The Audit and Risk Committee provides independent advice to the Chief Executive on the Agency’s accountability and control framework, including independently verifying and safeguarding the integrity of the entity’s financial and performance reporting.
Background
The Chief Executive of the Australian Financial Security Authority (the Agency) has established the Audit and Risk Committee in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).
Objective
The objective of the Audit and Risk Committee is to provide independent advice to the Chief Executive on the appropriateness of the Agency’s financial and performance reporting, system of risk oversight and management, and system of internal control.
Functions
Section 17 of the PGPA Rule establishes mandatory functions for an audit committee:
Functions of the Audit Committee
- The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee for the entity.
- The functions must include reviewing the appropriateness of the accountable authority’s:
  - financial reporting; and
  - performance reporting; and
  - system of risk oversight and management; and
  - system of internal control;
  for the entity.
Consistent with subsection 17(2) of the PGPA Rule, the Chief Executive has determined that the functions of the Audit and Risk Committee are to review and give independent advice about the appropriateness of the Agency’s:
a) financial reporting – including providing a written advice to the Chief Executive as to whether:
- the annual financial statements, in the committee’s view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance;
- additional entity information (other than financial statements) required by the Department of Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package) complies with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance; and
- the Agency’s financial reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
b) performance reporting – including providing written advice to the Chief Executive as to whether:
- the approach to developing performance information is appropriate, including compliance with mandatory requirements of the PGPA Act and PGPA Rule;
- performance information included in the Portfolio Budget Statements is appropriate;
- performance information included in the Corporate Plan is appropriate;
- annual performance statements are appropriate and comply with the PGPA Act and Rule; and
- performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
c) system of risk oversight and management – including providing written advice to the Chief Executive as to whether:
- the Agency’s systems for risk oversight and risk management as a whole, including the approach to managing key risks and project and program risks, are appropriate, with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement; and
- the Agency’s fraud control arrangements are appropriate, and the Agency has implemented appropriate processes and systems to detect, capture and effectively respond to fraud risks consistent with the Commonwealth Fraud Control Framework.
d) system of internal control – including providing written advice to the Chief Executive in relation to the appropriateness of the Agency’s systems for internal control, with reference to any specific areas of concern or suggestions for improvement. This would consider:
- the Agency’s overall control environment, as reflected in its governance and risk management, including whether relevant processes and policies are in place;
- the Agency’s arrangements to ensure legislative and policy compliance and to meet the requirements of the Protective Security Policy Framework;
- internal audit resourcing and coverage in relation to the Agency’s key risks, and recommending approval of the Annual Internal Audit Work Program by the Chief Executive;
- internal and external audit reports, providing advice to the Chief Executive about significant issues identified, and monitoring the implementation of agreed actions;
- business continuity planning arrangements including whether business continuity and disaster recovery plans are appropriate and periodically updated and tested;
- controls for the access, security and provision of ICT services, including cyber security controls;
- steps taken by management to embed a culture of ethical and lawful behaviour; and
- mechanisms to review relevant Parliamentary Committee reports and external reviews and recommendations from these.
As far as is practicable, the Audit and Risk Committee should indicate which matters it will consider during any given year in a forward plan, noting that it may consider other or additional matters in response to changes in the Agency’s operations and environment.
Authority
The Chief Executive authorises the Audit and Risk Committee, within the scope of its role and responsibilities, to:
- obtain any information it needs from any official or external party (subject to their legal obligation to protect information) to meet its objective;
- discuss any matters with the external auditor, internal audit service provider or other external parties (subject to confidentiality considerations);
- request the attendance of any official, including the Chief Executive, at Audit and Risk Committee meetings; and
- obtain external legal or other professional advice (e.g. external advisors or other parties), as considered necessary to meet its responsibilities, at the Agency’s expense.
Membership
Section 17 of the PGPA Rule establishes the following requirements in relation to membership of an Audit Committee:
Membership of the Audit Committee
- The audit committee must consist of at least 3 persons who have appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions.
- On and after 1 July 2021, the members of the audit committee must:
  - for a non-corporate Commonwealth entity, all be persons who are not officials of the entity; and a majority of the members must be persons who are not officials of any Commonwealth entity.
- Despite subsections (3) and (4), the following persons must not be a member of the audit committee:
  - the accountable authority or, if the accountable authority has more than one member, the head (however described) of the accountable authority;
  - the Chief Financial Officer (however described) of the entity;
  - the Chief Executive Officer (however described) of the entity.
