Audit Committee Governance
Overview
Audit committees play a key role in providing departmental management with independent and objective advice on matters including financial reporting, risk management and internal and external audit. This audit reviewed the governance arrangements for audit committees in all seven state government departments and Victoria Police.
This audit found that the governance arrangements for audit committees are generally effective, however, there are key areas for improvement. These areas include the need for agencies to ensure that their committee maintains the required mix of skills, and for agencies to regularly and comprehensively assess the performance of individual members and effectiveness of their audit committee as a whole. The Standing Directions of the Minister for Finance were recently reviewed and these changes make addressing these gaps even more important.
Other changes to the Standing Directions reduce the obligations on audit committees. In particular, the changes limit the management actions that audit committees are now required to monitor, and abolish the requirement for committees to review whether underlying issues identified by internal and external audit have been effectively resolved. This is a backward step that could lead to the failure of agencies to address important issues and risks.
The recommendations in this audit are designed to improve gaps in the governance arrangements for audit committees and to ensure committees are fully effective in light of the recent changes to legislative requirements.
Audit Committee Governance: Message
Ordered to be published
VICTORIAN GOVERNMENT PRINTER August 2016
PP No 183, Session 2014–16
President
Legislative Council
Parliament House
Melbourne
Speaker
Legislative Assembly
Parliament House
Melbourne
Dear Presiding Officers
Under the provisions of section 16AB of the Audit Act 1994, I transmit my report on the audit Audit Committee Governance.
Yours faithfully
Dr Peter Frost
Acting Auditor-General
31 August 2016
Auditor-General's comments
Dr Peter Frost Acting Auditor-General |
Audit team Andrew Evans—Engagement Leader Verena Juebner—Team Leader Stefania Colla—Team member Engagement Quality Control Reviewer Matthew Zappulla |
Audit committees play a key role in the governance framework of government departments in Victoria. Their role is to provide departmental management with an independent and objective source of advice on matters including financial reporting, risk management, and internal and external audit.
My audit reviewed the governance arrangements for audit committees in all seven state government departments as well as Victoria Police. It also assessed the level of compliance with the Standing Directions of the Minister for Finance (Standing Directions) and the extent to which good practice is being applied across the audited agencies.
While the governance arrangements for audit committees are generally effective, there are several key areas where there is room for improvement. These include the need for agencies to:
- ensure that their audit committee maintains the required mix of skills
- regularly and comprehensively assess the performance of committee members and the effectiveness of their audit committee.
The Standing Directions were recently reviewed, and the changes make addressing these gaps even more important.
I am most concerned that the revised requirements reduce the obligations on audit committees by limiting the management actions they are required to monitor—under the 2016 Standing Directions, audit committees are only required to monitor actions that relate to or impact on 'financial management, performance and sustainability'. The express requirement to review the impact of management actions―ensuring that underlying issues have been effectively resolved―has also been removed.
These changes are a backward step that could lead to agencies failing to address the underlying issues and risks that have been identified by internal and external audits. Further, these changes underscore the importance of effective governance arrangements for audit committees. While these changes were made in response to concerns that the previous Standing Directions went beyond the bounds of the Financial Management Act 1994, they have resulted in Victoria's legislative framework now being inconsistent with best practice for audit committees—including the Department of Treasury & Finance's own guidance which recommends that committees monitor all recommendations. It also puts Victoria behind New South Wales and the Australian Capital Territory where this is a requirement.
My recommendations are designed to improve gaps in the governance arrangements for audit committees and to ensure committees are fully effective in light of the recent changes to legislative requirements.
I extend my thanks to the officers and audit committee members from the departments and Victoria Police who participated in this audit.
Dr Peter Frost
Acting Auditor-General
August 2016
Audit Summary
Audit committees play a key accountability role in the governance framework of Victorian public sector agencies. While management retains ultimate accountability for operations, audit committees independently review and assess the effectiveness of key aspects of an agency's operations.
The Standing Directions of the Minister for Finance (Standing Directions) set out the core requirements, responsibilities and functions of audit committees. The Standing Directions were recently reviewed by the Department of Treasury & Finance (DTF), and the revised 2016 Standing Directions came into effect on 1 July 2016, replacing the 2003 Standing Directions. Key requirements of the Standing Directions expect audit committees to:
- have a charter that outlines the committee's roles and responsibilities
- be independent and have the appropriate skills to discharge committee responsibilities
- oversee risk management, the internal audit function and the implementation of management actions in response to internal and external audit recommendations
- undertake annual self-assessments and review committee membership at least once every three years.
This audit examined the effectiveness of governance arrangements for audit committees, including their composition, operational arrangements and the information they receive. It included the seven portfolio departments and Victoria Police.
For Part 2 of this report, we assessed the governance and operations of all eight audit committees. For Parts 3, 4 and 5, we selected a sample of agencies with varying processes and procedures. We have de‑identified the agencies for these Parts to focus on the lessons that can be applied to all audit committees.
Conclusions
The governance arrangements for audit committees are generally effective, although there is room for improvement in some areas. The recent changes to the Standing Directions heighten the need for agencies to make sure audit committees have the appropriate membership, independence and capability, and are performing their functions effectively. These functions include overseeing risk management and internal audit, and ensuring that management actions taken in response to audit recommendations are effective.
We examined the oversight of risk management of three audit committees and found that two had fulfilled the 2003 Standing Directions requirements. While the third audit committee did not fully comply, it is working to improve its oversight.
Audit committee oversight of the internal audit function is generally appropriate, but information provided to audit committees could be improved, specifically the alignment of the internal audit plan with organisational risks. Two audit committees are establishing processes to fix gaps in their governance arrangements—one for approving detailed internal audit scopes and the other for ensuring internal audit providers have no conflict of interest.
Some agencies are considering reducing the role that audit committees have in monitoring management actions in response to internal and external audit recommendations, in line with the revised Standing Directions. However, these changes are concerning—they decrease the level of accountability for management and, importantly, could lead to agencies failing to effectively address the underlying issues and risks that have been identified by audits. Audit committees should continue to monitor all management actions in response to internal and external audit recommendations, and implement a risk-based process to assess whether completed management actions have adequately addressed the underlying risks or issues.
Findings
Audit committee governance and operations
Composition, capability and induction
The eight audit committees we assessed largely meet the requirements for membership, independence and capability under the 2003 Standing Directions. Only one audit committee is not currently compliant with the new Standing Directions requirement to have an equal number or majority of independent members, but it is working towards an equal membership.
Currently only three agencies have robust processes for determining the skills required for their audit committee members, or for identifying and addressing any material gaps. The quality and comprehensiveness of induction processes for new members varies across agencies. In light of the reduced prescriptiveness of the 2016 Standing Directions regarding skills and induction requirements, improving these aspects will be even more important.
Effective operational support for audit committees
While audit committees' access to information and agency staff is generally appropriate, the biggest concern for committee members is the volume of the papers received and the time available to review that information prior to meetings. As a priority, audit committees must work with management to address the volume, quality and timeliness of information provided to members.
Further, not all agencies had an annual work program that clearly showed how the audit committee's charter responsibilities would be addressed throughout the year.
Effective evaluation of audit committee performance
Agencies must become more rigorous in periodically assessing whether their audit committees are meeting their functions. All audit committees have undertaken or intend to undertake the mandatory annual self-assessments. However, the 2016 Standing Directions now require that agencies formally review the audit committee's performance and membership at least once every three years. Of the eight agencies we assessed, two agencies have commissioned performance reviews and two plan to do so. Agencies are also required to review the performance of individual committee members in line with the new Standing Directions requirements.
Overseeing risk management
Audit committees must maintain oversight of agency-wide risk, despite the narrowing of the focus of the 2016 Standing Directions. This is because the 2016 Standing Directions continue to mandate the application of the Victorian Government Risk Management Framework, and audit committees must verify the agency's compliance with these requirements. Two out of the three audit committees examined in Part 3 have been fulfilling the requirements under the Standing Directions and their charters to oversee risk management. These committees have been supported by consistent risk reporting, and there is evidence that the audit committees have improved agency risk management.
For one of these agencies, we observed good discussion on risk at the committee meeting that we attended, but we found limited evidence of discussion in the audit committee minutes. While the agency advised that minutes are intended to mainly capture actions, agencies should consider the benefits of detailing elements of the discussion and noting where members have questioned and/or provided advice to management. This would provide assurance to the head of the agency that the committee is sufficiently testing the material that comes before it and would assist with assessing the performance of committee members.
The third audit committee's oversight of risk has been hampered by inconsistent risk management practices across the agency and unclear responsibilities. The agency is working to address this.
Overseeing internal audit
The internal audit function is an important source of information and assurance for the audit committee on an agency's performance and risk management activities. Under the Standing Directions, the audit committee has a key role in directing and reviewing the work of the agency's internal audit function.
Only one of the three examined audit committees had mapped its internal audit plan to its risks prior to the plan's approval. While the remaining two audit committees had received some information on how the internal audit plan aligns with the agency's risk profile, this information could be improved by ensuring the committees receive detailed mapping of the plan to the agency's risks prior to the plan's approval. The examined audit committees maintained control over the internal audit plan by reviewing changes to the timing of audits and reviewing the final internal audit reports, recommendations and management actions, which is in line with better practice.
One audit committee is establishing a new process for approving the detailed internal audit scopes and another is ensuring it reviews and approves all consulting work its outsourced internal audit firm conducts to ensure the firm is not conflicted. The third audit committee has effective procedures for approval of internal audit scopes and has in place a process to review non-audit activities.
Monitoring implementation and impact of audit actions
Changes to the Standing Directions
The revised 2016 Standing Directions limit the responsibility of audit committees to monitoring the implementation of only those audit recommendations that 'relate to or impact on financial management, performance and sustainability'. The previous 2003 requirement was for audit committees to monitor all audit recommendations, whether they be related to finance, health, safety or any other area.
DTF advised that these limitations were made so that the Standing Directions do not extend beyond the Minister for Finance's powers under the Financial Management Act 1994. However, these changes are a backward step that decrease the level of accountability for and governance of management actions that fall outside this definition and could lead to agencies failing to address important issues. While guidance accompanying the 2016 Standing Directions notes the expectation that audit committees continue to monitor all recommendations, audit committees may choose to be selective.
The 2016 Standing Directions also reduce the requirement for audit committees to review whether management actions resolve the underlying issues identified by audits. Nevertheless, DTF advised that it expects audit committees to take a risk‑based approach to this function.
Compliance with Standing Directions requirements
In line with the 2003 Standing Directions, all audit committees have been monitoring the implementation of management actions in response to all internal and external audit recommendations. Members consistently highlighted that their role in monitoring these actions—particularly the high number of outstanding and overdue actions—is one of their greatest challenges and takes up a significant amount of their time. As a result, they are working to reduce the number of outstanding and overdue actions. However, only one of the audit committees we examined has a follow-up process in place for assessing whether completed management actions have effectively mitigated the risks and issues they are meant to address.
This audit committee's 2016 follow-up review found that management actions are inconsistently implemented across divisions and business units and that there is no clear consideration of the original audit finding or of risk mitigation. This reinforces the value of such follow-up reviews and indicates that agencies still have work to do to improve the effective implementation of audit actions across the organisation.
