Audit and Risk Management Committee Charter

Purpose of the Charter

The Australian Public Service Commissioner (the Commissioner) established the Audit and Risk Management Committee (the ARMC) in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 17 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). Section 17 requires the Commissioner, by written charter, to determine the functions the ARMC is to perform. The Charter must include reviewing the appropriateness of the APSC's:

1. financial reporting

2. performance reporting

3. systems of risk oversight and management

4. systems of internal control. This Charter sets out the ARMC's:

5. role

6. authority

7. membership and tenure

8. reporting and administrative arrangements.

The ARMC's administrative arrangements are set out in Attachment A and its functions in Attachment B.

Role

The ARMC's role is to provide independent advice to the Commissioner, consistent with the mandatory requirements as outlined above.

The ARMC is not responsible for the executive management of any functions. The ARMC will constructively engage with management in discharging its responsibilities to the Commissioner.

Members of the ARMC are expected to understand and observe the legal requirements of the PGPA Act and PGPA Rule. Members are also expected to:

• act in the best interests of the APSC as a whole
• apply good analytical skills, objectivity and judgment
• express opinions constructively and openly, raise issues that relate to the ARMC's responsibilities and pursue independent lines of enquiry
• contribute the time required to meet their responsibilities.

ARMC members must not use or disclose information obtained by the ARMC except in meeting the ARMC's responsibilities, or unless expressly agreed by the Commissioner.

The ARMC will be assisted by the APSC's internal audit function. This function is responsible for delivering an internal audit program in line with the ARMC's guidance, and subject to approval by the Commissioner.

Authority

The Commissioner authorises the ARMC, within the scope of its role and responsibilities, to:

• obtain any information it needs from any employee and/or external party (subject to their legal obligation to protect information)
• discuss any matters with the external auditor, or other external parties (subject to confidentiality considerations)
• request the attendance of the Commissioner or any employee at ARMC meetings
• obtain legal or other professional advice, as considered necessary to meet its responsibilities, at the APSC's expense.

Membership

The ARMC will consist of at least 3 independent members appointed by the Commissioner – PGPA Rule section 17(3). A majority of the members must be persons who are not officials of any Commonwealth entity.

The Commissioner and Chief Financial Officer must not be a member of the ARMC, but may attend meetings – PGPA Rule section 17(5a) and (b).

The members, taken collectively, will have a broad range of skills and experience relevant to the operations of the APSC. At least one member of the ARMC should have broad corporate governance / senior management or financial management experience, with an understanding of accounting and auditing standards in a public sector environment.

Reporting

The ARMC will:

• provide advice to the Commissioner – including whether appropriate action has been taken in response to audit recommendations – and recommend the signing of the financial and performance statements by the Commissioner, having regard to advice from the Australian National Audit Office (ANAO) (on the financial statements and performance statements, if audited)
• as often as necessary, and at least once a year, report to the Commissioner on its operation and activities during the year. The report should include:
  • a summary of the work the ARMC performed to fully discharge its responsibilities during the year
  • an assessment of the appropriateness of the APSC’s financial reporting, performance reporting, and systems of risk oversight and management and internal control
  • details of meetings, including the number of meetings held during the relevant period.

The ARMC may, at any time, report to the Commissioner any other matter it deems of sufficient importance to do so. In addition, at any time an individual ARMC member may request a meeting with the Commissioner.

Peter Woolcott AO

Australian Public Service Commissioner

5 December 2022

Attachment A

Administrative Arrangements

Meetings

• The ARMC will meet at least 4 times per year.
• A special meeting may be held to review the APSC's annual financial and performance statements.
• The Chair is required to call a meeting if requested to do so by the Commissioner, or another ARMC member.
• A forward meeting plan, including meeting dates and agenda items, will be agreed by the ARMC each year. The forward meeting plan will cover the ARMC's responsibilities as detailed in this Charter.

Attendance at meetings and quorums

• A quorum will consist of a majority of ARMC members.
• Meetings may be held in person, by telephone or by video conference.
• If the Chair is absent from any meeting or part of a meeting, another member can act as the Chair.
• The internal auditors and representatives of ANAO will be invited to attend each meeting, unless requested not to do so by the Chair of the ARMC. The Chief Financial Officer will usually attend meetings and the ARMC may request the attendance of any APSC employees at a particular ARMC meeting or for certain agenda items.
• The Commissioner may be invited to attend ARMC meetings to participate in specific discussions or provide strategic briefings to the ARMC.

Secretariat

• The Assistant Commissioner, Enabling Services will be responsible for arranging secretarial support to the ARMC. The secretariat will ensure that an agenda is circulated no later than one week prior to the meeting together with any supporting papers. The secretariat will ensure that minutes for the meetings are maintained and circulated promptly to members, the external and internal auditor; as well as a summary of each meeting to the Executive Board.

Conflicts of interest

• Once a year ARMC members will provide written declarations, through the Chair, to the Commissioner declaring any material personal interest that would preclude them from being members of the ARMC.
• ARMC members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.
• Where members or observers at ARMC meetings are deemed to have a real, or perceived, conflict of interest, it may be appropriate that they are excused from ARMC deliberations on the issue where a conflict of interest exists.

