Getting the most out of your department's Audit and Risk Committee
Building and maintaining the public’s trust
The public’s trust in the public sector is built through public organisations demonstrating competence, reliability, and honesty in all that they do. Showing these characteristics also requires the building of genuine and enduring relationships between public organisations and the public they serve.
None of this is easy to do. It requires public organisations to have robust policies, processes, and systems, competent and motivated staff, management and governance that is strong and effective, and constant attention to risk from those who lead and serve in public organisations.
Additional challenges that arise in government departments include:
- governance and management being more closely entwined compared to organisations where governance is formally separated from management (for example, organisations with a board of governors);
- the scale and complexity of operations; and
- high levels of political and public scrutiny and accountability.
Understanding and managing risk in a government department is particularly challenging. This is where a well-functioning Audit and Risk Committee (the Committee) can add significant value.
What does an Audit and Risk Committee do and not do?
The Committee is responsible for offering advice about governance, risk identification and management, internal controls, external reporting, and audit matters.
The Committee is best seen as a group of “critical friends” – a group of highly experienced advisors who provide advice directly to the chief executive and senior leadership team of a government department.
The Committee does not replace existing governance, management, or other accountability mechanisms in a government department. It cannot take decisions or direct activities that are the responsibility of the chief executive.
The Committee has no powers or responsibilities other than those related to its risk and assurance mandate.1
What are the benefits of an Audit and Risk Committee?
A Committee offers a range of benefits, including:
- A dedicated forum for governance discussions. Separating governance and management is important for governance to be effective.2 However, the separation between management and governance in a government department is sometimes difficult given the multiple management and governance responsibilities that the senior leadership team has.
As it has been set up specifically to focus on governance questions related to the performance of, and accountability and risks in, a government department, the Committee should support a different type of discussion to that which occurs in management committees. - Additional perspectives on the risks the department faces. The Committee sits outside the day-to-day imperatives of running a government department. This enables the Committee to provide a well-informed but independent perspective on the department’s operating environment and the risks and challenges it faces.
Committee members are usually appointed because of their own experience and expertise as leaders who have worked in complex environments before. This gives them an ability to challenge management’s thinking and provide fresh insight to the chief executive and senior leadership team. - A safe place to test ideas. Although there is immense capability in the public service, issues will arise that have no obvious answers or require experience and skills outside what is already available in the government department. The Committee offers a confidential forum to speak openly, test ideas, receive direct feedback, and to have free and frank conversations on issues and risks the department is facing.
What are the foundations of an effective Audit and Risk Committee?
To be most effective, there are four foundations a Committee will need:
- Clarity of purpose. It is important that the Committee has a clear purpose, and that its work programme reflects that purpose. In practice, the purpose of the Committee should be clearly laid out in a Charter/Terms of Reference document, as well as an annual work plan or work programme.
- Independence. Members of a Committee are in the best position to provide objective and impartial advice when they have no executive powers or delegated responsibilities in the department. Through independent perspectives, experience, and knowledge, the Committee can test and challenge ideas in a way that adds value to the governance of the department.
- Competence. Members of the Committee should have a complementary and relevant mix of competencies and technical expertise, such as different career backgrounds or skills. This mix is important so that members of the Committee can bring diversity of thought and insights on the department’s priorities and strategic risks.
- Respected and trusted relationships. For the Committee to be effective, its members need to able to ask questions and raise issues in a culture of respect, openness, and trust. The senior leadership team needs to see the continuous improvement value that arises from the questions and challenges raised by the Committee. Other staff need to see the process of engaging with the Committee as useful and constructive.
An effective Committee has these foundations and also knows and considers the environment the department is operating in. For example:
- An independent Committee is less useful if it knows little about the department, sector, or context within which the department operates.
- An experienced Committee needs to think about succession planning for those who will take over the Committee roles.
- A Committee needs confidence that the chief executive and senior leadership team respect the purpose of the Committee and its members and make time to consider the Committee’s advice.
Finally, a full induction for every Committee member – from induction information packs to discussions about roles and responsibilities with key leaders and officials – is essential to familiarise each member with the department.
How can this work in practice?
Chief executive’s support for the Committee
The relationship between the Committee’s chairperson and the chief executive is critical to the success of the Committee.
It is good practice for the chief executive to meet regularly with the chairperson outside of committee meetings. This allows the Committee’s chairperson to share observations and advice which may not be appropriate to discuss in a formal meeting of the Committee. It allows the chief executive to reflect on the work of the Committee and where it could add the most value.
