files.transtutors.com€¦ · web viewcase study assignment. ffp pty ltd . student name _____...

CASE STUDY ASSIGNMENTFFP PTY LTD STUDENT NAME ___________________

STUDENT NUMBER_________________(Found in your confirmation email. It is not your

USI)

COURSE 10131NAT Certificate IV in Compliance and Risk Management

TRAINER __________________________

DATE _____________________________

Drawing upon the knowledge you have learned since commencing your training in the Certificate IV in Compliance & Risk Management, you are to complete the following case study.

1

CASE STUDY – FFP PTY LTD

BACKGROUNDFFP Pty Ltd is one of Australia’s largest manufacturers and distributors of spectacle frames and is a major importer of many of the world’s leading brands of premium frames and sunglasses. They operate solely as a wholesaler and have relationships within a dealer network Australia wide.

Cecil Fitzgibbon is the CEO, owner and founder of the company.

Cecil can recall the days he started the company operating out of a small facility on the outskirts of Mildura, Victoria. Business grew rapidly and Cecil brought in several close acquaintances to assist with the growth – like Cecil they possessed strong entrepreneurial skills and a focus on sales.

PAST ISSUESAfter approximately 12 months of continued business growth Cecil was constrained in his current location because:

Mildura was not a central location for a distribution business and was adding a 10% premium to his costs;

His premises had reached storage capacity; His current business support had largely been run from his study and there was

insufficient room for all the required staff.

To address these issues he leased an office/warehouse suite on the outskirts of Melbourne.

Following his relocation to Melbourne his business continued to grow and he successfully won the distribution rights of another 2 leading sunglass brands. FFP continue to pride themselves on their large market ‘footprint’ whilst still maintaining a lean sales focused operation. Whilst Cecil was required to bring in some staff to support operations he tried to minimise what he considered were non-revenue generating resources.

CURRENT ISSUESCecil is concerned that a number of issues have distracted his management team in the past 12 months. They include: Six months ago, it became apparent that the top-selling sunglasses frame (‘Flash’)

had a design fault. A number of customers have complained that the sunglasses easily snap on the nose bridge, resulting in shards of plastic flying into the face of the wearer. One customer required plastic surgery and is suing FFP. FFP has now

1

addressed the design fault, but does not want to issue a product recall due to the bad publicity that will result. It prefers to settle matters on a case by case basis when a customer complains. He also decided the injuries were not that serious so he didn’t bother to report them.

Cecil noticed that a number of distributors were selling one of his premium brands (‘Peace’) at prices below the recommended retail price (RRP). Cecil met with them and urged that they not sell below the RRP. The competition regulator (Australian Competition and Consumer Commission [ACCC]) became aware of this and fined both FFP and Cecil personally for undertaking this action. Cecil’s (unsuccessful) defense was that he did not know it was illegal to do this.

As part of the cost-cutting measures, Cecil has essentially removed the ‘middle layer’ of management from the factories which manufacture the frames. He understands the need for ongoing communication however, and has instituted a ‘hand-over’ book. When team leaders sign off from their shift they must write down any issues or concerns that happened and the new team leader must read it before commencing their shift. Despite monthly certificates signed by the team leaders that they read the hand-over book, the accident rate has increased by 60% in the past 6 months. Tragically, one was a death which appears to be due to an employee not knowing about a faulty safety guard and was killed carrying out maintenance on a machine. Workcover is investigating.

A large number of imitation frames have recently entered the Australian market. While sold primarily at local suburban markets (and not retail outlets), Cecil has noticed that the number of fakes is on the increase and having a direct impact on his profit.

CURRENT SIZE AND MANAGEMENT STRUCTURE OF FFP OPERATIONSFFP’s total employee count is approximately 1000 and the management team comprises:

CEO, Sales Manager, Compliance Officer, Marketing Manager, Finance & Strategy Manager, Operations Manager and Head of Product Sourcing.

COMPLIANCE ASSIGNMENT INSTRUCTIONSYou are the Compliance Officer for the organisation and have only been appointed to the position in the last month. The previous compliance officer was Cecil’s uncle (a failed financial planner) who retired after only 1 year in the position.

Using the information contained in the Case Study, you are to produce the following deliverables:

1. Part 1: REVIEW CURRENT COMPLIANCE PROGRAM

2

Refer to part 1 in the following assessment for instruction

2. Part 2: PERFORM A COMPLIANCE RISK ASSESSMENTRefer to part 2 of the assessment for instructions

3. Part 3: DEVELOP A COMPLIANCE RISK TREATMENT PLANRefer to part 3 of the assessment for instructions

4. Part 4: DEVELOP AN AWARENESS COMMUNICATION AND TRAINING PLAN (ACT PLAN)Refer to part 4 of the assessment for instructions

5. Part 5: DEVELOP A COMPLIANCE MONITORING PROGRAMRefer to part 5 of the assessment for instructions

ASSESSMENTYou must carefully read the attached assessment criteria at ANNEX C. This is the marking guide that will be used by the assessor to assess your work. NOTE: the various units are colour coded

