Audit snapshot

Why did we do this audit?

  • The audit objective is to assess whether the Australian Security Intelligence Organisation’s (ASIO’s) workforce planning to support key activities is effective.
  • The sensitivity of ASIO’s role requires a workforce with high-level security clearances, and often specialised skillsets.
  • This audit provides assurance to the Parliament that ASIO is appropriately managing and aligning workforce requirements to key activities and effectively processing Top Secret Positive Vetting (TS (PV)) assessments to support Australian Intelligence Community workforce requirements.

Key facts

  • In its 2020–21 Portfolio Budget Statements, ASIO reported annual expenses of $680.2 million.
  • In 2019–20, ASIO completed 34,035 personnel security assessments, of which 3,652 were for TS (PV) clearances.

What did we find?

  • ASIO’s workforce planning to support key activities is largely effective.
  • Development of workforce plans is largely effective, and reflects alignment to ASIO’s key activities. However improvements are required on risk consideration, and collection and use of data in workforce planning.
  • ASIO workforce plan implementation was partially effective, and it has not established an enterprise level implementation plan or monitoring and reporting processes.
  • ASIO implemented Recommendation 12 of the 2017 Independent Intelligence Review based on a limited interpretation that it remediate the legacy backlog of 1,266 specific TS (PV) cases.

What did we recommend?

  • The Auditor-General made three recommendations to ASIO in relation to workforce planning risk management, collection and use of enterprise level data, and implementation planning.
  • ASIO agreed to all recommendations.

1,875

ASIO’s average staffing level in 2020–21.

20 of 25

workforce plan action items were progressed or implemented.

100%

clearance of a legacy backlog of TS (PV) security assessment cases by January 2020.

Summary and recommendations

Background

1. The Australian Security Intelligence Organisation (ASIO) is responsible for protecting Australia, its people and its interests from threats to security through intelligence collection, assessment and advice. ASIO’s functions are set out in the Australian Security Intelligence Organisation Act 19791, and key organisational activities are stated in its Corporate Plan 2021–25.2

2. Workforce planning is the continuous process of shaping the workforce to ensure it is capable of delivering organisational objectives now and in the future.3 For ASIO, demands on its services are in an environment of global instability and risk to national security. ASIO describes its workforce as ‘including trade specialists, as well as technical, corporate and intelligence professionals’, and in 2019–20 recruited 141 staff.4 In addition to its own workforce planning, ASIO works closely with registered vetting agencies to assess the suitability, on security grounds, of people who have or require access to Australian Government resources (people, information and assets), which is controlled or limited on security grounds, as well as mitigating insider threats through personnel security assessments. In accordance with the ASIO Act and Protective Security Policy Framework (PSPF), and as a component of the broader clearance process administered by the Australian Government Security Vetting Agency (AGSVA), ASIO conducts security assessments of personnel for Negative Vetting 1 and above clearance levels (or lower levels where concerns have been identified).

3. In 2017, reviews5 by the government and commissioned by ASIO highlighted continuing challenges in maintaining capabilities across the Australian Intelligence Community (AIC)6 in light of its specialised functions, and the limited pool from which personnel can be drawn. The 2017 Independent Intelligence Review (IIR)7 included a recommendation to remediate a backlog in Top Secret Positive Vetting (TS (PV)) security clearances that are required for the majority of roles within the AIC.

Rationale for undertaking the audit

4. ASIO’s role requires a workforce with high-level security clearances, and often specialised skillsets. It is important that ASIO is effectively undertaking workforce planning activities to manage the demand on its services in an environment of global instability that continues to pose risk to Australia’s national security.

5. This audit provides assurance to the Parliament that workforce planning in ASIO is effectively supporting delivery of its key activities; and that ASIO has implemented Recommendation 12 of the 2017 IIR, the intent of which was to ensure that TS (PV) assessments were being processed in a timely way to support AIC workforce requirements.

Audit objective and criteria

6. The audit objective was to assess the effectiveness of ASIO’s workforce planning to support key activities. To form a conclusion against this objective, the following high-level criteria were applied:

  • Is ASIO effectively developing workforce plans to support its key activities?
  • Is ASIO effectively implementing workforce plans?
  • Has Recommendation 12 of the 2017 IIR been implemented to support Australian intelligence community workforce requirements?

Conclusion

7. ASIO’s workforce planning to support key activities is largely effective.

8. ASIO’s development of workforce plans to support its key activities is largely effective. ASIO has established workforce planning documentation consistent with Australian Public Service Commission guidance, except for the consideration of risk. Workforce decisions are informed by the available data, however ASIO does not have a process to identify capabilities that inform enterprise workforce planning decisions and delivery of its key organisational activities.

9. ASIO’s workforce planning implementation to support key activities is partially effective. ASIO has not established an approved implementation plan for workforce planning at the enterprise level. However, ASIO had commenced or implemented the majority of the actionable items in its Workforce Plan 2025. ASIO has not established monitoring and reporting on workforce planning progress or whether its intended outcomes are being achieved.

10. ASIO implemented Recommendation 12 of the 2017 IIR. Top Secret Positive Vetting cases and processing times were reduced, and a significantly reduced backlog of cases remained after the remediation had concluded.

Supporting findings

11. ASIO’s current workforce planning aligns with APSC guidance for initiating workforce planning but does not link to other relevant business planning and strategy documents, or consider risk.

12. ASIO workforce planning is supported by available data analysis. However, decisions on enterprise workforce planning and delivery of key organisational activities are not being systematically supported by information on its existing workforce capabilities.

13. ASIO has not established an approved implementation plan for workforce planning at the enterprise level. However, ASIO has commenced or implemented 20 of 25 actionable items in its Workforce Plan 2025, including the development of three Workforce Action Plans.

14. ASIO has not established arrangements to monitor Workforce Plan implementation. ASIO has established separate and inconsistent monitoring arrangements for Workforce Action Plan implementation.

15. ASIO developed an effective strategy to manage the provision of resourcing for the purpose of implementing Recommendation 12 of the 2017 IIR. ASIO’s actual approach to resourcing did not fully align with its strategy in that the majority of additional resources remained in ASIO rather than being seconded to AGSVA. However, the strategy was implemented with appropriate use of governance arrangements with AGSVA and other Commonwealth entities.

16. ASIO has effectively established monitoring and reporting of its personnel security assessment performance. Monitoring and reporting arrangements have been established with AGSVA and other Commonwealth entities. The legacy backlog of 1,266 specific TS (PV) cases referred to in the 2017 IIR was remediated by January 2020, with a significantly reduced backlog of TS (PV) cases remaining. ASIO reported that it achieved its benchmark for ‘routine’ security assessments less than 50 per cent of the time in each month between March 2020 and February 2021. Use of overtime conditions and surge capacity has had a material impact on ASIO’s security assessment performance, but procedures have not been developed to formalise use of surge capacity.

Recommendations

Recommendation no. 1

Paragraph 2.19

The Australian Security Intelligence Organisation identify, document and manage risks and controls associated with its current workforce planning.

Australian Security Intelligence Organisation response: Agreed.

Recommendation no. 2

Paragraph 2.37

The Australian Security Intelligence Organisation develop a process that captures the capabilities of its existing workforce to support enterprise workforce planning decision-making, and delivery of its key activities.

Australian Security Intelligence Organisation response: Agreed.

Recommendation no. 3

Paragraph 3.20

The Australian Security Intelligence Organisation establish and apply an approved implementation plan for its Workforce Plan 2025 and Workforce Action Plans to:

  • document how actionable items will be assigned, prioritised, progressed, and measured;
  • establish monitoring and reporting arrangements on implementation progress to the appropriate oversight body;
  • evaluate the extent to which they are achieving their intended outcomes; and
  • provide data to inform adjustments in response to changes in organisational priorities, or future iterations of its workforce planning.

Australian Security Intelligence Organisation response: Agreed.

Summary of Australian Security Intelligence Organisation response

17. ASIO’s summary response to the report is provided below and its full response is at Appendix 1.

ASIO welcomed the independent of assessment ASIO’s workforce planning. ASIO’s people are ordinary Australians but they do extraordinary things—they are our most important asset and ASIO is committed to effective workforce planning to meet current and future demands. We have continued to strengthen our workforce analytics capability to enable strategic workforce management and decision-making. ASIO welcomes the ANAO findings, particularly the assessment that ASIO is largely effective at developing data-informed workforce plans.

