This edition of audit insights summarises key messages for all Australian Government entities from a series of recent Australian National Audit Office (ANAO) performance audits assessing the planning and implementation of regulation activities. It discusses the importance of using available data and intelligence information to develop and execute risk-based regulatory activities targeted in proportion to the impacts of non-compliance.
Regulation is an important function of the Australian Government and high-quality regulation — whether of the private, not-for-profit or public sector — is crucial for the protection and proper functioning of the economy, society and the environment. Many Australian Government entities hold responsibilities for the implementation of regulatory functions including departments and statutory entities dedicated to the administration of regulation in highly specialised sectors.
Audit findings often highlight issues with respect to the appropriate implementation of risk-based approaches to regulation. Risk-based regulation is important in ensuring that the burden of regulation is appropriate. However, it can only be successful if the accountable authority of an entity uses available evidence to develop a strategic, diligent and risk-based regulatory compliance approach and ensures that it is consistently implemented. While efficiency for the regulator and the sector is important, too strong a focus on ‘red tape’ reduction — including through not utilising the full range of regulatory powers provided by the Parliament — can often be at the expense of effective outcomes.
Australian Government regulators are empowered by, and subject to, a range of legal and other requirements including:
- the specific legislation that establishes the regulatory powers of the entity, and underpinning policies and relevant directions;
- the Public Governance, Performance and Accountability Act 2013 (PGPA Act) along with delegated legislation such as the PGPA Rule 2014, the Commonwealth Procurement Rules and the Commonwealth Risk Management Policy; and
- the Australian Government Regulator Performance Framework — introduced in October 2014 to encourage regulators to achieve their objectives while minimising their impact on regulated entities.
A key part of the Australian Government Regulator Performance Framework is that actions undertaken by regulators are proportionate to the regulatory risk being managed. Drawing from this framework, ANAO performance audits of regulators include examination of the design, implementation and enforcement of regulation to enable regulators to deliver on regulatory objectives. In the period 2015–16 to 2019–20 the ANAO has undertaken 25 performance audits on the administration of regulatory activities.
Over the past 12 months, the Auditor-General has tabled six performance audits on the administration of regulation by non-corporate Commonwealth entities:
- Auditor-General Report No.29 of 2019–20 Regulation of Charities by the Australian Charities and Not-for-profits Commission;
- Auditor-General Report No.33 of 2019–20 Tertiary Education Quality and Standards Agency’s Regulation of Higher Education;
- Auditor-General Report No.47 of 2019–20 Referrals, Assessments and Approvals of Controlled Actions under the Environment Protection and Biodiversity Conservation Act 1999;
- Auditor-General Report No.48 of 2019–20 Management of the Australian Government’s Lobbying Code of Conduct — Follow-up Audit;
- Auditor-General Report No.5 of 2020–21 Regulation of the National Energy Market; and
- Auditor-General Report No.8 of 2020–21 Administration of Financial Disclosure Requirements under the Commonwealth Electoral Act.
Key learning areas covered in this audit insights relate to:
- collection and management of compliance information;
- assessment of compliance risk;
- implementation of risk-based compliance programs;
- record keeping; and
- measuring performance.
Collection and management of compliance information
Accurate, integrated and reliable information on regulated entities, activities and individuals supports regulators in assessing the risk of non‐compliance and the development of targeted compliance and enforcement strategies. It also forms data which can be used as intelligence in planning future compliance strategies.
Information collected by the regulator assists in determining if the regulated entities are meeting all legislative requirements, and can also assist in determining whether contrary evidence exists where the regulator relies on self-assertions by the regulated entities.
Where the role of the regulator includes maintaining public registers, websites or other information on regulated entities, appropriate collection and management of compliance information helps ensure that the information published is accurate and can be relied upon by citizens. Appropriate collection and management of information includes storage of information in a way that enables it to be easily accessed for analysis, reporting or other compliance activities.
If a regulator maintains multiple IT systems to collect and store compliance information, steps should be taken to ensure the systems are linked, can be cross-checked to ensure information held in multiple places is consistent and can be collated to provide a holistic picture of a regulated entity’s compliance history, performance and risk. This will require adequate staff guidance on information storage and retrieval.
