Audit and Risk Committee

Context

The Chief Executive of the Australian Financial Security Authority (the Agency) has established the Audit and Risk Committee in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

Section 17 of the PGPA Rule establishes mandatory functions for an audit committee:

“Functions of the Audit Committee

  1. The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee for the entity.
  2. The functions must include reviewing the appropriateness of the accountable authority's:
    1. financial reporting, and
    2. performance reporting, and
    3. system of risk oversight and management, and
    4. system of internal control
    for the entity.”

Role

The objective of the Audit and Risk Committee is to provide independent advice to the Chief Executive on the appropriateness of the Agency's financial and performance reporting, system of risk oversight and management, and system of internal control.

Responsibilities and Scope

Consistent with subsection 17(2) of the PGPA Rule, the Chief Executive has determined that the functions of the Audit and Risk Committee are to review and give independent advice about the appropriateness of the Agency's:

  1. Financial reporting - including providing written advice to the Chief Executive as to whether:
    • The annual financial statements, in the committee's view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance;
    • Additional entity information (other than financial statements) required by the Department of Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package) complies with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance; and
    • The Agency's financial reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
  2. Performance reporting - including providing written advice to the Chief Executive as to whether:
    • The approach to developing performance information is appropriate, including compliance with mandatory requirements of the PGPA Act and PGPA Rule;
    • Performance information included in the Portfolio Budget Statements is appropriate;
    • Performance information included in the Corporate Plan is appropriate;
    • Annual performance statements are appropriate and comply with the PGPA Act and Rule; and
    • Performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
  3. System of risk oversight and management - including providing written advice to the Chief Executive as to whether:
    • The Agency's systems for risk oversight and risk management as a whole, including the approach to managing key risks, project and program risks, are appropriate, with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement; and
    • The Agency's fraud control arrangements are appropriate, and the Agency has implemented appropriate processes and systems to detect, capture and effectively respond to fraud risks consistent with the Commonwealth Fraud Control Framework.
  4. System of internal control - including providing written advice to the Chief Executive in relation to the appropriateness of the Agency's systems for internal control, with reference to any specific areas of concern or suggestions for improvement. This would consider:
    • The Agency’s overall control environment, as reflected in its governance, risk management, and assurance arrangements, including whether relevant processes and policies are in place;
    • The Agency’s arrangements to ensure legislative and policy compliance;
    • Compliance with the requirements of the Protective Security Policy Framework;
    • Internal audit resourcing and coverage in relation to the Agency's key risks, and recommending approval of the Annual Internal Audit Work Program by the Chief Executive;
    • Internal and external audit reports, providing advice to the Chief Executive about significant issues identified, and monitoring the implementation of agreed actions;
    • Business continuity planning arrangements including whether business continuity and disaster recovery plans are appropriate and periodically updated and tested;
    • Controls for the access, security and provision of ICT services, including cyber security controls;
    • Steps taken by management to embed a culture of ethical and lawful behaviour; and
    • Mechanisms to review relevant Parliamentary Committee reports and external reviews and recommendations from these.

As far as is practicable, the Audit and Risk Committee should indicate which matters it will consider during any given year in a forward plan, noting that it may consider other or additional matters in response to changes in the Agency's operations and environment.

Authority

The Audit and Risk Committee is directly accountable to the Chief Executive for the performance of its functions.

The Chief Executive authorises the Audit and Risk Committee, within the scope of its role and responsibilities, to:

  • Obtain any information it needs from any official or external party (subject to their legal obligation to protect information) to meet its objective;
  • Discuss any matters with the external auditor, internal audit service provider or other external parties (subject to confidentiality considerations);
  • Request the attendance of any official, including the Chief Executive, at Audit and Risk Committee meetings; and
  • Obtain external legal or other professional advice (e.g. external advisors or other parties), as considered necessary to meet its responsibilities, at the Agency's expense.

The Audit and Risk Committee has no executive powers in relation to the operations of the Agency. The Audit and Risk Committee may only review the appropriateness of aspects of those operations consistent with its functions, and advise the Chief Executive accordingly.

Responsibility for the appropriateness of the Agency's financial reporting, performance reporting, system of risk oversight and management, and system of internal control rests with the Chief Executive and officials of the Agency. 

Membership and Expertise on the Committee

Section 17 of the PGPA Rule establishes the requirements in relation to membership of an Audit Committee.

The Audit and Risk Committee will consist of at least three independent members appointed by the Chief Executive.

Audit and Risk Committee members will be appointed for an initial period determined by the Chief Executive. Members may be re-appointed after a formal review of their performance for further periods as specified by the Chief Executive.

