Management and accountability
Throughout 2011–12, Austrade continued to manage its exposure to risk and mitigate adverse consequences through implementation of risk management principles and practices, as outlined in the Chief Executive Instruction on Risk Management and the Corporate Governance Framework.
The Agency Risk Management Plan 2011–12 was prepared in accordance with the risk management standard, ISO 31000:2009. The plan identifies key risks with the potential to impact on Austrade's ability to achieve the objectives and priorities set out in the Corporate Plan. Risks identified in the plan covered strategic risks, including evolution and development of services, models and channels to meet contemporary needs; transitional processes, such as implementation of the change process flowing from the Austrade review; and operational and corporate risks, including a range of security risks, and issues such as effective business continuity and emergency management.
Austrade managers develop mitigation strategies and actions for identified agency risks, and report progress against these mitigation strategies to the Audit and Risk Committee quarterly to assist in the assurance process to the CEO that Austrade risks are being managed and monitored.
The Audit and Risk Committee and the internal auditor have noted the mature nature of Austrade's internal control framework. The main features of the internal control framework include:
- policies and procedures (including chief executive instructions) that support compliance with legislative and administrative requirements
- a positive compliance and management environment supported by an effective schedule of delegations
- an effective internal audit function that seeks to appropriately balance performance and compliance audits
- an effective risk management framework, including fraud control, risk management plans, security and business continuity management and disaster recovery
- compliance with the Australian Public Service and Austrade values and codes of conduct
- monitoring controls through effective planning at the corporate, operational and business unit level, reviews of business units and ongoing budget management
- accountability mechanisms, including reports, reviews and individual performance management arrangements.
Austrade maintains fraud prevention, detection, investigation and reporting procedures and processes that are compliant with the Commonwealth Fraud Control Guidelines.
A revised Fraud Control Plan, effective from 2011 to 2013, has been endorsed by the Audit and Risk Committee and is consistent with the Australian standards applying at the time (AS/NZS ISO 31000:2009 Risk Management and AS 8001:2003 Fraud Corruption and Control). A principles-based ethics and integrity approach underpins the strategies of awareness, prevention, identification, reporting, prosecution and continuous improvement. This approach includes an anti-bribery and corruption awareness program for all staff.
Austrade's internal auditor in 2011–12, KPMG Australia, took a systematic and objective approach to evaluating and improving risk management, control and governance processes. The internal auditor's activities are defined by a three-year rolling plan and an annual internal audit plan approved by the Audit and Risk Committee and the CEO. All significant Austrade activities are considered to be within the ambit of the function, and the annual plan seeks to coordinate internal audit activity with other assurance activities and mechanisms, including external audit and the better practice guides of the Australian National Audit Office. During the year, 31 compliance and performance-based audits and reviews were undertaken.
Austrade's contract with KPMG for internal audit services concluded on 30 June 2012. After a competitive public tender process, PricewaterhouseCoopers has been appointed to provide future internal audit services for Austrade.