The full assessment is to be no more than 5000 words (including annexures and attachments). Assessments that exceed the maximum word limit (i.e. less than 3,500 words or greater than 6,000 words) may be rated Not Yet Satisfactory. (NOTE: the word count does not include the instructions etc. that are about 6,500 word)

While working through the parts you can contact GRC Institute for assistance by phone 612 9290 1788, email questions to [email protected] or send work in progress (WIP) to [email protected]

The assessment includes: BSBWRT401 Write complex documents. This means the assessment MUST be completed using a word processor and submitted as an electronic file with a version controlled file names as in: Cert IV FFP 99999 (Student ID) v1.docx. resubmission become v2 etc

Your report can be graded as: S = Satisfactory (pass) NYS = Not Yet Satisfactory (resubmission required)

SATISFACTORY GRADE

To obtain a satisfactory grade (pass) you must satisfactorily meet all the criteria set out in the assessment sheet at Annex C.

NOT YET SATISFACTORY GRADE (‘NYS’)

If you are rated NYS on one or more of the assessment criteria at Annex C, your entire assignment will also be assessed as NYS.

You will be advised by your assessor what is required to achieve a satisfactory grade and you will need to resubmit a fully amended assignment for reassessment within a specified timeframe. For minor issues the resubmission will not be charged. Only the minor rectifications will be reviewed on the second submission.

3

mailto:[email protected]


For major resubmissions (rare) a fee of $250 + GST may be charged in order for the external assessor to review your assignment. You will be advised of this fee once again when you receive your results should they be deemed not satisfactory.

4

Part 1: REVIEW CURRENT COMPLIANCE PROGRAM

Read the PRESENT ISSUES on page 2 and outline three significant compliance requirements for the Case Study Organisation (FFP). The three issues should be what you consider to be the most obvious issues.

NOTE: to ensure that you are on track send this part to [email protected] for a WIP check. This will ensure that you are not spending too much time/over killing obvious answers to simple questions.

Significant Compliance Requirement

Description

e.g. Australian Product Safety (APS)

(note this is an example ONLY and not necessarily obvious. You should choose obvious examples to keep it simple)

APS has a recalls advisory service on ACCC’s webThis website lists information that should be taken into account when making a decision to recall or not to recall a product. FFP did not investigate this when weighing its decision not to recall.

NOTE: keep the description brief. No solutions required here

1. Certificate of design Six months ago it Become apparent that top selling Sunglass frame had design Fault is that sunglass easily snap on the nose bridge.

2. WH&S

He did not report customer injury to WH&S because he thought injury is not serious

3. Product Testing Tragically, one was a death which appears to be due to an employee not knowing about a faulty safety guard and was killed

5


Q: Using the Three Lines of Responsibility model (Module 1), outline the compliance responsibilities for each of the following members of Cecil’s management team and the external auditor. The appropriate Line of Responsibility must be identified.

NOTE: Three Lines of Responsibility refer to who is, or should be, accountable at the appropriate level. This may be different to the three lines of defence where, for example, the CEO may be placed in the third line or second line of defence. For the Three Lines of Responsibility ask yourself, “who is or should be accountable at the front line?”, “who sets the tone from the top?”, “where should the buck stop?” or who, in the light of the Royal Commission is to be held responsible and be included in the First Line?.

Appointment Line Responsibility AccountabilitySales Manager

First Line

Sales Team Fraud prevention Misleading & deceptive conduct Diversity issues WH&S (OHS)

CEO, creating, planning, implementing, and integrating the strategic direction and day to day operations.

All Operational Decision of the company

Board of Directors

determining and implementing the company's policy, directors' meetings, Appoint a Company CEO

Compliance Officer,

Marketing Manager,

Finance & Strategy Manager,

Operations Manager

Head of Product Sourcing.

6

External Auditor

7

FFP COMPLIANCE PROGRAM ANNEX AThe following is the current compliance program for FFP…Read it ‘as is’ and complete the following table. Ensure you complete the Problem heading (Xxxxx) and the ISO 19600 code.e.g. 4.5 Compliance obligations

Board adoption of corporate governance principles and practices. Needs to develop these. Board and senior management also need to identify the resources required to implement a program on a 3-year rolling budget. Develop, document and implement business processes and controls and develop, document and implement a review business units and roles against Key Performance Indicators (KPIs). Also need to think about a training program at some stage. Establish a reporting regime? Document and capture compliance activities as records. Establish a program and timeline for review and then update against regular compliance risk and compliance maturity assessment. During the implementation period of the new compliance program, the compliance function team should provide a training session to all related parties about the new policy. A clear written policy (which signed off from CEO) should be handed to the staff during the training. Other than briefing of the handling of new policy, the compliance function team should also remind the importance of being complied with any regulation or any potential violation. This was not only for teaching the staff about the new policy, but also to promote a compliance culture in the company. The training might provide a chance of understanding the advantage of being compliance in order to encourage the staff to follow with positive motivation. The compliance function team should report the indicators to management team periodically. Reviewed the effectiveness and advised any possible enhancement for improvement, moreover, to update the policy if there was any new change of regulation. Management may review the effectiveness of the compliance program by checking the training materials and attending lists, moreover the evaluation of the training course in order to understand the quality of the training and the acceptance in the company. Also, the finding report or complaint report from internal or external parties may show the picture of the effectiveness of the policy.

