Potential audits

Performance Reporting Against the Financial Reporting Framework

In the 2009–10 Budget, a number of revisions were made to the financial reporting framework. The most significant of these involved changes to the arrangements for outcomes to reflect an increased emphasis on programs. Beginning in 2009–10, all General Government Sector agencies are required to report in accordance with an Outcomes and Programs Framework. Programs are the building blocks of government financial and non-financial reporting, management and analysis, and should provide a tangible link between Australian Government decisions, activities and the impacts of those actions.

An audit would build on the findings from the current audit—Development of Key Performance Indicators to Support the Outcomes and Programs Framework—and examine the appropriateness of a sample of agency performance indicators and the reporting against them.

Management of the Communications Multi-Use List and the Central Advertising System and the Government Master Media Agencies

Finance administers the Australian Government’s Advertising Framework. In addition to providing guidance to agencies on campaign processes, Finance also maintains the Communications Multi-Use List—a list of communications companies to be used by agencies for advertising campaigns—and administers the Australian Government’s Central Advertising System, which consolidates government advertising expenditure to secure optimal media discounts on Australian Government-wide media rates. In operating the Central Advertising System, Finance manages the contracts of two master media agencies that assist in media planning, placement and rates negotiations with media outlets.

An audit would examine Finance’s administration of the Communications Multi-Use List and the Central Advertising System, and the management of the contract entered into with the external agency attributed with the functions of the whole-of-government master media agency.

Management of Information Campaigns

All Australian Government agencies subject to the FMA Act are required to comply with the Guidelines on Information and Advertising Campaigns by Australian Government Departments and Agencies (March 2010) (the Guidelines) when booking advertising placements. In particular, as directed in the Guidelines, all information/non-campaign advertising needs to be placed through the appointed master media agency, Adcorp Australia Limited (1 June 2009 – 5 May 2012). Non-campaign advertisements are Australian Government advertisements that do not include paid media placement but instead involve advertisements that are simple and informative, generally appear only once or twice, contain factual statements, and typically contain low creative content. Typical types of information campaigns or non-campaign advertising include, but are not limited to:

  • recruitment for specific job vacancies;
  • auction and tender notices;
  • invitations to make submissions or apply for grants;
  • notification of date and/or location specific information (for example, notification of a public meeting at a particular time and place); and
  • other public notices.

An audit would examine Finance’s management of the information/non-campaign elements of the Australian Government advertising framework, and would also examine non-campaign advertising placements from selected portfolios for their compliance with relevant policies and procedures.

The placement of recruitment advertising is proposed as a separate potential audit in 2011–12.

Management of Recruitment Advertising

Recruitment advertising promotes specific and general job vacancies, including graduate opportunities, within Australian Government agencies. When undertaking recruitment advertising, agencies must comply with the Guidelines on Non-campaign Recruitment Advertising (the Guidelines) that are administered by Finance. The Australian Government released updated Guidelines in July 2009 to provide a consistent framework for agencies in achieving value for money. The Guidelines relate to non-campaign recruitment advertising in print media, and specify such elements as: the size of the advertisement; the use of colour; the number of times a vacancy can be advertised; and the use of composite advertising.

An audit would assess the effectiveness of Finance’s administration of the Guidelines and a selection of agencies’ compliance with the Guidelines.

Closing the Gap in Indigenous Disadvantage Initiative: Agency Coordination and Performance Information Reporting

In December 2007, the Council of Australian Governments (COAG) agreed to a series of six targets to address the gap between Indigenous and non-Indigenous Australians in a range of socio-economic indicators. In 2008, these targets were developed into the National Indigenous Reform Agreement, which now provides the overarching framework for the delivery of the Closing the Gap strategy. The six targets are:

  • to close the life-expectancy gap between Aboriginal and Torres Strait Islander people and other Australians within a generation;
  • to halve the mortality gap between Aboriginal and Torres Strait Islander children and other children under age five within a decade;
  • to halve the gap in literacy and numeracy achievement between Aboriginal and Torres Strait Islander students and other students within a decade;
  • to halve the gap in employment outcomes for Aboriginal and Torres Strait Islander people within a decade;
  • to at least halve the gap in attainment at Year 12 schooling (or equivalent level) by 2020; and
  • to provide all Aboriginal and Torres Strait Islander four-year-olds in remote communities with access to a quality preschool program within five years.