We also welcome the ANAO findings that ASIO is effectively implementing Recommendation 12 of the 2017 Independent Intelligence Review. Our personnel security assessments play a pivotal role in assisting the Australian Government to identify and mitigate violent, clandestine or deceptive efforts to compromise Australia’s national security. Your audit has provided further assurance that ASIO has assisted the Australian Government Security Vetting Agency (AGSVA) progress towards the key performance benchmark set by government.

ASIO is committed to accelerating our ability to achieve our purpose, deliver against our priorities and position the Organisation to meet future challenges. ASIO accepts the audit report recommendations which align to our agile approach in addressing complex workforce matters, and views this as an opportunity to continue evolving this important business practice. ASIO will address these recommendations through the implementation of ASIO’s Workforce Plan 2025 and the associated ASIO Workforce Planning Implementation Framework and future Workforce Action Plans.

Key messages from this audit for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Group title

Risk management

Key learning reference
  • Entities should undertake an enterprise-level risk assessment when developing and implementing strategic plans.
Group title

Program implementation

Key learning reference
  • Development of an effective implementation plan is important to ensure that workforce planning is executed within scope, timeframes and budget. Implementation plans should specify measurable and reasonable milestones and benchmarks, establish accountable roles and governance arrangements, and identify risks and controls.
Group title

Performance and impact measurement

Key learning reference
  • Successful implementation of workforce planning is underpinned by effective monitoring, review and evaluation processes to inform the achievement of intended outcomes, adjustments that may be required, or maturity on the basis of meaningful data.

1. Background

1.1 The Australian Security Intelligence Organisation (ASIO) is a non-corporate Commonwealth entity and its Director-General is its accountable authority. ASIO has one outcome ‘[t]o protect Australia, its people and its interests from threats to security through intelligence collection, assessment and advice to Government’8. ASIO’s functions are set out in the Australian Security Intelligence Organisation Act 19799 (ASIO Act), and its Corporate Plan 2021–25 lists its key activities:

  • countering terrorism;
  • countering espionage and foreign interference; and
  • border security.10

1.2 In accordance with the ASIO Act and Australian Government Protective Security Policy Framework (PSPF), ASIO also assists the Australian Government to protect its classified and sensitive information and assets by conducting security assessments of personnel for Negative Vetting 1 and above clearance levels (or lower levels where concerns have been identified). Since 2014, ASIO has reported that Australia has a National Terrorism Threat level of ‘probable’, citing heightened threats of an intent and capability to conduct a terrorist attack in Australia. Between 2017–18 and 2019–20, demand for personnel security assessments completed by ASIO increased, and in 2019–20, ASIO completed 34,035 personnel security assessments (an increase from 32,887 in 2018–19).11 Assessments in 2019–20 included 3,652 Top Secret Positive Vetting (TS (PV)) security clearances that are required for the majority of roles within the Australian Intelligence Community.

1.3 In its 2020–21 Budget Statements, ASIO reported annual expenses of $680.2 million and an average staffing level of 1,875.

1.4 In March 2021, ASIO’s Director-General addressed the public with an update on ASIO’s assessment of the current threat environment.12 Australia’s security outlook was described as ‘challenging and changing’, particularly in the face of the most recent global phenomena, COVID-19, that has forced the organisation to further evolve its approach to national security. In reference to its operating environment, ASIO’s 2019–20 annual report states that:

… our success is built on the imagination and intelligence of our team. ASIO’s people are ordinary Australians but they do extraordinary things—they are our most important asset. All our teams contribute to our mission.13

Workforce planning

1.5 The Australian Public Service Commission (APSC) defines workforce planning as being ‘a continuous process of shaping the workforce to ensure it is capable of delivering organisational objectives now and in the future’14. Workforce planning is a critical corporate function for the operation of any organisation that has multiple personnel. The APSC has developed guidance on a common approach to workforce planning in Commonwealth entities, building on existing information and good practice from across the Australian Public Service.15

1.6 APSC workforce planning guidance consists of modules for entities to use as guidance on how to collect and use accurate and complete workforce data and systems, and categorises these phases as: understanding and segmenting its workforce, assessing workforce demands and supply challenges, gaps and development of responses to them, and monitoring and reviewing whether intended outcomes have been achieved. According to APSC guidance, ‘initial implementation of workforce planning should be planned and undertaken as a project’ and ‘is clear from the onset about its objective, resourcing, scope, timeframe, stakeholder engagement and risks’.16

1.7 Workforce plan implementation should be tracked and tested by monitoring and reporting on progress to provide evidence to support implementation, and measure performance against clear benchmarks. Effective implementation arrangements create a line of sight between planning and outcomes that increase the likelihood of plans being effectively implemented.

Previous reviews

1.8 The role of effective enabling functions – such as workforce management, administrative structures and provision of security assessments for other government entities – in pursuit of national intelligence priorities is a theme of national security and intelligence inquiries that prompted significant reforms to ASIO.17

2017 Independent Intelligence Review

1.9 In July 2017, the second Independent Intelligence Review (the 2017 IIR) of the Australian Intelligence Community18 highlighted continuing challenges in maintaining capabilities across the Australian intelligence community in light of the specialised nature of functions and the limited pool from which personnel can be drawn. The 2017 IIR recommended reforms to human resource strategies and practices, which included the implementation of more effective models of recruiting, managing, and developing suitably trained and skilled staff. The 2017 IIR also recommended that:

[t]he Australian Security Intelligence Organisation receive additional resourcing to allow it to second staff to the Australian Government Security Vetting Agency (AGSVA) as soon as possible, and that the situation with AGSVA Top Secret (Positive Vetting) clearances be reviewed in early 2018 to allow time for the current remediation program to have effect. If processing times still exceed six months, alternative options for Top Secret (Positive Vetting) clearances should be explored.19

1.10 In its 2018–19 annual report, ASIO stated that the:

contribution provided by ASIO secondees to the AGSVA—in line with the recommendations of the Independent Intelligence Review of June 2017—has reinforced the cooperation between our two agencies and enabled a greater sharing of knowledge and expertise.20

ASIO also reported an increase in its timeliness of security assessments that enabled AGSVA to meet its benchmarks and support sponsoring entities to on-board staff in a timely manner.21

Thodey Review

1.11 In 2017, a review was commissioned by ASIO and completed by David Thodey AO that identified its business model needed to change to: capitalise on the benefits of augmented decision-making and data science; establish a strong, digitally enabled culture; reform its human resources practices; establish strategic partnerships with industry, academia and government; and strengthen innovation within the Organisation. The Director-General’s review in ASIO’s 2017–18 annual report stated that ‘[i]n line with the review’s recommendations, during this reporting period we commenced preparations for a major transformation to ensure ASIO remains fit for purpose in an increasingly complex security and operating environment’.22 ASIO’s 2018–19 annual report stated that it had commenced a significant Enterprise Transformation Program to implement the recommendations in the Thodey Review.23 In reference to enterprise transformation, ASIO’s 2019–20 annual report also stated that:

[g]iven the challenge of progressing with this program through the uncertain COVID-19 economic environment, a more modest program of reforms, based on similar organisational priorities, will start to be progressed in 2020–21.24

Rationale for undertaking the audit

1.12 ASIO’s role requires a workforce with high-level security clearances, and often specialised skillsets. It is important that ASIO is effectively undertaking workforce planning activities to manage the demand on its services in an environment of global instability that continues to pose risk to Australia’s national security.

1.13 ASIO is also responsible for assisting security vetting providers to mitigate insider threats through timely and robust security assessments. The 2017 IIR reported that workforce challenges were being exacerbated by a backlog of TS (PV) security clearances, which at its peak took more than 18 months to process.25

1.14 This audit provides assurance to the Parliament that workforce planning in ASIO is effectively supporting delivery of its key activities; and that ASIO has implemented Recommendation 12 of the 2017 IIR, the intent of which was to ensure that TS (PV) assessments were being processed to support Australian Intelligence Community workforce requirements.

Audit approach

Audit objective, criteria and scope

1.15 The audit objective was to assess the effectiveness of ASIO’s workforce planning to support key activities. To form a conclusion against the objective, the ANAO adopted the following high level criteria:

  • Is ASIO effectively developing workforce plans to support its key activities?
  • Is ASIO effectively implementing workforce plans?
  • Has Recommendation 12 of the 2017 IIR been implemented to support Australian intelligence community workforce requirements?

1.16 Examination of ASIO’s workforce planning focussed on its current workforce plans; those that are no longer in effect were reviewed and are referred to contextually in the report. The audit scope did not include an examination of implementation of recommendations of previous reviews other than Recommendation 12 of the 2017 IIR. However, previous reviews other than the 2017 IIR provide background as to the importance of workforce planning in ASIO and the audit rationale.

