
Organisational Assurance Policy

This is the current version of this document.

Section 1 - Purpose

(1) This policy establishes the framework for whole-of-institution continuous improvement and quality enhancement.

(2) This policy:

  1. identifies and explains the elements and inter-linkages that make up the organisational assurance framework,
  2. establishes the relationship between assurance, continuous improvement and quality enhancement,
  3. sets out the requirements for functions and areas to undertake assurance management planning, and
  4. defines the roles and responsibilities that apply across Charles Sturt University (the University) for the development and implementation of assurance mechanisms.

Scope

(3) This policy applies to all academic and professional/general staff of the University, controlled entities, educational partners, contractors and adjunct staff.


Section 2 - Glossary

(4) For the purpose of this policy, the following terms have the definitions stated:

  1. Assurance – means independent confirmation and confidence over the achievement of objectives.
  2. Assurance functions – means the business units within the University that assure the delivery of objectives and includes those functions primarily concerned with governance, risk management and control processes.
  3. Assurance mechanisms – means the systems, processes, and activities that provide assurance regarding the achievement of organisational objectives.
  4. Assurance roles – means the distinctive roles held by University staff, functions, or external providers from which independent confirmation and confidence over the achievement of objectives can be drawn.
  5. External assurance providers – means the government authorities, regulators, accrediting bodies and other external bodies tasked with assessing the University’s performance relative to the achievement of its objectives.
  6. Managers – means those persons employed as Band 5 or above as defined in the Delegations and Authorisations Policy.
  7. Organisational objectives – means the goals the University sets out to deliver on its mission, vision, values, with consideration to its risk appetite. Objectives are classified as strategic, academic, operational, financial and compliance.
  8. Quality enhancement – means the continuous improvement of the quality of products and services delivered internally and externally by the University, including the quality of academic and non-academic activities.
  9. Risk appetite – means the degree of risk, on a broad-based level, that the University is willing to pursue or retain.
  10. Stakeholders – means those groups and individuals whose interests are served or impacted by the University.

Section 3 - Policy

Organisational assurance framework

(5) The organisational assurance framework underpins the University’s confidence over the achievement of its objectives, while supporting a culture of continuous improvement and quality enhancement.

Continuous improvement and quality enhancement (Plan-Do-Check-Act)

(6) Continuous improvement and quality enhancement are delivered through the Plan-Do-Check-Act (PDCA) cycle, based on the method of establishing performance expectations, implementing mechanisms to achieve performance expectations, monitoring performance results, and adjusting or maintaining mechanisms as appropriate.

(7) The PDCA cycle comprises four steps:

  1. Plan – Establish performance objectives and standards (e.g. quality criteria), as well as resources, systems, processes, and activities to achieve desired results.
  2. Do – Implement the plan established in the previous step, which can be conducted incrementally or at a larger scale, as necessary.
  3. Check – Deploy assurance mechanisms (e.g. monitoring controls) to assess the results of the plan against performance objectives and standards.
  4. Act – If the desired performance is achieved, embed the plan into business-as-usual processes and establish continuous monitoring mechanisms. Where results fall short of expectations, review and modify the plan as appropriate, returning to the first step of the PDCA cycle.

(8) Continuous improvement and quality enhancement will be supported by specific frameworks that establish mechanisms for defining, monitoring, and improving performance against quality standards. Given the core nature of academic activities at the University, a framework will be developed to determine continuous improvement and quality enhancement structures and processes relating to learning, teaching, research, and research training.

(9) Functions within the University will monitor their continuous improvement and quality enhancement initiatives in assurance management plans described below.

Assurance management plans

(10) Assurance management plans operationalise the assurance framework by identifying mechanisms within a function that provide assurance on the achievement of objectives, continuous improvement, and quality enhancement.

(11) Functions holding first, second, and third line assurance roles will develop assurance management plans, as appropriate. Assurance management plans can be implemented at any level of the University (e.g. portfolio, division, office, faculty, school) and can be self-initiated or required by management.

(12) The Risk and Compliance Unit will work with relevant areas to assist in the development, monitoring and review of their assurance management plans.

(13) Assurance management plans will contain or refer to the following, as appropriate:

  1. The University’s mission, vision, values and risk appetite.
  2. The University’s strategic focus areas and objectives, key performance indicators and operational measures.
  3. The University’s risk profile.
  4. The area’s risk management plan, quality enhancement plan, and continuous improvement measures.
  5. Resources to assist functions and areas to develop their assurance management plans.

(14) To ensure that assurance mechanisms remain relevant as objectives change, functions will routinely monitor, review, and update their assurance management plans.

