Chapter 2 - Governance

  1. Governance

Data, risk assessments, policies and procedures, statements of expectation and intent

Introduction

2.1This chapter deals with aspects of regulator governance, in particular, how entities collect, use and manage data; the extent to which risk-based assessments of compliance are undertaken; the nature and extent of policies, procedures and plans for compliance management; and the existence of ministerial statements of expectations and regulator statements of intent.

2.2To set the context for regulatory responsibilities, the chapter first discusses the broad obligations on regulators with regard to these governance matters. The audits in the inquiry referenced regulatory performance criteria drawn from a number of sources including the Australian Government Regulatory Policy, Practice & Performance Framework (Framework), as well as the Department of Finance’s (Finance) resource management guides.

2.3The discussion in this chapter also draws on insights from the Australian National Audit Office’s (ANAO) Administering Regulation publication. This publication consolidates lessons from the ANAO’s audit work so as to promote their application more broadly across the public sector. It can often provide more informative insights than other guidance available.

2.4As to regulator performance on governance issues, the audits found a broad range of practices, both effective and not effective. The chapter discusses key evidence provided in the audits and received during the inquiry as to entities that performed well and poorly in terms of their collection and use of data. It examines the risk-based approaches taken by regulators including where entities demonstrated best practice and where there was no risk-based regulatory approach or where compliance activities were not demonstrably risk-based. Several of the audits found policies and procedures to support regulatory activities were deficient and the chapter discusses these findings. Finally, the chapter examines the appropriateness, in addition to thecomplete absence of, statements of expectations and intent.

2.5A risk-based regulatory approach requires: the collection, use and management of data; a risk-based assessment of compliance risk that focusses on the likelihood of harm; and policies and procedures that are contemporary, reflect legislative responsibilities, and provide for compliance that is informed by data and assessment of compliance risk. Regulators should also have in place a statement of expectations from their minister, and corresponding regulator statement of intent.

2.6Key insights of the ANAO’s audits in these areas is provided in the table below, and some of these issues are discussed further in this chapter.

Table 2.1Audit findings on regulator performance – Governance

Therapeutic goods

Aged care reforms

Migration agents

Trade measurement

GST fraud risk

Audit finding

Largely effective

Largely effective

Not effective

Partly effective

Partly effective

Data collection & management

Intelligence gathering and data analysis; information used to provide threat assessment[1]

Data warehouse updated to ingest reports on compliance[2]

Data not used to inform regulatory approach[3]

Shortcomings in accuracy and consistency of data[4]

Extensive collection and use of data; no aggregation of data across business lines for GST[5]

Risk-based approach

Risk-based strategic approach[6]

No structured risk analysis; plans to increase capability for risk profiling[7]

No risk-based regulatory approach[8]

Compliance activities not demonstrably risk-based[9]

No business line GST fraud risk assessments since 2020[10]

Policies and procedures

Most compliance plans and procedures out of date or in draft form[11]

Policies and procedures being developed but not finalised[12]

Policies and procedures out of date[13]

Gaps, overlays,inconsistencies in policies and procedures; not updated in a timely manner[14]

Fraud control and corruption plans not based on identified fraud risks; key artefacts not available[15]

Statements of expectations and intent

N/A

Statement of intent does not address aged care regulation[16]

No statement of expectations or intent[17]

No appropriate statement of expectations or intent[18]

N/A

Source: Australian National Audit Office

Framework policy advice

2.7The Framework, produced by Finance, contains principles that require regulation to be, amongst other things: evidence-based and data-driven; and risk-based, targeted and proportionate.[19] Advice on how this might occur comes from different sources including the Framework itself, in addition to Finance’s resource management guides.

2.8An evidence-based regulatory system requires regulators to plan for, collect and use evidence throughout the regulatory life cycle to deliver fit-for-purpose practice and performance outcomes.[20] Regulators, according to the Framework, should establish evidence-based and data-driven regulatory governance and management policies and practices.[21]

2.9According to the Framework, a risk-based approach identifies and assesses risk factors to develop and implement targeted solutions.[22] A risk-based approach allows for regulatory intervention that is proportionate, drives compliance and acts as an effective deterrent.[23]

2.10The Framework refers regulators to RMG 128: Regulator performance (RMG 128) for best-practice advice on taking a risk-based and data-driven approach.[24]

Resource management guide policy advice

2.11The best-practice advice contained in RMG 128 characterises risk-based approaches as:

  • informed by data, evidence and intelligence to allow regulators to properly assess the risks of non-compliance and respond in a proportionate way to the harm being managed
  • providing for the strategic management of risk and improving efficiency by prioritising resources to the areas of highest risk, thereby increasing compliance
  • requiring regulators to continually monitor the environment in which they operate to ensure the regulatory approach keeps pace with changes in technology, industry practices and community expectations.[25]
    1. In practice, Finance advises adopting a risk-based and data-driven approach means regulators would, amongst other things:
  • consider the risks, cost-effectiveness and impact of regulatory action
  • focus on risk culture within the entity, including by building staff understanding
  • build staff and organisational data capability and digital literacy
  • use intelligence and data to inform compliance and enforcement strategies.[26]

