Audit snapshot

Why did we do this audit?

  • The challenges faced during the 2016 Census reinforced the need to ensure that preparations for the 2021 Census are effective.
  • An audit of the ABS’ preparedness for the 2021 Census would provide assurance on whether the ABS is on track.

Key facts

  • The 2016 Census was the first Australian Census to be ‘digital first’. The ABS closed its online form for two days due to cyber attacks. Respondents ultimately used the online form in 63 per cent of cases, close to the ABS’ target of 65 per cent.
  • The response rate in 2016 was 95 per cent, close to its target of 96.5 per cent. The ABS counted 23.4 million people and almost 10 million dwellings.
  • Three external reviews were conducted into the events of census night and related matters.
  • The ABS appointed a program assurer to review progress of its preparation for the 2021 Census.

What did we find?

  • The ABS’ planning for the 2021 Census is partly effective.
  • The ABS has not fully implemented all lessons from the 2016 Census, particularly in relation to developing its cyber security for the Census.
  • From January to May 2020, the ABS classified its 2021 Census preparation at an ‘amber’ level of risk — meaning that successful delivery of the Census appears feasible but significant issues exist requiring management attention.

What did we recommend?

  • The Auditor-General made seven recommendations to the ABS covering planning, efficiency, IT systems and data, risk controls and implementing external review recommendations.
  • The ABS agreed to all seven recommendations.

$565 million

The budget for the 2021 Census.

75%

The target for the rate of households responding online.

7 years

Lifespan of the 2021 Census-related preparation and delivery work.

Summary and recommendations

Background

1. The Census of Population and Housing (the Census), undertaken by the Australian Bureau of Statistics (ABS), is Australia’s largest statistical collection. The purpose of the Census is to accurately measure the number and key characteristics of all people in Australia, Norfolk Island, and the Territories of Cocos (Keeling) Islands and Christmas Island on Census night every five years.

2. The 2016 Census was the first Census to be ‘digital first’, whereby the ABS sought to obtain 65 per cent of responses through an online eCensus form.1 On Census night on 9 August 2016, there was a failure of multiple information technology (IT) controls, particularly for the online eCensus form, which resulted in the closure of the Census webpage for two days.

3. The Senate, the Department of Prime Minister and Cabinet, and the ABS initiated reviews into the events on Census night, ABS governance and the broader implications for cyber security across the Australian Public Service. In total, the reviews made 36 recommendations, 29 of which were directed at the ABS and agreed.2

Rationale for undertaking the audit

4. The failure of multiple IT controls during the 2016 Census reinforced the need for the ABS to implement robust planning arrangements for the 2021 Census including for cyber security, procurement, and review recommendations. An audit of the ABS’ preparedness for the 2021 Census would provide assurance on whether the ABS is on track to delivering its objectives for the Census.

Audit objective and criteria

5. The objective of the audit was to assess whether the ABS is effectively preparing for the 2021 Census.

6. In assessing this objective, the following three high-level criteria were adopted:

  • Has the ABS established appropriate oversight frameworks for the Census?
  • Is the ABS taking appropriate steps in developing IT systems for the Census?
  • Is the ABS addressing key Census risks and implementing Census recommendations?

Conclusion

7. The ABS’ planning for the 2021 Census is partly effective.

8. The ABS has established largely appropriate planning and governance arrangements for the Census. The risk framework is compromised by weaknesses in the assurance arrangements.

9. The ABS is partly effective in its development of IT systems for the 2021 Census. Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers. The ABS has not put in place arrangements to ensure that improvements to its architecture framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.

10. The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations and ensuring timely delivery of the 2021 Census. Further management attention is required on the implementation and assessment of risk controls.

Supporting findings

Oversight arrangements

11. The planning and governance arrangements for the Census are appropriate, except that the ABS does not have an overarching plan to coordinate activity plans and enable a clear view of progress against planned activities.

12. The ABS largely complies with the Commonwealth Risk Management Policy and has established a risk management plan for the 2021 Census. While the ABS has engaged an external program assurer to report to its Census Executive Board, their assurance activities are not well aligned with the identified Census risks. The Audit Committee has not been well positioned to provide consistent risk oversight or assurance on the Census.

13. The ABS has been implementing largely appropriate project management practices from December 2019. It has established monitoring processes and in July 2020 finalised arrangements to assess and approve changes to the Census project.

14. The ABS has an efficiency measure for the Census. The ANAO was unable to provide assurance on the validity and reliability of the measure, however, it is consistent with a proxy measure developed by the ANAO from published ABS information. A report by the United Nations Economic Commission for Europe ranks Australia’s cost per capita as just under the average of a group of countries with similar Census methods.

Developing IT systems for the 2021 Census

15. The IT framework that the ABS has established for the 2021 Census is largely appropriate. However, the ABS’ implementation of its IT framework is not complete. The ABS has not established a systematic process for managing risks associated with non-compliance. Census systems do not fully align with the ABS enterprise IT framework giving rise to risks in relation to system integration and compliance with legislation and ABS policy. The ABS has not established a process to mitigate the risk of unauthorised changes being implemented across systems supporting the Census.

16. The ABS is establishing partly appropriate data handling practices for the 2021 Census. The ABS has designed controls and arrangements to manage risks relating to data quality and protection of privacy. The ABS has not fully implemented controls for managing the quality and protection of 2021 Census data and does not have in place appropriate arrangements to monitor control implementation.

17. The ABS has established partly appropriate cyber security measures for the 2021 Census. The high-level measures and controls in the ABS’ cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented.

18. The ABS has established IT supplier contracts that support value for money outcomes. The ABS has largely met key legal requirements for its Census IT procurements of $1 million or more.

Managing risk, recommendations and timeliness

19. The ABS has been partly effective in addressing key Census risks. The ABS has identified, reviewed and reported risk in accordance with its Risk and Issues Management Plan and the broader ABS framework, and has mostly embedded risk management in its key business processes. The ABS has not consistently implemented key risk controls and has not fully assessed control effectiveness as required in its Risk and Issues Management Plan.

20. ANAO analysis indicates that the ABS’ post-review activities align with 27 out of the 29 agreed recommendations. In the absence of effective governance oversight arrangements to monitor and report on the implementation of recommendations, the ABS does not have sufficient assurance that it has appropriately addressed the identified issues.

21. Since January 2020, the ABS has been largely effective at monitoring the progress of activities for the 2021 Census. ABS Census projections in 2018 and 2019 were generally ‘on track’. Throughout 2020 the Census has been ‘at risk’. ANAO testing of 17 key tasks indicated that four were reported complete at least three months prior to actual completion. The ABS has accurately reported key activities, decisions and issues to the Minister in a timely manner. Public reporting on progress with the Census is accurate but could cover a wider range of topics.

Recommendations

Recommendation no.1

Paragraph 2.19

The Australian Bureau of Statistics strengthen its planning and governance arrangements for the 2021 Census by:

  1. establishing a high-level plan of the Census integrating the objectives, activities, and their dependencies; and
  2. ensuring that the required reporting is provided to the Census Executive Board.

Australian Bureau of Statistics response: Agreed.

Recommendation no.2

Paragraph 2.76

To assist the Australian Bureau of Statistics in complying with section 16 EA of the Public Governance, Performance and Accountability Rule 2014, the Australian Bureau of Statistics:

  1. include an efficiency measure in its performance framework; and
  2. develop procedures to support the validity and reliability of the existing Census efficiency measure.

Australian Bureau of Statistics response: Agreed.

Recommendation no.3

Paragraph 3.19

The Australian Bureau of Statistics strengthen its IT framework for the Census by:

  1. assessing the impact of non-compliance with Australian Bureau of Statistics standard architectures, including the impact on meeting legislative and policy requirements; and
  2. establishing appropriate controls for mitigating unauthorised and inappropriate system changes, specifically focussing on developers that have access to migrate their own changes to Census-related systems.

Australian Bureau of Statistics response: Agreed.

Recommendation no.4

Paragraph 3.35

The Australian Bureau of Statistics obtain an appropriate level of assurance that the systems supporting the 2021 Census are meeting legal and Australian Bureau of Statistics policy requirements on data quality and privacy.

Australian Bureau of Statistics response: Agreed.

Recommendation no.5

Paragraph 3.56

The Australian Bureau of Statistics:

  1. define timeframes and responsibilities for implementing the 2021 Census Security Strategy and the Essential Eight Uplift Program, especially for areas that are required prior to the 2021 Census; and
  2. ensure contracted services meet Australian Bureau of Statistics specific design and cyber security requirements, and performance of security controls are regularly assessed.

Australian Bureau of Statistics response: Agreed.

Recommendation no.6

Paragraph 4.19

The Australian Bureau of Statistics implement its risk controls and regularly and consistently monitor the effectiveness of those controls.

Australian Bureau of Statistics response: Agreed.

Recommendation no.7

Paragraph 4.34

The Australian Bureau of Statistics:

  1. establish oversight arrangements to monitor the progress of the implementation of agreed recommendations from external reviews; and
  2. assure itself that it has fully implemented all agreed recommendations.

Australian Bureau of Statistics response: Agreed.

Summary of entity response

The Australian Bureau of Statistics (ABS) accepts all seven recommendations of the ANAO Audit Report and is in the process of implementing them in full before the August 2021 Census.

The timing of the report enables the ABS to further enhance our detailed preparations for the Census.

The ABS is pleased with the positive findings noted in the report, particularly that the planning and governance arrangements for the 2021 Census are largely effective. The ANAO has noted the significant progress the ABS has made since 2016 in our approaches and preparedness. This has been achieved in part through the implementation – now close to complete – of the recommendations from the three reviews following the 2016 Census. It has also been achieved by the development of a sound cyber-security strategy.

While the ANAO audit has been in progress, the ABS has in parallel made significant progress responding to the issues identified in the report. This progress has included active steps to strengthen program governance and engagement with the ABS Audit Committee.

The ABS is committed to ensuring data quality, privacy and security. The ABS is in the process of implementing the recommendations from two independent Privacy Impact Assessments on the 2021 Census, which were completed and published on our website in July 2020.

The ABS is continuing to implement the technology and security components necessary for a high quality 2021 Census. This includes rigorous independent testing and assurance of Census systems in line with the recommendations made in the report to ensure the maintenance of data quality, privacy and security.

Key messages from this audit for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

Policy/program implementation

1. Background

The Census of Population and Housing

1.1 The Census of Population and Housing (the Census), undertaken by the Australian Bureau of Statistics (ABS), is Australia’s largest data collection exercise. The purpose of the Census is to accurately measure the number and key characteristics of all people in Australia, Norfolk Island, and the Territories of Cocos (Keeling) Islands and Christmas Island on Census night every five years.

1.2 Census data includes information on the size of the population, the number of dwellings and other characteristics (Box 1). Data is collected about both individuals and dwellings on a household basis. The 2016 Census counted almost 10 million dwellings and 23.4 million people across Australia. The Census includes people on board vessels in or between Australian ports, or on long-distance trains, buses or aircraft, people entering Australia from overseas before midnight on Census night, and Australian residents in Antarctica.

Box 1: Types of data collected during the 2016 Census

  • personal details such as date of birth, marital status, and residential history
  • citizenship and family origins
  • assistance with self-care
  • qualifications and study
  • paid and unpaid work
  • dwelling characteristics and car ownership

Source: ABS, 2016 Census Household Form.

1.3 Data collected from the Census is to be used for a range of purposes including:

  • informing public policy such as infrastructure and service planning;
  • underpinning public funding to different levels of government;
  • setting electoral boundaries; and
  • supporting research on Australia’s economic, social and cultural make-up.

1.4 The Census and Statistics Act 1905 requires that a Census be conducted every five years.3 The Act:

  • empowers the ABS to collect statistical information on a broad range of demographic, economic, environmental and social topics;
  • enables the ABS to direct a person to provide statistical information, in which case they are legally obliged to do so;
  • requires the ABS to publish the results of these statistical collections; and
  • places a life-long obligation on all ABS officers to maintain the secrecy of information collected under the Act, and provides harsh penalties for those who fail to do so.

1.5 The Census is a significant undertaking for the ABS, involving up to seven years of work from planning to the final release of data. The 2016 Census cost $491 million and involved approximately 38,000 field staff. The ABS budget for the 2021 Census from 2016–17 to 2022–23 is $565 million. Census funding is based on a cyclical model that uses the funding from the previous Census as a base and then applies adjustments:

  • plus — 10 per cent for increase in the number of dwellings, and the complexity of enumerating these dwellings and their residents4;
  • less — efficiency dividend (5 years cumulative); and
  • plus — indexation (5 years cumulative).

1.6 The 2021 Census will be Australia’s 18th Census. The ABS has three key objectives for the 2021 Census.

  • Smooth running — the Census experience is easy, simple and secure.
  • Strong support — governments, businesses and the community have confidence in the Census and there is a high level of community participation.
  • High quality data — Census data is high quality and widely used to inform on areas of importance to Australia.

The Australian Bureau of Statistics

1.7 The ABS is Australia’s national statistical agency, providing official statistics on a wide range of economic, social, population and environmental matters of importance to Australia. The primary functions, duties and powers of the ABS are set out in the Australian Bureau of Statistics Act 1975, the Census and Statistics Act 1905 and the Public Governance, Performance and Accountability Act 2013.

1.8 The ABS is a non-corporate Commonwealth entity led by the Australian Statistician — a statutory office established by the Australian Bureau of Statistics Act 1975. The Australian Statistician is the accountable authority for the ABS.

1.9 In addition to the Census, the ABS conducts economic, population, social and environmental surveys, and produces a range of statistical products such as: monthly labour force estimates; the National Accounts; and causes of death statistics. The ABS is funded primarily though departmental appropriation, and in the 2019 Budget had total resourcing of $533 million with an average staffing level of 2562.

1.10 The ABS has an Executive Board in place, chaired by the Australian Statistician. The role of the Executive Board is to provide strategic oversight of the ABS and advice to the Australian Statistician on direction, policy, priorities, and to ensure the efficient, economical and ethical operations of the ABS.

1.11 Although there is an enforceable legal requirement for persons to participate in the Census, the ABS primarily relies on individuals’ cooperation to provide data, including for the Census. Census data collection relies heavily on public confidence and trust in the ABS’ information handling and security arrangements.

Conduct of the 2016 Census

1.12 The 2016 Census was the first Census to be ‘digital first’, whereby the ABS sought to obtain 65 per cent of responses through an online ‘eCensus’ form.5 The ABS contracted its previous information technology (IT) provider to deliver the 2016 eCensus website.

1.13 During the Census on 9 August 2016, the eCensus website was subject to a number of distributed denial of service (DDoS) attacks. This occurs where an attacker uses other (compromised) computers and devices to request content from the target system. If a large number of requests are made, an attack can limit the system’s ability to respond to legitimate traffic. One of the reviews after the 2016 Census described the failure of multiple IT controls:

  • some IT equipment had incorrect settings, which meant it could not be effectively restarted;
  • one of the telecommunications providers did not effectively implement restrictions on overseas computers accessing the eCensus form (geoblocking6);
  • this provider shared its network with another telecommunications provider, in such a way that if one could not service the eCensus, neither could the other;
  • network connectivity issues resulted in network monitoring systems reporting incorrect levels of outbound traffic data, prompting internal concerns eCensus data may have been compromised; and
  • one of the telecommunications providers did not enable its DDoS attack mitigation for the data centre.7

1.14 The DDoS attacks, combined with these failures, prompted the ABS to close the online form. The ABS reopened the online form on the afternoon of 11 August 2016. The key events are outlined in Figure 1.1.

Figure 1.1: Key events in the 2016 Census

A flow chart showing that the ABS opened the online Census form at 9.00 am on Tuesday, 26 July 2016. Distributed denial of service attacks occurred during the day on Tuesday, 9 August 2016. The ABS closed the online form at 8.09 pm on 9 August due to uncertainty about increased outbound traffic and re-opened it at 2.29 pm on Thursday, 11 August 2016.

Note a: A DDoS attack is designed to disrupt or degrade an online service by flooding the system with traffic, consuming and diverting resources needed to support normal operations. A DDoS attack is not a hack, a breach, or a compromise, where data are exfiltrated or altered. However, they can be used as a cover to divert attention and resources during exfiltration.

Source: ABS, 2016 Census Overview [Internet], ABS, Canberra, 2018, available from https://www.abs.gov.au/websitedbs/D3310114.nsf/Home/Assuring%20Census%20Data%20Quality [accessed 30 April 2020] and A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security Culture and Practices across the Australian Government, PMC, Canberra, 2016, pp. 12–19, 32–33.

