Annual Report 2016-17

Accountability and Scrutiny - Annual Report 2015-16


External audits

In 2015-16 the Australian National Audit Office (ANAO) tabled 5 performance audit reports involving the department, making a total of 9 recommendations. The department agreed with all recommendations relevant to the department. ANAO representatives were invited to attend all Audit Committee meetings as observers.

In some cases ANAO recommendations directly involved the responsibilities of policy departments. As the service delivery department, we worked with policy departments to help them effectively respond to the recommendations.

The Joint Committee of Public Accounts and Audit is required by the Public Accounts and Audit Committee Act 1951 to examine all Auditor-General reports that are tabled in Parliament.

The department was required to attend public hearings of the committee relating to the following ANAO audits:

  • Report No. 25 2014-15: Administration of the Fifth Community Pharmacy Agreement, resulting in Report 451: Community Pharmacy Agreements
  • Report No. 37 2014-15: Management of Smart Centres’ Centrelink Telephone Services, resulting in Report 452: Natural Disaster Recovery; Centrelink Telephone Services; and Safer Streets Program

For more information about ANAO audit reports see Appendix C.

Commonwealth Ombudsman

In 2015-16 the Commonwealth Ombudsman approached the department in relation to 777 investigations. This is a decrease of 3.4% compared to 2014-15.

The Ombudsman published three section 15 reports involving the department. For more information see Appendix C.

Freedom of information

In 2015-16 the department had an Information Publication Scheme page on its website (see Appendix D).

During the year the department received 4,667 Freedom of Information (FOI) requests for documents. This represents a 4% increase on the previous year. The department received 38 requests for amendment or annotation of personal records. There was also a decrease of 4% in the number of complex requests seeking non-personal information.

Taking into account cases pending from previous years, 4,624 requests were finalised. Of these requests:

  • applicants withdrew 902 requests before decisions on access were made
  • full access was granted in 1,719 cases
  • part access was granted in 1,492 cases
  • access was refused in 494 cases
  • 17 cases were transferred to other agencies

Reviews of freedom of information decisions

In 2015-16 the department received 95 FOI requests for an internal review of access decisions and amendment decisions. Of the reviews of access decisions completed in 2015-16, and taking into account requests pending from previous years, 33 requests resulted in access or part access. The original decision was affirmed in 42 of the reviews completed compared to 40 in 2014-15.

Office of the Australian Information Commissioner

During the year the Office of the Australian Information Commissioner (OAIC) published one review decision in relation to applications for review of FOI access decisions made by the department. This review affirmed the department’s decision.

Personal information requests

The department provides various ways for people to access their own information including through our online services.

We also respond to requests for personal information in the public interest and under specific provisions in the legislation we administer.

In 2015-16 the department processed 105,687 personal information requests compared to 136,838 in 2014-15, a decrease of 23%.

Judicial decisions and tribunal appeals

In 2015-16 there were no judicial decisions that had a significant impact on the operations of the department.

A large number of the department’s decisions are subject to merit review by the Administrative Appeals Tribunal. For more information see Merit reviews.


Internal audits

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

The department completed 59 internal audits in 2015-16. Every 6 months the department develops a rolling Audit Work Programme that establishes internal audit priorities for the coming 12 months. The programmes for 1 July 2015 and 1 January 2016 were developed in consultation with the Audit Committee and the Executive and were approved by the Secretary.

Internal audit priorities are based on the ‘3 lines of defence’ model that positions the Audit Division as the department’s independent assurer (the ‘third line’). Consistent with the Audit Committee’s mandatory functions under the Public Governance, Performance and Accountability Act 2013, audits focus on enhancing the effectiveness of the system of risk oversight (the ‘second line’) so that improvements flow to wider areas of the system of internal control (the ‘first line’).

Managing internal fraud

The department has a zero tolerance approach to fraud and takes internal fraud control seriously. Our fraud detection programme takes a multifaceted approach that includes internal data-matching, risk profiling and environmental scanning. To support fraud prevention our fraud awareness strategies promote key messages about how we identify and report suspected fraud, staff responsibilities, and awareness of current and emerging risks.

The department’s 2015-16 Fraud Control Plan provides assurance that the department’s identified fraud risks are managed appropriately. The Fraud Control Plan meets the department’s responsibility for compliance under section 10 of the Public Governance, Performance and Accountability Rule 2014 and the Commonwealth Fraud Control Framework 2014. The plan ensures that the department takes a comprehensive strategic approach to fraud risk, and that all reasonable measures are in place to prevent, detect and deal with fraud.

The department uses a range of strategies to prevent and respond to internal fraud including:

  • fraud control planning, monitoring and reporting
  • a Fraud Strategy Statement to which all staff are required to adhere
  • internal and external reporting mechanisms
  • collecting and analysing information and data to detect fraud
  • receiving and analysing allegations from internal and external sources
  • testing and analysing the effectiveness of fraud controls, and making recommendations where appropriate to strengthen controls to prevent and detect fraudulent activity
  • conducting investigations in accordance with Australian Government Investigation Standards

Substantiated incidents of internal fraud are referred to the Commonwealth Director of Public Prosecutions (CDPP) for consideration of criminal prosecutions. The department also considers the need for administrative action against breaches of the Australian Public Service Code of Conduct (see Standards of behaviour).

The department promotes fraud prevention and awareness to staff across the organisation. Activities include:

  • Fraud Awareness Week, including articles and executive messaging on fraud
  • mandatory fraud awareness training
  • tailored fraud awareness communication activities and presentations
  • an Intranet page linking all relevant awareness information and tip-off forms

Business continuity

The department has a Business Continuity Programme based on the international standard BS ISO 22301:2012 Societal security: Business continuity management systems requirements.

