COMMONWEALTH OMBUDSMAN MISCONDUCT

Audit Committee functions and responsibilities

The functions and responsibilities of a better practice Audit Committee will generally be to provide independent assurance and advice in the following areas:

risk management;
internal control;
financial statements;
compliance requirements;
internal audit;
external audit; and
other relevant functions including review of an entity’s governance arrangement [5]; performance framework; relevant parliamentary committee reports and recommendations; and portfolio responsibilities.

In total, these represent a broad set of functions and responsibilities. It is therefore important that each committee, in consultation with the Chief Executive/Board, decide those aspects of an entity’s operations that the committee will give priority to and particularly focus on.

[3] Section 46 of the FMA Act and FMA Regulation 22C are reproduced in Appendix 2 at pages 51 to 54

2.4. Compliance requirements

Reviewing the effectiveness of how an entity is monitoring its compliance with relevant legislation, regulations and associated government policies is generally an established function of Audit Committees.
Entity compliance can be grouped into four broad categories:

legislation and policy administered by the entity that it also needs to comply with;
framework legislation and policy such as the FMA Act, the CAC Act and the Public Service Act 1999 and related policies;
legislation and policy that has general application to the entity in areas such as security, occupational health and safety, privacy, and freedom of information; and
international conventions.

Entities must comply with a considerable volume and complexity of legislation and policy. It would therefore be expected that Audit Committees will focus on those aspects that pose the highest risk to the entity, and on how the entity manages its compliance responsibilities.
An important responsibility of Audit Committees is reviewing the processes management has in place designed to ensure the entity is kept up to date with new legislation or changes to existing legislation relevant to the entity.

Audit Committee compliance with legislative and policy requirements
An Audit Committee’s responsibilities in relation to legislative and policy compliance would generally be to: review the effectiveness of the system for monitoring the entity’s compliance with those laws, regulations and associated government policies that the entity administers and must comply with; determine whether management has appropriately considered legal and compliance risks as part of the entity’s enterprise risk management plan; provide advice to the Chief Executive/Board regarding the issue of the entity’s annual Certificate of Compliance/Compliance Report;[14] review, where relevant, the entity’s compliance with International Conventions, particularly the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions [15] ; and provide advice to the Chief Executive/Board regarding the entity’s reporting responsibilities in relation to fraud and security.[16]

Audit Committee compliance with legislative and policy requirements

An Audit Committee’s responsibilities in relation to legislative and policy compliance would generally be to:

review the effectiveness of the system for monitoring the entity’s compliance with those laws, regulations and associated government policies that the entity administers and must comply with;
determine whether management has appropriately considered legal and compliance risks as part of the entity’s enterprise risk management plan;
provide advice to the Chief Executive/Board regarding the issue of the entity’s annual Certificate of Compliance/Compliance Report;[14]
review, where relevant, the entity’s compliance with International Conventions, particularly the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions [15] ; and
provide advice to the Chief Executive/Board regarding the entity’s reporting responsibilities in relation to fraud and security.[16]

Appendix 2 details the legal status and legislative and policy requirements for Audit Committees.
Part 3 includes a committee and a management checklist in relation to compliance with legislative and policy requirements (pages 98 to 104).

Cross-agency governance

In meeting their responsibilities, it is important that Audit Committees consider the implications of cross-agency governance arrangements.
These arrangements are becoming more common as governments address increasingly complex and/or wide-ranging policy and operational issues that involve more than one agency and/or jurisdiction. As a result, audit committees’ responsibilities increasingly involve consideration of such arrangements.
Where an entity’s activities involve cross-agency arrangements, it would be expected that they would require specific consideration when the Audit Committee is reviewing the entity’s risk management and control frameworks, legislative compliance, financial statement and other obligations.
In considering cross-agency issues, the Audit Committee should be cognisant of its general responsibility to ensure entity information and documents to which it has access remain confidential. Where there are benefits in sharing information with another entity, the Audit Committee should seek the authority of the Chief Executive/Board, if not already provided.

Better practice tip: Sharing information between Audit Committees

Where cross-agency arrangements exist, there may be benefit in sharing information between Audit Committees. Before doing this, it is important to obtain approval from the Chief Executive/Board to share information outside the entity.

Often cross-agency arrangements involve multiple legislative requirements, contracts, service-level agreements or memoranda of understanding with other entities, and can involve complex monitoring and reporting arrangements. Audit Committees should explicitly consider, in consultation with the Chief Executive/Board and other entities involved, the role they will play in providing assurance and advice on these arrangements. In considering their role, Audit Committees must recognise the likely additional time, effort and resources this may involve, and the impact on the committee’s work program and meeting schedule.
In particular, some cross-agency arrangements will be material in the context of the entity’s financial statements. In this case, the Audit Committee may be required to play a pivotal role in reviewing the mechanisms that provide the required assurance to the Chief Executive/Board.

External service provision

In a similar way to cross-agency arrangements, program and service delivery using external service providers can have important risk management, control, security, and accountability implications. Reviewing the legal and administrative arrangements in place to effectively manage external service providers can be part of an Audit Committee’s responsibilities.
Generally, as part of the committee’s internal control responsibilities, it would review whether management’s approach to maintaining an effective internal control framework, including over external parties such as contractors, is sound and effective.

[14]. Chief Executives of FMA agencies are required to provide a Certificate of Compliance, in the form prescribed by the Department of Finance and Deregulation, to their portfolio minister and copied to the Finance Minister by 15 October each year. The Board of General Government Sector CAC authorities and wholly-owned companies are also required to provide a Compliance Report in the form prescribed by the Department of Finance and Deregulation, to the Secretary of Finance on behalf of the Finance Minister by the fifteenth day of the fourth month after the end of the financial year of the body. Although in most cases an entity’s financial statements will be signed before the deadline for the submission of an entity’s certificate of compliance, it would be expected that the Audit Committee will consider the entity’s compliance with relevant legislation and policies to assess the extent to which any non-compliance may affect the entity’s financial statements.

[15]. In line with this convention, the Australian Parliament has enacted the Criminal Code Amendment (Bribery of Foreign Public Officials) Act 1999. It is recognised that this matter is likely to be low risk for many entities. The Institute of Chartered Accountants in Australia and PricewaterhouseCoopers’ Guide to Foreign Bribery and Corruption provides guidance to Audit Committees on meeting their responsibilities in this area.

[16]. IThe Commonwealth Fraud Control Guidelines require Chief Executives of FMA agencies and certain CAC bodies to report annually to their minister on fraud risk and fraud control measures. The Australian Government Protective Security Policy Framework requires agencies and relevant CAC bodies to report compliance with the mandatory requirements of the Policy to the relevant portfolio minister.