Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

This Australian Standard was prepared by Committee , Risk Management. It was

approved on behalf of the Council of Standards Australia on 11 August 2005.
This Standard was published on 10 October 2005.

The following are represented on Committee :

Australian and New Zealand Institute of Insurance & Finance

Australian Computer Society
Business Continuity Institute
CSIRO Atmospheric Research
Department of Defence (Australia)
Department of Finance & Administration (Federal)
Emergency Management Australia
Engineers Australia
Environmental Risk Management Authority New Zealand
Institution of Professional Engineers New Zealand
Local Government New Zealand
Massey University
Minerals Council of Australia
Ministry of Agriculture and Forestry New Zealand
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Ministry of Economic Development (New Zealand)

New Zealand Society for Risk Management
NSW Treasury Managed Fund
Property Council of Australia
Risk Management Institution of Australasia
Safety Institute of Australia (Incorporated)
Securities Institute of Australia
The University of New South Wales
Victorian WorkCover Authority

Keeping Standards up-to-date

Standards are living documents which reflect progress in science, technology and
systems. To maintain their currency, all Standards are periodically reviewed, and
new editions are published. Between editions, amendments may be issued.
Standards may also be withdrawn. It is important that readers assure themselves
they are using a current Standard, which should include any amendments which
may have been published since the Standard was purchased.
Detailed information about Standards can be found by visiting the Standards Web
Shop at www.standards.com.au and looking up the relevant Standard in the on-line
catalogue.
Alternatively, the printed Catalogue provides information current at 1 January each
year, and the monthly magazine, The Global Standard, has a full listing of revisions
and amendments published each month.
Australian StandardsTM and other products and services developed by Standards
Australia are published and distributed under contract by SAI Global, which
operates the Standards Web Shop.
We also welcome suggestions for improvement in our Standards, and especially
encourage readers to notify us immediately of any apparent inaccuracies or
ambiguities. Contact us via email at [email protected], or write to the Chief
Executive, Standards Australia, GPO Box 476, Sydney, NSW 2001.
 HB 254—2005

Handbook

Governance, risk management and

Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

control assurance

Originated as HB 254—2003.
Second edition 2004.
Third edition 2005.

COPYRIGHT
© Standards Australia
All rights are reserved. No part of this work may be reproduced or copied in any form or by
any means, electronic or mechanical, including photocopying, without the written
permission of the publisher.
Published by Standards Australia, GPO Box 476, Sydney, NSW 2001, Australia
ISBN 0 7337 6892 X
 HB 254—2005 2

Preface
This Handbook was prepared by the Corporate Governance
Working Group under the Joint Standards Australia/Standards
New Zealand Technical Committee OB-007, Risk Management,
and forms part of the series of publications based on
AS/NZS 4360, Risk management. It supersedes HB 254—2004,
Guide to Controls Assurance and Risk Management.
It was prepared to—
• provide guidance on the benefits to Boards from
implementing an enterprise-wide risk management framework
in their organisation; and
• outline the methodologies involved in implementing risk
management and control assurance frameworks in support of
sound governance.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Dr Ted Dahms, representing the Risk Management Institution of

Australasia is the principal author of this Handbook.
Other key contributors, from Standards Australia's Joint
Technical Committee on Risk Management, include—
• Dr Dale Cooper, representing the Securities Institute of
Australia
• Mr Kevin Knight, representing the Risk Management
Institution of Australasia
• Mr Grant Purdy, representing the Minerals Council of
Australia.
Standards Australia would like to give particular
acknowledgement to the contributions of the following
organisations in the development of the Handbook—
• Australian National Audit Office
• Australian Stock Exchange
• Institute of Internal Auditors
• Queensland Audit Office
 3 HB 254—2005

Contents
Page

Executive summary ........................................................................ 4

1 Introduction
1.1 Corporate Governance................................................ 12
1.2 Governance Frameworks and Management
Practices ..................................................................... 14
1.3 Governance, Risk Management and Control ............. 15
1.4 Definitions ................................................................... 17

2 Key benefits to the board ...................................................... 20

Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

3 Risk management and the risk management process

3.1 What is Risk? .............................................................. 22
3.2 What is Risk Management? ........................................ 23
3.3 The Risk Management Process .................................. 23
3.4 Implementing a risk management framework.............. 28

4 Control assurance plan

4.1 General ....................................................................... 32
4.2 Assurance control elements........................................ 34
4.3 Control criteria ............................................................ 36
4.4 Inherent control assurance.......................................... 39

5 Implementation–How effective control can provide

assurance to the board
5.1 Application of the Control Criteria ............................... 42
5.2 Medium to Small Organisations .................................. 52

6 Managing change ................................................................. 54

 HB 254—2005 4

Executive summary
Introduction
Traditional governance internal control and risk management
guides are systems-based with a strong focus on legislative and
regulatory compliance. Recent spectacular company failures
however, indicate that compliance alone does not guarantee
sound corporate governance. This Handbook outlines a Controls
Assurance Plan for Boards and senior managers that refines and
aligns current management practices to complement the more
traditional compliance-based guides. It aims to promote amongst
Directors, senior managers and employees—
• a sense of organisational and personal purpose; and
• capability and commitment in relation to the organisation’s
corporate objectives.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

The philosophical foundation of the Controls Assurance Plan is

the alignment of the risk management process with corporate
governance by the—
• application of risk management process to objective setting
at all levels of the organisation to develop controls that are at
the same time strategies; and
• building of an underlying value system in the form of a self-
sustaining system of inherent controls with a reduction in the
reliance on formal compliance control.
The proposed system of inherent controls is developed by
refining and aligning current management practices. This means
that the Plan can be implemented within existing resources and
without additional infrastructure. The leadership skill for the
Board and senior managers is to achieve an effective balance
between inherent and formal control appropriate for their
organisation’s level of control/risk maturity.
Although the Handbook is primarily designed with the private
sector in mind, its concepts and frameworks are independent of
legislative or regulatory constraints and can be applied with
minimal modification in any jurisdiction, across all sectors
including not-for-profits and to organisations of any size. Smaller
organisations should keep their procedures simple and within the
bounds of existing resources. The aim is to sharpen up, rather
than add, resources to the risk management and control
1.
activities
Where organisations do not have the resources to adequately
fund an internal audit unit they need to implement alternative

1
Implementing Turnbull. Institute of Chartered Accountants, England and Wales,
1999: p10.
 5 HB 254—2005

procedures to provide control assurance to the Board. A

methodology for providing Independent control assurance in
smaller organisations is outlined in Clause 5.2 at the end of this
Handbook.
Implementation of the Control Assurance Plan is facilitated by an
appreciation of the relationship between governance frameworks
and management practices together with an understanding of
the linkages between governance, risk management and control.
Governance frameworks and management
Practices
Essentially corporate governance is a guidance system
composed of standard management practices operating within a
governance framework designed to suit the organisation.
The Practices are essentially common management tools drawn
together into a logical, interrelated system focused on achieving
results. They can be universally applied to any organisation
irrespective of their size, or statutory and regulatory
environments.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Governance frameworks provide the structure within which the

management practices operate. Parts of this structure are
mandatory and set by legislation, regulation or listing rules in
different jurisdictions, or by policy directives for public-sector
organisations. Others are discretionary and set by Boards and
senior management to address the management practices and
can vary from organisation to organisation even within the same
statutory environment. For this reason there is no one
governance framework that suits all organisations, i.e. one size
does not fit all.
Standard management practices are Control Activities for
ensuring—
• corporate and operational objectives are developed and
integrated throughout the organisation;
• competencies match objectives;
• clarity of roles and responsibilities;
• authority matches assigned responsibilities;
• high standards of ethical behaviour;
• effective monitoring and reporting systems; and
• effective and timely information flow throughout the
organisation.
Goals and objectives–The focus
An understanding of the relationship between corporate
governance, risk management, controls and strategies is
fundamental to the successful implementation of the proposed
Controls Assurance Plan. This relationship may be summarised
as follows:
 HB 254—2005 6

• Corporate governance is a guidance system for the

achievement of planned objectives–it is an objectives-focused
concept.
• Management of risk is part of each objective at all levels of
the organisation.
• Risk management develops risk treatment plans that are at
the same time the controls and strategies associated with
achieving each objective.
• The meaning of control is broader than internal financial
control and is expanded to include all planning and strategies
put in place after the corporate objectives have been set.
Transparency and probity are part of this control environment.
• The control environment provides reasonable assurance to
Boards and senior managers that the organisational
objectives will be achieved within an acceptable degree of
residual risk.
• Corporate governance is an organisation’s strategic
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

2
response to risk .
• Reporting against performance measures for each objective
is also a report on the effectiveness of strategies, controls
and the risk management process for that objective. Risk
management reporting is therefore part of performance
reporting and not a separate exercise.
Effective risk management is therefore the cornerstone of sound
governance and the Handbook provides an overview of the risk
management process in line with AS/NZS 4360:2004, Risk
management together with an implementation plan (Control
Assurance Plan).
Benefits for the Board
The implementation of effective risk and control assurance
frameworks provides a number of important outcomes in the
corporate governance context, including:
• More effective strategic and operational planning with
established linkages.
• Greater confidence in achieving planned operational and
strategic objectives.
• Enhanced organisational resilience that reduces the time lost
on ‘fighting fires’, and improves the organisation’s potential to
exploit opportunities.
• Greater confidence in the decision-making process.

