Introduction

1.1 The Great Barrier Reef (the Reef) extends along the east coast of Queensland from Cape York to Bundaberg (approximately 2300 kilometres) and makes up around 10 per cent of the world’s coral reef ecosystems.⁶ It contains a range of unique ecological communities, habitats and animal and plant species.⁷

1.2 In 1981, the Reef was declared a World Heritage Area.⁸ GBRMPA estimates the Reef contributes approximately $6.4 billion each year to the Australian economy and around 64,000 full time jobs.⁹

1.3 The Great Barrier Reef Marine Park Act 1975 (GBRMP Act) establishes the Great Barrier Reef Marine Park (the Marine Park) to provide for the long-term protection and conservation of the environment, biodiversity and heritage values of the Great Barrier Reef Region. The Marine Park encompasses approximately 70 Commonwealth islands and all waters beyond the low water mark, excluding Queensland internal waters and trading ports (see Figure 1.1).¹⁰

Figure 1.1: Map of the Great Barrier Reef Region

Source: Great Barrier Reef Marine Park Authority, Great Barrier Reef Outlook Report 2019, p. 4.

The role of the Great Barrier Reef Marine Park Authority

1.4 The Great Barrier Reef Marine Park Authority (GBRMPA) is established under section 6 of the GBRMP Act. It has primary responsibility for applying the Marine Park’s regulatory framework, which comprises the GBRMP Act, the Great Barrier Reef Marine Park Regulations 2019 (the Regulations), and legislative instruments made under them such as the Great Barrier Reef Marine Park Zoning Plan 2003 (the Zoning Plan).¹¹

1.5 GBRMPA’s Corporate Plan 2020–21 states that its purpose is to:

Provide for the long-term protection, ecologically sustainable use, understanding and enjoyment of the Great Barrier Reef for all Australians and the international community through the care and development of the marine park.¹²

1.6 Persons¹³ intending to undertake particular activities within the Marine Park are required to obtain permits prior to their commencement.¹⁴ GBRMPA and Queensland Parks and Wildlife Service and Partnerships (QPWS&P) within the Queensland Department of Environment and Science operate a joint application and permit assessment process for requests for access to both the Marine Park and Queensland’s Great Barrier Reef Coast Marine Park.¹⁵

1.7 Activities requiring permits are outlined in the Zoning Plan and include:

• most commercial activities, such as tourist programs and vessel and aircraft charter operations;
• certain types of fishing and aquaculture operations;
• taking of certain animals or plants;
• installation and operation of structures, such as jetties, marinas, pontoons, and moorings;
• any significant works, such as dredging and spoil dumping; and
• educational and research programs.

1.8 GBRMPA must assess the relevant impact of the proposed conduct before determining whether to grant a permit.¹⁶ Approved joint permit applications are signed by delegates from both GBRMPA and QPWS&P. Each permit can include multiple permissions, and each permission may be subject to one or more conditions¹⁷, which are required to be monitored and enforced by GBRMPA.

Previous scrutiny

1.9 The ANAO undertook a performance audit of GBRMPA’s management of permits and approvals in Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals. The audit identified shortcomings across a range of GBRMPA’s regulatory activities, including its assessment of permit applications, monitoring of permit holder compliance and response to non-compliance.¹⁸

1.10 The audit made five recommendations to GBRMPA to strengthen the:

• processing of permit applications;
• rigour of the permit application assessment and decision-making processes;
• effectiveness of permit conditions;
• effectiveness of permit compliance monitoring; and
• response to instances of non-compliance.¹⁹

1.11 GBRMPA’s response to the audit in August 2015 agreed to all five recommendations.²⁰ This response advised GBRMPA would address the five recommendations over the following four years. The recommendations are reproduced, and the ANAO’s assessment of the progress made to address them are outlined, in Appendix 2 of this report.

1.12 In 2016, the Joint Committee of Public Accounts and Audit (JCPAA) examined Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals in an inquiry. The JCPAA noted that ‘shortcomings in regulating the permit system for the marine park may be undermining the system as a means of managing risks to the Park’, and made three recommendations to GBRMPA to:

• appropriately accelerate its projected timeframe for the implementation of ANAO’s recommendations and report back to the Committee within six months with new timeframes and milestones for implementation;
• implement more effective performance information; and
• report back to the Committee within 18 months on whether it met the revised milestones for implementation with details and dates achieved.²¹

1.13 GBRMPA supported the first recommendation with qualifications and supported the other two recommendations. The recommendations are reproduced in Appendix 3 of this report.

1.14 A summary of the key timeframes against the implementation of recommendations and associated activities is outlined in Appendix 4.

Rationale for undertaking the audit

1.15 Effective regulation of permits and compliance in the Marine Park provides for the long-term protection and conservation of the environment, biodiversity and heritage values of the Great Barrier Reef Region.

1.16 Reports of parliamentary committees and the Auditor-General identify risks to the successful delivery of outcomes and areas where administrative or other improvements can be made. The appropriate and timely implementation of agreed recommendations is an important part of realising the full benefit of an audit or parliamentary inquiry, and for demonstrating accountability to the Parliament.²²

1.17 This follow-up audit will provide assurance that GBRMPA has implemented appropriate systems to manage risk and preserve the environmental, social and economic significance of the Marine Park and its World Heritage listing.

Audit approach

Audit objective, criteria and scope

1.18 The audit objective was to examine the effectiveness of GBRMPA’s regulation of permits and approvals, including its implementation of recommendations from Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals.

1.19 To form a conclusion against this objective, the ANAO adopted the following high-level criteria:

• Are there appropriate arrangements for processing, assessing and approving permit applications?
• Are there appropriate arrangements for managing and monitoring permissions?
• Has an appropriate non-compliance framework been established?

1.20 The audit focused on activities related to permit assessment, approvals and compliance management, and did not examine other activities conducted by GBRMPA.²³

Audit methodology

1.21 The audit methodology included:

• examination of GBRMPA’s documentation with a focus on implementation of recommendations;
• examination of permit assessment, monitoring and compliance related documentation and activities developed and implemented since the previous audit;
• assessment of GBRMPA’s IT system documentation and controls, including system improvements implemented since the previous audit; and
• interviews with relevant entity staff.

1.22 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $290,500.

1.23 Team members for this audit were Jacqueline Hedditch, Joshua Francis, Se Eun Lee, Matthew Rigter, Stevan Serafimov and Michael White.

2.1 Appropriate arrangements for processing, assessing and approving permit applications facilitate GBRMPA’s achievement of legislative objectives under the Great Barrier Reef Marine Park Act 1975 (GBRMP Act). It also ensures that GBRMPA, through the permissions system, effectively manages risks to the Great Barrier Reef Marine Park (the Marine Park).

2.2 To assess whether GBRMPA has appropriate arrangements for processing, assessing and approving permit applications, the ANAO examined whether:

• procedures support the processing of permit applications;
• assessment of permits is efficient and effective; and
• procedures support permit approval decisions.

Do procedures support processing of permit applications?

2.3 Accurate, current and complete procedures underpin effective permit application processing. Appropriate procedures provide GBRMPA with a basis to demonstrate accountability, transparency and consistency when processing permit applications. Training and internal communication is required to ensure staff appropriately apply policy and procedure.

2.4 Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals made findings relating to GBRMPA’s procedural documentation for processing of permit applications. Identified issues included: fragmented and incomplete guidance material for staff; materials in draft form or overdue for review or update; documents failed to address all key relevant assessment considerations; and a lack of training and internal communication.²⁴

2.5 This audit assessed GBRMPA’s policies, procedures and guidance documents in place to support its permit processing under the GBRMP Act. Specifically, the ANAO examined whether:

• the procedures for permit application processes have been reviewed and finalised;
• the procedures cover all components of the permit application process and address all legislative and policy requirements; and
• staff receive training and relevant communications on application processing.

Permit application, assessment and approval process

2.6 GBRMPA’s permit application, assessment and approval process is outlined in Figure 2.1. The stages in the permit application are: pre-assessment; assessment; review and quality assurance; decision; and reconsideration and appeal.

Figure 2.1: GBRMPA permit application, assessment and approval process

Note a: Steps are undertaken if required for the relevant application.

Source: ANAO analysis of GBRMPA information.