8

Q: Provide a one-page (single sided) point-form brief for Cecil identifying a minimum of 5 problems in relation to ISO19600 (Compliance Management Systems) with the operation of the current compliance program (attached as Annex A above). You must briefly explain each problem. You may use the template below.

Problems in relation to ISO19600

Summary of current policy andExplanation of problems

Problem 1 Xxxxxx

ISO19600 standard?

Problem 2 Xxxxxx

ISO19600 standard?

Problem 3 Xxxxxx

ISO19600 standard?

Problem 4 Xxxxxx

ISO19600 standard?

Problem 5 Xxxxxx

ISO19600 standard?

NOTE: Is it time for another WIP check?

9

ANNEX BPart 2: PERFORM A COMPLIANCE RISK ASSESSMENTWith reference to ISO 31000:2009 Risk Management - Principles and Guidelines, assess a minimum of 5 compliance risks evident in the organisation’s operations (Re-read BACKGROUND, PAST ISSUES, CURRENT ISSUES and the CURRENT COMPLIANCE PROGRAM). Two of the 5 risks assessed must include Corporate Governance and at least one Legal Risk.

a. Risk Description. Each risk must be specific to the Case Study organisation and must be assessed in the context of the information provided. General assessments of risk that appear generic and are not clearly applied to the Case Study organisation or the context of the case study will result in the assignment being assessed as ‘Not Yet Satisfactory’.

b. Risk Rating. You are to rate each risk using the risk rating criteria in tables 1.4, 1.5 and 1.6 of your course notes (Module 1). You are not required to develop your own risk rating criteria.

c. Risk Tolerance. Weighed down by his various "run-ins" with the law over the past 12 months, Cecil has become quite risk averse. He has advised you that he wants no more problems with regulators and that his risk tolerance for anything "illegal" is very low. When completing the risk assessment you are to provide risk tolerance levels that you believe are appropriate for FFP in light of Cecil's concerns. You are not to consider the likely risk tolerance levels prior to your arrival as FFP's compliance officer. As a general rule where WHS issues may result in death or physical harm it usually best to keep the tolerance level at low.

d. Risk Priority . Refer to module 1. “Risk priority can be determined by the gap between the risk rating and the risk tolerance. Where the risk rating is greater than the organisation’s risk tolerance it is likely that the organisation will decide MUST treat, especially where the risk is a regulatory/legislative risk.”

e. If Legislative and/or Regulatory write YES and state the legislation e.g. WHS, ACL etc. f. If NOT legislative/regulatory state the ISO31000 code e.g. 4.2 Communication and consultation

Presentation. The risk assessment report is most efficiently presented in tabular form. As a minimum, the Compliance Risk Assessment must address all the elements contained in the model in Annex A of Module 1 course material and provided overleaf.

For this assessment may use the matrix in Module 1 -shown below. Alternatively, you can use another matrix BUT you must insert a copy of it here.An example of a risk matrix, using the likelihood and consequences risk criteria (refer Module 1 Tables 1.4 and 1.5 and Table 1.6).

CONSEQUENCETable 1.6 Sample Risk Matrix (ACT Insurance Association, 2004)

10

LIKELIHOOD Insignificant

Minor Moderate MajorCatastrophi

cAlmost Certain

Medium High High Extreme Extreme

Likely Medium Medium High High Extreme

Possible Low Medium Medium High Extreme

Unlikely Low Medium Medium High High

Rare Low Low Medium Medium High

ANNEX BPerform a Compliance Risk Assessment (using Model compliance Risk Register from Module 1)© GRCI

Reference ID

Describe the risk / areas of risk

Current risk Risk tolerance

Risk Priority

Legislative and/or Regulatory Obligation(Yes/No)

Rate the likelihood =

Rate the consequence =

Risk Rating -based on risk matrix

Almost certainLikelyPossibleUnlikelyRare

CatastrophicMajorModerateMinorInsignificant

LowMediumHighExtreme

LowMediumHigh

A MustB ShouldC Could

For YES include legislation/reg (e.g. WHS)For NO include ISO 31000 (Risk)

ID 1 Y/N?

ISO 31000 code OR Reg?

ID 2

ID 3

ID 4

ID 5

11

ANNEX BPart 3: DEVELOP A COMPLIANCE RISK TREATMENT PLAN

Develop Compliance Risk Treatment Plans that clearly and explicitly treats at least three risks that require treatment. The treatment plan must be benchmarked against the relevant Principles contained in ISO 19600. As a minimum, the Compliance Risk Treatment Plans must address all the elements contained in the model in Annex B of Module 1 (Assessment 1.2) course material and provided below.

Develop a compliance risk treatment plan© GRCI –Plan 1

ID ? - Non-compliance with ????? (align with ID # above)Risk Priority

A - Must

12

ANNEX B

ASSE

SS

Risk Description Current Controls Gap / Issues to Address ISO 19600Compliance

ISO19600 code?

