Thank you for inviting me to speak today and I am sorry I am not Julian Hill MP who you were expecting to hear from. Up until the ministerial changes that took effect from Monday of this week, Mr Hill was the Chair of the Joint Committee of Public Accounts and Audit (JCPAA) and before that he was the Deputy Chair. Given Mr Hill's appointment as an Assistant Minister, someone else will be taking over as chair of the JCPAA and hopefully we will hear who that is soon.

The subject of Building a Public Sector with the strong foundations of integrity and trust is one that is critical to the effective operation of the public service.

I am sure I will cover some of the same things that Mr Hill would have covered, as I am going to touch on some recent JCPAA inquiries and reports. The JCPAA recently concluded its inquiry into probity and ethics in the Australian public sector and released Report 502 – called The never-ending quest for the golden thread - Probity and ethics in the Australian public sector. I will refer to this as the "golden thread" report in this presentation. The ANAO made a submission to this inquiry and I am going to use that submission as the base for my presentation today, supplemented with the recommendations and conclusions made by the JCPAA and some insights from some recent ANAO audit work.

In seeking to achieve the outcomes required by Parliament and Government for citizens, the Australian public sector operates largely under principles-based frameworks, established by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Public Service Act 1999 (Public Service Act). While principles-based, these frameworks impose high expectations, including: 'high standards of governance, performance and accountability'; and 'an apolitical public service that is efficient and effective in serving the Government, the Parliament and the Australian public'.

The specific integrity, probity and ethical arrangements applying to public sector personnel will depend on the type of organisation that engages them and their engagement status. The PGPA Act establishes the overarching governance, performance and accountability framework for resource use and management within the sector and refers to 'entities' headed by 'accountable authorities' and comprising 'officials'. The Public Service Act regulates the conduct and employment of a specific group of officials comprising the Australian Public Service (APS) and refers to 'agencies' headed by 'agency heads' and comprising 'APS employees'.

Not all PGPA Act officials are in the APS, and separate arrangements may apply to statutory office holders and contractors.

Within the sector, there is both collective and individual responsibility for maintaining integrity, probity and ethical conduct — shared by framework policy owners, the heads of public sector organisations, and their personnel. The approach taken to compliance by each of these actors is fundamental to integrity outcomes in the public sector context, as, as the APSC itself says, 'compliance ensures standards for integrity are met'.

Policy owners establish the rules of operation in key areas — including resource use and management, procurement, grants administration, cyber security, record-keeping, legal work, Freedom of Information and integrity — and then largely rely on PGPA accountable authorities and APS agency heads to be responsible for compliance. Under the principles-based approach, mandatory rules are largely set to control actions where risks are deemed highest.

Some key policy owners include: the Department of Finance for the PGPA Act framework, procurement and grants; the Australian Public Service Commission for the Public Service Act integrity framework; the National Archives of Australia for the record-keeping framework; and the Attorney-General's Department for the performance of Commonwealth legal work and the Legal Services Directions.

The heads of public sector organisations also establish internal frameworks within their organisations to instruct their personnel on certain matters. For example, the accountable authority of a PGPA entity is authorised to issue Accountable Authority Instructions (AAIs), which can impose obligations additional to the minimum standards established under the PGPA Act and PGPA Rule. The PGPA Rule and other legislative instruments such as the Commonwealth Procurement Rules and Commonwealth Grants Rules and Guidelines establish the requirements and procedures necessary to give effect to the governance, performance and accountability matters covered by the PGPA Act.

At the individual level, the PGPA Act contains 'general duties of officials' applying to both the accountable authority and entity officials, which are relevant to integrity, probity and ethics. The general duties relate to: acting with care and diligence; acting honestly, in good faith and for a proper purpose; not misusing one's position; the proper use of information; and disclosing interests. Taken together, the general duties establish an overarching framework for integrity, probity and ethical behaviour applying to the accountable authorities and officials of all PGPA Act entities.

There are also 'general duties of accountable authorities' applying to the accountable authority of a PGPA entity. These include the duty to govern the entity in a way that promotes the proper use and management of public resources for which the accountable authority is responsible.

If an organisation is also an agency under the Public Service Act, additional ethical and probity requirements apply to its leaders and APS employees, including the APS Values and APS Code of Conduct set out in the Act. The Act provides that an agency head 'must uphold and promote the APS Values' and members of the Senior Executive Service (SES) are expected to promote the APS Values and Code of Conduct 'by personal example and other appropriate means'.However, these requirements do not directly apply outside of the APS.