1.15 The ABS closed the online form because its contractor’s network performance monitoring system indicated a spike in unexplained outbound traffic. The ABS and the contractor were concerned that the outbound traffic could include personal information from the Census as a result of unauthorised access. The ABS and the contractor determined at 2am on 10 August 2016 that there was no actual increase in outbound traffic from ABS systems, and hence no risk to personal information. Most likely, network connectivity problems led to delays in receiving data, which presented as a spike.8 Later investigations confirmed there was no unauthorised access to data.9

Reviews and recommendations

1.16 The Senate, PMC, and the ABS initiated reviews into the events on Census night, ABS governance and the implications for cyber security across the Australian Public Service (APS). See Box 2.

Box 2: Reviews relating to the 2016 Census

  • Alastair MacGibbon (2016) Review of the Events Surrounding the 2016 eCensus, found poor contract management, procurement, governance, culture and skills. The report made 10 recommendations to the ABS and five items of better practice guidance to the APS.
  • Senate Economic References Committee (2016) 2016 Census: issues of trust, covered the whole Census and made 19 recommendations, 13 to the ABS.a
  • Census Independent Assurance Panel to the Australian Statistician (2017) Report on the Quality of 2016 Census Data found that the 2016 Census data is fit-for-purpose and made seven suggestions to the ABS.

Note a: Includes the two sets of additional comments at the end of the Committee’s report.

Source:  A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security Culture and Practices across the Australian Government, PMC, Canberra, 2016; Economic References Committee, The Senate, 2016 Census: issues of trust, 2016; and Census Independent Assurance Panel to the Australian Statistician, Report on the Quality of 2016 Census Data, ABS, Canberra, 2017, p. iii.

1.17 In total, the three Census reviews made 36 recommendations, 29 of which were directed at the ABS and agreed.10 The ABS has publicly stated its commitment to learn from the experience of the 2016 Census in conducting the 2021 Census.

1.18 In 2017–18, the ANAO conducted a performance audit of the ABS’ risk management of the Statistical Business Transformation Program. The report concluded that risk management arrangements to support the implementation of the Statistical Business Transformation Program were effective except for the requirement to monitor and assess risk treatments and take corrective action. It also found that the ABS enterprise-wide risk management framework was not fully effective.11

Rationale for undertaking the audit

1.19 The failure of multiple IT controls during the 2016 Census reinforced the need for the ABS to implement robust planning arrangements for the 2021 Census including for cyber security, procurement, and review recommendations. An audit of the ABS’ preparedness for the 2021 Census would provide assurance on whether the ABS is on track to delivering its objectives for the Census.

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess whether the ABS is effectively preparing for the 2021 Census.

1.21 In assessing this objective, the following three high-level criteria were adopted:

  • Has the ABS established appropriate oversight frameworks for the Census?
  • Is the ABS taking appropriate steps in developing IT systems for the Census?
  • Is the ABS effectively addressing key Census risks, implementing Census recommendations and ensuring timely delivery of the 2021 Census?

1.22 The scope of the audit covered the ABS’ preparations for the 2021 Census from December 2016 into 2020, particularly in higher-risk areas such as IT system development and cyber security. The audit also included the initiation, planning and early delivery of key projects to support the Census, and the implementation of recommendations from the three reviews (refer Box 2). The audit did not examine lower-risk aspects of the Census, such as inability to recruit staff, delays in releasing Census data and the design of the Census form.

Audit methodology

1.23 The audit methods included: examination of policies and documents; reviewing IT policies and testing the ABS’ systems; testing a sample of Census-related procurements; and interviewing relevant ABS officials and stakeholders.12

1.24 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $644,000.

1.25 The team members for this audit were David Monk, Edwin Apoderado, Amanda Reynolds, Sonya Carter, David Willis, William Richards, Zhiying Wen, Danielle Page, Jason Ralston, Lesa Craswell and Mark Rodrigues.

2. Oversight arrangements

Areas examined

This chapter examines senior management oversight of the 2021 Census through planning, governance, risk management, monitoring and control, and efficiency.

Conclusion

The Australian Bureau of Statistics (ABS) has established largely appropriate planning and governance arrangements for the Census. The risk framework is compromised by weaknesses in the assurance arrangements.

Areas for improvement

The ANAO made two recommendations designed to strengthen planning and governance arrangements for the Census, and assist the ABS in demonstrating the efficiency of its activities.

The ANAO also suggested that the ABS align its Census risk framework to the ABS enterprise risk framework, facilitate greater Audit Committee scrutiny of Census-related activities, and set timeframes for providing monthly progress reports to senior management.

2.1 As noted at paragraph 1.1, the Census is the largest statistical collection undertaken in Australia and one of the most significant exercises of the ABS. Effective preparation and conduct of each Census requires appropriate oversight from senior management, including the Australian Statistician. To assess whether the ABS has established appropriate oversight frameworks for the Census, the ANAO examined whether the ABS has in place appropriate:

  • planning and governance arrangements;
  • risk framework;
  • project management practices; and
  • arrangements to conduct the Census efficiently.

Does the ABS have appropriate planning and governance arrangements for the Census?

The planning and governance arrangements for the Census are appropriate, except that the ABS does not have an overarching plan to coordinate activity plans and enable a clear view of progress against planned activities.

2.2 Section 15 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the Australian Statistician, as the accountable authority, to govern the ABS in a way that promotes proper use and management of public resources and promotes the achievement of the purposes of the entity.13 Appropriate planning supported by effective government arrangements supports the proper use of resources towards the achievement of the objectives of the ABS in relation to the Census.

Planning for the 2021 Census

2.3 The ABS has developed a series of plans for activities to support the Census. These plans were developed progressively from 2017 and include:

  • 2017 — governance, scope, budget and content consultation with stakeholders;
  • 2018 — risk management and the schedule of key supporting activities14 (which included the major procurements of the website, the call centre and outsourced recruitment);
  • 2019 — the revised schedule and the plans for staffing, data quality, internal communication, and quality gates (review points); and
  • 2020 — the stakeholder management plan.

2.4 The ABS does not have an overarching plan for the Census. Without an overarching plan, it was not possible to determine whether the various activity plans were developed on time, in accordance with a broader schedule. The lack of an overarching plan limits the ability to view the various activity plans as a cohesive and integrated whole with reference to the purpose of the Census, key legislative requirements and a single schedule of milestones.

2.5 In the absence of an overarching plan, the ANAO reviewed whether the activity plans as a whole covered an appropriate range of planning considerations. Across these plans, key responsibilities, review points, risk management arrangements and an activity schedule, including dependencies with other projects, were set out.

2.6 The planning materials for the Census did not link the objectives of the Census to the Census and Statistics Act 1905, the Census and Statistics Regulation 2016 and other relevant legislative requirements. As a consequence activities to support the 2021 Census may not fully align with legislative requirements such as transferring documents to the archives, Census topics, and enforcement.

2.7 There is merit in the ABS developing an overarching high-level plan to assist in aligning and integrating Census-related activity plans under a common objective and better position the ABS to monitor the status of the Census project overall. Arrangements for monitoring the status of Census activities are examined from paragraph 2.47.

Governance framework

2.8 In 2017, the ABS established high-level governance arrangements for the Census, separate to the existing ABS governance and assurance structures of the ABS Executive Board and Audit Committee. An overview of the governance structure for the Census is presented in Figure 2.1.

Figure 2.1: Overview of the governance structure for the Census

A diagram showing the reporting lines between the officials and committees for the Census. The peak committee is the Census Executive Board, the membership of which includes the Australian Statistician and the Senior Responsible Officer for the Census. Th

Note a: The Risk Advisory Panels meet as required.

Source: ANAO analysis of ABS documentation.

2.9 The governance structure sets out the roles and functions of the main individuals and committees responsible for Census activities:

  • Census Executive Board (CEB) — Chaired by the Australian Statistician and comprising the ABS’ three Deputy Australian Statisticians as well as three external members, is responsible for oversight of the strategic direction of the Census, including policy, priorities and direction, and monitors planning, development, operation and delivery15;
  • Census Delivery Committee (CDC) — Chaired by the Senior Responsible Officer (a Deputy Australian Statistician) and comprising 13 members including two external members, is responsible for monitoring and reviewing progress of the Census program and advising the Board16;
  • Senior Responsible Officer — the Deputy Australian Statistician for the Census and Data Services Group is responsible for refining the acceptable risk profile, risk thresholds and risk controls for 2021 Census and its constituent projects;
  • Program Assurer — commissioned by the ABS to provide assurance and risk management advice to the Senior Responsible Officer, the CEB and the CDC;
  • Risk Advisory Panels — they cover communications and citizen experience, security and ICT, and finance and they are chaired by the relevant General Manager;
  • Census General Manager, Program Managers, Project Managers and the Census Program Management Office — reside within the ABS Census Division, are responsible for Census project management and reporting; and
  • the General Manager and relevant Program Managers of the Technology and Security Division — are members of the CDC and the Security and ICT Risk Advisory Panel.

2.10 The CEB and CDC meet quarterly. The CDC meets one month before the CEB. The ABS advised that, since July 2020, the CDC has also had a presentation based meeting between each of its formal meetings.

2.11 The governance framework covers an appropriate range of matters. The terms of reference for the two oversight committees include membership, roles and frequency of meetings. Senior personnel and committees have decision-making responsibilities and other officials have operational duties. Key responsibilities include:

  • the CEB has a general monitoring function, the CDC has a monitoring and review function across specific areas (for example the integrity of the risk register and whether delivery elements are within the agreed scope and budget), and the Senior Responsible Officer is to ensure the Census is reviewed at appropriate stages;
  • the CDC and the Program Management Office are both responsible for monitoring benefits realisation; and
  • the Senior Responsible Officer is responsible for managing relationships with key stakeholders generally and the Census General Manager is responsible for relationships with specific key stakeholders (for example government privacy bodies, government central agencies, and parliamentarians).17

2.12 The governance framework describes high-level reporting arrangements. The Senior Responsible Officer and the CDC are to report to the CEB at least three times a year. There is also a requirement for the Senior Responsible Officer to provide an annual report to the CEB covering the overall progress against the Census objectives, risk management, and communication and stakeholder updates.

Implementation of the governance framework

2.13 The ANAO examined the extent to which the ABS had implemented its governance framework for the Census, including whether the CEB acted in accordance with its terms of reference.

2.14 The CEB was required to review reports from the Senior Responsible Officer at least three times a year, which it did. It met quarterly and considered a range of reports on Census progress at each meeting. The CEB was required to have a quorum of the majority of its members at each meeting, which occurred.

2.15 Members of the CEB are required to declare interests at the start of each meeting. The minutes of the CEB recorded this occurring at all 10 applicable meetings between August 2017 and December 2019. This included one meeting where an external member declared their interest in a procurement and the CEB agreed not to discuss the procurement at the meeting.

2.16 The CEB is also required to receive an annual report on the Census covering progress against the three Census objectives18, risk management, and updates on public communications and stakeholder management. Papers and updates were provided on Census risk management and public communications. The CEB did not receive an annual report or any overall reporting on the three objectives after finalising the governance plan in August 2017.

2.17 In the absence of this general reporting, the ANAO tested reporting for a key aspect of each of the three objectives: major procurements (smooth running); privacy (strong support); and data quality targets (high quality data). The CEB received two types of reporting: summaries of recent actions (termed here as activity reports) and more detailed commentary requiring a decision or assessing progress against the schedule (analytical reports). Reporting to the CEB on key project elements is focussing on major procurements, as outlined in Table 2.1.

Table 2.1: Reporting to the Census Executive Board on key project elements for the 2021 Census, to March 2020

Activity

Activity plan/strategy approval date

Activity reportsb

Analytical reportsb

Major procurementsa

June 2018

15

11

Privacy

December 2018

5

0

Data qualityc

January 2020

6

1

Risk

March 2018

2

8

Public communications

December 2018

5

1

Content consultation

August 2017

6

2

Stakeholders

In draft

7d

0

    

Note a: Major procurements comprise information technology (IT) systems, the call centre and the outsourcing of field staff recruitment.

Note b: Activity reports summarise recent actions. Analytical reports represent matters requiring a decision or providing an assessment against the schedule.

Note c: ABS officials prepared a Census data quality plan that covered data improvement priorities, statistical risk management and managing the statistical effect of changes to the Census. The CEB received a plan on data improvement priorities only.

Note d: Five of the seven activity reports on stakeholders related to consultations within the Australian Government. Footnote 17 describes the ABS’ priority relationships.

Source: ANAO analysis of CEB papers and minutes.

2.18 While the CEB is the decision-making authority for the Census, it does not have an overarching plan to form an overall view of the Census as a program. Further, it has not received reports on progress in achieving its objectives for the Census. The development of an overarching Census plan and the provision of reporting in accordance with its governance framework would strengthen the effectiveness of the ABS’ planning and governance arrangements.

Recommendation no.1

2.19 The Australian Bureau of Statistics strengthen its planning and governance arrangements for the 2021 Census by:

  1. establishing a high-level plan of the Census integrating the objectives, activities, and their dependencies; and
  2. ensuring that the required reporting is provided to the Census Executive Board.

Australian Bureau of Statistics response: Agreed.

2.20 As noted in the Audit Report, the ABS has developed planning documentation for the 2021 Census. This includes an overall critical path, planning schedules and review points. To implement Recommendation 1, the ABS is in the process of establishing a high-level plan of the Census integrating the objectives, activities, and their dependencies.

2.21 The ABS provides extensive reporting to the Census Executive Board on a quarterly basis and will ensure that the required reporting (i.e. the annual report specified in paragraphs 2.16 to 2.18) is provided.

Does the ABS have an appropriate risk framework for the Census?

The ABS largely complies with the Commonwealth Risk Management Policy and has established a risk management plan for the 2021 Census. While the ABS has engaged an external program assurer to report to its Census Executive Board, their assurance activities are not well aligned with the identified Census risks. The Audit Committee has not been well positioned to provide consistent risk oversight or assurance on the Census.

2.22 The PGPA Act requires that entities establish and maintain an appropriate system of risk oversight and management. The Commonwealth Risk Policy requires entities to comply with nine elements, which reflect the fundamentals of effective risk management. It aims to embed risk management as part of the culture of entities where the shared understanding of risk leads to well-informed decision making.

ABS risk framework

2.23 The ABS has a risk management framework in place, approved by the accountable authority through the ABS Executive Board in November 2019. The ABS Risk Framework consists of the ABS Risk Management Policy, ABS Risk Appetite by category of risk, Risk Management Manual that operationalises the risk policy, and the ABS Risk Governance and Accountability arrangements.

2.24 The ABS uses a distributed risk governance model to provide oversight of risk, with program managers responsible for ensuring risk is within acceptable levels. While the ABS Executive Board has overarching responsibility for the oversight of risk, other committees are charged with facilitating discussion and ensuring that risk is being managed appropriately across the ABS. The ABS have a Chief Risk Officer in place, who is responsible for maintaining the ABS Enterprise Risk Management Framework, and risk management procedures and systems.

2.25 As a non-corporate Commonwealth entity, the ABS is required to implement the Commonwealth Risk Management Policy, which includes 22 specific requirements organised in nine policy elements.19 The ANAO assessed the extent to which the ABS Risk Management Framework complied with the Commonwealth Risk Management Policy.

2.26 Of the 22 requirements in the Commonwealth Risk Management Policy, the ABS Risk Management Framework met 20 and partly met two requirements. The ABS Risk Framework does not contain information on how risks are to be communicated to external stakeholders and does not fully detail the entity’s approach to embedding risk management into existing business processes.20

Census risk framework

2.27 In March 2018 the ABS established its Census Risk and Issues Management Plan. The ABS has revised that plan on five occasions to July 2020. The July 2020 version of the Census Risk and Issues Management Plan includes the Census Risk Appetite, risk and issues management process and approach, risk and issues templates, control assurance, escalation and reporting, and roles and responsibilities, including the role of the program assurer.

2.28 Under this Plan, the ABS has identified strategic and operational risks for the Census. High rated strategic risks are:

  • the ABS fails to deliver high quality data fit for purpose;
  • the ABS experiences a reduction in ‘social licence’ or loses the confidence of government, the Parliament and other key stakeholders;
  • the 2021 Census digital service (online channel) is unavailable or unable to effectively mitigate cyber attacks;
  • the ABS is unable to reach, engage and motivate the public to participate in the Census and does not achieve target response rates;
  • the ABS is unable to, or is perceived to be unable to, protect 2021 Census data; and
  • the Aboriginal and Torres Strait Islander participation rate is the same as 2016 or worsens.

