This edition of Audit Insights summarises key messages for all Australian Government entities from a series of recent Australian National Audit Office (ANAO) performance audits assessing the delivery of key components of the Australian Government’s response to the COVID-19 pandemic. It discusses the importance of planning, good governance and sound risk management in managing an emergency such as the COVID-19 pandemic.


Since its emergence in late 2019, coronavirus disease 2019 (COVID-19) has become a global pandemic that is impacting on human health and national economies. From February 2020 the Australian Government introduced of a range of policy measures in response to COVID-19 that included:

  • travel restrictions and international border control and quarantine arrangements;
  • financial support for affected individuals, businesses and communities; and
  • support for essential services and procurement of critical medical supplies.

With the release of the 2021–22 Budget on 11 May 2021, the Australian Government reported that it had committed $20 billion to COVID-19 health support measures and $291 billion to economic response measures.

The COVID-19 pandemic and the Australian Government’s rapid response to it significantly impacted on the risk environment faced by the Australian public sector. To account for this change in risk environment, the ANAO developed a COVID-19 multi-year audit strategy outlining its approach to auditing COVID-19 related measures and five early response audits of front line entities implementing COVID-19 policy measures. In addition, the ANAO published an audit insights in April 2020 summarising key messages from ANAO performance audits that examined rapid implementation of Australian Government initiatives, including in response to the Global Financial Crisis.

Between December 2020 and May 2021 the ANAO published five performance audits, conducted under phase one of the COVID-19 multi-year audit strategy, examining key aspects of the Australian Government’s early response to the COVID-19 pandemic:

This audit insights edition covers keys messages from phase-one audits, and builds on the messages outlined in the April 2020 edition on rapid implementation. Key learning areas covered in this audit insights relate to:

  1. crisis preparedness;
  2. governance arrangements in an emergency;
  3. identifying and managing implementation risk;
  4. mobilising resources and planning for rapid implementation;
  5. managing emergency procurements; and
  6. reviewing outcomes and lessons learnt.

Crisis preparedness

The Department of the Prime Minister and Cabinet’s 2017 Australian Government Crisis Management Framework (the framework) sets out Australian Government arrangements for managing crises across four phases: prevention, preparedness, response and recovery. It defines crisis preparedness as ‘arrangements to ensure that, should a crisis occur, the required resources, capabilities and services can be efficiently mobilised and deployed’.

The framework outlines standing governance and coordination arrangements for hazard-specific crisis responses, including domestic public health crises. National crisis response plans and arrangements developed by Australian Government agencies are required to reflect the roles and responsibilities set out in the framework.

In February 2020 the Department of Health (Health) published the Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) to guide the national COVID-19 health response, which incorporates governance and coordination arrangements from the framework.

The learnings from Australia’s experience in responding to the COVID-19 pandemic provide an opportunity to review existing crisis management plans and arrangements to address any identified gaps or weaknesses.

Audit examples

From the onset of the COVID-19 pandemic in Australia, the Australian Public Service (APS) workforce had to adapt within a short timeframe to a new operating environment and position itself to handle a surge in demand for certain government services. The audit noted that existing whole-of-government crisis management documents do not include information on managing the APS workforce in response to a pandemic. There would be value in crisis management frameworks, plans and arrangements being updated to include consideration of APS-wide operational management matters, such as roles and responsibilities for identifying critical functions, mobilising the APS workforce and issuing APS-wide directions. (Report reference: paragraphs 2.6 and 2.7)

The National Medical Stockpile (NMS) is a strategic reserve of pharmaceuticals, vaccines, antidotes and personal protective equipment for use during the national response to a public health emergency. The audit highlighted the need for robust strategic planning that adequately prepares for emergency procurements. Where mechanisms are established for crisis preparedness, it is important that planning documents include specific guidance and protocols on how to operate in an emergency. (Report reference: paragraph 14). For example, the NMS 2015-19 Strategic Plan acknowledges that the Department cannot effectively manage and deploy the Stockpile without working in concert with other Australian Government departments and state and territory health authorities and clinicians to ensure a consistent and comprehensive approach to stockpiling capability. However, the audit found that no documented agreement has been reached with the states and territories regarding a national medical supplies stockpiling strategy for a health emergency response. This includes specific roles and responsibilities for stockpiling. A National Stockpiling Agreement was foreshadowed in the 2015–19 NMS Strategic Plan but never eventuated. (Report reference: paragraphs 2.26 and 2.33).

