Introduction

Government regulators

1.1 The Organisation for Economic Co-operation and Development (OECD) has observed that:

Regulation is a key tool for achieving the social, economic and environmental policy objectives of governments that cannot be effectively addressed through voluntary arrangements and other means. Governments have a broad range of regulatory powers reflecting the complex and diverse needs of their citizens, communities and economy.

Regulators are entities authorised by statute to use legal tools to achieve policy objectives, imposing obligations or burdens through functions such as licencing, permitting, accrediting, approvals, inspection and enforcement. Often they will use other complementary tools, such as information campaigns, to achieve the policy objectives, but it is the exercise of control through legal powers that makes the integrity of their decision-making processes, and thus their governance, very important.⁶

Regulator governance

1.2 The OECD has further observed that:

Strong governance strengthens the legitimacy and integrity of the regulator, supporting the high level policy objectives of the regulatory scheme and will lead to better outcomes.⁷

1.3 The OECD has identified two broad aspects of governance relevant to regulators:

• external governance (looking out from the regulator) – the roles, relationships and distribution of powers and responsibilities between the legislature, the minister, the ministry, the judiciary, the regulator’s governing body and regulated entities; and
• internal governance (looking into the regulator) – the regulator’s organisational structures, standards of behaviour and roles and responsibilities, compliance and accountability measures, oversight of business processes, financial reporting and performance management.⁸

1.4 The OECD has described these components of external and internal governance as the ‘different building blocks that make up the governance architecture of regulators’.⁹

Duties of Australian Government officials

1.5 The Australian Government’s overarching governance framework for public entities, including its regulatory agencies, is established by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the supporting Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

1.6 The PGPA Act contains general duties for entity accountable authorities and officials which are relevant to probity and ethics.¹⁰ These duties are not restricted to resource management functions, as the objects of the PGPA Act (and its overview section) make clear that the Act is concerned with entity governance, performance and accountability more broadly (see Box 1 below).

1.7 The requirements of the PGPA Act and PGPA Rule, including the general duties of entity officials, may extend to persons who are not entity employees (such as contractors) if they are considered to be entity officials under the Act. Contract provisions may also extend PGPA Act and PGPA Rule requirements (and elements of the Public Service Act 1999 (PS Act), discussed below) to persons who are not entity employees.¹¹

1.8 As at 6 March 2023 there were 189 PGPA Act entities and companies.¹² The duties of entity accountable authorities and officials under the PGPA Act are summarised in Box 2 below.

Probity

1.9 Taken together, the general duties establish an overarching framework for probity and ethical behaviour applying to the officials of PGPA Act entities.

1.10 The Australian Government Department of Finance (Finance), which administers the PGPA Act and PGPA Rule and is the framework policy owner, has not included a general definition of probity in its PGPA Glossary.¹³ Finance has, however, adopted the following definition of probity in the procurement context:

Probity is the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.¹⁴

1.11 While intended to inform those involved in procurement activity, this definition of probity is sufficiently robust to describe the general expectation applying to Australian Government activity more broadly, including regulatory activity.

1.12 The specific probity and ethical requirements applying to the personnel of an Australian Government entity will depend on what type of entity it is, the legislation applying to it, the government policies and frameworks applying to it, and the internal policies and frameworks it has put in place. In summary.

• Whether the entity is a non-corporate Commonwealth entity or a corporate Commonwealth entity¹⁵ under the PGPA Act, will determine which elements of the framework established by the PGPA Act and PGPA Rule will apply to the entity. In particular, entity type will affect whether certain activity-specific frameworks apply to an entity.
  • Activity-specific frameworks can establish ethical and probity requirements specific to the activity they regulate, and cover grants administration¹⁶, government procurement¹⁷, government advertising¹⁸, protective security¹⁹, appearing before the Parliament²⁰, liaising with lobbyists²¹, caretaker conventions²², risk management²³ and fraud control.²⁴ These frameworks will generally specify which types of entities they cover and may also place specific obligations on the accountable authority, such as to promote an internal culture supportive of the purposes of the framework.²⁵
• Entities established under legislation are statutory bodies and will also be subject to the requirements of that legislation. The entity’s enabling legislation may include specific ethical obligations applying to the accountable authority and/or entity staff. Individual statutory offices are also established through legislation, which may include ethical requirements.
• Other applicable legislation may place further ethical and probity requirements on the entity. Examples include anti-corruption legislation²⁶ and corporations law requirements. As at 6 March 2023, there were 17 Commonwealth controlled companies subject to the Corporations Act 2001.
• If the entity is subject to the PS Act²⁷, additional ethical and probity requirements apply to Australian Public Service (APS) employees, including the APS Values and APS Code of Conduct.²⁸
  • Section 10 of the PS Act sets out the APS Values. Subsection 10(2), ‘Ethical’, states that ‘The APS demonstrates leadership, is trustworthy, and acts with integrity, in all that it does.’ The APS Commissioner’s Directions (31 January 2022) made under the PS Act elaborate on the APS Values. Section 14 of the Directions sets out requirements to be met to uphold the ‘Ethical’ value, ‘having regard to an individual’s duties and responsibilities’. The requirements include: ‘acting in a way that models and promotes the highest standard of ethical behaviour’, ‘complying with all relevant laws, appropriate professional standards and the APS Code of Conduct’ and ‘acting in a way that is right and proper, as well as technically and legally correct or preferable’. Section 12 of the PS Act provides that an APS Agency Head ‘must uphold and promote the APS Values and APS Employment Principles’.
  • Australian Public Service Commission (APSC) guidance highlights that integrity covers several different and overlapping aspects that relate to conduct and how APS employees work individually and collectively. Integrity includes: compliance with legislative frameworks, policies and practices, and ensures standards for integrity are being met; a values-based approach that promotes ethical decision-making; institutional integrity, where organisational systems, policies and practices are purposeful, legitimate and trustworthy; and a pro-integrity culture, in which there is a positive, conscious effort to make integrity a central consideration of all activities.²⁹
  • A number of specific probity requirements apply to APS Senior Executive Service (SES) employees and/or APS agency heads.³⁰ These include the declaration of interests³¹ and the declaration of gifts, benefits and hospitality.³²
• Entity-specific frameworks include an entity’s internal policies and guidance in respect of implementing applicable laws and frameworks. Examples include Accountable Authority Instructions (AAIs) made under the PGPA Act³³, and internal integrity frameworks. Entity-specific frameworks may sometimes establish higher expectations than the minimum standards established by whole-of-government policy owners such as Finance. Professional codes and standards may also apply to entity personnel working in certain sectors or roles. The need for such codes and standards may be specified in legislation applying to the entity.

The accountable authority’s role in promoting probity

1.13 As discussed in paragraph 1.6, the PGPA Act places a number of duties on an entity’s accountable authority. As discussed in paragraph 1.12, other applicable frameworks will also place obligations on entity leaders, such as the promotion of an appropriate culture. The ANAO has previously observed that in order to fulfil its governing role in relation to probity, the accountable authority would be expected to set out roles and reporting within the entity, approve and review probity policies, ensure it is informed about the entity’s activities, act on information promptly, and take an active role when working with management.³⁴

The Australian Competition and Consumer Commission

1.14 The Australian Competition and Consumer Commission (ACCC) is an independent statutory authority. It was established under and administers the Competition and Consumer Act 2010 (CCA) and other legislation. According to the 2022–23 ACCC and Australian Energy Regulator (AER) Corporate Plan:

The primary responsibilities of the ACCC are to enforce compliance with the competition, consumer protection, fair trading and product safety provisions of the … (CCA), regulate national infrastructure and undertake market studies.³⁵

1.15 The ACCC is a non-corporate Commonwealth entity for the purposes of the PGPA Act. It is one of three entities that have body corporate status but are prescribed in their enabling legislation as non-corporate Commonwealth entities.³⁶ Like most non-corporate Commonwealth entities, the ACCC engages employees under the PS Act.

1.16 The ACCC is comprised of a Chairperson and six other members appointed by the Governor-General on the nomination of the Treasurer. The CCA also establishes the AER as a separate statutory authority with decision-making powers exercised separately to those exercised by members of the ACCC.³⁷ The five members of the AER are collectively referred to as the AER Board. For the purposes of the finance law the AER is part of the ACCC, and the ACCC Chairperson is the accountable authority under the PGPA Act. Under section 44AAC of the CCA, the Chairperson of the ACCC is required to make employees available to assist the AER Board exercise its functions. Under section 8A of the CCA, appointed associated members are involved in deciding matters before the Commission.³⁸ Under section 8AB of the CCA, AER Board members are taken to be Associate Members of the ACCC for the purposes of the PGPA Act and certain sections of the CCA.³⁹

1.17 The ACCC reflects the functional difference between the ACCC and AER in its organisational structure, with a separate AER Chief Executive Officer (CEO) who oversees organisational units dedicated to assisting the AER Board exercise its statutory functions.⁴⁰ The ACCC also presents many of its corporate documents, including its Corporate Plan and Annual Report, with branding of both the ACCC and AER.

1.18 In this audit the ANAO has considered the ACCC and AER as a single entity and has referred to the entity as the ‘ACCC’ except where particular consideration is required in relation to the AER Board acting pursuant to its specific statutory functions.

Oversight arrangements

1.19 The ACCC is subject to a range of oversight arrangements. These include the Australian Commission for Law Enforcement Integrity (ACLEI).⁴¹ The ACCC came under ACLEI’s jurisdiction on 1 January 2021.⁴²

1.20 In recent years the House of Representatives Standing Committee on Economics has also undertaken inquiries into the ACCC and its operations.⁴³

Rationale for undertaking the audit

1.21 It is essential that financial regulators uphold high probity standards, to strengthen the legitimacy and integrity of the regulator and support the objectives of the regulatory scheme.

1.22 This is one of a series of three performance audits which continues the ANAO‘s examination of probity management in Commonwealth entities and provides independent assurance to the Parliament. It builds on Auditor-General Report No. 21 2019–20 Probity Management in Rural Research and Development Corporations, which assessed the effectiveness of five rural research and development corporations’ management of probity.

1.23 This series of audits focuses on probity management in entities with a role in financial regulation activities. These are the:

• Australian Competition and Consumer Commission (ACCC);
• Australian Prudential Regulation Authority (APRA); and
• Australian Securities and Investments Commission (ASIC).

Audit approach

Audit objective, criteria and scope

1.24 The audit objective was to assess the effectiveness of the ACCC’s probity management.

1.25 To form a conclusion against the objective, the ANAO adopted the following high level criteria:

• Does the ACCC have arrangements structured to manage selected probity risks and promote compliance with requirements?
• Has the ACCC established monitoring and reporting arrangements to provide assurance on the effectiveness of internal controls and compliance with probity requirements?
• Has the ACCC complied with probity requirements?

1.26 The audit scope was the period July 2020–November 2022 and where relevant, included key subsequent events up to and including February 2023. The ANAO did not examine specific investigations into ACCC personnel or review the ACCC’s corporate governance arrangements.⁴⁴

Probity risks examined in this audit

1.27 The ANAO reviewed a selection of probity risks requiring management by Australian Government entities, including a number of specific risks requiring management by entities involved in financial regulation activities. The risks selected for review related to:

• the code of conduct;
• the management of conflict of interest;
• the management of key regulatory risks (such as regulatory capture risk and financial trading);
• the management of senior executive remuneration;
• probity in procurement;
• the oversight of corporate credit card expenditure;
• the management of gifts, benefits and hospitality;
• the identification and management of fraud risks; and
• the management of public interest disclosures.

1.28 In this audit report the ACCC and AER are considered as a single entity, the ‘ACCC’, except where particular consideration is required in relation to the AER Board acting pursuant to its specific statutory functions.

Audit methodology

1.29 The audit methodology included reviewing entity documentation and meeting with entity personnel.

1.30 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $389,000.

1.31 The team members for this audit were Grace Guilfoyle, James Sheeran, Jo Rattray-Wood, Alexandra McFadyen and Michelle Page.

1.32 The ANAO has co-operative evidence gathering arrangements in operation with entities. On 9 May 2022, the ACCC advised the ANAO that it was unable to voluntarily provide certain information requested by the ANAO due to legislative restrictions on the disclosure of the requested information. On 22 June 2022 the Auditor-General issued the ACCC with a notice to provide information and produce documents pursuant to section 32 of the Auditor-General Act 1997. The ACCC provided the information and documents requested within the specified time, following receipt of the notice.

2.1 An entity’s accountable authority and management are responsible for establishing and promoting a culture of ethical behaviour within the entity. Identifying key probity risks and establishing, maintaining and promoting policies, procedures and arrangements to manage those risks helps ensure probity risks are being effectively managed in accordance with relevant requirements and consistent with community expectations.

2.2 This chapter examines whether the ACCC has:

• identified key probity risks and developed policies, procedures and arrangements to manage the identified risks;
• ensured policies and procedures are maintained; and
• effectively informed relevant people of probity related requirements, to promote compliance.

Has the ACCC identified key probity risks and developed policies, procedures and arrangements to manage the identified risks?

Code of conduct

2.3 ACCC employees are engaged under the Public Service Act 1999 (PS Act) and are subject to the Australian Public Service (APS) Code of Conduct set out in section 13 of the PS Act. The Australian Public Service Commission (APSC) has stated that:

Employees of the Australian Public Service (APS) occupy a position of trust. They are entrusted by the Government and the community to undertake important work on their behalf. With this trust comes a high level of responsibility which should be matched by the highest standards of ethical behaviour from each APS employee … The conduct of public servants, both inside and outside the workplace, can have implications for the confidence the community has in the administration of an agency or the APS as a whole.⁴⁵

2.4 The ACCC also has a Code of Conduct for Commission Members and Associate Members (Members’ Code of Conduct). The Members’ Code of Conduct states that it ‘applies to all members of the Commission, including the Chair, Deputy Chairs, members and Associate Members.’⁴⁶ During the period examined for this audit, there were two versions of the Members’ Code of Conduct: one dated December 2019, which was replaced by one dated August 2022. Both versions of the Members’ Code of Conduct state that:

This Code is intended to assist members of the Commission to understand key obligations in relation to their conduct that arise from statutory and non-statutory sources, and to help members to identify situations where these obligations apply and the steps they should take to meet these obligations.

2.5 The Members’ Code of Conduct identifies expectations in a range of areas relevant to probity, including:

• conflicts of interest;
• proper behaviour;
• acceptance of gifts and hospitality;
• contact with interest groups;
• confidentiality;
• decision-making; and
• post-appointment arrangements.

2.6 The ACCC advised the ANAO that ‘the AER relies on the [Members’] Code of Conduct for all AER Board members, who are also Associate Members of the Commission.’⁴⁷ The ANAO’s review indicates that the Members’ Code of Conduct refers to AER Board members only in the context of them being Associate Members of the ACCC, and does not explicitly reference their AER function.

