What is the PGPA Act? A guide to public sector accountability and compliance

Public trust depends on how well government entities manage public resources. It’s not just about following rules; it’s about demonstrating integrity, transparency, and accountability at every level. To standardize how Commonwealth entities approach governance, the Public Governance, Performance and Accountability (PGPA) Act 2013 was introduced.

This legislation lays the foundation for how public sector bodies handle financial performance, reporting obligations, and risk management. If you’re working within or with a Commonwealth entity, understanding the PGPA Act is essential to ensure compliance and maintain operational credibility.

This article explains what the PGPA Act is, who it applies to, and how organizations can meet its obligations through clear policies and structured governance practices.

What is the PGPA Act?

The PGPA Act is a central piece of Australian legislation that governs how Commonwealth entities and companies manage public resources. Enacted in 2013 and operational from July 1, 2014, it replaced multiple older frameworks that were fragmented and inconsistent across agencies.

At its core, the PGPA Act aims to:

  • Ensure public funds are used properly, efficiently, and effectively.
  • Promote accountability and transparency in decision-making.
  • Support high standards of governance and performance reporting.
  • Provide a consistent financial management framework for all Commonwealth bodies.

The Act doesn’t just cover financial matters; it also sets expectations around leadership, ethics, and risk oversight.

Who does the PGPA Act apply to?

The PGPA Act applies to two main types of government bodies:

1. Commonwealth entities

These include all government departments and agencies established under law. They’re further divided into:

  • Corporate Commonwealth entities (CCEs): legally separate from the Commonwealth (e.g., CSIRO).
  • Non-corporate Commonwealth entities (NCCEs): legally part of the Commonwealth (e.g., Department of Health).

2. Commonwealth companies

These are companies incorporated under the Corporations Act 2001 that the government controls. Examples include certain state-owned enterprises.

The responsibilities under the PGPA Act fall primarily on accountable authorities, usually the heads of departments or CEOs, who must ensure their entities comply with all governance, performance, and financial requirements.

Key obligations under the PGPA Act

Entities governed by the PGPA Act have several core obligations. These aren’t just technical checkboxes; they are central to maintaining trust in government operations.

1. Duties of accountable authorities

Accountable authorities must promote:

  • Proper use and management of public resources.
  • Achievement of entity purposes efficiently.
  • Transparent reporting and ethical conduct.

They are expected to lead governance efforts and foster a culture of integrity and accountability within their organizations.

2. Financial management and reporting

Entities must prepare annual performance statements and financial reports that are:

  • Accurate
  • Auditable by the Australian National Audit Office (ANAO)
  • Delivered on time

This ensures transparency in how public funds are allocated and used.

3. Performance measurement

Entities must define performance criteria in their corporate plans and report on outcomes. This links funding to measurable results and helps Parliament and the public evaluate agency effectiveness.

4. Risk oversight

A formal approach to risk management is required, including:

  • Identifying internal and external risks.
  • Implementing controls.
  • Regular monitoring and updates.

The Commonwealth Risk Management Policy supports this by outlining expectations around risk maturity.

5. Internal controls and compliance

Agencies must establish policies and procedures that ensure compliance with:

  • The PGPA Act and Rules
  • Government finance guidelines
  • Ethics and conduct requirements

This includes procurement rules, grant reporting, and value-for-money assessments.

Why PGPA compliance matters

Failure to comply with the PGPA Act can result in more than just poor audit results. It can lead to:

  • Loss of funding or reputational credibility.
  • Auditor-General reports exposing mismanagement.
  • Ministerial inquiries and accountability actions.
  • Public scrutiny and loss of stakeholder trust.

Good governance isn’t just about avoiding negative outcomes. It also improves decision-making, enables efficient use of resources, and helps organizations deliver better public outcomes.

How to ensure compliance with the PGPA Act

Meeting PGPA obligations requires more than basic awareness; it takes structured planning, clear processes, and continuous oversight. Here’s how Commonwealth entities can prepare and maintain compliance:

1. Map your responsibilities

Understand where your entity fits under the PGPA Act, whether you are a corporate or non-corporate Commonwealth entity. Identify who the accountable authority is and what responsibilities flow from that role. Create a clear list of reporting and compliance obligations relevant to your structure.

2. Develop a robust governance framework

Build a governance model that defines how decisions are made, who is responsible, and what checks are in place. This includes:

  • Delegation schedules
  • Oversight committees
  • Risk and audit structures

Each component should be clearly documented and periodically reviewed.

3. Formalize risk management processes

Risk oversight is a key requirement under the PGPA Act. To meet it, establish a risk management policy aligned with the Commonwealth Risk Management Policy. Your framework should:

  • Define risk appetite.
  • Identify strategic and operational risks.
  • Assign responsibilities.
  • Schedule regular risk reviews.

Make sure staff understand how risk affects their daily roles.

4. Strengthen internal control systems

Create or refine internal procedures that cover:

  • Procurement approvals.
  • Financial delegations.
  • Documented workflows for key transactions.
  • Regular internal audits.

These controls act as safeguards against misuse of resources and unintentional errors.

5. Ensure accurate and timely reporting

Set clear responsibilities and schedules for:

  • Annual performance statements.
  • Corporate plans and budgets.
  • Financial statements.
  • Parliamentary submissions.

Data accuracy is crucial, so consider regular reconciliations and internal reviews before reports are finalized.

6. Promote a culture of accountability

Governance isn’t only about structures; it’s also about people. Provide regular training to staff and leadership teams on:

  • The principles of the PGPA Act.
  • Their specific duties.
  • Reporting requirements.

Encourage ethical decision-making, open communication, and escalation of concerns when necessary.

7. Monitor and audit regularly

Establish internal audit functions or engage external auditors to assess compliance. Use these findings not only to fix issues but to strengthen your overall governance and performance framework.

Strengthen governance with smarter GRC automation

Building a strong compliance posture requires more than policies; it needs systems that support oversight, documentation, and continuous improvement.

The CyberArrow GRC platform helps organizations streamline governance and accountability efforts through:

  • Centralized risk and compliance dashboards.
  • Real-time KPI and audit tracking.
  • Automated evidence collection and reporting.
  • Policy and document management with version control.
  • Asset inventory, third-party risk assessments, and internal control tracking.

CyberArrow is designed to simplify complex compliance operations, reduce manual work, and support a culture of responsibility across teams.

CyberArrow team