TREA

T

Treatment Options in order of Priority Reason for Selection / Rejection

1. Xxxxx2. Zzzzz

1. ACCEPT….2. ACCEPT….

IMPL

EMEN

T

Actions Resources Time Frames Accountable Appointment

1. 1. 1.

MO

NIT

OR

Key Performance Indicator Monitoring / Reporting Residual Risk

1.

13

IMPL

EMEN

T

ANNEX B

14

ANNEX B


ID ? - Non-compliance with …….Risk Priority

A - Must

ASSE

SS

Risk Description Current Controls Gap / Issues to Address ISO 19600

ISO19600 code?

15

ANNEX B

TREA

T


1.

IMPL

EMEN

T

Actions Resources Time Frames Accountable Appointment

1. 1. 1.

MO

NIT

OR


1. 1.

16

IMPL

EMEN

T

ANNEX B


ID ? - Non-compliance with …….Risk Priority

A - Must

ASSE

SS

Risk Description Current Controls Gap / Issues to Address ISO 19600

ISO19600 code?

TREA

T


1.

17

ANNEX B

IMPL

EMEN

TActions Resources Time Frames Accountable Appointment

1. 1. 1.

MO

NIT

OR


1.

18

IMPL

EMEN

T

ANNEX B

Part 4: DEVELOP AN AWARENESS COMMUNICATION AND TRAINING PLAN (ACT PLAN)

You are required to develop an ACT Plan for one of the risks requiring treatment. For each component of the ACT model (ie Awareness Communication and Training) you are to

provide a point-form brief for the CEO. Each brief is to provide the following:1. Identify the audience for each component (ie Awareness Communication and Training)2. Develop a successful strategy for each component (ie Awareness Communication and

Training) following the 5 elements as defied in Module 4. These elements are:

Objectives - what do we want to achieve? Strategy - how are we going to do it? Messages - what are we going to say? Implementation - what are we going to do, and when? Evaluation - what was the impact and did we achieve our objectives? Budget - estimate any direct costs for each strategy

Each brief is to be no more than one page (single sided). You may wish to use the templates overleaf.

19

ANNEX B

4. Develop an awareness communication and training plan (ACT plan) Awareness

NOTE: the following A4 portrait page can be read side by side for each component of the ACT plan

ID (Insert ID and title of the risk to be treated from the 3 listed above in part 3)

Component 1 AwarenessAudience/Target (who is involved in the ACT Plan?)

1.2.3. NOTE: At least one group is to be included here

Objectives (what you want to achieve from the ACT Plan?)

1.2.3. NOTE: At least two objectives

Strategy (how you are going achieve Awareness, Communication and Training)

1.2.3. Minimum 2

Messages (what do you the them to be aware of, communicated to them, and the key point of training?)

1.2.3. Minimum 2

Implementation (how is each component of Awareness, Communication and training be done?)

1.2.3. Minimum 2

Evaluation (was awareness, communication and training effective)

1.2.3. Minimum 2

Budget (include all costs + an estimate of internal resource and staff costs)

1.2.3.

20

ANNEX B


Component 2 CommunicationAudience 1.

2.3.

Objectives 1.2.3.

Strategy 1.2.3.

Messages 1.2.3.

Implementation 1.2.3.

Evaluation 1.2.3.

Budget 1.2.3.

21

ANNEX B


Component 3 TrainingAudience 1.

2.3.

Objectives 1.2.3.

Strategy 1.2.3.

Messages 1.2.3.

Implementation 1.2.3.

Evaluation 1.2.3.

Budget 1.2.3.

22

ANNEX B

Part 5: DEVELOP A COMPLIANCE MONITORING PROGRAM

Drawing upon the knowledge you have learned on the course and following the steps outlined in Module 7 you are to conduct a Compliance Monitoring Program for one of the risks treated in Part 3: DEVELOP A COMPLIANCE RISK TREATMENT PLAN of the assignment. You are to assume that 6 months has passed since the breaches / issues were identified and appropriate controls implemented. In addition, you are to draw upon your own experience in a compliance workplace and your limited knowledge of the central actors in the case study to imagine the types of behaviours and problems that may have arisen that would undermine or compromise the controls you implemented. Accordingly you may use some creative licence to complete this final task.

Part A – Planning

Document Monitoring Plan - Prepare a compliance monitoring plan for FFP Pty Ltd that will evaluate and test the controls that were implemented to remedy any breaches or issues identified in the Compliance Risk Assessment. You only need to do this for one of the treated risks.

Document your monitoring plan in the “Planning” section of the template provided overleaf.

Part B – Execution

Conduct Monitoring – Based on the controls implemented to rectify the breaches and / or issues identified evaluate the likely effectiveness of these controls. Complete the relevant sections of the Compliance Monitoring Program in the “Execution” section.

Part C – Delivery

Report Monitoring Results - Document the potential findings in the “Delivery” section of the Compliance Monitoring Program. In addition, you must make appropriate recommendations and consider the next steps required to address potential concerns.

You should use the templates overleaf.

ANNEX B

5. Develop a Compliance Monitoring Program using model from Module 7 © GRCIID (Insert ID and title of the risk to be treated from the 3 listed above in part 3)

Plan

ning

Monitoring ObjectiveWhat is the purpose of the monitoring?