Audit office insights

2.13The ANAO states that risk-based compliance approaches require a robust process to understand which regulated entities, activities and individuals pose the highest risk of non-compliance with regulatory requirements. This assessment should inform the regulatory plans and the activities subsequently undertaken by the regulator.[27]

Data collection and management of information

2.14In its audit insight on administering regulation, the ANAO states that effectively assessing the risk of non-compliance so as to develop targeted compliance and enforcement strategies requires regulators to have accurate, integrated and reliable information on the entities and activities they regulate.[28]

2.15The audits uncovered variable approaches to data collection, management, and use. The ANAO found that while the Department of Home Affairs (Home Affairs) collected and stored data in its Migration Agents Regulatory System (MARS) about registered migration agents through the registration process, providers of continuing professional development (CPD), and complaints from a range of sources, it did not subsequently use this to conduct a documented assessment of risk.[29]

2.16An absence of guidance on recording information collected during trader audits in the Department of Industry Science and Resources’ (DISR) Trade Measurement Activity Recording System (TMARS) resulted in errors and inconsistencies in DISR’s data. Further, most issues identified in data quality reports were not being resolved, and those reports were not identifying all issues and inconsistencies.[30]

2.17While the Australian Taxation Office (ATO) made extensive use of data in risk assessment and detection, the audit found it did not collate or aggregate data from its various fraud detection methods in each business line to develop a ‘whole of GST’ (goods and services tax) product perspective of fraud.[31]

2.18The Department of Health and Aged Care (Health) gathered and analysed intelligence and engaged with other government entities in order to identify non-compliance related to the import and supply of therapeutic goods. In particular Health has an officer to gather and analyse operational information to help identify areas of compliance and enforcement action that will have the largest impact in disrupting non-compliant behaviour related to unapproved therapeutic goods.[32]

2.19The advice provided by Health to government on the aged care reforms had been informed by workforce data and modelling, notwithstanding the failure to complete a risk potential assessment tool. While some of the data that informed the modelling had methodological limitations, Health made attempts over time to improve the data. Further, both Health and the Aged Care Quality and Safety Commission (ACQSC) updated their systems to incorporate data on the new requirements into regulatory intelligence production.[33]

2.20To identify and address instances of non-compliance with the new aged care obligations, Health used data analytics to identify areas of highest risk, including comparisons of the cost of providing care minutes.[34]

2.21The ACQSC made use of data to formulate intelligence briefs that provide insights into service and provider risk and a view of sector performance over time. The ACQSC used data for risk profiling to assess the likelihood a provider was managing risks and making efforts to meet workforce-related responsibilities. It has used data to gain insights into causation and refined its profiling by comparing performance of geographically proximate services, expenditure on direct care, and trend data to target persistent sustained, unexplained poor performing providers.[35]

Assessment of compliance risk

2.22A compliance approach is a set of plans, policies and procedures that establish how a regulator will manage compliance with regulations. A risk-based compliance approach is characterised by the use of intelligence to target regulatory efforts at the areas of highest risk of non-compliance, and to respond in a proportionate way to the harm being managed. A risk-based compliance approach does not necessarily focus solely on compliance failure, but considers the harm that may result from compliance failure.[36]

2.23The following examines four cases from the audits and illustrates the different approaches entities have taken to assessing risk and targeting compliance:

  • Home Affairs’ failure to undertake and document assessment of risk
  • the National Measurement Institute’s (NMIs) failure to take a comprehensive risk-based approach to industry and trader selection, and its continuing practice of basing compliance on accuracy and efficiency rather than on harm
  • the ATO’s diffused model of risk assessment and its implications for a holistic view of GST fraud risk
  • Health’s risk-based compliance approach for unapproved therapeutic goods.

Home Affairs—Regulation of migration agents

2.24The ANAO found that notwithstanding a profusion of data upon which to draw, HomeAffairs had simply not undertaken and documented an assessment of risk consistent with the requirement for a risk-based approach to regulation. The ANAO judged that by taking a risk-based approach, Home Affairs would have been in a position to focus on a small proportion of agents where an educative approach would not be appropriate.[37]

2.25The audit made a recommendation that Home Affairs develops and maintains a documented risk assessment based on data, evidence and intelligence for its regulation of migration agents. Home Affairs agreed to this recommendation.[38]

2.26Home Affairs advised the Joint Committee of Public Accounts and Audit (Committee) it had subsequently assessed the risks of non-compliance with the legislation for which it was responsible and documented these in the 2024–25 OMARA (Office of the Migration Agents Registration Authority) Risk Register. Home Affairs stated it was in the process of developing risk treatments for each of the identified risks.[39]

2.27Home Affairs also advised the Committee in December 2024 it was ‘in the process of procuring a regulatory compliance specialist to assist with maturing OMARA’s regulatory framework’, and through this, a documented risk assessment would be developed.[40] No timeframe was indicated for the completion of this work.

2.28Home Affairs assured the Committee it understood an assessment of compliance risk enabled it to target regulatory activities to the areas of greatest impact.[41]

Department of Industry, Science and Resources—Trade measurement

2.29The ANAO found DISR’s regulatory approach was not fully and appropriately informed by an assessment of compliance risk and audits were not being effectively and demonstrably targeted to market sectors and traders at higher risk of regulatory non-compliance.[42] This was not a new finding—DISR had been aware of this issue for some time.

