Compliance Assurance Procedure

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) The purpose of this procedure is to:

  1. set out the University’s commitment to compliance and compliance management, and
  2. outline the requirements for compliance management for Charles Sturt University (the University).

(2) This procedure aligns the University’s compliance management with the principles of ISO 37301 – Compliance Management Systems – Requirements with Guidance for Use.


(3) This procedure applies to all staff, students, customers, volunteers, contractors, business associates, partners, and third party service providers of the University and its controlled entities.

Section 2 - Glossary

(4) For the purpose of this procedure, the following terms have the definitions stated:

  1. Compliance issue – means a compliance gap or weakness, where evidence of compliance is not demonstrated or where there is a need to strengthen our compliance, to meet our external or internal obligations.
  2. Compliance management system – means the University's set of interrelated systems, controls and processes, supported by the University’s policies and procedures, which supports a culture of compliance and ethical conduct at the University.
  3. Compliance obligation – means a legislative, regulatory or other requirement that the University must comply with or voluntarily wishes to comply with.

Section 3 - Policy

(5) This procedure supports the Organisational Assurance Policy.

Section 4 - Procedure

Authorities and responsibilities

(6) Charles Sturt University recognises that effective compliance management supports accountability, good governance and achievement of its strategy and objectives. The University is committed to ensuring that compliance is integrated as a fundamental part of its organisational structure and processes to support a culture of ethical conduct, compliance, continuous improvement and quality enhancement.

(7) The following authorities and responsibilities for compliance are assigned through this procedure or as otherwise noted:

Officer or body / Authorities and responsibilities

University Council:
  1. Have overall responsibility for compliance management, through approval of assurance principles, control and accountability systems.
  2. Undertake compliance monitoring through reports and audits.

Audit and Risk Committee:
  1. Approve and oversee compliance processes in the University.
  2. Monitor the compliance framework.
  3. Obtain and review compliance reports.
  4. Report to University Council on compliance issues.

Vice-Chancellor and Executive Leadership Team:
  1. Manage compliance in accordance with statutory requirements and University policies and procedures.
  2. Define and pursue compliance objectives.
  3. In accordance with this procedure, promote, demonstrate and facilitate a culture of compliance that emphasises the University's requirement for ethical conduct and personal accountability. This includes oversight of annual legislative compliance attestations.

Risk and Compliance Unit:
  1. Maintain the University's legislative compliance database.
  2. Investigate compliance issues.
  3. Provide information, education and training to staff on compliance and assistance to resolve compliance issues.
  4. Report on compliance issues and rectification plans to the Audit and Risk Committee.

All persons subject to this procedure:
  1. Obtain and maintain awareness of their compliance obligations, including those under our laws and the University’s policies and procedures.
  2. Discharge their compliance obligations in good faith and to the best of their capability.
  3. Promptly report all known or suspected compliance issues.
  4. Treat staff who are the subject of a compliance issue with courtesy and respect.
  5. Maintain confidentiality regarding the review, reporting or investigation of any known or suspected compliance issue.

Compliance management program

(8) To assist responsible parties to effectively manage compliance and reduce instances of compliance issues, the University has established a compliance management program, under the guiding principles of the University’s Organisational Assurance Framework.

(9) The compliance management program provides consistent, transparent and measurable processes for:

  1. oversight of compliance with legislative requirements,
  2. oversight of compliance with the University's policies and procedures,
  3. monitoring and reporting of compliance issues, and
  4. education and training to support continuous improvement of the compliance culture within the University.

Compliance with legislation

(10) Legislative compliance is managed through reference to the legislation compliance database. The database identifies the University's substantive legislative obligations and assigns management and oversight of each of those obligations to relevant staff.

(11) Staff to whom obligations are assigned in the database are accountable for their obligations and for ensuring that internal controls within their area of responsibility are regularly monitored and reviewed so that compliance is maintained.

(12) Managers are responsible for monitoring for changes and advising the Risk and Compliance Unit of any changes or amendments to legal obligations, as they arise. Changes and amendments include new legislation, changes in interpretation of legislative obligations by the courts and new or changed regulations or legislative requirements. The University’s Legal Services will also monitor the legal environment and advise the Risk and Compliance Unit of any changes or amendments to legal obligations.

(13) Legislative compliance will inform business processes and be embedded as a business-as-usual work and management activity.

(14) Staff who are assigned obligations in the database are required to complete an annual attestation of compliance with their legislative obligations. The Risk and Compliance Unit is responsible for management of the annual attestation process and will report on the outcome of the attestation to the Audit and Risk Committee. The requirement for an annual attestation process is included in the Audit and Risk Committee annual plan.

(15) Compulsory training courses, such as through the ELMO platform, must be completed by all relevant staff for key legislative instruments. Retraining for these courses is required periodically. Students must also complete relevant compulsory online training regarding key legislative obligations, as required either at the commencement of or during the course of their studies.

(16) Relevant staff and students must complete their compulsory training courses within the required timeframe:

  1. Supervisors must follow up any staff member who fails to complete a course within the required timeframe.
  2. Students who fail to complete their compulsory training courses within the required timeframe will be followed up in accordance with the relevant policy.

