IPC Audit and Risk Committee Charter 2020-2021


The Chief Executive Officer of the Information and Privacy Commission NSW (CEO/Information Commissioner) has established the Audit and Risk Committee (Committee) in compliance with the NSW Treasury Policy Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15-03).

NSW Treasury has updated its policy, which is now provided for in NSW Treasury TPP20-08 Internal Audit & Risk Management Policy for the General Government Sector and the Treasury Risk Maturity Assessment Tool Guidance Paper TPP 20-06. This Charter is to be reviewed further for its compliance with the new policy; however, the Information and Privacy Commission satisfies the requirement of TPP20-08 to maintain an Audit and Risk Committee that is separate and independent from that of the Department of Customer Service.[1]

This charter sets out the Committee’s objectives, authority, composition and tenure, roles and responsibilities, reporting and administrative arrangements.

1. Objective

The objective of the Committee is to provide advice and independent assistance to the Chief Executive Officer by monitoring, reviewing and providing advice about the IPC’s governance, risk management and control frameworks, and its external accountability obligations.

2. Authority

The CEO/Information Commissioner authorises the Committee, within the scope of its role and responsibilities, to:

  • obtain any information it needs from any employee and/or external party (subject to their legal obligation to protect information)
  • discuss any matters with the external auditor, or other external parties (subject to confidentiality considerations)
  • request the attendance of any employee, including the CEO/Information Commissioner, at Committee meetings
  • obtain external legal or other professional advice, as considered necessary to meet its responsibilities, at IPC’s expense. The payment of costs for that advice by the agency is subject to the prior approval of the agency head.

3. Composition & Tenure

The Committee will consist of three (3) members appointed by the CEO/Information Commissioner.

The CEO/Information Commissioner will appoint the Chair and members of the Committee. The Chair is counted as one of the members of the Committee.

Members will be appointed for an initial period no less than three (3) years and not exceeding five (5) years, after which they will be eligible for extension or re-appointment for a further term/s subject to a formal review of their performance (noting that the total term on the Committee will not exceed eight (8) years).

The chair must be appointed for one (1) term only for a period of at least three (3) years, with a maximum period of five (5) years. The term of appointment for the chair can be extended but any extension must not cause the total term to exceed five (5) years as a chair of the Audit and Risk Committee.

The CEO/Information Commissioner and Chief Audit Executive will not be members of the Committee but may attend as observers as determined by the Chair.

The members should collectively develop, possess and maintain a broad range of skills and experience relevant to the operations, governance and financial management of IPC, the environment in which IPC operates and the contribution that the Committee makes to IPC. At least one member of the Committee must have accounting or related financial management experience with an understanding of accounting and auditing standards in a public sector environment.

4. Roles and Responsibilities

The Committee has no executive powers.

The Committee is directly responsible and accountable to the CEO/Information Commissioner, for the exercise of its responsibilities.

In carrying out its responsibilities, the Committee must at all times recognise that primary responsibility for management of IPC rests with the CEO/Information Commissioner. The responsibilities of the Committee may be revised or expanded in consultation with, or as requested by, the CEO/Information Commissioner from time to time.

The Committee’s responsibilities are to:

4.1 Risk Management
  • Review whether management has in place a current and appropriate risk management framework that is consistent with AS/NZS ISO 31000:2009
  • Review risk management plans and provide advice to the CEO/Information Commissioner
  • Seek assurance from management and Internal Audit that risk management processes are operating effectively
  • Seek assurance from management and Internal Audit as to the adequacy and effectiveness of internal controls
  • Review risk reports and provide advice to the agency head
  • Review whether a sound and effective approach has been followed in developing risk management plans for major projects or undertakings
  • Review the impact of the IPC’s risk management on its control environment and insurance arrangements
  • Review IPC’s fraud control plan and be satisfied that the agency has appropriate processes and systems in place to capture and effectively investigate fraud related information
  • Review whether a sound and effective approach has been followed in establishing the IPC’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically.
4.2 Control Framework
  • Review whether management’s approach to maintaining an effective internal control framework, including over external parties such as contractors and advisors, is sound and effective
  • Review whether management has in place relevant policies and procedures, and that these are periodically reviewed and updated
  • Determine whether the appropriate processes are in place to assess, at least once a year, whether policies and procedures are complied with
  • Review whether appropriate policies and procedures are in place for the management and exercise of delegations, at least annually, or whenever there are major changes that require a significant update to the manual
  • Consider how management identifies any required changes to the design or implementation of internal controls
  • Review whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour
  • Receive from management reports on all suspected and actual frauds, thefts and breaches of laws.
4.3 External Accountability
  • Assess the policies and procedures for management review and consideration of the financial position and performance of the agency including the frequency and nature of that review (including the approach taken to addressing variances and budget risks)
  • Review procedures around early close and year-end reporting
  • Review the financial statements and provide advice to the CEO/Information Commissioner (including whether appropriate action has been taken in response to audit recommendations and adjustments), and recommend their signing by the CEO/Information Commissioner
  • Satisfy itself that the financial statements are supported by appropriate management signoff on the statements
  • Review the Chief Financial Officer Letter of Certification and supporting documentation (consistent with NSW Treasury Policy and Guidelines Paper Certifying the Effectiveness of Internal Controls over Financial Information (TPP 17-06))
  • Review cash management policies and procedures
  • Review policies and procedures for collection, management and disbursement of grants and tied funding
  • Review the processes in place designed to ensure that financial information included in the IPC’s annual report is consistent with the signed financial statements
  • Satisfy itself that the IPC has a performance management framework that is linked to organisational objectives and outcomes.
4.4 Compliance with Applicable Laws & Regulations
  • Determine whether management has appropriately considered legal and compliance risks as part of IPC’s risk assessment and management arrangements
  • Review the effectiveness of the system for monitoring IPC’s compliance with applicable laws and regulations, and associated government policies.
4.5 Internal Audit
  • Act as a forum for communication between the CEO/Information Commissioner, senior management and internal and external audit
  • Review and provide advice to the CEO/Information Commissioner on the internal audit policies and procedures
  • Review the risk-based audit methodology
  • Review the internal audit coverage and annual work plan, ensure the plan is based on the IPC’s risk management plan, and recommend approval of the plan by the CEO/Information Commissioner
  • Advise the CEO/Information Commissioner on the adequacy of internal audit resources to carry out its responsibilities, including completion of the approved internal audit plan
  • Oversee the coordination of audit programs conducted by internal and external audit and other review functions
  • Review audit findings and related recommendations that have been assessed as the most significant according to the risk the audit finding represents to the agency if the recommendation(s) related to the finding are not implemented
  • Provide advice to the CEO/Information Commissioner on significant issues identified in audit reports and action taken on these issues, including identification and dissemination of good practice
  • Monitor management’s implementation of internal audit recommendations
  • Review the internal audit charter to ensure appropriate organisational structures, authority, access and reporting arrangements are in place
  • Periodically review the performance of internal audit and the chief audit executive
  • Provide advice to the CEO/Information Commissioner on the results of any external assessments of the internal audit function
  • Provide advice to the CEO/Information Commissioner on whether the Chief Audit Executive should be a dedicated role within the agency
  • Provide advice to the CEO/Information Commissioner on the appointment or replacement of the Chief Audit Executive and recommend to the CEO/Information Commissioner the appointment or replacement of external internal audit service providers (in the case of an outsourced internal audit function).
4.6 External Audit
  • Act as a forum for communication between the CEO/Information Commissioner, senior management and internal and external audit
  • Provide input and feedback on the financial statements and performance audit coverage proposed by external audit and provide feedback on the audit services provided
  • Review all external plans and reports in respect of planned or completed audits and monitor management’s implementation of audit recommendations
  • Provide advice to the CEO/Information Commissioner on action taken on significant issues raised in relevant external audit reports and better practice guides.

5. Responsibilities of members

Members of the Committee are expected to understand and observe the requirements of the Internal Audit and Risk Management Policy. Members are also expected to:

  • Make themselves available as required to attend and participate in meetings
  • Contribute the time needed to study and understand the papers provided
  • Apply good analytical skills, objectivity and good judgement
  • Abide by the relevant ethical codes that apply to employment within the NSW public sector
  • Express opinions frankly, ask questions that go to the fundamental core of the issue and pursue independent lines of enquiry
  • Maintain strict confidentiality, even after their terms on the Committee end, and declare any real or perceived conflicts of interest proactively and promptly.

6. Reporting

The Committee will regularly, but at least once a year, report to the CEO/Information Commissioner on its operation and activities during the year. The report should include:

  • An overall assessment of the IPC’s risk, control and compliance framework, including details of any significant emerging risks or legislative changes impacting IPC
  • A summary of the work the Committee performed to fully discharge its responsibilities during the preceding year
  • Details of meetings, including the number of meetings held during the relevant period, and the number of meetings each member attended
  • A summary of the IPC’s progress in addressing the findings and recommendations made in internal and external reports
  • A summary of the Committee’s assessment of the performance of internal audit.

