This edition of audit insights outlines key messages from a series of recent audits examining the effectiveness of governance boards in four corporate Commonwealth entities. The audit observations from this series of audits relate primarily to the ‘soft’ attributes of effective governance such as relationships, behaviours and culture, while also recognising the important interplay with the ‘hard’ attributes of governance such as board composition, appointment processes and independence. The key messages may be relevant for the operations of other Commonwealth boards as well as broader governance arrangements in Commonwealth entities.
Audit insights — board governance
The ANAO audit program includes topics that examine the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Public Governance, Performance and Accountability Rule 2014.
Under the PGPA Act, the governing board of a corporate Commonwealth entity is responsible for leading, governing and setting the strategic direction for the entity. The Auditor-General presented a series of audits in April and May 2019 that reviewed whether the boards of four corporate Commonwealth entities had established effective arrangements to comply with selected legislative and policy requirements, and adopted practices that support effective governance:
- Report No. 34 of 2018–19 —published on 18 April 2019;
- Report No. 35 of 2018–19 —published on 26 April 2019;
- Report No. 36 of 2018–19 —published on 30 April 2019; and
- Report No. 37 of 2018–19 —published on 2 May 2019.
This edition of audit insights outlines a number of the key messages from this series of audits that may be relevant for the operations of other Commonwealth boards as well as broader governance arrangements in Commonwealth entities.
In this series of reports the Auditor-General concluded that the governance and oversight arrangements adopted by the selected boards were effective. The small number of recommendations directed to the audited entities indicates a high level of compliance with the key governance requirements of the principles-based framework established by the PGPA Act and PGPA Rule. The Auditor-General observed that the Department of Finance (Finance) has issued guidance, such as of December 2016, to assist accountable authorities in the discharge of their legal obligations. This guidance is principally a factual and procedural guide with a focus on legal compliance.
The audit observations from this series of reports, which were largely welcomed by boards, relate primarily to the ‘soft’ attributes of effective governance and culture highlighted in key independent reviews of organisational behaviour. These include the 2018 APRA Prudential Inquiry into the Commonwealth Bank of Australia and the 2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019 Hayne Royal Commission).
The Auditor-General observed that there is no equivalent in the Commonwealth public sector of resources built up over time—such as the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations and the resources made available by the Australian Institute of Company Directors—to support public sector governance boards in this respect. In consequence, public sector accountable authorities would need to rely on a combination of personal experience and other resources to supplement the guidance released by Finance. The included a recommendation that Finance issue guidance which has regard to the key insights and messages of those inquiries directed to accountable authorities. Finance agreed to the recommendation.
Boards and corporate governance
Boards play a key role in the effective governance of an entity. Corporate governance involves two dimensions, which are the responsibility of the governing board:
- performance—which involves monitoring the performance of the organisation and CEO. This also includes strategy, the process of setting organisational goals and developing strategies for achieving them. The objective is to enhance organisational performance; and
- conformance—which involves compliance with legal requirements and corporate governance and industry standards, and accountability to relevant stakeholders.
Governing is not the same as managing. Governance involves the systems and processes in place that shape, enable and oversee the management of an organisation. Management is concerned with doing, such as coordinating and managing the day-to-day operations of the entity’s business.
The interplay of the ‘hard’ attributes of governance (such as board composition, appointment processes and independence) and the ‘soft’ attributes of governance (such as the chair/CEO relationship, board behaviours and board culture) are critical to good governance and organisational performance. This interplay and the importance of board and organisational culture to an entity’s performance, values and conduct have been central themes in notable Australian reviews into organisational misconduct.
Key reviews—a focus on culture and governance
Notable reviews that have examined governance and its role in organisational performance have included the 2003 Royal Commission into the failure of HIH Insurance, the 2018 APRA Prudential Inquiry into the Commonwealth Bank of Australia and the 2019 Hayne Royal Commission into the financial services industry.
While the specific focus of these inquiries was on financial institutions, their key insights on culture and governance have wider applicability and provide lessons for all Commonwealth accountable authorities, including governance boards. Many Auditor-General reports have made findings consistent with these reviews.
The 2019 Hayne Royal Commission emphasised the need for boards to get the right information about emerging non-financial risks; to seek further or better information where what they had was clearly deficient; and ensure they use information to oversee and challenge management’s approach to these risks. The 2019 Hayne Royal Commission further emphasised that every entity must ask the questions raised by the 2018 APRA Prudential Inquiry:
- Is there adequate oversight and challenge by the board and its gatekeeper committees of emerging non-financial risks?