2.7 Some requirements set out in the Members’ Code of Conduct apply to ACCC Commissioners only, with no equivalent arrangement outlined for AER Board members. These include:

• guidance on members trading in shares (this is discussed further in paragraphs 2.46 to 2.60)⁴⁸;
• paid outside employment⁴⁹;
• reporting ‘relevant interests’⁵⁰; and
• arrangements for current members who commence discussions with potential employers for the period after their term expires.⁵¹

2.8 The 2019 Members’ Code of Conduct explicitly detailed the conflict of interest requirements established under the Competition and Consumer Act 2010 (CCA) for ACCC Commissioners. However, requirements specific to AER Board members, that are also contained in the CCA, were not mentioned.⁵² This information was not included in the subsequent, 2022 Members’ Code of Conduct.

2.9 The ACCC further advised the ANAO that the ACCC’s gifts, benefits and hospitality policy also applies to AER Board members. The ANAO’s review indicates that while the Members’ Code of Conduct refers to gifts, benefits and hospitality⁵³:

• the gifts, benefits and hospitality policy does not explicitly state that it applies to AER Board members; and
• available advice on the applicability of the ACCC’s gifts, benefits and hospitality policy to AER Board members is not clear.

2.10 There would be benefit in clarifying and as necessary incorporating specific AER requirements in the Code of Conduct for Commission Members and Associate Members, for the benefit of the members and in the interests of transparency.

Conflict of interest

2.12 The ACCC has identified conflict of interest as a key probity risk and developed policies, procedures and arrangements to manage the identified risks. w

2.13 The ACCC’s November 2022 Enterprise Risk Register includes the risk that:

Serious findings of a lack of integrity by staff or statutory appointees (for instance as a result of fraud, corruption or other impropriety), or inadequate compliance and assurance systems, damages the agency’s reputation as an effective regulator with the Australian Government and other key stakeholders, resulting in reduced funding and/or responsibilities, and reduced credibility as a regulator.

2.14 The November 2022 Enterprise Risk Register listed ‘Conflict of interest processes’ as a key control for managing these risks. ACCC divisions identify risks in their divisional business plans, some of which include specific identification of risks related to conflict of interest.⁵⁴

2.15 As referenced in Box 2 in Chapter 1 of this audit, section 29 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) establishes a duty to disclose interests and requires officials of Commonwealth entities who have a material personal interest that relates to the affairs of the entity to disclose the details of the interest. The CCA also establishes requirements around disclosure and management of conflicts of interest for the ACCC Chair and ACCC Commissioners⁵⁵, as well as the AER Board Chair and AER Board members.⁵⁶ As discussed in paragraph 2.3, ACCC employees are subject to the APS Code of Conduct found in section 13 of the PS Act. The Code states that:

An APS employee must:

(a) take reasonable steps to avoid any conflict of interest (real or apparent) in connection with the employee’s APS employment; and

(b) disclose details of any material personal interest of the employee in connection with the employee’s APS employment.

2.16 To support the management of risks related to conflict of interest, the ACCC has developed a conflict of interest policy for ACCC employees. Conflict of interest requirements for ACCC Commissioners and AER Board members are included in the Members’ Code of Conduct, discussed in paragraphs 2.4 to 2.11.

Requirements for ACCC employees

2.17 The ACCC had two versions of its conflict of interest policy during the period reviewed for this audit. The first was dated June 2016 and was replaced by an update dated November 2022. Both versions apply ‘to all ongoing and non-ongoing employees, including SES [Senior Executive Service]’ and state that:

The Conflict of Interest Policy aims to mitigate two strategic risks …

• failure of governance processes around decision-making
• damage to reputation and being seen as an ineffective regulator.

2.18 The 2016 and 2022 conflict of interest policies address various obligations under the PGPA Act and PS Act. The conflict of interest policies also address:

• the importance of appropriately managing conflict of interest to avoid damaging the reputation of the ACCC and APS;
• what constitutes an actual, potential or perceived conflict of interest;
• how to identify or avoid conflicts of interest;
• when and how conflicts are to be disclosed for non-SES and SES employees; and
• obligations of employees and managers.

2.19 The ACCC has established separate processes for identifying and managing conflicts of interest for its SES and non-SES employees. Non-SES employees are required to complete a conflict of interest self-assessment within one month of commencing with the ACCC and thereafter at least once each financial year or if the employee has a change in circumstances that might give rise to new conflicts of interest.⁵⁷ Where the self-assessment results in the identification of a ‘real, perceived or potential conflict of interest’, non-SES employees are required to complete a disclosure form, which includes details of the conflict and a plan for managing it.

2.20 In respect to SES employees, the 2022 conflict of interest policy states that:

SES employees are required to make a declaration of their material personal interests in connection with their employment at the ACCC. The declaration must also include a management plan developed between the SES and their immediate manager to address any conflicts which arise from the declaration of interests. All entities in whish [sic] shares are held and the number of shares held must be included in the declaration.

2.21 The 2022 conflict of interest policy also states that SES ‘Sign-offs can be escalated where appropriate, for example, where an EGM [Executive General Manager] considers that there are particular issues that should be brought to the CEO’s attention.’⁵⁸

2.22 A review of the ACCC’s framework for managing SES employees’ conflicts of interest was conducted in 2021. This review found 13 areas for improvement and considered that the underlying cause of multiple areas for improvement was the platform the ACCC used to manage conflict of interest.⁵⁹ The review determined that the digital system used by the ACCC was not fit-for-purpose.⁶⁰

2.23 The ACCC identified four areas for improvement that were not dependent on a system infrastructure upgrade being completed.⁶¹ The ACCC advised the ANAO that: ‘The Executive Management Board noted the project update and provided in-principle support for the conflict of interest project to progress with the development an ICT project brief for the Data, Information and Security Committee’s consideration with other projects’.

Requirements for contractors

2.24 Both the 2016 and 2022 conflict of interest policies, which were in place during the period reviewed for this audit, state the following about requirements for contractors:

2.4 The conflict of interest issues concerning contractors who act on behalf of the ACCC are managed through the contractual terms of their engagement.

2.5 Managers of contractors need to consider the nature of the contractor’s role when determining how to address the risks posed by conflict of interest. The more a role involves engagement in decision making such as recommendations concerning legal or regulatory or procurement matters the greater need there is for a formal conflict of interest declaration to be provided by the contractor.

2.25 ACCC intranet content states that:

Conflict of interest issues for people engaged under a contract to supply services to the ACCC/AER are managed through the contractual terms of their engagement. The contractor’s manager will advise the contractor of disclosure requirements.

…

When a disclosure is required, the contractor should use the Conflict of Interest form … available in Aurion [the ACCC’s human resources system].

Requirements for ACCC Commissioners and AER Board members

2.26 As noted in paragraph 2.5, conflict of interest requirements for ACCC Commissioners and AER Board members are included in the Members’ Code of Conduct, which was discussed in paragraphs 2.4 to 2.8. The Members’ Code of Conduct states that: ‘Members should always perform their official duties without fear or favour, and regardless of any expectation that they (or persons associated with them) will benefit or suffer as a consequence.’ It also states that:

Conflicts of interest can take a variety of forms. An actual conflict of interest occurs where a member’s interest in fact compromises, influences or affects the proper performance of their official duties. A perceived conflict of interest occurs where a member’s interest gives rise to a reasonable apprehension of bias in relation to the proper performance of their official duties — even if the member would not in fact be biased. However, perceived conflicts do not arise where the interest is so insignificant that no reasonable person would think that it would give rise to bias or affect the proper performance of duties. For example, where a member’s pecuniary interest is trivial and so could not reasonably be thought to affect their performance, it is unlikely that a perceived conflict of interest would arise.

2.27 The Members’ Code of Conduct also:

• addresses the legislative basis of conflict of interest requirements⁶²;
• provides examples of potential conflicts of interest; and
• sets out processes for disclosing interests (ACCC Commissioners only).⁶³

2.28 As discussed, for the period examined for this audit, there were two versions of the Members’ Code of Conduct. The first was dated December 2019 and was replaced by the version dated August 2022. Both versions included a requirement for Commissioners to inform the Chair on an annual basis of their interests. The 2019 Members’ Code of Conduct included instructions for members and templates for various declarations. In the 2019 Members’ Code of Conduct the template for the ‘Commission member statement of private interests (financial, non-financial and personal)’ requested details relating to shareholdings, real estate; trusts and nominee companies; directorships in companies; partnerships; investments; other assets; other substantial sources of income; gifts; sponsored travel; hospitality; and liabilities. The 2022 Members’ Code of Conduct did not contain the instructions or templates. The ACCC provided the ANAO with a ‘Declaration of Private Interests Form’. The ACCC advised the ANAO in February 2023 that the form is provided to Commissioners as part of onboarding.

2.29 In September 2020 the ACCC identified that officers with responsibility for distributing agendas and meeting papers for Commission committees did not have access to sufficient information that would allow them to prevent Commissioners from receiving information relating to individuals or businesses with whom the Commissioners had an identified conflict. To address this issue, in November 2022, the ACCC provided its Executive General Managers and certain legal and Executive Office officers⁶⁴ with access to a ‘Commissioner conflict of interest disclosure register’. These officers were advised that:

Your access has been provided on the basis you will in certain circumstances need to consult the register – for example when seeking decisions from Commissioners – to assist in the process of ensuring Commissioners who have made a disclosure and are recused do not participate in decision making. The primary obligation is on Commissioners to avoid participation in matters for which they are recused but having access to this register will assist you in supporting this practice.

2.30 In addition to the requirements for all Commissioners, under section 17 of the CCA, the ACCC Chair ‘must give written notice to the Minister of all pecuniary interests that the Chairperson has or acquires in any business carried on in Australia or in any body corporate carrying out such business.’ Internal compliance with the ACCC’s conflict of interest declaration requirements is discussed in Chapter 4 of this report in paragraphs 4.4 to 4.9.

Key entity-wide risks relating to regulatory activities

2.31 The ANAO examined whether the ACCC had identified regulatory capture risk and other key risks relating to its regulatory activities and established policies, procedures and arrangements to effectively manage those risks. The audit scope focussed on entity-wide policies, procedures and arrangements and not those that only applied to certain specific roles or activities.

2.32 The ACCC has not explicitly identified regulatory capture risk as a risk to be managed in its enterprise risk register. The ACCC had identified risks relating to trading in financial instruments and information security. Policies, procedures and arrangements relating to probity management in regulatory activities could be improved.

Regulatory capture risk

2.33 Maintaining independence is crucial for regulators to effectively perform their function. The 2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Hayne Royal Commission) stated that ‘the risk of regulatory capture is well acknowledged’.⁶⁵ The Parliamentary Joint Committee on Corporations and Financial Services, in its 2019 report on Statutory Oversight of the Australian Securities and Investments Commission, the Takeovers Panel and the Corporations Legislation, stated that:

The committee considers that regulatory capture is a significant issue faced by Australian regulators generally, given the size and power of corporations that operate in Australia.⁶⁶

2.34 The committee defined regulatory capture as:

instances where regulators are excessively influenced or effectively controlled by the industry they are supposed to be regulating. There are three areas in which particular risks arise for regulatory capture:

• staff moving between industry and regulatory jobs;
• secondments; and
• where regulatory staff are embedded in private sector organisations (that is, required to conduct their work within the workplace of industry participants, away from their home base at the regulator).⁶⁷

2.35 In relation to the issues raised in paragraph 2.34, the ACCC advised the ANAO that:

Staff movements between industry and regulatory jobs does occur from time to time, which is managed through existing probity controls including the conflict of interest declaration process and exclusion of relevant staff from matters that give rise or may be perceived to give rise to a conflict of interest.

Secondments to and from the ACCC are typically in relation to government agencies or overseas competition or consumer regulators. Secondments to industry and staff being embedded in private sector organisations occur very rarely, if ever, within the ACCC. These would be governed by the Paid and Unpaid Other Employment Policy, and have been previously considered by the agency.⁶⁸

2.36 The need to maintain independence is reflected in the ACCC Statement of Expectations, and a reference to the ACCC being an independent Commonwealth statutory authority is included in the ‘ACCC Statement of Intent — Telecommunications-related functions’ published on the ACCC website.⁶⁹ No mention is made in either regarding the risk of regulatory capture.

2.37 The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)⁷⁰ sets out requirements with which entities must comply in relation to their corporate plans. This includes that corporate plans include ‘a summary of the risk oversight and management systems of the entity, and the key risks that the entity will manage and how those risks will be managed’.⁷¹ The ACCC and AER Corporate Plan 2022–23 provides a description of the ACCC’s and AER’s key risks. It identifies ‘Serious findings of a lack of integrity, inadequate compliance and assurance systems damage the agency’s reputation as an effective regulator’ as a key risk⁷², but does not reference the risk of regulatory capture. It also references the ACCC values, including ‘independent’ and ‘trustworthy’.⁷³ As noted in paragraphs 2.3 and 2.4, ACCC employees are subject to the APS Code of Conduct and Commission Members and Associate Members are subject to the Members’ Code of Conduct. These set out the standards of behaviour expected of ACCC employees and Commissioners. This includes the highest standards of ethical behaviour from each APS employee and Commissioners to act honestly, in good faith and for a proper purpose.

2.38 The ACCC’s Enterprise Risk Register includes a more expansive version of the risk articulated in the ACCC and AER Corporate Plan 2022–23. It identifies the risk of:

Serious findings of a lack of integrity by staff or statutory appointees (for instance as a result of fraud, corruption or other impropriety), or inadequate compliance and assurance systems, damages the agency’s reputation as an effective regulator with the Australian Government and other key stakeholders, resulting in reduced funding and/or responsibilities, and reduced credibility as a regulator.⁷⁴

2.39 The Enterprise Risk Register (September 2022) provides further information related to this risk, and states that:

the agency’s reputation is critical to its ongoing effectiveness as a regulator. Reputation within the business community and the legal profession is critical for incentivising compliance with the laws the agency administers and enforces. Reputation with other regulators is also important for facilitating cooperation when tackling shared challenges. Lastly, reputation with the public at large, Government and broader public service is critical to maintaining and/or extending agency funding, without which incentives for compliance would diminish.

A particular way in which the agency’s credibility can be adversely impacted is through findings or outcomes that staff and/or statutory appointees have engaged in conduct that involves corruption, fraud, impropriety or that otherwise calls into question the agency’s integrity and trustworthiness. Examples include misappropriation or misapplication of public funds; cronyism and nepotism; significant conflicts of interest (especially if undeclared). Such conduct may be either intentional or inadvertent. The agency’s credibility can also be adversely impacted through findings or outcomes that the agency does not have appropriately robust systems to ensure integrity in our processes. Vigilance, focus, ongoing investment of time and resources is therefore needed to protect the agency’s reputation.

2.40 Nine key controls are identified for this risk. The ACCC advised the ANAO that five of these would mitigate regulatory capture risk: procurement approval processes; conflict of interest processes; recruitment processes (including a requirement for an independent member on all panels); the internal audit program; and establishing an integrity unit. The ACCC also advised the ANAO of the following ‘Protections against regulatory capture’:

• the ACCC’s function as an economy-wide regulator; and
• its structure under which decision-making powers are generally limited to statutory appointees.

