Fraud and Corruption Control Plan
University of New England
Compliance Management Framework and Procedures

Document data:
Document type: Framework and procedures
Administering entity: Audit and Risk Directorate
Records management system number: d12/50959
Date approved: 4th October 2012
Approved by: Vice-Chancellor
Indicative time for review: Maximum 2 years from approval date
Responsibility for review: Audit and Risk Directorate
Related policies or other documents:
- Compliance Policy
- Risk Management Policy and Guidelines
- Code of Conduct
- Records Management Policy
- AS3806-2006 Compliance Programs
Staff contact for advice:
- Legal Counsel and Executive Director of Governance
- Director Audit and Risk
Revision history:

Compliance Management Framework

Table of contents

Section 1: Compliance management framework
1. Purpose
2. Scope
3. Compliance management introduction
4. The policy
5. Risk management
6. Compliance management process
7. Responsibility and accountability structure
7.1 Overview
7.2 Council
7.3 Vice-Chancellor and CEO
7.4 Executive management
7.5 Managers
7.6 Audit and Risk Directorate (ARD)
7.7 Employees
8. Reporting responsibilities
8.1 Annual reporting
8.2 Obligations register
8.3 Breach reporting and management
8.4 External reporting requirements
9. Annual compliance management calendar

Section 2: Compliance management operating procedure
1. Application
2. Purpose
3. The compliance management process
3.1 Understand the legal, regulatory and business environment
3.2 Create and maintain compliance requirements and obligations registers
3.3 Compliance risk assessment - identify, analyse and evaluate compliance risks
3.4 Manage obligations
3.5 Continual monitoring and evaluation
3.6 Communications & reporting

Attachments

Acknowledgements

We wish to thank and recognise the assistance of the Compliance Manager at UNSW and acknowledge that our template of the compliance obligations register is based on the UNSW template. In addition we thank and acknowledge the Victorian Managed Insurance Authority as the primary source for the basis of our framework and procedures.

Section 1: Compliance management framework

1. Purpose

The purpose of the compliance management framework (the framework) is to implement the University of New England's compliance policy, one component of an integrated governance risk compliance (GRC) approach to effective corporate governance, enterprise risk management and corporate compliance with applicable laws and legislation.

Along with the Australian Standard AS3806-2006 Compliance Programs, the Audit Office of NSW has identified compliance management as a key component of corporate governance. This framework establishes an appropriate strategic framework that defines the responsibilities of both management and employees and facilitates the implementation of robust practices for the effective management of compliance obligations.

Establishment of an effective compliance management framework will reduce and/or mitigate the following risks:
- Damage to UNE's reputation, especially through external agency investigations.
- Inadequate internal control systems that may lead to fraud, corruption and/or inefficiencies.
- Financial loss.
- Staff health and safety issues not being met.

2. Scope

The policy and this framework apply to all employees and students of UNE and its controlled entities. Employees are those who are permanent, temporary or casual and include contractors and consultants.

Exclusions

Compliance framework and procedures falling within the portfolio of the Academic Board are outside the scope of this framework, except for the provisions contained within section 8.1, annual reporting, of the compliance management framework.

3. Compliance management introduction

The compliance management framework is one component of an integrated GRC approach, and specifically consists of the policies, processes, tools and structures that help identify and manage the risks around meeting our objectives. It therefore has important links to the risk management policy, and includes elements of both the risk management processes and internal control.

The framework and procedures provide the following information:
- An alphabetical listing of regulatory and business requirements (compliance requirements register).
- The obligations that each piece of legislation imposes (compliance obligations register).
- Links to the policies and procedures developed by the university to address the requirements of each piece of legislation.
- Key contacts responsible for coordinating compliance with each act.
- Training available to assist employees in meeting their obligations.

UNE's compliance policy (the policy) is available on UNE's policy webpage. UNE's compliance framework (the framework) and procedures are set out here and give effect to the policy. The framework and procedures are also available on UNE's webpage.

The success of the framework relies heavily on the commitment and attitude of all employees and management. UNE will not tolerate any instances of deliberate non-compliance.

Definition of compliance

Compliance is defined in Australian Standard Compliance Programs, AS3806-2006, as “adhering to the requirements of laws, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards.”

