Commissioner for Superannuation
2010-11 Annual Report
Section 2B: Corporate governance
In this section:
ComSuper maintained coherent and effective governance arrangements in 2010-11. This section is structured on the key components of our corporate governance framework, which are:
- Audit and assurance
- Risk management
- Quality assurance
- Knowledge and records management
- Values and ethical standards
- Fraud control and Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF)
- Security and privacy
- Business continuity and disaster recovery
- Business planning and performance reporting.
Audit and assurance
ComSuper maintains a comprehensive audit and assurance framework which we continued to improve in 2010-11. The framework is based on four pillars: internal audit, external audit, output monitoring and management assurance.
ComSuper's Audit & Risk Committee and Chief Governance Officer maintained active oversight of the audit and assurance strategy and program of work. They also monitored the implementation of audit recommendations.
Strong external audit assurance was provided by our principal external auditor, the Australian National Audit Office (ANAO), and their service provider, Deloitte. As part of our assurance process, we monitored cross-portfolio audits, considered relevant recommendations and participated in a cross-portfolio audit on information security.
We worked closely with our internal audit service provider, Oakton, on a range of audit work across our operations. The Internal Audit Program has delivered sound assurance, and identified potential improvements in ComSuper's operations
- consolidation of the APS and military scheme-based compliance teams under the Corporate Governance Group
- introducing a program of output monitoring to test the overall quality and accuracy of the services we provide to members
- further enhancement of formal controls reporting to Trustees and other external clients, in accordance with superannuation industry practice and Guidance Statement GS 007 issued by the Auditing and Assurance Standards Board.
ComSuper Audit & Risk Committee Chair's Report 2010-11
The ComSuper Audit & Risk Committee worked closely with the CEO, management and staff in supporting and promoting good governance across the agency in 2010–11.
During 2010–11, ComSuper's Audit & Risk Committee comprised two external members, including myself as Chair, and two ComSuper Executives. The Committee met on six occasions over the course of the year to fulfil its charter and complete its program of work. The Committee's first meeting in 2010–11 focused on planning for the year ahead, especially around audit and assurance activity. The second meeting aimed at providing guidance to the CEO on ComSuper's financial statements and related processes. An end of year report was provided to the CEO on the Committee's work program. The balance of the meetings covered the range of the Audit & Risk Committee's work program set out below.
The Committee maintained a strong focus on risk management over the year, especially as a key driver for ComSuper's audit and assurance program. The Audit & Risk Committee Planning Day, in particular, examined ComSuper's strategic and management-level risks as a key input to audit and assurance work in 2010–11. The Committee's deliberations helped to set the direction of the audit and assurance program which was further developed and finalised at subsequent meetings.
The Committee provided appropriate oversight of ComSuper's fraud control, forensic data analysis improvements and major capability improvements to ComSuper's business continuity arrangements in 2010–11.
The Committee paid close attention to ComSuper's internal control framework in 2010–11. A key aspect of this work was the continuing improvement of the framework under Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Management Investment Services issued by the Auditing and Assurance Standards Board. This framework is better superannuation industry practice and provides a high level of assurance to ComSuper's key external stakeholders, as well as to the Audit & Risk Committee and ComSuper's Executive.
The Committee was also satisfied with the introduction of formal output monitoring to measure the quality and accuracy of ComSuper's key business outputs.
The Audit & Risk Committee also considered ComSuper's external accountability obligations, including through its work on ComSuper's financial statements, the Certificate of Compliance and performance reporting.
The Committee maintained active oversight of ComSuper's audit and assurance program in 2010–11. ComSuper's arrangements are assessed as sound and effective. The Committee received valuable internal audit services, principally delivered by Oakton. The Committee continued to monitor and work with ComSuper management on the timely implementation of agreed audit recommendations.
The Committee received excellent service and advice from our external audit providers, the Australian National Audit Office (ANAO) and Deloitte. The ANAO's cross-portfolio audits and better practice guides were a valuable source of information for the Committee and ComSuper.
The Committee thanks the ComSuper Executive and staff for their assistance and cooperation, in particular, the Corporate Governance and Financial Management areas, for their strong support during the year.
Will Laurie FAICD & F. Fin.
Chair (external Chair)
ComSuper Audit & Risk Committee
Reports by the Auditor-General, a parliamentary committee or the Commonwealth Ombudsman
ComSuper pursues continuous improvement by reviewing relevant ANAO audit reports and Better Practice Guides and implementing recommendations where appropriate. ANAO reports and our responses are monitored by the ComSuper Audit & Risk Committee.