Some agencies are considering reducing the role that audit committees have in monitoring management actions. While this is in line with the revised Standing Directions, these changes are concerning. They decrease the level of accountability and, importantly, could lead to agencies failing to effectively address the underlying issues and risks identified by audits. Audit committees need to establish effective processes for implementing all management actions, and a risk-based approach for assessing whether completed management actions have effectively addressed the underlying risks or issues.
Recommendations
That agencies:
- develop and maintain mechanisms to identify the appropriate mix of skills and experience needed for audit committee membership and to identify any gaps
- ensure that annual work programs cover each audit committee charter responsibility
- work with the audit committee to better define, or refine, the committee's information needs, including whether reported information is reliable and understandable
- align audit committee meeting materials and agendas with priority areas
- conduct formal reviews of the performance and independence of independent audit committee members before reappointing them for additional terms
- consider offering continuing education that addresses topics relevant to the audit committee's needs
- work with the audit committee to evaluate whether it has the capacity to fully acquit its obligations under the Standing Directions and charter, or whether there is a need to review its role, structure and/or operational arrangements
- ensure that the risk oversight responsibilities of the audit committee are clear and that its role is supported by consistent risk reporting
- consider whether audit committee minutes should include relevant elements of the committee's discussion to transparently demonstrate the committee's performance
- ensure that the audit committee approves final internal audit scopes.
- develop and implement a process where the audit committee makes the final decision on potential conflicts of interest for outsourced internal audit providers who perform other consultancy work for the agency
- ensure that the audit committee has a formal process to review the performance of the internal audit function and report the results to the head of the agency
- ensure that the audit committee continues to monitor all audit actions, even if they fall outside the scope of financial management, performance and sustainability
- have the audit committee require internal auditors to conduct periodic testing of whether audit actions reported as completed by management have been effectively implemented
- have the audit committee require the internal audit function to undertake periodic assessments of a sample of closed audit actions to ensure that underlying issues have been effectively resolved—these should be selected in a risk-based manner.
Submissions and comments received
Throughout the course of the audit we have professionally engaged with:
- the Department of Economic Development, Jobs, Transport & Resources
- the Department of Education & Training
- the Department of Environment, Land, Water & Planning
- the Department of Health & Human Services
- the Department of Justice & Regulation
- the Department of Premier & Cabinet
- the Department of Treasury & Finance
- Victoria Police.
In accordance with section 16(3) of the Audit Act 1994 we provided a copy of this report to those agencies and requested their submissions or comments.
We have considered those views in reaching our audit conclusions and have represented them to the extent relevant and warranted. Their full section 16(3) submissions and comments are included in Appendix B.
1 Background
1.1 Introduction
1.1.1 The importance of good public sector governance
Good governance is integral to the Victorian public sector effectively managing its operations, conforming to applicable legislative and policy requirements, and being accountable for the expenditure of public funds and the achievement of outcomes. Good governance also assists in meeting public expectations of transparency and integrity and enhances confidence in decisions and actions.
There are a number of elements that underpin good governance, such as having strong leadership and effective systems and processes. Victorian public sector agencies[1] also typically have a number of committees covering areas such as audit and risk, procurement, human resources, and performance and evaluation, among others.
1.1.2 The role and composition of audit committees
Audit committees play a key accountability role in the governance framework of Victorian public sector agencies. While management retains ultimate accountability for operations, audit committees enhance governance practices by independently reviewing and assessing the effectiveness of key aspects of an agency's operations. These aspects include:
- risk management―systems and processes that facilitate the identification, assessment, evaluation and treatment of risk
- financial statements―form part of the financial reporting process; a full statement normally includes, among other things, a balance sheet, an income statement, a statement of cash flows and a statement of changes in equity
- internal controls―including legislative and policy compliance, business continuity management, delegations and ethical and lawful conduct
- compliance requirements―laws, policies and regulations agencies must comply with
- internal audit―reviews on the performance of an agency and its control environment
- implementation of management actions in response to internal and external audit recommendations―actions taken to address recommendations arising from internal and external audits are followed up and addressed.
The effectiveness of an audit committee is significantly impacted by its member composition, its roles and responsibilities, and its operating arrangements, including the quality and timeliness of information it receives from management and its lines of communication and reporting. To be fully effective, an audit committee must be sufficiently independent from management and free from any undue influence. Audit committees therefore typically have an independent chair and have either a majority or equal number of independent members. They also exclude from membership certain agency employees who would represent a conflict of interest, such as the head of the agency, the chief financial officer and internal auditors. However, audit committees usually do have members from within the agency in addition to independent members, with around six to eight members in total. All members are required to exercise independent judgement and be objective in their deliberations, decisions and advice.
1.1.3 Support for audit committees
Under the Standing Directions of the Minister for Finance (Standing Directions), discussed in detail in Section 1.2.1, agencies are required to:
- establish an audit committee and appoint members
- approve the audit committee charter, which outlines the committee's roles and responsibilities
- enable the committee to have access to the head of the agency, the chief financial officer, and internal and external auditors, when required
- review committee membership at least once every three years.
Audit committees are also supported by secretariat functions, which are usually fulfilled by agency staff. The secretariat is responsible for arranging committee meetings, collating and distributing meeting papers, attending meetings and drafting meeting minutes.
All audit committees are currently in the process of updating their charters because of the changes to the Standing Directions, discussed in the following Section.
1.2 Legislation and guidance
1.2.1 Standing Directions of the Minister for Finance
The Standing Directions under the Financial Management Act 1994 set out the core requirements, responsibilities and functions of audit committees. The Standing Directions were recently reviewed by the Department of Treasury & Finance (DTF), and the revised 2016 Standing Directions came into effect on 1 July 2016, replacing the 2003 Standing Directions. The review aimed, in part, to:
- ensure that the Standing Directions requirements did not extend beyond the legislative authority of the Financial Management Act1994
- reduce the prescriptiveness of individual requirements, by moving substantial content to the non-mandatory guidance—this is to allow for the application to be tailored to the size and risk profile of the agency.
Key requirements that are common to both versions of the Standing Directions expect audit committees to:
- have a charter
- be independent, with an independent member as chair
- exclude from membership the head of the agency and the chief financial officer
- have the appropriate skills to discharge committee responsibilities
- undertake annual self-assessments.
The 2016 Standing Directions reduce the requirements of audit committees in some areas, such as by limiting the management actions that audit committees are required to monitor to those that relate to or impact on 'financial management, performance and sustainability'. Appendix A compares the 2003 and 2016 Standing Directions requirements relevant to audit committees.
1.2.2 Guidance
Both versions of the Standing Directions are accompanied by guidance material developed by DTF to support agencies to implement the Standing Directions. For example, despite the change to the Standing Directions discussed above, the guidance expects that audit committees continue to monitor all audit actions. Other relevant better practice guidance includes the Australian National Audit Office's Public Sector Audit Committees: Independent assurance and advice for Accountable Authorities (March 2015).
1.2.3 Reporting compliance with the Standing Directions
The role of public sector agencies
Under both versions of the Standing Directions, public sector agencies are required to annually certify their compliance with all applicable Standing Directions. However, the 2016 regime requires more rigour, transparency and accountability:
- Under the 2003 Standing Directions, agencies made an annual certification of compliance that was internal to government. The only public attestation was for risk management and insurance compliance.
- The 2016 Standing Directions require a public attestation in annual reports against all applicable requirements as well as the disclosure of all material noncompliance.
Audit committees are required to review the accuracy of the agency's compliance reporting under both versions of the Standing Directions.
The role of the Department of Treasury & Finance
DTF is responsible for reporting whole-of-government compliance levels with the Standing Directions to the Minister for Finance.
VAGO's May 2012 audit Personal Expense Reimbursement, Travel Expenses and Corporate Credit Cards found that DTF had not adequately scrutinised the accuracy of agencies' reports and did not detect agencies' reporting failures. The report noted that DTF must apply greater scrutiny to agencies' submissions under the 2003 Standing Directions.
Under the 2016 Standing Directions, DTF is not required to test the accuracy of compliance reporting, although it is able to conduct assurance programs 'as part of monitoring the effectiveness of the whole of state financial management framework'. DTF advises that it intends to conduct future assurance programs for this purpose.
1.3 Audit committees in different governance structures
How an audit committee is constituted, to whom it provides advice and what information is available to independent audit committee members depends on whether the responsible body has a statutory board or not.
The agencies included in this audit—the seven portfolio departments and Victoria Police—do not have statutory boards. Therefore, the head of the agency (the secretary or chief commissioner) retains ultimate accountability for agency operations. It is also the head of the agency who appoints audit committee members. The audit committee's role is to provide independent advice on key aspects of operations to the head of the agency.
This differs considerably from private sector entities and from public sector entities that have a statutory board. In those organisations, board members are generally appointed by a third party―the relevant minister, in the case of public sector entities, and shareholders, in the case of private sector organisations. The role and duties of the board include setting the agency's strategic direction, establishing and reviewing policies, monitoring and reviewing the effectiveness of risk management and ensuring that the entity operates within legislation. The audit committee is a subcommittee of the board and, accordingly, the role of the audit committee is usually to review and make recommendations to the board, which has the power to action these recommendations. As head of the organisation, the chief executive officer is responsible for the day-to-day management of the public entity in accordance with the law, government policies, and the decisions of the board.
Independent members that we interviewed as part of this audit, who are also members of audit committees in organisations where there is a board, informed us that being a member of the board generally gave them more oversight of entity operations. On the other hand, independent members of audit committees of agencies with no board―such as in the eight audited agencies―do not have the same level of exposure to the internal workings of the agency. Therefore, there is greater reliance on internal briefings and other information provided to the audit committee.
1.4 Machinery-of-government changes
Machinery-of-government changes are the transfer of functions between departments. They are used by governments to align responsibilities in a way that they believe will assist in delivering policy priorities.
Machinery-of-government changes are one of the key factors that can impact the effectiveness of audit committees. This is because these changes can result in:
- agency staff turnover which can, in turn, result in the loss of corporate knowledge
- the addition of new portfolio responsibilities and therefore new portfolio risks which management must identify and mitigate, including through the coverage of internal audits
- additional outstanding audit actions inherited from previous iterations of the department which management must monitor and action
- the need for the committee to adapt to and oversee new agency functions.
Apart from Victoria Police, all of the agencies included in this audit were affected by the most recent machinery-of-government changes, shown in Figure 1A. These changes saw nine departments merged into seven and the reallocation of functions between departments.
Figure 1A
Victorian public service machinery-of-government changes effective 1 January 2015
Source: Victorian Auditor-General's Office.
There have also been several more changes since this time, creating further challenges for audit committees. For example, responsibility for the energy portfolio was recently moved from the Department of Economic Development, Jobs, Transport & Resources (DEDJTR) to the Department of Environment, Land, Water & Planning (DELWP).
1.4.1 Distribution of audit committee members before and after machinery-of-government changes
Figure 1B shows the movement of audit committee members from pre-machinery-of-government audit committees to the audit committees for the newly developed agencies shown in Figure 1A. We only looked at the Department of Health & Human Services (DHHS), DEDJTR and DELWP, as these were most significantly affected by the changes. Figure 1B shows that, in forming the new audit committees, departments:
- included a fairly equal representation of members from previous audit committees
- generally appointed members with a good mix of experience in the sectors the new agencies would be responsible for overseeing.
Figure 1B
Distribution of audit committee members before and after machinery‑of‑government changes
(a) A fourth independent member joined DELWP's audit committee, who was not from the Department of Transport, Planning & Local Infrastructure or the Department of Environment & Primary Industries.