Underpinning these targets are the seven COAG-agreed Building Blocks (Early Childhood, Schooling, Health, Economic Participation, Healthy Homes, Safe Communities, and Governance and Leadership) which form the strategic areas for action by governments. The Closing the Gap initiative has been designed as a collaborative, whole-of-government effort and contributions to the targets are expected to come from a range of programs administered within the building block areas.

An audit or series of audits would consider aspects of the Australian Government’s involvement in the Closing the Gap initiative. These include examining the lead agency arrangements, agency coordination mechanisms for planning, prioritising and implementing programs within the building blocks, and agency performance information systems to consider the extent that these enable reporting on progress toward the six targets. 

Implementation of the COAG Service Delivery Principles for Programs and Services for Indigenous Australians

In 2004, COAG agreed on a National Framework of Principles for Government Service Delivery to Indigenous Australians. The principles covered the following areas: sharing responsibility; harnessing the mainstream; streamlining service delivery; establishing transparency and accountability; developing a learning framework; and focusing on priority areas. In 2008, COAG endorsed the National Indigenous Reform Agreement. As part of the National Indigenous Reform Agreement, COAG reissued an expanded set of principles entitled the Service Delivery Principles for Programs and Services for Indigenous Australians. All governments were required to take these principles into account in designing policies and delivering services. The service delivery principles are intended to guide the design and delivery of Indigenous-specific and mainstream government programs and services provided to Indigenous people as well as guide the development and negotiation of National Partnership Agreements.

The 2008 service delivery principles are: the Priority Principle (programs and services should contribute to Closing the Gap by meeting targets endorsed by COAG), Indigenous Engagement Principle (engagement should be central to the design and delivery of programs and services), Sustainability Principles (programs and services should be directed and resourced over an adequate period of time to meet the COAG targets), Access Principle (programs and services should be physically and culturally accessible to Indigenous people), Integration Principle (there should be collaboration between and within governments at all levels and their agencies to effectively coordinate programs and services) and the Accountability Principle (programs and services should have regular and transparent performance monitoring, review and evaluation).

An audit would examine the organisational initiatives undertaken to date by Australian Government agencies to put these principles into operation and monitor their use.


The Australian Government purchased over $42 billion in property and services in 2009–10 through procurement processes. When undertaking procurement, agencies are required to follow the principles and requirements set out in the CPGs and associated legislation. It is expected that revised CPGs will be issued in 2011–12.

In recent years the ANAO has completed cross-portfolio audits on contract management and direct source procurement. Another procurement audit is underway on agencies’ establishment and use of panels. The ANAO plans to build on this series of audits by conducting audits on specific aspects of procurement, such as agencies’ approaches to attaining value for money when procuring property and services.

Management of Property

Australian Government organisations require access to property to carry out their business and deliver their services. Property costs are one of the largest recurrent expenses of government. In October 2009, the Minister for Finance and Deregulation issued the Commonwealth Property Management Guidelines (the Property Guidelines) to assist organisations subject to the FMA Act improve the efficiency and effectiveness of Commonwealth property management. The Property Guidelines established mandatory requirements which require organisations to have a property management plan and report data on property leased and owned to Finance. The Property Guidelines also established an office accommodation occupational density target for new leases or buildings and major fit-outs. Application of the Property Guidelines was expected to result in net budget savings increasing to around $100 million per annum by 2025.

An audit or series of audits would examine the efficiency and effectiveness of entities’ management of property in support of business outcomes. The audit would include an assessment of entities’ application of the Property Guidelines.

The Implementation of the Protective Security Policy Framework

On 8 June 2010, the Attorney-General announced that a new Protective Security Policy Framework (PSPF) had come into effect. The PSPF replaces the Protective Security Manual and contains 33 mandatory protective security requirements for Australian Government agencies to implement, followed by a tiered framework of core standards, policies and guidelines.  The Information Security Manual, authored by the Defence Signals Directorate, provides detailed technical measures for information security and continues to apply under the PSPF.

The PSPF applies to Australian Government agencies and any organisations working on their behalf, or handling Australian Government information and assets. This may include other governments and contracted service or goods providers.

The Attorney-General’s Department has policy responsibility for the development and implementation of the PSPF. Following the announcement of the PSPF, a 12-month transition period between the Protective Security Manual and the full PSPF was planned.

A cross-portfolio audit would examine the effectiveness of the implementation of the PSPF, including communication and guidance to Australian Government entities from the Attorney-General’s Department, and an assessment of the implementation of the PSPF in selected entities.

