Audit and Risk Committee Charter
Effective Date: 1 July 2023
You can download an electronic version of our Audit and Risk Committee Charter 2023 (PDF, 250KB).
The Chief Executive Officer (CEO) has established an Audit and Risk Committee (committee) in accordance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and PGPA Rule section 17 – Audit committee for Commonwealth entities.
1. Role and responsibilities
The committee provides an independent source of advice to the CEO on the appropriateness of the Digital Transformation Agency’s (DTA’s):
- financial and performance reporting
- system of risk oversight and management
- system of internal control.
The committee has an exclusively advisory role. It is not responsible for the executive management of the agency’s functions.
DTA’s line management is responsible for developing and implementing systems, processes and internal controls for the management of risks. The committee will engage with management in a constructive and professional manner when executing advisory responsibilities and formulating advice to the CEO.
The committee will be assisted by the internal audit function that will be responsible for delivering an internal audit program in line with the committee’s guidance and subject to approval by the CEO. The committee will exercise a governance role in relation to the DTA’s internal audit function.
2. Authority
The CEO authorises the committee, in accordance with its role and responsibilities, to:
- obtain any information it requires from any official or external party, subject to any legal obligation to protect information
- discuss any matters with the Australian National Audit Office (ANAO) or other external parties, subject to confidentiality considerations
- request the attendance of any official at committee meetings
- obtain legal or other professional advice, as considered necessary, to fulfil its role, at the DTA’s expense, subject to approval by the CEO or delegate.
Committee members must not use or disclose information obtained by the committee except in meeting the committee’s responsibilities or unless expressly agreed by the CEO.
3. Membership
The committee comprises at least 4 members, appointed by the CEO.
The committee can be made up of members who are:
- independent members, not Commonwealth Officials
- Commonwealth Officials from other agencies.
The majority of the committee will be comprised of independent members, with no more than 1 member being a Commonwealth Official from another agency. The committee may have a temporary increase in the number of members as a result of staggering the rotation of members.
- the CEO will appoint the Chair of the committee, who will be selected from the external members
- external committee members will be appointed by the CEO for an initial period not exceeding 2 years
- the committee is authorised to appoint a Deputy Chair who will act as chair in the absence of the Chair.
Members cannot delegate their responsibilities as members of the committee. There will not be alternates or temporary members appointed for the purpose of delegating or to meet quorum.
Rotation of Members
The CEO will consider the rotation of members in line with the following principles:
- maintaining continuity of corporate knowledge
- managing the threat of familiarity to a member’s judgement.
Commonwealth Officials on the Committee will have their membership reviewed annually.
External members placed on the committee will be reviewed in line with contractual requirements.
Appropriate qualifications, knowledge, skills or experience
Collectively, the committee needs sufficient expertise to provide independent advice on the appropriateness of the agency’s financial and performance reporting, the systems of risk management and oversight and internal controls.
At a minimum, it is expected that members of the committee will understand and observe the legal requirements of the PGPA Act, the PGPA Rule and Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (FRR) and any official guidance relevant to performing their functions.
Members are also expected to do the following:
- gain a good understanding of the DTA’s functions, objectives and operational context
- act in the best interests of the DTA and the Commonwealth
- apply good analytical skills, objectivity and sound judgement
- continuously build, apply and maintain experience and awareness of the challenges and opportunities associated with the DTA’s and the public sector’s operating context
- express opinions constructively and openly, raise matters that relate to the committee’s responsibilities and pursue independent lines of inquiry
- contribute the time required to meet their responsibilities.
Observers
The CEO, Chief Financial Officer (CFO), Head of Corporate, Assistant Director, Governance and Performance or other management representatives may attend meetings as observers as determined by the Chair but will not be members of the committee.
The CEO may recommend to the Chair a standing appointment of a Senior Executive Observer from among the Senior Executive Service of the DTA. This is intended to preserve the insights from having an internal member. This Observer may attend meetings and provide information as requested by the Chair but is not a member of the committee.
Representatives of the ANAO will be invited to attend meetings of the committee, as observers.
4. Functions of the Committee
Financial reporting
The committee will review and provide advice on the appropriateness of the accountable authority’s:
- annual financial statements
- information other than annual financial statements requested by the Department of Finance (Finance) in preparing the Australian Government’s consolidated financial statements, including the supplementary reporting package
- processes and systems for preparing financial reporting information
- financial record keeping
- processes in place to allow the entity to stay informed throughout the year of any changes or additional requirements in relation to financial reporting.