2.41 On the first point, the ACCC advised the ANAO in June 2022 that:

the agency has a very wide remit and in many instances operates as an ‘economy-wide’ regulator. Many of the agency’s core activities are not sector-specific: e.g., competition and consumer investigations and enforcement; merger assessments; competition exemptions; product safety etc. This work is also highly transactional such that when one project is finished, the staff and managers involved move onto the next, often in a different sector of the economy, and involving different stakeholders. Even where functions do have a sectoral focus, the stakeholder group is highly diverse, such as in respect of the agency’s infrastructure regulatory functions and the AER. The separation of decision-makers and staff is again relevant as a safeguard. Further, the agency’s regulatory model is very clearly focused around compliance, enforcement and deterrence, and the agency has a strong record of using its powers to achieve these outcomes, including via litigation. This is distinct from other models where the regulator may be more closely involved with stakeholders (e.g., co-regulatory) or seeking outcomes via consensus or cooperation.

Each of these factors mitigate the risk factors usually associated with regulatory capture.

2.42 On the second point, the ACCC advised the ANAO that:

The agency has limited delegations for any substantive aspects of its subject-matter or functional activities. Formal powers and functions are typically exercised by the relevant decision-making authority, be that the Commission, the Board and/or their respective Chairs. Where functional delegations exist, they generally relate to minor, routine or procedural matters, such as where delegations would assist with the efficient functioning of the agency. Core decision-making responsibilities therefore remain with the relevant statutorily–appointed authority.

2.43 The ANAO did not assess whether the identified risks relating to regulatory capture were effectively managed by the ACCC.⁷⁵

2.44 In summary, the ACCC has not explicitly identified regulatory capture, as a risk to be managed, in its enterprise risk register or other relevant documentation. The Parliamentary Joint Committee on Corporations and Financial Services has identified regulatory capture as a significant issue faced by Australian regulators. Given the significance of the risk, there would be benefit in the ACCC addressing regulatory capture risk and its management, in the entity corporate plan.

Restrictions on trading in financial instruments

2.46 In addition to general conflict of interest risk (discussed in paragraphs 2.12 to 2.30), the ACCC has identified a specific entity-wide risk relating to ACCC officials inappropriately gaining financial advantage due to their role at the ACCC.

Employees

2.47 The June 2016 Conflict of Interest Policy stated that:

To avoid situations of conflict of interest, ACCC employees must … not use information obtained in the course of official duties to gain an advantage for themselves or for any other person e.g. using information to buy or sell shares.

2.48 Advice on this risk was made available on the ACCC’s intranet, including the following:

an APS employee who buys or sells shares while in possession of commercially sensitive information may have a real or perceived conflict of interest and may have breached the APS Code of Conduct by making improper use of inside information to gain, or seek to gain, a benefit or an advantage for them self [sic] or anyone else. If so, their employment could be terminated and/or they could be subject to other penalties …

Employees should be aware that some of the information they receive and can access in the course of their duties:

may not be generally available and would reasonably be expected to have a material effect on the price or value of a financial product if it was generally known, and/or

may be commercially sensitive.

Employees must not trade in shares or other financial products, or induce others to do so, while in possession of such information. It is the responsibility of each employee to form a judgment as to whether the information they possess in the course of their APS employment would be considered inside or commercially sensitive information. If unsure, you should discuss this with your Director or SES.

2.49 The ACCC updated its conflict of interest policy in November 2022 to include a section on ‘improper use of information — share trading’. The policy outlines the obligations of ACCC employees⁷⁶ regarding insider trading, including that:

All ACCC employees must:

(a) scrupulously observe the prohibitions on insider trading and tipping contained in Division 3 of Part 7.10 of the Corporations Act 2001;

(b) use reasonable endeavours to avoid situations where it might reasonably appear that they have not complied with those prohibitions or have made improper use of information obtained in the course of their employment with the ACCC; and

(c) not trade where there is, or it may reasonably appear there is, a conflict between their role and responsibilities at ACCC and their trading activities.

2.50 The 2022 conflict of interest policy further states that:

To ensure that we avoid situations in which employees are at risk of failing to comply with these legal obligations, the following prohibitions also apply to share trading by ACCC employees:

(a) SES must not trade in any securities related to a current ACCC matter under assessment, investigation or market study in which they are actually or potentially a decision maker.

(b) Employees must not trade in any securities related to a current ACCC matter under assessment, investigation or market study they are or have been involved in.

(c) Employees must not trade in any securities related to a current ACCC matter under assessment, investigation or market study about which they have had access to confidential information, for example by accessing Commission or Committee papers, by attending meetings at which the matter is discussed in detail or by informal discussions with colleagues.

(d) Changes in shareholdings and other material personal interests should be updated in Aurion [the ACCC’s human resources system] during the year, as well as during the annual conflict of interest declaration.

2.51 Under the conflict of interest policy, the ACCC CEO may grant an exemption to the restrictions on trading in financial instruments in ‘exceptional circumstances … after consultation with the relevant SES manager, ACCC General Counsel and Deputy General Counsel, Corporate’.⁷⁷

ACCC Commissioners and AER Board members

2.52 The 2019 Members’ Code of Conduct provided the following guidance regarding shareholdings by ACCC Commissioners:

Full-time members should normally avoid holding shares directly. If a full-time member proposes to hold shares directly, they should consult the Chair and exercise careful personal judgement in respect of such transactions to ensure that any financial dealings do not raise an actual or perceived conflict with the functions of that member.

2.53 As noted in footnote 48, the reference to ‘full-time members’ indicates that this stipulation did not apply to AER Board members, who are Associate Members of the ACCC.⁷⁸ The ACCC advised the ANAO in February 2023 that:

While the ACCC’s Members Code of Conduct does not specifically refer to AER Board members … it includes information relating to trading in financial products. AER Board members are formally covered in their capacity as Associate Commissioners and by convention have abided by the Code.

2.54 The August 2022 update to the Members’ Code of Conduct also included the requirement quoted in paragraph 2.52 and broadened advice regarding trading in shares. It now states that:

Any official who buys or sells shares while in possession of commercially sensitive information may have a real or perceived conflict of interest and may have breached their PGPA Act obligations by making improper use of inside information to gain, or seek to gain, a benefit or an advantage for themself or anyone else. If so, their appointment could be terminated and/or they could be subject to other penalties.

2.55 The arrangements relating to ACCC Commissioners and AER Board members trading in financial instruments are not as strong as those for ACCC employees, for whom prior approval (via the granting of an exemption) is required to undertake trading in financial instruments in situations where there may be a real or perceived conflict of interest (see paragraphs 2.49 to 2.51). The arrangements for ACCC Commissioners and AER Board members should be strengthened, and aligned to arrangements applying to employees, by introducing a requirement to obtain approval prior to trading in financial instruments.

Information security

2.61 In the course of undertaking its functions, the ACCC collects, analyses, shares and stores sensitive and confidential information.

Confidentiality project

2.62 The ACCC commenced an enterprise-wide confidentiality project in August 2019 to facilitate implementation of recommendations made by an internal legal review of confidentiality arrangements.⁷⁹ One recommendation was to create a position statement on the ACCC’s risk appetite and tolerance in respect of inadvertent disclosure of confidential information. This recommendation was accepted and a position statement was endorsed by ACCC Commissioners and AER Board members in February 2020 and made available on the ACCC intranet. The confidentiality position statement said that:

Unauthorised disclosure of, or access to, confidential information is rated as one of the agency’s top six strategic risks … It has been rated as high risk with potentially major consequences if a disclosure occurs … [emphasis in original]

The risks associated with inadvertent disclosure of confidential information include:

• serious harm to the person, organisation, or company that has provided the information
• a significant impact on our reputation
• undermining confidence in the agency, making it difficult for us to carry out our functions, including conducting reviews and investigations, and bringing proceedings
• potential liability for claims including breach of contract or statutory duty.

2.63 The ACCC’s Strategic Risk Profile 2019–20 included the risk of ‘Confidentiality breach: Unauthorised release of, or access to, confidential information’, which was rated a ‘high’ risk.

2.64 The confidentiality project was closed on 31 March 2021 and the unauthorised disclosure risk was removed from the strategic risk register in October 2021. The ACCC advised the ANAO in July 2022 that:

We consider we now have largely effective controls in place to address the risk, to the point where a confidentiality breach is no longer identified as an enterprise risk. The identified controls we have in place to address these risks include, for example, that we have robust induction practices for staff in relation to handling information, and regular reminders on our intranet.

2.65 The ACCC further advised the ANAO in December 2022 that:

In 2021, the agency revised and updated its approach to managing enterprise risks, which included re-formulating its ‘Enterprise Risk Register’ and ‘Strategic Risk Profile’ so that they focused on a more targeted set of enterprise risks. This included reducing the number of enterprise risks from 24 to 8, and refocusing management of other risks to an operational/business unit level.

Consistent with this, risks relating to inadvertent disclosure of information were, and continue to be, managed at the divisional/business unit level rather than the enterprise level. This reflects that risks relating to inadvertent disclosure of information have different features in different business units.

Document access

2.66 The ANAO observed that meeting papers for several ACCC governance and management committees were accessible on the ACCC intranet. This included papers presented to the ACCC Commission and AER Board, their sub committees and associated subject-matter specific inquiry and management committees. These papers frequently included confidential information gathered in relation to entities regulated by the ACCC and AER, as well as sensitive information relating to ongoing investigations and regulatory decision-making. Examples include:

• advice provided to support recommendations to instigate legal proceedings against regulated entities;
• advice and recommendations regarding regulatory decision-making, including merger authorisations;
• legal advice, including advice on the prospects of successful litigation and potential counter arguments that may be made by regulated entities; and
• proposed penalties for entities with whom the ACCC is engaged in litigation, including the method for determining minimum terms of settlement, discounts to be provided for early settlement and details of settlement negotiations.

2.67 Regarding the accessibility of this sensitive information, the ACCC advised the ANAO that:

the agency has a longstanding culture of transparency and open access to information and knowledge sharing where appropriate. This includes but is not limited to decision making bodies in respect of meetings of the Commission, AER Board and most subject matter committees. We consider this a vital part in assisting the agency to carry out its day to day business operations and functions in the most efficient, effective and transparent manner. The transparency assists with a number of probity considerations, supports whole of agency awareness of interrelated matters, maximises benefit information utilisation, assists with avoidance of duplication and inconsistency …

Although generally meeting attendance is open to all, predominantly, it is the relevant staff that have an item on a meeting agenda that would be in attendance … Staff from the broader division relevant to the matter are often in attendance, to understand the decision-making process and strategic considerations beyond their immediate work …

Where a specific item that is to be discussed at a meeting is particularly sensitive, attendance and access to the relevant paper is closely managed by the relevant secretariat on a case by case basis, but with appropriate transparency preserved. This represents a small proportion of the Commission’s and AER’s work.

The ACCC has standard terms on which it receives information (including confidential information) from third parties such as businesses. These include that there is no restriction on the internal use of the information consistent with the agency’s statutory functions.

Protective markings in committee papers

2.68 The ACCC’s committee papers containing sensitive information typically did not display protective markings as required by the ACCC’s ‘Guidance on security classification 2019’. This guidance requires that documents that contain or cite sensitive information should be marked as ‘OFFICIAL: Sensitive’⁸⁰, with an additional marking of ‘Legal privilege’ where documents contain legal advice or material otherwise protected by legal professional privilege. The guidance also states that ‘OFFICIAL: Sensitive documents must be marked’. Under the Australian Government’s Protective Security Policy Framework (PSPF), PSPF Policy 8 (relating to sensitive and classified information) states that ‘the need-to-know principle applies to all OFFICIAL: Sensitive information’.⁸¹

2.69 Committee papers available on the ACCC intranet, including those presented to the ACCC Commission or AER Board for regulatory decision-making, typically include check boxes at the beginning of the document indicating whether the document contains legally privileged or confidential information.

Security report

2.75 The ACCC prepares an information security report each month.⁸² This report provides information on a number of security related matters including:

• security incidents⁸³;
• completion of security training;
• USB usage;
• emails sent to external sources (and the senders, recipients and classification of the email); and
• internet usage.

Senior executive remuneration

Entity policy

2.76 A senior executive remuneration policy contributes to the management of probity within an entity by introducing transparency in the remuneration setting process. Having the accountable authority establish and approve remuneration policies also enables the accountable authority to influence behaviour and can be an important mechanism in communicating the desired culture within the entity.

2.77 The ACCC has a Senior Executive Service (SES) remuneration and benefits policy (December 2022).⁸⁴ The policy was approved by the ACCC CEO and outlines the objectives for SES renumeration and non-monetary benefits.⁸⁵ The policy includes remuneration increments for each SES classification level that are aligned to percentiles (for example, APS median and ‘APS 95^th percentile’) in the APS remuneration report.⁸⁶ The policy outlines base salary, employer superannuation contribution and total remuneration for various increment levels within each band of the SES cohort. ACCC documentation states that:

Pay levels are influenced by a number of different factors including meeting starting salary considerations; market relativities; time in role; choices or nuances of specific arrangements with individuals … It is expected that over time as SES separate and commence, SES remuneration will become more closely aligned to the remuneration increments in the ACCC SES remuneration policy.

2.78 The policy states that it operates ‘in conjunction with the General 24.1 Determination for Senior Executive Officers which is approved by the ACCC Chair and individual 24.1 issued to each Senior Executive Officer.’⁸⁷ Among other things, the General 24.1 Determination sets out how the performance of SES officers will be assessed. It also states that a ‘Senior Executive Officer’s performance will be formally reviewed at least annually’ and that ‘All performance assessments will be reviewed and moderated by the COO’.

Government policy

2.79 Probity requirements for the personnel of Australian Government entities include compliance with applicable laws and government policies.⁸⁸

2.80 In recent years the Australian Government has made decisions that impacted remuneration arrangements for senior executives in Australian Government entities. On 26 March 2020, the Australian Government announced that all remuneration increases for APS Senior Executive Service (SES) or equivalent employees (senior executives) would be suspended across the Commonwealth public sector in response to the COVID-19 pandemic.⁸⁹ On 25 June 2021, the Australian Public Service Commission (APSC) announced the end of the pause on all remuneration adjustments for senior executives.⁹⁰ ACCC records indicate that it applied the March 2020 remuneration pause to its senior executives and there were no pay increases for the 2019–20 financial year.

2.81 In August 2021 the APSC released Performance Bonus Guidance applicable to all Commonwealth entities and companies. The guidance stated that:

Commonwealth entities and companies should exercise rigour and restraint in the use of performance bonus payments … Performance bonuses may only be used in limited circumstances, justifiable to the Parliament and the public … As a general principle, most positions should not be eligible to earn a performance bonus. For instance, performance bonuses would not be appropriate in most policy, service delivery, regulatory, or corporate roles … Commonwealth entities and companies should avoid the broad use of performance bonuses.⁹¹

2.82 ACCC documentation dated March 2021 stated that the ‘ACCC’s approach to SES remuneration is largely inconsistent with the broader APS and potentially, public expectations’.⁹² In March 2021, the ACCC initiated a review to update its SES employment framework. ACCC documentation states that:

This included reviewing the [section] 24.1 [PS Act] determination that specifies terms and conditions for Senior Executive Officers, as well as the SES remuneration policy.

