Take our Insights reader feedback survey

Help shape the future of ANAO Insights by taking our reader feedback survey.

This edition of Audit Insights summarises key messages for all Australian government entities from a series of Australian National Audit Office (ANAO) performance audits that have examined service delivery through other entities. It discusses the importance of establishing appropriate service delivery governance arrangements between entities, understanding risk tolerances and managing service delivery risks, and establishing performance monitoring and measurement arrangements.


To maximise effectiveness and efficiency, many Australian Government entities deliver services through other entities, including using non-government service providers or Australian Government entities.

Arrangements for service delivery through other Australian Government entities occurs either via a purchaser-provider relationship or a partnership arrangement.

  • Under a purchaser-provider relationship, services are delivered to an entity and costs recovered under section 74 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) (cost recovery). For these relationships, the service delivery entity (provider) is required to deliver services to the expectations and service levels set out by agreement with the purchasing entity and demonstrate value for money for those services. The purchasing entity is responsible for monitoring the services provided by the service delivery entity to ensure they are meeting the agreed requirements and expectations.
  • Under a partnership arrangement, a service delivery entity is funded by direct Budget appropriation to deliver services of a program which is the responsibility of a policy entity. For these arrangements, the policy entity retains responsibility for the outcomes of its programs and the service delivery entity is directly accountable to the Australian Government and Parliament for delivering the services to the Australian community and for prioritising that service delivery within its funding budget.

In 2019–20 and 2020–21, the Auditor-General tabled the following performance audits that examined aspects of service delivery through other entities:

Audit findings have highlighted the importance of service delivery arrangements being fit-for-purpose and appropriately reflecting the type of service delivery arrangement. Providing a robust basis for service delivery expectations can be achieved through the fundamental service agreement elements outlined below.

Key learning areas covered in this insights publication, relate to:

  1. establishing appropriate service delivery governance arrangements
  2. understanding risk tolerances and managing service delivery risks; and
  3. establishing performance monitoring and measurement arrangements.

1. Establishing appropriate service delivery governance arrangements

A critical factor in arrangements where service delivery is through another Australian Government entity is accountability. Effective agreements can limit ambiguity in terms of roles and responsibilities, establish clear governance arrangements and expectations of the operation of controls and outline the agreed reporting on these arrangements. Providing a robust basis for service delivery expectations can be achieved through the following fundamental service agreement elements:

  1. a clear objective of the agreement;
  2. defined roles and responsibilities of each party;
  3. suitable governance arrangements;
  4. performance measures;
  5. reporting and communication arrangements;
  6. a clear approach to risk management;
  7. issues identification and dispute resolution processes;
  8. funding arrangements;
  9. level of approval/sign-off;
  10. term of agreement; and
  11. review points.

Audit examples

Services Australia delivers payments and services to and on behalf of 34 Australian Government entities. These services are underpinned by bilateral agreements between Services Australia and each entity. Only four of the 13 bilateral agreement documents reviewed by the ANAO for three entities contained all 11 elements expected in a bilateral agreement with the main exceptions in risk management, performance measures, and roles and responsibilities. The entities had effective management and oversight of bilateral arrangements through governance committees, and some risk management plans linked to broader departmental processes. Issues escalation/dispute resolution processes and practices were in place for the bilateral arrangements, with varying levels of effectiveness across the four entities.

Examples of better practice were evident in the Services Australia and Department of Agriculture, Water and the Environment bilateral agreement, including the issues escalation process and definitions of roles and responsibilities. For the latter, the relevant sections provide clear explanations of each entities’ responsibilities so that both parties have a shared understanding of their respective responsibilities within the bilateral relationship.

(Report reference: grey box before paragraph 3.2 and paragraph 3.6.)

The Commonwealth Director of Public Prosecutions (CDPP) operations are primarily funded through parliamentary appropriations. The CDPP also receives revenue through transfers of appropriations from other entities to cover the cost of prosecutions for offences under specific legislation (revenue recognised under ‘tied funding’ arrangements). These activities were governed by six memoranda of understanding (MOUs) with Commonwealth investigative agencies.

Clarity around practices through MOUs — for example, authority for some agencies to conduct some summary prosecutions themselves — is aimed at minimising duplication of effort and resources. Some recent MOUs for tied funding – for example, the MOU signed with the Department of Home Affairs in May 2019 – made no provision for timeliness.

This audit highlighted the importance of MOUs referencing specific timeliness targets.

(Report reference: paragraphs 2.14, 2.25 and 2.26.)

Management of Agreements for Disability Employment Services

Auditor-General Report No.45 of 2019–20

Well-established processes support the coordination between Services Australia’s assessment of job seekers and the Department of Social Services’ (DSS) management of Disability Employment Services (DES).

