Two government agencies share an IT platform. One, Veterans' Affairs, is required to monitor what its privileged users do inside it: the accounts that can change financial data. Asked to demonstrate that monitoring, it couldn't. Its answer was that the other agency did it for them, under the shared services agreement.
So the auditors asked the other agency. Yes, it produces a report of adverse activity and hands it over. No, it does not do the monitoring. That was always Veterans' Affairs' job.
Two agencies. Working systems on both sides. One control the whole arrangement depended on sitting in the gap between them, unrun, because each side understood the other to own it.
That's the cleanest finding in the Auditor-General's latest interim report on key financial controls. It's also the shape of the whole thing.
It's not an IT report
The ANAO assessed internal controls across the 27 largest Commonwealth entities: bodies that hold north of 94 per cent of the government's assets and expenditure. Of the findings raised, 71 per cent relate to the IT control environment, up from 65 per cent the year before. Read that as "fix your IT" and you've missed it.
Strip the label off the findings and look at what's actually contested in each one:
Access - who's allowed into this system, and who decided that.
Monitoring - who's responsible for watching, and who confirms they did.
Change - who authorised this change to a financial system, and who tested it.
Compliance - did anyone actually have authority to spend this money this way.
The systems work. What's missing, duplicated, or broken at a handover is the answer to who is allowed to decide and do what, and whether that authority holds end to end. That isn't an engineering question.
The sharpest case: spending no one authorised
The three most serious findings are legislative breaches at Social Services, Health, and Services Australia: payments made inconsistently with the law, including potential breaches of section 83 of the Constitution, which says money can't leave the Commonwealth except as legislation authorises.
The Social Services case is the one to sit with. By late 2025 there were 93 matters on the register, some known for years. Among those still needing legislative change to fix: the automation of advance payments the legislation does not actually permit.
A system was automated to make payments the law never authorised. The authority the code acted on had diverged from the authority the legislation granted, and money flowed through the gap for years before anyone closed it. The roles were defined on paper; the break was in the chain between them.
Why they don't get fixed
Of the findings raised, 43 per cent have been open for two years or more. That's not a backlog. That's a structure.
You patch a bug. A structural fault regenerates the same finding every cycle, no matter how diligently the symptom is remediated. And it's invisible to conventional review, because each component looks fine in isolation: the Veterans' Affairs gap only exists in the relationship between two controls that no single audit, register or matrix holds in view at once. It's an emergent property. You only see it when you model the whole thing as one connected system.
Named properly
This is decision architecture: who holds authority, who enacts it, who verifies the enactment, across an organisation and its boundaries.
Mapped as a directed graph, the ANAO's findings resolve into a handful of recognisable faults.
The Veterans' Affairs case is an authority void - a responsibility each party attributes to the other, falling into the gap.
The unmonitored accounts are dead-end verification - a check assigned to no one who enacts it.
The unauthorised payments are divergent enactment - what the system does has drifted from what its authority permits.
These are not metaphors; they are the literal shape of what was found, surfaced before the money moves, not after the audit lands.
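The three faults above, detected over a small directed graph. This is an added illustration, not WorkLattice's code or method; the edge relations, the OtherAgency label and the payment action names are assumptions, and the sample data is constructed from the cases the article describes.

```python
from collections import defaultdict

# Constructed sample graph modelled on the cases in the article.
# Edge = (relation, source, target); relation names are assumptions of this sketch.
EDGES = [
    # (party, control) -> who that party says owns the control
    ("says_owner", ("VeteransAffairs", "privileged_user_monitoring"), "OtherAgency"),
    ("says_owner", ("OtherAgency", "privileged_user_monitoring"), "VeteransAffairs"),
    ("says_owner", ("VeteransAffairs", "adverse_activity_report"), "OtherAgency"),
    ("says_owner", ("OtherAgency", "adverse_activity_report"), "OtherAgency"),
    # work a party actually performs
    ("enacts", "OtherAgency", "adverse_activity_report"),
    # a control that is supposed to verify an activity
    ("verifies", "privileged_user_monitoring", "privileged_account_activity"),
    # what an authority permits versus what a system does
    ("permits", "legislation", "scheduled_payment"),
    ("performs", "payment_system", "scheduled_payment"),
    ("performs", "payment_system", "automated_advance_payment"),
]

def index(edges):
    """Group (source, target) pairs by relation."""
    by_rel = defaultdict(list)
    for rel, src, dst in edges:
        by_rel[rel].append((src, dst))
    return by_rel

def authority_voids(edges):
    """Controls that every party attributes to someone other than itself."""
    claims = defaultdict(list)
    for (party, control), owner in index(edges)["says_owner"]:
        claims[control].append(party == owner)
    return sorted(c for c, own in claims.items() if not any(own))

def dead_end_verifications(edges):
    """Verification controls that no party enacts."""
    rel = index(edges)
    enacted = {control for _, control in rel["enacts"]}
    return sorted({check for check, _ in rel["verifies"]} - enacted)

def divergent_enactments(edges):
    """(system, action) pairs performed without any permitting authority."""
    rel = index(edges)
    permitted = {action for _, action in rel["permits"]}
    return sorted((s, a) for s, a in rel["performs"] if a not in permitted)

if __name__ == "__main__":
    print("authority voids:", authority_voids(EDGES))
    print("dead-end verification:", dead_end_verifications(EDGES))
    print("divergent enactment:", divergent_enactments(EDGES))
```

The report that one agency produces and claims as its own is not flagged; only the monitoring control that each side assigns to the other surfaces, and it surfaces under two fault types at once.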
Why it gets worse
The ANAO names the rising stake: AI. The same report notes only one of 22 entities met the baseline cyber standard, down from five, with maturity falling on the very control that restricts administrative privileges. The control environment is thinning at the exact moment the sector is automating on top of it.
These arrangements have run on slack: a person noticing the odd payment, someone informally owning a control no document assigns, a human catching the dropped handover. Automation removes the slack. An agent doesn't improvise the missing check; it executes the authority it's given, at speed, and where that authority is malformed it produces malformed outcomes faster than anyone can notice. Compress the slack hard enough and the arrangement snaps.
What WorkLattice produces is, in effect, a credit score for whether an organisation can absorb AI: whether the decision architecture is sound enough to automate on, or whether automation will just industrialise the faults already in it.
The part that should worry you
These 27 entities are the most scrutinised organisations in the country, audited annually, against published standards, tabled in Parliament. The faults still persist for years, because audit surfaces the symptom, not the structure that generates it.
If that's the state of the most-audited organisations in Australia, the live question is what's undiagnosed in the ones never mapped at all and now rushing hardest to put AI on top of decision architectures no one has ever drawn.
The Auditor-General just published the evidence. The only thing the report doesn't do is name the shape, and the shape is the whole point.
WorkLattice is a decision-architecture diagnostic from Sagentivum. It models governance as a directed graph of decision rights and surfaces the structural failures - authority voids, broken enactment chains, dead-end verification - that conventional review can't see, before they reach an audit, a mispayment, or an automated system acting on authority no one granted.
To see WorkLattice in action: https://www.sagentivum.com/case-study-governance/