2.7 Once approved, applicants are issued a permit document with specified permissions and conditions. If an application is not approved, applicants are advised of the outcome of the assessment. The GBRMP Act and the Great Barrier Reef Marine Park Regulations 2019 (the Regulations) provide for affected persons to request reconsideration of certain decisions.²⁵

2.8 GBRMPA’s Environmental Impact Management – Permission System policy document defines the following key items:

• Permit: A document issued by the managing agencies which details the permission(s) granted by the managing agencies. A permit may include one or more permissions; and
• Permission: Written approval to enter or use the Marine Park for a specific purpose, in cases where this is required by the Great Barrier Reef Marine Park Zoning Plan 2003 and Marine Parks (Great Barrier Reef Coast) Zoning Plan 2004.²⁶

2.9 Conditions for conducting a permitted activity are set by the managing agencies in the permit document.²⁷

Review and finalisation of documents

2.10 Well-drafted procedural documents support consistency in regulatory decision-making. Procedures should cover all major decision points, be consistent with legislative and policy requirements, and be reviewed regularly to ensure they remain appropriate over time. Finalisation of procedural documents with clear approvals and version control reduces the risk that permit applications are processed using out-of-date or incorrect procedures.

2.11 This audit examined 120 policy, procedure or guidance documents that support the permit application process. Many of these documents were developed or revised as part of processes addressing the findings of the previous audit.²⁸ Of these:

• 56 documents were externally published via GBRMPA’s eLibrary database²⁹; and
• 64 documents were internal documents.

2.12 External documents may include:

• guidelines for applicants;
• checklists for information required for different types of applications;
• example routine permits; and
• information sheets related to specific activities and other matters relevant to the management of the Reef.

2.13 Internal documents support GBRMPA staff to use key applications related systems and address regulatory requirements.

2.14 All 56 externally published documents have been finalised. These documents are clear, well-structured and contain relevant information. However, 15 documents are overdue for review as at January 2021, with one guideline on managing research in the Marine Park more than two years overdue.

2.15 The 64 internal documents reviewed varied significantly in structure, format and content. Some were in formal internal procedure templates, while others were plain word processor documents.³⁰ Many were undated and were presented in a variety of formats including procedural steps, user manuals or instructions for using new systems, or ‘tips and tricks’ for various permit processing steps. Several documents were labelled as standard operating procedures that consisted of emails or minutes to managers saved as records.

2.16 Of the 64 internal documents assessed:

• 25 (39 per cent) were finalised;
• some documents contained unaccepted edits in track-changes or unaddressed comments raising queries or issues from as far back as 2017;
• 13 (20 per cent) of internal procedure documents specified the date for review, with six of these overdue as at January 2021; and
• three guidelines refer to provisions in the 1983 Regulations that were repealed and replaced in April 2019.

2.17 Incomplete, outdated or unapproved procedures to process permit applications can increase the risk of staff non-compliance with legislative or policy requirements and affect consistency of decision-making processes. There is scope to clarify and consolidate the contents of internal procedures, and withdraw or archive old procedures or guidelines that are no longer relevant.

Controlled document policy

2.18 GBRMPA has a policy for the development, approval, storage, review and access of documents — referred to as controlled documents. According to the policy, controlled documents are ‘typically … instruments of delegation, policies, procedures / standard operating procedures, guidelines, templates, and forms’ and should be developed:

• for issues affecting accountability, efficiency or consistency; that could create a liability; or that could impact compliance with regulatory requirements;
• for processes that are lengthy or complex, routine but essential for success, or processes or activities that are consistently done incorrectly;
• to strengthen internal controls; or
• where required by legislation, whole-of-Government policy, Australian Standards or are better practice.

2.19 Of the 56 external documents, 26 were approved controlled documents. None of the 64 internal procedural documents on permit applications processing or permit compliance were approved controlled documents.³¹

2.20 The policy indicates that many of the internal procedural documents are suitable to be classified as a controlled document. Procedures that detail steps required for compliance with regulatory requirements, including those that address proper use of key systems or weaknesses in internal controls, would benefit from the centralised quality oversight applied to controlled documents. Some external documents not currently established as controlled documents may also benefit from this oversight.

Consistency with legislative and policy requirements

2.23 GBRMPA’s procedures must be consistent with the requirements of the GBRMP Act and the Regulations, as well as its key policy documents. The ANAO examined whether GBRMPA’s procedures clearly address all relevant steps in the permit application process, including legislative and policy requirements.

2.24 Analysis of the 120 policy, procedure and guidance documents found all steps within the permit application process required by the GBRMP Act, the Regulations and key policy documents are comprehensively outlined in the procedures, with the exception of one legislative requirement.

2.25 Section 92 of the Regulations requires that the delegate consider a number of mandatory criteria before determining the assessment approach. However, evidence of this is not recorded at the time of the decision, including in the field provided for that purpose on the Reef Management System (RMS).³² Procedures state that reasons should be recorded in the RMS for deciding on assessment approach, but does not cover what form this should take to satisfy the Regulations and there is no other guidance around this requirement.³³

2.26 There were two gaps in the permit application process undertaken by GBRMPA that were not sufficiently addressed by the procedures.

2.27 Procedures covering referrals of applications to Queensland Parks and Wildlife Service and Partnerships (QPWS&P) and internal GBRMPA line areas³⁴ are not comprehensive, do not reflect current practices, and remain in draft form.

2.28 Secondly, procedures do not adequately address requirements for supervisor checks of the application assessment before it goes to the delegate for final decision. The available guidelines are not comprehensive and do not detail whether one or two checks are required for all applications.

Staff training and communications

2.29 Report No.3 2015–16 recommended that GBRMPA reinforce to its staff:

• the need to document whether permit application assessment requirements have been addressed³⁵; and
• the importance of preparing assessment reports for delegates that adequately address regulatory assessment requirements.³⁶

2.30 The ANAO examined training provided to permit processing staff that address these recommendations. Key training provided to GBRMPA’s permit processing staff include modules on: the joint permissions system; assessment criteria; risk assessment; Marine Park legislation; delegations and authorisations; decision-making; and privacy.

2.31 GBRMPA policy requires completion of these training modules³⁷ in order for staff to exercise permit-related delegations. Some training is delivered through GBRMPA’s internal learning and development system. Other training materials are stored on GBRMPA’s electronic document records management system for staff to access and review.

2.32 Records indicate that not all staff exercising delegations have completed all mandatory modules. There is no system-based control that prevents staff who have not completed the mandatory training from exercising permit delegations.

2.33 Aspects of the permit applications process and system usage are reinforced via email communications and staff meetings. Emails communicate tips, reminders and other information relevant to permit applications for staff and are sent out on an as-needed basis. Monthly system refresher sessions are available for permissions processing staff. Attendance is not mandatory.

Is assessment of permits effective and efficient?

2.34 Effective and efficient processing of permit applications enables the achievement of the GBRMP Act’s objectives while minimising the use of public resources.

2.35 Report No.3 2015–16 made findings relating to GBRMPA’s processing of permit applications, including poor timeliness of assessments, record-keeping and documentation of evidence, non-compliance with procedures, and lack of quality assurance over completion of key procedural steps.

2.36 To assess whether GBRMPA’s assessment and processing of permit applications was efficient and effective the ANAO examined whether:

• permit applications were assessed and processed in accordance with procedures;
• GBRMPA has developed an efficiency framework or metrics; and
• the timeliness of permit application assessments has improved since the previous audit.

Assessment of permit applications

2.37 Compliance with relevant assessment procedures allows GBRMPA to demonstrate the permit assessment process is consistent with the GBRMP Act. The assessment of permit applications is part of the process outlined in Figure 2.1, above.

Permit-related information systems

2.38 Since Report No.3 2015–16, GBRMPA has undertaken activities to improve the permit application assessment process. This includes the introduction of electronic workflows and record-keeping for permit assessments to replace paper-based processes. Refer to Appendix 4 for further detail.

2.39 The information systems that support permit application assessment and the broader permission system are outlined in Figure 2.2, below.

Figure 2.2: Permit-related information systems

Note: Internal systems are accessed by GBRMPA and Queensland Parks and Wildlife Service and Partnerships (QPWS&P) staff.

Source: ANAO analysis of GBRMPA information.

