Australian Government - Attorney-General's Department

Protective
Security Policy
Framework

Achieving a Just and Secure Society

Skip breadcrumbHome » Governance » Audit reviews and reporting

Audit, reviews and reporting

The audit, review and reporting process aims to assess how well non-corporate Commonwealth entities (agencies) are ensuring the confidentiality, integrity and availability of essential resources. The audit process includes:

GOV-7: For internal audit and reporting, agencies must:

  • undertake an annual security assessment against the mandatory requirements detailed within the PSPF, and
  • report their compliance with the mandatory requirements to the relevant portfolio Minister.

The report must:

  • contain a declaration of compliance by the agency head, and
  • state any areas of non-compliance, including details on measures taken to lessen identified risks.

In addition to their portfolio Minister, agencies must send a copy of their annual report on compliance with the mandatory requirements to:

  • the Secretary, Attorney-General's Department, and
  • the Auditor-General.

Agencies must also advise any non-compliance with mandatory requirements to:

  • the Director, Australian Signals Directorate for matters relating to the Australian Government Information Security Manual (ISM)
  • the Director-General, Australian Security Intelligence Organisation for matters relating to national security, and
  • the heads of any agencies whose people, information or assets may be affected by the non-compliance.

Compliance reporting guidelines

The following guidelines contain the underlying principles and outline the responsibilities that non-corporate Commonwealth entities (agencies) are required to follow when measuring their compliance against the PSPF mandatory requirements.

Through the process of mapping their compliance, agencies will be able to:

  • identify any entity non-compliance and address this through mitigation and education actions
  • evaluate the effectiveness of entity protective security controls
  • improve entity protective security policies and procedures.

The results of compliance reporting will inform whole-of-government protective security policies.