Audit and Risk Management Committee Charter
The Commission’s Audit and Risk Management Committee (ARMC) has been established in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 and section 17 of the Public Governance, Performance and Accountability Rule 2014. The full charter for the ARMC is available here:
The ARMC’s role is to provide independent advice to the Commissioner, consistent with the mandatory requirements outlined above. It is not responsible for the executive management of these functions.
The ARMC oversees the Commission’s internal audit function. This function is responsible for delivering an internal audit program in line with the ARMC’s guidance and subject to approval by the Commissioner.
Consistent with the requirements of the PGPA Act, membership consists of 3 external members. Members of the ARMC bring their own knowledge, experience and skills and do not represent any particular interest or part of the Commission.
Development and Purpose of the Audit and Risk Management Committee
- financial reporting
- performance reporting
- systems of risk oversight and management and
- systems of internal control.
This Charter sets out the ARMC's:
- role
- authority
- membership and tenure and
- reporting and administrative arrangements.
The ARMC's administrative arrangements are set out in Attachment A, its functions in Attachment B, and its statutory requirements in Attachment C.
Role
The ARMC's role is to provide independent advice to the Commissioner, consistent with the mandatory requirements as outlined above. The ARMC will also provide assurance on external accountability requirements.
The ARMC is not responsible for the executive management of any functions. The ARMC will constructively engage with management in discharging its responsibilities to the Commissioner.
Members of the ARMC are expected to understand and observe the legal requirements of the PGPA Act and PGPA Rule. Members are also expected to:
- act in the best interests of the APSC as a whole
- apply good analytical skills, objectivity and judgment
- express opinions constructively and openly, raise issues that relate to the ARMC's responsibilities and pursue independent lines of enquiry, and
- contribute the time required to meet their responsibilities.
ARMC members must not use or disclose information obtained by the ARMC except in meeting the ARMC's responsibilities, or unless expressly agreed by the Commissioner.
The ARMC will be assisted by the APSC's internal audit function. This function is responsible for delivering an internal audit program in line with the ARMC's guidance, and subject to approval by the Commissioner. The ARMC will exercise a governance role in relation to the APSC's internal audit function.
Authority
The Commissioner authorises the ARMC, within the scope of its role and responsibilities, to:
- obtain any information it needs from any employee and/or external party (subject to their legal obligation to protect information)
- discuss any matters with the external auditor, or other external parties (subject to confidentiality considerations)
- request the attendance of the Commissioner or any employee at ARMC meetings, and
- obtain legal or other professional advice, as considered necessary to meet its responsibilities, at the APSC's expense.
Membership
The ARMC will consist of at least three members appointed by the Commissioner - PGPA Rule section 17(3). From 1 July 2021, all of the members of the audit committee must be persons who are not officials of the entity; and a majority of the members must be persons who are not officials of any Commonwealth entity. The Commissioner will appoint the Chair of the ARMC.
The Commissioner must not be a member of the ARMC, but may attend meetings as an observer as determined by the Chair - PGPA Rule section 17(5a).
At the discretion of the Chair, the Chief Financial Officer or other APSC official may be offered a standing invitation to attend and participate in discussion at ARMC meetings. The Chief Financial Officer must not, however, be a member of the ARMC (PGPA Rule section 17(5b)).
The members, taken collectively, will have a broad range of skills and experience relevant to the operations of the APSC. At least one member of the ARMC should have broad corporate governance / senior management or financial management experience, with an understanding of accounting and auditing standards in a public sector environment.
Reporting
The ARMC will:
- provide advice to the Commissioner - including whether appropriate action has been taken in response to audit recommendations and adjustments - and recommend the signing of the financial and performance statements by the Commissioner, having regard to advice from the Australian National Audit Office (ANAO) and
- as often as necessary, and at least once a year, report to the Commissioner on its operation and activities during the year. The report should include:
  - a summary of the work the ARMC performed to fully discharge its responsibilities during the preceding year
  - an assessment of the appropriateness of the APSC’s financial reporting, performance reporting, and systems of risk oversight and management and internal control, and
  - details of meetings, including the number of meetings held during the relevant period.
The ARMC may, at any time, report to the Commissioner any other matter it deems of sufficient importance to do so. In addition, at any time an individual ARMC member may request a meeting with the Commissioner.
Peter Woolcott AO
Australian Public Service Commissioner
25 April 2021
Attachment A
Administrative Arrangements
Meetings
The ARMC will meet at least four times per year.
A special meeting may be held to review the APSC's annual financial and performance statements.
The Chair is required to call a meeting if requested to do so by the Commissioner, or another ARMC member.
