Setting up a council’s Audit and Risk Committee

What is an Audit and Risk Committee?

An Audit and Risk Committee (the Committee) provides your council’s governing body – the set of all elected councillors – and your community with confidence that your council is managing its risks. Councils operate in a complex and rapidly changing environment. The Committee can be a powerful advisory group that helps councils manage their risks and strengthen their internal control systems.

The Committee is set up by the Council, drawing on the advice of the chief executive. Members of the Committee are increasingly a mix of councillors and independent members.

At the Council’s discretion, there might be independent (external to the council) members and/or an independent chairperson.

We recommend having an independent chairperson. This is often the best way to promote free and frank debate during Committee meetings. It also gives councillors confidence, knowing that they are receiving objective advice and assurance.

Why have such a committee?

The Committee provides an important “check and balance” in the council’s systems of governance and internal control. An effective Committee will help engender trust and confidence in council decision making.

What does the Committee do?

The Committee is responsible for offering advice on governance, risk management, internal control, external reporting, and audit matters. For example, the Committee’s work includes providing assurance to the council’s governing body that the right current and emerging risks are being identified, that appropriate “right-sized” mitigations are in place for those risks, and that those mitigations are working effectively.

The Committee can make recommendations to the governing body and/or the chief executive, and request information and advice through the chief executive when necessary.

The Committee does not make decisions on behalf of the council. It has no powers or responsibilities other than those related to its risk and assurance mandate, such as making recommendations to the governing body, or reviewing and approving key documents (for example, the risk and assurance work programme, and the arrangements for the audit of the annual report and long-term plan).

One of the key documents the Committee reviews is the council’s annual report. A new Committee and a newly elected council will sometimes need to adopt an annual report for the previous council. There are no issues with this; it is quite common for the leaders of an organisation who sign statements of responsibility and other reporting documents to differ from those who led or governed during the reporting period.

What is the optimal size for the Committee?

This is a decision for each council to make. However, good practice indicates approximately 5-7 members. In determining the right size, it is important to consider what the significant risks facing the council are. Then determine how many members you need on the Committee to get the right mix of competencies and experience for those risks.

That said, having too many Committee members can result in inefficient, unwieldy meetings and unfocused discussions.

What skills do you need on the Committee?

The (ideally independent) chairperson needs to facilitate discussion so that all relevant and significant risks are explored and deliberated on.

The chairperson should have a broad range of work experience (ideally from the public and private sectors), have a general understanding of the key issues relevant to the council, and have a track record of facilitating and chairing in a political environment.

Collectively, members of the Committee should have a broad range of skills and experiences, both relevant to the operations of the council as well as to the risk profile of the council. For example, the risks in a council’s financial and borrowing policies might require the appointment of someone with treasury and finance expertise.

At least one member should have expertise in accounting and finance. All members should have at least some accounting and financial literacy. The council should also consider the need for the professional development of members.

How can the Committee stay independent?

Independence allows the Committee to provide the best objective advice for Council decision making. We strongly recommend that neither the chief executive nor members of the senior management team be members of the Committee. This reflects the Committee’s responsibility to the governing body, rather than the management, of the council.

All elected members should have visibility of the Committee’s work. They should have a standing invitation to attend and participate in the Committee’s discussions. However, to maintain the independence of the Committee, they should not have voting rights unless they are Committee members.

It is good practice to regularly change the independent Committee members. This brings fresh thinking and new skills to the Committee, prevents Committee discussions from becoming stagnant, and ensures that the Committee maintains its independent perspective over time.

For continuity reasons, it’s also a good idea to stagger the members’ terms so that they overlap. Committees also need to plan early for rotations of members.

What is the optimal tenure for Committee members?

Good practice is to appoint independent members for an initial period not exceeding three years (consistent with a council term). After that, they can have their tenure extended or be re-appointed – up to a maximum of two terms.

Councillors appointed to the Committee automatically cease to hold office when the three-yearly council elections are held. Similarly, it’s good practice to stipulate that the maximum period of membership of the Committee is two terms.

What is the governing body’s role in the Committee’s work programme?

The Committee’s role is to discharge its work programme on behalf of the governing body (the full council). The governing body should have oversight of the Committee’s work programme.

A “top risk report”, provided to the governing body by the Committee, is a useful way of informing the governing body of the most significant risks. It would include the mitigation actions and the work being done to provide assurance that the risk is indeed mitigated.

The Committee should also have a way to regularly report to the governing body about progress with the Committee’s work programme.

Once a year, the Committee should assess and report on its overall performance and activities, and its contribution to the council’s governance and strategic objectives, to the governing body. That report would feature in the council’s annual report.

