
The aim of Insights: Audit Lessons (formerly Audit Insights) is to communicate lessons from our audit work and to make it easier for people working within the Australian public sector to apply those lessons.

This edition of Insights: Audit Lessons is targeted at Australian Government officials who are working in governance roles or who have responsibility for ensuring effective oversight and management of probity. Although it is based on audits of financial regulators, the lessons for managing probity risks can be applied across the public sector.

What is probity?

In seeking to achieve the outcomes required by the Parliament and Australian Government for citizens, the Australian public sector operates under frameworks that establish high expectations of probity, integrity and ethics.

An object of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) is to require entities ‘to meet high standards of governance, performance and accountability’, while the Public Service Act 1999 states that one of its main objects is ‘to establish an apolitical public service that is efficient and effective in serving the Government, the Parliament and the Australian public’.

Within the sector, there is both collective and individual responsibility for promoting and maintaining integrity, probity and ethics. Responsibility is shared by the heads of public sector organisations, their leaders and personnel.

There is no single definition of probity in the Australian public sector. However, the following definition in a procurement context describes the general expectation applying to Australian Government activity more broadly.

Probity is the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.

ANAO audits of probity

The ANAO assesses the management of probity as part of its audits. Probity is routinely assessed in performance audits of procurement and grants administration.

In June 2023, the Auditor-General presented a series of three performance audit reports that examined the effectiveness of probity management in financial regulators. The background chapter of each of these reports provides more information about probity requirements within the Australian public sector:

In these three audits, the ANAO reviewed the following probity risks requiring management by all Australian Government entities, including specific risks requiring management by financial regulators:

The ANAO examined whether the financial regulators had:

  • identified key probity risks and developed policies, procedures and arrangements to manage the identified risks;
  • maintained policies and procedures;
  • effectively informed relevant people of probity related requirements, to promote compliance;
  • monitored the effectiveness of internal controls relating to probity and provided assurance to the accountable authority;
  • monitored compliance with probity requirements, including regular monitoring and reporting; and
  • followed up on identified instances of non-compliance.

Lessons for managing probity

Based on the performance audits of financial regulators, this edition of Audit Lessons provides seven key lessons for managing probity in an Australian Government entity.

Figure 1: Lessons for managing probity

1. Promote a culture that supports probity

There is both collective and individual responsibility for promoting and maintaining probity.

Under the PGPA Act, an entity’s accountable authority must promote the proper use and management of public resources. ‘Proper’ includes ethical use and management. The PGPA Act also establishes general duties applying to the accountable authority and all officials of an entity, which are relevant to probity.

The Public Service Act 1999 provides that an Australian public service (APS) agency head must uphold and promote the APS Values, and members of the Senior Executive Service (SES) are expected to promote the APS Values and Code of Conduct by personal example and other appropriate means.

Probity is best achieved when it is well embedded in an entity and responsibilities are understood. The Australian Securities and Investments Commission’s (ASIC’s) Compliance Policy states that ‘compliance is sustained by embedding it in the culture, behaviour and attitude of our staff members, Senior Executives and Commission members’.

An entity should create a culture that supports probity, through active promotion and modelling. Senior leaders can demonstrate that their entity values probity by ensuring that policies are aligned to ethical expectations and by setting the ‘tone at the top’.

Providing leadership — The accountable authority is expected to take responsibility for probity management in an entity — this includes: setting and promoting expectations; commissioning, approving and reviewing probity policies; monitoring and seeking assurance on compliance; acting promptly on information about probity failures; and ensuring responsibility for performance.

Communicating often — Ongoing messaging from senior leaders is an important tool to inform and remind personnel of their probity obligations and to set the tone from the top that probity matters.

Modelling good behaviour — The accountable authority and entity leaders play a key role in setting the ethical tone within their entity. Ensuring that legal and policy expectations are complied with, at all levels in the organisation, helps build a culture in which probity matters.

Instilling a probity culture — An entity’s internal policies should be aligned to the desired culture, and leaders should clearly communicate that probity is about more than compliance. It is about meeting the ‘spirit’ as well as the ‘letter’ of legal and policy expectations.

Reporting regularly — Regular reporting can help keep the accountable authority and senior leadership informed about the effectiveness of probity management within the entity.