The review sought for both:

1. Internal consistency (to bring all Senior Executive Officers onto the same terms and conditions given many longstanding SES have not had a determination reissued in several years) and

2. External consistency (to have ACCC/AER remuneration including the rolling in of performance pay aligned with the broader APS approach and values).

2.83 As part of the review, performance pay and allowances would also be incrementally rolled into base salary over the next 14 months for eligible SES.⁹³ ACCC documentation indicates that performance pay was rolled into base salary from 1 July 2021.⁹⁴ ACCC documentation states that the principles guiding the review were that changes be:

5. Cost neutral – any changes must result in a Senior Executive Officer’s total reward being the same as before the change. There cannot be any additional cost to the ACCC.

6. Consistent with the broader APS – remuneration for ACCC’s Senior Executive Officers should be consistent with the broader APS.

7. Performance oriented – align remuneration for Senior Executive Officers to ACCC/AER strategic objectives and desired leadership behaviours.

8. Contemporary – incorporate motivators other than remuneration (i.e. non-monetary benefits) to drive performance.

2.84 As part of the review, a revised general s.24 (PS Act) determination was approved by the ACCC Chair on 1 July 2021. The determination states that senior executives may request a remuneration review once in any two year period⁹⁵ and that performance will be assessed in accordance with the requirements set out in the determination. The s.24 determination further states that consideration may also be given to any one or more of the following criteria:

a. market relativities

b. a change in the scope/complexity of the Senior Executive Officer’s role

c. impact on the organisation if the Senior Executive Officer were to leave the ACCC

d. cost of a replacement with equivalent skills.

2.85 In August 2021, following the lifting of the pause in June 2021, the ACCC Chair approved a 1.7 per cent across the board remuneration increase⁹⁶ to all eligible senior executives, SES, and SES equivalent employees⁹⁷, with the exception of the ACCC CEO.⁹⁸

2.86 On 6 October 2022 the Australian Government released the Public Sector Interim Workplace Arrangements 2022, which replaced the Public Sector Workplace Relations Policy 2020. The interim arrangements operate from 1 September 2022 until 31 August 2023. They apply to APS and non-APS Australian Government entities and Members of Parliament staff. The arrangements also apply to SES and equivalent employees. The interim arrangements provide for a one-off annual remuneration increase of three per cent for Commonwealth employees.

2.87 On 2 December 2022, the ACCC CEO approved a three per cent salary increase for the SES cohort⁹⁹ in line with the Australian Government’s Public Sector Workplace Relations Interim Arrangements 2022.On 13 December 2022, the ACCC Chair approved a three per cent salary increase for the ACCC CEO in accordance with the same workplace arrangements.¹⁰⁰ Chapter 4 of this audit (paragraphs 4.14 to 4.21) provides further details.

Procurement

2.88 The ACCC has identified key probity risks related to procurement and has developed policies, procedures and arrangements to manage the identified risks.

2.89 Under the PGPA Act, the Finance Minister issues the Commonwealth Procurement Rules (CPRs) for officials to follow when performing duties in relation to procurement. The CPRs govern how entities buy goods and services and state that procurements should:

use public resources in an efficient, effective, economical and ethical manner that is not inconsistent with the policies of the Commonwealth.¹⁰¹

2.90 The CPRs define the terms ‘efficient’, ‘effective’, ‘economical’ and ‘ethical’, and state that:

Ethical relates to honesty, integrity, probity, diligence, fairness and consistency. Ethical behaviour identifies and manages conflicts of interests, and does not make improper use of an individual’s position.¹⁰²

2.91 Under the CPRs, ethical behaviour includes:

• recognising and dealing with actual, potential and perceived conflicts of interest;
• dealing with potential suppliers, tenderers and suppliers equitably, including by seeking appropriate internal or external advice when probity issues arise, and not accepting inappropriate gifts or hospitality;
• carefully considering the use of public resources; and
• complying with all directions, including relevant entity requirements, in relation to gifts or hospitality, privacy and security.¹⁰³

2.92 The ACCC’s Accountable Authority Instructions (AAIs) identify that the ACCC is required to comply with the CPRs. The section on procurement in the AAIs states that ‘Officials must disclose any current or prospective personal interest that may create a conflict of interest as soon as they become aware of the conflict.’ Guidance is also provided on the ACCC’s intranet regarding probity considerations in procurement. This includes:

• general advice about probity in procurement¹⁰⁴;
• links to advice from the Department of Finance regarding probity in procurement¹⁰⁵; and
• a template for a procurement probity plan.

2.93 The ACCC has also developed training and briefing materials that include consideration of probity in procurement.

2.94 The ACCC’s procurement policies and guidance do not include specific operational requirements for the management of probity in procurement, including in relation to entities the ACCC regulates, or regarding entities subject to ongoing ACCC investigations or legal action.¹⁰⁶ The ACCC advised the ANAO that a central procurement team reviews all procurements valued at $10,000 or more, with the exception of procurements of external legal services from panel arrangements.¹⁰⁷ The ACCC further advised that:

Approaches for assuring probity and managing probity issues in procurement are tailored to each procurement depending on the size, risk and complexity of the matter. The agency uses internal probity advisors and external probity advisor[s] as required. The central procurement team with support from the Corporate Law Unit will appoint a probity advisor for complex, high risk procurements. Procurement plans, probity plans, conflict of interest declarations, evaluation plans and evaluation reports are required for complex and high risk procurements and completed as required for transactional or routine procurements.

2.95 In November 2021 the ACCC commissioned a review of 41 procurements undertaken in its Consumer Data Right (CDR) Division.¹⁰⁸ The review was finalised in April 2022 and identified that:

In almost all procurements we identified that probity documentation was needed. It many cases there was no evidence of probity processes or documentation existing at all for the procurement (or we were not provided it).

2.96 The ANAO examined a sample of ACCC procurements (see paragraphs 4.22 to 4.25). The ANAO identified that probity management practices for some procurements included: members of the evaluation team providing activity-specific conflict of interest declarations; appointment of probity advisors; and/or the establishment of probity plans. Some procurements had none of these practices. The ACCC advised the ANAO in February 2023 that:

The sample of procurements that were examined by the ANAO had been assessed by the procurement team and the appropriate probity documentation and practices were completed, based on the level of risk and complexity associated with each procurement. The Commonwealth Procurement Rules require officials to maintain for each procurement a level of documentation commensurate with the scale, scope and risk of the procurement. For simple, low risk procurements, the probity practices listed above are not normally required.

2.97 The findings of the ACCC’s 2021 review of selected procurements (discussed in paragraph 2.95), and the differences in approach identified by the ANAO (discussed in paragraph 2.96), indicates that there is an opportunity for the ACCC to seek to obtain greater consistency in its identification and management of probity risks in procurement, by enhancing its internal guidance.

Corporate credit card expenditure

2.99 The ACCC has identified the key probity risks related to corporate credit card expenditure and developed policies, procedures and arrangements to manage most of the identified risks. Positional authority risk would be reduced by amending current arrangements for the approval of ACCC Commissioner and AER Board member expenses.

2.100 Corporate credit cards (credit cards) offer a transparent, flexible and efficient way for Australian Government officials to obtain cash¹⁰⁹, goods or services to meet business needs. Australian Government policy requires non-corporate Commonwealth entities to pay expenses via a payment card where the payment is an eligible payment under $10,000.¹¹⁰ The misuse of credit cards can expose an entity to risks such as waste and fraud. Instances of misuse and weaknesses in relevant entity controls attract considerable parliamentary and public interest and can cause reputational damage to affected entities and the Australian Government.¹¹¹

2.101 The ACCC issues credit cards to Commissioners and staff.¹¹² The ANAO reviewed the ACCC’s credit card policy, procedures and arrangements to assess whether they addressed selected risks associated with the use of credit cards. In particular, the ANAO examined whether the ACCC’s policies, procedures and arrangements addressed:

• requirements for the issue of credit cards, including specifying cardholder obligations;
• expenditure approval requirements;
• acquittal requirements (including timing and documentation requirements and reviewer responsibilities); and
• requirements for the return of credit cards.

2.102 The ACCC’s AAIs outline requirements in relation to the issue, usage and security of corporate credit cards. The ACCC also has a credit card manual (Card Holder Manual January 2019) that further details various requirements in relation to credit card use. Credit card related guidance is provided on the ACCC intranet.

Requirements for the issue of credit cards including specifying cardholder obligations

2.103 The ACCC’s credit card manual sets out the application process, which includes the requirement to provide a justification, receive supervisor’s approval, and read and sign the corporate credit card cardholder agreement.¹¹³ The AAIs and credit card manual also outline some roles and responsibilities of cardholders.¹¹⁴ The ACCC intranet guidance sets out requirements for reconciling monthly credit card statements and disputing a credit card transaction.

Credit card expenditure limits

2.104 The ACCC credit card manual discusses transaction and monthly credit limits but does not specify particular limits. At the time of conducting audit fieldwork these parameters were set on a case by case basis.¹¹⁵

Expenditure approval requirements

2.105 In its credit card manual, the ACCC provides guidance for staff as to what are acceptable and unacceptable transactions. Staff are not able to approve their own credit card expenses. The ACCC has credit card approval guidance for managers which outlines how managers approve expenses and what documents the staff member incurring the expense must provide to support approval.

Approval arrangements for ACCC Commissioners

2.106 A corporate credit card holder’s expenditure is typically approved by their supervisor. For the role of the accountable authority there is a power imbalance as they do not have the equivalent of a supervisor. Previous ANAO audits have identified risks in relation to positional authority.¹¹⁶ In Auditor-General Report No. 33 2015–16 Defence’s Management of Credit and other Transaction Cards, the ANAO reported that for review of credit card transactions to work effectively:

the reviewer must be in a position to exercise independent judgement … this means that they cannot be in a position which would constrain unreasonably their capacity to question transactions that appear inappropriate; for example, this may be difficult for a person junior to the cardholder … (paragraph 2.42).

2.107 The 2020 Thom review of the Australian Securities and Investments Commission (ASIC) governance arrangements¹¹⁷ also highlighted risks related to positional authority when approving expenses for very senior personnel. The report stated that:

Clearly there are particular challenges that arise when subordinate officials are required to approve expenses for very senior statutory officers, particular for the Accountable Authority. These decisions can still be problematic, even if the approving official is very senior, for example, the CFO or COO … challenges arise for expenses that, while business expenses in nature, have sensitivities and can be subject to public scrutiny and criticism.¹¹⁸

2.108 Recommendation 8 of the Thom review included the following elements, to manage positional authority issues related to expense approvals.

The review recommends that ASIC should:

• Require the Chair’s approval for the expenses of Commission members; and
• Require a Deputy Chair’s approval for the Chair’s expenses.¹¹⁹

2.109 Although directed to ASIC, the recommendation highlighted a risk for statutory bodies. The process for approving credit card expenditure by the ACCC Commissioners is not documented and there are no requirements for ACCC Commissioners to obtain pre-approval for credit card expenses. The ACCC advised the ANAO that: ‘All credit cardholders have a s23 [PGPA Act] delegation to incur expenditure on their credit card up to the limit of their credit card.’ The ACCC CEO reviews and approves credit card expenses as part of the acquittal process for the ACCC Chair and Commissioners and the AER CEO approves credit card expenses as part of the acquittal process for the AER Chair and AER Board members. This approach is not consistent with that recommended by the Thom review.

2.110 Following the release of the Thom review the ACCC undertook a high level internal review of its corporate governance frameworks which considered the relevance to the ACCC of the Thom review findings and recommendations, including recommendation 8.¹²⁰ The ACCC review noted that one of the weaknesses of the ACCC approvals process for Commissioner expenses was: ‘Senior SES is subordinate to the Chair (the accountable authority)’.¹²¹ The ACCC review assessed that recommendation 8 of the Thom Review was relevant to the ACCC ‘In part’, and stated that:

Commissioner expenses must be approved by the COO. Presently, consider this approach (i.e. Commissioner expenses approved by a very senior SES) appropriately reduces risks associated with subordinate approver.

However, could be benefit to test whether any refinement to process needed for larger / more sensitive expenses.

2.111 In summary, the ACCC’s approach to the management of positional authority risk remains inconsistent with that recommended by the Thom review, notwithstanding the acknowledged weaknesses with that approach. Positional authority risk should be addressed by amending current arrangements for the approval of ACCC Commissioner and AER Board member expenses.

2.115 The ACCC advised the ANAO in February 2023 that ‘Executive Assistants are only permitted to make purchases on behalf of ACCC Commissioners and AER Board members where prior approval is received by the relevant Senior Executive.’¹²² This process is not documented, however the ACCC advised the ANAO that this approval may be written or verbal and is provided by the person requesting the purchase of the goods or services.

Acquittal requirements

2.116 The ACCC has guidance on the acquittal process (titled ‘Purchase card online acquittal process January 2019’) which provides information on scanning receipts, retention of hard copy documents, and dealing with missing receipts. The ACCC credit card manual does not include guidance in relation to timeframes for acquittal. For much of the audit period, ACCC intranet guidance states that the 29^th day of the month is the end of the billing period. In contrast, a Finance Branch procedure document (Credit Card Application Processing August 2021) states that ‘All acquittals should be in by the last business day of the month’. The ACCC advised the ANAO that:

The end of the billing period is 27th of each month. Cardholders are required to acquit their transactions in full by the end of the following month. All transactions are routinely acquitted and approved by the supervisor prior to month end close.

2.117 During the audit the ACCC updated its intranet guidance to clarify that the 27^th of each month is the end of the billing period.

2.118 The ACCC credit card manual states that ‘If the monthly Credit Card Statement Summary is not actioned in a timely manner, or the other requirements of the credit card manual are not followed, the corporate credit card may be withdrawn.’ In relation to whether there is documented guidance outlining consequences when appropriate acquittal requirements are not met, the ACCC advised the ANAO that:

The Finance Branch has effective controls in place to ensure prompt acquittal, review and approval of credit card transactions. System reminders are sent to all card holders notifying of transactions awaiting acquittal in addition to the central administrator following up with card holders and supervisors where required. Delays in acquitting monthly transactions are escalated to the Director of Finance or the Chief Finance Officer.

2.119 The ACCC’s guidance on the acquittal process provides some guidance on requirements regarding lost receipts. The purchase card and online acquittal process guidelines state the following with regard to missing receipts:

If you do not have the receipt/tax invoice and the purchase is greater than $82.50 inclusive of GST, you should contact the supplier to obtain a duplicate tax invoice.

If a duplicate record is unavailable or no receipt was issued you will need to provide some other documentary evidence of the transaction.

Please complete the Lost Receipt Declaration Form and attach to credit card transaction (with other evidence if available).