Source: Victorian Auditor-General's Office.
1.5 Audit objective and scope
The objective of the audit was to examine the effectiveness of governance arrangements for audit committees, including their composition, operational arrangements and the information they received. The audit focused on eight agencies:
- the Department of Economic Development, Jobs, Transport & Resources
- the Department of Education & Training
- the Department of Environment, Land, Water & Planning
- the Department of Health & Human Services
- the Department of Justice & Regulation
- the Department of Premier & Cabinet
- the Department of Treasury & Finance
- Victoria Police.
This audit assessed all eight agencies for Part 2 of the report. A sample of agencies with varying processes and procedures was selected for Parts 3, 4 and 5. We have de‑identified the agencies for these Parts to focus on the lessons that can be applied to all audit committees.
1.6 Audit method and cost
The audit examined audit committee governance through document reviews and interviews with audit committee members and agency staff. We also attended and observed audit committee meetings.
The audit was carried out under sector 15 of the Audit Act 1994, in keeping with the Australian Auditing and Assurance Standards. Pursuant to section 20(3) of the Audit Act 1994, unless otherwise indicated, any persons named in this report are not the subject of adverse comment or opinion.
Total cost of the audit was $410 000.
1.7 Structure of the report
The report is structured as follows:
- Part 2 examines principles that help audit committees to add value
- Part 3 examines committee oversight of risk management
- Part 4 examines committee oversight of internal audit
- Part 5 examines committee monitoring of actions taken in response to audit recommendations
- Appendix A compares the 2003 and 2016 Standing Directions requirements for audit committees.
[1] We acknowledge that the Victorian public sector includes both public sector bodies (departments and administrative offices) and public entities. For readability, we use the term 'agency' in this report to cover all types of public bodies and entities.
2 Audit committee governance and operations
At a glance
Background
To maximise the effectiveness of the audit committee, it must have appropriate membership, access to information and operational support, and be subject to regular performance reviews.
Conclusion
Overall, audit committees largely meet the requirements for membership, independence and capability under the Standing Directions of the Minister for Finance (Standing Directions). However, agencies need to better assure themselves that audit committees have the appropriate skills and capabilities to discharge their responsibilities. In light of the reduced prescriptiveness of the 2016 Standing Directions, it is even more important that agencies have a mechanism to determine the right mix of skills and capabilities for the audit committee.
While audit committees had appropriate access to information and agency staff, agencies should work with audit committees to decrease the volume of information provided to them, seek ways to improve the readability of papers and/or increase the amount of time available to review them.
Agencies need to be more rigorous in periodically assessing whether audit committees are meeting their functions. Agencies need to appropriately review the performance of individual committee members in accordance with the performance criteria in their contracts.
Recommendations
That agencies ensure that the audit committee has the appropriate mix of skills, receives quality and timely information, addresses all its charter responsibilities, has well‑planned meetings and effectively acquits its responsibilities throughout the year.
2.1 Introduction
For audit committees to be effective, it is important that:
- members are independent of management and act objectively and impartially
- members have an appropriate mix of skills and experience relevant to the agency's activities and to the responsibilities of the committee
- new members receive an appropriate induction and that all members are kept abreast of developments within the agency and sector
- the committee is appropriately supported by effective operational arrangements, such as having well-planned meetings and access to good-quality information.
Audit committees and agencies alike must also take steps to periodically review the performance of the committee and its members to ensure the committee is meeting its roles and responsibilities effectively.
2.2 Conclusion
Overall, audit committees largely meet the requirements for membership, independence and capability under both the 2003 and 2016 Standing Directions of the Minister for Finance (Standing Directions). Of the eight audited agencies, seven currently comply with the new Standing Directions requirement to have equal or majority independent members, and the eighth agency is working to address this. Currently, only three agencies have robust processes for identifying material skills gaps, and the quality and comprehensiveness of induction and training for members varied across audit committees. The reduced prescriptiveness of the 2016 Standing Directions means that addressing these issues will be even more important.
While the audit committees have appropriate access to agency information and staff, committee members' biggest concern is the volume of papers they receive and the time available in which to review them. Where this is a problem, agency management should decrease the volume of information, seek ways to improve the readability of papers and/or increase the amount of time available for committee members to review them. Further, not all agencies had an annual work program that clearly showed how all charter responsibilities would be addressed throughout the year.
Agencies need to become more rigorous in periodically assessing whether their audit committee is meeting its function. While machinery-of-government changes have had an impact in this regard, only three agencies have reviewed their audit committees' performance in the past three years. The 2016 Standing Directions require that this occurs every three years. Agencies also need to appropriately review the performance of individual committee members in accordance with the performance criteria in their contracts.
2.3 Composition, capability and induction
2.3.1 Appropriate independence and capability
The number of members on an audit committee, and the skills and experience they require, depends on the complexity, nature and scale of the agency's responsibilities, activities and systems. Agencies need to balance the need for audit committees to be sufficiently independent and provide a strategic perspective while maintaining up‑to‑date agency and sector knowledge.
Figure 2A summarises the key Standing Directions requirements and better practice guidance for composition and capability and our assessment of compliance across the eight audited agencies.
Figure 2A
Audit committee composition and capability
Category |
Source |
Compliance |
---|---|---|
At least two independent members |
2003 Standing Directions |
8/8 |
Majority independent members |
2016 Standing Directions |
6/8 |
Equal independent and agency members |
2016 Standing Directions guidance |
1/8 |
Agency completes skills matrix |
Australian National Audit Office (ANAO) better practice(a) |
3/8 |
Where a skills matrix is not completed, is the skills mix assessed: |
||
|
ANAO better practice |
2/5(b) |
|
ANAO better practice |
5/5(b) |
Regional representation on audit committee |
ANAO better practice |
2/6(c) |
(a) ANAO, Public Sector Audit Committees: Independent assurance and advice for Accountable Authorities, March 2015.
(b) Five agencies do not complete skills matrices.
(c) The Department of Treasury & Finance and the Department of Premier & Cabinet are not required to have regional representation.
Source: Victorian Auditor-General's Office.
Number of independent members
Audit committees provide an independent source of assurance and advice to entities on key aspects of the entity's operations. They need to be independent of management and act objectively and impartially, and should be free from conflicts of interest, inherent bias or undue external influence.
The Department of Justice & Regulation (DJR) had equal independent and agency members on its committee as at 1 July 2016, when the 2016 Standing Directions came into effect. This complies with the new requirements, as the accompanying guidance notes that committees with equal membership are permitted where the chair has the casting vote on decisions. However, DJR has recently approved the appointment of an additional independent member.
Victoria Police has, until recently, had two independent members and six agency members—it was the only audit committee where independent members were in the minority for several years. While it met the 2003 Standing Directions requirements of having two independent members, the agency will not comply with the 2016 Standing Directions until later in 2016, although it has significantly progressed towards this. At 1 July 2016, it had reduced the number of agency members to four and appointed a third independent member. It is currently in the process of appointing a fourth independent member.
The Department of Premier & Cabinet's (DPC) audit committee is composed of only independent members. This is discussed in Figure 2B.
Figure 2B
Case Study: Independent members only on the audit committee
Since 2015, DPC's audit committee has been made up solely of independent members, with attendance by management through a standing invitation or as required by the committee. The department notes a number of advantages of this structure, including:
|
Source: Victorian Auditor-General's Office.
Regional representation
Several agencies that have significant operations in regional areas have recognised the benefits of having a regional representative on their audit committee. This is discussed in Figure 2C.
Figure 2C
Case Study: Regional representation on the audit committee
DJR and the Department of Environment, Land, Water & Planning (DELWP) both include an agency member from one of their regions in their audit committee, who provides an operational perspective and assists with the identification of service delivery risks. Regional representation also helps to communicate what the audit committee is focusing on back to the regions. DELWP periodically rotates members from each of its regions onto its audit committee and holds some audit committee meetings in regional locations to enable staff based in regional locations to attend. The Department of Health & Human Services (DHHS) also has an agency member on its committee who was until recently the deputy secretary for one of the regions. The member's role within the department has now changed, and DHHS has advised that it will review regional representation on the committee. |
Source: Victorian Auditor-General's Office.
Appropriate skills and experience
While the 2016 Standing Directions are less prescriptive than the 2003 Standing Directions in terms of the specific skills and experience an audit committee member requires, the committee must be constituted by members with 'appropriate skills and experience to discharge their responsibilities', who have an understanding of the business environment in which the agency operates. At least one member must also have appropriate expertise in financial accounting or auditing.
Agencies must assure themselves that the audit committee, as a collective, maintains the required mix of skills. To do this, better-practice agencies develop and maintain skills matrices, described in Figure 2D.
Figure 2D
Skills matrices
Agencies should develop and maintain a skills matrix that identifies the skills that the audit committee needs and how those needs are currently being met. Ideally, the matrix will identify gaps in the committee's capability that must be filled. It is also a good way to assure the head of the agency that the appropriate skills are in place. Matrices might specify:
In order to develop a skills matrix, agencies should identify the desired skills mix and each member should undertake a high-level assessment of their contribution to each skill. To preserve an appropriate level of experience on the committee, particularly given the need for audit committees to periodically rotate their members, skills matrices might also include the aggregate number of years members have been on the audit committee. |
Source: Victorian Auditor-General's Office.
As shown in Figure 2A, only three of the eight audit committees we assessed have skills matrices in place, but two agencies advised that they are developing them for their committees. A better-practice example is DELWP's audit committee which completes a skills matrix annually and includes it in the audit committee's annual report to the secretary. DELWP's 2014–15 matrix identified the need for some members to access training on how to understand financial statements, and DELWP intends to provide this.
While the other audit committees do not maintain and regularly update a skills matrix they do assess the mix of skills of their audit committees in several ways:
- Recruitment exercises―assessing the current mix of skills on the committee is common when recruiting new members and specifying the skill requirements and selection criteria for a new member.
- Performance reviews of the committee―an internal audit review of the Department of Education & Training's (DET) audit committee surveyed members and key stakeholders on the skills and experience of the committee and gave members the opportunity to suggest additional skills and experience for future appointments to the committee.
- Committee self-assessments―self-assessments allow members to comment on the committee's skills and experience. This type of self-assessment enabled Victoria Police's audit committee to identify the need to improve members' skills mix by focusing on information technology and risk management experience when appointing future independent members.
Reviewing member appointments
In reviewing membership, agencies should consider the guidance accompanying the 2016 Standing Directions. This states that audit committee members should be appointed for an initial term of up to three years and for no more than three terms of three years—a nine-year maximum term. The ANAO better practice guide suggests that agencies should assess a member's performance when his or her tenure is being considered for extension. This assessment should include whether the member has:
- a good understanding of the agency's business
- displayed the ability to act objectively and independently
- adequately prepared for committee meetings
- made a constructive contribution to the work of the committee.
Figure 2E discusses some observations about appointment duration.