Case study 1. Examples of reporting to senior officers

ASIC had an Integrity Committee (a sub-committee of its Executive Risk Committee) to oversee its Integrity Framework. The Integrity Committee received monitoring and reporting on compliance with probity requirements.

The Australian Prudential Regulation Authority’s (APRA’s) Board received a variety of reporting on compliance with probity requirements (training and awareness activities, code of conduct, conflict of interest declarations and gifts register). There was also quarterly reporting to APRA’s Audit and Risk Committee.

2. Identify the probity requirements that apply to your organisation and assess probity risks

The specific probity, integrity and ethical requirements applying to an entity’s personnel will depend on: what type of entity it is; the legislation and Australian Government policies and frameworks under which the entity operates; and the internal policies and frameworks the entity has put in place.

An understanding of the probity requirements and risks specific to an entity will assist the entity to manage probity most effectively, including through the development of fit-for-purpose policies and procedures.

The Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires entities ‘to meet high standards of governance, performance and accountability’ and sets out general duties of accountable authorities and officials. Taken together, the requirements of the PGPA Act and PGPA Rule 2014 provide an overarching framework for probity and ethical behaviour. The specific application of the PGPA Act requirements depends on whether the entity is a non-corporate Commonwealth entity or corporate Commonwealth entity.

There are activity specific frameworks that set out ethical and probity requirements for certain Australian Government activities, such as grants administration, procurement, government advertising, protective security, appearing before the Parliament, engaging with lobbyists, caretaker conventions, risk management and fraud control.

If an entity is subject to the Public Service Act 1999, general ethical and probity requirements are set out in the APS Values and APS Code of Conduct. Further probity requirements apply to Senior Executive Service employees and APS agency heads.

Other laws, such as the legislation establishing a statutory body, may set out further probity requirements.

  • For example, the Australian Prudential Regulation Authority Act 1998 requires that the APRA Chair ‘must determine, in writing, the APRA Values’ and that ‘the Chair must uphold and promote the APRA Values’.

Internal frameworks of an entity may also set out probity requirements. These include accountable authority instructions made under the PGPA Act, and other internal policies.

Within the context of these requirements, entities should assess probity risks and define an appetite for probity risks. Some risks may be more or less relevant for different entities. For example, the risks of regulatory capture and trading in financial instruments are especially relevant to financial regulators. The ANAO observed that the financial regulators stated that they generally had no or a very low appetite for probity risks.

3. Develop policies and procedures to manage probity risks

Establishing, maintaining and promoting policies and procedures to manage probity risks helps ensure that these risks are being effectively managed in accordance with relevant requirements and in a manner that is consistent with community expectations. Entity policies should be aligned to the ethical expectations established in relevant frameworks.

Policies and procedures should be risk-based — Risk-based policies and procedures support an entity to comply with requirements and manage the probity risks that are heightened for that entity. For example, if there are specific procurement risks for the entity, such as a limited number of potential suppliers in specialised markets, the policies and procedures should include additional controls to manage that risk.

Policies and procedures should be clear and comprehensive — Clear and comprehensive policies and procedures mean that personnel need to apply less discretion in probity matters. This decreases the risk of personnel engaging in conduct that is, or is perceived to be, inappropriate.

Policies and procedures should be regularly reviewed — An enterprise framework with time-specific requirements for designing and reviewing internal policies, and clear protocols for controlled policy and procedure documents, can provide a structured approach to ensuring that policies and procedures are always up to date.

Box 1: Tips to enhance probity for procurement and gifts, benefits and hospitality

  • Specify the probity management requirements applicable to all procurements.
  • Specify the circumstances that require extra probity management measures and what those measures are.
  • Ensure that internal guidance clearly identifies any exemptions from internal probity management requirements, and the exemption process to be followed.
  • Ensure that internal guidance clearly specifies how probity risks are to be managed where exemptions apply.