2.30In 2015, an internal audit found the risk framework for legal metrology[43] was ‘unsophisticated’. The framework did not specify the risks of non-compliance—specifically, the harm or detriment; and was not proportionate to risk. Rather than focussing on minimising harm, the NMI focussed on ensuring accuracy of measurement. Its risk framework was considered ‘ineffectual’ in directing compliance and enforcement activities to areas of high non-compliance. The audit noted ‘introducing a risk-based approach to regulation will require a significant program of change within the Legal Metrology Branch that will impact every facet of its operations and will require a strong change agent to drive these reforms’.[44]

2.31The internal audit made three recommendations and by June 2017, implementation of the recommendations was recorded as ‘complete’ with a delivery confidence of ‘high’. The ANAO found DISR had not in fact implemented any of the recommendations.[45]

2.32A similar approach to closing audit recommendations occurred following an internal audit completed in 2020. The audit found the selection of traders for audits may not have been targeting the areas of highest risk because there was no clearly defined methodology for trader selection. The NMI was advised by Internal Audit that to close the recommendation, the NMI would need to produce a methodology during the development of the 2021/22 Annual Program Plans. The recommendation was closed on the basis of the NMI providing a risk principles document. The document did not contain a methodology.[46]

2.33Notwithstanding the findings of the ANAO audit, DISR continued to maintain its approach to risk was ‘best practice’.[47] The Committee was told DISR had amended its regulatory risk assessment process to address ANAO concerns.[48] The ANAO was clear during the inquiry ‘our assessment here wouldn’t be characterised as best practice or even approaching best practice’.[49]

2.34The ANAO added that data it had obtained since the audit showed a continuing failure to focus compliance activities on areas assessed as high-risk. The majority of DISR’s compliance activities focus on low-risk assessments.[50]

Industry level risk assessments

2.35The ANAO found shortcomings in the NMI’s risk-based assessments upon which the targeting of market sectors and selection of individual traders for audit within the sectors being targeted should be based.[51] These included:

  • the 43 market sectors included in industry risk assessment calculations (spreadsheets) were only a subset of the 59 market sectors listed in DISR’s database[52]
  • more trader audits were completed in one excluded market sector than 70percent of the sectors contained in the spreadsheets[53]
  • there were shortcomings in the calculation of the numerical ‘risk factor’ used to rank the 43 market sectors which reduced the reliability of the rankings and the extent to which risk was being measured in terms of the harm of regulatory noncompliance, not just the likelihood.[54]
    1. DISR informed the Committee it had added several new datasets to its risk assessments.[55] These datasets appear to deal with the size and revenue of an industry. DISR stated larger industries possibly have a reduced likelihood of non-compliance due to greater resources for training (the resources for training was not identified as a dataset); and a high-revenue industry possibly carries greater potential for harm arising from non-compliance (there did not appear to be a dataset indicating whether high-revenue industries had a greater risk of non-compliance). DISR stated that since 2023, trade measurement inspectors have been collecting data on trader quality processes, such as the use of a quality management system. In 2026, DISR will review the dataset to determine if there is a relationship between trader quality processes and trader compliance.[56]
    2. Regardless of the quality and sophistication of the risk assessments, these are not the basis upon which the NMI targets its monitoring. DISR stated that when making decisions on target sectors, it ‘supplemented’ its data-driven risk assessment process with other information, including stakeholder feedback, trade measurement inspector feedback, consumer sentiment, consideration of broader government priorities, and operational constraints.[57] The relative weight given to these factors was not identified.
    3. The NMI’s legal metrology priorities for 2024–25 continues to specify compliance targets are informed by risk assessments for industry sectors and businesses, stakeholder feedback, current cost-of-living pressures, and anecdotal feedback from trade measurement inspectors.[58]
    4. The ANAO found it was not evident from the records it examined how DISR used the risk assessments as a key component when selecting industries for targeting in its ‘concentrated national audit’ and ‘compliance confidence’ programs.[59]
    5. There was ‘weak alignment’ between the assessed risk of a trader type and its selection for targeting under the concentrated national audit program.[60]
    6. The NMI did not use the industry risk assessment spreadsheet to identify target industries under the compliance confidence program, rather target industries were ‘determined with reference to the previous year’s targeted industries’ and industries or trader types previously non-compliant or subject to an enforcement action.[61] ANAO analysis found a moderate alignment between the selection of industries/trader types for targeting and the rate of non-compliance and enforcement actions in the previous years.[62]

Trader level risk assessments

2.42The ANAO examined trader-level risk assessments for DISR’s 2022–23 ‘Tare It’ program. It found shortcomings in the calculation of trader-level risk assessments, including the risk rating of datasets being offset by other datasets, resulting in a risk assessment at odds with guidance for other compliance programs; and incomplete lists of traders.[63]

‘Getting bang for your buck’ or efficiency

2.43DISR agreed to an ANAO recommendation that it put in place an improved approach to assessing the risk of legal metrology regulatory non-compliance at the industry and trader levels and a transparent process that reflects the assessment of risk for selecting industries for targeting under its annual National Compliance plans.[64]

