Julian Hill (Bruce, Australian Labor Party) Share this | Link to this | Hansard source

On behalf of the Joint Committee of Public Accounts and Audit, I present Report 471: security of overseas missions.

Madeleine King (Brand, Australian Labor Party) Share this | Link to this | Hansard source

Cracking committee!

Julian Hill (Bruce, Australian Labor Party) Share this | Link to this | Hansard source

It is a cracking report, Member for Brand.

Report made a parliamentary paper in accordance with standing order 39(e).

by leave—This report outlines findings of the committee's inquiry into the security of overseas missions as managed by the Department of Foreign Affairs and Trade. This, I might note, is the first JCPAA inquiry in a number of years to focus on DFAT. It is not a regular focus of our attention.

DFAT's purpose includes promoting and protecting Australia's interests internationally and contributing to global stability and economic growth. To support this work, DFAT maintains a presence overseas of 106 diplomatic posts or missions and is responsible for the security arrangements at these posts—that also includes responsibility for the security of more than 3,000 DFAT locally engaged staff and staff from 20 other agencies—and those are measures to protect staff, property and confidential information critical to national security.

In DFAT's own words, 'Elsewhere poor risk management could be financial loss, but here the results could be catastrophic.' In that very real sense, this is life-and-death stuff. Yet the committee found—and this is a government-controlled committee—that, despite this, a recurring theme of this inquiry was the lack of consistency and coordination in DFAT's management of overseas security.

This matter has a long history. The Audit Office previously reviewed DFAT's protection of missions and staff overseas in 2004-05. In this follow-on audit tabled in August last year, more than a decade later, the Auditor-General identified a number of issues which still remain unresolved. The ANAO concluded that DFAT had arrangements in place to provide security to overseas missions and staff, but it added that some aspects, in particular the strategic planning management of security measures and elements of the framework supporting staff training, were not entirely effective.

The ANAO's findings, in addition to the further evidence provided to the committee during the inquiry, raised a number of concerns for the committee. The committee noted that poor coordination and lack of consistency have had an impact on the delivery of core security functions. A number of issues identified were also characterised by inadequate monitoring and assurance. The committee considered that the ANAO's findings and the persistence of weaknesses relating to overseas security measures undermined the department's credibility before parliamentary committees. It wasn't their finest day out.

The committee heard that DFAT's departmental security framework, which was to be launched in March 2018, is intended to address various issues highlighted by the ANAO and previous reviews. The department also noted actions it's taking to reduce inconsistencies in record keeping and risk management.

The committee supports the Auditor-General's position that organisations must impose consequences for noncompliance in order to drive cultural change, and the leadership of the organisation has to provide the clear direction for that change. Compliance can be monitored then via independent assurance activities such as internal audit.

The committee also turned its attention to and appreciates the critical importance of cyber-resilience to protecting organisational systems and information and acknowledges DFAT's stated commitment to achieving cyber-resilience by June 2018 with respect to the Essential Eight mitigation strategies. We've asked for a report back in July to check that that's done, because, as I said, this is not just about property and the lives of Australian personnel but also about critical confidential information.

There were a range of other findings that you'll be pleased to know I chopped out of my statement and won't go to in detail, but they relate to the need for DFAT to improve the quality of its performance indicators and discrepancies we identified in a previous annual report. As the chair of the committee stated, the annual report's a critical document. It is signed by the secretary, and the parliament has to have full confidence in what's signed off and presented.

Finally, it's the committee's view that governance arrangements can only be effective with the necessary staff skills and capability underpinning them. The committee noted that limitations to DFAT's information systems actually prevent the consistent monitoring and assurance over whether staff even receive the required mandatory preposting security training. DFAT advised that work was underway to address that, but we were not fully confident from the repetitive, process-based answers which we received. Of particular interest to the committee was staff awareness and training in cybersecurity. DFAT indicated that it's considering mandating cybersecurity training for locally engaged staff.

Overall, in summary, the committee made eight recommendations. That's a large number for us. Several were aimed at improving DFAT's governance of post security, while others address aspects of staff training. We've sought further advice from DFAT and recommended that DFAT reports back to us on a range of issues. Thank you for the House's attention to a lengthy statement, but these are not trivial matters. They go to the security and the lives of more than 3,000 staff working around the world and their families. In conclusion, I would like to thank officials from the Department of Foreign Affairs and Trade and the ANAO for assisting the committee in its inquiry. I commend the report to the House, and I seek leave to table some documents.

Leave granted.

I present executive minutes on reports Nos 463, 464, 465 and 467 of the Joint Committee of Public Accounts and Audit.