The Chief Executive of the Australian Financial Security Authority (the Agency) has established the Audit and Risk Committee in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).
The objective of the Audit and Risk Committee is to provide independent advice to the Chief Executive on the appropriateness of the Agency’s financial and performance reporting responsibilities, risk oversight and management, and system of internal control.
Section 17 of the PGPA Rule establishes mandatory functions for an audit committee:
Functions of the Audit Committee
(1) The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee for the entity.
(2) The functions must include reviewing the appropriateness of the accountable authority’s:
Consistent with subsection 17(2) of the PGPA Rule, the Chief Executive has determined that the functions of the Audit and Risk Committee are to review and give independent advice about the appropriateness of the Agency’s:
a) financial reporting – including providing written advice to the Chief Executive as to whether:
- the annual financial statements, in the committee’s view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance;
- additional entity information (other than financial statements) required by Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package) complies with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance; and
- the Agency’s financial reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
b) performance reporting – including the framework for developing and reporting key performance indicators for inclusion in the Agency’s Portfolio Budget Statements, corporate plan and annual performance statements. The Committee will provide written advice to the Chief Executive as to whether the Agency’s:
- annual performance statements are appropriate and comply with the PGPA Act and Rule; and
- performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
c) system of risk oversight and management – including providing written advice to the accountable authority as to whether:
- the Agency’s systems for risk oversight and risk management as a whole are appropriate, with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement; and
- the process for implementing the Agency’s fraud control arrangements is sound, and the Agency has appropriate processes and systems in place to detect, capture and effectively respond to fraud risks.
d) system of internal control – including considering:
- the Agency’s overall control environment, as reflected in its governance, risk management, and assurance arrangements;
- the Agency’s arrangements to ensure legislative and policy compliance and to meet the requirements of the Protective Security Policy Framework;
- internal audit resourcing and coverage in relation to the Agency’s key risks, and recommending approval of the Annual Internal Audit Work Program by the Chief Executive;
- internal and external audit reports, providing advice to the Chief Executive about significant issues identified, and monitoring the implementation of agreed actions; and
- providing written advice to the Chief Executive in relation to the appropriateness of the entity’s systems for internal control, with reference to any specific areas of concern or suggestions for improvement.
As far as is practicable, the Audit and Risk Committee should indicate which matters it will consider during any given year in a forward plan, noting that it may consider other or additional matters in response to changes in the Agency’s operations and environment.
The Chief Executive authorises the Audit and Risk Committee, within the scope of its role and responsibilities, to:
- obtain any information it needs from any official or external party (subject to their legal obligation to protect information) to meet its objective;
- discuss any matters with the external auditor, internal audit service provider or other external parties (subject to confidentiality considerations);
- request the attendance of any official, including the Chief Executive, at Audit and Risk Committee meetings; and
- obtain external legal or other professional advice (e.g. external advisors or other parties), as considered necessary to meet its responsibilities, at the Agency’s expense.
Section 17 of the PGPA Rule establishes the following requirements in relation to membership of an Audit Committee:
Membership of the Audit Committee
(3) The audit committee must consist of at least 3 persons who have appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions.
(4) On and after 1 July 2021, the members of the audit committee must:
(5) Despite subsections (3) and (4), the following persons must not be a member of the audit committee:
The Audit and Risk Committee will consist of at least three independent members appointed by the Chief Executive.
Audit and Risk Committee members will be appointed for an initial period determined by the Chief Executive. Members may be re-appointed after a formal review of their performance for further periods as specified by the Chief Executive.
Consistent with subsection 17(3) of the PGPA Rule, the members of the Audit and Risk Committee, taken collectively, will have a broad range of knowledge, skills and experience relevant to the operations of the Agency, including its information technology environment. All members should be conversant with financial management reporting, and at least one member of the Audit and Risk Committee should have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards.
The Chief Executive will appoint the Chair of the Audit and Risk Committee. The Chair of the Committee is authorised to appoint a Deputy Chair, who will act as Chair in the absence of the Chair.
Members will be supported at meetings by one or more Senior Advisors with standing invitations issued by the Chair. Senior Advisors will be appointed by the Chief Executive and will be senior members of the AFSA executive. Senior Advisors will receive all papers, attend all meetings and attend any in camera discussions.
Representatives from the Australian National Audit Office (the ANAO) and internal audit will not be members of the Audit and Risk Committee but may attend relevant Audit and Risk Committee meetings (in whole or in part) as observers, as determined by the Chair.
The Audit and Risk Committee will meet separately with both the internal and external auditors at least once a year.
The Chief Executive may be invited to attend Audit and Risk Committee meetings to participate in specific discussions or provide strategic briefings to the Audit and Risk Committee. Other advisors from management of the Agency, including the DCEO, COO, CAE, CFO and CIO, may attend all or part of the meeting to provide advice to the Committee as determined by the Chair.
New members will receive relevant information and briefings on their appointment to assist them to meet their Committee responsibilities. Members will be required to hold a relevant security clearance as determined by the Agency.
The Audit and Risk Committee is directly accountable to the Chief Executive for the performance of its functions.
The Audit and Risk Committee has no executive powers in relation to the operations of the Agency. The Audit and Risk Committee may only review the appropriateness of particular aspects of those operations, consistent with its functions, and advise the Chief Executive accordingly.
Responsibility for the appropriateness of the Agency’s financial reporting, performance reporting, system of risk oversight and management, and system of internal control rests with the Chief Executive and officials of the Agency.
Members with a conflict of interest will notify the Audit and Risk Committee as soon as these issues become apparent. Any member with a conflict of interest will absent themselves from discussions about relevant matters.
Meetings and quorum
The Audit and Risk Committee will meet at least four times per year, and more often if required. Special meetings may be held to review the Agency’s annual financial statements and annual performance statements or to meet other specific responsibilities of the Audit and Risk Committee.
The Chair will call a meeting if requested to do so by the Chief Executive, and may call a meeting if requested by another Audit and Risk Committee member.
A quorum for any Audit and Risk Committee meeting will be two members, one of whom must be the Chair or the Deputy Chair (if appointed).
The Chair will report to the Chief Executive after each meeting. Any matter deemed of sufficient importance will be reported to the Chief Executive immediately.
The Audit and Risk Committee will, as often as necessary, and at least once a year, provide a written report to the Chief Executive on its operation and activities during the year.
Information relating to disclosure of the Audit and Risk Committee and its members will be included in the annual report. The Secretariat will liaise with members where necessary to obtain this information.
The Chief Executive will provide resources for secretariat support to the Audit and Risk Committee. The Secretariat will ensure the agenda for each meeting and supporting papers are circulated, after approval from the Chair, at least one week before the meeting, and ensure the minutes of the meetings are prepared and maintained. Minutes must be approved by the Chair and circulated within two weeks of the meeting to each member and observers, as appropriate.
Conflicts of interest
Once a year, Audit and Risk Committee members will provide written declarations to the Chair for provision to the Chief Executive declaring any potential or actual conflicts of interest they may have in relation to their responsibilities.
Audit and Risk Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.
Review of performance
The Chair will initiate a review of the performance of the Audit and Risk Committee at least once every two years. The outcomes of this assessment will be reported to the Chief Executive.
Review of the Audit and Risk Committee Charter
At least once a year the Audit and Risk Committee will review this charter. This review will include consultation with the Chief Executive.
Any substantive changes to the Audit and Risk Committee Charter will be recommended by the Audit and Risk Committee and formally approved by the Chief Executive.