to:

(a) not use ASIC Information, including inside information for an improper purpose, or to obtain an improper personal benefit or potential benefit for yourself or others; and

(b) to disclose and avoid situations in which there is an actual or perceived conflict between their personal interests and their duties towards ASIC.

2.37 The 2022 trading policy applies to Commissioners, staff members, secondees, ‘some consultants and contractors’ and ‘connected persons’.77 The policy applies to ‘Division 3 financial products’78, exchange-related financial products79 and involvement in initial public offerings.

2.38 The policy imposes restrictions on trading in order to mitigate the risks of financial gain. Specifically, people subject to the policy may only trade if:

  • the trade does not give rise to a perceived or actual conflict with their position and duties at ASIC;
  • the trade meets the requirements of the 2022 trading policy;
  • approval is obtained prior to trading and the trade is ordered within two business days of the approval; and
  • the trader confirms the trade was placed or executed within three days of receiving approval.80

2.39 The 2022 trading policy allows for waivers from having to comply with the policy in limited circumstances.81 The policy also enables the applicable person or their connected person to trade in an exchange related financial product that is on ASIC’s ‘Restricted Entity List’82 in exceptional circumstances.83 ASIC’s ‘Guide to ASIC’s policy on trading in financial products’ dated 2021 requires employees to ‘inform Security Services that permission to trade an Exchange Related Financial Product on the Restricted Entity List has been granted and any conditions that apply to that permission’. ASIC advised the ANAO that there were no waiver notifications received by ASIC Security Services during 2021–22. ASIC further advised that as of 12 February 2023 there had been one notification for 2022–23, and that this waiver was granted on the basis that the staff member did not have a material conflict of interest in relation to the financial product.

2.40 ASIC provided the ANAO with details regarding the number of approvals to trade made during 2021–22 and trading by Commissioners and Senior Executives. The summaries are set out in Table 2.1 and Table 2.2.

Table 2.1: Approvals to trade in 2021–22

Category                                         Number   Percentage
ASIC staff (a)                                   1947     N/A
ASIC staff who submitted trade requests (a)      360      N/A
Requests for approval to trade 2021–22           2816     N/A
Notifications approved                           2508     89
Notifications not approved                       80       3
Notifications withdrawn                          196      7
Breaches (trading without requesting approval)   32       1

Note a: The staff figure is based on average full-time equivalent staff from the 2021–22 annual report and does not include contingent workers or contractors.

Source: ASIC documentation.

Table 2.2: Trading by ASIC Commissioners and Senior Executives in 2021–22

Category            Number of people in cohort   Number of people in cohort who requested approval to trade   Number of requests for approval to trade 2021–22
Commissioners       6                            2                                                            3
Senior Executives   58                           14                                                           76
Total               64                           16 (a)                                                       79 (b)

Note a: This represents approximately four per cent of the number of ASIC staff who submitted trade requests (360) and less than one per cent of the total number of ASIC Commissioners and staff.

Note b: This represents three per cent of the number of requests for approval to trade in 2021–22 (2816).

Source: ASIC documentation.

2.41 Under the conflict of interest policies, applicable persons must summarise and declare their holdings and any trading of Division 3 Financial Products when commencing at ASIC (see paragraph 2.17). ASIC’s arrangements for annual attestation of compliance with conflict of interest arrangements are discussed in Chapter 4 of this audit in paragraphs 4.7 to 4.20.

Information security

2.42 Collecting, analysing, sharing and storing sensitive and confidential information is necessary for ASIC to exercise its regulatory functions. ASIC’s intranet has ‘Share Everything You Can’ guidance, which outlines key operating principles regarding sharing information required to undertake ASIC’s core regulatory functions while ensuring the ‘need to know’ principle is adhered to.

2.43 ASIC’s security risk profile includes five ‘key risks’, one of which is ‘unauthorised release of sensitive or classified information.’ ASIC’s Executive Risk Committee receives regular security reporting that includes reporting on information security84, which includes data on the number of instances of USB-writing85, remote printing, and information security incidents reported through ASIC’s Enterprise Risk Management system.86

2.44 ASIC’s security policy requires ASIC personnel who are leaving a ‘security sensitive position’ to participate in a security debrief. The debrief covers:

  • return of assets and information; and
  • ongoing non-disclosure, confidentiality, privacy and reporting obligations.

Senior executive remuneration

Entity policy

2.45 A senior executive remuneration policy contributes to the management of probity within an entity by introducing transparency in the remuneration setting process. Having the accountable authority establish and approve remuneration policies also enables the accountable authority to influence behaviour and can be an important mechanism in communicating the desired culture within the entity.

2.46 At the time this audit commenced (March 2022) ASIC did not have a policy that set out remuneration requirements in relation to its senior executives. The ASIC Commission approved a remuneration policy for senior executives on 9 November 2022.

Government policy

2.47 Probity requirements for the personnel of Australian Government entities include compliance with applicable laws and government policies.87

2.48 In recent years the Australian Government has made decisions that impacted remuneration arrangements for senior executives in Australian Government entities. On 26 March 2020, the Australian Government announced that all remuneration increases for APS Senior Executive Service (SES) or equivalent employees (senior executives) would be suspended across the Commonwealth public sector in response to the COVID-19 pandemic.88 On 25 June 2021, the Australian Public Service Commission (APSC) announced the end of the pause on all remuneration adjustments for senior executives.89 ASIC records indicate that it applied the March 2020 remuneration pause to its senior executives and there were no pay increases for the 2019–20 financial year.

2.49 In August 2021 the APSC released Performance Bonus Guidance applicable to all Commonwealth entities and companies. The guidance stated that:

Commonwealth entities and companies should exercise rigour and restraint in the use of performance bonus payments … Performance bonuses may only be used in limited circumstances, justifiable to the Parliament and the public … As a general principle, most positions should not be eligible to earn a performance bonus. For instance, performance bonuses would not be appropriate in most policy, service delivery, regulatory, or corporate roles … Commonwealth entities and companies should avoid the broad use of performance bonuses.90

2.50 In August 2021, following the lifting of the pause in June 2021, the Commission approved: a 1.7 per cent across the board remuneration increase to all eligible senior executives91, backdated to 1 July 2021; and payment of performance bonuses to senior executives as provided for in their employment contracts for the 2020–21 performance cycle.92 ASIC documents indicate that ASIC consulted with other regulators (including the ACCC and APRA) and the APSC prior to approving the pay rise. ASIC documentation stated that: ‘We consider the modest remuneration increase and payment of bonuses aligns with government policy. We do not consider that there is risk in making such a payment.’93

2.51 In October 2021 the Chair approved that performance bonuses be rolled into senior executive pay. ASIC documentation outlines the principles ASIC adopted for rolling in bonuses.94 There is documentation that the ASIC Chair was provided with details of remuneration arrangements for the eligible cohort. See Chapter 4 of this audit (paragraphs 4.22 to 4.29) for further details.

2.52 In August 2022 the ASIC Chair approved a pause on further pay increases to senior executives. ASIC documentation indicates this was due in part to APSC guidance recommending entities should not implement pay increases for senior executives where those adjustments rely on the Wage Price Index. ASIC documentation indicates that ASIC’s senior executive pay increases do not rely on the Wage Price Index provisions however ASIC considered ‘the APSC advice [was] a useful gauge of the current government sentiment on pay adjustments’ and this was one of the reasons given for not providing pay increases for senior executives.

2.53 On 6 October 2022 the Australian Government released the Public Sector Interim Workplace Arrangements 2022, which replaced the Public Sector Workplace Relations Policy 2020. The interim arrangements operate from 1 September 2022 until 31 August 2023. They apply to APS and non-APS Australian Government entities and Members of Parliament staff. The arrangements also apply to SES and equivalent employees. The interim arrangements provide for a one-off annual remuneration increase of three per cent for Commonwealth employees.

2.54 On 27 October 2022 the ASIC Chief Operating Officer (COO) advised staff that the ASIC Chair and Commission endorsed a three per cent pay increase across the board effective from 10 November 2022, in line with the Australian Government’s Public Sector Workplace Relations Interim Arrangements 2022. See Chapter 4 of this audit (paragraphs 4.22 to 4.29) for further details.

Procurement

2.55 ASIC has identified key probity risks related to procurement and has developed policies, procedures and arrangements to manage the identified risks.

2.56 Under the PGPA Act, the Finance Minister issues the Commonwealth Procurement Rules (CPRs) for officials to follow when performing duties in relation to procurement. The CPRs govern how entities buy goods and services and state that procurements should:

use public resources in an efficient, effective, economical and ethical manner that is not inconsistent with the policies of the Commonwealth.95

2.57 The CPRs define the terms ‘efficient’, ‘effective’, ‘economical’ and ‘ethical’, and state that:

Ethical relates to honesty, integrity, probity, diligence, fairness and consistency. Ethical behaviour identifies and manages conflicts of interests, and does not make improper use of an individual’s position.96

2.58 Under the CPRs, ethical behaviour includes:

  • recognising and dealing with actual, potential and perceived conflicts of interest;
  • dealing with potential suppliers, tenderers and suppliers equitably, including by seeking appropriate internal or external advice when probity issues arise, and not accepting inappropriate gifts or hospitality;
  • carefully considering the use of public resources; and
  • complying with all directions, including relevant entity requirements, in relation to gifts or hospitality, privacy and security.97

2.59 ASIC’s procurement policies identify that ASIC is required to comply with the CPRs. ASIC has policies and guidance specific to probity in procurement, which establish a risk-based approach to determining the level of probity management required for a procurement.98 The probity risk assessment includes consideration of the estimated value of the procurement as well as ‘probity risk factors’ including complexity, sensitivities relating to ASIC’s core business99, criticality to ASIC achieving its objectives, market competitiveness and supply chain complexity. Where one of the probity risk factors applies, ASIC’s 2021 Probity Guideline requires the probity risk level be increased, depending on the value of the procurement. Procurements assessed as medium risk require a probity plan and an internal procurement advisor, while procurements assessed as high risk require a probity plan and an external probity advisor.

2.60 The ANAO’s assessment of ASIC’s compliance with probity requirements for a sample of procurements is discussed in Chapter 4 of this audit in paragraphs 4.30 to 4.40.

Corporate credit card expenditure

2.61 ASIC has identified the key probity risks related to corporate credit card expenditure and developed policies, procedures and arrangements to manage the identified risks.

2.62 Corporate credit cards (credit cards) offer a transparent, flexible and efficient way for Australian Government officials to obtain cash, goods or services to meet business needs. Australian Government policy requires non-corporate Commonwealth entities to pay expenses via a payment card where the payment is an eligible payment under $10,000.100 The misuse of credit cards can expose an entity to risks such as waste and fraud. Instances of misuse and weaknesses in relevant entity controls attract considerable parliamentary and public interest and can cause reputational damage to affected entities and the Australian Government.101

2.63 ASIC issues credit cards to Commissioners and staff.102 The ANAO reviewed ASIC’s credit card policy, procedures and arrangements to assess whether they addressed selected risks associated with the use of credit cards. In particular, the ANAO examined whether ASIC’s policies, procedures and arrangements addressed:

  • requirements for the issue of credit cards, including specifying cardholder obligations;
  • expenditure approval requirements;
  • acquittal requirements (including timing and documentation requirements and reviewer responsibilities); and
  • requirements for the return of credit cards.

2.64 ASIC has a credit card policy (‘ASIC Finance Policy Corporate Credit Cards’ dated October 2022103) that applies to all ASIC corporate credit cardholders and their delegates. ASIC also provides credit card related guidance on its intranet.

Requirements for the issue of credit cards including specifying cardholder obligations

2.65 ASIC’s credit card policy sets out the application process, which includes a requirement for the applicant to complete a mandatory corporate credit card e-learning module and agree to comply with the requirements of the policy. The policy also outlines the roles and responsibilities of cardholders.104

Credit card expenditure limits

2.66 ASIC has established transactional and monthly limits on all ASIC credit cards. Different limits apply based on anticipated level of use and the role of the cardholders. For staff below the senior executive level, the limit is nominated by the cardholders’ supervisor as part of the process to obtain a credit card. The limits are listed in Table 2.3.

Table 2.3: ASIC corporate credit card limits

Anticipated level of credit card use/ASIC role | Value per transaction ($) | Value per month ($)
Low anticipated use | 5,000 | 10,000
Medium anticipated use | 10,000 | 20,000
High anticipated use | 20,000 | 40,000
Senior Executive Leader and Senior Executive Specialists (Senior Executives) | 20,000 | 40,000
Commissioner | 40,000 | 60,000

Source: ANAO analysis of ASIC documentation.

2.67 Under ASIC’s corporate credit card policy, Commissioners have a standing approval to use their corporate credit card for domestic travel, taxi fares when needing to work after hours and other miscellaneous expenditure up to a value of $5,000. ASIC senior executives105 have a similar standing approval for miscellaneous expenditure up to $500. On a case-by-case basis, ASIC Executive Directors can approve similar standing approval arrangements for senior executives who report to them.

Expenditure approval requirements

2.68 ASIC’s credit card policy provides guidance on what corporate cards can be used for. Staff are not able to approve their own credit card expenses. Expenditure approval must be provided by a PGPA financial delegate under section 23 of the PGPA Act and is separate from the acquittal process.

Approval arrangements for ASIC Commissioners

2.69 A corporate credit card holder’s expenditure is typically approved by their supervisor. For the role of the accountable authority there is a power imbalance as they do not have the equivalent of a supervisor. Previous ANAO audits have identified risks in relation to positional authority.106 In Auditor-General Report No. 33 2015–16 Defence’s Management of Credit and other Transaction Cards, the ANAO observed that for review of credit card transactions to work effectively:

the reviewer must be in a position to exercise independent judgement … this means that they cannot be in a position which would constrain unreasonably their capacity to question transactions that appear inappropriate; for example, this may be difficult for a person junior to the cardholder … (paragraph 2.42).

2.70 The 2020 Thom review also highlighted risks related to positional authority when approving expenses for very senior personnel. The report stated that:

Clearly there are particular challenges that arise when subordinate officials are required to approve expenses for very senior statutory officers, particular for the Accountable Authority. These decisions can still be problematic, even if the approving official is very senior, for example, the CFO or COO … challenges arise for expenses that, while business expenses in nature, have sensitivities and can be subject to public scrutiny and criticism.107

2.71 Recommendation 8 of the Thom review included the following elements, to manage positional authority issues related to expense approvals.

The review recommends that ASIC should:

  • Require the Chair’s approval for the expenses of Commission members; and
  • Require a Deputy Chair’s approval for the Chair’s expenses.108

2.72 The final confidential report of the Thom review was provided to Treasury on 17 December 2020 and an abridged report, prepared for public release, was dated 28 January 2021.109

2.73 Recommendation 8 of the Thom review was addressed by introducing the following processes involving ‘standing approvals’ in late 2020.

  • Prior to November 2020 ASIC Commissioners were authorised to approve their own credit card expenses.
  • In November 2020 the process was changed so that the Chair (or acting Chair as the accountable authority) issued a standing approval to Commissioners covering business expenses and domestic travel.
  • The longest serving Commissioner then issued a standing approval for business expenses and domestic travel to the Chair.
  • In February 2021 the Deputy Chair issued a standing approval for the Chair for certain business expenses.110

2.74 ASIC introduced its ‘Statutory Appointments Governance Framework: Remuneration, Expense and Relocation Policy’ in August 2021. This policy states that:

Expenses incurred by Commissioners that are outside of, or exceed, the thresholds set out in the Expenses Guide or Standing Approval require written pre-approval by the Chair, or in the case of the Chair, a Deputy Chair.

2.75 Elsewhere the policy outlines that one of the roles of the COO is to ‘approve any proposed corporate card expenditure by a Commissioner outside of any Standing Approvals’. This contradicts the approval arrangements introduced in November 2020. In the undated Commissioner Expenses and Benefits Guide, the COO is listed as the role required to approve a Commissioner’s international travel itinerary. ASIC advised the ANAO that it is aware of the inconsistency and will correct it when the policy is next reviewed.

2.76 ASIC advised the ANAO that none of the executive assistants of the accountable authority had an active corporate credit card during the audit period. Executive assistants to other Commissioners had active credit cards during the period.

Acquittal requirements

2.77 ASIC’s credit card policy sets out acquittal requirements including timing, documentation requirements and roles and responsibilities of reviewers. The acquittal process for credit card transactions is undertaken online. Cardholders are required to submit acquittal documentation with sufficient information for the delegate to approve by a specified date — this includes all relevant approvals, tax invoices and receipts. If the cardholder has lost receipts or tax invoices, they must prepare a statutory declaration. Cardholders are not authorised to approve or acquit their own expenses. Reviewers, amongst other things, must sight and ensure that all supporting documentation has been saved on ASIC’s SharePoint site.

2.78 All instances of non-business use of a corporate credit card are a breach of the PGPA Act. An initial instance of personal use will result in a warning, a second instance will result in escalation to the cardholder’s senior executive or Commissioner, and a third instance will result in the cancellation of the card. This does not apply to coincidental private expenditure.111

Acquittal arrangements for ASIC Commissioners

2.79 ASIC advised the ANAO that:

Up until October 2020 the ASIC Chair reviewed and approved the credit card acquittal for Commissioners … The CFO reviewed and approved the Chair’s credit card acquittal.

From November 2020 there was a change to the governance practices for credit card acquittals, such that all Commissioners’, including the Chair’s, credit card acquittals [were] reviewed and approved by the COO, while Executive Directors’ credit card acquittals [were] reviewed and approved by the CFO. In August 2022 this was changed to the COO reviewing and approving Executive Directors’ credit card acquittals and the CFO reviewing and approving Commissioners’ credit card acquittals.112

2.80 ASIC also advised the ANAO that Commissioner executive assistants’ credit card acquittals are reviewed and approved by the CFO.

2.81 The credit card policy includes escalation arrangements for identified non-compliance with acquittal requirements.113 In October 2022, following the release of ASIC’s revised credit card policy, ASIC’s CFO emailed all staff to advise of its release and details of key changes. The CFO also emailed ASIC executive assistants (EAs), stating that:

Finance recognises there is a power imbalance between the EA and the Senior Staff member. Whilst the EAs are not making any decisions on spending money, Finance do acknowledge that there are potential instances where EAs may need to query transactions or request evidence to appropriately complete the acquittal. It is important that EAs feel supported to undertake these activities. If you feel uncomfortable with any aspect of your duties or responsibilities in relation to approving the acquittals you can contact ASIC’s Integrity Risk Specialist for a confidential discussion and advice or you can make a report using Speak Up platform … In the meantime, EAs can also email the PGPA Finance Team … with any queries they may have in regards to the acquittal process or reach out to me directly.

