The ANAO audit examined three selected Australian Government entities — the Attorney General’s Department (AGD), the Civil Aviation Safety Authority (CASA) and the Office of the Inspector-General of Intelligence and Security (IGIS). Here is what they found.

Attorney General’s Department - In April 2016, AGD identified 160 paper-based processes within the department. Of these paper-based processes, 117 required that the associated documents be digitised at the conclusion of the process. In August 2016, AGD released its information management policy which identified that emails are to be used to record business decisions and then transferred into the department’s EDRMS. AGD’s financial, human resource and case management systems have digital workflows embedded. AGD has identified that the 43 remaining paper-based processes will have digital workflows and authorisations embedded where practical as supporting business systems are upgraded or refreshed.

AGD’s information management framework stipulates that all business records must be captured into the approved EDRMS, unless there is a specific exemption in place, and a digitisation guide has been created to support the migration of analogue documents into digital formats. In June 2017, AGD reported that 90 per cent of the department’s information is created and managed digitally, with the remaining 10 per cent of files created and managed physically. AGD has therefore fully implemented the target to appropriately manage records created in digital format.

Civil Aviation Safety Authority - CASA’s Electronic Transactions policy allows for electronic approvals and deems them the equivalent of a physical signature. The Electronic Transactions policy was due to be reviewed in 2016. However, the review did not take place and the policy does not align with the Digital Continuity 2020 policy. As part of a broader Service Delivery Transformation Project, CASA has commenced work to develop and implement digital authorisation and workflows into ICT systems, and has commenced a forms improvement project. This work is ongoing, and a recent internal audit identified instances where new hard copy files were being created, and of decisions being stored in personal drives. As such, CASA has partially implemented this target.

CASA’s information management manual requires that staff capture and manage all business records in electronic format in a compliant recordkeeping system, and CASA has created a digitisation guide to support the migration of analogue documents into digital formats. In 2017, CASA developed an Enterprise Information Management Strategy, which sets out a program of work over three years (2017–2020) that includes ensuring that information in analogue formats is migrated to digital format where there is value for money. CASA has also commenced work to identify and catalogue physical records holdings. CASA has therefore fully implemented the target to appropriately manage records created in digital format.

Inspector-General of Intelligence and Security (IGIS) - IGIS has not developed or implemented digital authorisations and workflows into business processes. While emails may record decisions, the email record must then be printed and filed in accordance with IGIS’ information and records management policy, which states that ‘the electronic version of any document is regarded as an unreliable reference and must not be used for decision making’. As at June 2019, IGIS has procured licences for, and is in the process of building and installing an EDRMS, and finalising the design and functional specifications of a case management system. When completed, the installation of these two systems should allow IGIS to incorporate digital authorisations and workflows into some business processes. However, work to implement these systems is not yet complete and as such IGIS cannot be considered to have implemented this target.

All IGIS information assets are currently paper-based, with any records created digitally required to be printed and stored in hardcopy. IGIS’ information and records management policy states that ‘the electronic version of any document is regarded as an unreliable reference and must not be used for decision making’. As such, IGIS has not implemented this target.

IGIS’s business operations utilise email correspondence, Microsoft Word and Microsoft Excel spreadsheets stored on group drives, and an Access database to manage complaints. There is no evidence that metadata assessments have been undertaken of these existing systems, and in accordance with the IGIS’ information and records management policy, the output from the processes conducted using these systems is to be printed out and stored on the hard-copy file.