A powerful parliamentary committee has blasted the Australian Public Service and other Commonwealth entities for failures in IT governance that pose threats to security and the exposure of sensitive information.
The Joint Committee of Public Accounts and Audit has also criticised specific agencies over breaches in payments and remuneration and has issued a general warning for all departments to lift their game in reporting to the Federal Parliament.
The committee has tabled its report of the Inquiry into Commonwealth Financial Statements 2022-23, which scrutinised the Australian National Audit Office’s annual auditing of the financial accounting and reporting by Commonwealth entities.
The auditing provides assurance to the parliament on the financial position of the Australian Government and the expenditure of taxpayers’ money.
The report focuses on the financial statements audits of 243 separate entities in 2022-23.
Compared to 2021-22, there were increased weaknesses in change management policies and controls for IT systems and in the processes used by entities for accounting for computer software.
Committee chair Linda Burney said poor IT governance, particularly user access issues, was one of the most significant findings of the Auditor-General’s report into the financial statements.
“Unauthorised user access to IT systems across the Commonwealth remains a problem,” she said.
“The risks this poses are potentially significant as some of the agencies involved hold highly sensitive information.”
The Australian Taxation Office, Department of Defence, National Archives of Australia and Services Australia were the worst culprits, with the committee recommending each of them report within six months on their progress in closing “significant breaches” relating to their governance and control of IT systems.
“It is to be hoped that recommendations of this nature will eventually no longer be needed,” Ms Burney said.
“Unauthorised user access poses serious risks to the Commonwealth, particularly in agencies holding highly sensitive information. The committee is becoming increasingly concerned by the persistent nature of this problem.”
Another area of particular concern to the committee from the 2022-23 audits was the increase in the number of annual reports not being presented in time to be scrutinised at end-of-year Senate Estimates hearings.
While there was an increase over the previous year (from 86 per cent to 91 per cent) in statements being finalised and auditor reports issued within three months of the financial year-end, the number of entities tabling their annual reports in time to be scrutinised at subsequent Senate Estimates hearings declined from 74 per cent to 66 per cent over the previous year.
“The parliament must have this information, and is indeed entitled to expect it, in time to readily and properly scrutinise the expenditure of taxpayer funds,” Ms Burney said.
The committee named the following entities and asked for responses from each as to why their annual reports had not been tabled in time to be scrutinised at supplementary budget estimates for the past three years: High Court of Australia; Australian Strategy Policy Institute Ltd; Royal Australian Air Force Veterans’ Residences Trust Fund; RAAF Welfare Recreational Company; Royal Australian Navy Central Canteens Board; Bundanon Trust; Anindilyakwa Land Council; Central Land Council; Northern Land Council; Outback Stores Pty Ltd; Tiwi Land Council; Workplace Gender Equality Agency; and Wreck Bay Aboriginal Community Council.
Other concerns included legislative breaches involving certain payments and incorrect executive remuneration or non-compliance with the Remuneration Tribunal, as well as the lack of a mandatory internal auditing function for Commonwealth entities.
The committee requires an update within six months from the Northern Land Council, Tiwi Land Council, and the Department of Health and Aged Care on their respective progress in addressing the significant legislative breaches identified by the Australian National Audit Office.
It also recommends that the Department of Finance amend the current guidelines to require it be notified immediately of any breach of the executive remuneration rules and then engage with the entity in question to discuss remediation steps.
The parliamentary committee has requested an anonymised update from the Department of Finance within 12 months on the number of reported breaches it has received, the amounts involved, and whether they have been adequately resolved.
“Finally, the use and control of emerging technologies by public sector entities, particularly artificial intelligence, which came to light during this inquiry was of significant interest to the committee,” Ms Burney said.
“The committee corresponded with each of 36 entities that reported the adoption of some form of emerging technology during the financial statements audits.
“However, given the scope of the information received and the importance of this issue, it was subsequently decided to initiate a separate committee inquiry into AI use and governance in the public sector with an intention to report in early 2025.”