Figure 2E
Appointment durations
The two independent members of Victoria Police's audit committee have served on the committee continuously since 2002 and early 2007 respectively. Neither have been subject to reviews of their performance or independence at any stage. Victoria Police informed us that it intends to appoint new members for three-year terms and that current members will be removed in a staggered manner to enable orderly succession and effective handover of corporate knowledge. Another independent member we interviewed is on the audit committees at the Department of Economic Development, Jobs, Transport & Resources (DEDJTR) and DHHS and has served on several government department audit committees since 2001, including on the predecessor departments for DEDJTR and DHHS. While there was an initial assessment of the member's skills and experience, there is no evidence of the member's performance being specifically assessed against the criteria in the contract prior to the member's reappointment. DEDJTR considered the member's broad experience an asset that would ensure an effective transition to the new committee. Due to concerns that the significant length of service could impact on the member's ability to be independent, DEDJTR limited the member's appointment to six months. DEDJTR has developed a revised audit committee charter, supported by an operations manual, that establishes a new process—members may only be reappointed after a formal review of their performance. The charter and operations manual are not yet approved. While it is important to maintain corporate knowledge, agencies should monitor and consider members' aggregate years of experience on the committee, including previous audit committees, before reappointing them. This is in line with ANAO better practice guidance, which notes the importance of balancing stability of membership against introducing new knowledge and experience. |
Source: Victorian Auditor-General's Office.
While agencies brief the head of the agency on the rationale for reappointing members, they do not undertake assessments as outlined in the ANAO better practice guidance above. Figure 2F highlights a DJR practice that is a step in the right direction, although it could be further improved.
Figure 2F
Case study: Deciding whether to extend members' terms
In a 2016 briefing, DJR proposed extending the contracts of two independent members, noting both met all required criteria and key performance indicators (KPI). However, they only assessed the members' performance against three of the four KPIs in their contracts―attendance at meetings, timely responses to out-of-session requests, and meeting the Code of Conduct for Victorian Public Sector Employees. While this is good, DJR did not assess the members against the fourth KPI, which is arguably the most crucial aspect of an independent member's performance―participation in discussions and providing meaningful independent contributions and input regarding audit committee matters. The measures that DJR identified for this KPI were:
DJR advised that this fourth KPI was not formally assessed as part of the process, because no performance issues had been identified with members at any stage during their term on the committee. DJR also advised that any assessment of 'participation and meaningful independent contribution' would be highly subjective and difficult to substantiate with sufficient and appropriate evidence. Agencies should develop ways to record and assess important aspects of a member's preparation for and contribution to meetings, to enable the agency to make informed decisions about reappointing members. As noted in Part 3, DJR (and other audit committees) should consider recording where members have questioned and probed and/or provided advice to management in the meeting minutes, which will also assist in building a record of a member's performance. |
Source: Victorian Auditor-General's Office.
2.3.2 Induction and training of new committee members
Specific induction and training requirements that were in the 2003 Standing Directions have been removed from the 2016 version. Better practice is to have a formal induction process that is tailored to new members' prior knowledge and experience and provides them with the additional knowledge required to properly understand and discharge their responsibilities.
While selection processes for new members clearly aim to confirm that prospective committee members have the expected level of competence, skills and experience prior to appointment, induction processes are still required to introduce new members to specific aspects of the agency or audit committee's role. For example:
- independent audit committee members may require an introduction to the agency, its operating environment, and its specific risks and controls
- agency audit committee members may require training on the functions of the committee, such as how to adequately oversee risk management and internal audits, or how to interpret basic financial statements.
Figure 2G discusses some of the training and induction practices at the audited agencies.
Figure 2G
Training and induction of audit committee members
Induction packs―all agencies provide members with induction packs, with varying degrees of detail. DET's induction pack was thorough and included an organisational chart, the latest departmental annual report and strategic plan, as well as key organisational policies such as the risk management policy. The pack also included the audit committee's charter, annual forward plan, latest minutes and the internal audit function's charter and plan. Briefings by representatives of the agency and the chair, and introduction to key senior executives―the induction of independent audit committee members at DELWP and DJR included short presentations by various senior staff about their areas of responsibility. This was considered to be a productive way for independent members to understand the department, its history and the challenges involved in managing each area and to meet senior executives. Site visits―several audit committees went on site visits that showcased key organisational operations and initiatives, which is in line with ANAO's better practice guide. Training for agency members―agency members have different training needs to independent members. For example, they may be more familiar with the organisation but may not be experienced in reading or evaluating basic financial statements or fulfilling other key responsibilities of an audit committee. At DHHS, an agency member asked for 'masterclasses' on key committee responsibilities, such as financial statements and risk management, to be made available to members. 'On-boarding' process rather than one-off induction―agencies should consider establishing a process that identifies ongoing training or information needs of new members. This is in line with ANAO better practice guidance and comments from several independent members (at DHHS and DPC), who suggested an 'on-boarding' process for their first 12 months. This may take the form of an initial induction followed by assessment of their further information or training needs at six months and 12 months from their commencement. |
Source: Victorian Auditor-General's Office.
2.4 Effective operational support for audit committees
The operation of an audit committee is enhanced by having information that is high quality, meeting papers that are timely, complete and accurate, and meetings that are well planned and conducted efficiently. Further, audit committees and agencies alike must make certain that all of the committee's responsibilities are discharged adequately throughout the year.
2.4.1 Getting the right information
Meeting papers—managing information overload and providing sufficient time for review
To fully appreciate the relevant issues, audit committees rely heavily on the information provided by management. This is particularly so in agencies where there is no board, as the independent members of the audit committee do not have the same level of exposure to the agency's internal workings as board members would.
Audit committee self-assessments showed that members considered the volume and timing of papers a problem in most of the audited agencies. Two of the key concerns were that papers were not provided sufficiently in advance of meetings and that committee members were struggling with 'information overload'. These themes were also reflected in our discussions with audit committee members:
- There is not enough time to get through everything, especially after the machinery-of-government changes.
- Papers are voluminous and could be more concise.
- More guidance around what is important to read would be good for agency members, as they do not need to read some of the background elements because they already know the information.
- The volume of papers is a big issue and they usually come out three to four days prior to the meeting.
- Papers are not produced specifically for the audit committee, and there is not enough time to read them in detail.
- The committee does not discuss who targets what area, but this happens naturally based on specific skills.
- Papers are consistently late due to excessive layers of management oversight.
Agencies need to strike a balance between providing committee members with enough information and not overwhelming them with too much. Several committee members made suggestions for improvement, including:
- ensuring reports have concise executive summaries, where the key issues within the material are drawn out more to support discussion and consideration of relevant items
- including materiality levels on the papers indicating their importance
- presenting relevant information in a 'dashboard' style
- restricting late papers or handout material at the meeting to urgent priorities only.
The ANAO better practice guidance notes that it is up to the chair to work closely with the secretariat and other management to ensure that papers are of an appropriate quality and length and are available far enough in advance of meetings to allow members to review and critique them. This is echoed by the Centro decision[1], where the Federal Court of Australia questioned whether directors are required to apply their own minds to, and carry out a careful review of, statements and reports purporting to give a true and fair view of the position and performance of an entity they represent. Although the context of this case related to financial reporting in the private sector, its findings are relevant to and could be applied in principle to public sector audit committees. The Centro decision found that:
- information overload is not an excuse for failing to read, understand and focus on material provided
- directors could control the information they received
- if there was information overload, board members should have prevented it
- if there was still a lot of material to digest, board members had to allow more time to read and understand it.
Further, some committee members advised us that they do not read all the papers because, as experienced committee members, they know what to focus on. This highlights the importance for audit committees and agencies reviewing as a priority the volume and quality of information provided to committee members prior to each meeting.
Keeping members informed about the agency
Audit committee members must also be kept abreast of developments affecting the agency in areas such as risk management, program management, information management and security, performance measurement, and financial management and reporting.
Across the audited agencies, several mechanisms are used to ensure audit committee members are kept informed:
- A rolling program of briefings by senior executives at each audit committee meeting to provide an overview of their division—the majority of audit committees we examined schedule 20–30 minute presentations by senior executives at each meeting. Some agencies provide templates for these presentations, to help senior executives align their updates with the corporate plan and outline key priorities, opportunities and challenges for the future, as well as noting how the business unit is tracking against strategic risks and audit recommendations. This helps audit committees to receive high-value presentations that provide information relevant to audit committee members.
- Regular meetings between the secretariat and independent members—independent members of the Victoria Police audit committee have bimonthly meetings with the secretariat, internal audit team and chief risk officer to discuss emerging issues in the sector.
- Forwarding organisational updates out of session—independent members at DELWP, DHHS and DPC receive copies of departmental communications from the secretary.
- Inviting independent members to attend key organisational events—independent members at DJR were invited to attend the risk resilience awards, which are annual awards given across the department for special achievements in inculcating a culture of risk awareness and making the most of opportunities that arise.
2.4.2 Planning for and conducting meetings
Annual forward plan—addressing each charter responsibility
Audit committees must comply with all aspects of their charter responsibilities throughout the year. The 2016 Standing Directions removed the requirement for audit committees to develop an annual work program, but it is generally considered a minimum requirement for audit committees to develop an annual forward meeting schedule that includes the dates and agenda items for each meeting. This schedule should cover all the responsibilities outlined in the committee's charter. This is particularly important, as noted by the ANAO better practice guidance, in an environment where agencies are seeking a greater level of assurance and advice from audit committees, especially with the increasing complexity of agency responsibilities.
All audited agencies except Victoria Police had an annual work program for their audit committees. However, not all of these work programs appeared to be clearly mapped to all aspects of the committee's charter responsibilities. While the DHHS 2015–16 work plan did not specifically cross-reference the charter at all, the department noted that it will include this for the 2016–17 annual forward plan.
To ensure that all charter responsibilities are addressed throughout the year, agencies should clearly set out the audit committee annual plan in a way that references each responsibility, as shown in Figure 2H.
Figure 2H
Sample audit committee annual plan referencing charter responsibilities
Charter responsibility and reference |
Meeting 1 |
Meeting 2 |
Meeting 3 |
Meeting 4 |
---|---|---|---|---|
1.1 .............. |
Agenda item 1 |
Agenda item 2 |
Agenda item 4 |
|
1.2 .............. |
Agenda item 1 |
|||
2.1 .............. |
Agenda item 4 |
Agenda item 2 |
Agenda item 3 |
Source: Victorian Auditor-General's Office.
Setting the agendas and conducting meetings efficiently
Meetings should be well planned and structured in a way that allows the committee to make the most of its time together. Meeting agendas are generally settled by the chair, together with the committee secretariat, based on the annual forward plan and any other arising matters. We found a number of good practices at several committees:
- The chair ensures that agenda items are prioritised for each meeting so that the most important items are discussed first. This helps to ensure that members are fresh and that, if the meeting runs out of time, the most important items are not missed.
- Agenda items are marked for 'discussion', 'presentation', 'endorsement' or 'noting' to provide clear direction to the members.
- Any in-camera sessions (private meetings with the internal or external auditors and the committee members, excluding agency management) are held 15 minutes before the official start of the meeting, so that departmental staff are not left waiting.
Many audit committee members supported the practice of streamlining meetings by limiting or excluding presentations on agenda items that are taken as read. Many members noted that these presentations do not add to the content but take up a lot of time that could be used for more meaningful discussion.
As a further step, audit committees can streamline their meetings and focus on substantive issues by using 'consent agendas', where routine, procedural, informational and self-explanatory and/or non-controversial items are presented to the committee in a single motion and only discussed in detail if requested by members.
2.5 Effective evaluation of audit committee performance
2.5.1 Audit committee self-assessments
Both the 2003 and 2016 Standing Directions require audit committees to self-assess their performance annually. DELWP, DHHS and DEDJTR were impacted by machinery-of-government changes, meaning their committees in their current form have only been in place since early 2015. As a result, there has only been enough time for one self‑assessment:
- In 2015, DELWP audit committee members evaluated the performance of the committee against its charter and the action plan developed from the evaluation of the former Department of Environment & Primary Industries (DEPI) audit committee. Outcomes were discussed at the committee's strategic planning workshop in October of the same year.
