Effectiveness of audit committees in state government entities

In this report I draw a connection between effective audit committees and the success of an entity’s governance framework.

There are 92 audit committees for departments and statutory bodies in Queensland’s public sector. Effective audit committees can require a significant investment in time and resources from entities and committee members. Of the 74 audit committee chairs who responded to our survey, over 80 per cent said they spend up to five hours reading papers for meetings, that for most are held four times a year for at least two hours.

Good governance is critical to ensure an entity effectively manages its business operations, programs, projects, and risks. Unfortunately, some entities still do not embrace good governance and do not move beyond compliance, thereby not realising the value good governance can bring to an entity.

Recent project failures in both the public and private sectors have often been symptomatic of ineffective governance frameworks and practices, resulting in poor program and project management and delivery due to insufficient oversight of business risks and decisions. A number of my reports to parliament over the last three years have observed failures in programs and projects that have stemmed from poor governance within and across entities. This indicates that governance is an area requiring greater attention and improvement across the Queensland public sector.

My past reports covering topics such as the effectiveness of the State Penalties Enforcement Registry ICT reform, monitoring and managing ICT projects, the National Disability and Insurance Scheme, and digitising public hospitals each demonstrated how poor governance practices can lead to significant issues, unidentified risks, and overspend and/or misspend on government programs and projects. Common weaknesses in governance included, for example:

• inadequate oversight from governance committees
• failure to keep those charged with governance fully informed
• unclear roles and responsibilities for program and project delivery and accountability within and across entities.

Instances of poor governance can expose all public sector entities to risks including financial loss, reputational damage, and missed business opportunities.

For the reasons above, I propose to build on this report in the future by assessing the effectiveness of audit committees in the local government sector. I will continue to focus on key elements of governance frameworks, such as program and project governance, and undertake a review of board appointment and renewal processes.

Brendan Worrall
Auditor-General

This report covers the audit committees of departments and statutory bodies, but the insights can also be applied to government owned corporations.

In the departmental context, the audit committee is an advisory committee to the director‑general, who is the accountable officer. For statutory bodies, the audit committee is typically a sub‑committee of the board and, as such, reports to the statutory body board.

When we say chief executive officer (CEO) in this report, we are referring to both directors‑general of departments and chief executives of statutory bodies.

We have identified the following actions for the sector to consider.

The chief executive officer and statutory body board’s support and influence are the most important enablers of an effective audit committee. Without them, an audit committee loses relevance and becomes less effective, regardless of its skills and expertise.

Does your chief executive officer or statutory body board effectively engage with the audit committee?

A chief executive officer is integral in setting the culture of an entity and influencing how its employees will engage with its audit committee. Audit committee chairs directly link the effectiveness of their committee to regular and open communication, and support from their entity’s leader.

If a chief executive officer does not engage with and support the committee, it is more difficult for the committee to influence the entity’s executive leadership team and decision-makers.

Audit committee chairs believe the best way a chief executive officer can show their support for an audit committee’s work is to periodically attend meetings and provide an update on the business from their unique perspective. Their attendance and presentation help audit committees focus on the entity’s most significant risks, developments, and major projects.

Audit committee chairs should regularly consult with, and report to, their chief executive officer to ensure the committee’s agenda, style and discussion are providing the level of assurance they need and expect.

Audit committees traditionally focused on overseeing entities’ internal control environments, financial reporting processes, risk management and their internal and external audit functions. However, as the business environment evolves, audit committees need to cover a diverse range of complex topics that require specialist knowledge. For example, the Queensland public sector is facing a range of emerging risks and issues including cyber security, complex large-scale infrastructure, and the implications of COVID-19.

Effective audit committees understand how best to use their time, experience, and available resources, including specialist support. This helps them to define their role and maximise their value to the entity.

Is your audit committee’s charter fit-for-purpose?

An audit committee’s charter or terms of reference is a critical governance document that it should tailor to changes in the entity’s business environment.

Most of Queensland’s public sector entities are not tailoring their charter as much as they could. In more than 40 per cent of entities, the audit committee’s charter uses identical language to Queensland Treasury’s example in Appendix A of the audit committee guidelines. For example, requirements that the committee:

• satisfy itself that insurance arrangements are appropriate for the risk management framework
• ensure the entity adopts correct accounting policies
• approve the entity’s internal audit plan.