2.44During the hearings, which were held more than a year after DISR had agreed to the recommendation,[65] the NMI explained that while small traders, like butchers and individual fruit-and-vegetable manufacturers, were groups at higher risk of non-compliance, it used the principle ‘getting more bang for buck’ to target larger traders that have a national footprint. ‘If we ensure that that cohort is doing appropriate measurement based transactions that are accurate, that outweighs the higher risk category of, for example, the butchers’.[66] This approach, targeting of large-footprint national retailers was considered, ‘a better outcome for the resources that we have’.[67]

2.45Further, DISR stated that a decision on whether to inspect a high risk trader was made on the basis of ‘“Have we visited them before? Have there been issues?” etcetera. For us, it's about the best utilisation of the resources that we have to drive maximum compliance’.[68]

Australian Taxation Office—Management of GST fraud risk

2.46The audit into the ATO’s management and oversight of fraud control arrangements for the GST found the ATO did not develop GST-specific fraud risk assessments:

  • the GST is administered by business lines structured around taxpayer types and each business line is required to identify, assess and manage GST fraud risks within its area of responsibility
  • there was no collation or aggregation of data from the various fraud detection methods in each business line to develop a whole of GST product perspective of fraud.[69]
  • an internal ATO audit found the ATO’s analysis and assessment of its GST fraud risks was ‘not holistic or based on robust evidence’
  • shortcomings in the conformance process, which provides an ATO-wide view on external fraud risks (including GST fraud risk) and their management, did not provide adequate assurance the ATO was complying with external fraud obligations[70]
  • at the business line level, there had been no fraud risk assessments relevant to GST fraud since 2020.[71]
    1. While the ATO’s existing practice was to consider GST fraud risk as part of its external and internal fraud risk assessments,[72] it agreed to a recommendation that it conduct and document assessments of its GST fraud risks regularly and ensure it had a contemporary and holistic view of its GST fraud risks.[73] The ATO subsequently advised the Committee it had completed a holistic GST fraud risk assessment in 2024.[74]
    2. The ATO has since redesigned its conformance process and combined this with the external fraud risk assessment process, which it advised ‘allows us to obtain a much broader scope of conformance information aligned to 10 external fraud sub risks as well as ATO business lines with specific external fraud accountabilities.’[75]
    3. The ATO has also developed a holistic GST intelligence strategy to improve the collection, integration, and dissemination of intelligence across the organisation.[76]

Department of Health—Therapeutic Goods Act non-compliance

2.50The audit found Health took a risk-based strategic approach to the management of non-compliance for unapproved therapeutic goods, and assessed risks to compliance through three key mechanisms: the departmental risk management framework; a Regulatory Compliance Risk Committee to promote consistency in the management of regulatory and compliance risks; and compliance risk assessments.[77]

2.51Health’s risk assessment to set advertising compliance priorities had focussed on advertising for 17 types of therapeutic goods and issues, and assessed the level of risk for each item of the therapeutic goods according to three factors—threat, vulnerability of the target audience, and harm.[78]

2.52Health’s ‘strategic threat assessment’ underpinning its 2022–23 compliance priorities rated the risk levels of the compliance priorities and emerging priorities; forecast whether the risk levels were stable or increasing; and provided information on key drivers behind each risk area and recommendations for updating compliance priorities.[79]

Policies, procedures and plans

2.53Contemporary and comprehensive policy, guidance and procedural documents are necessary for the sound governance of regulatory functions and ensure the delivery of regulation is consistent with the intended outcomes.[80]

2.54As discussed below, across the five entities that were subject to audit, the ANAO found shortcomings in the maintenance and updating of policies and procedures including:

  • Home Affairs’ policy, procedure and planning documents did not reflect changes to legislation or regulatory practices, and some had not been put into effect
  • an absence of policies and procedures at DISR led to concerns about the legality of some compliance activities
  • in the context of a dispersed management approach at the ATO, key policies and procedures were not available, and in some cases there was a lack of alignment within and between some documents
  • guidance materials and standard operating procedures were not completely finalised by Health and the ACQSC prior to implementation of new requirements in the aged care sector
  • there was a lack of maturity in the underpinning procedures and arrangements for Health’s risk-based compliance approach for unapproved therapeutic goods.

Home Affairs—Regulation of migration agents

2.55At the time the audit was conducted into the regulation of migration agents, the primary governance document supporting OMARA’s activities was a procedural instruction, issued in August 2016, and revised in May 2019. The 2019 document did not reflect significant legislated changes in the regulation of providers of immigration assistance or advice. It did not reflect aspects of the regulatory approach taken by Home Affairs including application of the current complaint risk matrix, implementation of the current early resolution model, and re-registration of agents for whom there were serious integrity concerns.[81]

2.56The procedural instruction was a consolidation of a previous procedures advice manual, and policy and procedures manual—108 pages had been consolidated into 35 pages. Significant detail on operationalising aspects of Home Affairs’ regulatory responsibilities under the Migration Act had been omitted during consolidation. This included guidance on the operation of section 309, which requires OMARA to provide for procedural fairness when considering decisions on whether to refuse registration or sanction agents. Home Affairs stated its practice was not to provide this in every instance.[82]