Requirements for the return of credit cards

2.82 The policy outlines requirements when cardholders leave ASIC or go on extended leave114 and states that an employee’s final pay will not be released until all statements have been acquitted. The policy also states that cardholders who have not used their cards for more than 12 months will be requested to return their cards for cancellation and destruction and (as mentioned in paragraph 2.78) misuse of the card can result in it being cancelled.

Monitoring of credit card use

2.83 The credit card policy states that:

  • all cardholders are required to attest to their compliance with the policy as part of ASIC’s biannual PGPA Credit Card Compliance questionnaires;
  • random audits of cardholder supporting documents and acquittals are undertaken on a regular basis;
  • cardholders are required to repeat the credit card training module for any non-compliance with the policy within a reasonable time; and
  • all breaches of the policy, including failure to complete the biannual PGPA Credit Card Compliance questionnaires, must be reported on ASIC’s Compliance Incident Management System.115

2.84 In September 2022 ASIC’s internal audit function conducted an assurance review of the credit card controls framework. The audit’s overall rating for the framework was ‘Needs Improvement (borderline Unsatisfactory)’ as ‘it identified that some key controls are ineffective at managing the risk within tolerance’. Four observations were made in the audit and management agreed to implement them.116 ASIC advised the ANAO in December 2022 that the ASIC Finance team had completed agreed actions for three of the four observations and detailed work was underway on the remaining observation (number two) which is due for completion from June 2023.

2.85 ASIC advised the ANAO in December 2022 that its PGPA Finance Compliance Team (PFCT) undertakes monthly monitoring and follow up of unacquitted corporate credit card transactions.117 ASIC further advised that:

The process for follow up in relation to Commissioner’s credit cards is … via a conversation with the PFCT and the Commissioner’s executive assistant where the acquittal has not been submitted by the [due date], or the executive assistant of the acquittal delegate (COO/CFO) where the acquittal has been submitted but has not been approved by the delegate by the [due date].

2.86 ASIC also advised the ANAO that:

  • since August 2022, when the CFO became the acquittal delegate for Commissioners, the CFO will follow up directly with the Commissioner or the Commissioner’s executive assistant; and
  • from December 2022, the PFCT will enhance its process to include a follow up email to the Commissioner’s executive assistant following the conversation.

2.87 ASIC’s compliance with credit card requirements is discussed in Chapter 4 of this audit in paragraphs 4.41 to 4.47.

Gifts, benefits and hospitality

2.88 ASIC has identified risks in relation to gifts, benefits and hospitality and has established policies, procedures and arrangements to manage the identified risks.

2.89 Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person. The giving or receiving of gifts, benefits and hospitality can create the perception that an official is subject to inappropriate external influence. Perceptions of this sort can give rise to reputational risks for public entities, including the legitimacy and integrity of regulators (discussed in paragraphs 1.2 and 1.3 of this audit report).

2.90 A policy for giving and receiving gifts, benefits and hospitality is an important element of a robust control environment and supports ethical conduct. The effective implementation of such a policy, which generally requires accurate disclosures by entity personnel, benefits from strong cultural settings within the entity, including the example set by senior leadership (‘tone at the top’).

2.91 ASIC has developed separate policies for Commissioners and staff on the receipt of gifts, benefits and hospitality. ASIC’s policy for Commissioners is contained in a policy titled ‘Disclosure obligations of ASIC Commissioners’ and the policy for staff is contained within ASIC’s Conflicts of interest policy. Both of these policies were discussed in the conflict of interest section of this audit (see paragraphs 2.11 to 2.19).

2.92 ASIC’s conflict of interest policy states that:

ASIC Staff should not accept any gifts, hospitality or benefits that give rise to a real (actual), potential or perceived conflicts of Interest. A conflict may arise because acceptance (either in a particular instance or cumulatively) may influence, the actions or decisions of ASIC Staff Members.

Generally, you must decline any gift, benefit or hospitality offered by a third Party in the course of, or related to, your work with ASIC.

However, ASIC recognises that in limited situations … it may be appropriate and in ASIC’s interest to accept benefits and hospitality, provided acceptance does not conflict with the proper performance of your functions or duties at ASIC, or give rise to any real or potential conflicts of Interest.

You must not improperly use your official position to seek or obtain a gift, benefit or hospitality for you or someone else.

2.93 ASIC’s ‘Disclosure obligations of ASIC Commissioners’ includes the same provisions as those quoted above. Both policies also outline:

  • examples of gifts, benefits and hospitality;
  • when it is appropriate to accept gifts, benefits and hospitality;
  • declaration and approval requirements for accepting gifts, benefits and hospitality; and
  • reporting requirements, including thresholds for reporting and what will be reported publicly on ASIC’s website.118

2.94 ASIC’s key requirements for managing gifts, benefits and hospitality are summarised in Table 2.4.

Table 2.4: ASIC’s gifts, benefits and hospitality arrangements

Definitions of gifts, benefits and hospitality
  ASIC staff:
  • No definitions, but policies contain several examples of each category.
  ASIC Commissioners: Same as for ASIC staff.

Approach to conflict of interest
  ASIC staff:
  • Offers of gifts, benefits or hospitality that give rise to a real, potential or perceived conflict of interest should not be accepted.
  ASIC Commissioners: Same as for ASIC staff.

Declaration requirements
  ASIC staff:
  • All gifts and benefits must be declared.
  • Modest hospitality valued below $50 does not need to be declared.
  • Hospitality valued at $50 or more must be declared.
  • All declarations are to be made through ASIC’s enterprise risk management system.
  • Where possible, declarations should be made prior to acceptance.
  ASIC Commissioners:
  • All gifts and benefits must be declared.
  • Modest hospitality valued up to $100 does not need to be declared.
  • Hospitality valued at over $100 must be declared.
  • All declarations are to be made through ASIC’s enterprise risk management system.

Approval requirements
  ASIC staff:
  • Approval is to be sought, where possible, in advance of receiving any gift, benefit or hospitality.
  • Token gifts that are to be kept require approval.
  • Benefits require approval before acceptance.
  • Hospitality valued at $50 or more requires approval before acceptance.
  • Senior executives can approve acceptance of a benefit or hospitality valued up to $250.
  • Senior executives who report directly to the ASIC Chair must obtain approval from the Chair.
  ASIC Commissioners:
  • Gifts that are to be retained must be reviewed and approved by the ASIC Chair.
  • Approval for hospitality other than modest hospitality should be sought from the ASIC Chair before it is accepted.
  • Gifts, benefits and hospitality accepted and retained by the ASIC Chair are to be reviewed and approved by a deputy chair or the longest serving Commissioner.

Prohibited gifts, benefits or hospitality
  ASIC staff:
  • Cash or cash equivalents (for example, gift cards).
  ASIC Commissioners: Same as for ASIC staff.

Cultural gifts (a)
  ASIC staff:
  • All gifts must be surrendered to ASIC, except for token gifts (see below).
  ASIC Commissioners: Same as for ASIC staff.

Requirements to surrender to ASIC
  ASIC staff:
  • All gifts must be surrendered to ASIC, except for token gifts (for example, certificates, plaques, stationery) which may be retained with Senior Executive approval.
  ASIC Commissioners:
  • All gifts should be surrendered except where it is impractical to do so (for example, perishable gifts such as fresh fruit).

Publication of gifts, benefits and hospitality registers
  ASIC staff:
  • Gifts surrendered to ASIC, and benefits and hospitality accepted by staff members, valued at $100 and above will be published quarterly on ASIC’s external website.
  • Recipient names not identified.
  ASIC Commissioners:
  • ASIC publishes a register that discloses gifts, benefits and hospitality accepted or surrendered by ASIC Commissioners valued at more than $100. The register is updated quarterly.
  • Recipient names identified.

Note a: Cultural gifts are items of cultural or sentimental value for which a monetary value is difficult to assign.

Source: ANAO analysis of ASIC documentation.

2.95 ASIC’s compliance with gifts, benefits and hospitality requirements is discussed in Chapter 4 of this audit in paragraphs 4.48 to 4.64.

Identification and management of fraud risks

2.96 Section 10 of the PGPA Rule requires the accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.119 It lists six requirements relating to fraud risk assessments, fraud control plans, and mechanisms for preventing fraud.

2.97 ASIC has a ‘Fraud and Anti-corruption Policy’ dated November 2022 (November 2022 Fraud Policy) and a ‘2022–24 Fraud Control Plan’ released in July 2022. ASIC’s November 2022 Fraud Policy defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’ and states that: ‘At ASIC … we protect and promote integrity by preventing, detecting and responding to internal fraud and corruption risks’.

2.98 The November 2022 Fraud Policy and the Fraud Control Plan apply to ASIC members and staff.120 The Commission Risk Committee (which includes the ASIC Chair as a member) approves the policy and Fraud Control Plan. ASIC’s Audit and Risk Committee is responsible for providing assurance to the Chair and the Commission on ASIC’s systems of internal control including fraud and corruption controls.

2.99 ASIC records indicate that in 2020–21 there was one internal allegation of fraud received or detected and in 2021–22 there was one external allegation of fraud received or detected. ASIC advised the ANAO in April 2023 that the external suspected fraud in 2021–22 was successfully detected (stopped) without financial loss.

2.100 The Fraud Control Plan sets out how ASIC prevents, detects and responds to fraud and corruption risks. The ANAO assessed whether ASIC’s fraud policy, plan and arrangements complied with section 10 of the PGPA Rule. Overall, as outlined in Table 2.5, ASIC has met the requirements of section 10.

Table 2.5: Fraud control requirements and ASIC compliance

PGPA Rule section 10 requirement: Conduct a fraud risk assessment regularly and when there is a substantial change in the structure, functions or activities of the entity.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements: Business units identify fraud and corruption risks (a) and record them in ASIC’s enterprise risk register. Enterprise risks are reviewed every four months by ASIC’s Executive Risk Committee.

PGPA Rule section 10 requirement: Develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements: ASIC had a fraud control plan in place.

PGPA Rule section 10 requirement: Have an appropriate mechanism for preventing fraud, including by ensuring that: (i) officials of the entity are made aware of what constitutes fraud; and (ii) the risk of fraud is taken into account in planning and conducting the activities of the entity.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements:
  • ASIC staff are required to complete training upon commencement and refresh annually. Completion of training is monitored. Training materials include defining fraud.
  • ASIC’s intranet includes information relating to fraud including how to report suspected or actual fraud or corruption.
  • There are examples of fraud related messaging to staff.
  • The Executive Risk Committee annually assesses ASIC’s risk management and fraud management frameworks and reports to the audit committee on its findings.

PGPA Rule section 10 requirement: Have an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements:
  • Mechanisms include ASIC’s ‘Speak Up’ platform that enables ASIC staff to report (including anonymously) suspected or actual instances of fraud and corruption.
  • Staff are required to report suspected or actual instances of fraud to their manager or through the Speak Up platform. Team leaders/senior executives receiving such reports are required to contact the Chief Risk Officer or Chief Legal Officer.
  • Internal and external audit activities can also detect incidents of fraud.

PGPA Rule section 10 requirement: Have an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements: ASIC’s 2022–24 Fraud Control Plan set out mechanisms for investigating and dealing with fraud or suspected fraud incidents. ASIC’s 2022 Fraud Policy states that the Chief Risk Officer and Chief Legal Officer investigate as necessary all instances of fraud or corruption.

PGPA Rule section 10 requirement: Have an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.
Meets requirement: Yes (see paragraph 2.100).
Description/examples of ASIC arrangements:
  • Staff can report suspected or actual instances of fraud to their manager/Senior Executive Leader/Executive Director, Chief Internal Auditor or Operational Risk Executive.
  • The Executive Risk Committee and Commission Risk Committee receive a report on fraud exposure annually, which identifies actions undertaken in response to instances of fraud.

Note a: At the highest level, ASIC identifies three primary categories of occupational fraud: asset misappropriation (which involves an employee stealing or misusing the employing organisation’s resources and which ASIC states occurs in the vast majority of fraud incidents); financial statement fraud schemes (in which the perpetrator intentionally causes a material misstatement or omission in ASIC’s financial statements, which ASIC states are the least common but costliest category of occupational fraud); and corruption, which includes offenses such as bribery, conflict of interest, and extortion (which ASIC states falls in the middle in terms of both frequency and financial damage).

Source: ANAO analysis of ASIC documentation.

Public interest disclosures

2.101 ASIC has established a public interest disclosure (PID) policy that is accessible to both ASIC officials and the public; has identified authorised officers; has training relating to PID available to ASIC officials; and provides PID guidance on its intranet and website.

2.102 The Public Interest Disclosure Act 2013 (PID Act) establishes a PID scheme where public officials ‘who suspect wrongdoing within the Commonwealth public sector can raise their concerns.’121 The PID Act ‘applies to Australian Government agencies, Commonwealth companies, public authorities and Commonwealth contracted service providers.’122 The purpose of the PID Act is to:

promote the integrity and accountability of the Commonwealth public sector by:

  • encouraging and facilitating the making of disclosures of wrongdoing by public officials
  • ensuring that public officials who make protected disclosures are supported and protected from adverse consequences relating to the making of a disclosure
  • ensuring that disclosures are properly investigated and dealt with.123

2.103 The kinds of conduct that disclosures can be made about include but are not limited to:

  • a contravention of the law
  • corruption
  • perverting the course of justice
  • maladministration
  • an abuse of public trust
  • falsifying scientific research
  • wastage of public money, or
  • conduct that is a danger to health, safety or the environment.124

2.104 The PID Act sets out a range of obligations including those relating to the principal officer of each agency125 and authorised officers.126

2.105 The ANAO examined whether ASIC had:

  • established a PID policy that was accessible to ASIC officials and the public;
  • identified authorised officers;
  • made PID training available for staff; and
  • provided PID related guidance on its intranet and website.

2.106 ASIC has a public interest disclosure policy. The policy is available on ASIC’s intranet and website so is accessible to both ASIC officials and the public. This policy includes information on:

  • what is a public interest disclosure;
  • what is disclosable conduct;
  • who can make a public interest disclosure;
  • protections under the PID Act;
  • how to make a public interest disclosure;
  • roles and responsibilities;
  • what happens after a public interest disclosure is made;
  • confidentiality requirements; and
  • support arrangements.

2.107 A public interest disclosure can be made by current and former public officials including ASIC current or former staff (including temporary and contracted employees), ASIC Commissioners, and service providers contracted to ASIC (including their officers and employees). ASIC’s policy states that:

A person who is not a current or former public official may also be deemed to be a public official by an authorised officer if the authorised officer believes on reasonable grounds that the person has information that concerns disclosable conduct.

2.108 ASIC also provides guidance relating to public interest disclosures on its intranet. ASIC’s website includes a link to its PID policy and the email addresses to be used to make a disclosure to an authorised officer.

2.109 As of 27 March 2023, ASIC had 17 authorised officers. ASIC also has mandatory training related to PID as part of the compulsory modules and annual refresher course for staff (see Table 2.6 for details). There is no additional training related to PID for those appointed as authorised officers; however, ASIC has a suite of guidance for authorised officers.

Were relevant policies subject to periodic review?

ASIC has established a framework for the design and review of its policies. For the selected probity risks, there was evidence of relevant policies being reviewed and updated.

2.110 Periodic review of entity policies assists in ensuring they remain fit-for-purpose and address current risks. For the period examined as part of this audit, the ANAO examined whether relevant policies were subject to periodic review.127

2.111 ASIC has established an Enterprise Policy Framework to provide a consistent approach to the design and review of ASIC’s internal policies. As part of this framework, ASIC maintains a policy register which includes a list of all current policies, the policy owner, the last review and last review approver. The policy owner is responsible for reviewing their policies every two years, in accordance with ASIC’s policy cycle process.

2.112 Over the period examined for this audit, relevant ASIC policies were reviewed and updated under the framework.128

Does ASIC effectively inform its personnel of probity requirements and promote compliance?

For the selected probity risks, ASIC has effectively informed its personnel of probity requirements. ASIC has adopted a combination of training, making information on policies, procedures and arrangements easily accessible on its intranet, and messaging from senior officials to reinforce knowledge of probity requirements and promote compliance. Completion of mandatory training is monitored and reported to senior management.

2.113 The effectiveness of an entity’s arrangements for managing probity risks is dependent on personnel being effectively informed of the requirements with which they are required to comply. This can be done through, for example:

  • the provision of training;
  • making information on policies, procedures and arrangements addressing probity risks easily accessible to staff; and
  • regular messaging from senior officers.

Training related to probity risks

2.114 ASIC has a suite of training relevant to the probity risks examined in this audit. ASIC launched a revised training program called the ‘Essentials Program’, which was rolled out between March and June 2022. This program consolidated 15 mandatory training modules into three.129 ASIC staff, including senior executives, must complete all three Essentials modules annually.

2.115 For new starters, mandatory training must be completed within four weeks. In December 2022 ASIC’s Management Committee was provided with seven recommendations aimed at simplifying and improving contingent worker130 completion of relevant mandatory training.131 These included that the completion of Module 1 and Module 2 from the ‘Essentials Program’132 would be mandatory for contingent workers, with annual recertification required by contingent workers who are engaged for longer than 12 months.

2.116 ASIC advised the ANAO that training is mandatory for Commissioners.133 ASIC has additional mandatory training for staff with specific responsibilities, such as those undertaking procurement activity and those holding credit cards. Table 2.6 provides details of the training available for the probity risks examined in this audit.

Table 2.6: ASIC probity related training

Probity risk                             | Mandatory training available                                                                          | Frequency of required renewal
-----------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------
Code of conduct                          | Yes                                                                                                   | Annually
Conflict of interest                     | Yes                                                                                                   | Annually
Regulatory capture                       | Yes. Regulatory capture training is mandatory for staff in ASIC’s Regulatory Practice stream.         | Not required
Trading policy                           | Yes                                                                                                   | Annually
Confidentiality and information security | Yes                                                                                                   | Annually
Procurement                              | Yes. Procurement training is mandatory for staff who access the Contract Management System.           | Every 2 years
Corporate credit card expenditure        | Yes. Credit card training is mandatory for staff who hold a credit card.                              | Every 2 years
Gifts, benefits and hospitality          | Yes. Training for gifts, benefits and hospitality is contained within the conflict of interest module. | Annually
Fraud                                    | Yes                                                                                                   | Annually
Public interest disclosures              | Yes                                                                                                   | Annually

Source: ANAO analysis of ASIC documentation.

