Australian National Audit Office – Public Sector Audit Committees – Independent Assurance and Advice for Chief Executives and Boards – August 2011 – Best Practice Guide.
On 31 August 2011 the Australian National Audit Office (the office of the Australian Commonwealth Auditor-General) released its latest best practice guide for Audit Committees in the Commonwealth Public Sector.
Given the advancement in other public sector jurisdictions in Australia, and significant improvements in the private sector, this is an exceptionally disappointing body of work and may not lead to the improvement in governance in the Australian Commonwealth Public Sector. I am disappointed that the Commonwealth Auditor-General has not provided effective leadership in the Commonwealth in this area.
Rather than providing this guide, it is my opinion that the ANAO would have served the Australian citizens better by undertaking an “audit” of the various legislation supporting strong governance and the structure of Audit & Risk Committees in the sector. This may have included benchmarking the current Commonwealth arrangements with those in other government jurisdictions and the private sector. Finally, it could have provided recommendations to Government to significantly improve the structures and processes of Corporate Governance in the Australian Commonwealth Public Sector.
Finally, given that an Audit Committee should be providing a level of review and oversight of the performance of their external auditor (which most likely is undertaken by the ANAO or their agent), it may be more appropriate for an Australian Commonwealth Best Practice Guide on Audit Committees to be published by the Department of Finance and Deregulation or The Treasury, to ensure appropriate independence from the ANAO.
My commentary is based on a preliminary review of the document and I hope this provides a framework for discussion on this important area for experts in corporate governance.
It is my opinion that this guide does not represent best practice for Audit Committees in the Commonwealth Sector, with critical failures or weaknesses in the following key areas:
- Lack of recommendation for truly Independent Members on the Audit Committees;
- Lack of a recommendation for a majority of Independent Members on the Audit Committees;
- Lack of a recommendation for using ISO3100:2010 as the base line for Risk Management;
- Lack of a recommendation for the use of the Institute of Internal Audit “International Professional Practice Framework” as the base line for Internal Audit standards;
- Lack of recommendation for the Audit Committee to review and endorse or otherwise make recommendations, in relation to the removal of the Chief Audit Executive (Head of Internal Audit);
- Has a confusing approach in risk with an overemphasis on fraud risk and lack of focus on Project Implementation, Privacy, Procurement, Information Security etc., and the document has a separate section on external service provision which is just another risk; and
- Lack of effective recommendations relating to the recruitment of Independent Audit Committee members, their contractual arrangements, protection and insurance.
Some Detailed Commentary
- In the introduction section to the Guide the ANAO states “The principles and practices outlined in this Guide are generally applicable to all public sector agencies”. Given that this Guide, in my opinion, is inadequate and of a lower standard than those in some other Australian Government jurisdictions, it would have been helpful that this guide be clearly limited to the Commonwealth public sector entities.
- Section 1 – The Audit Committee’s function and responsibilities
I have a number of concerns in relation to the framework as outlined in this section:
- Risk Management
- Lack of recommendation to use ISO 3100, as a minimum, for the risk management framework.
- Lack of considering the integration of risk management into the day to day operations of the entity rather than just limited to risk assessments.
- Limitation of the Audit Committee’s review of risks associated to project, program implementations and activities, being subject to the Chief Executive/Board’s agreement. Why would the ANAO want to provide such a limitation, when this is a major area of risk and failure in entities, such as the well documented (and ANAO reviewed) failure of major IT projects? Major projects and programs should be a major area of consideration of an Audit Committee with the review of the associated risks.
- The ANAO has a major risk focus on fraud and has not added or provided a balanced focus on major risks such as IT Systems, Delivery of Services, Procurement and Probity, Privacy, Information Security and CyberCrime etc. Whilst fraud is of concern, generally over the decades, it is my view that fraud is a relatively minor risk to the entities, compared to Information Security, Project and Program Implementation, and the community’s increasing concern with the use, control and management of their private information by government agencies.
- The way this section is written could infer a lower level of importance on risk than other areas such as Internal Controls. In the subsection on Internal Controls, for example, it states that the Audit Committee “will generally be responsible for reviewing”. However, in the subsection on risk management it states the “Chief Executive/Board will generally seek assurance from the Audit Committee”. Given that risks in the public sector are sometimes not well managed, it is unfortunate that the ANAO indicates a lower level of oversight by the Audit Committee in the area of risk management.
- Internal Controls
- There is some confusion in this area between internal controls and compliance, particularly given there is a separate section on compliance.
- Financial Statements
- The statement of responsibilities is unfortunately limiting and lacks effective advice. Given that the ANAO has referenced the Centro case, it would have been appropriate to provide guidance on what may assist the Audit Committee members to help them understand the financial accounts, such as:
- Provision of regular management accounts throughout the year, so the Audit Committee members can monitor the entity’s financial performance throughout the year, to understand the financial movement and have insights into the entity’s financial position leading into the final financial statements.
- Provision of information on a regular basis on financial instruments, provided or received, and assurance over the management of those financial instruments.
- Review of budgeting and forecasting as a mechanism to assess the integrity of the financial reporting skills within the entity and to assist in identifying issues for consideration when reviewing the financial accounts.
- It is good that the ANAO has identified that compliance with legislation and policy is a highly complex area.
- Further, it is appropriate that consideration of appropriate international conventions be considered. However, the specific conventions mentioned should have been provided in the discussion section as examples, rather than specified in the requirements, which may lead to an undue focus on two particular international conventions, which may not be the highest risk conventions relevant to a particular entity.