- The DHHS audit committee completed a self-assessment in 2015.
- DEDJTR's audit committee is in the process of conducting its first self‑assessment, due to be tabled in August 2016.
Audit committees from the agencies that were not subject to the machinery‑of‑government changes—DET, the Department of Treasury & Finance, DJR and Victoria Police—undertake annual self‑assessments.
Moving forward, agencies should be aware that the guidance accompanying the 2016 Standing Directions notes that, at a minimum, agencies should consider as part of their annual self-assessments:
- the effectiveness of the audit committee as a whole
- the performance of individual audit committee members (for external members, performance criteria may be included in their letter/contract of engagement; and for agency staff, performance criteria may be included in their performance plans)
- compliance with the audit committee's charter.
2.5.2 Agency reviews of the committee performance
The 2016 Standing Directions require agencies to formally review the performance of the audit committee at least once every three years. While not a specific requirement under the 2003 Standing Directions, two agencies have commissioned reviews of their audit committee's performance in its current form. Both reviews were undertaken by an independent contractor.
Two other agencies are planning to undertake agency reviews by early next year:
- DELWP intends to continue the practice of its predecessor department (the Department of Environment and Primary Industries), alternating audit committee self-assessments one year with agency reviews of the committee's performance the next year. DELWP's first agency assessment, to be undertaken by an independent contractor, is scheduled for tabling in October2016.
- DJR is planning to review its audit committee's performance in February 2017.
Recommendations
That agencies:
- develop and maintain mechanisms to identify the appropriate mix of skills and experience needed for audit committee membership and to identify any gaps
- ensure that annual work programs cover each audit committee charter responsibility
- work with the audit committee to better define, or refine, the committee's information needs, including whether reported information is reliable and understandable
- align audit committee meeting materials and agendas with priority areas
- conduct formal reviews of the performance and independence of independent audit committee members before reappointing them for additional terms
- consider offering continuing education that addresses topics relevant to the audit committee's needs
- work with the audit committee to evaluate whether it has the capacity to fully acquit its obligations under the Standing Directions and charter, or whether there is a need to review its role, structure and/or operational arrangements.
[1] ASIC v Healey & Ors [2011] FCA 717
3 Oversight of risk management
At a glance
Background
One of the primary tasks of an audit committee is to provide independent oversight of and advice on the agency's risk management framework.
Conclusion
Audit committees must maintain oversight of agency-wide risks, despite the narrowed focus of the 2016 Standing Directions of the Minister for Finance (Standing Directions). This is because the 2016 Standing Directions mandate the application of the Victorian Government Risk Management Framework, and audit committees need to verify agencies' compliance with these requirements.
Of the three examined audit committees, two had fulfilled the requirements of the Standing Directions and their charters to oversee risk management. They were supported by consistent risk reporting, and there is evidence that the audit committees improved their agency's risk management.
The third audit committee has been hampered by inconsistent risk management practices across the agency and unclear risk governance responsibility. The agency is working to address this.
Recommendations
That agencies:
- ensure that the risk oversight responsibilities of the audit committee are clear and that its role is supported by consistent risk reporting
- consider whether audit committee minutes should include relevant elements of the committee's discussion to transparently demonstrate the committee's performance.
3.1 Introduction
Providing independent oversight of and advice on the agency's risk management framework is a primary task of an audit committee.
In this Part of the report, we assessed the risk oversight of audit committees at three agencies―Agencies A, B and C―by examining the risk information presented by agencies and whether the audit committees effectively oversee the agency risk‑management processes.
3.2 Conclusion
Though the 2016 Standing Directions of the Minister for Finance (Standing Directions) have a narrower focus than the 2003 version, they still require audit committees to maintain oversight of agency-wide risk. This is because the 2016 Standing Directions continue to mandate that agencies apply the Victorian Government Risk Management Framework (VGRMF) and that audit committees verify agencies' compliance with these requirements.
Two of the three examined audit committees have been fulfilling the requirements of the Standing Directions and their charters to oversee risk management. They have been supported by consistent risk reporting, and there is evidence that the audit committees have effectively overseen the agency's risk management.
The third audit committee has been hampered by inconsistent risk management practices across the agency and unclear risk governance responsibility. The agency is working to address this.
3.3 Responsibility for risk management
3.3.1 Standing Directions
The 2016 Standing Directions appear to limit the responsibility of audit committees to independently review and assess an agency's risk management only as it relates to 'financial management, performance and sustainability'. However, despite this apparent narrowing of the focus, the 2003 and 2016 Standing Directions both mandate that agencies apply the VGRMF, which describes the minimum requirements agencies must meet to demonstrate that they are managing risk effectively. Audit committees have a role in verifying whether the agency has properly implemented the VGRMF:
- Under the 2003 Standing Directions, an audit committee had to verify the agency's risk management attestation published in its annual report.
- Under the 2016 Standing Directions, an audit committee must review and monitor the agency's compliance levels with all Standing Directions requirements, as well as reviewing the agency's public attestation in its annual reports about its compliance with all applicable requirements.
The VGRMF applies to any kind of risk—for example, financial, health, safety or environmental—that has an impact on the agency's objectives, at a strategic or operational level. As such, the audit committee's responsibility for overseeing the agency's risks extends beyond financial risks. Further, from March 2015, an update of the VGRMF means that agencies must also identify and contribute to the management of inter-agency and relevant state-significant risks. However, agencies did not need to report on these risks for 2014–15.
3.3.2 Charters
At the time of writing, the charters of all examined audit committees included providing independent oversight and assurance of the agency's risk management framework as a primary task. The charters also extend risk oversight beyond financial risks to include strategic, business and operational risks. Specific risk responsibilities identified within the charters included:
- reviewing the effectiveness of the agency's risk management framework
- understanding or maintaining awareness of the agency's or division's risk profiles
- reviewing and monitoring changes in the agency's risk profile
- ensuring the head of the organisation is aware of significant emerging or unmitigated risks
- engaging the internal audit service provider to provide supplementary or defined‑purpose audits where required.
3.4 Case studies on overseeing risk management
To assess the three audit committees' risk oversight, we examined the risk information presented by agencies over the last eight meetings and whether this provided an appropriate basis for effective oversight by the audit committee. Again, having the necessary information is important, particularly for audit committees where there is no board as the independent members do not have the same level of exposure to risk management as they otherwise would. We also assessed whether the audit committees effectively tested the information that came before them and oversaw the agency's risk management processes.
Examples of sufficient information would include:
- information on how risks have been assessed and control activities identified by the agency
- regular reporting on risks, in a way that lets the audit committee see quickly what is going on
- regular presentations by risk owners, to give the audit committee oversight of risk and to enforce the accountability of individual risk owners.
Examples of effective practice in overseeing risk management would include:
- scrutinising risks and controls
- requesting changes to risk identification, controls or reporting
- requesting ongoing or one-off evaluations, possibly through internal audit
- requesting agency presentations on risk areas
- communicating control deficiencies in a timely manner—to the individual risk owners, senior management or the head of the agency.
Figure 3A summarises our observations on risk oversight.
Figure 3A
Audit committee oversight of risk management during 2015
Criteria |
Agency A |
Agency B |
Agency C |
---|---|---|---|
Is the audit committee's role regarding risk oversight clear? |
Yes |
Yes |
Partial(a) |
Has the audit committee received and reviewed the risk register in the last year? |
Yes |
Yes |
No |
Does the audit committee receive regular reports on risk? |
Yes |
Yes |
Yes |
Does this reporting include information on how risks have been assessed and how control activities have been identified by the agency? |
Yes |
Yes |
Partial(b) |
Does the audit committee receive regular presentations on key risks by risk owners? |
Yes |
Yes |
No |
Is critical discussion captured in the minutes? |
7/8 meetings(c) |
3/8 meetings(c) |
0/8 meetings(c) |
Has the audit committee added value to the agency's risk management by, for example: |
|
|
|
|
Yes |
Yes |
No |
|
Yes |
Yes |
No |
|
Yes |
Yes |
No |
Does the audit committee communicate control deficiencies in a timely manner to the head of the organisation? |
Yes(d) |
No evidence(d) |
No evidence(d) |
(a) We assessed this as 'partially met' because the committee's role is clear in its charter but there are issues in practice, as discussed in Section 3.4.3.
(b) We assessed this as 'partially met' because the audit committee only received high-level information.
(c) We observed one audit committee meeting for each agency and observed discussion on risk. However, this assessment reflects our review of the audit committee minutes from the previous eight committee meetings, and not all minutes record discussion on risk.
(d) Agency A was the only audit committee to include in its minutes the key items from each meeting for the chair to discuss with the head of the agency. For all the agencies we assessed, the discussion between the chair and the head of the agency is not documented.
Source: Victorian Auditor-General's Office.
3.4.1 Agency A—effective oversight of risk management
The available evidence shows that Agency A's audit committee has been effectively fulfilling its risk oversight role under the Standing Directions and charter.
The agency's structure and functions were heavily affected by the machinery‑of‑government changes, but it developed a series of programs and works to establish its risk management approach within six to nine months of the changes being implemented. The agency's approach is characterised by:
- consistent monitoring of risk throughout the department
- quarterly risk reporting to senior management and to the audit committee, including how risks are identified and monitored
- risk registers for the strategic, operational and project-level risks
- active monitoring of risk treatment plans for identified strategic risks
- practices to encourage collective and individual responsibility for strategic risks by the deputy secretaries and the senior executive team (SET) through:
- providing a quarterly risk report to the SET and the audit committee
- having deputy secretaries complete a half-yearly risk attestation for their groups
- conducting a rolling program of monthly 'deep-dive' reviews focused on strategic risks, presented to the SET and the audit committee by the relevant risk owner.
During this audit, we observed a meeting of the audit committee and reviewed the minutes of eight audit committee meetings. We found evidence that the audit committee had reasonably scrutinised the agency's risks by:
- seeking more detail on risky areas—for example, by requesting that a deputy secretary present on a particular division within the agency, because this area was not previously covered by the risk and audit program of the predecessor department before the machinery-of-government changes
- critically reviewing risks and risk ratings, and requesting changes to reporting formats
- seeking additional information on risk—for example, that the executive summary of the risk management report contain more information on key treatments, particularly of 'high harm' operational risks
- fostering individual responsibility for risk management by asking the head of the organisation to encourage all deputy secretaries to take ownership of risk management in their groups.
Of the three agencies examined in this Part, Agency A was the only audit committee to include in its minutes the key items from each audit committee meeting for the audit committee chair to discuss with the secretary in a face-to-face meeting.
3.4.2 Agency B—appropriate risk information but limited recording of discussion
The structure and responsibilities of Agency B have remained largely intact over time. Over the period that we examined, it has maintained regular risk reporting to the audit committee and is continuing to improve this reporting, which supports the audit committee to analyse and provide advice on risk.
We reviewed the papers and minutes of eight committee meetings and found that the audit committee received regular risk management updates. The majority of these were verbal briefings, so we were unable to ascertain the depth of the update, but the audit committee also received several written briefings:
- The audit committee received two written reports that included information about corporate risks at the business unit and department level. These reports also include an attested departmental risk register, mapping business area risks against departmental risks, as well as grouping risks thematically.