2.29 The three Risk Advisory Panels, noted at paragraph 2.9, cover communications and citizen experience; security and ICT; and finance. There are no records to indicate why the Risk Advisory Panels were established to cover these particular risks and not other risks. The purpose of the Risk Advisory Panels is to alert the Census program to emerging risks; assess the adequacy and implementation of controls; and ensure that residual risks are managed by sound recovery and continuity strategies. At August 2020, the panels had not been convened.21

2.30 The ABS has engaged a program assurer for the Census since July 2018. The program assurer has produced an Assurance Map which outlines the assurance activities in progress, completed and proposed in the next year. This map is based on project milestones, risks and issues, direct requests from the ABS, and insights from the program assurer. However, as noted at Table 2.2, the Assurance Map is not well aligned with the extreme inherent risks or risks controls of the Census.

2.31 The ANAO reviewed the Census Risk and Issues Management Plan against 29 elements of the ABS Risk Management Framework.22 The Plan is partly consistent with the ABS Framework, with 20 elements mostly or fully consistent. However, there were some differences in elements such as: no treatment owner or timeframes for completion of treatment included in risk registers; no inclusion of a target risk rating; and insufficient detail23 in risk reporting requirements in governance committees’ terms of reference. The ABS should ensure that the Census Risk and Issues Management Plan is consistent with the ABS Framework, to support the effective management of risk consistent with Government expectations.

Audit Committee review of Census risks

2.32 The ABS has established an Audit Committee, in accordance with section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) and section 45 of the PGPA Act. The role of the Audit Committee is to provide independent advice and assurance to the accountable authority of an entity on the appropriateness of the entity’s accountability and control framework. According to the PGPA Rule, the functions of an audit committee must include reviewing the appropriateness of the entity’s financial reporting; performance reporting; system of risk oversight and management; and system of internal control.

2.33 The Audit Committee has a Charter approved by the Australian Statistician that contains most of the elements recommended by the Department of Finance.24 Of the eight elements, the Charter fully or mostly met seven, and did not meet the element to state the period of Audit Committee membership appointment. Although the Charter does not explicitly include provisions for the Census, it states that the role of the Audit Committee is to review and provide advice on how the ABS manages its key risks, including those associated with projects, program implementation and activities.

2.34 The Audit Committee has also considered broader ABS risks relevant to the Census, including the ABS Risk Framework refresh, performance statements work and the Fraud Control Plan. Though the developments to the ABS Risk Framework were discussed, strategic ABS risks were not regularly provided to the Audit Committee until July 2018.

2.35 The Audit Committee has not been kept fully appraised of Census-related activities, risks and program assurance. Starting in May 2019, the Audit Committee received updates on Census program risks and related risk management. The reviews completed by the Census program assurer were not provided to the Audit Committee. While the ABS provided a summary of completed reviews to its Audit Committee in November 2019, the findings and recommendations from those reviews were not outlined.

2.36 In May 2020 the ABS provided an update on Census security, privacy, risk landscape, and postponement of the Operational Readiness Exercise to the Audit Committee. The program assurer provided further verbal updates on the assurance program work. Information on completed assurance reviews, findings and recommendations were not provided to the Audit Committee.

2.37 The Audit Committee has not commissioned internal audits of planning and preparation for the 2021 Census. A proposed internal audit of the Census did not proceed.25 Previous internal audits provided to the Audit Committee relevant to the Census program included Records Destruction and the Australian Census Longitudinal Dataset 2016.

2.38 The ABS Audit Committee is not well positioned to provide consistent oversight of risks and assurance related to the 2021 Census. Given the role of the Audit Committee in providing assurance to the accountable authority, and the materiality of the Census to the objectives of the ABS, there is scope for the ABS to further engage its Audit Committee on its preparation for the 2021 Census.26

Appointment of the program assurer

2.39 The ABS engaged a program assurer for the Census program in July 2018. The program assurer had previously been contracted to provide specialist program management services and advice to the Census program. The services to be provided under the program management advice contract included:

  • leading the development of the ABS business case to Government on additional funding for the 2021 Census;
  • supporting the leadership of the Program Management Office (PMO) and Program Manager, including advising on the development of program management documentation, assisting to identify milestones and the critical path, and building risk management capability;
  • building and embedding project managing capability, practices and processes, as well as training and mentoring staff; and
  • assisting with the development of reporting capability.

2.40 During the procurement, the ABS tender evaluation committee identified that using the same firm for both services was a conflict of interest risk, and sought further information from the firm about managing the conflict.27 The ABS considered the further information provided by the firm and ceased the program advice contract in June 2018.

2.41 The ABS advised the ANAO that the program assurer’s approach to managing the conflict was to use different teams and leadership than when they provided project management advice. The program assurer also advised that it put a range of other measures in place, including restricting contact between teams, and systems based controls. The ABS did not document this approach in the initial meeting with the firm, in the tender evaluation committee evaluation, or in the spending proposal to the delegate.

2.42 The CEB has been appraised of the assurer’s activities. The program assurer attends CEB meetings, which have an item for interest declarations. The program assurer did not advise of any interests at these meetings. The CEB was made aware of the conflict of interest, and received advice that, as a result, the project advice contract would cease.

2.43 By ending one of the contracts, the ABS has taken an action to limit the conflict of interest risk. However, it was not clear that the ABS considered, during the procurement, that there may be a conflict of interest if that firm is to provide assurance related to its previous advice. There is scope for the ABS to brief the delegate on the actions that will be undertaken to manage such interests during procurements, to ensure any potential or perceived conflicts will be effectively managed.

Role of the program assurer

2.44 With limited oversight from the Audit Committee and lack of internal audit coverage, the Census program primarily relies on the program assurer to review the effectiveness of Census preparation and identify areas for improvement.28 The program assurance function is to undertake regular reviews of key risk and issues areas, and report on identified risk and issues management to the CEB. The program assurer also conducts less formal discovery assurance sessions, such as seminars and workshops. The program assurer regularly attends CEB meetings and presented reports and updates to it.

2.45 The program assurer has conducted eight reviews and two discovery assurance sessions in the period October 2018 to March 2020. The assurance reports cover various aspects of program delivery, such as digital service, program planning and program testing coverage. However, the assurance products do not fully align with the inherent extreme risks to the Census as identified by the ABS. This is outlined in Table 2.2.

Table 2.2: Mapping of assurance work to inherent extreme program risks

Inherent extreme program risks

Assurance activity

Risk and assurance alignment

Target response rates are not met

In-field support and command centre review

The Census experiences a reduction in ‘social licence’ and/or loses the confidence of government, the Parliament and other key stakeholders

The 2021 Census digital service (online channel) is unavailable or unable to effectively mitigate cyber attacks

Initial review

Census Communications fail to reach, engage and motivate the public to participate in the Census and does not achieve target response rates

Review of communication products

The Census is unable to, or is perceived to be unable to, protect 2021 Census data

IT security discovery session

Key external suppliers are unable to deliver on time, to quality and within budget during the Census

Government approvals and processes are not timely

Online and self-response targets are not met

User centred design review

The Aboriginal and Torres Strait Islander participation rate is the same as the 2016 Census or worsens

Inclusive strategies discovery session

Team dynamics review

Planning review and follow up review

Review of coverage in field tests

   

Key:  aligned; partly aligned; not aligned; – no comparable item.

Source: ANAO analysis.

2.46 The Assurance Map is not solely based on the extreme inherent risks or risk controls of the Census. As a consequence, six of 10 products of the program assurer address inherent extreme risks to the Census (including Aboriginal and Torres Strait Islander participation rate, protecting Census data, and digital service risks). The ABS does not have assurance on three of the nine inherent extreme Census risks. The ABS does not oversee the implementation of agreed actions from the assurance products.

Is the ABS implementing appropriate project management practices for the Census?

The ABS has been implementing largely appropriate project management practices from December 2019. It has established monitoring processes and in July 2020 finalised arrangements to assess and approve changes to the Census project.

2.47 Appropriate project management practices assist entities to ensure that project activities are undertaken in accordance with plans, issues are addressed as they arise, timeframes are met and the intended outcomes of projects are achieved. To assess the ABS’ management of projects, the ANAO examined the ABS’ arrangements for monitoring projects and the implementation of those arrangements.

Project monitoring arrangements

2.48 Project management arrangements were scoped out of the ABS Census governance framework. In the period from December 2016 to October 2019, the ABS did not have Census-specific policies or plans to monitor and control projects. Significant activity occurred during this time, such as developing the content, approving key plans and policies, and conducting major procurements.

2.49 From August 2018, the Program Manager met with the General Manager and the Senior Responsible Officer on the progress of Census activities and escalated related issues.29 The ABS retained the agendas for these meetings, which were held at least monthly from June 2019. It did not retain records of decisions made or reporting back on escalated issues to the Senior Responsible Officer.

2.50 The Program Manager held ‘weekly stand up’ meetings with the Census Leadership Group from February 2018 to report on progress across the Census.30 Attendees verbally reported on their area against four standard dot points.

2.51 In April 2019, the program assurer completed a review into how the ABS was managing the 2021 Census, in particular planning, monitoring and control, scope, and budget. It found that the ABS’ planning and control mechanisms for the 2021 Census demonstrated a transition to program management. However, a more consistent and integrated approach was required for effective delivery. The monitoring and control recommendations were that the ABS develop:

  • a monitoring policy and guidance, which it agreed to implement by the end of May 2019; and
  • a change policy to assess the impacts of proposed changes, which it agreed to implement without setting a deadline.

2.52 In October 2019, the program assurer completed a follow-up review and found that the ABS was in the process of implementing the recommendations. This review recommended that the ABS’ monitoring policy include a comparison against an established schedule. In December 2019 the ABS established Census-specific project status report guidance which outlined a process for project monitoring including risks, issues and progress against schedules.

2.53 The ANAO tested the Census project monitoring framework against the four relevant review recommendations and found the ABS had implemented three. The recommendations examined by the ANAO covered the frequency of reporting, agreed tolerances for red/amber/green status, the Senior Executive Service (SES) officers to receive the reports, and that reporting includes a comparison against planned progress (the critical path and mid-level schedule). The monitoring policies and procedures did not cover the timeliness of the reporting. This omission increases the chance that the reports are out of date when they are distributed.

2.54 The ABS committed to developing the framework by the end of May 2019 and did so in early October 2019. The ABS developed a draft process for assessing and approving changes to components of the Census budget in January 2020 and approved it in July 2020. The approval of the change process included comment that the ABS was trialling it in the first half of 2020 but the change documentation reviewed by the ANAO did not reference it.

Implementation of project monitoring

2.55 Since November 2019, managers of the 25 Census overarching projects are required to submit a monthly report to the PMO. The reports are to be based on a template prepared by the PMO and include the progress of the project, dependencies, risks, and issues, as well as the status of the project overall. The PMO is then to combine the completed templates into a report to the Program Manager and General Manager that presents commentary, the current and historical status of each overarching project, and the status of the Census overall. The Program Manager and General Manager then report to the Senior Responsible Officer by exception.31

2.56 The Program Manager and General Manager for the Census received monthly reporting from December 2019 onwards. The ANAO conducted sample testing on the use of the templates from December 2019 to April 2020 and found that, at the 95 per cent confidence level, the project leaders used the templates, filled them out, and that the reported status was consistent with the information provided. The PMO reviewed the 25 reports submitted for April 2020 and found they did not fully reconcile with the information in the project management software. The PMO conducted follow up reviews for the May reports, which were more consistent with the software data.

2.57 The ABS did not establish timeframes for the PMO to report to the Program Manager and General Manager. The ANAO examined the time period between the managers’ reporting deadline and when the PMO distributed the combined report to the SES project owners. For four of the six monthly reports from December 2019 to May 2020, the time lag was seven calendar days or less. For December 2019 it was 11 days and for April 2020 it was 14 days. There is merit in the ABS including in its project management arrangements a target period for reporting to the SES.

2.58 The ANAO tested whether the reporting to the SES described remedial action for overarching projects that were rated amber or red. Out of 64 cases where the ABS rated an overarching project amber or red, it described remedial action in 27 cases, as outlined in Table 2.3.

Table 2.3: Reported remedial action for Census overarching projects rated amber or red, November 2019 to May 2020

 

Improvement recorded

No improvement recorded

Total

Describes remedial action

5

22

27

No remedial action

0

37

37

Total

5

59

64

    

Source: ANAO analysis of ABS records.

2.59 The ABS finalised its change policy for the Census in July 2020. The program assurer recommended a change process so that the ABS would know the full consequences of variations to Census activities, particularly in relation to the schedule and the budget. The PMO developed a template in February 2020 for making changes to project names and dates.32 The template includes:

  • an assessment of impacts on other parts of the Census;
  • what internal consultations have been conducted to support this conclusion; and
  • Program Manager approval of date changes.

2.60 The ANAO examined whether the ABS considered the schedule and budget when it approved changes to the Census plan, by reviewing the project change register which had been in place since October 2019. Up to early April 2020, the register comprised 37 changes, of which 16 covered minor matters such as renaming parts of the plan. Excluding these, the analysis covered 21 changes, of which eight added detail to the plan and 13 considered the impact of the change on the Census schedule, or stated that dependencies were being managed.

Is the ABS making arrangements to conduct the Census efficiently?

The ABS has an efficiency measure for the Census. The ANAO was unable to provide assurance on the validity and reliability of the measure, however, it is consistent with a proxy measure developed by the ANAO from published ABS information. A report by the United Nations Economic Commission for Europe ranks Australia’s cost per capita as just under the average of a group of countries with similar Census methods.

2.61 Section 15 of the PGPA Act requires the Australian Statistician, as the accountable authority of the ABS, to promote the proper use and management of public resources for which the authority is responsible. Section 8 of the PGPA Act defines ‘proper’ to include efficiency.

2.62 The Auditing and Assurance Standards Board defines efficiency as the ‘performance principle relating to the minimisation of inputs employed to deliver the intended outputs in terms of quality, quantity and timing’.33

Efficiency measures at the ABS

2.63 Section 16E of the PGPA Rule 2014 requires Commonwealth entities to include performance measures in their corporate plans to indicate how they will assess their performance in achieving the entity’s purposes. The Department of Finance guidance states that ’Good performance measures will provide meaningful information on an entity’s purpose in terms of the effectiveness and efficiency of activities focused on that purpose.’34

2.64 The ABS corporate plan had measures for public trust in its statistics, partnerships with outside organisations, and new statistics for emerging priorities. It did not have an efficiency measure for the Census or an efficiency measure for its activities generally.35 Omitting an efficiency measure from its corporate plan limits the ability of the ABS to demonstrate to the public and the Parliament that it is properly managing the public resources for which it is responsible.

2.65 The ABS commissioned an internal audit into its performance measures, which reported in April 2020. The report noted that the ABS was not proposing an efficiency measure in its corporate plan for 2020–21 and recommended that the ABS consider one. Management responded that it would investigate an efficiency measure, including benchmarking against other countries’ statistical organisations.

Census efficiency measurement

2.66 The ABS measures its efficiency in conducting the Census through the calculation of cost per capita. The purpose of this measure is to compare relevant inputs (dollars) against relevant outputs (each person counted). While the ABS has not established an efficiency target for the Census, the measure has been used to identify trends over time and benchmark against other Census collection bodies.

ABS Census efficiency over time

2.67 The measure, as calculated by the ABS, suggests an efficiency gain from $22.72 per capita in 2011 to an estimated $21.74 per capita in 2016, as outlined in Figure 2.2. Examples of factors that have increased the costs of conducting the Census up to and including the 2011 Census are:

  • a higher proportion of people in the workforce means there are fewer people at home, requiring more visits from field staff;
  • an increase in the number of secure apartments, which require more time for field staff to gain access;
  • fewer people per dwelling; and
  • difficulty recruiting field staff, meaning that full time ABS employees must travel to some locations to conduct fieldwork.36

2.68 Internal ABS data indicated an efficiency improvement between 2011 and 2016. The ABS attributed this improvement in efficiency to cost savings through the use of an address register. This means the ABS can mail 80 per cent of households before the Census and invite people to participate in the Census online. The ABS advised it does not send field staff to households that participate online, which has reduced costs.

Figure 2.2: Census costs per capita, 2018 dollars

 

Source: ABS documentation.

