Audit and Risk Committee charter

Establishment

In accordance with subsection 45(1) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the accountable authority (secretary) of the department must ensure that the entity has an audit committee.

Role and function of the committee

Subsections 17(1) and 17(2) of the Public Governance, Performance and Accountability Rule 2014 (the Rule) establish mandatory functions for audit committees:

• The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee for the entity.
• The functions must include reviewing the appropriateness of the accountable authority's:
  • financial reporting
  • performance reporting
  • system of risk oversight and management
  • system of internal control.

The Committee will also review:

• internal audit resourcing and coverage in relation to the department's key risks, and recommend approval of the internal annual audit plan by the secretary
• internal and Australian National Audit Office (ANAO) audit reports, providing advice to the secretary about significant issues identified, and the implementation of agreed actions in accordance with the department's agreed approach.

To address the functions of the Committee, as far as is practicable, the Committee should indicate which matters it will consider during any given year in a forward plan (the work plan), noting that it may consider other or additional matters in response to changes in the department's operations and environment.

Financial reporting

The Committee will review the appropriateness of the department’s financial reporting, in compliance with subsection 17(2)(a) of the Rule.

This will include a review of the financial information systems and the appropriateness of the department’s financial reporting in compliance with the mandatory requirements of the PGPA Act, the Rule and the Australian Accounting Standards Board Accounting Standards.

The Committee, in fulfilling its review of the appropriateness of financial reporting, will:

• review the department’s processes and systems for preparing financial reporting information and financial recordkeeping
• review the processes in place to allow the department to stay informed throughout the year of any changes or additional requirements in relation to financial reporting
• review the:
  
  • annual financial statements, including compliance with the PGPA Act, the Rule and the Accounting Standards
  • additional department information (other than financial statements) required by the Department of Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package)
• provide written advice to the secretary about the appropriateness of the department’s financial reporting, including its annual financial statements and identify any areas of concern and suggestions for improvement.

Performance reporting

The Committee will review the appropriateness of the accountable authority’s performance reporting for the department, in compliance with subsection 17(2)(b) of the Rule. This will include a review of the department’s performance information, systems and framework and the completeness and appropriateness of its performance reporting.

The Committee, in fulfilling its review of the appropriateness of performance reporting, will:

• review the department’s systems and procedures for assessing, monitoring and reporting on the department’s performance. Specifically, the Committee will satisfy itself that:
  • the department’s portfolio budget statements and corporate plan contain appropriate details of how the department’s performance will be measured and assessed
  • the department’s approach to measuring its performance throughout the financial year against its performance measures included in the portfolio budget statements and corporate plan is appropriate, and in accordance with the Commonwealth Performance Framework
  • the department has appropriate systems and processes for preparation of its annual performance statement and inclusion of the statement in its annual report
• provide written advice to the secretary of its view on the appropriateness of the department’s performance reporting, including its annual performance statement, and identify any areas of concern and suggestions for improvement.

System of risk oversight and management

The Committee will support the secretary, who is required to establish and maintain an appropriate system of risk oversight and management for the department (in compliance with section 16(a) of the PGPA Act and subsection 17(2)(c) of the Rule, as well as the Commonwealth Risk Management Policy), by reviewing the appropriateness of the department’s system of risk oversight and management. This review will include reviewing whether identified risks and their treatments are consistent with the Committee’s:

• understanding of the department’s operating context
• experience in risk management.

In undertaking this function, the Committee will take into account whether:

• management has a current and appropriate enterprise risk management framework and the necessary internal controls for the effective identification and management of the department’s risks, in keeping with the Commonwealth Risk Management Policy
• an appropriate approach has been followed in managing the department’s key risks (including those associated with individual projects and program implementation and activities)
• the department’s processes for developing and implementing fraud control arrangements are consistent with the Commonwealth Fraud Control Framework, and in compliance with section 10 of the Rule requirements, and satisfy itself that the department has adequate process design for detecting, capturing and effectively responding to fraud risks
• management has adequately developed risk management capability in the department and whether key roles, responsibilities and authorities relating to risk management are clearly articulated.