2
David McNamee and Georges Selim. Changing the Paradigm 2000.
www.mc2consulting.com/riskart8.htm
 7 HB 254—2005

• Improved stakeholder confidence leading to enhanced

capital raising.
• Director protection.
Implementation
General
The principles underpinning an effective risk and control
assurance framework are in essence standard management
practices. Implementation, therefore, does not involve
abandoning everything that is currently in place, but rather
entails refining and aligning current practices.
The establishment of a risk and control assurance framework
without an underlying value system encourages compliance
rather than commitment. A compliance culture is neither
responsive to change nor focused on innovation and
performance improvement.
An underlying value system is set by inherent control, a central
concept in the Control Assurance Plan, that has a different focus
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

to formal control as follows:

• Inherent controls are proactive promoting purpose, capability
and commitment throughout the organisation, including the
Board, and are reliant on sound HR practices, ethics and
communication. They occur continuously and consistently
throughout the organisation as part of normal business
practice and are to a large extent self sustaining. Elements
that contribute to an inherent control system include systems
thinking, developing a learning organisation, motivating trust
and relationships, and matching competencies with
objectives.
• Formal control involves assigning, monitoring, reviewing and
reporting that are traditional command-control style
processes based upon an organisational hierarchy.
The leadership skill for the Board, CEO and senior managers is
to develop an effective balance between the two assurance
processes. By increasing assurance through inherent controls,
formal control can concentrate on areas of critical risk, the
organisational focus becomes one of performance rather than
compliance and the governance style is based upon an
innovation–results model rather than command–control model.
An effective risk management framework
Framework
Risk management touches all of the organisation’s activities. It is
the foundation of the control environment and sound corporate
governance. For this reason the implementation of an effective
enterprise-wide risk management framework requires careful
planning.
The risk management implementation plan proposed in the
Handbook involves two phases as follows:
 HB 254—2005 8

• An initial phase wherein the risk management

implementation plan is developed and Board and senior
management support is generated through processes such
as policy development, information sessions and assigning
risk management responsibilities to co-ordinators.
• An ongoing phase by which the risk management framework
is—
• embedded throughout the organisation as part of
normal business practice; and
• maintained through monitoring and reviewing
risks, controls, and changes in the internal and
external environments.
The Control Assurance Plan
The benefits to the Board from implementing an enterprise-wide
risk management framework can be further improved by
increasing the focus on inherent or in–built control and reducing
the reliance on formal control. The Handbook outlines a Control
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Assurance Plan that provides a methodology for implementing

Inherent control.
The focus of the Plan is five control elements (Figure 3) linked by
an information system. These are:
• Planning (setting and communicating the purpose for the
organisation).
• Board (shareholder representatives accountable for
organisational performance to key stakeholders—sets
organisational direction, develops broad policy and
supervises management).
• Organisation (CEO, senior managers and employees—
responsible for the delivery of organisation outputs in line with
the Board’s strategic objectives).
• Independent Assurance (provides risk management and
control assurance to the Board independent of
management—supports the Board’s accountability).
• Management Assurance (management’s risk and control
assurance to the Board—supports management’s
accountability).
The Plan operates by addressing the control criteria of purpose,
capability, commitment, monitoring and learning, and information
in each Control Element according to the control assurance
focus in each. The various aspects of the control criteria are
addressed by applying standard management practices to each
Control Element. The management practices are in essence
Control Activities.
Control Activities address the Criteria in different ways in each
Element depending upon the Element’s control assurance focus.
A high level methodology for aligning Control Activities with the
 9 HB 254—2005

Criteria in each Element is set out in Section 4 in the form of a

Control Assurance Plan.
Purpose
The Board is directly responsible for setting the organisation’s
strategic direction. It achieves this by developing the mission and
vision from which are developed the corporate objectives. The
Board is indirectly responsible through the CEO for ensuring that
these objectives cascade throughout the organisation by
translation into integrated and aligned operational, business,
team and individual objectives. In association with this
responsibility the Board and senior management have a duty to
ensure that the significant internal and external risks associated
with these objectives are identified and assessed.
Capability and Commitment
Capable and committed employees, teams and committees are
the key to providing reasonable assurance that the
organisation’s objectives will be met within an acceptable degree
of residual risk. Capability and Commitment are facilitated
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

through communication and human resource strategies aligned

to the corporate objectives. An important issue is the
development of an awareness by all members of the
organisation that they share the responsibility for the
effectiveness of its risk management and control frameworks.
Monitoring and Learning
Effective monitoring and reporting processes maintain a watch
over the achievement of objectives at all levels and ensure
compliance within the organisation’s statutory and policy
environments. A key element in this area is ensuring the
continuing effectiveness of the organisation’s risk management
and control frameworks. Learning is achieved through
identification of non-compliance, post-event analysis, variances
from planned targets and the identification of opportunities.
Information
Information plays a vital role in supporting the criteria of Purpose,
Capability and Commitment that form the basis of inherent
control. Similarly, information is the vital link in formal control
through its support of effective decision-making, and monitoring
and reporting against targets and critical risks.
The Handbook
The Handbook contains six Sections—
Section 1—examines the relationship of risk management,
control and corporate governance.
Section 2—outlines the key benefits to the Board from ensuring
that an appropriate system of risk management is in place.
Section 3—defines risk management, outlines the risk
management process and provides an implementation plan for
an enterprise-wide risk management framework.
 HB 254—2005 10

Section 4—outlines a control assurance plan for Boards and

senior managers, and introduces the concepts of inherent and
formal control.
Section 5—contains advice on the practical implementation of a
Control Assurance Plan.
Section 6—provides brief advice on managing change in order
to achieve successful Control Assurance Plans.
The key messages in the Handbook are that—
• risk management is an essential tool underpinning all of the
Board’s functions, as well as assisting the Board to discharge
its obligations;
• enterprise-wide risk management develops the
organisation’s control environment and strategies that support
sound corporate governance;
• increasing reliance on inherent control over formal control
reduces compliance costs and allows an increased focus on
performance; and
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• risk and opportunity for gain are partners, thus broadening

the risk management process to opportunity identification and
assessment.
 11 HB 254—2005

1 Introduction
The Handbook sets out the close relationship between
governance, control and risk management and indicates how this
relationship underpins sound governance.
The conceptual foundation of the Handbook is the linkage of risk
management to objectives at all levels to develop controls that
are also strategies.
Further advantages are to had by Boards and senior managers
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

through the separation of control into inherent and formal control

where inherent controls are self sustaining and allow greater
focus on performance.
Inherent controls are developed by Control Activities (standard
management practices) that address the Control Criteria of
purpose, capability, commitment, monitoring and learning, and
effective information flow throughout the organisation, including
the Board, and are reliant on sound HR, ethics and
communication.
Formal control processes involve assigning, monitoring,
reviewing and reporting (command-control style based upon a
hierarchy).
The Handbook employs the above conceptual view of risk
management to formulate a Control Assurance Plan based on
five Control Elements (Fig 3), each with its own Assurance
Focus, as follows—
Planning (the core control element setting the purpose for the
organisation in the form of linked corporate plans, operational
plans and risk management).
Board (shareholder representatives accountable for
organisational performance to key stakeholders—sets
organisational direction, develops broad policy and supervises
management).
Organisation (CEO, senior managers and employees—
responsible for the delivery of organisation outputs in line with
the Board’s corporate objectives).
Independent Assurance (provides risk management and
control assurance to the Board independent of management—
supports the Board’s accountability).

www.standards.com.au  Standards Australia

 HB 254—2005 12

Management Assurance (management’s performance

reporting, including the associated risk and control assurance to
the Board—supports management’s accountability).
The control elements are linked by an information framework that
promotes—
• effective decision-making;
• clarity of roles, responsibilities and authorities; and
• the performance processes of monitoring, reviewing and
reporting.
Control assurance is achieved in each Element by applying
Control Activities to each Element according to its Assurance
Focus.
The aim of the Control Assurance Plan is to achieve a balance
between the two assurance processes whereby there is
increased reliance on inherent control assurance and formal
control assurance is limited to compliance matters.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

The Plan provides a number of benefits including:

• Development of an underlying value system that
complements compliance-based guides focused on the
mandatory governance frameworks set by legislation and
regulation.
• Implementation is achieved within existing resources and
infrastructure through the refinement and alignment of current
management practices.
• Wide application to any statutory environment including not-
for-profits, any jurisdiction and to organisations of any size.
Implementation of the Control Assurance Plan is facilitated by—
• a clear conceptual understanding of corporate governance;
• an appreciation of the relationship between governance
frameworks and management practices; and
• an understanding of the linkages between governance, risk
management and control.

1.1 Corporate Governance

There are a number of definitions of corporate governance each
with a slightly different emphasis. For the purposes of the
Handbook, the definition and framework for corporate
governance outlined in AS 8000, Corporate governance—Good
governance principles has been adopted as follows—
‘The system by which entities are directed and controlled.’
The Standard also refers to the following relevant statements
about corporate governance—

 Standards Australia www.standards.com.au

 13 HB 254—2005

‘Corporate Governance is concerned with improving the

performance of companies for the benefit of shareholders,
stakeholders and economic growth. It focuses on the
conduct of, and relationships between, the Board of
directors, managers and the company shareholders.’
‘Corporate governance generally refers to the processes by
which organisations are directed, controlled and held to
account. It encompasses authority, accountability,
stewardship, leadership, direction and control exercised in
the organisation.’
The Australian Stock Exchange Corporate Governance Council
has articulated ten core principles that underlie sound corporate
3
governance , including—
• laying solid foundations for management and oversight;
• structuring the Board to add value; and
• recognising and managing risk.
The Control Assurance Plan addresses all of the above through
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

its control activities and control criteria for—

• direction (purpose, leadership);
• control (inherent and formal control systems);
• accountability (monitoring and learning);
• authority (delegations);
• stewardship (capability, commitment, and ethics);
• structuring the Board to add value (purpose, capability and
commitment);
• management oversight (purpose, capability and
commitment); and
• recognising and managing risk (the Plan’s integrated risk
management framework linked to objectives)
All of the above are part of the Plan’s control environment. In
addition, the Plan is formulated to promote—
• functional relationships between the Board, senior managers
and employees; and
• reasonable assurance in relation to performance through its
promotion of an effective balance between formal and
inherent control in favour of the latter.