Consistent with subsection 17(3) of the PGPA Rule, the members of the Audit and Risk Committee, taken collectively, will have a broad range of knowledge, skills and experience relevant to the operations of the Agency, including its information technology environment. All members should be conversant with financial management reporting, and at least one member of the Audit and Risk Committee should have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards. Membership will consider the government’s diversity targets and AFSA’s diversity strategy.

The Chief Executive will appoint the Chair of the Audit and Risk Committee. The Chair of the Committee is authorised to appoint a Deputy Chair, who will act as Chair in the absence of the Chair.

Members will be supported at meetings by one or more Senior Advisors with standing invitations issued by the Chair. Senior Advisors will be appointed by the Chief Executive and will be senior members of the AFSA executive. Senior Advisors will receive all papers, attend all meetings and attend any in camera discussions.

Representatives from the Australian National Audit Office (the ANAO) and internal audit will not be members of the Audit and Risk Committee; however, they may attend relevant Audit and Risk Committee meetings (in whole or in part) as observers, as determined by the Chair.

The Audit and Risk Committee will meet separately with both the internal and external auditors at least once a year.

The Chief Executive may be invited to attend Audit and Risk Committee meetings to participate in specific discussions or provide strategic briefings to the Audit and Risk Committee. Other advisors from management of the Agency, including the DCEO, COO, CAE, CFO and CIO, may attend all or part of the meeting to provide advice to the Committee as determined by the Chair.

Operation of the Committee

Meeting schedule and details

The Audit and Risk Committee will meet at least four times per year, and more often if required. Special meetings may be held to review the Agency’s annual financial statements and annual performance statements or to meet other specific responsibilities of the Audit and Risk Committee.

The Chair will call a meeting if requested to do so by the Chief Executive, and may call a meeting if requested by another Audit and Risk Committee member.

Quorum

A quorum for any Audit and Risk Committee meeting will be two members.

Secretariat

The Chief Executive will provide resources to provide secretariat support to the Audit and Risk Committee. The Secretariat will ensure the agenda for each meeting and supporting papers are circulated, after approval from the Chair, at least one week before the meeting, and ensure the minutes of the meetings are prepared and maintained.

The secretariat will provide a clear record of meetings, minutes, decisions, and actions made at each meeting.

Any papers requiring a decision between scheduled meetings are only to be circulated out of session with the consent of the Chair. Approval from the Chair must also be sought prior to circulating papers for noting out-of-session (unless previously discussed and agreed at a meeting).

Where it is appropriate, meeting dates should be added to the upcoming events and activities section on AFSAnet by the Secretariat.

Minutes

Draft minutes must be approved by the Chair and circulated within two weeks of the meeting to each member and observers, as appropriate.

Minutes of the preceding meeting will be confirmed at each meeting, which includes a review of the action items outstanding.

Reporting and Communications

The Chair will report to the Chief Executive after each meeting. Any matter deemed of sufficient importance will be reported to the Chief Executive immediately.

The Audit and Risk Committee will, as often as necessary, and at least once a year, provide a written report to the Chief Executive on its operation and activities during the year.

Information relating to disclosure of the Audit and Risk Committee and its members will be included in the annual report. The Secretariat will liaise with members where necessary to obtain this information.

Following each Audit and Risk Committee meeting, a summary of matters discussed will be provided to the Executive Committee. This will be developed by the Secretariat drawing from the approved minutes and may also involve a briefing from the Chair of the Committee.

Induction

New members will receive relevant information and briefings on their appointment to assist them to meet their Committee responsibilities. Members will be required to hold a relevant security clearance as determined by the Agency.

Conflict of Interest Management

To the extent possible, Audit and Risk Committee members should avoid interests that conflict, or could be seen to conflict, with the role and independence of the Audit and Risk Committee.

Once a year, Audit and Risk Committee members will provide written declarations to the Chair for provision to the Chief Executive declaring any potential or actual conflicts of interest they may have in relation to their responsibilities.

Audit and Risk Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.

Members with a conflict of interest will notify the Audit and Risk Committee Chair as soon as these issues become apparent. Any member with a conflict of interest will absent themselves from discussions about relevant matters.

Review of Performance

The Chair will initiate a review of the performance of the Audit and Risk Committee at least once every two years. The outcomes of this assessment will be reported to the Chief Executive.

Review of the Charter

At least once a year the Audit and Risk Committee will review this Charter. A review of the Charter may also be initiated at any time by the Chief Executive.

Any changes to the Audit and Risk Committee Charter will be recommended by the Audit and Risk Committee and formally approved by the Chief Executive.