The committee will provide an annual statement to the accountable authority acknowledging:
- whether, in the committee's view, the annual financial statements comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance
- whether additional entity information other than financial statements required by Finance for the purpose of preparing the Australian Government’s consolidated financial statements (including the supplementary reporting package) comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance
- the appropriateness of the entity’s financial reporting as a whole, with respect to any specific areas of concern or suggestions for improvement.
Performance reporting
The committee will review and provide advice on the appropriateness of the accountable authority’s performance reporting, including systems and procedures for assessing, monitoring and reporting on achievement of the entity’s performance.
In particular, the committee could satisfy itself that:
- the entity’s Portfolio Budget Statements and corporate plan contain appropriate details of how the entity’s performance will be measured and assessed
- the entity’s approach to measuring its performance throughout the financial year against the performance measures included in its Portfolio Budget Statements and corporate plan is appropriate and in accordance with the Commonwealth performance framework – over time, this may include reviewing particular elements of the performance measures
- the entity has appropriate systems and processes to prepare its annual performance statement and inclusion of the statement in its annual report
- the annual performance statements provide advice to the accountable authority on its appropriateness to the entity.
The committee will provide an annual statement to the accountable authority indicating whether, in their view, the accountable authority’s annual performance statements and performance reporting are appropriate, with reference to any specific areas of concern or suggestions for improvement.
Systems of risk oversight and management
The committee will review the appropriateness of the accountable authority’s system of risk oversight and management for the entity. They will also gain a sufficient understanding of the accountable authority’s risk appetite and the entity’s operating environment and review the mandatory requirements of the PGPA Act, the PGPA Rule, the Commonwealth Risk Management Policy and consider advice in supporting guidance.
The committee will also review and provide advice on the appropriateness of the accountable authority’s:
- enterprise risk management policy framework and the necessary internal controls for the effective identification and management of the entity’s risks, in keeping with the Commonwealth Risk Management Policy
- approach to managing the entity’s key risks – including those associated with individual projects and program implementation and activities
- process for developing and implementing the entity’s fraud control arrangements consistent with the fraud control framework and satisfy itself that the entity has adequate processes for detecting, capturing and effectively responding to fraud risks
- articulation of key roles and responsibilities relating to risk management and adherence to them by officials of the entity.
The committee will provide an annual statement to the accountable authority indicating whether, in their view, the accountable authority’s system of risk oversight and management as a whole is appropriate with reference to the Commonwealth Risk Management Policy for NCEs and any specific areas of concern or suggestions for improvement.
System of internal control review
The committee will take a risk-based approach to reviewing the agency’s System of Internal Control. This will include:
Internal control framework
- reviewing management’s approach to maintaining an effective internal control framework and whether appropriate processes are in place for assessing compliance with key policies and procedures
- reviewing whether management has in operation relevant policies and procedures, such as accountable authority instructions, delegations, a business continuity management plan etc
- obtaining an annual report from the Assistant Director, Governance and Performance on the overall state of DTA’s internal controls.
Legislative and Policy Compliance
- reviewing the effectiveness of systems for monitoring the entity’s compliance with laws, regulations and associated government policies with which the entity must comply
- determining whether management has adequately considered legal and compliance risks as part of the entity’s enterprise risk management framework, fraud control framework and planning.
Security Compliance
- reviewing management’s approach to maintaining an effective internal security system – including compliance with the Protective Security Policy Framework.
Business continuity
- satisfying itself that an appropriate approach has been taken in establishing business continuity planning arrangements – including whether business continuity and disaster recovery plans have been periodically updated and tested.
Internal Audit
- reviewing the proposed internal audit coverage, making sure the coverage takes into account the entity’s primary risks and recommending approval of the internal audit work program by the accountable authority or the nominated delegate
- periodically reviewing the Internal Audit Charter
- reviewing all internal audit reports, providing advice to the accountable authority on major concerns identified in those reports and recommending action on significant matters raised – including identification and dissemination of information on good practice
- reviewing the performance of internal audit.
The committee will provide an annual statement to the accountable authority indicating whether the accountable authority’s systems for internal control are appropriate for the entity, with reference to any specific areas of concern or suggestions for improvement.
Additional areas of concern for the Committee
Parliamentary committee reports, external reviews and evaluations
The committee will satisfy itself that the DTA has appropriate mechanisms for reviewing relevant parliamentary committee reports, external reviews and evaluations of the DTA and implementing, where appropriate, any resultant recommendations.