- Is it clear who is accountable for risks and how they are to be held accountable?
- Are issues, incidents and risks identified quickly, referred up the management chain, and then managed and resolved urgently? Or is bureaucracy getting in the way?
- Is enough attention being given to compliance? Is it working in practice? Or is it just ‘box ticking’?
- Do compensation, incentive or remuneration practices recognise and penalise poor conduct? How does the remuneration framework apply when there are poor risk outcomes or there are poor customer outcomes? Do senior managers and above feel the sting?
The 2019 Hayne Royal Commission recommended that entities should, as often as reasonably possible, take proper steps to:
- assess the entity’s culture and its governance;
- identify any problems with that culture and governance;
- deal with those problems; and
- determine whether the changes it has made have been effective.
The earlier HIH Royal Commission similarly warned in 2003 of the dangers of a ‘tick the box’ mentality towards corporate governance, and highlighted the benefits of periodic review by boards of corporate governance practices to ensure their suitability.
Audit insights—implementing effective governance
Establish a board charter
A board charter can support board members by providing a single reference point that clearly sets out the functions, powers and membership of the board, as well as roles, responsibilities and accountabilities, consistent with relevant legislative requirements. Including key behavioural and cultural expectations for board members can assist in articulating the desired culture of the board. The charter should be a living document, subject to thoughtful consideration and periodic review. The charter can also assist a board to formally set expectations for reporting to it by management.
The Sydney Harbour Federation Trust (SHFT) has a board charter that details the objects, functions and powers of SHFT and the responsibilities of the board. The charter contains behavioural expectations for board members via a code of conduct, as well as provision for sanctions to be imposed where the code of conduct has been breached. The SHFT board's inclusion of behavioural expectations in its board charter is a practice that other entities could consider adopting.
Report references: paragraphs 2.25–2.29
Periodically evaluate board performance
Periodically evaluating board performance can enable a board to reflect on its operations and assess whether it has effectively met its purpose, objectives and obligations. Lessons learned from this process can assist the board in setting priorities and goals and contribute to enhancing overall board and organisational effectiveness. Documenting the process, performance criteria and outcomes — as well as any actions taken in response to issues identified — can also assist in ensuring accountability and transparency. Boards could also consider reporting in their governed entities' annual report that a performance evaluation has been undertaken, insights it has gained from the evaluation and any governance changes it has made as a result.
The Special Broadcasting Service Corporation (SBS) board has engaged consultants and directed management to conduct reviews and evaluations aimed at improving the SBS's efficiency and effectiveness. These reviews and evaluations have related to process improvement, physical security and board effectiveness. The implementation of recommendations from a 2016 review of the SBS board's effectiveness is reassessed by the board periodically.
Report reference: paragraph 2.49
The board of the Australian Institute of Marine Science (AIMS) evaluates each meeting and records details in the meeting minutes. This is a practice that other entities could consider adopting.
Report reference: paragraph 2.34
Actively consider current and future board skill requirements
Actively engaging with the portfolio department and minister in relation to the skills requirements for future board appointments, and providing advice accordingly to the relevant decision-maker, can assist in achieving the optimum skill mix.
This series of audits identified that there would be benefit in the selected boards engaging with their respective portfolio department and ministers in relation to the skill requirements for future board appointments.
Recognise and manage conflicts of interest
Including conflicts of interest as a standing agenda item supports board members in focussing attention on this key issue. This can include having board members verbally declare conflicts of interest at each meeting. Including details of each board member's interests in board papers, including paid and unpaid external engagements, can also assist board members to ensure that all their interests are actively considered. Disclosure also increases board member awareness of the previously declared interests of fellow board members. Members should be clear on their obligations relating to gifts and hospitality, such as through codes of conduct, board charters, and gifts and hospitality policies. Gifts and hospitality registers can be useful in improving transparency in cases where gifts and hospitality are accepted.
The board charter and audit committee charter of Old Parliament House (OPH) describe the process for declaring conflicts of interest and define personal interest. Conflicts of interest is a standing agenda item at board and audit committee meetings.
Report reference: paragraphs 2.21–2.22 and table 3.4
The SBS has established a legislative compliance reporting process wherein compliance with statutory obligations is monitored and reported to the Audit and Risk Committee on a quarterly cycle. Under the SBS Act, the managing director is required to give the chairperson written notice of all direct and indirect pecuniary interests that they have or acquire. SBS provided evidence of the disclosure made by the managing director in December 2018.