3
Principles of Good Corporate Governance and Best Practice
Recommendations, ASX Corporate Governance Council, April 2003.

www.standards.com.au  Standards Australia

 HB 254—2005 14

1.2 Governance Frameworks and Management

Practices
Essentially corporate governance is a guidance system
composed of standard management practices operating within a
governance framework designed to suit the organisation.
The distinction between management practices and governance
frameworks is fundamental to an understanding of governance.
The practices are essentially common management tools drawn
together into a logical, interrelated system focused on achieving
results. They can be universally applied to any organisation
irrespective of its size, or statutory and regulatory environments.
Governance frameworks provide the structure within which the
management practices operate. Parts of this structure are
mandatory and set by legislation, regulation or listing rules in
different jurisdictions, or by policy directives for public-sector
organisations. Others are discretionary and set by Boards and
senior management to address the management practices and
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

can vary from organisation to organisation even within the same

statutory environment. For this reason there is no one
governance framework that suits all organisations, i.e. one size
does not fit all.
Once the corporate objectives are set and the organisational
structure is established, the management practices applied
involve:
• Developing corporate objectives and integrating these
throughout the organisation as operational, divisional, project
and individual plans.
• Ensuring competencies match the organisation’s strategic
and operational objectives through effective strategic and
operational HR planning.
• Clearly setting out and communicating roles and
responsibilities to ensure that all members of the
organisation, committees and teams understand their roles
and how they contribute to the achievement of organisational
objectives. Instruments include job descriptions, inductions,
policies, procedures, terms of reference, charters, and
performance planning and review programs.
• Providing authority to match responsibilities through
delegations.
• Communicating the standard of behaviour expected of all
members of the organisation through a code of conduct. This
principle is directed at fraud prevention, probity, client service
and creating a culture which fosters trust and builds
relationships.
• Developing, monitoring and reporting processes to ensure—
• conformance with laws, policies, procedures,
and the code of conduct;

 Standards Australia www.standards.com.au

 15 HB 254—2005

• performance against the corporate and

operational objectives;
• timely responses to changes in the external and
internal environments;
• accountability through effective internal and
external reporting processes; and
• learning is achieved through identification of
non-compliance, post-event analysis, variances
from planned targets and the identification of
opportunities.
• Developing an information framework that provides—
• quality information to all members of the
organisation, committees and teams in a timely
manner to promote effective decision-making;
• information including roles, responsibilities,
authority, and senior management decisions
necessary for members of the organisation in the
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

discharge of their responsibilities; and

• an environment of open communication to foster
continuous improvement and innovation.
Management practices are the Control Activities in the Control
Assurance Plan.

1.3 Governance, Risk Management and Control

The Handbook adopts a broad concept of control underpinned
by the view that the control environment provides reasonable
assurance to Boards and senior management that the
organisation’s objectives will be reached within an acceptable
degree of residual risk. Further, it is the examination of strategic
and operational objectives, and the application of the risk
management process to these objectives that develops
strategies and controls. In essence, strategies, controls and risk
treatment plans are one and the same. In this way risk
management is effectively integrated throughout the
organisation.
The concepts of internal control and risk management had very
different origins, but they have now become inseparable. To
understand the relationships between these two concepts it is
necessary to examine their origins and the subsequent shifts in
perceptions.
Internal control had its origin with the accounting profession and
understandably its focus was financial controls and legal
compliance. Risk management arose from engineering practice
and was taken up by the insurance industry as an essential
methodology with a focus on managing hazards.

www.standards.com.au  Standards Australia

 HB 254—2005 16

4
The definition of control has been expanded to cover the
efficiency and effectiveness of all of an organisation’s operations,
and the associated processes and risks that impact on the
achievement of its objectives.
In this view, internal control is a process effected by an
organisation’s Board of Directors, Chief Executive Officer, senior
management and other members of the organisation, designed
to provide reasonable assurance regarding the achievement of
the organisation’s objectives.
Control is seen to comprise those elements of an organisation
(including resources, systems, processes, culture, structure and
tasks) that, taken together, support people in the achievement of
5
the organisation’s objectives.
Risk is defined as ‘the chance of something happening that will
have an impact upon objectives’ (AS/NZS 4360). Impacts may
be positive or negative.
From these definitions it is clear that the coverage of both
concepts have expanded to include all of an organisation’s
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

activities. The relationship between risk and control can be

revealed by examining the risk management processes of
establishing the context followed by the identification, analysis,
evaluation, monitoring and control of risks (see first dot point
below and Section 3). In essence, controls are the treatment
plans and monitoring procedures developed to manage identified
and evaluated risks and opportunities.
The key issues that arise from these definitions of control and
risk are that—
• control involves all aspects of an organisation’s operations–
its focus is no longer restricted to financial matters;
• the word ‘internal’ has been dropped in front of control in
recognition of external as well as internal environmental
issues and changes;
• the risk management process develops the control
environment;
• the focus of control and governance are one and the same–
the achievement of organisational objectives;
• although the responsibility for the organisation’s control
environment rests with the Board, there is a delegated
responsibility to everyone in relation to their assigned
responsibilities; and

4
Risk Management and Internal Control. A Step by Step Approach to Managing
Risks More Effectively. New South Wales Treasury, September 1997: 4
Volumes
5
Control and Governance No. 1. Guidance on Control. Canadian Institute of
Chartered Accountants, Ontario, Canada, November 1999. 32pp.

 Standards Australia www.standards.com.au

 17 HB 254—2005

• risk management not only provides a strategy for treating

risks which might prevent an organisation from achieving its
objectives, but also provides the flexibility for the organisation
to respond to unexpected threats and take advantage of
opportunities. Risk management therefore provides
organisational resilience as well as control.
Previously, control only involved bureaucratic processes such as
second party authorisation and segregation of duties. This is
typical of a command/control environment founded on what the
Handbook refers to as formal control.
Modern control frameworks and models now recognise the
6
essential contribution of what are referred to as ‘soft controls’
that include leadership, teamwork, culture, values,
communication, accountability, anticipation, flexibility and
capability. These controls are crucial for gaining commitment
when implementing and maintaining an effective governance
system. In the Handbook, they are considered important aspects
of inherent control.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

1.4 Definitions
For the purpose of this Standard, the definitions below apply.

1.4.1 Assurance
Assurance relates to the likelihood that planned objectives will be
achieved within an acceptable degree of residual risk i.e. it seeks
to ensure that an acceptable level of accountability will be
realised by those assigned responsibility and authority for the
achievement of an objective. Assurance is sought by the person
or body assigning the responsibility and authority.
The level of assurance is reliant on the effectiveness of the
systems and culture put in place by those persons or bodies
responsible for implementing and maintaining the control
environment. It follows that the persons or bodies assigning
responsibility and authority, as well as seeking assurance, are
responsible for the implementation of systems that provide and
enhance that assurance.

1.4.2 Assurance focus

Control assurance responsibility assigned by legislation,
regulation, listing rules or by an organisation’s governance
system. It may apply to individuals or parts of the organisation
including the Board.

6
LEITHHEAD, B. S. Control Self Assessment’s Contribution to Corporate
Governance. Institute of Internal Auditors Conference, Gold Coast,
Queensland, 1998: 14 pp.

www.standards.com.au  Standards Australia

 HB 254—2005 18

1.4.3 Control
Control comprises those elements of an organisation (including
its resources, systems, processes, culture, structure and tasks)
that, taken together, support people in the achievement of the
organisation’s objectives.
Once the strategic direction of the organisation is determined
everything that follows is part of the control environment.

1.4.4 Control activities

Routines established to provide assurance that processes
operate as designed and meet the requirements of the
organisation’s policies. (Management practices or principles)

1.4.5 Control criteria

Criteria that are the basis for understanding control in an
organisation and for making judgements about the effectiveness
of control.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

1.4.6 Control elements

Any part of an organisation, or the relationship between parts of
an organisation, that contributes to reliable achievement of its
objectives.

1.4.7 Formal control

Control processes of assigning, monitoring, reviewing and
reporting (command–control style based upon a hierarchy).

1.4.8 Inherent control

Control activities that promote purpose, capability, commitment,
monitoring and learning, and information throughout the
organisation, including the Board, and are reliant on sound HR,
ethics and communication.
They occur continuously and consistently throughout the
organisation, are embedded as normal management practices,
and are to a large extent self sustaining.

1.4.9 Organisation
A group of people working together to achieve objectives. This
includes the entity and its governing body.

1.4.10 Organisational objectives

The long-term results, with appropriate key performance
indicators, set by the organisation.

1.4.11 Risk management

The culture, processes and structures that are directed towards
realising potential opportunities whilst managing adverse events.

 Standards Australia www.standards.com.au

 19 HB 254—2005

NOTE: After Control and Governance, No. 1–-Guidance on Control.

Canadian Institute of Chartered Accountants, 1995 and AS/NZS
4360:2004
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

www.standards.com.au  Standards Australia

 HB 254—2005 20

2 Key benefits to the

board
The integration of a risk management process into an
organisation’s corporate governance framework has the
following advantages:
• More effective strategic and operational planning
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

By applying the risk management process to objective setting at

all levels of the organisation it becomes effectively integrated as
an enterprise-wide process. In addition, controls and strategies
are integrated and linked with the organisational objectives as
the unifying focus.
Risk management therefore ensures that the risks associated
with an organisation’s strategic and operational objectives are
identified and addressed by appropriate controls that also
function as strategies.
• Greater confidence in achieving planned operational
and strategic objectives
Risk management applied to the planning process provides
confidence regarding performance in two ways.
The application of the formula, strategies = objectives + risk
management, develops strategies that provide reasonable
assurance that an organisation will achieve its objectives within
an acceptable degree of residual risk.
An additional benefit is derived through the development of a
enterprise-wide risk management culture that engenders
capability and commitment with respect to the management of
risks and therefore to the achievement objectives.
• Enhanced organisational resilience
Risk management develops a framework for anticipating and
professionally managing risks thus reducing the time and energy
spent in crisis management. This advantage is further enhanced
by incorporating risk management throughout the workforce as
part of normal business practice to facilitate rapid organisational
response to unexpected threats and to take advantage of
opportunities.

 Standards Australia www.standards.com.au

 21 HB 254—2005

• Greater confidence in the decision-making process

The risk management methodology outlined in AS/NZS 4360
applies rigour to the decision-making process reducing the
probability and/or consequences of unforseen events.
In addition, risk management plays a multiple role in evaluating
opportunities. The decision-making process involves the
following questions:
• What are the risks of not taking up the opportunity?
• How are these risks balanced by those associated with
taking up the opportunity?
• Once the decision has been made to take up the
opportunity, what are the risks involved in managing the
opportunity effectively?
These processes assist in strategic decision-making processes
such as major investments or mergers and acquisitions.
In an organisation focused on performance the overall question
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

should be, ‘are we taking enough risks?’