Acquittal arrangements for ACCC Commissioners and AER Board members

2.120 The ACCC advised the ANAO that the acquittal arrangements for ACCC Commissioners and AER Board members are as follows:

Credit card transactions for members are reviewed and approved through online workflow by senior executives of the Commission, consistent with agency requirements.

The ACCC CEO reviews and approves credit card acquittals for the Accountable Authority, the ACCC Commissioners and the AER CEO.

The AER CEO reviews and approves credit card acquittals for the AER Chair and AER Board Members.

The Chief Finance Officer approves credit card acquittals for the ACCC CEO.

Requirements for the return of credit cards

2.121 The ACCC’s intranet guidance states that:

Credit cards are to be cancelled when:

• Employment ceases
• Employee is going on extended leave
• Employees job role has changed & a credit card is no longer required
• Credit card is lost or fraudulent activity is suspected
• Another option is to request to block the card if it is temporarily misplaced.

ACCC monitoring of credit card use.

2.122 The ACCC advised the ANAO that in addition to the review of transactions by the cardholder’s supervisor, ‘The Finance Branch subsequently reviews individual transactions $82.50 GST inclusive or more for both reasonableness and GST compliance.’

2.123 The ACCC’s compliance with credit card requirements is discussed in Chapter 4 of this audit in paragraphs 4.26 to 4.33.

Gifts, benefits and hospitality

2.124 The ACCC has identified risks in relation to gifts, benefits and hospitality and has established policies, procedures and arrangements to manage the identified risks.

2.125 Section 27 of the PGPA Act states that an official must not improperly use their position to gain, or seek to gain, a benefit to themselves or another person. The giving or receiving of gifts, benefits and hospitality can create the perception that an official is subject to inappropriate external influence. Perceptions of this sort can give rise to reputational risks for public entities, including the legitimacy and integrity of regulators (discussed in paragraphs 1.2 and 1.3 of this audit report).

2.126 The ACCC is an APS agency. On 30 November 2021, the APSC released ‘Guidance for Agency Heads — Gifts and Benefits’, which states that:

Public confidence in APS agencies and the APS more broadly can be damaged when gifts and benefits that create a conflict of interest are accepted or not properly declared. The appearance of a conflict can be just as damaging to public confidence in public administration as a conflict which gives rise to a concern based on objective facts.¹²³

2.127 A policy for giving and receiving gifts, benefits and hospitality is an important element of a robust control environment and supports ethical conduct. The effective implementation of such a policy, which generally requires accurate disclosures by entity personnel, benefits from strong cultural settings within the entity, including the example set by senior leadership (‘tone at the top’).

2.128 The ACCC’s policy on gifts, benefits and hospitality applies to ACCC officials¹²⁴ and contractors. As discussed in paragraph 2.9, the ACCC advised the ANAO that the ACCC’s practice has been to apply the policy to AER Board members, although this arrangement has not been formally documented beyond including the ACCC policy on the AER website.¹²⁵

2.129 The ACCC’s policy sets out seven principles, which include the following:

ACCC officials, while performing their roles, must apply the following principles in considering whether to accept any gifts, benefits and/or hospitality:

a. An ACCC official should generally seek to avoid accepting gifts unless when it would benefit the ACCC in carrying out its roles, duties and/or functions to accept a gift.

b. An ACCC official should not accept any gift, hospitality or benefit if it would result in an actual conflict of interest.

c. An ACCC official should only accept a gift, hospitality or benefit, when there may be a perceived conflict of interest, when it would benefit the ACCC in carrying out its roles, duties and/or functions.

2.130 Principle ‘c’ above describes circumstances where an official may accept a gift, hospitality or benefit notwithstanding a perceived conflict of interest. The circumstance is when acceptance would benefit the ACCC.¹²⁶ This approach contradicts the following stipulation, appearing earlier in the ACCC’s policy, that acceptance should not occur where it gives rise to an actual or perceived conflict of interest:

ACCC officials should not accept any gifts, hospitality or benefits that give rise to an actual or perceived conflict of interest. A conflict may arise because acceptance (either in a particular instance or cumulatively) may influence, or be perceived to influence, the actions or decisions of ACCC officials. The ACCC’s integrity as an independent regulator must remain beyond reproach.

2.131 For the avoidance of doubt and to facilitate compliance, there is benefit in the ACCC reconciling inconsistencies relating to perceived conflicts of interest. There is also scope to strengthen the ACCC’s framework for the management of gifts, benefits and hospitality. As discussed in paragraph 2.129, the ACCC’s policy provides that ‘an ACCC official should generally seek to avoid accepting gifts’. Extending this guiding principle to benefits and hospitality would strengthen the ACCC’s framework.

2.133 The ACCC’s policy on gifts, benefits and hospitality also outlines:

• examples of gifts, benefits and hospitality;
• when it is appropriate to accept gifts, benefits and hospitality;
• declaration and approval requirements for accepting gifts, benefits and hospitality; and
• reporting requirements, including thresholds for declaring gifts, benefits and hospitality and what will be reported publicly on the ACCC’s website.¹²⁷

2.134 The ACCC supplements this policy with intranet guidance. The ACCC’s key requirements for managing gifts, benefits and hospitality are summarised in Table 2.1.

Table 2.1: The ACCC’s gifts, benefits and hospitality arrangements

Note a: The policy states that a donation may be accepted if the Commissioner or supervising SES is satisfied the proposed charity is aligned with the ACCC’s values.

Note b: Suppliers include, for example, printers, stationery providers, landlords, property or fit-out agents or suppliers. Although the acceptance of gifts and benefits from suppliers is prohibited, the ACCC permits the receipt of hospitality from suppliers in some cases. The policy lists factors to be considered in determining whether to accept the hospitality.

Note c: Cultural gifts are items of cultural or sentimental value for which a monetary value is difficult to assign.

Source: ANAO analysis of ACCC documentation.

2.135 The ACCC uses a manual process for recording, collating and reviewing gifts, benefits and hospitality received by ACCC Commissioners each quarter.¹²⁸ A similar process is used for AER Board members.¹²⁹ ACCC employees declare their receipt of gifts, benefits and hospitality valued at $50 or higher, in a central register kept in the ACCC’s human resources system. The quarterly process used for ACCC Commissioners does not support compliance with the policy requirement to declare gifts, benefits and hospitality ‘as soon as practicable following an offer or receipt of the gift, benefit or hospitality.’ A quarterly process also introduces additional risk that matters requiring declaration could be overlooked. The process adopted for ACCC employees helps reduce this risk and supports compliance with the policy requirement to make declarations as soon as practicable. There would be benefit in aligning the declaration timeframe for ACCC Commissioners with that applying to ACCC employees.

2.137 Recording accepted offers of gifts, benefits or hospitality in separate manual systems, especially when the information is being collated and published externally for transparency purposes, creates the risk that information is not properly recorded and disclosures may not be made when they should be. Requiring all accepted offers of gifts, benefits and hospitality to be recorded in the ACCC’s human resources software system, irrespective of whether the offer was accepted by an ACCC Commissioner, AER Board member, employee or contractor, would provide additional assurance that records are complete.

2.141 As discussed in paragraph 2.129, the ACCC’s policy regarding conflicts of interest states that: ‘An ACCC official should only accept a gift, hospitality or benefit, when there may be a perceived conflict of interest, when it would benefit the ACCC in carrying out its roles, duties and/or functions.’

2.142 The policy also states that ACCC officials should: ‘Consult the CEO prior to acceptance if a Commissioner or a supervising SES officer (in relation to a[n] employee) has any reservations about whether there is any potential conflict or sufficient benefit to warrant the acceptance of the offer.’

2.143 No guidance is provided in the policy on assessing benefits to the ACCC. However, the policy provides examples of when it is appropriate to accept an offer of hospitality and when more consideration is required, and an example of when hospitality should be declined.

2.144 The one example of when hospitality should be declined is as follows:

An invitation to an ACCC official to attend a private dinner paid for by a private sector entity with a limited number of stakeholders present and where attendance is considered to provide no recognisable benefit to the ACCC in carrying out its roles, duties and/or functions.

2.145 Examples provided in the policy for ‘circumstances when it is okay to accept hospitality’ include the following.

• A Commissioner attending an industry dinner following an industry forum.
• …
• Christmas or seasonal drinks/events hosted by business and consumer stakeholder bodies and by law and consulting firms on ACCC panels.

2.146 Examples provided under the heading ‘Circumstances when more consideration is required before accepting the hospitality offered’ include the following.

• Networking functions, such as alumni events, drinks hosted by barristers at their chambers, and breakfast, lunch, dinner, drinks or seminar events hosted by corporate suppliers or potential suppliers to the ACCC particularly where coinciding with procurement processes.
• Celebration meals offered to ACCC staff at the conclusion of a matter at a restaurant, by law firms, consultancies, or experts engaged by the ACCC.
• Attendance at a corporate sponsored table at an event.

2.147 The ACCC policy provides a list of factors ACCC officials should consider when determining whether to accept hospitality.¹³⁰ In relation to ‘Circumstances when more consideration is required before accepting the hospitality offered’, the policy states that after consideration of these factors, ‘If the ACCC official considers that attendance would benefit the ACCC in carrying out its roles, duties and/or functions, the official should attend and declare the hospitality in the gifts register’.

2.148 As noted in Table 2.1, the ACCC’s policy prohibits gifts from ACCC suppliers.¹³¹ A number of the examples cited above show that accepting hospitality from suppliers is permissible, including in situations where it is more than incidental to ACCC officials undertaking their core functions. The ACCC advised the ANAO in February 2023 that:

the ACCC considers there are legitimate circumstances where it is appropriate to accept hospitality. These circumstances are where the hospitality is relatively low value and incidental to the purpose of establishing and supporting the engagement with key partners such as legal practitioners.

However, the ACCC acknowledges that there is ambiguity and possible inconsistency in the advice given in the Gifts, hospitality and benefits policy. The policy is due for review in November 2024; however, the agency will now bring this forward to be considered by August 2023. Part of that Policy refresh project includes simplifying the language in policies and ensuring that there is no conflicting information being provided in the guidance documents.

2.149 With respect to gifts, benefits and hospitality, the perception of a conflict of interest can be just as important as an actual conflict of interest. The emphasis in ACCC guidance on identifying the benefit to the ACCC above managing perceived conflicts of interest leaves the ACCC vulnerable to risks of perceived threats to its independence as a regulator. There is also a risk of negative perceptions regarding the fairness of ACCC procurement practices, where hospitality provided by suppliers is more than incidental to ACCC officials undertaking their core functions. There is scope for the ACCC to strengthen its guidance regarding the acceptance of gifts, benefits or hospitality from suppliers.

2.151 Further, the ACCC’s process for declaring gifts, benefits and hospitality does not require recipients to document in the gifts, benefits and hospitality register their assessment of whether accepting an offer represents a real or perceived conflict of interest, and how any identified perceived conflicts are to be managed. The ACCC should improve the transparency of its internal gifts, benefits and hospitality register by introducing a requirement to capture such information.

2.155 The ACCC’s compliance with gifts, benefits and hospitality requirements is discussed in Chapter 4 of this audit in paragraphs 4.34 to 4.46.

Identification and management of fraud risks

2.156 Section 10 of the PGPA Rule requires the accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.¹³² It lists six requirements relating to fraud risk assessments, fraud control plans, and mechanisms for preventing fraud.

2.157 The ACCC’s 2022 Enterprise Risk Register includes the following risk:

Serious findings of a lack of integrity by staff or statutory appointees (for instance as a result of fraud, corruption or other impropriety), or inadequate compliance and assurance systems, damages the agency’s reputation as an effective regulator with the Australian Government and other key stakeholders, resulting in reduced funding and/or responsibilities, and reduced credibility as a regulator.

2.158 This risk had a ‘high’ rating, and as of November 2022 was rated as above the ACCC’s risk tolerance.

2.159 The ACCC has a Fraud Control Plan (August 2022).¹³³ It was endorsed by the ACCC’s Audit and Risk Committee in August 2022 and approved by the ACCC’s Corporate Governance Board, which includes the accountable authority, in October 2022.

2.160 The 2022 Fraud Control Plan defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. It ‘assesses the risk of fraud occurring at the ACCC and sets out controls to address that risk’. The plan outlines 19 fraud risks.

2.161 Both the 2022 Fraud Control Plan, and the preceding 2019 plan, refer to the ACCC and AER. While both plans reference the application of the policy to ACCC staff, they do not specify whether they apply to ACCC Commissioners and/or AER board members.¹³⁴

2.162 ACCC records indicate that:

• in 2020–21 there were seven allegations of fraud received or detected (four internal and three external); and
• in 2021–22 there were six allegations of fraud received or detected (two internal and four external).

2.163 In both financial years the external fraud related to external charges on ACCC credit cards. ACCC documentation indicates the amounts were refunded by the financial institution.

2.164 The 2022 and 2019 fraud control plans set out how the ACCC prevents, detects and responds to fraud and corruption risks. The ANAO assessed whether the ACCC’s fraud policy, plan and arrangements complied with section 10 of the PGPA Rule. Overall, as outlined in Table 2.2, the ACCC has met the requirements of section 10.

Table 2.2: Fraud control requirements and ACCC compliance

Note a: The ACCC also has a Contractor Induction program. Contractors on contracts of four weeks or longer are required to complete the Fraud Awareness module.

Note b: The ACCC’s 2022 Fraud Control Plan states that suspected fraudulent activity will be referred to the AFP in circumstances where the matter involves:

a significant or potentially significant monetary or property loss to the Commonwealth;

activity that has, or has the potential to, undermine public confidence in, or the integrity of, the ACCC;

the bribery or corruption, or attempted bribery or corruption, of an ACCC staff member or Commissioner;

the unlawful causing of a significant gain, or loss, to an external party.

Note c: In February 2022 the ACCC advised the ANAO that ‘Suspected fraud or potential fraud by the AER Board members (other than the Chair) can be reported to any manager or supervisor of the reporting individual, or to the Fraud Control Officer, or via the process set out in the Public Interest Disclosure Act 2013. Allegations in relation to the AER Chair must be reported to the ACCC CEO’.

Note d: Subject to any laws that require otherwise.

Source: ANAO analysis of ACCC documentation.

Public interest disclosures

2.165 The ACCC has established a public interest disclosure (PID) policy that is accessible to both ACCC officials and the public; has identified authorised officers; and makes optional training available to authorised officers through the Australian Government Solicitor.