The Implementation of the Australian Government Security Vetting Agency

On 1 December 2009, the Australian Government announced that the vetting of all Australian Government agencies’ security clearances (apart from those exempt agencies) would be conducted by a single centralised security vetting agency. Responsibilities of the Australian Security Vetting Service, within the Attorney-General’s Department, were subsequently transferred to the newly formed Australian Government Security Vetting Agency (AGSVA) in the Department of Defence. Implementation of the AGSVA has been part of a Better Regulation Ministerial Partnership initiative between the Attorney-General, the Minister for Finance and Deregulation and the Minister for Defence to reduce costs and improve the efficiency of the security vetting process.

The AGSVA began processing Australian Government security clearances from 1 October 2010. The AGSVA currently employs over 200 staff in all major capital cities around Australia and all clearances granted by them have a whole-of-government effect.

An audit would examine the implementation of the AGSVA, including the transitional and outsourcing arrangements for the processing of the security clearances, and the degree to which the initial aims associated with setting up the AGSVA have been realised. The audit would complement the potential audit of security assessments of individuals by the Australian Security Intelligence Organisation.

Physical Security

The Australian Government requires a variety of resources, including people, information and assets to make and implement its decisions. Agencies hold significant resources on behalf of the Australian Government and the Australian people to fulfil government functions. The Australian Government expects each of its agencies to create and maintain an appropriate physical security environment for the protection of these functions and associated resources. The appropriate physical security environment should support the efficient and effective performance of agency outputs, without compromising the application of protective security measures.

The Commonwealth’s Protective Security Policy is outlined in the Protective Security Policy Framework. It provides specific guidance to agencies on the protection of the Commonwealth’s information, assets, personnel and clients from potential security threats. The framework outlines the Commonwealth’s physical security policy, including the recommended physical security framework, procedures and minimum standards.

An audit would assess selected Australian Government entities’ implementation of physical systems and practices to protect the Commonwealth’s information, assets, personnel and clients from potential security risks in accordance with legislative and policy requirements.

Security Risk Management

Agencies are required to adopt a risk management approach to cover all areas of protective security activity across their organisation. The Protective Security Policy Framework advises that the security risk management process should:

  • identify specific risks to their people, information and assets;
  • identify the agency’s level of risk tolerance;
  • identify appropriate protections to reduce or remove risks; and
  • identify and accept responsibility for untreatable residual risks (such as undertaking business on the Internet).

Within this context, agencies are to establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded and determine the threats to people, information and assets in Australia and abroad, including the need to appropriately classify information. Agencies also need to consider the requirements of the FMA Act for the efficient, effective and ethical use of Commonwealth resources.

An audit would assess the effectiveness of security risk management in selected Australian Government entities. It would include an examination of the appropriate classification of information in accordance with the security framework.

Information and Communications Technology Security: Management of Privileged Accounts

Privileged accounts in an Australian Government entity’s Information and Communications Technology (ICT) environment are those that give the user the capacity to modify system configurations, account privileges, audit logs, data files or applications. These accounts are highly desirable for an attacker to access due to the high level of access granted, and inappropriate use of privileged accounts can be a major contributory factor to failures of security or cyber security incidents on ICT systems. The Defence Signals Directorate has identified the control of privileged access to ICT systems as one of the most effective strategies that Australian Government entities can take to mitigate targeted cyber intrusions.

The Protective Security Policy Framework and the Information Security Manual outline the requirements for Australian Government entities’ management of ICT privileged access accounts. An audit would examine whether selected entities are effectively managing their privileged access accounts, in accordance with Australian Government protective security requirements, and the entities’ own policy requirements.

Managing Data Privacy

Under the Privacy Act 1998 (the Privacy Act), entities are required to comply with 11 Information Privacy Principles (IPPs) when handling personal information. The IPPs outline how an entity may collect, use, store and disclose personal information. The Privacy Act’s IPP 4 specifically relates to how entities store and secure personal information, indicating that a recordkeeper who has possession or control of a record that contains personal information, including staff and public information, shall ensure that the record is protected.

IPP 4 applies to all personal information held by entities, regardless of how it was collected. It is based on the principle that a person whose information is held by a government entity has a right to expect that the entity will hold it securely, and will ensure that access to the information is permitted only for legitimate purposes.

An audit would examine the effectiveness of controls put in place by entities to secure personal information, including for staff or public related data, and personal data collected as a function of any agency’s role in collating, assessing and maintaining personal information.

