|
1 |
|
|
2 |
|
|
- Governing the public-private sectors’ interrelationship |
|
|
3 |
|
|
4 |
|
|
- Private financing of government activities |
|
|
- The information technology (IT) outsourcing lessons |
|
|
5 |
|
|
- Access to information and premises |
|
|
- Commercial-in-confidence information |
|
|
- Privacy and security |
|
|
- Administrative law considerations |
|
|
- Equity law and natural justice |
|
|
- Values and ethics |
|
|
- Service credits as part of the contractual arrangements |
|
|
6 |
|
|
- Dealing with risk in a control framework |
|
|
- Transition to the contractor |
|
|
- Service standards and performance measurement |
|
|
- Contract relationships |
|
|
7 |
|
|
- System controls |
|
|
- Record-keeping |
|
|
8 |
|
How the public sector relates to the private sector to achieve public outcomes is a major challenge facing both sectors in many of the countries represented here today. My concern is to ensure that the Australian National Audit Office (ANAO), as a Supreme Audit Institution (SAI), is able to contribute effectively in meeting that challenge. In that respect, we are fortunate to be a Member of this Working Group in order to share our experiences and develop frameworks that can help us to reduce any problems being confronted to manageable proportions.
This paper reflects upon some of the audit-related issues being experienced by the Australian public sector in outsourcing situations. The catalyst for this paper was primarily the performance audit we undertook of the Implementation of Whole-of-Government Information Technology Infrastructure Consolidation and Outsourcing Initiative last year1. Following that report, the Government commissioned a separate review, in part to test our conclusions. The review generally agreed with the audit findings, but also made a number of interesting observations which I will draw on later.
I will discuss the issues we have identified under the following headings:
An interesting outcome of the recent public sector reform directions in Australia is that nearly all of the results the government strives to achieve require the collaborative efforts of two or more agencies/parties/levels of government. Unfocussed and uncoordinated programs waste scarce resources, confuse and frustrate customers or clients (citizens) and limit overall program effectiveness. The development of effective working relationships with stakeholders is, therefore, an important element in a functioning corporate governance framework and can help to identify, overcome and even avoid fragmentation and overlaps in government programs. Market mechanisms may actually create ‘islands’ or ‘silos’ within agencies, particularly where activities are more commercially based and make coordination of services to citizens in a seamless manner that much more difficult for providers, whether in the public or private sectors.
In this respect, it is interesting to consider the United Kingdom (UK) ‘Modernising Government’ approach which stresses ‘partnership delivery’ by all parts of government as well as with the private sector.2 The UK National Audit Office subsequently reported on its response (and strategies) to that policy, including the notion of ‘joined-up’ government,3 with particular comments on risk management. The changes that are occurring at least reflect different risks, perhaps even additional risks, that need to be managed. A particular issue was whether the audit approach would be consistent with the need to manage those risks to achieve the required results. Auditors, generally, have continued to stress the basic differences between risk and risky management.
As governments rethink their roles in society they are being required to develop new approaches to policymaking and service delivery that are increasingly involving new partnership arrangements. As well, the evolving environment is drawing the private sector increasingly into partnerships, mergers and alliances as a means of better coordinating economic activity and generating greater returns. Consequently, networking or partnering is beginning to play a major role at the local, national and international levels and across all sectors of the economy for improved performance and effectiveness.
Such arrangements are also likely to be encouraged through the increased adoption and impact of e-government with its focus on coordination and collaboration in the business environment and with shared databases as well as greater electronic integration in a virtual 'one-stop' service delivery environment. Between agencies, these arrangements are quasi-contractual and tend to be based on 'relational', rather than 'legal', agreements, for example by Memoranda of Understanding. Nevertheless, there are compelling reasons in a number of areas for considering the extension of the relational/partnering approach involving the private sector in a more networked environment. As usual, a balance has to be struck in particular cases between the various demands on managers, which can change depending on circumstances and the environment. The following is a related observation from a private sector perspective:
…the move to collaborative outsourcing agreements is an admission that the most successful outsourcing organisations are the ones that have a clear idea what they want the outcomes to be, rather than trying to manage (my underlining) the outsourcer.4
In Australia, there do appear to be indications that greater coordination, collaboration, or networking, across agencies is gaining favour as a means of delivering more responsive public services to citizens. For example, a recent ANAO report5 discussed how three welfare agencies were defining their particular outcomes and outputs and how the outputs of one of these agencies were directly related to the outcomes of the purchasing departments. These arrangements have been managed through a strategic partnering process rather than a legal contractual framework. These arrangements have subsequently expanded such that the particular Commonwealth agency, Centrelink, now delivers services on behalf of a total of four agencies under formal purchaser-provider arrangements.6 Centrelink's partnership agreement with the now Department of Family and Community Services reflects their emphasis on building trust; maintaining productive relationships and dealing positively with legal limitations.7
A further indication of a possible move towards network bureaucracies is the renewed focus on the needs of citizens as clients or customers. This is, at least partly, a consequence of a government decision in March 1997 to introduce Service Charters in order to promote a more open and customer-focused Commonwealth Public Service. All Commonwealth Departments, agencies and Government Business Enterprises that have an impact on the public must develop a Service Charter. These Charters are to represent a public commitment by each agency to deliver high quality services to their customers. Two whole-of-government reports have been presented to Parliament reporting, among other things, performance against the ‘principles for developing a Service Charter’ launched in 1997. The second report concluded that:
Service Charters are proving to be key instruments for innovation and for driving effective service delivery in the 21st Century.8
Where service delivery has been outsourced, Service Charters will clearly have a direct impact on the private sector contractor. In particular, it is to be expected that outsourcing contracts will need to reflect the Service Charter commitments if the Charters are to have any real meaning. It will also be important to require, as part of the contractual arrangement, the provider to supply outcome, output and input information against which the provider's performance can be assessed, including whether processes are efficient and the service quality is satisfactory. In this way, even if the client is one or more steps removed from the responsible department, it should still be possible to ensure clients are receiving the appropriate level and quality of service, consistent with the Service Charter. Such an approach may also be expected to reinforce the notion of both the private sector provider and the contracting agency being dependent on one-another for delivering a satisfactory level of performance and accounting for their performance – in effect trading-off some degree of their individual control for agreement about their joint performance and results to be achieved.
It has been generally recognised that networked arrangements for service delivery, which envisage more sophisticated and cooperative approaches to cross-cutting issues, are likely to focus on the importance of partnerships, coordination and joint working agreements. This is increasingly occurring at the inter-agency level. As well, networking can be expected to evolve to include strategic arrangements and structures between public organisations, private operators and voluntary associations as well as individual clients and the community generally. Such interaction should in turn generate new forms of service delivery and probably redefine the various relationships between government and the community over time. These moves have important ramifications for both responsibility and accountability and raise the question, again, as to ‘who is accountable for what?’
A major aim has been to deliver services that appear seamless to the recipient.9 In such arrangements, where there is joint responsibility for overseeing and implementing programs across a number of bodies, involving public and/or private sector organisations, a clear governance framework and accountability and reporting arrangements, which clearly define roles and responsibilities of the various participants, may be required. Increasingly, relevant governance arrangements will need to cross organisational boundaries to better align activities and reduce barriers to effective cooperation and coordination. Of note, in this respect, is the fact that globalisation has resulted in an increasing number of business networks operating across national borders. Networks do not necessarily require formal organisational structures to be effective but any arrangements for networking, or coordination, of activities have to be at least transparent.
More networked or partnering arrangements can also help overcome any apparent inflexibilities of a contract. Such networked arrangements are seen to enable a greater exchange of ideas and information and to allow partners to gain access to knowledge and resources of the other parties which contribute to their joint performance and results. Contract re-negotiations and variations are more likely to involve WIN-LOSE than WIN-WIN perceptions, including a greater propensity to resort to contract clauses to resolve any problems in working arrangements.
Realising the benefits of networking in a cross-cutting mode requires further cultural transformation in government agencies. For example, hierarchical management approaches may need to yield to more ‘partnering-type’ approaches. Process oriented ways of doing business will need to be at least complemented, if not largely replaced, by results-oriented ones. Organisations operating as virtual ‘silos or islands’ of activity under devolved authority arrangements will not only need to become more integrated with their partners, but will also have to become more externally focussed if they are to meet the needs of their ultimate clients cost-effectively. What is needed is a positive and encouraging framework for building relationships, dialogue and cooperation that can lead to:
Another important aspect of developing networked solutions is the greater availability of information and access to citizens as clients or customers. Information technology is providing significant opportunities for government to ensure that existing and potential clients have access to the information they require. Information technology provides both the basis to facilitate partnerships and a compelling justification for partnering. It has been suggested that one effect upon businesses of the electronic era, with its emphasis on e-commerce and related technology based service delivery, is that they are going to work more closely together. To fully exploit opportunities created by the Internet will require organisations to develop closer working relationships with stakeholders.11 Indeed, rapid advances in information and communication technologies are likely to demand the establishment of effective partnering and networking to ensure a responsive, efficient and cost-effective public sector providing seamless availability of information and other services to all stakeholders.
Governing the public-private sectors’ interrelationships
Convergence between the public and private sectors has drawn attention to sharing approaches and experiences in relation to corporate governance, particularly in managing the interrelationships. The main focus, however, has been on managing contracts and outsourcing arrangements.
Managing the risks associated with the increased involvement of the private sector in the delivery of government services, particularly through contract arrangements, has required the development and/or enhancement of a range of commercial, negotiating, project and contract management skills across the public sector. We have learnt quickly that outsourcing places considerable focus and emphasis on project and contract management, including management of the underlying risks involved both within and outside the public sector. The problem has been to achieve both management understanding of, and action on, these imperatives in a reasonable time period.
Over recent years, there has been considerable attention through the audits of the ANAO on the necessity of having in place the ‘right’ contract, as well as appropriate contract management arrangements, to assist in meeting organisational objectives and strategies. This reflects the greater involvement of the private sector in providing a wide range of public services. One important lesson we have learnt, and that is being reinforced constantly, is that:
… clear identification and articulation of contract requirements at the outset can save considerable time, cost and effort later in contract management.12
A common theme of these audit reports has been the deficiencies in the project management skills of agency decision-makers. This is of concern given that some of these projects involve substantial resources and complexity. As well, reports have flagged a need for care in assessing value for money and negotiating, preparing, administering and amending major contracts.
Our Parliament and media have also paid particular attention to these issues during recent years with several agencies receiving significant adverse comments and publicity. I am not alone, therefore, in stating that this situation has to be addressed as a matter of urgency. The various elements of the public sector that are involved in contract administration have to reverse such concerns to win back the confidence of all stakeholders and future audit reports will closely examine relevant contracting issues to ensure that this happens.
3. IMPLICATIONS FOR THE ROLE OF SAIs
There are many implications and consequences for public audit in the current changing governance environment. While there are variations in the mandate, focus and operating arrangements across constituencies, the fundamental role of SAIs remains substantially the same. That role is to provide the elected representatives of the community (the Parliament in our case) with an independent, apolitical and objective assessment of the way the government of the day is administering their electoral mandate and using resources approved by democratic processes, albeit in differing governance frameworks.
In my view, SAIs are an essential element in the accountability process by providing that unique blend of independence, objectivity and professionalism to the work they do. Indeed, the four national audit agencies making up the Public Audit Forum in the United Kingdom believe that:
... there are three fundamental principles which underpin public audit:
Corresponding with the public sector changes over time, the role of the SAI and the place of auditing in democratic government has also changed. In today’s environment, my role includes providing independent assurance on the overall performance and accountability of the public sector in delivering the Government’s programs and services and in implementing effectively a wide range of public sector reforms. And I cannot overstate the importance of the independence of the SAI in those respects. As the public and private sectors converge; as the management environment becomes inherently riskier; and as concerns for public accountability heighten; it is vital that SAIs have the professional and functional freedom required to fulfil, fearlessly and independently, the role demanded of them.