2.57The ANAO found OMARA’s most recent compliance strategy and plan were prepared for the 2018–19 year and as such did not deal with several significant changes to the regulatory environment that had occurred since 2018–19, and had not, in any case, been implemented by Home Affairs. A planned evaluation of the impact of the compliance strategy was not undertaken,[83] and neither were risk treatment activities that were provided for in the plan, including:

  • completing 200 website audits each year to address the risk of misleading advertising by migration agents
  • undertaking 35 client file audits each year
  • applying risk treatments relating to the regulation of CPD providers.[84]
    1. The Committee was advised Home Affairs has implemented a Compliance and Monitoring Framework, setting out that OMARA’s approach to monitoring would be risk-based, evidence-based, proportionate to risk, collaborative, focussed on outcomes and lawful and fair. Home Affairs has developed a strategy that identifies the harms arising from non-compliance, and a plan that identifies the monitoring activities it will undertake. Proactive monitoring was scheduled to commence in September 2024.[85]

Department of Industry, Science and Resources—Trade measurement

2.59The audit found there were gaps, overlaps and inconsistencies in the policy and procedural documents produced to support DISR’s regulatory function.[86] Some of the shortcomings identified were:

  • the absence of a policy or procedure relating to the appointment of trade measurement inspectors, and an absence of evidence some trade measurement inspectors had been appropriately appointed, impacting DISRs ability to take valid enforcement actions
  • a total of 184 documents were listed as being in effect and 263 were listed with the status of ‘potential’[87] but there was nevertheless an absence of specific guidance on how data was to be entered into TMARS, and no policy or guidance on the management of hard copy inspector notebooks and non-compliance notices
  • existing policies and procedures were not updated in a timely manner.[88]
    1. The audit recommended that DISR improve its record-keeping processes to ensure information and records were accurate, fit-for-purpose and appropriately stored. DISR agreed to the recommendation and provided information on steps it had taken towards implementation.[89]

Australian Taxation Office—Management of GST fraud risk

2.61The ATO has a dispersed GST fraud risk management approach: the GST is administered by business lines structured around taxpayer types; each business line is required to identify, assess and manage GST fraud risks within its area of responsibility; each business line maintains its own risk register and risk treatment plans; there is no centralised register of controls used to detect potential GST fraud, these are dispersed across business lines.[90]

2.62The ATO explained its decentralised approached allowed it to leverage the expertise and insights of those closest to the risks, ensuring tailored treatments.[91]

2.63The audit had found that the ATO’s own internal assessments identified key risk ‘artefacts’ like assessments, reviews, treatment strategies/plans and updates, were not available to demonstrate GST compliance risks were being managed effectively; and that assessment of GST fraud risks was ‘not holistic or based on robust evidence’.[92]

2.64In general, the ANAO found some shortcomings in the alignment between and within documents. For instance, the 2020 external fraud risk assessment included an assessment of the effectiveness of the ATO’s controls on 13 external fraud risks. It also listed 13 preventative, detective and corrections controls that required improvement to raise the effectiveness of the ATO’s control assessment level. The controls, however, were not attributed in the document to the 13 external fraud risks. Neither was the external fraud risk assessment underpinned by a documented record of specific risks and corresponding controls for each of the 13 external fraud risks.[93]

2.65The audit also found the ATO’s 2023 Fraud and Corruption Control Plan did not clearly deal with all the external fraud risks identified in the 2020 external fraud risk assessment. It was not possible to determine whether controls and strategies for external fraud were commensurate with assessed fraud risks because the risks identified in the two documents could not be reconciled.[94]

2.66The ANAO recommended the ATO ensures its fraud control and corruption plans were based on identified fraud risks documented in risk assessments. The ATO advised the fraud control and corruption plan would be updated to incorporate fraud risks identified in the external fraud risk assessment and this was on schedule for implementation by the end of 2024.[95]

2.67As part of the redesign of its conformance process, the ATO advised that artefacts and annual external fraud risk assessment process outcomes were now maintained centrally by the External Fraud Risk Owner.[96] Further, the ATO had now clearly identified the GST Fraud Risk Owner.[97]

Department of Health and ACQSC—Aged Care Reforms

2.68The audit found that while Health and the ACQSC were developing guidance materials and standard operating procedures for monitoring and enforcing compliance with the new aged care requirements, these were mostly not finalised prior to the implementation of the new requirements.[98]

2.69In particular, the ACQSC had not updated its standard operating procedures for preparing and disseminating intelligence briefs to accommodate the aged care changes. The ACQSC agreed to a recommendation that it improve its documentation processes for preparing and disseminating intelligence briefs. There were also delays in the ACQSC’s delivery of training materials and other guidance documentation.[99]

2.70The ACQSC confirmed it had improved its documentation of the process for preparing and disseminating intelligence reports and had produced a range of other documents.[100] The standard operating procedures for care minutes had been updated to include technical procedures for the Risk Based Targeting and Information Sharing system; collating data from Health; processing, sanitising and validating data; triage criteria and classification into high, moderate and low risk; longitudinal analysis of provider performance; summary intelligence assessments; and quality control and dissemination of intelligence briefs.[101]

