Duty to establish and maintain systems relating to risk and control
Section 16 of the PGPA Act provides you with the flexibility to establish systems of risk oversight and management and internal control that are appropriate for your entity.

Taking appropriate risks in fulfilling the purposes of your entity is consistent with careful and proper use and management of public resources.

The internal controls you introduce need to reflect your entity’s level of tolerance for risk and assist officials to comply with the finance law.

You will be required to exercise your judgement in managing risks and establishing controls, informed by consideration of various factors, including the:

  • size of your entity
  • complexity of the policy environment
  • proportionality of risks
  • capability of your officials.

You will also need to review your internal controls periodically and when circumstances change.

Accountable Authority Instructions (AAIs) are written instruments that may be issued by the accountable authority to instruct officials on matters relating to the finance law. AAIs include instructions that the accountable authority expects officials to follow when exercising powers and carrying out functions and duties under the PGPA Act. RMG-206 Model accountable authority instructions (AAIs) provides more guidance to assist accountable authorities to provide operational instructions to their officials.

System of risk oversight and management

As the accountable authority of a non-corporate Commonwealth entity, you must, in accordance with the Commonwealth Risk Management Policy:

  • endorse your entity’s risk management policy and risk management framework
  • define responsibility for managing risk in your entity, including:
    • defining who is responsible for determining the entity’s appetite and tolerance for risk
    • allocating responsibility for implementing the risk management framework
    • defining roles and responsibilities in managing individual risks.

While the Commonwealth Risk Management Policy is not mandatory for corporate Commonwealth entities, it is good practice.

System of internal control

The PGPA Act requires you to establish and maintain an appropriate system of internal control for your entity. You can use accountable authority instructions to direct officials on the proper use and management of public resources, including:

  • delegating or authorising officials to exercise functions and powers
  • developing a fraud control framework for your entity
  • requiring, as a condition of employment, that officials of your entity comply with the finance law
  • specifying sanctions (such as termination) that apply to officials for contravening that condition
  • establishing contractual arrangements for consultants and contractors that reflect the requirements of the finance law.

You can establish internal controls for officials in written instructions on any matter relating to the finance law.

For example, you can issue instructions on such things as:

  • approving a commitment of relevant money
  • official banking or dealing with relevant money
  • debiting or crediting an appropriation.

RMG-206 Model accountable authority instructions (AAIs) provides more guidance on establishing appropriate systems of risk management and internal control, available under Tools and templates.

Delegations or authorisations

The accountable authority of a non-corporate Commonwealth entity can delegate many of the powers, functions and duties in the PGPA Act or PGPA Rule to officials. A corporate Commonwealth entity can authorise officials to exercise functions and powers under its enabling legislation.

Role of the Audit Committee

Your audit committee can provide you with regular independent advice and assurance on the appropriateness of your entity’s systems of risk oversight and management and internal control. For more information, see RMG-202 Audit committees.