Services Australia portfolio

In determining the 2022–23 audit work program, ANAO considers prior-year audit and other review findings and what these indicate about portfolio risks and areas for improvement. The ANAO also considers emerging risks from new investments, reforms or operating environment changes.

The primary risk identified for Services Australia relates to the implementation and management of new and existing ICT systems for service delivery, including ensuring effective cyber security. As the key payment delivery entity, this would ensure that effective ongoing services are provided to the community.

Specific risks in Services Australia relate to governance, service delivery and asset management and sustainment.

Governance

The COVID-19 pandemic and natural disasters, including bushfires and floods, have triggered a surge in demand for Services Australia’s services. Fraud and payment integrity risks are particularly significant where resources are under pressure.  The delivery of services on behalf of other entities places a responsibility on Services Australia to provide adequate assurance to the accountable authority of those other entities over payment accuracy and timeliness so that the accountable authority can meet their responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). 

A priority for Services Australia is improving the digital service offer and welfare payment infrastructure through projects and investment in core technology enablers. Services Australia faces challenges around the effective implementation of new ICT systems while also maintaining the entity’s current ICT infrastructure. Under-delivery or overspending in this area will put pressure on planned expenditure or delivery in other areas. The ANAO’s audit work will therefore focus on Services Australia’s ICT general control environment, financial expenditure and the performance of ICT project management and delivery. A recent audit found that Services Australia has not met all core requirements of the Protective Security Policy Framework at its self-assessed maturity level in relation to safeguarding people, information and assets. 

Services Australia delivers programs through a large number of ICT systems. IT control weaknesses increase the risk of fraudulent, unauthorised or erroneous transactions being processed, and an increased risk of such transactions not being detected in a timely manner.  Given the dependencies on the appropriate governance of the ICT environment to ensure accurate payments, the ANAO’s work includes a focus on access management, change management and program development.

Service delivery

Services Australia delivers a range of services on behalf of policy agencies including in emergencies. Audit findings have highlighted the importance of service delivery arrangements between Services Australia and other Commonwealth entities being fit-for-purpose and appropriately reflecting the type of service delivery.  The risk and compliance management approach should be developed with the policy department. Shared risks need to be appropriately managed.  Service delivery responsibilities should be clearly articulated in service delivery governance arrangements.

Audits have highlighted the need for a comprehensive set of performance measures that tell an accurate performance story, including with regards to efficiency and cost-effectiveness.

Australia’s Cyber Security Strategy 2020 outlines a range of initiatives to uplift Australia’s cyber security, including to harden government IT systems. Services Australia is one of the pilot entities under the ‘cyber hub’ model developed as part of the Hardening Australian Government IT Initiative. While this initiative aims to strengthen Government’s cyber security posture across Commonwealth entities, it is still under development and there are risks related to the delivery and implementation of services to entities.

Asset management and sustainment

Services Australia is continuing to undertake a major transformation and modernisation program across each of its service delivery channels – digital, face-to-face and telephony. Appropriate physical asset management includes consideration of asset risks, development of a strategic asset management strategy that is aligned to entity purposes and reporting against asset performance measures. 

Services Australia

Services Australia has responsibility for delivering a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services; aged care payments; Medicare payments and services; and child support services. Social and health-related payments and services delivered by Services Australia on behalf of other entities are recognised within each of the individual policy agencies’ financial statements.

Services Australia’s total budgeted assets for 2022–23 are just under $6.7 billion with almost 21 per cent of these assets attributable to child support receivables and 34 per cent attributable to land and buildings, encompassing right-of-use assets, as shown in Figure 2.

Figure 2: Services Australia’s total budgeted financial statements by category ($’000)

Source: ANAO analysis of 29 March 2022–23 PBS.

There are three key risks for Services Australia’s financial statements that have been highlighted for specific audit coverage in 2021–22, including those that have been considered potential Key Audit Matters (KAM) by the ANAO.

• The value of child support payments yet to be paid by non-custodial parents at the end of each financial year, which involves an actuarial estimation process and requires significant judgement and assumptions. (KAM — Valuation of receivables related to the Child Support Scheme)
• The complexities in capturing the actual costs of various internally developed software applications and their accounting treatment in accordance with relevant accounting standards. (KAM — Valuation of Intangible Assets)
• The valuation of right-of-use (ROU) assets due to the large property and ICT lease holdings, which involves an assessment of key judgements associated with ROU valuations, particularly the treatment of lease options and assurance processes for identifying and recognising lease modifications and new or terminated leases. (KAM — Valuation of ROU Assets)