Audit methodology

1.17 The audit method included:

  • reviewing relevant documentation, including policies, project and program performance reporting;
  • analysis of workforce planning and data collection and processes; and
  • interviews with ASIO staff and stakeholders, including the Office of National Intelligence and Department of Defence.

1.18 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of $379,562.

1.19 The team members for this audit were Glen Ewers, Jessica Kanikula, Renee Hall, Paul Bryant, and Alex Wilkinson.

2. Workforce planning to support delivery of key activities

Areas examined

This chapter examined whether the Australian Security Intelligence Organisation (ASIO) is effectively developing workforce planning to support its key activities.

Conclusion

ASIO’s development of workforce plans to support its key activities is largely effective. ASIO has established workforce planning documentation consistent with Australian Public Service Commission guidance, except for the consideration of risk. Workforce decisions are informed by the available data, however ASIO does not have a process to identify capabilities that inform enterprise workforce planning decisions and delivery of its key activities.

Areas for improvement

The ANAO made two recommendations aimed at improving ASIO’s risk assessment in the context of workforce planning and collection of information on workforce capabilities to support enterprise level workforce planning. A suggested improvement is also made to integrate workforce planning documentation and other relevant business planning and strategy documentation.

2.1 Effective workforce planning by ASIO is important to manage the demand on its services in a challenging and changing environment that continues to pose risk to Australia’s national security. To assess whether ASIO is taking a strategic approach to developing its workforce planning, the ANAO assessed ASIO planning documentation against Australian Public Service Commission (APSC) guidance and comparable Australian Government and national security benchmarks and reviewed whether planning is supported by appropriate data analysis.

Is ASIO taking a strategic approach to workforce planning?

ASIO’s current workforce planning aligns with APSC guidance for initiating workforce planning but does not link to other relevant business planning and strategy documents or consider risk.

2.2 ASIO has developed one Workforce Plan since June 2018 (ASIO Workforce Plan 2025 that was endorsed mid-2020) and an ASIO People Strategy 2019–23 (endorsed June 2019). The approach taken to develop the Workforce Plan 2025 and Workforce Action Plans commenced under the Workforce sub-project of the Enterprise Transformation Project in late 2019. (shown in Figure 2.1).

Figure 2.1: ASIO strategic workforce publications and linked activities since June 2018

 

This figure presents a timeline of relevant publications and activities for ASIO’s workforce planning since June 2018 at the enterprise and below enterprise level.

 

Source: ANAO analysis of ASIO documentation.

Workforce planning: June 2018 – June 2020

2.3 From June 2018 to June 2020, drivers for ASIO’s strategic workforce planning included the Enterprise Transformation Program, ASIO Strategy 2018–23, and the ASIO People Strategy 2019–23.

2.4 In 2018, ASIO commenced the Enterprise Transformation Program to implement the recommendations of the Thodey Review26, and take advantage of modern data and technology platforms, and provide ASIO with the tools to better respond to changes in its security and technology environment.27 In June 2020, ASIO’s Executive Committee terminated the Enterprise Transformation Program after two years of operation, based on government advice that it would only consider funding proposals that were directly in response to the social and economic impacts of the COVID-19 pandemic. Workforce sub-projects and data analytics work under the program were also terminated, noting that ASIO continued to invest in the activity after the program ceased. Action items that had not been fully delivered when the workforce sub-projects were closed were continued under business-as-usual workforce management activities.

2.5 ASIO described its Strategy 2018–23 as the ‘roadmap for our enterprise transformation’ that ‘sets the direction to realise our vision of delivering trusted intelligence to secure Australia’.28 The document includes details on workforce groups that assist ASIO to achieve its vision, its services, and its core activities. The Strategy lists ‘People and culture’ among its ‘key enablers’. In July 2020, the Strategy 2018–23 was replaced by the ASIO Corporate Plan 2020–24. In the Plan, key enablers to success are listed as ‘People and Leadership’.

2.6 ASIO’s People Strategy 2019–23 identifies the role of its people in providing trusted intelligence and outlines its ‘commitment to develop and support a high-calibre workforce, able to deliver on [the] ASIO Strategy 2018–23’. ASIO advised that the People Strategy 2019–23 has not been superseded, and initiatives to realise the vision in the document have been reflected in the development of the ASIO Workforce Plan 2025.29

Workforce planning: June 2020 onwards

2.7 After the Enterprise Transformation Program was terminated in June 2020, ASIO established revised strategic workforce planning arrangements under a four-year Corporate Plan. The new Corporate Plan superseded previous corporate planning, and the ASIO Strategy 2018–23.

2.8 Complementing the four-year Corporate Plan, ASIO developed the ASIO Workforce Plan 2025. The Workforce Plan 2025 states ‘people and culture are critical enablers of mission success’, and its purpose ‘is to guide the development of [ASIO’s] future workforce’.

2.9 Linked to the Workforce Plan 2025, Workforce Action Plans have been developed according to job family and similar job functions consistent with the APSC Job Family Model.30 Workforce Action Plans focus on current and future issues for segments of ASIO’s workforce. Two different methods were trialled to develop the first two Workforce Action Plans: one based on structure; and the second, which was preferred, on a capability that comprised several job functions. For their respective workforce segments, the Workforce Action Plans outline the strategic context, current and future state, staff feedback, recommended actions and their relative priority. A third approved Workforce Action Plan followed the same general format and was developed by job function.31

2.10 Other activities that contribute to workforce planning include:

  • Dashboard reporting of workforce data to inform planning decision-making, budget and recruitment planning32, and a pilot application of an Operating Model that was developed under the Enterprise Transformation Program.
  • Analytical reports that cover ASIO’s operating environment, how it intends to respond, and gives effect to its key activities. Together with annual business plans developed at various organisational levels, analytical reports and their accompanying strategy included ASIO’s key activities in more detail than its Corporate Plan, and inform how job functions and business areas are to operate in relevant parts of the organisation.

Alignment with APSC workforce guidance

2.11 The ANAO reviewed ASIO’s workforce planning since June 2020 against APSC workforce planning guidance. With the exception of linking workforce and business planning, and considering enterprise risks, ASIO’s workforce planning is consistent with APSC guidance.33 The ANAO’s analysis is illustrated in Table 2.1.

Table 2.1: ANAO assessment of ASIO Workforce Plan initiation and planning alignment with APSC Guidance

Planning phase

Component

Summary assessment

Initiation

Level of readiness

Who is responsible

Approval and buy-in

Linking workforce and business planning

Planning

Objective

Resources

Scope

Timeframes

Stakeholder engagement

Risk

     

Key:  ASIO workforce planning aligns with all aspects of APSC component.

ASIO workforce planning aligns with some but not all aspects of APSC component.

ASIO workforce planning does not include APSC component.

Source: ANAO analysis of ASIO documentation.

2.12 ASIO workforce planning documentation documented key responsibilities, approvers, linked to current corporate and strategic plans, and specified most planning components. Development of the Workforce Plan 2025 was informed by ASIO executive engagement, and staff survey results collected in 2020. APSC, Australian Intelligence Community and other Commonwealth entity advice was also sought in the development of the Workforce Plan 2025.

2.13 ASIO’s Workforce Plan 2025 and the three Workforce Action Plans did not consistently include references to the documents that influence, or are influenced by workforce planning, so that they are integrated, cohesive and work together to achieve the same outcomes. While there are ad-hoc references to the Corporate Plan and strategically significant documents in workforce planning documentation, there would be merit in ASIO including consistent references to documents such as analytical reports, budget and business plans in its workforce planning documentation.34

Workforce risk

2.14 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the Director-General of ASIO to establish and maintain systems relating to risk and control.35 ASIO must also comply with the Commonwealth Risk Management Policy (CRMP)36, which supports the requirements of section 16 of the PGPA Act. The CRMP includes that entities must:

  • ensure that the systematic management of risk is embedded in key business processes; and
  • develop a positive risk culture where risk is appropriately identified, assessed, communicated and managed across all levels of the entity.

2.15 Under the Enterprise Transformation Program, ASIO established and maintained an enterprise risk register that included a number of risks and controls relating to workforce planning. ASIO discontinued use of the risk register when the Enterprise Transformation Program was terminated in June 2020.

2.16 In October 2020, ASIO finalised an enterprise-level Risk Management Policy, and a Risk Appetite and Tolerance document. Coordination and governance of enterprise risk reporting is listed in the Risk Management Policy as including ‘managing the ASIO Enterprise Risk Register’.

