Senate debates

Monday, 24 June 2024

Auditor-General's Reports

Report No. 42 of 2023-24

5:16 pm

Paul Scarr (Queensland, Liberal Party, Shadow Assistant Minister for Multicultural Engagement)

In respect of the Auditor-General's report No. 42 of 2023-24, Financial statements audit: interim report on key financial controls of major entities, I move:

That the Senate take note of the document.

This is quite a concerning report that has been prepared by the Auditor-General. I used to sit on the Joint Committee of Public Accounts and Audit, and I have great regard for the audit process which is undertaken by the Australian National Audit Office. I note that there are some key findings in the review which has been undertaken of the governance arrangements and internal control frameworks of Commonwealth entities. This is extremely important. These are entities which are given budgets of hundreds of millions of dollars, and in some cases billions of dollars, of taxpayers' money, and it is absolutely crucial that they have in place governance arrangements which are proportionate to those funds which they are managing. There were some deeply concerning matters raised in this report, which is quite extensive, and I want to run through some of those.

The first is in relation to key management personnel turnover. I quote from paragraph 6 of the report's executive summary:

From 1 July 2023 to 31 January 2024—

so that's in a period of just seven months—

there was a turnover of KMP—

key management personnel—

in 85 per cent of entities. The average rate of turnover at these entities was 21 per cent.

So more than one-fifth of the key management personnel were turned over at those organisations in a seven-month period. That is deeply concerning, and it raises questions as to what is happening at those organisations.

Second, paragraph 7, with respect to audit committee performance, says:

Seventy-seven per cent of entities had undertaken a recent review of the effectiveness of their audit committee.

The corollary is that 23 per cent of entities hadn't, and I query what those organisations are doing if they haven't undertaken a recent review of the effectiveness of their audit committees. The paragraph continues:

These reviews—

from the ones who did the reviews—

mainly relied on self-assessments of committee performance by audit committee members …

Well, self-assessment by the members of the audit committee themselves—and the audit committee is absolutely key to internal controls within these organisations—doesn't really cut the mustard. You actually need to have an independent review of the performance of the audit committees.

Then I move on to some other concerning findings. Seventy-seven per cent of entities did not meet all of the relevant requirements under the Protective Security Policy Framework, which contains the essential eight mitigation strategies and controls to mitigate cyberthreats. We then find out, in paragraph 13, that 22 of the 27 entities included in this report indicated they collected personal information and, therefore, were required to comply with the requirements of the Privacy Act and the Australian Privacy Principles, but 41 per cent of entities had not assessed their compliance with the privacy requirements under the APPs. Forty-one per cent is nearly half of the entities, so maybe 10 out of the 22 had not even assessed their compliance with the Australian Privacy Principles. It's hard to understand why that would be the case.

Lastly, my friend and colleague Senator Canavan will remember the Queensland payroll debacle from 2010, as will you, Acting Deputy President McGrath, when an initial payroll contract to put in place a new payroll system for the Queensland department of health blew out from an initial contract of A$6 million to A$1.4 billion. Just reflect on that: the initial contract with IBM blew out from A$6 million to A$1.2 billion. It's an example used of how not to manage large IT projects. In that context, I note that the compliance of the organisations with the standards we'd expect with respect to software development and implementation is wanting in some organisations, and that is a cause for concern.

I seek leave to continue my remarks later.

Leave granted; debate adjourned.