ANAO audit reports that we reviewed in 2010-11 included:
- Confidentiality in Government Contracts: Senate Order for Departmental and Agency Contracts (Calendar Year 2009 Compliance) (Report No. 7)
- Centrelink Fraud Investigations (Report No. 10)
- Direct Source Procurement (Report No. 11)
- Capitalisation of Software (Report No. 14)
- Administration of the Superannuation Lost Members' Register [by the Australian Taxation Office] (Report No. 31)
- Protection and security of electronic information held by Australian Government agencies (Report No. 33)
- Better Practice Guide Fraud Control in Australian Government Entities, March 2011
- Management of the Certificate of Compliance Process for FMA Act Agencies (Report No. 38)
- Better Practice Guide Human Resource Information Systems, April 2011.
There was one report by the Senate Finance and Public Administration References Committee, Superannuation claims of former and current Commonwealth Public Service employees, relevant to ComSuper in 2010–11. The report was released on 30 June 2011.
Risk management
ComSuper's strategic risks are monitored and reviewed regularly by the Executive Committee. Operational risk management is captured in group business plans and supporting processes. Our risk management framework continued to mature over 2010-11 through improvements including:
- updating the risk management framework to match the new Risk Management Standard ISO 31000
- refining the risk and control framework established under the GS007 framework.
We participated in Comcover's annual risk management benchmarking program in 2011. We were assessed as meeting our risk management requirements and received a slight decline in our rating from 6.1 in 2010 to 6.0. This outcome compares with an average across surveyed agencies of 6.4. This rating also represents a 6.0% discount in our insurance premium for the year. Of particular note, ComSuper exceeded its target benchmarks in the areas of accountability and responsibility, and was the highest performing agency within its peer group in the area of business continuity.
Quality assurance
In October 2010, we introduced a program of output monitoring which focuses on the quality of ComSuper's key business outputs such as benefit payments and customer information centre operations. Outputs are checked against objective criteria, especially correctness and lawfulness.
We have completed eight reviews since October 2010 across the PSS, CSS, MilitarySuper and DFRDB schemes. The results of these reviews show a high level of accuracy across operations with some areas for improvement identified.
Knowledge and records management
ComSuper administers some of the largest and most complex superannuation schemes in Australia. Formally documenting and managing our key business processes underpins good administration, sound and transparent decision-making, and the retention of corporate knowledge. The Business Atlas is recognised as an industry leading knowledge management tool in capturing and reusing operational knowledge to support the management of these complex superannuation schemes.
The Business Atlas has become a valuable asset, being a 'virtual expert' available to staff undertaking the day-to-day administration of our schemes. In addition, information from the Business Atlas was used to help complete a variety of audit, costing and business continuity activities, reports and projects. Currently, it contains approximately 20,000 individual items of information including legislation, business rules, procedures, forms, letters and technical advice. The Business Atlas makes this information available to ComSuper staff through our Intranet.
The Business Atlas has now been a business-as-usual activity for a year and continues to be an integral tool utilised by an increasing number of staff.
Good recordkeeping is essential for the administration and management of our business.
The primary recordkeeping system used by ComSuper is an Electronic Document and Records Management System (EDRMS) using TRIM software.
During 2010-11, the scanning software was upgraded and trials conducted using optical character recognition to scan some of the commonly used forms. When fully implemented, this will improve the timeliness of getting member correspondence into the EDRMS. TRIM was also upgraded to version 6.2.5 which improved the functionality of the records management system. On 23 November 2010, a new records authority for ComSuper was formally signed by the National Archives of Australia. This outlines the requirements for keeping and destroying ComSuper records and allows us to better manage our record holdings.
Values and ethical standards
ComSuper is committed to the highest standards of ethics and good governance. We understand the decisions we make may affect our members, Trustee Boards, the government, our colleagues and ourselves and we have implemented a sound ethics framework to underpin our work.
To support an ethical culture, ComSuper maintains the corporate Ethical Decision Making Guideline. This guideline provides a practical model for decision making that seeks to assist employees in dealing with ethical dilemmas and discretionary decision making.
During the development of the ComSuper Strategic Plan 2010-13, we created our own values in support of the APS Values and Code of Conduct that we are bound to uphold. Some of ComSuper's values include: Transparent – Being open and fair; Optimistic – Being positive and forward looking; and Accountable – Being responsible for your actions.
In 2010–11, ComSuper was invited to be part of the new APS-wide Ethics Advisory Group to share best practice approaches and ensure the consistency of the application and awareness of ethics throughout the public service.
We conducted mandatory annual awareness training to educate and reinforce staff obligations regarding APS Values and Code of Conduct, health and safety, security, freedom of information, fraud and privacy awareness, and financial compliance.
Fraud control and Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF)
ComSuper met its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). The relevant cases of alleged money laundering were referred through our Trustee Boards to AUSTRAC as 'Suspicious Matter Reports'.