Report reference: paragraph 3.12
The AIMS code of conduct includes guidance around conflict of interest. Declaration of interests is a standing agenda item at board and audit committee meetings. The board papers include a table with details of each board member's interests.
Report references: paragraphs 2.14–2.15, table 3.1 and table 3.4
The SHFT board charter contains behavioural expectations for board members, which include conflict of interest declaration requirements. Declaration of interests is a standing agenda item at board meetings, and the board papers often include a list of current outside engagements for board members and the executive director.
Report references: paragraphs 2.20–2.21 and table 3.4
Retain adequate documentation and records of decisions and actions
Keeping sufficient evidence of decision-making processes and outcomes is fundamental to effective governance, accountability and transparency. It also contributes to efficient practice, the utilisation of evidence and enabling a learning organisation. Board members and entities should be mindful of the need to ensure that information relating to the entity is handled and maintained in accordance with applicable Commonwealth information-security and record-keeping requirements. These requirements also apply to communication channels such as emails, as these are official records.
OPH board meeting minutes clearly indicate when items have been noted and when resolutions have been made by the board. The OPH board approved a mechanism for decisions without meetings. This involves emailing requests to board members to approve documents via a circular resolution.
Report references: paragraph 2.13, paragraph 2.43 and paragraph 2.46
AIMS board meeting minutes clearly indicate board actions, such as 'accepted', 'noted' and 'agreed'. The AIMS board has also established a process to enable decisions without meetings—flying minutes are sent out of session, the decision is made, and the minutes are ratified at the next board meeting.
Report references: paragraph 2.38 and paragraphs 2.40–2.41
Actively question and challenge management
Board members must hold management to account. Setting expectations for management reporting to the board can assist in ensuring that the board and management have a shared understanding of the board's requirements and can assist the board in meeting its obligations as the accountable authority. This series of audits observed that members of the selected boards displayed a willingness to challenge management.
OPH management reports to the board through standing agenda items and a standard format for presenting papers that has evolved over time. As part of the board's self-assessment process the board considered whether management reporting met board expectations.
Report references: paragraphs 2.22–2.25
Information from SBS Board committees, including annual performance reports and verbal updates by the relevant chair of each committee, is provided during board meetings. The SBS Board also receives a managing director's report and management reports from each operating division. The minutes of the SBS Board meetings indicate that members of the SBS Board make regular enquiries of management on matters relating to operations and strategic initiatives.
Report reference: paragraphs 2.41–2.46
The board has set expectations for reporting to it by management through occasional discussions at board meetings, including in their meeting evaluations. Management reports to the board through standing agenda items and a standard format for presenting papers that has evolved over time.
Report references: paragraphs 2.14–2.15 and paragraphs 2.32–2.33
Management reports to the board through standing agenda items and a standard format for presenting papers that has evolved over time.
Report references: paragraphs 2.20–2.21
Review key strategic risks in corporate risk registers and set risk appetite
Maintaining a strategic focus on risk can assist a board in ensuring the risk management framework is appropriate and the entity is operating within its risk appetite, as well as enhancing the board's understanding of the strategic context and enabling it to govern more effectively. Including risk management as a standard agenda item for board meetings encourages the regular consideration of risk.
The oversight of risk by boards featured prominently in the 2003 HIH Royal Commission, 2018 APRA Prudential Inquiry and 2019 Hayne Royal Commission and this is discussed at paragraphs 1.7–1.13 of each audit report. The 2019 Hayne Royal Commission highlighted the importance of strategic oversight of non-financial risks such as compliance risk, conduct risk and regulatory risk.
SHFT board meetings have a standing agenda item on risk, governance and compliance involving the presentation of current risk issues, the strategic risk register, a risk treatment schedule, a risk heat map, the internal controls action plan, and a work health and safety report. Overall the board is provided with information to enable members to have a good understanding of SHFT's strategic environment and risks. SHFT has a risk management framework approved by the board.
Report references: paragraphs 2.44–2.47, table 3.1 and table 3.2
The SBS established a risk management framework, last approved by the board in August 2018. The board has primary responsibility for the risk management framework, including risk strategy and risk policy. The board determines the SBS risk appetite and tolerance. Board papers regularly include information on risk.
Report reference: paragraphs 3.14–3.39
Ensure that the audit committee and its operating arrangements support the board obtaining the external advice and assurance it requires
In establishing an audit committee, boards need to consider the structure, composition, size, skills and independence of members to enable the committee to be effective. Having the board establish, approve and periodically review its audit committee charter can assist the board in ensuring it is receiving the desired external advice and assurance. An audit committee charter can reflect the desired culture and set out such things as the committee's roles and responsibilities, authority, composition, membership requirements, structure and processes. Board oversight of audit committees should involve regular reporting from the committee, including on internal audit findings, the implementation of ANAO and parliamentary recommendations and regular review of the audit committee charter and work plan.