Minutes of each Committee meeting should be tabled at the next meeting of the Council. At least annually the Committee chair should brief the Council on the work of the Committee.

How does “collective responsibility” work?

A Committee is expected to consist of a combination of independent (appointed based on experience and competencies) and elected members. In addition to the critical role of an independent chairperson, members of the Committee should take collective responsibility for the work of the Committee and not rely on independent members to do all the “heavy lifting”.

The independent chairperson and independent members have an important role to play in sharing their subject matter expertise with the members of the Committee to enable them to effectively discharge their responsibilities. An example is the ability to ask relevant and insightful questions, such as questions about risks to council operations.

Who should the Committee report to?

We have seen that in some councils the Committee is a subcommittee of the Finance Committee (or equivalent) of the council. In that arrangement the Committee makes recommendations to the Finance Committee (on matters such as risk management) as appropriate, rather than directly to the governing body. In some councils, the Finance Committee and the Audit and Risk Committee are one and the same.

In our view, the Committee should be a subcommittee of the governing body (the full council). To be a subcommittee of any other committee limits the Committee’s scope and the ability to have access to the full council.

Furthermore, the Audit and Risk Committee should be separate from the Finance Committee. This is because the Finance Committee has responsibility for approvals, such as approving significant transactions. If the two were combined, the Audit and Risk Committee’s independence would be compromised because it would be reviewing its own decisions. Further, there is significant value to the Council in having an independent and objective view from the Committee on financial and accounting matters.

Having the Audit and Risk Committee being part of the Finance Committee may also deprioritise the risk and audit responsibilities of the Committee in favour of its finance responsibilities.

What does a good Committee work programme look like?

Risks should drive the work programme and its priorities.

In our view, a good work programme should, at a high level, cover:

  • risk management (including oversight of council-controlled organisation risks);
  • integrity;
  • internal control;
  • statutory reporting;
  • assurance and internal audit; and
  • external audit.

The work programme should take into account how the Committee interacts with council-controlled organisations. This includes ensuring that there are adequate processes at a governance level to identify and manage risks facing council-controlled organisations that are relevant to the Council group. It also includes ensuring that organisations under the council’s control are made aware of any risks that do emerge.

Internal and external audits should be part of the Committee’s work programme. However, they should not drive its priorities.

The frequency and duration of Committee meetings are best informed by what is in the work programme, to give the work programme enough time and attention. Good practice is a minimum of four standard meetings each year, with an additional meeting focused on the annual report.

It is good practice for “deep dives” to be regularly done on the council’s top risks as part of the regular meetings. The topics of the “deep dives” should be set out in the work programme. Given the limited time available to the Committee, and the complexity of councils, “deep dives” are a useful way of focusing the Committee’s attention on what is most critical.

A “deep dive” could be conducted as a workshop, where subject matter experts on top risks (such as cyber-security or health and safety) facing the council facilitate a discussion with the Committee on the risk mitigation strategies.1 The purpose is to give the Committee, the council, and ratepayers insight into whether a risk is being managed appropriately.

The Committee’s work programme needs to strike the right balance between risk, assurance, and internal and external audit, based on the council’s priorities. The shape of the work programme would ordinarily be discussed by the governing body. However, the Committee has responsibility for annually agreeing to, and approving, its work programme.

Given that councils operate in a complex and changing environment, it is important for the work programme to be flexible. Although the work programme is agreed to annually, it is best practice for the Committee’s work programme to be reviewed at every Committee meeting.

An example of a work programme is attached as an Appendix.

What should the terms of reference look like?

To ensure that the Committee has a clear purpose, a good terms of reference document or charter is critical.

Good practice is for the governing body to make a series of delegations to the Audit and Risk Committee, and for them to be recorded in the Committee’s terms of reference (or charter). The terms of reference may also be used to keep certain responsibilities with the governing body.

At a minimum, the terms of reference should include:

  • a clear statement on the purpose of the Committee;
  • a clear statement on the Committee’s decision-making powers (if any);
  • membership;
  • appointment processes, tenure of the members, and the competencies needed;
  • the responsibilities of the Committee over its work programme;
  • reporting arrangements, from the Committee to the governing body; and
  • an outline of the work programme.

The outline of the work programme could include:

  • enterprise risks;
  • oversight of council-controlled organisation risks;
  • health, safety, and well-being;
  • legal risks;
  • insurance;
  • assurance and internal audit;
  • the council’s annual report;
  • the annual budget;
  • the council’s long-term plan; and
  • the external audit.

1: With a formal record of the workshop tabled in the full meeting.