2.117 ASIC tracks the completion of mandatory training for Commissioners, employees and contingent workers, and managers are responsible for ensuring their team members have completed the appropriate modules. Managers have a dashboard that displays the status of team members’ compliance with mandatory training requirements. ASIC advised the ANAO that: ‘Executive Directors receive individual reports on non-compliance (and can access data about their group’s completion of mandatory training via Learnhub).’ Learnhub is ASIC’s training management system.

2.118 The completion of mandatory training is also centrally monitored and included in quarterly people and development reports provided to the Executive Risk Committee, the Commission Risk Committee and the Management Committee.134 As at 30 September 2022, ASIC reporting indicated that the Essentials Program Module 1 had a 99.33 per cent completion rate, Module 2 had a 98.50 per cent completion rate and Module 3 had a 96.89 per cent completion rate.

Accessibility of information on probity requirements

2.119 ASIC makes policies, procedures and information regarding arrangements to address probity risks available on its intranet. This information often contains contact details for specialist staff who can provide assistance.

Messaging from senior officials

2.120 ASIC uses a range of channels for providing its personnel with information on probity requirements, including information on policy updates, reminders regarding obligations and senior officials’ expectations. These channels include:

  • the ASIC Direct newsletter;
  • the ASIC Daily newsletter;
  • Commission updates; and
  • email reminders to all staff.

3. Monitoring, reporting and assurance

Areas examined

This chapter examines whether the Australian Securities and Investments Commission (ASIC) has established monitoring and reporting arrangements to provide assurance on the effectiveness of its internal controls and compliance with probity requirements, and arrangements to follow up on identified instances of non-compliance. The period examined in this audit was July 2020 to November 2022 and, where relevant, included key subsequent events up to and including February 2023.

Conclusion

ASIC has a framework and arrangements for monitoring the effectiveness of internal controls and compliance with probity requirements, and for providing assurance to the accountable authority in relation to probity. The framework includes regular compliance monitoring, reporting to management and high-level governance committees, and arrangements for following up on identified instances of non-compliance. Key activities are overseen by a Central Compliance function.

3.1 An entity’s accountable authority is required to establish appropriate controls and maintain sufficient oversight to ensure internal controls operate as intended, to assist in mitigating probity related risks and promote compliance. Well-functioning assurance arrangements, including reporting to senior management, provide confidence that risks are being effectively controlled or identify when controls are ineffective or absent. Entities also need to ensure that instances of noncompliance are treated in a timely and appropriate manner in accordance with specified requirements.

3.2 This chapter examines whether ASIC has established monitoring and reporting arrangements to provide assurance on the effectiveness of internal controls and compliance with probity requirements. Specifically, the ANAO examined if ASIC has established a fit for purpose framework for:

  • monitoring the effectiveness of internal controls relating to probity and providing assurance to the accountable authority;
  • monitoring compliance with probity requirements, including regular monitoring and reporting; and
  • following up on identified instances of non-compliance.

Is there a framework for monitoring the effectiveness of internal controls relating to probity and providing assurance to the accountable authority?

ASIC has a framework for monitoring the effectiveness of internal controls and providing assurance to the accountable authority in relation to probity. The framework includes regular internal audits into probity related topics. ASIC’s Central Compliance function also commenced a program of control assessments in 2022, which have included the consideration of controls relating to probity related compliance obligations.

3.3 Information on the effectiveness of internal controls gives the accountable authority assurance regarding compliance with probity policies and the extent to which staff uphold standards of conduct. Section 16 of the Public Governance, Performance and Accountability Act (PGPA Act) requires the accountable authority of a Commonwealth entity to establish an appropriate system of internal control. Section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority to establish an audit committee, the functions of which must include reviewing the appropriateness of the system of internal control. This includes oversight of the management of identified probity risks.

Internal audit

Review activity

3.4 ASIC advised its audit committee that as of February 2022 it was resourced to undertake approximately 15 internal audits and three advisory reviews each year. ASIC’s internal audit plan includes ‘cyclical audits and reviews’, through which ‘areas of key PGPA risk and other areas of very limited appetite’ are subject to audits or reviews on a set frequency. This includes audits and reviews of the following probity risks examined as part of this audit135:

  • PGPA compliance (credit cards, travel and gifts);
  • procurement;
  • regulatory capture; and
  • conflict of interest.

3.5 Audits on each of these risks were undertaken during the period examined as part of this audit.

3.6 In addition to these cyclical audits and reviews, ASIC undertakes ‘one off’ audits, including on probity related topics. Examples during the period covered by this audit included:

  • implementation of the five Thom Review recommendations directed to ASIC136;
  • payments to part-time statutory office holders;
  • Australian Commission for Law Enforcement Integrity (ACLEI) alignment; and
  • Commissioner expenses.

3.7 Internal audit reports are included as a standing agenda item at Commission Risk Committee and Executive Risk Committee meetings. The Commission Risk Committee is comprised of all ASIC Commissioners, including the ASIC Chair, who is the ASIC accountable authority. The Commission Risk Committee and Executive Risk Committee also receive updates on the status of audit recommendations at each meeting.

Oversight

3.8 Under the terms of reference of ASIC’s Audit and Risk Committee, the committee’s role is to review and provide advice to ASIC’s accountable authority on ASIC’s systems of risk oversight and management and system of internal control. As part of exercising this function, the Audit and Risk Committee receives updates on ASIC’s internal audit control framework, ASIC’s internal audit forward work program, completed internal audit reports and the status of open internal audit recommendations. ASIC also prepares dashboard reporting on key metrics relating to compliance with PGPA Act requirements that are provided to the Audit Committee each quarter. This includes reporting based on attestations made by senior executives relating to:

  • reportable breaches of the PGPA Act;
  • completion rates for fraud and corruption mandatory training;
  • appropriate escalation of risks identified as outside of tolerance;
  • policies and procedures being up-to-date; and
  • implementation of high risk audit recommendations.

Compliance management framework control assessments

3.9 In 2022 ASIC commenced undertaking assessments of compliance-related controls under its compliance management framework. ASIC refers to this as the ‘compliance plan evaluation and attestation process’ and it involves ASIC’s Central Compliance function.137 ASIC’s compliance management framework is discussed further in paragraphs 3.13 to 3.20.

3.10 The assessments have focused on obligations with an inherent risk rating of ‘severe’ or ‘high’. Controls assessed through this process have included the following probity related topics:

  • unauthorised use or disclosure of protected information;
  • trading restrictions;
  • procurement;
  • conflict of interest;
  • use of corporate credit cards; and
  • Commissioner remuneration, allowances and relocation.

3.11 The results of the assessments were reported to ASIC’s Executive Risk Committee on 2 August 2022 and the Commission Risk Committee on 23 August 2022. The report included ratings on which obligations were assessed as ‘operating within appetite’ or ‘outside of appetite’ or ‘unknown’.138 The report also included recommendations for strengthening controls for obligations irrespective of their rating.

3.12 In October 2022, ASIC’s Executive Risk Committee was presented with the proposed approach to testing compliance-related controls for the 2022–23 financial year and beyond. The approach was risk-based, with different levels of assurance sought depending on the inherent level of risk. Most compliance obligations with a ‘medium’ inherent risk were to be assessed through analysis of compliance questionnaires and attestations by managers with responsibilities for the controls. In the 2022 assessments, compliance obligations with a ‘high’ or ‘severe’ inherent risk were subject to this process as well as sample testing to verify the effectiveness of controls. All ‘severe’, ‘high’ and selected ‘medium’ risk obligations were to be subject to this process for 2022–23, with control assessments of the remaining ‘medium’ risk obligations planned to commence in 2023–24.

Is there a framework for monitoring compliance with probity requirements, including regular monitoring and reporting?

ASIC undertakes regular compliance monitoring under its compliance management framework, and has established a Central Compliance function which reports on a regular basis to the Executive Risk Committee and Commission Risk Committee on compliance with obligations, including obligations related to probity requirements. Monitoring and reporting of compliance with probity requirements not tracked by the Central Compliance function occurs through ASIC’s Integrity Committee and updates to other Commission and management committees.

Compliance management framework

3.13 ASIC’s December 2021 Compliance Policy outlines ASIC’s approach to managing compliance with a range of obligations and how ASIC monitors and reports on compliance with those obligations. The policy defines a ‘compliance obligation’ as:

any statutory or regulatory requirement ASIC must comply with, or directs its staff members and/or Commission members to comply with due to the nature of the risk. For example, the requirements set out in an internal ASIC policy.

3.14 The policy further states that:

Compliance with ASIC’s … obligations is fundamental to the effective performance of our role as a corporate, markets and financial services regulator. Compliance is sustained by embedding it in the culture, behaviour and attitudes of our staff members, Senior Executives and Commission members.

3.15 ASIC’s Central Compliance function is responsible for providing advisory support to business areas within ASIC regarding compliance management, administering ASIC’s ‘obligation library’139, preparing reports on compliance with obligations, and overseeing the annual evaluation and attestation processes of the compliance plan. ASIC’s Central Compliance function reports to ASIC’s Chief Risk Officer, who in turn reports to ASIC’s Chief Operating Officer.

Monitoring and reporting non-compliance

3.16 The ASIC Compliance Policy states that:

Where potential non-compliance is identified, a notification must be submitted via the Compliance Incident Management System (CIMS) for specified obligations, or by an alternative method as described in the relevant internal ASIC policy.

3.17 CIMS is a system through which ASIC staff report potential breaches of certain obligations. Probity related obligations that are reported through CIMS include those established under ASIC’s policies relating to:

  • executive remuneration and entitlements;
  • procurement; and
  • use of corporate credit cards.140

3.18 Potential breaches of obligations relating to conflict of interest, trading breaches, gifts, benefits and hospitality and fraud are recorded in the relevant register rather than in CIMS. Guidance on ASIC’s intranet states that:

only incidents relating to Obligations Notifiable in CIMS … are able to be notified and responded to through the CIMS. Events that are unrelated to Obligations Notifiable in CIMS do not form part of the compliance incident management process at present and instead must be reported via the appropriate escalation channels for consideration.141

3.19 ASIC’s intranet provides a list of policies and details of how someone reports an event relating to each policy.

3.20 The Central Compliance function provides compliance reports three times per year to the Executive Risk Committee and Commission Risk Committee. These reports include details of reported compliance incidents, including incidents reported through CIMS. Compliance with conflict of interest requirements is subject to sample testing by ASIC’s compliance team from time to time. Compliance with trading and gifts, benefits and hospitality requirements is included in enterprise risk reporting as ‘key risk indicators’ for ASIC’s enterprise risk relating to ‘operational quality and discipline’.

Integrity Committee

3.21 ASIC’s Integrity Committee is a sub-committee of the Executive Risk Committee and provides quarterly updates to the Commission Risk Committee.142 The Integrity Committee meets bi-monthly to oversee: ASIC’s Integrity Framework; activities related to ACLEI143; summary information on reports made through the ‘Speak Up’ platform144; and integrity, fraud and corruption control measures.

3.22 In October 2022 the Integrity Committee was presented with an assessment of ASIC’s Integrity Framework against ACLEI’s Integrity Maturity Model. The assessment resulted in proposed improvements relating to training and awareness raising.

Other compliance reporting

3.23 ASIC’s Commission and management committees receive regular reporting on compliance with probity requirements, in addition to the reporting undertaken under ASIC’s Compliance Management Framework and to the Integrity Committee. This includes reporting on the completion of mandatory training145 and completion of ASIC’s annual attestation process.146

Is there a framework for following up on identified instances of noncompliance?

ASIC has a framework for following up on identified instances of non-compliance. This includes responding to incidents and rectifying realised risks, as well as consequence management.

3.24 Having a framework for following up on identified instances of non-compliance assists in providing assurance to the accountable authority regarding the effectiveness of probity management arrangements.

Responding to non-compliance with probity requirements

3.25 ASIC’s Compliance Policy is supported by the Compliance Management Handbook. The Handbook states that:

Where non-compliance is identified, corrective action must be taken to manage non-compliance. Mitigating controls should also be implemented where required to prevent the risk of the event re-occurring and encourage continual improvement in compliance management at ASIC.

3.26 ASIC Commissioners and staff members are required to report an event that could impact compliance with obligations in CIMS. The CIMS procedure requires the team responsible for rectifying the compliance incident to assign a ‘rectification manager’ to resolve the incident and implement mitigating controls. The Central Compliance function has responsibility for oversight of this process and for reporting to the Executive Risk Committee, Commission Risk Committee and Audit Committee on the outcomes of incidents.

3.27 Sensitive incidents can also be reported and escalated through channels other than CIMS, including through the Speak Up platform.

Consequences for non-compliance with probity requirements

3.28 ASIC’s Compliance Policy states that personnel who fail to comply with their obligations ‘may be subject to disciplinary action under ASIC’s Code of Conduct, up to and including termination of employment.’ Responsibility for managing non-compliance of staff members lies with Senior Executives. According to the compliance policy, ASIC’s Central Compliance team monitors progress of compliance actions. ASIC’s process for following up instances of identified noncompliance with code of conduct requirements is outlined in the ASIC Code of Conduct and the ‘Procedures for Investigating Code of Conduct and other Grievances’.

3.29 ASIC’s guideline for probity in procurement, conflict of interest policy147 and policy on trading in financial products state that failure to comply may result in disciplinary action under ASIC’s Code of Conduct. The policy on trading in financial products also advises that insider trading prohibitions apply to ASIC personnel and that failure to comply could be an offence under the Corporations Act 2001.

3.30 ASIC’s credit card policy states that credit card holders with expenditure not acquitted after four months will have their credit cards cancelled.148 Three instances of private use of an ASIC credit card will result in the physical card being retained by the ASIC finance area.149 Further noncompliance will result in the card being cancelled. The policy also states that certain activities will result in disciplinary action or termination of employment.150

3.31 Identification of probity related non-compliance and the management of identified noncompliance are discussed in Chapter 4 of this audit report.

4. Compliance with requirements

Areas examined

This chapter examines whether the Australian Securities and Investments Commission (ASIC) has demonstrated compliance with its probity requirements and addressed noncompliance in accordance with its stated requirements.

Conclusion

While ASIC fully or largely complied with most of the probity related requirements examined in this audit, there was partial compliance with requirements for managing probity in procurement.

ASIC’s internal attestation process did not identify any noncompliance associated with code of conduct and conflict of interest requirements. There is evidence that ASIC has addressed noncompliance with its financial trading policy that was identified through the attestation process.

Areas for improvement

There was one recommendation to review financial thresholds in ASIC policies relating to the acceptance of gifts, benefits and hospitality.

Opportunities for improvement related to: providing managers with additional information to follow up with staff on compliance with the internal attestation process; updating guidance on probity management in procurement; and strengthening reporting requirements for gifts, benefits and hospitality offered to ASIC personnel.

4.1 Entities cannot effectively manage probity related risks if the policies, procedures and arrangements designed to mitigate those risks are not followed. This chapter assesses whether ASIC can demonstrate compliance with the probity requirements selected for ANAO review and has addressed non-compliance in accordance with its stated requirements.

4.2 The requirements reviewed by the ANAO related to:

  • the ASIC Code of Conduct;
  • conflict of interest and disclosure of financial trading;
  • senior executive remuneration;
  • selected procurement requirements;
  • corporate credit card use; and
  • gifts, benefits and hospitality.151

Has ASIC complied with the selected probity requirements?

For the periods reviewed by the ANAO, ASIC undertook its internal assurance processes under which relevant personnel made attestations relating to the ASIC Code of Conduct and compliance with conflict of interest and financial trading requirements. Results for the respective processes were reported to senior management committees. Disclosures of ASIC Commissioners’ interests were provided to the Treasurer as required under the Australian Securities and Investments Commission Act 2001.

ASIC personnel largely complied with requirements relating to corporate credit card use and gifts, benefits and hospitality.

ASIC did not have a policy for managing senior executive remuneration until 9 November 2022. As a result, the ANAO was unable to test whether ASIC’s process for reviewing senior executive remuneration for its most recent performance period was undertaken in accordance with entity requirements. There is evidence that the Chair was provided with information on, and approved, individual remuneration outcomes for all members of the senior executive cohort for the most recent performance cycle or review process that involved a pay rise.

For the ten high-value procurements reviewed by the ANAO, ASIC partly complied with the requirements established in its internal ‘Procurement guideline — probity’. The selected requirements were not met in four of the procurements (40 per cent non-compliance); only one of the selected requirements was met in four of the procurements (40 per cent partial compliance); and all four of the selected requirements were met in only two of the procurements (20 per cent compliance).

There is scope for ASIC to enhance its requirements in relation to gifts, benefits and hospitality.

Compliance with training requirements relating to the ASIC Code of Conduct

4.3 ASIC’s Code of Conduct arrangements are discussed in paragraphs 2.3 to 2.10. Officials subject to ASIC’s Code of Conduct are required to undertake mandatory training in relation to the Code of Conduct.

4.4 The ANAO examined whether there is evidence of people subject to ASIC’s Code of Conduct having completed mandatory training for the most recent period.

4.5 Completion rates for this and other mandatory training are monitored and reported to ASIC’s Executive Committee. Reporting to ASIC’s Executive Committee in July 2022 indicated that the first module of ASIC’s new mandatory training suite (ASIC Essentials) was rolled out on 29 March 2022. This module included training on ASIC’s Code of Conduct. A completion rate of 99.04 per cent was reported for that training. ASIC documentation states that:

Completion rates are higher than the acceptable threshold of 90% and feedback has indicated the modules are easy to navigate and provide good organizational context on regulatory and legislative obligations.

4.6 As discussed in paragraph 2.118, at 30 September 2022, ASIC reported that the completion rate for Module 1 of the Essentials Program was 99.33 per cent.

Compliance with attestation process requirements relating to the code of conduct, conflict of interest and disclosure of financial trading

4.7 ASIC’s arrangements for managing conflict of interest and disclosure of financial trading are discussed in paragraphs 2.11 to 2.19 and 2.35 to 2.41 respectively.