The APS Values include an 'Ethical' value, which is that: 'The APS demonstrates leadership, is trustworthy, and acts with integrity, in all that it does.' The Australian Public Service Commissioner may issue directions relating to the APS Values. The Directions set out requirements to be met to uphold the 'Ethical' value. The requirements include: 'acting in a way that models and promotes the highest standard of ethical behaviour', 'complying with all relevant laws, appropriate professional standards and the APS Code of Conduct' and 'acting in a way that is right and proper, as well as technically and legally correct or preferable'.

The APS Code of Conduct has 13 requirements that include:

• behaving honestly and with integrity in connection with APS employment;
•  acting with care and diligence;
• complying with all applicable Australian laws;
• complying with any lawful and reasonable direction;
• avoiding conflicts of interest and disclosing material personal interests;
• proper use of resources;
• not providing false or misleading information;
• not misusing power or authority;
• upholding the APS values; and
• upholding the integrity and good reputation of the agency and the APS.

Further probity requirements apply to APS Senior Executive Service (SES) employees and/or APS agency heads. These include the declaration of interests and the declaration of gifts, benefits and hospitality.

Section 57 of the Act specifies the responsibilities of the Secretary of a Department. These include: 'to implement measures directed at ensuring that the Department complies with the law'.

The interaction between the Public Service Act and PGPA Act is recognised in section 32 of the PGPA Act. It states that to avoid doubt, the finance law is an Australian law for the purposes of subsection 13(4) of the Public Service Act. If the Public Service Act applies to an official of a PGPA entity, the official will be required under subsection 13(4) of the Public Service Act to comply with applicable Australian laws, which include the finance law.

This means that if the official contravenes the finance law, sanctions may be imposed on the official under section 15 of the Public Service Act.

The integrity, probity and ethical requirements applying to contractors are managed in different ways, at an agency level, as there is no whole-of-workforce framework or approach applying across the APS. This is the case notwithstanding the fact that a large number of contractors are doing work in and as part of the operations of APS agencies, alongside APS personnel, as part of a mixed workforce.

In addition, activity-specific frameworks will often contain ethical requirements focused on the activity they regulate. These include the frameworks for: grants administration; government procurement; government advertising; protective security; appearing before parliament; the caretaker period; liaising with lobbyists; conducting investigations; legal work; risk management; and fraud and corruption control.

Integrity, probity and ethical requirements, including those in activity-specific frameworks, may be expressed as minimum requirements. Further requirements may be established by the head of an organisation through AAIs and internal policies. Public sector personnel must also comply with any applicable ethical requirements set out in general government policies, professional codes and standards, or legislation (such as the enabling legislation of statutory bodies and corporations law).

The National Anti-Corruption Commission (NACC) has also released a summary of integrity arrangements, titled Towards Integrity Maturity: Mapping the Commonwealth integrity landscape.

The ANAO audits against framework requirements, to provide independent assurance to Parliament and assist it to hold the executive government to account.

In recent years the ANAO has increasingly brought into scope issues of ethics (as defined in the PGPA Act and Public Service Act), particularly where meeting mandatory requirements is not sufficient to ensure compliance with the high expectations set out in principles-based legislation and frameworks. If you are interested in understanding more about this enhanced focus, including the development of ANAO methodology guidance for audits of ethics, it is set out in Appendix 1 of the submission we made to the JCPAA probity and ethics inquiry.

As part of its inquiry the JCPAA reviewed a number of ANAO performance audits that were either planned by the ANAO to review aspects of selected entities' probity management, or made findings relating to ethics in the course of a wider ANAO review of program administration. These audits were:

• Auditor-General Report No.31 2022–23 Administration of the Community Health and Hospitals Program
• Auditor-General Report No.18 2022–23 The Acquisition, Management and Leasing of Artworks by Artbank
• Auditor-General Report No.30 2022–23 Probity Management in Financial Regulators — Australian Prudential Regulation Authority
• Auditor-General Report No.36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission
• Auditor-General Report No.38 2022–23 Probity Management in Financial Regulators — Australian Competition and Consumer Commission

The ANAO has commenced a rolling program of performance audits that assess compliance with key areas of the proper use of resources under the PGPA Act and the Public Service Act. Topics that we have undertaken or that we have underway are compliance with credit card requirements; gifts, benefits and hospitality; and management of conflicts of interest.