Gifts, benefits and hospitality

  • Have a clear guiding principle for officials to generally avoid the acceptance of gifts, benefits or hospitality and state the circumstances where this does not apply, e.g., where embarrassment could be caused to a foreign national dignitary.
  • Review any historical differences in policy between senior leaders and other personnel, such as differences in financial reporting limits, reporting timeframes or reporting requirements. The effective implementation of gifts, benefits and hospitality policies benefits from strong cultural settings within the entity, including the example set by senior leadership (‘tone at the top’).
  • Ensure policies include timeframes for reporting the offer of gifts, benefits and hospitality and the surrendering of gifts or benefits to the entity.
  • Have a register, at the enterprise level, for recording all offers of gifts, benefits and hospitality, and whether the offer was accepted and why. An enterprise level register enables the accountable authority to communicate expectations and review trends across the entity.
  • Require that personnel who accept an item record their assessment of whether acceptance results in a conflict of interest. Documenting the basis for decision making facilitates internal review activity and supports accountability.
  • Establish a process for determining whether acceptance may result in a real or perceived conflict of interest, and how to handle risk.
  • Where the acceptance of a gift, benefit or hospitality requires the approval of a more senior officer, record the date of approval in the register. This can support an entity to gain assurance over whether approval arrangements are complied with.
  • Ensure the register includes whether gifts were retained by the individuals accepting them, surrendered to the entity or disposed of in some other way.
  • Publish the register of all gifts, benefits and hospitality on the entity’s website for transparency and accountability.

4. Inform personnel of probity requirements

The effectiveness of an entity’s arrangements for managing probity risks depends on personnel being effectively informed and reminded of the requirements with which they must comply. The provision of accurate and accessible information is particularly important if requirements change.

Accessible and current information — Information about probity issues and requirements should be accessible by personnel (for example on an entity’s intranet site). Policies and procedures should be easy for personnel to locate, and personnel should feel assured that they are looking at up to date and approved policies and procedures.

Expert assistance — There should be contact details for specialist officers who can provide guidance and assistance.

Training — Training can be used to inform personnel about probity issues and requirements. Each of the financial regulators examined in recent ANAO performance audits had training to address probity risks.

Box 2: Some factors to consider when developing training

  • Decide whether training will be mandatory or optional.
  • Decide if there will be a requirement to periodically complete the training (refreshers).
  • Establish an approach to assessing the effectiveness of the training.
  • Establish arrangements to monitor compliance with training requirements.
  • Set out arrangements for dealing with non-compliance with mandatory training.

5. Check that internal controls for managing probity risks are effective

Information provided through well-functioning assurance arrangements can provide confidence that probity risks are being effectively managed through internal controls, or identify when controls are ineffective or absent.

System of internal control — A system of internal control for managing probity risks can include: policies and procedures; internal audits and reviews; training; and executive review and oversight. Section 16 of the PGPA Act requires the accountable authority to establish an appropriate system of internal control. Section 57 of the Public Service Act 1999 provides that the responsibilities of a departmental secretary include to implement measures directed at ensuring that the department complies with the law.

Monitoring internal controls — A risk-based framework for monitoring the effectiveness of internal controls can provide assurance to an entity’s accountable authority that the system of control is working effectively to manage probity risks. A monitoring framework assists the accountable authority to meet section 17 of the PGPA Rule which requires that an audit committee be established and that it reviews the entity’s system of internal controls.

Internal audit — Internal audit provides a structured mechanism for assessing the effectiveness of controls for probity risks. Internal audit can undertake audits, advisory reviews or other tasks. Internal audits or reviews might be cyclical / periodic or one-off. Internal audit should also ensure that the audit committee has the information needed to perform its functions.

Audit committees — In discharging its duties, an audit committee should ensure that it has sufficient visibility over the management of probity risks. APRA identified in October 2021 that its audit committee did not have sufficient information regarding internal controls. As a result, the internal audit area modified its reporting to provide this information to the committee. The audit committee should provide written advice to the accountable authority about the appropriateness of the accountable authority’s system of internal control for the entity.

Box 3: Some factors to consider when developing a framework for monitoring the effectiveness of internal controls

  • Roles and responsibilities for assessing internal controls.
  • A methodology for selecting controls for testing.
  • Requirements for the frequency of controls testing.
  • An assessment rating approach (e.g. fully effective, partly effective, not effective).
  • Reporting arrangements.
  • Continuous improvement arrangements.