An additional advantage of an effective risk management
process is that it documents the decision-making process
thereby enhancing accountability and traceability of decisions.
• Greater stakeholder confidence and enhanced capital
raising
Demonstration of a sound risk management framework applied
throughout the organisation as part of normal business practice
engenders confidence in investors, lenders and insurers
facilitating capital raising and protection.
• Director protection
Implementing an enterprise-wide risk management framework
and developing capability and commitment in this regard
amongst all members of the organisation enhances the quality of
information contained in reports. This is complemented by the
development of an effective organisational information
framework promoting clarity of roles, responsibilities and
accountabilities. Such frameworks can provide Directors with
confidence in the information they receive for their decision-
making purposes and that their due diligence responsibilities
have been effectively discharged.

www.standards.com.au  Standards Australia

 HB 254—2005 22

3 Risk management and

the risk management
process
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

3.1 What is Risk?

Risk is defined in AS/NZS 4360:2004, as ‘the chance of
something happening that will have an impact upon objectives’.
Risk arises out of uncertainty and is the exposure to the
possibility of such things as financial loss or gain, physical
damage, injury or delay as a consequence of pursuing or not
pursuing a particular course of action. It is measured in terms of
a combination of the probability of an event and its consequence.
7
Enterprise has been defined as the undertaking of risk for return
and underpins all activities of an organisation at all levels. Whilst
the Board has ultimate responsibility for the integrity of an
organisation’s risk management framework everyone who has
responsibility for an objective has responsibility for the risks and
controls associated with achieving that objective.
Notwithstanding this, the Board has its own portfolio of risks that
it will deal with directly and these risks may be related to—
• share value;
• corporate reputation;
• brand value;
• compliance;
• availability of funding; and
• the management of critical incidents.

7
KING, M. : The King Report on Corporate Governance (King I), Institute of
Directors in Southern Africa, November 1994.

 Standards Australia www.standards.com.au

 23 HB 254—2005

3.2 What is Risk Management?

Risk management is about identifying potential variations from
what is planned or desired and managing these to maximize
opportunity, minimize loss and improve decisions and outcomes.
It underpins sound management practices that are the
foundation of sound governance.
The process is iterative, consisting of steps that, when
undertaken in sequence, enable continuous improvement in
decision-making that facilitates continuous improvement in
business practices.
The risk management process involves—
• establishing an appropriate infrastructure and culture;
• understanding the organisation, and the context and
environment in which it operates; and then
• identifying, analysing, evaluating, treating, monitoring and
communicating risks associated with any activity, function or
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

process in a way that will enable organisations to minimise

losses and maximise gains.
Risk management is as much about identifying opportunities for
gain and improvement as it is about avoiding or mitigating
losses.

3.3 The Risk Management Process

3.3.1 General
The Australian and New Zealand Risk Management Standard
(AS/NZS 4360:2004) provides a generic risk management
process that can be applied to any organisation of any size and
in any jurisdiction. The following summary has been taken from
AS/NZS 4360:2004, but developed further to suit the Handbook’s
conceptual view through the—
• addition of a 'Key Outcomes' section following each step;
• linking of risk management with objectives at all levels to
provide a truly integrated risk management system; and
• inclusion of a methodology for implementing an integrated
risk management system.
The risk management process is illustrated in Figure 1, which is
reproduced from AS/NZS 4360:2004. The main elements of the
process are discussed in 3.3.2 to 3.3.8.

www.standards.com.au  Standards Australia

 HB 254—2005 24
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

FIGURE 1 THE RISK MANAGEMENT PROCESS

3.3.2 Communicate and consult

Communication and consultation are important adjuncts to each
step of the process. For this reason it is important that a
communication plan be developed at the outset for consulting
with internal and external stakeholders in regard to the overall
process and at each stage of the process as appropriate.
A consultative approach is useful to—
• help appropriately define the context;
• ensure risks are identified effectively;
• bring different areas of expertise together in analysing risks;
• ensure that different views are appropriately considered in
evaluating risks and appropriate change management occurs
during risk treatment; and
• promote the ‘ownership’ of risk by managers and facilitate
the engagement of stakeholders allowing them to appreciate
the benefits of particular controls and the need to endorse
and support a treatment plan.

 Standards Australia www.standards.com.au

 25 HB 254—2005

Key outcomes
• All key stakeholders have been consulted and involved as
appropriate.
• Stakeholder perceptions of risk have been addressed.
• Where necessary, a communication plan has been
developed.
• Ownership of risk and controls by all members of the
organisation.

3.3.3 Establish the context

The next step in the risk management process is to understand
the internal and external context in which the rest of the risk
management process will take place. Criteria against which risk
will be evaluated should be established and the structure of the
analysis defined.
The process occurs within the framework of an organisation’s
strategic, organisational and risk management context.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Establishment of the context is required to define the basic

parameters within which risks must be examined and managed,
and to provide guidance for decisions within more detailed risk
management studies. The context sets the scope for the rest of
the risk management process.
Key outcomes
An understanding of the organisation’s—
• external context (including the relationship between the
organisation and its environment, and the organisation’s
strengths, weaknesses, opportunities and threats);
• internal context (including the organisation’s capabilities, the
organisation’s goals and objectives and the strategies that
are in place to achieve them);
• risk management context (including the goals, objectives,
strategies, scope and parameters of the risk management
process, or the part of the organisation to which the risk
management process is being applied); and
• criteria for deciding when risk is tolerable.

3.3.4 Identify risks

The organisation must identify the risks to be managed.
Comprehensive identification using a well-structured systematic
process is critical, because a potential risk not identified at this
stage is excluded from further analysis. Identification should
include all risks whether or not they are under the influence of
the organisation.
The risks that relate to the organisation’s context and objectives
must be identified.

www.standards.com.au  Standards Australia

 HB 254—2005 26

Key outcomes
• Risk identification will be integrated as a part of the planning
process including strategic, operational, project and individual
plans by linking the process to objectives.
• The organisation will have an ongoing, comprehensive and
systematic process for identifying risks.
• The staff involved in risk identification will be knowledgeable
about the process or activity being reviewed and about the
risks that must be managed as a part of that activity.
• More effective decision-making process.

3.3.5 Analyse risks

The organisation must identify the existing controls and analyse
risks in terms of consequences and probability in the context of
those controls. The analysis should consider the probability of
the risk occurring and the potential consequences in terms of
their severity should they occur. Probability and consequences
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

may be combined to produce an estimated level of risk.

The objective of analysis is to provide data to assist in the
evaluation and treatment of risks. Risk analysis involves
consideration of the sources of risk, their consequences and the
probability of those risks occurring. Factors which affect
consequences and probability may be identified.
Risk is analysed in the context of existing controls and the level
of risk therefore will depend in part on the effectiveness of
existing controls. If these controls are critical in terms of the
management of risk, then Boards and senior managers should
seek appropriate assurance that the controls have been
implemented, are effective and remain in place. This concept is
discussed in more detail in Section 5.
Key outcomes
• Existing management and technical systems and procedures
used to control risks have been identified, assessed and
remain in place.
• Critical controls have been identified.
• Estimates of consequences and probability are based on the
most appropriate information available.

3.3.6 Evaluate risks

The estimated level of risk should be compared with pre-
established criteria and ranked to identify management priorities.
If the level of risk established is low, then the risk may be
tolerable and additional treatment may not be required.
The output of a risk evaluation generally consists of a prioritised
list of risks for further action. The objectives of the organisation
and the potential benefits and costs of taking the risks should be
considered.

 Standards Australia www.standards.com.au

 27 HB 254—2005

Key outcomes
• Risk will have been evaluated and prioritised using a
consistent process.
• The organisation will have established the need for
treatment plans for the higher priority risks, taking account of
benefits and costs.

3.3.7 Treat risks

Risk treatment involves identifying the range of options (controls)
for treating risk, assessing those options, preparing risk
treatment plans and implementing them.
Risk treatment plans may involve a range of options (controls)
directed towards the following:
• Avoiding the risk by deciding not to proceed with the activity
likely to create risk (where this is practicable).
• Changing the probability of the occurrence, to enhance the
probability of beneficial outcomes and reduce the probability
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

of losses.
• Changing the consequences of the risk, to increase the size
of the gains and reduce the size of the losses.
• Sharing the risk.
• Retaining the risk and making appropriate provisions for
dealing with the consequences should they arise.
Once risks have been prioritised through the evaluation process,
plans need to be developed. Risk treatment plans may involve
the re-design of existing controls, the introduction of new controls
or monitoring of existing controls. Low impact risks require only
periodic monitoring while major risks are likely to require more
intense management focus.
A cost/benefit analysis of a range of treatment plans (controls) is
essential to the decision-making process.
Similar processes should be used for the analysis and evaluation
of opportunities.
Key outcomes
• There is a risk treatment plan (control) for each major risk.
• Risk treatment plans include considerations of resourcing
and timing.
• The application of risk management to objectives at all levels
of the organisation facilitates planning and develops controls
that are also strategies. It follows that performance measures
for each objective are also measures of the effectiveness of
the controls and strategies for each objective. In addition,
risk management reporting is integrated and linked to
performance reporting against objectives.

www.standards.com.au  Standards Australia

 HB 254—2005 28

3.3.8 Monitor and review risks

Risk has a dynamic context resulting from the constantly
changing external and internal environments. For this reason the
organisation should monitor and review the performance of its
risk management process and changes in the internal and
external environments that might affect it.
In this process it is necessary to monitor not only the risks, but
also the effectiveness of the associated risk treatment plans and
the management processes for controlling their implementation.
These three levels of assurance activity are essential
components of both effective risk management and sound
corporate governance.
Key outcomes
• There is regular review and monitoring of the risk
management process including—
• the risks and opportunities the organisation
faces, and their priorities; and
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• the implementation and effectiveness of risk

treatment plans (controls, strategies).
• The organisation’s risk management processes have been
applied systematically to objectives at the corporate, business
unit and project levels.

3.4 Implementing a risk management framework

3.4.1 General
Risk management is the foundation of the control environment
and sound corporate governance, and touches all of the
organisation’s activities. For this reason the implementation of an
effective enterprise-wide risk management framework requires
careful planning.
A common issue for both large and small organisations is a
constraint on available resources for risk management and
control activities. It is therefore sensible to keep these
procedures as simple and straightforward as possible. Also,
there is no business sense in maintaining procedures where
costs outweigh the benefits to the business. Figure 2 sets out
some useful principles to bear in mind in keeping costs down.
The aim is to sharpen up, rather than add, resources to the risk
8
management and control activities.
For any organisation of any size however, the Handbook offers a
way of reducing costs. An integrated risk management system

8
Implementing Turnbull. Institute of Chartered Accountants, England and Wales
1999, p 10.

 Standards Australia www.standards.com.au

 29 HB 254—2005

does away with the concept of risk management as a separate

business process with its own planning and reporting process.
The linking of risk management to objectives fully integrates risk
management as part of normal business practice thereby
reducing resources requirements and costs.