Team RolesWho will be in the team?

TechniquesWhat will they do?

Individual Compliance Monitoring Plan (ICMP)

No of Days

Data Collection / Interviews

Contributors to final report

Person responsible for tracking outcomes

Pre Monitoring CommunicationWho will you talk to?

What Information System is being monitored? This may include both manual and electronic systems

Analytical check / Assessment – What are some potential causes that explain why the breach occurred?

Risk Assessment – In light of the breaches identified, update the risk assessment ratings

Reference Id Existing Risk Rating

Existing Risk Tolerance

Existing Risk Priority

From ANNEX B p9

Updated Risk Rating

Updated Risk Tolerance

Updated Risk Priority

**As a general rule where issues may result in death or physical harm it is usually best to keep the tolerance level at low.

ANNEX B

Exec

ution

List the data you would examine and analyse

What elements of the computer systems would you examine?

What processes would you examine? What people would you interview

What specialists might you contact

ANNEX B

Deliv

ery

Findings Recommendations Next Steps

Declaration of Own Work: Students MUST complete this declaration; refer to GRC Academic Integrity Policy (GRC-AIP) at the end of these assessments. I, (insert Student Number only)___________________________, certify that the submitted assessment is my own work based on personal experience, work experiences or research. If other sources have been used they have been referenced –refer GRC-AIP. If collaboration has been used it was in accordance with the assessment requirements and not the result of cheating. Online submissions: Tick Box ☐ Dated ___/___/____

ANNEX C

This completes the Case Study (FFP) assessment. Please forward the completed

document to [email protected]

THERE ARE 5 PARTS TO THE CASE STUDY ASSESSMENT AND ALL ARE TO BE ASSESSED AGAINST ALL RELEVANT COMPETENCIES

1. ASSESSMENT CRITERIA – REVIEW CURRENT COMPLIANCE PROGRAM2. ASSESSMENT CRITERIA – PERFORM A COMPLIANCE RISK ASSESSMENT3. ASSESSMENT CRITERIA – DEVELOP A COMPLIANCE RISK TREATMENT PLAN4. DEVELOP AN AWARENESS COMMUNICATION AND TRAINING PLAN (ACT)5. ASSESSMENT CRITERIA – DEVELOP A COMPLIANCE MONITORING PROGRAM

Each of these assessed separately as follows (note all are assessed against several holistically grouped competencies)


ANNEX C

Student name _____________________________________ Student No. _________________________

ASSESSOR USE ONLY: Students may wish to use this as a guide.1. ASSESSMENT CRITERIA – REVIEW CURRENT COMPLIANCE PROGRAM

LEGEND: UNIT & COLOUR BSBCOM401BSBRSK401BSBCOM402BSBCOM404BSBCOM403PSPREG017BSBWRT401

PERFORMANCE CRITERIA - ASSIGNMENT SATISFACTORY NOT YET SATISFACTORY COMMENTS(NYS ONLY)

1.1 Confirm and interpret the compliance requirements applicable to the organisation

Three significant compliance requirements are identified

Three significant compliance requirements are not identified

1.2 Examine the structure of the organisation to determine the roles, accountabilities and responsibilities of managers and operational staff in maintaining compliance within the organisation's planned compliance program/management system.

Compliance responsibility and accountability for each member of the management team is identified.

Compliance responsibility and accountability is not identified for each member of the executive team.

3.1 Gather information on the operation of the compliance program/management system from appropriate sources

5 or more legitimate problems regarding the existing compliance plan are identified and explained.

5 or more legitimate problems regarding the existing compliance plan are not identified.

One or more problems identified are not legitimate problems.

Problems are only listed

3.3 Identify problems in the operation of the compliance program/management system and in particular any breach of compliance requirements and take appropriate action to address problems

ANNEX C


without explaining why the issue identified is a problem.

4.2 Prepare and disseminate periodic reports on the operation of the compliance program/management system, identify any operational problems and take any related action to relevant internal and external personnel

29

ANNEX C

2. ASSESSMENT CRITERIA – PERFORM A COMPLIANCE RISK ASSESSMENT


1.2 Identify risks using tools, ensuring all reasonable steps have been taken to identify all risks

At least 5 compliance risks (including corporate governance and legal risk), are clearly identified.

Risks are assessed using risk assessment methodologies / tools required by AS/NZS 31000:2009.

Each risk is specific to the case study

Compliance Risk assessment includes all elements required by the Compliance Risk Assessment Model provided in Annex A of Module 1

Less than 5 compliance Risks, required by the assignment, are outlined or described.

Corporate governance and / or legal risk are not identified and assessed.

Risks are not assessed using risk assessment methodologies / tools required by AS/NZS 31000:2009.

Risks identified are generic and are not clearly linked to the case study.

