Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Select Committee on a National Integrity Commission
05/07/2017
Adequacy of the Australian government's framework for addressing corruption and misconduct

HEHIR, Mr Grant, Auditor-General, Australian National Audit Office

IOANNOU, Dr Tom, Group Executive Director, Australian National Audit Office

MELLOR, Ms Rona, Deputy Auditor-General, Australian National Audit Office

Committee met at 08:26

CHAIR ( Senator Jacinta Collins ): I call the committee to order. I declare open this public hearing of the Senate Select Committee on a National Integrity Commission. The inquiry's terms of reference are available from the secretariat. The committee's proceedings today will follow the program as circulated. These are public proceedings being broadcast live via the web.

I remind witnesses that, in giving evidence to the committee, they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee, and such action may be treated by the Senate as a contempt. It is also a contempt to give false or misleading evidence to the committee. The committee prefers evidence to be given in public, but, under the Senate's resolutions, witnesses have the right to request to be heard in confidence, described as being in camera. It is important that witnesses give the committee notice if they intend to ask to give evidence in camera. If you are a witness today and intend to request to give evidence in camera, please bring this to the attention of the secretariat as soon as possible. If a witness objects to answering a question, the witness should state the ground upon which the objection is taken and the committee will determine whether it will insist on an answer, having regard to the ground which is claimed. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may, of course, also be made at any other time.

I remind senators and officers that the Senate has resolved that an officer of a department of the Commonwealth or a state shall not be asked to give opinions on matters of policy and shall be given reasonable opportunity to refer questions asked of the officer to superior officers or to a minister. This resolution prohibits only questions asking for opinions on matters of policy and does not preclude questions asked for explanations of policies or factual questions about when and how policies were adopted.

With the formalities over, I welcome everybody here today. I welcome representatives of the Australian National Audit Office. Thank you for talking with us today. The committee has received your submission, No. 15. Would you like to make a brief opening statement?

Mr Hehir : No, thank you.

Senator KAKOSCHKE-MOORE: Thank you for your submission. I want to go to the issue of where the ANAO identify a possible corruption or misconduct risk in the process of your examinations. If you do identify a risk—it could be a risk in a process that is being employed by a department that could leave it to open to exploitation—what would you do with that information?

Mr Hehir : In the normal course of our financial audit work, we, as a matter of procedure, undertake review activity to determine whether there is a risk of fraudulent activity which may have a material impact on the financial statements. In every audit, we undertake a process of reviewing the frameworks and activities and actions of agencies with respect to managing fraud risk. In our most recent report to parliament on our financial audit activities, which is called the controls report and was tabled last week, I think, we make reference to the work that we undertook on the 25 major entities that make up the majority of public sector expenditure. We talk about the fact that we have done that work and that, in undertaking that work, we found that all of the entities had risk plans in place, they were up to date, they were being implemented and none of the agencies were identified as having a high risk of fraudulent activity impacting upon their financial statements. That is a bit of background.

If we identify that there are risks in their framework, we provide a report to the agency. They are called findings and, depending on the risk, they are an A, B or C finding. We rate them according to the likelihood of them having a high impact on the financial statements. Then, for A and B findings, they would be reported to parliament in either our controls report, which was put out last week, or our end-of-year final report to parliament on the financial statements of all entities. In the unlikely event that it was a risk of material misstatement, that would become a qualification on the accounts and it would be brought to the attention of parliament, ministers et cetera through the financial statement opinion.

Senator KAKOSCHKE-MOORE: I am just trying to get my head around the way that these reports work. So you have a findings report and then—

Mr Hehir : We are doing work in this context to determine whether the financial statements fairly represent the financial position of the entity. The main report on that is the report to the accountable authority, which appears in their annual report, which is a statement by the Audit Office about the quality of the financial statement. Either they fairly represent or there is a qualification over it. Underneath that, we provide a report to management which sets out any issues that we have found in our audit work which pose risks to the fair representation of the financial position of the agency and we work with them to resolve those risks. If they are higher level risks—that is, A or B findings—we report those to parliament in an aggregate report. So it cascades from reporting to entities and accountable authorities up to parliament, in a grouped-up response.

Senator KAKOSCHKE-MOORE: So the A or B risks would still be communicated back to the entity?

Mr Hehir : Back to the entity in the first instance and then to parliament, twice a year, effectively.

Senator KAKOSCHKE-MOORE: How many of these higher level risk reports have you produced in the last few financial years?

