Establishment
The accountable authority (secretary) of the department must ensure that the entity has an audit committee. This is in accordance with subsection 45(1) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
Role and function of the committee
Subsections 17(1) and 17(2) of the Public Governance, Performance and Accountability Rule 2014 (the Rule) establish the audit committee’s mandatory functions:
- The accountable authority of a Commonwealth entity must, by written charter, decide the functions of the audit committee for the entity.
- The functions must include reviewing the appropriateness of the accountable authority's:
  - financial reporting
  - performance reporting
  - system of risk oversight and management
  - system of internal control.
The committee will also review:
- internal audit resourcing and coverage about the department's key risks, and recommend approval of the internal annual audit plan by the secretary
- internal and Australian National Audit Office (ANAO) audit reports. The committee will advise the secretary about significant issues and adoption of actions according to the department's agreed approach.
To address its functions, the committee should indicate which matters it will consider during any given year in a forward plan (the work plan). It may consider other matters in response to changes in the department's operations and environment.
Financial reporting
The committee will review the appropriateness of the department’s financial reporting, to comply with subsection 17(2)(a) of the Rule.
This includes a review of the financial information systems and the appropriateness of the department’s financial reporting in compliance with the mandatory requirements of the:
- PGPA Act
- Rule
- Australian Accounting Standards Board (AASB) Accounting Standards.
In fulfilling its review of the appropriateness of financial reporting, the committee will:
- review the department’s processes and systems for preparing financial reporting information and financial record keeping
- review the processes in place, allowing the department to stay informed throughout the year of any changes or extra requirements about financial reporting
- review the:
  - annual financial statements, including complying with the PGPA Act, the Rule and the Accounting Standards
  - extra department information (other than financial statements) required by the Department of Finance to prepare the Australian Government consolidated financial statements. This includes the supplementary reporting package.
- give written advice to the secretary about the appropriateness of the department’s financial reporting. This includes its annual financial statements and identifying any areas of concern and suggestions for improvement.
Performance reporting
The committee will review the appropriateness of the accountable authority’s performance reporting for the department, in compliance with subsection 17(2)(b) of the Rule. This will include a review of the department’s performance information, systems and framework, and the completeness and appropriateness of its performance reporting.
The committee, in fulfilling its review of the appropriateness of performance reporting, will:
- review the department’s systems and procedures for assessing, monitoring and reporting on the department’s performance. Specifically, the committee will satisfy itself that the department’s:
  - portfolio budget statements and corporate plan contain appropriate details of how to measure and assess the department’s performance
  - approach to measuring its performance over the financial year against the performance measures in the portfolio budget statements and corporate plan is appropriate. The approach must also follow the Commonwealth Performance Framework
  - systems and processes to prepare its annual performance statement and inclusion of the statement in its annual report is appropriate.
- give written advice to the secretary of its view on the appropriateness of the department’s performance reporting. This includes its annual performance statement and identifies any areas of concern and suggestions for improvement.
System of risk oversight and management
The committee will support the secretary, who must create and maintain an appropriate system of risk oversight and management for the department. This is in compliance with section 16(a) of the PGPA Act and subsection 17(2)(c) of the Rule, as well as the Commonwealth Risk Management Policy. This will involve reviewing the appropriateness of the department’s risk oversight and management system. The review will look at whether identified risks and their treatments are consistent with the committee’s:
- understanding of the department’s operating context
- experience in risk management.
In undertaking this function, the committee will consider if:
- management has a current and appropriate enterprise risk management framework and the necessary internal controls for the effective identification and management of the department’s risks. This is in keeping with the Commonwealth Risk Management Policy.
- an appropriate approach has been followed in managing the department’s key risks. This includes those associated with individual projects and program implementation and activities.
- the department’s processes for developing and adopting fraud control arrangements are consistent with the Commonwealth Fraud Control Framework, and that they comply with section 10 of the Rule requirements. The committee must be sure that the department has good process design for detecting, capturing and effectively responding to fraud risks.
- management has developed risk management capability in the department and if key roles, responsibilities and authorities about risk management are clearly articulated.