I would argue, therefore, that the role of SAIs is more important to effective, accountable and democratic governance today than at any time in the past. As the Public Audit Forum in the United Kingdom has observed:
Public audit plays an essential role in maintaining confidence in the stewardship of public funds and in those to whom the responsibility of stewardship is entrusted. Public auditors are, of course, themselves accountable for their performance and are duty bound to undertake their work in a professional, objective and cost-effective manner and with due regard to the needs of the organisations they audit.14
I would also suggest that, as we move into the future, and as the pace of change remains unabated, this trend will not decline, rather it is likely to increase. The roles and responsibilities of the public and private sectors will converge and, perhaps, the differences between the two will become more apparent than real in many aspects of the management task. However, the political environment and the notion of public interest will continue to create fundamental differences between the two sectors.
In Australia, the interests of the ANAO now go well beyond the efficient and effective stewardship of public finances which is said to be fundamental to good national governance.15 While I recognise the importance of legislation as a central element of public sector management, I also stress the Parliament’s concerns with the ‘rule of law’ as a fundamental element of governance. The ANAO is increasing its expenditure on legal advisings each year as a consequence of the extension of such concerns to the greater involvement of the private sector in government activities and service delivery, including considerations of ‘natural justice’.
From my Office’s perspective, reduced central oversight has meant a broadening of our approach to auditing, which once focussed largely on compliance and conformance, to a more pro-active involvement with agencies and entities with the goal of making more real-time contributions to enhancing public administration. For example, our better practice guides are designed to assist organisations test their own systems and where applicable, improve their practice and performance in line with recognised principles of better practice. Such practice is being derived from both public and private experience but, increasingly, is having to be developed by both parties in the new environment being created with apparently changing notions of accountability and performance assessment. On the other hand, there might be some kind of mixture of traditional public service ‘assurance’ accountability, aimed at protecting public moneys and other assets, and an accountability for results which reflects both sophisticated risk management approaches and commercial considerations as part of generating required outputs and outcomes.
That said, we are nevertheless conscious of our audit responsibility, particularly to the Parliament as our major stakeholder, to report, for example, significant and/or material breaches of approved guidelines, standards and/or legislation. From my experience, agencies generally understand this obligation even where such breaches are inadvertent. My preferred position would be to work with agencies to implement effective processes which are preventative and not just detective, so avoiding such situations. In this context, I see the relationship between internal and external audit and that with agency audit committees as being in the nature of an open partnership sharing common goals thus generating total confidence in the relationship. For most organisations, it is a maturing relationship that is still being tested as a major contributor to good corporate governance.
In my view, SAIs have a particular responsibility to the Parliament and to the Government to help ensure that accepted notions of responsibility, accountability and performance, including results, are being properly implemented by the public sector. This is a recognition of the supremacy of Parliament and the Government in the governance framework. Tensions have arisen, particularly in the context of Australian Parliamentary Committees, about the unfulfilled expectations arising from the trade-offs between providing greater management flexibility and the accountability for improved performance. In part, this perceived ‘failure’ can be explained by an inevitable time gap between the two events. There would also seem to be scope for agencies to not only take more initiatives to better inform the Parliament and its Committees about what they are doing, particularly in promoting greater accountability and performance management, but also to ensure that they are more attuned to the views and concerns being expressed by those stakeholders. As a result, public sector agencies and bodies should be better equipped to know just how Parliamentary expectations can be met, thus building up a more productive relationship.
While clearly having a responsibility to provide assurance about the observance of proper accountability by agencies for the protection and use of public sector resources, there is a parallel audit responsibility for reporting on agency performance. Such reporting can, and should, assist the political stakeholders to determine the nature and practice of accountability in the changing environment. The reality is, that without such determination, the everyday operational imperatives may mean that the nature and practice of accountability may be changing, virtually by default, in ways that may not be subsequently endorsed at the political level. This would be an untenable situation if public confidence is to be maintained in the governance framework.
The foregoing observation suggests to me that SAIs need to be more positive in their involvement in reviewing decisions and action being taken in the strategic management phases of an outsourcing situation, including in the latter’s implementation and not just after the event. No doubt such an approach would be greatly facilitated by the electronic capability to conduct audits in real time with direct access to agency systems and data banks. Admittedly, such auditing is still in its infancy in many constituencies but, as with the growth of the use of the Internet, Intranets and e-mail, we need to anticipate the demands of our various stakeholders, particularly those whose functions and business are substantially dependent on information technology and electronic communications. This need could also be met in part by a more pro-active approach either by an SAI itself, or in cooperation with other interested organisations, to produce suitable Better Practice Guides as an aid to agencies in developing areas of public administration, including for use in future audit examinations, for example as a basis for audit criteria.
The ANAO’s experience with outsourcing in recent years16, indicates that there is a range of challenges to organisations in seeking innovative solutions to the achievement of business outputs and outcomes through contracting. In particular, the audits have drawn attention to agency deficiencies, particularly in commercial and management skills, to implement risk management effectively in a contractual environment. This is basically a corporate governance issue exacerbated in some ways by the more restricted roles of central agencies in an era where the centrepiece of public service reforms is devolution of authority complemented by principles-based legislation that forms the governance framework for public sector agencies and other bodies.
Management of key business risks tailored to a contractual environment will ensure contracting achieves benefits such as increased flexibility in service delivery, greater focus on outputs and outcomes, freedom of public sector management to focus on higher priorities, suppliers encouraged to provide innovative solutions, and cost savings in providing services.17 The following is a checklist of risks and benefits of contracting versus in-house provision which was provided in a report18 of a study conducted into government contracts in the State of Victoria last year.
Table 1. Risk and Benefits
|
Contracted provision: benefits |
Contracted provision: risks |
|
|
|
Direct public provision: benefits |
Direct public provision: risks |
|
|
Managing the risks associated with the increased involvement of the private sector in the delivery of government services, in particular the delivery of services through contract arrangements, will require the development and/or enhancement of a range of commercial, negotiating, project and contract management skills across the public sector. As such they will be a key accountability requirement of public sector managers. Agencies have quickly learnt that contracting places considerable focus and emphasis on project and contract management, including management of the underlying risks involved both within and outside the public sector. The problem has been to achieve both management understanding of, and action on, these imperatives in a reasonable time period. The transition periods have usually left little scope for planned and managed adjustment. Failure to install planned transitional arrangements is not only increasing organisational risk, but also reducing management’s capacity to deal with it effectively, both in avoiding unnecessary costs and forgoing opportunities for enhanced performance.
Although the public sector may contract out service delivery, this does not necessarily equate to contracting out the total responsibility for the delivery of the service or program. The expectation of each agency and its management is to ensure that the government’s objectives are delivered in a cost-effective manner and to be accountable for that outcome and the manner of its delivery. The bottom line, as is often reiterated, is that accountability cannot be outsourced. However, in the more networked environment discussed earlier, we may need to re-think the practicality of the notion of some sharing of accountability where there is apparent sharing of responsibility.
The process of risk assessment and its treatment needs to be dealt with by agencies in an increasingly devolved environment, where they are also facing the challenges of managing outsourced service delivery and support. The following comment by Professor Richard Mulgan of the Australian National University on the accountability dilemma associated with the greater involvement of the private sector, particularly in the delivery of public services, is very challenging in these respects:
Contracting out inevitably involves some reduction in accountability through the removal of direct departmental and Ministerial control over the day-to-day actions of contractors and their staff. Indeed, the removal of such control is essential to the rationale for contracting out because the main increases in efficiency come from the greater freedom allowed to contracting providers. Accountability is also likely to be reduced through the reduced availability of citizen redress… At the same time, accountability may on occasion be increased through improved departmental and Ministerial control following from greater clarification of objectives and specification of standards. Providers may also become more responsive to public needs through the forces of market competition. Potential losses (and gains) in accountability need to be balanced against potential efficiency gains in each case.19
To be effective, the risk management process needs to be rigorous and systematic.20 If organisations do not take a comprehensive approach to risk management then directors and managers may not adequately identify or analyse risks. Compounding the problem, inappropriate treatment regimes may be designed which do not appropriately mitigate the actual risks confronting their organisations and programs. Recent ANAO audits have highlighted the need for:
I will say more later about dealing with risk in a control framework, not just as part of good corporate governance, but also as an important element of contract management.
Business continuity is at the core of effective corporate governance. When it comes to the crunch, there is little point in establishing a best practice governance framework, with all the associated discipline, if, at the end of the day, the business becomes impaired for some foreseeable reason or, worse still, ceases to operate for any length of time. Whilst there is clearly a cost that needs to be taken into account as part of any risk assessment, and indeed of the application of risk management approaches and techniques, I would suggest that a more positive approach by decision-makers would regard such a cost as an investment in the future of the business.
As a result of the greater interest in, and attention applied to, related issues, last year my Office prepared a Business Continuity Management Guide.21 The Guide includes two major features: the first part deals with business continuity management concepts in a risk management context; the second part identifies the processes and procedures required to be undertaken to produce a business continuity plan. (An accompanying Workbook provides a number of pro-forma schedules, working papers and questionnaires to facilitate the business continuity implementation process within agencies).
As I said when I launched the Guide in February last year:
The Guide … recommends that the business continuity plan be developed in conjunction with the risk management plan for the organisation. There are no short cuts in this area and no substitutes for systematic risk identification, assessment, prioritisation, treatment, monitoring and review, including systems testing.22
The Guide makes the point that organisations, through a structured, systematic process, must attempt to manage all significant business risks pro-actively, by implementing appropriate preventative controls and other risk treatments. This risk management process is designed to reduce the residual risk of an event—in terms of its likelihood of occurrence and/or its consequences, to an acceptable level. Moreover, for effective risk management, the Guide notes that it is equally important that organisations design controls that are implemented once a risk event has occurred. After all, it is the business interruption consequences that mainly determine the process. And this is a major concern in any outsourcing arrangement which has to be managed, particularly in transition stages. No-one wants to ‘bet their business’ and/or fail in their responsibilities to stakeholders, particularly citizens.
Private financing of government activities
A related topic is that of the use of private finance in areas of the public sector such as infrastructure, property, defence and information technology (IT) and the way in which this can lead to risk transfer. Again, the use of such a facility is a test of corporate governance arrangements, literally with shared responsibility, if not accountability. The key message in this context is the need for public sector managers to fully appreciate the nature of the commercial arrangements and attendant risks involved in private financing initiatives.
In the current budgetary environment, public sector entities in many countries have often found it difficult to provide dedicated funding for large projects out of annual budgets. The encouragement of private sector investment in public infrastructure by governments is one response to fiscal pressures. This gives rise to additional challenges and demands for public accountability and transparency because the parameters of risk are far different from those involved in traditional approaches to funding public infrastructure. Indeed, the potential liabilities accruing to governments may be significant.
Extensive use has been made of private financing in the United Kingdom (UK). The Private Finance Initiative (PFI) was introduced in 1992 to harness private sector management and expertise in the delivery of public services.23 By December 1999, agreements for more than 250 PFI projects had been signed by central and local government for procurement of services across a wide range of sectors, including roads, rail, hospitals, prisons, office accommodation and IT systems. The aggregate capital value of these projects was estimated to be some £Stg 16 billion.24
The UK National Audit Office (NAO) has noted that the private finance approach is both new and more complicated than traditional methods of funding public infrastructure.25 It brings new risks to value for money and requires new skills on the part of the public sector. Since 1997, the NAO has published eight reports on such projects. These reports collectively suggest that for privately financed projects to represent value for money, the price must be in line with the market, the contract must provide a suitable framework for delivering the service or goods specified, and the cost of the privately financed option (taking into account risk) should be no more than that of a publicly funded alternative.26
It is not easy to evaluate the overall benefits that accrue from PFIs. In financial terms, it has been recognised that it is difficult for the private sector to borrow as cheaply as governments can. This is because government borrowings are considered by markets to be risk-free relating to governments’ capacity to raise taxes and because of the absence of default by most sovereign borrowers. Accordingly, delivering financial benefits from private financing requires cost savings in other aspects of the project and/or the effective transfer of risk.
