Please refer to the University’s Glossary of Terms for policies and procedures.
2. Purpose of procedures
The procedures that follow must be read in association with the Compliance Management Framework - Governing Policy and other related procedures.
The intent of these procedures is to:
- provide detailed elements relating to the operation and implementation of the University’s Compliance Management Framework;
- assign specific accountabilities and responsibilities for components of the University’s Compliance Management Framework;
- enable the gathering of information to facilitate monitoring and reporting of compliance performance within the University;
- provide a systematic process for the reviewing of compliance obligations to enable the University to effectively and efficiently manage compliance risks;
- provide a systematic process for the reporting and investigation of compliance breaches or potential breaches so they can be appropriately addressed;
- reinforce the importance of compliance, so that all staff members are encouraged to proactively raise compliance issues as soon as possible and address any weaknesses in the control environment (1); and
- ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach and that repercussions of breaches themselves are determined on a case-by-case basis.
3. Elements of the Compliance Management Framework
Successful achievement of the policy objectives will require recognition and incorporation of the following elements:
3.1.1 The Compliance Management Framework - Governing Policy outlines the University’s commitment to maintain and improve the Compliance Management Framework and processes. Accordingly, the University will allocate appropriate resources to the development, implementation and continuous improvement of its Compliance Management Framework.
3.1.2 Council, through the Audit and Risk Management Committee, is responsible for overseeing the University’s compliance with legislation, regulatory requirements, reporting obligations, and University policies.
3.1.3 Compliance is the responsibility of all University staff.
3.1.4 Governance and Risk Management will have overarching responsibility for:
a. the design and implementation of the Compliance Management Framework;
b. coordinating, managing and maintaining the Register of Compliance Obligations; and
c. providing oversight of compliance across the University.
3.1.5 All Organisational Unit Managers are accountable for ensuring compliance with all legislative obligations, standards and best practice guidance and for putting the necessary controls and processes in place to manage their compliance obligations. This includes ensuring Higher Degree Research (HDR) students are aware of their obligations, with supervisors monitoring student compliance with relevant legislative requirements. Organisational Unit Managers are responsible for keeping abreast of changes and updates to existing legislation and identifying new obligations. Responsible Officers will need to attest to compliance annually.
3.1.6 All staff must be aware of compliance responsibilities that apply to their area of work or activities and ensure that their actions on behalf of the University comply with relevant laws, industry codes and organisational standards. It is the responsibility of Organisational Unit Managers to ensure staff have appropriate information to ensure compliance.
3.2.1 The University will adopt a risk-based approach to the implementation of its compliance obligations.
3.2.2 All compliance obligations are important, with the University having a conservative risk appetite for regulatory and compliance risk. Higher risk obligations require additional oversight and controls to ensure the risk of any potential non-compliance in any of these areas is minimised.
3.2.3 Compliance obligations will be classified as High, Medium or Low risk. The classification will be undertaken within Governance and Risk Management. Higher risk obligations have a major impact on the University and are critical to its functioning. The obligations will be assessed against the University’s risk tables.
3.2.4 If a Responsible Officer disagrees with the risk-rating of a compliance obligation, they should notify the Director, Governance and Risk Management.
3.2.5 Compliance responsibilities will be identified and promulgated through the Register of Compliance Obligations. The Chief Operating Officer (via the Governance and Risk Management function) is responsible for maintaining a Register of Compliance Obligations.
3.2.6 Each Responsible Officer identified in the Register of Compliance Obligations is responsible for the currency of Compliance Obligations recorded in this Register against their Organisational Unit. Responsible Officers should convey to the Director, Governance and Risk Management advice of any new obligations or any changes to existing ones.
3.2.7 Each Responsible Officer must liaise with other areas of the University where the relevant obligation exists to ensure they are comfortable with the controls and processes in place for managing the obligations.
3.2.8 Behaviours that create and support compliance will be encouraged. Behaviours that compromise compliance will be investigated.
3.3 Monitoring and Review
3.3.1 Systems, procedures and controls will be implemented to support the monitoring of compliance obligations against the requirements of the Compliance Management Framework.
3.3.2 Governance and Risk Management will be responsible for reviewing and maintaining the Register of Compliance Obligations, the Compliance Management Framework - Governing Policy and systems which support the compliance management framework within the University.
3.3.3 The Chief Operating Officer will report at least annually to Council on the University’s framework program, via the Audit and Risk Management Committee.
3.3.4 The Compliance Management Framework will be reviewed each year following the annual compliance attestation process.
3.3.5 If issues impacting compliance are identified throughout the year, Organisational Unit Managers will take appropriate action to address the issue and implement additional controls to strengthen compliance.
4. Compliance Reporting
4.1 The Chief Operating Officer will coordinate an annual compliance risk report for the Audit and Risk Management Committee.
4.2 An attestation process will be conducted annually and will require all Responsible Officers to report on the status of compliance.
4.3 The annual compliance attestation process will include compliance with legislative obligations and University policy.
4.4 The Audit and Risk Management Committee is responsible for ensuring that it receives an annual report and any ad hoc reporting on compliance as required from the Chief Operating Officer, and that it identifies and requests follow-up action on any issues of concern.
5. Breach Reporting
5.1.1 A number of processes are established across the University to manage complaints relating to compliance or breaches of laws and regulations. These are covered in various University policies, such as:
a. Staff Code of Conduct - Governing Policy
b. USC Enterprise Agreement
c. Health, Safety and Wellbeing - Governing Policy
d. Critical Incident Management - Governing Policy
e. Anti-Discrimination and Freedom from Bullying and Harassment (Staff) - Governing Policy and Anti-Discrimination and Freedom from Bullying and Harassment (Students) - Governing Policy
f. Equity and Diversity - Governing Policy
g. Fraud and Corruption Control - Governing Policy
h. Financial Management Practices - Managerial Policy
i. Information Management Framework - Governing Policy
j. Public Interest Disclosures - Governing Policy
k. Acceptable Use of Information Technology Resources - Governing Policy
l. Responsible Research Conduct - Governing Policy
m. Student Academic Integrity - Governing Policy
n. Copyright - Governing Policy
5.1.2 Any University policy or procedures or legislation that includes dedicated processes for handling compliance failures will take precedence over the following procedural steps and actions. Please refer to the specific subject area policy or legislative provisions in the first instance.
5.2 Procedure steps and actions
5.2.1 It is essential that all parties involved in breach reporting, investigation and rectification act in good faith to obtain a satisfactory outcome. Good faith includes acting sincerely, without malice and being truthful.
5.2.2 The University fosters a culture of compliance and no blame should be attached to the reporting of accidental breaches or those identifying process errors.
5.2.3 It should be noted that staff committing deliberate or negligent breaches may be subject to the University’s disciplinary processes or regulatory/criminal actions (where applicable and/or appropriate).
5.2.4 The required steps and actions to be followed for reporting and investigating compliance breaches, or potential breaches, are detailed in Table 1 below:
Table 1: Breach Reporting Procedures
6. Records Management
The Register of Compliance Obligations and responses that support the annual attestation process must be maintained according to the University’s Information and Records Management - Procedures.
(1) Compliance issues refer to those instances where there are concerns about the University’s compliance with legislative obligations.
(2) Significant breaches are determined based on a number of factors that are maintained separately.