Rather than initially replicating the wording of Queensland Treasury’s guidelines, better practice would be for audit committees to tailor their charters to match the entity’s business environment so they can remain relevant and effective.  

An audit committee’s charter should not include responsibility for approving entity policies, procedures or endorsing decisions made by the entity. Audit committees should instead provide oversight and seek assurance on a risk informed basis that appropriate controls, systems and processes are in place to support:

• an effective control environment
• informed risk management
• good quality financial reporting
• frameworks that promote compliance with legislative requirements.

The charter should define the role and responsibilities of the audit committee to inform:

• annual work plans
• agendas for meetings
• the committee’s reporting to those charged with governance
• assessment of the committee’s performance.

In not-for-profit public sector entities, the accountable body is responsible for the entity’s performance and reporting. The audit committee’s role is to provide assurance and advice to support the chief executive officer and statutory body board, to meet their statutory obligations with accuracy and integrity.

Have you focused your committee’s role?

Audit committee chairs noted that their committees could provide more detailed oversight on the entity’s core corporate governance systems. Specifically, several mentioned their oversight of the entity’s compliance frameworks as an area for improvement. The Queensland Audit Office’s (QAO) directors and managers who attended the audit committees of 21 entities, reported that audit committees spent less than 15 minutes discussing legal compliance in a meeting. Audit committees should consider the nature of regulatory and other legislative requirements for their entities, to determine an appropriate amount of time to dedicate during meeting discussions.   

Significant deficiencies in an entity’s corporate governance systems can have a pervasive impact on the entity’s integrity and accountability, which can affect the entity’s ability to achieve its objectives or improve other aspects of its business.

The maturity of financial reporting, risk management, governance and compliance systems will vary from one entity to another. This means the approach of an audit committee for one public sector entity may not work for all public sector entities.

Audit committees can focus on several areas. With limited time and resources, committees must focus energy on the right areas. To determine where it will spend its effort, an audit committee should have a clear view of the maturity and performance of the entity’s core corporate governance systems. This includes the entity’s:

• financial accounting processes, reporting and financial sustainability
• compliance frameworks
• governance structure, including financial delegations, adequate oversight, and reporting on significant projects or outsourced functions
• internal audit and other assurance providers, including external audit
• operational performance monitoring
• risk management, including fraud risk (if it is part of the audit committee’s scope).

Have you defined your role in overseeing the financial reporting process?

Audit committees play a significant role in overseeing financial reporting processes to provide assurance to the accountable body over the accuracy and integrity of an entity’s financial information and financial statements.

Effective audit committees are involved throughout the financial reporting process. If committees are only involved in reviewing the financial statements at the end of the process, they significantly reduce their ability to provide effective oversight and ensure a quality outcome.

Audit committees should start with reviewing the financial reporting project plan prepared by management and agreed with the auditors. This project plan should identify major processes, milestones and deliverables that the committee can factor into its own agenda-setting and work plan.

The audit committee should integrate the financial reporting plan into its own annual plan. In Appendix C we have included an example of an audit committee’s annual plan, which includes the audit committee overseeing the entity’s delivery of its financial statement project plan. This includes the audit committee’s review and approval of:

• pro forma financial statements
• key accounting position papers
• changes to key financial reporting systems and processes
• other significant project deliverables, such as valuations of property, plant and equipment.

The committee should also assess whether management has the required level of staff with necessary skills and qualifications.

Are you providing the right oversight for risk management?

All 20 audit committees we reviewed with oversight of risk management discussed risk as a standing agenda item during committee meetings. However, to provide effective oversight, an audit committee needs to do more than acquit the information the entity provides in a risk register. We found significant variation between committees in how they discuss risk management.

An effective audit committee will discuss the sufficiency and effectiveness of the entity’s risk mitigations and conduct detailed reviews of significant and emerging risks. The Australian Securities Exchange's Corporate Governance Principles and Recommendations (4th Edition) February 2019 includes the following in its description of a risk committee’s role, whether it is a stand-alone committee or as part of a combined audit and risk committee:

• Monitor management’s performance against the entity’s risk management framework, including whether it is operating within the risk appetite set by the accountable body.
• Review any material incidents involving fraud or a break-down of the entity’s risk controls and the ‘lessons learned’.
• Assess reports from management on new and emerging sources of risk and the risk controls and mitigation measures that management has put in place to deal with those risks.
• Make recommendations to the chief executive officer and board in relation to the entity’s risk management framework.

