Skip to main content
About the OAIC
  • On this page

Last updated: 12 September 2024

The OAIC’s Audit and Risk Committee provides independent advice to the Information Commissioner on the appropriateness of the OAIC’s financial reporting, performance measurement, system of risk oversight and management, and systems of internal control.

Below is the Audit and Risk Committee’s Charter.

Legislative functions of audit committees

The Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that the accountable authority of the Office of the Australian Information Commissioner (OAIC) ensures that it has an audit committee (subsection 45(1)) and that committee is constituted and performs functions in accordance with any requirements prescribed by the associated rules (subsection 45(2)).

Under the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), the accountable authority of the OAIC must determine the functions of the audit committee by written charter (the charter) (subsection 17(1)).

Consistent with subsection 17(2) of the PGPA Rule, the role of the OAIC Audit and Risk Committee (the committee) is to provide independent advice to the Australian Information Commissioner on the appropriateness of the OAIC’s:

  • financial reporting,
  • performance reporting,
  • system of risk oversight and management, and
  • the system of internal control, for the entity.

Engaging with stakeholders

The Australian Information Commissioner authorises the committee, within its responsibilities, to:

  • obtain any information it requires from any official or external party (subject to any legal obligation to protect information)
  • discuss any matters with the Australian National Audit Office (ANAO), or other external parties (subject to confidentiality considerations)
  • request the attendance of any official, including the Australian Information Commissioner, at committee meetings, and
  • obtain legal or other professional advice at the OAIC's expense, as considered necessary to meet its responsibilities.

Audit and Risk Committee functions

Financial reporting

The committee will review the appropriateness of the OAIC’s financial reporting in accordance with the requirements of subsection 17(2)(a) of the PGPA Rule.

Responsibilities:

  • Review and provide advice on the appropriateness of:
  1. the OAIC’s financial statements
  2. information (other than the annual financial statements) requested by the Department of Finance in preparing the Australian Government’s consolidated financial statements, including the supplementary reporting package
  3. processes and systems for preparing financial reporting information
  4. financial record keeping
  5. compliance with the relevant accounting standards and the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 requirements
  6. accounting policies and disclosures, including any significant changes to accounting policies
  7. areas of significant judgement and financial statement balances that require estimation
  8. significant or unusual transactions
  9. internal controls and compliance
  10. the adequacy of the accounting policies and the quality of the processes for the preparation of the annual financial statements, through discussions with the ANAO
  11. whether appropriate management action has been taken in response to any issues raised by the ANAO, including financial statement adjustments or revised disclosures.
  • Act as a forum for communication between OAIC management and the ANAO.
  • Review processes to ensure that financial information included in the OAIC annual report is consistent with the signed financial statements.

The committee will provide a statement to the Australian Information Commissioner regarding:

  • whether, in its view, the annual financial statements and additional entity information comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance, and
  • in respect of the appropriateness of the OAIC’s financial reporting as a whole, with reference to any specific areas of concern or suggestions for improvement.

Performance reporting

The committee will review and provide advice on the appropriateness of the OAIC’s performance reporting in accordance with the requirements of subsection 17(2)(b) of the PGPA Rule. This includes reviewing the mandatory requirements of the PGPA Act, the PGPA Rule and information provided in the OAIC’s Corporate Plan, Portfolio Budget Statement and Annual Performance Statement.

  • The committee will satisfy itself that:
  1. the OAIC’s Portfolio Budget Statement and Corporate Plan include details of how the OAIC's performance will be measured and assessed
  2. the OAIC’s approach to measuring its performance throughout the financial year against the performance measures included in the Portfolio Budget Statement and Corporate Plan is appropriate and in accordance with the Commonwealth performance framework, and has considered guidance issued by the Department of Finance
  3. the OAIC has appropriate systems and processes in place for preparation of its Annual Performance Statement and the inclusion of the Statement in its annual report
  4. the proposed annual performance statement is not inconsistent with the OAIC’s financial information, including its financial statements, which it proposed to include in its annual report.
  • Review the Annual Performance Statement and provide advice on appropriateness to the OAIC.

The committee will provide a statement to the Australian Information Commissioner regarding whether, in its view, the OAIC’s annual performance statements and performance reporting as a whole is appropriate, with reference to any specific suggestions for improvement or areas of concern.

Risk oversight and management

The committee will review the appropriateness of the OAIC’s system of risk oversight and management in accordance with the requirements of subsection 17(2)(c) of the PGPA Rule. This includes reviewing the mandatory requirements of the PGPA Act, the PGPA Rule and the Commonwealth Risk Management Policy.