2.69 While the ABS has retained data on aggregate Census costs from 1987–88 to 2015–16 it was unable to provide the ANAO with information about the components of these costs. Further, the ABS does not have documented procedures to calculate the measure. Without the underlying cost data and established procedures, the ANAO was unable to provide assurance on the validity and reliability of the ABS’ reported Census efficiency measure.

2.70 In the absence of a valid and reliable efficiency measure, the ANAO used information published by the ABS to develop a proxy measure of efficiency. This efficiency data is reproduced in Figure 2.3. It shows a drop in Census efficiency between 1996 and 2001, and then efficiency varying around $20 per head from 2001 to 2016. The efficiency improvement between 2011 and 2016 was $0.99 per capita.

Figure 2.3: Cost per capita, of the total Census and of field staff, 2020 dollars

 

Note: The ABS’ financial statements for 1995–96 and 1996–97 did not separately report salaries and superannuation for Census field staff.

Source: ANAO analysis of published ABS data.

2.71 Figure 2.3 also shows a decrease in field staff costs (salaries and superannuation) from 2011 to 2016, which correlates with the ABS’ efficiency measure.

Comparisons against other countries

2.72 The value of direct international comparisons of Census efficiency between countries can be limited due to variation in population distribution (impacting on economies of scale), varying data collection methods, and the frequency of Census collection (influencing retention of knowledge). The United Nations Economic Commission for Europe (UNECE) collects Census costs per capita from national Census collecting bodies, standardises the cost results and publishes each 10-year Census cycle for a selection of countries grouped by Census collection methods.37

2.73 The most recent UNECE report that included cost per capita data from Australia was published in 2008. The report used the ABS efficiency measure from the 2006 Census and ranks Australia in the middle of a group of countries with similar Census methods. Australia’s cost per capita, when standardised to units in US dollars was just under the group average, as outlined in Table 2.4.

Table 2.4: Measure of per capita Census costs, countries grouped by Census method

Country

Census cost per capitaa

France

3.4

Malta

5.4

United Kingdomb

6.5

Italy

6.5

Portugal

7.1

Austria

7.5

Slovakia

8.1

Australia

9.1

Luxembourg

10.6

Israel

10.8

Canada

11.1

Ireland

12.6

Czech Republic

19.3

United States

22.7

Average Group

10.1

  

Note a: Purchasing power parity units in US dollars. This measure is based on the purchasing power in the different countries standardised into one common measuring unit.

Note b: England and Wales.

Source: UNECE, Measuring population and housing: Practices of UNECE countries in the 2000 round of Censuses, 2008, p. 41.

Use of the efficiency measure

2.74 The CEB considered opportunities to improve efficiency with neither the savings nor the associated costs quantified. Since 2017, the ABS has made use of its Census efficiency measure and available cost data, including:

  • August 2017 — the CEB considered time series data on Census efficiency and some sensitivity analysis of its budget;
  • June 2018 — the CEB considered a range of savings measures (such as re-using the enumeration systems from 2016) and performance targets (online and self-response rates) which, combined with the efficiency dividend, would deliver $90.1 million in savings; and
  • December 2018 — the CEB considered that it would not realise these savings and it had commenced negotiations with government on increased funding.38

2.75 The inclusion of an enterprise efficiency measure in its performance measurement framework would better position the Australian Statistician to demonstrate proper use of public resources, as per section 15 of the PGPA Act. In addition, the development of procedures to calculate the Census cost per capita would support the validity of the measure and reliability over time. Together, the efficiency measures will provide greater insight into whether any efficiency gains in the preparation and conduct of the Census are being complimented or off-set by changes in the efficiency of other areas of the ABS.

Recommendation no.2

2.76 To assist the Australian Bureau of Statistics in complying with section 16 EA of the Public Governance, Performance and Accountability Rule 2014, the Australian Bureau of Statistics:

  1. include an efficiency measure in its performance framework; and
  2. develop procedures to support the validity and reliability of the existing Census efficiency measure.

Australian Bureau of Statistics response: Agreed.

2.77 The ABS agrees on the value of performance measures to ensure effective monitoring, and efficient use and management of public resources.

2.78 The ABS is including an efficiency measure in the ABS Performance Framework and is developing procedures to support the validity and reliability of the existing Census efficiency measure.

3. Developing IT systems for the 2021 Census

Areas examined

This chapter examines whether the Australian Bureau of Statistics (ABS) is taking appropriate steps in developing information technology (IT) systems for the 2021 Census.

Conclusion

The ABS is partly effective in its development of IT systems for the 2021 Census. Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers. The ABS has not put in place arrangements to ensure that improvements to its architecture framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.

Areas for improvement

The ANAO made three recommendations for the ABS to: assess the impact of non-compliance with IT architecture controls and mitigate unauthorised changes to Census systems; strengthen its assurance on data quality and privacy; and strengthen its cyber security.

3.1 Conducting a successful Census requires the ABS to establish appropriate processes to manage and secure its IT systems, collect and store data and manage the delivery of services by contractors. IT systems should support the ABS to demonstrate that it is meeting its legal and policy requirements, including but not limited to:

  • Australian Bureau of Statistics Act 1975;
  • Census and Statistics Act 1905;
  • Public Governance, Performance and Accountability Act 2013 (PGPA Act);
  • Privacy Act 1988;
  • Australian Government Protective Security Policy Framework (PSPF);
  • Australian Signals Directorate Information Security Manual (ISM); and
  • Archives Act 1983.

3.2 To assess whether the ABS is effectively developing IT systems for the 2021 Census, the ANAO reviewed the ABS’ development of a Census IT framework, data handling practices, cyber security measures and procurement for IT suppliers.

Does the ABS have an appropriate IT framework for the Census?

The IT framework that the ABS has established for the 2021 Census is largely appropriate. However, the ABS’ implementation of its IT framework is not complete. The ABS has not established a systematic process for managing risks associated with non-compliance. Census systems do not fully align with the ABS enterprise IT framework giving rise to risks in relation to system integration and compliance with legislation and ABS policy. The ABS has not established a process to mitigate the risk of unauthorised changes being implemented across systems supporting the Census.

3.3 ISACA defines an IT framework as covering the policies and procedures to manage an entity’s IT environment and support business objectives.39 The IT framework can consist of IT architectures, such as principles and standards, to support and guide the development of systems and applications. The ANAO reviewed the ABS’ enterprise IT framework, its integration with the Census IT framework and its implementation of controls for managing changes to its IT systems.

ABS enterprise IT framework

3.4 An enterprise IT strategy sets out the direction for an entity’s IT investment and supports consistency with business goals and objectives. The ABS has developed an IT Strategy to support its 2025 strategic priorities. The IT Strategy was endorsed by the Executive Board in June 2019.

3.5 The enterprise IT strategy specifies strategic alignment with program and business areas through initiatives in areas such as the Digital Census and the ABS Statistical Business Transformation Program. The ABS has in place further strategies at the program and business area levels, including for the Census. Governance frameworks have been established to support the implementation of the strategies at the program and business area levels.40

3.6 The ABS has defined an Architecture Governance Framework for its IT systems to ensure that systems conform to approved architecture specifications. Consistent with the Framework, the ABS has established an Architecture and Design Working group within the ABS Technology Services Division. The ABS has not implemented other governance structures specified in the Framework, such as an Architecture Committee and a Statistical and Data Process Optimisation Working Group.

3.7 The ABS has over 30 systems that support the operation of the Census and other ABS business areas. The ABS informed the ANAO that there are several architectures in use throughout the ABS, however, these architectures have not been consistently used to build ABS systems.41 The ABS chose not to implement intended controls across all systems due to the age of some systems. The ABS is focussing on aligning its important and newer systems, such as the Census eForm, with the architectures. The flexible application of architectures and controls across systems may increase the risk that ABS systems do not comply with legislation and policy requirements.

3.8 The ABS has not fully developed an enterprise architecture, which raises risks that systems:

  • may not align to strategic goals;
  • cannot efficiently and effectively adapt to changes in environment and requirements; and
  • are not interoperable (that is, they cannot work together where required).

Integration with the Census IT framework

3.9 The ABS has established a program-level strategy for the 2021 Census. The 2021 Census ICT Strategy specifies the strategies for supporting the 2021 Census such as the 2021 Census Investment Strategy.

3.10 The ABS Technology Services Division is responsible for managing the 2021 Census Investment Strategy. The Technology Services Division lead attends meetings of the Census Executive Board and provides updates to the ABS Executive Board, as required, in accordance with the Census governance framework.

3.11 The ABS has not developed a systematic process, with thresholds in place, for escalating issues related to the 2021 Census Investment Strategy. Escalation is driven by officials raising concerns with the Program Management Office, with the Program Management Office then determining whether to raise the issue with the Census Executive Board. There is a risk that the Board does not have oversight over emerging risks to critical success factors.

3.12 The major Census systems42 were built individually and have their own architectures. These systems did not utilise a common enterprise architecture during implementation. The ABS has not fully developed processes for ensuring alignment of existing Census systems with its enterprise architectures.

3.13 In April 2020 the ABS appointed a Data Architect to improve the management of Census data across ABS systems, including alignment of systems with enterprise architectures and required privacy controls. However, in the absence of an integrated IT framework, the ABS does not have an appropriate level of assurance that IT systems are aligned across its program and business area strategies, including the 2021 Census ICT Strategy, and that each is contributing to the required priorities.

System change controls

3.14 Change management is the process of designing, programming, testing and migrating system changes to the end user environment. Appropriate change management processes are important to prevent inconsistent and unauthorised changes being made. The ANAO reviewed the ABS’ change management processes at the enterprise and Census program levels and its implementation of system change controls.

Control implementation

3.15 The ABS has an established enterprise-wide process for managing system changes. Changes are to be presented to the Change Advisory Board for approval before migration to the ABS IT environment. The ABS uses a change management tool to approve and monitor requests for system changes. The Change Manager documents approved changes and reports major changes to the relevant fortnightly branch meetings. Approved requests are implemented by the relevant support team within the production environment.

3.16 The ABS has implemented development, testing and production environments to help control and segregate changes between production versions of applications. The ABS has defined officials who are responsible for approving system changes for particular systems. These officials are referred to as the owners of those systems.

3.17 The ABS has developed a draft test strategy for the 2021 Census to support the testing, review and approval of changes, including how changes interact with other programs such as Next Generation Infrastructure projects. The Census 2021 Test Strategy states how particular types of changes are treated and what artefacts are required to support decision making.

3.18 The ABS has small teams providing support for multiple systems and environments, increasing the risk that activities are not appropriately segregated and changes are made to production systems without approval. While the ABS monitors change requests throughout its enterprise-wide change management process, the monitoring focuses on change requests that have been submitted within the change management tool. The monitoring process does not address the risk of implemented changes that have not been requested for approval. Without mitigations for those changes that have not been registered within the change management tool, there is an increased risk of unauthorised or inappropriate changes being performed to the Census systems and the ABS environment.

Recommendation no.3

3.19 The Australian Bureau of Statistics strengthen its IT framework for the Census by:

  1. assessing the impact of non-compliance with Australian Bureau of Statistics standard architectures, including the impact on meeting legislative and policy requirements; and
  2. establishing appropriate controls for mitigating unauthorised and inappropriate system changes, specifically focussing on developers that have access to migrate their own changes to Census-related systems.

Australian Bureau of Statistics response: Agreed.

3.20 As part of the testing and independent assurance process for the 2021 Census, the ABS is assessing the implications of alignment with ABS standard architectures, and confirming they fully comply with appropriate legislative and policy requirements for the Census.

3.21 The ABS is in the process of strengthening its software configuration management controls to improve application change management practices. This will strengthen the controls preventing developers being able to migrate their own changes to Census-related systems.

Is the ABS establishing appropriate data handling practices?

The ABS is establishing partly appropriate data handling practices for the 2021 Census. The ABS has designed controls and arrangements to manage risks relating to data quality and protection of privacy. The ABS has not fully implemented controls for managing the quality and protection of 2021 Census data and does not have in place appropriate arrangements to monitor control implementation.

3.22 The ABS’ data handling practices was an identified risk following the 2016 Census.43 Data handling refers to the practice of assessing the sensitivity of information and implementing controls to secure information in alignment with its sensitivity. The ANAO examined ABS data handling arrangements with respect to its measures to support data quality and privacy.

Data quality framework

3.23 The ABS established an appropriate data quality framework, as part of its Corporate Manual, in 2012. The ABS Data Quality Framework is based on international frameworks. The Framework defines and frames data against seven dimensions of data quality to support the 2021 Census objective of high quality Census data.44 The key components of the Framework include a data quality plan, quality gates and system testing.45

Control implementation

3.24 The ABS 2021 Data Quality Plan specifies the high-level design of data quality controls for ensuring that the 2021 Census system requirements and designs are aligned with the Framework. The design specifies the use of quality gates to validate whether systems support operational requirements during field testing.

3.25 The ABS quality gate template covers an appropriate range of components in alignment with the ABS Data Quality Framework including quality measures, roles, tolerance, actions and evaluation. A review of a sample of Census quality gates was performed by the Census Data Quality and Statistical Risk business area as part of its October 2019 field test. Overall, the review found quality gates to be effective and recommended that the ABS continue implementing quality gates for the 2021 Census.

3.26 The review also noted weaknesses in the implementation of quality gates:

  • inconsistencies between the measures included in the quality gates (for example risk management and operational plans)46;
  • quality gate documents were too long and complex for staff; and
  • weaknesses in documentation and monitoring of actions after quality gates were signed off.

3.27 The ABS has undertaken to implement some improvements to the quality gate process to support its 2020 operational tests.

3.28 The ANAO reviewed the system documentation for two Census systems: the Census eForm and the MyWork application. The ABS has established test plans to support the verification of MyWork and eForm system functionality against requirements. However, the test plans do not include testing on data quality. Without the inclusion of data quality in test plans, the ABS will not have assurance that data captured, stored and transferred in relation to the tested systems adhere to the ABS Data Quality Framework.

Data privacy framework

3.29 The ABS has rated its privacy risks as inherently high or extreme. It has established an enterprise privacy framework — the ABS Privacy Framework — to manage privacy risks which includes elements specific to the Census. The key components of the Framework for managing the protection of privacy include a Privacy Management Plan, privacy impact assessments, Information Security Registered Assessors Program (IRAP) assessments and system security controls.

Control implementation

3.30 The ABS Privacy Management Plan provides defined roles, responsibilities and key activities to support privacy risk management. The controls to mitigate risks in the Privacy Management Plan align with the ABS Privacy Framework. Privacy risks are managed within the 2021 Census program by the Census Privacy Team, which reports to the Census General Manager. The Census Privacy Team consults the ABS Privacy Office on all medium and high impact activities. The Privacy Teams provide support and implementation of the relevant Work Plans across the ABS.

3.31 Privacy training is a key control outlined in the ABS Privacy Management Plan. The privacy training is consistent with privacy obligations against specific positions and roles supporting the Census. For example, privacy training for Census field officers includes guidance on how to correctly handle paper forms. The ABS privacy training is mandatory and conducted on an annual basis and must be performed regardless of whether staff gain access to systems. As of March 2020, 82 per cent of Census Division staff had completed the ABS Privacy Module for the year. The completion of training is monitored by Privacy Champions within each business area. The managers of each business area are responsible for ensuring officials complete the necessary training.

3.32 The ABS obtained privacy impact assessments of its data handling practices for consumer data47 and administrative data48 from consultants in March and April 2020, respectively. The privacy impact assessments covered the 13 Australian Privacy Principles (APPs).49 The ABS was assessed as compliant with the majority of the APPs. Improvements were noted in the areas relating to APP 11, Security of personal information.50 The ABS is progressing activities against APP 11, specifically independent security risk assessment for key systems supporting the Census. The program of independent security reviews has been specified in the 2021 Census Security Strategy.

3.33 Data management and privacy functions were defined in the design documents for the eForm and MyWork systems. However, the operation of the system security controls could not be confirmed as the implementation of the eForm and MyWork systems had not been completed at the time of audit testing.

3.34 As part of the ABS’ assurance program, the ABS Executive Board monitors the progress of implementation for privacy controls. The reports to the Executive Board are high-level and do not include whether privacy controls and requirements have been effectively implemented for each system.

Recommendation no.4

3.35 The Australian Bureau of Statistics obtain an appropriate level of assurance that the systems supporting the 2021 Census are meeting legal and Australian Bureau of Statistics policy requirements on data quality and privacy.

Australian Bureau of Statistics response: Agreed.

