Risk, Compliance and Audit

Policy framework statement

The Risk, Compliance and Audit Policy Framework specifies the risk, compliance and audit requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent risk management, compliance management and independent audit assurance across the WA health system.

Purpose

The Director General (DG) of the Department of Health is the System Manager responsible for the overall management, strategic direction and stewardship of the WA health system. The DG will use policy frameworks to ensure a consistent approach to a range of matters undertaken by HSPs. Policy frameworks must be complied with and implemented as a part of ongoing operations.

The purpose of this policy framework is to ensure:

  • good governance and outcomes through effective risk management, compliance management and audit assurance in and across the WA health system
  • the DG, having overall management responsibility for the WA health system, is appropriately informed of material risks, compliance and audit findings.

Applicability

This policy framework is binding on each HSP to which it applies or relates.

Principles

The key principles that underpin this policy framework are:

Risk Management

The risk management principles included in AS/NZS ISO 31000:2009 [footnote 1] should be adopted in addition to those expressed or implied in Treasurer's Instruction 825 [footnote 2] including:

Risk management

  • response to risk is proportional to its materiality
  • creates, protects and adds value
  • is integrated with all organisational processes
  • is part of decision-making
  • is integrated with strategic and operational planning
  • facilitates continual improvement of the organisation
  • responsibilities are consistent with organisational responsibilities.

Risk management actions

  • explicitly address uncertainty
  • are based on the best available information
  • take human and cultural factors into account
  • are dynamic, iterative and responsive to change
  • system impact risks are to be escalated to the System Manager.

Risk management implementation

  • is tailored to local circumstances
  • systematic, structured and timely
  • transparent and inclusive of all stakeholders.

Compliance

The following compliance principles apply (as expressed in Australian Standard 3806:2006, superseded by AS ISO 19600:2015, in which they are implicit):

Commitment

  • Commitment by the governing body and senior management to effective compliance that permeates the whole organisation.
  • The compliance policy is aligned to the organisation’s strategy and business objectives, and is endorsed by the governing body.
  • Appropriate resources are allocated to develop, implement, maintain and improve the compliance program.
  • The governing body and senior management endorse the objectives and strategy of the compliance program.
  • Compliance obligations are identified and assessed.

Implementation

  • Responsibility for compliance outcomes is clearly articulated and assigned.
  • Competence and training needs are identified and addressed to enable employees to fulfil their compliance obligations.
  • Behaviours that create and support compliance programs are encouraged, and behaviours that compromise compliance are not tolerated.
  • Controls are in place to manage the identified compliance obligations and achieve desired behaviours.

Monitoring and measuring

  • Performance of the compliance program is monitored, measured and reported.
  • The organisation is able to demonstrate its compliance program through both documentation and practice.

Continual improvement

  • The compliance program is regularly reviewed and continually improved.

Audit

In addition to those expressed or implied in Treasurer's Instruction Part XII, the Core Principles for the Professional Practice of Internal Auditing [footnote 3] issued by The Institute of Internal Auditors, when taken collectively, articulate internal audit effectiveness. For an internal audit function to be considered effective, the following principles should all be present and operating effectively:

  • demonstrates integrity
  • demonstrates competence and due professional care
  • is objective and free from undue influence (independent)
  • aligns with the strategies, objectives, and risks of the organisation
  • is appropriately positioned and adequately resourced
  • demonstrates quality and continuous improvement
  • communicates effectively
  • provides risk-based assurance
  • is insightful, proactive, and future-focused
  • promotes organisational improvement.

Legislative context

The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). Other relevant parts in the Act that relate specifically to this policy framework include s. 62 and Part 13.

The following legislation may also apply:
  • Financial Management Act 2006 s. 53(1)(d)

Mandatory requirements

Under this policy framework HSPs must comply with all mandatory requirements* including:

*Any mandatory requirement document that references the Hospitals and Health Act 1927 must be interpreted as a requirement under the Health Services Act 2016.

Policy framework custodian

A/Assistant Director General
Strategy and Governance


Enquiries relating to this policy framework may be directed to:
PolicyFrameworkSupport@health.wa.gov.au

Review

This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.

Version | Effective from | Effective to | Amendment(s)
1 | 1 July 2016 | 5 April 2017 | Original version
2 | 5 April 2017 | 9 August 2018 | New MP 0046/17, superseded OD 0476/13.
3 | 9 August 2018 | Current | Rescindment of MP 0046/17 WA Health System Policy Governance Policy

Approval

This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.

Approval by: Dr D J Russell-Weisz, Director General, Department of Health
Approval date: 01 July 2016
Date published: 09 August 2018
File number: F-AA-40158

Compliance

This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.

Glossary of terms

Applicability: Under Section 26 of the Health Services Act 2016, policy frameworks may apply to:
  • All Health Service Providers
  • A type of public health service facility
  • A type of public health service
  • A type of staff member of a health service provider.
Audit: "An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes" (Treasurer's Instruction Part XII - Internal Audit and as defined by The Institute of Internal Auditors' Professional Practice Framework).
Compliance [footnote 4]: Meeting all the organisation's compliance obligations.
Health Service Provider: Means a Health Service Provider established by an order made under section 32(1)(b) of the Health Services Act 2016.
Risk: "The effect of uncertainty on objectives" (AS/NZS ISO 31000:2009).
Risk management: "Coordinated activities to direct and control an organisation with regard to risk" (AS/NZS ISO 31000:2009).
WA health system: Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and, to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.

1 AS/NZS ISO 31000:2009 - Australian, New Zealand and ISO Standard 31000:2009 Risk Management - Principles and Guidelines

2 Treasurer's Instruction 825 - Risk Management and Security; Treasurer's Instruction PART XII - Internal Audit. The Treasurer's instructions issued under section 58 of the Financial Administration and Audit Act 1985 came into operation on 1 July 1986 and are continued under the transitional provisions of the Financial Legislation Amendment and Repeal Act 2006 so as to have effect from 1 February 2007 as if they were issued under s.78 of the Act.

3 International Standards for the Professional Practice of Internal Auditing (IIA). The IIA is the internal audit profession's guidance-setting body, global voice, chief advocate, recognised authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United States.

4 AS ISO 19600:2015 - Australian Standard - Compliance Management Systems - Guidelines