Corporate governance
As a statutory agency in the Defence portfolio, ASD reports directly to the Minister for Defence, the Hon Peter Dutton MP. ASD operates under the PGPA Act and the ISA. The Director-General ASD is the accountable authority of ASD.
All of ASD's activities are subject to oversight from IGIS. ASD's performance and financial statements are auditable by the Auditor-General.
The PJCIS provides further oversight of ASD's administration, expenditure, enabling legislation, and any matters referred by the Australian Senate, House of Representatives, or a minister of the Australian Government. ASD also appears before the Senate Standing Committee on Foreign Affairs, Defence and Trade during Estimates hearings.
Corporate Plan
On 31 August 2020, ASD published its third Corporate Plan, covering the period 2020–21 to 2023–24.
The course of the three corporate plans has remained constant as ASD continues to mature since becoming a statutory agency on 1 July 2018, including strengthening its reporting and performance framework and governance functions.
Governance framework
The Director-General is assisted in administering ASD by the Executive Committee, its subcommittees and the ASD Audit and Risk Committee (ASDARC); see Figure 3. ASD's governance framework was streamlined during 2020–21 to clarify decision-making processes and ensure clear lines of accountability.
Executive Committee
The ASD Executive Committee is the primary decision-making committee within ASD, with the Director-General as the accountable person.
The role of the committee is to provide advice to the Director‑General, set the strategic direction for ASD, and provide oversight of all ASD activities. The Executive Committee assists the Director‑General in ensuring that ASD meets the highest standards of governance, performance and accountability, with the Director‑General having ultimate decision-making authority on all issues.
The Executive Committee met fortnightly during 2020–21.
ASD Audit and Risk Committee
In accordance with section 45 of the PGPA Act and section 17 of the PGPA Rule, ASDARC comprises external and internal members. The committee is responsible for monitoring, reviewing, and, where appropriate, making recommendations to the Director-General about financial reporting; performance reporting; systems of risk oversight, including fraud risk assessment, deterrence and prevention; systems of internal control; and internal and external audit.
The committee has five members, three of whom are external to ASD. During 2020–21, ASDARC met formally five times. Informal activities during the year included workshops about ASD’s performance and familiarisation tours of key business areas.
An electronic version of the ASDARC charter is available from the ASD website at www.asd.gov.au/publications/governance/audit-and-risk-committee-charter.
Table 1 provides information in accordance with audit committee disclosure requirements for Commonwealth entities.
Member name | Qualifications, knowledge, skills or experience (include formal and informal as relevant) | Number of meetings attended / total number of meetings | Total annual remuneration (GST inc.) |
|---|---|---|---|
Mr Mark Ridley | Qualifications: Fellow of the Institute of Charted Accountants and a graduate of the Australian Institute of Company Directors, with a bachelor’s degrees in commerce and accounting. Notable roles: Chair of ASDARC since 1 July 2020 and has served as an independent member and chair of audit and risk committees for several large-sized and medium-sized Commonwealth agencies since 2011, and has also assisted some entities in the oversight of ICT projects. He was formerly a senior partner of PricewaterhouseCoopers with leadership roles in risk advice, internal audit, and ICT project assurance for large financial services companies, other industries and state and federal governments. | 5 of 5 | $32,164.00 |
Ms Sue Bird | Qualifications: Graduate of the Australian Institute of Company Directors, holds an honours degree in law from the Australian National University and was admitted to legal practice in 2000. She has received accreditation in PRINCE2 and MSP Project and Program Management and is a certified organisational coach. Notable roles: Member of ASDARC since 1 July 2020 and has previously held the position of Chief Operating Officer for the Australian Federal Police. She has also held a number of Chief Legal Counsel roles and is an independent integrity adviser for a large Commonwealth agency. | 5 of 5 | $18,959.09 |
Mr Mike Noyes | Qualifications: Bachelor of Science (Honours), Master of International Studies, Graduate Diploma Applied Finance. Notable roles: Member of ASDARC since early 2020 and has more than 25 years of experience working in the fields of international affairs and national security. | 5 of 5 | $0* |
Mr Craig Beutel | Qualifications: Masters in Military and Defence Studies. Notable roles: Member of ASDARC since late 2019. He brings to the committee 15 years of intelligence, operational and policy experience. | 5 of 5 | $0* |
Ms Jacinta Harrison | Qualifications: Certificate in National Security Policy (ANU) and a certification in Business Continuity Management, Portfolio, Program and Project Management. Notable roles: Member of ASDARC since early 2020. She brings to the committee 20 years of intelligence, operational and technical experience. | 4 of 5** | $0* |
*A Commonwealth employee does not receive additional remuneration when serving as a committee member.
** For one meeting, Ms Harrison was on annual leave.
Business Management Committee
The Business Management Committee (BMC) is ASD’s whole‑of‑enterprise decision‑making and consultation forum for ASD’s key enterprise enablement activities.
The BMC advises the Executive Committee on matters relating to people, finance, facilities and estate, workplace health and safety, risk, security and compliance, and ensures these matters remain aligned with ASD’s legislative requirements.
The BMC is chaired by the Deputy Director‑General Corporate and Capability. The BMC met ten times during 2020–21.
Data, Technology and Infrastructure Committee
The Data, Technology and Infrastructure Committee (DTIC) is ASD’s peak data and technology decision-making committee. The DTIC takes a whole-of-organisation perspective on capability, risk, and investment to optimise ASD’s strategic outcomes through mastery of data and technology.
The DTIC advises the Executive Committee on significant data and technology investments, capability risks, infrastructure and services lifecycle management, and data management and handling.
The DTIC is chaired by the Deputy Director-General Corporate and Capability. The DTIC met eleven times during 2020–21.
