AITSL’s Risk Management Policy and Framework communicate the principles, tolerance, appetite, and responsibilities regarding risk management throughout AITSL. Risk management has been integrated into AITSL’s governance, planning, and reporting framework.
Internal control framework
The AITSL Board is responsible for the overall internal control framework and for reviewing its effectiveness. The framework is intended to provide assurance that appropriate internal controls have been implemented to identify, evaluate, and manage significant risks to the achievement of AITSL’s objectives. These internal controls cover strategic, financial, operational, information technology, and compliance risk, and take the form of appropriate financial delegations, financial planning and reporting, strategic and operational planning, and internal audit practices.
AITSL operates under a risk management policy that is consistent with the Australian Standard: AS ISO 31000:2018 Risk management – Guidelines. The policy allows for the proactive identification, assessment, and management of risks.
The AITSL Board is ultimately accountable for the management of risk and ensuring effective risk management practices are in place across AITSL. To fulfil its risk management responsibilities, the AITSL Board is assisted by the Audit and Risk Committee.
During 2019–20, the Audit and Risk Committee regularly considered major developments in the external environment, notably the COVID-19 pandemic, and updated AITSL’s Strategic Risk Register accordingly.
To ensure the AITSL risk management framework is not only fit-for-purpose but also meets the requirements of a maturing business, AITSL worked with Deloitte and Comcover to grow and further develop AITSL’s risk management framework.
As part of this process, AITSL will work with Deloitte and the Audit and Risk Committee over the next 18 months to embed risk management in the company and develop a standard framework across the organisation. The initial focus will be on refreshing AITSL’s strategic risks and developing formal risk appetite statements.
AITSL maintains appropriate fraud prevention, detection, investigation, and reporting procedures and processes that comply with and are aligned to section 10 of the PGPA Rule and the Commonwealth Fraud Control Guidelines 2017.
AITSL has made several changes to strengthen its Fraud and Risk Control Plan in line with a 2020 internal audit on fraud control and appointed a Fraud Control Officer. AITSL has an online fraud learning module that must be successfully completed by all staff annually and will be conducting annual fraud investigation surveys with staff.
Internal audit is a key component of AITSL’s governance framework. It provides independent and objective assurance and consulting activities designed to add value and improve AITSL’s operations.
The internal audit function is an independent, outsourced function, overseen by the AITSL Board through the Audit and Risk Committee. Internal audit reports are provided to the Audit and Risk Committee for review in compliance with section 28 of the PGPA Rule. The Audit and Risk Committee then advises the AITSL Board on any recommendations and actions.
At the start of 2020, AITSL conducted a procurement process and appointed RSM Global as its new internal auditor.
Under section 98 of the PGPA Act, the Auditor-General is responsible for auditing the financial statements of Commonwealth companies.