The Department of Education, Skills and Employment (DESE) provides IT systems to support DES agreement management and several other services. These services were governed through agreements and active inter-departmental committees. The audit highlighted the importance of DSS obtaining assurance from DESE that IT security controls are in place over systems and data, and that these are being monitored. The Systems MoU should specify requirements for DESE to provide reporting on relevant IT controls, to assure the security of DES participant data.

(Report reference: grey box before paragraph 3.65 and paragraph 3.72.)

Delivery of the Humanitarian Settlement Program

Auditor-General Report No.17 of 2019–20

The Department of Social Services (DSS) developed the Humanitarian Settlement Program (HSP) IT system (HSP system) to facilitate client referrals, travel, and service management (including claims submitted by providers and tracking of client outcomes). Home Affairs had signed a memorandum of understanding with DSS which included responsibilities for managing the HSP system.

The audit highlighted risks with manual data exchange between the entities and the requirement for DSS and Home Affairs to resolve data exchange issues, including DSS establishing protocols for actioning errors in processing the data, and Home Affairs liaising with providers to investigate missing or incorrect data in the system.

(Report reference: paragraphs 2.64, 2.85, 2.86 and 2.91.)

2. Understanding risk tolerances and managing service delivery risks

A statement regarding risk management is a key element of a service agreement. When services are delivered by another entity, through either a purchaser and provider or partnership arrangement, risks to service delivery should be managed proactively in an ongoing manner by both entities, to enable each entity to effectively discharge its responsibilities. The purchasing/policy entity should be aware of the service provider entity’s service delivery risks, and potential impact on meeting service levels, to mitigate risks to achieving broader policy objectives.

The Commonwealth Risk Management Policy states that ‘entities must implement arrangements to understand and contribute to the management of shared risks’. The policy provides several ‘tips’ for managing shared risks, including: establishing memoranda of understanding with partners to formalise shared risk management; development of shared risk registers; educating officials on their responsibilities to identify and manage shared risks; and documenting control owners and governance arrangements for monitoring shared risks.

Entities should be aware of each other’s risk tolerances and approaches, as while risks can be common or shared, the two entities can have different risk tolerances and organisational priorities, so the responses to managing the risks are quite different. For example, a program may be of critical significance for achieving the outcomes of a purchasing/policy entity but be considered of low significance among the broader range of programs of the service delivery entity. Audits have highlighted the importance of identifying shared risks and developing an agreed approach to risk management which is documented, setting the framework for how to work collaboratively to manage instances where the tolerances and priorities significantly differ.

Audit examples

Bilateral agreements were the primary vehicle used between Services Australia and other entities for mitigating the risks where the two entities had different risk tolerances and organisational priorities, and consequently the responses to managing the risks are quite different. The purpose of bilateral agreements was to set out the basis for service delivery expectations and establish clear deliverables. This audit highlighted the importance of including provisions in the bilateral agreement committing to the development and implementation of risk management plans for all parties to the agreement.

An example of an appropriate risk planning section found in one of the services schedules was the parties agreeing to cooperatively communicate and manage any identified risks and to discuss in good faith the requirements (including key resources, activities, deliverables and timeframes) for the conduct of risk assessment, privacy impact statements, fraud assessments and other assessments.

Agreement service schedules should also include more detailed sections on how the entities will work together to address and mitigate risks.

(Report reference: paragraphs 1.9, 1.11, 2.29 and 2.30.)

Implementation of the My Health Record System

Auditor-General Report No.25 of 2019–20

The My Health Record is an example of a program with shared risks between different Commonwealth agencies and also jurisdictions and the wider community, including the healthcare sector, clinical software vendors, and consumers.

The Australian Digital Health Agency’s (ADHA’s) approach to managing shared risks with government entities included involving those entities in My Health Record governance committees and identifying some shared risks in risk registers.

ADHA could have further clarified the specific roles and responsibilities of other government entities in managing shared risks by explicitly indicating which risks are shared, with which entities, and who in other entities is responsible for controls implementation.

(Report reference: key learning, paragraphs 3.9 to 3.14.)

Administration of the National Bushfire Recovery Agency

Auditor-General Report No.46 of 2020–21

The interwoven responsibilities across bushfire recovery and rebuild measures resulted in risks affecting more than one entity and required joint management strategies between relevant entities. The National Bushfire Recovery Agency (NBRA) defined ‘shared risk’ as ‘Commonwealth funding is not adequately administered, meaningfully used or transparent’. The NBRA was mapping shared risks to assist in targeting assurance around fraud, payment mechanisms and existing capabilities/assurance of partner agencies. A workshop was held on shared risk where members discussed:

  • the roles of the NBRA and Commonwealth partner agencies on joint accountability for shared risks;
  • shared risk themes;
  • the identification of shared risks: unmet needs; misuse and waste; oversight gaps; unclear impacts; and capacity constraints; and
  • a typical approach to a shared risk and assurance plan.

