Accountability and scrutiny


External audits

In 2014-15 the Australian National Audit Office (ANAO) tabled 5 performance audit reports involving the department. The department agreed with all recommendations. One recommendation, arising from the ANAO’s performance audit of the Management of Smart Centres’ Centrelink Telephone Services (Report No. 37 2014-15), was agreed with qualifications about the resources required to implement the recommendation. The Audit Committee was responsible for monitoring the implementation of ANAO recommendations. ANAO representatives were invited to attend all Audit Committee meetings as observers.

In some cases ANAO recommendations directly involved the responsibilities of policy departments. As the service delivery department, we worked with policy departments to help them effectively respond to the recommendations.

The Joint Committee of Public Accounts and Audit is required by the Public Accounts and Audit Committee Act 1951 to examine all Auditor-General reports that are tabled in Parliament. The department was required to provide a response to the committee in 2014-15 relating to the ANAO audit of Trials of Intensive Service Delivery (Report No. 40 2013-14) and attend public hearings of the committee relating to the following ANAO audits:

  • Report No. 26 2013-14: Medicare Compliance Audits
  • Report No. 27 2013-14: Integrity of Medicare Customer Data
  • Report No. 50 2013-14: Cyber Attacks: Securing Agencies’ ICT Systems

For more information about ANAO audit reports see Appendix E on page 264.

Commonwealth Ombudsman

In 2014-15 the Commonwealth Ombudsman approached the department about 804 investigations. This is a decrease of 2.9% compared to 2013-14.

The Ombudsman published 1 section 15 report involving the department. For more information see Appendix E on page 267.

Freedom of information

The department has an Information Publication Scheme page on its website—see Appendix H on page 275.

During the year the department received 4,477 Freedom of Information (FOI) requests for documents—a 2.5% increase on the previous year. The department received 42 requests for amendment or annotation of personal records. The number of complex requests seeking non-personal information fell by 19.4%.

Taking into account cases pending from previous years, 4,489 requests were finalised. Of these:

  • applicants withdrew 974 requests before decisions on access were made
  • full access was granted in 1,702 cases
  • part access was granted in 1,374 cases
  • access was refused in 430 cases
  • 9 cases were transferred to other agencies

Reviews of freedom of information decisions

In 2014-15 the department received 85 FOI requests for an internal review of access and amendment decisions. Of the reviews of access decisions completed in 2014-15, and taking into account requests pending from previous years, 27 requests resulted in access or part access. The original decision was affirmed in 40 of the reviews completed compared to 52 in 2013-14.

Office of the Australian Information Commissioner

During the year the Office of the Australian Information Commissioner (OAIC) published 15 review decisions in relation to applications for review of access decisions made by the department. Five of those affirmed the department’s decision and 10 varied, set aside or substituted the department’s decisions.

On 2 December 2014 the OAIC provided the department with its report following an own motion investigation. We are committed to continually improving service delivery in all areas of our business and have noted the recommendations in the Commissioner’s report and developed a plan to implement them.

Personal information requests

The department provides various ways for people to access their own information including through our online services.

We also respond to requests for personal information in the public interest and under specific provisions in the legislation we administer.

In 2014-15 the department processed 136,838 personal information requests compared to 132,663 in 2013-14, an increase of 3%.

Judicial decisions and tribunal appeals

In 2014-15 there were no judicial decisions that had a significant impact on the operations of the department.

A large number of the department’s decisions are subject to merit review by the Social Security Appeals Tribunal and the Administrative Appeals Tribunal. For more information see Merit reviews on page 101.


Internal audits

The department completed 39 internal audits in 2014-15 (including 15 audits that were carried over from 2013-14).

Every 6 months the department develops a rolling Audit Work Programme (AWP) that establishes internal audit priorities for the coming 12 months. The AWPs for 1 July 2014 and 1 January 2015 were developed in consultation with the Audit Committee and the Executive, before being approved by the Secretary.

The priorities are based on the ‘3 lines of defence’ model to ensure adequate coverage and prioritisation of assurance activities and alignment with corporate strategic risks. Regular audits of the department’s ‘first line of defence’—the system of internal control—are undertaken. A key focus is on improving the department’s risk oversight arrangements—the ‘second line of defence’. Internal audits are the department’s ‘third line of defence’.

In 2014-15 the AWP provided independent assurance on the department’s performance in managing strategic priorities, achieving operational objectives in line with organisational and legislative requirements, and ensuring that high standards of probity and accountability were met.

Managing internal fraud

The department takes internal fraud control seriously and our systems respond to fraudulent activity, including through data-matching programmes, links to criminal intelligence information and financial intelligence tools. Our fraud awareness strategies promote key messages about how we view fraud, how to report suspected fraud, and awareness of current and emerging risks.

As required under section 10 of the Public Governance, Performance and Accountability Rule 2014, which relates to managing the risk and incidents of fraud within Commonwealth entities, the department takes a comprehensive strategic approach to fraud risk assessments. This approach underpins our 2014-15 Fraud Control Plan.