Compliance Risk Assessment does not include all elements required by the Compliance Risk Assessment Model provided in Annex A Module 1

1.3 Document identified risks in accordance with relevant policies, procedures and legislation

2.1 Analyse and document risks in consultation with relevant stakeholders2.2 Undertake risk categorisation and determine level of risk2.3 Document analysis processes &outcomes

1.1 Identify the context for risk management Each risk is clearly prioritised according to the context of the operating environment and the objectives of the organisation

Understanding of the organisations operating environment or objectives not demonstrated

Fails to prioritise the identified risks cognisant of the current risk context

30

ANNEX C

3. ASSESSMENT CRITERIA – DEVELOP A COMPLIANCE RISK TREATMENT PLAN


2.1 Confirm the components of the planned compliance program / management system and clarify the proposed structures, procedures and budgetary arrangements for their implementation

Only those Compliance Risks that require treatment (ie, where risk rating is equal to or less than risk tolerance rating) are selected for a Compliance Risk Treatment Plan

Appropriate Compliance Risk Treatment Plans are developed for each selected risk in accordance with Annex B of Module 1

Compliance Risk Treatment Plan clearly and explicitly identifies the relevant Principle/s contained in AS/NZS3806 (2006) against which the treatment is benchmarked .

Compliance Risks that do not require treatment (ie, where risk rating is equal to or less than risk tolerance rating) are selected for a Compliance Risk Treatment Plan.

Appropriate Compliance Risk Treatment Plans are not developed for each selected risk in accordance with Annex B of Module 1

Compliance Risk Treatment Plan does not identify the relevant Principle/s contained in AS/NZS3806 (2006) against which the treatment is benchmarked .

3.1 Determine appropriate control measures for risks and assess for strengths and weaknesses3.2 Identify control measures for all risks3.4 Choose and implement control measures for own area of operation and/or responsibilities3.5 Prepare and implement treatment plans4.3 Provide assistance to auditing risk in own area of operation4.1 Regularly review implemented treatment/s against measures of success4.2 Use review results to improve the treatment of risks2.2 Develop an implementation strategy and schedule for the establishment of the planned compliance program /management system in accordance with relevant Australian and international standards

3.4 Provide detailed compliance requirements in the case of breaches, initiate specific timely action and inform all relevant internal and external personnel through the established reporting systems

Appropriate timeframes for implementing and monitoring improvements / controls are provided in the Compliance Risk Treatment Plan.

Appropriate timeframes for implementing and monitoring improvements / controls are not provided in the Compliance Risk Treatment Plan.

4.4 Monitor and review management of risk in own area of operation1.1 Monitor fulfilment of compliance requirements in operations within areas of responsibility in accordance with the organisation's established compliance program/management system

31

ANNEX C


1.2 Examine the structure of the organisation to determine the roles, accountabilities and responsibilities of managers and operational staff in maintaining compliance within the organisation's planned compliance program/management system

Appropriate appointments for implementing and monitoring improvements / controls are provided in the Compliance Risk Treatment Plan.

Appropriate resources for implementing and monitoring improvements / controls are provided in the Compliance Risk Treatment Plan.

Appropriate appointments for implementing and monitoring improvements / controls are not provided in the Compliance Risk Treatment Plan.

Appropriate resources for implementing and monitoring improvements / controls are not provided in the Compliance Risk Treatment Plan.

2.3 Assign or acquire resources for the planned compliance program/management system in accordance with organisational procedures and policies

3.3 Refer risks relevant to whole of organisation or having an impact beyond own work responsibilities and area of operation to others as per established policies and procedures

32

ANNEX C

4. DEVELOP AN AWARENESS COMMUNICATION AND TRAINING PLAN (ACT)

PERFORMANCE CRITERIA - ASSIGNMENT

SATISFACTORY NOT YET SATISFACTORY COMMENTS(NYS ONLY)

1.1 Confirm and clarify with relevant internal and external personnel, compliance issues requiring communication

OBJ

ECTI

VES

Objectives are clearly outlined in each point form brief ACT)

Objectives are not clearly outlined in each point form brief (ACT)

1.2 Seek and/or obtain information during the liaison activity on applicable compliance requirements and related compliance program/management system and summarise in an appropriate format1.3 Identify, source and interpret sections of relevant Australian and international standards in terms of processes to be followed for promotional and liaison activities2.1 Develop compliance training objectives based on assessed training needs of personnel1.2 Confirm and document the organisation's obligations and responsibilities in providing induction and training activities2.1 Using appropriate means, identify groups that need to be aware of the organisation's compliance program /management system or that may need to be contacted about compliance issues

STRA

TEG

Y

Target groups for awareness, communication and training have been identified.

Personnel who must comply with the requirements of the Compliance Risk Treatment Plan, are identified for awareness, communication and training purposes. This will include personnel both internal and external to the organisation (eg contractors),

Target groups for promotional or liaison activities are not identified.

Personnel who must comply with the requirements of the Compliance Risk Treatment Plan, are not identified awareness, communication and training purposes.

4.2 List internal and external persons and organisations that need to be aware of specific aspects of the compliance program/management system in compliance management promotional and liaison activities2.2 Record information on identified target groups and store in an appropriate format for use in activities to promote the compliance program/management system

33

ANNEX C



4.1 Prepare and disseminate information on the operation of the compliance program/management system to relevant internal and external personnel in accordance with the communication strategy for the compliance program / management system

MES

SAG

E

The message is both aspirational and believable

The message contains information on how the objectives will be achieved

The message is consistent across all communication channels.

