The effective management of risk is integral to achieving our objectives and supporting our purpose. Risk management is a critical component of the ANAO’s approach to good governance, and is integrated into our oversight structures, strategic planning framework and values-driven, high-performance culture.

Risk management framework

The ANAO’s risk management framework is based on adherence to the Commonwealth Risk Management Policy, which adopts definitions outlined in ISO 31000:2018 Risk management — Guidelines. The standard defines risk as ‘the effect of uncertainty on objectives’, and risk management as the ‘coordinated activities to direct and control an organisation with regard to risk’. The Commonwealth’s policy has nine elements and the ANAO has established risk oversight and management systems to address each of those elements.

The ANAO’s management of risk is embedded into all business-as-usual practices, using consistent language, approaches and documentation, with the adoption of both qualitative and quantitative risk analysis tools applicable across all operations and groups. Risks associated with audit products are identified and managed within the delivery of the products and within the quality framework through policies, procedural guidance and review points.

Risks need to be managed in the context of achieving organisational goals and objectives. While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the mitigating controls and their effectiveness at controlling risks.

The Auditor-General takes advice from the Executive Board of Management into account when approving the risk management framework and enterprise risk register and determining the ANAO’s appetite and tolerance for risk. The risk management framework identifies specific responsibilities for key personnel across the ANAO and the enterprise risk register assigns owners for each enterprise-level risk. In addition, all ANAO staff have a general responsibility to practise active risk management. The Executive Board of Management reviews any serious risk incidents each month, and any residual risk assessed as ‘high’ or above is monitored monthly. Business risks are reviewed at least annually.

The ANAO proactively managed a number of serious risk incidents in 2019–20 in response to a changing risk environment. These included environmental hazards restricting use of the ANAO’s office facilities and the COVID-19 pandemic. The required mitigations that the ANAO put in place in response to these risk events will continue to benefit the ANAO’s operations in the post-pandemic environment.

The Professional Services and Relationships Group and the two audit services groups have primary responsibility for managing audit risk. Each individual audit work plan assesses operational risks and mitigation strategies, and risk is assessed at all audit review points. Responsibility for managing operational audit risk is assigned to responsible senior executives and audit managers.

Internal audit

Internal audit provides an objective audit service that is designed to add value and improve the ANAO’s operations. A systematic and disciplined approach is taken to evaluate and improve the effectiveness of risk management, control and governance processes.

In 2019–20, the ANAO’s internal auditor, BellchambersBarrett, completed the following reviews:

• TeamMate rollout — pre-implementation review
• TeamMate rollout — implementation review
• JCPAA and other parliamentary committee audit recommendations
• Contract management — contract-out audits
• Payroll and payment data integrity
• Management of outsourced information and communications technology services
• ANAO Audit Manual compliance.

The seven completed internal audits made 10 recommendations in total all agreed to by the ANAO. Following the June 2020 Audit Committee meeting, work was in progress to address the five outstanding internal audit recommendations.

Control environment

The ANAO has a robust control environment in place. The current control framework includes the following policies and procedures, which document key business procedures and incorporate details of key internal controls:

• Auditor-General instructions — these apply key principles and requirements of the Commonwealth’s resource management framework to the operations of the ANAO;
• financial management procedures (to support the Auditor-General instructions);
• delegations and authorisations; and
• an employee handbook.

Regular reviews of controls are undertaken by management and through the use of internal audit.

Probity and independence

The ANAO’s commitment to high ethical and professional standards underpins the quality of its work. For audit professionals, independence is an element central to the quality of each audit. It requires all members of the audit team to avoid circumstances that could compromise their ability to act with integrity and exercise objectivity and professional scepticism. The ANAO Auditing Standards and the ANAO Independence Policy require staff and contractors engaged in audits to comply with the relevant provisions of the Accounting Professional and Ethical Standards Board’s APES 110 – Code of Ethics for Professional Accountants (including Independence Standards). Any threat to independence must be evaluated and safeguards applied to reduce the threat to an acceptable level. Situations where a threat cannot be reduced to an acceptable level are not entered into or not allowed to continue.

When conducting procurements, the ANAO adheres to the Department of Finance’s Ethics and Probity in Procurement principles. Staff involved in assessing procurements are required to receive a probity briefing from the procurement team. Any open tender procurements require the completion of probity and conflict of interest declarations from staff involved in evaluating the responses before they are given access to the responses. Complex procurements have nominated probity advisers included in the evaluation team — either internal ANAO staff or specialised external probity advisers.