The OPH audit committee charter provides guidance on collective and individual skill requirements, including financial literacy.
Report references: paragraphs 2.56–2.62, table 3.2 and table 3.5
The SBS Audit and Risk Committee (ARC) comprises three members of the SBS board. The SBS board established the ARC with a charter that is required to be reviewed and approved by the board annually. The ARC charter was most recently reviewed and approved by the board in April 2018. The span of responsibility and the technical nature of some of the ARC's functions are reflected in the structure and management of its meetings and reporting to the SBS board. The ARC reports to the board on how it discharges its roles and responsibilities.
Report references: paragraph 2.6, paragraphs 3.1–3.2 and paragraphs 3.12–3.13
The AIMS audit committee charter, which is approved by the board, requires committee members, collectively, to have a broad range of skills and experience relevant to the operations of AIMS and at least one member of the committee to have accounting or related financial management experience.
Report references: paragraphs 2.49–2.53, table 3.1, table 3.2, table 3.4 and table 3.5
Approve and periodically review key policies and frameworks particularly those that relate to the duties of an accountable authority
Board approval of key policies and frameworks such as financial delegations, risk management, work health and safety, and fraud, can assist board members to gain assurance that they are effectively discharging their duties as the accountable authority, by setting the framework for compliance with relevant legislation.
Having the board approve policies such as the code of conduct, remuneration and key quality assurance frameworks (if applicable) enables boards to influence behaviour and can be an important mechanism in communicating the desired culture within the entity. Recent reviews such as the 2018 APRA Prudential Review and the 2019 Hayne Royal Commission have highlighted that boards need to be cognisant of how incentives and controls in organisations can drive behaviours and culture. Monitoring when policies are due for review, such as through the audit committee, can assist this process.
This series of audits identified opportunities for boards to consider the policies they review and endorse, with a view to ensuring the board periodically and systematically reviews and approves all key policies, and particularly those that relate to the duties of an accountable authority.
Provide appropriate induction to assist board members' understanding of their obligations
Induction processes should include details of members' legal responsibilities as part of the accountable authority and other legislative requirements. It is also important that board members receive all key policies and procedures related to their role as the accountable authority.
Upon induction, board members are provided with a range of appropriate information including documents such as the corporate plan, annual report, financial and contract delegations policy, AIMS risk management framework, health and safety framework, fraud control plan, deed of confidentiality and intellectual property, and code of conduct.
Report references: paragraphs 2.30–2.31, table 3.1 and table 3.4
Seek management assurance regarding internal controls and compliance
Obtaining assurance from management regarding internal controls and compliance with relevant legislation and government policies can assist a board directly, or through its audit committee, gain assurance of compliance. Maintaining a register of compliance breaches and providing board members with details of the nature of assurance mechanisms used within the entity can further assist board members.
The Audit and Risk Committee (ARC) reviews the appropriateness of the SBS's systems of risk oversight and management, and internal controls, and provides assurance to the board. The ARC receives quarterly reporting on the SBS's compliance against the PGPA Act and other legislative requirements. The SBS board meetings include a report on the activities of the ARC.
Report references: paragraph 3.12 and table 3.1
The board has established fit-for-purpose arrangements to oversight compliance with key legislative and other requirements. This includes an annual process for certifying compliance with the PGPA Act, the AIMS Act and various other legislative and policy requirements. The process is overseen by the audit committee.
Report references: paragraphs 3.1–3.10, table 3.1 and table 3.2
Seek consolidated progress reports on results against all performance targets in the corporate plan
Receiving regular reporting on progress against corporate plan performance criteria can assist board members in their ongoing oversight of entity performance. This can also support board member assurance over annual performance statement reporting.
At each meeting the board is provided with a corporate performance report that includes reporting of performance against the corporate plan performance criteria. Board meeting minutes indicate ongoing monitoring and discussion by the board of entity performance.
Report references: paragraph 2.42 and table 3.1
At each meeting the board is provided with an executive director report that includes reporting on performance against corporate plan performance criteria.
Report references: paragraph 2.43 and table 3.1
Further insights from related audit activity
For further insights from the ANAO's multiyear audit program relating to implementation of the PGPA Act and the PGPA Rule, see: