Ensuring the security and resilience of Australia’s critical infrastructure is a responsibility shared by the Commonwealth, state and territory governments, infrastructure owners and operators.
The Department of Home Affairs (the department) is the lead Australian Government agency responsible for the administration of critical infrastructure policy and regulation. The Critical Infrastructure Centre was established in 2017 to coordinate the management of risks to Australia’s critical infrastructure and deliver more coordinated national security assessments to inform foreign investment decisions in significant and complex cases.
The objective of this audit was to assess the effectiveness of the Department of Home Affairs’ administration and regulation of critical infrastructure protection policy.
- The department’s administration and regulation of critical infrastructure protection policy was partly effective.
- The department has partly effective governance arrangements to administer critical infrastructure protection policy. Implementation of critical infrastructure related risk assessments and reporting was not captured in risk documentation. The effectiveness of the department’s stakeholder coordination arrangements is reduced by not having an engagement strategy and providing limited support to other critical infrastructure regulators. The department’s performance framework as it related to critical infrastructure was not adequate, with performance statements, regulatory performance assessment, and use of internal measures to inform policy and regulation requiring improvement.
- The department’s administration of compliance activities consistent with critical infrastructure protection requirements is partly effective. The department’s compliance framework does not reflect existing responsibilities or compliance requirements. Compliance activities are not supported by approved procedures or systems controls. The department has not established a risk‐based decision framework for achieving compliance outcomes or demonstrating its impact on asset security or resilience. The department does not have a process for effectively reviewing its use of regulation tools or its impact on industry, or for informing continuous improvement.