It is apparent that the PFI in the UK is being driven heavily by the objective to transfer risk.27 For example, in contracting the funding, design and management of IT and infrastructure projects to the private sector, the associated transfer of risk to private sector managers is being justified on the basis that they are better able to manage the risks involved. However, a report commissioned by the UK Treasury indicated that some invitations by public sector bodies to negotiate contract provisions included risks that could not realistically be best managed by the contractor.28 The report went on to advocate an approach involving the ‘optimum’ transfer of risk, which simply means allocating individual risks to those best placed to manage them. As usual, the devil is in the detail but experience is indicating some useful means of deciding on an appropriate allocation of such risks.
In Australia, most of the activity in private financing initiatives has occurred at the State Government level, particularly in relation to infrastructure projects such as roads. Prominent examples include the Sydney Harbour Tunnel and the M2 Motorway in Sydney29 and the City Link project in Melbourne. Of note is that these high profile projects have been the subject of external scrutiny that has raised concerns about the exact distribution of risk and financial benefits between the public and private sectors, for example as indicated by the following audit observations:
Significantly, there have also been concerns raised about public accountability for privately financed projects. These have stemmed from difficulties Parliaments have experienced in gaining access to contract documents. For example, in relation to the aforementioned M2 Motorway in New South Wales, the NSW Parliament was denied access to the contract deed between the public sector roads authority and the private sector counterpart.33
At the national level, there has been increasing interest in private financing initiatives, although to date there has been limited actual adoption, notably in the property and defence projects areas. The Department of Defence has recently committed itself to examining the merits of using private financing in the delivery of Defence services, with the aim of realising financial savings or improving effectiveness. Defence services included in this examination are to cover capital equipment as well as Defence facilities, logistical support and IT programs. The clear intention on the part of Defence in widening the use of private financing, reportedly for as much as 25 to 35 per cent of all future acquisition projects,34 is to achieve the best affordable operational capability.
As an aside, I note that, in rebutting some criticism that PFI in the Defence context has been seen as ‘simply putting Defence capital expenditure on the plastic’, the Under Secretary of the Defence Materiel Organisation has made the point that PFI will link the provision of the capital item or capacity with its life-cycle cost, and hence provide Defence with one payment for availability.35
An associated move that Defence is making in the area of private financing is to encourage increased participation in such financing methods by small to medium enterprises (SMEs). There are strong indications that SMEs presently feel that the opportunities presented by such initiatives are only within the scope of larger, national and international defence industry players.36 Interestingly, the Leader of the Opposition in the Federal Parliament recently indicated that a Labor Government would:
Of course, any substantial move towards private financing of Defence activities would need to consider what core business the Department needs to maintain in order to manage effectively the longer-term risks that are involved in any outsourcing. With this in mind, the Department has indicated in a Discussion Paper that private financing is to be considered for all capability proposals and tested as an acquisition method unless the capability:
In view of the growing interest in and use of private financing initiatives and the important financial, risk transfer and accountability issues raised, it can be expected that SAIs will increasingly focus their attention on examining such activities. It is hoped that such scrutiny can assist in optimising outcomes and providing assurance to the public and Parliaments about the processes adopted and outcomes achieved. The particular challenge for SAIs will be to determine what is meant as value for money in terms of the government purchasing policy of the day.
In testing value for money, specific attention, including close consideration, will need to be given by SAIs to ensuring that an adequate assessment (pricing) of risk to be transferred between the public and private sectors occurs before such transfer takes place. In that respect, there has to be an appropriate public sector comparator, including an assessment being made on a whole-of-government basis. In the latter respect, consideration needs to be given to, for example, the level of expenditure involved and the nature and extent of regulatory arrangements. Any savings determined are sensitive to the underlying assumptions used for any comparator as well as consistency of treatment between both the public and private sectors. A perceived lack of consistency has been an issue raised by the private sector in the context of the Government’s policy to market test corporate services in all public sector agencies.
The initial benchmark for comparison purposes is often the incumbent public service provision of similar goods or services. However, it is not uncommon for such benchmarks to be adjusted to improve comparability. This introduces further assumptions and subjectivity to the evaluation process. Unless risk is substantially transferred to the private sector, private financing may achieve little other than provide the private sector with the benefit of a very secure income stream, similar to a government debt security, but with the private sector able to earn returns above those available from investing in government debt securities. However, the transfer of risk to the private sector is only really cost-effective where the private sector is better able to manage and price these risks. Even where the risk has been transferred, there can remain a residual risk that the public sector may have to step-in where the private sector contractor experiences difficulties in meeting its obligations. This is because, where the provision of public services or goods is involved, private financing does not equate to contracting out ultimate responsibility and accountability for the outputs and/or outcomes concerned.
In this context, I commend the work done by the UK NAO in examining privately financed projects and in providing sound guidance to auditors on how to examine value for money of privately financed deals.39
The information technology (IT) outsourcing lessons
The outsourcing of IT in the Commonwealth sphere in Australia arose from a government decision known as the IT Initiative, which was to transfer around $A4 billion of IT provision in Federal agencies to the private sector. The Office of Asset Sales and Information Technology Outsourcing (OASITO) managed the Initiative centrally for the government through a series of tenders dealing with groupings of agencies (clusters). These clusters were determined without adequate consultation and involvement of the agencies concerned and, in effect mandated, as opposed to agencies being allowed voluntary participation in groupings with accepted synergy and shared purpose. Within the public service, there was a variable degree of support for the Office in the way it went about letting the tenders. Several Chief Executives had significant doubts about the ability of the Initiative to deliver the savings projected for it and/or to deliver the quality of service required.
In particular, those agencies where the IT requirement was predominantly scientific (for example the Bureau of Meteorology or the Commonwealth Scientific and Industrial Research Organisation) or otherwise related to the core activities of a particular agency (for example, the payment of pensions) the arrangement posed significant problems of corporate governance for them. The approach taken by OASITO was designed to implement the Government’s policy agenda under centralised direction (and control) despite the perceived reluctance (buy-in) of some of the agency heads because they did not have the degree of control necessary to best manage transition risks, and because they were ultimately responsible for the agency outputs and outcomes and the budgets involved.40
Preliminary studies identified significant savings that would accrue from implementing the Initiative. Indeed, the projected savings from the implementation of the IT Initiative were removed, upfront, from the respective agency’s forward estimates. What is significant is that the financial evaluation methodology applied in the tenders did not allow for two key factors that were material to the assessment of savings arising from outsourcing the services. The evaluations did not consider the service potential associated with agency assets expected to be on hand at the end of the evaluation period under the business-as-usual case, or the costs arising from the Commonwealth’s guarantee of the external service provider’s (ESP) asset values under the outsourcing case. Consequently, the financial savings realised by the agencies from outsourcing, as quantified in the tender evaluations, were overstated. This was disputed by OASITO, the central oversighting agency (the Department of Finance and Administration) and by the Minister concerned.
A major issue turned on interpretation of the accounting standard dealing with financial and operational leases. The different interpretations extended into the private sector which were later reviewed by the Joint Committee of Public Accounts and Audit (JCPAA). At the time of preparation of this paper, the JCPAA was still conducting its own inquiries into the IT Initiative and the outsourcing experience to date.
The ANAO identified a range of issues on which agencies should place particular focus in the management of IT outsourcing arrangements as follows:
As a response to the audit, the Government commissioned the recent review of IT outsourcing conducted by Richard Humphry (Managing Director, Australian Stock Exchange). The independent review recognised the implicit management dilemma described above and recommended that, because Chief Executive Officers (CEOs) of agencies had the statutory responsibility, they should be responsible for the outsourcing decisions. In particular, decisions that impacted upon the core business of the agency needed to be taken at agency level. Mr Humphry remarked:
Priority has been given to executing outsourced contracts without adequate regard to the highly sensitive risk and complex processes of transition and the ongoing management of the outsourced business arrangement.41
The review pointed out that there were several risk management lessons to be learned as follows:
The review drew heavily on the Standards Australia publication HB 240:2000, Guidelines for Managing Risk in Outsourcing.
The Government agreed with the ten recommendations made by the review, some with qualification.43 This included that responsibility for implementation of the IT Initiative be devolved to Commonwealth agencies in accordance with the culture of performance and accountability incorporated in the relevant financial management legislation. Agencies are required to obtain value for money (including savings) and maximise Australian industry development outcomes. Agency heads will be held directly accountable for achieving these objectives within a reasonable timeframe, as well as grouping with other agencies at their discretion, wherever possible, to establish the economies of scale required to maximise outcomes.
Agencies will also be responsible for addressing implementation risks. A separate body will be established within the Department of Finance and Administration to advise agencies, at their request and on a fee for service basis, on managing their transition. Audit experience indicates that the agency emphasis has to be on developing a robust analysis of business requirements at the initial stage, which would be the basis of a strong business case for whatever IT strategy is developed. Without OASITO’s involvement, the industry can now deal directly, from the outset, with the people responsible for the function and related outputs and outcomes, as well as with those who will be managing the contract. The inability to have this relationship was the subject of criticism by the industry under the previous arrangements managed by OASITO. This is a significant lesson for all future outsourcing arrangements.
Of particular concern to contract managers, in an outsourcing situation, is how to establish a sound contract and contracting environment. One area of expertise they seek in this process is legal advice. For example, there are legal risks in terms of determining who is liable for the service delivery deficiencies—these questions bear on the strength and completeness of the contract arrangements. Outcomes can be difficult to specify and indeed may even be the combined product of more than one agency, as I noted earlier. Given these complex linkages, it can therefore be difficult to specify, in order to press for successful contractor performance, the circumstances in which ‘non-performance’ has occurred or what constitute enforceable responses.
Legal advice should be framed with reference not only to the contract but should also give consideration to the relationship between the contractor and government organisation and the risks the government is exposed to by contracting-out that particular service. OASITO’s legal advisers conducted a high level assessment of the legal risks associated with the provision by an external contractor of IT infrastructure services to agencies within a cluster. A considerable number of such risks were identified.44 Inevitably, so-called transactions costs associated with outsourcing arrangements seem to be overlooked and/or under-stated. Equally, unfortunately, is that experience to date has generally shown a risk averse approach to contracting and contract management which has led, in some cases, to an ineffective and inefficient provision of the services under contract. The issue is not simply about a process or rules-based culture of public service as opposed to being more responsive and results oriented. The concern is about achieving the ‘right’ balance of complementary behaviour and approach to meet both accountability and performance imperatives in sometimes widely varying situations. A robust corporate governance framework can help achieve such a balance.
Effective contract administration in the public sector goes beyond simply trying to hold contractors to account for each minute detail of the contract. To get the most from a contract, the contract manager and contractor alike need to nurture a relationship supporting not only the objectives of both parties but also one that recognises their functional and business imperatives. It is a question of achieving a suitable balance between ensuring strict contract compliance and working with providers in a partnership context to achieve the required result. According to the OECD:
‘A good contract is one that strikes, at a level which will be robust over time, a balance between specification and trust which is appropriate to the risks of non-performance but does not impose unnecessary transaction costs or inhibit the capacity or motivation of the agency to contribute anonymously and creatively to the enterprise in question.’45
A recent innovation, at least in the Australian context of public sector contracting, has been the use of project alliancing, for the construction of the National Museum of Australia (NMA) and the Australian Institute of Aboriginal and Torres Strait Islander Studies (AIATSIS).46 A relatively new method of contracting, a project alliance is an agreement between two or more parties, the project owner and the contractor/s, who undertake work cooperatively, on the basis of sharing the risks and rewards of the project. Although project alliancing is a business relationship, the aim is to achieve agreed commercial outcomes based on the principles of good faith and trust. As such it offers potential benefits over traditional contracting but also raises new and different risks that have to be managed. Again it is important that staff required to manage the project have the appropriate skills and knowledge in order to ensure that the project results are effectively achieved. In a recent presentation to ANAO staff, Professor John Langford of the University of Victoria in Canada observed that the general consensus about managing alliances was that it was as difficult as ‘stirring concrete with eyelashes’, a mind-boggling thought.