A forward meeting plan, including meeting dates and agenda items, will be agreed by the ARMC each year. The forward meeting plan will cover the ARMC's responsibilities as detailed in this Charter.
Attendance at meetings and quorums
A quorum will consist of a majority of ARMC members.
Meetings may be held in person, by telephone or by video conference.
Where a majority is not available for a scheduled meeting, the Chair may appoint a substitute member if considered appropriate.
If the Chair is absent from any meeting or part of a meeting, the Commissioner may appoint a temporary Chair or, in the absence of such an appointment, the ARMC will select an internal Member to chair that particular meeting or part.
The internal auditors and representatives of ANAO will be invited to attend each meeting, unless requested not to do so by the Chair of the ARMC. The Chief Financial Officer will usually attend meetings and the ARMC may request the attendance of any APSC employees at particular ARMC meetings or for certain agenda items.
The Commissioner may be invited to attend ARMC meetings to participate in specific discussions or provide strategic briefings to the ARMC.
Secretariat
The Assistant Commissioner, Enabling and Digital Services will be responsible for arranging secretarial support to the ARMC. The secretariat will ensure that an agenda is circulated approximately two weeks, and no later than one week, prior to the meeting together with any supporting papers. The secretariat will ensure that minutes for the meetings are maintained and circulated promptly to members and to the external and internal auditor, and that a summary of each meeting is provided to the Commissioner.
Conflicts of interest
Once a year ARMC members will provide written declarations, through the Chair, to the Commissioner declaring any material personal interest that would preclude them from being members of the ARMC.
ARMC members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.
Where members or observers at ARMC meetings are deemed to have a real, or perceived, conflict of interest, it may be appropriate that they are excused from ARMC deliberations on the issue where a conflict of interest exists.
Induction
The ARMC will ensure that new members receive an appropriate induction to assist them to meet their ARMC responsibilities. It is anticipated that this will include the provision of relevant information, as well as personal briefings by ARMC members, including by an external member.
Briefings
ARMC members may request a briefing or further information on agenda items prior to any ARMC meetings. Requests should be made to the secretariat.
Assessment Arrangements
The Chair of the ARMC will initiate a bi-annual review of the performance of the ARMC. The review will be conducted on a self-assessment basis (unless otherwise determined by the Commissioner) using the ANAO Better Practice Guide tool.
Review of charter
At least once every two years, the ARMC will review this charter. This review will include consultation with the Commissioner.
Any substantive changes to the charter will be formally approved by the Commissioner.
Attachment B
Functions
Consistent with Section 17 of the Public Governance, Performance and Accountability Rule 2014, the ARMC functions are:
- Financial reporting
  - The ARMC review and provide advice on the appropriateness of the APSC’s:
    - annual financial statements
    - information (other than annual financial statements) requested by the Department of Finance (Finance) in preparing the Australian Government’s consolidated financial statements, including the supplementary reporting package
    - processes and systems for preparing financial reporting information
    - financial record keeping, and
    - processes in place to allow the entity to stay informed throughout the year of any changes or additional requirements in relation to the financial reporting.
  - The ARMC provide a statement to the Commissioner:
    - whether the annual financial statements, in the committee’s view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance
    - whether additional entity information (other than financial statements) required by Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package) comply with the PGPA Act, the PGPA Rule, the Accounting Standards and supporting guidance, and
    - in respect of the appropriateness of the entity’s financial reporting as a whole, with reference to any specific areas of concern or suggestions for improvement.
- Performance reporting
  - The ARMC review and provide advice on the appropriateness of the APSC’s:
    - systems and procedures for assessing, monitoring and reporting on achievement of the APSC’s performance. In particular, the committee could satisfy itself that:
      - the APSC’s Portfolio Budget Statements and corporate plan contain appropriate details of how the entity’s performance will be measured and assessed
      - the APSC’s approach to measuring its performance throughout the financial year against the performance measures included in its Portfolio Budget Statements and corporate plan is appropriate and in accordance with the Commonwealth Performance Framework. This may include reviewing, over time, particular elements of the performance measures, and
      - the APSC has appropriate systems and processes for preparation of its annual performance statement and inclusion of the statement in its annual report.
  - The ARMC review the annual performance statements and provide advice to the accountable authority on their appropriateness to the entity.