4.8 In addition to the requirement to disclose interests and identify conflicts as they arise (see paragraph 2.17), prior to 2022 ASIC also required its staff and contractors to make an annual declaration of interests every July.152 ASIC documentation indicates that technical issues with ASIC’s enterprise risk management system resulted in the 2019–20 declaration cycle being postponed until 8 February 2021. The first reporting on compliance with the declaration process to ASIC’s Executive Risk Committee occurred on 22 June 2021, with 39 senior executives and 245 other personnel identified as not having finalised the process as at 15 June 2021.153 Further reporting to ASIC’s Executive Risk Committee on 27 July 2021 identified that the attestation process had not been finalised for approximately 15 senior executives (25 per cent of the cohort) and 127 staff (seven per cent of the cohort). There was no annual declaration process conducted in 2020–21.

4.9 The ANAO examined whether there is evidence of ASIC having conducted its attestation process relating to code of conduct, conflict of interest and disclosure of financial trading for the most recent period. The most recent annual attestation period ran from 4 July 2022 to 29 July 2022. ASIC records indicate that 180 people (7.9 per cent) were non-compliant with the attestation process.

4.10 In 2022 ASIC replaced the annual declaration with an annual attestation. This requires all ASIC team members to attest that they have complied with requirements to make declarations relating to ASIC’s policies on:

  • disclosure of interests and conflicts;
  • trading in exchange-related financial products;
  • gifts, benefits and hospitality;
  • security responsibilities;
  • changes in circumstances; and
  • overseas travel.154

4.11 As part of the disclosure of interests and conflicts, people subject to the process must attest that they have read and understood certain policy documents (including ASIC’s Code of Conduct) in the last 12 months.

4.12 At the end of the 2022 attestation cycle, reporting to the Executive Risk Committee identified that 92.1 per cent of the required personnel had completed the attestation, and that 80.5 per cent of non-compliant personnel were ‘contingent workers’.155 A list of personnel who were non-compliant with the requirement to make an annual attestation was provided to the Executive Risk Committee.

4.13 The results of ASIC’s 2022 attestation process are presented in Table 4.1.

Table 4.1: Results of ASIC’s 2022 attestation cycle

Category                                  | Total | Percentage
------------------------------------------|-------|-----------
Personnel required to make an attestation | 2,255 | N/A
Attestations completed                    | 2,076 | 92.1a
No attestation completed                  | 180   | 7.9
Non-compliant ASIC employees              | 35    | 1.5
Non-compliant contingent workersb         | 145   | 6.4

Note a: ASIC advised the ANAO that it has a target attestation completion rate of 90 per cent to remain within its risk tolerance.

Note b: Contingent workers are not ASIC employees. Some contingent workers have access to ASIC’s information or systems.

Source: ANAO review of ASIC documentation.

4.14 ASIC advised the ANAO that it is currently reviewing compliance requirements for its contingent workers.156

4.15 Internal reporting to the Executive Risk Committee in October 2022 highlighted a number of areas of improvement:

The Attestation process was designed to increase the up-take and accuracy of point-in-time reporting of compliance related matters. The data … shows the process was successful in driving reporting behaviour as well-above average increases in retrospective reporting of trades, international travel and changes in personal circumstances were observed during the attestation period. … The significant increase in point-in-time reporting suggests that a considerable number of team members failed to disclose reports at the time that they became aware of them. Delayed reporting of conflicts and other obligations present risks to team members in respect to the maintenance of their Australian Government security clearance, in addition to compliance and risks to ASIC.

4.16 ASIC documentation indicates that during the attestation period there were also above average increases in the number of disclosures of interests and the number of gifts declared. The increases are shown in Table 4.2.

Table 4.2: Number of declarations made during July 2022 compared to 2022 — monthly averagea

Category | Number declared during July 2022 | 2022 monthly average (excluding July 2022)a
Retrospective reporting of trading activity | 52 | 2.3
Requests to trade | 260 | 154
Disclosures of interests | 81 | 20
Gifts declared | 26 | 11

Note a: The monthly average figure covers the period 1 January 2022 to 17 November 2022 (excluding July 2022 when the attestation process was underway).

Source: ASIC documentation.

4.17 ASIC advised the ANAO in December 2022 that ‘system generated Annual Attestation noncompletion emails were sent to all noncompliant team members 5 days, 2 days and 1 day prior to the conclusion of the cycle.’ ASIC documentation indicates that on 29 July 2022 senior executives were provided with advice as to who in their team had not completed their attestation and the expectation that attestations should be completed by midnight that day.

Opportunity for improvement

4.18 There is an opportunity for ASIC to improve compliance with its internal attestation process by giving managers earlier notice of which of the staff and contingent workers for whom they are responsible have completed the attestation, so that they can follow up outstanding attestations.

4.19 ASIC advised the ANAO in December 2022 that ASIC people managers received a noncompliance notification once the attestation closed (1 August 2022). ASIC further advised that:

The attestation process was a point in time exercise for staff to confirm they were compliant with a number of policies, including conflicts of interest. The attestation process opened on 4/7/22 and closed on 29/7/22 and therefore staff who had not completed the attestation could not do so after 29/7/22. However, staff could still update their COI [conflict of interest] disclosures, make trading notifications (or requests etc), so just because they did not complete the attestation does not mean they were non-compliant with the underlying policies.

The myRAD [ASIC’s Enterprise Risk Management system] platform must be accessed from your work laptop — you cannot access it via phone or ipad, which means staff on leave may not have been able to access the attestation (only staff on long term leave (3+ months) were excluded from the attestation process) …

The Chief Legal Office was notified of all people who did not complete the attestation, and the additional disclosures in the request to trade, disclosure of interests, overseas travel, and gifts, benefits and hospitality registers in myRAD would have triggered normal workflows for action (i.e. for declarations of interest the people manager would get a workflow notification to review the disclosure).

4.20 As discussed in paragraph 4.68, ASIC has not documented the consequences for not completing the attestation process. ASIC’s Executive Directors were provided with details of people who had not completed the attestation process. Information about trading policy breaches identified during the attestation process is provided in paragraphs 4.73 to 4.76.

Disclosure of Commissioners’ interests

4.21 Under section 123 of the Australian Securities and Investments Commission Act 2001, ASIC Commissioners have a standing obligation to disclose certain interests to the Minister in writing. ASIC’s practice is for each Commissioner to provide a letter to the Treasurer every six months containing disclosures of interests. All ASIC Commissioners undertook this disclosure process for the period examined in this audit.

Compliance with senior executive remuneration requirements

4.22 ASIC’s arrangements for senior executive remuneration are discussed in paragraphs 2.45 to 2.54. As noted in paragraph 2.46, ASIC did not have a policy for managing senior executive remuneration until 9 November 2022. As a result, the ANAO was unable to test whether ASIC’s process for reviewing senior executive remuneration for its most recent performance period was undertaken in accordance with entity requirements.

4.23 The ANAO reviewed whether ASIC’s accountable authority (the ASIC Chair) was provided with and approved individual remuneration outcomes for members of the senior executive cohort for the most recent performance cycle or review process that resulted in a pay rise (excluding across the board increases applied in accordance with government policy).157

4.24 As outlined in paragraph 2.50, the Commission approved a 1.7 per cent remuneration increase to all eligible senior executives in August 2021. This rise was consistent with the requirements of the Public Service Workplace Relations Policy 2020. As outlined in paragraph 2.51, in October 2021 the Chair approved that performance bonuses be rolled into senior executive pay. At that time the Chair was provided with a table listing individual members of the senior executive158, excluding the Chief Operating Officer (COO), outlining:

  • how long they had been a senior executive at ASIC;
  • their performance rating for the year;
  • their average bonus over the previous three years;
  • their existing remuneration, average bonus amount and the total of these two amounts when combined;
  • the applicable discount factor159;
  • the proposed new total remuneration;
  • a ‘compa-ratio’ figure160; and
  • a ‘Notes’ section that provided the Chair with comparative information regarding various senior executives.

4.25 ASIC advised the ANAO that the COO was not included in the table provided to the Chair:

on the basis of conflict of interest. … [the COO] participated in the bonus roll-in discussions for all executives on the memo with the Accountable Authority and the Chief People Officer. To keep the COO at arms’ length from any discussion on his remuneration, his situation was managed outside of this process.

4.26 ASIC documentation indicates that the COO had been appointed to the role in March 2021 for an initial period of 12 months. The employment contract provided for a remuneration review after 12 months. The 1.7 per cent remuneration increase that the Chair approved for eligible senior executives discussed in paragraph 2.50 was not applied to the COO due to the new remuneration agreement entered into in March 2021. The Chair was provided with options regarding the total remuneration package for the COO on 28 October 2021. The Chair was provided with information similar to that provided for the senior executive cohort as part of the bonus roll-in process described in paragraph 2.51. The roll-in of bonuses became effective in December 2021.

4.27 As outlined in paragraph 2.54, ASIC documentation indicates that in October 2022 the ASIC COO advised staff that the ASIC Chair and Commission endorsed a three per cent pay increase across the board effective from 10 November 2022, in line with the Australian Government’s Public Sector Workplace Relations Interim Arrangements 2022 released on 6 October 2022.

4.28 As of March 2023, no further increases in remuneration to members of the senior executive had occurred.

4.29 In summary, for the process examined by the ANAO, there is evidence that the Chair was provided with information on, and approved, individual remuneration outcomes for all members of the senior executive cohort.

Compliance with selected procurement requirements

4.30 ASIC’s policies, procedures and arrangements for probity management in procurement activities are outlined in paragraphs 2.55 to 2.60.

4.31 For a selection of high-value procurements, the ANAO assessed whether ASIC complied with its requirements for probity management in procurement.

4.32 The ANAO selected a sample of ten procurements undertaken by ASIC between July 2021 and October 2022. The procurements were the 10 highest value procurements for the period recorded on AusTender as at 19 October 2022.

4.33 For each procurement, the ANAO assessed whether there was evidence of probity management in accordance with requirements detailed in ASIC’s ‘Procurement guideline — probity’.161 All of the procurements in the ANAO sample were valued over $1 million, meaning they all had a probity risk rating of at least ‘medium’ under ASIC’s ‘Procurement guideline — probity’. The requirements assessed were those relating to:

  • probity risk assessment162;
  • establishment of a probity plan163;
  • appointment of a probity advisor164; and
  • declaration of conflicts of interests.165

4.34 The results of the ANAO’s assessment are presented in Table 4.3.

Table 4.3: Consideration of probity in the selected ASIC procurements

Columns: Sample number; Procurement and Contract Notice (CN) number; Procurement type; Value at 19/10/22 as recorded on AusTender ($); ANAO comment.

Sample 1: Transactional banking agreement review 2022–2024 (CN3903188)
  Procurement type: Limited tender – single supplier approached
  Value at 19/10/22 ($): 7,230,949
  ANAO comment:
  • ASIC documentation states that it only approached the Reserve Bank of Australia for this procurement because ‘Approaching the open market for these services could raise significant reputation risk and be perceived as a conflict of interest with potential service providers being ASIC’s regulated community.’
  • There was no documented evidence of: a probity risk assessment, a probity plan, or use of a probity advisor.

Sample 2: Program management services (CN3825997-A2)
  Procurement type: Panel procurement – ‘ask the market’ followed by a request for detailed quote from five suppliers
  Value at 19/10/22 ($): 6,622,209
  ANAO comment:
  • At the outset of the procurement, risks associated with a potential tenderer were identified and probity management arrangements put in place.
  • There was evidence of a probity risk assessment, probity plan, use of a probity advisor, and declarations of conflict of interest.

Sample 3: ASIC AWS Cloud Commitment 2022–2025 (CN3869054)
  Procurement type: Use of mandatory Australian Government coordinated procurement arrangement
  Value at 19/10/22 ($): 5,873,142
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, the use of a probity advisor, or declarations of conflict of interest.

Sample 4: Microsoft VSA5 Software Licensing via Data3 (CN3916506)
  Procurement type: Use of mandatory Australian Government coordinated procurement arrangement
  Value at 19/10/22 ($): 5,294,948
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, use of a probity advisor, or declarations of conflict of interest.

Sample 5: Early case assessment and evidence management software and support (CN3869044)
  Procurement type: Panel procurement – single supplier approached
  Value at 19/10/22 ($): 5,153,719
  ANAO comment:
  • There was evidence of a probity risk assessment, probity plan, use of a probity advisor, and declarations of conflict of interest.
  • ASIC sought external probity advice due to operational sensitivities.
  • There was a documented assessment of probity risks but not an overall probity risk rating.

Sample 6: Financial Adviser (FA) examinations (CN3839358)
  Procurement type: Limited tender – single supplier approached
  Value at 19/10/22 ($): 4,545,043
  ANAO comment:
  • This procurement was subject to earlier guidelines on probity in procurement.a
  • Evaluation panel members and technical advisors made conflict of interest declarations.
  • There was no documented use of a probity advisor, consideration of the need for a probity plan or completion of general procurement conduct statements.

Sample 7: Microsoft Volume Sourcing Agreement 5 CCC (CN3866583)
  Procurement type: Use of mandatory Australian Government coordinated procurement arrangement
  Value at 19/10/22 ($): 4,282,504
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, use of a probity advisor, or declarations of conflict of interest.

Sample 8: DATA STRATEGY FY22 and FY23 Plan (CN3893991)
  Procurement type: Panel procurement – four suppliers approached
  Value at 19/10/22 ($): 3,903,900
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, or use of a probity advisor.
  • The three evaluation panel members made procurement conduct statements and conflict of interest declarations regarding the four suppliers approached.

Sample 9: IT Specialists MBR Program (CN3837544-A1)
  Procurement type: Panel procurement – single supplier approached
  Value at 19/10/22 ($): 3,786,162
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, use of a probity advisor, or declarations of conflict of interest.
  • ASIC documentation indicates that this procurement was to enable continuity of contractor personnel from the supplier that was replaced through the Program management services procurement listed above (CN3825997-A2).

Sample 10: Mainframe Managed Services (CN3909161)
  Procurement type: Panel procurement – 677 suppliers approachedb
  Value at 19/10/22 ($): 3,705,570
  ANAO comment:
  • There was no documented evidence of a probity risk assessment, a probity plan, or use of a probity advisor.
  • Evaluation team members made procurement conduct and conflict of interest declarations while the request for quote was open. There were no tenderer-specific conflict of interest declarations.

Note a: For this procurement the applicable requirements were set out in ASIC’s 2020 ‘Procurement Guideline – Managing Probity’. Key probity requirements for high value or complex procurements were: using a probity advisor from ASIC’s central procurement area; consulting the central procurement area about the need for a probity plan; completion of a ‘general procurement conduct statement’; and declaration of conflicts of interest.

Note b: ASIC advised that it ‘sought quotations from suppliers via an RFQ approached suppliers on the Digital Marketplace Panel under DTA panel category “Support and Operations”’.

Source: ANAO analysis of ASIC and AusTender documentation.

4.35 As summarised in Table 4.3, for the ten high-value procurements reviewed by the ANAO, ASIC only partly complied with the requirements established in its ‘Procurement guideline — probity’.

  • None of the selected requirements were met in four of the procurements (40 per cent non-compliance).
  • Only one of the selected requirements was met in four of the procurements (40 per cent partial compliance).
  • All four of the selected requirements were met in only two of the procurements (20 per cent compliance).

4.36 There was an absence of a documented risk assessment for eight of the ten procurements. This meant that it was not clear whether any additional probity management requirements for high probity risk procurements were required.166

4.37 In November 2022 ASIC advised the ANAO that:

The digital workflow requires that any endorser or approver (to establish or vary a contract) to attest that they do not have a conflict of interest … However, this systemic attestation is not included in the final approved form for procurements using the workflow prior to 1/7/22.

4.38 Seven of the procurements involved ASIC approaching a single supplier, including three where doing so is mandatory under whole of Australian Government coordinated procurement arrangements.167 For four of these seven procurements, ASIC advised the ANAO that the only probity management steps required were conflict of interest attestation by the endorser and/or the final decision-maker.168 This exemption from ASIC’s policy is not explicitly stated in its ‘Procurement guideline — probity’.

4.39 The results of the ANAO’s testing indicate that there is an opportunity for ASIC to seek to obtain greater consistency in its identification and management of probity risks in procurement, by enhancing its internal guidance.

Opportunity for improvement

4.40 There is an opportunity for the Australian Securities and Investments Commission to update its internal guidance on probity in procurement, to:

  • clearly identify any exemptions from internal probity management requirements; and
  • specify how probity risks are to be managed where exemptions apply.

Compliance with corporate credit card requirements

4.41 ASIC’s arrangements for corporate credit card expenditure were discussed in paragraphs 2.61 to 2.87.

4.42 The ANAO examined the corporate credit card use of the following senior ASIC personnel:

  • the Accountable Authority;
  • the Deputy Chairs; and
  • the Chief Operating Officer.

4.43 These roles were selected on the basis that setting the ‘tone at the top’ is important when trying to instil an ethical culture in an entity. Further, external review is a means of testing whether there are controls in place to manage positional authority risks within an entity.169

4.44 The ANAO also examined whether the executive assistants for people in the above roles have credit cards and if so, whether they can make purchases on behalf of their manager.170

4.45 The ANAO reviewed all credit card transactions for the people in the selected roles for the months of June and July 2022. These months were selected as they are sufficiently recent to reflect current entity practices and, at the time of conducting audit testing, the acquittal process should have been complete. The ANAO examined whether:

  • transactions were acquitted within the required timeframe;
  • tax invoices or other supporting documentation was provided (where applicable);
  • transactions were approved in accordance with requirements171; and
  • transactions appeared to be for incidental or other private expenditure.

4.46 In the audit sample there were 197 transactions, with a total expenditure of $40,352. The results for the 197 transactions examined were as follows.

  • Twenty-four (12.2 per cent) were non-compliant with ASIC’s acquittal requirements, as they were not acquitted by the 20th day of the following month as required by the credit card policy.
  • Tax invoices or other supporting invoices were provided (where applicable).
  • Transactions were approved in line with requirements.

4.47 For the 197 transactions reviewed by the ANAO, no instances were observed that appeared to be for private expenditure.

Compliance with gifts, benefits and hospitality requirements

4.48 ASIC’s arrangements for gifts, benefits and hospitality were discussed in paragraphs 2.88 to 2.95.

4.49 The ANAO reviewed ASIC’s gifts, benefits and hospitality register for the period 1 July 2020 to 30 September 2022. The ANAO examined the register for this period because the effective management of probity risks related to gifts, benefits and hospitality is an important element of: supporting an ethical culture; managing the risk of real and perceived conflicts of interest; and managing the risk of regulatory capture.