The audit committee also needs to ensure risk management systems escalate all residual risks that sit outside the entity’s risk appetite to their chief executive officer and statutory body board.

Have you identified other areas for oversight?

An audit committee can spend a greater proportion of its time providing tailored or specialised oversight once it has comfort about the entity’s corporate governance systems.  

Audit committee members and an entity’s leadership should consider how the committee can add the most value to the entity, by considering:

• the entity’s strategic objectives and core business
• significant projects and events
• the entity’s maturity, strengths and weaknesses
• the entity’s assurance map (shows sources of assurance for the entity’s governance, control environment, and risk mitigations)
• unidentified and unmitigated risks.

Audit committee members can better equip themselves for effective oversight and assurance in more specialised areas by getting additional training. Alternatively, audit committees can invite guests with specialist knowledge to attend meetings.

Are you maximising the value of your internal audit function?

Effective audit committees need to foster strong working relationships with the entity’s internal auditors. Internal audit gives the audit committee crucial insight into the entity by providing an objective and risk-based view on the entity’s internal control environment.

To maximise the value of an internal audit function, audit committees should have input into internal audit’s annual and strategic plans and support internal audit to effect positive change in an entity.

The audit committee’s roles and responsibilities regarding internal audit should include:

• reviewing the internal audit plan to ensure it aligns with the entity’s risks and provides adequate coverage
• assessing the independence of the internal audit function to ensure it is appropriate
• making recommendations to the chief executive officer (CEO) and board about the independence, adequacy of skills and resourcing for internal audit
• reviewing internal audit reports and recommendations and advising the board or CEO on significant findings
• assessing the sufficiency of management’s planned actions to address findings and recommendations
• monitoring management’s implementation of agreed actions.

The audit committee should also provide annual feedback to their CEO or board on the performance of the entity’s internal audit function. Assessments could include:

• suitability of the internal audit model for the entity. For example, whether the internal audit function could operate more efficiently and effectively if it were in-house, outsourced or a hybrid model (which may include outsourcing audits that require specialist knowledge)
• the quality and timeliness of internal audit’s work
• the appropriateness of their annual scope of work
• management’s engagement and responsiveness to internal audit.

One in four audit committee chairs believe specific barriers prevent their members from making effective contributions to committee discussions. Figure 3A summarises the main barriers.

Entities can overcome these barriers by careful consideration of their committee’s membership and training needs. This includes managing any potential conflicts; recruiting members to suit the needs of the audit committee and the entity; and careful succession and rotation planning.

Entities should also invest in training for members with gaps in their skills or experience that may limit their contributions.

What is the right mix of independent and internal members?

Why should the committee have independent members?

The right independent members can help an entity identify gaps and weaknesses in its corporate governance systems and the collective skills of its internal management. Independent members also provide valuable and diverse experience of governance models from working with other government entities, the private sector, and industry, or sitting on boards. For Queensland state government entities, audit committee members should not only be independent of the entity, but should not be employees of other Queensland state government entities.

The chair of an audit committee should be independent of management and have the expertise to:

• provide advice and assurance to the chief executive officer and statutory body board from an objective and independent perspective
• address issues without preconceived ideas or bias and assist in encouraging objective debate on issues
• provide an insight into best practice procedures adopted in other entities.

Several independent audit committee chairs also believe that at least one other member on the committee should be an independent external member.

Should the committee include internal members?

Audit committees are more effective where the members are independent of management because they are objective and have more diverse experience. This creates a better foundation for robust and incisive discussions and questions.

Departments often appoint deputy directors-general to the audit committees. This can blur the lines of accountability and transparency as the individual scrutinises their own activities, or that of their colleagues or chief executive officer. Further, in a government department, an audit committee may be the only committee in the entity that has independent experts as members.

Entities should assess whether a potential internal member could make the same contribution to the audit committee as a guest before adding them to their committee. If an entity’s chief executive officer or statutory body board feels strongly about including an internal member on their audit committee, they should manage the inherent risks this brings. This should include strictly enforcing requirements for members to declare interests at every meeting to mitigate the risk of actual or perceived conflicts or independence issues. Entities can also provide internal members with additional training about their roles and responsibilities or implement shorter tenures for internal members.