Induction

• The ARMC will ensure that new members receive an appropriate induction to assist them to meet their ARMC responsibilities. It is anticipated that this will include the provision of relevant information, as well as personal briefings by the ARMC Chair.

Briefings

• ARMC members may request a briefing or further information on agenda items prior to any ARMC meetings. Requests should be made to the secretariat.

Assessment Arrangements

• The Chair of the ARMC will initiate a bi-annual review of the performance of the ARMC. The review will be conducted on a self-assessment basis (unless otherwise determined by the Commissioner).

Review of charter

• Each year, the ARMC will review this charter.
• Any changes to the charter will be formally approved by the Commissioner.

Attachment B

Functions

Consistent with Section 17 of the Public Governance and Performance Accountability Rule 2014, the ARMC functions are:

1.  Financial reporting

• The ARMC review and provide advice on the appropriateness of the APSC’s:
  • annual financial statements
  • information (other than annual financial statements) requested by the Department of Finance (Finance) in preparing the Australian Government’s consolidated financial statements, including the supplementary reporting package (SRP)
  • processes and systems for preparing financial reporting information
  • financial record keeping
  • processes in place to allow the APSC to stay informed throughout the year of any changes or additional requirements in relation to the financial reporting.
• The ARMC provide advice to the Commissioner:
  • whether the annual financial statements, in the ARMC’s view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance
  • whether additional entity information (other than financial statements) required by Finance for the purpose of preparing the Australian Government consolidated financial statements (including the SRP) comply with the PGPA Act, the PGPA Rule, the Accounting Standards and supporting guidance
  • in respect of the appropriateness of the APSC’s financial reporting as a whole, with reference to any specific areas of concern or suggestions for improvement.

2. Performance reporting

• The ARMC review and provide advice on the appropriateness of the APSC’s:
  • systems and procedures for assessing, monitoring and reporting on achievement of the APSC’s performance. In particular, the ARMC should satisfy itself that:
    • the APSC’s Portfolio Budget Statements (PBS) and Corporate Plan contain appropriate details of how the entity’s performance will be measured and assessed
    • the APSC’s approach to measuring its performance throughout the financial year against the performance measures included in its PBS and Corporate Plan is appropriate and in accordance with the Commonwealth Performance Framework. This may include reviewing, over time, particular elements of the performance measures
    • the APSC has appropriate systems and processes for preparation of its annual performance statement and inclusion of the statement in its annual report.
• The ARMC provide advice to the Commissioner on the appropriateness of APSC’s:
  • PBS performance measures
  • Corporate Plan performance measures
  • Annual Performance Statement.
• The ARMC provide advice to the Commissioner whether, in their view, performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.

3. Systems of risk oversight and management

• The ARMC review and provide advice on the appropriateness of the APSC’s:
  • enterprise risk management policy framework and the necessary internal controls for the effective identification and management of the APSC’s risks, in keeping with the Commonwealth Risk Management Policy
  • approach to managing the APSC’s key risks – including those associated with individual projects and program implementation and activities
  • process for developing and implementing the APSC’s fraud control arrangements consistent with the fraud control plan, and satisfy itself that the APSC has adequate processes for detecting, capturing and effectively responding to fraud risks
  • articulation of key roles and responsibilities relating to risk management and adherence to them by officials of the APSC.
• The ARMC provide advice to the Commissioner whether in their view, the APSC’s system of risk oversight and management as a whole is appropriate with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement.

4. Systems of internal control

• The ARMC review and provide advice on the appropriateness of the APSC’s:

  • internal control framework:
    • reviewing management’s approach to maintaining an effective internal control framework and whether appropriate processes are in place for assessing whether key policies and procedures are complied with
    • reviewing whether management has in operation relevant policies and procedures – such as accountable authority instructions, delegations and other key policies.
  • legislative and policy compliance:
    • reviewing the effectiveness of systems for monitoring the APSC’s compliance with laws, regulations and associated government policies with which the APSC must comply.
  • business continuity:
    • determining whether an appropriate approach has been taken in establishing business continuity planning arrangements – including whether business continuity and disaster recovery plans have been periodically updated and tested.
  • ethical and lawful conduct:
    • assessing whether steps have been taken to embed a culture that promotes the proper use and management of public resources and is committed to ethical and lawful conduct.
  • Parliamentary committee reports, external reviews and evaluations:
    • reviewing mechanisms for reviewing relevant parliamentary committee reports, external reviews and evaluations of the APSC and implementing, where appropriate, any resultant recommendations.
  • security compliance:
    • reviewing management’s approach to maintaining an effective internal security system – including complying with the Protective Security Policy Framework – and ICT security policy.
  • internal audit coverage:
    • reviewing the proposed internal audit coverage, ensuring that the coverage takes into account the APSC’s primary risks, and is adequate, and recommending approval of the internal audit work plan by the Commissioner or the nominated delegate
    • reviewing all internal audit reports, providing advice on major concerns identified in those reports, monitoring implementation  and recommending action on significant matters raised – including identification and dissemination of information on good practice
    • reviewing the internal audit charter to ensure appropriate organisational structures, authority, access and reporting arrangements are in place.

• The ARMC provide advice to the Commissioner whether the system of internal control is appropriate for the APSC, with reference to any specific areas of concern or suggestions for improvement.