2.17 In February 2021, ASIO’s Executive Committee agreed to a proposed approach for reviewing and assessing enterprise risks and noted that division level risk registers were being developed. In May 2021, the Executive Committee approved an initial version of a risk register that identified risks and controls, including in relation to ASIO’s workforce. However, the register required further validation and identification of risk ratings once controls had been applied.

2.18 ASIO did not document how people or capability enterprise risks are managed by implementing actionable items under the Workforce Plan 2025 or are more likely to occur if they are not effectively implemented. The absence of documented risks and controls associated with strategic workforce planning can compromise ASIO’s awareness of the relationship between its workforce and operational demands.

Recommendation no.1

2.19 The Australian Security Intelligence Organisation identify, document and manage risks and controls associated with its current workforce planning.

Australian Security Intelligence Organisation response: Agreed.

2.20 ASIO acknowledges the importance of managing risk and has implemented an Enterprise Risk Management Policy. ASIO has identified and documented enterprise risks, risk rating and controls in ASIO’s enterprise risk register and in division risk registers. Processes for managing risk are documented in ASIO’s enterprise-level policy for managing enterprise risk, supported by new risk appetite and risk tolerance statements. ASIO notes within its workforce planning approach the existing links to enterprise risk and associated controls could be strengthened and will address this area in the development of future Workforce Action Plans.

Is ASIO workforce planning supported by data analysis?

ASIO workforce planning is supported by available data analysis. However, decisions on enterprise workforce planning and delivery of key organisational activities are not being systematically supported by information on its existing workforce capabilities.

2.21 Accurate and complete workforce data and systems used to support workforce decisions are required to effectively complete workforce planning steps. ASIO’s 2018–19 annual report stated that in 2018 it had commenced the Enterprise Transformation Program ‘to take advantage of modern data and technology platforms and equip ASIO with the tools to better respond to changes in our complex security and technology environments.’37 ASIO reported that the Thodey Review found that it needed ‘to escalate the adoption of more agile models of recruiting, managing, developing and deploying professional staff and skills.’38

Workforce data availability

Workforce dashboards

2.22 Prior to May 2020, ASIO relied on reporting on its workforce using spreadsheets with manual processes that required considerable data manipulation. ASIO’s human resource management system (HRMIS) was its payroll data system. Data extraction into spreadsheet datasets was manually completed, checked and used to support workforce reporting.

2.23 In March 2017, ASIO commenced development of an enterprise data warehouse and automated reporting capability for workforce data. These became operational in May 2020 and are referred to as ‘Workforce Dashboards’. ASIO has documented the procedures to complete the production of reports from this system, identifying the source data and formulae used, formatting required, and outputs that are generated.

2.24 ASIO has used this automated capability to undertake workforce data analytics. Workforce dashboards are supported by a daily extract of 10 years of data and take less time and effort than the previous approach to workforce data analytics.39

2.25 ASIO relies on a mix of manual, and IT monitoring controls to check the accuracy of workforce reporting. Exception reporting and user feedback mechanisms are used as controls to provide assurance over the data quality presented in reports. Exceptions (such as records failing to pass validation rules or failing to transfer between systems) are manually investigated and resolved.

Staff engagement

2.26 Workshops with management, as well as staff survey result summaries also provided data used for workforce planning at all enterprise levels. The results of staff surveys were used as the basis for establishing a baseline for staff satisfaction of career pathways, learning and development, and management of unacceptable behaviour. The survey results were used to inform development of actionable items in each of the three Workforce Action Plans developed to date. Follow up surveys had been initiated or forecast during the course of the audit to update information used to develop workforce planning documentation. Survey data was also used to measure Workforce Plan action item implementation.

Workforce segmentation

2.27 Workforce segmentation is the process of categorising employee groups based on their requirements or characteristics. APSC workforce planning guidance suggests that segments include specific job family, job function or job role within your organisation.40

2.28 ASIO developed a job family model in 2012 and updated the model in 2018.41 In 2019, ASIO commissioned a review of its operating model that emphasised the importance of functions carried out by roles rather than where they are situated within the organisational structure. The review outcome was used as the basis for determining the scope of workforce planning below the enterprise level across the majority of positions in ASIO’s operational workforce.

2.29 Workforce Dashboard reports can be generated to display staff and position data according to nominal or actual occupancy, including organisation structure and job family. As at February 2021, for the purposes of workforce planning, ASIO had the following information available as Workforce Dashboard reports:

  • staff biodata (for example, name, address, date of birth, diversity);
  • position information (for example, headcount, job role and classification);
  • nominal and actual vacancy rates, position history and position movements;
  • allowances and other payroll-related information;
  • separation, commencement and length of service rates;
  • licence holder and mandatory training completion; and
  • stages of performance cycle completion.

2.30 The Workforce Dashboard reports do not report information regarding the skills and capabilities of ASIO’s workforce because this data is not captured. ASIO has previously identified the need for this analysis:

  • a skills audit was planned and not completed under the Enterprise Transformation Program;
  • in January 2020, an assessment of available data was commissioned and reported that data regarding staff competencies, proficiencies and skills was not available at this time. ASIO advised that ‘this was aspirational work that has not progressed further’, and that a forthcoming Human Resource system is expected to provide this capability.

2.31 Information on skills and capabilities of the current workforce provides an input into understanding the extent to which workforce demands are or can be met by internal supply. Currently, at an enterprise level ASIO does not maintain information in relation to skills, experience and capabilities of its existing workforce. ASIO has been aware of these data limitations since October 2018.

2.32 ASIO’s 2019–20 Corporate Plan included actions to develop people and culture, and an approach that ‘identifies future workforce skills and capability requirements, optimises our recruitment pipeline, and modernises our workforce planning practices’. ASIO’s Workforce Plan 2025 also identifies actions to be undertaken to measure its workforce:

  • ‘[w]hat success looks like’ is the statement that ‘[w]e make informed, data-driven decisions and effectively leverage skills and knowledge within the workforce.’
  • ‘[a]ctions to achieve success’ is the actionable item ‘identifying current and future skills gaps to prioritise workforce investment’.
Workforce demand, supply and gaps analysis

2.33 Workforce demands (such as the skills, capabilities, location, and availability requirements of personnel) and supply (the personnel available internally and external to the organisation) are metrics used to consider current and future workforce requirements and to inform decisions.42

2.34 ANAO reviewed ASIO’s available workforce analysis to understand its workforce, as well as the current and future demands on it. There is a clear articulation of the vision and plan for the organisation, and evidence of requirements to deliver it are quantified in a workforce context. Data used to support workforce discussions on responding to demands and gaps was limited to average staffing level data and feedback from the senior executive.

Use of data to support workforce planning

2.35 ASIO’s Executive Committee and Capability and Investment Committee are the Governance committees responsible for strategic workforce planning. Both committees have monthly standing items for workforce updates, as well as additional ad-hoc items as they arise. The ANAO reviewed papers and minutes for committee proceedings between February 2020 and March 2021, which showed that workforce planning decisions were supported by available data analysis on topics such as:

  • recruitment pipeline management;
  • staffing level forecasting and actual reporting against budget allocations;
  • workforce policy implementation;
  • secondments in and out of the organisation;
  • classification profiles and spans of control; and
  • leave usage.

2.36 Meeting records indicate that ASIO actively monitors and makes decisions that impact on its workforce, drawing on data available to it (as listed in paragraph 2.29). However, the absence of a readily available dataset that captures skills, proficiencies and capabilities held by its current workforce, gaps and future requirements, limits the effectiveness of ASIO’s enterprise workforce management.

Recommendation no.2

2.37 The Australian Security Intelligence Organisation develop a process that captures the capabilities of its existing workforce to support enterprise workforce planning decision-making, and delivery of its key activities.

Australian Security Intelligence Organisation response: Agreed.

2.38 This recommendation aligns with ASIO’s future priorities as highlighted within ASIO’s Workforce Plan 2025.

3. Workforce planning implementation

Areas examined

This chapter examines the extent to which the Australian Security Intelligence Organisation (ASIO) is effectively implementing its workforce planning to support delivery of its key activities, as well as monitoring and reporting on implementation progress.

Conclusion

ASIO’s workforce planning implementation to support key activities is partially effective. ASIO has not established an approved implementation plan for workforce planning at the enterprise level. However, ASIO had commenced or implemented the majority of the actionable items in its Workforce Plan 2025. ASIO has not established monitoring and reporting on workforce planning progress or whether its intended outcomes are being achieved.