2.71The ACQSC stated 24/7 Registered Nurse intelligence briefs were produced and disseminated to the Commission’s Quality Assessment and Monitoring Group on a monthly basis and were prepared by categorising services on a matrix. The Quality Assessment and Monitoring Group uses the briefs to inform risk profiling for the broader Commission regulatory approach by identifying services where non-compliance and other contextual risks indicate a requirement to validate that safe and appropriate clinical assessment and care is delivered in line with provider obligations.[102]

2.72Care minutes intelligence briefs were produced and disseminated to the ACQSC Sector Risk Committee quarterly, and grouped services into risk profiles based on the degree of non-compliance.[103]

Department of Health—Therapeutic Goods Act non-compliance

2.73The ANAO stated that although the audit had found Health’s management of non-compliance for unapproved therapeutic goods was largely effective, there were potential areas for improvement including documentation of standard operating procedures and other daily operational tasks, in addition to improving record keeping.[104]

2.74Recognising the need for a ‘one stop shop’ to support its activities, in October 2022 Health commenced a project to develop, review, consolidate and implement a range of governance documents and measures within the Regulatory Compliance Branch. This included reference materials, standard operating procedures and templates. The project found of the 37 standard operating procedures and guides for the Regulatory Compliance Branch, 81 per cent were in draft or overdue for review. It also found there were 11 process documents in use and 10 topics where standard operating procedures could have been developed but had not been.[105]

2.75During the hearing, Health acknowledged it had not looked at its standard operating procedures on a regular basis but had taken a number of steps to rectify this.[106] Health stated all required written investigation procedures for compliance investigations had been finalised and implemented.[107]

Statements of expectations and intent

2.76While regulators often operate independently of government, as noted by Finance, this does not mean they are independent of expectations of how their statutory roles are fulfilled.[108]

2.77RMG 128 states that Executive Government will set out guidance for regulators through a ministerial statement of expectations, issued by the responsible minister to provide greater clarity around government policies and objectives relevant to the regulator’s statutory objectives and how it conducts its operations. The regulator is to respond with a regulator statement of intent that identifies how it will deliver on the government’s expectations.[109]

2.78A ministerial statement of expectations should be issued every two years, or earlier if there is a change of minister, regulator leadership, or Commonwealth policy. Regulators should integrate the statements into performance reporting, and they should be made publicly available.[110]

Department of Industry, Science and Resources—Trade measurement

2.79During the course of the ANAO’s audit, DISR did not have in place an appropriate ministerial statement of expectations and regulator statement of intent.[111] In June 2016, the Secretary of the department issued a statement of expectations for the NMI. The NMI signed a statement of intent in September 2016.[112] The Minister for Industry, Science and Technology provided a statement of expectations in September 2021. There was a change in minister before the regulator statement of intent was provided.[113]

2.80In February 2022, the Minister for Science and Technology issued a statement of expectations for the NMI. This was the same as the previously issued statement of expectations and included that the NMI ‘apply a proportionate and risk-based approach to compliance and enforcement actions’ and take a proactive approach to continuously improving regulatory performance by embedding the regulator best practice principles.[114]

2.81A federal election was called prior to DISR responding with a regulator statement of intent. There was a change in minister on 1 June 2022 and as of 24 May 2023, the ANAO found the ministerial statement of expectations had not been published or referenced, and there had been no regulator statement of intent issued.[115]

2.82The NMI received a statement of expectations on 26 November 2024 and in December 2024 was drafting its statement of intent.[116]

Department of Health and ACQSC—Aged Care Reforms

2.83In December 2022, the Aged Care Quality and Safety Commissioner issued a statement of intent establishing its approach to regulating the aged care sector. The Secretary of Health issued a regulator statement of intent in July 2023 that identified six regulatory functions undertaken by the Health. The ANAO found none of the six functions encompassed Health’s program of activities to verify aged care provider reporting or any other activities in relation to the aged care sector. The ANAO suggested, as an opportunity for improvement, that Health could update its regulator statement of intent to address departmental regulatory functions in relation to aged care providers.[117]

Home Affairs—Regulation of migration agents

2.84The ANAO found with regard to the regulation of migration agents, there was no ministerial statement of expectations or responding regulator statement of intent from Home Affairs.[118] The Minister for Home Affairs issued a statement of expectations to Home Affairs in January 2022, but this was not specific to OMARA. Home Affairs did not respond with a statement of intent. Following the election in May 2022 and the change in minister, no statement of expectations had been issued. At the time of the audit, Home Affairs had no statement of intent.[119]

2.85The ANAO recommended Home Affairs advise the minister of the requirements and prepare for the minister’s approval a ministerial statement of expectations that outlined the regulatory functions within Home Affairs and prepare and issue in a timely manner a responding regulator statement of intent. Home Affairs agreed to the recommendation.[120]

Footnotes

[1]Australian National Audit Office (ANAO), Management of Non-Compliance with the Therapeutic Goods Act 1989 for Unapproved Therapeutic Goods, Auditor-General Report No. 3 2023–24, hereafter TGA report, paragraphs 2.10, 3.20–3.21.

[2]ANAO, Design and Early Implementation of Residential Aged Care Reforms, Auditor-General Report No. 8 2023–24, hereafter Aged care report, paragraph 4.19.