Put primary Ensure Avoid

focus on objectives are duplication
significant risks prioritised
and related
controls
Allocate risk
Re-orient KEEPING IT management
training around SIMPLE AND responsibilities
to individuals
the significant
skills
STRAIGHT FORWARD
Produce a proper Don’t create Keep reports to
project plan and huge paper the board
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

monitor progress chases succinct and

avoid complexity

FIGURE 2 AVOIDING UNNECESSARY COMPLEXITY AND COST

(AFTER 'IMPLEMENTING TURNBULL')9
10
Implementation is best undertaken in two phases as follows—
• An initial phase wherein the implementation plan is
developed and Board and senior management support is
generated.
• An ongoing phase by which the framework is—
• embedded throughout the organisation; and
• maintained through monitoring and reviewing
risks, controls and changes to the internal and
external environments.

3.4.2 Initial implementation phase

The initial planning phase assists Boards and senior managers
in discharging their responsibility for the development of an
organisation-wide risk management culture. Supporting
processes include the—
• generation and communication of an implementation plan;

9
Implementing Turnbull. Institute of Chartered Accountants, England and Wales
1999, p 11.
10
Implementing Turnbull. Institute of Chartered Accountants, England and Wales
1999, p 11.

www.standards.com.au  Standards Australia

 HB 254—2005 30

• development and dissemination of a Risk Management

Policy;
• provision of information sessions to all employees in relation
to risk management and its pervasive role in the organisation;
and
• designation of risk management co-ordinators at appropriate
positions throughout the organisation.
Risk management policy
The development of a policy clearly identifying the organisation’s
approach and attitude to risk management and the expected
roles and responsibilities of all parties is a key governance tool.
The Risk Management Policy should clearly address issues such
as—
• objectives of the policy and the rationale for managing risk;
• the scope and coverage of the policy;
• the links between risk management and the organisation’s
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

goals, objectives and the nature of its business;

• who is responsible for managing risks and who has
responsibility for risk management co-ordination;
• risk methodology to be used;
• guidance on what might be regarded as acceptable risks;
• sources for support and guidance in relation to risk
management;
• the reporting protocols and the level of documentation
required;
• a plan for reviewing the organisation’s performance in
relation to the policy and the policy itself; and
• the need for business continuity plans, disaster recovery
plans and the regularity of testing of these plans.
Risk management co-ordinators
The appointment of risk management co-ordinators in key
positions throughout the organisation provides a group of risk
management champions to assist in implementing an enterprise-
wide risk management framework. The tasks of risk co-
ordinators include—
• monitoring the implementation of risk management in the
parts of the organisation in which they work;
• reporting on risks, and on risk management implementation,
as required;
• promoting the acceptance of risk management techniques;
• increasing awareness of the benefits of risk management;
• providing advice and support; and
• facilitating risk assessments and risk management activities.

 Standards Australia www.standards.com.au

 31 HB 254—2005

The appointment of risk co-ordinators does not remove the

responsibility from all employees to manage risks and controls.
Co-ordinators are just that—co-ordinators—and risk
management remains a line management responsibility.

3.4.3 Ongoing implementation phase

This phase involves embedding a risk management culture
throughout the organisation as part of normal business practice
to support the risk management policy. The aim is to promote an
understanding of purpose, develop capability and generate
commitment to the management of risk by—
• incorporating risk management as part of the planning
process at all levels of the organisation and linking these to
monitoring and reporting on risks;
• incorporating risk management processes into day-to-day
business processes and systems to provide for the dynamic
and continuous management of change and to ensure that
there is always an effective and appropriate control
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

environment;
• assigning risk co-ordinating and reporting responsibilities to
managers of divisions and cascading these responsibilities
throughout the organisation;
• training co-ordinators in their assigned responsibilities;
• providing information sessions on risk management and its
benefits to the organisation’s business to all members of the
organisation and to new employees through the induction
process;
• incorporating risk management responsibilities as part of job
descriptions and performance evaluation;
• continually monitoring the internal and external environment
for changes that may affect the organisation’s risks and
controls, and developing corrective action as necessary; and
• continually developing and monitoring corrective actions.

www.standards.com.au  Standards Australia

 HB 254—2005 32

4 Control assurance plan

4.1 General
Risk management develops the control environment and, as
outlined in Section 2, provides significant benefits to the Board. It
is possible to provide further benefits for the Board by separating
11
control into inherent and formal control . This is achieved by
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

integrating the underlying value system of a learning

12
organisation with a traditional systems/compliance view of
13
governance.
This Section outlines a Control Assurance Plan based upon
increasing the focus on inherent control and reducing the
reliance on formal control. In so doing, the Plan provides a
framework for moving the organisation towards self-management
at the operational level in support of a learning Board free to
concentrate on its key tasks of policy formulation, strategic
14
thinking, supervising management and accountability . Self
management relies upon developing an understanding of
purpose, and building trust, capability and commitment
throughout the organisation.
The foundation of the plan is five Control Elements linked by an
15
information system. A set of Control Criteria operate in each
Control Element and the criteria are addressed through the
application of Control Activities (standard management
practices) (Table 1).

11
DAHMS, T. Inherent Control, a concept for effective corporate governance.
Keeping good companies, Feb 2003, vol. 55, no 1 p. 26-29, Chartered
Secretaries Australia.
12
QUEENSLAND AUDIT OFFICE, 2002. Corporate Governance and Risk
Management Assessment Program for Departments, General Publications.
http://www.qao.qld.gov.au/
13
DAHMS, T. Systems and commitment in corporate governance. Keeping good
companies, 2002, vol.55, no. 1 p. 26-29. Chartered Secretaries Australia.
14
GARRETT, B. The Fish Rots From the Head. Harper Collins, 225 pp, 1997.
15
Control and Governance No. 1. Guidance on Control. Canadian Institute of
Chartered Accountants, Ontario, Canada, November 1995.

 Standards Australia www.standards.com.au

 33 HB 254—2005

The Control Elements, Control Criteria and Control Activities are

summarised in Table 1.

TABLE 1
CONCEPTS UNDERPINNING A CONTROL ASSURANCE FRAMEWORK

CONTROL ELEMENTS CONTROL CRITERIA CONTROL ACTIVITIES

(Management practices)
Planning Purpose Integrated planning
Competency development
Board Capability & commitment Matching authority
Expected standards of
behaviour (ethics)
Commitment Clarity of roles &
responsibilities

Organisation Monitoring & learning

Monitoring, review and
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

reporting
Management assurance Information Information framework

Independent assurance

The Plan is supported by the following premises:

• The purpose or focus of an organisation is defined by its
corporate objectives and by their translation into operational
objectives throughout the organisation.
• Strategies are developed by applying the risk management
process to the process for defining and setting corporate and
operational objectives, i.e. the risk management process
develops the risk treatment plans that are at the same time
the controls and strategies associated with each objective.
• Control is broader than internal financial control and is
expanded to include all planning and strategies put in place
after the corporate objectives have been set.
• The control environment provides the Board with reasonable
assurance that the organisation will achieve its objectives
within an acceptable degree of residual risk.
• Governance therefore may be considered as an
16
organisation’s strategic response to risk.
• Reporting is simplified because reporting on risks and their
management is linked to performance reporting. Key
Performance Indicators (KPIs) associated with each objective
are in essence measures of the effectiveness of their

16
David McNamee and Georges Selim. Changing the Paradigm 2000.
www.mc2consulting.com/riskart8.htm

www.standards.com.au  Standards Australia

 HB 254—2005 34

associated strategies and at the same time measures of the

effectiveness of controls.
• Risk Management not only provides a strategy for treating
risks that might prevent an organisation from achieving its
objectives, but also provides the flexibility for the organisation
to respond to unexpected threats and take advantage of
opportunities. Risk management therefore provides
organisational resilience as well as control.
• Transparency and probity are part of this control
environment.
• Control assurance is a balance of two aspects—
• inherent control that is based upon soft controls
occurring continuously and consistently
throughout the organisation, is embedded in
normal business practice, and to a large extent
self sustaining; and
• formal control processes of assigning,
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

monitoring, reviewing and reporting (command–

control style based upon a hierarchy).
• Although the Board has overall responsibility for the control
environment, everyone who has responsibility for an objective
has responsibility for the risks associated with that objective
and the controls to manage those risks.

4.2 Assurance control elements

The Board is responsible for the organisation’s overall control
framework that complements the strategic and operational
planning process. This responsibility is discharged by setting
appropriate risk and control policies, and by seeking regular
assurance regarding the effectiveness of the control
environment. Control assurance operates through the five key
Control Elements (Figure 3) as follows —
• Planning
• Board
• Organisation
• Management assurance
• Independent assurance
The Planning Control Element is the focal point of the
organisation in which the corporate and operational objectives
are developed, linked and integrated. Activity in this Control
Element provides organisational purpose and direction that
translates into operational purpose for committees, teams and
members of the organisation.
Theoretically, it is the Board’s responsibility to develop policy
(mission and vision) and strategy, and management’s

 Standards Australia www.standards.com.au

 35 HB 254—2005

responsibility to transfer this to operational plans. In practice,

there is a merging of responsibilities between the Board and
management in this Control Element. The Board brings to the
process its high level view of the organisation’s external
operating environment (mission and vision) and senior
management a view of the organisation’s internal and external
environments from an operational perspective. The two combine
to provide strategies that meet the mission and vision of the
organisation with a balance of effectiveness and efficiency.
Encircling the Planning Control Element are four structural
Control Elements connected by the Information framework.
• The Board as the shareholder representative has
responsibility and accountability for organisational
performance to key stakeholders. As well as its role in setting
policy (mission and vision) and strategy as discussed above
under Planning it has a tactical role in maintaining a watching
brief over the external and internal environments and CEO
performance, and obtaining balanced assurance over the
control environment from management and independent
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

sources.
• The Organisation includes the CEO, senior managers and
employees, and delivers organisational outputs in line with
the planned corporate outcomes. This Control Element
provides the opportunity to exercise a high degree of inherent
control through sound HR and ethical practices in an
environment of open communication. Monitoring and
performance review in this Control Element make significant
contributions to the Board’s strategy-setting responsibilities in
the Planning Control Element.
• Management Assurance provides the Board with assurance
through management monitoring, reviewing and reporting of
organisational performance against stated objectives and
compliance against laws, regulations, policies, procedures,
etc. Management teams or committees may be established to
assist in this process. This Control Element also makes
significant contributions to the Board’s responsibilities in the
Planning Control Element.
• Independent Assurance presents the Board with objective
information on the control environment through independent
bodies such as external and internal audit, and audit
committees. This Control Element provides a check and
balance for the outputs of the Management Assurance
Control Element. When the Board receives positive feedback
on the control environment from these independent bodies it
can have confidence in the assurance received from
management.

www.standards.com.au  Standards Australia

 HB 254—2005 36

Management
Practices

Control
Criteria
Reporting Reporting

Board

Management
Independent
Assurance

Assurance
Management

Management
Practices

Strategic Direction

Practices
Criteria
Control

Criteria
Control
Strategic Plan
Operational Plans

Organisation
Reviewing Reviewing
Control
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Criteria

Management
Practices

FIGURE 3 COMPONENTS OF CONTROL ASSURANCE

4.3 Control criteria

4.3.1 General
17
Assurance is based upon application of control criteria in the
Board, Organisation, Management Assurance and Independent
Assurance Control Elements (see Table 1). The proposed
18
control criteria are Purpose, Capability, Commitment and
Monitoring and Learning. Information operates across all criteria,
but because of its pervasive influence it is discussed separately
as a fifth control criterion. The five criteria and their relationship
within the control environment are discussed in 4.3.2 to 4.3.5.