The message is noto aspirational or believableo does not contains

information on how the objectives will be achieved

o consistent across all communication channels.

2.4 Arrange appropriate briefings and training to ensure relevant managers and operations staff are aware of their roles and responsibilities2.5 Launch the compliance program/management system in accordance with organisation's plan6.4 Provide accurate and clear details in written, electronic or oral form using appropriate techniques in accordance with relevant internal and external requirements7.1 Brief managers and personnel on their roles and responsibilities in the compliance management promotional and liaison activities

34

ANNEX C



4.1 Access and review details of the compliance program/management system

IMPL

EMEN

T - P

REPA

RATI

ON

Develop an action plan for the Awareness, Communication and Training activities. This includes:o Compliance training needs

identified in the process of developing the Compliance Risk Treatment Plan

o Internal or external option is identified

o Method of delivering training is justified.

o Time frame for delivering training is outlined.

o Assign resources for ACT activities

o A budget is proposed for the ACT activities. The budget includes both physical/human resource requirements

One or more of the following are not considered:o Compliance training needs

identified in the process of developing the Compliance Risk Treatment Plan

o Internal or external option is identified

o Method of delivering training is justified.

o Time frame for delivering training is outlined.

o Assign resources for ACT activities

o A budget is proposed for the ACT activities. The budget includes both physical/human resource requirements

4.3 Prepare an action plan for the compliance management promotional and liaison activities in collaboration with relevant internal and external personnel2.6 Prepare and negotiate budget for internal and external compliance training with appropriate organisational personnel2.7 Identify training personnel requirements and recruit and prepare appropriate staff5.1 Prepare to implement the planned compliance management promotional and liaison activities &negotiate suitable budget with authorised personnel for approval5.2 Assign or acquire physical and human resources for the execution of the planned promotional and liaison activities, in accordance with the approved action plan3.1 Identify suitable contacts from own network or with the assistance of relevant internal and external personnel

Suitable contacts for conducting the Awareness, Communication and Training activities are identified

Both internal and external options are considered for providing the ACT activities.

Suitable contacts for conducting the Awareness, Communication and Training activities are not identified

Either internal or external options have not been considered for providing the ACT activities.

3.2 Apply search techniques to establish the most suitable contacts for the liaison activities, where appropriate2.2 Assess and compare quality and costs of external training options

2.3 Assess ability of organisation to deliver required training internally

2.4 Select and organise appropriate internal compliance training programs and/or external compliance training options to meet assessed compliance management training needs

35

ANNEX C



2.5 Negotiate training options if required6.1 Make initial contact with identified internal and/or external contacts using appropriate communication techniques

IMPL

EMEN

T –

ROLL

OU

T

Appropriate activities are listed that will raise awareness.

Appropriate activities are listed that will communicate the message

Appropriate activities are listed that will train relevant staff members

Appropriate activities are not listed that will raise awareness.

Appropriate activities are not listed that will communicate the message

Appropriate activities are not listed that will train relevant staff members

6.2 Ensure the requirements for seeking information are clearly explained and communicated3.1 Organise appropriate training and assessment materials and facilities for development or acquisition (where required)3.2 Prepare and execute implementation plans for the internal and external compliance training as approved3.3 Negotiate and sign contract/s for required external compliance training as per organisational policies and procedures3.4 Implement planned corporate induction and training programs6.3 Apply effective interpersonal skills during all communication activities7.2 Monitor compliance management promotional and liaison activities against objectives, established performance criteria, milestones and budget targets

EVAL

UAT

ION

An effective method of collecting data and evaluating the awareness, communication and training activities against objectives is provided.

An effective method of collecting data and evaluating the awareness, communication and training activities against objectives is not provided.

7.3 Take appropriate action to ensure promotional activities achieve the planned outcomes within project limits8.1 Collect data and performance indicators from appropriate sources, on the outcomes of compliance management promotional and liaison activities8.2 Analyse collected evaluation data in terms of planned outcomes and performance criteria8.3 Summarise the results of the promotional and liaison activities and document identified issues and related recommendations

36

ANNEX C



6.5 Record details of communications conducted as part of compliance related promotional and liaison activities in an appropriate format

EVAL

UAT

ION

A point form brief for each activity (awareness, communication and training) is developed for the CEO and clearly documents the following elements

o Objectiveso Strategyo Messageso Implementationo Evaluation

A point form brief for each activity (awareness, communication and training) is not developed for the CEO or does not clearly documents the following elements

o Objectiveso Strategyo Messageso Implementationo Evaluation

9.1 Record, store and disseminate details of the execution of planned compliance management promotional and liaison activities in accordance with the organisation's policies and procedures9.2 Prepare and submit reports on the compliance management promotional and liaison activities and ensure the outcomes are relevant to internal and external personnel9.3 Refer recommendations on improvements to compliance management promotional and liaison activities to relevant managers for appropriate action9.4 Organise and incorporate information on contacts established during compliance management liaison activities in an appropriate listing of contacts for future liaison activities

37

ANNEX C

5. ASSESSMENT CRITERIA – DEVELOP A COMPLIANCE MONITORING PROGRAM


1.1 The audit objectives, scope and focus are identified

Purpose of monitoring is correctly identified.

