Audit and Risk Committee Charter

The objective of the Audit and Risk Committee is to provide independent advice to the Chief Executive on the appropriateness of the Agency's financial and performance reporting, system of risk oversight and management, and system of internal control.

Consistent with subsection 17(2) of the PGPA Rule, the Chief Executive has determined that

the functions of the Audit and Risk Committee are to review and give independent advice

about the appropriateness of the Agency's:

1. Financial reporting - including providing a written advice to the Chief Executive as to whether:

   • The annual financial statements, in the committee's view, comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance;

   • Additional entity information (other than financial statements) required by the Department of Finance for the purpose of preparing the Australian Government consolidated financial statements (including the supplementary reporting package) complies with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance; and

   • The Agency's financial reporting is appropriate, with reference to any specific areas of concern or suggestions for improvement.

2. Performance reporting - including providing written advice to the Chief Executive as to whether:

   • The approach to developing performance information is appropriate, including compliance with mandatory requirements of the PGPA Act and PGPA Rule;

   • Performance information included in the Portfolio Budget Statements is appropriate;

   • Performance information included in the Corporate Plan is appropriate;

   • Annual performance statements are appropriate and comply with the PGPA Act and Rule; and

   • Performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.

3. System of risk oversight and management - including providing written advice to the Chief Executive as to whether:

   • The Agency's systems for risk oversight and risk management as a whole, including the approach to managing key risks, project and program risks, are appropriate, with reference to the Commonwealth Risk Management Policy and any specific areas of concern or suggestions for improvement; and

   • The Agency's fraud control arrangements are appropriate, and the Agency has implemented appropriate processes and systems to detect, capture and effectively respond to fraud risks consistent with the Commonwealth Fraud Control Framework.

4. System of internal control - including providing written advice to the Chief Executive in relation to the appropriateness of the Agency's systems for internal control, with reference to any specific areas of concern or suggestions for improvement. This would consider:

   • The Agency’s overall control environment, as reflected in its governance, risk management, and assurance arrangements, including whether relevant processes and policies are in place;

   • The Agency’s arrangements to ensure legislative and policy compliance;

   • Compliance with the requirements of the Protective Security Policy Framework (PSPF);

   • Internal audit resourcing and coverage in relation to the Agency's key risks, and recommending approval of the Annual Internal Audit Work Program by the Chief Executive; reviewing the Internal Audit Charter, and reviewing the performance of Internal Audit.

   • Internal and external audit reports, providing advice to the Chief Executive about significant issues identified, and monitoring the implementation of agreed actions;

   • Business continuity planning arrangements including whether business continuity and disaster recovery plans are appropriate and periodically updated and tested;

   • Controls for the access, security and provision of ICT services, including cyber security controls;

   • Steps taken by management to embed a culture of ethical and lawful behaviour; and

   • Mechanisms to review relevant Parliamentary Committee reports and external reviews and recommendations from these.

As far as is practicable, the Audit and Risk Committee should indicate which matters it will consider during any given year in a forward plan, noting that it may consider other or additional matters in response to changes in the Agency's operations and environment. 

1. The Audit and Risk Committee is directly accountable to the Chief Executive for the performance of its functions. 

2. The Chief Executive authorises the Audit and Risk Committee, within the scope of its role and responsibilities, to: 

   • Obtain any information it needs from any official or external party (subject to their legal obligation to protect information) to meet its objective

   • Discuss any matters with the external auditor, internal audit service provider or other external parties (subject to confidentiality considerations)

   • Request the attendance of any official, including the Chief Executive, at Audit and Risk Committee meetings

   • And obtain external legal or other professional advice (e.g. external advisors or other parties), as considered necessary to meet its responsibilities, at the Agency's expense. 

3. The Audit and Risk Committee has no executive powers in relation to the operations of the Agency. The Audit and Risk Committee may only review the appropriateness of aspects of those operations consistent with its functions and advise the Chief Executive accordingly.

4. Committee members must not use or disclose information obtained by the committee except in meeting the committee’s responsibilities, or unless expressly agreed by the CEO.

Responsibility for the appropriateness of the Agency's financial reporting, performance reporting, system of risk oversight and management, and system of internal control rests with the Chief Executive and officials of the Agency. 

Section 17 of the PGPA Rule establishes the requirements in relation to membership of an Audit Committee. The Audit and Risk Committee will consist of at least four independent members appointed by the Chief Executive. The committee can be made up of members who are: independent members who are not Commonwealth Officials; or Commonwealth Officials from other agencies. 

The committee will be comprised of a majority of independent members, with no more than one member being a Commonwealth Official from another agency. The committee may have a temporary increase in the number of members as a result of staggering the rotation of members. 

Audit and Risk Committee members will be appointed for an initial period determined by the Chief Executive. Members may be re-appointed after a formal review of their performance for further periods as specified by the Chief Executive, but for no longer than a total membership period of 5 years.