Information and Communications Technology: Software Licensing

Computer software is a core part of the infrastructure of Australian Government entities, and its use permeates every aspect of their daily business. Software is available as Commercial-Off-The-Shelf (COTS) systems, or open source[10], or is developed internally by an organisation to meet a specific business requirement. In January 2011, the Australian Government released its Open Source Software Policy, requiring entities to consider open source software for all software procurements from 1 March 2011. When Australian Government entities choose to implement COTS or open source software, both are issued to an entity under a license which sets out the conditions under which the entity may use the software, and any costs attached to the license.

An audit would examine how selected Australian Government entities are managing software licenses, including an examination of whether the entities’ current licensing arrangements are efficient and effective, compliance with software licensing conditions is being adequately monitored, and whether the Australian Government’s policies and guidance for the use of open source software are being effectively implemented. 

Management of Business Continuity

Australian Government agencies deliver a wide range of programs and services which are critical to the economic and social wellbeing of our society. Single or multiple events may cause a significant disruption or outage to the ‘business as usual’ operations of agencies, compromising their ability to function, which could have significant consequences for citizens, businesses and governments.

In order to respond to such disruptions, agencies need to consider business continuity management (BCM) as an integral part of their organisational risk management framework. BCM planning guides agencies in responding to unplanned disruptions or outages, variously described as an emergency, crisis and/or disaster, when normal management practices and procedures may be unable to cope.

In 2010, the ANAO reported that:

Overall, our assessment of continuity management indicates agencies are aware of the importance of BCP and DRP [Disaster Recovery Planning] to the continuous delivery of their services. However, many agencies had not fully embedded the establishment, maintenance, and testing of business continuity and recovery plans into their normal business activities.[11]

The objective of the audit would be to examine BCM arrangements in a selection of Australian Government entities. Better practice characteristics and principles identified in the ANAO’s Better Practice Guide Business Continuity Management June 2009 would be considered as part of the examination.

Implementation and Management of Electronic Document Records Management Systems

The decision to implement an Electronic Document Records Management System (EDRMS) to assist in the management of paper and electronic records and documents can be driven by a range of factors. These may include the need to improve efficiency, administration, customer service and compliance with standards or legislation.

An audit would assess EDRMS implementation, management and effectiveness in selected Australian Government entities.

Freedom of Information

The Commonwealth Freedom of Information Act 1982 (FOI Act) creates a legally enforceable right of access to documents in the possession of Commonwealth ministers and agencies. The Act was introduced in order to improve accountability of government for administrative decision-making. The Act does not require a person to establish a special interest or ‘need to know’ before he or she is entitled to seek to have access granted. It also details the circumstances under which access to information can be denied.

Reforms to the Act in 2010, and the passage of the Australian Information Commissioner Act 2010, have introduced fundamental changes to the way information held by government is managed and accessed by members of the public. These reforms are designed to promote a pro-disclosure culture across government and build a stronger foundation for more openness.

An audit would assess agencies’ compliance with the new FOI Act requirements, and the appropriateness of their policies and processes for dealing with requests for information. The audit scope would complement work undertaken by the Office of the Australian Information Commissioner in oversighting the operation of the FOI Act, and reviewing decisions made under the FOI Act.

Managing Conflicts of Interest

The community has a right to expect that all public officials will perform their duties in a fair and unbiased way, and that the decisions they make are not affected by self-interest, private affiliations, or the likelihood of personal gain or loss. It is, therefore, crucial that public officials and public sector entities protect the public interest by ensuring that private interests that conflict or may conflict with it are identified and managed effectively. A clear conflict of interest policy which details specific reporting procedures is an effective tool to ensure that potential and actual conflicts of interests are handled appropriately, before they give rise to allegations of misconduct. Even the perception that a conflict of interest has influenced an outcome can undermine public confidence in an agency and its staff.

An audit would examine the policies and practices used by a selection of public sector entities to manage conflicts of interest and potential conflicts of interest.

