Risk, Compliance and Audit Policy Framework
View the PDF document of the Risk, Compliance and Audit Policy Framework.
1. Policy framework statement
The Risk, Compliance and Audit Policy Framework specifies the risk, compliance and audit requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent risk management, compliance management and independent audit assurance across the WA health system.
The Director General (DG) of the Department of Health is the System Manager responsible for the overall management, strategic direction and stewardship of the WA health system. The DG will use policy frameworks to ensure a consistent approach to a range of matters undertaken by HSPs. Policy frameworks must be complied with and implemented as a part of ongoing operations.
The purpose of this policy framework is to ensure:
- good governance and outcomes through effective risk management, compliance management and audit assurance in and across the WA health system
- the DG, having overall management responsibility for the WA health system, is appropriately informed of material risks, compliance and audit findings.
This policy framework is binding on each HSP to which it applies or relates.
The key principles that underpin this policy framework are:
The risk management principles included in AS/NZS ISO 31000:20091 should be adopted in addition to those expressed or implied in Treasurer's Instruction 8252 including:
- response to risk is proportional to its materiality
- creates, protects and adds value
- is integrated with all organisational processes
- is part of decision-making
- is integrated with strategic and operational planning
- facilitates continual improvement of the organisation
- responsibilities are consistent with organisational responsibilities.
Risk management actions
- explicitly address uncertainty
- are based on the best available information
- take human and cultural factors into account
- are dynamic, iterative and responsive to change
- system impact risks are to be escalated to the System Manager.
Risk management implementation
- is tailored to local circumstances
- systematic, structured and timely
- transparent and inclusive of all stakeholders.
The following compliance principles apply (expressed in Australian Standard 3806:2006 superseded by AS ISO 19600:2015 in which they are implicit):
- Commitment by the governing body and senior management to effective compliance that permeates the whole organisation.
- The compliance policy is aligned to the organisation’s strategy and business objectives, and is endorsed by the governing body.
- Appropriate resources are allocated to develop, implement, maintain and improve the compliance program.
- The governing body and senior management endorse the objectives and strategy of the compliance program.
- Compliance obligations are identified and assessed.
- Responsibility for compliance outcomes is clearly articulated and assigned.
- Competence and training needs are identified and addressed to enable employees to fulfil their compliance obligations.
- Behaviours that create and support compliance programs are encouraged, and behaviours that compromise compliance are not tolerated.
- Controls are in place to manage the identified compliance obligations and achieve desired behaviours.
Monitoring and measuring
- Performance of the compliance program is monitored, measured and reported.
- The organisation is able to demonstrate its compliance program through both documentation and practice.
- The compliance program is regularly reviewed and continually improved.
In addition to those expressed or implied in Treasurer’s Instruction Part XII, the Core Principles for the Professional Practice of Internal Auditing3 issued by The Institute of Internal Auditors, when taken collectively, articulate internal audit effectiveness. For an internal audit function to be considered effective, the following principles should all be present and operating effectively:
- demonstrates integrity
- demonstrates competence and due professional care
- is objective and free from undue influence (independent)
- aligns with the strategies, objectives, and risks of the organisation
- is appropriately positioned and adequately resourced
- demonstrates quality and continuous improvement
- communicates effectively
- provides risk-based assurance
- is insightful, proactive, and future-focused
- promotes organisational improvement.
5. Legislative context
The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). Other relevant parts in the Act that relate specifically to this policy framework include s. 62 and Part 13.
The below legislation, may also apply:
- Financial Management Act 2006
s. 53 (1)(d)
6. Mandatory requirements
Under this policy framework HSPs must comply with all mandatory requirements* including:
- Internal Audit Policy - MP 0008/16
- Monitoring of External Reviews Policy - MP 0009/16
- WA Health Compliance Management Policy - MP 0007/16
- WA Health Risk Management Policy - MP 0006/16
- WA Health System Policy Governance Policy - MP 0046/17
- WA Health Integrated Corporate & Clinical Risk Analysis Tables and Evaluation Criteria 2009 (as amended 2011)
*Any mandatory requirement document that references the Hospitals and Health Act 1927 must be interpreted as a requirement under the Health Services Act 2016.
7. Supporting information
The following documents support and inform the implementation of the mandatory requirements:
- Good Governance Guide for Public Sector Agencies
- Good Governance Principles for WA Boards and Committees
- Professional Practices Framework of The Institute of Internal Auditors
- Western Australian Government Risk Management Guidelines
8. Policy framework custodian
Deputy Director General
Office of the Deputy Director General
Enquiries relating to this policy framework may be directed to:
This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.
|Version||Effective from||Effective to||Amendment(s)|
|1||1 July 2016||5 April 2017||Original version|
|2||5 April 2017||Current||New MP 0046/17, superseded OD 0476/13.|
This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.
|Approval by||Dr David Russell-Weisz, Director General, Department of Health|
|Approval date||1 July 2016|
|Date published||5 April 2017|
|Dept. File No||F-AA-40158|
This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.
12. Glossary of terms
|Applicability||Under Section 26 of the Health Services Act 2016, policy frameworks may apply to:
|Audit||"An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes" (Treasurer's Instruction Part XII - Internal Audit and as defined by The Institute of Internal Auditors' Professional Practice Framework).|
|Compliance4||Meeting all the organisation's compliance obligations.|
|Health Service Provider||Health Service Provider means a health service provider established under s. 32 of the Health Services Act 2016 and may include North Metropolitan Health Service (NMHS), South Metropolitan Health Service (SMHS), Child and Adolescent Health Service (CAHS), WA Country Health Service (WACHS), East Metropolitan Health Service (EMHS), Quadriplegic Centre and Health Support Services (HSS).|
|Risk||"The effect of uncertainty on objectives" (AS/NZS ISO 31000:2009).|
|Risk management||"Coordinated activities to direct and control an organisation with regard to risk" (AS/NZS ISO 31000:2009).|
|WA health system||The WA health system is comprised of the Department of Health, Health Service Providers (NMHS, SMHS, CAHS, WACHS, EMHS, Quadriplegic Centre and HSS) and to the extent that contracted health entities provide health services to the State, the contracted health entities.|
1 AS/NZS ISO 31000:2009 - Australian, New Zealand and ISO Standard 31000:2009 Risk Management - Principles and Guidelines
2 Treasurer's Instruction 825 - Risk Management and Security Treasurer's Instruction PART XII - Internal Audit. The Treasurer's instructions issued under section 58 of the Financial Administration and Audit Act 1985 came into operation on 1 July 1986 and are continued under the transitional provisions of the Financial Legislation Amendment and Repeal Act 2006 so as to have effect from 1 February 2007 as if they were issued under s.78 of the Act.
3 International Standards for the Professional Practice of Internal Auditing (IIA) The IIA is the internal audit profession's guidance-setting body, global voice, chief advocate, recognised authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United States.
4 AS ISO 19600:2015 Ė Australian Standard - Compliance Management Systems - Guidelines