Our focus on compliance in this area is in response to the issues identified in recent audit reports, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, the Royal Commission into Robodebt, and the concerns of the Parliament.  They can tell the Parliament about the "tone at the top". I note that Senate Estimates committees have, across portfolios, pursued lines of questioning with respect to gifts and hospitality in at least the last 3 sessions.  It is clearly an area of Parliamentary interest.

The JCPAA in its recent Report No. 504: Inquiry into Procurement at Services Australia and the NDIA has recommended:

• [Recommendation 4] that the Department of Finance and the Digital Transformation Agency take appropriate action to understand the extent to which inappropriate cultivation of Commonwealth officials may be occurring as a result of hospitality and gifts by major ICT vendors; and also
• [Recommendation 5] that the Australian National Audit Office consider the evidence and issues raised in this inquiry and consider further audits in relation to gifts and hospitality issues in the public sector to identify practices of concern, raise awareness, and help to build ethical cultures that operate with probity. This may include exercising its powers to obtain information from private sector entities that contract to the Commonwealth, in relation to gifts and hospitality provided to public officials.

Recently the ANAO tabled an audit of the APSC's Administration of Integrity Functions using our ethics methodology. This was an audit looking at the system level and we will continue our program of audits into the implementation of ethical frameworks by entities in the 2024-25 audit cycle. We have just commenced an audit into the implementation of ethical frameworks by the Department of Employment and Workplace Relations.

ANAO audits provide evidence that the Australian public sector regularly falls short of complying with both the intent and requirements of its regulatory frameworks and lacks effective accountability for performance. Some identified non-compliance has been deliberate, raising ethical issues including at the leadership level.

While audit findings do not prove that there is a systemic integrity problem, long-running findings are an indicator that action is necessary to avert the risk of issues becoming systemic. All of which indicate that current approaches may not be effectively supporting framework expectations of a high integrity culture.

This raises the question of whether the current risk tolerance for compliance with framework expectations is appropriately supporting integrity. Audits suggest that in making outcome versus compliance decisions, the risk tolerance for non-compliance is high, particularly where consequences are low or benefits are high. That is, an 'achievement orientation' and 'getting things done' — including by 'cutting corners' if necessary — has a significantly higher value than compliance. It may be that incentives and rewards need to be reset, including through the performance management system, which is a component of the control environment operating in the public sector.

At the heart of the issue is complying with the requirements and intent of established frameworks. They must be more than aspirational. They have a legislative basis and need to be followed and enforced. The approach that actors in the system – the policy owners, heads of organisations and their personnel — take to compliance is fundamental to integrity outcomes. The Australian Public Service Commission has emphasised that 'compliance ensures standards for integrity are met'. As I mentioned earlier, section 14 of the Australian Public Service Commissioner's Directions 2022 provides that upholding the 'ethical' value in subsection 10(2) of the Public Service Act requires 'complying with all relevant laws' and 'acting in a way that is right and proper, as well as technically and legally correct or preferable.

The JCPAA's "golden thread" report stated that evidence received by the Committee shows that even when officials are found acting contrary to finance law, reference is frequently made to a lack of malintent, to having acted in good faith, and delivering on decisions of government, as if that somehow excuses a breach of the law.

The Committee's report stated that its firm conclusion is that any claim or view that it is somehow acceptable for an officer to breach finance law and fail to act with probity, but still be acting in good faith and for a proper purpose, is clearly and unambiguously wrong.

Recommendation 1 of the "golden thread" report by the JCPAA was for the Department of Finance to issue guidance that makes clear to public officials that if they breach finance law, suggesting there was no malice or personal gain is not sufficient to fulfil their obligation under the Public Governance, Performance and Accountability Act 2013 to act honestly, in good faith, and for a proper purpose.

There are almost no formal mechanisms in public sector integrity frameworks to provide assurance on compliance. Often the ANAO is the only source of assurance on compliance and ANAO resources mean that coverage is limited. While entity accountable authorities and agency heads must be responsible for compliance within their organisations, policy owners should at least have processes in place to identify the level of compliance across the sector and be willing to modify their regulatory approach if it is not working. Audits generally observe that policy owners are reluctant to take accountability for providing robust advice to entities, defaulting to advising that decisions are for accountable authorities.

The existing frameworks were developed by internal regulators and proposed to Parliament by the executive government, on the basis of their fitness for purpose and the expectation that they would be fully complied with. It is currently difficult to see how most framework owners are able to provide assurance to government or the Parliament on the effectiveness of the frameworks they, largely, advised should be implemented and which they administer.

