Julian Hill (Bruce, Australian Labor Party) | Hansard source

Great! I feel validated.

The second report I referred to is an interim report of the committee's inquiry. It details our review and is ruling a line under our consideration of the 2020-21 and 2021-22 major projects reports. The major projects reports are prepared annually by the Department of Defence and the Audit Office together to provide a greater level of assurance that taxpayer funds on major projects in Defence are used as efficiently and effectively as possible, and to increase the transparency of these projects to the parliament and the Australian public. The MPR is a comprehensive product containing detailed information from Defence on these major projects and the ANAO's examination of projects' performance.

The committee's report makes three recommendations: two which address fairly routine issues identified in previous years about how Defence accesses contingency funding, capturing the lessons learnt, and its use of caveats and deficiencies in its capability reporting—this stuff is pretty boring and arcane, but it's an incredibly important report that the parliament itself commissioned about 15 years ago to bring some greater order into capital acquisition, which constitutes still around one-third of the national defence budget—and one which seeks to have Defence elevate projects to the projects of concern list in a timely manner.

A sentence or two about that. The committee was concerned by what was revealed to be a seriously excessive 13-month delay between the then Minister for Defence making a formal decision that the civil-military air traffic management system project was off track and must become a project of concern. There was then, inexplicably, a 13-month delay in implementing that decision. The projects of concern list and the minister's new projects of interest list ensure that projects receive additional support as well as provide transparency to the parliament and the public on the performance of major projects. It's a fact of life that some major defence projects are going to be off track, and the earlier they get on these lists and get the attention they need the better. There's no point in having the system, though, if there are delays of over a year in adding projects to the list which the minister has decided are clearly off track. There's a little bit behind that, but I won't go into it.

The next phases of this inquiry—because this is an interim report—will examine the Department of Defence's procurement of the Hunter class frigate, which is a project included in the MPR as well as the MPR's scope and guidelines. We've had pretty much the same report for about 15 years. It's relatively narrow but very deep, so we pick a limited number of projects and go very deep. That might be the best approach, but it's about time we stepped back and thought, 'Well, what do the US congressional budget office and similar parliaments do?' For example, other parliaments go much broader but not as deep. We'll give that a bit of thought.

I want to thank Defence and the ANAO for their cooperation with the inquiry to date and look forward to engaging with them further as the inquiry continues. I thank the committee secretariat, and I thank my colleagues on the committee for their collegiate deliberation on these matters, particularly the deputy chair, Senator Reynolds, a former Minister for Defence. It's actually terrific having her experience and knowledge engaging in this kind of detail.

I turn now to the second tabling statement in relation to the Commonwealth financial statements: 'The Auditor-General works on behalf of the parliament to scrutinise the executive.' It's a statement of the obvious, but there's one very peculiar matter in this report, so that needs to be there as context. Every year the audit office examines all of the Commonwealth financial statements and reporting by 248 separate entities 'to assess risk, governance arrangements and internal control frameworks'. The report went on to say:

In the 2021-22 financial statements audit, the highest number of significant moderate findings were in the categories of IT security—

cyber security stuff—

and accounting and control of non-financial assets.

The main focus thematically that we took to the 2021-22 financial statements were:

and a very peculiar issue regarding—

I'll make some brief remarks on each; firstly, on home affairs' financial sustainability. I received a leaked document, which informed this part of the inquiry. It was prepared under the previous Liberal government. It was a secret independent budget review of Home Affairs in 2022, which:

… indicated that the department's baseline situation was misaligned with its core activities and that it was balancing risk, service delivery and the cost of doing business in an unsustainable manner.

It was like reading a dysfunctional family fight—an insight into the previous government.

One anonymous stakeholder stated to the review—it was there in bold in a little breakout box—that the Department of Home Affairs was set up to fail from the start. And it's not lost on anyone here that the minister that was in charge of the department is the now Leader of the Opposition. This serious mess was exacerbated by the former government's waste of $92 million—their own report outlined this—on a failed visa privatisation. They failed to privatise the visa processing system, which they were trying to do, and blew 92 million bucks along the way. Despite which, Home Affairs was still forced to cop their pencilled in savings of $180 million that couldn't be realised. Why? And we discussed this in the inquiry. Why couldn't they complete the privatisation? Well, everyone who tendered was a Liberal mate and a mate of the former Prime Minister sitting over there, including the infamous Scott Briggs. But, despite the fact they blew $92 million on a failed privatisation, and $42 million on a PowerPoint or something from one of the consultants, BCG, they still cut the budget of the department by $180 million. Shame! The report went on to say:

The Committee has therefore requested that Home Affairs provides it with an update within six months on how it has implemented the recommendations arising from the independent review and on its actions and those of Government to improve its budget sustainability.

Secondly, relation to agriculture's financial sustainability:

Evidence revealed—

and there was a lot of public debate through the inquiry—

that Agriculture has been facing an underlying structural cash deficit for many years, driven by the cost recovery of biosecurity functions.