4.3.2 Criterion 1–Purpose

The Board, with the assistance of senior management, is
responsible for setting the organisation’s strategic direction. It
achieves this by developing the organisation’s mission and vision

17
The control criteria are the basis for understanding control in an organisation
and for making judgements about the effectiveness of control.
18
Control and Governance No. 1. Guidance on Control. Canadian Institute of
Chartered Accountants, Ontario, Canada, November 1995.

 Standards Australia www.standards.com.au

 37 HB 254—2005

from which are developed the corporate objectives. The Board is

indirectly responsible through the CEO for ensuring that these
corporate objectives cascade throughout the organisation by
translation into integrated and aligned operational, business,
team and individual objectives.
The leadership challenge for the Board, CEO and senior
managers is in promoting an understanding throughout the
organisation that its sub-units and their objectives are part of an
interconnected whole with the corporate objectives as the
unifying force. The setting of objectives, development of
measurable performance targets and communication of these
aspects throughout the organisation provides the purpose for the
Board and the organisation.
In developing organisational objectives the Board and senior
management should ensure that the significant internal and
external risks associated with those objectives are identified and
assessed.
Cascading the corporate objectives throughout the organisation
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

and ensuring that all members of the organisation understand

how their role contributes to the organisational objectives
provides an important measure of inherent control. The
objectives themselves provide targets against which
organisational performance can be measured and this along with
compliance reviews is the basis of formal control.

4.3.3 Criteria 2 & 3–Capability & Commitment

Capable and committed employees, teams and committees are
the key to the development of a learning organisation focused on
innovation, continuous improvement and results. They are key
elements of inherent control and assist in providing reasonable
assurance that—
• the organisation’s objectives will be met within an acceptable
degree of residual risk; and
• opportunities will be recognised and assessed in a timely
manner.
Capability and Commitment are facilitated through human
resource and communication strategies aligned to the corporate
objectives to ensure—
• a direct link between objectives and competencies is
established, communicated throughout the organisation and
maintained;
• new competencies are anticipated and developed for
emerging opportunities;
• clarity of roles, responsibilities with matching authority
amongst all employees, committees and teams through clear
position descriptions, terms of reference, polices and
delegations;

www.standards.com.au  Standards Australia

 HB 254—2005 38

• a culture of ethical behaviour including respect for others is

developed and maintained by adoption of a code of conduct;
• risk management and control activities are incorporated as
part of normal business practice and systems; and
• implementation of an effective and efficient information
system that promotes an understanding of purpose, provides
for effective decision-making and facilitates open
communication.

4.3.4 Criterion 4–Monitoring and Learning

A measure of inherent control is provided through the system of
individual performance and compliance review at the individual
employee level and through self-evaluation of teams and
committees. These systems also provide opportunities for
learning and continuous improvement.
Board and management monitoring systems in the Independent
Assurance and Management Assurance Control Elements
perform a number of essential functions in providing formal
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

assurance in respect of the control environment and the

achievement of objectives. The following apply:
• Performance against corporate and business objectives
requires regular monitoring by management and the Board to
ensure objectives are being met. Suitable adjustments to
plans should be undertaken as identified.
• Compliance with the required laws, policies, standards,
procedures and guidelines both external and internal should
be reviewed regularly.
• The continuing effectiveness of the organisation’s planning,
information, risk management and control frameworks should
be reviewed and tested regularly.
• The external and internal environments are dynamic and
constantly changing as are the risks and the controls to
mitigate them. Opportunities add a further dynamic and all
require constant monitoring and assessment. As part of this
monitoring aspect the Board and management should
regularly test or question the underlying assumptions
underpinning the organisation’s strategic direction. This
aspect includes interaction with the Planning Control
Element.
• As business objectives are met or timelines pass, lessons
may be learnt from analyses of the root causes of both
successes and failures.
All of the above address the Monitoring control criterion. In doing
so, they provide information for the organisation to make
decisions on modifications to address variances from expected
performance or compliance, and to take advantage of
opportunities. These aspects address the control criterion of
Learning.

 Standards Australia www.standards.com.au

 39 HB 254—2005

4.3.5 Criterion 5–Information

Effective information systems are essential learning and control
mechanisms for assurance. Information should provide or
facilitate—
• timely and effective decision-making;
• clarity of roles, responsibilities, authority and expected
standards of behaviour at all levels of the organisation;
• timely relay of action items arising out of Board, Board
committee and management meetings to the appropriate
committee, team or employee;
• monitoring of the timely completion of action items;
• reports on periodical assessments of risks and controls;
• timely reporting in relation to organisational performance and
conformance; and
• communication and alignment of innovations (opportunities)
and continuous improvement.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Elements of useful information include—

• quality—matched to the purpose for which it is intended;
• quantity—just the right amount to provide clarity, neither too
brief nor too much; and
• timeliness—delivered at a time when required for decisions
or for communication purposes.
Consequently the Board and management should develop an
information framework for their organisation addressing the
above elements. Information plays a vital role in supporting the
criteria of Purpose, Capability and Commitment that form the
basis of inherent control. Similarly information is the vital link in
formal control through its support of effective decision-making,
and monitoring and reporting against critical risks.

4.4 Inherent control assurance

4.4.1 General
Inherent controls are those that promote purpose, capability and
commitment throughout the organisation, including the Board,
and are reliant on sound HR, ethics and communication.
Implementation of a governance system without attention to
inherent controls encourages compliance rather than
commitment and will not guarantee an effective control
environment.
Elements that contribute to an inherent control system include
systems thinking, developing a learning organisation, motivating
trust and relationships, and matching competencies with

www.standards.com.au  Standards Australia

 HB 254—2005 40

19
objectives . These elements, underpinned by Management
Principles, support the Control Criteria of Purpose, Capability
and Commitment and operate in all of the assurance Control
Elements proposed in this Handbook.

4.4.2 Systems thinking

Organisations are complex systems. The traditional method of
dealing with complexity is to break it down into component parts
and examine each part in isolation. This process is followed in
designing an organisational structure and assigning roles and
responsibilities throughout the structure. The very act of
assigning roles and responsibilities predisposes the organisation
to fragmentary or silo behaviour where individual parts
concentrate on their assigned tasks and function independently
rather than as an integrated whole focused on organisational
goals. Where fragmentary behaviour develops, a compliance
mentality follows and the worthy concepts of continuous
improvement and innovation fall by the wayside. Performance is
diminished and opportunities are lost.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Systems thinking takes a holistic view of an organisation based

upon the observation that autonomy is never absolute and that
all parts of the organisation are interdependent. Decisions are
never taken in isolation.
Additionally, organisations do not operate as closed isolated
systems but in a world that is both dynamic and complex. The
internal and external environments are constantly changing thus
creating situations that lead to competition and collaboration both
of which present opportunities and threats which must be
managed. Organisations are therefore continuously adapting to
change and are co-evolving with others.
In applying this concept to organisations the leadership skill is in
promoting an understanding that all divisions of the organisation
are part of an interconnected whole with the corporate objectives
as the unifying force. This aspect is facilitated in the planning
Control Element by integrating corporate, operational, team and
personal objectives.

4.4.3 Learning organisation

Learning organisations have cultures, which predispose them to
innovation and the early recognition of opportunities. The factors
that facilitate the change from a controlling to a learning
organisation include the development of a shared vision which in
turn relies upon open communication in a climate of commitment
and trust. New ideas are able to be shared allowing alignment of
ideas to give a common direction and this facilitates team
learning. In this environment risk taking is encouraged (are we

19
DAHMS, T. Systems and commitment in corporate governance. Keeping Good
Companies, 2002, Vol.55 no.1 p. 26-29 Chartered Secretaries Australia,.

 Standards Australia www.standards.com.au

 41 HB 254—2005

taking enough risk?), learning is shared and the focus of all

members is on organisational performance not conformance.

4.4.4 Trust and relationships

Where interdependent agents, both internal and external, wish to
co-ordinate their behaviours they must invest in creating, building
and maintaining trustful relationships. Without trust both parties
descend into non-communicative and defensive behaviour.
Innovation and synergy do not flourish and the opportunity is lost
for two to achieve more than they could by operating separately.
The more effort invested on building trust and relationships
within an organisation the lesser the need to retain
command/control structures founded on compliance. Where
members of an organisation, or co-operating organisations, are
willing to accept accountability and perceive that they are
operating in an environment of trust and synergy the reliance on
compliance is reduced. A greater focus on performance results.
Complementing the aspect of trust is the development and
maintaining a match of competencies with assigned
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

responsibilities.

4.4.5 Competencies
An organisation must align the competencies of its employees
with its objectives if it is to be successful. This alignment is
facilitated by sound HR practices involving job design with
matched position descriptions, recruitment and selection,
professional development, performance planning, staff retention
and succession planning.
Because of rapid external environmental changes currently
occurring these practices must be continually reviewed to ensure
the organisation maintains its core competencies and builds new
competencies to take advantage of opportunities. Senior
managers must view the organisation as a portfolio of
competencies, of underlying strengths and not just a portfolio of
business units. In short, strategic and operational HR planning
are fundamental tools for success and should not be neglected.

www.standards.com.au  Standards Australia

 HB 254—2005 42

5 Implementation–How
effective control can
provide assurance to
the board
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

5.1 Application of the Control Criteria

5.1.1 General
Control assurance is a balance between inherent and formal
control with inherent control assurance occurring seamlessly
throughout the organisation as part of normal business practice.
Formal control assurance is provided by the processes of
assigning tasks and monitoring and reporting on their
progress/completion. It has a compliance or command–control
focus.
The leadership skill required by the Board, CEO and senior
managers is to develop an effective balance between the two
assurance processes. By increasing assurance through inherent
control, formal control can concentrate on areas of critical risk,
the organisational focus becomes one of performance rather
than compliance and the governance style is based upon an
20
innovation–results model rather than command–control model .
Control assurance is based upon the application of the Control
Criteria across all of the Control Elements that are linked by an
Information System. These criteria are addressed in different
ways in each by varying the underlying Management Principles
according to the Control Element’s assurance focus as outlined
in the following discussion.

