The board of a $5 billion Australian government fund, run by several former investment bankers, has been admonished for using non-official email accounts to conduct business with political and commercial sensitivities.
The Auditor General said some of the Northern Australia Infrastructure Facility (NAIF) board members used non-official email accounts to share commercially sensitive information and make investment decisions.
The NAIF's board comprises a number of legal and finance experts including Gilbert and Tobin partner and former Macquarie Capital executive director Justin Mannolini.
Meanwhile, the NAIF's chief executive Laurie Walker is a former global head of loan product and execution at ANZ, and its chief financial officer is a former chief operating officer of JP Morgan Chase Australia.
The findings, released in a performance audit report on the fund conducted by the Auditor General, show the NAIF failed to implement a proper Protective Security Policy framework.
As a result of board members using non-official email accounts, sensitive information was stored on private servers and consumer-grade email servers.
The Auditor General pointed out that by using consumer-grade email servers the NAIF was relying on "service providers' security risk management policies and practices".
And it seems some board members continued using their non-official accounts after the issue was first brought to light.
The report reveals the NAIF board made a decision to cease the use of non-official email accounts in August 2017 but there is evidence some board members continued to conduct official business through non-official email accounts well into the following year.
The Auditor General is clear in saying: "The use of non-official emails compromised the integrity of these control systems and placed commercially sensitive information on non-government servers potentially accessible to non-government IT personnel."
One board member sent over 7000 emails from their non-official account, another 1600 and another 1500.
The report also reveals the NAIF failed to use security classifications or mark official documents for limited dissemination.
As well as the security issue, deletion of Commonwealth government records from these accounts may have contravened the record keeping requirements of the Archives Act 1983.
The Auditor General was clear in recommending: "The NAIF cease use of all non-official email accounts and servers to conduct official business."
The report states: "The NAIF did not implement effective arrangements to support integrity and transparency throughout all elements of its operations."
Alongside the email issue, the Auditor General found issues with the transparency of decision making in the NAIF.
According to the report: "Arrangements for ensuring the integrity of decision support processes were not effective, with insufficient evidence that all applicants were evaluated in a consistent manner throughout the assessment stages."
At least some of those decisions were made via non-official email accounts.
The report said: "The NAIF recruits and manages executives and other staff with access to market sensitive information."
"As an assessor of potential government financing to major infrastructure projects, the NAIF manages high value information assets of commercial and political sensitivity.
"The NAIF also faces potential risks to the physical security of people and property across a number of locations arising from its actual or perceived involvement with controversial projects and proponents."
NAIF agreed with the Auditor General's findings and responded, saying: "NAIF has ceased all use of non-official email accounts, for any NAIF business. This does not extend to stakeholder or proponent engagement via the email accounts provided by those parties."