4.50 The ANAO examined whether:

  • declarations were made in line with the ASIC policy;
  • gifts, benefits or hospitality to staff were approved in accordance with requirements; and
  • where applicable, details of gifts, benefits and hospitality reported on ASIC’s website matched those on ASIC’s internal register.

4.51 There were 259 entries in the register, of which: 228 were recorded as accepted; five were recorded as declined; and 26 were recorded as ‘expired’.172

4.52 Table 4.4 provides a summary of the entries in ASIC’s gifts, benefits and hospitality register during the period reviewed by the ANAO.

Table 4.4: Summary of ASIC’s gifts, benefits and hospitality register

Columns: Categorya; Number; Percentage; Examples.

Complimentary attendance at a conference, presentation or seminar (Number: 117; Percentage: 45)
  Examples:
  • Discounted or free registration to attend a conference (virtual or in person). In-person attendance may include incidental hospitality.
  • Presenters at a conference or seminar received a free ticket to attend the rest of the event.
  • Attendance at training courses, presentations and seminars free of charge.

Functions and events (Number: 21b; Percentage: 8)
  Examples:
  • Attendance at gala events associated with university fellowships.
  • Invitations to drinks and canapes functions hosted by external legal counsel.
  • Attendance at speaking events as the guest of industry peak bodies.
  • Complimentary attendance at industry awards nights.
  • One entry in this category also included the declaration of a bottle of wine.b

Meals (Number: 50c; Percentage: 19)
  Examples:
  • Lunches and dinners hosted by previous employers of ASIC personnel (for example, partners at law firms).
  • Dinners hosted by conference organisers pre- or post-conference.
  • Breakfast networking event.
  • Networking lunches and dinners (for example, for people in specific roles or leadership positions).
  • Attendance at boardroom luncheon events hosted by law firms.
  • One entry in this category also included the declaration of a donation to charity made on behalf of ASIC.c

Gifts (Number: 19; Percentage: 7)
  Examples:
  • Bottles of wine for conference speakers.
  • Books.
  • Flowers.
  • Tree planted on behalf of participant in a conference.
  • Serving plate.
  • Donation to a charitable organisation on behalf of ASIC.
  • Tickets to a theatre production.

Token Giftsd (Number: 11; Percentage: 4)
  Examples:
  • Branded duffle bags.
  • Mouse pad with charger.
  • Sanitiser.
  • Chocolates.
  • Biscuits.
  • Branded stationery.
  • Calendars.
  • Commemorative place mats.

Cultural Giftse (Number: 2; Percentage: 1)
  Examples:
  • Gift from an international delegation of a foreign government.
  • Handmade item from an international business organisation.

Airline lounge memberships (Number: 7; Percentage: 3)
  Examples:
  • Commission members received complimentary membership to airline lounges.

Total accepted and approved items (Number: 228)

Declined (Number: 5; Percentage: 2)
  Examples:
  • Offer by regulated entity to donate money to a charitable organisation on behalf of an ASIC officer.
  • Complimentary attendance at a conference where approval was not obtained in advance.
  • Gift cards.
  • Offer of lunch by a law firm with which ASIC is engaged.
  • Dinner with Chief Executive Officer and Executive Director of an industry peak body.

Expired (Number: 27; Percentage: 10)
  Examples:
  • Duplicate entries.
  • Entries for events that were cancelled.
  • Items that did not need to be declared.

Total entries (Number: 259; Percentage: 100f)

Note a: The categories in this table were determined by the ANAO based on analysis of ASIC’s Gifts, Benefits and Hospitality register.

Note b: In this category a person attending a function or event also received a bottle of wine. This has not been included in the total for the gifts category.

Note c: In this category a person receiving a meal also declared a donation that was made to a charity on behalf of ASIC. This has not been included in the total for the gifts category.

Note d: Token gifts are defined as items of low or no monetary value.

Note e: Cultural gifts are items of cultural or sentimental value for which a monetary value is difficult to assign.

Note f: Due to rounding, the ‘Percentage’ column does not add to 100 per cent.

Source: ANAO analysis of ASIC’s gifts, benefits and hospitality register, 1 July 2020 to 30 September 2022.

4.53 In respect to the entries in ASIC’s register for the period reviewed, most gifts, benefits and hospitality were managed in accordance with ASIC requirements.173 The ANAO identified the following exceptions.

  • There were 21 occasions where the benefit or hospitality was reported after the event.174
  • There were three occasions where a gift received by staff was reported more than 30 days after it was received.175
  • There were seven occasions when non-token gifts were kept by the recipients that were not recorded as being surrendered to ASIC.176 The acceptance of these non-token gifts was approved by ASIC personnel.
    • Six of these occasions included bottles of wine. Five of the six bottles had a reported value ranging from $30 to $100. The sixth bottle was included as part of a combination of items with a combined reported value of $80.
    • The seventh occasion was a gift with a reported value of $70, which included lollies, a candle and a notebook.
  • There were six occasions where the entry in the register was not published online.177

4.54 According to the ASIC policy, in order to receive a benefit, or hospitality valued at $50 and over, staff must seek approval from their Senior Executive before accepting the offer. As the register ASIC provided to the ANAO did not record when a Senior Executive had approved each entry, the ANAO was not in a position to test if approvals had been made in accordance with ASIC’s policy. There is an opportunity for improvement in ASIC’s internal guidance, by clarifying reporting timeframes for gifts and recording approval timeframes for entries on the register of gifts, benefits and hospitality.

Opportunity for improvement

4.55 There is an opportunity for the Australian Securities and Investments Commission to:

  • set a timeframe for reporting gifts; and
  • record the date of approval by the relevant senior executive or Commissioner for each entry on the register of gifts, benefits and hospitality, to better enable ASIC to gain assurance as to whether the approval requirements are being complied with.

4.56 As noted in paragraph 2.92, ASIC’s conflict of interest policy states that178:

ASIC Staff should not accept any gifts, hospitality or benefits that give rise to a real (actual), potential or perceived conflicts of Interest.

Generally, you must decline any gift, benefit or hospitality offered by a third Party in the course of, or related to, your work with ASIC.

However, ASIC recognises that in limited situations … it may be appropriate and in ASIC’s interest to accept benefits and hospitality, provided acceptance does not conflict with the proper performance of your functions or duties at ASIC, or give rise to any real or potential conflicts of Interest.

4.57 ASIC’s processes require personnel making a declaration in the gifts, benefits and hospitality register to address the following questions:

  • ‘is acceptance of gift/benefit/hospitality a conflict of interest (Yes/No/Unsure?)’;
  • ‘reason for gift/benefit/hospitality’; and
  • ‘explain how acceptance of the benefit or hospitality further benefits ASIC’.

4.58 The register shows that in some cases, the personnel making a declaration and/or the approvers, have included additional information supporting the assessment of whether acceptance would represent a conflict of interest. ASIC could strengthen its arrangements for gifts, benefits and hospitality by requiring all personnel making a declaration to include the basis for their assessment of whether acceptance results in a conflict of interest.

Opportunity for improvement

4.59 There is an opportunity for the Australian Securities and Investments Commission to require personnel making a declaration of a gift, benefit or hospitality to record in the internal register the basis for their assessment of whether acceptance results in a conflict of interest.

4.60 On 10 August 2022 the ASIC Chair attended a farewell event for the retiring Chair of the Commonwealth Bank of Australia.179 The bank is regulated by ASIC. The Chair’s attendance at this event was not recorded in ASIC’s internal gifts, benefits and hospitality register. ASIC advised the ANAO in February 2023 that ‘ASIC’s policy does not require the approval, disclosure or reporting of modest hospitality where there is a genuine benefit to ASIC and acceptance doesn’t give rise to a conflict of interest.’ ASIC’s November 2021 policy, ‘Disclosure obligations of ASIC Commissioners’, provides that:

61. Generally, Commissioners must decline any gift, benefit or hospitality offered in the course of, or related to, their official duties on behalf of ASIC.

62. ASIC recognises that in limited situations … it may be appropriate and in ASIC’s interest for Commissioners to accept benefits and hospitality. This is only the case if acceptance does not give rise to a real conflict and would benefit ASIC in performing its role, duties and functions.180

69. Any hospitality over the value of A$100 must be reported in myRAD [ASIC’s Enterprise Risk Management system].

4.61 The ANAO’s review indicates that there are entries by Commissioners on ASIC’s gifts, benefits and hospitality register for hospitality with an estimated value below $100. The declaration of all hospitality received from regulated entities, particularly by senior personnel, is a transparent approach to disclosure which contributes to the management of reputational risk by regulators.181 ASIC should review whether its financial thresholds for declaring hospitality in its internal register could further contribute to the management of reputational risk, particularly where hospitality is more than incidental to ASIC personnel undertaking their core regulatory functions.

Recommendation no.1

4.62 The Australian Securities and Investments Commission review the financial thresholds for declaring hospitality in its internal register of gifts, benefits and hospitality, in the context of managing risks associated with accepting hospitality from regulated entities.

Australian Securities and Investments Commission response: Agreed.

4.63 ASIC’s policy for the acceptance and reporting of gifts, benefits and hospitality by Commissioners is based on the Australian Public Service Commission’s guidance for agency heads on gifts and benefits. The example cited by the ANAO was within ASIC’s policy.

4.64 Notwithstanding the above, ASIC agrees with the recommendation to review the financial thresholds for reporting hospitality in ASIC’s internal gifts, benefits, and hospitality register.

Has non-compliance been addressed in accordance with stated requirements?

ASIC’s internal attestation process did not identify any noncompliance associated with code of conduct and conflict of interest requirements. There is evidence that the instances of noncompliance identified through the attestation process, relating to requirements for the disclosure of financial trading, were addressed by ASIC in accordance with its requirements.

There is no evidence of instances of non-compliance identified by this audit being addressed in accordance with ASIC’s requirements for: procurement; corporate credit cards; and gifts, benefits and hospitality. There is evidence of ASIC recording details of other instances of noncompliance and actions taken, in its Compliance Incidence Management System (CIMS) register.

4.65 Following up on identified instances of non-compliance assists in providing assurance to the accountable authority on compliance with entity requirements and the effectiveness of probity management arrangements.

4.66 ASIC’s framework for following up on identified instances of non-compliance is discussed in paragraphs 3.24 to 3.31.

4.67 The ANAO examined whether there was evidence of action being taken in relation to noncompliance identified by ASIC and in the context of this audit.

Attestation process relating to ASIC Code of Conduct, conflict of interest and disclosure of financial trading

4.68 ASIC has not documented the consequences for not completing the internal attestation process discussed in paragraphs 4.7 to 4.20. ASIC advised the ANAO that ‘non-compliant individuals and their people manager received an automated email from the myRAD system. The security team provided Executive Directors with the details of the attestation process, including noncompliant individuals.’182

4.69 ASIC conducted its attestation process in relation to code of conduct, conflict of interest and disclosure of financial trading in accordance with its requirements. As outlined in paragraph 4.12, 92.1 per cent of the required personnel had completed the attestation, and 80.5 per cent of noncompliant personnel were contingent workers.183

4.70 In regards to ASIC staff, as outlined in paragraph 4.19, ASIC advised the ANAO that the Chief Legal Office was notified of all people who did not complete the attestation, and the additional disclosures in the request to trade, disclosure of interests, overseas travel, and gifts, benefits and hospitality registers in myRAD would have triggered normal workflows for action.

4.71 As discussed in paragraph 4.14, ASIC advised the ANAO that it is currently reviewing compliance requirements for contingent workers.

4.72 The attestation process did not identify any noncompliance associated with ASIC’s Code of Conduct and conflict of interest requirements.

4.73 In October 2022, the report to ASIC’s Executive Risk Committee on the results of the attestation process (see paragraphs 4.12 to 4.16) included identification of 51 instances of noncompliance with retrospective reporting of trading activity, which ASIC identified as ‘severity 2 breaches’.184

4.74 In December 2022 ASIC advised the ANAO that, given the number of trading policy breaches identified as a result of the annual attestation process, ASIC’s Chief Legal Office undertook a process to determine which breaches needed to be dealt with first, and how to deal with less urgent breaches. ASIC further advised that the process involved the following procedures.

  • CLO [Chief Legal Office] looked at the breaches and the securities the breaches were for. Those that were found not to require a trade approval (e.g. ETFs [exchange traded funds], unlisted managed funds, cryptocurrency, a connected person’s trade whereby the staff member wasn’t aware of the updated definition of connected person), we ceased processing (i.e. cancelled).
  • For the remaining actual breaches, CLO found that the majority of them were for contractors who advised that they weren’t aware of the Trading Policy and the requirement to seek trade approval. They only became aware of the requirement when they were completing the Annual Attestation.
  • For these breaches, CLO categorised the breaches as low, medium, or high risk. This ‘risk assessment’ is not a standard procedure. CLO used these categories (only this time) to help them decide whether we needed to conduct a fuller assessment and send out the results of a full assessment to the relevant manager, SEL [Senior Executive Leader], ED [Executive Director], and P&D [People and Development] (as is usually the case), or if the assessment should just be sent to the staff member and their manager. This is because most of these breaches were lodged by contingent workers/contractors who were not aware of the Trading Policy. Please note that these contractors were not required to complete the mandatory online learning in the Trading and Conflicts of Interest Policy and that these staff members are mainly located in the IT area.
  • When assessing these breaches, CLO still did their usual checks regardless of whether they were a low, medium, or high risk. That is, CLO still checked, at a minimum, e.g. share price movements, any sensitive announcements around the date of the trades, the role of the staff member, whether the staff member had traded in the past, any prior breaches, and any COI [conflict of interest] identified.
  • If the staff member had not lodged a trade request in the past, it was their first breach, they are a contingent worker, it’s a severity 2 breach and there was no COI identified, then CLO would categorise it as low risk. CLO would send an email directly to the staff member and their manager, acknowledging the breach and reminding them of their obligations under the Trading Policy.
  • A medium risk is one where the staff member is an ordinary ASIC staff member (i.e. not a contingent worker), may or may not have lodged a trade request/breach in the past, lodged a severity 2 breach this time around, and no COI was identified. The full assessment email is sent to the manager, SEL, ED, and if necessary, P&D.
  • A high risk is a severity 1 breach (for all ASIC staff, contractors or not) and a full assessment email is sent out to the manager, SEL, ED, and if necessary, P&D.185

4.75 ASIC advised the ANAO in December 2022 that there were 52 instances of retrospective reporting in July 2022.186

4.76 ASIC advised the ANAO in February 2023 that 94 retrospective trades were reported by 22 staff and contingent workers. Of the 94 trades identified, nine were duplicated entries, 23 were assessed as not breaching the policy187, and five related to a contingent worker who had left ASIC. For the remaining 57 breaches requiring action, ASIC advised the ANAO as follows.

  • Actions to respond to 39 staff breaches had been completed as at 13 February 2023, with action taken by the manager or People and Development.188
  • One was assessed as low risk relating to a staff member.189
  • Twelve were determined to be low risk breaches by contingent workers.190
  • Five trades, made by two people, had not had all actions completed as at 13 February 2023. For three, the manager was reviewing the assessment. For two, ASIC was awaiting a response from the manager to confirm that action had been taken.

Procurement, use of corporate credit cards and gifts, benefits and hospitality

4.77 There is no evidence of instances of non-compliance identified by the ANAO being addressed in accordance with ASIC’s requirements for: procurement; credit cards; and gifts, benefits and hospitality. There is evidence of ASIC recording details, in its CIMS register, of other instances of non-compliance and actions taken.

Procurement

4.78 ASIC’s ‘Procurement guideline — probity’ states that:

Non-compliance with this Guideline will first be reported to the Compliance Incidence Management System (CIMS) register in the myRAD system detailing the incident, actions taken and future mitigation strategies implemented.

Non-compliance incidents may be a breach of the ASIC Code of Conduct. Potential breaches will be investigated and if a breach is found, may result in disciplinary actions as outlined in the ASIC Code of Conduct.

4.79 Instances of noncompliance with internal procurement requirements, as observed by the ANAO in this audit, are outlined in Table 4.3. ASIC advised the ANAO in February 2023 that:

ASIC is satisfied that these procurements appropriately considered and managed the probity-related risk, and that completing a full probity assessment and plan as required under the current framework would not provide a meaningful benefit in the management of the risk. The ANAO’s testing highlighted the need for ASIC to review and update the procurement framework to identify circumstances where a detailed probity assessment and plan are not required, and for these instances, set out what the minimum requirements are. This review is underway with the changes expected to be implemented by the end of March 2023.

Corporate credit cards

4.80 ASIC’s policy on corporate credit cards, applicable at the time of the transactions selected for ANAO review, includes consequences for noncompliance.191 These relate to more significant instances of noncompliance than those identified by the ANAO (see paragraph 4.46).

4.81 ASIC advised the ANAO in February 2023 that:

The PGPA Compliance team followed up verbally in relation to the [corporate credit card] acquittals which were not completed by the 20th of the following month. From December 2022 these verbal follow-ups will be followed up with an email.192

4.82 There is evidence of ASIC recording, in its CIMS register, instances of non-compliance in relation to the use of ASIC corporate credit cards for personal expenditure. The register records the name of the incident, steps to contain the incident and remediation steps. Details in the register include advice that personnel have refunded the amount and re-completed mandatory training.

Gifts, benefits and hospitality

4.83 Requirements relating to gifts, benefits and hospitality are set out in ASIC’s ‘Disclosure obligations of ASIC Commissioners’ and ASIC’s ‘Conflicts of interest policy’ for employees.

4.84 The policy for Commissioners does not specify consequences for noncompliance whereas the policy for staff outlines consequences ranging from reprimand to termination of employment.

4.85 For the instances of noncompliance identified by the ANAO (see paragraph 4.53), ASIC advised that, as all declarations of gifts, benefits and hospitality are recorded in ASIC’s risk management system, all entries are workflowed to the relevant manager. Managers are then responsible for following up with the staff responsible for the noncompliance.

4.86 ASIC further advised the ANAO that:

Conflicts of interest and gifts, benefits and hospitality are generally principles based and rely on an assessment by the manager/senior executive as to whether the notification is likely to be an actual, potential or perceived conflict, and they will work with the disclosing team member to identify an appropriate course of action/accepting or declining the gift/benefit/hospitality. This involves situationally specific nuance related to the team member’s role, seniority and any other relevant information, and may also include seeking advice from people and development and the chief legal office. Non-compliance with the policy is directly linked to the code of conduct and legislative requirements. Detailing consequences below the code of conduct level in the policy is not practicable.