20
DAHMS, T. Implementing inherent control, improving performance, reducing
compliance. Keeping good companies, 2003, vol.55, no 2 p 78-82, Chartered
Secretaries Australia.

 Standards Australia www.standards.com.au

 43 HB 254—2005

5.1.2 Control Element 1–The Board

The Board is responsible for the strategic direction of the
organisation and its relationship with stakeholders.
Control Assurance focus
It is the Board’s responsibility to ensure—
• the capability and commitment of directors in relation to the
effective discharge of the Board’s responsibility;
• the organisation has an effective strategic direction;
• the implementation and maintenance of a control
environment that supports this strategic direction;
• the organisation operates within its legal and regulatory
obligations;
• the organisation can continue to function in the face of major
disruptions;
• the implementation of an information system that supports
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

effective decision-making and open communication;

• an effective linkage is developed between the Board and the
organisation through the CEO; and
• development of a capable and committed workforce that has
a clear understanding of the organisation’s purpose.
In short, the Board’s role is to promote the vitality of the
organisation thereby providing reasonable assurance as to its
viability.
Control Activities —
Control Assurance is facilitated by the following:
• Development of a Board operating manual setting out its
responsibilities, authority, operating procedures, and
relationships to the CEO and management.
• A Board code of conduct setting out expected ethical
behaviour and leading by example.
• An appropriate recruitment and selection policy and
procedures for directors that includes provisions for
succession planning.
• Induction procedures for new directors outlining the—
• nature of the organisation’s business and
operating environment; and
• Board responsibilities and accountabilities.
• Ongoing professional development to maintain and develop
new competencies amongst directors.
• Meetings and well maintained meeting papers that—
• are clearly laid out and circulated in advance of a
meeting to allow directors time to examine the
issues;

www.standards.com.au  Standards Australia

 HB 254—2005 44

• provide an indication of the outcome against

each agenda item;
• have an executive summary accompanying
detailed reports and submissions and where
necessary executive briefings at the meeting;
and
• contain all the necessary reports and information
for directors to make informed decisions;
• Regular review of information provided to the Board to
ensure its continuing support of Board decision-making.
• Regular self-evaluation of the Board, individual director
performance and operating charter.
• Recruitment and selection of a capable and committed CEO,
regular CEO performance reviews and CEO succession
planning.

5.1.3 Control Element 2–Organisation

Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Assurance in this Control Element is provided by the

development of capable and committed employees who have a
clear understanding of organisational and operational purpose.
These attributes can be facilitated by the CEO and management
through a number of processes that promote such
understanding.
The CEO has a pivotal role as the organisation’s representative
to the Board and the Board’s representative to the organisation.
In this role the CEO makes a significant contribution to control
assurance for the Board in a number of ways.
Control Assurance focus (CEO–Board relationship )
In this Control Element the CEO is responsible for inherent
control as follows:
• Providing purpose by ensuring the translation of corporate
objectives throughout the organisation in the form of
operational, business, team and individual plans.
• Designing and implementing the necessary HR and other
policies to ensure capability and commitment of employees
with respect to the objectives of the organisation.
• Providing assurance to the Board that effective inherent
controls have been implemented and are being appropriately
monitored.
• Developing risk management systems and strategies to
minimise negative outcomes, and identify, assess and
develop opportunities.
Control Activities (CEO–Board relationship)
In the Management Assurance Control Element the CEO
ensures that appropriate formal controls are implemented over
management functions and that these controls form the basis of

 Standards Australia www.standards.com.au

 45 HB 254—2005

effective monitoring and reporting systems to provide assurance

for the Board.
For this reason, Boards must have the highest confidence in the
CEO’s ability and ethics. CEO recruitment, selection,
performance review and succession planning are primary
inherent controls exercised by the Board.
Inherent control assurance in this Control Element is provided to
the Board through periodic reports on systems implemented by
the CEO and senior managers to address Purpose, Capability
and Commitment as follows:
• Planning and communication of objectives.
• Integrity and operation in relation to critical strategic and
operational HR systems involving policies such as
recruitment and selection, inductions, performance planning
and review, succession planning and reward systems.
• Periodic review of the organisation’s competency
requirements linked to professional development.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• Integrity of the organisation’s information systems.

Control Assurance Focus (Organisation)
The CEO, senior managers and employees should—
• be capable of performing their roles, and managing
associated risks and controls;
• understand the internal and external environments in which
their organisation operates;
• be committed to the mission and vision of the organisation
with an understanding of how their role contributes to the
achievement of the corporate mission and vision;
• have a clear understanding of their roles, responsibilities,
authority and expected standards of behaviour;
• readily accept accountability for their responsibilities
(objectives);
• support ethical behaviour through their actions, relationships
and dedication to duties, and through the endorsement of
principles such as those in AS 8002, Corporate governance—
Organizational codes of conduct; and
• have access to all the necessary information to discharge
their responsibilities and accountabilities, and to facilitate
innovation and continuous improvement (open
communication and ethical environment).
Control activities (Organisation)
Assurance is facilitated by—
• ensuring recruitment and selection processes are supported
by effective skills analysis and job design to ensure alignment
of competencies with corporate objectives;

www.standards.com.au  Standards Australia

 HB 254—2005 46

• ensuring competencies in risk management and control

issues are part of the selection criteria for recruitment and
selection processes;
• undertake and monitor corporate and work area inductions
to promote understanding of objectives, risk and control
associated with the organisation, work area and position;
• position descriptions, organisational and workplace
inductions, policies, procedures, delegations and codes of
conduct that provide clarity of roles, responsibilities, authority,
accountabilities and expected standards of behaviour;
• effective communication and professional development in
regard to risk and control issues, and their linkages to the
organisation’s business objectives;
• performance planning and review systems to monitor results
and identify personal development needs;
• regular job skills analysis to focus professional development
on the maintenance and development of competencies as
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

required;
• control self assessment programs;
• an information system to promote clarity of roles,
responsibilities and authorities and open communication
(supporting performance of duties and innovation); and
• senior management leading by example.

5.1.4 Control Element 3–Management Assurance

Assurance in this Control Element seeks to ensure that the
control environment is appropriate to risk, that the organisation is
performing against objectives and is complying with relevant
laws, regulations, policies and procedures.
This requires competencies in planning, risk management and
control, and the establishment and effective functioning of
committees and teams. The comments made under Independent
Assurance regarding the establishment and focused functioning
of committees applies here. These aspects are elements of
inherent control assurance with the outputs from these bodies
contributing to formal control assurance.
Formal control assurance is provided in two ways—firstly, by the
activities of bodies such as executive committees and teams,
and secondly, by internal reporting mechanisms that provide
assurance about compliance and the achievement of objectives
at all levels of the organisation.
The effective implementation and functioning of these assurance
mechanisms are key CEO responsibilities.
Control Assurance Focus (Employees)
Purpose, capability and commitment in this Control Element are
related to monitoring, review and reporting as follows—

 Standards Australia www.standards.com.au

 47 HB 254—2005

• appropriate skills and experience in planning, risk

management and accountability;
• knowledge of the organisation’s operational objectives, and
their integration and linkage to the organisational objectives;
• knowledge of the organisation’s control environment and its
relationship to organisational and operational objectives and
risks;
• clarity of roles, responsibilities and authorities in respect of
monitoring, reviewing and reporting;
• maintenance and development of new competencies as
necessary;
• commitment to ethical issues including conflicts of interest
and confidentiality of information.
• ready access to relevant information and reports.
Control activities (Employees)
Assurance is facilitated by the following—
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• recruitment and selection processes that include the

requirements for competencies in governance, planning,
monitoring, reviewing and reporting;
• position descriptions, policies, procedures and delegations
that provide clarity of assurance roles, risk management
responsibilities and authorities;
• organisational and workplace inductions that include
explanations of assurance responsibilities and authorities,
and promote understanding of the organisation’s business
environment, risk profile and expected standards of ethical
behaviour;
• promotion of ethical behaviour in relation to respect for the
system of law, respect for persons, integrity including
potential conflicts of interest, diligence and economy and
efficiency (includes leading by example);
• performance review in respect of assurance and ethical
behaviour;
• ongoing professional development programs to maintain and
develop new competencies in respect of governance and the
assurance function; and
• developing and maintaining information systems that provide
orderly pathways for timely and effective monitoring and
reporting, and facilitate innovation and continuous
improvement.
Control Assurance Focus (Committees/Teams)
Committees and Teams require—
• the necessary mix of skills and experience (competencies);
• clarity of roles, responsibilities and authority;

www.standards.com.au  Standards Australia

 HB 254—2005 48

• understanding of the business environment of the

organisation and operational area;
• maintenance or development of new competencies ;
• commitment to ethical issues such as potential conflicts of
interest and confidentiality of information;
• monitoring and assessment of performance;
• an information system that supports their monitoring, review
and reporting responsibilities.
Control activities (Committees/Teams)
Assurance is facilitated by—
• selection process to provide a mix of competencies relevant
to the committee/team’s area of responsibility;
• clear terms of reference setting out the roles, responsibilities,
powers and operational procedures of the committee/team;
• induction into the roles, responsibilities and powers of the
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

committee/team, its role in the governance of the

organisation, expected standards of behaviour and the
business environment of the organisation and operational
area;
• skills needs identification and ongoing personal development
programs to maintain and develop new competencies as
necessary;
• implementation of effective meeting procedures to ensure
active participation and informed decision-making by
members;
• development and maintenance of quality records to ensure
decisions are accurately recorded, and that action items are
noted and followed up;
• development and periodical review of reporting protocols to
ensure the committee/team provides and receives the
appropriate quality and quantity of the required information,
and in a timely manner;
• self-assessment against the terms of reference and annual
program set by the committee/team to gauge whether the
body is functioning as required and that its terms of reference
remain valid; and
• a management performance review of the committee/team
to ensure the body’s functions continue to add value to the
governance of the organisation.