- A new risk reporting format was trialled in February 2016 in response to feedback from the audit committee.
In March 2016, the agency prepared an assurance mapping report for the audit committee, identifying the agency's core assurance activities for each of its divisional risks and highlighting any gaps. The purpose of this mapping exercise was to enable the agency to better understand the mitigation of key risks and the accompanying controls. The report also helped the audit committee to understand current assurance activities, highlighting extensive- or low-coverage areas. This exercise enabled the agency and the audit committee to make informed decisions—for example, the decision to amend the internal audit plan to focus on a specific risk area in order to achieve a desired level of assurance.
Further, the audit committee approved a new reporting schedule, which includes a monthly divisional risk report and a biannual departmental risk report. This will continue to improve the audit committee's ability to scrutinise the department's risk management activities.
However, while the information provided to the audit committee is sufficient and we observed detailed discussion on risk at the committee meeting that we attended in February 2016, our review of the audit committee minutes from the previous eight committee meetings showed only occasional discussion on risk. The agency advises that this is because the purpose of its minutes is to record outcomes and actions, rather than discussion.
Purpose of audit committee minutes
While there is no requirement in the 2003 or 2016 Standing Directions for the minutes of audit committee meetings to record particular elements of the discussion, agencies should consider the benefits of doing so. Documenting certain details—such as emphasising where members have questioned and probed and/or provided advice to management—would provide assurance to the head of the agency that the committee is sufficiently testing the material that comes before it. Including this information in minutes may also help with performance assessments of committee members, as discussed in Part 2.
3.4.3 Agency C—unclear responsibility for risk management and oversight and inadequate information on risk
Like Agency B, Agency C has remained largely intact over time. The agency has systems and processes designed to bring together business planning, service delivery, and performance and risk management across the organisation, and the audit committee's risk oversight responsibility is clearly stated in its charter. However, there are some issues in the application of these processes.
The organisations' internal auditors recently found that 'decentralised processes for identifying, recording, reporting, monitoring and managing risks that exist across the organisation may be limiting its ability to effectively manage risk'. The internal auditors found gaps in the agency's risk management, such as:
- unclear definitions of roles and responsibilities in position descriptions and lack of alignment across the organisation
- absence of risk reporting that would enable it to actively manage its risks
- risk assessments not being performed on all organisational risks.
Further, the internal auditors identified deficiencies in the agency's risk governance. They found that multiple assurance activities were not aligned, resulting in duplication of effort and gaps in risk assurance. This meant that it was unclear who was ultimately accountable for risk management, including whether this task fell to the audit committee or another committee.
The deficiencies identified by the internal audit report were corroborated by stakeholder interviews and our review of the minutes from eight audit committee meetings. The minutes and papers from 2015 show that the audit committee received limited information on risk. The reporting it did receive was very brief and at a high level, and the audit committee never received a risk register during 2015. The minutes show very limited discussion from audit committee members and no critical discussion, despite some of the risk reports noting risk deficiencies. For example, minutes from a February 2015 meeting do not include any critical discussion even though the chief risk officer reported during the meeting that:
- updates on the 12 organisational risks from the executive—as individual risk owners—were of varying quality, with some providing sufficient detail and others failing to update at all
- the management and recording of each organisational risk was inconsistent across the organisation—which was corroborated by the March 2015 internal audit report
- the current risk management tool was not widely used across the organisation and did not meet user needs, which may limit oversight and coverage of identified risks.
Minutes of the April 2015 meeting, where the internal audit report was tabled, show that the audit committee members agreed with the recommendations and discussed how the recommendations could be 'project managed'. However, there was no evidence of critical discussion or scrutiny of the content of the report captured in the minutes. Like Agency B, Agency C advises that the purpose of its audit committee minutes is to record outcomes and actions. We encourage the agency to consider the benefit of recording particular elements of discussion.
Following an organisation-wide governance review, the audit committee's official role has now been clarified to include full responsibility for monitoring enterprise-level organisational risks. In the first meeting after this clarification, February 2016, the audit committee received its first organisational risk report, which is expected to be reported on a quarterly basis to the executive via the audit committee. However, the minutes do not show any critical discussion of the report despite it highlighting that, in some instances, the spreadsheets used to update on the risks were compiled with limited consultation with subject-matter experts.
Encouragingly, it was noted that future reports would analyse risk-rating trends, report on the progress of identified risk treatments, assess the effectiveness of controls, and give a thorough overview of the agency's risk profile. Agency C recently appointed an additional independent member who has a risk management background. The most recent self-assessment also noted that:
- greater focus on risk management could be achieved by setting aside time before the audit committee meeting for the independent members and the chief risk officer to provide guidance and advice
- the chief risk officer should formally report to the audit committee on the progress of the risk management framework against the risk roadmap endorsed by the committee.
The audit committee should work with management to determine and refine its information needs, should consider allowing more time on the agenda for risk oversight and should consider instituting a rolling program where nominated risk officers present on their risk management to the audit committee.
Recommendations
That agencies:
- ensure that the risk oversight responsibilities of the audit committee are clear and that its role is supported by consistent risk reporting
- consider whether audit committee minutes should include relevant elements of the committee's discussion to transparently demonstrate the committee's performance.
4 Oversight of internal
At a glance
Background
For an audit committee, the internal audit function is a major source of information and assurance about the agency's performance and risk management activities. The audit committee has a key role in directing and reviewing internal audit.
Conclusion
The three examined audit committees adequately review the internal audit plan based on its fit with the agency's risk profile, as well as other inputs. The audit committees also maintain control over the internal audit plan by reviewing changes to the timing of audits and the detailed scopes of internal audits. All the examined audit committees review the final internal audit reports, recommendations and management actions, which is in line with better practice.
However, we found a conflict of interest in the way that one audit committee approves the final audit scopes. We also found that one of the other agencies had no mechanism for its audit committee to ensure that its outsourced internal audit firm was not conflicted by other consulting arrangements within the agency. These deficiencies are being addressed.
Recommendations
That agencies:
- ensure that the audit committee approves final internal audit scopes
- develop and implement a process where the audit committee makes the final decision on potential conflicts of interest for outsourced internal audit providers who perform other consultancy work for the agency
- ensure that the audit committee has a formal process to review the performance of the internal audit function and report the results to the head of the agency.
4.1 Introduction
The relationship between the audit committee and the agency's internal audit function is central to the audit committee's ability to meet its responsibilities. The internal audit function is a major source of information and assurance for the audit committee about the entity's performance and risk management activities.
Common responsibilities for audit committees contained in both the 2003 and 2016 Standing Directions of the Minister for Finance (Standing Directions) include:
- reviewing and recommending approval of the agency's proposed internal audit coverage based on the agency's risk profile and other inputs
- reviewing the performance—efficiency and effectiveness—of the internal audit function
- taking steps to confirm that the internal auditor has not been unduly influenced, such as by reviewing the internal auditor's participation in non-assurance roles to assess potential impairment of independence or conflicts of interest.
All audit committees have the responsibility to oversee internal audits in their charters. In this Part, we examined the internal audit oversight of audit committees for three agencies—Agencies A, C and D.
4.2 Conclusion
The three audit committees we examined fulfilled most of the 2003 Standing Directions requirements, but there are some areas for improvement. It is encouraging that all committees review and approve the internal audit plan based on its fit with the agency's risk profile. However, agencies could improve the information they present to their committees to show the plan's alignment with risks.
All examined audit committees review the detailed scopes of internal audits, but only two of the committees officially approved them. In one agency, management had the final sign-off of the detailed scopes rather than the independent audit committee. This was a potential conflict of interest. The agency advised it is establishing procedures so that its audit committee approves the final internal audit scopes.
Two other areas for improvement include the way audit committees review the performance of the internal audit function and the way they assess whether the internal audit function is conflicted. Only one committee systematically reviews the performance of its internal auditors in a way that addresses key aspects of its service provider contract, the results of which are reported to the secretary. This is good practice that the other committees should follow.
Further, one of the three committees only recently established a process to ensure its audit committee makes the decision about whether the agency's outsourced internal audit function is conflicted by other advisory work. It is important that committees are aware of any other work that outsourced internal audit providers may be performing within the agency so they can assess whether this will create a conflict for the provider in its future internal audit work.
4.3 Effectively overseeing internal audit
Figure 4A summarises VAGO's assessment against key Standing Directions requirements and better practice elements for the three agencies.
Figure 4A
Audit committee oversight of internal audit
Criteria |
Source |
Agency A |
Agency C |
Agency D |
---|---|---|---|---|
Does the audit committee review and approve the internal audit plan and annual audit work program, based on its fit with the agency's risk profile? |
2003 and 2016 Standing Directions |
Yes |
Yes |
Yes |
Does the audit committee review internal audit scopes? |
Australian National Audit Office (ANAO) better practice guidance(a) |
Review and approve |
Review and approve |
No―but planning to |
Does the audit committee review changes to the timing of reports? |
ANAO better practice guidance |
Yes |
Yes |
Yes |
Does the audit committee review final reports and recommendations? |
ANAO better practice guidance |
Yes |
Yes |
Yes |
Does the audit committee review management actions in the final report? |
ANAO better practice guidance |
Yes |
Yes |
Yes |
Does the audit committee review the performance—efficiency and effectiveness—of the internal audit function? |
2003 and 2016 Standing Directions |
Yes |
No |
Yes |
Does the audit committee review the internal audit function's participation in non-assurance roles to assess potential impairment of independence or conflicts of interest? |
2003 and 2016 Standing Directions |
Yes |
Yes―recently implemented |
Yes |
(a) ANAO, Public Sector Audit Committees: Independent assurance and advice for Accountable Authorities, March 2015.
Source: Victorian Auditor-General's Office.
4.3.1 Ensuring that the internal audit plan covers key organisational risks
All three audit committees approve the internal audit plan based on its coverage of organisational risks, among other inputs.
Agencies A and D were affected by machinery-of-government changes. This makes the development of the internal audit plan difficult, as the agencies are typically required to establish new risk profiles and manage legacy internal audit providers and plans from the previous departments. Figure 4B outlines Agency A's approach as a good-practice case study.
Figure 4B
Case Study: Developing and approving the internal audit plan after machinery-of-government changes
Agency A developed an interim internal audit plan for its first six months of operation which consisted of four internal audits. The audits were chosen because they reflected agency-wide risks, impacts of machinery-of-government changes on the agency's financial statements, and recommendations from the 2013–14 management letters from the Auditor-General. The audit committee later approved the addition of four further audits to the interim plan. While the agency implemented the interim plan, its internal auditors began to develop a new strategic internal audit plan for 2015–18, to commence on 1 July 2015. The audit committee was briefed on the process the agency used to develop its strategic internal audit plan, which was to:
The audit committee approved the strategic internal audit plan in June 2015 and made certain that new functions transferred to the agency through machinery-of-government changes received attention in the new internal audit plan. This process was sound because the internal audit plan was clearly driven by risk‑based considerations and the audit committee was briefed on both the development of the strategic risks and the development of the internal audit plan. The audit committee could therefore satisfy itself that there is appropriate coverage in the internal audit plan to address and mitigate high-risk areas and activities. Mapping the internal audit plan to the approved risks After the audit committee approved the plan, the internal audit providers mapped the approved strategic risk register to the approved plan and provided this to the audit committee. This was a useful document that clearly showed the links to strategic risks. While this mapping confirmed that the plan appropriately addressed the agency's risk profile, the audit committee could have benefited from a document like this prior to approving the internal audit plan. |
Source: Victorian Auditor-General's Office.
