Chapter 2 Legislative support for new functions

Introduction

2.1                   Part 4 of the Auditor-General Act 1997 sets out the main functions and powers of the Auditor-General.  The main functions include undertaking financial statement audits, performance audits, audits by arrangement, and functions under other Acts.

2.2                   Traditionally, the primary functions performed by the Auditor-General have included the auditing of financial statements[1] and performance audits.[2]  More recently, however, the Auditor-General has taken on a range of individual assurance activities (or audits by arrangement). 

2.3                   These assurance activities generally consist of reviews undertaken by agreement with the client, either at the request of the client or in response to requests from stakeholders, including Ministers and parliamentary committees.[3]  These assurance activities may be handled through the publication of a formal report or by correspondence as determined by the relevant arrangement.[4]

2.4                   Currently the main assurance activity the ANAO is engaged in is the annual assurance review of the Defence Major Projects Report (MPR).  The MPR reports on the status of selected Defence equipment acquisition projects. 

2.5                   From July 2008 to March 2010, the Auditor-General was also involved in reviews of government advertising.  The focus of these reviews was to allow the Auditor-General to express a conclusion as to whether anything had arisen to indicate that government advertising campaigns did not comply with the relevant guidelines.

2.6                   Assurance activities such as the MPR (and the reviews of government advertising previously) are carried out under section 20 of the Act (Audits etc. by arrangement) and in accordance with the ANAO’s Auditing Standards.  These standards include the Standard on Assurance Engagements ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information issued by the Australian Auditing and Assurance Standards Board.

2.7                   Assurance activities of this kind provide a different level of assurance to that provided by financial statement, and performance audits. [5]  This difference is set out in the submission from the Australasian Council of Auditors-General (ACAG)[6] as follows: 

[A]n audit provides reasonable assurance which is defined as:

a high, but not absolute, level of assurance. This is where the assurance practitioner’s objective is a reduction in performance engagement risk to an acceptably low level in the circumstances of the performance engagement as the basis for a positive form of expression of the assurance practitioner’s conclusion.

Whereas, a review provides limited assurance. In a limited assurance engagement the assurance practitioner’s objective is a reduction in performance engagement risk to a level that is acceptable in the circumstances of the assurance engagement, as the basis for a negative form of expression of the assurance practitioner’s conclusion. The acceptable performance engagement risk in a limited assurance engagement is greater than for a reasonable assurance engagement.[7]

2.8                   More straightforwardly, Mr Geoff Wilson, Independent Auditor of the ANAO, explains: 

The difference between limited assurance and reasonable assurance is the amount of work that you actually do. In a limited review you are doing certain discussions and reviewing certain documents. In terms of reasonable assurance you are increasing the level of work that you are doing, including reviewing and testing various systems. That is a choice that is part of the engagement.[8]

2.9                   There was some consensus in the evidence that the area of assurance engagements was one that required attention.  For example, as Professor Wanna from the Institute of Public Administration Australia (IPAA) states:

It seems clear now, from a decade of this act, that there are areas where the mandate is unclear. I think one of the roles of this committee should be to help clarify the audit mandate…in relation to their assurance functions across government.[9]

Explicit recognition of assurance activities

2.10               As outlined above, assurance activities are currently carried out in accordance with section 20 of the Act.  This section, in part, states:

(1)        The Auditor-General may enter into an arrangement with any person or body:

(a) to audit financial statements of the person or body; or

(b) to conduct a performance audit of the person or body; or

(c) to provide services to the person or body that are of a kind commonly performed by auditors.[10]

2.11               The submission from ACAG clarifies further:

Where the work negotiated is an audit, then Section 20 (1) sub‑sections (a) or (b) apply. Where the work negotiated is a review, then Section 20(1)(c) applies although the word review is not explicitly included in this Section. Instead, reference is made to “services … of a kind commonly performed by auditors”. Auditors commonly conduct “reviews”.[11]

2.12               A number of submissions to the inquiry suggest that rather than falling under the auspices of section 20, the Act should make explicit provision for these assurance activities.[12]

2.13               The Committee is in receipt of no direct evidence to suggest that the main assurance activity currently being conducted by the Auditor-General under section 20 of the Act (i.e., the MPR) is problematic.  However, there is evidence to suggest that assurance activities undertaken by agreement with agencies could potentially create challenges. 

