The ANAO is exploring how AI may be used to improve business operations by enhancing efficiency, while ensuring quality and transparency in decision-making.

In embracing emerging technology — which includes AI — the ANAO will do so thoughtfully while managing risk for responsible and effective adoption.

The ANAO Use of Artificial Intelligence Policy (the policy) outlines the conditions under which ANAO staff and contractors may use AI. This is to ensure the responsible, safe, and ethical use of AI, with the intention of:

• reducing the risk of using AI to the ANAO;
• upholding the highest ethical standards when using AI; and
• enabling transparency in the use of AI at ANAO.

The policy limits the use of publicly available generative AI tools (such as ChatGPT, Bing AI, and other large language models). It outlines staff obligations regarding the use of both publicly available AI and licensed enterprise AI. The policy also sets out expectations for the use of AI in audit-related activities.

The policy is supported by existing ANAO security frameworks, policies and guidance.

The ANAO is exploring how generative AI can enhance the audit process in a profession where human judgment and scepticism are fundamental to auditing standards. This work continues through the adoption of Microsoft Copilot across the ANAO, as well as by monitoring emerging trends and learning from the experiences of others within the APS and the broader public sector audit community, both in Australia and internationally.

The ANAO primarily uses commercial, vendor‑provided AI tools within approved enterprise environments. The ANAO does not currently develop or deploy bespoke AI systems in‑house.

The ANAO uses four enterprise applications that incorporate AI:

• Nuix — Nuix is an eDiscovery tool used to search large unstructured data sets. One of its features uses AI to identify shapes and words in images. The ANAO has been using Nuix prior to the introduction of this AI function and does not view the AI-powered image search as a risk.
• Adobe Acrobat — This software includes an automatic form-filling function which cannot be disabled. Given its limited use, this feature is considered low risk.
• Copilot — Microsoft Copilot is an AI-powered assistant embedded across the Microsoft 365 ecosystem — including Word, Excel, Outlook, PowerPoint, Teams, and other applications. It leverages large language models combined with the Microsoft Graph (which includes data like emails, documents, meetings, chats, and calendar events) to deliver contextually aware productivity support. Copilot is considered low risk as it operates within the ANAO’s secure Microsoft 365 environment, does not use ANAO data to train AI models, and is subject to governance, audit logging and formal evaluation processes.
• CTM Scout is a third-party platform that facilitates corporate travel bookings and features AI Chat Bot capabilities. Since this activity does not constitute audit work and involves only minimal personal information (such as staff name and date of birth), the associated risks are considered low. Therefore, an assessment under the ANAO Use of Artificial Intelligence Policy is not required.

The ANAO manages AI use cases through structured governance, documentation and continuous evaluation processes. AI use cases are captured in an internal register, with outcomes and feedback used to inform understanding of benefits, risks and effectiveness.

The ANAO actively monitors vendor-proposed changes to installed software within its IT environment — including and specifically for the introduction of new AI vendor-supplied functions — to identify any potential risks before the software update is installed.

Future development or customisation of AI tools is managed through ANAO’s project and change management frameworks and is subject to additional governance, risk assessment, and assurance processes. These processes include consideration of usability, productivity, security, privacy and audit implications.

The ANAO classifies its use of AI in accordance with the DTA classification system for AI use.

Usage patterns

• Workplace productivity
• Image processing
• Analytics for insights

Domains

• Corporate and enabling

The ANAO may access personal information during audits and applies robust physical, information and personnel security policies to protect sensitive information and support secure, responsible audit work. The ANAO is committed to the safe and responsible use of AI. All AI tools and their applications will be carefully considered to ensure there is benefit to the technology and can be used safely and ethically.

The ANAO does not use AI tools that interact directly with the public and assesses its current AI use as low impact. Existing security measures and policies are considered sufficient to manage public impact and protection risks.

The Executive Board of Management (EBOM) is the ANAO’s primary governing body and is responsible for overseeing the use of AI. The Auditor‑General has approved the ANAO’s Use of Artificial Intelligence Policy, which establishes the framework for responsible AI use across the organisation.

AI applications are recorded in an internal register and reported to the Security & Information Technology Committee (a sub‑committee of EBOM) which supports ongoing oversight and transparency. The use of AI is also subject to governance by Accountable Officials, who oversee implementation and report high‑risk use cases, including their intended application, risk assessment and sensitivities.

For audit‑related activities, AI use must be documented in audit planning and subject to defined assurance processes, including testing, validation and review of outputs. These arrangements ensure that AI use cases are assessed, monitored and implemented with appropriate consideration of risks, impact and benefits.

The ANAO complies with all relevant legislation in its use of AI, including requirements relating to privacy, security and confidentiality. The ANAO’s Use of Artificial Intelligence Policy establishes clear conditions to prevent misuse and ensures AI is applied in a responsible, safe and ethical manner. Ongoing monitoring, risk management and governance oversight supported by the ANAO’s quality and security frameworks provide assurance that AI use remains compliant across both public‑facing and internal operations.

ANAO’s existing management processes provide staff with the ability to raise concerns relating to the use of AI, including security, privacy or data handling issues. These processes support the identification, assessment and management of risks associated with AI use and are supported by the ANAO’s broader incident management, governance and compliance frameworks.

The ANAO has:

• implemented mandatory requirements set out in the Digital Transformation Agency policy within the specified timelines;
• appointed the Chief Operating Officer as the Accountable Official for AI within the ANAO;
• appointed the Group Executive Director, Systems Assurance and Data Analytics, as the Chief AI Officer within the ANAO; and
• informed all staff of the appropriate use and risks associated with the use of generative AI through an internal communications and training program, including the implementation of mandatory AI fundamentals training.

The ANAO continues to review its approach in line with Australian Government policy, including consideration of mechanisms to enhance transparency and public engagement regarding AI use.

ANAO’s transparency statement was last updated on 26 June 2026 and will be reviewed annually, with Security & Information Technology Committee endorsement and EBOM approval sought before publication.

Contact: enquiries about this statement can be submitted to the ANAO via our contact us page

Approved for publication by Dr Caralee McLiesh PSM, Auditor-General for Australia