Governance arrangements during an emergency

Governance involves the systems and processes in place to manage performance (such as strategy development and performance monitoring and reporting) and conformance (such as compliance with legal requirements and relevant standards).

In an emergency, such as during the COVID-19 pandemic, governments and public service entities need to respond promptly and decisively to emerging threats. The imperative to act quickly does not diminish the importance of good governance. Focus may need to shift from strategic to tactical governance, establishing fit-for-purpose arrangements to ensure delivery of essential services through resource mobilisation, while gaining assurance over compliance with legal requirements and quality expectations – in both rapid response activities and business as usual.

Appropriate governance arrangements need to be established early in any emergency response or rapid implementation process to optimise their value. At the whole-of-government level, this can be achieved by mobilising standing governance and coordination arrangements outlined in crisis preparedness frameworks and plans. At the entity level, accountable authorities need to determine what is fit for purpose in the specific circumstances facing their entities and ensure that governance considers impacts on business as usual activities and changes to risk tolerance levels and risk control measures.

Leveraging existing governance mechanisms can provide an effective means to support the rapid implementation of measures, where these mechanisms provide for fit-for-purpose accountability, oversight and reporting arrangements. Existing resources, such as internal audit, can be used to provide timely assurance that frameworks are being followed and that decision-making processes are appropriately documented.

Keeping sufficient documentation of decision-making processes and outcomes is fundamental to effective governance, accountability and transparency. Accordingly, governance bodies should adopt a disciplined approach to:

  • clearly and comprehensively recording decisions and actions, including deliverables and timeframes;
  • assigning responsibility for actions and risks;
  • determining and documenting an appropriate set of performance indicators;
  • maintaining risk registers, ensuring enterprise risks and associated tolerance levels are systematically identified and assessed; and
  • following up with responsible parties and recording reasons for the closure of actions, including when not completed.

Audit examples

Health led emergency procurements to increase NMS reserves during COVID-19 and received assistance with procurements from the Department of Industry, Science, Energy and Resources. The audit found the entity-level and cross-entity governance arrangements established by these departments for the NMS procurements were fit for purpose. Aspects of good practice identified in the audit included:

  • ensuring roles and responsibilities are well understood (and documented) when working across entities;
  • using a flexible taskforce approach and involving procurement advisory services when undertaking urgent procurement activities; and
  • actively engaging executive management in decision-making.

(Report reference: paragraph 16)

Services Australia was responsible for implementing a range of COVID-19 economic response measures relating to income support and household payments. The audit found Services Australia developed fit-for-purpose governance arrangements to oversee its response to the COVID-19 pandemic. The audit highlighted the importance of:

  • identifying key decision-making bodies and executive reporting mechanisms;
  • leveraging existing governance mechanisms where possible, such as using the agency’s existing Executive Committee as the key group for reporting issues, risks, opportunities, progress and achievements; and
  • establishing additional committees and teams where needed to oversee operational level delivery.

(Report reference: paragraph 11)

This audit examined the Australian Taxation Office’s (ATO’s) management of risks relating to the implementation of six measures as part of the Australian Government’s economic response to the COVID-19 pandemic. The audit found the ATO implemented fit-for-purpose governance and oversight arrangements for the six economic response measures, drawing on existing bodies and frameworks where it could, and introducing specific and additional structures where needed. (Report reference: paragraph 12)

Identifying and managing implementation risk

Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) provides that accountable authorities of Commonwealth entities must establish and maintain appropriate systems of risk oversight and management. The 2014 Commonwealth Risk Management Policy sets out the government’s expectations for Commonwealth entities in undertaking the business of government. Risk is defined as the ‘effect of uncertainty on objectives’ and risk management as the ‘coordinated activities to direct and control an organisation with regard to risk’.

Risk tolerance is defined as ‘the levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk’. The concept of risk tolerance assists entities to make informed decisions about whether mitigation strategies in addition to existing controls are required and, if so, the level of resourcing required to achieve desired outcomes.

Risk tolerance may necessarily increase during an emergency, to ensure the response is implemented rapidly. Articulating risk tolerance early in the implementation phase of new measures, and reviewing this throughout the implementation phase, provides a sound basis on which to support effective risk management, including the best use of entity resources. The rationale for setting the risk tolerance for particular risks or categories of risk should be clearly documented, both to evidence entity decision-making and to support subsequent assurance activities.