In fulfilling its review of the appropriateness of the department’s system of risk oversight and management, the committee will give written advice to the secretary. The advice will cover the committee’s view of the appropriateness of the department’s system of risk oversight and management. It will also identify any areas of concern and suggestions for improvement. The advice given will relate to the Commonwealth Risk Management Policy.
System of internal control
The committee will review the appropriateness of the system of internal control for the department, to comply with subsection 17(2)(d) of the Rule.
In undertaking this function, the committee will consider:
- internal control framework:
  - management's approach to maintain an effective internal control framework and if processes are in place to assess if key policies and procedures are complied with
  - if management has relevant policies and procedures in operation. For example, accountable authority instructions, delegations/authorisations, a business continuity management plan or bullying and harassment policies.
- legislative and policy compliance:
  - the effectiveness of systems for monitoring the department’s compliance with laws, regulations and associated government policies with which the department must comply
  - if management has adequately considered legal and compliance risks as part of the department’s enterprise risk management framework and fraud control framework
- security compliance:
  - management’s approach to maintaining an effective internal security system and information, communication and technology security policy (including complying with the Protective Security Policy Framework)
- internal audit coverage:
  - ensure that the coverage considers the department’s primary risks, and recommend approval of the internal audit work plan by the secretary
  - give advice to the secretary on major concerns identified in internal audit reports and recommend action on significant matters raised. This includes finding and sharing information on good practice.
  - periodically reviewing the performance of internal audit
- ethical and lawful conduct:
  - assess if management has taken steps to embed a culture that promotes the proper use and management of public resources and ethical and lawful conduct
- business continuity:
  - decide if the approach to set up business continuity planning arrangements is sound and effective. This includes if business continuity and disaster recovery plans have been periodically updated and tested.
- parliamentary committee reports and external audit and reviews:
  - decide that the department has appropriate mechanisms for reviewing relevant parliamentary committee reports, external reports (Auditor-General, Joint Committee of Public Accounts and Audit (JCPAA) and royal commissions etc.)
  - reviewing the adoption of agreed recommendations from ANAO audits or JCPAA and other parliamentary committee reports directed to the department.
The committee will give written advice to the secretary on the appropriateness of the department’s internal control system. It will also identify any areas of concern and suggestions for improvement.
Membership
Composition
Consistent with subsection 17(4) of the Rule, a majority of members must be persons who are not officials of any Commonwealth entity.
The committee consists of:
- a minimum of 3 members who have appropriate qualifications, knowledge, skills or experience to help the committee to perform its functions. They cannot be officials of the department.
- up to 2 Australian Public Service (APS) senior executive service level members external to the department.
Up to 2 departmental advisors will support the committee.
The committee chair, in consultation with the secretary, will appoint the deputy chair, who may act in the chair’s absence.
Selection and appointment
The identification and selection of members and departmental advisors is at the discretion of the secretary, in consultation with the chair.
The secretary, in consultation with the chair, will have regard to the collective knowledge, skills and experience the committee needs to fulfil its responsibilities under this charter.
The accountable authority appoints members and decides their term length. The accountable authority appoints a member as chair.
Skills and knowledge
Consistent with subsection 17(3) of the Rule, members will collectively have a broad range of knowledge, skills and experience relevant to department operations. This includes its information technology environment.
All members should be conversant with financial management reporting and at least one member must have:
- accounting or related financial management experience or qualifications, and a full understanding of accounting and auditing standards
- ICT-related experience or qualifications, and a full understanding of ICT risk management.
Departmental advisors should collectively contribute knowledge of the breadth of the department’s business and its operating context. Departmental advisors will receive all papers and attend all meetings.
Remuneration
Independent committee members will receive remuneration at a level that reflects the:
- skills and expertise the member brings to the committee
- time needed for meeting preparation, attendance at meetings and interaction with management outside of committee meetings.
The members from other Commonwealth entities will not receive remuneration.
Observers
Consistent with subsection 17(5) of the Rule and the department’s governance structure, certain members of the department cannot be members of the committee. However, they may attend meetings as observers.
This includes the:
- secretary
- chief financial officer
- chief information officer
- chief internal auditor
- chief operating officer
- general counsel.