Case study 2. ASIC’s approach to assessing the effectiveness of internal controls

ASIC’s framework for monitoring the effectiveness of internal controls and providing assurance to the accountable authority in relation to probity included:

  • cyclical internal audits and reviews into probity related topics;
  • a central compliance function which undertakes a program of control assessments, including of controls relating to probity obligations; and
  • an Audit and Risk Committee that reviewed and provided advice to the accountable authority on ASIC’s systems of risk oversight and management and internal control.

To read more about ASIC’s approach to assessing the effectiveness of internal controls, see paragraphs 3.4 to 3.12 of the ANAO report Probity Management in Financial Regulators — Australian Securities and Investments Commission.

6. Promote, check and follow up compliance with probity requirements

Entities that have arrangements to support personnel to comply with probity requirements, and which set out clear consequences for non-compliance, are more likely to have better outcomes. Checking compliance against expectations provides the basis to respond to instances of non-compliance in a timely and appropriate manner.

Documented compliance procedures — Having a documented approach for assessing compliance with probity requirements increases the chance of effectively managing non-compliance.

Case study 3. APRA’s Compliance Management Policy

APRA’s Compliance Management Policy comprised:

  • a register of external compliance obligations;
  • incident reporting and escalation standards;
  • conflicts of interest framework (including for gifts and hospitality);
  • compliance monitoring;
  • compliance training;
  • compliance reporting and management oversight;
  • actions management;
  • controls management; and
  • consequence management.

Compliance roles — Each of the three financial regulators had a central compliance team responsible for delivering compliance frameworks, and for promoting compliance by providing advice and guidance.

Attestation processes — Attestation increases compliance with entity declaration requirements by requiring staff to state that they have read, understood and complied with entity policies.

Clear consequences — Probity arrangements are strengthened when there are clear arrangements for following up instances of non-compliance and when consequences are clear. The severity of consequences should be proportional to the severity of misconduct, risk and impact.

Case study 4. ASIC’s attestation and compliance process

ASIC had an internal attestation process which required all personnel to attest that they had complied with requirements to make declarations relating to ASIC’s policies on:

  • disclosure of interests and conflicts;
  • trading in exchange-related financial products;
  • gifts, benefits and hospitality;
  • security responsibilities;
  • changes in circumstances; and
  • overseas travel.

As part of the disclosure of interests and conflicts, people subject to the process must attest that they have read and understood certain policy documents (including ASIC’s Code of Conduct) in the last 12 months.

At the end of the attestation cycle, reporting to the Executive Risk Committee identified what percentage of the required personnel had completed the attestation, and provided information on non-compliant personnel, including their engagement status. ASIC identified non-compliance amongst contingent workers, including consultants and contractors, enabling it to assess risk. A list of non-compliant personnel was provided to the Executive Risk Committee.

ASIC reported that the attestation process led to increased reporting of financial trades, international travel, changes in personal circumstances, conflicts of interest and the number of gifts declared.

To read more about ASIC’s attestation process, see paragraphs 4.7 to 4.20 of the ANAO report Probity Management in Financial Regulators — Australian Securities and Investments Commission.

7. Keep records to demonstrate probity

Record keeping is fundamental to sound public sector administration and record keeping requirements are set out in the Archives Act 1983 and related standards. Poor record keeping is an impediment to transparency and accountability for results, and can impair the ability of an entity to demonstrate effective management of probity.

Commensurate — There is no one-size-fits-all approach to record keeping on probity. Record keeping arrangements should be commensurate with the activity. For example, the Commonwealth Procurement Rules state that ‘officials must maintain for each procurement a level of documentation commensurate with the scale, scope and risk of the procurement’.

Guidance and templates — As a general principle, effective record keeping is best supported by clear guidance and templates. The Joint Committee of Public Accounts and Audit has highlighted the need for better record keeping guidance and templates in relation to probity in grants administration.

Early consideration — Record keeping arrangements are best thought about early on. Records and information should be kept to:

  • support the assessment of probity risks;
  • support the assessment of the effectiveness of internal controls and compliance with probity requirements;
  • measure performance;
  • document follow-up action regarding non-compliance; and
  • demonstrate probity of a process.

Communicate record-keeping requirements — Personnel should be made aware of record keeping obligations.