3.36 Meeting legal and policy requirements on data quality and protecting people’s privacy are key priorities for the ABS. The ABS has strengthened both internal and external assurance mechanisms to provide the appropriate level of assurance in relation to data quality and privacy. The Census Executive Board will receive assurances that:

  • All major Census processes and systems have been tested in the October 2020 Operational Readiness Exercise and assured against the ABS Data Quality Framework.
  • Rigorous data quality testing is in place for 2021.
  • Before systems are used for the Census, they have passed a comprehensive quality gate process. The quality gates include assurances on data quality, privacy and security.
  • The ABS is implementing the recommendations from the independent Privacy Impact Assessments (PIAs) on the 2021 Census, which were completed and published on the ABS website in July 2020.
  • The ABS has undertaken independent Information Security Registered Assessors Program (IRAP) assessments for Census systems.

Has the ABS established appropriate cyber security measures?

The ABS has established partly appropriate cyber security measures for the 2021 Census. The high-level measures and controls in the ABS’ cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented.

3.37 Maintaining public trust in the security of its data is fundamental to the ABS’ core business of producing trusted regional and national statistics for Australia. The ABS identified the inability, or perceived inability, to protect Census data as an inherently ‘extreme’ risk for the 2021 Census.

3.38 The ANAO reviewed the cyber security measures for the 2021 Census against the requirements in the PSPF. This requires non-corporate Commonwealth entities, such as the ABS, to implement the first four strategies of the Australian Cyber Security Centre’s Essential Eight. They are:

  • application control (to prevent execution of unapproved and malicious programs);
  • patch applications (to prevent execution of malicious code on systems);
  • restrict administrative privileges (only to trusted users); and
  • patch operating systems (to prevent the compromise of systems).

3.39 The PSPF also requires entities to consider which of the remaining Strategies to Mitigate Cyber Security Incidents developed by the Australian Cyber Security Centre (ACSC) they need to implement.

3.40 The ACSC recommends that entities implement the full Essential Eight51, which includes:

  • configure Microsoft Office macro settings (to block macros from the Internet);
  • user application hardening (to block Flash, ads and Java on the Internet);
  • multi-factor authentication (to make it harder for adversaries to access sensitive information and systems); and
  • daily backups (to ensure information can be accessed following a cyber security incident).

3.41 The PSPF requires that non-corporate Commonwealth entities report on their security each financial year to their portfolio minister and to the Attorney-General. Entities are required to self-assess their maturity for each of sixteen core requirements against the four levels in the PSPF Maturity Self-Assessment Model: Ad hoc, Developing, Managing or Embedded.

Cyber security strategy for the 2021 Census

3.42 The Census Delivery Committee endorsed an IT Security Strategy for the 2021 Census in February 2020. The strategy outlines the design of the ABS approach to implementing cyber security measures and establishes a scheme for identifying the criticality52 of systems.

3.43 The IT Security Strategy for the 2021 Census incorporates elements from the MacGibbon and Senate Committee reviews into the ABS’ risk management approach. These include establishing and conducting security tests of Census controls and management and the use of IRAP assessments.53 The high-level cyber security measures and controls outlined in the strategy are sound. Risks to system types are documented and appropriate controls to address risks are identified.

3.44 The strategy, however, did not:

  • state how identified risks will be managed until the desired maturity is reached;
  • identify when the required activities to address the associated risks will be completed; and
  • stipulate security requirements in service level agreements with third parties.

Cyber security strategies and controls

Cyber security mitigation strategies

3.45 In its 2018–19 PSPF self-assessment, the ABS reported that its compliance level with the Essential Eight strategies was ‘Developing’ (Level 2) under the PSPF. The ACSC reviewed the ABS’ compliance with the Essential Eight mitigation strategies in November 2019, as part of its Cyber Uplift sprint program. The ACSC’s review identified non-compliance in similar areas which was broadly consistent with the ABS’ self-assessment. The ACSC also highlighted additional issues with some mitigation strategies. The ABS has commenced remediation activities to address the issues raised by the ACSC’s review.54

3.46 The ACSC’s review stated that a longer-term investment will be required to meet the target maturity level. The ABS has allocated funding to projects to address the areas where the ACSC found lower compliance.

3.47 ABS IT Security conducted an internal audit in September 2019 and found eight out of 37 tested strategies to mitigate cyber security incidents were not achieving the required PSPF maturity level. In November 2019, the ABS Security Committee55 agreed to lifting maturity against the Essential Eight and that further work on the 37 strategies was not required.

3.48 The ABS informed the ANAO that it intends to implement its 2021 Census Security Strategy before the Census date. However, it has not set a target for the completion of its Essential Eight Uplift Program, which spans more than just the Census systems. There is a risk that the ABS’ Essential Eight uplift will not be implemented in time for the Census to provide sufficient coverage over the breadth of the ABS’ threat environment, as the ABS begins to introduce new products and systems in preparation for the 2021 Census.

3.49 The ABS has monitored and managed its threat and risk landscape in the interim through an established set of controls. The controls were introduced at the infrastructure or domain level, which provide good security foundations for Census systems. However, the controls have not been introduced into the ABS environment in a systemic way. There is no implementation plan for Census systems that sets the priority, funding and timing according to each system’s value, importance or sensitivity.

Assurance activities

3.50 The IT Security Strategy for the 2021 Census does not require assurance activities to be conducted within a defined timeframe. The ABS has defined a high-level deployment schedule for Census Systems, however, this does not detail the timeline for the implementation of the IT security strategies nor the IRAP assessments.

3.51 As of March 2020, the ABS had not conducted security tests of Census controls and management or completed an IRAP assessment of Census systems. In May 2020, the ABS commenced the process of having an IRAP conducted on its Census eForm system.

3.52 The ABS conducted two internal assessments of its cyber security mitigation strategies, as part of an internal audit in September 2019 and in its 2018–19 PSPF self-assessment in October 2019. These internal assessments did not identify weaknesses in areas identified in the ACSC’s review in November 2019.

3.53 In February 2020, the program assurer for the 2021 Census found that there was no consistent approach to system designs or requirement analysis, and that these could lead to an increased risk of systems not being delivered on time. The review included a number of agreed actions.56

Management of third parties and contractor services

3.54 The IT Security Strategy for the 2021 Census requires third party providers to use ‘secure-by-design’ development and independent security assessments for all Census systems they develop. The ABS does not require these to be included in the contracted service level agreements with third parties. The ABS relies on the general contract clauses that do not specify the requirement for secure-by-design development, however, it does specify the requirement for independent security assessments and working collaboratively with government.

3.55 In February 2020, the program assurer for the 2021 Census found unclear requirements and a lack of prioritisation, which could affect the timeframes for service delivery and security testing. Overall, there was insufficient evidence of measures in place to ensure that security controls are implemented, operated and maintained by the service provider, or whether a reassessment of security risks would be required if service changes were to occur.

Recommendation no.5

3.56 The Australian Bureau of Statistics:

  1. define timeframes and responsibilities for implementing the 2021 Census Security Strategy and the Essential Eight Uplift Program, especially for areas that are required prior to the 2021 Census; and
  2. ensure contracted services meet Australian Bureau of Statistics specific design and cyber security requirements, and performance of security controls are regularly assessed.

Australian Bureau of Statistics response: Agreed.

3.57 The ABS is updating documentation for program management of the Census to make explicit the timeframes and responsibilities for the implementation of the 2021 Census Security Strategy and the Essential Eight Uplift Program, especially for areas that are required prior to the 2021 Census.

3.58 The ABS is continuing to strengthen review and assurance practices to ensure contracted services meet ABS specific design and cyber security requirements and maintain appropriate compliance with security requirements and controls.

Is the ABS ensuring that IT suppliers deliver value for money?

The ABS has established IT supplier contracts that support value for money outcomes. The ABS has largely met key legal requirements for its Census IT procurements of $1 million or more.

3.59 The ABS has approached the market for IT suppliers to support its delivery of the 2021 Census. As of 30 June 2020, the ABS is undertaking nine IT procurements where the estimated value was at least $1 million. The contracts had a combined total of $37 million and were at different stages during the first half of 2020, as outlined in Table 3.1.

Table 3.1: Census IT procurements over $1 million

Procurement name

Estimated value

Approach to market date

Contract start

Stage at 30 June 2020a

Value at 30 June 2020a

Census Digital Service

$12,000,000–$15,000,000

17 September 2018

3 May 2019b

Contract commenced

$21,836,617

Paper Data Capture Software & Scanning Infrastructure

$4,400,000

1 November 2019

18 May 2020 and 27 May 2020c

Contracts commenced

$3,800,000

Field Staff Mobile Application

$2,500,000

5 February 2020

7 April 2020

Contract commenced

$1,525,087

Return Mail Registration Solution

$2,000,000

20 January 2020

9 June 2020

Contract commenced

$550,300

Provision and Support of the 2021 Census Chatbot

$1,100,000

12 February 2020

28 April 2020

Contract commenced

$891,116

Customer Relationship Management (CRM) Solution software

$1,000,000

11 November 2019

N/A

Tender under evaluation

N/A

CRM Solution implementation support services

17 January 2020

28 February 2020d

Contract commenced

$427,953

IT Service Management and Enterprise Monitoring Platform as a Service

$3,000,000

28 January 2020

1 April 2020

Contract commenced

$6,365,106

Operational Insights Program

$1,000,000

17 January 2020

3 March 2020e

Contract commenced

$1,576,268

           

Note a: The testing discussed from paragraph 3.66 was conducted as at 30 March 2020. Table 3.1 presents information as at June 2020 to provide more precision around contract value.

Note b: The Deed of Standing Offer for the Census Digital Service was dated 3 May 2019.

Note c: This procurement was split into two contracts for Paper Data Capture Software and Scanning Infrastructure.

Note d: An initial Work Order for the alpha phase for the CRM Solution implementation support services was signed 28 February 2020.

Note e: An initial Statement of Work was signed 3 March 2020.

Source: ABS documentation.

3.60 As noted at paragraph 2.61, the accountable authority of the ABS is required to promote the proper use and management of public resources under the PGPA Act. ABS officials are required to comply with the Commonwealth Procurement Rules (CPRs) when conducting procurements. Entities need to adopt processes that are not just technically compliant with the CPRs but are also consistent with their intent, which is to drive value for money through competition. Value for money requires a consideration of financial and non-financial costs and benefits including whole-of-life costs.

3.61 The ANAO reviewed the nine IT procurements in Table 3.1 as at March 2020 against key legal requirements in the PGPA Act and the CPRs relevant to the operation of the Census.57 The ANAO also examined the ABS’ contract negotiations with IT suppliers for the 2021 Census.

The ABS procurement and contract management framework

3.62 The ABS has established a procurement and contract management framework, consisting of the ABS Accountable Authority Instructions, Corporate Manual policies, guidance within the ABS intranet and procurement templates. The framework provides ABS officials with appropriate guidance and directs officials to the PGPA Act, CPRs and Department of Finance guidance.

3.63 The ABS’ Accountable Authority Instructions require that delegates must be satisfied that a procurement achieves value for money and complies with all of the CPRs.

3.64 The ABS’ Corporate Manual requires all procurement activity to be conducted in accordance with the PGPA Act. The Manual requires officials to follow the guidance within the ABS intranet and includes specific rules on IT procurement. The ABS intranet includes procurement guidance to ABS officials on conducting procurements. The guidance mandates the use of the ABS’ procurement templates for all procurements over $10,000.

3.65 The ABS has a suite of procurement templates, which it has used in seven of the nine IT procurements reviewed by the ANAO. The ABS Contract Management Policy approved in June 2020 requires contract managers to use the ABS Contract Management Framework templates in all procurements.

Engagement of IT suppliers for the 2021 Census

3.66 The ABS approached the market for the nine IT procurements for the 2021 Census with estimated values of over $1 million through six different methods of procurement:

  • an open approach to market through AusTender, for two procurements;
  • approaching suppliers under the Digital Transformation Agency Digital Marketplace Panel, for three procurements;
  • approaching one supplier under the ICT Professional Services — Treasury Portfolio Panel, for one procurement58;
  • approaching Amazon Web Services, under the Whole of Government Amazon Web Services arrangement, for one procurement;
  • approaching the Microsoft reseller59 under the Whole of Government Microsoft arrangement, for one procurement; and
  • establishing a limited tender, based on an identified absence of competition in the market for technical reasons.

3.67 All the procurement methods that the ABS used for the 2021 Census complied with the CPRs and ABS policy. The tenders for two of the three completed procurements at March 2020 (the Census Digital Service and support services for implementing a Customer Relationship Management solution) each received multiple bidders. The ABS used the Whole of Government Arrangement for the Operational Insights Program procurement. Competition between bidders and the use of whole of government arrangements contribute toward value for money outcomes.

3.68 The ANAO reviewed the procurement and contract management documentation for the nine IT procurements against 12 key legal requirements in the PGPA Act and the CPRs:

  • Approach to market: comply with additional rules for procurements over $80,000, including open tendering; publish open tender procurements on AusTender; estimate expected value before deciding on the procurement method; include a complete description in request documentation;
  • Tender evaluation: make a value for money assessment; assess tenderers solely on their ability to satisfy the conditions for participation in the request for tender; award the contract to the tenderer best able to undertake the contract and provide value for money;
  • Risk management: establish processes to identify, analyse, allocate and treat risk; consider risk when assessing value for money, spending money and determining contract terms; place obligations on suppliers proportionate to the assessed risks; and
  • Performance management: when applying a standard to goods or services make reasonable enquiries to determine supplier compliance with the standard; base specifications for goods and services on performance and functional requirements and international standards.
Approach to market

3.69 The ABS’ IT procurements for the 2021 Census have largely met key requirements for approaching the market. The ABS estimated the expected value of seven out of the nine IT procurements reviewed before a decision on the procurement method was made. The ABS also complied with the Division 2 rules in the CPRs for all open tenders. The ABS delegate did not approve a procurement plan that determined the estimated value before selecting the procurement method for the IT Service Management and Enterprise Monitoring Platform as a Service, and the Operational Insights Program procurements.

Tender evaluation

3.70 The three procurements with suppliers selected at March 2020 met the key requirements for evaluating tenderers (the Census Digital Service, support services for implementing a CRM solution and the Operational Insights Program). The delegate approved spending proposals for all three procurements based on value for money assessments that included both financial and non-financial factors, including whole-of-life costs.

Risk management

3.71 Seven out of the nine IT procurements met the key requirements for managing procurement risk. The ABS made risk assessments before deciding on the procurement method for seven of the nine procurements. The mitigations identified in the risk assessments were evident in the procurement processes for these seven IT procurements. The ABS delegate did not approve a risk assessment before selecting the procurement method for the IT Service Management and Enterprise Monitoring Platform as a Service, and the Operational Insights Program procurements.

Performance management

3.72 The ABS has met the legal requirements for performance management. The ABS applied standards relating to the usability of the end product to the contract solution requirements for the Census Digital Service. In March 2020, the ABS began planning to have independent testing conducted to determine whether the Census Digital Service end product will meet the contract standards. Although key external supplier delivery was deemed an inherent extreme risk, auditing vendor compliance with the standard was not included in the Assurance Map for the program assurer for the 2021 Census, as shown in Table 2.2.

3.73 The ABS included standards in the statement of requirements for the CRM implementation support services procurement. The tenderer for the CRM support services agreed to the Digital Marketplace Comprehensive Terms, which requires suppliers to comply with applicable international standards. Three procurements under evaluation also require tenderers to comply with applicable international standards. The IT Service Management and Enterprise Monitoring Platform as a Service and Operational Insights Program procurements were made under arrangements that require suppliers to comply with relevant Australian or international standards. The ABS did not determine whether a standard would be applicable for the goods and services in the Paper Data Capture or Return Mail Registration Solution procurements.

3.74 The ABS clearly set out specifications in terms of performance and functional requirements in the request documentation for all procurements. Request documentation required that deliverables comply with applicable international standards.

Contract negotiations with IT suppliers for the 2021 Census

3.75 The ABS conducted formal contract negotiations for the one IT procurement at the contract stage in March 2020. The Department of Finance’s BuyRight tool includes guidance on negotiations for procurements under $1 million.60

3.76 The ANAO reviewed the ABS’ negotiations with the IT supplier for the Census Digital Service against the guidance in the BuyRight tool. The ABS’ contract negotiations with the highest ranked tenderer for the Census Digital Service demonstrated the steps identified in the BuyRight tool.