2.40 The Reef Management System (RMS) is the primary system GBRMPA uses to manage permit applications and assessments.³⁸ The RMS is supported by internal and publicly accessible systems. GBRMPA’s electronic document records management system (The Dock) stores the permit application and assessment documents that are linked to the relevant parts of the workflow on RMS. The publicly accessible systems allow for electronic lodgement of permit applications and searches of permit-related information.³⁹

Compliance with assessment procedures

2.41 The ANAO assessed a sample of 70 applications received between 4 October 2017 and 31 December 2020 for compliance with GBRMPA’s procedures.⁴⁰ The results of key procedural requirements tested are summarised in Table 2.1.

Table 2.1: GBRMPA’s compliance with assessment procedures

Legend: ◆ Met: >95% of cases met the test; ▲ Partly met: 75% to 94% of cases met the test; ■ Not met: <75% of cases met the test.

Note a: Under paragraph 24HA(7)(b) of the Native Title Act 1993 GBRMPA is required to notify all registered Aboriginal or Torres Strait Islander bodies, registered native title bodies corporate and registered native title claimants, relevant to the location(s) in which a permitted activity is proposed to occur, of the description and general nature of the application prior to the grant of a permit and provide an opportunity to comment.

Note b: The ANAO assessed the supervisor checks recorded in the RMS against documentation that is marked as a guide only. GBRMPA advised that this guide is used as part of daily business practice, however workflow documents are currently being drafted.

Source: ANAO analysis.

2.42 GBRMPA’s assessment process met six of the 11 key requirements. Two requirements were partly met, and three requirements were assessed as not met.

2.43 The requirements assessed as not met were: meeting the Permission System Service Charter (service charter) timeframes (see paragraphs 2.56 to 2.57); compliance with internal criteria to exercise permit-related delegation (see paragraphs 2.76 to 2.80); and the completion of RMS fields required by procedure. These fields included:

• the free text field where the delegate records reasons for making an assessment approach decision under section 92 of the Regulations, which is not required by the system and used at the delegate’s discretion (see paragraph 2.25); and
• relevant date fields indicating: the date on which all information was received from the applicant; assessment completion date; and date the assessment was sent to the delegate for final decision. These dates are used by the system to calculate performance against the service charter timeframes.

Record-keeping

2.44 Failure to create and maintain accurate records of regulation impacts GBRMPA’s accountability and transparency, and creates legal risks if decisions are later scrutinised or appealed.

2.45 Not all key documents relating to the application assessment were available on GBRMPA’s electronic document records management system. Of the 70 applications examined, 10 assessment reports to the delegate and five other documents⁴¹ required by procedure were not found on file.

2.46 GBRMPA amended relevant procedures in January 2021 to reduce the record-keeping risks related to broken hyperlinks, amendments to template document names, or changes following system upgrades.

Efficiency and timeliness of assessments

2.47 The Public Governance, Performance and Accountability Act 2013 (the PGPA Act) requires entities to be governed in a way that promotes the proper use and management of public resources.⁴² The PGPA Act defines ‘proper’ as efficient, effective, economical and ethical.⁴³

2.48 The Auditing and Assurance Standards Board defines efficiency as the ‘performance principle relating to the minimisation of inputs employed to deliver the intended outputs in terms of quality, quantity and timing’.⁴⁴

2.49 Efficient use of public resources enables regulators to maximise outputs for government and the community, reduce demands on the Australian Government budget and promote financial sustainability. An efficient permit application process also ensures that applicants are able to access the Marine Park for planned activities in a timely manner.

2.50 Comments from stakeholders received by the ANAO as part of Report No.3 2015–16 found that permit holders and general stakeholders consistently identified the lack of timeliness as a major issue, particularly for non-routine applications.⁴⁵

2.51 Analysis in Report No.3 2015–16 found that for routine applications, GBRMPA met its target timeframe (then 60 days) to complete assessments 57.4 per cent of the time during the period July 2012 to June 2014. For non-routine applications⁴⁶, GBRMPA required up to 90 days to complete assessments for 13 of the 63 applications (20.6 per cent), and up to a year to assess a further 28 applications (44.4 per cent). Assessments for the remaining 22 applications required between one and nearly four years to complete (with the longest assessment for a new applicant being two years and eight months).⁴⁷

2.52 In 2016, the Joint Committee of Public Accounts and Audit (JCPAA) recommended that GBRMPA implement more effective performance information, including targets for permit application processing, assessment and approval timeframes, and continue to monitor and publicly report on performance outcomes in this area.⁴⁸

2.53 The ANAO examined whether GBRMPA has improved its assessment timeliness and implemented appropriate arrangements to measure and monitor efficiency of permit assessments.

Assessment timeliness

2.54 Section 112 of the Regulations requires a decision on an application for a permit to be made within a reasonable period after receiving the application. However, a reasonable period is not defined in the Regulations.

2.55 In the absence of statutory timeframes, GBRMPA adopted a service charter specific to the permission system on 4 October 2017.⁴⁹ GBRMPA reports on its average performance against the service charter timeframes in its annual reports. It also provides a weekly update to its Executive Management Group (EMG)⁵⁰ on the status of permit applications, including performance against service level standards.

Performance against service charter timeframes

2.56 The ANAO examined whether GBRMPA has met the timeframes specified in the service charter for all applications received between 4 October 2017 and 31 December 2020.⁵¹ Table 2.2 outlines the results of testing against the relevant timeframes.

Table 2.2: GBRMPA’s performance against service charter timeframes

Note a: A properly made application is one that contains enough information about the proposed activity to allow an assessment of potential impacts and determine the most appropriate risk management measures.

Note b: For tailored assessments where a further information request (FINFO) is required, the timeframe commences once this process has been completed.

Note c: From 4 October 2017.

Note d: As part of the response to COVID-19, from March 2020 GBRMPA contacted permit holders with permits approaching expiry to obtain verbal agreement to lodge and initiate continuation applications on their behalf. This was to prevent permits from expiring, and enable businesses to re-open once travel and other restrictions were lifted. GBRMPA reporting indicates that COVID-19 contributed to the decline against service charter standards in 2020.

Source: ANAO analysis of GBRMPA data.

2.57 GBRMPA met the service charter timeframes for the majority of routine applications since 4 October 2017. GBRMPA’s timeliness is less consistent for tailored assessment approaches, with around 31 per cent of tailored applications exceeding the 50-day target for decision on average. Of these: 174 applications (22 per cent) took between 51 to 75 days; 36 applications (4 per cent) took between 76 to 100 days; and 39 applications (5 per cent) took more than 100 days.

Measurement of efficiency

2.58 As outlined in paragraph 2.48, efficiency is calculated by analysing inputs employed to deliver the intended outputs. Reporting on performance against service level standards is GBRMPA’s only efficiency-related metric.⁵² GBRMPA has not established other arrangements to measure its use of resources in relation to its processing of permit applications.

2.59 In the absence of an existing efficiency indicator, the ANAO examined whether an efficiency indicator could be created using inputs, such as the cost of processing permit applications, and corresponding outputs, such as number of permits processed per financial year. GBRMPA was unable to provide a sufficient level of information on the costs of permit processing activities to enable the development of an efficiency indicator.

2.60 Lack of arrangements to measure efficiency in its delivery of permit processing activities limits GBRMPA’s ability to demonstrate to the Parliament, the public and itself that it is properly managing the public resources for which it is responsible. Establishing measures to monitor efficiency will enable GBRMPA and external stakeholders to understand changes in performance, target areas for improvement and monitor changes over time.

Do procedures support permit approval?

2.62 A permissions system that achieves GBRMPA’s legislated objectives requires permit approval decisions to be informed by all assessment criteria and the risks relevant to the various permitted activities.

2.63 Report No.3 2015–16 found that permit application assessment reports prepared for the delegates failed to address all relevant assessment criteria to inform delegates’ decisions to issue or refuse permits, and appropriate risk assessment templates were not developed for all permitted activity types.⁵³

2.64 As a result, the delegates’ decisions to grant or refuse applications for certain activities were not informed by all relevant considerations or a documented assessment of the risks that the activities pose to the Marine Park.

2.65 To determine whether these findings had been addressed, the ANAO examined whether:

• assessment templates provide for all regulatory considerations to be fully addressed;
• all assessment templates in use were accompanied by risk assessment templates; and
• permit approval decisions are made according to procedure.

