Compliance Management Procedure

Section 1 - Purpose

(1) This procedure:

  1. sets out Charles Sturt University’s (the University) commitment to compliance and compliance management in line with the Risk Management Policy
  2. outlines the requirements for compliance management for the University
  3. sets out the process for reporting any actual or potential compliance breaches and ensuring corrective and preventative measures are actioned, and
  4. seeks to create a safe environment for staff to report risk and compliance issues.


(2) See the Risk Management Policy.

Section 2 - Policy

(3) This procedure supports the Risk Management Policy.

Section 3 - Procedure

Compliance principles

(4) Meeting the University's compliance obligations is an essential part of everyone’s role at the University. The University recognises that effective compliance management supports accountability, good governance and achievement of its strategic objectives.

(5) The University is committed to ensuring that compliance is integrated into day-to-day operations and decision-making, to support an appropriate risk culture of ethical conduct, compliance, continuous improvement and quality enhancements within a framework of public accountability.

(6) Doing the right thing underpins the University’s values and is a key part of its culture and reputation. Escalating and reporting compliance breaches is part of everyone’s role at the University.

Compliance management processes

(7) This procedure applies the principles of AS ISO 37301 – Compliance Management Systems – Requirements with Guidance for Use.

(8) To help staff manage compliance effectively, the University has established a set of interrelated systems, controls and processes, underpinned by its policies and procedures, that promote a culture of compliance and ethical conduct under the guiding principles of the Risk Management Policy.

(9) The compliance management processes provide consistent, transparent and measurable processes for:

  1. oversight of compliance with legislative requirements
  2. oversight of compliance with the University's policies and procedures
  3. monitoring and reporting of actual or potential compliance breaches, and
  4. education and training to support continuous improvement of the compliance culture within the University.

(10) All staff actively engage in compliance management in day-to-day operations in all areas of responsibility and must:

  1. develop and maintain an understanding and awareness of their mandatory and voluntary compliance obligations
  2. perform tasks and duties with due diligence, in line with the University's compliance obligations, policies and procedures
  3. ensure third-party partners meet the University's compliance obligations and relevant University policies and procedures
  4. complete compulsory training in a timely manner
  5. report any actual or potential compliance breaches to their supervisor and the Risk and Compliance Unit
  6. treat staff who raise concerns and report potential or actual compliance breaches, or are the subject of a compliance report, with courtesy and respect, and
  7. keep reports or investigations of compliance breaches confidential.

Compliance with legislation

(11) Compliance with legislation, regulations and substantive standards and codes is managed through reference to the Legislative Compliance Guide (the LCG). The LCG identifies the University's substantive legislative obligations and assigns management and oversight of each of those obligations to relevant staff.

(12) All staff should refer to the LCG for the relevant compliance obligations whenever they introduce new systems, processes or policies, or make changes to existing ones.

(13) Staff assigned obligations in the LCG are:

  1. accountable for their obligations and for ensuring that internal controls within their area of responsibility are:
    1. embedded as business-as-usual work and management activity, and
    2. regularly monitored and reviewed so that compliance is maintained
  2. responsible for monitoring for changes and advising the Risk and Compliance Unit of any changes or amendments to legislative obligations, as they arise. Changes and amendments include new legislation, changes in interpretation of legislative obligations by the courts and new or changed regulations or legislative requirements. The University’s Legal Services also monitors the legal environment and advises the Risk and Compliance Unit of any changes or amendments to legislative obligations, and
  3. required to complete an annual attestation of compliance with their legislative obligations.

(14) The Risk and Compliance Unit is responsible for coordinating the annual attestation process and reporting the outcome of the attestation to the Audit and Risk Committee.

(15) All relevant staff must complete compulsory training courses (delivered, for example, through the ELMO platform) covering key legislative instruments, and must periodically complete refresher training for these courses.

(16) Students must also complete relevant compulsory online training regarding key legislative obligations, as required either at the commencement of or during the course of their studies.

(17) Relevant staff and students must complete their compulsory training courses within the required timeframe:

  1. Supervisors must follow up any staff member who fails to complete a course within the required timeframe.
  2. Students who fail to complete their compulsory training courses within the required timeframe will be followed up in accordance with the relevant policy.

Other compliance requirements

(18) In addition to the University's legislative obligations, staff must also comply with voluntary compliance obligations the University has chosen to meet, managed through reference to the University's policies, procedures, guidelines and processes. Voluntary compliance obligations may be derived from a range of sources, including but not limited to:

  1. codes of practice
  2. professional accreditation requirements
  3. industry standards
  4. contractual obligations
  5. product specifications, and
  6. community and ethical standards.

(19) Persons affiliated with the University must also conduct themselves in accordance with their legal obligations and the University's policies and procedures (this includes but is not limited to the University's rules, policies, procedures, guidelines and processes).

Third-party arrangements

(20) Where operational processes are delivered by a third party, the University retains responsibility for ensuring the third party meets the University's compliance obligations. As a result, the University must satisfy itself that the third party’s processes and internal controls are adequate to meet the University's compliance obligations.