Mr Hehir : With respect to fraud?

Senator KAKOSCHKE-MOORE: Yes, with respect to fraud.

Mr Hehir : I am sorry, I could not answer that precisely—very few, I would say. I can take that on notice and let you know, but it would be a handful or less, I would think.

Senator KAKOSCHKE-MOORE: If through your examinations you identify something that causes you concern, an A or B risk, do you ever get to the point where you would not only classify it as a risk but identify that something untoward has happened and that there could have been maladministration?

Mr Hehir : In our financial audit work, it is possible, but usually we are working at a framework level there. We are looking at how effectively the agency implements its fraud prevention framework and we are also looking at what they do when they identify fraud underneath that. It is not just that they have a framework in place, but that they are implementing it and, when they identify potential fraud or actual fraud, that they are taking action to deal with it. So we go to that level.

We are more likely to identify misconduct or fraud when we do performance audit work, because we do a deeper dive into the activity of an agency in that work. In those cases, and I point out a few of these examples in our submission, if we identify something that looks like misconduct or fraud type activities then we do not investigate it any further once it is identified. We go to an appropriate investigatory entity, which is an integrity body in some circumstances, or just to the accountable authority, depending on the nature of it. We inform them of the issues that we have raised and then they deal with those issues.

Senator KAKOSCHKE-MOORE: And how do you go about following up with the entities on their success in remedying the risks that you have identified? Are they required to report back to you within a certain time frame?

Mr Hehir : With respect to the financial audit work, they would usually go on to their audit committee's work program, which would follow them up. We sit in on all of the audit committees and follow them up. Because we report on it every year, if it is not resolved then it is left open and it is reported on the next year and we keep doing that. Normally those types of issues, and I am talking in the fraud or misconduct area here, unless they are really significant system changes, are usually resolved within 12 months.

Senator KAKOSCHKE-MOORE: And just generally speaking, does the ANAO ever receive tip-offs or disclosures from members of the public about activity that concerns them, that they think you should investigate?

Mr Hehir : With respect to our performance audits, when we commence a performance audit we put it on our website and we basically tell the community that we are open to any information that they would like to give us about what we are auditing. We do receive in that context—rarely, but it does happen maybe a couple of times a year—commentary from the public raising areas of concern around the conduct of public servants in the delivery of services. When we get that we would almost always do some work to determine whether, on the face of it, we should pass it on to the integrity body. If it looks quite serious, we would pass it straight to the relevant integrity body. It depends on the nature of how the issue is raised with us. If there is a lot of evidence that they are giving us, we would just pass it straight to the appropriate body.

CHAIR: I have questions related to your submission. In the third last paragraph, you talk about the provision for the Attorney-General to issue a certificate that provision of information would be contrary to the public interest. Does the joint parliamentary committee have oversight of those issues as well, or is it just the Attorney-General?

Mr Hehir : Under my legislation, the Attorney-General is the only individual who can prevent me from publishing information by issuing a certificate. So the public accounts committee is largely who we report through. They would not normally be in a position—

CHAIR: Would they know?

Mr Hehir : Know that the—

CHAIR: That a certificate has been issued in a matter?

Mr Hehir : Yes, it is required to be made public.

CHAIR: Has there been any instance where the committee has sought to question such a certificate having occurred?

Mr Hehir : I am not aware that there has ever been a certificate. Under the act, there is normally a set number of issues where I have to turn my mind as to whether it is in the public interest to disclose things. Usually, the discussions tend to happen between me and the accountable authority in the agency. They raise concerns and we talk it through and it is resolved one way or another. I think it would be quite extraordinary to get to a stage where a certificate would have to be issued.

CHAIR: Thank you for the description of your financial audit work. That is very useful to the committee. I think it is reasonably clear that your work is focusing on the risks to financial statements, but I am interested to know whether you have identified any gaps or vulnerabilities in our broader integrity framework that would be useful for the committee to understand. We have already had some discussions with the Australian Electoral Commission and it is clear that there are some areas where some tightening of arrangements may be a good thing there. But, from your work looking at financial statements, I am curious if there are any areas you think we should be looking at more closely.

Mr Hehir : I have not seen any area where, when we identify an issue, there is not clearly a body where you can take it to to do further work—whether that is the Australian Federal Police or a particular integrity body set up. In defence or security areas or in areas of misconduct it tends to be the accountable authority we would raise it with. In my time in that role when that has happened—and there have only been a handful of times—I have found that we do not have any evidence that issues are not appropriately addressed. What I mean by 'do not have any evidence', when we deal with accountable authorities they tend to tell us that they did something and what they did to address the concern that we raised. From that point of view, I have not seen a gap.