2.166 The Public Interest Disclosure Act 2013 (PID Act) establishes a PID scheme where public officials ‘who suspect wrongdoing within the Commonwealth public sector can raise their concerns.’¹³⁵ The PID Act ‘applies to Australian Government agencies, Commonwealth companies, public authorities and Commonwealth contracted service providers.’¹³⁶ The purpose of the PID Act is to:

promote the integrity and accountability of the Commonwealth public sector by:

• encouraging and facilitating the making of disclosures of wrongdoing by public officials
• ensuring that public officials who make protected disclosures are supported and protected from adverse consequences relating to the making of a disclosure
• ensuring that disclosures are properly investigated and dealt with.¹³⁷

2.167 The kinds of conduct that disclosures can be made about include but are not limited to:

• a contravention of the law
• corruption
• perverting the course of justice
• maladministration
• an abuse of public trust
• falsifying scientific research
• wastage of public money, or
• conduct that is a danger to health, safety or the environment.¹³⁸

2.168 The PID Act sets out a range of obligations including those relating to the principal officer of each agency¹³⁹ and authorised officers.¹⁴⁰

2.169 The ANAO examined whether the ACCC had:

• established a PID policy that was accessible to ACCC officials and the public;
• identified authorised officers;
• PID training available for staff; and
• provided PID related guidance on its intranet and website.

2.170 The ACCC has a public interest disclosure policy dated June 2018. The policy is available on the ACCC’s intranet and outlines:

• the requirements of a public interest disclosure;
• what is disclosable conduct;
• who can make a public interest disclosure;
• protections under the PID Act;
• how to make a public interest disclosure;
• roles and responsibilities;
• what happens after a public interest disclosure is made;
• confidentiality requirements; and
• support arrangements.

2.171 A public interest disclosure can be made by current and former ACCC employees, including temporary and contracted employees, and service providers contracted by ACCC (including their officers and employees). The ACCC’s policy states that:

Authorised Officers are the Principal Officer and officers of an agency authorised in writing by the Principal Officer for the purposes of the PID Act (s36). They have a range of decision-making, notification and other responsibilities under the PID Act.

2.172 The ACCC also provides guidance relating to public interest disclosure on its intranet. The ACCC’s website includes a link to its PID Policy and the email address to be used to make a disclosure to an authorised officer.

2.173 As of 27 March 2023, the ACCC had eight authorised officers. As discussed in Table 2.3, the ACCC has mandatory PID training for new starters and offered optional PID training to authorised officers, run by the Australian Government Solicitor.

Were relevant policies subject to periodic review?

2.174 Periodic review of entity policies assists in ensuring they remain fit-for-purpose and address current risks. For the period examined as part of this audit, the ANAO examined whether relevant policies were subject to periodic review.¹⁴¹

2.175 The ACCC undertook an internal compliance review that was completed in May 2022, which recommended that the ACCC ‘introduce a document control system and carry out a project to refresh the ACCC’s internal control documents’. In November 2022 the ACCC advised the ANAO that its compliance team was working on:

a policies and procedures library for employees (called Policy and Procedure Hub), continuing to aim for launch by end of the year. Work on this library includes developing an overarching governance framework to manage processes for ensuring policies included in the library are approved policies and procedures, and therefore can be relied upon with confidence as the ‘single source of truth’.

2.176 The Policy and Procedure Hub was launched in January 2023. The ACCC commenced its ‘policy refresh’ project in July 2022. ACCC documentation states that:

With consideration of the ongoing ANAO probity audit, the internal compliance team was asked to prioritise integrity related policies, with a focus being to update and strengthen the policies from an integrity and probity perspective.

2.177 The ACCC advised the ANAO in February 2023 that: ‘The project will also develop an Internal Control Document Development and Review Policy with guidance on how to determine appropriate review periods and determine appropriate levels of accountability.’

2.178 Over the period examined for this audit, most relevant ACCC policies were reviewed and updated.¹⁴²

Does the ACCC effectively inform its personnel of probity requirements and promote compliance?

2.179 The effectiveness of an entity’s arrangements for managing probity risks is dependent on personnel being effectively informed of the requirements with which they are required to comply. This can be done through, for example:

• the provision of training;
• making information on policies, procedures and arrangements addressing probity risks easily accessible to staff; and
• regular messaging from senior officers.

Training related to probity risks

2.180 The ACCC has a suite of training, some of which is mandatory, that addresses the probity risks examined in this audit. The ACCC launched a revised learning and development program (the ‘Essentials Program’) in June 2022. The Essentials Program includes:

• a security awareness course that is required to be completed annually;
• induction courses that are required to be completed within a specified period after commencement with the ACCC¹⁴³;
• role-specific courses that are required to be completed prior to commencing in a role or within a specified period of time after commencement in the role¹⁴⁴; and
• other courses that are required to be completed within 24 months.¹⁴⁵

2.181 ACCC documentation states that courses were chosen for inclusion in the Essentials Program because:

• they help us to meet statutory/legislative obligations and/or employment policy standards
• lack of knowledge and compliance would pose significant risk to the ACCC/AER
• they reflect ACCC/AER priorities (e.g. diversity and inclusion, appropriate workplace behaviours and psychological safety)
• they meet Australian Public Service Commissioner directives.

2.182 Table 2.3 provides details of training available for ACCC personnel for the probity risks examined in this audit.

Table 2.3: ACCC probity related training

Note a: The APSC provides a range of education and training courses through the APS Academy.

Source: ANAO analysis of ACCC documentation.

2.183 The ACCC advised the ANAO that:

In June 2022, the ACCC/AER launched a suite of “essential” training known as the Essentials program via the Bunya online learning management system. All employees are required to complete this training …

Guidance to employees is that courses in the Essentials program that have previously been completed, including as part of the Induction Program, do not need to be repeated unless they are a reoccurring course. Currently the only reoccurring course is Security Awareness.

2.184 The ACCC further advised the ANAO that:

ACCC Commissioners and AER Board members are employees for the purposes of the Bunya system and receive the same automatic emails and reminders to complete the agency’s Induction and Essentials programs of training as other agency employees.

Refresher training

2.185 Mandatory refresher training can be an effective way to help ensure knowledge regarding probity requirements is up-to-date and personnel are reminded of their obligations. As of January 2023, security awareness training was the only training module with a requirement that staff undertake mandatory refresher training. This was made mandatory in July 2021, with all staff required to complete the training by February 2022.¹⁴⁶

2.186 The July 2021 review into the management of senior executive conflicts of interest (see paragraphs 2.22 and 2.23) made two recommendations regarding annual refresher training on conflicts of interest.¹⁴⁷ The ACCC advised the ANAO that ‘Conflict of Interest training applying to all Commission officials has been updated. The recommendation for more specific training and annual refresher training for SES is expected to be considered further by the proposed Chief Integrity Officer.’¹⁴⁸ The ACCC further advised the ANAO that the recommendation for managers to complete an annual course to identify and manage conflicts of interest would also be considered by the proposed Chief Integrity Officer.

2.187 As noted in paragraph 2.14, the ACCC’s Enterprise Risk Register lists ‘Conflict of interest processes’ as a key control for managing integrity risk, which is one of the ACCC’s seven enterprise risks.¹⁴⁹ The ACCC could usefully consider the role of refresher training in its management and mitigation of identified enterprise-level integrity risks.

Monitoring compliance with requirements

2.189 ACCC records indicate that when introducing the Essentials Program, the ACCC ‘moved away from a “mandatory” compliance-focused approach’ that had earlier been planned. References to mandatory modules (except for security awareness training) and consequences for non-completion were removed from the guideline document prepared to assist ACCC personnel understand the Essentials Program. Instead the ACCC favoured an ‘initial focus on a cultural shift rather than “rules”’.

2.190 The ACCC advised that ANAO that monitoring completion of the Essentials Program courses is done by supervisors as part of the annual performance cycle process, as follows:

As part of performance planning, employees are asked to confirm (self-report) that they have a plan to complete the Essentials program and, at the end of the performance cycle, that they are up to date with Essential program training. This is designed to act as a prompt to encourage completion of the program and to provide some data to the agency on completion of the program.

Managers will be monitoring completions as part of performance planning discussions …

Currently there is no central reporting on Essential program completions or compliance (aside from reporting on Security awareness training compliance and quarterly reporting on completion of D&I [diversity and inclusion] training). Reporting compliance with training requirements based on Bunya [online learning system] data is currently a resource intensive, manual process.¹⁵⁰

2.191 As discussed in paragraph 2.181, training courses were selected for inclusion in the Essentials Program to satisfy compliance obligations, meet agency priorities and help manage enterprise risks. Centralised monitoring and reporting of completion rates for this training would provide additional assurance regarding achievement of those goals.

Accessibility of information on probity requirements

2.193 The ACCC makes policies, procedures and information regarding arrangements to address probity risks available on its intranet. Some intranet pages that contain this information also contain contact details for specialist staff who can provide assistance.

Messaging from senior officials

2.194 The ACCC uses a range of channels for providing its personnel with information on probity requirements, including information on policy updates, and reminders regarding obligations and senior officials’ expectations. These channels include:

• regular direct messaging from the CEO;
• an email newsletter called ‘ACCCess’; and
• articles published on the intranet landing page.

3.1 An entity’s accountable authority is required to establish appropriate controls and maintain sufficient oversight to ensure internal controls operate as intended, to assist in mitigating probity related risks and promote compliance. Well-functioning assurance arrangements, including reporting to senior management, provide confidence that risks are being effectively controlled or identify when controls are ineffective or absent. Entities also need to ensure that instances of non-compliance are treated in a timely and appropriate manner in accordance with specified requirements.

3.2 This chapter assesses whether the ACCC has established monitoring and reporting arrangements to provide assurance on the effectiveness of internal controls and compliance with probity requirements. Specifically, the ANAO examined if the ACCC has established a fit for purpose framework for:

• monitoring the effectiveness of internal controls relating to probity and providing assurance to the accountable authority;
• monitoring compliance with probity requirements, including regular monitoring and reporting; and
• following up on identified instances of non-compliance.

Is there a framework for monitoring the effectiveness of internal controls relating to probity and providing assurance to the accountable authority?

3.3 Information on the effectiveness of internal controls gives the accountable authority assurance regarding compliance with probity policies and the extent to which staff uphold standards of conduct. Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the accountable authority of a Commonwealth entity to establish an appropriate system of internal control. Section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority to establish an audit committee, the functions of which must include reviewing the appropriateness of the system of internal control. This would include coverage of oversight of the management of identified probity risks.

Internal audit

Review activity

3.4 The ACCC has an internal audit strategy covering the period 2019–23. The strategy states that ‘key strategic risks … underpin the Internal Audit Strategy.’ The strategy lists criteria for selecting internal audit topics and states that that there would be periodic audits on topics that are key to the achievement of key business objectives and strategic priorities, and strategic risks. The ACCC’s 2021–22 Annual Report states that ‘Audit topics consider areas of significant risk and seek to ensure that all major functions, systems and business areas of the agency are audited regularly.’

3.5 The ACCC undertook two internal audits in 2020–21¹⁵¹ and three in 2021–22. The internal audits in this period included:

• IT security and governance;
• monitoring compliance with enforceable undertakings;
• employee use of delegations and authorisations;
• information security and awareness (iManage)¹⁵²; and
• management of COVID-19 and lessons learned.

3.6 In the annual letter of assurance to the ACCC Chair in 2019, 2020 and 2021, the Chair of the ACCC’s Audit and Risk Committee¹⁵³ encouraged the ACCC Chair to consider the adequacy of the budget provided to internal audit.¹⁵⁴ The assurance letter dated 14 September 2021 stated that:

In its 2019 and 2020 assurances letters to you the [Audit] Committee encouraged management to consider the adequacy of the internal audit budget. The Committee notes the importance of ensuring internal budget allocation keeps pace with the substantial increase in the agency size and complexity of work in recent years. The Committee therefore again encourages you to assess whether the current model of 3 internal audits per year is sufficient to adequately cover all key risks within an acceptable multi-year timeframe.

3.7 The number of internal audits undertaken has meant there has not been regular testing of controls relating to risks identified in the ACCC’s strategic risk registers, including probity related risks. The ACCC’s 2019–20 Strategic Risk Profile included six risks, all of which were rated as ‘high’.¹⁵⁵ A further assessment of the ACCC’s enterprise risks occurred in October 2021, with eight risks identified as ‘key enterprise risks for 2021–22’. This resulted in the addition of a risk related to ‘serious findings of a lack of integrity damage the agency’s reputation as an effective regulator’, which was given a risk rating of ‘medium’.¹⁵⁶ An update in September 2022 included seven enterprise risks, of which five were rated as ‘high’, including the risk of ‘serious findings of a lack of integrity, or inadequate compliance and assurance systems damage the agency’s reputation as an effective regulator’.

3.8 In April 2022 the ACCC Executive Management Board was presented with a proposal to incrementally increase the number of internal audits by one to two audits per year. In August 2022 the ACCC commenced a two year contract with an external provider of internal audit services.¹⁵⁷ Correspondence from the Chair of the Audit and Risk Committee to the ACCC Chair dated 8 September 2022 stated that:

The [Audit and Risk] Committee notes the changes that have been progressed in relation to the agency’s internal audit model. In its 2019, 2020 and 2021 annual letters of advice, the Committee encouraged management to consider the adequacy of the internal audit approach and budget. The Committee has emphasised the importance of ensuring internal budget allocation keeps pace with the substantial increase in the agency size and complexity of work.

The Committee has been encouraged in 2021–22 to see that management has reconsidered the approach to internal audit and decided to move to an audit partner model with more funding and scope for further audits to be undertaken. … We note that engagement and induction for the audit partner is underway, and we will continue to monitor progress. This will constitute a significant investment.

3.9 The updated ACCC and AER Risk Management Framework, which was approved by the Acting ACCC Chair on 16 December 2022, stated that:

The agency has engaged a third party service provider as an audit partner to carry out the centralised internal audit function. The provider is engaged for a two year period, commencing in September 2022. The provider will conduct three to four formal audits per year, supported by additional reviews and other work with an assurance or business improvement focus.

3.10 The ACCC’s internal audit provider prepared an Internal Audit Work Plan (IAWP) for 2022– 24, which was approved by the ACCC’s Chief Risk Officer in January 2023 and noted by the Audit and Risk Committee in February 2023.¹⁵⁸ The 2022–24 IAWP included four internal audits for 2022–23¹⁵⁹ and six for 2023–24.¹⁶⁰ The internal audit provider also undertook an assurance mapping activity in 2022–23, to assess the ACCC’s assurance arrangements across its seven enterprise risks.

3.11 Prior to the 2022–24 IAWP, the ACCC’s internal audit program was undertaken under the Internal Audit Strategy 2019–2023, which included an Internal Audit Plan for 2019–23. A paper to the Audit and Risk Committee in March 2022 stated that while the Internal Audit Plan for 2019–23 contained a schedule of internal audit topics for the years covered by the Internal Audit Strategy, ‘In practice the topics for each year are reviewed and determined annually by the Executive Office with input from senior management, and may change from what is specified in the Plan.’

Oversight

3.12 Under its charter, the role of the ACCC’s Audit and Risk Committee is to provide ‘independent advice and assurance to the Accountable Authority, through the CGB [Corporate Governance Board], on the entity’s financial reporting, performance reporting, risk oversight and management, and systems of internal control.’ The Audit and Risk Committee receives updates on the ACCC’s internal control framework. Internal audit reports are discussed as a standing agenda item at the Audit and Risk Committee and the Committee also receives regular reporting on the implementation of audit recommendations.

