
AI governance in government: Is your agency ready for the ANAO’s spotlight?


The Australian National Audit Office (ANAO) has recently emphasised the importance of agencies having effective and specific AI governance frameworks. This was the key message coming out of the ANAO’s performance audit report on the ATO’s Governance of Artificial intelligence.

The Upshot: agencies need to ensure they have:

  • centralised visibility and oversight of AI use
  • AI-focused governance bodies
  • integrated AI-specific considerations into existing governance structures, and
  • clearly defined roles and responsibilities for managing the agency’s AI implementation.

Welcome to the third in our series of articles on AI in Government. If you’d like a refresher on the series, see our first and second articles.

Why did the ANAO do this audit?

The Commonwealth is committed to ‘gaining public confidence and trust in the safe and responsible use of AI’ as it navigates the digital era. However, the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2024 found that of the 56 entities using AI that year, just 36 had AI governance policies and only 15 had AI assurance policies. As such, the ANAO indicates in the Governance of Artificial intelligence audit report that it will first focus on AI governance while also building its capability to conduct more technical audits of the public sector’s AI tools.

The ATO was chosen as the first agency as it uses both publicly available generative AI and AI models built in-house in a wide variety of contexts. For example, the ATO has used its own models to support decision making, draft communications, review large quantities of unstructured data, and analyse data to assess non-compliance risks. It also uses AI in call centres and its website’s virtual assistant program.

Key Findings

The ANAO found that the ATO only had partly effective governance arrangements supporting its use of AI in 3 key areas.

Area | The ATO needs...

AI adoption

The ATO has a policy on the use of publicly available generative AI tools and an automation and AI strategy. It still needs:

  • fit-for-purpose implementation arrangements
  • clearly defined roles and responsibilities relating to its AI adoption
  • AI-specific risk management arrangements, and
  • to ensure its data ethics framework sufficiently covers its AI adoption.

Design, development and deployment of AI models

  • specific policies and procedures for designing, developing, and deploying AI models
  • consistent integration of ethical and legal considerations into AI design and development, and
  • standardised assurance and approval arrangements setting out testing, validation, review and decision-making during the AI life cycle.

Monitoring, evaluating and reporting on AI adoption

  • a monitoring and reporting framework for its AI models, and
  • an evaluation framework for the implementation of its automation and AI strategy. 

What did the ANAO recommend?

The ANAO recommended that the ATO:

  • align implementation arrangements for the automation and AI strategy with agency-wide requirements
  • clearly define and communicate agency-wide organisational structures and governance arrangements supporting its AI adoption
  • review the misuse of data and analytics risks according to the ATO’s risk management framework and risk appetite, and update and incorporate controls relating to AI’s impact on this risk
  • improve the alignment of its use of AI (including at the design, development and deployment stages) with ethical principles
  • align its design, development, deployment and assurance of AI to relevant pre-existing ATO policies and procedures
  • establish performance measurement and evaluation arrangements for its AI strategy, and
  • ensure that its approach to managing information supports transparency and accountability in AI adoption.

The ATO agreed to these recommendations.

What the ANAO wants you to know

Agencies should prepare for audits on their AI governance – think about how your agency would perform against the things the ANAO critiqued the ATO for. Would your agency perform better or worse?

Agencies should be adaptable and responsive to the ethical and legal risks of their AI adoption.

The ANAO expects agencies to:

  • take consistent approaches to monitoring, evaluating and reporting on their AI models’ utility, performance, and risks
  • have robust policies and procedures to manage and respond to AI-specific risks and to comply with Australian Government policy requirements
  • have effective AI governance frameworks with centralised visibility and oversight of AI use, AI-focused governance bodies and the integration of AI-specific considerations into existing governance structures
  • have in place effective arrangements supporting AI design, development and deployment (including ethical AI implementation), and
  • have clearly defined roles and responsibilities for managing the agency’s AI implementation.

What should you do now?

We expect that agencies are reviewing their existing arrangements (including AI-specific governance arrangements):

  • to support the adoption of AI
  • for designing, developing and deploying AI, and
  • for monitoring, evaluating and reporting on their AI implementation.

Finally, the February deadline for publishing AI transparency statements has now passed. Any agencies who have missed this date should be working towards releasing their statement as soon as possible!