Good Governance Guide
Issues to consider when constituting audit and risk committees
Board structure

The board of directors is charged with oversight of the audit and risk management of the company. While the Australian Securities Exchange (ASX) Listing Rules require all companies on the S&P All Ordinaries Index to have an audit committee, and the Australian Prudential Regulation Authority (APRA) prudential standards require most APRA-regulated companies to have a risk committee, it is good governance for all entities to consider the manner in which audit and risk is managed within their organisation.

While it is recommended practice for all organisations to have an audit committee, which for many organisations will also include oversight of the company’s risk management strategy, it should be noted that there is no consensus as to whether it is preferable to have a stand-alone audit committee and a stand-alone risk committee, or a combined risk and audit committee, or no dedicated committee on risk on the basis that risk management is the responsibility of every board and board committee.

For those entities with legislative or prudential obligations, there may also be a requirement for them to disclose the reasons for their approach to audit and risk. Companies in the S&P/ASX 300 must report against the recommendations of the ASX Corporate Governance Council in relation to the composition, operation and responsibility of their audit committee. Similarly, APRA-regulated entities must comply with the terms of the prudential standard in relation to the composition, operation and responsibility of their risk committee. The ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations also asks S&P All Ordinaries Index companies to strongly consider the need for a risk committee within their organisations and provides some guidance in this respect.

It is good governance, therefore, for all entities to consider whether to constitute:
• a stand-alone audit committee also charged with oversight of the company’s risk management strategy, or
• a stand-alone audit committee and a stand-alone risk committee, or
• a combined audit and risk committee
having regard to factors such as the size or complexity of their operations, stakeholders and any governance or legislative requirements.

It is good governance for all entities to detail to their stakeholders their approach to audit and risk. This is particularly important where a company may not have a separate committee structure to consider risk.

Composition and operation

It is good governance for:
• all public companies to have an audit committee. If the audit committee is a stand-alone committee, its scope or purpose should also extend to oversight of the company’s risk management strategy
• all companies to consider the need for a stand-alone risk committee, or a combined audit and risk committee
• a stand-alone audit committee, a stand-alone risk committee, or a combined audit and risk committee to be committees of the board
• each committee to comprise at least three members, as appropriate
• each committee to comprise non-executive directors with at least a majority being independent (entities should also consider whether full independence is desired), as appropriate
• the committee as a whole to have suitable experience and knowledge to fulfil the committee’s responsibilities and any regulatory requirements
• all members of the audit committee to have an understanding of the content of financial statements and the key financial issues facing the entity
• members of the risk committee to have a good understanding of the business, in order to cover all the material business risks facing the entity
• consideration to be given, where the company does not have a combined audit and risk committee, to having different members on the company’s audit committee and risk committee if different skill sets are required or to accommodate workload obligations
• the chair of the company not to be the chair of any stand-alone audit committee, and/or a stand-alone risk committee, or a combined audit and risk committee
• entities to consider any legal or regulatory requirements in relation to the composition and operation of their committees dealing with audit and risk (for example, APRA Prudential Standard requirements for ADIs and insurers, Sarbanes-Oxley Act/NYSE requirements for companies with a US listing)
• the various audit and risk committees to regularly review their charter and their performance (for example, every two or three years), making recommendations for change to the board
• the various audit and risk committees to establish appropriate means for regular and formal reporting to the board, for example, the chair of the committee to present at the next board meeting, or the minutes of the committee meeting to be tabled at the next board meeting, or a regular report to be tabled at board meetings, such as a report on material business risks.

Responsibilities of the audit committee

The following activities are the usual responsibilities of a stand-alone audit committee. It is good governance for entities to consider them for their audit committees (or whether they are to be carried out by another board committee or the full board):
• reviewing the integrity of the company’s financial reporting, including:
  - reviewing and recommending to the board the annual and interim results
  - reviewing accounting policies adopted by the company and alternative treatments available
  - reviewing compliance with relevant statutory and regulatory requirements
  - consideration of continuous disclosure requirements with regard to financial reporting
  - reviewing any applicable overseas financial reporting requirements depending on the nature of the company (for example, UK forward-looking risk disclosures)
  - providing oversight to management putting in place systems of risk management, compliance (where a separate risk committee or function has not been enacted) and control over financial reporting
• overseeing the entity’s relationship with its external auditors, including:
  - the appointment, removal, effectiveness and remuneration of the auditors
  - approval of the annual audit plan
  - monitoring progress of audits and relationships between external auditors and management
  - monitoring independence and providing written advice to the board regarding that
  - monitoring/approval of all audit/non-audit services provided to the company by the external auditor
  - monitoring processes for employment of former members of the external auditor by the company
  - meeting with the external auditors at least annually without management present
• providing oversight of the entity’s internal auditors
• reviewing controls of other material business risks (where a separate risk committee or function has not been enacted)
• reviewing the delegation of authorities within the entity
• overseeing whistleblower policies and implementation
• overseeing the code of ethics for financial officers
• reviewing due diligence procedures (capital raisings, mergers/acquisitions)
• reviewing the propriety of related party transactions.

The committee should satisfy itself that appropriate declarations have been made by the CEO and CFO in accordance with the requirements of the Corporations Act.

Responsibilities of the risk committee

The following activities are the usual responsibilities of a risk committee. It is good governance for entities to consider these for their risk committees (or whether they are to be carried out by another board committee or the full board):
• reviewing and recommending to the board the company’s risk management framework on an annual basis
• reviewing the effectiveness of the risk management framework, including key risk management and compliance policies
• overseeing and monitoring management’s effectiveness in managing key risks and internal controls
• reviewing the company’s compliance with relevant statutory and regulatory requirements for risk management, where applicable
• reviewing and recommending to the board on the overall current and future risk appetite
• profiling the risks of the company by analysing the business units, identifying risks and providing action plans for managing risk
• reviewing the performance and setting the objectives of the Chief Risk Officer (CRO — for APRA-regulated entities), and ensuring the CRO (or equivalent) has unfettered access to the board and the committee
• oversight of the appointment and the removal of the CRO (APRA-regulated entities only).

Responsibilities of combined audit and risk committees

Some companies have combined audit and risk committees, thereby utilising the same committee members to review both the audit and risk functions of the organisation. A combined audit and risk committee would be expected to attend to all the responsibilities noted above for separate audit and risk committees.

Other responsibilities of audit committees, risk committees, or combined audit and risk committees

In all cases, where the board of an entity constitutes a stand-alone audit committee, a stand-alone risk committee or a combined audit and risk committee, it should consider whether to empower the committee with the authority to carry out certain acts or whether the remit of the committee is advisory in nature only. In doing so, the board of the entity must consider how the committee and board interact, taking account of common law and statutory requirements in relation to delegating authority and relying on information/advice from others.

See Good Governance Guides:
• Who should sit on board committees
• What a board committee charter should address
• Board committees — reporting to the board
• Auditor independence
• Risk management overview

See also:
• ASX Listing Rules — Chapter 12
• ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations (Principles 4 and 7)
• APRA Prudential Standard 510 (Governance)

© Governance Institute of Australia 2014. This material is subject to copyright. The Good Governance Guides indicate, in the view of Governance Institute of Australia Ltd, one interpretation of good practice. They are not designed to cover or comply with all applicable legislation or case law. We cannot be held liable or accountable to any person who acts or relies upon the information provided. The guides are not a substitute for professional advice. Visit our website at governanceinstitute.com.au to find more Good Governance Guides and information on governance.