Audit and Risk Committee terms of reference
The Council of the University of Canterbury has established an Audit and Risk Committee to maintain on its behalf, independent oversight of the financial reporting process, the internal control structure and the legal and ethical conduct of the University. The Audit and Risk Committee is responsible for ensuring that the Council is properly informed that:
- Risks facing the University are identified by management and their potential impact on the objectives of the University are assessed.
- Risks that have been identified are managed and the controls necessary for compliance with policy are built into the business process.
Note: The role of the Committee is to make recommendations to the University Council rather than to make decisions on behalf of the Council.
The Audit and Risk Committee will comprise not less than four Council members, none of whom will be staff or students, and up to two external co-opted members appointed by the Council. The Chair of the Audit and Risk Committee (who will not be the Chancellor) will be appointed by the committee, with the agreement of the Chancellor. The Chancellor and Pro-Chancellor are ex officio members of the Audit and Risk Committee. Three members of the Committee will form a quorum. Following recommendations by the Committee, any vacancies may be filled by the Council at any time during the year should they occur.
Neither the Vice-Chancellor, nor any member of staff of the University of Canterbury shall be a member of the Committee (NZX listing rules and code).
Scope of Activities
Without limiting the Audit and Risk Committee’s responsibility to fulfil its mission, as set out above, the scope of its activities will include reviewing periodic operating statements and service reports, from a risk perspective and it may, through the offices of the Vice-Chancellor, obtain direct reports from management responsible, or other sources, in regard to specific areas of risk e.g. health and safety. The scope of activities include:
- Reviewing and endorsing (with management) the annual internal audit plan and other internal reviews
- Reviewing the adequacy of the University’s internal control structure and security and protection of information and assets
- Reviewing the adequacy of the University’s enterprise risk framework and mitigations
- Monitoring the broader aspects of responsible corporate governance including general ethical and legal conduct and ensuring that Council is appropriately informed on the University’s financial matters
- Monitoring the University’s legislative compliance programme (including tax compliance) and risk management strategies.
- Monitoring the University’s compliance with health & safety regulations and statutes and reporting to Council
- Monitoring the adequacy of the University’s insurances
- Annual assessment of the appropriateness of financial and other delegations
- Review the status (including management action taken) of recommendations made by the internal auditors
- Oversee the organisation’s policy on fraud and irregularity, including being notified of any action taken under the policy
- Where reported difficulties are encountered during the course of an internal audit the committee will monitor, through the normal lines of reporting, solutions suggested and implemented to ensure positive outcomes
- Periodic review of the University’s internal audit services
- Reviewing and making recommendations on:
- Policies as requested by the Vice-Chancellor, Council, or at the initiative of the Chair of the Audit and Risk Committee
- Any changes required on the planned scope of the Internal Audit plan
- The results of any special investigations conducted by the Internal Auditors or management
- Protected disclosure reports
- Any emerging issues or other matters raised.
- Reviewing the appointment of, and scope and approach to audit proposed by the External Auditors
- Reviewing financial statements, and recommending to Council the adoption of the year-end financial statements and half year statements and reports
- Ensuring appropriate solutions are identified, and implemented, for difficulties encountered during the course of external audits
- Reviewing the status (including management action taken) of recommendations made by the External Auditors.
- Reviewing NZ Stock Exchange announcements.
- Ensuring that in regard to the NZ Stock Exchange:
- Requirements are complied with
- Continuous disclosure requirements are met
- Review and recommend to Council NZ Stock Exchange reports
Functional Relationships and Access
The Internal Auditor is appointed by Council on the recommendation of the Audit and Risk Committee (Appendix A).
The Audit and Risk Committee is supported by the University’s Internal Auditor, who has an open line of communication and unrestricted access to the Audit and Risk Committee.
In regard to the foregoing paragraph the Internal Auditor, following advice to the Vice-Chancellor, is responsible for keeping the Chair of the Audit and Risk Committee and its members informed as to significant results of internal audits and significant audit issues as, and when, they arise.
The Audit and Risk Committee will maintain a full and open dialogue with management to ensure that systems and procedures are in place to assist in the good management of the University.
In line with best practice the Audit and Risk Committee shall consult with both the External and Internal Auditors as required and may meet privately with them, with advice to the Vice-Chancellor prior to the meeting.
The Audit and Risk Committee has the authority to seek through the Vice-Chancellor any information it requires.
The Audit and Risk Committee may consult with independent experts in furtherance of its responsibilities.
The Audit and Risk Committee will hold at least four regular meetings per year, and shall hold such additional meetings as the Chair of the Audit and Risk Committee shall decide to fulfil its duties.
Members of management, through the Vice-Chancellor, the UCSA Student President and the Chair of the Finance, Planning and Resources Committee (if not already a member) may attend on the invitation of the Chair. Both the Internal Auditor and the Director in charge of external audit, and their associates will be invited to attend meetings as required.