Updated assessment report templates

2.66 Prior to the amendments that came into effect on 4 October 2017, the Regulations outlined six common mandatory considerations that must be considered by the delegate when making a decision to grant or refuse all Marine Park permits, and 11 discretionary considerations that the delegate may take into account when making a decision.

2.67 The amendments of October 2017 removed the list of discretionary considerations. The Regulations now contain a consolidated list of 16 mandatory considerations the delegate must consider in deciding whether to grant a permission on an application, and whether or not to impose any conditions on the permission.⁵⁴

2.68 GBRMPA’s assessment templates⁵⁵ have been updated and expanded to ensure that all mandatory criteria are addressed. Examination of the 70 sampled applications confirmed that where assessment reports were available (see paragraphs 2.44 to 2.46), they addressed all 16 mandatory criteria, including noting those that were not relevant for delegate consideration.

2.69 There were two assessment templates in GBRMPA’s list of current templates that when reviewed by the ANAO were in draft and contained unaddressed comments in the document.⁵⁶ GBRMPA should ensure all its templates in use are finalised and up to date. While reviewing templates GBRMPA should continue to use approved versions and keep drafts separate to ensure they are not used by staff before revision is complete.

Risk assessment templates

2.70 A documented assessment of risks associated with each permit application allows the delegate to consider the extent to which relevant risks to the Marine Park posed by the proposed activity can be effectively managed.

2.71 GBRMPA developed a new internal risk assessment procedure for permit applications following Report No.3 2015–16. This procedure outlines how the managing agencies will be evaluating risks to the values of the two marine parks posed by proposed activities.⁵⁷ Changes to the risk assessment methodology included revising risk levels and consequence ratings, as well as the likelihood of the risks eventuating. The procedure came into effect on 4 October 2017 along with the amendments to the Regulations, and other policies and guidelines (see Appendix 4).

2.72 All 19 assessment templates examined by the ANAO contained a risk assessment template that aligned with the internal procedure. These risk assessment templates contain standard risks that are relevant to the particular permitted activity covered by the assessment template. The risk assessment templates include pre-filled inherent risk ratings and risk ratings after existing controls, including via proposed conditions, that have been taken into account.

2.73 The ANAO found that seven out of 19 risk assessment templates examined did not indicate the date on which the pre-filled risk assessment was undertaken and did not contain a field in which the assessment officer is to fill in the date the assessment was reviewed and applied to the individual application. As the pre-filled risk assessment templates are sometimes used without further changes, specifying the date on which the risks were considered by including a date field for assessment officers to complete during the assessment process would assist in ensuring that the risks are updated and revised where relevant.

2.74 GBRMPA began reviewing its risk assessment procedure in April 2020, ahead of the scheduled review date specified in the procedure (September 2020). The process involves ‘[r]eview and update of the Risk Assessment – Permission System internal procedure to assess fit-for-purpose with renewed risk tolerance and broader Authority review of risk assessment processes.’ As at April 2021 the risk assessment procedure remains under review.

Permit approval decisions

2.75 The instrument of delegation made under the GBRMP Act states that powers and functions relating to managing permissions, including granting and refusing permissions, under the Regulations are delegated to the Chief Executive Officer, General Manager/Senior Executive Service officer, staff at Executive Levels 1 and 2, and staff at APS Levels 2 to 6.⁵⁸

2.76 GBRMPA also has an internal procedure outlining mandatory requirements for staff to exercise permit-related delegations. These requirements include the completion of six training modules (paragraph 2.30) and a conflict of interest declaration that is updated at least annually.

2.77 For the 70 sampled permit application assessments:

• a delegate appropriately authorised under the instrument of delegation made all decisions; and
• clear and reliable evidence could not be identified that the delegates for 47 permits of 70 sampled assessments had completed the required six training modules.⁵⁹

2.78 Conflict of interest forms are required to be completed as part of the annual performance and development agreement process. All 18 staff working on permit processing and assessments in February 2021 have completed their conflict of interest declarations.

2.79 Supervisors are responsible for reviewing the employee’s conflict declaration to ensure the form has been completed properly and any declared conflicts are managed. This process does not provide clear oversight of declared conflicts where the delegate is not the direct supervisor of the staff member who completed the assessment.

3.1 GBRMPA requires persons intending to undertake particular activities within the Great Barrier Reef Marine Park (the Marine Park) to obtain permits prior to their commencement. Each permit can include multiple permissions, and each permission may be subject to one or more conditions, which are required to be monitored and enforced by GBRMPA.

3.2 To assess whether GBRMPA has appropriate arrangements for managing and monitoring permissions, this audit examined whether:

• standard conditions are periodically reviewed;
• there is a framework for compliance monitoring activities; and
• compliance monitoring activities are effective.

Are standard conditions periodically reviewed?

3.3 GBRMPA permits provide written approval to enter or use the Marine Park for a specific purpose. Permits specify permission(s) subject to conditions.⁶⁰ These conditions are the mechanism for reducing the risks that permitted activities pose to the Marine Park. To ensure that conditions are effective at reducing the risks associated with permitted activities they should be periodically reviewed for their ongoing appropriateness.

3.4 GBRMPA applies standard conditions in two circumstances. The first is conditions issued in routine permits.⁶¹ The second is conditions for tailored applications, which can be amended as required by the delegate approving the permission.

3.5 GBRMPA provides customised conditions as required to address risks associated with specific proposals including intended use, location within the Marine Park and individual site-specific environmental risks.

3.6 Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals recommended that GBRMPA improve the effectiveness of conditions used to manage risks to the Marine Park from permitted activities, including periodic review of the adequacy of standard conditions.⁶²

Review of standard conditions

3.7 GBRMPA has undertaken two reviews over standard conditions since Report No.3 2015–16. Reviews of some standard conditions occurred in 2016 as part of the application process changes implemented in October 2017. This included the development of routine permits and reviewing standard conditions relating to: tourism and charter activities; equipment used in activities; and indemnity and insurance.

3.8 As part of this process, 262 conditions were reviewed, resulting in recommendations to retain, modify or remove 231 of those conditions.⁶³ GBRMPA advised the ANAO that it did not capture information on the number of individual conditions changed as a result of the review. Therefore the action taken to address these recommendations is unclear.

3.9 The second review process began in 2018 when planning commenced for the Risk-based Permission Project (the project) to improve the risk-based approach to the permissions system. The primary outcome identified in the project plan is for resources and efforts to be focussed on activities that pose a high risk to the Reef.

3.10 The project plan was approved by the Joint Streamlining Permissions Steering Committee (the Joint Steering Committee) in August 2019, with an estimated timeframe of three to five years.⁶⁴ The project is intended to review approximately 1000 standard conditions in accordance with the process approved by the Joint Steering Committee.⁶⁵

3.11 The conditions review aims to improve efficiency for permit compliance by:

• consolidating and removing duplicate conditions;
• ensuring the conditions are enforceable; and
• improving consistency across low risk permits to reduce the need to create custom permit documents.

3.12 As at February 2021, 588 standard conditions for tourism and charter permissions have been reviewed.

3.13 Nine issues papers have been developed and presented to the Joint Steering Committee between June and December 2020 that identify issues with standard conditions for tourism and charter permissions. The themes covered by these issues papers are outlined in Table 3.1.

Table 3.1: Issues identified in tourism and charter standard conditions review

Note a: A total of nine issues papers have been prepared to date. Issues papers were intended to consolidate a range of expert opinions identified during review working groups and provide a range of options for consideration by the Joint Steering Committee.

Source: ANAO analysis of GBRMPA information.

3.14 Although a number of issues have been identified that are currently impacting on the clarity and enforceability of permissions conditions, no changes have yet been made as a result of this review activity. GBRMPA expects to present recommended actions for the 588 conditions reviewed to date to the Joint Steering Committee in mid-2021.

Reporting against review of standard conditions

3.15 Reporting on project progress occurs to the Joint Steering Committee and Field Management Strategy and Operations Groups.⁶⁶ Reporting provides an overview of the status of activities listed within the project plan, however does not provide a clear line of sight of the achievement of overall project outcomes. Specifically, the conditions review is intended to:

• provide for permits that have concise, clear and enforceable conditions;
• reduce the effort on creating customised permits through standardisation; and
• improve business efficiencies for permit compliance.