  • Review and provide advice on the appropriateness of:
  1. the OAIC’s risk management framework and associated internal controls for the effective identification and management of the OAIC’s risks in keeping with the Commonwealth Risk Management Policy
  2. the OAIC’s approach to managing key risks, including those associated with legislative change, program implementation and other activities
  3. the process for developing and implementing the OAIC’s fraud control arrangements consistent with the fraud control framework, and satisfy itself that the OAIC has adequate processes for detecting, capturing and effectively responding to fraud and corruption risks
  4. articulation of key roles and responsibilities relating to risk management and adherence to them by officials of the OAIC.

The committee will provide a statement to the Australian Information Commissioner regarding whether, in its view, the OAIC’s system of risk oversight and management is appropriate (with reference to the Commonwealth Risk Management Policy) and any specific areas of concern or suggestions for improvement.

System of internal control

The committee will review the appropriateness of the OAIC’s system of internal control in accordance with the requirements of subsection 17(2)(d) of the PGPA Rule. This includes understanding the OAIC’s operating context, governance requirements, and reviewing the mandatory requirements of the PGPA Act and PGPA Rule.

  • Review and provide advice on the appropriateness of the internal control framework:
  1. review management’s approach to maintaining an effective internal control framework and whether processes are in place for assessing whether key policies and procedures are complied with
  2. review whether management has in place relevant policies and procedures, such as Accountable Authority Instructions, delegations, a business continuity management plan and that these are periodically reviewed and updated.
  • Review and provide advice on the appropriateness of legislative and policy compliance:
  1. review the effectiveness of systems for monitoring the OAIC’s compliance with laws, regulations and associated government policies with which the OAIC must comply
  2. whether the OAIC has adequately considered legal and compliance risks as part of the enterprise risk management framework, fraud control framework and planning.
  • Review and provide advice on the appropriateness of security compliance:
  1. review the OAIC’s approach to an effective internal security system including complying with the Protective Security Policy Framework.
  • Review and provide advice on the appropriateness of the internal audit coverage:
  1. review the OAIC’s proposed internal audit coverage, ensuring the coverage considers the OAIC’s primary risks, and recommending the Australian Information Commissioner’s approval of the internal audit work plan
  2. review   all internal audit reports (and where relevant external audit reports), providing   advice to the Australian Information Commissioner on major concerns   identified in those reports, and recommending action on significant matters   raised, including identification and dissemination of information on good   practice
  3. monitor   the OAIC’s implementation of internal audit recommendations

The committee will provide a statement to the Australian Information Commissioner regarding whether, in its view, the OAIC’s system of internal control is appropriate, referring to any specific areas of concern or suggestions for improvement.

Reporting

The committee will regularly update the Australian Information Commissioner on its activities and make recommendations, as appropriate. The Chair of the committee will report to the Australian Information Commissioner following a meeting of the committee on any matters that the committee considers should be brought to the attention of the Australian Information Commissioner.

The committee will at least once annually confirm to the Australian Information Commissioner that all functions/responsibilities outlined in this Charter have been carried out and comply with any other reporting requirements specified by the Australian Information Commissioner from time to time. This will include whether, in its view:

  • the annual financial statements and additional entity information comply with the PGPA Act, the PGPA Rules, the Accounting Standards and supporting guidance
  • the OAIC’s financial reporting is appropriate
  • the OAIC’s annual performance statements and performance reporting as a whole is appropriate
  • the OAIC’s system of risk oversight and management is appropriate (with reference to the Commonwealth Risk Management Policy)
  • the OAIC’s system of internal control is appropriate.

In providing this view to the Australian Information Commissioner, the committee should also note any areas of concern, non-remediation of significant recommendations, and/or suggestions for system or process improvement.

Membership

Composition

The committee is independent from the executive management of the OAIC. In accordance with subsections 17(3) and 17(4) of the PGPA Rule, membership of the Audit and Risk Committee comprises three members who are not officials of the OAIC; and a majority of the members must be persons who are not officials of any Commonwealth entity.

The Australian Information Commissioner will appoint the Chair of the committee. The Chair shall not be the Australian Information Commissioner.

The committee is authorised to appoint a Deputy Chair who will act as chair in the absence of the Chair.

The Australian Information Commissioner may attend committee meetings and when they elect to do so will require copies of committee papers.

The Australian Information Commissioner, FOI Commissioner, Deputy Commissioner, Chief Risk Officer, Chief Financial Officer, Chief Information Officer, General Counsel or other management representatives may attend meetings as advisors and observers, as determined by the Chair, but will not be members of the committee.

Representatives of the firms appointed as Internal Auditor and External Auditor, and representatives of the ANAO, may attend meetings as observers, as determined by the Chair, but will not be members of the committee.