In order to maintain credibility and demonstrate independence, the ANAO regards integrity as a core value of the organisation — critical in sustaining the confidence of the Parliament, strengthening public trust in government and delivering quality audit products.

The ANAO’s integrity control system and processes include good governance practices, publishing of gifts and benefits, and an ongoing focus on independence in the delivery of our work. Beyond its control system, the ANAO maintains an enduring focus on promoting integrity as an organisational value that is embedded in our work and culture.

Fraud control and prevention

The Senior Executive Director CMG is responsible for managing the ANAO’s fraud control framework, including fraud detection, prevention and response. This framework is linked to the ANAO’s risk management framework and consolidates all fraud prevention and detection activities in one document. Having particular regard to risk against the ANAO’s reputation should fraudulent activity occur, the ANAO periodically reviews its fraud control framework to take into account changes in its operating environment. There were no incidents of fraud in 2019–20. We conducted a fraud risk assessment and concluded that all identified fraud risks were accurately assessed and appropriate controls were in place.

The ANAO continues to maintain appropriate fraud prevention, detection, investigation, reporting and data collection procedures in accordance with the Public Governance, Performance and Accountability Rule 2014. The ANAO enhances fraud awareness among staff through various mechanisms, including a mandatory fraud e-learning module.

Auditor-General’s disclosure of expenses

The Auditor-General voluntarily discloses publicly any expenses incurred to ensure transparency. The Auditor-General’s expenses are disclosed every six months. His expenses for the 2019 calendar year and for January to June 2020 are available on the ANAO website.

Gifts and benefits

The ANAO gifts and benefits policy recommends that ANAO employees do not accept any gifts or benefits in their role as an employee of the ANAO. Employees are required to report any offered gift or benefit (whether accepted or refused) within 10 business days of the offer being made, through an internal gifts and benefits register. The data collected through the register is reported to the ANAO’s Executive Board of Management, and a subset of the data is reported publicly. In response to new guidance released by the Australian Public Service Commissioner on the 18^th October 2019, the ANAO moved from quarterly to monthly public reporting of gifts and benefits through its website in January 2020.

Outside employment

The ANAO provides its employees with flexibility to participate in activities outside the Australian Public Service if the activities do not conflict or adversely affect the performance of their official duties. A range of activities may be deemed to be in the public interest and of professional benefit to the individual and to the ANAO. Outside work is other employment (paid or unpaid) or volunteer activities undertaken by an employee in addition to their official duties or while on paid or unpaid leave from the ANAO.

Prior approval is required for all outside activities and employment, unless specifically excluded from the policy. If an employee commenced outside employment before joining the ANAO, the employee must obtain approval to continue the employment immediately upon commencement. In all other cases, employees must obtain approval before commencing outside employment.

Approval is not required where activities are solely of a personal nature — that is, when employees perform work or undertake activities for voluntary community organisations or sporting bodies. Passive investment activities, such as rental properties, share trading and so on, are also excluded from approval requirements. However, all exclusions from approval are on the basis that activities are undertaken in the employee’s own time, no ANAO resources are used, and that there is no conflict of interest or adverse effect on their official duties.

At 30 June 2020, the ANAO approved 63 staff undertaking outside employment activities.

Compliance survey

The ANAO’s delegates assert compliance with the financial framework, including compliance with the PGPA Act, by completing a Compliance Survey. The response rate to the survey in 2019–20 was 90%. Not all identified staff provided a response due to their absence when the survey was being undertaken.

In 2019–20 the survey identified no significant breaches of the ANAO delegations, financial management rules and associated legislation. A number of non-significant breaches relating to procurement were identified in relation to reporting procurements via Austender within the mandated timeframe of 42 days. Non-significant instances of the misuse of the ANAO’s official credit cards were also identified.

There were 45 instances where procurements made by the ANAO were registered on Austender after 42 days. The ANAO has implemented additional internal controls to mitigate the likelihood of procurements not being reported on Austender within the mandated timeframe.

There were 16 instances of misuse or fraud related transactions of the ANAO’s corporate credit card in 2019–20. This represents 0.2% of total credit card transactions. Although the proportion of misuse is small, each instance is investigated, with all these incidents found to be inadvertent. All instances of credit card misuse were reported to the Executive Board of Management. The CFO contacted those staff that misused their credit card and reminded them of their obligations when using the card and ensured that the amounts associated with the misuse of the credit cards were repaid into the ANAO’s bank.