Realists don't expect government agencies to be perfect. They do however expect agencies to learn from mistakes. That's a legitimate expectation. It's thus disquieting to see the ANAO report Planning For The 2021 Census, which implies the ABS has not taken on board the lessons of what people identified through the #CensusFail hashtag in 2016.
The ANAO states
1. The Census of Population and Housing (the Census), undertaken by the Australian Bureau of Statistics (ABS), is Australia’s largest statistical collection. The purpose of the Census is to accurately measure the number and key characteristics of all people in Australia, Norfolk Island, and the Territories of Cocos (Keeling) Islands and Christmas Island on Census night every five years.
2. The 2016 Census was the first Census to be ‘digital first’, whereby the ABS sought to obtain 65 per cent of responses through an online eCensus form. On Census night on 9 August 2016, there was a failure of multiple information technology (IT) controls, particularly for the online eCensus form, which resulted in the closure of the Census webpage for two days.
3. The Senate, the Department of Prime Minister and Cabinet, and the ABS initiated reviews into the events on Census night, ABS governance and the broader implications for cyber security across the Australian Public Service. In total, the reviews made 36 recommendations, 29 of which were directed at the ABS and agreed.
4. The failure of multiple IT controls during the 2016 Census reinforced the need for the ABS to implement robust planning arrangements for the 2021 Census including for cyber security, procurement, and review recommendations. An audit of the ABS’ preparedness for the 2021 Census would provide assurance on whether the ABS is on track to delivering its objectives for the Census.
5. The objective of the audit was to assess whether the ABS is effectively preparing for the 2021 Census.
6. In assessing this objective, the following three high-level criteria were adopted: Has the ABS established appropriate oversight frameworks for the Census? Is the ABS taking appropriate steps in developing IT systems for the Census? Is the ABS addressing key Census risks and implementing Census recommendations?
7. The ABS’ planning for the 2021 Census is partly effective.
8. The ABS has established largely appropriate planning and governance arrangements for the Census. The risk framework is compromised by weaknesses in the assurance arrangements.
9. The ABS is partly effective in its development of IT systems for the 2021 Census. Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers. The ABS has not put in place arrangements to ensure that improvements to its architecture framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.
10. The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations and ensuring timely delivery of the 2021 Census. Further management attention is required on the implementation and assessment of risk controls.
11. The planning and governance arrangements for the Census are appropriate, except that the ABS does not have an overarching plan to coordinate activity plans and enable a clear view of progress against planned activities.
12. The ABS largely complies with the Commonwealth Risk Management Policy and has established a risk management plan for the 2021 Census. While the ABS has engaged an external program assurer to report to its Census Executive Board, their assurance activities are not well aligned with the identified Census risks. The Audit Committee has not been well positioned to provide consistent risk oversight or assurance on the Census.
13. The ABS has been implementing largely appropriate project management practices from December 2019. It has established monitoring processes and in July 2020 finalised arrangements to assess and approve changes to the Census project.
14. The ABS has an efficiency measure for the Census. The ANAO was unable to provide assurance on the validity and reliability of the measure, however, it is consistent with a proxy measure developed by the ANAO from published ABS information. A report by the United Nations Economic Commission for Europe ranks Australia’s cost per capita as just under the average of a group of countries with similar Census methods.
15. The IT framework that the ABS has established for the 2021 Census is largely appropriate. However, the ABS’ implementation of its IT framework is not complete. The ABS has not established a systematic process for managing risks associated with non-compliance. Census systems do not fully align with the ABS enterprise IT framework giving rise to risks in relation to system integration and compliance with legislation and ABS policy. The ABS has not established a process to mitigate the risk of unauthorised changes being implemented across systems supporting the Census.
16. The ABS is establishing partly appropriate data handling practices for the 2021 Census. The ABS has designed controls and arrangements to manage risks relating to data quality and protection of privacy. The ABS has not fully implemented controls for managing the quality and protection of 2021 Census data and does not have in place appropriate arrangements to monitor control implementation.
17. The ABS has established partly appropriate cyber security measures for the 2021 Census. The high-level measures and controls in the ABS’ cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented.
18. The ABS has established IT supplier contracts that support value for money outcomes. The ABS has largely met key legal requirements for its Census IT procurements of $1 million or more.
19. The ABS has been partly effective in addressing key Census risks. The ABS has identified, reviewed and reported risk in accordance with its Risk and Issues Management Plan and the broader ABS framework, and has mostly embedded risk management in its key business processes. The ABS has not consistently implemented key risk controls and has not fully assessed control effectiveness as required in its Risk and Issues Management Plan.
20. ANAO analysis indicates that the ABS’ post-review activities align with 27 out of the 29 agreed recommendations. In the absence of effective governance oversight arrangements to monitor and report on the implementation of recommendations, the ABS does not have sufficient assurance that it has appropriately addressed the identified issues.
21. Since January 2020, the ABS has been largely effective at monitoring the progress of activities for the 2021 Census. ABS Census projections in 2018 and 2019 were generally ‘on track’. Throughout 2020 the Census has been ‘at risk’. ANAO testing of 17 key tasks indicated that four were reported complete at least three months prior to actual completion. The ABS has accurately reported key activities, decisions and issues to the Minister in a timely manner. Public reporting on progress with the Census is accurate but could cover a wider range of topics.
The ANAO recommendations are -
R no.1 The Australian Bureau of Statistics strengthen its planning and governance arrangements for the 2021 Census by: establishing a high-level plan of the Census integrating the objectives, activities, and their dependencies; and ensuring that the required reporting is provided to the Census Executive Board.
ABS response: Agreed.
R no.2 To assist the Australian Bureau of Statistics in complying with section 16 EA of the Public Governance, Performance and Accountability Rule 2014, the Australian Bureau of Statistics: include an efficiency measure in its performance framework; and develop procedures to support the validity and reliability of the existing Census efficiency measure.
Australian Bureau of Statistics response: Agreed.
R no.3 The Australian Bureau of Statistics strengthen its IT framework for the Census by: assessing the impact of non-compliance with Australian Bureau of Statistics standard architectures, including the impact on meeting legislative and policy requirements; and establishing appropriate controls for mitigating unauthorised and inappropriate system changes, specifically focussing on developers that have access to migrate their own changes to Census-related systems.
ABS response: Agreed.
R no.4 The Australian Bureau of Statistics obtain an appropriate level of assurance that the systems supporting the 2021 Census are meeting legal and Australian Bureau of Statistics policy requirements on data quality and privacy.
ABS response: Agreed.
R no.5 The Australian Bureau of Statistics: define timeframes and responsibilities for implementing the 2021 Census Security Strategy and the Essential Eight Uplift Program, especially for areas that are required prior to the 2021 Census; and ensure contracted services meet Australian Bureau of Statistics specific design and cyber security requirements, and performance of security controls are regularly assessed.
ABS response: Agreed.
R no.6 The Australian Bureau of Statistics implement its risk controls and regularly and consistently monitor the effectiveness of those controls.
ABS response: Agreed.
R no.7 The Australian Bureau of Statistics: establish oversight arrangements to monitor the progress of the implementation of agreed recommendations from external reviews; and assure itself that it has fully implemented all agreed recommendations.
ABS response: Agreed.