The recently issued ANAO Better Practice Guide on Contract Management47 emphasises the importance of not only dealing effectively with risk in contracts but also in developing and maintaining a relationship with the contractor that supports the objectives of both parties and focuses on the agreed results to be achieved. However, as recently observed by the Senate Finance and Public Administration References Committee, there are also concerns that both parties do not understand, or are insufficiently aware of, the requirements for parliamentary accountability.48
Access to information and premises
A particular issue facing many of us49, is that of access to contractor records and other information relevant to public accountability. My Office has experienced problems in accessing contractor information both through audited agencies and in direct approaches to private sector providers. This matter is of concern not only to SAIs, but also to public agencies in their role as contract managers, to executive government as decision-makers, and to the Parliament when scrutinising public sector activities.
In this context, I noted with some interest in a recent United Kingdom (UK) National Audit Office Report50 that a public authority had faced great difficulty in getting timely information on the true extent of the private sector provider’s financial difficulties. This was because, under the contract, it had no access to the contractor’s underlying financial records.51 However, the Report also noted that greater rights of access to the private sector party’s financial records are now standard in that country.52
As part of performing a statutory duty to the Parliament, the SAI may require access to records and information relating to contractor performance. In my case, the legislative information-gathering powers53 are broad but they do not include a statutory right of access to contractors’ premises to obtain information.
In September 1997, my Office circulated draft model access clauses to agencies and recommended their insertion in appropriate contracts. These clauses give the agency and my Office access to contractors’ premises and the right to inspect and copy documentation and records associated with the contract.
The primary responsibility for ensuring there is sufficient access to relevant records and information pertaining to a contract lies with agency heads. A Chief Executive must manage the affairs of the Agency in a way that promotes proper use (meaning efficient, effective and ethical use) of the taxpayers’ resources. Such an arrangement reflects the principles of good governance accepted internationally.
For accountability measures to be effective, it is critical that agencies closely examine the nature and level of information to be supplied under the contract and the authority to access contractors’ records and premises as necessary to monitor adequately the performance of the contract. I stress ‘as necessary’ because I am not advocating carte blanche access. I consider that access to contract related records and information should generally be equivalent to that which should reasonably be specified by the contracting agency in order to fulfil its responsibilities for competent performance management and administration of the contract. Access to premises would not normally be necessary for ‘products’ or ‘commodity type’ services, such as cleaning, which are provided in the normal course of business. It would be a different matter where government information or other significant assets were located on private sector premises.
The inclusion of access provisions within the contract for performance and financial auditing is particularly important in maintaining the thread of accountability with government agencies’ growing reliance on partnering with the private sector and on contractors’ quality assurance systems. In some cases, such accountability is necessary in relation to government assets, including records, located on private sector premises. Recently, a Parliamentary Committee drew attention to its right to access documents and information necessary for it to effectively conduct an inquiry into the government’s IT Outsourcing Initiative, where, in its opinion, accountability had been undermined54.
The JCPAA has recommended that the Minister for Finance and administration make legislative provision for such access.55 The Government response to that report stated that:
its preferred approach is not to mandate obligations, through legislative or other means, to provide the Auditor-General and automatic right of access to contractors’ premises.
and that
the Government supports Commonwealth bodies including appropriate clauses in contracts as the best and most cost effective mechanism to facilitate access by the ANAO to a contractor’s premises in appropriate circumstances.56
The response also stated that:
the Commonwealth Procurement Guidelines would be amended to emphasise the importance of agencies ensuring they are able to satisfy all relevant accountability obligations, including ANAO access to records and premises.57
While noting the Government’s response, the ANAO continues to encourage the use of contractual provisions as the key mechanism for ensuring agency and ANAO access to contractor’s records for accountability purposes. The ANAO is currently in discussions with the Department of Finance and Administration to review the content of the standard access clauses and intend to write again to agencies recommending the use of the clauses once this consultation process is complete. This issue has implications for agencies’ security responsibilities particularly where direct control over Commonwealth assets and/or information reside with a private sector provider. Specific responsibility is set out in the Commonwealth Protective Security Manual 2000 (PSM 2000) as follows:
The agency must be able to carry out an examination of the contractor’s security procedures when undertaking its regular audit or review of the contractor’s methods and procedures. Access must be permitted for a security risk review to evaluate the contractor’s security procedures.58
Interestingly, PSM 2000 indicates that a contract must include a general clause providing the agency with rights of access to the contractor’s premises and, where necessary, a clause specifying the contractor’s right of access to agency premises. I will say more about privacy and security issues later.
Although the foregoing comments draw particularly on the Australian experience, the issue is one that faces many SAIs. The general principle is that SAI access to the premises and records of contractors should be at least a feature of all government contracts if it cannot be provided for legislatively. Such an arrangement is necessary to provide proper standards of accountability. A similar observation can be made in relation to the issue of legal professional privilege attached to advice given by private sector legal firms to agencies subject to audit. Practically, it is a matter for such agencies to determine how that privilege is exercised. Nevertheless, there is a question as to whether agencies could legally deny production of required documents to audit given that privilege resides in the legal entity covering both parties. However, in my view, this should be a matter that can be resolved by the recognition of the audit obligation as part of agency accountability, not as a test of my powers under the Auditor-General Act 1997.
Commercial-in-confidence information
Situations have arisen where performance data relevant to managing a contract is held exclusively by the private sector. Also, private sector providers have made, on many occasions, claims of commercial confidentiality that seek to limit or exclude data in agency hands from wider parliamentary scrutiny. Thus accountability can be impaired where outsourcing reduces openness and transparency in public administration.
The Australasian Council of Auditors-General has released a statement of Principles for Commercial Confidentiality and the Public Interest59. Of particular concern to Council members has been the insertion of confidentiality clauses in agreements/contracts that can impact adversely on Parliament’s ‘right to know’ even if they do not limit a legislatively protected capacity of an SAI to report to Parliament. For example, the then Auditor-General of Victoria commented that:
… the issue of commercial confidentiality and sensitivity should not override the fundamental obligation of government to be fully accountable at all times for all financial arrangements involving public moneys.60
This view has been echoed in almost every audit jurisdiction. For example, the Chairman of the Tasmanian Public Accounts Committee stated:
Maintaining secrecy by confidentiality clauses in contracts is adverse to the Parliament’s right to know. Confidentiality clauses should not, therefore, be used in contracts unless there are specific approvals for them by the Parliament itself.61
I am sensitive to the need to respect the confidentiality of genuine ‘commercial-in-confidence’ information. In my own experience, I have found that, almost without exception, the relevant issues of principle can be explored in an audit report without the need to disclose the precise information that could be regarded as commercial-in-confidence. In this way, the Parliament can be confident it is informed of the substance of the issues that impact on public administration. It is then up to the Parliament to decide the extent to which it requires additional information for its own purposes. This view is supported by the Victorian Public Accounts and Estimates Committee in a landmark report last year, as follows:
‘Commercial-in-Confidence should not prevent Auditor-General and Ombudsman from disclosing information where they assess its disclosure to be in the public interest’62
The Chairman of that Committee recently reiterated that a variety of options exist for dealing with commercially sensitive material and that, where genuine reasons exist, it is possible to take a middle ground between unrestricted access or total confidentiality.63 The Chairman went on to note that the only Committee recommendations rejected outright related to the disclosure of information contained in tenders (as opposed to contracts) and the conferral on the Ombudsman of an extended oversight role in relation to commercial-in-confidence claims64.
Commercial confidentiality concerns have also been addressed by a number of Commonwealth Parliamentary inquiries.65 Recently, the Senate Finance and Public Administration References Committee, in its Inquiry into the Mechanism for Providing Accountability to the Senate in Relation to Government Contracts, addressed a motion that had been put before the Senate by Senator Andrew Murray. Senator Murray’s motion sought to achieve greater transparency of government contracting through passage of a Senate Order that would require:
The Committee’s report noted that, at almost every estimates hearing, information is denied Senators on the grounds that it is commercially confidential.
Senator Murray’s motion can be taken as a further indication of Parliament’s frustration with insufficient accountability reporting associated with government contracting and a belief that commercial-in-confidence provisions are used excessively and unnecessarily in contracts. Most recently, the Senate Finance and Public Administration References Committee commented that:
The need for confidentiality should be interpreted as narrowly as possible to ensure that the maximum amount of information is in the public domain.66
My Office is currently undertaking a performance audit of the use of confidential provisions in the context of commercial contracts. The audit is seeking to:
The report of the audit has not yet been presented to Parliament so I am unable to provide details of the outcome. The audit approach has been to work cooperatively with several agencies to distil their experience and so provide a framework for wider applicability across the Australian public/private sector interface. I would expect that this framework would then provide criteria for future audit examinations that are relevant, robust and reasonable.
Privacy and security
For the public sector, the increased involvement of the private sector in the provision of public services, the security of agency data, and particularly electronic data, is another critical issue that needs to be effectively managed. Contracts negotiated between Australian federal public service agencies and their private sector providers must include provisions which acknowledge Australian Federal Government IT security requirements. In addition to the technical issues associated with the protection of the data held by government agencies from unauthorised access or improper use, there are also issues associated with the security of, for example, personal information held by government. Contracts for outsourcing service delivery need to ensure that prospective service providers are aware of the standard of protection that comes from dealing with people on behalf of the government and that the mechanisms in place do provide effective privacy protection. A watchful citizenry will want to be certain that agencies and their contractors cannot evade their obligations.
To fully address such concerns, a Better Practice Guide, recently prepared by the ANAO,67 suggests that agency Internet websites should incorporate a prominently displayed Privacy Statement which states what information is collected, for what purpose, and how this information is used, if it is disclosed and to whom. It should also address any other privacy issues.68
The risks involved in broadening networks and Internet use also raise issues associated with who has access to the records. This has consequences for the privacy and confidentiality of records, which are of considerable concern to Parliament. This is particularly the case during outsourcing, where private sector service providers have access to collections of personal records that could be used for inappropriate purposes, such as sales to other private sector organisations of mailing lists.
All Commonwealth agencies are subject to the Privacy Act 1998, which contains a number of Information Privacy Principles (IPPs) that provide for the security and storage of personal information. The Privacy Act defines personal information as:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.69
The IPPs state that if a record is to be given to a service provider, the recordkeeper (ie the agency) must do everything reasonably within its power to prevent unauthorised use or disclosure of information contained in the record.
The increased involvement of the private sector in the provision of public services raises issues about the security of agency data and records, particularly in electronic form. In the past, the obligations that apply to Commonwealth agencies under the Privacy Act have not applied to private sector organisations. However, the Privacy Amendment (Private Sector) Act 2000 passed in December last aims to provide privacy protection for personal records across the private sector, including those organisations providing outsourced services to the public sector. The Act enables a contract between a Commonwealth agency and the private sector supplier to be the primary source of the contractors’ privacy obligations regarding personal records. The contractual clauses must be consistent with the IPPs that apply to the agency itself, and details of these privacy clauses must be released on request. The Act:
aims to control the way information is used and stored, and bring to justice those who abuse private information for their own ends. Placed in the insecure context of e-commerce and e-mail transmission of personal details, issues of privacy have become more significant.70
For many organisations, including health services, the new private sector provisions will commence on 21 December 2001. For small businesses to which the provisions will apply (except health services), the new provisions will commence one year later. The Act will apply to ‘organisations’ in the private sector. An organisation can be an individual, a body corporate, a partnership, an unincorporated association or a trust. It will cover:
A key provision of the Act is the inclusion of ten ‘National Privacy Principles for the Fair Handling of Personal Information’. These Principles set standards about how business should collect, secure, store, use and disclose personal information72. The Act makes a distinction between ‘personal’ and ‘sensitive’ information. The latter includes information on a person’s religious and political beliefs and health, where the private sector is more strictly limited in its collection and handling. This legislation is likely to have a marked impact on that sector’s involvement in the delivery of public services.73
For those organisations and industry sectors seeking to develop their own privacy codes, the Privacy Commissioner released for comment a draft set of Guidelines on 10 April which are available on the Commissioner’s web-site (www.privacy.gov.au).