The Audit and Risk Committee will consist of at least three independent members appointed by the Chief Executive.
Audit and Risk Committee members will be appointed for an initial period determined by the Chief Executive. Members may be re-appointed after a formal review of their performance for further periods as specified by the Chief Executive.
Consistent with subsection 17(3) of the PGPA Rule, the members of the Audit and Risk Committee, taken collectively, will have a broad range of knowledge, skills and experience relevant to the operations of the Agency, including its information technology environment. All members should be conversant with financial management reporting, and at least one member of the Audit and Risk Committee should have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards.
The Chief Executive will appoint the Chair of the Audit and Risk Committee. The Chair of the Committee is authorised to appoint a Deputy Chair, who will act as Chair in the absence of the Chair.
Members will be supported at meetings by one or more Senior Advisors with standing invitations issued by the Chair. Senior Advisors will be appointed by the Chief Executive and will be senior members of the AFSA executive. Senior Advisors will receive all papers, attend all meetings and attend any in camera discussions.
Representatives from the Australian National Audit Office (the ANAO) and internal audit will not be members of the Audit and Risk Committee; however, they may attend relevant Audit and Risk Committee meetings (in whole or in part) as observers, as determined by the Chair.
The Audit and Risk Committee will meet separately with both the internal and external auditors at least once a year.
The Chief Executive may be invited to attend Audit and Risk Committee meetings to participate in specific discussions or provide strategic briefings to the Audit and Risk Committee. Other advisors from management of the Agency, including the DCEO, COO, CAE, CFO and CIO, may attend all or part of the meeting to provide advice to the Committee as determined by the Chair.
Induction
New members will receive relevant information and briefings on their appointment to assist them to meet their Committee responsibilities. Members will be required to hold a relevant security clearance as determined by the Agency.
Independence
The Audit and Risk Committee is directly accountable to the Chief Executive for the performance of its functions.
The Audit and Risk Committee has no executive powers in relation to the operations of the Agency. The Audit and Risk Committee may only review the appropriateness of particular aspects of those operations, consistent with its functions, and advise the Chief Executive accordingly.
Responsibility for the appropriateness of the Agency’s financial reporting, performance reporting, system of risk oversight and management, and system of internal control rests with the Chief Executive and officials of the Agency.
Members with a conflict of interest will notify the Audit and Risk Committee as soon as these issues become apparent. Any member with a conflict of interest will absent themselves from discussions about relevant matters.
Meetings and quorum
The Audit and Risk Committee will meet at least four times per year, and more often if required. Special meetings may be held to review the Agency’s annual financial statements and annual performance statements or to meet other specific responsibilities of the Audit and Risk Committee.
The Chair will call a meeting if requested to do so by the Chief Executive, and may call a meeting if requested by another Audit and Risk Committee member.
A quorum for any Audit and Risk Committee meeting will be two members.
Reporting
The Chair will report to the Chief Executive after each meeting. Any matter deemed of sufficient importance will be reported to the Chief Executive immediately.
The Audit and Risk Committee will, as often as necessary, and at least once a year, provide a written report to the Chief Executive on its operation and activities during the year.
Information required to be disclosed about the Audit and Risk Committee and its members will be included in the annual report. The Secretariat will liaise with members where necessary to obtain this information.
Secretariat
The Chief Executive will provide resources for secretariat support to the Audit and Risk Committee. The Secretariat will ensure the agenda for each meeting and supporting papers are circulated, after approval from the Chair, at least one week before the meeting, and ensure the minutes of the meetings are prepared and maintained. Minutes must be approved by the Chair and circulated within two weeks of the meeting to each member and to observers, as appropriate.
Conflicts of interest
Once a year, Audit and Risk Committee members will provide written declarations to the Chair for provision to the Chief Executive declaring any potential or actual conflicts of interest they may have in relation to their responsibilities.
Audit and Risk Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.
Review of performance
The Chair will initiate a review of the performance of the Audit and Risk Committee at least once every two years. The outcomes of this assessment will be reported to the Chief Executive.
Review of the Audit and Risk Committee Charter
At least once a year the Audit and Risk Committee will review this charter.
Any changes to the Audit and Risk Committee Charter will be recommended by the Audit and Risk Committee and formally approved by the Chief Executive.