CHAIR: How many different authorities would you deal with?

Mr Hehir : What type of authority—sorry?

CHAIR: In seeking to address a matter that might relate to corruption, integrity or mismanagement.

Mr Hehir : The accountable authorities for the entities. There are 250 entities, so all of their accountable authorities: the AFP, the Law Enforcement Integrity Commission, the Inspector-General of Intelligence and Security—

CHAIR: So I think what we have loosely described as our 24- or 25-odd integrity agencies as well as the relevant department.

Mr Hehir : Yes.

Ms Mellor : It does depend on what we are auditing, though. In the act the information the Auditor-General collects is confidential to the audit and there is a permission to the Auditor-General to release information to the AFP. Certainly the information we are gathering comes from an accountable authority's business. So we can discuss it with them. But the nature of the work—between performance audits and financial audits it will be different—will lend itself to where you would take something if it arose.

CHAIR: The Commonwealth Ombudsman has suggested that one way of improving the current system would be to assign a lead coordination role. One of the issues I am exploring here is the suggestion that part of the argument for a national integrity commission is the suggestion that there is a public perception that matters do not necessarily go anywhere because of the 'multifaceted approach'—the government's current description of our integrity framework. Do you have a view about whether that would assist the process?

Mr Hehir : It depends on what the lead role was to do. As I said previously, I have not come across a situation where it was not clear to me who I should go to with an issue. So I am not certain what a lead role would do in that context.

From the context of the work that we undertake—and it is something that I raise in the submission—one concern for me would be the impact of a framework where a body could prevent me from undertaking my activities in supporting accountability to parliament by having the authority to say that I cannot do certain work because they are doing it et cetera. Is that likely to occur? Within the bodies that we tend to deal with in that framework, which are largely the ombudsman and the Inspector-General of Taxation, we tend to just coordinate activities. If someone is doing a piece of work in an area, the other body tends not to do anything, because why would you duplicate effort?

CHAIR: So your preference is discretionary rather than mandatory reporting.

Mr Hehir : No. We would report everything anyway.

CHAIR: No, I am talking specifically about your comments in relation to mandatory reporting of corruption matters. That is where I saw your reservation in your submission.

Mr Hehir : What I was trying to do there was point the committee to some of the debates that have happened in other jurisdictions around those issues. I worked as Auditor-General in New South Wales, where under the ICAC legislation there was mandatory reporting, and did not find that a major impediment to our activity. I doubt it would be a major impediment here, because we would do it in any event. We are not an investigatory body, so, if we come across anything which would fall within the mandate of the activities covered by another integrity body which has those powers. We would pass it on to them in any event.

In the strict sense in the audit world, we would see those types of things as an infringement upon the independence of how we can carry out our work. A general proposition of auditors would be that we prefer not to have that, but I would not call that a significant issue for us, because it would not change our practice.

CHAIR: Okay. One of the criticisms raised with us with respect to the current system is that agencies like yours do not have a core focus on corruption and, in a sense, your purpose is not to reduce the likelihood of corrupt conduct per se. With your experience, Mr Hehir, from New South Wales, where there is an ICAC, what difference do you think that makes?

Mr Hehir : I think the existence of an ICAC probably in the operations of the Audit Office puts into sharper focus who you report all of these things to. Again, as I said, we identify the appropriate body in any event.

CHAIR: I understand your comment there, but I am thinking more from the public perception end as well. The suggestion is there is a loss of confidence in our processes. It is one thing for you to know which is the relevant agency; I think I have questioned whether even some of our members of the House of Representatives would necessarily be in a good position to easily refer a matter that a constituent might bring forward. Is it too complex?

Mr Hehir : I am hesitating on making a judgement on something we have not done any work in. As auditors, we tend not to like to speculate on things.

CHAIR: I understand.

Mr Hehir : My only observation would be that, where you have integrity bodies, they seem to find issues. Whether those issues would be found in the normal course of events, I have not done or seen any work which leads you to a view either way. Again, I find it difficult to speculate on whether or not they increase public confidence. I am sorry.

CHAIR: That is fine. Let's apply that test to the Audit Office. Your submission points out that the Audit Office was the first of our integrity agencies to be established. Does it make a difference?