The Handling of Public Money by Persons Outside the Commonwealth

Public sector administration can sometimes involve ‘outsiders’ handling public money, which can have implications for agencies in relation to the FMA Act and Financial Management and Accountability Regulations 1997 (FMA Regulations). For the purposes of the FMA Act and FMA Regulations, an outsider is defined as: ‘any person other than the Commonwealth, an official or a Minister’. Section 12 of the FMA Act provides that an official or Minister must not enter into an arrangement for the receipt, custody or payment of public money by an outsider, unless the Finance Minister has first given written authorisation, or the arrangement is expressly authorised by an Act. In late 2010, the Finance Minister’s Delegation to agency Chief Executives was extended to permit outsiders to make payments of public money. To support agencies’ use of the Delegation, Finance issued agencies with further guidance on outsiders handling public money in early 2011.

An audit would examine the extent to which a selection of public sector agencies are complying with their obligations under Section 12 of the FMA Act.

Internal Audit

Internal audit is a key component of any organisation’s governance framework, and plays a critical role in providing assurance regarding the conformance and performance of the organisation’s systems and administrative processes.

An audit would assess whether selected Australian Government entities have applied better practices contained in the ANAO’s Better Practice Guide Public Sector Internal Audit (2007) when establishing the role and managing the use of their internal audit functions. For the selected entities, the audit would examine the internal audit function’s accountabilities within the overall governance framework, work priorities and practices, and evaluation. The audit would also assess whether the recommendations contained in Audit Report No.3 2004–05 Management of Internal Audit in Commonwealth Organisations have been implemented.


Evaluation involves the systematic and objective assessment of policies and programs to assess their efficiency and effectiveness. Within the Australian Government, responsibility for evaluation is usually devolved to the entities responsible for program oversight and implementation. The evaluation experience and capability of these entities is variable.

In March 2010, Ahead of the Game: Blueprint for Reform of Australian Government Administration emphasised the importance of evaluative work to continuous improvement and identified actions to strengthen government evaluation. These actions involve the consultative development of central policy guidance covering evaluation by the Department of the Prime Minister and Cabinet, and organisations taking steps to enhance their evaluation of policy and programs.

An audit would examine Australian Government entities’ evaluative capacity and, for selected entities, the efficiency and effectiveness of differing models and approaches to evaluation. The audit would also explore the progress of work underway to improve evaluation in response to the Ahead of the Game report.

Senate Order for Departmental and Agency Contracts (Calendar Year 2011 Compliance)

The Senate Order for Departmental and Agency Contracts requires agencies operating under the FMA Act to place lists of contracts valued at $100 000 or more on the Internet. These lists must indicate, among other things, whether each contract requires the parties to maintain the confidentiality of any of the contract’s provisions.

An audit would assess the appropriateness of the use of confidentiality provisions in selected contracts reported in the 2011 calendar year listings, and the processes used by selected agencies for compiling contract listings.

Agency Management of Arrangements to Meet Australia’s International Obligations Under Selected Treaties

Treaties are agreements between countries which are binding at international law. Through a process known as ratification or accession, countries indicate their commitment to undertake the obligations under a treaty. Since 1901, Australia has ratified 335 treaties and acceded to 258 treaties, all of which are currently in force. Australia is a party to treaties on postal, shipping and social security and health arrangements, defence and security, nuclear non-proliferation, the environment, civil aviation, maritime delimitation, technological exchanges, and agreements designed to establish universal standards in relation to the treatment of civilians in time of war.

An audit would examine how relevant agencies are managing arrangements to meet Australia’s international obligations under selected treaties.

Workforce Planning

Many agencies are facing increasing challenges in engaging and retaining suitably qualified people that will enable them to deliver quality, timely and cost-effective services. The changing demographics of the Australian population and skills shortages are likely to further drive competition for highly performing staff. Effective workforce planning can assist agencies anticipate the staffing and skill requirements needed to enable them to deliver organisational objectives now and in the future. In 2010, Ahead of the Game: Blueprint for the Reform of Australian Government Administration recommended an Australian Public Service (APS)-wide workforce planning framework be developed for use by agencies to develop fit-for-purpose workforce plans.

An audit, following establishment of the APS-wide workforce planning framework, would assess whether selected Australian Government entities have developed and implemented policies and practices to enhance the effectiveness of their workforce and enable them to meet their business challenges in the medium to longer-term. The audit would also examine work being undertaken by the Australian Public Service Commission to coordinate workforce planning.

[10] Open source systems are generally available without an up-front cost, and with the source code available, giving the ability for the software to be used, copied or modified to suit any purpose, generally without payment of a royalty or other fee.

[11] ANAO Audit Report No.50 2009–10 Interim Phase of the Audit of Financial Statements of Major General Government Sector Agencies for the year ending 30 June 2010, p. 42.