Management Review Committee
ASD's Management Review Committee (MRC) is the key body for managing complex organisational suitability and personnel security risks for the agency.
Where required, the MRC considers potential issues of concern related to employee organisational suitability in a manner that balances intelligence-related equities and appropriate personnel management.
The MRC does not consider issues related to the security clearance process, broader employment conditions, Code of Conduct, other administrative investigations or performance management activities.
The MRC is co-chaired by the Deputy Director-General Corporate and Capability and the Deputy Director-General Signals Intelligence and Network Operations. The MRC met 19 times during 2020–21.
Operational Compliance Committee
The Operational Compliance Committee is the responsible body for ensuring ASD meets the highest standards of governance, performance and accountability in its operations, achieved through establishing and maintaining best practice compliance and oversight procedures.
When required, the Operational Compliance Committee ensures all compliance breaches, suspected and confirmed, are investigated following established procedures. It also reviews emerging operational compliance issues and assesses whether ASD’s legal and regulatory frameworks are in line with legislation and review recommendations.
The Operational Compliance Committee is chaired by the First Assistant Director-General Integrity, Security, Assurance and Corporate, and met quarterly during 2020–21.
Management of risk and fraud
Risk management
Consistent with requirements in the PGPA Act, the PGPA Rule, and the Commonwealth Risk Management Policy 2014, ASD has established systems and appropriate internal controls for oversight and management of risk.
Managing risk well enables ASD to achieve its purpose, strategic objectives and to meet government priorities. ASD continues to balance opportunity and accountability while operating with integrity to manage risk as this ensures the Australian public’s trust and confidence are maintained.
Effective risk management addresses the need for information regarding major risks to flow up, down, and across organisational structures to improve the quality of decisions in achieving strategic and business objectives.
In 2020–21, ASD continued to embed risk management principles to support timely decision-making and reporting, prioritise resources, increase compliance and efficiency, and continue to improve operations. Key achievements included:
- publishing a new enterprise risk management policy and enterprise risk management framework.
- reporting to senior committees on the effectiveness of enterprise risk management.
- running a program of deep-dives into ASD’s enterprise-level risk categories.
- running a series of enterprise risk management workshops for newly appointed risk owners and risk controllers.
- achieving an overall risk maturity rating of ‘Embedded’ in the Department of Finance Comcover Risk Management Benchmarking Survey 2021.
Fraud control and prevention
All staff within ASD’s mission, regardless of seniority, must adhere to policies and procedures and be held accountable for their actions. ASD takes all reasonable steps to minimise the potential for fraud by designing and implementing internal controls that prevent, detect and deal with fraudulent behaviour. ASD takes a stringent ‘educate, trust and verify’ approach to fraud. Given ASD’s role, operating environment, and reliance on partners, the protection of its people, information, and assets is paramount.
In accordance with the Commonwealth Fraud Control Framework 2017, ASD continues to meet its mandatory obligations to prevent, detect and respond to fraud.
In 2021, ASD undertook a fraud risk assessment while its existing Fraud Control Plan continued to ensure that fraud risks were adequately mitigated, monitored, reported, and controlled.
Every two years, ASD staff members complete mandatory training on fraud and integrity awareness. Fraud education is also promoted through activities such as International Fraud Awareness Week and regular messaging to the workforce.
During the reporting year, ASD participated in the Australian Institute of Criminology’s Annual Fraud Against the Commonwealth Census, for the second time as a statutory agency.
In 2020–21, ASD identified perceived or actual instances of fraud. A complex case investigating multiple issues concluded fraud had occurred when a staff member used fraudulent medical certificates for absences. The individual’s employment was later terminated on other grounds. Two separate instances of misuse of ASD’s ICT capability led to one individual resigning before a sanction could be imposed while the other individual was referred to Defence. A compromise of a Defence credit card belonging to an ASD staff member determined that no loss to the Commonwealth had occurred. A further case of a suspected fraud involving an allegation of breach of non-disclosure agreement, and disclosure of sensitive information, was reported but is yet to be finalised.
Ethical model
ASD's ethical structure is shaped around the legislation that governs ASD business and activities, and is embedded in its organisational values. The structure is supported by ASD’s security and integrity framework, which is designed to protect ASD’s people, information and assets and promote the effective and efficient delivery of ASD’s business. The framework outlines ASD’s values and standards and is designed to improve the transparency of how security and integrity issues are managed.
ASD staff are committed to upholding organisational values (Figure 4), which are an integral aspect of ASD's culture and are reflected in the Code of Conduct.
ASD has a robust internal operational compliance and oversight function to ensure it complies with the spirit and letter of the law. ASD’s internal programs provide timely operational compliance advice, policy and training, as well as carrying out self-regulatory functions through investigations and assurance activities. Combined, these internal programs are designed to ensure ASD undertakes all mission activities in accordance with legislation, policy and Ministerial Directions. ASD also works closely with IGIS, who provides independent assurance to ministers, the Parliament, and the public that ASD acts with legality and propriety and consistently with human rights.
Public Interest Disclosure
ASD is also subject to the Public Interest Disclosure Act 2013 (PID Act), which facilitates disclosure and investigation of wrongdoing and maladministration in the Commonwealth public sector. ASD-authorised officers are appointed by the Director-General to fulfil the purposes and direction of the PID Act.
During the reporting year, ASD received seven potential public interest disclosures (PIDs). Of these seven, one had information which informed a PID that was already under investigation, one was allocated to another Commonwealth agency, one was pending a final allocation decision and the other four were investigated by ASD. Of the four investigated by ASD, three investigations were finalised during 2020–21.
Visit
https://www.transparency.gov.au/annual-reports/australian-signals-directorate/reporting-year/2020-21-45