If you are not a Queensland Government department, it can be difficult to determine whether you need to apply the QGEA. This page has been developed to guide Queensland Government bodies and help them make an informed decision on how the QGEA may apply to them and the benefits of adopting the QGEA.
As each government body is formed under different legislation, we recommend government bodies seek legal advice on their obligations.
Why adopt the QGEA?
Digital and ICT touches on everything we do, whether it’s our external or internal services, our behind-the-scenes processes, the information we handle, or the underpinning applications and technologies we use. The QGEA can help you navigate this complex environment. The QGEA contains a repository of directions, principles, policies and best practice advice to help guide decision makers operating in a digital and ICT environment.
Who must apply the QGEA?
The QGEA applicability web page sets out which Queensland Government bodies must apply the QGEA. While the QGEA generally only applies to departments as defined under the Public Service Act 2008, some government bodies may be directed to comply or have specific QGEA documents that apply to them.
Further, the remake of the Financial and Performance Management Standard 2019 (FPMS 2019) has extended the scenarios of when accountable officers and statutory bodies must have regard to the QGEA (see QGEA applicability under the Financial and Performance Management Standard 2019 below).
Government bodies using departmental owned services and assets
Where other government bodies use a service, application or technology owned by a department, that government body must also apply the relevant policies applicable for that asset.
For example, Statutory Body ABC may be using the department’s payroll and timekeeping solution. The department may have decided to implement 2-factor authentication and other security-related processes to align with security best practice. As such, government bodies that use this service (including Statutory Body ABC) should also adhere to the practices and processes that the department has put in place to ensure the continued security of this asset. Departments may choose to put service level agreements in place to ensure obligations are clearly documented, communicated and understood by the government bodies that are using their services/asset.
QGEA applicability under the Financial and Performance Management Standard 2019
If you are a department or directed government body, this section does not apply to you.
Under the FPMS 2019 accountable officers and statutory bodies must have regard to the QGEA in relation to:
- internal control structure (section 7(4))
- financial information management systems (section 22(2)(c))
- risk management (section 23(5)).
See Queensland Treasury’s Financial Accountability Handbook for further information on each of these sections or a summary in Does the QGEA 'apply in the circumstances'?
What does ‘must have regard to’ mean?
Accountable officers and statutory bodies under the FPMS 2019 must ‘have regard’ to the QGEA. Section 5 explains this to mean that the accountable officer or statutory body complies by:
- considering the contents of the document (here the QGEA)
- deciding whether the contents apply in the circumstances
- if the contents apply – applying the contents.
That is, making a conscious and documented decision to follow or not to follow the QGEA.
How do I decide?
The following decision tree has been developed to help guide government bodies on QGEA applicability.
Does the QGEA ‘apply in the circumstances?’
The FPMS 2019 provides a framework for the development and implementation of systems, practices and controls for the efficient, effective and economical financial and performance management of a department or statutory body. Key themes throughout the standard are the importance of accountability, governance and internal controls.
The QGEA provides a range of policies and best practice guidance that can assist government bodies to meet their obligations in the standard and should be considered when determining if it applies in your circumstances.
The following table provides examples on how the QGEA can support relevant sections of the FPMS 2019.
Section 7(4) - Internal controls
This section is concerned with ensuring the efficiency and effectiveness of government body operations, objectives and delivery of services; ensuring the accuracy and reliability of financial and management information; and managing risk exposure.
The QGEA can help with internal controls methods or procedures in the areas of:
- digital and ICT planning and investment management, planning and analysis
- information management and security management
- project, program and portfolio management approaches
- assurance that projects and programs will deliver
Section 22(2)(c) – Financial information management systems
This section covers the management of financial information including recording, storing, keeping, retrieving, destroying and securing financial information.
The QGEA can help with the management and security of information, including information governance, asset management, custodianship and records governance.
Section 23(5) – Risk management
This section includes managing risk and risk mitigation to ensure the continued operation of the department and the delivery of services.
The QGEA is a central repository of digital and ICT risk management information, including asset risks, project, program and portfolio risks, security risks and procurement risks, to name a few.
The QGEA covers many subjects so we encourage you to explore our website further (see I’m new to the QGEA – where should I start? below). See also the Financial Accountability Handbook for further guidance.
I’m new to the QGEA – where should I start?
If the QGEA does apply in your circumstances then we suggest you become a registered user of the QGCIO website and start familiarising yourself with the QGEA, in particular:
Please note that at this time reporting to the QGCIO as per policy reporting requirements is not required from government bodies other than departments. If broader reporting is required, such obligations will be listed within each policy itself. For further information see the QGEA reporting requirements web page.
Prioritise, plan and apply the QGEA
We recommend that government bodies become familiar with all the mandatory elements of the QGEA, namely the principles and policies (see QGEA document hierarchy for further information). One handy resource that lists all principles and policy requirements in the one location is the QGEA self-assessment workbook.
We know that limited resources and time means that no government body could implement the QGEA in its entirety in a short time frame. As such we understand that some planning and prioritisation is required.
The QGEA implementation prioritisation guideline and spreadsheet is a handy tool that uses attractiveness and achievability assessments to prioritise implementation of QGEA policies (and principles), with the aim of developing an implementation plan.
Reassess in the future
Policies will be amended, resources may grow and shrink, and business priorities may change – so it is always a good idea to reassess your decision not to apply the QGEA.
For these reasons we also recommend that government bodies who are applying the QGEA regularly reassess their implementation plan and its progress to incorporate any changes in circumstance and the ever-changing digital and ICT landscape.
Are you making a decision not to follow the QGEA?
The QGEA is based on best practice, and we hope that government bodies find the direction, guidance and tools in the QGEA to be helpful when running their business.
Where a government body is making a conscious and documented decision NOT to follow the QGEA, then we highly recommend that you undertake a risk assessment to understand the associated risks.
Conduct a risk assessment (accept risk)
We encourage government bodies to utilise the risk management practices already in use by their body when undertaking risk assessments, and to have such risk assessments signed off by the body’s accountable officer. Government bodies may wish to look at the ICT risk management web page, which details the range of risk management tools and techniques that are currently available to the Queensland Government.
Contact us at email@example.com.