2.14               This is because assurance activities conducted under section 20 of the Act do not provide the Auditor-General with the formal information‑gathering powers that normally apply to the conduct of financial statement or performance audits.[13]  This restriction is set out in subsection 31(a) (Purpose for which information-gathering powers may be used) as follows:

The powers under sections 32 and 33[[14]] may be used for the purpose of, or in connection with, any Auditor-General function, except:

(a) an audit or other function under section 20.[15]

2.15               Additionally, as outlined in ACAG’s submission below, the fact that audits or reviews are conducted by arrangement significantly constrains the role of the Auditor-General: 

ACAG also notes that under Section 20, any such audits or reviews are by arrangement (therefore negotiated) between the A-G and any person or body. This must mean that the “person or body” could refuse to have the audit or review conducted or seek to impose conditions with which the A-G may, or may not, wish to comply. For example, the person or body could agree to the conduct of an audit or review but limit the scope in such a way as to make the audit or review meaningless.[16]

2.16               Professor Wanna from IPAA commented in a similar vein:

I am not fully aware of what the problems are with the Defence reports but there seems to be a concern, certainly from the audit community, that they do not have the same strength of powers…when they are negotiating these. You must remember that the culture of the Audit Office is to be very consensual and to get agreement. Of course, that then puts them in that kind of bargaining position. One interpretation of that section of the act would be that you can refuse to cooperate then. So an agency or a minister would be within their powers to say, ‘No, I’m not cooperating.’[17]

2.17               At the hearing on 22 June 2009, the Auditor-General, Mr Ian McPhee PSM, further explained the potential problems using the MPR as an example:

The importance of [assurance reviews] being treated specially is that you can link up my normal powers to obtain evidence and to undertake these reviews without the agreement of the other Commonwealth agency. So it allows the Auditor General more authority. Take a position: conceivably, you are doing the [MPR], and, hypothetically, the government has a change of heart and thinks these...reviews are actually disclosing a bit too much information and are not very satisfactory. At the moment, I rely on the agreement of the DMO to provide me with access, to provide the necessary information to allow me to do the audit.  Under a provision that I have got in mind, I would have the authority to undertake those reviews knowing it was important for the committee no matter what.[18]

2.18               Both ACAG and the ANAO argue on the basis of the information set out above, that assurance activities should be explicitly recognised in the Act.

2.19               ACAG proposes that the Act should be broadened in two respects:  first, in circumstances where the Parliament has sought audits or reviews, these audits or reviews should be conducted at the discretion of the Auditor‑General and not by arrangement; and, second, explicit provision should be included in the Act for the Auditor-General to conduct reviews.  ACAG also submits that any requests for additional functions should be accompanied by appropriate resourcing.[19]

2.20               Paragraph 1 of the appendix to the ANAO’s primary submission (no 3) outlines the provisions that would need to be incorporated into the Act should such an amendment be recommended by the Committee as follows:

• provide the Auditor-General with the explicit authority to undertake assurance activities consistent with his other functions,
  
  
• provide for the coercive information-gathering powers in the Act to be used for the purpose of carrying out assurance activities, and
  
  
• provide the Auditor-General with the authority to determine arrangements, including reporting arrangements to the Parliament, to be followed in the conduct of assurance activities.[20]

2.21               While not specific about the form increased legislative backing should take, the Defence Materiel Organisation (DMO) also provides some support for explicitly recognising assurance activities in the Act as follows:

From a DMO perspective, I support the broadening of the Act to give sufficient legislative backing for new functions such as reviews, eg the “Major Projects Report”.[21]

Committee comment

2.22               On the basis of the evidence received, and there being no evidence to the contrary, the Committee believes it is appropriate that the Auditor‑General be provided with explicit authority to conduct assurance engagements.  

2.23               In light of its experience with oversight of the MPR, the Committee notes that these assurance activities, while not full performance audits, can be an extremely effective way of monitoring public accountability.

2.24               The Committee expects that implementation of Recommendation 1 below would not render section 20 of the Act redundant.

2.25               Additionally, the Committee also notes that any amendments to the Act to provide explicit recognition of assurance engagements would result in consequent amendments to reflect that change (for example, sub-section 8(4) and section 24 would need to refer to audit and assurance activities).[22]

2.26               The Committee has an expectation that the Parliament and the Australian public will continue to be informed of the outcomes of these assurance activities.