3.77 The ABS sought a reduction of 20 per cent from the tendered price for the Census Digital Service of $34.4 million through its negotiations. The negotiations resolved key issues including increasing the tenderer’s liability cap and shifting the contracting approach from a fixed price to a maximum-capped price model. The ABS signed a Deed of Standing Offer with a maximum-capped price of $35.3 million. The Spending Proposal stated that the change in the contracting approach will allow greater flexibility through the use of agile development and harvesting savings where the ABS’ needs or priorities change.

4. Managing risk, recommendations and timeliness

Areas examined

This chapter examines whether the Australian Bureau of Statistics (ABS) is effectively addressing key Census risks, implementing past Census recommendations and ensuring timely delivery of the 2021 Census.

Conclusion

The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations and ensuring timely delivery of the 2021 Census. Further management attention is required on the implementation and assessment of risk controls.

Areas for improvement

The ANAO made two recommendations designed to strengthen the ABS’ implementation of risk controls and improve its oversight of implementing agreed recommendations.

The ANAO suggested that the ABS update its Census website quarterly and cover all the high-level milestones to aid transparency and build public trust.

4.1 Preparing for the Census requires the ABS to have commenced a range of activities years beforehand. To assess whether the ABS is effectively addressing key Census risks, implementing recommendations and ensuring timely delivery of the 2021 Census, the ANAO examined the ABS’ implementation of its risk management framework, arrangements to demonstrate whether recommendations have been fully closed and its progress against Census plans.

Is the ABS effectively addressing key Census risks?

The ABS has been partly effective in addressing key Census risks. The ABS has identified, reviewed and reported risk in accordance with its Risk and Issues Management Plan and the broader ABS framework, and has mostly embedded risk management in its key business processes. The ABS has not consistently implemented key risk controls and has not fully assessed control effectiveness as required in its Risk and Issues Management Plan.

Census risk identification and assessment

4.2 The ABS has had a Census Risk and Issues Management Plan (the Plan) in place since March 2018 (as discussed paragraph 2.27). The Plan sets out a broad process for the identification and assessment of Census risks. Key elements of the Plan include risk and issues management, escalation and reporting, templates, control assurance and the risk appetite for the Census. The ABS Risk Manual also sets out detailed steps for identifying risk.

4.3 The ABS sets out its risk appetite and tolerance for Census risk in the Plan. The risk appetite describes the appetite for broad categories of risk. The ABS has a generally low appetite for risk regarding the Census, with a medium appetite for some aspects of external engagement, meeting user expectations and financial sustainability.

4.4 Risk tolerance is assessed for each risk and is not a reflection of risk severity. The three categories are:

  • intolerable — proposed treatments are unlikely to make it tolerable and significant intervention is required;
  • developing — proposed treatments will likely make the risk tolerable. The likely effectiveness of treatments should be reviewed; and
  • tolerable — the risk is tolerable provided the effectiveness of the treatments is maintained.

4.5 Where tolerance was included in the Census program and strategic risk registers, all except one risk was rated as ‘developing’.

4.6 In accordance with its Census Risk and Issues Management Plan, the ABS established a Program Risk Register and a Strategic Risk Register for the Census. The ANAO tested the registers as at November 2019. The program level risks included risks identified by the ABS as material operational concerns that could jeopardise the success of the Census. The ABS rated nine of the Census program risks as extreme pre-mitigation. Some program risks aligned with Census strategic risks, such as ‘the Census experiences a reduction in social licence and/or loses the confidence of government, the Parliament and other key stakeholders’, and ‘the Census is unable to, or is perceived to be, unable to protect 2021 Census data’. In May 2020, four inherent program extreme risks that duplicated strategic risks were closed.

4.7 The strategic risks focused on the top 10 risks to the Census. These are risks aligned with the ABS’ enterprise strategic risks, defined as risks with the greatest potential to significantly harm the ABS. Census strategic risks included data protection, meeting customer needs and maintaining the ‘social licence’. Six of these risks were rated as extreme pre-mitigation, and high once controls have been considered.61 These were rated ‘developing’ in terms of risk tolerance.

4.8 The ANAO tested the implementation of the ABS’ Census strategic and program risk registers against 10 elements of the Plan.62 The ABS’ risk registers were fully or mostly in accordance with the Plan in seven out of 10 of the elements; and partly in accordance with the Plan for the remaining three elements. The three partly ratings were due to:

  • inconsistent application of risk controls and testing their effectiveness (discussed at paragraph 4.15)63;
  • the absence of documented likelihood, consequence (inherent and residual) and mitigations for risks listed in the strategic risk register; and
  • the lack of the ability to document in the strategic risk register further proposed treatments if residual risks were assessed by the ABS as intolerable.

4.9 The ABS Census risk registers at May 2020 documented the likelihood, consequence and mitigations, and required further treatments if the ABS were to assess a residual risk as intolerable.

Reviewing and reporting Census risk

4.10 The ABS Risk Framework emphasises the importance of risk monitoring and review. The ABS Risk Manual requires that risks are reviewed at least annually, and also after a major deliverable, and that monitoring occurs often enough to detect early warning signs that a risk is being realised. The Census Risk and Issues Management Plan outlines that strategic Census risks are to be reported to the Census Executive Board (CEB) quarterly, and Census program level risks are to be reported to the Census Delivery Committee (CDC) quarterly.

4.11 Quarterly reporting of Census risks has occurred through the CEB and CDC in accordance with the Census Risk and Issues Management Plan since March 2018. Further, the CEB has undertaken focused discussions on particular strategic risks at every meeting since December 2018, covering seven of the strategic risks to date.

Risk management in key business processes

4.12 The Commonwealth Risk Management Policy requires entities to ensure that risk management is embedded in key business processes.64 The ANAO tested whether risk management was embedded in the ABS’ processes to prepare for the Census. The ABS has largely embedded risk management in the Census program as outlined in Table 4.1.

Table 4.1: Risk management embedded in areas of the Census program

Program area

Is risk management embedded?

Strategic planning

Whether the governance plan, public communications strategy, information technology (IT) strategy, and documents defining scope and quality contained risk management provisions

Three quarter full Harvey ball

Establishment of governance arrangements

Whether the terms of reference of the CDC and the CEB contained risk management provisions, such as their role in managing risk

Full Harvey ball

The ABS’ contribution to government decisions, delivery, and decision making

Whether risk was considered in the decision making and delivery of the Census program, and in the ABS’ input into government decisions, in this instance the Census Regulations

Full Harvey ball

  

Key: Empty Harvey ball Criteria not met;  One quarter full Harvey ball Criteria partly met;  Three quarter full Harvey ball Criteria mostly met;  Full Harvey ball Criteria met

Source: ANAO analysis of ABS documents.

4.13 Risk management provisions are evident in the early strategic planning documentation, such as the design strategy and high-level governance plan. It is also included in the IT investment strategy. Risk management is not present in the data quality targets, and only partly included in the communications approach and strategy.

4.14 Risk management is embedded in the establishment of governance arrangements and decision-making through the CEB and CDC. The terms of reference for both forums included risk management arrangements. The ABS has also considered risk management in the development of regulations.65 During the development of the Census and Statistics Amendment (Statistical Information) Regulations 2020, the ABS conducted a focused analysis of the risk related to Government approvals.

Implementation and effectiveness of key risk controls

4.15 The Census Risk and Issues Management Plan includes a mandatory requirement to assess the effectiveness of critical or material controls on a quarterly basis.66 The ANAO examined the implementation of risk controls for the Census risks rated as inherently extreme.67

4.16 The implementation of the key risk controls and whether control effectiveness has been assessed is outlined in Table 4.2. Three out of the seven risk controls examined did not have a plan or policy for implementation, and six out of seven did not fully implement the control.

Table 4.2: Implementation of key controls for inherent extreme program risks

Risk control

Has a plan or policy been developed?

Has this control been implemented?

Has the ABS assessed the effectiveness of this control?

Public communications

Full Harvey ball

Three quarter full Harvey ball

Empty Harvey ball

Stakeholder engagement

Full Harvey ball

One quarter full Harvey ball

Empty Harvey ball

Response strategies

Full Harvey ball

One quarter full Harvey ball

One quarter full Harvey ball

Contract management training

Empty Harvey ball

Three quarter full Harvey ball

Full Harvey ball

Key suppliers culture and relationship management

Empty Harvey ball

One quarter full Harvey ball

One quarter full Harvey ball

Keeping the Minister and the Government informed

Full Harvey ball

One quarter full Harvey ball

Empty Harvey ball

Security of paper forms

Empty Harvey ball

Full Harvey ball

Full Harvey ball

    

Key: Empty Harvey ball Criteria not met;  One quarter full Harvey ball Criteria partly met;  Three quarter full Harvey ball Criteria mostly met;  Full Harvey ball Criteria met

Source: ANAO analysis of ABS documents.

4.17 Areas where risk controls were not fully implemented include:

  • the Minister was not informed of progress against agreed high-level milestones for the Census;
  • documentation was not provided to the ANAO to demonstrate that contract managers undertook contract management training;
  • not all required actions were undertaken;
  • supplier culture and relationship management was not consistently covered in governance plans, meeting documentation and progress reporting in two of the three supplier relationships examined68;
  • stakeholder engagement was not undertaken in accordance with the Census stakeholder engagement plan, with individual stakeholder management plans not drafted for high risk groups, no contact report template developed, and no planned approach for the stakeholder meetings that were undertaken; and
  • public communications activities as outlined in the Census Communication Approach occurred up to a year later than scheduled.

4.18 For five out of the seven risk controls tested, there was minimal or no evidence of effectiveness being assessed for the control as required by the Risk and Issues Management Plan. As risk controls are not consistently implemented and the effectiveness of those controls are not fully assessed, the ABS is not well positioned to assess if the controls are working as intended.

Recommendation no.6

4.19 The Australian Bureau of Statistics implement its risk controls and regularly and consistently monitor the effectiveness of those controls.

Australian Bureau of Statistics response: Agreed.

4.20 As ABS enters the last year of preparation for the 2021 Census, we are strengthening a range of governance, reporting and risk management approaches. This includes enhancing the visibility and monitoring of risk controls. Project management software is being used to improve the regularity and quality of reporting. The Census Executive Board is monitoring the control effectiveness through a rolling program of Deep Dives on each strategic risk. This rolling program of monitoring has been in place since December 2018.

Is the ABS effectively implementing past Census recommendations?

ANAO analysis indicates that the ABS’ post-review activities align with 27 out of the 29 agreed recommendations. In the absence of effective governance oversight arrangements to monitor and report on the implementation of recommendations, the ABS does not have sufficient assurance that it has appropriately addressed the identified issues.

4.21 Formally responding to a recommendation formalises the government or entity’s commitment to implement it and improve that area of public administration. Effectively implementing agreed recommendations requires planning and oversight to set clear responsibilities, timeframes and reporting requirements.

4.22 As outlined in paragraph 1.16, three major reviews were undertaken following the 2016 Census:

  • Senate Economics References Committee — 2016 Census issues of trust;
  • Mr Alastair MacGibbon — Review of the Events Surrounding the 2016 eCensus; and
  • Independent Assurance Panel — Report on the Quality of the 2016 Census Data.

4.23 The Government tabled a response in the Parliament to the Senate Committee report. The Minister responsible for the ABS issued a media release stating that the Government accepted the MacGibbon recommendations.69 The ABS stated in its 2016–17 annual report that it would use the Panel’s report in delivering the 2021 Census.70 The three reviews raised a total of 36 recommendations of which 29 were agreed to by the ABS or the Government on behalf of the ABS (see Appendix 2 for a list of recommendations).71 The recommendations covered some overlapping themes as outlined in Table 4.3.

Table 4.3: Categories of recommendations made to the ABS after the 2016 Census

Topic

Senate Economics References Committee

MacGibbon

Independent Assurance Panel

IT development

2

1

0

Privacy

3

3

1

Data collection

1

0

5

Communications with external stakeholders

1

1

0

IT procurement

2

2

0

Fines

2

0

0

Ministerial briefings

1

1a

0

Independent Assurance Panels

0

1

1

Governance

0

1

0

Data breaches

1

0

0

Recommendations to the Government

6

0

0

Total

19

10

7

    

Note a: The statement in the MacGibbon report that the ABS should report monthly to the Minister on implementing the report’s recommendation was treated as the 10th recommendation in the report.

Source: Senate Economics References Committee — 2016 Census issues of trust; Alastair MacGibbon — Review of the Events Surrounding the 2016 eCensus; Independent Assurance Panel — Report on the Quality of the 2016 Census Data.

4.24 The ABS informed the ANAO that it had addressed all recommendations made in respect of the 2016 Census.

Governance oversight of recommendations

4.25 Strong senior management oversight and implementation planning with clear responsibilities and timeframes supports the successful implementation of recommendations.

4.26 The ABS had a system in place to support monthly reporting to the Minister on its progress against the nine accepted MacGibbon recommendations. In June 2017 the ABS advised the Minister that it had implemented seven recommendations and that the remaining two (recommendation 3 for a privacy management plan and recommendation 9 for a communication strategy) were on track. It also advised that reporting of the progress and finalisation of the two remaining recommendations would be included in the general fortnightly briefs to the Minister. However, the ABS did not further report to the Minister on the status of the two outstanding recommendations.72

4.27 The ABS did not have in place arrangements to monitor and report on the implementation of the other agreed recommendations made by reviewers. While the ABS informed the ANAO that it had monitored the implementation of all recommendations, it was unable to provide implementation plans, evidence of tracking or internal reporting on the implementation of recommendations to the ANAO.

4.28 The ABS did not report to the Minister, senior management or its Audit Committee on the progress or the completion of implementing the recommendations made by the Senate Economics References Committee or the Independent Assessment Panel.73 Overall, the ABS did not have effective governance arrangements to assure itself that it had fully implemented all agreed recommendations from the reviews.

Progress in implementing recommendations

4.29 In the absence of appropriate governance oversight, the ANAO was unable to rely on existing controls in assessing whether the ABS had fully implemented agreed recommendations. As a consequence, the ANAO examined additional documentation on the implementation of the 29 agreed recommendations.74

4.30 ANAO analysis indicated that a range of activities had been undertaken by the ABS to address 27 of the 29 agreed recommendations including:

  • preparing an Address Register Strategy to improve the data and manage costs;
  • identifying a range of services to be provided to special needs groups and how these would be accessed through the Customer Contact Centre;
  • developing a communications strategy with education activities to occur between January 2020 and April 2021;
  • engaging the Australian Cyber Security Centre and an external party to perform security assessments of Census-supporting infrastructure and systems, which included a review of security incident response planning and coordination; and
  • engaging an external party to perform a Privacy Impact Assessment and updating policy and procedures for handling personal information.

4.31 The ANAO was not able to directly link the ABS’ post-review activities to two agreed recommendations. For MacGibbon recommendation 7 on cultural change, the ABS did not demonstrate implementation of three items in the plan it presented to the Minister: consulting with stakeholders on its draft plan; finalising the plan; and reporting back to stakeholders on implementing the plan.

4.32 The second recommendation of the Senate Economics References Committee was for the ABS to develop internal guidelines encouraging active engagement with business and non-government organisations. The ABS developed stakeholder guidelines in 2017 that mentioned these groups but did not encourage active consultation with them. The ABS provided evidence that it has been consulting with non-government organisations on the Census.

4.33 The ABS commissioned a management initiated review from its internal auditor to obtain assurance on whether the ABS had implemented seven recommendations from the 2016 Census, including the two discussed above. At August 2020, this internal audit had progressed to fieldwork.

Recommendation no.7

4.34 The Australian Bureau of Statistics:

  1. establish oversight arrangements to monitor the progress of the implementation of agreed recommendations from external reviews; and
  2. assure itself that it has fully implemented all agreed recommendations.

Australian Bureau of Statistics response: Agreed.

4.35 The ABS has enhanced its existing oversight arrangements with the ABS Audit Committee, to enable them to monitor the implementation of the recommendations from external reviews.

4.36 The ABS has engaged its internal auditors and independent Census assurers to review the implementation of all agreed recommendations from the three reviews of the 2016 Census. This will enable ABS to assure itself that it has fully implemented all agreed recommendations.

Is the ABS effectively monitoring progress against its schedule for the 2021 Census?

Since January 2020, the ABS has been largely effective at monitoring the progress of activities for the 2021 Census. ABS Census projections in 2018 and 2019 were generally ‘on track’. Throughout 2020 the Census has been ‘at risk’. ANAO testing of 17 key tasks indicated that four were reported complete at least three months prior to actual completion. The ABS has accurately reported key activities, decisions and issues to the Minister in a timely manner. Public reporting on progress with the Census is accurate but could cover a wider range of topics.