The department uses a range of strategies to manage internal fraud including:

  • fraud control planning, monitoring and reporting
  • a Fraud Strategy Statement to which the department adheres
  • internal and external reporting mechanisms to enable reporting of internal fraud
  • collecting and analysing information and data to detect fraud
  • investigating incidents in accordance with Australian Government Investigation Standards

Substantiated incidents of internal fraud are referred to the Commonwealth Director of Public Prosecutions (CDPP) for consideration of criminal prosecutions. The department also considers the need for administrative action against breaches of the APS Code of Conduct.

The department promotes fraud prevention and awareness to staff across the organisation and activities include:

  • fraud awareness week including articles and executive messaging on fraud
  • mandatory fraud awareness training
  • screen savers on computers with fraud awareness images and key messages
  • an intranet page linking all relevant awareness information and tip-off forms

Business continuity

The department has a Business Continuity Programme based on the international standard BS ISO 22301:2012 Societal security: Business continuity management systems requirements.

In 2014-15 critical business functions for the department were developed into business continuity plans (BCPs) to support our response and recovery from potential business disruptions that may affect any of the critical functions. A formal programme thoroughly tests and regularly updates all BCPs.

The progress of business continuity activities is reported monthly to the department’s Risk, Business Continuity and Security Committee.

Corporate records management

The government’s Digital Transition Policy is moving Australian Government agencies to digital record keeping for efficiency purposes. We have continued to increase our digital record-keeping capability. In 2014-15 the growth in the department’s online and self-service capabilities resulted in further reductions in the volume of paper we received.

When the department does receive paper records the focus still remains on digitising them. Because the department relies less on paper records we have continued to consolidate existing warehouse storage facilities to improve the efficiency of our records management services.

Safeguarding privacy

Customer records and personal information

The department places emphasis on protecting the privacy of customers and staff. We have comprehensive processes to protect personal information. Our privacy framework is guided by the Operational Privacy Policy, which includes a number of requirements that staff must comply with. The policy reinforces that:

  • all staff must sign an undertaking outlining their privacy and confidentiality responsibilities every year
  • privacy incidents must be reported as soon as they are identified

Personal information related to the administration of the department’s programmes and services is protected by the Privacy Act 1988 and the secrecy provisions in the various laws under which services are delivered, for example, the Social Security (Administration) Act 1999. Requests for personal information are considered under the Australian Privacy Principles and relevant secrecy provisions.

Privacy impact assessments

As new projects and programme improvements are developed, the department considers their potential impact on privacy. The Operational Privacy Policy mandates the use of privacy impact assessments to:

  • minimise privacy risks and impacts
  • ensure compliance with legal obligations
  • ensure the department’s commitment to safeguarding customer privacy is met

Privacy incidents

The department investigates all privacy complaints. Escalation and reporting processes minimise the effects of any substantiated privacy incident. In 2014-15 there were 1,939 substantiated privacy incidents, which is 21% more than in 2013-14.

Compensating customers

Administrative errors

In 2014-15 the department received 2,820 customer compensation claims. This compares to 3,101 customer compensation claims received in 2013-14. Claims are paid when the department is legally liable to pay compensation, or under the Scheme for Compensation for Detriment Caused by Defective Administration.

The department approved 1,373 customer compensation claims in 2014-15. This represents 47% of all determined claims compared to 56% in 2013-14.

The department aims to process customer compensation claims within 90 days. In 2014-15, 86% of claims were completed within 90 days compared to 64% in 2013-14.

The most common reason for paying customer compensation is to reimburse people for financial losses caused by the department’s failure to follow proper procedure or to provide appropriate advice.

Risk management

The department’s Enterprise Risk Management Framework outlines the vision, direction and guiding principles of our risk management approach. The framework is consistent with the international risk management standard AS/NZS ISO 31000:2009 Risk Management: Principles and Guidelines.

In 2014-15 the department’s risk management policy and framework were revised following the commencement of the PGPA Act and are consistent with the new Commonwealth Risk Management Policy. This policy aims to embed risk management as part of the culture of Australian Government entities where shared understanding of risk leads to well-informed decision making.

The department has 10 strategic risks:

  • implementing government initiatives
  • service delivery and customer service
  • protecting staff, assets and customers on our premises
  • integrity of government outlays
  • progressing strategic priorities
  • providing good customer service
  • protecting customer information
  • delivering policy advice and working collaboratively with others
  • ICT capability
  • attracting and developing staff

As part of our business planning cycle, operational risks were also identified. Senior executive staff manage operational risks and report on them regularly.

To assist in managing risks associated with urgent or high-profile incidents and issues, the department has a system for quickly informing relevant stakeholders.

Comcover Risk Management Benchmarking Programme

In 2014-15 the department participated in the annual Comcover Risk Management Benchmarking Programme, giving us an opportunity to measure our capability using a flexible risk maturity model. Comcover rated the department as having an ‘advanced’ risk maturity level. This maturity level reflects the department’s investment in its risk management framework and the integration of its operational capabilities.

Page last updated: 5 February 2016
