(Effective 7 September 2023)
The Board of CSIRO, as CSIRO’s accountable authority, has established the Board Audit and Risk Committee (BARC) in compliance with section 45 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and PGPA Rule section 17, regarding Audit Committees for Commonwealth Entities.
Functions of audit and risk committee
The Public Governance, Performance and Accountability Act (PGPA Act) requires that accountable authorities of Commonwealth entities ensure that their entity has an audit committee (subsection 45(1)) and that committee is constituted and performs functions in accordance with any requirements prescribed by the associated rules (subsection 45(2)).
Under the Public Governance, Performance and Accountability Rule (PGPA Rule), the functions of the committee are reviewing the appropriateness of the accountable authority’s:
- financial reporting,
- performance reporting,
- system of risk oversight and management, and
- the system of internal control, for the entity (subsection 17(2))
2.1 Financial reporting
In order to assist the Board in ensuring the appropriateness of CSIRO’s financial reporting, the BARC will review, report and provide advice on:
- CSIRO’s areas of greatest financial risk and how they are managed
- the adequacy of the financial reporting process implemented by management and the annual financial statements to determine whether they meet all relevant requirements, are complete, reflect appropriate accounting standards and principles, contain appropriate disclosures, and that accounting policies and PGPA (Financial Reporting) Rule / Finance Secretary Directions are consistently applied.
- CSIRO’s financial record keeping arrangements
- the acceptability of correct accounting treatment for, and disclosure of, significant transactions that are not part of CSIRO's normal course of business.
The BARC will also obtain the relevant representations from management as to the preparation of the financial statements and, on recommendation from the Chief Executive (CE) and Chief Finance Officer (CFO), will provide a statement to the Board on the results of the financial statement audit (including whether the annual financial statements comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance) and recommend the signing of the financial statements to the Board for publication in the Annual Report.
2.2 Performance Reporting
In order to assist the Board in ensuring the appropriateness of CSIRO’s performance measurement and reporting, the BARC will review, report and provide advice on the appropriateness of CSIRO’s systems and procedures for assessing, monitoring and reporting on achievement of the entity’s performance. In particular, the committee should satisfy itself that:
- The performance reporting system and framework is appropriate, with reference to the Commonwealth Performance Reporting Framework and relevant rules of the PGPA Act (including relevant requirements, directions or guidance)
- The entity’s approach to measuring its performance throughout the financial year against the performance measures included in its Portfolio Budget Statements and Corporate plan is appropriate and in accordance with the Commonwealth performance framework. This may include reviewing, over time, particular elements of the performance measures.
- The entity has appropriate systems and processes for preparation and publication of its annual performance statement.
The BARC will review the annual performance report prior to finalisation and provide advice to the Board on its appropriateness. This will include providing a statement to the Board on whether, in the BARC’s view, CSIRO’s annual performance statement and performance reporting as a whole is appropriate, with reference to any specific areas of concern or suggestions for improvement.
2.3 Risk Oversight and Management
In order to assist the Board in ensuring the appropriateness of CSIRO’s risk management arrangements, the BARC will review, report and provide advice on:
- the adequacy and effectiveness of CSIRO's enterprise risk management policy and framework and related processes to identify and manage the entity’s risks, including business continuity planning processes;
- the Organisational Risk Profile and the process that underpins its development, and the appropriateness of the controls and risk mitigation strategies management implement to manage these risks.
The BARC will also provide an annual statement to the Board on whether, in the BARC’s view, CSIRO’s system of risk oversight and management as a whole is appropriate, identifying any specific areas of concern or suggestions for improvement.
2.4 Internal Control
In order to assist the Board in ensuring the appropriateness of CSIRO’s system of internal controls, the BARC will review, report and provide advice on:
Internal Control Framework
- CSIRO’s Internal Controls Framework, and the appropriateness, effectiveness and efficiency of the system of internal controls, particularly those related to areas of significant risk.
- whether management has in operation the policies necessary to ensure that CSIRO achieves its objectives and complies with all applicable laws and Government policies and directives.
Legislative and Policy Compliance
- The effectiveness of CSIRO’s processes for identifying and reporting significant non‐compliance with the PGPA Act and Rules and other applicable legislation, including CSIRO’s Compliance Control Plan.
- The recommendations of management regarding any significant non-compliances with the PGPA Act and Rules to be disclosed in the CSIRO Annual Report.
The BARC will also receive regular updates from management and General Counsel regarding other significant regulatory compliance issues, and legal disputes and claims that may have a material impact on CSIRO's reputation or financial statements.
Security and Fraud
- The process for developing and implementing CSIRO’s fraud control arrangements consistent with the fraud control plan, and satisfy itself that CSIRO has adequate processes for detecting, capturing and effectively responding to fraud risks;
- Management’s approach to maintaining an effective internal security system (including complying with the Protective Security Policy Framework);
- Regular updates from management regarding security matters reported, and alleged fraud incidents investigated, by the CSIRO Fraud and/or Security teams.
- The results of the biennial CSIRO Fraud Risk Assessment and CSIRO Fraud and Corruption Control Plan, completed in accordance with Paragraph (a) of the Fraud Rule (Section 10 of the PGPA Act) and guidance of the Commonwealth Fraud Control Framework.
2.5 Internal audit
To ensure the appropriate and effective operation of CSIRO’s internal audit function, the BARC will:
- Approve the Annual Operational Internal Audit Plan, ensuring that it is risk focused and covers any areas warranting specific attention by the BARC and that the plan makes provision for appropriate co‐ordination with the external auditor.
- Monitor the implementation of the Annual Operational Internal Audit Plan and review audit activity reports, complete with management responses to the significant audit issues raised.
- Monitor the implementation of agreed audit actions over time.
- Regularly review the Internal Audit Charter and the effectiveness, performance structure and resourcing of internal audit.
- Meet separately with the Internal Auditor to discuss any matters in camera privately, as required.
- On recommendation from management, ratify the appointment and termination of the Manager, Internal Audit.
2.6 External audit
To ensure maximum benefit to CSIRO from the activities of the external auditor, the BARC will:
- Review the external auditor’s proposed financial statements audit scope and audit approach, including materiality, for the current year.
- Review and discuss significant findings and recommendations made by the external auditor on a timely basis and require that management respond promptly to recommendations made by the external auditors.
- Review and provide advice to the Board on actions taken on significant issues raised in other relevant performance audit reports and better practice guides.
- Meet in camera with the external auditor to discuss any matters, as required.
The Board appoints the BARC Chair and members.
The Committee comprises at least 2 non-executive members of the Board and external members appointed to the Committee to provide professional advice and consultation on all matters pertaining to Committee activities.
A quorum constitutes the majority of members on the Committee.
The BARC will meet at least four times a year. If required, additional meetings may be requested through the BARC Chair by any member, the Company Secretary, internal auditor or the external auditor.
Directors who are not Committee Members may attend Meetings.
At the invitation of the BARC Chair, appropriate management, the internal auditor and representatives of the external auditor are to attend BARC meetings.
Recommendations of the Committee are to be referred to the Board for approval.
The Corporate Secretary supports the Committee and attends the meetings.