3.16 Reporting to these committees does not include reporting against these outcomes.

3.17 Internal reporting also occurs against the annual operating plan.⁶⁷ GBRMPA considers that its annual operating plan reporting provides the standard reporting framework for each business unit and key deliverables, including monitoring against the project. However, reporting against the annual operating plan does not clearly communicate the project’s progress against its milestones and deliverables and does not provide a clear overview of progress over time.⁶⁸

3.18 The two examples of annual operating plan reporting reviewed by the ANAO provided limited information to support the ‘green’ status⁶⁹:

• one report makes statements about project activities but does not report against targets or baselines; and
• the other outlines the project deliverables but does not report on the activities that have been delivered.

3.19 External reporting as part of the annual performance statements is limited to a high level statement under the annual compliance plan activities. Reporting for 2019–20 noted that GBRMPA was reviewing the enforceability of standard conditions for specific permission types and involvement in the condition review process.

Is there a framework for permissions monitoring activities?

3.23 An appropriate framework of policies, procedures and systems for permissions monitoring is required to manage risks to the Marine Park associated with permitted activities and identify permissions non-compliance.

3.24 Report No.3 2015–16 made findings relating to GBRMPA’s framework for managing and monitoring of permissions, including:

• a lack of risk-based plans to coordinate its permit compliance monitoring activities;
• generally not monitoring or assessing most post-approval reporting documents submitted by permit holders;
• the patrols used as the primary mechanism used to monitor compliance not being suited to detecting numerous types of permit non-compliance;
• limited guidelines for staff undertaking monitoring of permissions conditions; and
• shortcomings in the quality and completeness of some monitoring activities.⁷⁰

3.25 This audit assessed whether GBRMPA has implemented the actions identified to address these issues.

Strengthening Permissions Compliance Action Plan 2015–2020

3.26 GBRMPA established the Strengthening Permissions Compliance Action Plan 2015–2020 (the compliance action plan) to address the permissions monitoring and compliance related findings of Report No.3 2015–16 and to implement Recommendations no.4 and 5.⁷¹

3.27 The compliance action plan was approved in September 2015 with a scheduled completion date of 30 June 2020. The compliance action plan sets out 14 deliverables in its implementation schedule. These deliverables and the ANAO’s assessment of whether scheduled timeframes were met and their implementation status at April 2021 are set out in Table 3.2.

3.28 Table 3.2 outlines that GBRMPA has largely completed the deliverables to establish a framework for managing and monitoring permissions. However, half of the deliverables, including key framework and system deliverables, were not completed in the planned timeframes.

Policies, procedures and systems

3.29 An appropriate framework of policies, procedures and systems supports the efficient and effective delivery of regulatory activities.⁷² Report No.3 2015–16 found that GBRMPA did not have appropriate policies, procedures and systems for monitoring permissions compliance.⁷³

3.30 GBRMPA’s permissions compliance action plan contained deliverables to implement permissions monitoring policies, procedures and systems by the end of 2019–20. Outstanding actions at 30 June 2020 included the finalisation of permissions compliance policies and guidelines, and the implementation of a module in the Reef Management System (RMS) to support permissions monitoring and compliance.

3.31 Overarching permissions compliance procedural documentation was approved in March 2021. The procedure includes a section that covers monitoring and reporting against permissions (see paragraphs 3.34 to 3.36 for further detail).

IT general controls over permits systems

3.32 The ANAO examined the IT general controls related to the RMS and found that current controls do not provide adequate assurance over the data within the RMS. GBRMPA should improve the IT general controls over the RMS to provide greater assurance over permit-related data. In particular, GBRMPA is unable to provide assurance over the changes implemented. Key issues include:

• the structure of the commencements and terminations data within RMS Permits is such that its extraction could not confirm completeness and accuracy of the data;
• privileged user activity is not sufficiently logged and monitored;
• there is no segregation of duties between the development and migration of changes; and
• there is no way to determine if changes have been made that bypass the change management process.

3.33 GBRMPA has implemented robust arrangements for data back-up including periodic testing for recoverability.

Development of annual compliance plans

3.34 Report No.3 2015–16 identified a lack of risk-based plans to coordinate permit compliance monitoring activities. GBRMPA committed to developing and implementing annual permissions compliance plans to address this finding. GBRMPA has developed an annual permissions compliance plan each year from 2015–16 to 2020–21.

3.35 The annual compliance plans outline categories of activities intended to support the achievement of permissions compliance outcomes:

• education and communication to raise permit holder awareness of how to comply;
• monitoring and reporting to assess levels of permit holder compliance; and
• enforcement measures aimed at adjusting permit holder behaviour towards compliance.

3.36 According to the plan, monitoring and reporting may include the following activities:

• surveillance;
• environmental site supervision;
• compliance audits (including desktop; field inspections; and system based checks);
• investigations; and
• compliance planning where specific plans are developed for high risk permissions.

3.37 The annual compliance plans also outline the types of permissions non-compliance that may occur. GBRMPA has undertaken a risk assessment of these non-compliance types, based on the impact of non-compliance on the Marine Park and the likelihood of non-compliance occurring. For each non-compliance type, GBRMPA has identified a number of ‘treatments’ intended to reduce the risk. These treatments may include a range of education and communication, monitoring and reporting, or enforcement activities.

3.38 Each type of permissions non-compliance is assigned an initial untreated risk rating and a treated risk rating.⁷⁴ The treated risk ratings are based on the assumption that all planned treatments are implemented.

3.39 The 2019–20 annual compliance plan objectives include that ‘risks are prioritised and treatments identified based on the available resources and the application of appropriate compliance tools.’ GBRMPA’s other annual permissions compliance plans contain similar statements.

3.40 However, there is no evidence of GBRMPA aligning or prioritising treatments, including monitoring and reporting activities, against identified risks. Further, the plans do not present any information on prioritisation of resource allocation, in particular against education and communication, and monitoring and reporting activities.

3.41 For example, the 2019–20 plan identifies 31 categories of non-compliance risks and 130 treatments. The plan assigns these to be completed with staffing resourcing of ‘approximately four full time equivalents’.

3.42 The first three annual compliance plans present no information on resource allocation (Table 3.3). Plans from 2018–19 to 2020–21 present information on the allocation of staffing resources to treatment categories.⁷⁵ There is no allocation of any other types of resourcing in any of the annual permissions compliance plans.⁷⁶

Table 3.3: Annual compliance plans resource allocation (full time equivalents — FTE)

Source: ANAO analysis of GBRMPA information.

Governance for the delivery of the compliance framework

3.43 In agreeing to recommendations made by the Parliament or the Auditor-General, GBRMPA is providing a commitment to the Parliament to improve the relevant area of administration.⁷⁷ The governance arrangements in place to monitor and oversee the implementation of actions against recommendations should provide assurance that the intent of the recommendation has been met.

3.44 Audit committees provide independent advice and assurance to an entity’s accountable authority on financial and performance reporting, risk oversight management and internal controls.⁷⁸ GBRMPA’s audit committee charter (the charter) states that the audit committee is responsible for ensuring GBRMPA has appropriate mechanisms in place to review relevant parliamentary committee reports, external reviews and evaluations, and implement, where appropriate, any resultant recommendations.

3.45 GBRMPA’s audit committee maintains a register of internal audit recommendations. This register includes the management commitments made to address internal audit recommendations and the status of actions to address these recommendations. GBRMPA’s audit committee does not maintain a similar register to monitor parliamentary and external audit recommendations.

Review of standard conditions

3.46 As noted in paragraph 3.6, Report No.3 2015–16 recommended that GBRMPA improve the effectiveness of conditions used to manage risks to the Marine Park from permitted activities, including periodic review of the adequacy of standard conditions (Recommendation no.3).

3.47 In meetings held in February 2016, June 2016 and November 2016, GBRMPA reported to its audit committee that work is ongoing to implement Recommendation no.3 and stated that ‘[s]tandard permit conditions will be reviewed in April–June 2017 after Regulation amendments, revised policies and new guidelines are finalised’. GBRMPA advised the audit committee in these meetings that ‘[t]he intention is to establish a rolling review schedule for standard permit assessments and conditions’.