Section 95B of the Privacy Amendment (Private Sector) Act 2000 requires agencies to consider their own obligations under the Act when entering into Commonwealth contracts and obliges them to take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done by the agency. The obligation on the agency extends to ensuring that such an act or practice is not authorised by a subcontract.
To ensure that individuals can find out about the content of privacy clauses agreed between agencies and organisations and included in Commonwealth contracts, section 95C enables a person to ask a party to the contract for information about any provisions of the contract that are inconsistent with an approved privacy code binding the party or the National Privacy Principles. The party requested must inform the person in writing of any such provisions. This ensures that parties to a Commonwealth contract cannot claim that provisions are confidential in respect of privacy standards in Commonwealth contracts, thereby preserving accountability and openness in respect of these standards.
Agencies must also consider the privacy of personal records that are provided to other public sector entities for purposes such as data-matching. There are quite valid privacy protection reservations about the use of data matching, but there is no doubt that it has facilitated better decision-making as well as saving the taxpayer many hundreds of millions of dollars.
Although they probably do not come within an strict Privacy Act definition, the use of clickstream data (collecting information on access to the site, such as server address, top level domain name, pages accessed and so on) and cookies (that can be used to track individual’s activities on a web site) are important sources of data on performance that have privacy implications. Many users consider cookies, in particular, intrusive. For practical purposes they should be treated in the same way as other privacy related material. In the interests of transparency their use should be declared.
The current and emerging issues that I have mentioned will continue to become
significant as agencies grapple with the challenges presented by the present APS
environment, such as increased outsourcing and IT usage. As new high risk areas
emerge, public sector agencies need to adopt modern practices to correct
underlying management problems that impede effective system development and
operations, even where these are outsourced. Robust corporate governance
processes that are pervasive throughout an organisation will both help to
identify and deal with such problems. Record-keeping is basic to such processes.
That is also a focus of audit activity and which is also central to its
effectiveness.
Audit reports have also examined the usefulness of adequate and accessible register systems, and appropriate physical security measures for important and confidential documents, such as Commonwealth guarantees, indemnities and letters of comfort. The ANAO's audit of the Operation of the Classification System for Protecting Sensitive Information74 found that all organisations covered by the audit were not adequately protecting the confidentiality of sensitive information in accordance with the Commonwealth's security classification system, policy and standards, and recognised best practice. As a result, there was a high risk of unauthorised access to sensitive information within most of the organisations examined, particularly in relation to staff and other people dealing with the organisations, such as contractors and clients.
An audit survey found that security was an important issue for agencies intending to use the Internet. Fifty-three of all agencies covered rated data security as a high, or very high, impediment to the introduction of electronic service delivery (ESD). Indeed, this reflects the increasingly confidential, sensitive and, indeed valuable, information that is being shared over both internal and external networks. Such concerns are being exacerbated by the use of developing wireless technologies which have still to pass any stringent security testing. Access is both a technical and a security issue. The current trend towards increased contracting with the private sector for the provision of government services provides a challenge, not only for agencies' accountability, but also for the SAI's actual ability to access the relevant records, as I discussed earlier.
A particular issue bearing on the outsourcing question became apparent in an audit we conducted on internal fraud control arrangements in the Australian Taxation Office (ATO)75. The ANAO noted the significant risks associated with ensuring the security of the ATO IT systems. These risks related primarily to the storage of taxpayer data on the ATO Wide Area Network and the granting and monitoring of staff access to the ATO IT systems.
The audit also found that these risks factors increased due to the outsourcing of many IT systems functions. This was the result of the IT contractor’s staff having limited exposure to ATO fraud prevention, education and awareness material and programs in comparison to that of ATO employees.76 As well, the ATO could provide no evidence that the IT security section had monitored contractors’ activity to ensure compliance with taxpayer data security provisions of its outsourcing contracts.77
Administrative law considerations
Inevitably, contracting-out blurs the boundary between public and private law. In particular, the way in which citizens may seek remedy under administrative law for decisions taken by a body that is not itself a statutory body or a government agency.
As one commentator has noted:
The administrative law system is the principal means by which government is accountable to individuals. It also reinforces and complements the mechanisms for financial and political accountability.78
Unless great care is taken, contracts can have the effect of removing an individual’s access to:
Governments are responsible for a wide range of outcomes that affect the well-being of its citizens. That well-being can be understood differently in the context of a variety of social, economic, and political considerations. Governments are obliged to pursue that responsibility by selecting the most appropriate means available to them at the time. Contracts are one such instrument. The move to greater contracting by governments has been largely prompted by considerations of efficiency. But the efficient use of the public resources is not all there is to public governance. It is important that contracts entered into on behalf of the government do not have the effect of unnecessarily restricting the freedom of policy action by successive governments, while recognising the advantages in certain areas of longer term contracts for all parties concerned.
Contracts for the supply of goods and services often extend for periods in excess of the particular life of the Parliament or the government of the day. Some have consequences that can last for generations, for example, water or waste management. What is important in these circumstances is that administrators do not enter into contracts that have the effect of unnecessarily limiting the ability of governments to use their executive power flexibly for the public good. While there are clearly policy issues involved in this connexion, which are generally outside the SAI mandate, there are also resourcing and other issues which would be integral to any contract on which audit assurance would be sought.
Equity Law and natural justice
In any consideration of Government contractual arrangements there are also considerations of the law of equity. A former Chief Justice of the High Court of Australia, Sir Anthony Mason, has remarked:
One aspect of the latest developments in equity is the increasing penetration of equitable doctrine into contract and commercial law…
and
It seems inevitable that equity’s penetration of commercial transactions, which depends so much on the way in which parties formulate their contracts and shape their arrangements will increase.79
In Australia, the High Court has made it clear that equitable doctrines can apply to the Government as well as to individuals.80
My colleague, the Auditor-General of South Australia makes the following comment:
Where Government transactions are complex and the details of contractual arrangements are confidential the likelihood that outsiders will misunderstand the relationship between the Government agency and private parties increases substantially. The result is a potential future liability of Government for the reasonable reliance by those outsiders due to representations made either by the Government or the private parties involved in the transaction. It has been suggested that the protection of reasonable expectations is more important when government is involved because ‘government should act and be obliged to act as a "moral exemplar" in its relationships and dealings with members of the community’.81
Consistent with the Attorney-General’s responsibility for the maintenance of proper standards in litigation, the Commonwealth Government and its agencies must behave as a model litigant in the conduct of litigation. Being a model litigant requires us to act with complete propriety, fairly and in accordance with the highest professional standards. This expectation has been recognised by the Courts.82
In practical terms, the foregoing discussion suggests that there is a higher standard of integrity demanded of governments and administrators when dealing with the private sector. It is also important to see that where external service providers operate on the government’s behalf, they understand and abide by that higher level of expectation. Ultimately it is the government administrator who is responsible for ensuring that higher expectations of service are met but, as noted earlier, there may be scope in collaborative arrangements for shared responsibilities in this respect.
A particular issue has arisen in relation to our performance audits about the coverage of private sector individuals and firms. As with a number of other SAIs, we provide a copy of our draft reports, in part or whole, to those affected for their comment. Our legislation provides for a period of 28 days for submission of comments on draft reports, which I must consider before preparing a final report (Section 19 of the Auditor-General Act 1997). In english common law terms, we have to provide ‘natural justice’, or procedural fairness as some term it, to those identified in our reports. Because of some uncertainty as to the extension of Parliamentary Privilege to such reports, questions of defamation action have arisen. This has resulted in the ANAO having to seek legal opinions on some of its reports dealing with private sector participation in government activities.
However, there has also been a problem of the private sector seeing the draft report commentary process as being one for ‘negotiation’ as to what is to be included in the final report, rather than ensuring that the ANAO has an accurate understanding of the ‘facts’ of the situation and that those ‘facts’ are correct as would normally occur with public sector agencies and bodies. I made the point in my annual report last year that:
…full cooperation in responding on this basis will save all parties considerable time and cost and engender confidence in the process.83
I went on to observe that conflicts of public and private interests are not new, but their resolution in performance audit reports is a challenge to all parties without a genuine shared understanding of what constitutes public accountability and, indeed, performance and results.
Values and Ethics
It hardly needs to be emphasised that the ethical administration of government contracts is a key consideration of SAIs. In practical terms, however, this involves the application of a range of forensic auditing skills that are not often within the skillset of our public auditors. Conflicts of interest, whether real or apparent, can become increasingly difficult to define, let alone identify, as agencies become further removed from the locus of decision making. At least contracts should be examined to make sure that they establish suitable procedures to expose potential real or apparent conflicts of interest.
The Financial Management and Accountability Act 1997 requires Chief Executives to promote the efficient, effective and ethical use of Commonwealth resources for which the Chief Executives are responsible (part 7, section 44). The Public Service Act sets out the Australian Public Service (APS) Values (part 3, section 10), and the APS Code of Conduct (part 3, section 13). In addition, an agency head must uphold and promote the APS Values (part 3, section 12), as well as being bound by the Code of Conduct (part 3, section 14). The latter section also binds Statutory office holders. These Values and the Code of Conduct form the framework for the ANAO’s Code of Conduct which also includes our professional responsibilities.
At the very least, private sector providers need to have these Values and Codes of Conduct brought to their attention. It is highly desirable that they not only be informed of, but also make some effort to understand the requirements and implications for identified performance and results to be achieved. There are community concerns that private sector service providers are not subject to the same legal requirements as public servants are in these respects. However, it is clearly difficult to impose contractual conditions involving values and ethics that are practically enforceable. That conundrum points to the need to agree on a shared culture, including values and ethics as part of any partnership or collaborative agreement between public sector agencies and private sector providers.
Service credits as part of the contractual arrangements
In the IT Outsourcing audit, the agreements provided for the payment of service credits to the agencies by the respective ESPs where contracted service levels were not met. For technical legal reasons they were not referred to as penalties, although the concept is similar. Each agreement provided the relevant agencies with discretion to impose or not service credits accrued as a result of the ESP’s contractual non-performance. One of the groups audited exercised its discretion and applied a period of grace during which ESPs would not be liable for service credits, while the other applied the service credits as they fell due. Under this arrangement some $1.3 million in service credits were not imposed and a lower minimum level of service for business-critical services was agreed for a period of time.
In terms of the financial accountability requirements of the Commonwealth, better documentation of the analysis that supported this decision, and the subsequent monitoring arrangements, would have improved the transparency of decision-making on the matter. In other words, there is no inherent problem with providing agencies with discretion in various areas of agreement for outsourcing. However, where agencies exercise the discretion in favour of the ESP, the basis for that decision must be available for scrutiny. Any system of rewards and sanctions (penalties) has to be credible in terms of practical implementation but, importantly, the arrangements have to be handled transparently. This is not only to provide assurance about the possibility of fraudulent behaviour but also to ensure that there is a clear basis for assessing value-for-money outputs and outcomes. In short, there needs to be a clear audit trail for the benefit of all parties. There has been debate as to whether it is sensible to include rewards and sanctions in a legally binding contract or whether they can be better handled through relational agreements. The Humphry review of the IT Initiative, referred to earlier, noted that a number of agencies sometimes felt that, on occasions, some service providers:
might be prepared to accept financial sanctions if they were imposed under the terms of the contract, rather than to invest resources in resolving the performance issues.84
This would not be in the interests of the agency, nor of its stakeholders. Therefore, we need to have some more generally accepted approach. Whatever the arrangement, the bottom line is that it has to be auditable.
As a consequence of the greater use of contracted services as components of program delivery, contract management has become a more critical element in public administration. It is therefore incumbent on public managers to refine their skills and knowledge to embrace their role as managers of contractual arrangements, as well as the developers of policy.
The Australian Parliament, through the Joint Committee of Public Accounts and Audit (JCPAA) reinforced this view in their report on Contract Management noting
‘the search for excellence in contract management as one of the pressing challenges for the Australian Public Service’.85
The ANAO has produced a Better Practice Guide on Contract Management, which was developed from the experiences gained in an audit on the management of contracts for the delivery of business support processes.86 The audit concluded that elements of the control framework operating over the contract administration, monitoring and succession phases of the contract lifecycle required improvement in most of the organisations examined. In particular, management attention and action were required in relation to aspects of risk management, the control environment, information and communication, monitoring and review and performance measures for the quality of service delivery.