Managing compliance breaches

Identifying actual or potential breaches (See it)

(21) All staff are responsible for identifying, assessing and managing compliance as part of their day-to-day activities, in line with their first-line obligations defined in the Risk Management Policy.

(22) Executive Leadership Team members are responsible for ensuring their portfolio’s operating systems, processes and activities meet the University's compliance obligations including:

  1. addressing any training gaps or process inconsistencies before they become compliance issues
  2. assessing the efficiency and effectiveness of controls to identify continuous improvement opportunities
  3. being satisfied that third-party partners are meeting the University's compliance obligations, and
  4. ensuring the timely identification, rectification and reporting of any actual or potential compliance breaches that arise.

(23) Actual or potential breaches of legislative and other compliance obligations may be identified through monitoring of day-to-day activities, complaints or compliance review processes, including annual attestations, staff reporting, internal and external audits, risk assessments and compliance reviews.

Reporting actual or potential compliance breaches (Report it)

(24) Escalating and reporting actual or potential compliance breaches supports:

  1. protecting our students, staff and the reputation of the University
  2. enhancing and maintaining the quality of the University, including the student and staff experience
  3. the remediation of compliance breaches, minimising further student, staff, regulatory, financial or reputational impacts
  4. minimising the likelihood of compliance breaches re-occurring or becoming systematically worse over time
  5. capturing lessons learnt to share knowledge with other relevant areas of the University which are susceptible to the same compliance risk
  6. improving the University's people, processes and systems, and
  7. providing appropriate visibility of risks and issues to senior management and Council.

(25) Staff must report actual or potential compliance breaches to their supervisor and the Risk and Compliance Unit as soon as reasonably practicable, generally within 24 hours of identification. The report should include as much information as possible about the matter and how it occurred.

(26) Management of the relevant business unit must ensure the matter has been reported to the Risk and Compliance Unit and work with the Risk and Compliance Unit to assess and resolve the matter.

(27) Actual or potential compliance breaches will be reviewed as soon as practicable to:

  1. understand the root cause of the issue for the purpose of continuous improvement
  2. assess the effectiveness of current controls in place
  3. identify whether the issue is an isolated or systemic issue, and
  4. identify the preventative and corrective actions to be implemented to reduce the risk of an issue occurring or re-occurring.

(28) Where immediate action is required to protect the wellbeing of people, animals or the environment, the Risk and Compliance Unit will escalate the matter to the relevant Executive Leadership Team member.

Response to reports of actual or potential compliance breaches (Sort it)

(29) The Director, Risk and Compliance, will assess the actual or potential compliance breach to determine:

  1. whether there is sufficient information to confirm the University has breached its legislative compliance obligations, or whether the matter needs further investigation
  2. whether the matter should be dealt with under another policy and, if so, refer it to the relevant stakeholder identified in that policy
  3. appropriateness of corrective and preventative actions agreed with management of the relevant business unit, and
  4. whether the matter is reportable to an external agency, in consultation with the University Secretary and Vice-Chancellor.

(30) The Risk and Compliance Unit maintains a compliance issues register as a record of all reported actual or potential compliance breaches, outcomes of root cause analysis, lessons learnt, and confirmation of any compliance breaches reported to external agencies.

(31) Preventative and corrective actions identified are included in the enterprise actions register and items will be monitored, validated and closed in line with the Risk Management Procedure.

(32) In consultation with the Vice-Chancellor and University Secretary, the Director, Risk and Compliance will report a summary of reported compliance issues to the Executive Leadership Team and Council.

(33) The Risk and Compliance Unit will provide updates to the individual who makes a report (where applicable and where appropriate to do so), advising of any recommendations and/or actions taken in regard to the actual or potential compliance breach.

(34) In line with the University's Code of Conduct, staff must report any breaches of the Code of Conduct and any suspected corrupt conduct, maladministration or serious or substantial waste of public money to an appropriate authority. For more details on staff obligations, see the Public Interest Disclosure (Whistleblowing) Policy.

(35) It is a breach of this procedure to victimise anyone for coming forward to provide information in respect of an actual or potential compliance breach. Allegations of victimisation should be referred to the University Ombudsman to be managed in line with the Complaints Management Policy.

Education and training

(36) The University supports education and training in compliance as an essential mechanism in developing and maintaining a culture of compliance.

(37) The University implements education and training programs to increase awareness of compliance and the responsibilities of managers and all members of staff to understand and fulfil their obligations.

Section 4 - Guidelines

(38) Nil.

Section 5 - Glossary

(39) This procedure uses the following terms:

  1. Compliance breach – means a compliance gap or weakness, where evidence of compliance is not demonstrated or where there is a need to strengthen our compliance, to meet our external or internal obligations.
  2. Compliance obligation – means a legislative obligation that the University must comply with and voluntary obligations that the University elects to comply with.
  3. Control – means any measure or mechanism that is put in place to reduce the impact or likelihood of identified risks and to manage compliance.
  4. Legislative obligation – means a legislative, regulatory or other requirement that the University must comply with.

Section 6 - Document context

Compliance drivers: NA
Review requirements: As per Policy Framework Policy
Document class: Governance