3.48 This was also reflected in GBRMPA’s initial advice to the JCPAA as part of its submission to the inquiry. In February 2017, in its response to the JCPAA recommendations in Report 456: Defence Major Equipment Procurement and Evaluation, and Great Barrier Reef Regulation (see Appendix 3), GBRMPA referred to an ongoing review process to improve the effectiveness of conditions to address risk, and indicated that a substantial review of conditions will coincide with the implementation of the amended Regulations and guidance material.

3.49 On 8 November 2017, GBRMPA reported to its audit committee that it had implemented the first three recommendations from Report No.3 2015–16 with the first tranche of improvements to the permissions system that came into effect in October 2017. It did not mention whether standard conditions had been reviewed as planned, or a periodic review schedule for standard conditions had been established.

3.50 In August 2018, an internal audit into the framework guiding assessment of applications, including the implementation of Recommendations no.1 to 3, commissioned by GBRMPA assessed that Recommendation no.3 had been completed, noting:

The control framework embraces a ‘continuous improvement’ mindset which addresses and improves the assessment and approval systems and associated policies and procedures on an ongoing basis.

3.51 GBRMPA agreed to five management actions in response to the internal audit, all due for completion by 30 November 2018. Reporting to the audit committee in November 2018 stated that all actions were completed on 24 October 2018.

3.52 The audit committee noted the November 2018 update with Recommendation no.3 reported as being completed by internal audit. There is no subsequent record of the audit committee considering GBRMPA’s implementation of Recommendation no.3.

3.53 In October 2018, GBRMPA advised the JCPAA that Recommendation no.3 from Report No.3 2015–16 had been completed, referring again to the improvements to the permissions system implemented on 4 October 2017. There was no mention of review of standard conditions or a schedule to undertake such a review.

3.54 As noted in paragraph 3.14 the current review of conditions has not been completed.

Compliance management

3.55 GBRMPA’s reporting to the JCPAA and its audit committee on the implementation of recommendations related to compliance management (Recommendations no.4 and 5) is not consistent and committed timeframes have not been met.

• In October 2018, GBRMPA advised the JCPAA that Recommendations no.4 and 5 were ‘Achieved’, however also stated that actions to address these recommendations were ‘in draft form’ or anticipated to ‘be largely complete by the end of the 2018–19 financial year’.
• Reporting to GBRMPA’s audit committee in March 2020 stated progress to implement previous audit Recommendations no.4 and 5 had been made, but work to fully implement Recommendations no.4 and 5 was ongoing.

3.56 There is no subsequent record of the audit committee considering GBRMPA’s implementation of Recommendations no.4 and 5.

3.57 In relation to the audit committee considering closure of recommendations from Report No.3 2015–16 there is no evidence that the audit committee:

• critically examined the advice provided to it in relation to the actions taken to address the ANAO recommendations;
• clearly tracked the audit and related JCPAA recommendations over time, including documenting decisions on whether the recommendations had been addressed; or
• provided assurance to the accountable authority on the closure of recommendations.

Are permissions monitoring activities effective?

3.60 Effective permissions monitoring is required for GBRMPA to manage the risks posed to the Marine Park from permitted activities. Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals found that GBRMPA’s permissions monitoring was insufficient to determine permit holders’ compliance with permissions.⁷⁹

Post-approval reporting requirements

3.61 Report No.3 2015–16 found GBRMPA was not effectively monitoring most types of post-approval reporting requirements.⁸⁰ The report recommended that GBRMPA develop and enhance standard operating procedures for undertaking permissions compliance monitoring activities (including in relation to post-approval reporting requirements).

3.62 GBRMPA implemented measures to monitor post-approval reporting requirements in response to this recommendation, with functionality to record due dates and document the achievement of post-approval reporting requirements added to the RMS in October 2019. However, use of spreadsheets concurrently with the RMS continued until the end of 2020. Further system amendments were made in March 2021 that automatically raise an allegation of non-compliance when a reporting requirement due date becomes overdue.

3.63 Between August 2015 and February 2021, monitoring of post-approval reporting requirements was not supported by appropriate system-based record-keeping to ensure all overdue requirements were recorded and appropriately actioned as non-compliance. Parts of the process, including sending reminders to permit holders of approaching due dates for reporting and referring overdue cases for compliance action, were managed across multiple spreadsheets.

3.64 Reporting against post-approval requirements between August 2015 and February 2021 indicates that:

• not all requirements were met or recorded as met on the RMS where the due dates had passed⁸¹;
• not all post-approval reporting requirements have their due date and status recorded in the RMS; and
• individual post-approval reporting requirements recorded in the RMS cannot be traced through the reminder and non-compliance allegation spreadsheets to confirm that compliance actions have been taken for all unmet post-approval reporting requirements.

3.65 The implementation of the RMS compliance module in February 2021 includes functionality designed to improve GBRMPA’s capability to provide assurance that all outstanding post-approval reporting requirements are actioned.

Performance information

3.66 A key element of regulatory governance is the establishment of an appropriate performance framework that provides information about whether the regulator is achieving intended results. This should include external performance measures to provide information about the achievement of its purpose to Parliament and other stakeholders, and internal performance measures to inform officials, including the Board, about the efficiency and effectiveness of its regulation.

3.67 As part of their annual corporate planning process Commonwealth entities are required to establish their purpose(s) and a set of performance measures that can provide an assessment of the extent to which they have succeeded in achieving that purpose. Results against these performance measures are required to be provided in the annual performance statements.⁸²

Purpose statement

3.68 Subsection 16E(2) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires entities to include the purposes of the entity in their corporate plan. The purposes of an entity include the objectives, functions or role of the entity. A clear and concise statement of the purposes of an entity underpins a robust performance reporting framework.⁸³ GBRMPA’s purpose is stated in its corporate plan:

Provide for the long-term protection, ecologically sustainable use, understanding and enjoyment of the Great Barrier Reef for all Australians and the international community through the care and development of the Marine Park.⁸⁴

3.69 GBRMPA’s purpose statement is followed by a statement of its role:

The Great Barrier Reef Marine Park Authority (the Authority) is established under the Great Barrier Reef Marine Park Act 1975 (Marine Park Act) and is the Australian Government statutory authority responsible for protecting and managing the environment, biodiversity and heritage values of the Great Barrier Reef Region (the Region).

The Authority reports to the Australian Government Minister for the Environment and advises the Minister on a range of matters relevant to the care and development of the Great Barrier Reef (the Reef). Our work includes day-to-day Marine Park management, development and implementation of policies, plans and programs to protect biodiversity, building capacity through partnerships and education, and synthesising knowledge to guide innovation and adaptive management.⁸⁵

3.70 When read together, the purpose and role statements cover the required elements as they present the majority of GBRMPA’s objectives, functions and roles. They are clear and concise, although some elements of the objects of the Act under section 2A are not explicitly covered, specifically encouragement of engagement in the protection and management of the reef region by interested persons and groups, including Queensland and local governments, communities, Indigenous persons, business and industry.

Activities

3.71 Subsection 16E(2) of the PGPA Rule requires entities to identify the key activities the entity will undertake during the reporting period to achieve its purposes.⁸⁶ This audit assessed GBRMPA’s identification of key activities related to Marine Park permits and approvals. GBRMPA’s 2020–21 corporate plan presents these activities in ‘Program Area 2: Enhancing Reef resilience through innovation, management and regulation of the Marine Park and our in-field presence’.⁸⁷

3.72 GBRMPA’s 2020–21 corporate plan outlines ‘delivery strategies’⁸⁸ against each Program Area. The delivery strategies are considered to be the key activities required by subsection 16E(2) of the PGPA Rule. The delivery strategies and an assessment of whether they are aligned to a performance criterion for Program Area 2 are set out in Table 3.4.

Table 3.4: Delivery strategies for Program Area 2

Source: ANAO analysis of GBRMPA 2020–21 Corporate Plan p. 33.

3.73 The delivery strategies identified for Program Area 2 contribute to GBRMPA’s purpose, however they do not adequately describe all of the key activities GBRMPA plans to undertake for Program Area 2. Permissions system related activities are not clearly described in any of the delivery strategies.