3.13 As discussed in paragraph 2.110, the ACCC undertook an internal review of its governance frameworks following publication of the Thom review. The ACCC internal review stated that:

Executive Office has indicated it can also consider further whether internal audit reports that are currently provided to Audit Committee should also be provided to Corporate Governance Board.

3.14 A paper provided to the Audit and Risk Committee indicates that as of November 2022, there was:

No regular update provided to CGB [Corporate Governance Board] regarding:

• Audits commenced
• Final audit reports delivered
• Tracking implementation of recommendations.

Audit reports/updates provided by exception, or as requested.

3.15 The Corporate Governance Board receives minutes of Audit and Risk Committee meetings and verbal updates from members of the Audit and Risk Committee. The ACCC’s Executive Management Board, which is chaired by the ACCC Chief Executive Officer, receives final audit reports/outcomes where relevant.¹⁶¹

Internal assessment of the effectiveness of controls

3.16 In May 2022, the ACCC undertook an entity-wide assessment of selected internal controls related to corporate and governance obligations.¹⁶² ACCC documentation indicates that the assessment built on a legislative compliance review undertaken by an external consultant in 2019. The 2022 assessment was reported to the Executive Management Board and the Corporate Governance Board in June 2022. The covering minute to both committees stated that:

The assessment relied on information and documents provided by line areas in addition to information obtained from interviews with Responsible Officers and Accountable SES. It did not include testing of internal controls to check if they were effective in meeting each obligation in practice.

3.17 The assessment considered arrangements relating to:

• conflict of interest;
• procurement;
• credit card expenditure;
• gifts, benefits and hospitality; and
• fraud control.

3.18 The review contained 38 recommendations for strengthening policies, procedures and arrangements relating to specific compliance obligations.¹⁶³ It also contained a recommendation for the ACCC to implement a ‘control document management system’ and ‘policy refresh project’.¹⁶⁴ The policy refresh project is discussed in paragraphs 2.175 to 2.177.

3.19 As of March 2023, the ACCC was developing a compliance framework.¹⁶⁵ It has not yet been determined what control monitoring and testing activities are planned under the proposed framework.

Other reviews of probity controls

3.20 In December 2022 the ACCC advised the ANAO that:

to supplement the internal audit program the agency also undertakes other audit initiatives directed at key enterprise risks. An example is the two audits per year undertaken in relation to the Consumer Data Right. These audits are reported to the CDR Internal Governance Board … and the Audit and Risk Committee.¹⁶⁶

3.21 This review activity has included a review related to Consumer Data Right (CDR) procurements and CDR cyber security and compliance with the Information Security Manual.¹⁶⁷ While the ACCC refers to these as internal audits, these reviews were not formally part of the internal audit program and were not subject to the ACCC’s standard practices for tracking the implementation of recommendations. Both reviews were provided to the Audit and Risk Committee for noting.

3.22 Additionally, the ACCC commissioned a review related to senior executive conflict of interest management, which was finalised in July 2021.¹⁶⁸ ACCC documentation indicates that it was provided to the ACCC’s Executive Management Board.

Is there a framework for monitoring compliance with probity requirements, including regular monitoring and reporting?

3.23 The ACCC undertakes regular monitoring of compliance with some probity requirements. This includes compliance with annual conflict of interest declaration requirements and completion of mandatory security awareness training.

3.24 A compliance assurance process, to inform mandatory reporting on compliance with the PGPA Act and PGPA Rule, are part of the ACCC’s annual report preparation.¹⁶⁹ This process is informed by compliance questionnaires completed by senior officers¹⁷⁰, as well as monitoring of procurement activity and finance-related internal controls.

3.25 An October 2019 compliance assessment commissioned by the ACCC recommended that the ACCC establish a legislative compliance framework.¹⁷¹ The ACCC’s compliance arrangements were also identified as an area for improvement in the 2021 internal review into governance frameworks which followed publication of the Thom review.¹⁷² The internal review stated that:

To date, the agency’s culture has served it well in quickly identifying issues that may result in non-compliance; however, there is no central management or oversight to identify compliance risks, assign responsibility and accountability, audit compliance with our obligations and, assign responsibility and accountability when an issue is identified for resolution. Moreover, the agency’s growing size and diversification of its statutory roles and responsibilities reinforces the need to have in place fit-for-purpose formal governance structures, rather than remaining reliant on a culture of compliance. As noted above, the current structure considerations have an opportunity to invest in improved compliance awareness and compliance monitoring.

3.26 The ACCC’s Audit and Risk Committee was advised in November 2021 that a dedicated compliance team had been established, and the committee was provided with a draft project plan on developing a central compliance function. This team undertook a compliance assessment process (discussed in paragraphs 3.16 to 3.18). The ACCC advised the ANAO that:

In early 2023, the team will continue to refine the framework as further planning is undertaken of:

• the policy refresh project
• the procurement and implementing of the Risk and Compliance IT tool, and
• preparing the Assurance checklist: Systems of internal control for the Audit and Risk Committee for end of financial year reporting …

Monitoring and reporting on compliance activities with obligations and internal controls (e.g. policies) is the responsibility of the obligation/policy owner. As part of the policy refresh project, policy owners will be required to include an accountability table which will clearly identify and delegate responsibilities for monitoring compliance (and non-compliance) and reporting on the same. Internal Compliance will have a role to oversee that the monitoring and reporting activities are being undertaken (but is not responsible for doing that monitoring and reporting), as well as a role to review and inspect reports to help identify any patterns of behaviour or systemic issues to be raised with an appropriate governance board.

3.27 As of March 2023 the ACCC was in the process of developing an entity-wide compliance framework and was undertaking a procurement process for software to facilitate centralised compliance management and reporting of compliance incidents. The ACCC advised the ANAO that the Compliance Framework was expected to be considered by the Corporate Governance Board in May 2023 and the compliance management software was expected to be launched in mid-2023.

Is there a framework for following up on identified instances of non-compliance?

3.28 Having a framework for following up on identified instances of non-compliance assists in providing assurance to the accountable authority regarding the effectiveness of probity management arrangements.

Responding to non-compliance with probity requirements

3.29 The ACCC does not have an entity-wide framework for responding to instances of non-compliance with probity requirements.

3.30 As discussed in paragraph 3.13, after the release of the Thom review in 2021, the ACCC undertook an internal review ‘to identify whether the agency had any weaknesses or gaps in its governance frameworks.’ As discussed in paragraphs 3.16 to 3.18, in May 2022 the ACCC also undertook an entity-wide assessment of selected internal controls related to corporate and governance obligations.

Consequences for non-compliance with probity requirements

General approach

3.31 As discussed in paragraphs 3.19 and 3.27, the ACCC was developing a compliance framework in late 2022. As of January 2023, the ACCC had no general approach regarding consequences for non-compliance with probity requirements.

Policy specific

3.32 As discussed in paragraph 2.3, the Australian Public Service (APS) Code of Conduct applies to ACCC staff. Consequences for failing to manage conflict of interest can result in a breach of the APS Code of Conduct. In its conflict of interest policy, the ACCC states that:

If a breach of the Code of Conduct is found, section 15 of the Public Service Act provides that the following sanctions may be imposed:

• termination of employment
• reduction in classification
• re-assignment of duties
• reduction in salary
• deductions from salary, by way of fine
• a reprimand.

Depending on the nature of the conflict of interest, prosecution under the Crimes Act 1914 could also occur with appropriate penalties being imposed by a court.

3.33 The other ACCC policies reviewed in this audit typically did not include details of the consequences for non-compliance.

3.34 Credit cards can be withdrawn in circumstances where there is non-compliance with the credit card manual, as discussed in paragraph 2.118. Where there is accidental misuse of a credit card, the ACCC advised the ANAO that ‘the cardholder will contact the Finance Branch for instructions. The transaction/s will be acquitted as a receivable and the Finance Branch will contact the cardholder with instructions on how to repay the funds.’

3.35 Identification of probity related non-compliance and management of identified non-compliance is discussed in Chapter 4 of this audit report.

4.1 Entities cannot effectively manage probity related risks if the policies, procedures and arrangements designed to mitigate those risks are not followed. This chapter assesses whether the ACCC has demonstrated compliance with the probity requirements selected for ANAO review and addressed non-compliance in accordance with its stated requirements.

4.2 The requirements reviewed by the ANAO related to:

• code of conduct;
• conflict of interest;
• trading in financial instruments;
• senior executive remuneration;
• selected procurement requirements;
• corporate credit card use; and
• gifts, benefits and hospitality.¹⁷³

Has the ACCC complied with the selected probity requirements?

Code of conduct

4.3 When Commissioners and employees join the ACCC they are required to declare, amongst other things, that they have read and understood the Australian Public Service (APS) Code of Conduct.¹⁷⁴ The requirement to comply with the APS Code of Conduct is reiterated in induction training that employees and Commissioners are required to complete. As discussed in paragraph 2.190, there is no central reporting on the completion of training aside from reporting on security awareness training compliance and quarterly reporting on completion of diversity and inclusion training. As the ACCC does not require any attestation or completion of training on an annual basis that is centrally reported, the ANAO did not review compliance with requirements in relation to the APS Code of Conduct or the ACCC’s Code of Conduct for Commission Members and Associate Members (Members’ Code of Conduct).

Compliance with annual declaration process requirements relating to conflict of interest

4.4 The ACCC’s arrangements for managing conflicts of interest are discussed in paragraphs 2.12 to 2.30.

4.5 As discussed in paragraph 2.19, ACCC employees are required to complete a conflict of interest declaration (SES employees) or a self-assessment (non-SES employees¹⁷⁵) within one month of commencing with the ACCC and if the employee has a change in circumstances that might give rise to new conflicts of interest. In addition to these requirements, SES employees are required to complete an annual conflict of interest declaration and non-SES employees are required to complete a conflict of interest self-assessment each financial year. All ACCC employees, including senior executives, are required to confirm that they:

• have read and understood the conflict of interest policy;
• are aware of insider trading law and prohibitions in place around trading while in possession of price sensitive information; and
• have identified any real, perceived or potential conflicts of interest relating to themselves and their immediate family members.

4.6 The ANAO examined whether there is evidence of the ACCC having conducted its annual conflict of interest declaration (SES) and self-assessment (non-SES) processes for the most recent period, and whether the results were reported to relevant senior management. The ANAO also examined what actions the ACCC took in relation to identified non-compliance.

4.7 At the time the ANAO conducted audit fieldwork, the most recent cycles had ended on 31 July 2022 for SES declarations and 31 August 2022 for non-SES self-assessments.¹⁷⁶ ACCC documentation indicates that the ACCC tracked completion rates and reported results to the Corporate Governance Board in October 2022. The report indicated the following.

• All SES declaration forms were submitted by 31 July 2022.
• As of 4 October 2022, 1217 out of 1233 non-SES employees (99 per cent) had completed their self-assessment. The report advised that 16 forms were still to be completed by non-SES employees who had either returned from leave after 31 July 2022 or joined the ACCC/Australian Energy Regulator (AER) in August 2022. The report further advised that follow up action was planned ‘to ensure compliance at the earliest possibility’.

Disclosure of Commissioner and Board member interests

4.8 As noted in footnote 50, the Members’ Code of Conduct states that ‘Commissioners should inform the Chair on an annual basis – by 30 June – of all their relevant interests’. The most recent declaration process for ACCC Commissioners and AER Board members was undertaken in June and July 2022. Declaration of interest forms were completed by all ACCC Commissioners and AER Board members, including the ACCC Chair and AER Board Chair, with one exception.¹⁷⁷ The individual declarations were not provided to the ACCC Chair. The ACCC advised the ANAO in April 2023 that:

In June 2022, the Executive Office asked Commissioners to:

• validate their entities in the Commissioner Disclosure register
• complete the annual Declaration of Private Interest Form.

Executive Office staff reviewed the validated entries and the completed Declaration of Private Interest Forms to ensure that all relevant disclosures that could give rise to a perceived or actual conflict of interest were included in the Commissioner Disclosure register. The Executive Office also considered associate members’ Declaration of Private Interest Forms.

On 31 August 2022, a paper was presented to Commissioners, including the Chair, that set out a report of Commissioners’ declarations received outside Commission meetings or not previously considered, including following the annual Declaration of Private Interest Form process …

4.9 Under section 17 of the Competition and Consumer Act 2010, the ACCC Chair ‘must give written notice to the Minister of all pecuniary interests that the Chairperson has or acquires in any business carried on in Australia or in any body corporate carrying out such business.’ In March 2023 the ACCC advised the ANAO that ‘The agency’s practice and interpretation of section 17 is that the Chair provides a disclosure of interest declaration to the Minister upon appointment to the role and upon any change in circumstances post-appointment.’ The ACCC Chair commenced in the role on 21 March 2022 and signed a letter to the Treasurer dated 3 June 2022 detailing pecuniary interests. The letter was sent to the Treasurer on 12 May 2023.¹⁷⁸

Compliance with trading in financial instruments requirements

4.10 The ACCC’s arrangements for trading in financial instruments are discussed in paragraphs 2.46 to 2.60. As discussed in paragraph 2.49, the ACCC updated its conflict of interest policy in November 2022 to include a section on ‘improper use of information — share trading’. This established restrictions regarding trading in securities for employees. As this was at the end of the period subject to audit the ANAO did not examine compliance with these requirements.

4.11 As discussed in paragraph 2.52, the Members’ Code of Conduct states that:

Full-time members should normally avoid holding shares directly. If a full-time member proposes to hold shares directly, they should consult the Chair and exercise careful personal judgement in respect of such transactions to ensure that any financial dealings do not raise an actual or perceived conflict with the functions of that member.

4.12 In February 2023 the ACCC advised the ANAO that ‘The only direct shareholdings disclosed by ACCC Commissioners were in their possession upon commencement and either remained in their possession or were divested post commencement.’ This statement was consistent with information contained in ACCC Commissioner and AER Board member declarations. The ACCC further advised the ANAO that:

In relation to AER Board members, only one member … has disclosed direct shareholdings. The shareholdings are held via a self-managed superannuation fund and are not energy–related. If a perceived or actual conflict of interest arose for [an] AER Member … in the course of … ACCC/AER work, a management plan would be implemented. As no conflict has arisen, a management plan has not been required.

4.13 The AER Board member listed the superannuation fund in the annual declaration of interests.

Compliance with senior executive remuneration requirements

4.14 The ACCC’s arrangements for senior executive remuneration are discussed in paragraphs 2.76 to 2.87. As discussed in paragraphs 2.77 and 2.78, the ACCC has a remuneration and benefits policy for substantive SES employees, which states that the ‘policy operates in conjunction with the General [section] 24.1 [PS Act] determination for Senior Executive Officers and individual 24.1 issued to each Senior Executive Officer’. The General 24.1 Determination sets out requirements relating to annual review of performance for SES employees and requirements regarding requests for individual renumeration reviews.¹⁷⁹

4.15 The ANAO reviewed whether:

• the process for reviewing senior executive remuneration for its most recent performance period was undertaken in accordance with entity requirements; and
• whether the ACCC’s accountable authority (the ACCC Chair) was provided with and approved individual remuneration outcomes for members of the senior executive cohort for the most recent performance cycle that resulted in a pay rise.