The compliance management framework components are shown diagrammatically below:

4. The policy

The compliance policy, d09/85794, sets out UNE's principles and responsibilities for compliance. The policy has been endorsed by the Audit and Risk Management Committee and approved by the Council on 02 November 2009. The policy is available on the UNE website.

The university is committed to good corporate governance practices and demonstrates its commitment to compliance by:
a) Support and endorsement from the UNE Council and Audit and Risk Committee for the university's compliance program.
b) The active engagement of the senior executive in the identification and management of compliance issues and risks.
c) The allocation of appropriate resources throughout the university to manage compliance obligations.

5. Risk management

The key to compliance risk is to develop a systematic approach to managing compliance. AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines is the standard that describes the systematic and logical process of risk management. It outlines how “organizations of any kind face internal and external factors and influences that make it uncertain whether, when and the extent to which they will achieve or exceed their objectives. The effect this uncertainty has on the organization's objectives is “risk”.” It is important to understand that “all activities of an organization involve risk. Organizations manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk.”

Enterprise risk management (ERM) is the practice of building an organisation-wide risk management program to identify, manage, mitigate and eliminate a diversity of risks, from compliance and political risks to financial and operational risks. Every organisation will have a different risk profile based on its business focus, geographical area of activity, regulatory environment and the type of business.

UNE compliance management will address the key strategic risk operational consequence areas:
1. Reputation
2. Market and product development
3. Financial sustainability
4. Financial systems
5. Human resource planning
6. Project management
7. IT strategy and infrastructure
8. Legal and legislative environment
9. Business interruption
10. Government policy changes
11. Student performance and satisfaction
12. International economic, political and social environment

6. Compliance management process

Compliance management uses the Australian Standard for compliance programs (AS 3806-2006) as the basis for the framework. All compliance management processes must follow this framework. The diagram below depicts the six main phases of the compliance management process:

Procedures for managing compliance are documented in the compliance management operating procedures document attached to this framework. Compliance management must be performed in accordance with these operating procedures.

7. Responsibility and accountability structure

Under the university's code of conduct all staff members have a responsibility to the university to “comply with any relevant legislative, industrial and administrative requirements”. In addition, certain individuals and groups across the university have specific responsibilities they are expected to undertake. These are described below.

7.1 Overview

The Council has ultimate accountability for approving the compliance management framework and the Vice-Chancellor has ultimate responsibility for ensuring an effective compliance management framework and procedures are operating. All employees of the university have a responsibility to undertake their duties in accordance with the framework and procedures. The most important factor to ensure success of the framework is the commitment and attitude of all employees.

The responsibility structure for compliance management is depicted by:

7.2 Council

Council is accountable for determining the compliance management framework, maintaining an effective compliance management capability, and ensuring that all compliance risks associated with the university's objectives are effectively managed.

The Council is responsible for:
- Approving the policy.
- Overseeing and monitoring risk management and risk assessment across the university, and therefore compliance management as it is a foundation component of the risk management framework.
- Approving and monitoring systems of control and accountability for the university.
- Establishing policies and procedural principles for the university consistent with legal requirements and community expectations.

7.2.1 Audit and Risk Committee

Gives advice to Council on:
- Compliance of UNE and related entities to laws and regulations, including those relating to governance, audit, risk management, the environment, employment practice and anti-discrimination.
- Procedures, programs and policies of the university relating to compliance.
- Risk management and risk assessment across the university.
- Systems of control and accountability for the university.

Is responsible for:
- Reviewing whether management has in place a current and appropriate enterprise risk management process, and associated procedures for effective identification and management of the University of New England's financial and business risks.
- Determining whether management has appropriately considered legal and compliance risks.
- Reviewing the effectiveness of the system for monitoring the University of New England's compliance with applicable laws and regulations, and associated government policies.

7.3 Vice-Chancellor and CEO

The Vice-Chancellor (VC) has ultimate responsibility for ensuring there is an effective compliance management framework and operating procedures in place. The VC is accountable for regular reviewing of the adequacy of the framework in managing compliance and reporting any significant compliance breaches to the Audit and Risk Committee.

