18.5 AUDIT AND RISK MANAGEMENT
The ABS Risk Management Framework and Guidelines provides a mechanism for monitoring and identifying shifts in the risk exposure and the emergence of 'new' risks.
ABS senior management are closely involved in monitoring and managing those risks identified as enterprise risks. These are risks that are strategic in nature and have the potential to significantly impact on the organisation. During 2005–06, the ABS executive reviewed the key enterprise risks to confirm their currency and to plan ongoing treatment strategies.
The Audit Committee sets a work program for reviews, drawing on the outcomes of risk assessments, the fraud control plan, and recommendations from ABS managers and the Australian National Audit Office. The work program is undertaken by an external audit contractor and covers compliance and risk management issues. A broader review program, involving internal and external reviewers, looks at other issues of efficiency and effectiveness. The Audit Committee meets four times a year and reports to the executive meetings as appropriate.
Internal audits undertaken during 2005–06 included reviews of: the quality of metadata; compliance with legislation in relation to the release of tables; use of the Australian government credit card; performance management; the probation system; human resource planning, management and IT processes; and salary sacrifice arrangements.
At the operational level, the program of facilitated risk management workshops for key areas was continued, to ensure that risk assessments for these areas were applied consistently and given priority. These workshops assist program directors in ensuring that risks that have the potential to impact on a program's objectives are appropriately identified and managed.
The management of project risks is largely facilitated through the inclusion of risk management templates in the ABS Project Management Framework. Project managers have the responsibility for identifying and managing risks at the project level.
During 2005–06, a review of the ABS control framework was completed. A paper was produced setting out the legislative framework in which the ABS operates, the types of controls used by the ABS to meet its legislative requirements, and the dimensions in which these controls are applied.
As required by the Commonwealth Fraud Control Guidelines, the Australian Statistician has certified that the ABS has prepared appropriate fraud risk assessments and fraud control plans, and has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the ABS and comply with the guidelines.
During 2005–06, the ABS commissioned an external review of its Fraud Control Plan. A fraud risk assessment was undertaken and an updated Fraud Control Plan, including a risk register, was produced.
Regular status reporting against each risk treatment option identified will be integrated with normal reporting to ABS management and the Audit Committee.
Security of premises
Ensuring the security of ABS premises is key to minimising risks in a number of areas, including fraud.
All ABS premises are physically secure against unauthorised access. Entry is through electronically controlled access systems activated by individually coded access cards and monitored by closed circuit television. Particularly sensitive output data are subject to further physical security measures.
The ABS computer network has a secure gateway, which allows connection to some Internet services. The secure gateway has been established in accordance with Australian Government guidelines and is subject to annual accreditation by the National Communications and Computer Security Advisory Authority, Defence Signals Directorate.
Internal access to ABS computing systems is based on personal identifiers that are password protected. Specific databases are only accessible by approved users. The computer systems are regularly monitored and usage audited. There were no unauthorised access incidents into the ABS computing systems during 2005–06.
Additional access control systems are used to protect any data designated 'sensitive'. Access to sensitive data is only granted under the authority of area line management (the 'owners' of the data) on the basis that access is required by the staff member to carry out their duties.
Included in the ABS strategic audit plan is an ongoing program of security audits and reviews of computer systems and the physical environment.