The Committee may, at any time, report to the CEO/Information Commissioner any other matter it deems of sufficient importance to do so. In addition, at any time an individual committee member may request a meeting with the CEO/Information Commissioner.

7. Reporting lines

The Committee must at all times ensure that it maintains a direct reporting line to and from internal audit, and act as a mechanism for internal audit to report to the CEO/Information Commissioner on functional matters.

The IPC’s reporting line is prescribed in the following flowchart:

ARC Flowchart - Reporting Lines

8. Administrative arrangements

8.1 Meetings

The Committee will meet at least four (4) times per year. A special meeting may be held to review IPC’s annual financial statements.

The Chair is required to call a meeting if requested to do so by the CEO/Information Commissioner, or another Committee member.

A meeting plan, including meeting dates and agenda items, will be agreed by the Committee each year. The meeting plan will cover all the Committee’s responsibilities as detailed in this Charter.

The Committee may deal with matters out of session as appropriate including by email, teleconference or in person. Minutes of any matters the Committee addresses out of session will be maintained by the Committee Secretariat. Matters may be separately minuted or recorded in the minutes of the next formal meeting.

8.2 Attendance at Meetings & Quorums

A quorum will consist of a majority of Committee members. A quorum must include at least two (2) independent members.

Meetings can be held in person, by telephone or by video conference.

The agency head may attend the meetings of the Audit and Risk Committee. Committee members, if necessary, are able to have in-camera discussions. The Chief Audit Executive, external audit representatives and any other agency representatives may attend Committee meetings, except where the Committee members wish to have in-camera discussions. The Committee may also request the Director, Finance (DCS) or other employees attend committee meetings or participate for certain agenda items.

The Committee will meet separately with both the internal and external auditors at least once a year.

8.3 Dispute Resolution

Members of the Committee and IPC’s management should maintain an effective working relationship and seek to resolve differences by way of open negotiation. However, in the event of a disagreement between the Committee and management (including the CEO/Information Commissioner), the Chair may, as a last resort, refer the matter to NSW Treasury to be dealt with independently.

8.4 Secretariat

The CEO/Information Commissioner will appoint a person to provide secretariat support to the Committee. The Secretariat will ensure the agenda and supporting papers are circulated, after approval from the Chair, at least one (1) week before the meeting, and ensure the minutes of the meetings are prepared and maintained.

Minutes must be approved by the Chair and circulated within one (1) week of the meeting to each member and committee observers, as appropriate.

8.5 Maintenance of Records

The Committee Secretariat shall maintain records of all meeting papers and minutes, of the Committee’s key functional and administrative arrangements (remuneration, reappointment, conflict of interest declarations, etc.), of reviews of the Committee and its Charter, and of any other material relevant to the conduct of the Committee and its meetings.

8.6 Conflicts of Interest

Once a year the Committee members will provide written declarations to the CEO/Information Commissioner stating they do not have any conflicts of interest (perceived, actual or potential) that would preclude them from being members of the Committee.

Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflict of interest should be appropriately minuted.

Any external provider of internal audit services must also declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda topic. Details of any conflict of interest should be appropriately minuted.

Where members or observers at the committee meetings are deemed to have a real, or perceived, conflict of interest it may be appropriate that they are excused from committee deliberations on the issue where a conflict of interest exists.

8.7 Induction

New members will receive relevant information and briefing on their appointment to assist them to meet their committee responsibilities.

8.8 Assessment Arrangements

The CEO/Information Commissioner, in consultation with the Chair of the Committee, will establish a mechanism to review and report on the performance of the Committee, including the performance of the Chair and each member, at least annually.

The review will be conducted on a self-assessment basis (unless otherwise determined by the CEO/Information Commissioner) with appropriate input sought from the CEO/Information Commissioner, the internal and external auditors, management and any other relevant stakeholders as determined by the CEO/Information Commissioner.

8.9 Review of Charter

At least once a year the Committee will review this Charter. This review will include consultation with the CEO/Information Commissioner.

Any substantive changes to this Charter will be recommended by the Committee and formally approved by the CEO/Information Commissioner.

9. Signatories

Chief Audit Executive IPC 
Sonia Minutillo 

CEO/Information Commissioner 
Elizabeth Tydd 

Chair of IPC Audit & Risk Committee
Paul Crombie


[1] See Correspondence of 20 January 2021 from Chief Operating Officer, Department of Customer Service