The VC is responsible for:
- Approving the framework and procedures.
- Ensuring managers and employees are aware of their responsibilities under the framework.
- Ensuring managers and employees are aware that deliberate non-compliance will not be tolerated.
- Ensuring an effective risk management system is operating.
- Ensuring appropriate cost effective internal control systems are in place.
- Ensuring identified compliance risks are fully addressed.
- Receiving reports on high and above risk non-compliance areas and breaches and approving any further action plans.

7.4 Executive management

Executive management is ultimately responsible for the effective management of, and compliance with, all applicable regulatory and business compliance requirements of the university, including ensuring all breaches are managed and reported appropriately.

Executive management are responsible for:
- Taking a leadership role in promoting a culture of compliance management and control in their area of responsibility.
- Ensuring implementation of the framework and procedures.
- Ensuring effective risk management.
- Ensuring internal control systems are operating.
- Ensuring employees are aware of the policy, framework and procedures and their responsibilities as part of the framework and procedures.
- Implementing the policy, framework and procedures within their area.
- Identifying risks and developing appropriate internal control systems to mitigate those risks.
- Considering new and emerging risks on a regular basis and where necessary adjusting systems for control of these risks.
- Ensuring employees understand the purpose of internal controls.
- Ensuring employees are complying with internal controls.

7.5 Managers

Managers are responsible for ensuring compliance with all regulatory and business compliance requirements and obligations associated with the activities of their position, including identification, reporting and managing any compliance breaches.

Specific responsibilities for managing compliance include:
- Promoting a culture of compliance management and control in their area of responsibility.
- Managing compliance in accordance with the compliance management operating procedures.
- Identifying compliance requirements and obligations.
- Maintaining compliance obligations register/s.
- Developing and communicating the annual compliance plan.
- Ensuring employees are adequately trained in compliance obligations relating to their position and that training is up to date.
- Ensuring compliance is factored into position descriptions and performance management processes.
- Ensuring compliance capabilities and performance is factored into contracts with external customers and suppliers.
- Reporting, managing and resolving breaches.
- Adhering to records management policies and procedures.

7.6 Audit and Risk Directorate (ARD)

The ARD are responsible for ensuring that the compliance management framework is appropriate, effective and utilised in managing the risks of the university, and that the status of UNE's compliance obligations is regularly monitored, reviewed and reported to management and the Audit and Risk Committee.

Key responsibilities include:
- Developing and maintaining the compliance management policy, framework and operating procedures, making sure that expectations for managing compliance are properly documented, readily available to and clearly understood by relevant management and employees.
- Continually reviewing and assessing the appropriateness and effectiveness of the compliance management framework in identifying and managing compliance obligations.
- Regularly reporting on compliance management issues and any breaches to management and the Audit and Risk Committee.
- Promoting a culture of compliance management and control throughout UNE.
- Communicating and implementing the compliance management framework and policy across UNE.

7.7 Employees

Every employee is responsible for ensuring their own compliance with all regulatory, legislative and internal policies and procedures associated with the activities of their position, including identification, management and reporting of any compliance breaches. In addition, employees are responsible for attending scheduled compliance training, and reporting and escalating any compliance concerns, issues and failures in accordance with the breach reporting process.

8. Reporting responsibilities

8.1 Annual reporting

Each manager is required to complete and sign off an annual compliance plan (see attachment E of the compliance management operating procedures document) for their area of responsibility; this details for their area:
- Any compliance requirements and/or obligations impacting on their school/directorate/unit.
- Annual reporting requirements for these areas of responsibility.
- Annual mandatory audit requirements for these areas of responsibility.
- Annual training requirements for these areas of responsibility.

8.2 Obligations register

All heads of schools/directors/managers are responsible for identifying the compliance requirements (both regulatory and business) associated with their activities, and identifying, documenting and understanding the key obligations under each of the compliance requirements for which they have operational responsibility and documenting these in the compliance obligations register (procedures, attachment C). The compliance obligation registers should be completed for all compliance requirements; updated as required; and reviewed annually.

8.3 Breach reporting and management

Compliance breaches must be reported and managed in accordance with the breach reporting process and assessed utilising the breach assessment criteria. The level to which breaches are to be reported is detailed below:

Breach rating    Reporting requir
