AUDIT AND RISK COMMITTEE CHARTER
The Chief Executive Officer (CEO) has established an Audit and Risk Committee in accordance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). The Audit and Risk Committee will provide independent advice to the CEO on the appropriateness of the AOFM’s: financial and performance reporting; risk oversight and management; internal control environment; and governance arrangements (including code of conduct).
The committee is not responsible for the executive management of these functions.
EXCLUSIONS FROM AUDIT AND RISK COMMITTEE REMIT
Responsibility for approving detailed debt management, investment and financial risk policies rests with the Secretary to the Treasury. The Secretary’s responsibilities include setting policy and operational limits with respect to credit, interest rate and liquidity risk. The committee should not overlap with the policy role of the Secretary.
The CEO authorises the committee, consistent with its Responsibilities and Functions, to obtain information from, hold discussions with, or request presentations by any official, external party or the external auditors, as it deems necessary to fulfil its objective. Any requests are to be done subject to appropriate legal and confidentiality considerations. The AOFM will meet reasonable expenditure in relation to legal or professional advice, provided the Committee first consults with the Chief Risk and Assurance Officer (CRAO) on the level of anticipated expenditure.
The committee Chair may directly access the Secretary to the Treasury on any audit matter judged to be of sufficient concern.
The Audit and Risk Committee will comprise three independent members, appointed by the CEO.
The CEO will appoint one of the members to be the Chair of the committee.
The members, taken collectively, will have a broad range of skills and experience relevant to the operations of the AOFM. The Audit and Risk Committee should comprise of members who collectively possess:
- Accounting or related financial management experience;
- Risk and performance management experience; and
- Financial markets experience.
The Chair is authorised to appoint a Deputy Chair, who will act as chair when required.
Members shall be appointed for an initial term of three (3) years. Members may be re-appointed for further periods, at the discretion of the CEO.
The CRAO, deemed to have relevant experience to assist the business of the committee, will attend meetings as a permanent advisor.
Individual responsibilities of Audit and Risk Committee members
Members of the committee are expected to understand and observe the legal requirements of the PGPA Act and rules. Members are also expected to:
- Have a sound understanding of the AOFM’s functions, objectives and operational context;
- Act in the best interests of the AOFM;
- Apply objectivity, sound analytical skills, and sound judgment in meeting the committee’s objective;
- Express opinions constructively and openly, raise issues that relate to the committee’s responsibilities and pursue independent lines of enquiry; and
- Contribute the time required to meet their responsibilities.
RESPONSIBILITIES AND FUNCTIONS
- Review the appropriateness of the financial statements and provide advice to the CEO on matters including compliance with the PGPA Framework and Accounting standards.
- Review whether there is a current and comprehensive financial reporting framework and associated procedures for effective internal control (including appropriate management sign-offs), management responses to audit recommendations and adjustments, and compliance with relevant accounting standards, laws or regulations; and
- Review the annual financial statements and recommend signing of the financial statements by the CEO.
- Satisfy itself that the approach to measuring performance covers the whole performance reporting lifecycle and sufficiently addresses the AOFM’s performance measurement and assessment, and has taken into account guidance issued by the Department of Finance and the ANAO;
- Consider the appropriateness, with reference to the Commonwealth’s performance reporting framework, of the processes that the AOFM has in place for the preparation of its annual Performance Statement and the inclusion of the Statement in its annual report;
- Satisfy itself that the AOFM has processes in place to ensure that the AOFM’s proposed Performance Statement is not inconsistent with its financial information, including the financial statements; and
- Provide advice to the CEO about the appropriateness of the AOFM’s performance information.
System of risk oversight and management
- Satisfy itself as to whether management has in place a current and comprehensive Enterprise Risk Management (ERM) framework and that this is consistent with the committee’s understanding of the AOFM’s operating context and the Commonwealth Risk Management Policy;
- Determine whether the ERM framework has been utilised in managing the AOFM’s major risks and identifying the prospect of emerging risks, including those associated with individual projects, program implementation, legal obligations and other business process activities;
- Determine whether an effective approach has been followed in establishing the AOFM’s business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested;
- Consider the impact of the entity’s culture and performance management on risk management outcomes (and internal control); and
- Review the adequacy and performance of the AOFM’s fraud control arrangements and enquire of management, the internal auditor and the external auditor whether they are aware of any actual, suspected or alleged fraud or corruption affecting the entity and how they responded to such instances.
- Provide advice to the CEO about the appropriateness of the AOFM’s system of risk oversight and management.
System of internal control
Internal control framework
- Provide advice to the CEO on the appropriateness of the internal control framework;
- Review whether AOFM’s approach to maintaining an effective internal control framework is effective, including for critical business processes, contract management, business continuity, delegations, and lawful conduct;
- Review the AOFM’s assurance map and strategy to assess whether planned assurance activities ensure key obligations, policies and procedures are complied with, and to identify gaps or inefficiencies in assurance activities; and
- Review the adequacy and performance of the AOFM’s protective security arrangements (Governance, Information Security, Physical Security and Personnel Security).
