The Protective Security Policy Framework (PSPF) outlines a suite of requirements and recommendations to assist Australian Government entities to protect their people, information and assets. Personnel security, a component of the PSPF, aims to provide a level of assurance as to the eligibility and suitability of individuals accessing government resources, through measures such as conducting employment screening and security vetting, managing the ongoing suitability of personnel and taking appropriate actions when personnel leave. In 2014, the Attorney-General announced reforms to the PSPF to mitigate insider threats by requiring more active management of personnel risks and greater information sharing between entities. At the time of the audit, further PSPF reforms were being considered by the Government.
The Australian Government Security Vetting Agency (AGSVA) was established within the Department of Defence (Defence) from October 2010 to centrally administer security vetting on behalf of most government entities (with the exception of five exempt intelligence and law enforcement entities). Centralised vetting was expected to result in: a single security clearance for each employee or contractor, recognised across government entities; a more efficient and cost-effective vetting service; and cost savings of $5.3 million per year. ANAO Audit Report No.45 of 2014–15 Central Administration of Security Vetting concluded that the performance of centralised vetting had been mixed and expectations of improved efficiency and cost-effectiveness had not been realised.
The ANAO chose to undertake this audit because effective personnel security arrangements underpin the protection of the Australian Government’s people, information and assets, and the previous audit had identified deficiencies in AGSVA’s performance. In addition, the 2014 personnel security reforms occurred after fieldwork for the previous audit had been completed, so there was an opportunity to review the implementation of these reforms by AGSVA and other government entities.
The objective of the audit was to assess the effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats. To form a conclusion on the audit objective, the ANAO adopted the following high-level criteria:
- Does AGSVA provide effective security vetting services?
- Are selected entities complying with personnel security requirements?
The entities assessed for criterion two were the Attorney-General’s Department (AGD), Australian Radiation Protection and Nuclear Safety Authority (ARPANSA), Australian Securities and Investments Commission (ASIC), Department of Home Affairs (Home Affairs) and Digital Transformation Agency (DTA).