View Current

Governance (Audit and Risk Committee) Rule 2022

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Introduction

Name of Rule

(1) This Rule is the Governance (Audit and Risk Committee) Rule 2022.


(2) This Rule commences on 1 January 2022 under resolution CNL171/16.


(3) This Rule is enacted to establish the Audit and Risk Committee and to confer on that committee certain functions under the Charles Sturt University Act 1989.


(4) This Rule is made pursuant to authority granted to the Council under clause 4(1) of Schedule 1 of the Act, and sections 20 and 32 of the Act.

Notes: Clause 4(1) of Schedule 1 of the Act states that the Council may establish committees to assist it in the exercise of its functions and may delegate to the committee, under section 20 of the Act, all or any of its functions. Section 32 of the Act states that the Council may make rules with respect to the functions, processes and procedures of committees of the Council.


(5) In this Rule, unless the contrary intention appears:

  1. Act – means the Charles Sturt University Act 1989.
  2. By-law - means the Charles Sturt University By-law 2005.
  3. Committee - means the Audit and Risk Committee established under this Rule in accordance with clause 4(1) of Schedule 1 of the Act.
  4. Council - means the University Council established under Part 3 of the Act.
  5. External independent person – means an external person who is also not an external member of the Council.
  6. External person - means a person other than a member of the academic or general staff of the University or an undergraduate or graduate student of the University, as set out in section 8A of the Act. The University Governance Framework further provides that the person may not be an executive, employee or student of the University’s controlled entities, and must be free from any business or other relationship which could materially interfere with the unfettered and independent exercise of their judgement (refer clause 76).
  7. University Secretary - means the Secretary appointed under the By-law and includes a person or persons appointed to act on behalf of the Secretary from time to time.

(6) In this Rule, unless the contrary intention appears:

  1. a word or term that has not been defined in this Rule has the same meaning attributed to that word or term in the Act or By-law,
  2. a reference to an officer of the University includes any person acting in that position, and
  3. headings and notes do not form part of this Rule.
Top of Page

Section 2 - Committee

Establishment of committee

(7) There is to be an Audit and Risk Committee.

Delegated authority

(8) The Council authorises the committee to exercise the functions specified in clause 12 and any functions delegated to the committee by the Council listed in the Delegations and Authorisations Policy and the delegation schedules.

(9) The committee has such other functions as may be necessary to enable it to exercise the functions specified in clause 12.

(10) The Council authorises the committee, within the scope of its role and responsibilities, to:

  1. obtain any information it needs from any employee and/or external party (subject to their legal obligation to protect information),
  2. discuss any matters with the external auditor, or other external parties (subject to confidentiality considerations),
  3. request the attendance of any employee, including members of the University Council, at committee meetings, and
  4. obtain external legal or other professional advice, as considered necessary to meet its responsibilities. The payment of costs for that advice by the University is subject to prior approval of the Council in accordance with delegations.

Terms of reference

(11) The committee provides independent assistance to the Council by monitoring, reviewing and providing advice about the University’s governance processes, risk management and control frameworks and its external accountability obligations.

(12) The principal functions of the committee are:

  1. with respect to internal audit activities:
    1. approve the internal audit policies for the University,
    2. approve the annual internal audit program, monitor its scope and progress, ensure alignment with risk management, and approve any significant changes to the program,
    3. oversee the risk-based audit methodology,
    4. receive reports of the internal auditor (as well as those of internal audit contractors), and monitor management implementation of audit recommendations,
    5. provide advice to management on significant issues identified in audit reports, particularly those identified as high risk, including identification and dissemination of good practice,
    6. evaluate the performance and effectiveness of the internal audit function by reference to the University's audit program and strategy,
    7. provide advice to the Council on the performance and appointment of the internal auditors,
  2. with respect to external audit activities:
    1. approve the appointment of external auditors (where applicable) and the scope and depth of the external audit program,
    2. jointly with the Finance Committee, review the financial statements and provide advice to the Council (including whether appropriate action has been taken in response to audit recommendations and adjustments) and recommend their signing by the Council,
    3. satisfy itself that the financial statements are supported by appropriate management signoff on the statements, including review the Chief Financial Officer Letter of Certification and supporting documentation,
    4. oversee the processes in place designed to ensure that financial information included in the University’s annual report is consistent with the signed financial statements,
    5. receive reports from external auditors, including implementation plans prepared by management to respond to each report,
  3. with respect to compliance activities:
    1. approve the compliance policies for the University,
    2. review the effectiveness of the system for monitoring the University's compliance with applicable laws, regulations and associated policies, and seek assurance that changes in key laws, regulations, internal policies and Accounting Standards affecting the University’s operations are being monitored at least once a year, and appropriately addressed,
    3. determine whether management has appropriately considered legal and compliance risks as part of the University’s risk assessment and management arrangements,
    4. seek assurance that the appropriate exercise of delegations is monitored and reviewed,
    5. receive reports on compliance (including staff and student complaints, misconduct, and whistleblower activities) and seek assurance as to the effectiveness of processes for identifying, analysing and addressing issues raised,
    6. follow-up on, and obtain regular updates about, issues of material non-compliance that may have a substantive impact on the University's operations,
    7. oversee findings of any compliance investigations or audits carried out by regulatory agencies,
    8. receive reports on safety and wellbeing and seek assurance that appropriate mechanisms of identifying, addressing and reporting matters are in place,
    9. review any matter that the committee reasonably feels may impact on the risk or compliance profile of the University,
    10. oversee whether management has taken steps to embed a culture that is committed to ethical and lawful behaviour,
  4. with respect to risk activities:
    1. approve the risk management policies for the University,
    2. assess and advise management and the Council on the University’s risk management culture and framework, including level of maturity and whether management has in place a current and appropriate risk management framework,
    3. review risks (including principal and academic risks), risk appetite, risk mitigation and reputation management, as well as associated documentation, and make recommendations to management and/or the Council,
    4. consider the adequacy and effectiveness of the internal control and risk management frameworks, including the framework for third party arrangements, by reviewing reports from management, internal audit and external audit, and by monitoring management responses and actions to correct any noted deficiencies,
    5. review the impact of the University's risk management on its control environment and insurance arrangements, 
      receive the University Insurances Report, including Directors and Other Officers insurance policies,
    6. oversee the University’s fraud and corruption control framework including the fraud control plan and be satisfied that the University has appropriate processes and systems in place to capture and effectively investigate fraud related information,
    7. seek assurance from management that emerging risks (including cybersecurity, foreign interference, and sexual assault and sexual harassment) are being identified and addressed,
    8. seek assurance from management and internal audit that risk management processes are operating effectively, including that relevant internal control policies and procedures are in place and that these are periodically reviewed and updated,
    9. oversee whether a sound and effective approach has been followed in developing risk management plans for major projects, programs or undertakings,
    10. oversee whether a sound and effective approach has been followed in establishing the University’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically,
  5. provide an annual assurance statement to the Council on the matters within the scope of its responsibility.


(13) The committee shall comprise at least four members including:

  1. at least two external members of the Council (e.g. not a member of staff or a student of the University), and
  2. up to three external independent persons.

(14) The Council will appoint a suitably qualified external independent person to act as chair of the committee. To the extent practicable, the chair should be a person with skills and experience at a senior level relevant to the functions of the committee.

(15) Members will be appointed at a meeting of the Council for a term not exceeding four years or their term on the Council. Members may be re-appointed at the end of a term for a maximum of three consecutive terms unless otherwise determined by resolution of the Council.

(16) Members should collectively develop, possess and maintain a broad range of skills and experience relevant to the operations, governance and financial management of the University, the environment in which the University operates and the contribution that the committee makes to the University.

(17) At least one member of the committee shall have accounting or related financial management experience with an understanding of accounting and auditing standards in a public sector environment.

(18) Notwithstanding clauses 13 to 17, the following persons may not be members of the Audit and Risk Committee:

  1. Chancellor
  2. Vice-Chancellor
  3. A member of the staff of the University.


(19) The chair may approve for the whole, or any part, of a meeting of the committee, the attendance of:

  1. the Chancellor,
  2. a member of the Council,
  3. the Vice-Chancellor,
  4. Chair, Academic Senate,
  5. the Chief Financial Officer,
  6. the Director, Risk and Compliance,
  7. the External Auditor,
  8. the Internal Auditor,
  9. an external auditor engaged to conduct an internal audit, and
  10. an employee or contractor of the University or any external persons, for the purpose of providing advice or consultation to the committee.

(20) The committee shall meet at least four times per year.

(21) The committee may meet at other times in accordance with the Governance (Council Meetings) Rule 2023.

Consultation with the Internal Auditor

(22) The committee and the Internal Auditor should meet in-camera once per year, or as required, as scheduled by the University Secretary in consultation with the chair.

Consultation with the External Auditor

(23) The committee and the External Auditor should meet in-camera once per year, or as required, as scheduled by the University Secretary in consultation with the chair.