This audit highlighted the importance of regulators establishing and consistently applying robust systems and processes for gathering, storing, retrieving and analysing compliance intelligence from all relevant sources. While the Australian Energy Regulator (AER) collected significant amounts of information, it was often captured or stored in ways that did not allow for efficient retrieval or analysis to inform the AER’s compliance and enforcement activities. In instances where structured, reliable and complete intelligence datasets were in place (underpinned by sound capture and storage processes), this enabled analysis that allowed the regulator to better understand risks of non-compliance with relevant legislation, regulations and rules. (Report reference: paragraph 19)
The report of this audit outlined the value and importance of analysing reports submitted by regulated entities to identify and take action on instances of non-compliance. This analysis will also inform risk-based compliance activity and provide assurance to the regulator that the objectives of the legislation are being delivered to government. (Report reference: paragraph 11)
Assessment of compliance risk
Clear and consistent processes for understanding which regulated entities, activities and individuals pose the highest risk of non-compliance with key regulatory requirements will position regulators to design and implement risk-based compliance programs. An effective risk assessment process should include strong linkages between risk ratings and regulatory activities, including compliance assessments informed by recent and comprehensive compliance intelligence. Collecting regulatory information from a range of reliable sources assists regulators to ensure their information is complete and accurate and enables a stronger level of assurance that regulatory objectives are being met.
A risk-based compliance process may be required by legislation, policy, or in order to ensure the regulator is conducting its business efficiently. As stated in paragraph 2.21 of Auditor-General Report No.47 of 2019–20, ‘regulators that assess the risk of non-compliance are better positioned to target regulatory activities towards areas of greatest impact’, and will therefore be more efficient.
Having robust systems for information will assist the regulator to identify compliance trends, compare the nature of non-compliance between different requirements and identify emerging risks.
Data analytics can form an important element of risk assessment and inform the compliance program. One regulator audited formed a dedicated analytics and insights team to enhance its market analysis and monitoring capabilities. The benefits of this capability will only be fully realised if arrangements for gathering, storing, retrieving and analysing information are complete and consistent.
When a regulator is responsible for approving and/or assessing activities under legislation, there needs to be a framework in place to enable the regulator’s staff to assess compliance risk. Compliance risk assessments should inform regulatory plans such as compliance monitoring activities. Further, regulator activities to promote voluntary compliance will be more effective where they are aligned to known risks of inadvertent non-compliance. (Report reference: paragraph 13)
The Tertiary Education Quality and Standards Agency’s assignment and maintenance of risk ratings to higher education providers were largely effective because risk indicators and data were aligned with the relevant provisions of the Tertiary Education Quality and Standards Agency Act 2011 and the higher education threshold standards. A key learning from this audit was that the more up to date the data being relied on for risk assessment is, the more accurate the assessments will be and therefore the more targeted and effective the compliance activity will be. (Report reference: paragraph 7)
Implementation of risk-based compliance programs
The development of compliance programs using the full scope of regulatory powers and responsibilities, proportionate to assessed compliance risk, supports the effective targeting of regulatory resources. Regulators should select entities or individuals for compliance activities by applying an appropriate risk-based approach that is capable of providing assurance that the overall purpose of the compliance review program is being achieved. A well-planned and strategically targeted compliance program will also enable an assessment of improvements or deterioration of compliance of regulated entities, activities or individuals over time and possible drivers of this, which can inform associated activities such as education and awareness raising.
The regulator’s risk management framework should set out risk tolerance levels and inform compliance activity to ensure that risks are maintained within tolerance levels. Regulators should ensure that they are being consistent with control requirements specified in the risk management framework (such as having risk treatment plans where risks exceed tolerance levels) and that risk mitigation measures, such as a ‘tip off’ facility, are used to inform compliance actions and those actions are documented.
Fully implementing a compliance program requires that the regulator act on identified instances of non-compliance, with actions usually set out in legislation. While the action should align with the severity and frequency of the non-compliance, it should also escalate if the non-compliance is not rectified over time. As set out in paragraphs 3.82 to 3.85 of Auditor-General Report No.8 of 2020–21, actions can start from encouragement, and escalate to direction, enforcement and prosecution, in line with the legislative powers of the regulator. If actions are not escalated in accordance with regulatory powers, the impact of the regulator and the achievement of regulatory outcomes may be diminished.