Selection and Appointment

The Chair will be appointed for an initial term of three years.

Member appointments will ordinarily be for an initial term of three years, with appointments staggered to enable continuity of knowledge. Committee membership constitutes a personal and specific appointment and as such, proxies are not permitted.

Members may be re-appointed for further periods, having regard to the length of their original appointment, after a formal review of their performance by the Australian Information Commissioner. The Chair may be requested to provide advice to the Australian Information Commissioner on a member’s performance where an extension of the member’s appointment is being considered.

Membership of the committee will be reviewed periodically (at least every three years) by the Australian Information Commissioner with the aim of ensuring an appropriate balance between continuity of membership, the contribution of fresh perspectives and a suitable mix of appropriate qualifications, knowledge, skills and experience to assist the committee to perform its functions.

Skills and Knowledge

Consistent with subsection 17(3) of the PGPA Rule, the members of the committee will have appropriate qualifications, knowledge, skills or experience to assist the committee perform its functions.

The committee is a skill-based governance committee. Members should collectively possess sufficient knowledge of governance, assurance, audit, finance, information technology, legislation, risk management, compliance and control plus any attributes relevant to the OAIC and its regulatory environment.

All members should be conversant with financial management reporting and at least one member of the committee must have accounting or related financial management experience and/or qualifications, and a comprehensive understanding of accounting and auditing standards.

The committee will adopt and maintain a program of induction, training and awareness-raising for its members, with the objective of enabling the committee to keep abreast of contemporary developments and leading practices in relation to its functions.

Remuneration

Remuneration for members of the committee will be determined by the Australian Information Commissioner from time to time. The level of remuneration will be set with reference to market conditions and will reflect:

  • the committee’s composition;
  • market conditions;
  • individual member qualifications, knowledge, skills and experience;
  • the size and complexity of the OAIC and its impact on the effort from committee members to deliver their functions effectively; and
  • any additional functions to be undertaken, beyond those mandated by the PGPA Act, which will affect the committee members’ scope of work.

The remuneration of Audit and Risk Committee members will be formally reviewed every three (3) years.

In between the formal reviews, the remuneration of Audit and Risk Committee members will be adjusted by the same percentage as is reflected in any SES pay determinations impacting the SES Band 2 top of range rate during the term of the member’s appointment.

All remuneration set will be inclusive of any superannuation entitlements.

Payment will be made after each meeting following receipt of a tax invoice.

The remuneration of the Chair will be set at 150% of the member remuneration to reflect the additional responsibilities of that position.

The remuneration of the committee will be based on a rate of payment per meeting for all meetings in the annual schedule as agreed in advance by the accountable authority and the committee. The payment per meeting will include all preparation for the relevant meeting as well as the attendance at the meeting itself.

No additional remuneration will be paid to members of the committee unless approved in advance by the accountable authority or their delegate.

Conduct of the Audit and Risk Committee

Membership expectations

The committee will engage with management in a constructive and professional manner in discharging its advisory responsibilities and formulating its advice to the Australian Information Commissioner.

Members of the committee are expected to understand and observe the legal requirements of the PGPA Act and PGPA Rule. Members are also expected to:

  1. act in the best interests of the OAIC as whole,
  2. apply good analytical skills, objectivity and good judgement,
  3. express opinions constructively and openly, raise issues that relate to the committee’s responsibilities and pursue independent lines of enquiry, and
  4. contribute the time required to meet their responsibilities.

Committee values

The committee members will conduct themselves in accordance with the Australian Public Service (APS) Code of Conduct and uphold the APS Values, insofar as it is relevant and applicable to a non-APS employee.

Relationships and Communication

The committee is directly accountable to the Australian Information Commissioner for the performance of its functions. The committee will generally communicate with the Australian Information Commissioner through the secretariat, Director Governance and Risk, Assistant Commissioner Corporate and Chief Operating Officer.

Administrative arrangements

Meetings

The committee will meet at least four times per year. One or more special meetings may be held to review annual financial statements and performance statements, or to meet other responsibilities of the committee.

All committee members are expected to attend each meeting, in person or via tele-or-video conference.

The Chair is required to call a meeting if asked to do so by the Australian Information Commissioner and decide if a meeting is required if requested by another member, the Partner of the firm appointed as internal auditor or the ANAO.

Decisions without meetings

With the approval of the Chair, the committee can agree to items out-of-session by email communication. The committee can make decisions without a meeting in the following circumstances:

  1. all committee members have been informed of the proposed decision (or reasonable efforts have been made to inform all members), and
  2. a majority of committee members entitled to vote on the proposed decisions indicate agreement.