Performance measures

3.74 Reporting by entities under the Commonwealth performance framework should provide a ‘clear read’ and a ‘line of sight’ between the allocation and use of public resources and the results being achieved.⁸⁹

3.75 GBRMPA’s performance information relating to the permissions system was not clear, consistent and reconcilable for each annual cycle between 2017–18 and 2019–20 as:

• reporting does not demonstrate to the Parliament and the public a clear read of performance within each cycle; and
• annual performance statements stated performance targets were met, but did not link to supporting evidence.

3.76 The reader’s ability to assess GBRMPA’s permissions system performance across the performance cycles is limited by changes to performance criteria, targets and information from one annual performance cycle to the next.

3.77 GBRMPA redesigned and set five permissions system related performance criteria and targets for 2020–21. This is the third redesign in four annual performance cycles (see Table A.3 in Appendix 5).

3.78 The 2020–21 performance measures have been assessed against the PGPA Rule requirements that performance measures: include output, efficiency and effectiveness measures (if appropriate); are related (to key purposes or activities); and are measurable (reliable, verifiable and unbiased) (Table 3.5).⁹⁰

Table 3.5: Assessment of 2020–21 permissions system performance measures

Legend: PGPA Rule requirements — ◆ Met; ▲ Mostly met; ■ Not met.

Source: ANAO analysis of GBRMPA information.

3.79 These five permissions system related performance measures may not meet PGPA Rule requirements as:

• there is no specific performance measure for efficiency; and
• they may not be measurable as two do not provide clear targets or methodologies.

3.80 The PGPA Rule also requires that performance measures relate directly to one or more purposes or key activities.⁹¹ While the performance criteria for Corporate Result 2.2 are related to GBRMPA’s purpose, the delivery strategies are not clearly aligned to permissions system’s activities.

3.81 The Regulator Performance Framework requires regulators to publish annual self-assessments on their performance against six performance indicators.⁹² While GBRMPA’s website acknowledges the requirement for annual reporting, GBRMPA has only published one self-assessment which was for 2015–16.⁹³ GBRMPA commenced another self-assessment process in February 2021. In March 2021 GBRMPA advised the ANAO this work was being progressed ‘as resourcing allows’.⁹⁴

Internal performance reporting

3.82 Internal reporting and monitoring of performance using well-defined measures can be a valuable source of information for a regulator on its strategies and areas for improvement.

3.83 GBRMPA’s internal reporting mechanisms for permissions compliance include:

• weekly high level reports to the General Manager;
• monthly reporting to the Compliance Operations Group; and
• quarterly reporting in the Field Management Compliance Program quarterly report⁹⁵ and against the annual operating plan.

3.84 Internal reporting for permissions compliance is brief, not standardised or consistent between periods, and does not align with the outcomes and targets established in the annual compliance plans. Reporting is typically focussed on permit application and decision volumes, and supporting activities such as system and policy development, rather than compliance monitoring and reporting on the realisation of risks.

4.1 Effective regulation of permissions requires GBRMPA to act on identified instances of non-compliance. An appropriate framework of policies, processes, systems and plans support effective permissions non-compliance actions.

4.2 To assess whether GBRMPA has established an appropriate non-compliance framework, the ANAO examined whether:

• there is a framework for managing permissions non-compliance;
• permissions non-compliance is managed consistently with this framework; and
• enforcement actions are verified prior to the closure of investigations.

Is there a framework for managing permissions non-compliance?

4.3 An appropriate framework of policies, processes, systems and plans supports effective permissions non-compliance actions, including by:

• defining and identifying instances of non-compliance;
• aligning actions with the severity and frequency of non-compliance; and
• establishing appropriate training and qualifications requirements for staff responsible for managing non-compliance.

4.4 Report No.3 2015–16 made findings relating to GBRMPA’s approach to managing permissions non-compliance. Specifically, an overarching compliance framework was in draft form and did not address all regulatory requirements. It recommended that GBRMPA improve processes for responding to instances of permissions non-compliance, including:

• updating and finalising guidance documentation for managing non-compliance; and
• reinforcing to staff the need for all instances of non-compliance by permit holders to be reported and recorded in relevant systems.⁹⁶

Permissions non-compliance framework

4.5 Report No.3 2015–16 reported that the Field Management Compliance Unit (FMCU) was responsible for investigations of alleged non-compliance with permissions as well as activities not subject to permissions.⁹⁷ Alleged non-compliance with permissions related to five per cent of all recorded incidents examined by the FMCU. The majority of non-compliance incidents and investigations related to breaches of state fishing permits and licence or activities not subject to permissions.⁹⁸ A permissions compliance team, separate to the FMCU, was established in September 2018.

4.6 The status of implementation of actions to address key issues relating to the non-compliance framework identified in Report No.3 2015–16 are outlined in Table 4.1.

4.7 While information system updates implemented in February 2021 are expected to address some issues, such as improved record-keeping, these outcomes have not yet been realised. Investigation planning and prioritisation of cases have not been addressed in the March 2021 updates.

Marine Park inspectors

4.8 Marine Park inspectors exercise powers under the Great Barrier Reef Marine Park Act 1975 (GBRMP Act).⁹⁹ Inspector powers are wide ranging and include powers to: access premises; stop and search aircraft and vessels and persons; give directions; require a person to leave the Marine Park; require a person to produce a permit; and give an infringement notice to a person for certain contraventions.

4.9 Prior to procedural documentation being approved in March 2021, it was not clear whether staff investigating permissions non-compliance were required to be appointed as Marine Park inspectors. The qualifications required by Marine Park inspectors undertaking permissions compliance activities were also not clearly defined.

4.10 Procedures approved in March 2021 have clarified that permissions non-compliance can be investigated by staff who are not appointed as Marine Park inspectors. However, all permissions compliance staff are required to have investigations qualifications.

4.11 As at March 2021, three of the four staff within the permissions compliance team have been appointed as Marine Park inspectors. Of the three permissions compliance staff appointed as inspectors, one holds both a Certificate IV in Government (Investigation) and a Diploma of Government (Investigation); one holds a Certification IV in Government (Investigation); and one staff member does not hold either of these qualifications. The remaining member of the permissions compliance team is currently undertaking a Certificate IV in Government (Investigation) but has not yet been appointed as an inspector.

Training requirements

4.12 The Field Management Compliance Unit (FMCU) provides training to Marine Park inspectors. Content covered in the training includes:

• an overview of roles and responsibilities of FMCU staff and Queensland Parks and Wildlife Service and Partnerships (QPWS&P) rangers;
• inspector powers provided by the Act;
• collection of evidence and seizures;
• use of FMCU systems such as the Field Reporting System;
• common offences and submitting evidence to the Commonwealth Director of Public Prosecutions; and
• emerging issues in compliance.

4.13 The training includes a session relating to permissions compliance, however this information is pitched at FMCU inspectors and provides limited information for inspectors performing permissions compliance roles. While this addresses part of Recommendation no.5 from Report No.3 2015–16, by providing information to other business areas, it does not provide support and guidance for staff undertaking permissions compliance activities.¹⁰⁰ The roles and responsibilities of permissions compliance staff is not covered in the training to the same extent as the FMCU and QPWS&P.

4.14 There is scope for GBRMPA to review inspector training materials to provide more tailored information for staff undertaking permissions compliance roles. As permissions compliance related policies and procedures are finalised, GBRMPA should review these documents to ensure that inspector requirements, including training and qualifications, are clearly defined.

Is permissions non-compliance managed consistently with the framework?

4.15 A clear and approved framework which establishes the range of responses to non-compliance supports appropriate enforcement actions and GBRMPA to operate as an effective regulator. This includes providing for:

• selection of appropriate responses based on the level of risk and impact;
• escalation actions when non-compliance is not rectified; and
• appropriately recording regulatory actions taken.

4.16 In the absence of a framework against which GBRMPA’s management of permissions non-compliance could be assessed, the audit examined the:

• types of permissions non-compliance GBRMPA has managed and actioned; and
• delegations exercised when managing permissions non-compliance.

Management of permissions non-compliance allegations

4.17 Report No.3 2015–16 reported that between July 2012 and June 2014 GBRMPA recorded 76 allegations of non-compliance with permissions. Investigations were undertaken for 59 of these allegations. It also identified that many allegations were not being recorded on GBRMPA’s systems. When non-compliance was investigated, generally these investigations were not timely and decision-making was poorly documented.¹⁰¹

4.18 Between July 2015 and February 2021, GBRMPA recorded allegations of non-compliance in spreadsheets. These spreadsheets consisted of fields for recording allegations, activities, actions and some outcomes. The final outcome for 99 records (9 per cent) is unclear.¹⁰²

4.19 The format of these spreadsheets changed over time. While these spreadsheets record actions GBRMPA has taken in relation to allegations of non-compliance, there is no assurance over the completeness of information or actions taken.