Consistency in approach is a key learning from this audit. This means documenting and consistently applying the approach to determining when certain regulatory powers and processes will apply (which should be consistent with the relevant legislation). Where the regulator departs from the documented process, the rationale for this decision should be recorded. (Report reference: paragraphs 3.46–3.48)
Understanding the willingness of entities or individuals to comply with regulated requirements (such as a code as was the case in this audit) is important in managing risks of non-compliance. Risks should be identified in advance of instances of non-compliance occurring, and data collected from the sector will inform this risk identification and mitigation process. This audit also highlighted that to be effective, regulators should have a strategy in place to provide assurance that risks to compliance with the legislation (a code in this instance) are effectively managed. In practice, activities and procedures such as email communications with regulated entities, compliance dashboards and draft standard operating procedures can assist in managing some risks. (Report reference: paragraph 21)
Record keeping
Appropriate recording of regulatory actions and the rationale for regulatory decisions supports transparency and accountability, particularly as a regulator’s decisions or actions may be subject to external scrutiny or be challenged. A regulator, through its records, should be able to demonstrate that approval decisions align with requirements and that compliance activity and/or actions undertaken were warranted given risk, the evidence available, the compliance framework developed and legislative powers.
Comprehensive records also assist in providing the accountable authority and the Parliament with assurance that the regulator is being consistent and transparent in its approval decisions and that these decisions are based on adequate evidence.
A key learning from this audit was that regulation-related assessments, recommendations and decisions should be documented, and recorded in an accessible records management system. This is particularly important in instances where the regulator needs to produce relevant documentation to ensure the decision is defendable in court, a tribunal or the Parliament. There was an instance outlined in this audit where a decision was set aside by the Federal Court in 2019 as the department was unable to demonstrate all public submissions had been considered. (Report reference: paragraphs 3.47–3.48, Case study 1)
This audit highlighted that where the regulator is required to undertake certain procedural checks, in order to assess whether an entity meets the legal definition of — in this case — a charity, there needs to be documented evidence that these checks were followed. The documented evidence needs to be accessible and retrievable. Without this, the regulator is unable to demonstrate that the intent of the regulatory activity (registration requirements in the case of this audit) has been met. (Report reference: paragraph 2.25)
Measuring performance
To promote transparency and accountability, regulators should publicly report on the number and outcomes of core compliance activities such as compliance assessments. Regulators should also report on the extent to which regulated entities and individuals comply, and fail to comply, with obligations under the legislation. This provides the Parliament with transparency about whether regulatory objectives are being met.
Sections 37 to 40 of the PGPA Act, and sections 16E to 16F of the PGPA Rule, place requirements on accountable authorities to measure their entities’ performance and publish annual performance statements. The Department of Finance has issued guidance to entities to assist in the development of performance information.
Entities should develop performance measures that not only inform the Parliament of the achievement against regulatory objectives, but which also report on efficiency. Compliance information collected by the regulator will assist in determining performance against expectations and the impact of regulatory activities over time.
When regulators develop performance measures, they should ensure that the measures are incorporated into an appropriate monitoring, reporting and evaluation framework that provides assurance over its achievement of objectives, as set out in relevant legislation.
Proper documentation will provide evidence to support the performance information reported and enable consistent and accurate performance statements to be developed. Some examples of performance measures for regulators include timeliness of decision making, accuracy against legislative requirements (tested through quality assurance processes), efficiency of the regulatory process for regulated entities, efficiency of the regulator (measured by resource inputs against outputs delivered over time or compared to a benchmark) and number of appeals.
All the audits covered in this edition of audit insights, with the exception of the Management of the Australian Government’s Lobbying Code of Conduct — Follow-up Audit, made recommendations for regulators to improve their performance measurement, particularly in relation to the impact of regulatory activities on regulatory objectives.
Future audit coverage
The ANAO annual audit work program lists other potential performance audits of regulators that are yet to commence. The implementation of risk-based regulation will be a continuing feature of the ANAO’s work program.