4.3.2 Reviewing and approving audit scopes and changes to the timing of reports
As audit committees approve the internal audit plan, and internal audit reports provide the audit committee with a key source of information on the agency's risk profile, audit committees should have a role in maximising the value of the internal audit function. They can do this by reviewing and approving:
- changes to the timing of audits and reasons for any delays
- detailed internal audit scopes.
Reviewing changes to report timing
All the audit committees we examined followed better practice by reviewing and approving changes to the timing of audits as part of their regular review of the internal audit function's progress in carrying out the approved work program.
Reviewing and approving internal audit scopes
Approval processes for internal audit scopes varied across the three audit committees. As noted in Figure 4A, at Agencies A and C, audit committees review and approve the detailed scopes for internal audits. For both of these audit committees, we observed instances where the audit committee added value to the internal audit by directing the scope into areas that were seen as risky or that had not received internal audit scrutiny in a while.
Agency D—Potential for conflict of interest where audit committee does not approve scopes
At Agency D, we found that the chief audit and risk officer approved final audit scopes after consultation with relevant audit sponsors at the executive management level. There was no provision within the agency's internal audit charter to consult with the audit committee on internal audit scopes, although the agency advises that scopes are tested with the chair out of session. This is a conflict of interest, as management is signing off on audits that will examine its area of responsibility. It is also not in line with better practice requirements.
Agency D has developed a revised audit committee charter, supported by an operations manual, that establishes a new process where the audit committee will review and approve all audit scopes. The charter and the operations have not yet been approved.
4.3.3 Reviewing final reports, recommendations and management actions
All the examined audit committees review the final internal audit reports, recommendations and management actions. This is in line with better practice requirements. Good examples that we observed included:
- inviting relevant auditees to an audit committee meeting to discuss the internal audit findings and recommendations that have significant organisational implications and to appraise action plans to address the recommendations
- assessing the implications of an internal audit report's findings on the department's risk and control framework—for example, due to the serious nature of an internal audit report, Agency A requested a follow-up audit be added to the internal audit plan as a post-implementation review
- questioning the use of ambiguous language in management responses to internal audit recommendations, such as the use of 'consider' in a number of the agreed management actions, and seeking an explanation from management
- recommending that management develop a project plan with time frames and costings to enable the audit recommendations to be appropriately managed—Agency C used this approach and requested relevant staff be invited to provide an update to the audit committee on the progress of outstanding recommendations highlighted in the reports
- discussing the results of internal audits and progress of management actions with the head of the agency.
4.3.4 Reviewing internal audit's potential for conflicts of interest
Where agencies have contracted to external consulting firms for all or part of their internal audit function, there is the possibility that the same firm may be undertaking other contract work for the agency. This situation can result in potential conflict of interest if the scope of an internal audit overlaps with the firm's other consulting work.
Two of the three examined audit committees—Agency A and Agency D—have processes in place to review the internal audit firm's participation in non-internal-audit roles to assess potential impairment of independence and/or conflicts of interest. In these two audit committees, we observed good practice:
- The internal audit firm has to declare every piece of work it tenders for across the agency. The audit committee receives this information as part of each internal audit status update.
- A detailed process is in place that requires the internal auditors to seek clearance from the audit committee before submitting bids for any non-internal-audit work at the agency.
Agency A has also set up an assurance panel alongside the internal auditor, which is made up of other firms who are able to do internal audits should the main internal auditor be conflicted. However, the agency reports that using this panel has not been necessary to date.
Until recently, Agency C did not have a documented process in place to ensure that the audit committee reviewed the outsourced internal auditor's participation in non‑internal‑audit roles. The conflict of interest assessment was done by the internal audit manager and only involved the audit committee if more contentious matters were escalated to it. During the course of this audit, Agency C has established a new, documented process that will ensure the audit committee reviews all potential conflict‑of-interest cases. In the new process, the internal audit manager assesses the conflict-of-interest potential based on the information provided by the outsourced contractor and provides a recommendation to the audit committee. The audit committee will then make the final decision based on that recommendation and the information provided.
4.3.5 Reviewing the performance of the internal audit function
Agency A's audit committee is the only examined committee that produced an internal audit performance assessment report for 2015. As the agency outsources its internal audit function, it assessed its internal audit service provider against the key performance indicators and criteria in the service provider contract.
Agency D has advised that it has developed a similar framework to Agency A for assessing the performance of the internal audit function and associated key performance criteria. This framework will be considered by the agency's audit committee, most likely at the end of 2016–17. Agency D also conducts a self-assessment of the internal audit function, and it advised that its internal audit service provider has conducted an audit of the agency's internal audit function. While a draft report was not available, the scoping document shows that the review intended to examine how effectively, efficiently and economically the agency utilises its internal audit function.
The self-assessment of Agency C's audit committee contained a question on the scope of work, performance and independence of the agency's internal audit function. The audit committee scored this question 8.2 out of 10, but there was no further analysis or discussion on the performance of the internal audit function. The agency should establish a formal review process for its internal audit function against key performance criteria and report this to the head of the agency.
Recommendations
That agencies:
- ensure that the audit committee approves final internal audit scopes
- develop and implement a process where the audit committee makes the final decision on potential conflicts of interest for outsourced internal audit providers who perform other consultancy work for the agency
- ensure that the audit committee has a formal process to review the performance of the internal audit function and report the results to the head of the agency.
5 Monitoring implementation of audit actions
At a glance
Background
Where significant risks have been identified through audits and agencies have committed to addressing those risks through proposed actions, it is important that actions are completed in a timely manner and in a way that fully addresses the underlying issues. If not, the agency could be exposed to risk.
Audit committees have a key role in monitoring agencies' implementation of agreed actions agreed in response to internal and external audits.
Conclusion
Although audit committees' oversight of audit actions is improving, there are opportunities for them to gain greater assurance that agencies are effectively addresses the underlying issues that have been identified by internal and external audits. Currently only one of the four audit committees we examined is doing this effectively.
Changes made to the Standing Directions of the Minister for Finance have caused some agencies to consider reducing the role their audit committees have in monitoring audit actions. This is concerning and decreases agency management's level of accountability and could lead to agencies failing to address the underlying issues and risks that have been identified by internal and external audits.
Recommendations
That agencies:
- ensure that the audit committee continues to monitor all audit actions, even if they fall outside the scope of financial management, performance and sustainability
- have the audit committee require internal auditors to conduct periodic testing of whether audit actions reported as completed by management have been effectively implemented
- have the audit committee require the internal audit function to undertake periodic assessments of a sample of closed audit actions to ensure that underlying issues have been effectively resolved—these should be selected in a risk-based manner.
5.1 Introduction
Internal and external audits and reviews identify risks or issues facing agencies and make recommendations to help them to address the underlying issues. Where agencies agree to address those recommendations through proposed actions (audit actions), it is important that the actions are completed in a timely manner and in a way that fully addresses the underlying issues.
Audit committees have a key role in monitoring agencies' implementation of agreed audit actions. If this does not occur, the risks or underlying issues may not be effectively addressed. Risks may not just be to agencies—they could also be to the public—for example, health and safety—or to the environment.
In this Part, we examine audit committees' practices for monitoring audit actions at four agencies—Agencies A, B, C and D.
5.2 Conclusion
Audit committees have consistently highlighted that their role in monitoring audit actions—particularly the high number of outstanding and overdue actions—is one of their greatest challenges and takes up a significant amount of their time and effort.
Audit committee oversight of audit actions is improving. This is largely due to agencies implementing more effective processes for tracking audit actions, which are better able to monitor progress and provide better reporting to audit committees. Committees have also identified several ways to reduce the number of outstanding and overdue management actions.
However, a challenging area for audit committees is monitoring audit actions reported as completed by management. Across the examined agencies, we found that audit committees had differing levels of oversight and that they could more effectively utilise the internal audit function or another independent body to test whether audit actions have in fact been implemented and whether the underlying risks identified by audits have been effectively addressed. Currently, only one of the four audit committees we examine in this Part has its internal auditor test closed audit actions. Moving forward, other audit committees should implement a similar approach.
The changes made to the Standing Directions of the Minister for Finance (Standing Directions) have caused some agencies to consider reducing the role their audit committees have in monitoring audit actions. This is concerning and decreases agency management's level of accountability and could lead to agencies failing to effectively address the underlying issues and risks identified by internal and external audits.
5.3 Audit committee responsibilities
5.3.1 Standing Directions
Figure 5A shows the 2003 and 2016 Standing Directions requirements for audit committees to monitor audit actions.
Figure 5A
2003 and 2016 Standing Directions requirements for audit committees to monitor implementation of audit actions
2003 Standing Directions |
2016 Standing Directions |
|
---|---|---|
Monitor the implementation of management actions |
Internal audit Audit committees should make appropriate enquiries to monitor actions taken by management to resolve issues. External audit Audit committees are to monitor whether accepted recommendations of the external auditors are adopted and addressed by management on a timely basis. |
Internal and external audit Audit committees are to consider recommendations made by internal and external auditors relating to or impacting on financial management, performance and sustainability and the actions to be taken by the agency to resolve issues raised. |
Monitor the impact of management actions |
Internal audit n/a External audit Audit committees are to review the impact of actions taken by management intended to resolve issues. |
Internal and external audit Audit committees are to regularly review implementation of actions in response to internal or external audits, including remedial actions to mitigate future instances of noncompliance. |
Source: 2003 and 2016 Standing Directions.
Monitoring audit actions
As shown in Figure 5A, the 2003 Standing Directions required audit committees to monitor all audit actions. In contrast, the 2016 Standing Directions narrow the scope of audit committees' responsibility for monitoring audit actions to only those that arise from recommendations 'relating to or impacting on financial management, performance and sustainability'. This change is concerning and decreases the level of accountability of management and could lead to agencies failing to address important issues.
VAGO acknowledges that:
- The Department of Treasury & Finance (DTF) adopted this approach in response to legal advice that the Standing Directions went beyond the bounds of the Financial Management Act 1994.
- DTF has encouraged audit committees to continue a more comprehensive approach via the non-mandatory guidance that sits under the Standing Directions. The guidance notes that DTF would expect audit committees to monitor a recommendation even if it falls outside the scope of financial management, performance and sustainability.
Measuring the impact of closed audit actions
Under the 2003 Standing Directions, audit committees were explicitly required to measure the impact of audit actions resulting from external audits. As shown in Figure 5A, the 2016 Standing Directions state that audit committees should 'regularly review implementation of actions in response to internal or external audits, including remedial actions to mitigate future instances of noncompliance'.
We asked DTF whether this means that audit committees should be reviewing the impact of actions to see if they resolve the original issue identified. DTF explained that, while it is ultimately a matter of legal interpretation, its view is that reviewing the impact of those actions may be appropriate in some circumstances even though it is not explicitly required by the 2016 Standing Directions. DTF noted it will expect audit committees to take a risk-based approach to this function, given it would be unreasonable to expect audit committees to review the impact of every individual action. In this regard, the changes to the 2016 Standing Directions are ambiguous and it is not clear why DTF has removed this requirement for audit committees. We would encourage all audit committees to have internal audit undertake periodic review of a risk-based sample of closed audit actions to see whether the underlying issues have been effectively mitigated.