The Committee, in fulfilling its review of the appropriateness of the department’s system of risk oversight and management, will provide written advice to the secretary of its view in relation to the appropriateness of the department’s system of risk oversight and management (with reference to the Commonwealth Risk Management Policy), and identify any areas of concern and suggestions for improvement.

System of internal control

The Committee will review the appropriateness of the system of internal control for the department, in compliance with subsection 17(2)(d) of the Rule.

In undertaking this function, the committee will take into account the following:

• internal control framework:
  • management's approach to maintaining an effective internal control framework and whether appropriate processes are in place for assessing whether key policies and procedures are complied with
  • whether management has in operation relevant policies and procedures (e.g. accountable authority instructions, delegations/authorisations, a business continuity management plan or bullying and harassment policies)
• legislative and policy compliance:
  • the effectiveness of systems for monitoring the department’s compliance with laws, regulations and associated government policies with which the department must comply
  • whether management has adequately considered legal and compliance risks as part of the department’s enterprise risk management framework and fraud control framework
• security compliance
  • management’s approach to maintaining an effective internal security system and information, communication and technology security policy (including complying with the Protective Security Policy Framework)
• internal audit coverage:
  • ensuring that the coverage takes into account the department’s primary risks, and recommend approval of the internal audit work plan by the secretary
  •  provide advice to the secretary on major concerns identified in internal audit reports, and recommend action on significant matters raised, including identification and dissemination of information on good practice
  • periodically reviewing the performance of internal audit
• ethical and lawful conduct:
  • assess whether management has taken steps to embed a culture that promotes the proper use and management of public resources and ethical and lawful conduct
• business continuity:
  • determine whether a sound and effective approach has been taken to establish business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested
• parliamentary committee reports and external audit and reviews:
  • determine that the department has appropriate mechanisms for reviewing relevant parliamentary committee reports, external reports (Auditor-General, Joint Committee of Public Accounts and Audit (JCPAA) and royal commissions etc),
  • reviewing the implementation of agreed recommendations from ANAO audits or JCPAA and other parliamentary committee reports directed to the department.

The Committee will provide written advice to the secretary on the appropriateness of the department’s system of internal control and identify any areas of concern and suggestions for improvement.

Membership

Composition

Consistent with subsection 17(4) of the Rule, a majority of members must be persons who are not official of any Commonwealth entity.

The Committee comprises:

• 3 members at minimum who have appropriate qualifications, knowledge, skills or experience to assist the Committee to perform its functions and who are not officials of the department
• up to 2 Australian Public Service (APS) senior executive service level members external to the department.

The Committee will be supported by up to 2 departmental advisors.

The deputy chair of the Committee will be appointed by the chair of the Committee in consultation with the secretary and may act in the chair’s absence.

Selection and appointment

The identification and selection of members and departmental advisors is at the discretion of the secretary in consultation with the chair.

In identifying and selecting candidates, the secretary, in consultation with the chair will have regard to the collective knowledge, skills and experience the Committee requires to fulfil its responsibilities under this charter.

Members are appointed by the accountable authority for a term determined by the accountable authority. The accountable authority appoints a member as Chair. The Chair appoints a Deputy Chair.

Skills and knowledge

Consistent with subsection 17(3) of the Rule the members, taken collectively, will have a broad range of knowledge, skills and experience relevant to the operations of the department, including its information technology environment.

All members should be conversant with financial management reporting and

• at least one member must have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards
• at least one member must have ICT-related experience and/or qualifications, and a comprehensive understanding of ICT risk management.

Departmental advisors should collectively contribute knowledge of the breadth of the department’s business and its operating context. Departmental advisors will receive all papers and attend all meetings.

Remuneration

Independent Committee members will be remunerated at a level that reflects:

• the particular skills and expertise the member brings to the Committee
• the time required for meeting preparation, attendance at meetings and interaction with management outside of committee meetings.

The members from other Commonwealth entities are not remunerated.

Observers

Consistent with subsection 17(5) of the Rule and the department’s governance structure, the secretary, chief financial officer, the chief information officer, chief internal auditor, chief operating officer, and the general counsel, may not be members of the Committee but may attend meetings as observers.

Representatives from the ANAO and external providers of internal audit services will not be members of the Committee however, may attend relevant Committee meetings (in whole or in part) as observers, as determined by the chair or by the Committee.