Additional papers may be circulated to committee members for review out-of-session. Committee members are to indicate agreement to a decision without a meeting by providing written advice to the Chair and secretariat of their agreement to the proposed decision. This can be done by electronic signature or by email advice.

Agenda, papers and minutes

The secretariat and Director Governance and Risk will prepare an agenda for each meeting in consultation with the Assistant Commissioner Corporate and the Chief Operating Officer. The Chair will approve the agenda for each meeting.

The secretariat will circulate the agenda and supporting papers, unless otherwise agreed by the Chair, no more than ten (10) and no fewer than five (5) working days prior to the date of the meeting. The agenda, papers and minutes will be conveyed to the committee using a format and platform that is determined by the OAIC, to ensure alignment with the agency’s privacy and security requirements.

Minutes must be reviewed by the Chair and circulated within two weeks of the meeting to each member and committee observers, as appropriate.

In-camera session

A private, independent member-only session at the beginning of a committee meeting is an opportunity for members to review matters from the previous meeting and ask the Chair for time on the agenda to raise specific issues or for discussion.

This session is primarily administrative, and the Chair and the members overall should be careful not to stray into topics that should otherwise be discussed in the open meeting, in the presence of other attendees.

Conducting an in-camera session before each meeting is optional.

Planning

In the last meeting of each calendar year, the committee will agree upon a forward meeting schedule for the subsequent year that includes the dates and location for the proposed meetings during that year.

The committee will develop an annual work plan aligned to each financial year, detailing activities to be undertaken to address the functions outlined in this Charter. The forward work plan will be used as the basis to drive and shape the agenda for upcoming meetings, noting that the committee may consider other or additional matters in response to changes in the OAIC’s operations and environment.

Additional or emerging items may be added to the forward work plan during the period of the plan if approved by the Chair.

Quorum

A quorum will consist of a majority of committee members, one of whom must be the Chair or the Deputy Chair. The quorum must be in attendance at all times during the meeting.

Secretariat

The OAIC Corporate Branch will provide secretariat services to the committee.

The secretariat will maintain records in accordance with the OAIC’s obligations under the Archives Act 1983 and section 37 of the PGPA Act.

Induction

New committee members will receive relevant information and briefings on their appointment to assist them to meet their committee responsibilities.

Conflicts of interest

On engagement and each year thereafter, members of the committee will provide written declarations, through the Chair, to the Australian Information Commissioner declaring any potential or actual conflicts of interest they may have in relation to their responsibilities. Members should consider past employment, consultancy arrangements and related party issues in making these declarations and the Australian Information Commissioner, in consultation with the Chair, should be satisfied that there are sufficient processes in place to manage any real or perceived conflict.

At the beginning of each committee meeting, members are required to declare any actual, perceived or potential conflict of interest that may apply to specific matters on the meeting agenda. Where required by the Chair, the member will be excused from the meeting or from the committee's consideration of the relevant agenda item(s). The Chair is also responsible for deciding, in consultation with the Australian Information Commissioner where appropriate, if they should excuse themselves from the meeting or from the committee's consideration of the relevant agenda item(s). Details of actual, perceived or potential conflicts of interest declared by the Chair and other members, and actions taken, will be appropriately recorded in the minutes.

A register of interests will be maintained for the Chair and members to demonstrate transparency and as a safeguard against conflicts of interest.

Travel Allowance

Where the OAIC has requested the in-person attendance of the members for a meeting, the OAIC is prepared to meet the reasonable travel costs of members for their attendance.

Travel will be booked in the same manner, and subject to the same requirements and restrictions, as when bookings are made for OAIC staff. Travel arrangements will be booked by the OAIC on behalf of members. The travel arrangements will be based on the SES travel rates.

Access and use of information

The committee will be provided with access to all relevant and necessary information to enable the committee to effectively advise the Australian Information Commissioner on its functions.

Committee members must not use or disclose information obtained by the committee except in meeting the committee’s responsibilities, or unless expressly agreed by the Australian Information Commissioner.

Evaluation

The Chair of the committee will initiate a self-assessment of the performance of the committee at least once every two years. The review will involve input from the Australian Information Commissioner, each committee member, and any other relevant stakeholders, as determined by the committee.

The outcomes of this assessment will be reported to the Australian Information Commissioner.

Review of charter

The committee will review the appropriateness of this Charter at least once every two years, to align it with current risks, challenges and opportunities the OAIC faces.  This review will include consultation with the Australian Information Commissioner.

Any substantive changes to the charter will be recommended by the committee and formally approved by the Australian Information Commissioner.