Appendices

Appendix 1 Australian Securities and Investments Commission response

[Image: pages one and two of the response from the Australian Securities and Investments Commission. A summary of the response can be found in the summary and recommendations chapter.]

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2022–23 Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented. Changes observed include the following.

  • Developed and issued a policy for senior executive remuneration.
  • Updates to the following policies:
    • Accountable Authority Instructions;
    • Code of Conduct;
    • Trading;
    • Procurement;
    • Corporate Credit Cards;
    • Fraud and Anti-corruption; and
    • Fraud Control Plan.
  • The Essentials Program (training) came into effect from May 2022.

Appendix 3 Department of Finance guidance — Ethics and Probity in Procurement: Principles

1. An extract of the Department of Finance’s guidance on ‘Ethics and Probity in Procurement: Principles’193 is reproduced below.

1. The principles underpinning ethics and probity in Australian Government Procurement are:

  • Officials must act ethically, in accordance with the APS Values (set out in section 10 of the Public Service Act 1999) and Code of Conduct (set out in section 13 of the Public Service Act 1999), at all times in undertaking procurement.
  • Officials must not make improper use of their position.
  • Officials should avoid placing themselves in a position where there is the potential for claims of bias.
  • Officials must not accept hospitality, gifts or benefits from any potential suppliers.
  • Agencies must not seek to benefit from supplier practices that may be dishonest, unethical or unsafe, which may include tax avoidance, fraud, corruption, exploitation, unmanaged conflicts of interest and modern slavery practices.
  • All tenderers must be treated equitably. This means that all tenderers must be treated fairly - it does not necessarily mean that they are treated equally.
  • Conflicts of interest must be managed appropriately.
  • Probity and conflict of interest requirements should be applied with appropriate and proportionate measures informed by sound risk management principles.
  • Value for money outcomes are best served by effective probity measures that do not exclude suppliers from consideration for inconsequential reasons.
  • Confidential information must be treated appropriately during and after a procurement process.
  • External probity specialists should only be appointed where justified by the nature of the procurement.

Footnotes

1 OECD, OECD Best Practice Principles for Regulatory Policy, The Governance of Regulators [Internet], OECD, 2014, p. 17, available from https://read.oecd-ilibrary.org/governance/the-governance-of-regulators_… [accessed 18 November 2022].

2 ibid., p. 17.

3 ibid., p. 19.

4 An accountable authority can be an individual or a group of individuals (such as a governing board). An accountable authority, whether an individual or a member of a governing board, is also an official under the PGPA Act and is therefore subject to the general duties of officials in sections 25 to 29 of the PGPA Act.

5 In recent years the ANAO has conducted two series of governance audits. These audits assessed the effectiveness of the governance board in public sector entities. These are available on the ANAO’s website from https://www.anao.gov.au/pubs/performance-audit?query=board+governance&items_per_page=10 [accessed 3 March 2023].

6 OECD, OECD Best Practice Principles for Regulatory Policy, The Governance of Regulators [Internet], OECD, 2014, p. 17, available from https://read.oecd-ilibrary.org/governance/the-governance-of-regulators_… [accessed 18 November 2022].

Professor Malcolm K. Sparrow similarly observed in 2000 that: ‘The important features that distinguish regulatory and enforcement agencies from the rest of government are precisely the important features that they share. The core of their mission involves the imposition of duties. They deliver obligations, rather than services. …Their routine use of state authority and coercion distinguishes them from the rest of government and carries its own distinct strategic and managerial challenges.’ Sparrow, M. K., The Regulatory Craft, Brookings Institution Press, Washington DC, 2000, p. 2.

7 OECD, OECD Best Practice Principles for Regulatory Policy, The Governance of Regulators [Internet], OECD, 2014, p. 17, available from https://read.oecd-ilibrary.org/governance/the-governance-of-regulators_… [accessed 18 November 2022].

8 ibid., p. 19.

9 OECD, The Governance of Regulators, Governance of Regulators’ Practices: Accountability, Transparency and Co-ordination [Internet], OECD, 2016, p. 16, available from https://read.oecd-ilibrary.org/governance/governance-of-regulators-prac… [accessed 18 November 2022].

10 An accountable authority can be an individual or a group of individuals (such as a governing board). An accountable authority, whether an individual or a member of a governing board, is also an official under the PGPA Act and is therefore subject to the general duties of officials in sections 25 to 29 of the PGPA Act.

11 Auditor-General Report No. 43 2021–22 Effectiveness of the Management of Contractors — Department of Defence, pp. 16–22.

This was one of a series of three performance audits — in the Department of Defence, the Department of Veterans’ Affairs and Services Australia — which examined the management of contractors by Australian Public Service (APS) agencies. Chapter 5 of this audit report set out high-level observations and key messages for all APS agencies, including in respect to the application of ethical and personnel security requirements to the contractor workforce. The ANAO observed in paragraphs 5.4–5.5 that individual agencies determine the extent to which the ethical and integrity frameworks that apply to APS employees (which include the ethical requirements of the PS Act and the PGPA Act) also apply to contractors and other non-APS personnel engaged by the agency. These decisions are captured in, and managed through, contracts. This discretionary approach applies in an agency operating environment where a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce. On that basis, the rationale for a discretionary approach is not clear. One risk of adopting a discretionary approach is that it may give rise to unequal behavioural expectations across personnel types within workplaces, and the risk of inconsistent management of personnel behaviours.

12 The PGPA Act Flipchart and List published by the Department of Finance (Finance) provides a summary of all noncorporate and corporate Commonwealth entities and companies. These resources are available from https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 6 April 2023].

13 Department of Finance, PGPA Glossary [Internet], available from https://www.finance.gov.au/about-us/glossary/pgpa/term-ethical [accessed 23 May 2023].

The glossary includes the following definition of ethical:

(in relation to the proper use of public resources) The extent to which the proposed use is consistent with the core beliefs and values of society. Where a person behaves in an ethical manner it could be expected that a person in a similar situation would undertake a similar course of action. For the approval of proposed commitments of relevant money, an ethical use of resources involves managing conflicts of interests, and approving the commitment based on the facts without being influenced by personal bias. Ethical considerations must be balanced with whether the use will also be efficient, effective and economical. [emphasis in original]

14 Department of Finance, Ethics and Probity in Procurement: Principles [Internet], Finance, 17 May 2021, available from https://www.finance.gov.au/government/procurement/buying-australian-government/ethics-and-probity-procurement [accessed 9 February 2023].

15 Corporate Commonwealth entities are legally separate from the Commonwealth. The Finance Flipchart recorded that there were 100 non-corporate Commonwealth entities and 72 corporate Commonwealth entities as at 6 March 2023.

16 Department of Finance, Commonwealth Grants Rules and Guidelines 2017 [Internet], Finance, available from https://www.finance.gov.au/government/commonwealth-grants/commonwealth-grants-rules-and-guidelines [accessed 21 November 2022].

The Australian Government grants policy framework applies to all noncorporate Commonwealth entities subject to the PGPA Act.

17 Department of Finance, Commonwealth Procurement Rules [Internet], Finance, 1 July 2022, available from https://www.finance.gov.au/government/procurement/commonwealth-procurement-rules [accessed 21 November 2022].

Officials from non-corporate Commonwealth entities and prescribed corporate Commonwealth entities listed in section 30 of the PGPA Rule must comply with the Commonwealth Procurement Rules when performing duties related to procurement.

18 Department of Finance, Australian Government Guidelines on Information and Advertising Campaigns by noncorporate Commonwealth entities. Interim Guidelines were in effect from July 2022, available from https://www.finance.gov.au/government/advertising/australian-government-guidelines-information-and-advertising-campaigns-non-corporate-commonwealth-entities [accessed 21 November 2022]. Non-corporate Commonwealth entities under the PGPA Act must comply with the Guidelines.

19 Attorney-General’s Department, Protective Security Policy Framework (PSPF) [Internet], AGD, available from https://www.protectivesecurity.gov.au/ [accessed 21 November 2022].

The PSPF applies to non-corporate Commonwealth entities subject to the PGPA Act to the extent consistent with legislation. The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act. Non-government organisations that access security classified information may be required to enter into a deed or agreement to apply relevant parts of the PSPF for that information.

20 Department of the Prime Minister and Cabinet, Government Guidelines for Official Witnesses before Parliamentary Committees and Related Matters – February 2015 [Internet], PM&C, available from https://www.pmc.gov.au/resource-centre/government/government-guidelines-official-witnesses-parliamentary-committees-and-related-matters-february-2015 [accessed 21 November 2022].

The guidelines state that they are ‘designed to assist departmental and agency officials, statutory office holders and the staff of statutory authorities in their dealings with the parliament. The term ‘official’ is used throughout the Guidelines; it includes all persons employed by the Commonwealth who are undertaking duties within a Commonwealth department or agency (whether employed under the PS Act or other legislation) and those in government business enterprises, corporations and companies. It is recognised, however, that the role and nature of some statutory office holders and their staff will require the selective application of these Guidelines, depending on the individual office holder’s particular statutory functions and responsibilities.’

21 Attorney-General’s Department, Australian Government Register of Lobbyists and Lobbying Code of Conduct [Internet], AGD, available from https://www.ag.gov.au/integrity/australian-government-register-lobbyists [accessed 21 November 2022].

Under the code, Australian Government representatives must only meet with third-party lobbyists who are registered. Under the code Australian Government representatives include an agency head or a person employed under the PS Act, a person engaged as a contractor or consultant by an Australian Government agency whose staff are employed under the PS Act, and a member of the Australian Defence Force.

22 Department of the Prime Minister and Cabinet, Guidance on Caretaker Conventions 2021 [Internet], PM&C, available from https://www.pmc.gov.au/resource-centre/government/guidance-caretaker-conventions [accessed 21 November 2022].

The guidance states that: ‘The conventions and practices have developed primarily in the context of the relationship between ministers and their departments (and executive agencies since the commencement of the PS Act). The relationship between ministers and other Australian Government entities and bodies, such as statutory authorities and government companies, varies depending on the specific body. All bodies should observe the conventions and practices, unless doing so would conflict with their legal obligations or compelling organisational requirements.’

23 Department of Finance, Commonwealth Risk Management Policy [Internet], Finance, 1 January 2023, available from https://www.finance.gov.au/about-us/news/2022/revised-commonwealth-risk-management-policy-2023 [accessed 1 February 2023].

The Policy was developed to support section 16 of the PGPA Act, which requires accountable authorities to maintain systems of risk oversight, management and internal control. The Policy is mandatory for all noncorporate Commonwealth entities and recommended as best practice for corporate Commonwealth entities.

24 Attorney-General’s Department, Commonwealth Fraud Control Framework [Internet], AGD, available from https://www.counterfraud.gov.au/library/commonwealth-fraud-control-framework [accessed 21 November 2022].

The Framework comprises three tiered documents — the fraud rule, fraud policy and fraud guidance — with different binding effects for corporate and non-corporate Commonwealth entities. Non-corporate Commonwealth entities must comply with the fraud rule and fraud policy. The fraud guidance is not binding; however, the government considers the guidance to be better practice and expects entities to follow it where appropriate.

25 For example, Element Three of the 2023 Commonwealth Risk Management Policy states that ‘Culture is shaped by the behaviours and attitudes of leaders. The desired culture for managing risk should be clearly defined and demonstrated by the executive in a form that is communicated and actively promoted to staff. An entity’s internal policies should also be aligned to its desired culture.’ The fraud guidance under the Commonwealth Fraud Control Framework states that accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention.

26 Established under the Law Enforcement Integrity Commissioner Act 2006 (LEIC Act), the Australian Commission for Law Enforcement Integrity (ACLEI) oversees the integrity of Australian Government law enforcement agencies and selected regulators. The Integrity Commissioner investigates allegations of corruption involving current or former staff members of the Australian Competition and Consumer Commission (ACCC); Australian Prudential Regulation Authority (APRA); and Australian Securities and Investments Commission (ASIC).

Australian Commission for Law Enforcement Integrity, About the Commission [Internet], available from https://www.aclei.gov.au/about-aclei/about-commission [accessed 23 November 2022].

In November 2022 the Australian Parliament passed legislation to establish a new National Anti-Corruption Commission (NACC), with jurisdiction over the Commonwealth public sector as a whole. ACLEI will be subsumed into the NACC. The NACC is expected to begin operations in mid-2023.

On 9 December 2022 ACLEI launched a Commonwealth Integrity Maturity Framework to assist Commonwealth entities to assess and plan to improve their integrity systems in preparation for the commencement of the NACC.

Australian Commission for Law Enforcement Integrity, Commonwealth Integrity Maturity Framework [Internet], available from https://www.aclei.gov.au/preventing-corruption/commonwealth-integrity-maturity-framework [accessed 1 February 2023].

27 The Australian Public Service Commission (APSC) reported that in 2020–21, 97 Australian Government entities employed staff under the PS Act.

Australian Public Service Commission, State of the Service Report 2020–21 [Internet], APSC, available from https://www.apsc.gov.au/initiatives-and-programs/workforce-information/research-analysis-and-publications/state-service/state-service-report-2020-21/appendix-2-aps-agencies [accessed 18 November 2022].

28 Australian Public Service Commission, APS Values and Code of Conduct in practice [Internet], APSC, 13 September 2021, available from https://www.apsc.gov.au/publication/aps-values-and-code-conduct-practice [accessed 18 November 2022].

29 Australian Public Service Commission, Fact sheet: Defining Integrity [Internet], APSC, 9 December 2021, available from https://www.apsc.gov.au/node/1532 [accessed 20 November 2022].

30 Australian Public Service Commission, Integrity in the APS [Internet], APSC, 8 December 2021, available from https://www.apsc.gov.au/working-aps/integrity [accessed 20 November 2022].

31 Australian Public Service Commission, Declaration of interests [Internet], APSC, 7 March 2019, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/declaration-interests [accessed 20 November 2022].

32 Australian Public Service Commission, Guidance for Agency Heads – Gifts and Benefits [Internet], APSC, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/guidance-agency-heads-gifts-and-benefits [accessed 20 November 2022].

33 AAIs are written instruments that may be issued by the accountable authority to instruct officials on matters relating to the PGPA Act framework. AAIs assist accountable authorities in meeting their general duties under the PGPA Act and establishing appropriate internal controls for their entity.

Finance guidance on AAIs is available from https://www.finance.gov.au/government/managing-commonwealth-resources/managing-risk-internal-accountability/duties/risk-internal-controls/accountable-authority-instructions-aais-rmg-206 [accessed 18 November 2022].

34 Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, p. 17.

35 Australian Securities and Investments Commission, Corporate Plan 2022–26 [Internet], ASIC, p. 6, available from https://asic.gov.au/about-asic/corporate-publications/asic-corporate-plan/ [accessed 21 November 2022].

36 ASIC was established as a body corporate under section 8(1) of the ASIC Act. However, pursuant to section 8(1A) of the ASIC Act, ASIC is taken to be a non-corporate Commonwealth entity for the purposes of the Commonwealth finance law. Section 8 of the PGPA Act provides that ‘finance law’ means the PGPA Act, or the rules made under section 101 of the PGPA Act, or any instrument made under the PGPA Act, or an Appropriation Act.

37 Under the ASIC Act, there are at least three, but no more than eight, ASIC members. ASIC refers to ASIC members as Commissioners.

38 The ASIC Act provides for the appointment of a Chairperson and up to two Deputy Chairpersons. ASIC refers to these roles as Chair and Deputy Chair respectively.

39 ACLEI provides oversight in relation to the integrity of Australian Government law enforcement agencies. According to its website, ACLEI’s key activities are to:

  • detect corruption and enhance ACLEI partner agencies’ capability to detect corruption;
  • receive and assess notifications and referrals of alleged corrupt conduct by members of law enforcement agencies;
  • conduct investigations into serious and systemic corrupt conduct;
  • support partner law enforcement agencies to conduct their own investigations; and
  • prevent corruption through engagement, support and identification of vulnerabilities.

Australian Commission for Law Enforcement Integrity, About the Commission [Internet], ACLEI, available from https://www.aclei.gov.au/about-aclei/about-commission [accessed 21 November 2022].

40 Other Australian Government entities subject to ACLEI’s jurisdiction include: the Australian Competition and Consumer Commission; Australian Criminal Intelligence Commission; Australian Federal Police; Australian Prudential Regulation Authority; Australian Taxation Office; Australian Transaction Reports and Analysis Centre; Department of Agriculture, Water and the Environment; and Department of Home Affairs (including the Australian Border Force).

41 K M Hayne, Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry [Internet], available from https://www.royalcommission.gov.au/banking [accessed 11 April 2023].

42 The FRAA undertakes an assessment of aspects of each agency’s effectiveness and capability every two years. The FRAA completed its first report on ASIC in August 2022, which assessed: strategic prioritisation, planning and decision-making; surveillance; and licensing.

Financial Regulator Assessment Authority, Effectiveness and Capability Reviews of the Australian Securities and Investments Commission [Internet], FRAA, July 2022, available from https://fraa.gov.au/sites/fraa.gov.au/files/2022-08/asic-assessment-report.pdf [accessed 21 October 2022].

43 Joint Committee on Corporations and Financial Services, Oversight of ASIC, the Takeovers Panel and the Corporations Legislation No. 1 of the 46th Parliament [Internet], Parliament of Australia, Report No. 1 of the 46th Parliament, March 2022, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Corporations_and_Financial_Services/No1of46thParliament/Report [accessed 24 March 2023].

44 Joint Committee on Corporations and Financial Services, Statutory Oversight of the Australian Securities and Investments Commission, the Takeovers Panel and the Corporations Legislation [Internet], Parliament of Australia, Report No. 1 of the 45th Parliament, February 2019, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Corporations_and_Financial_Services/No1of45thParliament/Report [accessed 30 October 2022].

45 See for example: House of Representatives Standing Committee on Economics, Review of the Australian Securities and Investments Commission Annual Report 2019 [Internet], Parliament of Australia, 9 December 2020, available from https://www.aph.gov.au/Parliamentary_Business/Committees/House/Economics/ASICAnnualReport2019/Report [accessed 24 March 2023].

46 See for example: Senate Standing Committee on Economics, Sterling Income Trust [Internet], Parliament of Australia, February 2022, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/SterlingIncomeTrust/Report [accessed 24 March 2023].

