Good Governance Guide: Issues to consider when constituting audit and risk committees
Board structure
The board of directors is charged with oversight of
the audit and risk management of the company. While
the Australian Securities Exchange (ASX) Listing Rules
require all companies on the S&P All Ordinaries Index to
have an audit committee, and the Australian Prudential
Regulation Authority (APRA) prudential standards
require most APRA-regulated companies to have a risk
committee, it is good governance for all entities to
consider the manner in which audit and risk is managed
within their organisation.
While it is recommended practice for all organisations to
have an audit committee, which for many organisations
will also include oversight of the company’s risk
management strategy, it should be noted that there is no
consensus as to whether it is preferable to have a stand-alone audit committee and stand-alone risk committee,
or a combined risk and audit committee, or no dedicated
committee on risk on the basis that risk management is
the responsibility of every board and board committee.
For those entities with legislative or prudential
obligations, there may also be a requirement for them to
disclose the reasons for their approach to audit and risk.
Companies in the S&P/ASX 300 must report against the
recommendations of the ASX Corporate Governance
Council in relation to the composition, operation and
responsibility of their audit committee. Similarly, APRA-regulated entities must comply with the terms of the
prudential standard in relation to the composition,
operation and responsibility of their risk committee.
The ASX Corporate Governance Council’s Corporate
Governance Principles and Recommendations also asks
S&P All Ordinaries Index companies to strongly consider
the need for a risk committee within their organisations
and provides some guidance in this respect.
It is good governance, therefore, for all entities to
consider whether to constitute:
• a stand-alone audit committee also charged with
oversight of the company’s risk management strategy, or
• a stand-alone audit committee and stand-alone risk
committee, or
• a combined audit and risk committee
having regard to factors such as the size or complexity
of their operations, stakeholders and any governance or
legislative requirements.
It is good governance for all entities to detail to their
stakeholders their approach to audit and risk. This is
particularly important where a company may not have a
separate committee structure to consider risk.
Composition and operation
It is good governance for:
• all public companies to have an audit committee. If
the audit committee is a stand-alone committee, its
scope or purpose should also extend to oversight of
the company’s risk management strategy
• all companies to consider the need for a stand-alone risk committee, or a combined audit and risk
committee
• a stand-alone audit committee, a stand-alone risk
committee, or a combined audit and risk committee to
be committees of the board
• each committee to comprise at least three members,
as appropriate
• each committee to comprise non-executive directors
with at least a majority being independent (entities
should also consider whether full independence is
desired), as appropriate
• the committee as a whole to have suitable
experience and knowledge to fulfill the committee’s
responsibilities and any regulatory requirements
• all members of the audit committee to have an
understanding of the content of financial statements
and the key financial issues facing the entity
• members of the risk committee to have a good
understanding of the business, in order to cover all
the material business risks facing the entity
• consideration to be given, where the company does
not have a combined audit and risk committee, to
having different members on the company’s audit
committee and risk committee if different skill sets
are required or to accommodate workload obligations
© Governance Institute of Australia 2014. This material is subject to copyright. The Good Governance Guides indicate, in the view of Governance Institute
of Australia Ltd, one interpretation of good practice. They are not designed to cover or comply with all applicable legislation or case law. We cannot be held
liable or accountable to any person who acts or relies upon the information provided. The guides are not a substitute for professional advice.
Visit our website at governanceinstitute.com.au to find more Good Governance Guides and information on governance.
• the chair of the company not to be the chair of any
stand-alone audit committee, and/or a stand-alone risk
committee, or a combined audit and risk committee
• entities to consider any legal or regulatory requirements
in relation to the composition and operation of their
committees dealing with audit and risk (for example,
APRA Prudential Standard requirements for ADIs and
insurers, Sarbanes-Oxley Act/NYSE requirements for
companies with a US listing)
• the various audit and risk committees to regularly
review their charter and their performance (for
example, every two or three years), making
recommendations for change to the board
• the various audit and risk committees to establish
appropriate means for regular and formal reporting to
the board, for example, the chair of the committee to
present at the next board meeting, or the minutes of
the committee meeting to be tabled at the next board
meeting, or a regular report to be tabled at board
meetings, such as a report on material business risks.