Observers may, as determined by the chair or by the Committee, be provided with copies of Committee papers, as appropriate.

At the chair's discretion internal staff or external parties may attend meetings (in whole or in part) as invited guests.

Independence

The Committee is directly accountable to the secretary for the performance of its functions.

The Committee has no executive powers in relation to the operations of the department. The Committee may only review the appropriateness of particular aspects of those operations, consistent with its functions, and advise the secretary accordingly.

Responsibility for the appropriateness of the department's financial reporting, performance reporting, system of risk oversight and management, and system of internal control rests with the secretary and officials of the department.

Conflict of interest

On engagement and each year thereafter, members of the Committee and its sub-committees will provide written declarations to the secretary declaring any actual, perceived or potential conflict of interest they may have in relation to their responsibilities. Members should consider past employment, consultancy arrangements and related party issues in making these declarations. The secretary must be satisfied that the Committee has sufficient processes in place to manage any actual, perceived or potential conflict.

At the beginning of each Committee or sub-committee meeting, members are required to declare any actual, perceived or potential conflict of interest that may apply to specific matters on the meeting agenda. Where required by the chair, the member will be excused from the meeting or from the committee’s consideration of the relevant agenda item(s). Details of actual, perceived or potential conflicts of interest declared by members of the Committee and its sub-committees, and action taken, will be appropriately reflected in the minutes.

Conflicts of interest will be managed by the chair in consultation with the deputy chair.

If the chair has an actual, perceived or potential conflict, it must be declared prior to the meeting commencing to the secretary or in the secretary’s absence the deputy secretary with responsibility for governance matters.

Authority

The secretary authorises the Committee, in performing its functions to:

• seek any information it requires from:
  • any official of the department
  • external parties, including the ANAO (subject to any legal obligation to protect information)
• request legal or other professional advice at the department’s expense:
  
  • as considered necessary to meet its responsibilities
  • subject to approval by the appropriate delegate
• request the attendance of any official of the department at meetings, as appropriate
• request the attendance of a committee member, as selected by the Audit and Risk Committee, at internal committee meetings within the department (as an observer), as appropriate.

The secretary directs officials of the department to cooperate with the Committee.

Sub-committees

The Committee, in consultation with the secretary, may establish sub-committees to assist it in meeting its responsibilities. A member of the Committee will be appointed as the chair of the sub-committee.

The responsibilities, membership and reporting arrangements for each sub-committee shall be documented and approved by the Committee. Sub-committees are to develop their own terms of reference, to be reviewed annually by the Committee.

The actions of the sub-committee will be reported to the Committee at each meeting. Any matter deemed of sufficient importance will be reported to the secretary through the chair of the Committee.

Meetings

The Committee will meet at least 4 times per year, or more often if required. Special meetings may be held to review the department's annual financial statements and annual performance statements or to meet other specific responsibilities of the Committee.

The chair:

• will call a meeting if requested to do so by the secretary
• may call a meeting if requested by another committee member.

A quorum for any Committee meeting will be 3 members, one of whom must be the chair or the deputy chair. All Committee members are expected to attend each meeting in person or remotely. Attendance will be reported in accordance with legislative obligations.

Secretariat

In accordance with this charter, the department will provide secretariat services to the Committee as determined by the secretary. The secretariat will ensure:

• the agenda for each meeting is approved by the chair
• the agenda and supporting papers are circulated, where possible, at least one week before the meeting
• that minutes of the meeting are prepared and maintained.

Minutes must be forwarded in a timely manner to the chair and members for review and provided to Committee advisers and observers at the next meeting of the Committee.

Reporting

The chair will report to the secretary after each meeting. Any matter deemed of sufficient importance will be reported to the secretary immediately.

The Committee will, as often as necessary, and at least once a year, report to the secretary on its operation and activities during the year.

Review of functions

The chair of the Committee will initiate a review of the performance of the Committee and any sub-committees at least once every 2 years. The outcomes of this assessment will be reported to the secretary.

The Committee will review the appropriateness of this charter at least annually. The outcomes of this review will be reported to and approved by the secretary.

Disclosure and use of information

Committee members must not use or disclose information obtained by the Committee except in meeting the Committee’s responsibilities, or unless expressly agreed by the secretary.