Audit committee chairs and chief executive officers have mixed views on whether internal management are effective audit committee members. Some believe that an internal member’s normal employment conflicts with their role as a committee member.

However, some believe that internal members contributed in ways that independent external members could not, by providing:

• on-the-ground insights
• traction with the executive management team to effect change in the entity.

Chief executive officers also noted that bringing internal members onto their audit committee provided second- and third-line benefits for the entity and the public sector by:

• increasing that employee’s skillset and future contribution to their entity
• expanding the pipeline of experienced audit committee members to broaden the pool in the Queensland state government.

For an effective audit committee, entities should focus on recruiting the right independent members and developing a culture of engagement and support amongst its employees. This would help committees provide objective oversight and better understand the business, without needing to recruit internal members to the committee.

Are you recruiting the right members in the right way?

Queensland’s public sector entities need more robust and transparent recruitment of audit committee members to improve their accountability and outcomes.

Entities select committee members from a small pool of members that sit on multiple committees. This can reduce the quality and variety of members and perspectives on a committee.

Do you know what the committee needs?

An audit committee needs collective knowledge and understanding of the entity’s business and its industry, as well as expertise in areas including governance, risk management, financial reporting and public sector regulatory frameworks. It is equally important to ensure diversity when selecting members, including cognitive diversity to encourage different skillsets and ways of thinking. Audit committees should not only align the skills and experience of their members with the entity’s key risks and weaknesses but consider if it has sufficient diversity to ensure appropriate balance and scrutiny from members.

Figure 3B provides a summary of the process an entity may undertake to assess the needs of the entity and determine the current profile and skills lacking in its committee membership.

Do you know how to attract the right members?

Very few audit committees use formal recruitment processes to find the best person for their committee. Instead, entity’s executive management teams identify and appoint new members based on existing relationships or word-of-mouth. 

Audit committee chairs believe there are three common reasons why entities struggle to attract the right members:

• The remuneration is often not commensurate with the work and skills required.
• A lack of awareness exists about the positions amongst suitable candidates.
• Regional areas have thin markets for professional labour.

The Department of the Premier and Cabinet maintains a confidential register of people interested in serving on government boards, committees, and statutory authorities, called the Queensland Register of Nominees. The register is an online portal for public sector entities to search applicants when a position becomes available.

In our interviews, no audit committee chairs reported using the Queensland Register of Nominees to find new members for their audit committee. This is partly because, in Queensland, any resident can register regardless of their skills and experience.

Audit committee chairs also said they had more confidence adding a new member if an existing member of the committee, board or executive management referred them based on their previous experience with the person.

Very few audit committee chairs reported undertaking a formal recruitment process to find a new member. They found the process expensive and ineffective at attracting the right type of applicants.

Are you paying your members appropriately?

Audit committee chairs, internal auditors and chief executive officers agreed that remuneration for audit committee members is not commensurate with the demands or expertise required of their role. Like any market for skilled labour, the remuneration an entity offers is a contributing factor in the quality of candidates it can attract.

Entities should consider the complexity and risk of their business when selecting a new committee member. If the entity’s core business is highly specialised or public-sector specific, they will require audit committee members who have the necessary skills and experience to understand and contribute to those areas. This may mean an entity in this kind of environment needs to pay more to recruit committee members than an entity with a relatively straightforward business. While the level of complexity and risk relating to an entity may drive the level of remuneration, the quality of the individual’s performance and contribution to the committee should also be a consideration.

Under Queensland Treasury’s audit committee guidelines, the chief executive officer or statutory body board has discretion to set the amount of remuneration for independent non‑public sector audit committee members. In some cases, independent members negotiate their remuneration directly with the entity’s chief executive officer or statutory body board. However, in our interviews with audit committee chairs, they told us that most entities set audit committee remuneration based on the rates in the Queensland Government’s Remuneration Procedures for Part-Time Chairs and Members of Queensland Government Bodies.

Those procedures set out remuneration for chairs and members of sub-committees, which ranges from $500 per annum for a member in a level three entity, to $6,000 per annum for a chair in a level one entity. Entities determine their level based on a range of quantitative and qualitative indicators.

How can regional audit committees attract appropriate members?

In regional areas, or for small statutory bodies, audit committee chairs highlight a struggle to find and attract appropriately skilled members. Many of these entities cannot tap into the network of members that sit on multiple committees in South East Queensland.