  - The ARMC provide a statement to the Commissioner whether, in their view, the accountable authority’s annual performance statements and performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
- Systems of risk oversight and management
  - The ARMC review and provide advice on the appropriateness of the APSC’s:
    - enterprise risk management policy framework and the necessary internal controls for the effective identification and management of the APSC’s risks, in keeping with the Commonwealth Risk Management Policy
    - approach to managing the APSC’s key risks - including those associated with individual projects and program implementation and activities
    - process for developing and implementing the APSC’s fraud control arrangements consistent with the fraud control plan, and satisfy itself that the APSC has adequate processes for detecting, capturing and effectively responding to fraud risks, and
    - articulation of key roles and responsibilities relating to risk management and adherence to them by officials of the APSC.
  - The ARMC provide a statement to the Commissioner whether in their view, the APSC’s system of risk oversight and management as a whole is appropriate with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement.
- Systems of internal control
  - The ARMC review and provide advice on the appropriateness of the APSC’s:
    - internal control framework:
      - reviewing management’s approach to maintaining an effective internal control framework and whether appropriate processes are in place for assessing whether key policies and procedures are complied with, and
      - reviewing whether management has in operation relevant policies and procedures - such as accountable authority instructions, delegations, a business continuity management plan, or bullying and harassment policies.
    - legislative and policy compliance:
      - reviewing the effectiveness of systems for monitoring the APSC’s compliance with laws, regulations and associated government policies with which the APSC must comply
      - determining whether management has adequately considered legal and compliance risks as part of the entity’s enterprise risk management framework, fraud control framework and planning.
      - determining whether an appropriate approach has been taken in establishing business continuity planning arrangements - including whether business continuity and disaster recovery plans have been periodically updated and tested.
      - assessing whether steps have been taken to embed a culture that promotes the proper use and management of public resources and is committed to ethical and lawful conduct.
      - reviewing mechanisms for reviewing relevant parliamentary committee reports, external reviews and evaluations of the APSC and implementing, where appropriate, any resultant recommendations.
    - security compliance:
      - reviewing management’s approach to maintaining an effective internal security system - including complying with the Protective Security Policy Framework - and ICT security policy.
    - internal audit coverage:
      - reviewing the proposed internal audit coverage, ensuring that the coverage takes into account the APSC’s primary risks, and is adequate, and recommending approval of the internal audit work plan by the accountable authority or the nominated delegate
      - reviewing all internal audit reports, providing advice on major concerns identified in those reports, monitoring implementation and recommending action on significant matters raised - including identification and dissemination of information on good practice.
      - reviewing the internal audit charter to ensure appropriate organisational structures, authority, access and reporting arrangements are in place.
      - periodically reviewing the performance of internal audit.
  - The ARMC provide a statement to the Commissioner whether the accountable authority’s system of internal control is appropriate for the APSC, with reference to any specific areas of concern or suggestions for improvement.
Attachment C
Statutory requirements
Public Governance, Performance and Accountability Act 2013
Section 45 – Audit committees for Commonwealth entities
- The accountable authority of a Commonwealth entity must ensure that the entity has an audit committee.
- The Committee must be constituted, and perform functions, in accordance with any requirements prescribed by the rules.
Public Governance, Performance and Accountability Rule 2014
Section 17 – Audit committee for Commonwealth entities
Guide to this section
The purpose of this section is to set out minimum requirements relating to the audit committee for a Commonwealth entity to help ensure that the committee provides independent advice and assurance to the entity’s accountable authority. It is also to require the accountable authority to determine the functions the audit committee is to perform for the entity.
This section does not prevent the same audit committee performing functions for multiple Commonwealth entities.
This section is made for subsection 45(2) of the Act.
Functions of the audit committee
- The accountable authority of a Commonwealth entity must, by written charter, determine the functions of the audit committee that is established for the entity as required by subsection 45(1) of the Act.
- The functions must include reviewing the appropriateness of the accountable authority's:
  - financial reporting; and
  - performance reporting; and
  - system of risk oversight and management; and
  - system of internal control;

  for the entity.
Membership of the Audit Committee
- The audit committee must consist of at least three persons who have appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions.
- The majority of the members of the audit committee must be persons who are not officials of any Commonwealth entity.
4AA. If the entity is a corporate Commonwealth entity, all of the members of the audit committee must be persons who are not employees of the entity.
4A. However, a person employed or engaged primarily for the purpose of being a member of the audit committee is to be treated, for the purpose of subsection (4) or (4AA), as not being an official or employee of the entity.
- Despite subsections (3) and (4), the following persons must not be a member of the audit committee:
  - the accountable authority or, if the accountable authority has more than one member, the head (however described) of the accountable authority, or
  - the Chief Financial Officer (however described) of the entity, or
  - the Chief Executive Officer (however described) of the entity.