
Risk management, internal audit and compliance

DHA operates in a complex environment and recognises that risk is inherent in all that we do.

We proactively identify, engage with and manage risk at all levels and across all facets of our business in order to create or protect value, improve performance, encourage innovation and support achievement of our purposes, objectives and strategic priorities. The risk function is supported by a co-sourced internal audit function that provides independent assurance over the systems of internal control.

We have established formal, fit for purpose accountability and responsibility for risk management and internal audit at an organisational level, broadly consistent with recognised risk management principles.

The Board, as accountable authority for DHA under the PGPA Act, maintains oversight of organisational risk, management systems and internal controls.

The Managing Director and Leadership Team are responsible for implementing appropriate risk systems and ensuring resources and capability support effective risk management and its integration in decision making processes.

Risk management

Sound risk management continues to be an important and integral element that supports achievement of our purpose, objectives and strategic priorities.

In 2019–20, we delivered a revised fit for purpose Risk Management Framework (the Framework) which was approved by the Board. The Framework is a set of components that provide the foundation and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

DHA is committed to maintaining an effective, efficient and tailored Framework inclusive of supporting policies such as fraud control, business continuity management, workplace health and safety management and code of conduct.

The Framework assists DHA to meet the requirements of section 16 of the PGPA Act and the Commonwealth Risk Management Policy issued by the Department of Finance. It follows the International Standard on Risk Management (ISO 31000:2018).

DHA has continued to mature its risk philosophy and approach, embedding risk principles into our culture. A key element of this approach is increasing risk capability at all levels of the organisation. To achieve this, we are educating and empowering our people to have the knowledge, judgment, confidence and support to make more informed risk based decisions. All new staff are required to complete risk management training as part of our induction process, and ongoing staff complete mandatory refresher training annually.

We are confident increased risk based decision making will make our business better—more efficient, agile and responsive. However, we recognise that we need to continuously improve. To this end, we are developing measures to build, test and refine our approach. These measures will complement our integrated business planning and will assist us to better understand how we prioritise our resources.

Fraud control and anti-corruption

We are cognisant that fraud and corruption can damage the performance and reputation of our business. As a GBE, we consistently monitor and update our fraud and corruption control framework, which is consistent with the Commonwealth fraud control framework (section 10 of the PGPA Rule).

Fraud and corruption control is a subset of DHA's risk portfolio, and its disciplines reflect our risk philosophy and principles. We continue to prevent, detect and monitor fraudulent or corrupt conduct, and we encourage our staff to report potential fraudulent or corrupt conduct.

Increased staff awareness has resulted in increased reporting of potential fraudulent or corrupt conduct, with seven allegations reported in 2019–20. As at 30 June 2020, there were two active investigations.

Resilience

Resilience consists of business continuity, disaster recovery, crisis and emergency management. Although it is a standalone discipline, resilience forms part of our overarching risk management portfolio, and we are improving it as a subset of our maturing risk philosophy and principles.

As part of the improvements we are making to our risk management framework, we took significant steps in the reporting period to revise our approach to all resilience disciplines. Further work is under way to continue to mature DHA's approach and to ensure it remains consistent with the Government's Protective Security Policy Framework and Australian National Audit Office guidance.

Internal audit

Internal audit is a central component of our governance framework. Audit strengthens accountability and promotes good governance and transparency through independent and objective assurance.

Each year, we develop a risk based rolling work program of internal audit priorities for the coming 12 months. The program is developed in consultation with the Managing Director, the Leadership Team and the BARC, and is designed to ensure broad coverage of business areas and activities. It is revised biannually to maintain alignment with current and emerging risks. The program assists the BARC to review organisational systems and procedures for managing performance, and to meet its performance reporting obligations under the PGPA Act.

In 2019–20, EY continued to provide internal audit services under a co-sourced arrangement. EY completed reviews of our development and retail acquisition process, delegations, complaints management, repairs and maintenance contractors, fraud risk management, recruitment processes, business continuity management, financial processes and information management systems.