ORGANISATIONAL STRUCTURE

Senior positions occupied during 2019–20 were as follows:

Inspector-General of Intelligence and Security (Statutory officer)
The Honourable Margaret Stone AO FAAL, appointed on 24 August 2015 and concluded on 23 August 2020.

Deputy Inspector-General of Intelligence and Security (SES Band 2)
Mr Jake Blight, appointed to the SES Band 2 Deputy Inspector-General on 23 October 2018. Mr Blight was originally appointed as the SES Band 1 deputy under the previous organisational structure in January 2012. Mr Blight was Acting Inspector‑General on some occasions during the reporting period.

Assistant Inspectors-General of Intelligence and Security (SES Band 1)
Mr Stephen McFarlane, appointed 8 February 2018; and Ms Bronwyn Notzon-Glenn, appointed 28 February 2019.

SENIOR MANAGEMENT COMMITTEES
The Office’s corporate governance framework provides for two senior management committees.

The Executive Committee meets weekly and comprises the Inspector-General, Deputy Inspector-General and the two Assistant Inspectors-General. The Executive Committee assists the Inspector-General to set the strategic direction of the Office and oversee its administration.

The Senior Officers’ Meeting is held weekly and comprises of the Inspector-General, Deputy Inspector-General, the two Assistant Inspectors-General and the Directors. The Senior Officers’ Meeting assists the Inspector-General with strategic planning, monitoring and reporting, and aligns priorities across the agency.

CORPORATE AND OPERATIONAL PLANNING
The Office’s corporate and operational planning processes are straightforward, reflecting the small size and specialist function of the Office.

The Office addresses these matters through:

• an annual forward planning process to set strategic priorities and a mid-cycle review
• weekly meetings between the Inspector-General and senior IGIS officers to review and document operational priorities
• monthly meetings between the Inspector-General and all IGIS officers during which current operational matters, internal guidelines, and procedures and governance issues are discussed
• a forward plan for inspection activities in each intelligence agency, which is determined in consultation with the relevant agency head (in accordance with s 9A of the IGIS Act).

PROTECTIVE SECURITY
The Australian Government’s Protective Security Policy Framework (PSPF) provides a structure for Australian Government agencies to manage security risks proportionately and effectively, and provides the necessary protection for the government’s people, information and assets.

The governance arrangements and core policies in the PSPF describes the higher level protective security outcomes and identifies mandatory compliance requirements which IGIS must meet.

How agencies assess their compliance with PSPF requirements has changed from compliance statements against 36 mandatory requirements, to a maturity model. In the last PSPF reporting period the Office recorded a maturity assessment of Embedded, which means:

All PSPF core and supporting requirements are implemented, effectively integrated and exceeding security outcomes. Entity’s implementation of better-practice guidance drives high performance. The entity’s security maturity provides comprehensive protection of the entity’s people, information and assets.

Throughout the reporting year the Office continued to participate in whole of government security management forums and cross-agency security management activities.

INTERNAL AUDIT AND RISK MANAGEMENT
IGIS has an internal risk management framework which establishes the IGIS Audit Committee, provides risk assessments, risk tolerance and acceptance thresholds, and includes business continuity plans.

In February 2020, the Office reviewed its business continuity plan to respond to the COVID-19
global pandemic and in March 2020 implemented a specific pandemic emergency management plan. This plan is scalable and adaptable to a broad range of pandemic and other emergency situations.

In late 2019–20, two internal audits were initiated; one relates to assurance concerning the agency’s wage compliance and the other relates to administration of employee leave liabilities.

The membership and functions of the IGIS Audit Committee are structured according to the PGPA Act. The charter for the IGIS Audit Committee is available at https://www.igis.gov. au/about/finance. Mr Trevor Kennedy (Attorney-General’s Department) was the Chair of the Committee until 22 July 2019; no meeting was held with Mr Kennedy as Chair during the reporting period. During 2019–20, the IGIS Audit Committee membership comprised of:

The Inspector-General may attend the meetings as an observer.

The Audit Committee meets on a periodic basis to consider matters including:

• risk management
• internal control
• financial statements
• compliance requirements
• internal audit
• external audit
• governance arrangements.

The Committee reviews the Risk Management Plan annually based on its assessment of the office risk performance over the period. The Risk Management Plan includes controls designed to mitigate risks across the following categories:

• personnel related
• accidental or intentional loss of information
• segregation of duties
• failure or compromise of information technology systems
• physical security of the office and facilities
• corporate liability
• fraud prevention, detection and management
• corporate compliance requirements.

Through its various mitigation strategies, the residual risk accepted by the Office is maintained in the low-medium levels in each of the categories.

ETHICAL STANDARDS AND FRAUD CONTROL
During 2019–20, the Office continued its commitment to high ethical standards and having high performing and professional staff. High ethical standards across the Office are maintained through:

• modelling of appropriate behaviours by the agency’s Senior Executive
• implementation of organisational suitability assessments
• a requirement that all IGIS officers maintain a high level security clearance
• annual declaration of known interests by the Senior Executive and all IGIS officers
• incorporation of APS Values and Code of Conduct expectations in IGIS’s performance agreement process.

The Office is a member of the APS Commission’s Ethics Contact Officer Network, and information and resources from this network are incorporated into broader agency communications.

During the reporting year there were no detected or alleged internal cases of fraud or breaches of the APS Code of Conduct. There was one detected instance of external fraudulent activity involving an agency credit card. The incident was identified through the agency’s controls. The matter was pursued and resolved using financial institution processes and all unauthorised funds were recovered by the financial institution.

The Office has established and maintains appropriate systems of risk oversight, management and internal controls in accordance with s 16 of the PGPA Act and the Commonwealth Risk Management Policy.

The Risk Management Plan includes controls designed to mitigate risks including: personnel related risks; accidental or intentional loss of information; segregation of duties; failure or compromise of information technology systems; physical security of the office and facilities; fraud prevention, detection and management; and corporate compliance requirements.

Regular monitoring of risks is undertaken and considered by the management team and reported to the Audit Committee.

EXECUTIVE REMUNERATION DISCLOSURES
The Inspector-General is a statutory office holder. In addition, the Office has three SES positions: one SES Band 2 position and two SES Band 1 positions. All of these positions are designated as Key Management Personnel (KMP).

The terms and conditions of all SES officer employment, including salary, are set out in individual s 24(1) determinations and are based broadly on SES remuneration within the Attorney-General’s Department. Each s 24(1) determination is reviewed annually with the Inspector-General, with more general performance discussions occurring during the year. The Inspector-General’s remuneration is determined by the Remuneration Tribunal.

The Office does not have a performance pay scheme. Details are in Annexure 5.2: Key Management Personnel.

EMPLOYMENT OF PERSONS FOR A PARTICULAR INQUIRY
Section 35(2AA) of the IGIS Act requires the annual report to comment on the employment under s 32(3) of any person to perform functions and exercise powers for the purposes of a particular inquiry, and any delegation under s 32AA to such a person. No person was employed under that provision during 2019–20.

ISSUES RELATING TO SIGNIFICANT NON-COMPLIANCE WITH THE FINANCE LAW
There were no significant issues relating to non-compliance with the finance law during 2019–20 that would be reportable to the responsible Minister under paragraph 19(1)(e) of the PGPA Act.