The next step identified was to develop a Shared Risk and Assurance Plan with further consultation to occur with partner agencies.

(Report reference: paragraphs 3.10, 3.11 and 3.12.)

Farm Management Deposits Scheme

Auditor-General Report No.51 of 2018–19

The ATO’s compliance arrangements reflect its assessment that risks to revenue are relatively low, and its approach of managing risks at the sector level (for example, small business risks). However, the compliance arrangements and risk assessment processes have not fully captured key elements of the Scheme’s design. As the policy owner of the Scheme, Agriculture should work with the ATO to be satisfied that risk assessment and compliance processes are appropriate.

Where multiple entities are involved in administering a program, the lead policy entity should ensure that program delivery arrangements, including compliance activities, are informed by an assessment of risks and benefits undertaken on a ‘whole-of-government’ basis.

(Report reference: paragraph 11 and Key learnings for all Australian Government entities.)

3. Establishing performance measurement and reporting arrangements

Performance measurement and reporting arrangements are two of the fundamental elements of a service agreement.

Performance measures should be clearly agreed between the purchaser and the provider and partners. Performance measures may be set out in the provider’s internal service standards, or may be written into the formal agreement between the entities. Whatever the mechanism, sharing this information between the entities allows the purchaser to hold the provider accountable for the delivery of the program.

Regular reporting on service delivery by the provider entity allows the purchaser to monitor the effectiveness and efficiency of the delivery, including against the program objectives and value for money. Under a purchaser-provider relationship, the purchasing entity is responsible for reporting to government and Parliament on the delivery of the services against the objectives. It therefore needs the information necessary to provide these reports. This information may be reported through key performance indicator reporting set into contract agreements or may be collected separately by the program owner. As the purchaser has the final accountability for delivery of the services, it should assure itself that the performance information provided is accurate. One way to achieve this could be through independent verification of accuracy of the performance information.

Under a partnership arrangement, reporting arrangements vary and will depend on the enabling legislation and agreements established between the entities. For example, Services Australia and DSS have a partnership relationship. Services Australia is funded by direct Budget appropriation to deliver certain programs on behalf of DSS. Under the Bilateral Management Arrangement which governs this relationship, Services Australia (the service delivery entity) is responsible for monitoring performance in partnership with DSS (the policy entity), and also publicly reports against bilateral agreement performance measures (such as achievement of service level standards) through its Annual Performance Statement.

Audit examples

The audit highlighted the importance of effective performance monitoring and reporting arrangements. Services Australia’s Bilateral Agreement Framework outlines five criteria required for performance measures: specific (unambiguous and singular); measurable (quantitative or qualitative and auditable); affordable (achievable and funded); relevant (relevance and aligned strategically); and time-based (timeliness and regular review).

Where monthly reports are provided in accordance with the service schedule, the purchaser/policy entity should independently verify the accuracy of the performance reports to be able to assure itself that the program is being delivered appropriately. Assurance and analysis of Service Australia’s performance by its partner agencies would provide the partner agencies with confidence in the information provided.

(Report reference: paragraphs 13, 15, 2.34, 3.74–3.78, 3.79–3.94 and 3.95–3.104.)

A standard for brief assessment (targeting 85 per cent within 90 days service) was strongly emphasised by the CDPP in internal communications. The audit highlighted that the service standard’s contribution to ongoing improvement in timeliness relied on several factors, including the service standard being formalised in memoranda of understanding with agencies.

(Report reference: paragraph 4.34)

Implementation of the My Health Record System

Auditor-General Report No.25 of 2019–20

The projected benefits realisation period for My Health Record is ten years. ADHA developed a benefits realisation plan in 2017 which defined success for the opt-out model of the My Health Record system. Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data. The plan stated that intermediate output measures would be tracked using My Health Record system data analytics. The plan also stated that additional bespoke research and statistical analyses would be necessary to measure the longer-term (‘end’) benefits.

This audit highlighted that, where the intended benefits of a program are projected to be realised over a relatively long period, entities should not only describe what the intended benefits are and how they could be measured, but also make clear delivery plans showing how and when the benefits will be measured, evaluated and reported.

(Report reference: paragraphs 4.17, 4.18, 4.21 and 4.28, and key learnings (performance and impact measurement.))

Future audit coverage

The ANAO annual audit work program lists other potential performance audits examining service delivery that are yet to commence.