4.16 As outlined in paragraph 2.85, the ACCC Chair approved a 1.7 per cent remuneration increase for SES and SES equivalents, excluding the ACCC Chief Executive Officer (CEO), in August 2021. This rise was consistent with the requirements of the Public Service Workplace Relations Policy 2020.¹⁸⁰

4.17 On 2 December 2022, the ACCC CEO approved a three per cent salary increase for the SES cohort¹⁸¹ in accordance with the Public Sector Interim Workplace Arrangements 2022.On 13 December 2022, the ACCC Chair approved a three per cent salary increase for the ACCC CEO in accordance with the same workplace arrangements.¹⁸² The ACCC Chair was provided with information on: the CEO’s existing remuneration, proposed remuneration, and relativities with other SES at that level across the APS.¹⁸³

4.18 In addition to the general increases for the SES during the period reviewed by the ANAO, the most recent process that resulted in a pay increase for some SES officers was a review process undertaken in December 2022. For a small number of senior executives, increments were approved by the ACCC CEO on 21 December 2022. The ACCC’s General s24 Determination states that: ‘A Senior Executive Officer’s performance will be formally reviewed at least annually. All performance assessments are required to be reviewed and moderated by the ACCC COO.’¹⁸⁴ As part of the review process, the CEO was provided with information, including on the individual remuneration and performance of all those in the senior executive cohort. ACCC records indicate that in February 2023 the ACCC Chair was provided with the outcomes of the remuneration review.

4.19 In September 2022 the ACCC Chair was advised that the People and Culture Branch planned to provide both annual and regular reporting on remuneration details to the Chair for substantive SES Band 2 and 3 employees, ‘to improve probity and assist us with providing assurance to you that the ACCC manages executive remuneration appropriately.’

4.20 As of March 2023, no further increases in remuneration to members of the senior executive had occurred.

4.21 In summary, for the process examined by the ANAO:

• the process for reviewing senior executive remuneration for its most recent performance period was undertaken in accordance with entity requirements; and
• there is evidence the ACCC Chair was provided with the remuneration outcomes for members of the senior executive cohort for the most recent performance review process that resulted in a pay rise for some members of the senior executive cohort.

Consideration of probity in procurement

4.22 The ACCC’s policies, guidance and arrangements for probity management in procurement activities are outlined in paragraphs 2.88 to 2.98. The ACCC’s procurement policies and guidance require officials to comply with the CPRs.¹⁸⁵ As discussed in paragraph 2.94, the ACCC’s procurement policies and guidance do not include any further specific requirements for the management of probity related risks.

4.23 The ANAO selected a sample of ten procurements undertaken by the ACCC between July 2021 and October 2022. The procurements selected were the 10 highest value procurements for the period recorded on AusTender as at 19 October 2022.

4.24 For each procurement, the ANAO assessed whether there was evidence of the consideration of probity as part of the procurement process. The results of this assessment are summarised in Table 4.1.

Table 4.1: Consideration of probity in the selected ACCC procurements

Note a: The ACCC advised the ANAO in February 2023 that BPMR stands for Broadband Performance Monitoring and Reporting.

Note b: This procurement was undertaken through the Software Marketplace — Whole of Australian Government Software Licensing and Services Panel. The procurement was for services under ‘category 1’, for which there is only a single supplier.

Note c: The AusTender contract number for the phase 1 procurement is CN3767189 with a total reported value of $220,000.

Source: ANAO review of ACCC documentation.

4.25 As summarised in Table 4.1, for the ten high-value procurements reviewed by the ANAO, the ACCC documented consideration of probity as part of the procurement process in five cases. In four of the remaining five procurements, internal probity requirements established for the individual procurements were not fully complied with.¹⁸⁶ As discussed in paragraph 2.97, there is an opportunity for the ACCC to seek to obtain greater consistency in its identification and management of probity risks in procurement, by enhancing its internal guidance.

Compliance with corporate credit card requirements

4.26 The ACCC’s policies, procedures and arrangements for credit card expenditure are discussed in paragraphs 2.99 to 2.123.

4.27 The ANAO examined the corporate credit card use of the following senior ACCC personnel:

• the Accountable Authority;
• the AER Chair;
• ACCC Deputy Chairs;
• AER Deputy Chair;
• ACCC Chief Executive Officer (called the ACCC Chief Operating Officer prior to January 2022); and
• AER Chief Executive Officer.¹⁸⁷

4.28 These roles were selected on the basis that setting the ‘tone at the top’ is important when trying to instil an ethical culture in an entity. Further, external review is a means of testing whether there are controls in place to manage positional authority risks within an entity.¹⁸⁸

4.29 The ANAO also examined whether the executive assistants for people in the above roles have credit cards and if so, whether they can make purchases on behalf of their manager.

4.30 The ANAO reviewed all credit card transactions for the people in the selected roles for the months of June and July 2022. These months were selected as they were sufficiently recent to reflect current entity practices and, at the time of conducting audit testing, the acquittal process should have been complete. The ANAO examined whether:

• transactions were acquitted within the required timeframe;
• tax invoices or other supporting documentation was provided (where applicable);
• transactions were approved in accordance with requirements¹⁸⁹; and
• whether transactions appeared to be for incidental or other private expenditure.

4.31 In the audit sample there were 102 credit card transactions, with a total expenditure of $14,446.23. Of the 102 transactions examined, all were compliant with ACCC requirements. There were also three instances identified by the ACCC where there were no tax receipts provided as required. A lost receipt declaration was completed in each case, in accordance with ACCC requirements.

4.32 The ACCC advised the ANAO that executive assistants can make purchases on behalf of senior ACCC personnel. The ANAO did not identify any transactions where a manager approved expenses incurred on their executive assistant’s card.

4.33 Of the 102 transactions reviewed by the ANAO, no instances were observed that appeared to be for private expenditure.

Compliance with gifts, benefits and hospitality requirements

4.34 The ACCC’s arrangements for gifts, benefits and hospitality are discussed in paragraphs 2.124 to 2.155.

4.35 The ANAO reviewed the ACCC’s gifts, benefits and hospitality register for the period 1 July 2020 to 30 September 2022. The ANAO examined the register for this period because the effective management of probity risks related to gifts, benefits and hospitality is an important element of: supporting an ethical culture; managing the risk of real and perceived conflicts of interest; and managing the risk of regulatory capture.

4.36 The ANAO examined whether:

• declarations were made in line with ACCC policy;
• gifts, benefits or hospitality to staff were approved in accordance with requirements¹⁹⁰; and
• where applicable, details of gifts, benefits and hospitality reported on the ACCC’s website matched those on the ACCC’s three internal registers.

4.37 As discussed in paragraphs 2.135 to 2.140, the ACCC maintains separate registers for staff¹⁹¹, ACCC Commissioners, and AER Board members.¹⁹² The ANAO analysis was undertaken across all three registers. There were a combined 127 entries in the registers.

4.38 Table 4.2 provides a summary of entries in the ACCC’s gifts, benefits and hospitality registers during the period reviewed by the ANAO.

Table 4.2: Summary of the ACCC’s gifts, benefits and hospitality registers

Note a: The categories in this table were determined by the ANAO based on analysis of the ACCC’s three Gifts, Benefits and Hospitality registers.

Note b: Cultural gifts are items of cultural or sentimental value for which a monetary value is difficult to assign.

Note c: Due to rounding, the ‘Percentage’ column does not add to 100 per cent.

Source: ANAO analysis of the three ACCC gifts, benefits and hospitality registers, 1 July 2020 to 30 September 2022.

4.39 In respect to the entries in the ACCC’s three registers for the period reviewed, most gifts, benefits and hospitality were managed in accordance with ACCC requirements.¹⁹³ The ANAO identified the following exceptions.

• There were two occasions where a gift card was accepted contrary to ACCC policy.
• There were 12 occasions where the gift, benefit or hospitality was reported late. On five of these occasions reporting occurred eight to 16 months after the event. On the other seven occasions reporting occurred two months after the event.
• There were 10 occasions where the entry in a register was not published online.
• There was one occasion where the entry was published online but did not appear in the internal register.
• Registers for AER Board members and ACCC employees assigned to the AER were not published for the period 3 January 2020 to 31 December 2020. The ACCC advised the ANAO in February 2023 that this was ‘due an oversight at the time of staff turnover’.¹⁹⁴

4.40 Additionally, there was one occasion where attendance at a drinks function appeared to give rise to a potential conflict of interest but was accepted nonetheless. The hospitality was described in the register as:

This was a general invitation to [a] low value function. It was accepted because it provides an opportunity to meet and appraise the strength of [name of organisation removed] and staff providing corporate legal advice on Commonwealth issues; to determine whether the firm is a viable competitive option for use by the CLU [Corporate Law Unit] team.

4.41 The ACCC advised the ANAO in February 2023 that: when the ACCC official attended this function, there was no tender or purchasing process in place; and the ACCC has not engaged with the organisation in relation to any procurement activity since the function.

4.42 As discussed in paragraphs 2.129 and 2.130, the ACCC’s gifts, benefits and hospitality policy permits acceptance of this type of hospitality, notwithstanding the potential for a perceived or actual conflict of interest. The policy also states that ‘Any offer of a gift or benefit that is made in connection with a tender or purchasing process’ is to be refused. The ACCC register indicates that the purpose of attending the function was to determine whether the firm was a viable competitive option for use by the ACCC’s Corporate Law Unit. On that basis, acceptance of the hospitality was contrary to ACCC policy.

4.43 The ANAO also identified the following discrepancies between the internal staff register and the registers published on the ACCC and AER websites.

• Instances where an individual staff member made a declaration, however the register on the website described multiple members as attending the event.
• For declarations surrounding airline lounge memberships, it is not clear which individuals, or how many individuals, received this benefit.

4.44 In relation to the airline lounge memberships, the ANAO was advised that ‘the ACCC declares these in a generic disclosure on its register rather than accumulating individual disclosures.’

4.45 ACCC policy states that employees must seek and document approval from their supervising SES officer to accept a gift, benefit or hospitality.¹⁹⁵ When making declarations in the register, ACCC employees provide the name of the SES officer who approved acceptance. However, the documentation supporting this approval is contained outside the relevant register. As the registers provided to the ANAO did not contain supporting evidence for the approval, the ANAO was not in a position to test if approvals had been made in accordance with ACCC policy. There is an opportunity to improve the transparency and completeness of the ACCC’s gifts, benefits and hospitality registers by documenting the supporting evidence for an approval in the registers. In addition, as the ACCC CEO does not have a ‘supervising SES officer’ there is scope for the ACCC to establish approval arrangements for the acceptance of gifts, benefits or hospitality by the ACCC CEO.¹⁹⁶

Has non-compliance been addressed in accordance with stated requirements?

4.47 Following up on identified instances of non-compliance assists in providing assurance to the accountable authority on compliance with entity requirements and the effectiveness of probity management arrangements.

4.48 The ACCC’s framework for following up on identified instances of non-compliance is discussed in paragraphs 3.28 to 3.35. As of March 2023, the ACCC was in the process of developing an entity-wide framework for following up on instances of non-compliance.

4.49 The ANAO examined whether there was evidence of action being taken in relation to non-compliance identified by the ACCC and in the context of this audit.

Declaration process relating to conflict of interest

4.50 The ACCC conducted the annual conflict of interest declarations (SES) and self-assessment (non-SES) process in accordance with its requirements. The ACCC was able to demonstrate that completion rates were tracked and that individuals who had not completed the declaration were followed up until all those required to complete the declaration had done so.

Procurement

4.51 In respect to the non-compliance with procurement requirements discussed in paragraphs 4.22 to 4.25, the ACCC advised the ANAO in February 2023 that:

The ACCC has monitoring controls in place to capture and report instances of non-compliance with the Finance Law to Senior Management and the Audit Committee. Where non-compliance is identified, individuals are required to implement strategies to prevent future instances of occurrence and report these as part of the non-compliance process.

4.52 The ACCC further advised the ANAO that:

The ACCC understands the importance of consistency in identification and management of probity risks in procurement.

The agency will look to consider ways in which it can further strengthen its existing internal guidance on probity requirements and governance for all procurements, including having additional probity management measures for higher risk, more complex procurements.

Gifts, benefits and hospitality

4.53 In respect to the non-compliance with its gifts, benefits and hospitality arrangements discussed in paragraphs 4.34 to 4.46, the ACCC advised the ANAO in February 2023 that ‘The ACCC notes that the ANAO has identified instances on [sic] non-compliance.’ The ACCC further advised the ANAO that ‘there are areas for clarification and improvement of our current Gifts, hospitality and benefits policy and practices.’

4.54 As noted in paragraph 2.148, the ACCC also advised the ANAO in February 2023 that its review of the gifts, benefits and hospitality policy would be brought forward from November 2024 to August 2023.

Appendix 1 Australian Competition and Consumer Commission response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2022–23 Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented. Changes observed include the following.

• Updates to policies and frameworks, including:
  • Accountable Authority Instructions and the Commissioner and Associate Members Code of Conduct; and
  • policies relating to conflict of interest; senior executive remuneration; the credit card manual; gifts, benefits and hospitality; fraud control plan; and risk management framework.
• Updated intranet guidance related to probity in procurement and credit cards.
• Addition of gifts, benefits and hospitality training for new staff and new procurement training made available.
• Entity-wide assessment of selected internal controls.
• Revised approach to internal audit and appointment of external provider of internal audit services.
• Launch of the Policy and Procedure Hub.

Appendix 3 Department of Finance guidance — Ethics and Probity in Procurement: Principles

1. An extract of the Department of Finance’s guidance on Ethics and Probity in Procurement: Principles¹⁹⁷ is reproduced below.

1. The principles underpinning ethics and probity in Australian Government Procurement are:

• Officials must act ethically, in accordance with the APS Values (set out in section 10 of the Public Service Act 1999) and Code of Conduct (set out in section 13 of the Public Service Act 1999), at all times in undertaking procurement.
• Officials must not make improper use of their position.
• Officials should avoid placing themselves in a position where there is the potential for claims of bias.
• Officials must not accept hospitality, gifts or benefits from any potential suppliers.
• Agencies must not seek to benefit from supplier practices that may be dishonest, unethical or unsafe, which may include tax avoidance, fraud, corruption, exploitation, unmanaged conflicts of interest and modern slavery practices.
• All tenderers must be treated equitably. This means that all tenderers must be treated fairly - it does not necessarily mean that they are treated equally.
• Conflicts of interest must be managed appropriately.
• Probity and conflict of interest requirements should be applied with appropriate and proportionate measures informed by sound risk management principles.
• Value for money outcomes are best served by effective probity measures that do not exclude suppliers from consideration for inconsequential reasons.
• Confidential information must be treated appropriately during and after a procurement process.
• External probity specialists should only be appointed where justified by the nature of the procurement.