4.37 Monitoring the completion of tasks against an established schedule and accurately reporting on this progress assists entities, the Minister and stakeholders to know whether milestones are on track to be delivered as planned. In order to assess the effectiveness of the ABS’ monitoring and reporting of the progress of Census activities, the ANAO examined whether:

  • the ABS has completed key milestones and tasks on schedule;
  • projections indicate the Census is on schedule;
  • the ABS has reported the progress of Census 2021 activities to the Minister accurately; and
  • the ABS has reported the progress of Census 2021 activities to the public accurately.

Completion of key Census milestones and tasks

4.38 The Census comprises many tasks and milestones. In some cases, the ABS needs to complete a task or milestone in order to start another. These dependencies mean that some tasks and milestones are particularly important because a delay in one part of a project could delay it overall. The ABS sometimes referred to these as ‘hard tasks’. It has used several systems to monitor the progress of the 2021 Census. The main systems the ABS used to monitor progress are outlined in Box 3.

Box 3: How the ABS has monitored progress of the 2021 Census

February 2018 to September 2019

The CEB and CDC received reporting on six or seven ‘streams’, some of which were divided into sub-streams, with red/amber/green status. The CEB received this report in March 2018 and quarterly between September 2018 and September 2019 and the CDC received the report in February 2018 and quarterly between November 2018 and August 2019. The reports occasionally referred to dependencies.

June 2018 to June 2019

The ABS reported the status of tasks underway to each meeting of the CEB and CDC.a As at June 2019, there were 373 tasks (sub-projects). This approach categorised tasks as hard or soft. A delay in a hard task would have consequences for the progress of the Census overall. The ABS did not describe the dependencies.

October 2019 to May 2020

The ABS developed the revised Census schedule in October 2019 and entered the tasks into project management software. Within the software, it grouped the tasks into 25 overarching, multi-year projects such as field operations management, the Census Digital Service, and logistics. From November 2019, the ABS has reported the red/amber/green status of the overarching projects each month to the Census Program Management Office (PMO). From December 2019, the PMO produced a compiled report that it provided to senior management and the governance committees.

The PMO also used the data in the project management software to prepare a critical path report that aggregated the 25 overarching projects into eight areas. Some of the areas stood alone and some were linked. The critical path comprised 32 soft events and 23 hard events. The ABS included the critical path report in the meeting papers for the CEB and CDC.

Note a: Tasks varied significantly in complexity, from identifying providers for key Census services or signing particular contracts, to setting up the contact and data operations centres.

4.39 From February 2018 to September 2019, the ABS’ reporting was sufficient to inform the CEB and CDC of the current status of the Census. However, this reporting did not inform the CEB and CDC of the future state and emerging risks to the Census as it did not track tasks against an initial plan and did not report the progress of tasks in a consistent manner.

4.40 ANAO analysis of reporting to the CEB and CDC indicates that the ABS was on-track to complete key deliverables by the original planned dates for the majority of tasks. Between June 2018 and June 2019 the ABS commenced 366 Census tasks, of which 75 had been reported as completed at the end of the period.75 See Figure 4.1.

Figure 4.1: Reported status of tasks commenced for the 2021 Census as at June 2019

 

Source: ANAO analysis of CEB and CDC papers.

4.41 The Census had 45 delayed tasks. The average delay was 2.4 months. Forty-one delayed tasks had soft milestones.76 The remaining four of the delayed tasks were hard milestones and related to content, logistics, operational intelligence and public communications. Their average delay was 1.8 months, however, the ABS recorded them as being on track. From November 2019 to May 2020 the ABS generally reported the corresponding overarching projects with green status, except for operational intelligence, indicating no material effect from the delay to the hard milestone.

4.42 The hard milestone for operational intelligence was to make a decision on the technology solution for the command centre. The program assurer’s review of IT for the command centre, finalised in February 2020, noted a lack of clarity in requirements and design leading to delays and risk of re-work. The overarching project for operational intelligence has reported amber and red status, with an improvement in May 2020 due to additional staff.

4.43 The ANAO reviewed 17 tasks with hard milestones or that were included in the critical path produced in November 2019, and that were planned for completion prior to 31 March 2020.77 The aim was to establish whether the ABS reasonably estimated the timeframes of tasks, has been completing tasks in line with its plan, and whether the ABS was accurately reporting the status of tasks.

4.44 ANAO analysis of documentation for the 17 tasks found the ABS had completed all tasks. Of these, one was completed between one and three months late, four were completed three to six months late and one was completed over six months late. Approximately one third of these milestones were late. Further, four tasks were completed at least three months after being reported as complete to the CDC and CEB.

4.45 The delays in completing critical tasks and milestones increases the risk that the 2021 Census will not be delivered in an effective manner. The lack of accuracy in reporting to the CEB and CDC limited their ability to take informed decisions on additional actions needed to deliver the 2021 Census in a timely way.

Projected timeliness of the 2021 Census

4.46 From February 2018, the ABS reported the overall status (red/amber/green) of the Census to the CEB and CDC at each of their quarterly meetings (the CDC meets a month before the CEB). The status of the Census in 2018 and 2019 was generally green, except for February and March 2019, when its status was amber due to budget.78 The reporting in 2020 has recorded the status as amber for delays in preparations for the Operational Readiness Exercise (the major field test originally scheduled for August 2020) and the impact of COVID-19.

4.47 The overarching projects and overall reporting are summarised in Table 4.4. These status reports show that the underlying and headline reporting on the implementation of the overarching projects and the Census overall is consistent and that the Census has been rated amber throughout 2020.

4.48 The CDC and CEB receive the status reports in dashboard form. Their discussions regarding the amber status of the Census focussed on the implications to the Operational Readiness Exercise (the major field test). The CEB decided in March 2020 to reschedule the Operational Readiness Exercise from August 2020 to October or November 2020.

Table 4.4: Internal reporting of the projected timeliness of the 25 Census overarching projects and the Census overall

 

Nov 2019

Dec 2019

Jan 2020

Feb 2020

Mar 2020

Apr 2020

May 2020

Green

16

16

14

13

13

11

13

Amber

6

7

8

9

12

14

12

Red

0

2

3

3

0

0

0

No report

3

0

0

0

0

0

0

Overall

Green

NA

Amber

Amber

NA

Amber

Amber

        

Source: ANAO analysis of ABS records.

4.49 The projected timeliness of the Census improved between February and May 2020. Implementation of the program assurer’s recommendations made in relation to project management practices in Chapter 2 will increase the ABS’ chances of delivering a timely Census.

Reporting of progress to the Minister

4.50 As the accountable authority for the ABS, the Australian Statistician has a duty to ensure the responsible Minister is informed about ABS activities, decisions and issues in a timely manner as per section 19 of the PGPA Act. The ABS reports on its activities to the Minister in fortnightly briefings; these often involve commentary on the Census. Additionally the ABS provides Census-specific briefings to the Minister on a quarterly basis after each CEB meeting.

4.51 ANAO analysis found that the ABS had accurately informed the Minister of significant activities and decisions relating to the Census in a timely manner via the briefings after CEB meetings.

Reporting of Census progress to the public

4.52 The ABS publicly reports on its performance and activities through a number of publications including its annual reports, corporate plans, the ABS website and Census 2021 website. The ABS has not defined any formal performance measures nor has it reported on the progress relating to the 2021 Census as part of its performance statements.

4.53 The MacGibbon report in 2016 stated that a lack of communication with the public ‘opened the door for speculation’ and undermined public trust.79 It is therefore important that the ABS communicates in a timely and accurate manner about the progress of the Census. MacGibbon further noted that whilst the ABS had a ‘well formed and prepared communications strategy’ it did not adequately cover its ‘digital first’ approach and concerns around security and privacy.80

4.54 The ABS’ public reporting on the status of Census planning activities was primarily undertaken through the Census 2021 website and the ABS 2018–19 Annual Report. In June 2017, the CEB defined 50 high-level milestones for Census 2021.81 ANAO analysis found that the ABS had publicly reported on nine high-level milestones. The ABS last updated its Census 2021 website in September 2019. There is merit in the ABS updating its website quarterly with progress against a broader range of milestones to improve transparency.

4.55 The ANAO assessed 12 specific claims made by the ABS regarding the progress of key Census activities through its corporate publications to verify the accuracy of public reporting. All 12 claims were verified with supporting documentation.

Appendices

Appendix 1 Entity response

Response from the Australian Bureau of Statistics

Appendix 2 ANAO testing of ABS’ implementation of review recommendations

Table A.1: Senate Economics References Committee — 2016 Census: issues of trust

Senate Economics References Committee — 2016 Census: issues of trust

Government response

Implementation

1. (a). The committee recommends that all future Privacy Impact Assessments relating to the Census, are conducted externally with the final report published on the ABS website 12 months in advance of the Census to which it relates.

1. (b). Following the release of a PIA recommending changes to future Censuses, consultation across the Australian community should be undertaken by the ABS with the outcomes clearly documented on the ABS website no less than six months before a future Census.

Agreed

Implemented

2. The committee recommends that the ABS update its internal guidelines to make clear that consultation requires active engagement with the non-government and private sector.

Agreed

Not implemented

3. The committee recommends that the ABS publicly commit to reporting any breach of Census-related data to the Office of the Australian Information Commissioner within one week of becoming aware of the breach.

Agreed in principle

ABS complies with government response

4. The committee recommends that the Australian Government commit the necessary funding for the 2021 Census in the 2017–18 Budget.

Noted

NA

5. The committee recommends that the ABS conduct open tendering processes for future Census solutions requiring the participation of the private sector.

Noted

ABS complies with government response

6. The committee recommends that the ABS give greater attention to intellectual property provisions in contracts that include licensing and royalty arrangements.

Agreed

Implemented

7. The committee recommends that the 2021 eCensus application be subject to an Information Security Registered Assessors Program Assessment.

Agreed

Implemented

8. The committee recommends that the ABS take a more proactive role in validating the resilience of the eCensus application for the 2021 Census.

Agreed

Implemented

9. The committee recommends that the Department of Finance review its ICT Investment Approval Process to ensure that projects such as the 2016 Census are covered by the cabinet two-pass process.

Noted

NA

10. The committee recommends that the Australian Government provide portfolio stability for the ABS.

Noted

NA

11. The committee recommends responsible ministers seek six-monthly briefings on the progress of Census preparations. These briefings should cover issues including, but not limited to, cyber security, system redundancy, procurement processes and the capacity of the ABS to manage risks associated with the Census.

Noted

ABS complies with government response

12. The committee recommends that the ABS consider establishing a dedicated telephone assistance line for people who require special assistance in completing the Census.

Noted

ABS complies with government response

13. The committee recommends that the maximum value of fines and any other penalties relating to the Census be explicitly stated.

Agreed

Implemented

14. The committee recommends that the Australian Bureau of Statistics develop a clear communications strategy outlining the outcomes for non-compliance with the Census, including resolution processes and the value of possible penalties.

Agreed

Implemented

15. The committee recommends that the Australian Government provide sufficient funding for the ABS to undertake its legislated functions to a continued high standard.

Noted

NA

16. The committee recommends that the responsible minister act as a matter of urgency to assist the ABS in filling senior positions left vacant for greater than 6 months.

Not agreed

NA

Senators’ additional recommendations

1. There should be a legislative amendment to the Census and Statistics Act 1905 to make clear that the provision of a person’s name is voluntary.

Not agreed

NA

2. Prior to any linking of Census data to other administrative data sets or to the adoption and implementation of SLCD, such changes must be brought to the Parliament for its consideration and approval.

Not agreed

NA

3. A new independent Privacy Impact Assessment is performed on the changes to the Census within the next 6 months, the outcome of which must determine the acceptability of the changes made to the management of Census data after the 2016 Census.

Not agreed

ABS complies with government response

     

Source: Senate Economics References Committee, 2016 Census: issues of trust and ANAO analysis of ABS documents.

Table A.2: MacGibbon Report — Review of the Events Surrounding the 2016 eCensus

MacGibbon Report — Review of the Events Surrounding the 2016 eCensus

Government response

Implementation

1. The ABS should engage an independent security consultant for a wide-ranging examination of all aspects of their information collection and storage relating to Census data — from web application through to infrastructure and policies.

Accepted

Implemented

2. The ABS should ensure future significant changes to personal information handling practices are subject to an independently-conducted privacy impact assessment and are supported by broad ranging consultation.

Accepted

Implemented

3. The ABS should adopt a privacy management plan to enhance its capability to identify and manage privacy issues.

Accepted

Implemented

4. The ABS should assess and enhance existing ABS privacy training for staff.

Accepted

Implemented

5. The ABS should develop a specific strategy to remove the current state of vendor lock-in.

Accepted

Implemented

6. The ABS should strengthen its approach to outsourced ICT supplier performance management to ensure greater oversight and accountability.

Accepted

Implemented

7. The ABS should draw upon the lessons it takes from the Census experience to help to guide and to advocate for the cultural change path it is following.

Accepted

Not implemented

8. The ABS’ decision in August to assemble an independent panel to provide assurance and transparency of Census quality is supported and the resulting report should be made public.

Accepted

Implemented

9. The ABS should implement a targeted communication strategy to address public perceptions about Census data quality.

Accepted

Implemented

The ABS should report monthly to their Minister outlining progress against the above [MacGibbon] recommendations.

Accepted

Implemented

Better Practice Guidance for entities

1. Agencies should review their approach to cyber security incident response planning and coordination and exercising of those plans with stakeholders.

Nil

Implemented

2. Agencies should ensure independent security assessments are conducted on critical ICT deliverables.

Nil

Not implemented

3. Agencies should test security measures and monitoring systems for online government services under foreseeable adverse conditions, including under attack conditions.

Nil

Not implemented

4. Agencies should be conscious of updated interpretations of governing legislation to addressing the changing technological environment. Agencies should review their oversight and assurance arrangements for outsourced cyber security services.

Nil

Implemented

5. The Office of the Australian Information Commissioner has recommended the government develop an APS-wide Privacy Code in collaboration with the Office. The Code should address privacy and security risks by requiring all agencies to:

  • have an up-to-date privacy management plan
  • appoint dedicated privacy contact officers
  • appoint ‘Privacy Champions’
  • undertake written Privacy Impact Assessments where relevant, and
  • take steps to enhance internal privacy capability.

Nil

ABS complies with proposed Code

     

Source: Alastair MacGibbon Review of the Events Surrounding the 2016 eCensus and ANAO analysis of ABS documents.

Table A.3: Independent Assurance Panel — Report on the Quality of 2016 Census Data

Independent Assurance Panel — Report on the Quality of 2016 Census Data

ABS response

Implementation

1. The change in collection approach led to challenges in the determination of whether dwellings were occupied on Census night, which impacts on the number of people that are imputed and the overall Census response rate. The ABS should consider new approaches to improve the accuracy of occupancy determination in future Censuses. This could involve administrative data sources or a special survey of non-responding dwellings as is done in Canada.

Accepted

Implemented

2. The results of the Post Enumeration Survey indicated that the Census person imputation can be improved. The ABS should consider new approaches to person imputation for future Censuses, including post-Census adjustments based on the Post Enumeration Survey down to small area geographies.

Accepted

Implemented

3. The use of the Address Register likely led to the increase in the number of dwellings that have no information for their structure type, as well as a decrease in the proportion of dwellings classified as flats and apartments attached to houses. While the proportion of the overall dwelling stock that these issues affect is small, improved field procedures or access to administrative files could lessen the impact of this in future Censuses.

Accepted

Implemented

4. The 2016 Census results for Aboriginal and Torres Strait Islander peoples are comparable to those from the 2011 Census, although the coverage of these populations remains lower than that of the general population. Given the importance of producing representative information about Aboriginal and Torres Strait Islander peoples, the ABS should consider ways of improving the coverage of these populations ahead of future Censuses, in consultation with Aboriginal and Torres Strait Islander communities.

Accepted

Implemented

5. Even though their contribution to the overall population is small, the lower response rate for non-private dwellings has had some effect on quality. Methods for improving the response rate and/or the accuracy of identifying the number of non-responding persons in non-private dwellings for whom imputation is necessary should be investigated.

Accepted

Implemented

6. Given the decline in the reporting of date of birth and the reduced proportion of people choosing to have their form retained by the National Archives, the ABS should consider how it can best respond to privacy concerns for future Censuses and provide appropriate assurances to the public. In particular, the ABS should consider sourcing an external Privacy Impact Assessment for future Censuses.

