Risk, Compliance and Audit


Policy framework statement

The Risk, Compliance and Audit Policy Framework specifies the risk, compliance and audit requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent risk management, compliance management and independent audit assurance across the WA health system.


The purpose of this policy framework is to ensure:

  • good governance and outcomes through effective risk management, compliance management and audit assurance in and across the WA health system
  • the DG, having overall management responsibility for the WA health system, is appropriately informed of material risks, compliance and audit findings.  


This policy framework is binding on each HSP to which it applies or relates.


The key principles that underpin this policy framework are:

Risk Management

The risk management principles included in AS ISO 31000:2018 Risk Management – Guidelines should be adopted in addition to those expressed or implied in Treasurer's Instruction 825 - Risk Management including:

Risk management

  • response to risk is proportional to its materiality
  • creates, protects and adds value
  • is integrated with all organisational processes
  • is part of decision-making
  • is integrated with strategic and operational planning
  • facilitates continual improvement of the organisation
  • responsibilities are consistent with organisational responsibilities.

Risk management actions

  • explicitly address uncertainty
  • are based on the best available information
  • take human and cultural factors into account
  • are dynamic, iterative and responsive to change
  • system impact risks are to be escalated to the System Manager.

Risk management implementation

  • is tailored to local circumstances
  • systematic, structured and timely
  • transparent and inclusive of all stakeholders.


The following compliance principles apply (they were expressed in Australian Standard 3806:2006, since superseded by AS ISO 19600:2015 Compliance Management Systems – Guidelines, in which they are implicit):


  • Commitment by the governing body and senior management to effective compliance that permeates the whole organisation.
  • The compliance policy is aligned to the organisation’s strategy and business objectives, and is endorsed by the governing body.
  • Appropriate resources are allocated to develop, implement, maintain and improve the compliance program.
  • The governing body and senior management endorse the objectives and strategy of the compliance program.
  • Compliance obligations are identified and assessed.


  • Responsibility for compliance outcomes is clearly articulated and assigned.
  • Competence and training needs are identified and addressed to enable employees to fulfil their compliance obligations.
  • Behaviours that create and support compliance programs are encouraged, and behaviours that compromise compliance are not tolerated.
  • Controls are in place to manage the identified compliance obligations and achieve desired behaviours.

Monitoring and measuring

  • Performance of the compliance program is monitored, measured and reported.
  • The organisation is able to demonstrate its compliance program through both documentation and practice.

Continual improvement

  • The compliance program is regularly reviewed and continually improved.

In addition to those expressed or implied in Treasurer’s Instruction Part XII, the Core Principles for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors, when taken collectively, articulate internal audit effectiveness. For an internal audit function to be considered effective, the following principles should all be present and operating effectively:

  • demonstrates integrity
  • demonstrates competence and due professional care
  • is objective and free from undue influence (independent)
  • aligns with the strategies, objectives, and risks of the organisation
  • is appropriately positioned and adequately resourced
  • demonstrates quality and continuous improvement
  • communicates effectively
  • provides risk-based assurance
  • is insightful, proactive, and future-focused
  • promotes organisational improvement. 

Legislative context

This policy framework is made pursuant to ss 26(2)(l) of the Health Services Act 2016.

The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). Other relevant parts in the Act that relate specifically to this policy framework include s. 62 and Part 13. 

The following legislation may also apply:
  • Financial Management Act 2006 s. 53(1)(d)

Mandatory requirements

Under this policy framework HSPs must comply with all mandatory requirements* including:

Policy framework custodian

Assistant Director General
Strategy and Governance

Enquiries relating to this Policy Framework may be directed to: PolicyFrameworkSupport@health.wa.gov.au


This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.

Version history (version, effective from, effective to, amendment(s)):

Effective from: 21 December 2022
Effective to: Current
Amendment(s): Rescindment: MP 0008/16 Internal Audit Policy. The reasons for rescindment include: In 2019, the requirements stipulated in the Financial Management Act 2006 (FMA) and Treasurer's Instructions (TI) (1201 and 1202) expanded significantly, requiring health service providers to establish an internal audit committee and to conduct mandatory periodic internal and external audit assessments. The results and recommendations of these assessments are to be reported to both the internal audit committee and the Director General and System Manager. Due to the current TI requirements, policy compliance for health service providers to submit a separate statement to the Director General is redundant and a replication of reporting.

Effective from: 30 September 2022
Effective to: 21 December 2022
Amendment(s): Rescindment: MP 0009/16 Monitoring of External Reviews Policy. The reasons for rescindment include: Compliance with the mandatory policy requirements by HSPs is onerous and impractical due to parliamentary privilege and legislative restrictions, and the Department of Health System Risk and Assurance Unit is unable to effectively monitor HSP policy compliance due to the lack of a prescribed reporting mechanism.

Version: 5
Effective from: 30 June 2021
Effective to: 30 September 2022
Amendment(s): Retitle of OD 0595/16 and relocation from Mandatory requirements to Supporting information as part of the OD/IC Project while under redevelopment to a Mandatory Policy.

Version: 4.1
Effective from: 1 October 2019
Effective to: 30 June 2021
Amendment(s): Major Amendment to MP 0006/16 Risk Management Policy. Due to the extensive nature of amendments please refer to the document control (section 9) of the policy for details.

Version: 4
Effective from: 27 May 2019
Effective to: 1 October 2019
Amendment(s): Business continuity management is a component of risk management that addresses disruption related risks. Accordingly, the Business Continuity Management OD 0595/15 has been relocated from the Public Health Policy Framework to the Risk, Compliance and Audit Policy Framework.

Version: 3
Effective from: 9 August 2018
Effective to: 27 May 2019
Amendment(s): Rescindment of MP 0046/17 WA Health System Policy Governance Policy.

Version: 2
Effective from: 5 April 2017
Effective to: 9 August 2018
Amendment(s): New MP 0046/17 WA Health System Policy Governance Policy, superseded OD 0476/13.

Version: 1
Effective from: 1 July 2016
Effective to: 5 April 2017
Amendment(s): Original version


This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.

Approval by: Dr D J Russell-Weisz, Director General, Department of Health
Approval date: 01 July 2016
Date published: 09 August 2018
File number: F-AA-40158


This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.

Glossary of terms

Applicability: Under Section 26 of the Health Services Act 2016, policy frameworks may apply to:
  • All Health Service Providers
  • A type of public health service facility
  • A type of public health service
  • A type of staff member of a health service provider.

Audit: "An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes" (Treasurer's Instruction Part XII - Internal Audit and as defined by The Institute of Internal Auditors' Professional Practice Framework).

Compliance: Meeting all the organisation's compliance obligations.

Health Service Provider: Means a Health Service Provider established by an order made under section 32(1)(b) of the Health Services Act 2016.

Risk: "The effect of uncertainty on objectives" (AS ISO 31000:2018)

Risk management: "Coordinated activities to direct and control an organisation with regard to risk" (AS ISO 31000:2018)

WA health system: Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and, to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.