In a complex emergency multiple entities, including government and non-government entities, may need to work together to coordinate the response and manage shared risks. The identification of risks that extend beyond a single entity, and that require shared oversight and management, is a key aspect of effective risk management at an entity and whole-of-government level. Effective management of shared risks can involve:

  • formalising roles and responsibilities for managing different aspects of the identified risks;
  • understanding different entities’ risk tolerances;
  • establishing arrangements to monitor the effectiveness of agreed risk management controls and treatments; and
  • ensuring appropriate oversight of shared risks by relevant entity and interdepartmental governance and coordination bodies.

Audit examples

This audit identified that a whole-of-government risk assessment for managing the APS workforce in an emergency had not been conducted prior to the COVID-19 pandemic. Consequently, key workforce risks from COVID-19 were largely managed reactively. The COVID-19 pandemic has highlighted the need to consider workforce risks at an APS-wide level. Governance and coordination bodies such as the Secretaries Board and Chief Operating Officers Committee provide a mechanism for entities to work together more effectively on managing shared risks. (Report reference: paragraph 10)

The audit found the ATO adopted an iterative approach to identifying risks at a project and program level that was fit for purpose. The ATO identified risk tolerances, controls and treatment strategies. Risks associated with the implementation of economic response measures were assessed to be within tolerance, with the exception of integrity risks where the need for additional treatment strategies was identified. (Report reference: paragraphs 14–16)

The audit found that risks to effective deployment of the NMS in a pandemic of any magnitude were not sufficiently considered in the years preceding the COVID-19 response. Risk-based emergency response planning that incorporates contingencies and considers the full range of service providers and stakeholders can assist an entity to rapidly adapt service delivery to the requirements of an emergency response. (Report reference: paragraphs 10 and 3.19)

Mobilising resources and planning for rapid implementation

During an emergency response, the demands of rapid implementation may require entities to adopt a flexible and adaptive management stance, ready to mobilise skills, resources and systems to high priority areas, while maintaining a focus on risks and impacts to existing operations. In such circumstances, planning may be difficult due to the imperative to commence implementation as soon as possible. Planning may need to occur in stages, prioritising critical foundations and building on them later.

Where there is a need to mobilise staff rapidly to work on new and urgent initiatives, clear assessment and decision-making about business priorities can support appropriate reallocation. Reallocating existing staff to rapid response activities can assist in reducing risk, as they require less training and have familiarity with embedded business processes and systems. A taskforce approach can be an effective means to develop governance and delivery arrangements in compressed timeframes.

The ANAO’s phase-one COVID-19 audits highlighted that scalable procurement, resource allocation and ICT systems supported by crisis preparedness planning can assist entities to adapt service delivery to the requirements of an emergency response. Most entities examined through these audits had established taskforces to plan and deliver COVID-19 response measures.

In January 2021, after the initial COVID-19 response, the Australian Public Service Commission (APSC) published a toolkit to help government taskforces achieve good outcomes through structured planning processes. The toolkit provides guidance and templates for key stages of the lifecycle of a taskforce, covering:

  • determining scope, key deliverables and timeframes;
  • establishing clear and effective governance arrangements;
  • achieving the right fit and mix of staffing and leadership;
  • planning and managing taskforce work and identifying and mitigating risks;
  • actively engaging with stakeholders;
  • ensuring corporate and administrative processes and supports are in place;
  • managing closure and handover, including documenting lessons learnt; and
  • avoiding or resolving common problems experienced by taskforces.