Accepted

Implemented

7. The establishment of an Independent Assurance Panel to review the quality of Census data provides greater transparency and accountability. The establishment of such a Panel should be repeated for future Censuses to provide additional assurance on the quality of the valuable national resource that is the Australian Census. If this measure is pursued for future Censuses, the ABS should have regard to the timeframe for completion of this work, noting the limitations associated with delivering a report coincident with the release of the Census data.

Accepted

Implemented

     

Source: Independent Assurance Panel Report on the Quality of 2016 Census Data and ANAO analysis of ABS documents.

Table A.4: Auditor-General Report — Statistical Business Transformation Program — Managing Risk

Auditor-General Report — Statistical Business Transformation Program — Managing Risk

ABS response

Implementation

1. The ABS:

  1. finalise its risk management framework and ensure that the revised framework complies with the Commonwealth Risk Management Policy and is embedded into its processes and procedures; and
  2. implement an effective process to manage strategic risks.

Agreed

  1. Implemented
  2. NA

2. The ABS update the total Program cost estimate, incorporating all work yet to be completed in accordance with the revised Program schedule, and effectively manage the Program budget to ensure that the Program achieves the intended benefits and meets Program outcomes.

Agreed

NA

3. The ABS monitor Program risk treatments and take action when treatments are not effective.

Agreed

NA

     

Source: Auditor-General Report No. 5 (2018–19) Statistical Business Transformation Program — Managing Risk and ANAO analysis of ABS documents.

Footnotes

1 In the 2006 and 2011 Censuses, the ABS provided households with a paper form, as well as the option of entering data online.

2 This includes recommendations in the Senate Committee report where the Government stated in its response that it was already performing the recommended action or it would take different but related action.

3 Section 8.

4 ‘Enumerate’ means to list or count.

5 In the 2006 and 2011 Censuses, the ABS provided households with a paper form, as well as the option of

entering data online.

6 Geoblocks restrict access or change content based on the IP address of the computer making the request for

content. IP addresses give a reasonable indication of the country of origin, provided this has not been altered

or hidden.

7 A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security

Culture and Practices across the Australian Government, Department of the Prime Minister and Cabinet

(PMC), Canberra, 2016, pp. 12–19, 32–33.

8 A MacGibbon, Review of the Events Surrounding the 2016 eCensus: Improving Institutional Cyber Security Culture and Practices across the Australian Government, PMC, Canberra, 2016, pp. 12–19, 32–33.

9 On 11 August 2016, the Acting Australian Information Commissioner, based on advice from the Australian Signals Directorate, stated it was satisfied the DDoS attack did not result in unauthorised access to, or extraction of, personal information.

10 This includes recommendations in the Senate Committee report where the Government stated in its response that it was already performing the recommended action or it would take different but related action.

11 Auditor-General Report No.5 2018–19 Statistical Business Transformation Program — Managing Risk, pp. 7–8. The Statistical Business Transformation Program is a major ABS re-engineering program to replace a large number of separate systems and processes with an integrated, enterprise-wide solution to reduce the risk of system failure, increase efficiency and improve access to data. The report made three recommendations, one of which was directed at the whole of ABS Risk Framework.

12 On 9 April 2020, the Australian Public Service Commission (APSC) issued Circular 2020/3: COVID-19 – Remote working and evolving work arrangements [Internet], APSC, Canberra, 2020, available from https://www.apsc.gov.au/circular-20203-covid-19-remote-working-and-evolving-work-arrangements [accessed 8 August 2020]. The Auditor-General paused engagement with entities on performance audits during April 2020 in recognition of the efforts of APS entities to implement the Government’s stimulus agenda, and to prepare entities for new working arrangements to meet recommended health measures. The ABS requested that the audit continue, and advised that it had previously developed technology and work practices to operate flexibly and that it was making a smooth transition to new working arrangements.

13 Section 8 of the PGPA Act defines ‘proper’, in relation to the use or management of public resources, as

efficient, effective, economical and ethical.

14 The ABS initially planned to hold its major field test (the Operational Readiness Exercise) in August 2020. Due

to COVID-19, the ABS has amended the schedule to hold it in October 2020.

15 The CEB external members are from the Australian Taxation Office, Queensland Treasury and Telstra.

16 The CDC external members are from the Australian Electoral Commission and the Digital Transformation Agency.

17 The governance plan did not identify key stakeholders for the Census. Other documents list ABS priority relationships as being with its ministers, selected Commonwealth and state government entities and selected advisory bodies such as the Australian Statistics Advisory Council.

18 As noted at paragraph 1.6, the ABS has established its three objectives for the 2021 Census as: smooth running; strong support; and high quality data.

19 These elements cover: establishing a risk management policy and risk framework; defining responsibility for managing risk; developing a positive risk culture and embedding risk management in business processes; managing shared risk, and communicating and consulting about risk; maintaining risk management capacity; and reviewing and continuously improving the management of risk.

20 As the ABS has established its risk management framework and the framework largely complies with the Commonwealth Risk Management Policy, the ABS has implemented part of recommendation 1 of Auditor-General Report No.5 2018–19, Statistical Business Transformation Program — Managing Risk, p. 24.

21 In February 2020, the CDC requested that the permanent ABS Security Committee reassess the security risk appetite for the Census. The Security Committee did so in June 2020 and approved a process to reprioritise IT security risk treatments.

22 These were 29 elements identified by the ANAO as requirements under the ABS Risk Framework.

23 The ABS Risk Governance Arrangements indicate that governance committees’ terms of reference should provide specific requirements for the frequency and granularity of risk reporting. The terms of reference of the CDC and CEB do not contain this level of detail.

24 Department of Finance, Guide for non-corporate Commonwealth entities on the role of audit committees, RMG No. 202, Finance, Canberra, 2020.

25 The proposed audit did not proceed due to this ANAO audit commencing.

26 In August 2020, following the provision of emerging findings from this audit, the Audit Committee Chair requested a ‘discovery’ exercise to get a better understanding of the ABS’ approach to managing key Census risks’.

27 There is a potential for conflict of interest when an organisation provides both assurance and advice services — that organisation may be required to provide assurance on advice it has previously provided. This entails a risk that the assurance process is compromised or that the assurance provided is of minimal value to the Census program.

28 The ABS also engages with other providers for assurance, for example on privacy and cyber security.

29 Examples of these issues are: program assurer feedback on slippages (March 2019); assessing whether to reduce the scope of the October 2019 test due to delays (June and August 2019); and the status of the Census Digital Service moving from amber to red (February 2020).

30 The Census Leadership Group initially comprised eight people: the Census Program Managers, the PMO and key Executive Level officials. At June 2020, it comprised 38 people, including the Census General Manager. The General Manager also received reporting through their membership of the CDC and as an invitee to meetings of the CEB.

31 The Senior Responsible Officer also receives status reports twice a quarter through their membership of the CEB and the CDC.

32 The project management software does not currently hold financial information.

33 Auditing and Assurance Standards Board, Standard on Assurance Engagements ASAE 3500 Performance Engagements, 2017.

34 Department of Finance, Resource Management Guide No. 131: Developing Good Performance Information, Finance, Canberra, 2015, p. 24.

35 The last ABS corporate plan to have measures related to efficiency was for 2016–17. It had three measures: a target for reductions in red tape for data providers; targets for the use of electronic forms, including the 2016 Census; and modernising their data systems (now the Statistical Business Transformation Program).

36 ABS, Submission to the Senate Economics References Committee’s Inquiry into the 2016 Census of Population and Housing, No. 38, Senate Economics References Committee, Canberra, 2016, p. 40.

37 UNECE, Measuring population and housing: Practices of UNECE countries in the 2000 round of Censuses, United Nations, Geneva, 2008; UNECE, Measuring population and housing: Practices of UNECE countries in the 2010 round of Censuses, United Nations, Geneva, 2014.

38 The ABS received an additional $38.3 million for the Census in 2019: Australian Government, Budget Measures: Budget Paper No. 2: 2019–20, Commonwealth of Australia, Canberra, 2019, p. 165.

39 ISACA is a centralised source of information and guidance in the new field of electronic data processing audit. It was formerly known as the Information Systems Audit and Control Association.

40 Frameworks have been established for IT security, change management, program and project management, privacy and data quality and integration.

41 An entity’s IT architecture is the policies and standards it applies to developing systems and applications.

42 The major Census systems are the Census Digital Service, Enumeration Management System, Paper Data Capture, Mail House Facilities, and Operations Management System.

43 The Senate Committee, MacGibbon and Independent Panel reviews of the 2016 Census all included recommendations for the ABS to improve its handling of personal information. Refer Box 2.

44 The seven dimensions of data quality in the ABS Data Quality Framework are Institutional Environment, Relevance, Timeliness, Accuracy, Coherence, Interpretability, and Accessibility.

45 Quality gates are review points. The ABS developed a quality gate framework with 34 quality gates across the Census overall. The Census Program Managers are responsible for signing off on 30 of the gates.

46 Quality measures define the acceptance criteria, responsibility, documentation and assessment requirements for meeting the quality requirements.

47 General and statistical consumer data provided by consumers and authorised entities.

48 Information maintained by governments and other entities, usually related to the delivery of a service.

49 The APPs specify the rules for handling of personal information. Schedule 1 – Australian Privacy Principles, Privacy Act 1988, https://www.legislation.gov.au/Details/C2020C00237.

50 ‘An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.’ An entity has obligations to destroy or de-identify personal information in certain circumstances. Office of the Australian Information Commissioner, Australian Privacy Principle 11 – Security of personal information, OAIC, 2019, pp. 3, 7.

51 ACSC, Essential Eight Maturity Model [Internet] ACSC, Canberra, 2020, available from https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model [accessed 2 September 2020].

52 The ACSC suggests identifying systems and information that are critical to business operations to adequately prepare and respond to cyber security incidents. ACSC, Strategies to Mitigate Cyber Security Incidents, Cyber.gov.au, available from https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents [accessed 12 August 2020].

53 The Information Security Registered Assessors Program is an Australian Signals Directorate initiative to provide information technology security assessment services to government. The Australian Signals Directorate endorses information technology professionals to provide security services with the aim to secure broader industry and Australian Government information systems. ACSC, What is IRAP? [Internet], Cyber.gov.au, available from https://www.cyber.gov.au/irap/what-irap [accessed 4 May 2020].

54 The ABS has approached the market for additional security tools to address capability shortfalls.

55 The ABS Security Committee reports to and seeks approval from the ABS Executive Board on security-related activities, risks and issues across the ABS. The Chief Information Officer is the Committee Chair.

56 Agreed actions from the review included prioritising the completion of the requirements deep dives, focus work on areas where there is a significant change in business or technology requirements, establish a solution architecture function for the Census, link business and technology milestones and establish a technology risk register.

57 Auditor-General Report No. 4 2020–21 Establishment and Use of ICT Related Procurement Panels and Arrangements examined the extent to which entities’ establishment and use of ICT related procurement panels and arrangements supported the achievement of value for money outcomes. The audit concluded that in establishing the three selected ICT related procurement panels and arrangements, the Department of Infrastructure, Transport, Regional Development and Communications and the Digital Transformation Agency could not fully demonstrate that the arrangements supported the achievement of value for money outcomes. In their use of the 15 selected ICT related procurement panels and arrangements, entities could demonstrate that the majority of procurements supported value for money outcomes, however, in three cases it was difficult for entities to demonstrate this due to the absence of competition.

58 Entities can encourage competition to drive value for money beyond the minimum requirements in the CPRs; Auditor-General Report No. 4 2020–21 Establishment and Use of ICT Related Procurement Panels and Arrangements, pp. 72–73.

59 Microsoft uses certified partners and resellers. The Digital Transformation Agency signed an agreement with a reseller to act as the sole provider to government agencies under a whole-of-government arrangement.

60 The Department of Finance’s BuyRight tool identifies notifying the successful supplier; including an agenda in negotiations; documenting the outcomes of negotiations; getting endorsement from the delegate; and incorporating agreed positions into the contract.

61 The ABS has considered the impact of the COVID-19 pandemic on the Census. In May 2020 a further two strategic risks were added and 12 operational risks were added, primarily as a result of delays to the Operational Readiness Exercise (originally scheduled for August 2020) and other COVID-19 impacts. One strategic risk and eight program risks have COVID-19 impact recorded on the risk register. The ABS rated none of these risks inherently extreme.

62 The ANAO examined 10 key requirements of the Census Risk and Issues Management Plan: strategic and operational risk registers in place; consistency with templates; risk identification; assessing the risk (timing, likelihood, consequence); developing mitigations; implementing and monitoring control effectiveness; assessing risk tolerability; further treatments if risk remains outside of tolerances; assigning a control lead; and assess control effectiveness on a five point scale.

63 The effectiveness of some of the risk controls are expected to be tested as part of the Operational Readiness Exercise scheduled for October 2020.

64 Ensuring that risk is embedded in ABS processes and procedures addresses part of ANAO recommendation 1 of Auditor-General Report No.5 2018–19 Statistical Business Transformation Program — Managing Risk, pp. 7–8.

65 Amendments to the Census and Statistics Regulation 2016 were made to outline new questions to be asked in the 2021 Census. In addition the 2016 Regulations cover some powers of entry and related offences.

66 The reviewer of the control must be independent of the project team and cannot be the control owner.

67 The seven inherent extreme risks were: target response rates are not met; a reduction in ‘social licence’; Census communications do not motivate the public; key external suppliers do not meet time, cost or quality requirements; delays in government approvals and processes; online and self-response targets not met; and Indigenous response rate does not improve compared with 2016. Three of the controls were common across several extreme risks. All inherent extreme risks have two or more of these key risk controls, apart from those related to IT systems which are covered in Chapter 3.

68 The contracts were for the three largest Census procurements, each of which exceeded $10 million. They comprised the Census Digital Service, recruitment of field staff, and call centre services.

69 Australian Government, Australian Government response to the Senate Economics References Committee report: 2016 Census: issues of trust, Commonwealth of Australia, Canberra, 2017; and M McCormack (Minister for Small Business) ‘Statement on the MacGibbon Review’, media release, Parliament House, Canberra, 24 November 2016.

70 ABS, Annual Report 2016–17, ABS, Canberra, 2017, p. 25.

71 This includes recommendations in the Senate Committee report where the Government stated in its response that it was already performing the recommended action or it would take different but related action.

72 The two remaining recommendations were to develop an ABS privacy management plan (recommendation 3) and a targeted communications strategy (recommendation 9). The ABS Privacy Management Plan was delayed, to account for changes to the Commonwealth Privacy Framework released in August 2017. The ABS finalised its privacy management plan for 2018–19 on 28 June 2018. The recommendation to develop a targeted communications strategy to address public perceptions about Census data quality was assessed by the ANAO as implemented.

73 The role of the Audit Committee is to assist the accountable authority by providing independent assurance and advice.

74 The MacGibbon report included five areas of better practice guidance for all entities. The ANAO did not find evidence of the ABS accepting the guidance. The ANAO tested the ABS’s systems against the guidance. The ABS had implemented three of the five pieces of better practice guidance. Recent audit reports on implementing recommendations are: Auditor-General Report No. 6 of 2019–20 Implementation of ANAO and Parliamentary Committee Recommendations; and Auditor-General Report No. 46 of 2019–20 Implementation of ANAO and Parliamentary Committee Recommendations — Education and Health Portfolios.

75 The Census had 130 tasks that originally had a completion date of June 2019 or earlier. The remaining 55 tasks were reported to the CEB as ‘on-track’ before the planned completion date and were not reported to the CEB after the planned completion date.

76 The soft milestones are not expected to have an impact on the Census overall, and so delays in those are not assessed as material.

77 The ANAO selected all 17 tasks listed as hard milestones or that were included on the critical path that were planned for completion prior to 31 March, as delays in these projects are the most likely to have a material impact on the overall status of the 2021 Census.

78 The ABS received additional funding that year; Australian Government, Budget Measures: Budget Paper No. 2: 2008–09, Commonwealth of Australia, Canberra, 2019, p. 165.

79 A MacGibbon, Review of the events surrounding the 2016 eCensus, 2016, pp. 5–6.

80 A MacGibbon, Review of the events surrounding the 2016 eCensus, 2016, p. 49.

81 ANAO analysis used these milestones because they have been the only set of high-level milestones set for the Census and there has been significant change in how projects are structured and named.