In addition to the above, the audit identified a number of better practices in the management of contracts in public sector organisations, as well as the need for guidance to assist organisations in the achievement of effective contract management, particularly in the application of risk and measurement of supplier performance.
The Better Practice Guide contains research and experiences of better practices in contract management in Australia and internationally. It places considerable emphasis on achieving an appropriate contract relationship to best manage risk in each situation. While we expect contract managers to deal with these issues, it is the responsibility of chief executives and senior management to ensure their people are adequately skilled, empowered and resourced to enable them to do their job efficiently and effectively.
It is important that users take the ideas in the Guide and adapt them appropriately to suit the needs of their particular organisation and the risks, nature and complexity of individual contracts. One size does not fit all circumstances. The Guide does not promote change for the sake of change. Rather, it provides a basis on which administrative processes may be considered against a well-designed risk management framework that encourages a focus on outcomes and results.
The stages in the contract management lifecycle are addressed in terms of the application of practical risk management approaches and techniques. The contract management lifecycle has been broken down into seven steps as follows:87
Table 2: Contract management life cycle
|
Step |
Lifecycle Activity |
|
Step 1 |
Specifying the activity |
|
Step 2 |
Selecting the acquisition strategy |
|
Step 3 |
Developing and releasing the tender documentation |
|
Step 4 |
Evaluating the tender bids |
|
Step 5 |
Decision and implementation |
|
Step 6 |
Ongoing management |
|
Step 7 |
Evaluation and succession planning |
The Guide does not attempt to address issues associated with tender and contract negotiations, but rather focuses on providing guidance on the transition or implementation of the contract, ongoing management and succession planning. However, as the Guide indicates, there is an important relationship in the lifecycle that needs to be kept in mind:
One factor which experience shows can benefit all parties is to ensure at least some continuity between those involved in the tender stage and the contract negotiation stage and with (sic) the actual contract management.88
The following areas are key to contracting success.
Dealing with risk in a control framework
The competent management of the contract is often the key means of control over outputs and their contribution to outcomes. The Guide discusses in some detail the steps in the risk management process with specific regard to the risks involved in contracting, including how to establish the context, the process for assessing risks, the implementation of treatments and ongoing monitor and review. It also identifies characteristics of both internal and external risk (see Figure 1). The following observation in the Guide is well illustrated from both Australian and international experience:
The difference between a contract delivering benefits, and one that does not, can be often attributed to the way that the risks associated with the delivery of those services are managed.89
The application of risk to contract management is also presented in relation to the impact of risk on the most appropriate relationship style for the contract. This recognises the need to not only look at contract management as enforcement of the contract but to take a more holistic approach to delivering the goods or services. Contract relationships form a continuum from traditional to non-traditional, with the most effective mix dependent on the risks to the organisation in failure of the service provision and the likelihood of failure. I will discuss the importance of relationships in more detail later.
Potential risks that might arise from contracted arrangements with private sector interests, include:
There are also legal risks in terms of determining who is liable for the service delivery deficiencies—these questions bear on the strength and completeness of the contract arrangements. Because outputs can be difficult to specify (and indeed may even be the combined product of more than one agency, as noted earlier), it can be difficult to specify the circumstances in which ‘non-performance’ has occurred, in order to press for successful contractor performance, given these complex linkages and, moreover, to specify enforceable responses.
I would emphasise the importance of considering levels of poor performance and mechanisms to address such an issue in the early stages of negotiation. These mechanisms should then be built into the contract and agreed operating procedures. It is simply no longer sufficient to threaten cessation of the contract when poor performance is detected. Agencies need a more robust framework for working through the issue to ensure successful resolution and continuance of the service, including a better basis for future discussion and settlement of performance requirements. Such resolution might include the public sector agency having to take back particular risks which were previously allocated to the private sector provider. For example, in the UK National Audit Office Report quoted earlier, the Royal Armouries Museum in Leeds had to assume the demand risk that visitor numbers would be insufficient to ensure the Museum’s future survival.90
Transition to the contractor
The objectives of transition are to establish a strategy to manage the transition to contracted service delivery, minimising the chances of a loss of service delivery and the impact on clients and other stakeholders.
It is during the transition, as accountability arrangements and changed organisational structures are bedded down, that the greatest risk to effective decision-making arises. This was particularly apparent in the audit of the implementation of the IT outsourcing initiative, where it was found that both agencies and tenderers had underestimated the complexity involved in managing the delivery of services to a group of agencies, particularly in simultaneously transitioning those services to an outsourced provider.91 This lack of appreciation by the parties concerned contributed to service delivery failures and significant delays in the provision by the service providers of reliable invoicing and performance reporting.92
The latter problem also related to a gap in expectations between the agencies and the private sector providers as to the level of documentation and substantiating material needed to support public sector accountability requirements. This has created difficulties for agencies in satisfying their own accountability requirements in terms of the expenditure of public resources and the achievement of agency outcomes. It also has obvious implications for the effective auditing of the arrangements
This stage of the contract lifecycle largely tests the success of the contract arrangement and is generally seen as being the most resource intensive. One of the most important players in this stage will be the contract manager. During the initial transition phase the organisations must ensure the contract manager is appropriately selected and fully involved.
The key objectives for this stage include developing appropriate service level agreements, managing performance of the contract and the contractor through a performance measurement system, management of day-to-day issues and dealing with possible dissatisfaction with service delivery. During our audits of contract arrangements in the Commonwealth, application of risk and measurement of performance were acknowledged as key concerns, particularly as contracted goods and services become more complex. I will discuss performance management and standards briefly below.
Service standards and performance measurement
During the day-to-day management of the contract the risks become more focused and any problems with the establishment stages become more evident.
Any contract must clearly specify the service required; the relationship between the parties needs to be clearly defined, including identification of respective responsibilities; and appropriate arrangements for monitoring and reviewing contractors’ performance need to be put in place. These should all be addressed giving consideration to the identified risks the organisation is facing in relation to the specific contracted good or service and contract arrangement.
In our experience and that of some of our agencies, poorly framed or overly stringent service standards or requirements become unnecessary cost drivers. They distract the service provider’s resources and their focus away from the areas of most importance to the achievement of agencies’ overall objectives. Alternatively, contractors may feel the need to increase tendered prices to take account of the unnecessarily high level of performance. Equally, the service standards originally contracted for were found to not provide appropriate incentives for the provider to focus on the areas of service most important to agencies’ business. Again turning to a UK example, the NAO audit found that:
Bidders are incentivised by a payment mechanism to meet … targets and they incur penalties of performance declines.93
Performance based contracts can include sanctions for non-performance, such as a percentage fee for late completion or flat rate for substandard levels of performance. Any sanctions have to be seen to be ‘fair’. There should not be any equivocation about required performance nor about the obligations of both parties. I stress that this is as much about achieving the desired outcome as it is about meeting particular accountability requirements.
For example, the outsourcing contracts reviewed in the IT outsourcing audit placed certain obligations on the private sector service providers in regard to ensuring that agency data held on the outsourced IT infrastructure was protected to identified security and privacy standards. That audit94, and a subsequent audit of fraud control in the Australian Taxation Office95, found that agencies had not developed adequate strategies for monitoring the providers’ compliance with those obligations, and recommended improvements in this regard.
Sound contract management, and accountability for performance, are dependent on adequate and timely performance information. As noted above, it is important that agencies consider the level and nature of information to be supplied under the contract and the access they require to contractor records to monitor adequately the performance of the contractor. The more detailed the performance standards, the specific requirements for rigorous reporting and monitoring and the need for frequent renegotiation and renewal, the closer the contractual arrangements come to the degree of control and accountability exercised in the public sector.96 Once again, it is a matter of balancing any trade-offs in efficiency and/or accountability if optimal outcomes are to be secured. I should add that any such trade-off should be subject to Parliamentary and/or Executive Government guidance.
The main message from the public sector’s contracting experiences is that savings and other benefits do not flow automatically from their adoption. There is always the upfront cost of contracting out that needs to be taken into account, such as the initial legal costs involved in negotiating and drafting contracts. Other costs which also need to be taken into account in making a decision to contract out functions, include the cost of monitoring the contractor’s performance and the need for legal advice as to how to interpret particular clauses in the contract.97 Indeed, the contracting out process, like any other element of the business function, must be well managed and analysed within an overall business case which includes an assessment of its effect, either positive or negative, on other elements of the business.
Contract relationships
As I have already noted, contract management is more about effective delivery of goods and services than about ticking off the details of the contract. One of the most important aspects of this will be development of the most appropriate contract relationship style. The ANAO has identified four common relationship types on a continuum from traditional to cooperative, partnering and finally alliancing.
As the four relationship styles exist along the continuum of relationship styles different features may be ‘mixed and matched’ to develop the most appropriate relationship style for the organisation and the particular contract.
In designing the most appropriate relationship, the risks of providing the service are critical to the decision process. The likelihood and consequence of failure affect risk. The relationship chosen is part of the treatment of the identified risk, that is, a means by which the risk will be controlled. The following figure demonstrates the link between risk and the relationship type. While the figure provides some examples of the type of goods or services that may be provided under the various relationship styles, the choice depends on the organisation’s specific needs.
Whatever the choice, the relationship must fit the objectives of the service and the values and experience of both provider and purchaser.
The notion of partnerships and alliances within and between the public and private sectors and concepts such as ‘relational contracts’98 are challenging the current public management view of accountability.
In a recent audit of the management of the construction of the new National Museum and Australian Institute of Aboriginal and Torres Strait Islander Studies facilities, the ANAO considered the operation of an alliancing agreement. The objectives of the audit were to examine the project’s compliance with the Commonwealth requirements for the procurement of public works (that is, the Commonwealth Procurement Guidelines) and the effectiveness of project management. The ANAO was particularly interested in the openness and transparency of the selection process and the probity of those involved in selection panels and the fairness shown to proponents.
Adapting the auditing approach to the different styles of contract relationship is challenging. It seems to me that the key issue is to consider central doctrines of accountability within the context of the legal clothing of the particular contracting arrangement. The need for rigorous defensible criteria should not be taken as a need for an over-legalistic attitude. But at the end of the process we still need to be able to satisfy the Parliament that seen against a reasonable set of tests, the law has been complied with, the government’s services are being delivered and the processes being followed are efficient, effective and ethical.
Information technology is revolutionising the way the public sector actually operates. It has improved the ability of public organisations to communicate, to share critical information and to organise political and bureaucratic processes in a more efficient way.
Information technology has also enhanced productivity by providing new, more responsive and efficient ways of delivering public services and providing information to citizens. It potentially provides the vehicle to deliver better quality products to the public more quickly, cost effectively and conveniently. The result could be programs designed primarily around the needs of citizens, rather than just largely reflecting the organisational structure of the public sector. This will require the redesign of current governance systems.
Public policy has only begun to come to grips with the changing context. The time that policy makers need to process, structure and use knowledge so as to make informed decisions has become a scarce commodity, as 24 hour media coverage of events around the world exerts unrelenting pressure to act, or perhaps react, quickly. Already we are witnessing what has been termed ‘instant politics, where far-reaching decisions are often made on the first available information.99 Taking a longer-term perspective, there is little doubt that technological change will radically transform the framework conditions within which policy is made.