Engagement with ANAO
The committee will engage with the ANAO, as the DTA’s external auditor, in relation to the ANAO’s financial statement and performance audit coverage.
In particular, the committee will:
- provide input on planned ANAO financial statement and performance audit coverage
- act as one of the forums for communication between DTA management and the ANAO
- review management’s responses to all ANAO financial statement management letters and performance audit reports, including the implementation of audit recommendations
- provide advice to the CEO on action to be taken on significant issues raised in relevant ANAO reports or better practice guides
- meet privately with the ANAO at least once per year.
5. Administrative Arrangements
Annual Work Plan
The committee will prepare a work plan that outlines the activities to be undertaken to achieve the committee’s functions.
Reporting
The committee will provide an annual report to the CEO on its operation and activities during the year and confirm to the CEO that all functions outlined in this charter have been satisfactorily addressed.
The committee may, at any time, report to the CEO any other matter it deems of sufficient importance to do so. In addition, at any time an individual committee member may request a meeting with the CEO.
The Chair will advise the CEO of each meeting’s key matters discussed either by correspondence or through a meeting between the Chair and CEO. The form of advice will be as agreed with the CEO.
The committee will produce a report to be included in the DTA Annual Report which will include:
- the names of the members during the relevant financial year
- the qualifications, knowledge, skills or experience of those members
- a record of attendance at committee meetings
- the remuneration of members.
Meetings
The committee will meet at least 4 times per year. One or more special meetings may be held to review DTA’s annual financial statements and performance statements or to meet other specific responsibilities of the committee.
The Chair is required to call a meeting if asked to do so by the CEO, and to decide whether a meeting is required if requested by another member, internal audit or the ANAO.
Planning
The committee will develop a forward meeting schedule that includes the dates, location, and proposed agenda items for each meeting for the forthcoming year, and that covers all the functions outlined in this charter.
Quorum
A quorum will consist of a majority of committee members. The quorum must be in place at all times during the meeting.
Secretariat
The Assistant Director, Governance and Performance will manage the committee’s secretariat function (Secretariat).
The Secretariat will:
- ensure the agenda for each meeting is approved by the Chair
- circulate the approved agenda and supporting papers at least one week before the meeting
- ensure the meeting minutes are prepared and maintained.
Minutes for each committee meeting will be drafted by the Secretariat and distributed for comment to the Chair within 10 working days of each meeting. Following review by the Chair, minutes will be circulated by the Secretariat within 5 working days to each committee member, Internal Adviser and observer(s) as appropriate.
If there are significant disagreements regarding the contents of the minutes, the Secretariat will consult with the Chair before amendments are made.
The minutes for each meeting will be put forward as an Agenda item for formal acceptance at the following meeting. Once accepted, the minutes will be considered to have been ratified.
Conflicts of interest
Once each year, members of the committee will provide written declarations, through the Chair, to the CEO declaring any material personal interests they may have in relation to their responsibilities. External members should consider past employment, consultancy arrangements and related party issues in making these declarations and the CEO, in consultation with the Chair, should be satisfied that there are sufficient processes in place to manage any real or perceived conflict.
At the beginning of each committee meeting, members are required to declare any material personal interests that may apply to specific matters on the meeting agenda. Where required by the Chair, the member will be excused from the meeting or from the committee’s consideration of the relevant agenda item(s). The Chair is also responsible for deciding, in consultation with the CEO where appropriate, if that member should excuse themselves from the meeting or from the committee’s consideration of the relevant agenda item(s). Details of any material personal interests declared by the Chair and other members, and actions taken, will be appropriately recorded in the minutes.
Induction
New members will receive relevant information and briefings on their appointment to assist them to meet their committee responsibilities.
Assessment arrangements
The Chair of the committee, in consultation with the CEO, will undertake a review of the performance of the committee at least once every 2 years. The review will be conducted on a self-assessment basis (unless otherwise determined by the CEO) with appropriate input sought from the CEO, committee members, senior management, internal audit, and any other relevant stakeholders, as determined by the CEO.
The Chair will provide advice to the CEO on an external member’s performance where an extension of the member’s tenure is being considered.
Review of charter
The committee will review this charter annually, or more often as required. This review will include consultation with the CEO. Any substantive changes to the charter will be recommended by the committee and formally approved by the CEO.
A copy of the charter will be published on the DTA website.
Get in touch
If you have any questions you can send an email to info@dta.gov.au or call 02 6120 8707.