Services Australia named in several digital-centric proposed audits

The Australian National Audit Office (ANAO) has released preliminary details of five potential audits concerning the digital and technology activities led by Services Australia.

The audits are all reported to be processed or tabled in 2024 to 2025, and they cover a variety of activity across service delivery, governance and procurement.

Digital Identity System audit

Also concerning the Australian Taxation Office (ATO) and the Department of Finance, this audit is set to check the progress made on the “implementation, design and functionality” of the Digital Identity System, which includes the Trusted Digital Identity Framework, the Identity Exchanges (delivered by Services Australia), myGovID (the Commonwealth’s Identity Provider, delivered by ATO) and other services connected to the system.

The audit surfaced as a result of the Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act, which are now set to come into effect on 1 December after the legislation was passed earlier this year. The audit will ensure roles and responsibilities are clearly stated and the allocation and expenditure of funding is properly managed. It will also review how the new laws have driven the Digital ID system and future accreditation schemes.

Automated decision-making audit

This audit follows the Royal Commission into the Robodebt Scheme report handed down in July last year, which found several risks related to automation, including the elimination of human decision-making and a reduced ability for citizens to challenge decisions.

It will ensure Services Australia is managing its exposure to automated decision-making in a way that is aligned with the Commonwealth Ombudsman’s 2019 Better Practice Guide on Automated Decision-Making and the Australian Government’s Artificial Intelligence (AI) Ethics Principles, which guide entities on the development, implementation and monitoring of automated decision-making processes.

Network Transformation Partner (NTP) procurement audit

This audit follows Services Australia’s request for tender earlier this year for ‘Provision of a Network Transformation Partner Services Stage 1’ to support the agency in replacing its wide area network (WAN) with a “software defined solution across WAN, local area network (LAN) and wireless local-area network (WLAN), and mobile satellite services”.

The audit will review all stages of the procurement process including “planning, achieving value for money, design of performance measures in the contract with the successful tenderer and progress to date in managing the contract”.

Privacy of client information audit

In addition to Services Australia, this audit also concerns the ATO and the Office of the Australian Information Commissioner (OAIC). It covers the handling of the privacy of clients’ personal information and, for the OAIC, the management of privacy complaints and investigations.

The audit comes in the wake of amendments to the Privacy Act in 2022 and 2023 to enhance the OAIC’s powers and increase penalties. It will assess the handling of client data and information across service delivery and in the oversight of the tax and superannuation systems, with risks identified in data breaches due to both human error and system faults. The ANAO said “29 per cent of all notifiable data breaches in agencies covered by the Privacy Act from January to June 2023 were from human error and system faults and 70 per cent were from malicious and criminal attack, with 60 per cent of all data breaches resulting from cyber security incidents”.

Data Exchange (DEX) performance reporting portal audit

This audit will investigate the Department of Social Services’ management of the DEX performance reporting portal, which has been operated by Services Australia since 2021 as part of its shared IT service delivery remit.

The portal allows providers receiving government funding to describe program results and outcomes, and it is primarily used to measure the performance of initiatives under the Families and Communities and Disability and Carers programs.

“It is underpinned by three principles: providers should spend less time collecting and reporting administrative data and more time helping clients; data collection should focus on client outcomes; and client personal information and privacy is protected,” the ANAO said.