4.20 GBRMPA introduced stage one of a compliance module into the Reef Management System in February 2021. The compliance module has been designed to support GBRMPA’s management of allegations and cases of permissions non-compliance. GBRMPA advised the ANAO that following the implementation of the compliance module the spreadsheets are no longer in use.

4.21 Table 4.2 outlines the number of allegations of non-compliance recorded and the number of allegations reported externally in GBRMPA’s annual reports.

Table 4.2: Recorded permissions non-compliance allegations 2015–16 to 2019–20

Note a: Data from 2014–15 has not been included as this was during the period GBRMPA was implementing new processes. GBRMPA annual reports: 2015–16, Table 2; 2016–17, Table 4; 2017–18 Table 4; 2018–19 Figure 9; 2019–20, Figure 9.

Note b: During this audit, the ANAO identified that Figure 9 in the 2019–20 annual report incorrectly presents figures as percentages rather than plain numerals and the legend is missing three allegation types. GBRMPA has acknowledged this error on the annual report page of its website.

Source: ANAO analysis of GBRMPA information.

4.22 Table 4.2 illustrates that there are inconsistencies between:

• the compliance module data set which includes 864 permissions non-compliance allegations with a created date between 1 July 2015 and 30 June 2020¹⁰³; and
• the annual number of the non-compliance allegations GBRMPA has reported in each annual report from 2015–16 to 2019–20, which totals 1259 permissions non-compliance allegations for the same period.

4.23 The information presented in the annual reports is based on data recorded in the permissions non-compliance spreadsheets, which have been replaced as at February 2021.

4.24 GBRMPA attributes the differences between the two sources to the data cleansing process that occurred when spreadsheet data was uploaded to the RMS compliance module. GBRMPA only uploaded historical allegations that had sufficient data to populate the RMS compliance module.¹⁰⁴ GBRMPA also advised that the reporting functionality in RMS compliance module is not fully implemented as at March 2021 so some allegations may not have been captured in the dataset analysed in Table 4.2.

Permissions non-compliance investigation actions

4.25 Not utilising the full range of regulatory powers can limit the effectiveness of a regulator in achieving its outcomes.¹⁰⁵ As outlined in paragraph 3.35, GBRMPA’s annual permissions compliance plans include the following categories of actions it intends to implement to achieve its permissions compliance outcomes:

• education and communication to raise permit holder awareness of compliance;
• monitoring and reporting actions to assess levels of permit holder compliance; and
• enforcement actions intended to adjust permit holder behaviour towards compliance.

4.26 GBRMPA reported on the actions taken in response to permissions non-compliance allegations in its annual reports between 2015–16 and 2017–18.¹⁰⁶ Table 4.3 presents these actions against the annual compliance plan’s outcomes and strategies.

Table 4.3: Reported permissions non-compliance action taken 2015–16 to 2017–18

Note a: This is the number of investigations closed with no further action. A clear record of the number of individual investigations undertaken has not been identified.

Note b: Process based actions may result in no further action or alternative compliance action being undertaken. They do not represent a compliance outcome.

Note c: An individual allegation of non-compliance may be subject to multiple actions.

Source: ANAO from GBRMPA information.

4.27 The presentation of this information between 2015–16 and 2017–18 did not include consistent action descriptions across the reporting periods. As such it does not provide clear insights to the reader for performance over time.

4.28 Further, almost two-thirds (886 out of 1361) of the reported actions did not result in finalisation of annual compliance plan outcomes. Reporting on these process-based actions may be misleading as it is not clearly aligned to the achievement of outcomes.

4.29 This reporting also shows that while annual permissions compliance plans identify infringement notices, directions and orders, or prosecutions as possible strategies for responding to permissions non-compliance, these strategies were not used between 2015–16 and 2017–18.¹⁰⁷

4.30 The permissions service charter was established in October 2017 and commits to reporting the number of administrative compliance actions taken for permissions and environmental management charge non-compliances.¹⁰⁸ GBRMPA did not meet this commitment in 2018–19 or 2019–20 as this information is not reported. GBRMPA’s 2020–21 corporate plan does not include this as a reporting metric.

4.31 Based on current record-keeping and reporting practices, GBRMPA is unable to demonstrate that actions taken in response to permissions non-compliance are aligned to, and effective at, managing identified risks and issues.

Delegations

4.32 The ability to provide assurance that legislative powers are appropriately exercised requires an entity to retain records that a decision-maker held the required delegation at the time a decision is made. A regulator that cannot demonstrate that actions are consistent with legislated powers may have regulatory action overturned if subjected to external review or challenge.¹⁰⁹

4.33 An instrument made under the GBRMP Act delegates powers for managing permissions non-compliance to GBRMPA and Queensland Parks and Wildlife Service and Partnerships (QPWS&P) employees.¹¹⁰ The delegation instrument includes 18 permissions non-compliance related delegations. The RMS compliance module allows for 37 actions in relation to an allegation of permissions non-compliance. It is not clear within the system which actions require a delegation.

4.34 GBRMPA’s permissions compliance documentation and RMS compliance module uses the term delegate to refer to any decision-maker. The procedure for permissions non-compliance does not clearly identify if the action requires the decision-maker to exercise a legislative delegation, or if the decision is administrative and not a specific power under the Act.

4.35 GBRMPA’s spreadsheet based management of permissions compliance allegations between 2015 and February 2021 does not provide assurance the decisions were made by appropriately authorised decision-makers as spreadsheets do not specify the decision-maker for all key actions.

4.36 The RMS compliance module implemented in February 2021 does not support system-based assurance that permissions compliance actions are consistent with GBRMPA delegation instrument as:

• user roles are manually maintained by system administrators with no link to the human resources system that records an employee’s current ongoing or acting employment level¹¹¹;
• decisions recorded on the system do not align with the corresponding legislative powers provided through the delegation instrument; and
• user profiles¹¹² are mapped to position numbers, however the delegation instrument assigns legislative powers to employment levels and not a position number.

Are enforcement actions verified prior to the closure of investigations?

4.39 Verification of enforcement actions prior to investigation closure ensures that issues impacting the Marine Park are adequately addressed and provides assurance over GBRMPA’s actions as a regulator.

4.40 Report No.3 2015–16 found that documentation related to enforcement decision making was poor. In some cases, primarily related to education of permit holders, investigations were closed despite the enforcement action not having been undertaken.¹¹³

4.41 Audit assurance based on sample testing requires finalised policies and procedures supported by appropriate record-keeping and information systems.¹¹⁴ As GBRMPA had not finalised an appropriate permissions compliance framework that required verification of enforcement activities prior to investigation closure until March 2021, sample based analysis testing was not considered appropriate.¹¹⁵ Assurance cannot be provided by GBRMPA that all permissions compliance decisions are being appropriately completed.

Appendix 1 Great Barrier Reef Marine Park Authority response

Appendix 2 Recommendations from Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals

Table A.1: Recommendations from Auditor-General Report No.3 2015–16 Regulation of Great Barrier Reef Marine Park Permits and Approvals

Table A.2: Assessment of implementation of previous audit recommendations

Note a: Systems and procedures to address these recommendations were implemented in February and March 2021 at the end of this audit’s fieldwork stage. These assessments are based on document reviews. The effectiveness of these systems and procedures was not assessed with sample based testing.

Source: ANAO analysis of GBRMPA documentation.

Appendix 3 Recommendations from Joint Committee of Public Accounts and Audit Report 456: Defence Major Equipment Procurement and Evaluation, and Great Barrier Reef Regulation

Appendix 4 Timeline of Great Barrier Reef Marine Park Authority implementation of recommendations

Figure A.1: Timeline of actions to address previous audit recommendations

Source: ANAO based on GBRMPA information.

Appendix 5 Permissions system related outcomes, performance criteria and targets

Table A.4: Permissions compliance related performance targets 2017–18 to 2020–21

Source: GBRMPA corporate plans 2017–18 to 2020–21.