ComSuper has a sound fraud control program that meets our legislative requirements and stakeholder expectations. In 2010-11 we investigated all cases of alleged fraud against ComSuper schemes. Of the cases investigated, some $1.1m has been recovered or is in the process of recovery, directly attributed to investigations conducted by ComSuper.
In our proactive approach to discovering incidents of fraud, we developed lists of high risk categories for investigation, as identified by the Fraud Control Plan 2010 and previous known cases of fraud against ComSuper.
Security and privacy
During 2010-11, the government progressively implemented the Protective Security Policy Framework (PSPF) to replace the Protective Security Manual (PSM). ComSuper is currently in the process of implementing the PSPF to underpin its protective and IT security governance framework.
ComSuper conducts all protective security clearance processes through the newly created Australian Government Security Vetting Agency (AGSVA). This is a new process for all government agencies and we have worked closely with AGSVA to ensure a smooth transition.
ComSuper participated in the ANAO audit The Protection and Security of Electronic Information Held by Australian Government Agencies. The report (Report No. 33) concluded ComSuper's protection of electronic information is sound, with some recommendations made to improve arrangements.
As part of the governance preparation we have worked closely with the newly appointed PSSap outsourced provider, Pillar, to align their security and privacy processes with relevant legislation and stakeholder requirements.
All persons who require access to ComSuper's member information, premises and basic systems must successfully pass a criminal history records check prior to any access being granted. These checks are conducted through CrimTrac via an online link.
Certification of fraud measures
I certify that I am satisfied that ComSuper has prepared fraud risk assessments and a fraud control plan, and has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet its specific needs and that comply with the Commonwealth Fraud Control Guidelines 2011. ComSuper has taken all reasonable measures to minimise the incidence of fraud and where necessary, investigated and sought to recover the proceeds of fraud against this agency.
Acting Chief Executive Officer
ComSuper maintained its compliance framework to ensure we met our legislative and scheme obligations.
Key elements of ComSuper's compliance framework include:
- Maintaining compliance registers
- Resolving any compliance issues
- Undertaking regular quality assurance and compliance reviews
- Providing quarterly compliance reports to the Trustees.
Our compliance capability has been further enhanced following consolidation of the APS and the military scheme-based compliance teams under the Corporate Governance Group. We have also implemented an office-wide training package and changed our focus from reviews based on a compliance audit to reviews that take into account the quality of outputs.
The recommendations made following a compliance audit undertaken in early 2010 have been implemented. These, as well as the reviewed and updated compliance framework and associated policy and procedures documents, have enhanced ComSuper's compliance practices.
Business continuity and disaster recovery
ComSuper's business continuity and disaster recovery functions completed a major improvement during 2010-11. ComSuper achieved a robust business continuity and disaster recovery capability to successfully recover from business disruptions in a reasonable timeframe.
The focus during the year was to finalise the integration of business continuity and disaster recovery and test these arrangements. We conducted three auditor-observed tests for the Incident Management Team (IMT) and Disaster Recovery during November – December 2010. In March 2011, we successfully tested all critical business systems.
A comprehensive Incident Management Manual, containing continuity and recovery plans and checklists for each business group within ComSuper, was included in the testing program in 2010-11 and as a result was reviewed and improved.
Decision making committees such as the IMT, the Audit & Risk Committee and the Emergency Planning Committee played an active role in helping ComSuper meet its obligations to its stakeholders and customers in the event of an incident. Activities included:
- Oversight of all documentation and preparations supporting business continuity and disaster recovery
- A regular cycle of testing and training of emergency and incident management staff
- Strengthening communication channels through representation of all business areas on the IMT.
Key features of the improved capability include detailed business continuity plans, a second system and data centre, and a reciprocal agreement for emergency accommodation with the Department of Finance and Deregulation.
ComSuper participated in the Comcover Risk Management Benchmarking Survey 2011. Our business continuity and disaster recovery capability was rated the highest of our peer group in the survey.
Business planning and performance reporting
ComSuper has a well-developed business planning framework. As part of our annual review of the framework, we developed a new strategic plan. The new plan reflects our values, mutual obligations, the reputation we want to create with stakeholders, in addition to our vision, mission and key focus and results areas.
Our business planning framework includes group level business plans, which form the basis for team and individual performance support plans, cascading our high level objectives from the strategic business plan to individual roles and responsibilities.
As part of ComSuper's Strategic Plan 2010-13, Key Results Areas—key business milestones mapped to the three year timeline—were identified and used as a corporate performance reporting tool. Progress against these milestones is reported to the Executive Committee and staff on a quarterly basis.
Additionally, administration reports—outlining our performance against service level agreements—on the APS and military schemes are provided to the Trustee Boards on a monthly basis. For more information, see Section 2A under 'Service level agreements'.
Last updated December 21, 2011