As organisations embrace modern networked communications, such as the World Wide Web, they are creating a need for different styles of governance in the information age. Consequently, in many areas, consideration has to be given to the extent that information technology is core business. This is evident where it is difficult to actually separate the technology from the service being delivered. Nevertheless, there are complexities in the migration process itself in the public sector environment as the following observation notes:
Calls for government service delivery to migrate from in-line to online sooner rather than later often overlook the complex social, regulatory and legal issues governments face in changing their service delivery models.100
The connectivity and interdependence made possible through information technology also creates vulnerabilities. The proliferation of computer viruses and hackers seeking to manipulate critical computer systems poses serious risks to government agencies, and in private domain, and the threat will only grow in the future. Such issues also raise questions about adequate business continuity arrangements. The risks involved also raise issues associated with the privacy and confidentiality of records which are of considerable concern to the Parliament. Unless appropriately controlled, computerised operations can offer numerous opportunities for committing fraud, unauthorised tampering with data or disrupting vital operations. As with many other aspects of the move to e-government, it is often a lack of awareness from the top down that is a major barrier to implementing appropriate security measures as part of sound risk management.
As dependence on information technology grows and new high risk areas emerge, public sector agencies need to adopt modern practices to correct underlying management problems that impede effective system development and operations even where these are outsourced. Effectively managing these risks will, in many cases, have a major impact on achieving business objectives. Robust corporate governance processes that are pervasive throughout an organisation will both help to identify and deal with such problems. As a practical example of this, the Victorian Department of Natural Resources and Environment decided that one of its first tasks in reforming its procurement processes to introduce a fully electronic procurement system was to:
Rewrite its purchasing policies to more closely link purchasing with business plans and outputs and to de-emphasise price as the overriding consideration and emphasise value for money and accountability.101
Another key element of the Department’s reform process was to re-align the delegation authorities of staff with their level of responsibility.
The delivery of services via the Internet introduces new risks and exposures that can result in a legal liability for government. Well-designed security and privacy policies can minimise risks and liabilities, while informing agencies’ clients of important aspects of the services they can expect to receive. Nevertheless, such policies need to be kept under close scrutiny particularly with the development of single portals102 which integrate the complete range of government services and provides a link to them that is based on function, or simply citizen demands, and not on an individual organisation. As such, a portal does offer the potential for complete coordination but, as Dr Jenny Stewart has observed:
The challenge for policy and administration is to recap the potential efficiency and compliance advantages while, at the same time, safeguarding security and privacy103
Criminal codes can also be directed at protecting the security, integrity and reliability of computer data and electronic communications. By addressing such threats as hacking, denial of service attacks and virus propagation, the definition of offences offers a suggested means for helping to ensure that the benefits of new technologies are not compromised by crime.104 However, the task of the public auditor is not directed per se at the detection of such offences. What is required is that systems are examined for the way in which contractors are suitably protected against such offences. The challenge for us lies in the application of forensic skills to determine whether there is adequate protection.
System controls
Security issues, such as unauthorised access and entry of virus infected programs have raised the risks to agencies’ computing environments. These issues are being addressed through so-called ‘firewalls’ (which are basically software protection) and/or through physical separation. As well, data encryption systems have been, and continue to be, developed to provide a degree of assurance to managers and users. Initiatives have been taken to implement some kind of public key encryption arrangement for general protection and assurance in a number of countries.
Government agencies wishing to embark on initiatives that do more than just disseminate information need to come to terms quickly with the potential applications of Public Key Infrastructure (PKI) technologies to encrypt, decrypt and verify data. Key issues addressed by PKI are as follows:
The responsibility for issuing the necessary accreditation and regulating data transmission in the Australian government environment has been issued to private enterprise. Where this occurs it is important that SAIs are actively engaged in the contract specification to the extent that their ability to audit the integrity of government data and rely upon the records so generated is maintained.
Record-keeping
Records are an indispensable element of transparency, and thus of accountability, both within the organisation and externally. As the Public Record Office in the United Kingdom observes:
All organisations need to keep records of business decisions and transactions to meet the demands of corporate accountability.105
Records are consulted as proof of activity by senior managers, auditors, members of the public or by anyone inquiring into a decision, a process or the performance of an organisation or an individual. As such, they are an appropriate example of not only the importance of good process but also how it often contributes importantly to the myriad of public sector outcomes or results. With the move to greater outsourcing to the private sector, there is increasing concern about organisations' ability to preserve those records that are needed to support the delivery of programs and services, and to meet their accountability, as well as archival, obligations. As you know, higher standards of accountability are expected in the public sector than is usual in the private sector. Recognising this, Parliament has passed legislation relevant to record-keeping that applies to all Commonwealth agencies, such as the Archives Act 1983, the Freedom of Information (FOI) Act 1982 and the Privacy Act 1988. These Acts deal with the overarching issues of maintenance, archiving and destruction of records, access to records by the public, and confidentiality of records. Also of relevance, particularly from a management viewpoint, are the Public Service Act 1999, the Financial Management and Accountability (FMA) Act 1997 and the Commonwealth Authorities and Companies (CAC) Act 1997.
As I noted earlier, the FMA Act requires that Chief Executive Officers (CEOs) manage the affairs of their agencies in a way that promotes proper use (that is, efficient, effective and ethical use) of the Commonwealth resources for which the Chief Executive or Board is responsible. A CEO must ensure that the accounts and records of the agency are kept as required by the Finance Minister's Orders. Record-keeping is also covered by the CAC Act, which requires a Commonwealth authority to keep accounting records that properly record and explain its transactions and financial position. These records have to be kept in a way that enables the preparation of financial statements and that allows those statements to be audited appropriately and effectively.
In addition to legislative requirements, there are several other significant reasons for emphasising the importance of record-keeping in the public sector. Up-to-date, accessible, relevant and accurate records can ensure that decisions made by an agency are consistent, based on accurate information; are cost-effective; engender a sense of ownership of decisions throughout the agency; and place the agency in a considerably better position to justify to Parliament and the public any decisions made. I stress that it is often not just outputs and outcomes that are of concern to Parliament and the public, but also the processes of decision-making and the reasons for decisions made. Such transparency is achieved by ensuring that the decision-making process, and the reasons for decisions made, are adequately documented by the agency.
Transparency, through record-keeping, is an agency's first line of defence against accusations of bias, unfair treatment and other negative public perceptions. It also promotes confidence in the integrity of the Australian Public Service (APS) and provides assurance to stakeholders that the APS is making decisions in the ‘public interest’, particularly where procurement is concerned, as well as meeting any requirements for fairness, equity, privacy and freedom of information. Transparency also provides some guarantee of integrity of information, which improves the scope for governments to make constructive use of the internet in dealing with their citizens.
Countering the loss of corporate knowledge is another area that can be greatly assisted by a sound record-keeping culture. Corporate knowledge is largely the wealth of information and experience that is stored on paper, electronically or mentally. Of course, we are well aware that such knowledge is only useful when something is actually done with it. Loss of corporate knowledge has been a significant issue for the public sector in recent years where, due to the trend towards high turnover and increasing mobility of staff, in part the result of outsourcing activity and privatisation of public sector organisations and activities, we have seen an enormous drain on the retained knowledge of the APS through the departure of many experienced individuals. The creation and maintenance of suitable records can alleviate this problem to some extent, particularly in relation to decision-making.
We also recognise that formal systems cannot easily store or transfer ‘tacit’ knowledge106. Nevertheless, a relatively inexperienced manager, unable to gain a more experienced colleague's advice on a decision-making matter, would be greatly assisted by access to records of a similar decision someone else in the agency may have made in the past, particularly where other related information is also readily available. Information Technology (IT)-based expert systems may also address this problem to some extent. Although this technology is still very much in its infancy, expert systems use artificial intelligence technology and are encoded with human knowledge and experience to achieve expert levels of problem solving, greatly reducing the reliance on retained staff knowledge. Such systems have been extensively used in agencies such as Centrelink and the Department of Veterans’ Affairs. However, the emphasis in recent years has been increasingly on developing knowledge management systems with their emphasis on people.
Apart from mitigating the loss of corporate knowledge,
record-keeping can assist the internal functioning of agencies by improving
performance. Records of performance information are important in allowing an
agency to monitor its performance and benchmark itself against other
organisations, to ensure that performance is at optimum level. As well, fraud is
less likely in a sound record-keeping environment that supports timely and
accurate recording of data, with sufficient separation of duties. We are all
aware that there is a cost associated with good record-keeping. In the main, it
is a risk management judgement that should be made on the basis of a systematic
risk assessment with sound identification and prioritisation of both internal
and external risks. This involves careful examination of what outcomes are
really being required and, therefore, what record-keeping practices are
necessary to achieve those outcomes. Any approach should also meet legislative
requirements for record-keeping. In short, records should be fit for their
purpose. This is particularly important in any outsourcing situation where such
records are being wholly or partially maintained by the private sector.
It is apparent that there is an increasing tendency for policy and
administrative decisions to be communicated and confirmed through e-mail
communications. E-mail, electronic files and e-commerce are replacing
traditional paper based records and transactions. This is a function of our
changing expectations about the speed of communications, a growing emphasis on
timely management of the ‘political’ dimensions of policy, and the
appropriation by the public sector of a ‘commercial paradigm’ in which ‘deals
are done’ (which is given added impetus by the involvement of private sector
‘partners’ in various aspects of government operations). Nevertheless, as
better practice private sector firms demonstrate, good record-keeping is an
integral part of a sound control environment and subject to a regularly reviewed
risk management strategy which is integral to their required outcomes and
accountability requirements.
As a particular instance of the task facing those of us who are required to oversight public sector operations and to provide important public accountability assurance, I note that the increasing use of e-mail poses significant challenges in terms of our traditional evidentiary standards (which customarily hinge on paper-based records) and the skills base of our auditors. As auditors, we are already confronting situations in which traditional forms of documentary evidence are not available. In such situations we are having to make links in the chain of decision-making in organisations which no longer keep paper records, or having to discover audit trails in electronic records, desktop office systems or archival data tapes. As communications between government agencies and outsourced service providers become increasingly electronic, it gives added urgency to making sure that the standards of accountability expected for the performance of government functions are understood and complied with by the relevant private sector partners. Particularly where there are still the hurdles of access and confidentiality to be overcome the outcome is problematic.
Sound corporate governance frameworks will enhance the development of suitable networks and partnerships and facilitate risk management so that opportunities can be taken to be more responsive and improve performance while minimising risk. Fundamentally, good governance arrangements increase participation; strengthen accountability mechanisms; and open channels of communication within, and across, organisations. In this way, the public sector can be more confident about delivering defined outcomes and being accountable for the way in which our results are achieved. These requirements are integral to the more market-oriented approach being taken to public administration in recent years. The disciplines involved have focussed greater attention on performance management and accountability for that performance whether the activity is performed by public or private sector organisations.
Public sector organisations have to recognise performance obligations to stakeholders and the negative aspects of being risk averse. We also have to be aware of the need for leadership and control and the confidence and assurance that the latter engenders for all stakeholders and the reputation of the organisation involved, particularly in any partnership arrangement with the private sector.
New technology should facilitate the sharing of information within whatever constraints of privacy and security and/or need to know that might apply. As well, technology can assist in the delivery systems reflecting ‘seamless’ government and greater responsiveness to citizens. Some writers have radically extended the possibilities of information technologies toward a vision of the automated state in which government would establish and manage contracts for project or service delivery largely through information technology. The suggestion is that the imperatives of technology are creating the conditions for the state to become ‘virtual government’.
It is unlikely that such ‘sharing’ could be definitively covered in present day ‘legally based’ contracts. Other forms of agreement and disciplines are emerging to ensure that both the parts and the whole are held responsible for their overall performance; and that accountability for the results is absolutely clear both to the immediate parties and to other stakeholders. It seems like a tall order. It has been said that:
Studies of accountability also tend to neglect the requirements of managing an interdependent program with independent organizational units.107
This is a particular challenge for government auditors if they are to maintain the appropriate balance that allows, perhaps assists, organisations to meet their objectives and satisfy the requirements of accountability.
But the pressures are only likely to increase, even in so-called ‘core’ areas of government, for more ‘cross-cutting’ approaches to better deliver program outcomes, with commensurate accountability for achievement of required results.
