Chapter 2 - Areas of inquiry by the Committee


Overview

2.1 As noted in the previous chapter, three areas of review in the Australian National Audit Office’s (ANAO) 2021-22 Financial Statements audit were the focus of the Committee in this inquiry. These were:

  • the financial sustainability of certain material entities, including the Department of Home Affairs (Home Affairs), the Department of Agriculture, Fisheries and Forestry (Agriculture), and the National Disability Insurance Agency (NDIA)
  • Defence’s use of appropriated funds in relation to the termination of the Attack Class submarine contract, and
  • the Protective Security Policy Framework (PSPF) that is administered by the Attorney-General’s Department (AGD) and informs the cyber security practices of Commonwealth agencies.

2.2 These issues are discussed in turn below.

Financial sustainability

Background

2.3 The ANAO noted overall in its 2021-22 Financial Statements audit of Commonwealth entities that:

An assessment of an entity’s financial sustainability can provide an indication of financial management issues or signal a risk that the entity will require additional or refocused funding. The ANAO analysis concluded that the financial sustainability of the majority of entities was not at risk.[1]

2.4 The ANAO further stated in this audit report, however, that:

Nevertheless, there would be benefit in the government developing performance targets or benchmarks. This would enable an entity to assess its own financial sustainability against agreed parameters over time, and against like entities.[2]

2.5 The Department of Finance (Finance) stated in its submission to this inquiry that it conducts sustainability reporting and that it:

… actively engages with standard-setters about the international and national sustainability reporting standards that are currently under development for use by the private sector. Regular updates are provided to entities to ensure they remain aware of these developments.[3]

2.6 The ANAO also noted in its 2021-22 Financial Statements audit that Finance had established the ‘Australian Government Transparency portal’ in 2018-19 ‘for centrally capturing publicly available corporate information for all Commonwealth entities’.[4] The ANAO further indicated that this platform includes tools that can ‘compare and contrast financial results across all entities through the use of the following four ratios’:

  • total liabilities to total assets ratio, which indicates the level of ownership of the entity’s assets but can also be used to gain an understanding of the net equity of the entity;
  • financial assets to total liabilities ratio, which indicates the extent to which an entity’s liabilities can be covered by its financial assets;
  • current ratio, which indicates whether an entity’s current assets are greater than its current liabilities and whether the entity is likely to be able to pay its short-term liabilities as they fall due; and
  • capital turnover ratio, which indicates whether an entity is replacing its assets at a sustainable rate.[5]

2.7 The ANAO further noted in its audit, however, that ‘Finance has not developed and communicated guidance to assist users in assessing whether the ratios indicate strong or weak financial performance in the context of the government sector’ and that it had therefore developed its own guidelines ‘based on generally accepted concepts of financial sustainability’ to conduct its analysis of the operating results and balance sheets of material Commonwealth entities.[6]

2.8 The Committee queried the ANAO on why no formal framework existed for the Commonwealth Government to measure the financial sustainability of its entities. The Auditor-General remarked that the issue had been the subject of discussion between the Committee and Finance. He further commented that:

In a normal corporate type audit, sustainability usually goes to going concern issues—can you continue to pay your bills in an ongoing sense? For noncorporate government entities, that's not really relevant because they are part of the Crown and the Crown stands behind them, so they're almost always liquid, in that sense.[7]

Department of Home Affairs

2.9 Home Affairs was asked why it had commissioned an independent review of its budget outcomes in 2022. Home Affairs responded that it ‘had challenges balancing the books over that time’ but that it had come within 0.7 per cent of its budget over the previous eight years.[8] Home Affairs further remarked:

We have been very successful in terms of managing our budget, but we've done that under volumetric and inflationary pressures, cumulative historical savings efficiencies, new savings initiatives and absorbing costs. We also identified that, whilst we've been able to manage, there has been, in our observation, structural underfunding of the department… we sought an independent review in partnership with the Department of Finance to understand those pressures and to provide some guidance as to what remediation might look like if there was a common agreement that underfunding was in fact the case, and how we might then address that.[9]

2.10 The Committee further queried why reviews of Home Affairs had also taken place in 2016 and 2018, in the areas of functional efficiency and of budget measures and outcomes, and how the findings of these multiple reports could have differed substantially over seven years. The department responded that:

… it's a case of us evolving our tools that we're using. We have been working on an underpinning evidence base, on a cost forecasting tool; we're working with the Department of Finance on that. We've got a structural and standard organisational view of our budget. We've always had a capability and functional view of our budget, but they are looking almost to an activity based costing level as the level of evidence they are more comfortable with. We're progressing through those stages.[10]

2.11 The Committee asked Home Affairs to comment on the statement in the 2022 independent budget review that ‘the baseline budget situation for the department has become misaligned with its core and far-reaching activities relating to keeping Australia safe’.[11] Home Affairs responded that:

… were we of the view that we were unsustainable ahead of that? I don't think, as a department, we would have characterised it that way. I think we felt that we were under pressures and that there was structural underfunding for the department.[12]

2.12 Home Affairs further stated on this issue, however, that it accepted the finding of the 2022 review that it was balancing risk, service delivery and the cost of doing business in an unsustainable manner.[13]

2.13 In relation to human resources, Home Affairs commented that it did not accept the concerns of Finance, as noted by the independent reviewer in the 2022 report, that its staff are routinely but not transparently moved between functions to the areas of newest priority rather than to those with the highest delivery need. Home Affairs stated:

In terms of the work that was done as part of the review, what we actually did was demonstrate the process that we undertake when ASL [average staffing level] is transferred or resources are reprioritised within the department. We very clearly demonstrated to them the due diligence process and the transparency that's undertaken when resources are reallocated.[14]

2.14 Home Affairs further commented in its response to questions on notice in relation to staffing and resourcing:

Home Affairs… manages the ongoing resourcing challenges, including ASL, through ongoing trade-offs across operational delivery, systems and processes, and people – which have come at a cost. It is not as simple as going to a particular area that was underfunded. The department prioritises resources to support front-line operational activities and delivery of core services. What we've done over many years is manage the budget within the parameters that are set and manage our priorities internally, whether it's people, processes, or operational activity, to work within that budget. As a result of changing priorities, we are working with the government in consideration for long-term sustainable solutions to address these very pressures.[15]

2.15 Home Affairs accepted the statement from the review that its FTE resourcing had trended below the ASL cap since the formation of the department.[16]

2.16 In further questioning from the Committee, Home Affairs acknowledged that $92 million had been spent on a now-terminated contract to privatise and improve its IT capability (the ‘global digital platform’) and that the savings of $180 million that were anticipated to flow from this could not now be realised.[17]

2.17 The Committee asked additional questions on the nature of the resourcing decisions made by Home Affairs when faced with financial impacts such as the unrealised $180 million in savings and other pressures such as efficiency dividends. The Committee was particularly interested in how these might affect specific core functions such as visa processing backlogs (for which additional funding was provided in the 2022-23 budget). Home Affairs responded that:

We clearly run a centrally managed budget process and, as part of that, that [the loss of $180 million in savings] was considered a whole-of-department pressure. Given the inability of the immigration group, as an example, to achieve those efficiencies, it was unfair to allocate directly to them, especially given the fact that they were seeking to reduce the visa processing backlog. So they were managed at the department level.[18]

2.18 Home Affairs was further questioned on the 2022 independent review’s conclusion that a framework should be embedded ‘to engender trust and ongoing collaboration’ with Finance. Home Affairs replied that:

We outlined previously in our evidence as to the purpose of the review, and it was effective in delivering the outcomes we saw, which were to ensure that there was a common understanding of those pressures and to seek guidance as to what strategies we could employ together—that is, both the Department of Finance and us—to address those issues.[19]

Department of Agriculture, Fisheries and Forestry

2.19 The Committee sought advice from Agriculture on the main drivers of its current financial pressures. Agriculture commented that inadequate revenue from fees and charges and increased biosecurity threats were among them:

… up to 40 per cent of our revenue comes from fees and charges, and those fees and charges for the cost-recovered services haven't been adjusted in line with what it actually costs to deliver those services, so we're facing deficit in those areas. In addition, around two-thirds of our department work on operational matters, primarily biosecurity functions at the border but also exports and trade, which has required us to surge resources into those operational areas to respond to major biosecurity threats and trade disruptions while maintaining core policy and administration capability.[20]

2.20 Agriculture further commented that its estimated deficit for 2022-23 was $60 million.[21] Agriculture responded on notice to questions about its cost recovery financial position since 2017-18, and these figures are provided in Tables 2.1 and 2.2. Agriculture noted in providing these figures that an appropriation of $10.488 million was received in 2022-23 ‘through the 2020-21 Budget measure, Busting Congestion for Agricultural Exporters, to continue providing regulatory services to agricultural exporters, while industry fees and charges increased’.[22]

Table 2.1 Cost recovery positions for Agriculture from 2017-18 to 2021-22 ($'000), by agricultural exports arrangement or biosecurity stream, as defined by the department and communicated with stakeholders.

| Arrangement | 2017-18 | 2018-19 | 2019-20 | 2020-21 | 2021-22 |
|---|---|---|---|---|---|
| Meat | (0.422) | (3.192) | (2.529) | (0.000) | (0.000) |
| Seafood and Egg | (0.067) | 0.330 | (0.000) | 0.000 | 0.000 |
| Dairy | (0.627) | (0.890) | (1.020) | (0.000) | 0.000 |
| Non-prescribed goods | 0.088 | (0.055) | (0.925) | (0.000) | 0.000 |
| Export Food (Surplus)/Deficit | (1.028) | (3.806) | (4.475) | (0.000) | (0.000) |
| Grain | (2.516) | (2.697) | (2.738) | (0.000) | 1.570 |
| Horticulture | (1.527) | (1.496) | (2.468) | (0.000) | 0.000 |
| Export Plants (Surplus)/Deficit | (4.042) | (4.193) | (5.206) | (0.000) | 1.570 |
| Live Animal Exports (Surplus)/Deficit | (1.418) | (5.749) | (12.194) | 0.000 | 0.000 |
| Total Exports (Surplus)/Deficit | (6.489) | (13.749) | (21.875) | (0.000) | 1.570 |
| Import clearance | 14.081 | 11.364 | (11.330) | 12.982 | (12.161) |
| Seaports | (0.618) | 2.459 | 2.093 | (0.605) | (7.224) |
| Post Entry Animal Quarantine (Non-Horse) | 1.701 | 0.917 | (0.480) | (2.007) | (0.738) |
| Post Entry Animal Quarantine (Horses) | 0.486 | 0.065 | 0.238 | (0.105) | 0.937 |
| Post Entry Plant Quarantine | (1.108) | (1.316) | (1.348) | (0.678) | (0.952) |
| Total Biosecurity (Surplus)/Deficit | 14.542 | 13.488 | (10.827) | 9.587 | (20.139) |

Source: Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [2].

Table 2.2 Overall projected results for Agriculture in 2022-23 by cost recovery arrangement ($'000)

| 2022-23 Export and Biosecurity Arrangements | Full Year Forecast Net Result (Surplus)/Deficit |
|---|---|
| Live Animal Exports Arrangement | 7,953 |
| Dairy Export Arrangement | 177 |
| Grain & Seed Exports Arrangement | (2,512) |
| Horticultural Exports Arrangement | 989 |
| Meat Export Arrangement | 9,412 |
| Non-Prescribed Goods Arrangement | 1,516 |
| Seafood & Eggs Arrangement | (125) |
| Exports Arrangements | 17,411 |
| Import Clearance Stream | 23,672 |
| PEAQ - Horses Stream | 681 |
| PEAQ (Non-Horse) Stream | (1,578) |
| PEQ Avian Stream | 3,560 |
| Post Entry Plant Quarantine Stream | 1,227 |
| Seaports Stream | 8,942 |
| Biosecurity Arrangement | 36,503 |
| Cost Recovery Arrangements (Exports, Biosecurity & Domestic) | 53,914 |
| International Mail Arrangement | 2,934 |
| Passengers Arrangement | 5,704 |
| Offshore Services | 780 |
| Cost Recovery Arrangements (Other) | 9,418 |
| Cost Recovery Arrangements | 63,331 |

Source: Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [3]. Note: this is a projection and the final end-of-financial year position may change.

2.21 Agriculture noted that its appropriations receivable reduced by $137.7 million over 2021-22 and that it would normally aim to finish in a surplus position.[23] Agriculture further commented, however, that it believed it had available cash to meet its obligations.[24]

2.22 Agriculture confirmed that it had initiated staff freezes, travel freezes, a ban on staff education and training, and the cutting of contractors, stating:

As we have monitored our budget throughout the year, we have looked at pressures and priorities and worked with all of our business areas to identify the areas where they can make reductions, and you've outlined a few of those things, so things that are lower priority or more discretionary to reduce. And there have been a range of measures put in place to enable us to balance our budget to the end of the year.[25]

2.23 Agriculture agreed, in further questioning from the Committee, that there had been an underlying structural cash deficit for many years in the cost recovery of biosecurity functions, which had required various actions. Agriculture stated:

When you look at those numbers, there are ups and downs on the individual arrangements. The biosecurity ones do show deficits across quite a range of the various arrangements

… As we review the fees and charges, we do provide options and review options to the minister of the day. This then proposes that we provide discussion papers and go out and start to consult with industry stakeholders. That has resulted in some minor changes over the time. That's action we have taken—essentially, we provide advice to the minister. The other area is where we put forward a new policy proposal in an area where we see significant risk. Those things have been provided through NPPs on short-term arrangements where we've had funding for one or two years but not ongoing funding. That potentially has allowed us to manage year on year…[26]

2.24 Agriculture was further queried on the reasons for the increases in its biosecurity costs over the previous eight years from $226 million to $348 million annually, as highlighted in its consultation paper, Proposed changes to regulatory charging for biosecurity activities.[27] Agriculture commented:

The increase across that period of time from 2015-16 to 2023-24 would include the normal increases in costs that you would expect to see from inflation, as you've just referred to. But, at the same time that that's occurring, the risk profile and the activity needed to manage that risk profile have been changing… The short answer is the size of the task and the complexity of the task have been increasing, and so that is the main contributor to the increase in cost.[28]

2.25 Agriculture provided further detailed information on these changing costs on notice, highlighting in this additional evidence that:

The changing costs representing additional effort and regulatory services since 2015-16 is $36.2 million or around 16%. This figure is derived by removing from the 2023-24 projected cost base ($348.83 million) the 2015-16 cost base ($226.7 million), new government measures in 2023-24 expanded cost recovery and managing hitchhiker risks ($38.5 million) and an estimate of inflation on relevant costs from 2019-20 to 2023-24 ($47.4 million).[29]

2.26 In terms of the heightened biosecurity risk profile that has caused some of these new cost pressures, Agriculture also provided the Committee on notice with some estimated economic costs to Australia of outbreaks from certain ‘hitchhiker pests’ that may be introduced from ship containers:

  • $15.5 billion over 20 years for khapra beetle
  • $8.5 billion over 20 years for invasive ants
  • $1.7 billion over 20 years for Asian spongy moth
  • $1.5 billion over 20 years for giant African snail
  • $0.7 billion over 20 years for Asian honeybees.[30]

2.27 Some Committee members expressed concern over the higher charges that users would be required to pay due to increased biosecurity expenditure and requested some more granular detail on these costs. Agriculture responded on notice that the Australian Government had, in late 2019, ‘approved expansion of cost recovered regulation to include additional biosecurity activities, increasing regulatory charging by $23.0 million per financial year ($11.5 million in the 2019-20 financial year)’.[31]

2.28 Agriculture stated further in this response that this enhanced cost recovery was required to expand a number of essential regulatory activities, for which an increase in four specific charges was required:

  • assurance and verification activities to provide confidence in compliance controls and support enforcement of regulation
  • increased analytics and intelligence activities, including the use of data to identify trends to inform intervention and compliance activities
  • the provision of technical and scientific advice to maintain up to date biosecurity risk management information
  • import pest and disease risk mitigation planning.

The effect of this decision to expand cost recovery for biosecurity activities was an increase in four charges:

  • Full Import Declaration charge (air): from $33 to $38.
  • Full Import Declaration charge (sea): from $42 to $49.
  • Vessels greater than or equal to 25 metres, arrival charge: from $920 to $1054.[32]
  • Vessels less than 25 metres, arrival charge: from $100 to $120.

2.29 In a response on notice regarding the basis for the higher growth rate in its cost-recovery pricing since 2020-21, Agriculture indicated that it was primarily due to biosecurity activity and stated:

Costs reduced in 2020-21 due to impacts from the COVID-19 pandemic as imports temporarily halted and flights into Australia ceased. To some degree, the costs in 2021-22 were a catchup of work that was not undertaken in 2020-21 while staff were unable to conduct physical inspections, assessments and audits.[33]

2.30 Agriculture further indicated in this response on notice that the increases in 2021-22 related to:

  • growing complexity and volumes of cargo
  • increased effort directed towards managing the risks associated with and preventing Foot and Mouth Disease and Lumpy Skin Disease entering Australia, and
  • $11.7 million of increased expenditure for the budget measure announced in 2021-22 to manage hitchhiker pests arriving through sea cargo.

Agriculture added that the increases in 2022-23 included:

  • continuing to manage high levels and complexity of cargo arrivals
  • building capacity to reduce inspection and assessment times
  • ongoing and increased management of pests and diseases, which includes a further $6.4 million for the hitchhiker budget measure announced in 2021-22, and
  • the impact of the APS pay rise of 3% that came into effect in December 2022.[34]

National Disability Insurance Agency

2.31 The Committee held discussions on 16 June 2023 with the NDIA and the ANAO on the existing risks to the financial sustainability of NDIA, a corporate Commonwealth entity. The ANAO’s audit findings in relation to key areas of financial statements risk for NDIA were noted during these discussions and are presented in Table 2.3.

Table 2.3 ANAO’s identified key areas of financial statements risk for the NDIA

| Relevant financial statements item | Key area of risk | Audit risk rating | Factors contributing to the risk assessment |
|---|---|---|---|
| Participant plan expenses $28.6 billion | Accuracy and occurrence of participant plan expenses | KAM (key audit matters); Higher | continued growth in participant numbers entering the Scheme; the high volume of transactions; and decisions as to the appropriate level of support and therefore the associated expenses are complex as the Scheme participants have varying needs. |
| Participant plan provision $2.0 billion | Valuation of participants’ plan provisions | KAM; Higher | significant judgements and assumptions about the timing and amount of cashflows need to be made due to the complexity of estimating the pattern of support claimed by participants or providers. |
| Contributions in kind from state and territory governments revenue $1.0 billion; In kind expenses (component of participant expenses) $1.0 billion | Completeness, occurrence and accuracy of contributions of in kind services from state and territory governments | KAM; Higher | in-kind revenue may be misstated if services provided directly to eligible participants by States and Territories are not appropriately reported to the NDIA in line with the bilateral agreements; and participant expenses could be overstated if the available cash budgets within participant plans are not reduced to reflect the participant’s access to in kind services. |

Source: Auditor-General Report No. 8 of 2022-23: Table 4.13.10, pages 282-283.

2.32 The ANAO noted that the ‘Higher’ risk rating given to the items shown in Table 2.3 indicates that ‘a lot of the assumptions and a lot of the judgements can lead to the figures being wrong, in very simple terms’.[35]

2.33 The acting Auditor-General commented in relation to the participant numbers and expenses in the scheme that received the higher risk rating:

The auditor doesn't look at the number. The auditor looks at how the number is constructed. In terms of participant numbers, you see growth in participant numbers. What that means to us is, then: 'Are their processes for getting through the gate right? Are their quality control processes, eligibility processes et cetera right? Is there a control risk in there that the gate is too wide or isn't being administered?' A high volume of transactions always brings risk. The more transactions there are, the more there is a risk of something going awry. The more participants, the more providers, the more plans, the more there's a risk that despite the best efforts of the people and the system something goes wrong.[36]

2.34 The acting Auditor-General further emphasised in this regard that ‘in our financial statements we always point to the revenue source: how is this organisation funded?’[37], commenting that:

… there's Commonwealth money and there's state money. We see the Commonwealth money going up, and we say, 'What's driving that?' More participants, more transactions, and how those transactions are actually executed. That will determine how much deep-diving we do into what's happening in the organisation to lead to the construction of those numbers.[38]

2.35 NDIA commented in this regard that ‘there's risk of the expense within the year and then there's risk in terms of future projections’[39], adding that:

Obviously, the more confidence we have around the certainty of the expense within the year assists with confidence in the projections. That said, as we've discussed in estimates, the projections inevitably involve estimates of the future number of participants entering the scheme and growth in the budget per participant.[40]

2.36 NDIA additionally noted that:

When it comes to the participant plan expense, the two key drivers of that are the number of participants and average participant expense. Obviously, when it comes to the number of participants, that's a function of our access decisions. It's a function of the number of participants exiting the scheme. We've got processes around each of those, around our access decisions, processes around eligibility re-assessment that leads to the number of participants exiting the scheme. The average expense per participant is driven by the increases in average plan sizes and the utilisation of each participant's plan.[41]

2.37 NDIA also remarked, in relation to planning and coordination with states and territories, that the NDIS was ‘picking up a lot of costs that were never anticipated to be picked up by the NDIS’ because the scheme was ‘filling gaps where there's no alternative and there are no other appropriate services being made available’.[42] NDIA further stated that:

…under the bilateral agreements between the Commonwealth and states and territories, the jurisdictions fund a proportion of the scheme's participant supports through in-kind contributions… Some of those examples include personal support in schools, transport subsidies, school bus services and accommodation services. The intention over time is to phase out those in-kind arrangements, as I said, and that process has commenced. However, it's going to take us a number of years to unpack and work our way through that[43]

2.38 NDIA further commented that the risk sharing arrangements negotiated with the states and territories were ‘predicated on very, very different modelling and numbers from the Productivity Commission… the NDIS review is looking at the arrangements in relation to everything from the governance to the funding model itself at the moment.’[44]

2.39 NDIA pointed out during the hearing that it expects to have greater predictability in relation to its projections when the scheme has been in operation for 10 years. NDIA stated:

… we're doing a lot of work on how we assure ourselves of all the inputs into the work of our scheme actuary. We would 100 per cent agree with the ANAO, and we're always really appreciative of their advice in relation to what they're observing as well. But what we would say is that under each of those factors there's a whole range of subsets. When I look at high volume of transactions, as we've discussed before, the range of supported independent living decisions we've seen over the last 18 months is absolutely driving what we're seeing in terms of scheme costs. What we discussed in relation to the additions within the budget this year goes to higher participant numbers, higher intraplan inflation and, absolutely, a range of home and living decisions that are really pushing up our costs.[45]

2.40 NDIA further commented in relation to assumptions about costs that:

The confidence around those projections will result from more confidence around the initiatives and programs that the agency and the system more broadly will undertake that will give us more confidence around how both the participant numbers and the cost per participant will move in future than the relative level of confidence that we've had in the past.[46]

2.41 NDIA further noted its activities in relation to improving its fraud detection and the establishment of the ‘Fraud Fusion Taskforce’ in conjunction with the Australian Tax Office and Australian Securities and Investments Commission.[47]

Committee comment

2.42 In relation to the financial sustainability of the Department of Home Affairs, the Committee appreciates the evidence of Home Affairs’ officials; however, it considers that the department’s budget situation is not straightforward. It is technically true that the department came within 0.7 per cent of its budget over the previous eight years. The Committee was concerned, however, at the conclusion of the 2022 independent budget review that the department’s baseline situation was misaligned with its core activities and that it was balancing risk, service delivery and the cost of doing business in an unsustainable manner.

2.43 The Committee was extremely concerned to learn that, although the $92 million contract to privatise visa processing failed and was abandoned, the Government nevertheless forced the department to bear expected savings of $180 million, further exacerbating the structural underfunding of the department. The department advised that it was impossible for the immigration group to achieve those savings, hence they were allocated more broadly across the department.

2.44 In relation to the financial sustainability of the Department of Agriculture, the Committee acknowledges and accepts the evidence of Agriculture that there had been an underlying structural cash deficit in that department for many years driven by the cost recovery of biosecurity functions. Given the clear evidence regarding the critical need for ongoing and enhanced biosecurity activity and the estimated economic costs to Australia from certain ‘hitchhiker pests’ or other biosecurity breaches, the Committee considers that this situation is fundamentally unsustainable and that the Government and the department must respond appropriately.

2.45 The financial situation with the NDIA is understandably complex, but the Committee notes that the costs of the scheme have been increasing faster than anticipated and that these represent real risks to the long-term sustainability and viability of the NDIS.

2.46 The Committee welcomes the fact that there is a current NDIS review of which part 1 ‘will examine the design, operations and sustainability of the NDIS covering issues outlined in the full-Scheme bilateral agreements between the Commonwealth and jurisdictions’.[48] The Committee awaits the findings of part 1 with interest and encourages NDIA to continue its efforts to bring more certainty to the forward projections for its expenditure. It will be pleasing if the ANAO is able to start to downgrade its financial statements risk assessments of NDIA in its next audit.

Recommendation 1

2.47 The Committee recommends that the Department of Home Affairs provide an update to the Committee within six months of the tabling of this report regarding the implementation of recommendations arising from the 2022 independent budget review and actions taken by Government and the department to improve its budget sustainability and to address the structural misalignment between the department’s baseline budget situation and its core activities.

Recommendation 2

2.48 The Committee recommends that the National Disability Insurance Agency provide an update to the Committee within six months of the tabling of this report on any gaps between its projected and actual costs for the 2022-23 financial year and how this has compared with previous years since the start of the National Disability Insurance Scheme.

Defence’s use of appropriations

Background and analysis

2.49ANAO reported in its 2021-22 Financial Statements Audit that the Department of Defence (Defence) had ‘used non-operating funding available from Appropriation Act (No. 2) 2020-21 for the termination payment in relation to the cancelled Attack Class submarine project (operating expenditure)’.[49] ANAO further commented in this regard that:

It is not clear that the Parliament, in passing the Act, intended for an appropriation for non-operating expenditure to be used for the purpose of funding Defence’s operating expenditure. Subsequent AGS [Australian Government Solicitor] and Department of Finance advice has not considered this to be inconsistent with the Appropriation Acts.[50]

2.50ANAO further concluded in its audit, however, notwithstanding the aforementioned advice from the Australian Government Solicitor (AGS) and Finance, that there was still a potential risk for the Parliament emanating from this action:

The risk for the Parliament from this precedent is that the controls and framework supporting the appropriation and expenditure of funds it may have reasonably considered to be in place, for example that an appropriation for non-operating purposes could only be used for that purpose, may not in fact exist or are being followed by entities.[51]

2.51The Guide to Appropriations from Finance defines the Annual Appropriations Bills as follows:

  • Appropriation Bill (No. 1)—a key element in the Budget that contains details of estimates for ordinary annual services of the government (i.e. for the continuing expenditure by Commonwealth entities on services for existing policies)
  • Appropriation Bill (No. 2)—for new administered expenses, non-operating costs, and payments to states, territories and local government
  • Appropriation (Parliamentary Departments) Bill (No. 1)—proposes appropriations for the parliamentary departments.[52]
2.52Defence stated in its submission to this inquiry on this matter that:

These funds were originally appropriated to Defence through Act 2 (capital funding) mechanisms under the Annual Appropriations Acts. All of the capital components of Defence’s Acquisition Program within the IIP are funded by way of Act 2 funding mechanisms. The accounting treatment for the expenditure associated with [the] termination payment is that it is operating in nature.

Defence sought advice from the Australian Government Solicitor (AGS) who advised, in their view, that if a court considered this case, it would, on balance, conclude that the appropriation relied on in this case (Act 2 funds) could have supported the termination payment and secondly, a court would, on balance, find that no breach of section 83 of the Constitution had occurred.[53]

2.53The Committee explored this issue further with ANAO, Defence, and Finance at a public hearing on 31 March. The Auditor-General reiterated the ANAO’s concerns at that hearing about how these funds had been used by Defence:

What concerned us in subsequent discussions was, for my purpose, a lack of clarity that came about. If it's not appropriate to use an appropriation for capital for operating, I would have expected a response from the Department of Defence and Finance to say that that was a mistake, an error or whatever and that it was something that shouldn't have happened and a clear statement that this isn't what the appropriation can be used for. ….

But there is also legal advice floating around which suggests that it might be an appropriate use of the funds or permitted under the appropriation bill to utilise money which is in an appropriation headed 'non-operating for equity purposes' for operating purposes. If that is the case, I would think that this committee might turn its mind to whether that is an intended consequence of how they thought the legislation was drafted or how parliament thought it was drafted and whether the appropriation bills need to provide more clarity on what those funds can be used for. It's very technical, but the appropriation bills are a control that the parliament put in place over the executive with respect to expenditure.[54]

2.54The Auditor-General further remarked that this was an appropriation control and not a financial statements issue and that ‘it doesn't change anything with respect to how the expenditure is treated, because it is operating and it's accounted for as operating in the financial statements.’[55]

2.55The Auditor-General expressed the further view that the operating and non-operating funding sources needed to be kept separate in keeping with the Senate compact of 1965, by which the Government and Senate came to an agreement on what appropriations would be defined, or not, as the ‘ordinary annual services of the Government’ that could not be amended by the Senate. He commented that:

They're kept separate largely to deal with the Constitution. This is the Senate agreement of 1965 about what should be appropriated that the Senate can't amend and what they can amend. That's the purpose of the separation. Like all lines in appropriation bills, it provides a control as well. The parliament appropriates money for particular departments for their activity, it appropriates money for their capital for their activity and it appropriates money for payments to the states for their activity. The ability to transfer money between appropriation items increases the flexibility of the executive but reduces the control of the parliament over those activities.[56]

2.56The definitions used in the context of the funding that is included in even and odd numbered appropriation bills were discussed by Defence at the hearing:

One of the issues that we raised in our submission goes to the definition of 'ordinary annual services of government'—I think that's the term—and whether technical accounting concepts around what is 'capital' and what is 'operating' are useful for the parliament in making that distinction. If I was to put my Defence hat on, which I will, us acquiring military capability is certainly part of the ongoing normal operations of Defence. It is an accounting construct, which puts it into bill 2 and suggests that that is not the normal annual service of the government as defined—going back to the compact of 1965. My additional point is that that distinction does come with an overhead across the government in dealing with those different flavours of appropriation.[57]

2.57Finance commented at the hearing that the challenge in relation to this matter was in the comparison of legal and accounting frameworks. Finance stated:

The annual appropriation bills are built in line, as the Auditor-General has talked about, to meet the requirements of the Constitution. Generally it's the odd numbered bills that are for the ordinary annual services of government, and then the even numbered bills are for services other than the ordinary annual services of government. Those two terms aren't defined, but there has been an agreement by parliament over very many years in that Senate compact of 1965, which has been varied on a number of occasions—and we've referenced that in our submission for this hearing—but basically calls out what has been agreed between the houses of parliament about what will be considered as things that should be included as not the ordinary annual services of government.

So the construct of whether operating should be in bill 1 versus bill 2 doesn't step into that space specifically.[58]

2.58Finance further commented specifically on the Defence appropriation being considered, which had been termed an ‘equity injection’, that:

When AGS consider and provide advice in relation to the appropriations, they look at the constitutional requirements, the appropriation bills and the supporting materials, and they look at the portfolio budget statements from agencies. They look at the variety of information and then they also look at where there are items that are not defined, which includes ordinary annual services of government… in the Defence situation, they have said that the term 'equity injection' is not defined. It's an accounting concept, but it doesn't have a meaning in relation to the appropriation acts.[59]

2.59Finance further confirmed following questioning from the Committee that the term ‘equity injection’ is not considered in the compact of 1965. Finance stated:

If there is a line item that says 'equity injections' in the appropriation act, it is a classification term. It is useful to make the link between accounting and legal frameworks, but AGS have advised that, in terms of the acts, it doesn't constrain the expenditure.[60]

2.60Defence provided more specific details on the nature of the transaction in question, stating:

The government agreed that Defence should use the funding associated with the future submarine funding provision to terminate the arrangement with Naval Group. That was a discrete decision that was made. That funding was initially appropriated to us for that project, in the main, as an equity injection. For that project, some of the expenditure associated with it is operating in nature and is covered in bill 1. You have one project that has elements of operating expenditure that's captured in bill 1, and the large part is an equity injection in bill 2.[61]

2.61Defence further emphasised that there were a range of factors that allowed no opportunity to reclassify the funding for the submarines:

Certainly, if it had happened earlier in the first quarter or the second quarter of the financial year, there may have been opportunities to reclassify some of that attack class funding, the future submarine funding, from bill 2 to bill 1. If we had known at that time, and there was a bill process that we could apply it to, we could've made that move in conjunction with the Department of Finance, but the fact that it was happening in May and June, and it was sizeable, meant we didn't have that opportunity. The other contributing factor, of course, is that May and June was when we were changing government. The opportunity that we may have in some financial years, where we have a bill 5 and a bill 6 at a very late stage in a financial year, to perhaps pick up some of these things, or for late decisions of government, wasn't available.[62]

2.62Finance noted, in relation to alternative options around the treatment and classification of this funding, that other than the extra set of appropriation bills alluded to by Defence, an advance to the Finance Minister was another possibility as long as certain criteria and upper limits were satisfied.[63] Finance further commented, however, that:

Should we have had a conversation in relation to this payment, our starting point would be working with Defence always before going to look at an advance to the finance minister. To satisfy the definition that the funding is urgently needed, we would seek [Australian Government Solicitor] AGS advice about legally available appropriations, because legally available appropriation sources would need to be accessed in the first instance. While we didn't have this advice in advance, the outcome would likely have been the same in the circumstance, because AGS have said the funding was legally available for this purpose.[64]

2.63Defence added:

Whether we capitalised it and then wrote it off or whether we expensed it all, it was the same effect. But, if we'd gone down the first path of capitalising some of it, we couldn't have done all of it. But some of it could have been and then arguably that part of the payment was not in breach or counter to what the rules were around using bill 2 funding for it. That's where it all becomes very grey and very complex and creates a whole lot of complexity.[65]

2.64In his final remarks, the Auditor-General commented that the issue was raised in the ANAO’s audit ‘because of the nature of what we saw, for the parliament, whether it's concerned or not’.[66] He added:

How the payment is treated in the accounts is what was agreed. The appropriate accounting treatment from our point of view was the accounting treatment which Defence put to us, as far as I'm aware. They haven't argued with us that any element of it is of a capital nature, to my knowledge.[67]

2.65Subsequent to the public hearing, the Auditor-General provided a further submission to the Committee on this matter in which he reemphasised the concerns of the ANAO in relation to this payment:

The implications of Defence’s decision and the AGS advice are that there may be ambiguity in the interpretation of specified terms in the Appropriation Acts, with the effect that they do not act as a control over expenditure of the Executive Government in a way that Parliament may have intended.[68]

2.66The Auditor-General made the further point that ‘Schedule 2 of Appropriation Act No.2 explicitly refers to ‘Non-operating’ and ‘Equity Injections’ against the appropriation for the Defence portfolio and other portfolios’.[69] He commented:

It is not evident what purpose the two headings in Schedule 2 – for ‘Non-operating’ and ‘Equity Injections’ – might have, other than to specify the purpose of the appropriation as intended by Parliament. As discussed, that purpose is described in the explanatory memorandum’s commentary on clause 10 of Appropriation Act No.2, and it is not clear to the ANAO how it has come to be interpreted otherwise (namely, that the appropriation could be used for the purpose of funding Defence’s operating expenses).[70]

2.67Regarding ANAO’s review of the legal advice Defence received from AGS on the termination payment, the Auditor-General noted:

In its advice, AGS highlighted that its conclusion concerned the position as a matter of law. AGS also drew attention to the policy and procedures established by Finance in relation to the use of appropriations by entities. AGS advised that ‘regardless of the legal position, accounting principles and Department of Finance policy might dictate that the termination payment should have been funded from a different appropriation’ and that AGS ‘would generally advise agencies not to use amounts appropriated as an “other departmental item” for purposes that are not in the nature of capital expenditure’.[71]

2.68The Auditor-General noted Finance's views in its discussions with ANAO in relation to the AGS advice that:

  • it did not believe that there are strong grounds for concern that the AGS advice has broader implications for the appropriations framework or the intended operation of the annual Appropriation Acts;
  • the Defence payment appeared to have been a one-off isolated instance; and
  • to manage any potential risk to the legislative framework for appropriations and to ensure this scenario remains an isolated, one-off occurrence, Finance would review its policy and guidance to ensure the integrity of the appropriation framework.[72]
2.69He stated in the supplementary submission, however, that ‘on its face, there is a tension in Finance’s advice to the ANAO and the Committee. While downplaying the framework implications of Defence’s decision, there is nonetheless a desire to ensure that it remains a one-off instance.’ He further remarked that:

The ANAO remains concerned that Finance has still not considered the full implications of Defence’s actions, which go beyond exercising a measure of ‘flexibility’ at the margin, and which led AGS to say that it would generally advise agencies not to use the approach adopted by Defence.[73]

2.70He added in relation to Defence’s submitted arguments that:

… the fundamentals of the appropriations framework are established by the Constitution, for the purpose of ensuring Parliamentary authority over the spending of the Executive Government. Government entities are expected to comply with both the letter and spirit of the framework, regardless of perceived inconvenience… the appropriation framework does not prevent entities seeking a re-alignment of their appropriation funding through the budget process (and additional subsequent appropriation bills presented to the Parliament) for a given financial year.[74]

2.71He further commented in the supplementary submission that ‘for the Parliament, the handling of this payment raises questions as to whether its control framework for appropriations has been respected and whether it is at risk of further misuse’, remarking that:

A significant precedent has been established for appropriations provided for non-operating expenses (through Appropriation Act No.2) to be used for operating expenses, with the risk of undermining the control framework’s purpose in separating appropriation types. It may be that if the words in the Appropriation Bills do not clearly reflect the Parliament’s intent in classifying expenditure between the bills, then further clarity may be required.[75]

Committee comment

2.72The Committee understands that there were various time pressures on Defence to operate the way it did in relation to its payment to terminate the Attack Class submarine contract, following Government’s policy decision to not continue with the project. However, the use of various accounting methods to enable the executive branch of government to make this payment from funds appropriated for non-operating expenditure is clearly problematic.

2.73The Committee concurs with the concerns of the ANAO in this respect and is of the view that the intent of the Parliament should not have been subverted in the name of administrative expediency on the part of the executive branch.

2.74The Committee would have been assisted in considering this matter if Defence and Finance had simply acknowledged that the incident was not appropriate, but this acknowledgement was not forthcoming. Instead, agencies sought to argue that what had transpired was appropriate, while simultaneously advising that it should not happen again.

2.75The Committee acknowledges that the legal advice from AGS which Defence received, provided to the Committee in redacted form, set out arguments which a Court would likely have accepted as allowing the termination payment to be made in this way. The Committee concludes that whether or not the payment from an appropriation may have been ‘legal’ is not the core issue: just because this may have been able to be done does not mean it should have been done.

2.76Regardless, in practical terms this is not a matter for the courts. It is a matter for the Parliament. It is for the Parliament to determine future financial controls over the Executive.

2.77It is clear that Defence understood that there was a potential issue as it sought and obtained legal advice from AGS. Defence also considered that additional appropriation legislation may be needed to reclassify this funding but took the view that there was insufficient time to do so. It has not been made clear to the Committee why the payment needed to be made prior to the end of the financial year. The money that Defence used to terminate the submarine contract was appropriated under bill no. 2 and was therefore non-operating expenditure.

2.78The Committee’s strong view is that this situation should not have happened, that it should not be allowed to happen again, and that an ‘equity injection’ should be formally and clearly defined in the appropriation terminology as non-operating funding that is separate from the operating funding used for the normal annual services of government. The rightful role of the Parliament alone to reclassify appropriated funding must be upheld and the Committee is firmly standing up for this principle on behalf of the Parliament.

Recommendation 3

2.79The Committee recommends that the Minister for Finance review the matter and accept the Committee’s conclusion that the payment of compensation to terminate the Attack Class submarine project from appropriations provided for non-operating expenses should not have occurred and was against the spirit, if not the letter, of the Appropriations Acts.

Recommendation 4

2.80The Committee recommends that the Minister for Finance consider providing additional clarity in the coverage of the Appropriation Bills, including clearly defining an ‘equity injection’ or ‘equity funding’ as non-operating expenditure in the terminology and framework used for the Appropriation Bills.

The Protective Security Policy Framework

Background and analysis

2.81The Protective Security Policy Framework (PSPF) was an area of focus for the ANAO in its Financial Statements audit. The PSPF is a set of guidelines and principles administered by the Attorney-General’s Department (AGD) that is designed to help Commonwealth organisations protect their information, assets, and people from various security risks. It aims to provide a comprehensive framework for managing security in a consistent and effective manner across the following four areas:

1. Governance: the management and oversight of security within an organisation

2. Personnel security: ensuring that employees, contractors, and other individuals with access to sensitive information or assets are trustworthy and reliable

3. Physical security: protecting the physical premises and assets of an organisation, and

4. Information security: protecting information assets, including electronic data, systems, and networks.[76]

2.82The PSPF applies to Australian Government entities and organisations that are designated as ‘non-corporate Commonwealth entities’ under the Public Governance, Performance and Accountability Act 2013. This includes government departments, agencies, statutory bodies, and other entities that are part of the Australian Government.

2.83The PSPF governs the security of government Information Communications Technology (ICT) systems across non-corporate Commonwealth entities, and the Australian Government Information Security Manual (ISM) provides guidance on implementing appropriate security controls.[77] The PSPF also represents better practice for corporate Commonwealth entities and wholly owned Commonwealth companies.[78]

2.84Within the PSPF, the Australian Signals Directorate (ASD) specifically contributes to the area of information security by providing advice, standards, and guidelines to help entities protect their information assets from cyber threats and attacks. ASD's expertise and recommendations in areas such as secure system configurations, network protection, incident response, and secure communication channels are incorporated into the PSPF.

2.85The ‘Essential Eight’ (E8) are a set of cybersecurity strategies developed by ASD[79] which are mandated under the PSPF.[80] These strategies are designed to mitigate the most common and damaging cyber threats faced by government organisations and include the use of only approved and trusted applications on systems, the application of security patches and secure settings, and restricting administrative access to only those users who require it.

2.86The ANAO reported in its audit that, in contravention of PSPF principles and guidelines relating to information security, ‘several government entities have not implemented effective controls relating to the timely removal of user access’.[81] ANAO further stated that ‘this highlights a potential security threat to systems and information across all government entities’.[82]

2.87More specifically, the ANAO reported in its Financial Statements audit that it had ‘assessed termination controls in place at 144 ‘relevant’ government entities (that is, all departments of state, and other entities that manage their own IT network services but excluding highly classified networks)’ and found that:

… 53 entities do not have a policy encompassing user access removal or that define the timeframe access should be removed from systems following a user’s departure from the entity. A lack of policies related to user access removal increases the risk that access will not be removed in a timely manner and may be inappropriately used to access information.[83]
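The ANAO finding above concerns a control rather than a technology: an entity needs a policy that states how quickly access must be removed after departure, and a way to verify that the policy is being met. As an added illustration (example code written for this page, not from the ANAO report or any entity's own tooling), the following Python reconciles a constructed HR separation list against a constructed directory export and flags accounts that were still enabled past the policy deadline, were disabled late, or were used after the separation date. The 24-hour policy window, the field names and all sample records are assumptions for illustration.

```python
"""Added example, not from the report: reconcile HR separations against a
directory export to test a user-access-removal policy.  Policy window,
record layouts and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy: access must be disabled within 24 hours of separation.
POLICY_WINDOW = timedelta(hours=24)


@dataclass
class Separation:
    user: str
    separated_at: datetime            # from the HR system (constructed)


@dataclass
class Account:
    user: str
    enabled: bool
    disabled_at: Optional[datetime]   # None while the account is still enabled
    last_logon: Optional[datetime]    # None if the account never logged on


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def check_access_removal(separations: List[Separation], accounts: List[Account],
                         as_of: datetime, window: timedelta = POLICY_WINDOW) -> List[Finding]:
    """Return one finding per control failure for separated users.

    Failures checked: account still enabled after the deadline, account disabled
    after the deadline, any logon after the separation timestamp, and separated
    users missing from the directory export (the reconciliation cannot complete).
    """
    by_user = {a.user: a for a in accounts}
    findings: List[Finding] = []
    for sep in separations:
        deadline = sep.separated_at + window
        acct = by_user.get(sep.user)
        if acct is None:
            findings.append(Finding(sep.user, "no-account-record",
                                    "separated user not found in directory export"))
            continue
        if acct.enabled:
            overdue = as_of - deadline
            if overdue > timedelta(0):
                findings.append(Finding(sep.user, "still-enabled",
                                        f"{overdue.days} day(s) past policy deadline"))
        elif acct.disabled_at is not None and acct.disabled_at > deadline:
            late = acct.disabled_at - deadline
            findings.append(Finding(sep.user, "disabled-late",
                                    f"disabled {late.days} day(s) after policy deadline"))
        # A logon after separation is the strongest indicator the gap was used.
        if acct.last_logon is not None and acct.last_logon > sep.separated_at:
            findings.append(Finding(sep.user, "post-separation-logon",
                                    f"last logon {acct.last_logon.isoformat()} after separation"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by issue type, for a management-level view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data: an HR separation list and a directory export.
AS_OF = datetime(2022, 6, 30)
SEPARATIONS = [
    Separation("asmith", datetime(2022, 6, 1, 17, 0)),
    Separation("bjones", datetime(2022, 6, 10, 17, 0)),
    Separation("cwong", datetime(2022, 6, 20, 17, 0)),
    Separation("dlee", datetime(2022, 6, 25, 17, 0)),
]
ACCOUNTS = [
    Account("asmith", False, datetime(2022, 6, 2, 9, 0), datetime(2022, 6, 1, 16, 30)),  # compliant
    Account("bjones", True, None, datetime(2022, 6, 14, 8, 0)),                          # never disabled, used after leaving
    Account("cwong", False, datetime(2022, 6, 27, 10, 0), None),                         # disabled, but late
    Account("eroberts", True, None, datetime(2022, 6, 29)),                              # current staff, not separated
]

if __name__ == "__main__":
    for f in check_access_removal(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{f.user:10} {f.issue:22} {f.detail}")
    print(summarise(check_access_removal(SEPARATIONS, ACCOUNTS, AS_OF)))
```

Run against the sample data, the check reports nothing for the compliant account, two findings for the account that stayed enabled and was used after separation, one late-disable finding, and one reconciliation gap. The same routine can be pointed at real HR and directory exports once the entity has written down the timeframe that defines "timely" for it.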

2.88The Committee scrutinised this issue further at a public hearing on 19 May with the ANAO, AGD, and ASD.

2.89ANAO noted at this hearing that:

… [IT issues] still make up the bulk of findings in the financial statements end-of-year report. There were 175 findings [in the ANAO’s review of the 2021-22 Financial Statements], and IT made up 46 per cent of the total… As to our moderate risk findings, the IT findings account for about 51 per cent of those. It's predominantly in the IT security space. We do find a few in the change management space, but predominantly in IT security, and that's usually related to user access management and privileged user management. They're the two big themes.[84]

2.90AGD confirmed for the Committee at the hearing that compliance with the PSPF is determined through self-assessment by the agencies.[85] AGD further indicated in response to Committee questions that there was no independent assurance checking of these assessments, but noted a ‘pilot’ had commenced in the previous year.[86] While no further details were provided, in a separate audit report the ANAO examined the ‘voluntary peer review process’, which involves inviting entities to opt in to an external review of their self-assessment prior to submission. The ANAO concluded that this and other measures implemented by AGD did not enable it to obtain an appropriate level of assurance on the accuracy of entities’ self-assessment results.

2.91The ANAO recommended that ‘the Attorney-General’s Department implement appropriate assurance and evaluation arrangements to provide the basis for advice to government on the extent to which the Protective Security Policy Framework is achieving its outcomes.’[87] As part of its response to the ANAO’s recommendation, AGD stated that ‘the accountable authority of each non-corporate Commonwealth entity is answerable to their minister for their reporting.’[88]

2.92In its response to a written question from the Committee seeking detail on the accuracy of these self-assessments regarding the level of effectiveness in removing user access, ANAO indicated that:

  • As at 30 June 2021, 80% of 97 non-corporate commonwealth entities assessed themselves as being fully effective or higher at removing access ‘On separation or transfer, the entity removed personnel’s access to Australian Government resources, including physical facilities and ICT systems’. As at 30 June 2022 this self-reported figure increased to 82%.
  • As at 30 June 2022 there were three entities that were reported to have a moderate risk finding related to the removal of user access and reported being fully effective or higher.
  • As at the interim audit for 2022-23 eight of the 20 entities reviewed that reported being fully effective or higher as at 30 June 2022 had either a moderate or minor finding related to the removal of user access.[89]
2.93The Auditor-General noted that the ANAO commonly found an ‘optimism bias’ in how agencies had been reporting in these IT self-assessments.[90] ASD expressed the view that the reasons for this fall into three areas:

The first goes to misunderstandings that lead to either partial implementation of the E8 [essential eight] or a misconfiguration of the E8. There's a technical misunderstanding or a technical challenge associated with the E8 that is proving difficult here. The second goes to agencies' knowledge of the breadth of their IT assets, and ensuring they understand what is fully within their IT environment… The third category goes to nuances within internal systems that are not vulnerabilities from the outside; they would need an actor to be on the inside, anyway, in order for those nuances to be exploited. That's in our view not an overoptimism… They're technical issues that are proving challenging for CISOs [chief information security officers] to grapple with.[91]

2.94The Auditor-General noted in response that he accepted that this bias was not necessarily intentional but an outcome of the system and agreed with ASD on the reasons behind it.[92]

2.95AGD stated that it was ‘not the regulator in this space’ but that its role:

… is very much just to manage the PSPF, or to set the standards required of government across the four security areas based on the technical advice that we get from ACSC [Australian Cyber Security Centre] and ASD, and within a sort of cyber context which is led by the Department of Home Affairs.[93]

2.96The Auditor-General commented in relation to this however that:

We across government struggle to understand the validity or desirability of people who set rules for how the Public Service needs to operate suggesting that they have no responsibility for assuring the success of the system. If they do have a responsibility for assuring the success of the system, that almost by definition makes them the regulator, because they set the rules, and by advising the minister who sets the rules surely that brings with it some associated responsibility for ensuring the rules are in place and are working.[94]

2.97The Committee asked ASD about the specific implications of the user access issues that had been raised in the ANAO audit. ASD responded that, as with any Essential Eight control, a lack in this regard increases vulnerability. ASD commented in terms of its own assessments:

… when we assign a maturity level to a Commonwealth entity, that maturity level is the lowest score they have on their implementation of all of the Essential Eight. So, if they may be at maturity level 1, for instance, on seven of those eight controls but at zero on the eighth, then the maturity level we assign is zero. That's simply because the vulnerability persists.[95]

2.98ASD further commented that under these circumstances, the agency will be ‘more open to compromise’ and that ‘depending on the control, it may leave the agency more open to having credentials stolen… more open to a hostile actor moving laterally through that agency’.[96] ASD explained further that:

… the extent to which a system is unsecured will enable an actor to access that system, and it will enable an actor to move stealthily from one part of that system to another without being detected. To the extent that controls are lacking, it would enable an actor to potentially exfiltrate, that is, take data out of that system, without necessarily being identified by the administrator of that system.[97]

2.99The Committee queried the extent to which AGD could have accurate knowledge of cyber vulnerabilities across Commonwealth entities given how the assessments are done and the lack of assurance auditing. AGD responded that:

We're not talking about a static situation. The cyber, as with the security, context generally constantly evolves, as does the needed response. It needs to change as well. The annual report gives us areas of focus. It gives the entities that are responsible for actioning the deficits or areas for improvement themselves.[98]

2.100AGD further stated in this regard:

… [as stated in last year’s Annual Report] there is a range of reasons why people might not be able to reach the Essential Eight on all fronts. One of them is legacy IT systems. We know that now and we're working very closely with ASD to address that issue separately… We'll work very closely with ASD to change the survey to ask the appropriate questions for those systems, which will take them out of the general reporting. It's a complex issue and it's not just, 'Everyone's not meeting the benchmark; therefore, everything is bad.' Across-the-board the results are different and there are definitely areas where we can specifically look to address things.[99]

2.101AGD commented in response to the Committee’s questions about its role, and whether it should also have responsibility to ensure compliance and perform a regulatory-type of function in relation to the PSPF, that ‘at this point in time, that is not our role as we understand it, to do a regulatory or non-regulatory double-check of the information that we get in, apart from how it interacts with our portal’.[100] AGD further stated:

The focus of our regime is very much on the accountable authority, and it puts the implementation of the standards on the accountable authority. They have to tell their minister. They have to tell the Attorney. They do that through our annual report.[101]

2.102 AGD provided further information on its PSPF role on notice to the Committee, stating that ‘each year the department publishes a consolidated annual assessment report which details entities’ reported maturity against the PSPF’.[102]

2.103 In a subsequent response to a written question on notice regarding compliance with the cyber security measures in the PSPF, however, ANAO stated:

The ANAO has previously noted that the current framework to support responsible Ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements in relation to the implementation of the PSPF requirements.[103] This is also relevant to the implementation of appropriate IT security controls to support the production of financial statements.[104]

2.104 ANAO further noted in these written responses that ‘cyber security culture can play a significant role in improving compliance with framework requirements’.[105] ANAO emphasised that:

Establishing and embedding cyber security in behaviours and practices across governance and risk management, roles and responsibilities, technical support and monitoring of compliance ensures entities implement fit-for-purpose cyber security risk management frameworks to support their operations.[106]

2.105 The Auditor-General expressed the further view that, while there had been a ‘ramp-up’ by AGD and ASD in improving cybersecurity, it had been very slow. He further remarked:

When you have a piece of policy which is a must, and it’s mandatory, the implementers of that policy have a responsibility under the Public Service Act to implement it. If they don’t do it, they aren't meeting their requirements as an official under the Public Service Act. There isn't a way out of this. With respect to the PSPF framework, it's not as tight as that, though, because while you're required to do things you're required to get to a certain level or put in place mitigating controls. It's not as hard as some of the other rules that we talk about.[107]

2.106 ASD commented that it ‘has invested a lot in terms of helping entities across the Commonwealth assess their implementation of the E8. We have put forward an E8 assessment process guide’.[108] ASD further emphasised in relation to the comments of the Auditor-General:

… when we do an assessment of E8 compliance through our own survey, not only are we looking at what I would say is very reliable data about the extent to which controls are in place, not self-reported data but, 'Are controls in place? Yes or no?', we're also looking at the presence of what we call compensating controls, that is, if the agency doesn't have a control in the E8 in place, are there comparable controls that are as effective as the one that we have listed in the E8? I hope that offers a little bit more context around the reliability of data question and the optimism bias issue that's been discussed.[109]

2.107 ASD further informed the Committee in response to questioning that while the self-assessment tool and Australian Cyber Security Centre (ACSC) surveys are separate, they inform each other and the possibility of combining them has been discussed with AGD.[110]

2.108 AGD remarked in relation to this that ‘it's best thought of as two lists of questions being asked, one set of questions by ASD and one set of questions by us. They're framed slightly differently. They come together to give a good picture’.[111] AGD further commented:

We need to be careful one is not necessarily replacing the other; they're complementary. Now that we're getting to a point that this will be the first reporting period where all Essential Eight are coming to maturity, it's the first point where we're really starting to overlap with that full question set. That's why we've been doing this work on how can we remove the administrative burden on entities and have a more streamlined questionnaire.[112]

2.109 AGD further noted that PSPF policy 10,[113] which requires entities to mitigate their exposure to cyber security risks, ‘has the highest number of ad-hoc ratings—ad hoc being the lowest level—of all the [PSPF] policies’ and would be an area of focus going forward in terms of implementation.[114]

2.110 The Deputy Auditor-General noted that evidence from ANAO’s audit work on IT matters across the Commonwealth can also be used to inform on cyber vulnerabilities and ‘that could be taken into account in success measures or policy advice’.[115]

2.111 AGD subsequently informed the Committee in its response to questions on notice that:

The department makes considered efforts to support entities to improve the accuracy of their security maturity self-assessment reports. The department initiated a peer review process pilot for the 2021-2022 reporting period to provide entities with a mechanism to obtain external review of their self-assessment report prior to submission. The peer review process supports entities to improve the accuracy of their reports and provides a forum for information sharing, including sharing best-practice approaches to implementation of PSPF requirements and reporting.[116]

2.112 AGD further emphasised in its submission that it ‘has made modifications to the reporting portal and the reporting questions to improve the clarity and accuracy of reporting’ and that it hosts annual information sessions to assist entities to understand their PSPF obligations. AGD also commented that it is continually exploring ways to strengthen assurance and evaluation in relation to the PSPF and cybersecurity.[117]

Committee Comment

2.113 The Committee commends the work of AGD and ASD in their efforts to ensure a high level of cyber security across the Commonwealth through the PSPF. The fact remains, however, that IT issues, particularly failures to terminate user access appropriately, have for many years represented the majority of the ANAO’s adverse findings in its Financial Statements audits. This situation cannot be allowed to continue year on year without further mitigations, given the escalating cyber security threat to the Commonwealth.
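The control failure the Committee singles out above, a failure to terminate user access when staff leave, is one an entity can test for itself with a routine reconciliation between its HR separations record and its identity directory. The following is an added illustration and is not code from this report, the ANAO or any agency named in it: the HR feed, the directory export, the employee and account identifiers, the field names and the one-day grace window are all constructed assumptions.

```python
"""Leaver-account reconciliation (added illustration; all data below is constructed).

Compares an HR separations feed with an identity-directory export and flags
accounts that are still enabled after the owner's last day plus a grace window.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: employee id -> last day of employment (assumed field names).
HR_SEPARATIONS: Dict[str, date] = {
    "e1001": date(2023, 3, 3),
    "e1002": date(2023, 5, 12),
    "e1003": date(2023, 6, 20),
}

# Constructed directory export. 'owner' links an account to an HR employee id;
# None marks a service account with no recorded human owner.
DIRECTORY_ACCOUNTS: List[dict] = [
    {"sam": "jsmith",     "owner": "e1001", "enabled": True,  "privileged": False, "last_logon": date(2023, 4, 18)},
    {"sam": "jsmith-adm", "owner": "e1001", "enabled": True,  "privileged": True,  "last_logon": date(2023, 5, 30)},
    {"sam": "alee",       "owner": "e1002", "enabled": False, "privileged": False, "last_logon": date(2023, 5, 11)},
    {"sam": "rchan",      "owner": "e1003", "enabled": True,  "privileged": False, "last_logon": date(2023, 6, 19)},
    {"sam": "svc-backup", "owner": None,    "enabled": True,  "privileged": True,  "last_logon": date(2023, 6, 25)},
    {"sam": "mpatel",     "owner": "e2001", "enabled": True,  "privileged": False, "last_logon": None},
]

GRACE_DAYS = 1  # assumed policy: accounts disabled no later than the day after the last day


@dataclass
class Finding:
    sam: str
    owner: str
    last_day: date
    days_overdue: int
    privileged: bool
    used_after_separation: bool


def find_orphaned_access(accounts: List[dict], separations: Dict[str, date],
                         as_of: date, grace_days: int = GRACE_DAYS) -> List[Finding]:
    """Return enabled accounts whose owner has separated and whose disable
    deadline (last day + grace) has already passed as at `as_of`."""
    findings: List[Finding] = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in separations or not acct["enabled"]:
            continue  # unowned, current-staff or already-disabled accounts are handled elsewhere
        last_day = separations[owner]
        deadline = last_day + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the grace window
        last_logon: Optional[date] = acct.get("last_logon")
        findings.append(Finding(
            sam=acct["sam"],
            owner=owner,
            last_day=last_day,
            days_overdue=(as_of - deadline).days,
            privileged=acct["privileged"],
            # A logon after the last day means the orphaned account was actually used.
            used_after_separation=last_logon is not None and last_logon > last_day,
        ))
    # Privileged and actively used accounts first, then by how long overdue.
    findings.sort(key=lambda f: (not f.privileged, not f.used_after_separation, -f.days_overdue))
    return findings


def find_unowned_enabled_accounts(accounts: List[dict]) -> List[str]:
    """Enabled accounts with no recorded owner cannot be reconciled against HR at all."""
    return [a["sam"] for a in accounts if a["enabled"] and a["owner"] is None]


def reconcile(as_of_iso: str) -> Tuple[List[Finding], List[str]]:
    """Run both checks against the constructed data as at the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return (find_orphaned_access(DIRECTORY_ACCOUNTS, HR_SEPARATIONS, as_of),
            find_unowned_enabled_accounts(DIRECTORY_ACCOUNTS))


if __name__ == "__main__":
    orphaned, unowned = reconcile("2023-06-30")
    for f in orphaned:
        flags = ("PRIVILEGED " if f.privileged else "") + ("USED-AFTER-SEPARATION" if f.used_after_separation else "")
        print(f"{f.sam:12} owner={f.owner} last_day={f.last_day} overdue={f.days_overdue}d {flags}")
    for sam in unowned:
        print(f"{sam:12} enabled but no recorded owner")
```

Privileged accounts and accounts that have been used after the owner’s last day are listed first, since those are the findings an auditor would weight most heavily; enabled accounts with no recorded owner are reported separately because they cannot be reconciled against HR at all and need a different control (an owner register for service accounts).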

2.114 The Committee is also concerned about the persistent optimism bias found by ANAO in relation to self-reporting by entities on cybersecurity compliance, and the likelihood that agencies understate the true picture of the vulnerabilities that may exist. While the complexity and scale of the IT systems across different Commonwealth agencies is understood, the dependence on self-assessments to assess the extent of compliance with the cybersecurity framework is likely to remain inadequate, regardless of any enhanced guidance or changes to the framework by AGD or ASD.

2.115 The Committee also shares the view of the Auditor-General in relation to AGD and the PSPF that being a policy owner with no regulatory responsibility for that policy is problematic. The Committee’s view is that AGD’s inability to provide regulatory oversight is linked to the absence of appropriate assurance of entities’ self-assessments and the bias and inaccuracies inherent in those assessments.

2.116 The peer review process that AGD has trialled is a welcome step forward. It is not, however, equivalent to a robust external assurance process to provide government confidence that it has an accurate picture of the cyber security capabilities of non-corporate Commonwealth entities. AGD’s position that each entity is responsible for the accuracy of its own PSPF self-reporting has allowed inaccuracies to persist in some of these assessments. This highlighted to the Committee the importance of a robust and appropriate assurance process as recommended by ANAO.

2.117 The Committee also notes that AGD’s significant work on the PSPF is not reflected in a performance measure in its annual performance statements. This minimises parliamentary and public visibility of AGD’s valuable work, and also limits accountability through the ANAO’s reporting on AGD’s performance statements.

Recommendation 5

2.118 The Committee recommends that, in light of the constant optimism biases which disguise the true situation in relation to public sector cyber-security, the Government consider implementing an assurance regime on agencies’ self-reporting to government on the cybersecurity aspects of the Protective Security Policy Framework, at least on a risk basis if not across all entities, and adopt appropriate assurance measures as recommended by the Australian National Audit Office.

Recommendation 6

2.119 The Committee recommends that the Attorney-General’s Department develop appropriate performance measures, to be included in its annual performance statement, of its effectiveness in promoting compliance with the cyber security components of the Protective Security Policy Framework.

Mr Julian Hill MP

Chair

27 June 2023

Footnotes

[1]Auditor-General Report No. 8 2022–23 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2022, Executive Summary, paragraph 14, p. 11.

[2]Auditor-General Report No. 8 2022–23, Chapter 2, p. 33.

[3]Department of Finance (Finance), Submission 4, p. 5.

[4]Auditor-General Report No. 8 2022–23, paragraph 2.37, p. 43.

[5]Auditor-General Report No. 8 2022–23, paragraph 2.37, p. 43.

[6]Auditor-General Report No. 8 2022–23, paragraph 2.38, p. 43.

[7]Mr Grant Hehir, Auditor-General, Australian National Audit Office (ANAO), Committee Hansard, Canberra, 31 March 2023, p. 12.

[8]Ms Justine Saunders APM, Chief Operating Officer, Department of Home Affairs (Home Affairs), Committee Hansard, Canberra, 31 March 2023, p. 13.

[9]Ms Saunders, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 13.

[10]Ms Stephanie Cargill, Chief Finance Officer, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 14.

[11]Mr Julian Hill MP, Chair, Joint Committee of Public Accounts and Audit (JCPAA), Committee Hansard, Canberra, 31 March 2023, p. 14.

[12]Ms Saunders, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 14.

[13]Ms Saunders, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 14.

[14]Ms Cargill, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 15.

[15]Home Affairs, Submission 14 (responses to questions on notice), p. [3].

[16]Ms Cargill, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 16.

[17]Ms Saunders, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 17.

[18]Ms Cargill, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 18.

[19]Ms Saunders, Home Affairs, Committee Hansard, Canberra, 31 March 2023, p. 20.

[20]Ms Cindy Briscoe, Deputy Secretary, Department of Agriculture, Fisheries and Forestry (Agriculture), Committee Hansard, Canberra, 31 March 2023, p. 20.

[21]Ms Briscoe, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 21.

[22]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [4].

[23]Mr Paul Pak Poy, Chief Finance Officer, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 23.

[24]Mr Pak Poy, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 23.

[25]Ms Briscoe, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 23.

[26]Ms Briscoe, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 24.

[27]Agriculture, Proposed changes to regulatory charging for biosecurity activities, Consultation paper, Biosecurity Cost Recovery Arrangement, Canberra, March 2023, p. 26, https://haveyoursay.agriculture.gov.au/biosecurity-cost-recovery, viewed 2 June 2023.

[28]Mr Pak Poy, Agriculture, Committee Hansard, Canberra, 31 March 2023, p. 24.

[29]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [14].

[30]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [16].

[31]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [19].

[32]Agriculture, Supplementary submission 12.1 (response to questions on notice), pages [19]-[20].

[33]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [17].

[34]Agriculture, Supplementary submission 12.1 (response to questions on notice), p. [17].

[35]Mr Bola Oyetunji, Group Executive Director, Financial Statements Audit Services Group, ANAO, Committee Hansard, Canberra, 16 June 2023, p. 7.

[36]Ms Rona Mellor PSM, Acting Auditor-General, Committee Hansard, Canberra, 16 June 2023, p. 7.

[37]Ms Mellor, Acting Auditor-General, Committee Hansard, Canberra, 16 June 2023, p. 7.

[38]Ms Mellor, Acting Auditor-General, Committee Hansard, Canberra, 16 June 2023, p. 7.

[39]Mr David Gifford, Scheme Actuary, National Disability Insurance Agency (NDIA), Committee Hansard, Canberra, 16 June 2023, p. 8.

[40]Mr Gifford, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 8.

[41]Mr Gifford, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 9.

[42]Ms Rebecca Falkingham, Chief Executive Officer, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 5.

[43]Ms Falkingham, CEO, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 5.

[44]Ms Falkingham, CEO, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 5.

[45]Ms Falkingham, CEO, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 10.

[46]Mr Gifford, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 11.

[47]Ms Falkingham, CEO, NDIA, Committee Hansard, Canberra, 16 June 2023, p. 15.

[48]NDIS Review, Terms of Reference, Australian Government, Canberra, October 2022, https://www.ndisreview.gov.au/about/terms-of-reference, viewed 19 June 2023.

[49]Auditor-General Report No. 8 2022–23, Financial audit results and other matters, p. 10.

[50]Auditor-General Report No. 8 2022–23, Financial audit results and other matters, p. 10.

[51]Auditor-General Report No. 8 2022–23, Financial audit results and other matters, p. 10.

[52]Finance, Guide to Appropriations: Resource Management Guide No. 100, August 2019, Canberra, paragraph 29, p. 12, https://www.finance.gov.au/sites/default/files/2019-11/RMG100-Guide-to-Appropriations_0.pdf, viewed 15 June 2023.

[53]Department of Defence (Defence), Submission 2, p. 2.

[54]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 31 March 2023, p. 2.

[55]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 31 March 2023, p. 3.

[56]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 31 March 2023, p. 3.

[57]Mr Groves, Defence, Committee Hansard, Canberra, 31 March 2023, p. 7.

[58]Ms Tracey Carroll, First Assistant Secretary, Governance and Resource Management, Finance, Committee Hansard, Canberra, 31 March 2023, p. 3.

[59]Ms Carroll, Finance, Committee Hansard, Canberra, 31 March 2023, p. 4.

[60]Ms Carroll, Finance, Committee Hansard, Canberra, 31 March 2023, p. 5.

[61]Mr Steven Groves, Chief Finance Officer, Defence, Committee Hansard, Canberra, 31 March 2023, p. 6.

[62]Mr Groves, Defence, Committee Hansard, Canberra, 31 March 2023, p. 6.

[63]Mr Nathan Williamson, Deputy Secretary, Finance, Committee Hansard, Canberra, 31 March 2023, p. 8.

[64]Ms Carroll, Finance, Committee Hansard, Canberra, 31 March 2023, p. 8.

[65]Mr Groves, Defence, Committee Hansard, Canberra, 31 March 2023, p. 11.

[66]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 31 March 2023, p. 11.

[67]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 31 March 2023, p. 11.

[68]ANAO, Supplementary Submission 15.1, p. 4.

[69]ANAO, Supplementary Submission 15.1, p. 4.

[70]ANAO, Supplementary Submission 15.1, p. 4.

[71]ANAO, Supplementary Submission 15.1, pages 3-4.

[72]ANAO, Supplementary Submission 15.1, pages 4-5.

[73]ANAO, Supplementary Submission 15.1, p. 5.

[74]ANAO, Supplementary Submission 15.1, p. 6.

[75]ANAO, Supplementary Submission 15.1, p. 7.

[76]Attorney-General’s Department (AGD), Protective Security Policy Framework (PSPF),https://www.protectivesecurity.gov.au/ viewed 15 June 2023.

[77]Auditor-General Report No. 8 2022–23, paragraph 2.99, p. 65.

[78]AGD, Applying the Protective Security Policy Framework, https://www.protectivesecurity.gov.au/about/applying-protective-security-policy-framework, viewed 15 June 2023.

[79]Australian Signals Directorate (ASD), Essential Eight,https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight, viewed 15 June 2023.

[80]AGD, PSPF Policy 10: Safeguarding data from cyber threats, https://www.protectivesecurity.gov.au/publications-library/policy-10-safeguarding-data-cyber-threats, viewed 15 June 2023.

[81]Auditor-General Report No. 8 2022–23, paragraph 2.100, p. 65.

[82]Auditor-General Report No. 8 2022–23, paragraph 2.100, p. 65.

[83]Auditor-General Report No. 8 2022–23, paragraph 2.101, p. 65.

[84]Ms Lesa Craswell, Senior Executive Director, Systems Assurance and Data Analytics Group, ANAO, Committee Hansard, Canberra, 19 May 2023, p. 1.

[85]Ms Brooke Hartigan, First Assistant Secretary, Security and Counter-Terrorism Division, National Security and Criminal Justice Group, Attorney-General's Department (AGD), Committee Hansard, Canberra, 19 May 2023, p. 2.

[86]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 2.

[87]Auditor-General Report No. 22 2022-23, Implementation of Parliamentary Committee and Auditor-General Recommendations — Attorney-General’s Portfolio, paragraphs 3.60-3.61, pp. 54-55.

[88]Auditor-General Report No. 22 2022-23, Implementation of Parliamentary Committee and Auditor-General Recommendations — Attorney-General’s Portfolio, paragraphs 3.60-3.61, p. 55.

[89]ANAO, Submission 15 (responses to written questions), p. [8].

[90]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 19 May 2023, p. 2.

[91]Dr Derek Bopping, Acting Head, Australian Cyber Security Centre, Australian Signals Directorate (ASD), Committee Hansard, Canberra, 19 May 2023, p. 8.

[92]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 19 May 2023, p. 9.

[93]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 3.

[94]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 19 May 2023, p. 3.

[95]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, pages 3-4.

[96]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, p. 4.

[97]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, p. 4.

[98]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 4.

[99]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 5.

[100]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 7.

[101]Ms Hartigan, AGD, Committee Hansard, Canberra, 19 May 2023, p. 7.

[102]AGD, Submission 16 (response to questions on notice), p. 2.

[103]Auditor-General Report No. 32 2020-21, Cyber Security Strategies of Non-Corporate Commonwealth Entities.

[104]ANAO, Submission 15 (responses to written questions), p. [6].

[105]ANAO, Submission 15 (responses to written questions), p. [6].

[106]ANAO, Submission 15 (responses to written questions), p. [6].

[107]Mr Hehir, Auditor-General, Committee Hansard, Canberra, 19 May 2023, p. 7.

[108]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, p. 8.

[109]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, pages 8-9.

[110]Dr Bopping, ASD, Committee Hansard, Canberra, 19 May 2023, p. 9.

[111]Mr Luke Muffett, Assistant Secretary, Security Law and Policy Branch, Security and Counter-Terrorism Division, National Security and Criminal Justice Group, AGD, Committee Hansard, Canberra, 19 May 2023, pages 9-10.

[112]Mr Muffett, AGD, Committee Hansard, Canberra, 19 May 2023, p. 10.

[113]AGD, PSPF Policy 10: Safeguarding data from cyber threats, https://www.protectivesecurity.gov.au/publications-library/policy-10-safeguarding-data-cyber-threats, viewed 15 June 2023.

[114]Mr Muffett, AGD, Committee Hansard, Canberra, 19 May 2023, p. 10.

[115]Ms Rona Mellor PSM, Deputy Auditor-General, Committee Hansard, Canberra, 19 May 2023, p. 10.

[116]AGD, Submission 16 (response to questions on notice), p. 3.

[117]AGD, Submission 16 (response to questions on notice), p. 3.