In plain English, the department was flat bloke. They had been dipping into their accumulated surplus like bandaid and sticky tape and piggy bank for years, and they'd run out of money. That's what we inherited. For years the former government failed to act to make any tough decisions about biosecurity fees and charges, despite being advised they had to. It was National Party incompetence. The report went on to say:

Given the critical importance of biosecurity activities and the economic and environmental costs of breaches, the Committee is of the view that the situation was fundamentally unsustainable …

All the Liberal and National members signed up to this in the report, to their credit. I'm pleased to note that the minister took major decisions in the budget to put the department on a sustainable footing.

Thirdly, in relation to NDIA's financial sustainability:

… the costs of the National Disability Insurance Scheme (NDIS) have been increasing faster than anticipated, this poses real risks to its long-term sustainability. One of the aims of the current NDIS review is to shed some light on its operations and sustainability, and this is welcomed by the Committee.

The NDIA anticipates more certainty to the forward projections for NDIS expenditure. And the committee's requesting an update within six months on any gap between the projected and actual costs, and we're going to keep an eye on this.

The second big item that I mentioned—this is very peculiar, Deputy Speaker Claydon—is that the committee was concerned to learn from the Auditor-General—it was quite exercised by it—how the previous government made the payment by the Department of Defence to terminate the Attack-class submarine project. This contract cancellation was clearly an operating expense. But Defence used funds which had been appropriated by this parliament as equity funding, which is not operating expenditure. A real-world comparison: Defence used capital funding to pay an operating expense.

The committee concurs with the Auditor-General's view that these funds should not have been used for an operating expense without the permission of the parliament. This is a really arcane point. I know it's niche and nerdy. Frankly, no-one else in the world would care except, potentially, members of parliament. But it raises serious questions about both the constitutionality of the payments and, more fundamentally for this parliament, the controls that the parliament put over the executive when we appropriate money to a government. The Department of Defence and the Department of Finance clearly knew it was not appropriate, as they sought legal advice and tied themselves in knots throughout the inquiry trying to defend it. Frankly, it would have just been easier if they'd said: 'Yes, we shouldn't have done that; we won't do it again.' It would have saved a lot of angst.

Notwithstanding legal advice sought by the department of the potential constitutional implications, the committee concluded that this is not a matter for the courts. It's a matter for the parliament to determine the future financial controls over the executive. The committee is firmly standing up for this principle on behalf of this parliament to ensure it doesn't happen again, because if the principle isn't defended then it means that a future government may be able to spend whatever appropriation they want on whatever they want.

What is the point, then, of the financial controls in the appropriation bills when the parliament gives the government money? Odd-numbered bills are for the ordinary operating expenses of government which, under the Constitution, the Senate cannot amend. Even-numbered bills are for other things: new policy proposals, equity injections and so on. There's some weird, arcane 1960-something convention between the Senate and the House, that we had to look at, about how this stuff works.

The committee has recommended that the finance minister review this matter and accept our conclusion. The committee has also recommended that in the terminology in the framework, in future appropriation bills, that the finance minister clarifies that an equity injection or equity funding is non-operating expenditure.

The third and final point: cybersecurity vulnerabilities. We examined the important issue—like goldfish, on this committee, going around and around, here we are again: more cybersecurity issues. We examined vulnerabilities across Commonwealth entities. Unfortunately, IT issues have represented the majority of the Audit Office's adverse findings in its financial statements for many years now. The Attorney-General's Department has ownership of the Protective Security Policy Framework, which contains the cybersecurity strategies developed by the Australian Signals Directorate that are mandatory for most Commonwealth agencies. Each entity is responsible for the application of the PSPF and self-reports on its cybersecurity compliance.

However, the committee is concerned by the persistent optimism bias which the Auditor-General identified in these self-assessments. It suggests that agencies are understating the IT vulnerabilities that exist. Effectively, they're marking their own homework and they're putting it in centrally. The Auditor-General consistently finds that they understate the vulnerabilities. That means the ministers—it would be the same for the previous government and the same for this government—may well not be apprised of the full extent of vulnerabilities. We think that's a problem.

The committee has recommended two things. One is that the government consider implementing an assurance regime on agencies self-reporting on compliance so that the government is aware of the true situation in relation to public sector cybersecurity and that it's not disguised by agencies. We're not really saying that agencies are lying. There's a human optimism bias when you mark your own homework. You've got a bias with the exception of, I think, our national security agencies that are probably—as they said to us in a different forum—more conservative, and rightly so.

The second recommendation is that the Attorney-General's Department should value the fact that this is a core function and develop performance measures and put it out in lights in their annual performance statement and be accountable for it.

I thank the deputy chair and other committee members who participated in the inquiry. I thank contributors to the inquiry, the Auditor-General and especially the committee secretariat for their continued professionalism in supporting the work of the committee. I move:

That the House take note of report No. 497.

See this speech in context