Areas for improvement

The ANAO made one recommendation aimed at improving monitoring, reporting and evaluation of workforce plan implementation, and an opportunity for improvement to explicitly link activities that have workforce implications with strategic workforce planning.

3.1 Previous ANAO performance audits have found that there is a correlation between effective governance arrangements and implementation of a program.43 This chapter considers whether ASIO has:

  • established arrangements to implement workforce planning to support key activities; and
  • appropriate monitoring and reporting of workforce planning implementation activities.

Have arrangements been established to implement workforce planning to support key activities?

ASIO has not established an approved implementation plan for workforce planning at the enterprise level. However, ASIO has commenced or implemented 20 of 25 actionable items in its Workforce Plan 2025, including the development of three Workforce Action Plans.

Established implementation arrangements

3.2 ASIO’s Executive Committee is responsible for workforce planning, including its implementation at the enterprise level. Executive Committee documents identify that it receives frequent updates on a range of workforce matters, including the development and implementation of workforce planning.

3.3 In July 2020, ASIO’s Executive Committee endorsed the Workforce Plan 202544, two Workforce Action Plans, and the development of a further Action Plan.45 The Committee did not agree to a proposal in the agenda item paper that an implementation schedule be developed mapping existing effort and identifying gaps that will need to be addressed.46 ASIO advised that as at June 2021, there was no approved implementation plan for its Workforce Plan 2025.

3.4 The absence of an approved implementation plan means:

  • action officers assigned to lead item implementation are not documented;
  • a method for measuring the progress of actionable items is not listed;
  • a timeline or milestones for prioritising and delivering each item is not documented;
  • targets or key performance indicators have not been documented to establish a baseline and measure performance over time; and
  • there is no consolidated record of activities that are contributing to the delivery of what is articulated in workforce planning documentation.

3.5 ASIO has established a team that is responsible for strategic human resources, which is also responsible for managing implementation of actionable items in the Workforce Plan.47

Implementation of workforce planning

3.6 In the absence of an implementation plan, ASIO established arrangements to implement certain components of the Workforce Plan 2025. Progress reports have been developed on the implementation of all three Workforce Action Plans, which include details on the status, resourcing and the lead assigned for each actionable item.

3.7 The ANAO reviewed ASIO’s implementation of actionable items listed in its workforce planning. The items examined included:

  • six items listed under ‘What does success look like’, 11 actions under ‘Actions to achieve success’, and eight items listed under ‘Measures’ included in ASIO’s Workforce Plan 2025; and
  • 46 actions to be implemented over a two-three year timeframe contained in three completed Workforce Action Plans.

3.8 A summary of the implementation of actionable items is in Table 3.1, and is based on available evidence of implementation reported to have occurred in practice, or was planned but not yet implemented for ASIO’s current workforce planning (Workforce Plan 2025 and approved Action Plans).

Table 3.1: Summary ANAO assessment of actionable item implementation in ASIO workforce planning by March 2021

Document (date endorsed)

Heading

Number of action items

Summary ANAO assessment of implementation status

Workforce Plan 2025

(July 2020)

What does success look like

6

6 =

Actions to achieve success

11

2 =

6 =

3 =

Measures

8

2 =

4 =

2 =

Workforce Action Plan 1 (July 2020)

15

1 =

14 =

Workforce Action Plan 2 (July 2020)

12

12 =

Workforce Action Plan 3 (February 2021)

19

1 =

6 =

12 =

Total

71

4 =

18 =

37 =

12 =

       

Key:  entity implemented the action in full and within the specified timeframe.

entity implementation has commenced, has not been completed and the specified timeframe has not expired.

entity implementation has commenced but not been completed and the specified timeframe has passed.

implementation of actionable item is not scheduled to have commenced.

evidence of implementation not available.

Source: ANAO analysis of ASIO documentation.

3.9 ASIO had progressed or implemented 20 actionable items in its Workforce Plan 2025 and a further two items in the three Workforce Action Plans. In the absence of an implementation plan for the Workforce Plan 2025, evidence of implementation was not available for the majority of actionable items in the three Workforce Action Plans. Some of these actionable items were listed as a high priority.

Further Workforce Action Plan development

3.10 As at July 2020, two Workforce Action Plans had been developed and approved, and capture workforce planning below the enterprise level. A third Workforce Action Plan was approved in February 2021.48

3.11 ASIO advised that it approved the initial development of three Workforce Action Plans for its operational workforce. ASIO has not determined the number of plans that would be developed under the Workforce Plan 2025, and how many employees would be covered under each one.49 ASIO provided the ANAO with data on staffing levels in March 2021 according to job family, job function and division, which showed that 33 per cent of ASIO staff are covered by an approved Workforce Action Plan, and 67 per cent are not. The three approved Action Plans were not selected from a list that covered the entire workforce.

3.12 For one Workforce Action Plan a business decision was made not to monitor implementation of its actions, and staff survey results that covered this business area would be monitored instead. While monitoring should inform adjustments in workforce planning, the progress reporting did not document why the Workforce Action Plan actions were not progressed in favour of staff survey results.

Recruitment

3.13 Recruitment activity from across the organisation, as well as bulk processes, are consolidated in an annual calendar, and pipelines of intake rates are estimated and addressed by the Executive Committee. At an enterprise level, this is monitored alongside modelling of budgeted and actual average staffing levels. Manager feedback at the branch level is included in enterprise level recruitment planning. However, this qualitative information is not supplemented by:

  • data on the skills, proficiencies and capabilities held by existing staff who could be redeployed to fill a workforce requirement; or
  • skills, proficiencies and capabilities in career planning to inform whether redeployment of existing workforce could offset recruitment.

3.14 The Executive Committee, and Capability and Investment Committee also conduct workforce planning and address the Workforce Plan 2025 as part of the budget planning process. Examples include options to reallocate average staffing levels, adjust contractor to staff ratios, and dependency on certain means of recruitment over others. While there are several references to achieving ‘efficiency’ in ASIO’s Workforce Plan 2025, there is no reference to budget planning being used to support its implementation.

Reallocation

3.15 Separate to the workforce strategic planning process, the Executive Committee approved a pilot program that was intended to align workforce resource allocation to key activities for 2020–21. There was recognition of the pilot program that had occurred in late 2020 in the Workforce Action Plan with which it had overlapping scope. However, the relevant Workforce Action Plan did not refer to the pilot or its findings as actionable items. The pilot program redeployed ASIO’s workforce below the enterprise level according to a shift in organisational priorities. This established a list of capabilities and governance arrangements required for similar changes in the other business areas and resulted in recommendations that are intended to improve the process in future years. While ASIO’s Executive Committee has been updated on progress of the pilot, it has not yet been implemented in other business areas or at an enterprise level.

Are workforce planning implementation activities being appropriately monitored and reported?

ASIO has not established arrangements to monitor Workforce Plan implementation. ASIO has established separate and inconsistent monitoring arrangements for Workforce Action Plan implementation.

3.16 As ASIO has not established an approved implementation plan for the Workforce Plan 2025 (see paragraph 3.3), it has not reported on the progress of its workforce planning at the enterprise level. Executive Committee records indicate that a decision was made to develop Workforce Action Plans without the development of an implementation schedule to map existing effort and identify gaps that will need to be addressed.

3.17 Despite the absence of Workforce Plan 2025 monitoring, arrangements are in place to monitor and report on the progress of individual Workforce Action Plans (see paragraph 3.6). For example, the Executive Committee has requested ad-hoc monitoring and reporting under regular ‘Workforce Update’ items (see paragraphs 3.14).

3.18 ASIO currently has a reform program50 underway with accountability residing with the Executive Committee. Internal progress reporting against this reform program is a better practice example of how ASIO could monitor and report on progress against its workforce planning.

3.19 An evaluation should establish mechanisms so that findings can be shared and inform similar programs or future iterations of workforce planning activities. An evaluation framework for a program of strategic importance to an entity is usually completed during the planning, or early stages of implementation to ensure that progress is measured and recorded in a manner that supports the evaluation.51 ASIO has not established an approach for evaluating the extent to which its workforce planning has achieved its intended outcomes.

Recommendation no.3

3.20 The Australian Security Intelligence Organisation establish and apply an approved implementation plan for its Workforce Plan 2025 and Workforce Action Plans to:

  • document how actionable items will be assigned, prioritised, progressed, and measured;
  • establish monitoring and reporting arrangements on implementation progress to the appropriate oversight body;
  • evaluate the extent to which they are achieving their intended outcomes; and
  • provide data to inform adjustments in response to changes in organisational priorities, or future iterations of its workforce planning.