Responsibilities of the audit committee
The following activities are the usual responsibilities of
a stand-alone audit committee. It is good governance
for entities to consider them for their audit committees
(or whether they are to be carried out by another board
committee or the full board):
• reviewing the integrity of the company’s financial
reporting, including:
- reviewing and recommending to the board the
annual and interim results
- reviewing accounting policies adopted by the
company and alternative treatments available
- reviewing compliance with relevant statutory
and regulatory requirements
- consideration of continuous disclosure
requirements with regard to financial reporting
- reviewing any applicable overseas financial
reporting requirements depending on the nature
of the company (for example, UK forward-looking
risk disclosures)
- providing oversight to management putting in
place systems of risk management, compliance
(where a separate risk committee or function
has not been enacted) and control over financial
reporting
• overseeing the entity’s relationship with its external
auditors, including:
- the appointment, removal, effectiveness and
remuneration of the auditors
- approval of annual audit plan
- monitoring progress of audits and relationships
between external auditors and management
- monitoring independence and providing written
advice to the board regarding that
- monitoring/approval of all audit/non-audit
services provided to the company by the external
auditor
- monitoring processes for employment of former
members of the external auditor by the company
- meeting with the external auditors at least
annually without management present
• providing oversight of the entity’s internal auditors
• reviewing controls of other material business risks
(where a separate risk committee or function has not
been enacted)
• reviewing the delegation of authorities within the
entity
• overseeing whistleblower policies and
implementation
• overseeing the code of ethics for financial officers
• reviewing due diligence procedures (capital raisings,
mergers/acquisitions)
• reviewing the propriety of related party transactions.
The committee should satisfy itself that appropriate
declarations have been made by the CEO and CFO in
accordance with the requirements of the Corporations
Act.
Responsibilities of the risk committee
The following activities are the usual responsibilities
of a risk committee. It is good governance for entities
to consider these for their risk committees (or whether
they are to be carried out by another board committee
or the full board):
• reviewing and recommending to the board the
company’s risk management framework on an annual
basis
• reviewing the effectiveness of the risk management
framework, including key risk management and
compliance policies
• overseeing and monitoring management’s
effectiveness in managing key risks and internal
controls
• reviewing the company’s compliance with relevant
statutory and regulatory requirements for risk
management, where applicable
• reviewing and recommending to the board on the
overall current and future risk appetite
• profiling the risks of the company by analysing the
business units, identifying risks and providing action
plans for managing risk
• reviewing the performance and setting the objectives
of the Chief Risk Officer (CRO — for APRA-regulated
entities), and ensuring the CRO (or equivalent) has
unfettered access to the board and the committee
• oversight of the appointment and the removal of the
CRO (APRA-regulated entities only).
Responsibilities of combined audit and risk committees
Some companies have combined audit and risk
committees, thereby utilising the same committee
members to review both the audit and risk functions
of the organisation. A combined audit and risk
committee would be expected to attend to all the
responsibilities noted above for separate audit and
risk committees.
Other responsibilities of audit committees, risk committees, or combined audit and risk committees
In all cases, where the board of an entity constitutes
a stand-alone audit committee, a stand-alone risk
committee or a combined audit and risk committee,
it should consider whether to empower the committee
with the authority to carry out certain acts or whether
the remit of the committee is advisory in nature only.
In doing so, the board of the entity must consider how
the committee and board interact, taking account of
common law and statutory requirements in relation to
delegating authority and relying on information/advice
from others.
See Good Governance Guides: Who should sit on board
committees; What a board committee charter should
address; Board committees — reporting to the board;
Auditor independence, Risk management overview
ASX Listing Rules — Chapter 12
ASX Corporate Governance Council’s Corporate
Governance Principles and Recommendations
(Principles 4 and 7)
APRA Prudential Standards 510 (Governance)