Relevant monitoring systems identified One key role is correctly identified At least 1 key monitoring technique is

identified

Purpose of monitoring is not correctly identified.

Relevant monitoring systems not identified

One key role is not correctly identified

At least 1 key monitoring technique is not identified.

1.2 Relevant operational and information systems in the audit context are identified3.4 Technology is selected and used in line with audit requirements1.3 Audit team roles and key audit techniques are identified2.3 Assign or acquire resources for the planned compliance program/management system in accordance with organisational procedures and policies3.1 Sampling techniques are identified to suit audit requirements and are applied according to established procedures1.4 An audit plan is prepared that meets organisational requirements and the objectives of the audit

All elements of ICMP are completed with at least one correct entry per element.

Client is correctly identified for purposes of pre monitoring communication.

All elements of ICMP are completed with at least one correct entry per element

Client is not correctly identified for purposes of pre monitoring communication

1.5 Audit documentation is prepared according to organisational policies and guidelines1.6 Pre-audit communication is conducted with the client to be audited in accordance with organisational policy and procedures2.1 Concepts, systems and reports relevant to the audit are identified

At least one potential cause of the breach is identified.

At least one potential cause of the breach is not identified or is not appropriate.

2.2 Analytical checks are performed in accordance with organisational policy and procedures2.3 Initial assessment is made, and considered to ensure it is appropriate and accurate

38

ANNEX C


2.5 Risk assessment activities are undertaken to determine risks and risk treatments necessary

Risk rating and priority is correctly amended

Risk rating and priority is not correctly amended

2.4 Appropriate and significant controls are identified and control tests are designed

One or more data items, data entry, processes and people are identified for examination.

One or more data items, data entry, processes and people are not identified for examination or the item for examination is not appropriate.

3.2 Controls are tested and assessed in accordance with the audit plan3.3 Substantive testing is conducted3.1 Gather information on the operation of the compliance program/management system from appropriate sources

3.5 Audit documentation and working papers are prepared according to the established format4.1 Situations requiring specialist input are identified and referred for action

If an issue is uncovered, appropriate specialists are identified for input or to implement corrective action.

If an issue is uncovered, appropriate specialists are not identified for input or to implement corrective action.

4.2 Situations requiring referral to other areas are identified and referred in a timely manner4.3 Issues which arise during the audit are dealt with in a professional manner in accordance with organisational policy and procedures5.1 Audit reports are prepared in the approved format

At least one appropriate monitoring findings is correctly documented in the template provided

At least one monitoring finding is not appropriate or they are not correctly documented in the template provided

5.3 Internal reports are prepared in the required style and format5.2 Discussions with the client on audit findings are conducted in a professional manner 3.2 Review feedback and performance indicators on the operation of the compliance program/management system in terms of agreed criteria5.6 Audit findings are recorded in information management systems in accordance with organisational policy and procedures.

39

ANNEX C


5.4 Final recommendations on action are made according to organisational policies and guidelines, and in a timely manner

At least one appropriate recommendation is documented

At least one appropriate recommendation is not documented

5.5 Responses to audit recommendations are received and the audit is finalised in accordance with organisational policy and procedures

At least one appropriate “next step” is provided.

At least one appropriate “next step” is not provided

1-5 ASSESSMENT CRITERIA – WRITE COMPLEX DOCUMENTS


1 Plan Documents1.1 Determine the purposes of documents

Purpose is demonstrated by correctly completing tables based on case study facts

Format is consistent in style of text, i.e. font, size, formatting including bullets, indents etc as appropriate

Requirements and sequence is provided as per template

Content is understood by successfully completing all tables.

Purpose not demonstrated by incorrectly completing tables and cells

Format varies in font, size, style etc from one cell to another -that is there is no consistency in style

Structure of template not used as intended

1.2 Choose appropriate formats for documents 1.3 Establish means of communication 1.4 Determine requirements of documents 1.5 Determine categories and logical sequences of data, information and knowledge to achieve document objectives 1.6 Develop overview of structure and content of documents

2 Draft text2.1 Review and organise available data, information and knowledge according to proposed structure and content

.

ccc

40

ANNEX C


2.2 Ensure data, information and knowledge is aggregated, interpreted and summarised to prepare text that satisfies document purposes and objectives 2.3 Include graphics as appropriate 2.4 Identify gaps in required data and information, and collect additional material from relevant enterprise personnel

cc

ccc.

2.5 Draft text according to document requirements and genre 2.6 Use language appropriate to the audience3 Prepare final text3.1 Review draft text to ensure document objectives are achieved and requirements are met

.

3.2 Check grammar, spelling and style for accuracy and punctuation

.

3.3 Ensure draft text is approved by relevant enterprise personnel3.4 Incorporate revisions in final copy

4 Produce document4.1 Choose basic design elements for documents appropriate to audience and purpose

4.2 Use word processing software to apply basic design elements to text 4.3 Check documents to ensure all requirements are met

41