It is also good practice for the chief executive to:
- attend Committee meetings, both to set an example for free and frank conversations and to show a personal commitment to the role the Committee plays;
- enable the Committee to meet with external auditors with no other members of management present so that auditors can freely draw attention to particular issues; and
- enable the Committee to (when it deems it appropriate) meet with other staff without the chief executive or members of management attending.
What does a good work programme look like?
Every government department is different and faces different risks. Regardless, it is good practice that the most critical risks in the department’s operating environment are what drives the Committee’s purpose and work programme.3
A good work programme often has these features:
- A chief executive’s report (written or oral) to each meeting.
- Review and regularly scheduled discussion of key operational areas of the organisation, risks, and strategic projects.
- Internal and external audit activities and reports, including a schedule of outstanding recommendations.
- Review and discussion of a risk report.
- Review of key accountability documents and strategies before their final approval.
- Strategic topics specific to the risks facing the department (for example, cyber security or operational performance risks). This enables the Committee to conduct “deep dives” into these topics in addition to business-as-usual work. The topics might be chosen by the Committee or by the chief executive.
It is important that Committee meetings do not become another layer of management. Rather, they should focus on the matters that would most benefit from the expertise and insight of the Committee members.
To assist with this, papers submitted to the Committee should be clear about what management is seeking from the Committee.
What are the considerations for appointing members?
The value and effectiveness of the Committee depends on the chief executive appointing independent members with competencies that reflect the department’s priorities and risks.
It is best practice to appoint Committee members (including the chairperson) who do not have any executive powers or functions, or delegated responsibilities, within the department. In other words, ideally there should be no members of management (including the chief executive) on the Committee. If there are members of management on the Committee, they should be in the minority.
Members should bring experience, skills, and diversity to the Committee. All members should have worked at senior levels in other organisations. Members also need to have a good appreciation of effective management practices and public sector accountability and where they differ to those in the private sector.
What goes in a Charter or Terms of Reference?
All Audit and Risk Committees should have a Charter/Terms of Reference. At a minimum, the Charter/Terms of Reference should include:
- a clear statement of the Committee’s purpose;
- an outline of the Committee’s work programme and responsibilities; and
- information about:
- membership;
- terms of appointment;
- how often there are meetings;
- confidentiality; and
- how conflicts of interests will be managed.
It is good practice for the Committee to review its own performance against the Charter/Terms of Reference annually, and for the Charter/Terms of Reference to also be reviewed regularly.
What does good secretariat support look like?
An effective Committee needs competent secretariat support.
At a minimum, good secretariat support should:
- enable meeting agendas to be set smoothly and efficiently;
- provide basic quality assurance over papers going to the Committee;
- provide meeting papers and minutes well in advance of meetings;
- ensure that action points are followed up;
- facilitate and support a periodic review of the effectiveness of the Committee; and
- carry out other administrative tasks, such as managing the Committee members’ contracts.
The secretariat might also provide advisory support with a degree of independence from management.
The department’s risk and assurance functions, including internal audit, also have an important relationship with the Committee. In many instances, these functions are the first choice to be the secretariat.
It is also good practice for the internal audit function to provide information directly to the Committee and attend Committee meetings (including, at times, without senior leadership team members in attendance) to enable independent and free and frank discussions.
What is the best size for a Committee?
Committees are generally made up of three to five members. However, the size of the Committee should be based on having the right mix of competencies.
What is the best tenure for Committee members?
The Committee’s chairperson and members are typically appointed for three to five years. Some members might be brought on for shorter terms (for example, to fill a specific skills gap).
Regularly rotating members allows fresh thinking and new skills to join the Committee. Members’ terms can be staggered to overlap and provide some continuity, with members who have experience interacting with the department and newer members who bring fresh perspectives.
How often should the Committee meet?
An effective Committee should meet at least four times a year. Meetings might also be held more often in response to matters such as significant projects or initiatives that would benefit from the Committee’s advice, major operational risks, or pressing organisational matters needing attention.
Committees might also choose to run “deep dive” sessions on higher-risk aspects of the department to better understand and advise on these areas outside their normal meeting schedule.
1: There are no specific legislative requirements for setting up Audit and Risk Committees in public organisations. However, there are several expectations of good governance that either require or strongly support public organisations having an Audit and Risk Committee. Examples include Four Pillars of Governance Best Practice by the Institute of Directors and the Three Lines Model by the Institute of Internal Auditors.
2: See our good practice research on effective governance at oag.parliament.nz/good-practice/governance.
3: Although internal and external audits should form part of the work programme, our view is that they should not be the work programme’s sole focus. This could create a risk that Committee meetings become a compliance exercise.