This audit would assess the effectiveness and efficiency of entities’ administration of the Freedom of Information Act 1982 (FOI Act).
The FOI Act and the Australian Information Commissioner Act 2010 form the legislative framework that provides the public with a right of access to government documents. The ANAO previously undertook an audit of the administration of the FOI Act in 2017.
The Australian Information Commissioner’s Freedom of Information functions include conducting merits review (IC review) of decisions of agencies made under the FOI Act and the handling of complaints. The Information Commissioner is supported in these functions by the Freedom of Information Commissioner, appointed in March 2022. A new whole-of-government information management policy was adopted on 1 January 2021.
This audit would assess the effectiveness of the Department of the Prime Minister and Cabinet’s (PM&C’s) administration of the Regulatory Impact Analysis (RIA) framework.
The Office of Best Practice Regulation (OBPR) within PM&C works to ensure that major policy decisions are supported by sound evidence and analysis. The RIA framework is designed to help policymakers identify the relevant policy problem, examine a range of viable options, assess the costs and benefits of the options and develop the evidence base for well-informed decision making. The OBPR has a dual role: ensuring compliance with the RIA framework; and providing guidance and coaching across the Australian public service to assist entities to produce high quality analysis. The OBPR refreshed the government’s RIA framework in March 2020.
This information report would provide data and insights in relation to the executive government’s compliance with legislative requirements to report to Parliament. This information report will neither be an audit nor an assurance review and will present no conclusions or opinions.
The formal presentation of documents and reports by Ministers is one of the principal means whereby the Parliament informs itself in relation to public affairs.
This audit would review the progress of the Digital Identity system’s implementation, design and functionality, including the roles and responsibilities of stakeholders and the allocation and expenditure of funding, including contract management.
The Digital Identity program is led by the Digital Transformation Agency (DTA) and is made up of the Trusted Digital Identity Framework, the identity exchange (run by Services Australia), digital identity providers (currently myGovID managed by the Australian Taxation Office) and over 75 services currently connected to the system.
This audit would assess the effectiveness of selected entities’ arrangements for the use of probity advisors in procurement.
When undertaking procurements, entities can engage external probity practitioners to provide guidance and advice on how probity issues should be addressed, and assurance on whether probity requirements have been adhered to. In addition to the Commonwealth Procurement Rules (CPR) requirements, an entity’s accountable authority may issue additional Accountable Authority Instructions (AAIs) on these matters, under the Public Governance, Performance and Accountability (PGPA) Act 2013. The audit would also assess whether the entity followed any probity advice received and if not, whether that was documented.
This audit would examine the effectiveness of environmental performance reporting under the Environment Protection and Biodiversity Conservation Act 1999.
Under s516A of the Environment Protection and Biodiversity Conservation Act 1999, Commonwealth entities are required to report on environmental activities and outcomes in their annual report. Reporting must include information on how Commonwealth entities are implementing and incorporating the principles of Ecologically Sustainable Development in their operations.
This audit would assess the effectiveness of governance arrangements for executive remuneration in selected government business enterprises (GBEs). It would examine the basis on which performance targets are set and measured and provide assurance that they are set at reasonable levels.
The Public Governance, Performance and Accountability (PGPA) Rule 2014 has standardised and transparent arrangements for disclosing the remuneration of key management personnel in GBE annual reports. GBEs are required to disclose information on policies and practices that set out their governance and the basis on which remuneration is determined. Remuneration arrangements, including allowances and entitlements, are set by the board of each GBE.
This audit or series of audits would examine the implementation of the APS ethical framework by selected APS agencies.
The Australian Public Service (APS) ethical framework comprises the legal framework (the basis of which is the Public Service Act 1999 and the Public Governance, Performance and Accountability Act 2013 (PGPA Act)); activity-specific frameworks (such as the Commonwealth Procurement Rules and Commonwealth Grants Rules and Guidelines); government policies; and entity-specific frameworks (including the requirements of enabling legislation, Accountable Authority Instructions, and other internal policies).
This audit would continue the ANAO’s series of audits of cybersecurity.
The scope would include comparing the entities’ cybersecurity frameworks and controls against the controls required under the Protective Security Policy Framework for Policy 2 — Management structures and responsibilities, Policy 4 — Security maturity monitoring, and Policy 10 — Safeguarding information from cyber threats, and the Australian Signals Directorate’s Essential Eight Maturity Model.
This audit would assess the effectiveness of the Australian Taxation Office’s (ATO’s) and Services Australia’s management of the privacy of clients’ personal information, and the Office of the Australian Information Commissioner’s (OAIC’s) management of privacy complaints and investigations.
The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals. It regulates how Australian Government agencies handle personal information, and includes 13 Australian Privacy Principles (APPs) that cover the processing of personal information. The Privacy Act is supported by the Privacy Regulation 2013.
The Attorney-General’s Department (AGD) has overall policy responsibility for privacy and has been conducting a review of the Privacy Act since December 2019. The OAIC’s responsibilities include administering privacy laws, providing guidance and assistance to entities (including special measures in response to the COVID-19 pandemic) and monitoring entities’ compliance with the Privacy Act. The National Data Commissioner within the Department of the Prime Minister and Cabinet is responsible for fostering best practice public sector data handling and sharing.
Services Australia and the ATO hold and manage client (customer and taxpayer) information in the course of their delivery of services and payments and oversight of the tax and superannuation systems, and share information for the purposes of comparing income data. Risks to the integrity and privacy of client information comprise data breaches through human error or system faults (45 per cent of all notifiable data breaches in agencies covered by the Privacy Act in July-December 2021) and malicious and criminal cyber attack (55 per cent).