47 Implementation of these recommendations is discussed in footnote 136 of this audit report.

48 J Frydenberg, (Treasurer), ‘Outcomes of review of ASIC Governance’, media release, 29 January 2021. The abridged report is available from https://ministers.treasury.gov.au/sites/ministers.treasury.gov.au/files/2021-01/Abridged_ASIC_Governance_Report-for-release_0.pdf [accessed 11 April 2023].

49 In recent years the ANAO has conducted two series of governance audits. These audits assessed the effectiveness of the governance board in public sector entities. These are available on the ANAO’s website from https://www.anao.gov.au/pubs/performance-audit?query=board+governance&items_per_page=10 [accessed 3 March 2023].

50 The APS Code of Conduct, set out in section 13 of the PS Act, outlines the standard of behaviour expected of APS agency heads and employees. The APS Values, set out in section 10 of the PS Act, articulate expectations of public servants in terms of performance and standards of behaviour, and embody principles of good public administration.

Australian Public Service Commission, APS Values, Code of Conduct and Employment Principles [Internet], APSC, 13 December 2021, available from https://www.apsc.gov.au/working-aps/integrity/integrity-resources/aps-values-code-conduct-and-employment-principles [accessed 26 November 2022].

51 Section 126B of the ASIC Act establishes the requirement for the ASIC Code of Conduct and section 126C the requirement to establish the ASIC Values.

52 There were two versions of the ASIC Code of Conduct during the audit period. The first was dated July 2019 and the second was dated December 2022. The ASIC Values of accountability, professionalism and teamwork are contained within the ASIC Code of Conduct.

53 Training related to probity risks is discussed in paragraphs 2.114 to 2.118 of this audit.

54 Part 7 of the ASIC Act establishes responsibilities for Commissioners to disclose certain interests to the Minister and provide notifications of interests to ASIC. It also requires the ASIC Chair to ‘ensure adequate disclosure of interest requirements for ASIC staff members.’

55 ASIC advised the ANAO that the reference to ‘some consultants and contractors’ in the conflict of interest policy (and also in the trading policy, see paragraph 2.37 for details) is a historic reference to those contractors and consultants who have access to ASIC’s systems and office premises. ASIC has ‘contingent workers’ who are not employees and who include consultants and contractors. Some of these contingent workers have access to ASIC systems while others (for example, maintenance and cleaning contractors) do not. Contingent workers with access to ASIC systems are required to comply with additional requirements.

56 During the period subject to ANAO review, ASIC had a prior version of both policies. The previous policies were broadly similar in nature to the 2021 versions.

57 The management of gifts, benefits and hospitality is discussed in paragraphs 2.88 to 2.95 of this audit.

58 The staff policy states that in certain circumstances, ASIC may authorise a staff member to continue their duties at ASIC without any further action. If, however, ASIC considers that some action is required to reduce the risk and control the conflict, ASIC may: rearrange staff members’ duties and responsibilities; introduce additional security measures for sensitive and confidential information; remove staff members from making a decision in relation to a particular matter or investigation; or escalate the matter to the Senior Executive and Commission for consideration.

59 ASIC’s staff policy states ASIC will only ask an individual to divest their interest or non-ASIC duty if the options to control the conflict of interest are either unavailable or inappropriate in the circumstances. In this case ASIC may: transfer the individual to an equivalent position; request the individual divest the interest or non-ASIC duty; request the individual resign from paid/volunteer work outside ASIC; remove an individual from a committee, panel or investigation; or require an individual to formally decline a gift, benefit or hospitality.

60 The ANAO’s review of information security focused on a high-level review of ASIC’s risk documentation and its monitoring and reporting arrangements.

61 K M Hayne, Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry [Internet], p. 443, available from https://www.royalcommission.gov.au/banking [accessed 11 April 2023].

62 Joint Committee on Corporations and Financial Services, Statutory Oversight of the Australian Securities and Investments Commission, the Takeovers Panel and the Corporations Legislation, Report No. 1 of the 45th Parliament, February 2019, p. 54, paragraph 3.49, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Corporations_and_Financial_Services/No1of45thParliament/Report [accessed 30 October 2022].

63 ibid., p. 31, paragraph 3.24.

64 ibid., p. 34, paragraph 3.34.

65 ibid., pp. 31–32, paragraph 3.25.

66 Sometimes entities are provided with a Statement of Expectations from their Minister. These statements generally outline the Minister’s key priorities and set out the Government’s expectations for the entity, including the priorities it is expected to observe in conducting its operations. Entities then respond to their Minister as to how they intend to deliver the identified priorities through a Statement of Intent.

The Statement of Expectations and Statement of Intent are available on ASIC’s website, available from https://asic.gov.au/about-asic/what-we-do/how-we-operate/accountability-and-reporting/statements-of-expectations-and-intent/ [accessed 21 March 2023].

67 The PGPA Act is supported by the PGPA Rule. The PGPA Rule prescribes a range of matters that are necessary or convenient to be prescribed for the purposes of carrying out or giving effect to the PGPA Act. Sections 16E and 27A of the PGPA Rule set out the matters that the accountable authority must include in the entity’s corporate plan.

68 See section 16E of the PGPA Rule.

PGPA Rule 2014 [Internet], available from https://www.legislation.gov.au/Details/F2022C01102 [accessed 9 March 2023].

69 As outlined in paragraph 2.5, team members include all ASIC employees, ASIC’s Commission, contractors, consultants, secondees and volunteers.

70 ASIC advised the ANAO in March 2023 that: the Regulatory Practice training module includes training on regulatory capture; that all employees identified as being in the Regulatory Practice stream are required to undertake this mandatory training module; and that this cohort includes supervision and stakeholder facing teams.

71 See paragraphs 3.4 to 3.7 for a discussion of ASIC’s internal audit program.

72 The ANAO reviewed the extent to which regulatory capture risk was reflected in ASIC’s key external corporate documents and internal risk documentation as part of reviewing, at a high level, whether ASIC had identified regulatory capture as an enterprise risk.

73 The report stated that the FR&A team undertakes a series of core work programs of which two were identified as potentially at risk of regulatory capture. These were ASIC’s financial reporting (or accounts) surveillance program (ASP, which the report states is a proactive review of the financial reports of Australian Stock Exchange listed companies) and its audit inspection program (AIP, which the report states includes ASIC audits of financial reports of public interest entities prepared under the Corporations Act 2001).

74 These included that: a documented, risk-based approach was used to inform selection of companies for review; multiple staff members were involved in key decision-making; and the consolidated and overall reports were subject to review external to the AIP.

75 These related to recording the decisions and supporting rationale for excluding entities or groups of entities from review, analysis of coverage of regulated entities, and seeking external review of the selection methodology used for audit inspection program reviews.

76 During the period subject to ANAO review, ASIC had four different versions of a trading policy. The different versions are broadly similar in nature.

77 In the 2022 trading policy the term ‘connected persons’ refers to:

a) any person whose financial affairs are controlled or managed by people subject to the trading policy; and

b) any companies, trusts and entities controlled by persons subject to the trading policy or the persons described in (a) above.

Examples of connected persons are dependent children of the applicable person, or another person or entity for whom the applicable person can make financial decisions, for example under a Power of Attorney, as an executor of a deceased estate or under some other agreement or arrangement.

78 Division 3 financial products include: securities; derivatives; interests in a managed investment scheme; debentures, stocks or bonds issued or proposed to be issued by a government; certain superannuation products; and any other financial products that are able to be traded on a financial market.

79 For example, foreign and domestic securities and debentures, stocks or bonds issued or proposed to be issued by a government. It does not include basic deposit products, mortgages, credit cards and other everyday financial products including insurance policies issued by listed and unlisted entities.

80 If a trade is to be undertaken by a connected person, they will need to obtain ASIC’s approval before they can trade.

81 For example, if the connected person of the applicable person is subject to a competing or inconsistent policy in the course of their employment. Waivers may be subject to conditions.

82 This is a list of exchange-related financial products in which pre-registration or trading is restricted by ASIC.

83 Exceptional circumstances may include circumstances where the applicable person is managing the financial affairs of an elderly relative or where they have a legal obligation, for example as an executor of a deceased estate, to sell shares to comply with statutory duties.

84 Under its terms of reference, ASIC’s Executive Risk Committee receives a security and business continuity update every four months.

85 An April 2021 internal audit identified weaknesses in controls regarding the ability of users of ASIC’s system to write files to USB devices. ASIC documentation indicates that ASIC is seeking to reduce the number of users with USB write privileges from over 300 to fewer than 50 by the end of 2022. ASIC advised the ANAO that as at 14 December 2022, there were 229 people with USB write access and that ‘Active efforts to reduce this as a priority remain ongoing.’

86 One of the categories reported on through ASIC’s Enterprise Risk Management system is ‘Unauthorised dealing with information (access, release, modification, and destruction)’. Reporting from 1 January 2021 to 31 March 2022 showed an average of 6.6 incidents reported in this category per quarter. ASIC advised the ANAO in December 2022 that the average per quarter for the period 1 April 2022 to 31 December 2022 was three.

87 For example, section 21 of the PGPA Act provides that the accountable authority of a non-corporate Commonwealth entity must govern the entity in a way that is not inconsistent with the policies of the Australian Government.

88 The suspension applied to general wage increases and, where applicable, performance-based increment progression plus payment of discretionary SES bonuses.

Australian Public Service Commission, Australian Public Service Remuneration Report 2021 [Internet], APSC, p. 2, available from https://www.apsc.gov.au/sites/default/files/2022-08/Australian%20Public%20Service%20-%20Remuneration%20Report%202021%20-%20Accessible.pdf [accessed 28 October 2022].

89 ibid.

90 Australian Public Service Commission, Performance Bonus Guidance [Internet], APSC, 13 August 2021, p. 2, available from https://www.apsc.gov.au/circulars-guidance-and-advice/performance-bonus-guidance [accessed 28 October 2022].

91 This was consistent with the Public Service Workplace Relations Policy 2020.

92 ASIC advised the ANAO that the average bonus payment for ASIC Executive Directors was 5.5 per cent and for non-Executive Directors (which refers to ASIC’s Senior Executive Leaders and Senior Executive Specialists) it was 6.5 per cent. In ASIC’s organisation structure, Executive Directors supervise non-Executive Directors.

93 ASIC considered that: if it did not pay remuneration increases, senior executives would experience a real wage contraction, possibly impacting engagement and retention; not paying bonuses for a second year risked disenfranchising the senior executive; and ASIC’s financial statements had been prepared based on ASIC’s standard remuneration practices (which included allowances for remuneration increases and bonuses based on a 6 per cent assumption). There were concerns that changes to these assumptions so late in the financial statements audit would be a reputational risk for ASIC because the ANAO had already been informed that ASIC had provisioned for these payments.

94 ASIC applied a discount factor to most senior executives in recognition that performance bonuses are discretionary. The discount factor ranged from zero to one hundred per cent. The other principles had regard to: APS guidance and benchmarking; the individual performance, behaviour, experience and three year average bonus payment of senior executives; market remuneration data; that remuneration decisions demonstrate accountable use of public money; equity and transparency. ASIC advised the ANAO that for Executive Directors and Senior Executive Leaders, the average increase in remuneration as a percentage of their total remuneration package, after applying the discount, was 3.5 and 3.3 per cent respectively.

95 Department of Finance, Commonwealth Procurement Rules [Internet], Finance, 1 July 2022, p. 11, paragraph 4.4, available from https://www.finance.gov.au/government/procurement/commonwealth-procurement-rules [accessed 21 November 2022]. The CPRs are subject to periodic update.

96 ibid., p. 15, paragraph 6.5.

97 ibid., p. 15, paragraph 6.6.

Additionally, the Department of Finance has issued guidance outlining 11 principles to support probity in procurement. These are included in Appendix 3 of this audit report.

98 This includes a 2021 Probity Guideline that applies to ‘all persons directly involved in ASIC procurement processes, including members of the Evaluation Team … and any other person nominated by the Approver of the procurement process’. The guideline states that ‘promoting integrity and probity is an integral element of the Australian Securities & Investment Commission’s (ASIC) procurement processes.’

99 Regarding ‘sensitivities relating to ASIC’s core business’, ASIC’s ‘Probity guideline – procurement’ adds the following: ‘For example – are or have the vendors been subject to investigation or other ASIC enforcement activity? Could the procurement risk non-compliance with other internal policies or processes?’

100 The value is inclusive of GST and merchant service fees.

Department of Finance, Payment card policy for payments valued below $10,000 [Internet], Finance, July 2022, available from https://www.finance.gov.au/publications/resource-management-guides/supplier-pay-time-or-pay-interest-policy-rmg-417/part-2-payment-card-policy-payments-valued-below-10000 [accessed 1 November 2022].

101 Auditor-General Report No. 8 2016–17 Controls over Credit Card Use, p. 13.

102 Non-ASIC employees are generally ineligible to be issued a credit card. In special circumstances a non-ASIC employee may be issued with a card if approved by a Commissioner.

103 During the audit period the previous credit card policy was the ‘ASIC Corporate Credit Card policy’ dated 15 April 2019.

104 These include ensuring that: their credit card use is consistent with relevant delegations and complies with ASIC policy, the PGPA Act, the PGPA Rule and the CPRs; corporate credit cards are not used for private expenditure (unless coincidental with business expenditure, in which case it must be reimbursed by the cardholder); the credit card is stored safely and securely; and the cardholder meets acquittal requirements.

105 Standing approval for ASIC Executive Directors is provided for one business-related professional membership or accreditation per year (for example a legal practising certificate) for up to $1,000. The approval notes that expenditure must be in accordance with ASIC’s Remuneration and Performance Management Policy and expenditure is required to be a proper use of public resources. Any such expenditure must also comply with applicable ASIC policies including the Procurement Policy and the Resource Management Instructions.

106 For example, Auditor-General Report No. 1 2021–22 Defence’s Administration of Enabling Services – Enterprise Resource Planning Program: Tranche 1, paragraphs 4.30 and 4.42, discussed risk relating to positional authority in relation to delegation and time approval arrangements.

107 Dr Vivienne Thom AM, Abridged report on the review of ASIC governance arrangements [Internet], Department of the Treasury, 28 January 2021, p. 39, available from https://ministers.treasury.gov.au/sites/ministers.treasury.gov.au/files/2021-01/Abridged_ASIC_Governance_Report-for-release_0.pdf [accessed 24 March 2023].

108 ibid., Recommendation 8, pp. 6-7.

109 ibid., p. 1.

110 The approval relates to domestic travel, after hours work, other miscellaneous expenditure, general obligations and use of IT devices.

111 ASIC’s credit card policy notes that coincidental private expenditure refers to the portion of expenditure that is private in nature when a supplier provides a cardholder with a single account that contains both business expenditure and private expenditure.

112 ASIC advised the ANAO that in approving the Commissioners’ credit card acquittals, the CFO (previously the COO) is responsible for reviewing whether the expenditure is in accordance with the: Standing approval by the Chair; ASIC’s Appointments Remuneration, Expense and Relocation Policy September 2022; ASIC Expenses and Benefits Guide; Remuneration Tribunal determinations and the credit card policy, and that appropriate supporting documentation has been saved on file.

113 The policy states that cardholders with an acquittal two months overdue will be reported to their Senior Executive Leader; over three months reported to their Commissioner and failure to acquit credit card expenditure by the fourth month will result in the credit card being cancelled.

114 For example, cardholders leaving ASIC or cardholders who take leave for more than three months will be asked to cut the card in half and give it to their manager or team leader.

115 ASIC’s Compliance Incident Management System is discussed in Chapter 3 of this audit.

116 Observations related to: 1) controls over corporate credit card expenditure not operating to effectively manage the risk within appetite; 2) credit card monitoring and control processes being highly manual and not fully implemented; 3) the ability for credit card delegates to delegate their acquittal responsibilities increases ASIC’s fraud exposure risk; and 4) inconsistent credit card policy and guidance materials.

117 ASIC advised the ANAO that this involves sending the credit card status report to all senior executive leaders and executive directors on a monthly basis, with instructions to follow up with staff where the acquittal is overdue, and direct follow up with the cardholder/acquitter (where it is a non-commissioner). This is done via email from the ‘PGPA Finance Team’ email account for all ASIC credit card holders except for Commissioners.

118 On 30 November 2021, the APSC released guidance for APS agencies (which excludes ASIC) requiring agency heads to publicly disclose on their entity website, all gifts or benefits accepted valued at over $100 (excluding GST) on a quarterly basis. The guidance states that:

To ensure consistency and transparency across the Commonwealth, statutory office holders and heads of Commonwealth entities and companies are strongly encouraged to adopt this guidance, and mirror these arrangements, as best practice. Although not a requirement under this guidance, there is a strong expectation that agency heads will also publish gifts and benefits received by staff in their agency that exceed the threshold of $AUD100.00 (excluding GST).

ASIC has included these requirements in its policies.

119 PGPA Rule 2014 [Internet], available from https://www.legislation.gov.au/Details/F2022C01102 [accessed 9 March 2023].

120 They apply to: permanent, temporary and casual employees; contractors engaged under section 121(1) of the ASIC Act; secondees engaged under section 122 of the ASIC Act and volunteers; and any other person or entity who has access to ASIC’s physical or virtual operating environment and systems.

121 Commonwealth Ombudsman, Public interest disclosure (whistleblowing) [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/complaints/public-interest-disclosure-whistleblowing [accessed 7 March 2023].

A person must be a current or former ‘public official’ as defined in s 69 of the PID Act, to make a public interest disclosure …

Individuals and organisations that provide goods or services under a Commonwealth contract … and their officers or employees are also public officials for the purposes of the PID Act.

Commonwealth Ombudsman, Agency Guide To The Public Interest Disclosure Act 2013 Version 2 [Internet], Commonwealth Ombudsman, April 2016, p. 4, available from https://www.ombudsman.gov.au/__data/assets/pdf_file/0020/37415/Agency_Guide_to_the_PID_Act_Version_2.pdf [accessed 7 March 2023].

122 Commonwealth Ombudsman, Information for Agencies [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/industry-and-agency-oversight/public-interest-disclosure-whistleblowing/information-for-agencies [accessed 7 March 2023].

123 Commonwealth Ombudsman, Agency Guide To The Public Interest Disclosure Act 2013 Version 2 [Internet], Commonwealth Ombudsman, April 2016, p. 2, available from https://www.ombudsman.gov.au/__data/assets/pdf_file/0020/37415/Agency_Guide_to_the_PID_Act_Version_2.pdf [accessed 7 March 2023].