Roles and responsibilities

Assurance roles

(15) The organisational assurance framework comprises three types of roles that provide assurance regarding the achievement of objectives, continuous improvement, and quality enhancement.

First line roles

(16) All University staff are responsible for delivering products and/or services to internal and external stakeholders and therefore hold first line assurance roles. First line roles apply to managers and staff, as outlined below.

(17) First line management roles extend from any person in a supervisory role to the Vice-Chancellor. First line management roles provide performance assurance commensurate with their delegated responsibility regarding the achievement of organisational objectives, continuous improvement, and quality enhancement by:

  1. leading, directing, and deploying resources,
  2. owning and managing risks by setting clear roles, responsibilities and accountabilities,
  3. ensuring compliance and quality of products and/or services according to internal and external standards,
  4. routinely reviewing the effectiveness of governance, risk management and control processes designed to assist the achievement of objectives,
  5. embedding risk management considerations in decision making,
  6. reporting on planned, actual, and expected outcomes concerning the achievement of objectives and associated risks to their achievement, and
  7. providing both formal and informal attestations on the achievement of objectives (e.g. by signing-off on compliance obligations).

(18) First line staff roles include all persons as they carry out their duties and provide performance assurance regarding the achievement of organisational objectives, continuous improvement, and quality enhancement by:

  1. supporting management in the achievement of organisational objectives,
  2. delivering products and/or services according to levels of quality and compliance as identified by formal or informal business practice,
  3. performing internal control activities and other risk mitigating processes,
  4. identifying improvement opportunities in governance, risk management and control processes, and
  5. where appropriate, raising issues regarding the achievement of objectives to first, second or third line assurance roles.

Second line roles

(19) Second line roles are held by University staff and functions responsible for providing expert advice, support, monitoring, and continuous improvement relative to risk management and quality (e.g. risk and compliance, work health and safety, information and communications technology security).

(20) Second line roles provide complementary assurance regarding the achievement of organisational objectives by:

  1. establishing assurance frameworks and processes,
  2. monitoring the effectiveness of first line assurance roles, testing and challenging existing business practices,
  3. advising and implementing assurance improvement measures,
  4. gathering information and conducting analysis on the adequacy of business practices, and
  5. reporting to the Vice-Chancellor's Leadership Team, University Council, and Council committees on the effectiveness of governance, risk management and control processes.

(21) This policy recognises that complementary assurance is never fully independent because staff and functions holding second line roles self-assess the efficacy of their methods for the achievement of organisational objectives.

Third line roles

(22) Third line roles are held by University staff and functions characterised by a degree of independence and objectivity to advise on the achievement of organisational objectives (e.g. internal audit).

(23) Third line roles provide independent assurance regarding the achievement of organisational objectives by:

  1. objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the University and its controlled entities, and
  2. reporting to the University Council and the Finance, Audit and Risk Committee on the effectiveness of governance, risk management and control processes.

(24) Independent assurance provided by the internal audit function is conducted according to the Internal Audit Charter.

Governing body

(25) The University’s governance system consists of the University Council and Council committees, as per the University Governance Framework.

(26) As the principal governing body, the University Council is accountable to stakeholders for the success of the University. 

(27) The University Council provides leadership, direction, and oversight to the University by:

  1. accepting accountability to stakeholders for oversight of the University,
  2. defining the University’s mission, vision, values, and risk appetite in line with stakeholder expectations,
  3. delegating responsibility and providing resources to management for the achievement of organisational objectives,
  4. ensuring that organisational objectives and activities are developed and pursued within the boundaries of stakeholder expectations,
  5. ensuring that structures and processes are in place to provide assurance regarding the achievement of objectives, continuous improvement, and quality enhancement,
  6. oversighting the efficacy of organisational assurance structures and processes,
  7. establishing an internal audit as a third line assurance function, and
  8. oversighting and promoting a culture of ethical behaviour and accountability.

(28) The University Council and relevant Council committees, in accordance with their respective terms of reference, are responsible for:

  1. ensuring organisational objectives are in line with stakeholder expectations and the University’s mission, vision, values and risk appetite,
  2. empowering management to implement the organisational assurance framework,
  3. establishing and oversighting third line assurance roles (e.g. internal audit),
  4. reviewing reports and other information related to assurance and directing, delegating and providing resources to address assurance issues, and
  5. ensuring the overall effectiveness of assurance mechanisms.

Executive management

(29) The University’s executive management comprises the Vice-Chancellor's Leadership Team.

(30) The Vice-Chancellor's Leadership Team, through the Vice-Chancellor, is accountable to the University Council for the achievement of organisational objectives.