Managers are showing interest in exploring the notion of ‘relational contracts’ in particular environments to test their effectiveness both in terms of performance and accountability. These so-called ‘soft’ contracts focus on cooperation as the guiding principle of contracts. It is, perhaps, another example of the exercise of management flexibility to achieve required outcomes where real partnerships and full cooperation of a range of service suppliers are required to be citizen ‘centric’. On the other hand, is an inability to define adequately performance and accountability requirements or, indeed, lack of private sector acceptance particularly of the latter, sufficient reasons to reject contracting-out? SAIs need to keep abreast of these developments and contribute to their resolution.
We should be able to explore different partnership arrangements within the public sector to ascertain what will work in a cohesive and sensible fashion in particular situations. Moreover, it may also be possible to test arrangements within the private sector, where it is involved in the provision of public services, in a way that can accommodate both private and public interests. The future challenge to partnering in the public sector may be to go beyond strategic partnerships with particular contractors and to develop in association with other agencies, community and private sector organisations, public sector ecosystems as described in the private sector. If that is so, the SAI needs to be able to move at the same time. We cannot afford to be left behind.
Strategic combinations of public interest and private profit could generate new forms of service delivery and redefine the relationship between governments and the community. Whatever is attempted needs the support and endorsement of the Government and Parliament if it is to succeed. These are likely to be considerable challenges, not least in the notion of public accountability with its attendant implications for SAIs.
In all this we have to consider the changing skills base for auditors. Fortunately, many of us have had experience in dealing with the private sector and in commercial operations, including financial decision-making and accounting. On the other hand, it also makes our staff that much more in demand in both the public and private sectors. Consequently, we not only have a skills enhancement challenge for our offices in a more contractual oriented environment, but we also have a problem of retention of our valuable skills base. How we address any skill deficiencies and staff retention issues will be dependent on the particular environment in which we work. What seems obvious at this stage is that a solution will come from an suitable mixture of internal training, the use of universities and other educational institutions, interchanges between the private and public sectors, the judicious use of ‘bought-in’ resources, and suitable rewards and recognition, including the opportunity to work in other SAIs.
In short, the on-going challenge for the public sector auditor will continue to be meeting performance and accountability expectations, whatever the approach taken to our changing environment. This will increasingly involve establishing agreed modes of network governance to ensure proper integration and coordination of networking activities essential to the effective operation of strategic alliances. Such governance arrangements have to be well understood and accepted by all concerned. In my view, any arrangements have to be dynamic and flexible to meet the needs of all participants including, importantly, those of citizens. And is that not what governance, and corporate governance in the public sector, are basically all about when all is said and done?
Moreover, with the greater involvement of the private sector, particularly in service delivery as part of an outsourcing situation, there is the added complication of generating common understandings, cultures, values and notions of accountability and responsibility. In my view, this will mean that the SAI has to be more pro-active in helping to develop such a framework, without undermining the independence of the Office.
As part of this responsibility, the SAI will also need to be prepared, and equipped, to engage in real time auditing as electronic technology, particularly in communication, comes into more widespread use across the public sector. In this way, there will be more scope for preventative action and a learning process for all stakeholders in order to ensure that proper accountability and required performance and results are achieved by both individual agencies and private sector firms, particularly in any ‘shared’ arrangement or partnership.
3. United Kingdom National Audit Office 1999, ‘Modernising Government : The NAO Response’ (http://nao.gov.uk/publications/modgov1.pdf) [accessed 2 March 2000].
4. Abernethy, Mark 2001. New Rules of the Game, The Bulletin. 8 May. p.44
5. ANAO Report No 30 1998-99, The Use and Operation of Performance Information in the Service Level Agreements, ANAO, Canberra, 15 January. 6. Audit Report No. 1 1999-2000, Implementing Purchaser/Provider Arrangements between the Department of Health and Aged Care and Centrelink, , ANAO, Canberra, 13 July.7. OECD - Public Management Committee,
1999. Performance Contracting, Lessons from
Performance Contracting Case Studies, OECD, Paris, 17 November. p.16.
12. ANAO 2001, Contract Management Better Practice Guide, Canberra, February, p. 3.
13. Public Audit Forum 1999, The Principles of Public Audit - A Statement by the Public Audit Forum, p. 2, [Online], Available: http://www.public-audit-forum.gov.uk/popa.htm, [9 August 2000] 14. Public Audit Forum 1999, What Public Sector Bodies Can Expect From Their Auditors, Consultation Paper, London, p. 2. 15. Meyers Larry D, Sahgal Vinod and Glaude Ernie 1995. Strengthening Legislative Audit Institutions – A Tool for Good Governance. Opinions, Vol. 13, No. 1, Office of the Comptroller and Auditor-General, Canada, p. 31.16. Through, for example,
audits of the Management of Contracted Business Support Processes
(Audit Report No. 12 1999-2000), New Submarine Project (Audit Report No. 34,
1997-98) and
the Construction of the National Museum of Australia and the Australian
Institute of
Aboriginal Studies (Audit Report No. 34, 1999-2000)
17. Industry Commission 1996, Competitive Tendering and Contracting by Public Sector Agencies, Melbourne,
18. Audit Review of Government Contracts 2000, ‘Contracting, Privatisation, Probity and Disclosure in Victoria 1992-1999 : An Independent Report to Government’, Report, State Government of Victoria, Melbourne, May, p. 31.
19. Mulgan R 1997, Contracting Out and Accountability, Discussion paper 51, Graduate Public Policy Program Australian National University abstract. 20. Management Advisory Board/Management Improvement Advisory Committee, 1996, Guidelines for Managing Risk in the Australian Public Service, Report No 2 AGPS, Canberra, October. 21. ANAO 2000, Business Continuity Management—Keeping the Wheels in Motion, Better Practice Guide, Canberra, January. 22. Barrett, P. 2000, Business Continuity Management: Opening remarks at a launch of a Better Practice Guide, Canberra, 23 February.23. United Kingdom National Audit Office (NAO) 1999, Examining the Value for Money of Deals Under the Private Finance Initiative, Appendix 2: ‘Risk Allocation’, London, 13 August, p. 64.
24. Arthur Andersen and Enterprise LSE 2000, Value for Money Drivers in the Private Finance Initiative, report commissioned by The Treasury Task Force, London, 15 January.
25. UK NAO 1999, op. cit., Preface. 26. UK NAO 1999, op. cit., p. 52. 27. Arthur Andersen and Enterprise LSE 2000, op. cit., pp. 21–3. 28. ibid.29. These were the subjects of two Reports by the Audit Office of New South Wales: Private Participation in the Provision of Public Infrastructure–The Roads and Traffic Authority, 1994, and Roads and Traffic Authority: the M2 Motorway, 1995.
30. Audit Office of New South Wales 1997, Review of Eastern Distributor, July, p. 18. 31. ibid., p. 25. 32. Auditor-General’s Office Victoria 1999, Report on Ministerial Portfolios, May, pp. 123–4. 33. Audit Office of New South Wales 1995, Roads and Traffic Authority: The M2 Motorway, op. cit., p. 3. 34. La Franchi, P. 2000, Marching to private financing beat, Australian Financial Review, 2 May, p.40. 35. Roche, M. 2000, Roche rebuts criticism of PFIs, Australian Defence Report, 17 August, p. 8. 36. La Franchi, P. 2000, op. cit.37. Beazley, Kim C. The
Hon, and Lawrence, Carmen MP, and Tanner, Lindsay MP, 2001.
Labor’s Plan for Strategic Government Purchasing, Joint Statement. Brisbane 2
May, p.4
40. See Humphry Richard, 2000, Review of
the Whole of Government Information Technology
Initiative, Canberra, pp. 10, 13, 30, 31 and 32.
41. Ibid p.10.
42. Ibid p.11.
43. Fahey, John The Hon 2001. Review of the Implementation of the Whole of GovernmentThe legal risk assessment identifies the following areas of risk as possible events or incidents during the life of service agreements:
The legal risk assessment also identifies a number of areas of potential loss or damage that might result from the identified risk events including:
The legal risk assessment places primary focus on provisions in IT outsourcing contracts and Service Level Agreements (SLAs) to minimise the chance of a risk event occurring, as well as minimising the loss or damage to any of the agencies within the Group and to preserve remedies available.
45. Public Management Committee 1999, Performance Contracting, Lessons from Performance Contracting Case Studies, OECD, Paris, 17 November, p. 41.
46. ANAO Report No. 34 1999–2000, Construction of the National Museum of Australia and Australian Institute of Aboriginal and Torres Strait Islander Studies, ANAO, Canberra, 16 March. 47. ANAO 2001, Contract Management Better Practice Guide. Op.cit. 48. Senate Finance and Public Administration References Committee 2001. Accountability in aIt is essential that the private sector provides considering projects involving the storage, processing and security of government information and systems, be advised at an early stage of both government agency and Auditor-General rights in regard to access and audit. This matter requires due contractual and legal consideration by the Government and its agencies to ensure the adequacy of safeguards over the security, integrity and control of government information and processes, and to accommodate the Auditor-General’s statutory audit responsibilities.
50. UK National Audit Office (NAO) 2001. The Re-negotiation of the PFI-type deal for the Royal Armouries Museum in Leeds. Report, London, 18 January.
51. Ibid., p. 5. 52. Ibid., p. 7. 53. Set out in Part 5 of the Auditor-General Act 1997 54. Senate Finance and Public Administration References Committee 2001, Op.cit., para 1.9 55. Joint Committee of Public Accounts and Audit 1999, Review of Audit Report No. 34, 1997-98,‘Recommendation 5: The Committee recommends that the Minister for Finance make legislative provision, either through amendment of the Auditor-General Act or the Finance Minister’s Orders, to enable the Auditor-General to access the premises of a contractor for the purpose of inspecting and copying documentation and records directly related to a Commonwealth contract, and to inspect any Commonwealth assets held on the premises of the contractor, where such access is, in the opinion of the Auditor-General, required to assist in the performance of an Auditor-General function. (paragraph 6.20).’
56. Government response to Recommendation 5 of the 368th Report of the Joint Committee of Public Accounts and Audit : Review of Audit Report No. 34 1997-98, New Submarine Project Department of Defence. Letter from the Prime Minister to the Minister for Finance and Administration dated 12 August 2000.
57. Ibid. 58. Attorney-General’s Department 2000, Commonwealth Protective Security Manual 2000, Part A. Canberra, October, p. F45 (para 6.19). 59. Australasian Council of Auditors-General 1997, Statement of Principles: Commercial Confidentiality and the Public Interest, Canberra, November. 60. Baragwanath, Ches. 1996, citing his Report on the 1990-91 Finance Statement. 61. Schulze, Peter. MLC, Chairman, Tasmanian Public Accounts Committee, 1999. Commercial Confidentiality – Striking the Balance – A Contributing Paper, 1999 Australasian Council of Public Accounts Committees, 5th Biennial Conference, Perth, WA, 21-23 February. 62. Victorian Public Accounts and Estimates Committee 2000, Inquiry into Commercial in Confidence Material and the Public Interest, Report No. 35, Melbourne, March. 63. Loney, Peter. MP, 2001. Commercial-in-Confidence - Striking the Right Balance. 6th Biennial ACPAC Conference, 4-6 February, Canberra, p. 5. 64. Ibid., p. 7. 65. See Joint Committee of Public Accounts and Audit (JCPAA) 2000, Contract Management in the Australian Public Service, Canberra: Parliament of the Commonwealth of Australia, [October 2000]; Senate Finance and Public Administration References Committee (SFPARC) 2000, Inquiry into the mechanism for providing accountability to the Senate in relation to Government contracts, Canberra [Online] Available: http://www.aph.gov.au/senate/committee/fapa_ctte/accnt_contract/contract.pdf, [7 December 2000]; JCPAA 1999, Corporate Governance and Accountability Arrangements for Commonwealth Government Business Enterprises (R.E. Charles, Chairman), Report 372, JCPAA, Canberra, December, p.67; SFPARC, 1998, Inquiry into Contracting Out of Government Services-Second report; and SFPARC 1997, Contracting Out of Government Services—First Report: Information Technology, Canberra, November. 66. Senate Finance and Public Administration References Committee 2001. Op.cit. p.xii 67. ANAO 2001. Delivery Decisions – A Government Program Manager’s Guide to the Internet – A