5.1.5 Control Element 4–Independent Assurance

Assurance in this Control Element is provided through bodies
such as internal audit, external audit and audit committees. The
key characteristics of this Control Element are its objectivity and
independence from management.

 Standards Australia www.standards.com.au

 49 HB 254—2005

Small organisations, due to resource constraints, may decide not

to develop an internal audit unit. Alternative arrangements are
discussed at the end of this section.
Internal Audit
The roles and responsibilities of internal audit units include the
conduct of internal reviews of key financial and operational
activities, including information communication systems. The
reviews focus on operational effectiveness and efficiency as well
as compliance with financial and legal requirements. Through
these reviews, the audit committee and the Board can gain
assurance that—
• the internal control environment is operating as intended or
requires modification as necessary;
• there is a system for implementing new controls before
serious loss occurs rather than in response to loss; and
• there is a proactive system for anticipating change.
Board subcommittees function as special focus groups of
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

directors established to—

• ensure that a subject of particular interest to the Board will
receive adequate attention;
• bring independent judgment to bear in the committee’s
functional area of focus by selecting appropriately skilled and
experienced members to serve on the committee; and
• promote objectivity in committee decisions through the
outlining of functions in terms of reference that include the
specification of reporting duties to the Board.
Because of the extra administrative load that committees impose
and their leverage on directors’ time it is important to carry out a
cost/benefit analysis prior to establishing them. Once a decision
has been made to establish a committee, steps must be taken to
facilitate performance of the committee. Regular reviews are
required to assess the continuing contribution of a particular
committee to the governance of the organisation.
Because many jurisdictions have no statutory requirement to
establish particular committees, there is generally little uniformity
in relation to the types of committees across organisations.
Exceptions might be the audit, remuneration and nomination
committees. Of these the audit committee is of particular
importance in this Plan.
Audit Committees
Audit committees exist as advisory bodies to Boards and, among
other things, provide a quality assurance review as to the
effectiveness of the organisation’s control structures. This is
achieved through the provision of advice on audit and audit-
related matters and through its monitoring and review of the
audit function by —

www.standards.com.au  Standards Australia

 HB 254—2005 50

• approving a charter for internal audit setting out its role

responsibilities, authorities and reporting responsibilities;
• ensuring that the internal audit unit is adequately resourced
and its charter remains relevant;
• managing the selection and appointment process where
external service providers are utilised;
• directing internal and external audit resources towards the
coverage of high risk areas of the control and operating
environment;
• communicating internal and external audit issues and
recommendations to the executive group;
• ensuring an effective liaison is developed and maintained
between external and internal audit to reduce unnecessary
duplication and overlaps; and
• monitoring the implementation of adopted recommendations
from internal and external audit.
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

Processes addressing Purpose, Capability and Commitment

provide the inherent control assurance over the output of
committees. Internal and external audit by addressing Monitoring
and Learning provide formal control assurance. Implementation
of these processes is the responsibility of the Board assisted by
the CEO.
External audit
External audit’s assurance responsibility is primarily one of public
trust and it owes ultimate allegiance to external stakeholders.
Whilst the owners of the organisation—its shareholders—are a
primary audience, other important stakeholders may include
customers, creditors, regulators and the community. Audit
independence from the client organisation and the avoidance of
conflicts of interest are key principles.
Notwithstanding this external focus, external audit can provide
the audit committee and the Board with independent assurance
as to the functioning of the organisation’s control environment.
An important role for the audit committee is the facilitation of co-
operation between internal and external audit to reduce overlaps
or duplication in coverage.
Independent Control Assurance Focus (Internal Audit,
External audit and Board Committees)
Independent bodies responsible for independent control
assurance require—
• the necessary mix of skills and experience (competencies);
• clarity of roles, responsibilities and authority;
• understanding of the business environment of the
organisation;
• maintenance or development of new competencies as
necessary;

 Standards Australia www.standards.com.au

 51 HB 254—2005

• commitment to ethical issues such as conflicts of interest

and confidentiality of information;
• monitoring and assessment of performance; and
• an information system that supports their monitoring, review
and reporting responsibilities.
Control Activities to address the above control assurance focus
vary with the functional nature of each body as follows.
1 Control activities (Internal and External Audit)
Assurance is facilitated in both Internal and External Audit by a
mixture of internal resources and external service providers in
the case of internal audit and entirely external resources in the
case of external audit. External service providers have additional
assurance requirements over and above those applying to
internal resources. These additional requirements are outlined
below under External Service Providers.
(a) Internal Service Providers (Internal Audit)
Assurance is facilitated by—
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• an appropriate internal audit charter setting out the roles,

responsibilities, authority and reporting responsibilities for the
internal audit function;
• recruitment and selection processes to provide an
appropriate mix of skills;
• organisational and workplace inductions to promote
understanding of the business risk profile of the organisation,
the internal audit function and expected ethical behaviour;
• professional development programs aimed at maintaining
and developing new skills as necessary;
• effective information systems to provide effective control
assurance reporting; and
• monitoring and review to maintain quality in the performance
of responsibilities, including the extent and timing of the
implementation of audit recommendations.
(b) External Service Providers (Internal and External Audit)
Whilst it is recognised that internal and external audit differ
in their operational focus they share a number of risks and
controls associated with their selection, appointment and
operating protocols. Dealing with these common risks
requires—
• transparent and rigorous contract selection processes
addressing skills and experience to ensure competencies are
relevant to the tasks to be undertaken;
• contract agreements clearly setting out—
• expected roles, responsibilities and authorities;
• ethical issues especially addressing conflicts of
interest and confidentiality;

www.standards.com.au  Standards Australia

 HB 254—2005 52

• deliverables (reports with clear reporting

protocols); and
• performance measures and procedures for
performance review;
• induction into the business environment of the organisation;
and
• regular performance review against expectations.
2 Control Activities (Board Committees)
Assurance in Board committees is facilitated by—
• selection process to provide a mix of competencies relevant
to the committee’s area of responsibility;
• clear terms of reference setting out the roles, responsibilities,
powers and operational procedures of the committee;
• induction into the roles, responsibilities and powers of the
committee, its role in the governance of the organisation and
expected standards of behaviour;
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• ongoing professional development programs to maintain and

develop new competencies as necessary;
• implementation of effective meeting procedures to ensure
active participation and informed decision-making by
members;
• development and maintenance of quality records to ensure
decisions are accurately recorded and transmitted to the
appropriate employees, and that action items are noted and
followed up;
• development and periodical review of reporting protocols to
ensure the committee provides and receives the appropriate
quality and quantity of information in a timely manner;
• self-assessment against the terms of reference and annual
program set by the committee to gauge whether the body is
functioning as required and that its terms of reference remain
valid; and
• a Board performance review of the committee to ensure its
functions continue to add value to the governance of the
organisation.

5.2 Medium to Small Organisations

Where organisations do not have the resources to adequately
fund an internal audit unit they need to implement alternative
procedures to provide control assurance to the Board.
The Board should set out its decision in relation to internal audit
and any alternative arrangements in an Internal Audit Policy that
might include provisions for—

 Standards Australia www.standards.com.au

 53 HB 254—2005

• an annual review of the continuing relevance of the

organisation’s Internal Audit Policy;
• conducting workshops for directors and senior managers to
develop competencies in planning and risk management;
• ensuring all employees are capable and committed in
relation to the organisation’s mission and vision, and to risk
management and control (i.e. develop a sound system of
inherent control);
• developing effective risk/control reporting processes and
instigating discussions on the organisation’s risk environment
and controls at each Board meeting;
• assigning to each director a particular aspect of the
organisation’s activities and seeking regular reports on its
performance, risk (internal and external), emerging
opportunities and controls;
• requesting the external auditor to carry out additional work;
and
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

• the engagement of independent, external resources as

needed for reviews of areas of particular concern to the
Board, e.g. acquisition of new information systems; IT
security etc.

www.standards.com.au  Standards Australia

 HB 254—2005 54

6 Managing change
The concepts and processes outlined in the Control Assurance
Plan are underpinned by standard management practices
already utilised in all organisations. For this reason it is not
necessary to engage extra resources or develop additional
bureaucracies, but rather to refine and align current business
practice. Nevertheless, it is important to develop an
implementation plan and obtain buy-in initially from senior
21
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

managers and ultimately from all members of the organisation.

Priority should be given to developing a top-down bottom-up
planning process linking strategic and operational objectives,
and implementing enterprise-wide risk management and
information frameworks. Concurrent implementation processes
enhancing workforce capability and commitment will involve
cultural changes requiring time to generate buy-in. This being so,
the initial steps may involve a degree of compliance which will
diminish as capability and commitment grow. Effective change
management is therefore a critical instrument of control for
successful implementation.

21
Implementing Turnbull, A Boardroom Briefing. http://www.icaew.co.uk/

 Standards Australia www.standards.com.au

Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

NOTES
55
HB 254—2005
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

HB 254—2005

NOTES
56
 Standards Australia
Standards Australia is an independent company, limited by guarantee, which prepares and publishes
most of the voluntary technical and commercial standards used in Australia. These standards are
developed through an open process of consultation and consensus, in which all interested parties are
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

invited to participate. Through a Memorandum of Understanding with the Commonwealth government,

Standards Australia is recognized as Australia’s peak national standards body. For further information
on Standards Australia visit us at

www.standards.org.au

Australian Standards
Australian Standards are prepared by committees of experts from industry, governments, consumers
and other relevant sectors. The requirements or recommendations contained in published Standards are
a consensus of the views of representative interests and also take account of comments received from
other sources. They reflect the latest scientific and industry experience. Australian Standards are kept
under continuous review after publication and are updated regularly to take account of changing
technology.

International Involvement
Standards Australia is responsible for ensuring that the Australian viewpoint is considered in the
formulation of international Standards and that the latest international experience is incorporated in
national Standards. This role is vital in assisting local industry to compete in international markets.
Standards Australia represents Australia at both ISO (The International Organization
for Standardization) and the International Electrotechnical Commission (IEC).

Electronic Standards
All Australian Standards are available in electronic editions, either downloaded individually from our web
site, or via On-Line and DVD subscription services. For more information phone 1300 65 46 46 or visit
Standards Web Shop at

www.standards.com.au
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)
Accessed by SWINBURNE UNIVERSITY OF TECHNOLOGY on 08 Mar 2015 (Document currency not guaranteed when printed)

This page has been left intentionally blank.