Risk, Compliance and Audit
Policy framework statement
The Risk, Compliance and Audit Policy Framework specifies the risk, compliance and audit requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent risk management, compliance management and independent audit assurance across the WA health system.
Purpose
The purpose of this policy framework is to ensure:
- good governance and outcomes through effective risk management, compliance management and audit assurance in and across the WA health system
- the DG, having overall management responsibility for the WA health system, is appropriately informed of material risks, compliance and audit findings.
Applicability
This policy framework is binding on each HSP to which it applies or relates.
Principles
The key principles that underpin this policy framework are:
Risk Management
The risk management principles included in AS ISO 31000:2018 Risk Management – Guidelines should be adopted in addition to those expressed or implied in Treasurer's Instruction 825 - Risk Management including:
Risk management
- response to risk is proportional to its materiality
- creates, protects and adds value
- is integrated with all organisational processes
- is part of decision-making
- is integrated with strategic and operational planning
- facilitates continual improvement of the organisation
- responsibilities are consistent with organisational responsibilities.
Risk management actions
- explicitly address uncertainty
- are based on the best available information
- take human and cultural factors into account
- are dynamic, iterative and responsive to change
- system impact risks are to be escalated to the System Manager.
Risk management implementation
- is tailored to local circumstances
- is systematic, structured and timely
- is transparent and inclusive of all stakeholders.
Compliance
The following compliance principles apply (they were expressed in Australian Standard 3806:2006, which has been superseded by AS ISO 19600:2015 Compliance Management Systems – Guidelines, where they are implicit):
Commitment
- Commitment by the governing body and senior management to effective compliance that permeates the whole organisation.
- The compliance policy is aligned to the organisation’s strategy and business objectives, and is endorsed by the governing body.
- Appropriate resources are allocated to develop, implement, maintain and improve the compliance program.
- The governing body and senior management endorse the objectives and strategy of the compliance program.
- Compliance obligations are identified and assessed.
Implementation
- Responsibility for compliance outcomes is clearly articulated and assigned.
- Competence and training needs are identified and addressed to enable employees to fulfil their compliance obligations.
- Behaviours that create and support compliance programs are encouraged, and behaviours that compromise compliance are not tolerated.
- Controls are in place to manage the identified compliance obligations and achieve desired behaviours.
Monitoring and measuring
- Performance of the compliance program is monitored, measured and reported.
- The organisation is able to demonstrate its compliance program through both documentation and practice.
Continual improvement
- The compliance program is regularly reviewed and continually improved.
Audit
In addition to those expressed or implied in Treasurer’s Instruction Part XII, the Core Principles for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors, when taken collectively, articulate internal audit effectiveness. For an internal audit function to be considered effective, the following principles should all be present and operating effectively:
- demonstrates integrity
- demonstrates competence and due professional care
- is objective and free from undue influence (independent)
- aligns with the strategies, objectives, and risks of the organisation
- is appropriately positioned and adequately resourced
- demonstrates quality and continuous improvement
- communicates effectively
- provides risk-based assurance
- is insightful, proactive, and future-focused
- promotes organisational improvement.
Legislative context
This policy framework is made pursuant to s. 26(2)(l) of the Health Services Act 2016.
The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). Other relevant parts in the Act that relate specifically to this policy framework include s. 62 and Part 13.
The below legislation may also apply:
- Financial Management Act 2006, s. 53(1)(d)
Mandatory requirements
Under this policy framework HSPs must comply with all mandatory requirements* including:
Policy framework custodian
Assistant Director General
Strategy and Governance
Review
This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.
Version | Effective from | Effective to | Amendment(s) |
7 | 21 December 2022 | Current | Rescindment: MP 0008/16 Internal Audit Policy. The reasons for rescindment include: In 2019, the requirements stipulated in the Financial Management Act 2006 (FMA) and Treasurer's Instructions (TI) (1201 and 1202) expanded significantly, requiring health service providers to establish an internal audit committee and to conduct mandatory periodic internal and external audit assessments. The results and recommendations of these assessments are to be reported to both the internal audit committee and the Director General and System Manager. Due to the current TI requirements, policy compliance for health service providers to submit a separate statement to the Director General is redundant and a replication of reporting. |
6 | 30 September 2022 | 21 December 2022 | Rescindment: MP 0009/16 Monitoring of External Reviews Policy. The reasons for rescindment include: Compliance with the mandatory policy requirements by HSPs is onerous and impractical due to parliamentary privilege and legislative restrictions, and the Department of Health's System Risk and Assurance Unit is unable to effectively monitor HSP policy compliance due to the lack of a prescribed reporting mechanism. |
5 | 30 June 2021 | 30 September 2022 | Retitle of OD 0595/16 and relocation from Mandatory requirements to Supporting information as part of the OD/IC Project while under redevelopment to a Mandatory Policy. |
4.1 | 1 October 2019 | 30 June 2021 | Major Amendment to MP 0006/16 Risk Management Policy. Due to the extensive nature of amendments please refer to the document control (section 9) of the policy for details. |
4 | 27 May 2019 | 1 October 2019 | Business continuity management is a component of risk management that addresses disruption-related risks. Accordingly, the Business Continuity Management OD 0595/15 has been relocated from the Public Health Policy Framework to the Risk, Compliance and Audit Policy Framework. |
3 | 9 August 2018 | 27 May 2019 | Rescindment of MP 0046/17 WA Health System Policy Governance Policy. |
2 | 5 April 2017 | 9 August 2018 | New MP 0046/17 WA Health System Policy Governance Policy, superseded OD 0476/13. |
1 | 1 July 2016 | 5 April 2017 | Original version |
Approval
This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.
Approval by | Dr D J Russell-Weisz, Director General, Department of Health |
Approval date | 01 July 2016 |
Date published | 09 August 2018 |
File number | F-AA-40158 |
Compliance
This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.
Glossary of terms
Term | Meaning |
Applicability | Under Section 26 of the Health Services Act 2016, policy frameworks may apply to: all Health Service Providers; a type of public health service facility; a type of public health service; a type of staff member of a health service provider. |
Audit | "An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes" (Treasurer's Instruction Part XII - Internal Audit and as defined by The Institute of Internal Auditors' Professional Practice Framework). |
Compliance | Meeting all the organisation's compliance obligations. |
Health Service Provider | Means a Health Service Provider established by an order made under section 32(1)(b) of the Health Services Act 2016. |
Risk | "The effect of uncertainty on objectives" (AS ISO 31000:2018) |
Risk management | "Coordinated activities to direct and control an organisation with regard to risk" (AS ISO 31000:2018) |
WA health system | Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and, to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities. |