124 Commonwealth Ombudsman, Public interest disclosure (whistleblowing) [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/complaints/public-interest-disclosure-whistleblowing [accessed 7 March 2023].

125 A principal officer is the head of an agency or their delegate. In ASIC, the ASIC Chair is the principal officer. The PID Act requires a principal officer to:

  • Appoint a sufficient number of authorised officers to receive internal PIDs in your agency
  • Ensure the authorised officers are accessible to current and former public officials of your agency
  • Establish written PID procedures for your agency and ensure these are accessible
  • Broadly promote the PID scheme to public officials as an effective way to speak up about wrongdoing
  • Promptly act to investigate and address allegations of wrongdoing
  • Delegate powers and responsibilities as are necessary for the effective operation of the PID scheme
  • Influence an organisational culture that supports public officials who speak up about wrongdoing and does not tolerate reprisal against them
  • Drive change to address problems uncovered through the investigation of internal PIDs [emphasis in original]

Commonwealth Ombudsman, Public Interest Disclosure Scheme Reference Guide [Internet], Commonwealth Ombudsman, p. 1, available from https://www.ombudsman.gov.au/__data/assets/pdf_file/0024/37428/pid_reference_guide.pdf [accessed 7 March 2023].

126 An ‘authorised officer is a public official who belongs to the agency and is either the principal officer or is appointed in writing as such by the principal officer.’

Commonwealth Ombudsman, Agency Guide To The Public Interest Disclosure Act 2013 Version 2 [Internet], Commonwealth Ombudsman, April 2016, p. 16, available from https://www.ombudsman.gov.au/__data/assets/pdf_file/0020/37415/Agency_Guide_to_the_PID_Act_Version_2.pdf [accessed 7 March 2023].

Amongst other things, authorised officers provide advice to public officials about PIDs and assess whether allegations of wrongdoing constitute a PID.

127 Relevant policies are those related to the probity risks outlined in the audit scope section of Chapter 1 of this audit (see paragraph 1.27).

128 Appendix 2 of this audit report provides examples of policies updated during the period covered by this audit.

129 The previous set of modules covered the same topics as the new Essentials Program modules.

130 As outlined in footnote 55, contingent workers are not ASIC employees. Some contingent workers have access to ASIC’s information or systems.

131 ASIC’s Management Committee was advised that:

While expectations for contingent workers have been communicated, these requirements are not formally embedded in process and procedure. Consequently, people managers, contract managers and contingent worker[s] often do not understand their obligations. This has contributed to lower completion rates among contingent workers.

ASIC advised the ANAO in February 2023 that:

The project team … have completed:

– confirming which mandatory training modules contingent workers would need to complete

– confirming obligations which contingent workers would need to provide a compliance attestation to ASIC about, and the workflow changes to be implemented to facilitate this

– clarifying roles and responsibilities for the completion of mandatory training and attestations

The team has scoped a solution for contingent workers to complete their mandatory training without having to log on to ASIC’s systems, which will make it significantly easier for contingent workers to complete this training in a timely manner … This work remains on track to be presented to the Data and Information Security Sub-Committee (DISSC) in the first half of 2023.

132 Module 1 covers topics such as: Safety in the Workplace, and Code of Conduct and Security. Module 2 covers: Conflicts of Interest, Trading, Fraud and Privacy.

133 ASIC advised the ANAO that its People and Development area automatically enrols all team members (including Commissioners) in the three mandatory training modules, and that team members receive automated email notifications to complete mandatory training modules.

134 Completion of mandatory training is included in enterprise risk reporting and is a ‘key risk indicator’ for ASIC’s enterprise risk relating to ‘operational quality and discipline’.

135 According to ASIC’s 2022–23 audit plan, the topics subject to review every two years include: PGPA compliance (credit cards, travel and gifts); procurement; regulatory capture; conflict of interest; and payroll.

136 The Thom Review is discussed in paragraphs 1.19 to 1.20 and paragraphs 2.70 to 2.72 of this audit report.

  • The Department of the Treasury commissioned a review into ASIC’s implementation of the Thom Review recommendations, which was finalised in October 2021. This review concluded that ASIC had implemented the five recommendations directed to ASIC. The report also stated that: ‘It should be noted, specifically for policies that have only recently been finalised … that we were unable to assess the operating effectiveness of controls given how recently they had been implemented.’
  • The internal audit undertaken by ASIC into implementation of Thom Review recommendations was completed in May 2022. Reporting to ASIC’s Audit and Risk Committee in June 2022 advised that: ‘This review determined that the actions implemented to address [the recommendations] are embedded and working effectively, with a limited number of exceptions which are rated as minor.’

137 Under its compliance management framework, ASIC’s Central Compliance function reviews compliance plans prepared by business areas responsible for overseeing compliance-related controls and reviews the business areas’ assessment of control effectiveness.

138 There were two obligations rated as ‘unknown’. One was where implementation of a new arrangement was still underway and the other was where there was limited quality assurance undertaken to determine whether results were valid and no obligation owner was identified.

139 The obligation library is a register of compliance obligations established under legislation and ASIC’s internal policies.

140 ASIC advised the ANAO that:

Credit card breaches of the PGPA Act, for example the personal use of credit cards, are managed through CIMS. Other breaches of the policy (which are not breaches of the PGPA Act, for example failure to acquit credit card expenditure by the 20th day of the following month) are actioned by the PFCT [PGPA Finance Compliance Team] … but are not recorded in CIMS.

ASIC further advised that the PFCT team assesses all CIMS incidents in relation to credit cards, ‘to identify whether the cardholder has previously breached the policy, which will determine the nature of the consequence / remediation (i.e. counselling, being required to re-complete the credit card training module, suspension of card etc).’ See paragraph 2.78 for further details.

141 The intranet lists where events excluded from notification via CIMS can be reported. This includes:

  • ASIC’s Code of Conduct. ASIC employees are directed to a specific page on ASIC’s intranet.
  • Conflicts of interest, which are to be reported in myRAD (ASIC’s Enterprise Risk Management system) as part of the disclosure of interest, annual declaration or gifts, benefits and hospitality registers.
  • The trading policy. ASIC employees are advised to use the Request to Trade Register in myRAD.
  • The fraud control policy. ASIC employees are advised to report to their manager/senior executive leader/executive director, Chief Internal Audit, or Operational Risk Executive.

142 The Integrity Committee’s terms of reference state that:

The IC [Integrity Committee] oversees ASIC’s Integrity Framework, policies and practices, advises the ASIC Chair on internal corruption matters notified to the Australian Commission for Law Enforcement Integrity, sponsors training and awareness and makes recommendations to the Executive Risk Committee (ERC) and Commission Risk Committee (CRiC) in relation to material integrity risks and issues.

143 ASIC staff meet monthly with representatives of ACLEI to discuss any corruption matters that may have arisen and to obtain advice on applying the threshold test for notifications under the Law Enforcement Integrity Commissioner Act 2006.

144 The Speak Up platform allows ASIC staff to anonymously raise concerns or make confidential reports about suspected wrongdoing. This includes probity related matters such as unmanaged conflicts of interest, procurement practices and secondary employment arrangements. Internal reporting to ASIC’s Integrity Committee in December 2022, on ASIC’s Speak Up Annual Review for 2021–22, indicated that there had been 28 reports received through the platform between October 2021 and October 2022.

145 ASIC’s suite of mandatory training includes a number of probity related modules. See paragraphs 2.114 to 2.118 of this audit report for a discussion of ASIC’s probity related mandatory training.

146 ASIC’s annual attestation process is discussed in paragraphs 4.7 to 4.20 of this audit report.

147 ASIC’s policy on gifts, benefits and hospitality is part of its conflict of interest policy.

148 Cardholders with an acquittal that is three months overdue are reported to the ASIC Commissioner.

149 ASIC advised the ANAO in December 2022 that ‘across the review period there have not been any instances of a 3rd breach in relation to personal use, which would result in the removal of the physical card from the cardholder per the policy.’

150 Examples include inappropriate use of corporate credit cards and altering receipts.

151 The ANAO did not test ASIC’s compliance with public interest disclosures.

152 During this process, holders of security clearances were also asked to confirm whether they had reported any significant changes to their circumstances.

153 This equates to approximately 61 per cent of ASIC’s senior executives and 13 per cent of ASIC’s staff. For the senior executives, 21 declarations (54 per cent) had been submitted but were pending review by the ASIC security team.

154 The categories ‘changes in circumstances’ and ‘overseas travel’ relate to reporting requirements for holders of security clearances.

155 As outlined in footnote 55, contingent workers are not ASIC employees. Some contingent workers have access to ASIC’s information or systems.

156 See footnote 131 for details of ASIC’s project to identify requirements applicable to contingent workers.

157 The most recent process that impacted individual remuneration outcomes (excluding remuneration increases that occurred in response to Australian Government policy requirements) occurred as part of ASIC’s process to roll-in the payment of performance bonuses into total remuneration.

158 ASIC advised the ANAO that the information provided to the Chair did not include team members who were undertaking short-term higher duties at the senior executive level.

159 As discussed in paragraph 2.51, ASIC documentation indicates that most bonus roll-in amounts would be adjusted by applying a discount factor to account for certainty. Documents provided to the ASIC Chair stated that for ‘most Senior Executives, a 20% discount factor has been applied’ and outlined the reasons. The Chair was also provided with details of where a discount factor of between 25 and 40 per cent had been applied, where a full bonus or no bonus roll-in was applied, and the reasons for the differences. As outlined in footnote 94, the average increase in total remuneration as a result of the roll-in of performance bonuses was: 3.5 per cent for Executive Directors; and 3.33 per cent for non-Executive Directors.

160 A ‘compa-ratio’ divides a team member’s pay rate by the midpoint of the salary range for the banding they are in to determine where their salary rate sits compared to the midpoint and others within the band. For example, a compa-ratio of ‘one’ means that the team member is paid at exactly the midpoint. Higher or lower than one means they are paid above or below the midpoint.

161 While it includes the term ‘guideline’ in its title, ASIC’s ‘Procurement guideline – probity’ states that:

This Probity Guideline applies to, and must be read and followed by, all persons directly involved in ASIC procurement processes, including members of the Evaluation Team (ET) and any other person nominated by the Approver (of the procurement process).

162 The probity management requirements for each procurement depend on whether the procurement’s probity risk is assessed as ‘low’, ‘medium’ or ‘high’. Accordingly, it is necessary that a probity risk assessment is undertaken and a probity risk rating determined.

163 Procurements with a probity risk rating of ‘medium’ or ‘high’ all require a probity plan.

164 Procurements with a probity risk rating of ‘medium’ require an internal probity advisor. For procurements with a probity risk rating of ‘high’, ASIC’s policy recommends an external probity advisor.

165 Personnel involved in a procurement with a ‘medium’ or ‘high’ probity risk rating are required to complete conflict of interest declarations and an ‘acknowledgement of probity guidelines’.

166 Under its ‘Procurement guideline — probity’, it is recommended that high risk procurements have external probity advisors responsible for the probity plan and providing probity advice.

167 Under paragraph 4.12 of the Commonwealth Procurement Rules, use of coordinated procurements is mandatory for non-corporate Commonwealth entities. According to the Department of Finance website:

These arrangements ensure more efficient processes to deliver better prices, service and quality for the Commonwealth. Coordinated procurement arrangements also offer increased transparency, standard terms and conditions and improved contract management that benefits both the government and suppliers.

Department of Finance, Whole of Australian Government Procurement [Internet], Finance, 2022, available from https://www.finance.gov.au/government/procurement/whole-australian-government-procurement [accessed 20 November 2022].

168 Of the four procurements, three were procurements made under mandatory Australian Government coordinated procurement arrangements (CN3869054, CN3916506 and CN3866583). The fourth procurement was for the IT Specialists MBR Program procurement (CN3837544-A1). ASIC advised the ANAO that ‘This procurement was from a standing panel to enable continuity of [contractor] personnel during the transition and hand over period.’

169 The COO was selected as a key senior executive in relation to managing the entity and is typically responsible for many of the probity related risks examined in this audit.

Positional authority risks are discussed further in paragraphs 2.69 to 2.71 of this audit report.

170 As discussed in paragraph 2.76, ASIC advised the ANAO that none of the executive assistants of the accountable authority had an active corporate credit card during the audit period. Executive assistants to the other roles examined had active credit cards during the period.

171 Standing approval arrangements for Commissioners and senior executives are discussed in paragraph 2.67.

172 ‘Expired’ entries included duplicate entries, entries for events that were cancelled and items that did not need to be declared.

173 ASIC’s requirements are summarised in Chapter 2 in Table 2.4 of this audit report.

174 ASIC’s policy for non-Commissioners (2021) states that: ‘any benefit (irrespective of value) … must be declared … and the required approval obtained before acceptance’ and ‘all hospitality of a monetary value of $50 and above must be declared … and the required approval obtained before acceptance.’ In prior versions of this policy, ASIC required employees to either ‘get ASIC’s written approval prior to acceptance’, or ‘notify ASIC on myRAD of the gift or benefit as soon as practicable after its acceptance’. For the purposes of ANAO testing, ‘as soon as practicable’ was considered to be within 30 days of receipt.

ASIC’s policy in relation to Commissioners states that: ‘For hospitality other than “modest hospitality” … where possible the Commissioner should seek the approval of the Chairperson through myRAD before they accept the hospitality.’

175 The applicable policy required employees to either obtain written approval prior to acceptance or notify ASIC of the gift or benefit as soon as practicable after its acceptance. For the purposes of ANAO testing, ‘as soon as practicable’ was considered to be within 30 days of receipt. There was also one occasion when a token gift received by staff was reported 50 days after it was received. In this instance the applicable policy did not specify a timeframe for having to declare receipt of the gift.

176 ASIC’s policy states that ‘any gifts must be surrendered to ASIC, other than a token gift (such as a plaque, certificate, trophy or low-value item such as stationery)’.

177 For five of these occasions, ASIC advised the ANAO that: ‘These entries reported in March 2021 were for various seminars/conferences attended by ASIC staff members. Staff valued these items between $100-$200 however subsequent discussions with the staff members indicated these were free events. Subsequently, the relevant staff and their managers were reminded to ascribe an appropriate value for seminars/conferences.’ The register provided to the ANAO still included the original reported value for each of those entries.

178 ASIC’s ‘Disclosure obligations of ASIC Commissioners’ policy includes much the same provisions as ASIC’s conflict of interest policy. See paragraph 2.93 and Table 2.4 of this audit report.

179 The Chair’s attendance was reported in the Australian Financial Review newspaper. See J Eyers, ‘Livingstone exits CBA declaring victory’, Australian Financial Review, 12 August 2022.

180 Paragraph 70 of the policy states that:

Provided that acceptance does not give rise to a real or potential conflict of interest, it may be appropriate for a Commissioner to accept the following benefits and hospitality:

(a) Properly managed attendance at seminars, conferences and other public engagements, where hospitality may be provided to the Commissioner in the form of accommodation, food and beverages.

(b) Hospitality provided when a Commissioner is representing ASIC at meetings with other government agencies, international regulators or international bodies.

(c) Modest hospitality that may genuinely assist ASIC to develop and maintain constructive relationships with stakeholders.

Paragraph 69 of the policy states that: ‘What is “modest” will depend on the circumstances, but as a general guide it should not be disproportionately lavish or exclusive for the circumstances.’

181 ASIC’s November 2021 policy, ‘Disclosure obligations of ASIC Commissioners’, includes a section on ‘Why disclosure is important’. Paragraph 8 of that section recognises the potential for reputational risk to ASIC.

182 ASIC further advised the ANAO in December 2022 that the workflow is the same process for all entries recorded in myRAD, and the nature of follow up action is determined by the supervisor, depending on the nature of the noncompliance. As discussed in paragraph 4.19, people who had not completed the attestation by the due date are unable to enter the details once it has closed. ASIC advised the ANAO that ‘just because they did not complete the attestation does not mean they were non-compliant with the underlying policies.’

183 ASIC advised the ANAO that it has a target attestation completion rate of 90 per cent to remain within its risk tolerance.

184 In ASIC there are two categories of breaches.

  • Severity 1 breach — trading without approval in an Exchange Related Financial product, restricted from trading at the time and date of the trade.
  • Severity 2 breach — trading without approval in an Exchange Related Financial Product, not restricted at the time and date of the trade.

185 The number of breaches resulting from the annual attestation process is as follows:

  • ASIC staff — three severity 1 breaches across three staff and 64 severity 2 breaches across 14 staff.
  • Contingent workers — 27 severity 2 breaches across seven workers.

186 ASIC advised the ANAO that the difference between the 51 instances discussed in paragraph 4.73 and the December 2022 figure was due to ASIC’s records being ‘live’ and, as such, there were ‘timing differences when it comes to reporting; the difference in numbers reflects point in time reporting of notifications and assessments of retrospective trades.’

187 Examples of trades not in breach of the policy involved cryptocurrency, dividend payments and exchange-traded funds allowable under the policy.

188 Actions taken include: ensuring that staff complete the online training module; breach acknowledgment email being sent to staff member; and managers discussing the breach, reiterating the importance of ensuring awareness and understanding of, and compliance with, the requirements of relevant policies.

189 In this case both the manager and staff member were emailed ‘acknowledging the breach and reminding them of their obligations under the Trading Policy.’

190 In these cases, ASIC advised that both the manager and the contingent worker were emailed ‘acknowledging the breach and reminding them of their obligations under the Trading Policy.’

191 Documented consequences include the physical card being removed from staff and retained by Finance once a cardholder has breached the corporate card policy three times. The virtual number will remain active to facilitate business travel and accommodation. Following removal, further non-compliance with this policy will result in the card being cancelled.

192 ASIC also advised the ANAO that in relation to transactions that related to acquittals for a Commissioner or the COO:

there were some expense items which were sent back for further supporting documentation by the acquittal delegate, however the bulk of the acquittal was approved within the required timeframe … These transactions were directly followed up by the acquittal delegate’s executive assistant, and since August 2022 when the acquitted changed to the CFO [Chief Financial Officer], by the CFO directly with the Deputy Commissioner. The PFCT [finance compliance team] do not undertake additional follow up action on transactions sent back unless the transactions are not re-submitted for approval in a timely manner [by the due date], in which case this involves a conversation.

193 Department of Finance, Ethics and Probity in Procurement: Principles [Internet], 17 May 2021, available from https://www.finance.gov.au/government/procurement/buying-australian-government/ethics-and-probity-procurement [accessed 9 February 2023].