(based on ASX Principle 3)
The Audit Office is committed to protecting individual privacy and managing personal information in accordance with the Privacy and Personal Information Protection Act 1998 (Privacy Act). As required by the Privacy Act, the Audit Office has a Privacy Management Plan that sets out how we manage personal information in line with the Privacy Act and health information under the Health Records and Information Privacy Act 2002. This plan can be accessed on our website.
Each year, we undertake a self-assessment of our compliance with privacy legislation. In 2015–16, we assessed how our information management systems and external service providers manage personal information. Areas for improvement will be implemented during 2016–17.
In 2016–17, we will:
- release online training for staff dealing with personal information
- analyse the results of our biennial fraud control risk assessment and action any areas needing to be improved
- roll out fraud control training for key staff across the Audit Office.
High standards of conduct are instilled
Protecting the reputation of the Audit Office is vital to ensure our credibility and to maintain public trust in what we do. To do this we foster a culture that instils ethical behaviour, integrity, independence, respect and professionalism, which are embedded in our core values of purpose, people and professionalism.
Our Code of Conduct is based on these core values and is the foundation of our ethical framework. In addition to the Code of Conduct, the Audit Office's ethical framework includes policies covering conflicts of interest, gifts and benefits, diversity and inclusion, a respectful workplace, compliance, performance management and privacy management.
During induction, all new staff are trained on the Audit Office’s ethical framework before signing the Code of Conduct and completing a Conflict of Interest declaration. These sign-offs are then completed annually. As part of post-induction training and to support this year’s sign-off, an online governance and ethical behaviour training module was also rolled out to all staff.
In 2015–16, we also re-assessed our Conflict of Interest Policy (formerly known as the Professional Independence Policy). This included benchmarking against best practice. As a result, we strengthened the policy and supporting procedures by:
- making it relevant to all audit staff, not just our professionally qualified staff
- including the potential impact of secondary employment and gifts and benefits
- requiring conflict of interest declarations to be made during high risk activities such as procurement and recruitment
- publicly disclosing the Office Executive’s and Audit and Risk Committee’s Conflict of Interest registers.
Prevent, detect and respond to fraud
The Audit Office has a zero tolerance for fraud and is committed to minimising the incidence of fraud by implementing and regularly reviewing strategies that prevent, detect and respond to fraud.
In February 2015, we released an updated ‘Better Practice Guide on Fraud Control’ for NSW government agencies. The guide sets out the ten attributes of fraud control that are necessary for an effective fraud control framework. During 2015–16, we updated the Audit Office’s fraud control policy to ensure it was in line with our guide.
During 2015–16, we conducted our biennial fraud control health check. Staff were asked to provide their views on how the Audit Office is managing fraud. In 2016–17, the results will be analysed to identify any areas for improvement.
One instance of suspected fraud against the Audit Office was detected during 2015–16. The issue was addressed immediately and the Audit Office did not incur any loss.
The Audit Office has many compliance obligations including legislation, central agency directions, standards and codes. To meet these obligations, our compliance program promotes the importance of compliance to all staff, identifies obligations and responds to non-compliance.
The Audit Office’s compliance framework is based on International Standard ISO 19600:2014 Compliance Management Systems – Guidelines, and includes:
- a Compliance Policy
- a Register of Compliance Obligations that includes a risk assessment formally reviewed by the Office Executive
- annual verification of compliance through the Management Internal Control Sign-Off
- financial and performance audit methodologies mapped to professional standards and legislation
- regular management reviews and reporting to the Office Executive and Audit and Risk Committee.
In 2015–16, we continued to maintain our centralised policy register, which captures key internal policies and ensures policies are up to date and remain relevant. We also conducted an internal review of our key policies for currency, relevance, accessibility and completeness. Gaps identified have largely been addressed, with the remaining few on track to be completed in early 2016–17.