[3]ANAO, Department of Home Affairs’ Regulation of Migration Agents, Auditor-General Report No. 26 2023–24, hereafter Migration agents report, p. 19.

[4]ANAO, Trade Measurement Compliance Activities, Auditor-General Report No. 5 2023–24, hereafter Trade measurement report, paragraphs 3.73–3.77.

[5]ANAO, Australian Taxation Office’s Management and Oversight of Fraud Control Arrangements for the Goods and Services Tax, Auditor-General Report No. 15 2023–24, hereafter ATO report, paragraph 3.33. See also: discussion on Contemporising GST Risk Models project, paragraphs 3.13–3.23.

[6]ANAO, TGA report, paragraph 13.

[7]ANAO, Aged care report, paragraphs 9, 12, p. 64.

[8]ANAO, Migration agents report, p. 19.

[9]ANAO, Trade measurement report, paragraph 9.

[10]ANAO, ATO report, paragraph 12. The Australian Taxation Office (ATO) was found to have largely appropriate methods to detect potential GST fraud (see paragraphs 16, 3.10–3.33).

[11]ANAO, TGA report, paragraph 13.

[12]ANAO, Aged care report, paragraph 23.

[13]ANAO, Migration agents report, paragraphs 2.12–2.16, p. 19.

[14]ANAO, Trade measurement report, paragraphs 10–11, 2.18.

[15]ANAO, GST fraud risk report, paragraphs 2.23, 2.45, 2.51, 4.14, 4.15.

[16]ANAO, Aged care report, paragraph 4.8.

[17]ANAO, Migration agents report, paragraph 10.

[18]ANAO, Trade measurement report, paragraphs 3.57–3.59.

[19]Department of Finance (Finance), Regulatory Policy, Practice & Performance Framework, 2024, hereafter Regulatory Framework, pages 7, 10.

[20]Finance, Regulatory Framework, p. 10.

[21]Finance, Regulatory Framework, pages 10–11.

[22]Finance, Regulatory Framework, p. 7.

[23]Finance, Regulatory Framework, p. 7.

[24]Finance, Regulatory Framework, pages 10–11.

[25]Finance, RMG 128: Regulator performance, July 2023, hereafter RMG 128, https://www.finance.gov.au/government/managing-commonwealth-resources/regulator-performance-rmg-128, viewed 26 February 2025.

[26]Finance, RMG 128, July 2023.

[27]ANAO, Insights: Administering regulation, January 2021, https://www.anao.gov.au/work/insights/administering-regulation, viewed 11 February 2025.

[28]ANAO, Insights: Administering Regulation, January 2021.

[29]ANAO, Migration agents report, paragraphs 8, 11, 2.30–2.32.

[30]ANAO, Trade measurement report, paragraphs 3.73–3.78.

[31]The ATO has subsequently improved its collection, integration and dissemination of intelligence relating to the GST. ANAO, ATO report, paragraph 3.33; ATO, Submission 7.1, p. 5. See also the discussion on Contemporising GST Risk Models project in: ANAO, ATO report, paragraphs 3.13–3.23.

[32]ANAO, TGA report, p. 40, paragraph 3.20–3.21.

[33]ANAO, Aged care report, paragraphs 9, 13, 14, 21.

[34]Department of Health (Health), Submission 5, p. [5].

[35]Aged Care Quality and Safety Commission (ACQSC), Submission 4.1, p. [10].

[36]ANAO, TGA report, paragraph 2.1.

[37]ANAO, Migration agents report, paragraphs 2.30–2.32.

[38]ANAO, Migration agents report, paragraphs 2.35–2.36.

[39]Department of Home Affairs (Home Affairs), Submission 1, p. 5.

[40]Home Affairs, Submission 1.1, p. [1].

[41]Home Affairs, Submission 1, p. 5.

[42]ANAO, Trade measurement report, paragraph 12.

[43]Legal metrology refers to the legislative and regulatory framework that underpins measurements and measuring instruments used for trade and legal purposes. Department of Industry, Science and Resources (DISR), Legal metrology priorities 2023–24, February 2024, p. 4.

[44]DISR internal audit findings quoted in, ANAO, Trade measurement report, paragraph 2.30.

[45]ANAO, Trade measurement report, paragraphs 2.31–2.38.

[46]ANAO, Trade measurement report, paragraphs 2.36–2.38.

[47]Mr Vasilios Loizides, General Manager, Legal Metrology, National Measurement Institute (NMI), DISR, Committee Hansard, Canberra, 22 November 2024, p. 17.

[48]DISR, Submission 6.1, p. [14].

[49]Mr Michael White, Acting Group Executive Director, ANAO, Committee Hansard, 22 November 2024, p. 20.

[50]Mr Michael White, ANAO, Committee Hansard, 22 November 2024, p. 20.

[51]ANAO, Trade measurement report, paragraph 12.

[52]ANAO, Trade measurement report, paragraph 2.40.

[53]ANAO, Trade measurement report, paragraph 2.40.

[54]ANAO, Trade measurement report, paragraph 2.42.

[55]Domestic demand; industry value-added; business enterprises that may comprise one or more establishments; employment; establishment locations; value of exports; industry revenue; value of imports; wages. DISR, Submission 6.1, pages [2]–[3].

