Audit and Risk Committee Terms of Reference

This is the current version of this document.

Section 1 - Establishment

Background

(1) The University Council (Council) has established the Audit and Risk Committee (the Committee). These Terms of Reference set out the Committee’s purpose, authority, membership and functions and responsibilities.

(2) The procedures for the Committee are set out in the Council and Council Committees Procedure.

Purpose

(3) The purpose of the Committee is to provide independent assistance to the University Council by overseeing and monitoring the governance, risk and control, and compliance frameworks and external accountability requirements of the University and its controlled entities (the University).

(4) The Committee is an integral component of the University’s corporate governance arrangements, and its responsibilities generally cover the review and oversight of the following areas:

  1. Internal audit;
  2. External audit;
  3. Risk management;
  4. Internal controls;
  5. Corruption and fraud prevention;
  6. External accountability (including the financial statements); and
  7. Compliance with applicable laws and regulations.

Authority

(5) The Committee does not have delegated financial responsibility or any management functions and has no executive powers.

Section 2 - Membership

(6) The Committee will be constituted by up to five external members of Council appointed by Council on the recommendation of the Nominations and Remuneration Committee.

(7) Council may appoint up to three additional persons external to the University who are appropriately qualified on the recommendation of the Nominations and Remuneration Committee.

(8) The Nominations and Remuneration Committee will maintain a skills matrix to ensure the Committee comprises an appropriate mix of skills, and any recommendations for changes to Committee membership will be made in consultation with the Chair of the Committee.

(9) No member of the Committee may be a member of the University executive or management.

Section 3 - Functions and Responsibilities

(10) The Committee is directly responsible and accountable to Council for the exercise of its responsibilities.

(11) The Committee’s responsibilities are as follows:

  1. Risk management:
    1. review whether management has in place a current and appropriate risk management process, and associated procedures for the effective identification and management of the University’s major risks, including financial, business, and fraud and corruption risks;
    2. review whether a sound and effective approach has been followed in developing strategic risk management plans for major operations or projects (including IT projects);
    3. review the impact of the University’s risk management process on its control environment and insurance arrangements;
    4. review the adequacy of the University’s insurance arrangements on an annual basis;
    5. review whether a sound and effective approach has been followed by the University in establishing credible business continuity planning and that adequately resourced financial and tuition arrangements are in place to mitigate disadvantage to students that may arise through a major adverse event, including whether disaster recovery plans are in place and have been tested periodically;
    6. monitor responses to any critical incidents of the University;
    7. review the University’s fraud control plan and satisfy itself that the University has appropriate processes and systems in place to capture and effectively investigate fraud related information;
    8. satisfy itself that management periodically assesses the adequacy of the University’s information security infrastructure (including cyber security);
  2. Control framework:
    1. review whether management’s approach to maintaining an effective Internal Control Framework, including over external parties such as contractors, advisors, or outsourced service providers, is sound and effective;
    2. review whether management has in place relevant internal control policies and procedures, and that these are periodically reviewed and updated;
    3. determine whether the appropriate processes are in place to assess, at least once a year, whether policies and procedures are complied with;
    4. review whether appropriate policies and procedures are in place for management and exercise of delegations;
    5. assess how management identifies any required changes to the design or implementation of internal controls;
    6. monitor strategies to enhance a culture that is committed to ethical and lawful behaviour;
  3. External accountability:
    1. review the annual statutory financial statements and provide advice to Council (including whether appropriate action has been taken in response to audit recommendations and adjustments), and recommend their approval and signing;
    2. satisfy itself that the financial statements are supported by appropriate management signoff on the statements and on the adequacy of the systems of internal controls;
  4. Compliance with applicable laws and regulations:
    1. determine whether management has appropriately considered legal and compliance risks as part of the University’s risk assessment and management arrangements;
    2. review the effectiveness of the system for monitoring the University’s compliance with applicable laws and regulations, and associated government policies;
    3. provide advice to Council regarding the issue of the University’s annual Certificate of Compliance, or equivalent report;
  5. Internal audit:
    1. act as a forum for communication between Council, senior executives and management and internal / external audit;
    2. review the internal audit coverage and annual work plan, ensure that the plan is consistent with the University’s risk profile, and approve the plan;
    3. review and assess the adequacy of internal audit resources to carry out its responsibilities including the completion of the internal audit plan;
    4. oversee the coordination of internal audit programs and other review functions;
    5. review all internal audit reports and provide advice, where appropriate, to Council on significant issues identified and action taken on issues raised, including identification and dissemination of better practice;
    6. monitor management’s implementation of internal audit recommendations;
    7. review and approve the Internal Audit Charter at least annually to ensure appropriate organisational structures, authority, access and reporting arrangements are in place;
    8. review the performance of internal audit annually;
    9. oversee a Tender for internal audit services to include review of tender documents and selection of candidates as required;
    10. report to Council on the appointment or replacement of the Internal Auditor;
    11. review the entity-wide assurance map that identifies the entity’s key assurance arrangements;
    12. meet with the Internal Auditor without management present when determined;
  6. External audit:
    1. act as a forum for communication between Council, senior executives and management and internal and external auditor;
    2. provide input and feedback on the financial statements audit coverage and plans proposed by external audit;
    3. assess the performance of the external auditor annually and provide feedback to the auditor on the services provided;
    4. review reports issued by external audit and monitor management’s timely implementation of external audit recommendations;
    5. provide advice to Council on action taken on significant issues raised by external audit;
    6. meet with the External Auditor without management present when determined;
  7. Controlled entities:
    1. review the Terms of Reference of Audit and Risk Committees constituted by controlled entities, and provide feedback and recommendations, if any, to the Chair of those committees as appropriate;
    2. receive and review the minutes of meetings of Audit and Risk Committees of controlled entities; and
    3. receive and review the minutes of meetings of controlled entity Boards/committees.

Section 4 - Meetings

(12) Refer to the Council and Council Committees Procedure for meeting requirements and protocols.

Section 5 - Variations

(13) Variations to this Terms of Reference must be approved by Council.

Section 6 - Definitions

(14) For the purpose of this document:

  1. Committee – means the Audit and Risk Committee of Council.