Finance

Under construction

This page is still under construction. Please check back later as we continue to work on it.

1 - Corporate Credit Card Policy

Corporate credit cards are useful tools, but need to be managed carefully to avoid misuse. This policy sets out the rules for issuing and using corporate credit cards at Vaxa.

Purpose

The purpose of this policy is to ensure corporate credit cards are issued and used appropriately for Vaxa-related business, and that all expenses incurred are properly approved and acquitted.

Scope

The Corporate Credit Card Policy sets out Vaxa’s policy on corporate credit cards (“Card”). It applies to all corporate credit cardholders (“Cardholder”), managers responsible for authorising credit card applications, and approvers of the Cardholder’s acquittals.

Responsibilities

  • All employees who are issued with a Corporate Credit Card are responsible for ensuring that the Card is used appropriately and in accordance with this policy.
  • Managers are responsible for ensuring that their staff are aware of and comply with this policy, including the acquittal of expenses.
  • The Finance team is responsible for the administration of the Card program, including the issuing of Cards, setting of limits, and monitoring of Card usage.

Policy/Process/Standard

Corporate Credit Cards must be used appropriately within relevant delegations, and in accordance with Vaxa policies and legislation.

Issuing of Corporate Credit Cards

The purpose of the Card is to facilitate and simplify the purchasing process for minor purchases and travel expenditure which are not able to be processed through Vaxa’s Purchase Order process.

The Card will only be issued to an employee who:

  • is required to travel for business purposes; and/or
  • can demonstrate an ongoing and regular need to purchase goods or services on behalf of a Group or Team which is best facilitated through the use of a credit card. Examples include paying for training courses, professional fees, publications, catering or any purchase where a credit card is the only acceptable form of payment.

Both ongoing and non-ongoing employees can apply for the Card provided they have a genuine business need such as that specified above.

Contractors will not be eligible for the Card. The exception to this is where a contractor is working on a long term contract for Vaxa, and will be required to undertake frequent travel as part of that engagement.

Credit Card Limits

Standard transaction and monthly limits are as follows:

Delegation             Transaction Limit    Monthly Limit
Managing Director      $1,000               $5,000
Director               $500                 $2,000
Executive Assistant    $200                 $1,000
All other staff        $200                 $1,000

Variations to the standard limits must be supported by genuine business need and approved by the Managing Director only.

Limits are subject to annual review.

Cancellation of Corporate Credit Cards

The Card is not transferable and may be cancelled by Finance when:

  • the Cardholder ceases employment with Vaxa
  • the Cardholder no longer requires the Card because of a change of duties or positions
  • the Cardholder is taking an extended period of absence of three months or more
  • the Cardholder fails to comply with any Managing Director’s direction, Vaxa’s policies or procedures relating to the use of the Card
  • requested to do so by a partner; or
  • the Card has not been used for more than twelve months.

General Terms of Use

Cardholders must obtain approval from an appropriate financial delegate before using the Card to pay for their own business expenses (e.g. professional membership, training, travel); see Instrument of Delegations—Financial Authorisations.

Direct debit authorities must not be placed on the Card except where business conditions necessitate and are approved by the Managing Director.

Centrally purchased items such as assets, IT equipment, property/equipment, stationery and insurance should only be purchased by the Managing Director, unless the Cardholder has obtained specific approval from the respective teams to purchase items separately on the Card.

Compliance and Monitoring

Misuse of the Card is a serious matter and may constitute a breach of this policy.

Penalties apply for fraud or misuse of the Card under the Crimes Act 1914. Cardholders may be liable for any loss to Vaxa.

Suspected or inadvertent misuse of the Card must be reported, investigated and dealt with in accordance with the Corporate Credit Card Procedures. Disciplinary action against the Cardholder includes, but is not limited to, a warning, full recovery of monies, criminal proceedings, or other direction at the discretion of the Managing Director.

Non-compliance with this policy may result in the cancellation of the Card and/or disciplinary action, up to and including termination of employment.

None.

2 - Funds Transfer Authentication Policy

This policy establishes authentication requirements for processing funds transfers and banking detail changes to protect Vaxa from fraudulent payment requests and business email compromise.

Purpose

The purpose of this policy is to protect Vaxa from fraudulent payment requests, business email compromise, and unauthorised banking detail changes by establishing mandatory authentication requirements for processing funds transfers and updating banking information.