(31) The Vice-Chancellor's Leadership Team manages the University's operations while ensuring that legal, regulatory, ethical and other stakeholder expectations are met by: 

  1. defining and pursuing strategic, academic, operational, financial, and compliance objectives,
  2. ensuring the University’s operational systems, processes and activities comply with: 
    1. internal rules, policies, procedures, and guidelines, as well as with legal, regulatory and ethical requirements, and
    2. matters of discretionary performance relating to industry standards and best practice within the higher education sector,
  3. routinely reporting to the University Council and Council committees on the progress towards the achievement of objectives,
  4. ensuring that first, second, and third line assurance functions, roles and mechanisms are resourced to meet the obligations arising from this policy, and
  5. championing a culture of organisational assurance, continuous improvement and quality enhancement.

(32) The Vice-Chancellor and the Vice-Chancellor's Leadership Team are responsible for:

  1. the overall management of the University’s capability to develop and implement the organisational assurance framework,
  2. reviewing reports and other information related to assurance and directing, delegating and providing resources for the effective functioning of assurance mechanisms,
  3. monitoring portfolio-level assurance management plans, including continuous improvement and quality enhancement initiatives,
  4. the efficacy of operational systems, processes and activities for the achievement of organisational objectives, and
  5. establishing continuous dialogue with the University Council in relation to the effectiveness of assurance mechanisms.

Key internal stakeholders

(33) Within their portfolios, portfolio leaders are responsible for:

  1. monitoring and overseeing the design and implementation of assurance mechanisms to ensure that organisational objectives are met,
  2. overseeing the development, implementation and continuous monitoring of assurance management plans,
  3. establishing clear roles, responsibilities, and accountabilities for implementing assurance mechanisms (e.g. internal controls),
  4. establishing a process of continuous improvement of assurance mechanisms, and
  5. reporting assurance issues to the Vice-Chancellor.

(34) Managers and management committees, in accordance with their delegations and/or terms of reference, are responsible for:

  1. designing and embedding assurance mechanisms into operational processes and activities,
  2. reviewing the effectiveness of assurance management plans,
  3. identifying and deploying measures to improve the effectiveness of assurance mechanisms,
  4. advising and training staff in their assurance responsibilities, and
  5. reporting assurance issues to their supervisors.

(35) All staff (including academic, professional/general staff members, contractors, and adjunct staff) are responsible for:

  1. performing their tasks and duties in line with legal, regulatory and ethical expectations,
  2. implementing assurance mechanisms within assurance management plans, and
  3. bringing assurance issues to the attention of their supervisors.

(36) The Risk and Compliance Unit is responsible for:

  1. reviewing the efficacy of and maintaining the organisational assurance framework,
  2. developing assurance management plan templates and resources to assist areas in performing their assurance responsibilities,
  3. providing support for the development of assurance management plans,
  4. providing advice to facilitate the implementation of assurance management plans, including in relation to the reporting of assurance issues,
  5. reviewing existing assurance mechanisms in relation to their design and operating effectiveness, and
  6. reporting to the Vice-Chancellor's Leadership Team, governing body and governance committees on the effectiveness of assurance mechanisms and opportunities for continuous improvement.

(37) The internal audit function is responsible for:

  1. independently evaluating the effectiveness of the first line and second line assurance roles and mechanisms,
  2. providing expert advice on measures to enhance organisational assurance, and
  3. reporting on the results of its independent assessments to the University Council through the Finance, Audit and Risk Committee.

External assurance providers

(38) External providers contribute additional assurance by reviewing the University's internal structures, processes, and activities relative to internal and external standards and expectations. Among others, external assurance providers include regulators, government authorities, external auditors and accrediting bodies.

(39) External assurance services (e.g. external reviews) may also be requested by the University Council, Council committees and management to complement internal sources of assurance.

Relationships across assurance roles

(40) To ensure the effectiveness of this framework the first, second, and third line assurance roles should communicate and collaborate, as well as align and coordinate their processes and activities. The purpose of this alignment is to create and protect value by providing overall assurance to University Council, Vice-Chancellor's Leadership Team and other stakeholders regarding the achievement of organisational objectives.

(41) Where appropriate, University staff and functions holding first, second, and third line assurance roles also interact with external assurance providers to address legal, regulatory and other matters.

(42) This policy does not seek to mandate how and when communication across assurance functions and through line management functions should occur. The intention of setting out these assurance relationships is to reinforce the concept that effective management systems of any form rely on the flow of information across and up and down through an organisation.


Section 4 - Procedures

(43) Nil.


Section 5 - Guidelines

(44) Nil.