Representatives from the ANAO and external providers of internal audit services will not be members of the committee. However, they may attend relevant committee meetings (in whole or in part) as observers, as determined by the chair or by the committee.
Observers may, as determined by the chair or by the committee, receive copies of committee papers, as appropriate.
At the chair's discretion, internal staff or external parties may attend meetings (in whole or in part) as invited guests.
Independence
The committee is directly accountable to the secretary for the performance of its functions.
The committee has no executive powers over the operations of the department. The committee may only review the appropriateness of aspects of those operations, consistent with its functions, and advise the secretary accordingly.
The secretary and officials of the department have responsibility for the appropriateness of the department's:
- financial reporting
- performance reporting
- system of risk oversight and management
- system of internal control.
Conflict of interest
Members of the committee and its sub-committees must declare in writing any actual, perceived or potential conflict of interest relating to their responsibilities. Members must submit their declaration to the secretary on engagement and each following year.
Members should consider past employment, consultancy arrangements and related party issues in their declarations. The secretary must be satisfied that the committee has sufficient processes in place to manage any actual, perceived or potential conflict.
Members must declare any actual, perceived or potential conflict of interest that may apply to specific matters on the meeting agenda. Members must declare this at the beginning of each committee or sub-committee meeting. Where needed, the chair will excuse the member from the meeting or from the committee’s consideration of the relevant agenda item(s).
The minutes will reflect the details of actual, perceived or potential conflicts of interest declared by members of the committee and its sub-committees. They will also cover actions taken by the members or committees.
The chair, in consultation with the deputy chair, will manage any conflicts of interest.
If the chair has an actual, perceived or potential conflict, they must declare it to the secretary before the meeting starts. In the secretary’s absence, the chair can declare it to the deputy secretary with responsibility for governance matters.
Authority
The secretary authorises the committee in performing its functions to:
- seek any information it needs from:
  - any official of the department
  - external parties, including the ANAO (subject to any legal obligation to protect information)
- request legal or other professional advice at the department’s expense:
  - as considered necessary to meet its responsibilities
  - subject to approval by the appropriate delegate
- request the attendance of any official of the department at meetings, as appropriate
- request the attendance of a committee member, as selected by the Audit and Risk Committee, at internal committee meetings in the department (as an observer), as appropriate.
The secretary directs officials of the department to cooperate with the committee.
Sub-committees
The committee, in consultation with the secretary, may create sub-committees to help it meet its responsibilities. It can appoint a member of the committee as the chair of the sub-committee.
The committee will approve and document the responsibilities, membership and reporting arrangements for each sub-committee. Sub-committees are to develop their own terms of reference, which the committee will review annually.
The actions of the sub-committee will be reported to the committee at each meeting. The chair of the committee will report any matter deemed important to the secretary.
Meetings
The committee will meet at least 4 times per year, or more often if needed. The committee may hold special meetings to review the department's annual financial statements and annual performance statements or to meet other specific committee responsibilities.
The chair:
- will call a meeting if requested to do so by the secretary
- may call a meeting if requested by another committee member.
A quorum for any committee meeting will be 3 members, one of whom must be the chair or the deputy chair. All committee members must attend each meeting in person or remotely. Attendance reporting follows legislative obligations.
Secretariat
In accordance with this charter, the department will give secretariat services to the committee as determined by the secretary. The secretariat will make sure:
- the chair approves the agenda for each meeting
- the agenda and supporting papers circulate, where possible, at least one week before the meeting
- the minutes of the meeting are prepared and maintained.
The chair and members must receive the minutes in a timely manner for review. Committee advisors and observers must also receive the minutes at the next meeting of the committee.
Reporting
The chair will report to the secretary after each meeting. The secretary must immediately receive reports on any matter deemed of sufficient importance.
The committee will, as often as necessary, and at least once a year, report to the secretary on its operation and activities during the year.
Review of functions
The chair of the committee will initiate a performance review of the committee and any sub-committees at least once every 2 years. The secretary will receive the outcomes of this assessment.
The committee will review the appropriateness of this charter at least annually. The secretary will receive outcomes of this review.
Disclosure and use of information
Committee members must not use or disclose information obtained by the committee except in meeting the committee’s responsibilities, or unless agreed by the secretary.