Australian Security Intelligence Organisation response: Agreed.

3.21 ASIO recognises the importance of an established implementation plan to monitor and report on progress. Approval of the draft ASIO Workforce Planning Implementation Framework (provided to ANAO during this audit) will be sought and implemented.

4. Top Secret Positive Vetting security assessments to support Australian Intelligence Community workforce requirements

Areas examined

This chapter examines the Australian Security Intelligence Organisation’s (ASIO’s) strategy for, and implementation of, Recommendation 12 of the 2017 Independent Intelligence Review to support workforce on-boarding in the Australian Intelligence Community.

Conclusion

ASIO implemented Recommendation 12 of the 2017 Independent Intelligence Review. Top Secret Positive Vetting cases and processing times reduced, and a significantly reduced backlog of cases remained after the remediation had concluded.

Areas for improvement

ASIO should formalise a framework for initiating surge arrangements when faced with both anticipated and unanticipated increases in demand for security assessments, in order to mitigate the risk of shortages of resources needed to address high volumes of cases in a timely fashion.

4.1 Timely on-boarding of fully vetted personnel is essential in order to effectively meet APS workforce requirements. Under the Australian Government Protective Security Policy Framework (PSPF), ASIO is responsible for conducting the personnel security assessment component of applications for, and revalidations of, security clearances to access any information or place, the access of which is controlled or limited on security grounds. Part IV of the ASIO Act 1979 specifies ASIO’s role to assess whether access by a person to any information or place, access to which is controlled or limited on security grounds, would be consistent with the requirements of security.

4.2 To improve the timeliness and robustness in the processing of Top Secret Positive Vetting (TS (PV)) security clearances, Recommendation 12 of the 2017 Independent Intelligence Review (2017 IIR) stated:

‘[t]he Australian Security Intelligence Organisation receive additional resourcing to allow it to second staff to the Australian Government Security Vetting Agency (AGSVA) as soon as possible, and that the situation with AGSVA Top Secret (Positive Vetting) clearances be reviewed in early 2018 to allow time for the current remediation program to have effect. If processing times still exceed six months, alternative options for Top Secret (Positive Vetting) clearances should be explored.’

4.3 Timely security clearance processing ensures that recruitment and on-boarding of APS staff into roles that are of importance to Australia’s national security can occur in a reasonable timeframe. When recruiting for roles that require access to highly classified material, personnel are required to obtain a TS (PV) level security clearance before they can occupy most positions within the Australian Intelligence Community (AIC).

4.4 To assess whether Recommendation 12 of the 2017 IIR has been effectively implemented to support Australian intelligence community workforce requirements, the ANAO examined ASIO’s:

  • strategy development in response to the recommendation; and
  • monitoring and reporting of strategy implementation, including the extent to which it was implemented, and any arrangements that were in place to ensure they would continue to support AIC workforce requirements.

Was an effective strategy developed to manage ASIO secondees for the purpose of implementing the 2017 IIR?

ASIO developed an effective strategy to manage the provision of resourcing for the purpose of implementing Recommendation 12 of the 2017 IIR. ASIO’s actual approach to resourcing did not fully align with its strategy in that the majority of additional resources remained in ASIO rather than being seconded to the Australian Government Security Vetting Agency (AGSVA). However, the strategy was implemented with appropriate use of governance arrangements with AGSVA and other Commonwealth entities.

Strategy development

4.5 In July 2017, ASIO finalised its response to Recommendation 12 of the 2017 IIR, which would involve seconding staff to AGSVA to increase security assessment resourcing and reinforce cooperation and knowledge-sharing between the two agencies. ASIO interpreted Recommendation 12 as only applying to the legacy backlog of 1,266 specific TS (PV) cases. The government approved ASIO’s response and provided funding over two years.52

4.6 In December 2017, ASIO’s Executive approved an implementation plan to deploy nine secondees to AGSVA. Under the implementation plan, ASIO would:

  • use a phased recruitment process to source nine ASIO secondees over the agreed two year period in order to minimise impact on other business areas;
  • recruit secondees via an internal expression of interest (EOI) process;
  • ensure all secondees sourced have their positions backfilled before they are deployed; and
  • install appropriate infrastructure so that the secondees could use ASIO systems during their deployment.

4.7 An existing inter-agency oversight body with senior executive membership, including the Department of Defence and ASIO, called the ‘AGSVA Governance Board’ monitored progress of:

  • remediating the ‘legacy’ backlog of TS (PV) cases53; and
  • reducing overall security clearance processing timeframes.

4.8 On 11 December 2017, the ASIO Director-General wrote to the Secretary for Defence regarding positive vetting remediation, including ASIO’s efforts in introducing efficiencies. This included an update on ASIO’s intention to second staff to AGSVA.

4.9 In May 2018, bilateral arrangements between ASIO and AGSVA were used to revise existing arrangements to remediate the backlog of TS (PV) cases under the ASIO-AGSVA Protocol (the protocol). The protocol specified duties to be undertaken by both entities, their respective responsibilities, benchmarks to monitor performance, and means by which the two entities would communicate (discussed further in paragraph 4.18). Secondee terms and conditions were also agreed under a Memorandum of Understanding (MoU) signed in July 2018. Another iteration of the protocol was signed in February 2021, however ASIO security assessment responsibilities and benchmarks were unchanged.54

Strategy implementation

4.10 Arrangements formalised under the protocol were implemented, with regular communication between ASIO and AGSVA, covering activity that demonstrated that an effective strategy had been developed, which is consistent with the intent of the recommendation.

4.11 As part of the implementation plan, an internal EOI was released between December 2017 and January 2018 to identify the resources required. One third of the required resources were considered suitable from the EOI. In addition to there being an insufficient number of identified suitable resources, those that were recruited could not be deployed until:

  • they were suitably trained for the role; and
  • their line areas had capacity to release them.

4.12 A second EOI in May 2018 identified the remaining two thirds of resources. In July 2018, ASIO seconded 22 per cent of resources to AGSVA. By October 2018, the remaining resources had been redeployed internally to form the Independent Intelligence Review Response team (IIRRT).

4.13 The secondees to AGSVA were tasked with providing AGSVA vetting officers with specialised expertise in security matters, strengthening communication and coordination between the two agencies, and helping to improve and streamline vetting processes. The IIRRT was primarily responsible for completing security assessments for the legacy backlog of TS (PV) cases. The IIRRT functions were supplemented by other initiatives to remediate TS (PV) security assessment case numbers, including:

  • short-term surge capacity55;
  • overtime conditions;
  • new recruit rotation prior to their intelligence development program commencement;
  • deployment of a triaging case management system; and
  • other process reviews to increase assessment efficiency.56

4.14 The implementation plan had forecast that the first resources selected were scheduled to commence their secondment by February 2018. However, the need for a second EOI delayed full implementation of the secondment program. The implementation plan also stated that all secondees would be deployed by ‘no later than January 2019’. Despite the delays and modifications to plan implementation, deployment occurred within the timeframe specified in the implementation plan. The time taken to complete recruitment and on-boarding of additional resources aligns with findings from a previous ANAO audit of ASIO security assessments.57

Processing Review

4.15 Recommendation 12 of the 2017 IIR also included that if TS (PV) clearance processing times still exceeded six months by early 2018, then a review should be conducted that explores alternative options for processing TS (PV) cases. The timeframe in the recommendation of early 2018 was ‘to allow time for the current remediation program to have effect’.58 The review therefore did not commence until after the additional resourcing was made available within ASIO and to AGSVA (as discussed in paragraph 4.12).

4.16 In March 2019, the government commissioned an independent review of options for TS (PV) processing in response to clearance processing timeframes exceeding six months. While the trigger for the review was contained in Recommendation 12 of the 2017 IIR, a government decision directed responsibility for it to a taskforce within the Department of the Prime Minister and Cabinet, rather than ASIO. ASIO was not accountable for implementation of this component of Recommendation 12 of the 2017 IIR, however its scope would include TS (PV) security assessments. The review report was completed in December 2019.

Was performance of personnel security assessment performance monitored and reported?

ASIO has effectively established monitoring and reporting of its personnel security assessment performance. Monitoring and reporting arrangements have been established with AGSVA and other Commonwealth entities. The legacy backlog of 1,266 specific TS (PV) cases referred to in the 2017 IIR was remediated by January 2020, with a significantly reduced backlog of TS (PV) cases remaining. ASIO reported that it achieved its benchmark for ‘routine’ TS (PV) security assessments less than 50 per cent of the time in each month between March 2020 and February 2021. Use of overtime conditions and surge capacity has had a material impact on ASIO’s security assessment performance, but procedures have not been developed to formalise use of surge capacity.