Smaller or more remote committees without networks of potential candidates are more likely to benefit from a system like the Queensland Register of Nominees. However, most audit committee chairs we interviewed in small or regional statutory bodies were not aware of the register.

With technological advancements, audit committee members can attend through video or teleconferencing and do not have to be physically present at meetings. This means entities can broaden their search for members in other parts of Queensland or interstate without excluding candidates because they do not live in the same region. This widens the pool of potential audit committee members with diverse skills and knowledge who could be valuable to the audit committee.  

Do you have appropriate tenure and succession plans?

Queensland Treasury’s guidelines recommend that public sector entities give members an initial term of appointment of not more than three years and a maximum total period of service of six years.

As Figure 3C shows, many of Queensland’s public sector audit committee chairs have exceeded Queensland Treasury’s recommended maximum term of six years. In two cases, a committee chair’s tenure exceeds 15 years, well beyond the maximum term recommended by Queensland Treasury. However, the average term for current chairs is 3.5 years, falling within the recommended range.  

Other better practice guides such as Audit Committees: A guide to good practice, published by the Australian Auditing Standards Board and the Australian Institute of Company Directors, recommend that entities establish a policy for appointing audit committee members to ensure the regular rotation of the committee’s membership. However, the guide recommends that individual entities retain the flexibility to determine their own maximum tenures to fit their circumstances. While it is important for an entity to consider what is fit-for-purpose, once a chair or member approaches Queensland Treasury’s recommended six years on an audit committee, the entity should start considering if it would benefit from a replacement. Early consideration allows for a well-planned, staggered rotation, and a smooth transition to new members.  

Mixing insights and views from members with a longer tenure and deeper understanding of the entity with those of new members, who possess fresh insights and ideas, can improve the quality of advice from the committee. However, familiarity can lead to complacency amongst members, and audit committees and entities should rotate their chairs and members in accordance with recommended terms.

As part of their annual work plans, audit committees should document their plans for the rotation of long serving members and the skills and experience they will require when replacing these members.

Are you equipping your members to succeed?

Independent members bring a greater breadth of experience in corporate governance, risk and financial reporting, while internal members understand what is happening in the business. The audit committees that are providing induction training most commonly include an overview of the:

• nature of the business
• key strategic and operational risks facing the entity
• key financial reporting risks.

They also usually introduce all new members to the chief executive officer, the statutory body board and/or executive management.

Committees should identify and address the gaps in their members' knowledge or skills to ensure all members understand and can effectively contribute to the committee’s role and purpose.

Effective audit committee meetings are more than an acquittal of the information the business presents. Committees should strive for insights, questions, or challenges that the entity is not already aware of. However, facilitating that kind of discussion does not just happen without establishing some key behaviours and inputs.

We have identified a hierarchy of needs for an audit committee to achieve more effective meetings.

Queensland Treasury’s audit committee guidelines recommend that audit committees annually self-assess the effectiveness and efficiency of their performance against their charter. They also recommend that audit committees engage an external peer reviewer to assess their performance in conjunction with their chair’s term (usually every three years).

A meaningful performance assessment

Most audit committees that conduct annual self-assessments base the scope of their self‑assessment on the Queensland Treasury’s example questionnaire in Appendix M of its audit committee guidelines.

Queensland Treasury’s example checklist is a useful resource to assess some fundamental aspects of audit committee practices. However, audit committees should not rely on it exclusively. As audit committees tailor their annual work plan around the core activities and risks of their entity, they should also tailor their own performance assessment. By tailoring its performance assessment, the audit committee will more effectively measure and report on its impact in helping the entity to lift its maturity and performance.

Audit committee chairs see great value in conducting external reviews of committee performance, which many referred to as common practice in the private sector. Reasons audit committee chairs believe government entities do not engage external reviewers were:

• The entity was reluctant to fund an external review.
• Machinery-of-government changes disrupted their audit committee before the chair’s term expired.

Entities should consider what type of review makes sense for their audit committee. This includes weighing up the cost and benefits of engaging an independent reviewer for their audit committee.

Audit committees are a significant part of the effective governance in Queensland’s public sector entities. As the responsible central agency, Queensland Treasury has a stake in ensuring the committees are functioning effectively to provide appropriate assurance.