5.3.2 Audit committee charters
In response to the 2016 Standing Directions, some agencies are considering reducing the role their audit committees have in monitoring audit actions. Removing the explicit requirement for agencies to monitor management actions in response to all kinds of recommendations and to assess whether the outcomes of actions address the underlying issues and risks identified by audits could expose the agency or the public to significant risk.
5.4 Agency tracking and reporting
5.4.1 Agency audit action tracking processes
Agencies need an effective process for monitoring and reporting on audit actions so that audit committees can have confidence that agency management is accountable for addressing actions and for ensuring actions are effectively mitigating the risks identified by audits.
To better track audit actions, the audited agencies have moved from spreadsheet‑based systems to electronic tracking systems which enable the systematic recording, monitoring and reporting of performance. The audited agencies have also developed written policies and guidance tools to assist users with managing audit actions. Common elements across the four systems we examined include:
- the use of periodic prompting messages asking action owners to provide progress updates
- controls on who can input data or verify that data inputted is correct
- alignment to other project management tools such as risk management and the business planning cycle.
Differences across systems include:
- whether action owners can upload document attachments as evidence of completion of the action
- whether all recommendations across the agency are tracked.
Two agencies have recently undertaken a review of their audit action tracking systems. Both identified areas for improvement, such as:
- clarifying and communicating expectations of the evidence required to support action implementation and data recording
- implementing a quality review process to improve the accuracy and completeness of information
- reviewing user documentation and providing ongoing user training and workshops to address identified issues.
5.4.2 Information reported to audit committees
Audit committees require reliable information on the status of audit actions and their implementation. The tracking processes described above assist in this process, but we found that the level of detail presented to audit committees differs across agencies.
All audit committees receive, as a minimum, high-level reports showing the number of outstanding actions with various details included, such as the area responsible, risk rating, due date and actions assessed as completed by internal audit. In addition:
- at one agency, reports are presented to the audit committee by a member of the management team, enabling the audit committee to ask questions as needed
- another audit committee receives detailed division-level briefings, presented by the relevant member of the management team, enabling the audit committee to ask questions as needed.
5.5 Audit committee oversight of audit actions
All four audit committees examined fulfil the responsibilities of their charters and the requirements under the 2003 and 2016 Standing Directions to monitor audit actions. This is shown in Figure 5B.
Figure 5B
Do agencies meet the requirements of the 2003 and 2016 Standing Directions?
Standing Directions requirements |
Agency A |
Agency B |
Agency C |
Agency D |
---|---|---|---|---|
2003 Standing Directions |
||||
|
Yes |
Yes |
Yes |
Yes |
|
No |
Yes |
No |
No |
2016 Standing Directions |
||||
|
Yes |
Yes |
Yes |
Yes |
|
Yes(a) |
Yes(a) |
Yes(a) |
Yes(a) |
(a) We have assessed compliance against a strict reading of the 2016 Standing Directions. See Section 5.4.5 for further discussion.
Source: Victorian Auditor-General's Office.
5.5.1 Outstanding and overdue audit actions—strategies to reduce numbers
Interviews with audit committee members highlighted that the high number of outstanding audit actions—and, particularly, the high number of those that are overdue—is one of the greatest challenges for audit committees.
Figure 5C shows the number of audit actions, including the total outstanding and total overdue, that the four audit committees examined in this Part are responsible for monitoring.
Figure 5C
Number of outstanding and overdue audit actions
Agency A(a) |
Agency B(b) |
Agency C(c) |
Agency D(d) |
|
---|---|---|---|---|
Total number of outstanding audit actions (including on track and overdue) |
254 |
185–195 |
276 |
182 |
Total number of overdue audit actions |
131 |
135–140 |
126 |
63 |
|
14 |
n/a |
57 |
n/a |
|
61 |
n/a |
n/a |
n/a |
(a) Data as at 8 April 2016.
(b) Data for November 2015 to April 2016 attestation period.
(c) Data as at 15 May 2016.
(d) Data as at 8 April 2016.
Note: n/a = data not reported by agency.
Source: Victorian Auditor-General's Office.
Agencies have implemented several practices to reduce the number of outstanding recommendations. These include requiring senior executives to attend relevant audit committee meetings to discuss their outstanding actions, particularly those that are long overdue or significant. One agency's approach is discussed in Figure 5D.
Figure 5D
Case Study: Strategy to increase management accountability for outstanding audit actions
Agency B focuses on the outstanding actions of one or two divisions per audit committee meeting. The relevant deputy secretary attends the meeting and provides written and verbal briefings to the audit committee. Attendees and dates are scheduled ahead of time in the agency's annual forward plan. This approach is in line with the Australian National Audit Office's better practice guide Public Sector Audit Committees: Independent assurance and advice for Accountable Authorities, which notes that this as a key mechanism for reducing the number of outstanding audit actions. It enables the audit committee to obtain direct feedback on the agency's progress in implementing audit actions and holds management directly to account. |
Source: Victorian Auditor-General's Office.
Agency C recently conducted a survey of action owners to identify recurring reasons for overdue actions. Further, several audit committees separate issues related to information technology, an area with a large number of overdue audit actions.
5.5.2 Closed audit actions—verifying implementation
To ensure that agencies and the public are not exposed to risks identified by audits, agencies need to ensure that audit actions reported as 'closed' have in fact been implemented as intended. The agencies we examined have differing mechanisms and levels of assurance for testing whether actions are being effectively completed. Internal audit can play a key role in assisting the audit committee by conducting periodic follow‑up reviews to test whether audit actions have been implemented as intended.
At Agency A and Agency D, an internal audit staff member independently verifies the evidence that action owners provide to show that an action has been implemented. While this practice is good, Agency A takes it one step further—following this initial assessment, the internal audit contractor conducts its own independent assessment of whether the action was indeed implemented.
At Agency B and Agency C, responsibility for final closure of audit actions—including approval of any revisions to implementation dates—rests with members of the senior executive team. Similar to Agency A, Agency B has its internal audit contractor undertake annual follow-up reviews of a sample of audit actions, examining the supporting documentation provided and holding discussions with relevant personnel. Together, the internal audit contractor and agency management select audit actions with significant risk ratings from across internal and external audits.
Agency C does not currently have its internal auditor review closed audit actions. However, in April 2016, the agency's audit committee approved a proposal for the internal audit function to commence post-implementation follow-up reviews of closed audit actions. This change was likely in response to a review of the audit tracking process, undertaken by the agency's internal audit function, which identified the need for follow-ups.
5.5.3 Closed audit actions—measuring the impact
As well as ensuring that audit actions have been implemented as intended, it is critical that management actions effectively mitigate the original risks identified by audits. As noted in Section 5.3.1, despite the changes to the 2016 Standing Directions, DTF still expects audit committees to take a risk-based approach to this function.
Once again, the internal auditor can play a key role in assisting the audit committee to test whether completed management actions have adequately addressed the original risk identified.
In June 2016, VAGO tabled three follow-up audits that examined progress by agencies in implementing actions to address the recommendations arising from audits tabled in 2013–14. The three audits were:
- Residential Care Services for Children
- Asset Confiscation Scheme
- Recreational Maritime Safety.
One of the key finding of these follow-up audits was that, although agencies typically had processes in place to enable audit committees to monitor audit actions, the agencies could not clearly demonstrate that their audit committees had oversight of whether actions taken in response to the specific recommendations had effectively addressed underlying issues.
Similarly, only one of the four agencies assessed in this chapter—Agency B—was fulfilling the 2003 Standing Directions requirement to review the impact of management actions to resolve issues raised by external audit. Figure 5E describes this agency's approach.
Figure 5E
Case Study: Measuring the impact of audit actions
In undertaking its annual follows-ups of a sample of audit actions, Agency B's internal audit contractor assesses whether the risk identified by the audit has been effectively mitigated. Agency B's 2016 follow-up exercise also included a review of audit action follow-up activities conducted by divisions and business units. It found that these were inconsistent and that there was no clear consideration of the original audit finding or risk mitigation in the follow-up of audit action completion. This indicates that, despite having a policy and a follow-up process for a sample of closed audit actions, Agency B still has work to do to improve how it addresses audit actions across the organisation. |
Source: Victorian Auditor-General's Office.
Two other audit committees are intending to move toward a similar practice:
- As noted above, Agency C's audit committee has approved a proposal for post‑implementation follow-up reviews of closed audit actions which will, among others things, assess whether the original risks linked to audit recommendations have been reduced by management actions.
- Agency D has informed us that its internal audit plan for 2016–17 will include the follow-up of high-risk closed actions from 2015–16, to test whether measures implemented by management have been effective.
We have not seen evidence that Agency A is intending to commence measuring the impact of audit actions.
Recommendations
That agencies:
- ensure that the audit committee continues to monitor all audit actions, even if they fall outside the scope of financial management, performance and sustainability
- have the audit committee require internal auditors to conduct periodic testing of whether audit actions reported as completed by management have been effectively implemented
- have the audit committee require the internal audit function to undertake periodic assessments of a sample of closed audit actions to ensure that underlying issues have been effectively resolved—these should be selected in a risk‑based manner.
Appendix A. Key Standing Directions requirements for audit committees
Figure A1
Key 2003 and 2016 Standing Directions requirements for audit committees
Category |
2003 Standing Directions |
2016 Standing Directions |
---|---|---|
Role |
|
|
Charter |
|
|
Membership and independence |
|
|
Skills and experience |
|
|
Induction and training |
|
|
Membership reviews |
|
|
Self-assessments |
|
|
Administrative arrangements |
|
|
Risk management |
|
|
Internal audit |
|
|
Monitoring audit actions |
|
|
Compliance monitoring |
|
Note: The 2003 Standing Directions define 'Responsible Body' as (a) in relation to an agency with a statutory board or equivalent governing body established by or under statute, that board or governing body; and (b) in relation to an agency without a statutory board or equivalent governing body established by or under statute, that agency's accountable officer.
Note: Under the 2016 Standing Directions 'Responsible Body' means for a (a) government department, the accountable officer; and (b) every other public sector agency, the board.
Source: 2003 and 2016 Standing Directions of the Minister for Finance.
Appendix B. Audit Act 1994 section 16—submissions and comments
Introduction
In accordance with section 16(3) of the Audit Act 1994, a copy of this report, or part of this report, was provided to the Department of Economic Development, Jobs, Transport & Resources, the Department of Education & Training, the Department of Environment, Land, Water & Planning, the Department of Health & Human Services, the Department of Justice & Regulation, the Department of Premier & Cabinet, the Department of Treasury & Finance and Victoria Police.
The submissions and comments provided are not subject to audit nor the evidentiary standards required to reach an audit conclusion. Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.
Responses were received as follows:
- Department of Education & Training
- Department of Environment, Land, Water & Planning
- Department of Health & Human Services
- Department of Justice & Regulation
- Department of Premier & Cabinet
- Department of Treasury & Finance
- Victoria Police
- Department of Economic Development, Jobs, Transport & Resources
RESPONSE provided by the Secretary, Department of Education & Training
RESPONSE provided by the Secretary, Department of Environment, Land, Water & Planning
RESPONSE provided by the Secretary, Department of Health & Human Services
RESPONSE provided by the Secretary, Department of Justice & Regulation
RESPONSE provided by the Secretary, Department of Premier & Cabinet
RESPONSE provided by the Secretary, Department of Treasury & Finance
RESPONSE provided by the Chief Commissioner,Victoria Police
RESPONSE provided by the Secretary, Department of Economic Development, Jobs, Transport & Resources