Other compliance requirements

(17) Persons affiliated with the University must conduct themselves in accordance with their legal obligations and the University's policies and procedures (this includes, but is not limited to, the University's rules, policies, procedures, guidelines and processes).

(18) Familiarity with the University's policies and procedures is assisted through induction processes, upon commencement of employment and the undertaking of ELMO or like courses, which are required to be completed at regular intervals throughout the time of employment.

Identifying and reporting compliance issues

(19) Each organisational unit across the University will incorporate assurance management planning into its business-as-usual processes.

(20) Staff are required to work in accordance with the requirements of their organisational unit’s assurance management plan.

(21) Organisational unit leads are responsible for conducting regular reviews of their plan and timely identification, rectification and reporting of any compliance issues that arise.

(22) Compliance issues with legislative and other obligations may be identified through monitoring of day-to-day activities or compliance review processes, including annual attestations, periodic self-assessments, internal and external audits, risk assessments, review of annual assurance management plans and other approved compliance reviews.

(23) Compliance issues identified by staff, students or University affiliates must be reported to the head of the relevant division/faculty/office, including what the compliance issue is and how it has occurred. 

(24) The head of the relevant organisational unit will report on the compliance issue to the Director, Risk and Compliance.

(25) Where a compliance issue has been identified that requires a rectification plan, a detailed report on the compliance issue including rectification plan must be provided to the Risk and Compliance Unit.

(26) The Risk and Compliance Unit will provide assistance, where appropriate, in relation to compliance issues, reporting and rectification plans.

(27) Compliance issues are also identified through reporting mechanisms available to all members of the University community. These mechanisms include those set out in the Whistleblowing (Reporting Wrongdoing) Policy and the Whistleblowing (Reporting Wrongdoing) Guidelines. Compliance issues may also be reported through the Complaints Management Policy and Complaints Management Procedure, the Complaints Procedure – Workplace, the Research Misconduct Procedure and the Student Misconduct Rule.

(28) The University Secretary is responsible for recording and reviewing reports of compliance issues, where applicable under the policies, procedures and guidelines listed in clause 27 and any compliance issues identified by a regulator or external agency.

(29) The Director, Risk and Compliance, is responsible for recording and reviewing reports of compliance issues, which are not considered under the policies, procedures and guidelines listed in clause 27.

Response to compliance issues

(30) Where a compliance issue is identified and reported to the University Secretary or the Director, Risk and Compliance, the University Secretary or the Director, Risk and Compliance, will assess the report and may determine that:

  1. there is not enough evidence or information to take any further action,
  2. the matter should be dealt with under another policy and refer it to the relevant stakeholder, as identified in that policy,
  3. a compliance issue is noted and a rectification plan will be monitored by the Risk and Compliance Unit,
  4. the matter is to be referred to a specified staff member or team for coordination of a full investigation,
  5. the matter should be referred elsewhere in the University for investigation. This may include recommending to the Audit and Risk Committee that an internal audit may be appropriate, or
  6. the matter should be referred to an external investigating authority or to the police.

(31) Where immediate action is required to protect the wellbeing of people, animals or the environment, the University Secretary will refer the matter to the relevant portfolio leader, the Chief Security Officer and the Vice-Chancellor to ensure urgent rectification.

(32) If the University Secretary or the Director, Risk and Compliance, determines that a compliance issue is proven, either may:

  1. instruct the relevant portfolio leader, or other delegate, to ensure that the compliance issue is to be rectified in accordance with the documented rectification plan and to provide periodic progress reports on the implementation of the rectification plan. The rectification plan will include remedial actions to resolve compliance issues, responsibilities, timeframes for compliance and the strategies and controls that have been or are being implemented to better manage compliance, or
  2. report the matter to the Executive Leadership Team for consideration. This may include escalation or resolution of significant compliance issues.

(33) The Vice-Chancellor, in consultation with the University Secretary, will determine if reporting of a compliance issue to TEQSA or other relevant government department or other regulator is required.

(34) The Vice-Chancellor, in consultation with the University Secretary, will determine which compliance issues are required to be reported to Council, via the Audit and Risk Committee and Academic Senate, as required.

(35) Where it appears through a compliance review process that a compliance issue has occurred, or where there is a report of a compliance issue, the University will ensure that any persons involved in the compliance issue (including those involved in the reporting process) will be treated fairly and reasonably, in accordance with relevant University policies.

(36) The identity of persons involved in a compliance issue, or who reported a compliance issue, should be kept confidential where practicable and appropriate.

(37) When a compliance issue is reported, the Risk and Compliance Unit will provide a written response to that reporter, advising of any recommendations and/or actions taken in regard to the compliance issue.

(38) The University does not tolerate adverse action in reprisal against a person who reports a compliance issue. If a person believes that adverse action has been or is being taken against them for reporting a compliance issue, they should follow the processes set out in the Whistleblowing (Reporting Wrongdoing) Policy.

(39) Where an allegation of reprisal has been made, the University will respond in accordance with the processes outlined in the Whistleblowing (Reporting Wrongdoing) Procedure.

Education and training

(40) The University supports education and training in compliance as an essential mechanism in developing and maintaining a culture of compliance.

(41) The University will implement education and training programs to increase awareness of compliance and the responsibilities of managers and all members of staff to understand and fulfil their obligations.

Section 5 - Guidelines

(42) Nil.