In the absence of system-level assurance by internal regulators, the ANAO suggested that the Committee may wish to consider how the Parliament could receive assurance directly, to drive compliance with integrity, probity and ethical requirements and accountability for performance.

The JCPAA recently considered the role of the Department of Finance as policy steward of the procurement framework and emphasised the need for leadership from the system steward and regulator. The committee stated in its Report 498 on procurement: 'That doesn't mean being accountable for every procurement, but it does mean collecting more and better information about agencies' compliance with the CPRs to give it an accurate picture of how the procurement framework is operating.'

The critical role of policy owners in maintaining a culture of integrity in the sector, including respect for the rule of law, has also been a focus of recent reviews of the public sector and its performance. These reviews have included the Thodey Review, the capability review of the APSC and the Robodebt Royal Commission.

• The 2019 Thodey Review of the APS recommended the reinforcement of APS institutional integrity to sustain the highest standards of ethics and build a pro-integrity culture and practices in the APS. The review proposed an enhanced role for the APSC, amendments to the Public Service Act, embedding integrity guidance in induction processes, and that the APSC and Department of Finance extend APS integrity requirements to service providers and long-term APS contractors and consultants.
• The 2023 capability review of the APSC identified a need 'for the Commission to fulfil a more central role in government' and identified 'Leading on integrity for the APS' as one of the most important focus areas. The review also observed that: 'A particular point of difference between stakeholders and staff related to the integrity agenda. Most staff see the Commission as fulfilling its role in upholding the integrity of the APS through guidance material, while stakeholders saw a more substantial role for the Commission, with stronger direction and leadership.'
• The 2023 Robodebt Royal Commission included chapters on 'Improving the Australian Public Service' and 'Lawyers and legal services.'

Under the Public Service Act the Australian Public Service Commissioner, supported by the APSC, has functions that include: 'to uphold high standards of integrity and conduct in the APS', 'to monitor, review and report on APS capabilities', 'to evaluate the extent to which Agencies incorporate and uphold the APS Values and the APS Employment Principles', and 'to evaluate the adequacy of systems and procedures in Agencies for ensuring compliance with the Code of Conduct.'

In April 2022 the APSC released a non-mandatory Integrity Metrics Resource directed to APS agencies. The resource potentially provides a basis for consistent integrity assessment and subsequent reporting to internal regulators and the Parliament. There is also a Commonwealth Integrity Maturity Framework, released by the Australian Commission for Law Enforcement Integrity in December 2022 and subsequently taken up by the National Anti-Corruption Commission (NACC). The NACC states that the project has drawn from the APSC's Integrity Metrics Maturity Model.

The NACC's Commonwealth Integrity Maturity Framework comprises eight integrity principles, with each principle accompanied by a four-level maturity scale. An important feature of the framework is the inclusion of performance management as part of 'Principle 2: Integrity knowledge and performance management', and the development of specific integrity maturity indicators for performance management.

This approach provides the basis for:

• a performance management system that explicitly references integrity requirements;
• a performance management system geared to monitoring and incentivising integrity as well as achieving outcomes; and
• a pathway for driving integrity maturity within individual organisations and across the sector.

The ANAO believes there is scope to consider the development of a common sector-wide integrity framework. As discussed, the specific integrity arrangements applying to personnel operating in the public sector — which include APS employees, PGPA officials, statutory office holders and contractors — depends on the type of entity that engages them and their engagement status. There is also overlap between the requirements of the PGPA Act, Public Service Act, and some legislation applying to statutory bodies.

While probity, ethical and integrity requirements have slightly different technical definitions and nuances, depending on the applicable legislation, they are all very similar in practice. A common integrity framework, applying to all personnel involved in public sector activity, would streamline and reinforce core expectations, provide a basis for the assessment of integrity performance across all personnel and entity types, and provide a basis for standardised integrity reporting to internal regulators and the Parliament.

To this end, the JCPAA's "golden thread" report included a number of recommendations.

Recommendation 3 was that the APS Employee Census be augmented with questions asking officers of their level of confidence that agencies' assessments, advice and decisions on issues such as procurement, grants, regulatory actions, and so on, comply with both the letter and intent of legislative and regulatory frameworks.