Audit examples

While pandemic preparedness planning was found to be partially effective, the audit found planning for COVID-19 NMS procurements was fit for purpose. Health did not develop a strategic or operational procurement plan but elements of a plan (such as definition of objectives, timeframes and procurement method) were incorporated in documentation. The Department of Industry, Science, Energy and Resources’ taskforces developed, used and shared process maps, templates and checklists to guide procurement activities. (Report reference: paragraph 15)

The audit found Services Australia identified the need to adjust its workforce, ICT and physical resourcing to deliver on government COVID-19 response commitments. The agency on-boarded or re-deployed staff and increased its ICT capability to meet the increased volume of transactions. Additional ICT resources (to support home-based work arrangements) were provided and cleaning procedures (to adhere to workplace safety guidelines) were documented as having been introduced. (Report reference: paragraph 12). Services Australia identified staff internally for redeployment through a skills survey, so that experienced staff could be rapidly deployed to new payment processing tasks to ensure people received their payments as quickly as possible (Report reference: paragraphs 2.56-2.57)

The audit found the ATO followed a sound process to identify and obtain required resources and capabilities to support the rapid implementation of the six economic response measures, and to understand the impacts on its business-as-usual activities. The ATO identified constraints and developed responses to address staffing and ICT capability requirements to deliver the measures. (Report reference: paragraph 13)

Managing emergency procurements

Emergency responses may require the procurement of resources within compressed timeframes. Paragraph 2.6 of the Commonwealth Procurement Rules (CPRs) allows accountable authorities to decide that the CPRs do not apply to a procurement under certain circumstances, including to safeguard national security and to protect human health. Under paragraph 10.3b, procurements can also be exempted from the CPR requirement to be conducted through open tender for reasons of extreme urgency.

When deciding that the CPRs do not apply under paragraph 2.6, accountable authorities can assist officers conducting the procurements to meet the PGPA Act requirement to use and manage public resources properly by: determining the extent of departure from specific requirements of the CPRs; and specifying an alternative framework for conducting procurements. The accountable authority should revoke the measures in place under paragraph 2.6 when they are no longer necessary.

Implementing non-competitive or limited tender emergency procurements in a manner consistent with the PGPA Act can be facilitated by:

  • establishing probity measures early in the process;
  • documenting an evaluation plan that sets out consistent criteria underlying procurement decisions;
  • using benchmarking to demonstrate value-for-money; and
  • maintaining adequate records to facilitate transparency.

Audit examples

The Acting Secretary of Health invoked paragraphs 2.6 and 10.3 for the COVID-19 NMS procurements. The audits found that Health applied the CPRs appropriately but that elements of procurement implementation could have been improved through better pre-emergency planning and protocols. Having procurement protocols in place prior to an emergency will help entities ensure that attention can be focused on the emergency response without needing to divert resources to establishing systems and procedures for the procurements. (Report references: paragraph 2.45 of Auditor-General Report No.22; and paragraph 2.76 of Auditor-General Report No.39)

Reviewing outcomes and lessons learnt

As an emergency response moves to a different phase it is important to allocate time and resources to completing project closure activities, including reviewing outcomes and identifying lessons learnt. Undertaking appropriate closure activities supports accountability, and documenting lessons that were learnt through the project can provide a valuable resource to inform future planning.

The ANAO’s phase-one COVID-19 audits identified the following good practices — which are also highlighted in the APSC’s 2021 Taskforce Toolkit — for concluding a taskforce project:

  • having a dedicated closure plan, and setting aside time at the end of a project to tie up loose ends and provide a comprehensive handover;
  • keeping appropriate records throughout the project, especially for decisions made;
  • engaging with corporate areas to schedule the closure of administration supports (for example, ICT access and accommodation); and
  • engaging with secondees and their home areas early to plan for their return and ensure a positive transition.

Audit examples

The audit found APSC and the whole-of-government Chief Operating Officers Committee commenced a number of initiatives to capture lessons from the APS workforce response to COVID-19. Planning for future operations had also commenced and there were indications that planning was being informed by lessons learnt. (Report reference: paragraph 14)

Taskforces established by the Department of Industry, Science, Energy and Resources developed ‘closure reports’ to conclude their NMS procurement activities and hand over remaining work. These reports explained the overall objectives and strategies of the taskforce, the procurement activities undertaken, the location of records and key lessons learnt. (Report reference: paragraph 3.8)

Services Australia had commenced planning for the transition to a post COVID-19 response environment. Key activities highlighted in the audit included: planning for the reintroduction of measures paused during the COVID-19 response; and holding project closure meetings with the Department of Social Services to discuss anticipated policies and plan for future service delivery. (Report reference: paragraph 18)

Future audit coverage

In addition to the phase-one COVID-19 audits, the ANAO is conducting the following performance audits under phase two of the ANAO’s COVID-19 multi-year audit strategy:

Additional COVID-19 response audits are identified as part of the ANAO’s annual audit work program.