The 2016 Business Continuity Policy has refined the scope of the Business Continuity Programme. This is a direct outcome of the programme’s increased level of maturity and is intended to align more closely to departmental requirements.

The 2015-16 Business Impact Analysis supports development of business continuity plans under this revised scope. The endorsed validation programme formally tests the business continuity plans to confirm the response and recovery arrangements.

The progress of business continuity activities is reported monthly to the department’s Risk, Business Continuity and Security Committee.

Corporate records management

The government’s Digital Continuity 2020 Policy promotes a consistent approach to information governance. The department has increased its digital record-keeping capability and continued the transition to entirely digital work processes. In 2015-16 the department’s online and self-service capabilities led to further reductions in the volume of paper received. When the department receives paper records they are digitised as much as possible.

Internally the department is focused on creating and maintaining administrative records digitally and reducing reliance on paper records. During the year, the department continued to consolidate existing warehouse storage facilities to improve the efficiency of records management services.

Information management

Data collected by the department assists in determining eligibility for social and health-related services and payments. The data helps the department and other agencies to understand our service delivery and programmes. In addition, ad hoc data is provided to both internal and external stakeholders. The department’s website contains statistical information and data. Users can also make requests for these via the website.

Beyond this direct activity, our data sets are also used to support a broader government agenda framed by the recommendations of the Public Sector Data Management Project (Department of the Prime Minister and Cabinet) and the release of the Australian Government Public Data Policy Statement. The use of the data sets for other purposes occurs within the strict boundaries of legislation, with a primary focus on privacy. The department:

  • publishes de-identified data to the website and has increased the number of published data sets from 6 to 12 during 2015-16
  • plays a key role in the Multi Agency Data Integration Project, which will result in the creation of an enduring, linked, de-identified and publicly-accessible research data set made available to researchers through safe and agreed access arrangements
  • develops its data analytics capability by investing in staff to build a workforce that better understands the value of data in strengthening its evidence base to help design more effective policy and services that improve people’s lives. As part of this, the department will offer a professional pathway in data analytics for the first time in 2017

Safeguarding privacy

Customer records and personal information

The department is committed to protecting the privacy of customers and staff. We have comprehensive processes to protect personal information. Our privacy framework is guided by the Operational Privacy Policy, which includes a number of requirements that staff must comply with. The policy reinforces that:

  • all staff acknowledge their privacy and confidentiality responsibilities every year
  • privacy incidents must be reported as soon as they are identified

Personal information related to the administration of the department’s programmes and services is protected by the Privacy Act 1988 and the secrecy provisions in the various laws under which services are delivered, for example, the Social Security (Administration) Act 1999. Requests for personal information are considered under the Australian Privacy Principles and relevant secrecy provisions.

Privacy impact assessments

As new projects and programme improvements are developed, the department considers their potential impact on privacy. Under the Operational Privacy Policy, privacy impact assessments are used to:

  • minimise privacy risks and impacts
  • ensure compliance with legal obligations
  • ensure the department’s commitment to safeguarding customer privacy is met

Privacy incidents

The department investigates all privacy complaints. Escalation and reporting processes minimise the effects of any substantiated privacy incident. In 2015-16 the total number of substantiated privacy incidents was 797, which is 59% fewer than in 2014-15.

Compensating customers

In 2015-16 the department received 2,101 customer compensation claims compared to 2,820 claims in 2014-15. Claims are paid when the department is legally liable to pay compensation, or under the Scheme for Compensation for Detriment Caused by Defective Administration.

The department approved a total of 1,393 customer compensation claims in 2015-16. This represents 57% of all determined claims compared to 47% in 2014-15.

The department aims to process customer compensation claims within 90 days. In 2015-16, 85% of claims were completed within 90 days compared to 86% in 2014-15.

Risk management

Risk management is integral to the department’s strategic and operational environment. Our governance framework and planning processes reflect this.

The department’s Enterprise Risk Management Policy and Risk Management Framework outline the vision, direction and guiding principles of our risk management approach. The policy and framework are consistent with the international risk management standard AS/NZS ISO 31000:2009 Risk Management: Principles and Guidelines, and the Commonwealth Risk Management Policy. The policy and framework are reviewed annually to ensure compliance with better practice.

Strategic risks are identified and developed during the strategic planning process through consideration of the department’s risk environment, wider factors impacting the government and the Australian Public Service, and the department’s operational risks.

The department has 10 enterprise-wide strategic risks:

  • implementing government initiatives
  • service delivery and customer service
  • protecting staff, assets and customers on our premises
  • integrity of government outlays
  • progressing strategic priorities
  • providing good customer service
  • protecting customer information
  • ICT capability
  • delivering policy advice and working collaboratively with others
  • attracting and developing staff

As part of our business planning cycle, operational risks are also identified across the department. Senior executive staff manage operational risks and report on them regularly.

Strategic and operational risks are reported on to the department’s Risk, Business Continuity and Security Committee. The Audit Committee’s functions include reviewing the appropriateness of the department’s system of oversight and risk management.

To assist in managing risks associated with urgent or high-profile incidents and issues, the department has a system for quickly informing relevant stakeholders.

Comcover risk management

In 2015-16 the department participated again in the annual Comcover Risk Management Benchmarking Programme, providing an opportunity to measure the department’s capability using a flexible risk maturity model. Comcover rated the department as having an ‘advanced’ risk maturity level. This maturity level reflects the department’s commitment to sound risk management and its integration with its operational capabilities.

Page last updated: 5 July 2018