Legislative and policy compliance
- Review the effectiveness of the AOFM’s systems for monitoring compliance and other assurance activities regarding relevant laws, regulations and associated government policies; and
- Review reports on compliance from the AOFM’s Assurance Manager regarding breaches of legislative or policy compliance, the status of any ongoing remedial activities and any changes to risks of the AOFM.
Internal audit coverage
- Review the proposed internal audit coverage regarding its alignment with the AOFM’s key risks, and recommend approval of the Annual Work Plan by the CEO;
- Provide advice to the CEO on the allocation of internal audit resources (topics) either through review of the annual internal audit plan and/or requests for specific topics;
- Review all audit reports and provide advice to the CEO on significant issues identified in audit reports and action to be taken on issues raised;
- Monitor management’s implementation of internal audit recommendations;
- Review internal audit’s annual report on the overall state of the AOFM’s internal controls;
- Periodically review the internal audit charter to ensure appropriate authority, access and reporting arrangements are in place;
- Annually review the performance of internal audit; and
- Meet privately with Internal Audit at least once per year.
External audit coverage
- Review all external audit plans and reports in respect of planned or completed audits;
- Monitor management’s response to and implementation of audit recommendations;
- Provide advice to the CEO on action to be taken on significant issues raised in relevant external audit reports; and
- Meet privately with External Audit at least once per year.
The committee will report to the CEO annually on its operation and activities during the year to confirm to the CEO that all responsibilities and functions outlined in this charter have been satisfactorily addressed.
This will be in the form of an annual written statement outlining the committee’s view of the appropriateness of the AOFM’s financial reporting, performance reporting, system of internal control and risk oversight and management, with reference to the responsibilities and functions outlined in this charter.
The committee may, at any time, report to the CEO any other matter it deems of sufficient importance to do so. In addition, at any time an individual committee member may request a meeting with the CEO.
The committee will meet at least four times per year. Special meeting(s) may be convened, at the Chair’s discretion, in consultation with the CEO, to discuss any matter deemed sufficiently significant.
The Chair is required to call a meeting if asked to do so by the CEO or members of the Audit and Risk Committee.
Meeting attendance by non-members
The AOFM Chief Financial Officer (CFO), internal auditor and external auditor may also attend and participate in meetings as observers at the invitation of the Chair. The committee may, at its discretion, deal with issues or agenda items with none, some or all invitees listed in this paragraph. The committee may also ask such invitees to absent themselves from particular discussions.
The CEO may attend as an observer at their own discretion.
The committee will develop a forward Work Plan that includes the dates, and proposed agenda items for each meeting for the forthcoming year, and that covers all the responsibilities outlined in this charter.
A quorum will consist of a majority of committee members. The quorum must always be in place during the meeting.
The Secretariat function is managed by the CRAO, assisted by the Assurance Unit. The Secretariat will:
- ensure the agenda for each meeting is approved by the CEO and Chair;
- ensure that the agenda and supporting papers are circulated, at least one week before the meeting;
- ensure the minutes of the meetings are prepared and maintained; and
- follow up on actions agreed during the meeting.
Minutes must be reviewed by the Chair and circulated in a timely manner to each member.
Conflicts of interest
Once each year at the last Audit and Risk committee meeting of the calendar year, members of the committee will provide written declarations through the Chair, to the CEO declaring any potential or actual conflicts of interest they may have in relation to their responsibilities. Members should consider past employment, consultancy arrangements and related party issues in making these declarations and the CEO, in consultation with the Chair, should be satisfied that there are sufficient processes in place to manage any actual or apparent conflict.
At the beginning of each committee meeting, members are required to declare any potential or actual conflicts of interest that may apply to specific matters on the meeting agenda. Where required by the Chair, the member will be excused from the meeting or from the committee’s consideration of the relevant agenda item(s). The Chair is also responsible for deciding, in consultation with the CEO where appropriate, if he/she should excuse themselves from the meeting or from the committee’s consideration of the relevant agenda item(s). Details of potential or actual conflicts of interest declared by the Chair and other members, and action taken, will be appropriately recorded in the minutes.
New members will receive relevant information and briefings on their appointment to assist them to meet their committee responsibilities.
The Chair of the committee, in consultation with the CEO, will initiate a review of the performance of the committee biennially. The review will be conducted on a self-assessment basis (unless otherwise determined by the CEO) with appropriate input sought from the CEO, committee members, and any other relevant stakeholders, as determined by the CEO.
The committee will review this charter at least once per financial year. This review will include consultation with the CEO.
Any substantive changes to the charter will be recommended by the committee and formally approved by the CEO.