Consistent with subsection 17(3) of the PGPA Rule the members of the Audit and Risk Committee, taken collectively, will have a broad range of knowledge, skills and experience relevant to the operations of the Agency, including its information technology environment. All members should be conversant with financial management reporting and at least one member of the Audit and Risk Committee should have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards. Membership will consider the government’s diversity targets and DTA’s diversity strategy.

The Chief Executive will appoint the Chair of the Audit and Risk Committee. The Chair of the Committee is authorised to appoint a Deputy Chair, who will act as Chair in the absence of the Chair.

Members will be supported at meetings by one or more Senior Advisors with standing invitations issued by the Chair. Senior Advisors will be appointed by the Chief Executive and will be senior members of the DTA executive. Senior Advisors will receive all papers, attend all meetings and attend any in camera discussions.

Representatives from the Australian National Audit Office (the ANAO) and internal audit will not be members of the Audit and Risk Committee, however, may attend relevant Audit and Risk Committee meetings (in whole or in part) as observers, as determined by the Chair.

The Audit and Risk Committee will meet separately with both the internal and external auditors at least once a year.

The Chief Executive may be invited to attend Audit and Risk Committee meetings to participate in specific discussions or provide strategic briefings to the Audit and Risk Committee. Other advisors from management of the Agency, including General Managers, COO, CTO, CFO and CIO, may attend all or part of the meeting to provide advice to the Committee as determined by the Chair.

Meeting schedule and details

The Audit and Risk Committee will meet at least four times per year, and more often if required. Special meetings may be held to review the Agency’s annual financial statements and annual performance statements or to meet other specific responsibilities of the Audit and Risk Committee. 

The Chair will call a meeting if requested to do so by the Chief Executive, and may call a meeting if requested by another Audit and Risk Committee member.

Quorum

A quorum for any Audit and Risk Committee meeting will be three members. The quorum must be in place at all times during the meeting.

Secretariat

The Chief Executive will provide resources to provide secretariat support to the Audit and Risk Committee. The Secretariat will ensure the agenda for each meeting and supporting papers are circulated, after approval from the Chair, at least one week before the meeting, and ensure the minutes of the meetings are prepared and maintained.

The secretariat will provide a clear record of meetings, minutes, decisions, and actions made at each meeting.

Any papers requiring a decision between scheduled meetings are only to be circulated out of session with the consent of the Chair. Approval from the Chair must also be sought prior to circulating papers for noting out-of-session (unless previously discussed and agreed at a meeting).

Minutes

Draft minutes must be drafted by the Secretariat and sent to the Chair within ten working days of each meeting. Following approval by the Chair, the minutes will be circulated within ten working days of the meeting to each member and observers, as appropriate. 

Minutes of the preceding meeting will be confirmed at each meeting, which includes a review of the action items outstanding.

Reporting and Communications

The Chair will advise the CEO of each meeting’s key matters discussed either by correspondence or through a meeting between the Chair and CEO. The form of advice will be as agreed with the CEO., . Any matter deemed of sufficient importance will be reported to the Chief Executive immediately.

The Audit and Risk Committee will, as often as necessary, and at least once a year, provide a written report to the Chief Executive on its operation and activities during the year and confirm to the CEO that all functions outlined in this charter have been satisfactorily addressed.

Information relating to disclosure of the Audit and Risk Committee and its members will be included in the annual report. The Secretariat will Iiaise with members where necessary to obtain this information.

Induction

New members will receive relevant information and briefings on their appointment to assist them to meet their Committee responsibilities. Members will be required to hold a minimum Baseline security clearance. 

Conflict of Interest Management

To the extent possible, Audit and Risk Committee members should avoid interests that conflict, or could be seen to conflict, with the role and independence of the Audit and Risk Committee.

Once a year, Audit and Risk Committee members will provide written declarations to the Chair for provision to the Chief Executive declaring any perceived potential or actual conflicts of interest they may have in relation to their responsibilities.

Audit and Risk Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflicts of interest should be appropriately minuted.

Members with a conflict of interest will notify the Audit and Risk Committee Chair as soon as these issues become apparent. Any member with a conflict of interest definition will absent themselves from discussions about relevant matters.

Review of Performance

The Chair will initiate a review of the performance of the Audit and Risk Committee at least once every two years. These reviews will be consistent with advice provided by the Department of Finance on the scope and approach of such audit and risk committee assessments. The outcomes of this assessment will be reported to the Chief Executive.

Review of the Charter

At least once a year the Audit and Risk Committee will review this Charter. A review of the Charter may also be initiated at any time by the Chief Executive.

Any changes to the Audit and Risk Committee Charter will be recommended by the Audit and Risk Committee and formally approved by the Chief Executive.

A copy of the current charter will be published on the DTA website as soon as possible after approval by the Chief Executive.