Meeting agendas will be drawn up by the University Registrar and the Chair in consultation with the Chief Financial Officer, the Deputy Vice-Chancellors, the Vice-Chancellor and other staff as required, the Internal Auditor, the External Auditor, and the Chair of the Audit and Risk Committee. The agenda and accompanying papers shall be circulated at least four days prior to the meeting of the Committee, but where circumstances require and with the consent of the Chair, papers may be circulated nearer the meeting date.
At the discretion of the Chair meetings may be conducted by audio, audiovisual or electronic communication.
The Audit and Risk Committee reports back to Council after each meeting, providing its draft meeting minutes in confidence, a verbal briefing from the Chair and an opportunity for discussion.
Internal audit role and objectives
Internal Audit is established by authority of the University Council, and the terms of this are established by the engagement letter between the parties.
The existence of a proper system of controls over the management of risk is an essential feature of a successful organisation. It is management’s responsibility to establish and maintain proper controls; and it is Council’s responsibility to review the effectiveness of these controls. Internal Audit’s responsibility is to assist Council and management in monitoring and reporting upon the effectiveness of these controls and our risk management activities.
This document has been produced by management and Council to help explain Internal Audit’s role and objectives, and how it goes about its work.
Internal Audit Mission Statement
Provide management and Council with a professional and independent appraisal service that is appropriate to the needs of the University.
The Internal Auditor has independent status within the University and for that purpose:
- Reports to the Vice-Chancellor, but holds office on the authority of the Audit and Risk Committee, and has direct access to the Audit and Risk Committee.
- Has no executive or managerial powers, functions, or duties except those relating to the management of the internal audit office.
- Is not involved in the day to day operations of the University.
Scope of internal audit (IA)
The objective of IA is to assist all levels of management and University Council in the discharge of their responsibility to manage risks to the University and to establish sound systems of internal control by:
- Monitoring and reporting upon the effectiveness and efficiency of risk management activities, and through its operational assurance reviews.
- Reviewing and appraising the adequacy and applications of all systems of control, both existing and proposed, to promote effective control at reasonable cost.
- Ascertaining the level of compliance with established policies, procedures, directions, and appropriate legislation.
- Determining the effectiveness with which the University’s assets are accounted for and safeguarded from losses of all kinds.
- Ascertaining the accuracy, reliability and timeliness of management information produced within the University.
- Conducting special investigations, such as fraud reviews and other ad hoc assignments.
The responsibilities of the IA are defined by the Audit and Risk Committee, and embodied in the Terms of Reference approved by the Council. IA is responsible and accountable to the Vice-Chancellor and the Audit and Risk Committee. On a day-today basis this responsibility will be exercised via the Chief Financial Officer, to whom the Vice-Chancellor has delegated responsibility for supporting IA’s activities. Internal Audit retains right of direct access to the Vice-Chancellor, and the Audit and Risk Committee.
Authority and relations with management
To preserve independence the IA has the right of access to all University’s records, properties, and personnel relevant to its duties. IA staff will not, except in particular defined circumstances, develop, install or operate procedures, prepare records, or engage in any other activity which would normally be subject to audit review and appraisal, nor exercise direct authority over any part of the activities they review, or the persons responsible for any aspects of the associated work.
The relationship, which IA endeavours to establish with management, is one of oversight and partnership, with the joint objective of making effective improvements to the internal control environment and the management of risk.
Reporting and follow up
IA will advise management upon the proposed nature and scope of any reviews, including commencement date and duration. Management will have the opportunity to comment and suggest modifications before the review commences. As the review progresses, management will be kept informed of issues arising. Throughout this process, great importance is attached to regular discussion with management, to ensure that a proper balance is achieved in presenting conclusions and in reporting. Every effort is made to ensure that management agrees with the factual content, tone, balance, and conclusions reached before any report is published. However, ownership of any report belongs to IA and criticism, when justified, is to be succinctly expressed to the Chief Financial Officer and if appropriate the Audit and Risk Committee. The Registrar will monitor the implementation of recommendations, and if necessary follow up reviews will be undertaken.
Relations with external auditors (Audit New Zealand)
Whereas IA responsibility is to Council via the Audit and Risk Committee, with the full knowledge of the Vice-Chancellor, the External Auditors fulfil a statutory duty. The objectives and the approach are therefore different, although some of the work may be common. IA co-operates with the External Auditors, and copies of the IA plan and reports are made available to them in order to avoid duplication.
Role of the Audit and Risk Committee
As defined by the University Audit and Risk Committee “Terms of Reference”, one of the Committee’s roles is to monitor the work of IA. To enable it to do this it receives annually in advance, an Annual Work Plan, which will include a budget, to be mutually agreed between the Audit and Risk Committee, and the Vice-Chancellor. Quarterly in arrears, details of significant findings and conclusions shall form the basis of a full report to the Audit and Risk Committee and advice to Council.
For further information or to comment upon the Internal Audit service contact in the first instance the Chief Financial Officer.