Monitoring and reporting arrangements

4.17 To monitor its personnel security assessment performance between 2017 and 2020, ASIO collected information on the:

  • cases referred to ASIO;
  • cases assessed;
  • number of cases that are routine or complex;
  • time required to complete the security assessment;
  • case volumes by sponsoring entity; and
  • effectiveness of the secondees in AGSVA.

4.18 Since July 2017, ASIO has prepared regular progress reports that indicate the status of personnel security assessment arrangements and remediation of processing backlogs as they arise. Progress reports were provided to:

  • AGSVA Governance Board meetings on a quarterly basis;
  • bilateral meetings between ASIO and AGSVA on a monthly basis; and
  • ASIO Executive Board reporting by exception.

4.19 ASIO’s monitoring and reporting has been used to identify and implement efficiencies in its security assessment and vetting processes.59

4.20 The ANAO reviewed progress reporting on secondment arrangements by ASIO. ASIO reported on progress of its internal secondees to the AGSVA Governance Board, as well as the monthly ASIO-AGSVA meetings. Reporting also showed that from October 2018 the legacy backlog identified in the 2017 IIR was steadily remediated and had been officially cleared by January 2020. For its secondees to AGSVA, ASIO received progress reports under its MoU that included feedback on secondee performance and their impact on clearance processing. The impact of surge60 and use of overtime was also regularly reported to the same forums.

Personnel security assessment performance

4.21 Recommendation 12 of the 2017 IIR was made in response to findings that:

  • ‘the time it takes to process a TS (PV) is unacceptably long’; and
  • ‘it is of critical importance that the clearance process remains robust’.61
Processing timeliness

4.22 In June 2017 AGSVA’s key performance indicator (KPI) for processing a security clearance application was nine months (180 business days). Under the protocol with AGSVA, ASIO has two agreed key performance indicators (KPI) for its completion of personnel security assessments; in 80 per cent of cases, ASIO agreed to the following processing timeframes:

  • ‘routine’ TS (PV) security assessments within 30 business days; and
  • ‘priority’ TS (PV) security assessments within 15 business days.

4.23 Figure 4.1 shows the percentage of security assessments completed by ASIO within agreed KPIs between July 2018 and February 2021.

Figure 4.1: Percentage of security assessments completed within agreed KPIs between July 2018 and February 2021

 

Note: ASIO collects data on Routine, Priority and Complex cases. Complex cases are not included in the KPI calculation and so have been omitted from the figure.

Source: ANAO analysis of ASIO data.

4.24 Figure 4.1 shows that ASIO data on the timeliness of ‘routine’ security assessment processing has fluctuated between July 2018 and February 2021, while its ‘priority’ assessment KPIs have been achieved for all months in the period. It also suggests that ASIO has been able to meet both KPIs between November 2018 and July 2019. However, routine assessment timeliness was reported as being below the agreed 80 per cent KPI for the majority of months between July 2019 and November 2019. ASIO attributed not meeting its benchmark during this period to significantly increased referral numbers, general staff absences, and having no available trained staff or new recruits across the organisation.

4.25 ASIO’s TS (PV) backlog and average processing times (see Table 4.1) declined substantially but a backlog has continued during and after remediation of the legacy backlog. Reported average processing times of TS (PV) cases had also decreased over time and remained within the 180 business day (nine month) benchmark since October 2019.

Table 4.1: ASIO’s TS (PV) backlog and processing times, 2018–19 to 2020–21

Performance as at:

14 March 2019

3 June 2019

31 October 2019

2 March 2020

2 June 2020

20 January 2021

TS (PV) backlog size

592

281

47

36

63

100

Average processing times – business days (months)

296

292 (14.6)

165 (8.3)

152 (7.6)

148 (7.4)

162 (8.1)

             

Source: ASIO reporting to the AGSVA Governance Board.

4.26 The ANAO also reviewed TS (PV) case volumes on hand at the end of each month to determine the extent to which this was a factor in driving ASIO performance against its timeliness KPIs (shown in Figure 4.2).

Figure 4.2: Number of Positive Vetting security assessment cases on-hand each month between July 2018 and February 2021

 

Note: ASIO collects data on Routine, Priority and Complex cases. Complex cases are not included in the cases on hand calculation and so have been omitted from the figure.

Source: ANAO analysis of ASIO data.

4.27 Figure 4.2 suggests that assessment volumes have decreased for the majority of the time between July 2018 and February 2021, with a moderate increase between November 2019 and September 2020.

4.28 According to an ASIO internal briefing, there were 1,266 cases in the backlog referred to in the 2017 IIR in October 2018 when the secondment program commenced. By September 2019, the backlog had been diminished to 17 cases (a 99 per cent reduction). The legacy backlog was remediated completely by January 2020, addressing ASIO’s interpretation of the intent of Recommendation 12 of the 2017 IIR. However, a backlog persisted after the recommendation had been implemented.62

Processing arrangements

4.29 While security assessment volumes decreased between July 2017 and January 2020, ASIO advised that the security environment and the impact that this will have on demand for TS (PV) security assessments remains unpredictable. ASIO has established processing arrangements to respond to unpredictable security assessment demand. ASIO has historically used overtime and surge capacity of additional staff resources in response to increases in demand for security assessments.

4.30 ASIO’s internal reporting reflects a significant reliance on the use of overtime conditions under ASIO’s enterprise agreement in response to events where there has been an excessively high security assessment demand that is creating a backlog of cases. The timing of use of overtime aligns with ASIO reporting having met its KPIs more often, and a downward trend in case volumes.

4.31 Records of ASIO’s use of surge capacity during the timeframe covered in Figure 4.1 and Figure 4.2 show that this is conducted according to assessed priorities at the discretion of accountable personnel, rather than according to approved surge capacity procedures. The timing of initiated surge capacity aligns with ASIO reporting having met its KPIs more often, and a downward trend in case volumes. However, consistent with a recommendation from a previous ANAO report in 2011–1263 there is merit in ASIO formalising surge capacity procedures that document that parameters such as:

  • governance and accountabilities for decisions and reporting of surge capacity64;
  • conditions to initiate, increase and cease use of surge capacity;
  • resourcing-to-case ratios to guide capacity to be requested;
  • minimum training requirements that personnel must complete and maintain in order to participate in surge activity; and
  • a register of personnel who are trained and can provide additional surge capacity if they can be released from their position to do so.

Appendices

Appendix 1 Australian Security Intelligence Organisation response

 

The first page of the response from the Australian Security Intelligence Agency .You can find a summary of the response in the summary and recommendations chapter of this report.

 

 

The second page of the response from the Australian Security Intelligence Agency .You can find a summary of the response in the summary and recommendations chapter of this report.

 

Appendix 2 Performance improvements observed by the ANAO

1. The fact that independent external audit exists, and the accompanying potential for scrutiny, improves performance. Program-level improvements usually occur: in anticipation of ANAO audit activity; during an audit engagement as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • initiating reviews or investigations; and
  • introducing or revising policies or guidelines.

4. In this context, the below improvements were observed by the ANAO during the course of the audit. It is not clear if these actions and/or the timing of these actions were already planned before this audit commenced. The ANAO has not sought to obtain reasonable assurance over the source of these improvements or whether they have been appropriately implemented.

5. Performance improvements observed by the ANAO during the course of this audit were that ASIO:

  • established a new Workforce Plan (see paragraph 2.2);
  • established an enterprise risk register (paragraph 2.17);
  • upgraded payroll data analysis and dashboard reporting that inform workforce planning (see paragraph 2.21 to 2.25);
  • implemented pilot reallocation program (see paragraph 3.15); and
  • upgraded personnel security assessment data analysis and dashboard reporting to inform surge decisions (see paragraph 4.31).

Footnotes

1Australian Security Intelligence Organisation Act 1979, section 17.

2 Australian Security Intelligence Organisation, ASIO Corporate Plan 2021–25, p. 10, available from https://www.asio.gov.au/sites/default/files/ASIO Corporate Plan 2021-25.pdf [accessed 30 August 2021].

3 Commonwealth of Australia, APSC Workforce planning guide, Initiation and planning for workforce planning, December 2011, p. 6.

4 Australian Security Intelligence Organisation, ASIO Annual Report 2019–20, p. 11, available from https://www.asio.gov.au/sites/default/files/ASIO Annual Report 2019-20.pdf [accessed 30 August 2021].