[56]DISR, Submission 6.1, pages [2]–[3].

[57]ANAO, Trade measurement report, paragraph 2.46.

[58]DISR, Legal metrology priorities 2024–25, 2024,p. 10.

[59]ANAO, Trade measurement report, paragraphs 2.47, 2.53–2.55.

[60]ANAO, Trade measurement report, paragraph 2.51.

[61]ANAO, Trade measurement report, paragraph 2.47.

[62]ANAO, Trade measurement report, paragraphs 2.56–2.57.

[63]ANAO, Trade measurement report, paragraphs 2.58–2.60.

[64]ANAO, Trade measurement report, paragraphs 2.61–2.62.

[65]The Secretary of DISR wrote to the ANAO on 11 August 2023 indicating it agreed with the recommendation. The public hearing was held on 22 November 2024. See, ANAO, Trade Measurement Report, pages 62–63.

[66]Mr Vasilios Loizides, DISR, Committee Hansard, Canberra, 22 November 2024, p. 17.

[67]Mr Vasilios Loizides, DISR, Committee Hansard, Canberra, 22 November 2024, p. 17.

[68]Mr Vasilios Loizides, DISR, Committee Hansard, Canberra, 22 November 2024, p. 20.

[69]ANAO, ATO report, paragraphs 3.12, 3.33.

[70]ANAO, ATO report, paragraphs 2.11–2.16.

[71]ANAO, ATO report, paragraphs 2.22–2.23, 2.25, 2.47, see also footnote 28.

[72]ANAO, ATO report, paragraph 2.22.

[73]ANAO, ATO report, paragraphs 2.36–2.37.

[74]Australian Taxation Office (ATO), Submission 7.1, p. 5.

[75]ATO, Submission 7.1, p. 3.

[76]ATO, Submission 7.1, p. 5.

[77]ANAO, TGA report, paragraphs 2.4–2.10.

[78]ANAO, TGA report, paragraph 2.9.

[79]ANAO, TGA report, paragraph 2.10.

[80]See general comments to this effect in: ANAO, Migration agents report, paragraph 2.1; ANAO, Trade measurement report, p. 17, paragraphs 2.1, 2.18.

[81]ANAO, Migration agents report, paragraphs 2.14–2.16.

[82]ANAO, Migration agents report, paragraphs 2.19–2.21.

[83]ANAO, Migration agents report, paragraph 2.38–2.39, p. 26.

[84]ANAO, Migration agents report, paragraph 2.38.

[85]Home Affairs, Submission 1.1, pages [2]–[3].

[86]ANAO, Trade measurement report, paragraph 9.

[87]ANAO, Trade measurement report, paragraph 2.15.

[88]ANAO, Trade measurement report, paragraphs 2.9–2.11, 2.15, 2.17–2.18.

[89]ANAO, Trade measurement report, paragraphs 2.25–2.28.

[90]ANAO, ATO report, paragraphs 2.22, 2.46–2.47, 3.33.

[91]ATO, Submission 7.1, p. 5.

[92]ANAO, ATO report, paragraphs 2.23, 2.47.

[93]ANAO, ATO report, paragraph 2.31.

[94]ANAO, ATO report, paragraph 2.45.

[95]ATO, Submission 7, p. 5.

[96]ATO, Submission 7.1, p. 3.

[97]ATO, Submission 7.1, p. 5.

[98]ANAO, Aged care report, paragraph 23.

[99]ANAO, Aged care report, paragraphs 4.22–4.26, 4.34–4.39.

[100]Ms Janet Anderson, Commissioner, ACQSC, Committee Hansard, Canberra, 22 November 2024, p. 13. See also: ACQSC, Submission 4, p. 3.

[101]ACQSC, Submission 4, pages 3–4.

[102]ACQSC, Submission 4, p. 4.

[103]ACQSC, Submission 4, p. 4.

[104]Ms Christine Chalmers, Executive Director, ANAO, Committee Hansard, Canberra, 22 November 2024, p. 2.

[105]ANAO, TGA report, paragraphs 2.18–2.19.

[106]Ms Tracey Lutton, Assistant Secretary, Regulatory Compliance Branch, Regulatory Practice and Support Division, Health, Committee Hansard, Canberra, 22 November 2024, pages2,4.

[107]Health, Submission 5.1, p. [6].

[108]Finance, RMG 128.

[109]Finance, RMG 128.

[110]Finance, RMG 128.

[111]ANAO, Trade measurement report, paragraph 17, p. 53.

[112]ANAO, Trade measurement report, paragraphs 3.57–3.59.

[113]ANAO, Trade measurement report, paragraph 3.61.

[114]ANAO, Trade measurement report, paragraph 3.61.

[115]ANAO, Trade measurement report, paragraph 3.62.

[116]DISR, Submission 6.1, p. [11].

[117]ANAO, Aged care report, paragraphs 4.8–4.9.

[118]ANAO, Migration agents report, paragraph 10.

[119]ANAO, Migration agents report, paragraphs 10, 2.5–2.6.

[120]ANAO, Migration agents report¸ paragraphs 2.7–2.8.

Contents
Previous Next