Recommendation 4 was for the Australian Public Service Commission to develop clearer guidance for entities that contains a definition of culture, and metrics on building, measuring and assessing organisational culture as it applies to probity. It goes on to state that metrics for culture must be capable of providing insights and assurance of the extent to which officers are in fact behaving in a way that is right and proper, and according to the letter and the intent of the law.

Recommendation 5 was that the PGPA Act Framework be amended to introduce a requirement for entities to develop and maintain an overarching Integrity Framework that brings together:

• The relevant legislative, regulatory and policy frameworks through which the agency functions;
• assessments of major integrity risks;
• statement of the desired culture as it applies to officers demonstrating probity and acting ethically as they carry out their responsibilities;
• assurance mechanisms of sufficient substance and scope, appropriate to the size of the entity and its risks, for accountable authorities to be confident officers are acting according to the letter and the intent of the frameworks; and
• robust accountability arrangements.

It also recommends that Accountable Authorities must report on their Framework, including culture, in their annual report and state they have evidence officers in their agency are acting with probity.

Recommendation 6 then states that the Department of Finance and the Australian Public Service Commission should each develop an approach, including robust metrics, to provide reasonable assurance that the policy frameworks they administer are effective. An update is to be provided to the Committee within six months, including timelines to complete this work.

Some of the overall conclusions reached by the JCPAA in its "golden thread" report are that – and I will quote here -

"In essence, the Committee has identified three critical and interdependent aspects of the system necessary to foster an Australian Public Sector that acts with probity and integrity:

• Frameworks—the myriad of legislation, regulations, rules, policies, codes and guidelines which set the requirements of entities and officers, including but not limited to, finance law.
• Culture—'the way we do things around here' will rightly vary across entities depending on their missions, but within the limits set by cross-government frameworks; the tone is set by governments and the Parliament, while entity culture is overwhelmingly set by senior leaders.
• Accountability—of individual officers for their actions; of senior leaders and accountable authorities for their entities; and of policy owners for outcomes of and compliance with their policies.

The key, however, to ensuring the public sector acts with probity and integrity is overwhelmingly not the rules per se—it is ethical leadership: the 'golden thread' that binds and animates the system in a positive direction. Evidence received over numerous inquiries indicates that perhaps 80 per cent of organisational culture is set by the behaviour of leaders—at all levels, but starting at the top.

Integrity frameworks in and of themselves are not sufficient to animate officers in a positive direction—that is the job of leaders who set the culture and signal what behaviours are acceptable within the frameworks. As the old maxim goes, 'just because you can, doesn't mean you should'. Similarly, frameworks are unable to get at whether, when they carry out their duties to achieve results, officers are acting with probity. That requires entities to assess culture, accompanied by robust individual and collective accountability mechanisms."   End of quote.

The Committee concluded, having examined and reflected upon the submissions from entities, that organisational culture was the key element that sits between the law and the achievement of desired outcomes in an ethical manner.

Implementation of the recommendations from the "golden thread" report, and those the ANAO makes at an entity level may have an impact on your work in assessing the controls in place to achieve integrity.

I thought it would also be worth noting that the ANAO has an internal integrity framework and for the first-time last year we published our integrity report on our website. Our Integrity Framework provides an overarching structure to the ANAO's integrity control system, supporting our institution's integrity. The framework serves to assist in ethical decision making and risk, fraud and misconduct management. Our integrity report includes integrity-related matters that occurred during the year and identifies emerging trends and areas where the ANAO may have vulnerabilities and risks to integrity or elements of the Integrity Framework that require strengthening. The report also highlights areas where new controls have been implemented in the ANAO Integrity Framework during the year.

In closing, I would like to bring all of this back to your role as internal auditors across the public sector.

In an environment of mixed trust in the public sector, internal audit plays a pivotal role in the assurance and compliance activities of Commonwealth entities. It is essential that internal audit plays its role in ensuring that entities get these basics right.

As internal auditors you might want to consider how you can provide assurance and insights to entities in this space – if your entity is a policy owner you could look at how they are undertaking that role and what assurance they have on sector compliance. If your entity is one that is required to comply with such frameworks, then that could be the focus of your work. Audits of entity culture are becoming more common – if this isn't an area you have strayed into yet it might be worth considering, given the importance of tone at the top in setting organisational culture.

Another emerging area where internal audit can play a key role is in the use of automated decision-making and how this intersects with ethical considerations. The Ombudsman released an updated Better Practice Guide on this topic in January – it is worth a look if your entity is moving into, or is already operating in, this space.

Thank you. I'm happy to take any questions you may have.