- Again there is confusion in the document, with a comment on the “entities reporting responsibility in relation to fraud and security” which is out of context to this section and indicates poor thought process and drafting in the document.
- Cross-agency governance
- This is a useful addition, however there is limited useful guidance in this area and this may indicate that the ANAO has not fully considered the issue and its implications.
- External service provision
- This is, in my opinion, totally out of context, and is in fact a specific risk, and should have been addressed as an example in the risk management section rather than being its own subsection.
- Internal audit
- This is a particularly disappointing section and is out of step with what is generally now well understood best practice;
- There is no reference to the application of the Institute of Internal Audit “International Professional Practice Framework” Standards or the Standards of the Information Systems Audit and Control Association for IT audit activities. This is a major oversight and one has to wonder really what the ANAO was thinking given these are highly regarded international standards.
- Whilst there is reference to reviewing the internal audit charter to ensure “appropriate authority, access and reporting arrangements are in place”, there is no reference to the independence of the internal audit function, which again is a major oversight.
- There is a reference to the “appointment of the Head of Internal Audit…or the appointment of the internal auditor where outsourced or co-sourced”. However, there is no reference to the removal of this person/firm. Again, from an Audit Committee perspective, the removal of the Head of Internal Audit (or outsourced equivalent) would be a major discussion and review at an Audit Committee, particularly in relation to the independence and/or performance of the function. The failure of the ANAO in this regard is taking the internal audit function backwards and into a battle that was resolved many years ago. Again, this is, in my opinion, an unacceptable oversight by the ANAO.
- Other relevant responsibilities
- This section contains “could” and “may” rather than “should” throughout. The areas discussed (entity governance arrangements, performance reporting framework, parliamentary committee reports and recommendations, portfolio responsibilities) are all areas over which the Audit Committee should have a level of review and assurance oversight.
- Section 2 – The Audit Committee’s function and responsibilities
- Audit Committees
- The document states that the existence of an Audit Committee is subject to the decision of the Chief Executive/Board. It is my opinion that the ANAO should have been stronger and stated that entities should have Audit Committees. Further, they should have required that, where an entity does not have an Audit Committee, it provide an explanation and justification in its Annual Financial Statement.
- Given that the ASX Corporate Governance Principles require ASX 300 companies to have an Audit Committee, and that other Australian Government jurisdictions require Audit Committees, it is surprising that the ANAO has not been stronger in this area.
- Section 3 – Membership of the Audit Committee
- This section, in my opinion, is the area of greatest weakness and disappointment. In my view it indicates that the ANAO has not kept up to date with current thinking on corporate governance. Further, it is my view, that this will not encourage (push) the Commonwealth Public Sector to move towards what is current practice, let alone best or extended practice.
- Specifically, the ANAO document does not recommend that:
- there be a majority of independent members on the Audit Committee;
- the Chair of the Audit Committee be an independent member; nor
- does not in fact require independent members, but accepts the lower concept of an external member. In fact, the recommendation that “there may also be benefits in appointment a member from another Australian Government entity as an external member” flies in the face of what most people would now understand or expect as an independent/external member.
- The ANAO suggests there may be circumstances where the Chair of the Audit Committee may be extended beyond 5 years, without outlining what exceptional or unusual circumstances may apply. Rotation of Independent Members and the Chair is a key element of ensuring effective independent review.
- The personal qualities do not include an expectation of a high standard of personal ethics nor that they should be independent of mind in dealing with matters before them.
- In the section on Knowledge and Expertise of Audit Committee members there is a statement “that its members have sufficient entity knowledge…a higher proportion of members who know the organisation can initially be helpful”. In my mind this is a dangerous recommendation by the ANAO, as this may lead to the entity limiting its pool of persons appointed to the Audit Committee and thereby provide a limitation on the view of risks and issues facing the entity. Often having a person with limited knowledge, but strong governance expertise, acting as the “naive enquirer”, can be of far greater benefit to the entity, allowing them to challenge underlying views which may no longer be valid and bring to bear expertise and solutions from other industries or experience, that may provide superior recommendations.
- In the subsection on induction of new Audit Committee members, it is a very paper-based process, which is, in my opinion, a very old-fashioned approach and does not achieve what modern organisations would undertake, such as:
- Meeting with the Chief Executive for a face to face briefing;
- Meeting with Senior Executives (such as the COO/CFO/CIO/CAE) to provide an overview of the entity, their organisation and issues/risk;
- Walk around of major facilities to understand the entity’s operations.
- Section 5 – Conduct of the Audit Committee
- Unfortunately the ANAO has put the recruitment and arrangement of the Audit Committee members in this section, rather than recognising the importance of this process in its own right.
- The Contractual arrangement and remuneration fails to provide effective advice in the following areas:
- Conditions of appointment should include a process of mediation, in the event of a dispute between the Independent (External) Members and the Chief Executive, to ensure that they can be independent of mind in their deliberations and advice;
- In my own experience in reviewing proposed contracts for Independent Members of Audit Committees for Commonwealth Entities, they are inappropriate and are usually Consultant Agreements. Entities prefer compliance to their inappropriate contracts, so recommending changes in a tender response may lead to a “lower evaluation score”, eliminating a person who actually understands the issues.
- ANAO has not recommended that the Commonwealth should set a scale of fees to ensure they are realistic fees. Often entities may use a tender process, which may lead to lowest cost Independent Member rather than a person with the right skills and experience.
- In this section the ANAO has failed to address the real issue of D&O insurance that should be provided. In the commercial world, the D&O coverage is organised (in consultation with the Board Members) and paid for by the company. Such insurances should be arranged for, and paid by the entity and not the Independent (external) members.