Mr Hehir : We would argue that there is a fair amount of evidence that the integrity of financial reporting, which is one of our core roles, is substantially enhanced by the oversight provisions that we undertake. The fact that we are there and people know we are there checking and making sure that systems and processes are robust and reporting is accurate, I would argue, does improve the quality of it. On the performance auditing side, the fact that people know that we are going to come in and check on the performance efficiency, effectiveness, economy and ethical activities within agencies is an important component in the framework of providing assurance to parliament of how well government works in those areas. I would hope that we make a difference there.

CHAIR: One of the matters that we have discussed with the Federal Police is some of the work they have been doing since the Fraud and Anti-Corruption Centre was established in around 2014. They indicate that a fair degree of their work is around working with departments and agencies on improving their risk-management processes and handling cases or matters themselves. Have you seen any improvement over that period in the departments that you deal with?

Mr Hehir : I have been in the role for two years.

Dr Ioannou : It is not coming immediately to mind that we have done any work specifically in that area to try to measure improvement. We have done a variety of work over the years around, for example, entities' internal fraud control in the performance audit space. We observed quite an active community of practice led in part by the Attorney-General's Department, which of course has the policy-owner role. We observed that, where entities were active in that community of practice, they tended to have a more mature internal set of fraud control arrangements, for example. I think the main learning there is to keep abreast of the requirements and the more recent thinking in the community of practice. Compare notes, stay active and keep working the problem continuously. They seem to be the key preconditions for at least having a reasonable prospect of success on the prevention side, because prevention is the thing that is being emphasised more these days around fraud control.

CHAIR: Thank you.

Senator GALLAGHER: I noticed that your submission said:

Existing Commonwealth integrity bodies are subject to review by the Auditor-General, including annual audits of their financial statements and periodic performance audits.

Have you done periodic performance audits on the integrity bodies?

Mr Hehir : Yes.

Senator GALLACHER: I had a look through as much as I could. I went back a few years. Have you ever done a system- or government-wide review of how the integrity functions are operating alongside each other?

Dr Ioannou : No. We would tend to look at a single entity. We look at the efficiency and effectiveness of their systems—whether they are meeting their purpose well in a performance audit sense.

Ms Mellor : System-wide, when we do it, there is a framework to audit against. Behind the question, the contemplation of a system-wide performance audit of integrity bodies would require us to think about what is the framework of performance that we are actually looking at. When we do one entity, we look at their purpose, their performance indicators and the legal and internal frameworks that they operate under. To do that across would require quite a deal of thinking about what is the framework that you are doing it to, because their purposes can be quite different.

Senator GALLAGHER: Yes, sure. I guess I was looking at it from the point of view of whether, if I were in government and had that many various integrity agencies, the coordination and integration of them—notwithstanding the fact that they have specific roles—were working as effectively as they could be. With some of the issues that have been raised, there is no clear path for reporting that everyone necessarily understands, and perhaps there are some crossed functions where there is an overlap. That is why I asked the question about whether there has been any kind of look across the board at how they all interrelate and function and whether that is the most effective way of managing integrity across government agencies.

Mr Hehir : Certainly we have not undertaken that work.

Senator GALLAGHER: Yes, but you have done it on individual agencies and on individual integrity arms—is that right?

Mr Hehir : And for different things. For example, we have an audit of the Federal Police at the moment, looking at how they deal with mental health issues in their staff, so it is on activities like that.

Ms Mellor : We looked at their training around the use of arms last year.

Dr Ioannou : There are two types of audits, and they are often cross-entity ones, as we say. As Mr Hehir and Ms Mellor said, often we will look at the entities as entities and their application of various frameworks, such as the cybercontrol framework et cetera. Then there are thematic audits, such as the one I mentioned on fraud control, where you will look at, say, a selection of entities and their application of framework requirements, but you will also look at the policy owner's administration of the framework across the system. So, to that extent, we do look across the system, but it tends to be in terms of a policy owner's administration of a particular framework, such as A-GD's administration of, say, the fraud control framework.

Senator GALLAGHER: Yes, sure. But there is nothing to stop you, say, looking at how fraud, corruption and misconduct are dealt with across every government entity, if you wanted to. It would be a big piece of work, I accept.

Mr Hehir : The thing that would probably stop us would be the scale of the piece of work and whether, for us, it was an achievable task to do something of that scale and that complexity and draw a conclusion from it. That would be the challenge for us.

Senator GALLAGHER: Thank you.

CHAIR: Thank you very much. I do not think there are any further questions. Thank you for your attendance this morning.