Scope

This policy applies to:

  • All Vaxa employees, contractors, and third parties authorised to process payments or modify banking details
  • All funds transfer requests, regardless of payment method (electronic transfer, wire transfer, cheque, etc.)
  • All requests to add or modify banking details for suppliers, employees, or other payees

Responsibilities

  • Finance team is responsible for implementing and enforcing the authentication procedures outlined in this policy, including maintaining records of all verification activities.
  • Payment approvers are responsible for ensuring proper authentication is completed before authorising any funds transfer over $5,000 or any banking detail change.
  • All employees are responsible for following the authentication procedures when requesting or processing payments, and reporting any suspicious payment requests immediately.
  • Managing Director is responsible for approving exceptions to this policy and ensuring adequate resources are allocated for compliance.

Policy/Process/Standard

Funds Transfer Authentication Requirements

All funds transfer requests over $5,000 must be authenticated using a secondary means of communication before processing. The authentication must:

  1. Use a communication channel different from the original request channel
  2. Be documented with details of who verified, when, and how
  3. Confirm the legitimacy of the payment request with the authorised requester

Approved Secondary Communication Channels

The following communication methods are approved for secondary authentication (original request channel must not be reused):

  • Phone call to a verified contact number (from company directory or previously confirmed)
  • Video call with visual identification of the requester
  • SMS/text message to a verified mobile number
  • In-person verification (where practical)
  • Alternative email address that has been pre-registered and verified (not used for the original request)

Email alone is not acceptable as the sole secondary communication channel if the original request was also by email.

Authentication Procedure

When processing a funds transfer request over $5,000:

  1. Receive the payment request through standard channels (email, purchase order, invoice, etc.)
  2. Before processing, contact the requester using a different communication channel from the approved list above
  3. Verify the following details:
    • Payee name and amount
    • Purpose of payment
    • Banking details (if new or changed)
    • Authority to request the payment
  4. Document the verification including:
    • Date and time of verification
    • Method used (phone, video call, etc.)
    • Contact details used
    • Name of person who verified
    • Name of person performing verification
  5. Process the payment only after successful verification

Banking Detail Change Authentication

All requests to add or modify banking details must be authenticated using a secondary means of communication, regardless of transaction amount. This applies to:

  • New supplier banking details
  • Changes to existing supplier banking details
  • Employee banking details for payroll
  • Changes to any payee banking information

Authentication Procedure for Banking Detail Changes

  1. Receive the request to change or add banking details
  2. Contact the requester using a different communication channel from the approved list
  3. Verify the following:
    • Identity of the requester
    • Authority to request the change
    • Accuracy of the new banking details (read back the details)
    • Reason for the change
  4. For supplier banking detail changes, consider requesting supporting documentation (e.g., letter on company letterhead, bank statement)
  5. Document the verification as outlined above
  6. Update the banking details only after successful verification
  7. Notify the payee of the change via a separate communication confirming the update

Emergency and Exception Procedures

In exceptional circumstances where immediate payment is required and secondary authentication cannot be completed promptly, the following emergency procedure may be used:

  1. The Managing Director or designated delegate must approve the payment
  2. Enhanced due diligence must be performed, including additional verification steps where possible
  3. The payment must be documented as an exception with full justification
  4. Retrospective verification must be completed within one business day
  5. A report of all exceptions must be reviewed monthly by the Managing Director

All exceptions must be recorded and reviewed as part of the compliance monitoring process.

Suspicious Activity Reporting

Any of the following should be treated as red flags and warrant additional scrutiny:

  • Unexpected or unusual payment requests
  • Urgent or pressured requests to process payments quickly
  • Requests to change banking details without prior notice
  • Requests that bypass normal approval processes
  • Communication from unusual email addresses or phone numbers
  • Requests that deviate from established payment patterns

Suspected fraudulent requests must be reported immediately to the Finance team and the Managing Director. Do not process the payment until the matter has been investigated and resolved.

Compliance and Monitoring

Training

All staff involved in payment processing must complete training on this policy and fraud awareness annually. New staff must complete training within one month of commencing duties involving payment processing.

Auditing

The Finance team will:

  • Maintain records of all authentication activities for payments over $5,000 and banking detail changes
  • Conduct monthly reviews of compliance with this policy
  • Review all exceptions and assess whether policy adjustments are needed
  • Report compliance metrics and trends to the Managing Director quarterly

Non-Compliance

Failure to comply with this policy may result in:

  • Immediate review of payment processing privileges
  • Retraining requirements
  • Disciplinary action up to and including termination of employment
  • Personal liability for losses resulting from unauthorised payments where policy was not followed

Records Retention

All authentication records must be retained for a minimum of seven years in accordance with financial record-keeping requirements.

  • Corporate Credit Card Policy (POL-FIN-0001)
  • Instrument of Delegations—Financial Authorisations
  • Crimes Act 1914 (Cth)