5 Reviews in this context refer to the: Australian Government, Independent Intelligence Review and A Digital Transformation of the Australian Security Intelligence Organisation, Canberra, 2017 (hitherto referred to as the Thodey Review).

6 The AIC currently consists of: ASIO, the Australian Secret Intelligence Service, the Office of National Intelligence, the Defence Intelligence Organisation, the Australian Signals Directorate, and the Australian Geospatial-Intelligence Organisation.

7 Commissioned by the Australian Government.

8 Commonwealth of Australia, 2021–22 Australian Security Intelligence Organisation Budget Statements, p. 172.

9Australian Security Intelligence Organisation Act 1979, section 17.

10 Australian Security Intelligence Organisation, ASIO Corporate Plan 2021–25, p. 10, available from https://www.asio.gov.au/sites/default/files/ASIO Corporate Plan 2021-25.pdf [accessed 30 August 2021].

11 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 8, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

12 Australian Security Intelligence Organisation, Director-General’s Annual Threat Assessment, 17 March 2021, available from https://www.asio.gov.au/publications/speeches-and-statements/director-generals-annual-threat-assessment-2021.html#skip-link [accessed 30 August 2021].

13 Australian Security Intelligence Organisation, ASIO Annual Report 2019–20, p. 11, available from https://www.asio.gov.au/sites/default/files/ASIO Annual Report 2019-20.pdf [accessed 30 August 2021].

14 Commonwealth of Australia, APSC Workforce planning guide — Initiation and planning for workforce planning, December 2011, p. 6.

15 Commonwealth of Australia, APSC Workforce planning guide, December 2011.

16 Commonwealth of Australia, APSC Workforce planning guideInitiation and planning for workforce planning, December 2011, p. 14.

17 See both the 1979 and 1983 Hope Royal Commissions.

18 The Report was commissioned by the Australian Government on 7 November 2016.

19 Commonwealth of Australia, Department of the Prime Minister and Cabinet, 2017 Independent Intelligence Review, 2017, p. 18, available from https://pmc.gov.au/sites/default/files/publications/2017-Independent-Intelligence-Review.pdf [accessed 30 August 2021].

20 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 44, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

21 Australian Security Intelligence Organisation, ASIO Annual Report 2019–20, p. 44, available from https://www.asio.gov.au/sites/default/files/ASIO Annual Report 2019-20.pdf [accessed 30 August 2021].

22 Australian Security Intelligence Organisation, ASIO Annual Report 2017–18, p. 5, available from https://www.asio.gov.au/sites/default/files/ASIO%20Annual%20Report%20to%20Parliament%202017-18.pdf [accessed 30 August 2021].

23 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 5, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

24 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 54, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

25 Commonwealth of Australia, Department of the Prime Minister and Cabinet, 2017 Independent Intelligence Review, 2017, p. 77, available from https://pmc.gov.au/sites/default/files/publications/2017-Independent-Intelligence-Review.pdf [accessed 30 August 2021].

26 See paragraph 1.11.

27 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 5, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

28 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 6, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%2… [accessed 30 August 2021].

29 See paragraph 2.2.

30 The Job Family Model is one of the APSC’s key Workforce Planning tools. The Job Family Model provides a standardised system for classifying and comparing roles across the APS and associated organisations. Each Job Family is made up of one or more Job Functions. They are the second tier of the model’s hierarchy and represent a subgroup of jobs that require similar skills, capabilities, knowledge and training.

31 Workforce Action Plans are further discussed in paragraphs 3.10–3.13.

32 See paragraphs 2.20–2.23.

33 Commonwealth of Australia, APSC Workforce Planning guide – initiation and planning for workforce planning, December 2011, pp. 8–17.

34 ASIO advised the ANAO that as corporate strategy documents are developed they are incorporated into continuous workforce planning activities.

35Public Governance, Performance and Accountability Act 2013, section 16.

36 Commonwealth of Australia, Commonwealth Risk Management Policy - Public Governance, Performance and Accountability, 2013.

37 Australian Security Intelligence Organisation, ASIO Annual Report 2018–19, p. 5, available from https://www.asio.gov.au/sites/default/files/2018-19%20Annual%20Report%20WEB2.pdf [accessed 30 August 2021].

38 Australian Security Intelligence Organisation, ASIO Annual Report 2017–18, p. 66, available from https://www.asio.gov.au/sites/default/files/ASIO%20Annual%20Report%20to%20Parliament%202017-18.pdf [accessed 30 August 2021].

39 ASIO advised that one report that took one staff member up to three days to produce into a spreadsheet now takes one staff member six minutes.

40 Commonwealth of Australia, APSC Workforce Planning Guide Module 4 – Segmenting your workforce, 2011, p. 4.

41 ASIO also advised of its plans to conduct a further update to its list of job functions in 2021.

42 Commonwealth of Australia, APSC Workforce Planning Guide Module 5 — Demand Analysis, 2011; Commonwealth of Australia, APSC Workforce Planning Guide Module 6 — Supply Analysis, 2011.

43 ANAO, Audit Insights — Implementation of Recommendations [Internet], 2021, available from https://www.anao.gov.au/work/audit-insights/implementation-recommendations-2021 [accessed 30 August 2021].

44 See Chapter 2, paragraph 2.8.

45 See Chapter 2, paragraph 2.9. A further Workforce Action Plan was completed during the audit.

46 The meeting decisions recorded were that the Committee endorsed the Workforce Plan 2025, noted two completed Workforce Action Plans, noted the planned development of one further Workforce Action Plan and asked all other work stop.

47 In June 2020 when the Workforce Plan 2025 was being finalised ASIO had 3.0 FTE dedicated to strategic human resources (including workforce planning). As at March 2021, resourcing had increased to 4.0 FTE (responsible for workforce planning and associated people strategy initiatives such as People Capability Framework implementation and pulse check 2021).

48 See Chapter 2, paragraph 2.9.

49 A decision has not been made to have a Workforce Action Plan for each segment of its workforce, with the Workforce Plan 2025 covering the entire workforce.

50 ‘Reform Program’ was listed as a key priority in the ASIO Corporate Plan 2020–24.

51 Auditor-General Report No.47 2018–19, Evaluating Aboriginal and Torres Strait Islander Programs, p. 11, available from https://www.anao.gov.au/work/performance-audit/evaluating-indigenous-programs.

52 The appropriation split was $1 million in 2017–18, and $1.4 million in 2018–19.

53 The ‘legacy’ backlog is comprised of all aged cases on hand that have been received by ASIO prior to (and including) October 2018. Cases received after October 2018 do not fall under the category of ‘legacy caseload’ as referred to in AGSVA Governance Board reporting.

54 The revised version reflects a priority for the strengthening of the relationship between ASIO/AGSVA; amendments were minor - KPI’s for ASIO remain the same at the time this audit was undertaken, though ASIO have advised that ‘the KPIs are “to be updated” and this is the subject of ongoing discussion between ASIO and AGSVA’.

55 ‘Surge’ is a function that draws on personnel with a specific skillset to provide extra capacity when needed for a limited amount of time.

56 Some of these initiatives had already been utilised to accommodate remediation of backlogs/increasing processing times within the security assessment team prior to the release of the 2017 IIR.

57 Auditor-General Report No.49 2011–12 Security Assessments of Individuals found that sourcing staff qualified in conducting security assessments and vetting is particularly difficult (given the specialised nature of this field).

58 The remediation program specified in the recommendation was referring to AGSVA’s program of work to remediate their own backlog. This had commenced in 2016.

59 For example, referral rates from AGSVA to ASIO were reported to have decreased due to an increased mutual understanding of cases that do not require a security assessment.

60 Surge was used to help remediate backlog and respond to increased assessment referrals.

61 Commonwealth of Australia, Department of the Prime Minister and Cabinet, 2017 Independent Intelligence Review, 2017, p. 78, available from https://pmc.gov.au/sites/default/files/publications/2017-Independent-Intelligence-Review.pdf [accessed 30 August 2021].

62 See Table 4.1 above.

63 Recommendation 1, to which ASIO agreed, was: ‘To strengthen workforce planning strategies, including for a contingency or surge capacity for the security assessment branches, the ANAO recommends that ASIO:

  • periodically re‐assesses staffing levels of the security assessment branches based on current and projected risks, priorities, and caseloads; and
  • develops a workforce plan for the Security Assessments and Border Investigations Division.’

64 The ANAO acknowledges that there exists a process for approvals to initiate surge, namely through discretionary appeal to the Executive Board, however this process is reactive and carries with it administrative risks.