Audit and Risk Management Committees: Structuring and requirements
July 22, 2013
Some municipal managers and other senior managers, as well as councillors, sometimes have difficulty to decide on how audit committees and the risk management committees should be structured, positioned and implemented within their respective municipalities. The purpose of this article is to provide some clarity on this matter given the fact that different legislation and regulations, as well as policy guidelines issued by the national government, are governing the establishment of audit and risk management committees.
THE REQUIREMENTS FOR A TRADITIONAL AUDIT COMMITTEE
Section 166(1) of the MFMA (Municipal Finance Management Act 56 of 2003) requires that each municipality/municipal entity must have an audit committee, subject to subsection (6). According to subsection (6), a single audit committee may be established for (a) a district municipality and the local municipalities within that district municipality, or for (b) a municipality and the municipal entities under its sole control. It is required by section 166(2)(a) that an audit committee must be an independent advisory body, which must advise the municipal council, the political office-bearers, the accounting officer and the management staff of the municipality, or the board of directors, the accounting officer and the management staff of the municipal entity, on matters relating to amongst others risk management and performance management. Paragraph 23 of the Public Sector Risk Management Framework of April 2010 also emphasises the fact that the audit committee is an independent committee responsible for oversight of the institution’s control, governance and risk management.
REQUIREMENTS FOR PERFORMANCE AUDIT COMMITTEES
Regulation 14(2)(a) of the Municipal Planning and Performance Management Regulations of August 2001 requires that a municipality annually appoints and budget for a performance audit committee. According to Regulation 14(4)(a), a performance audit committee has the following responsibilities:
- To review the quarterly reports submitted to it;
- To review the municipality’s performance management system and make recommendations in this regard to the council of that municipality; and
- To submit an audit report to the municipal council concerned at least twice during a financial year.
In terms of Regulation 14(4)(b), the performance audit committee must focus on economy, efficiency and effectiveness (the 3E’s of performance management) as well as an impact in so far as the key performance indicators and targets set by the municipality are concerned, when reviewing the municipality’s performance management system. It is, however, envisaged by Regulation 14(2)(c) that a municipality may utilise any audit committee established in terms of other applicable legislation as the performance audit committee envisaged in paragraph (a), in which case the provisions of this sub-regulation, read with the necessary changes, apply to such an audit committee. The provisions of the Regulation 14(2)(c) above is strengthened by MFMA Circular 65 of November 2012 which recommends that a Municipality must review its committees to ensure that in cases where there is an audit committee and a performance audit committee, that these are combined into one committee for effective management, oversight and reporting, as envisaged by section 166 of the MFMA. The circular also suggests that during the transition period the Chairperson of the Performance Audit Committee should report progress on a quarterly basis to the Audit Committee.
REQUIREMENTS FOR RISK MANAGEMENT COMMITTEES
It is indicated in Paragraph 24 of the Public Sector Risk Management Framework of April 2010 that a Risk Management Committee should be appointed by the Council to assist them to discharge their responsibilities for risk management. Such a committee should comprise of both management and external members with the necessary blend of skills, competencies and attributes, including the following critical aspects:
- an intimate understanding of the Institution’s mandate and operations;
- the ability to act independently and objectively in the interest of the Institution; and
- thorough knowledge of risk management principles and their application.
It is also required that the chairperson of the Risk Management Committee should be an independent external person, appointed by the Council. The responsibilities of the Risk Management Committee should be formally defined in a charter approved by the Council. In terms of MFMA Circular 65 of November 2012, the Audit Committee will be required to review recommendations made by Risk Management Committee and consider these in line with the Audit Committee charter. Based on such a review the Audit Committee must provide feedback to the municipal manager and the Council on the adequacy and effectiveness of risk management in the municipality and its entities. According to paragraph 24(4) of the Public Sector Risk Management Framework, there might be instances where the scale, complexity and geographical dispersion of the municipality’s activities dictate the need for the Risk Management Committee to work through subcommittees. In those cases, it is necessary that the Risk Management Committee should ensure that:
- approval is obtained from the Council for the establishment of the sub-committees; and
- the terms of reference of the sub-committees are aligned to that of the Risk Management Committee; and
- the Risk Management Committee exercises control over the functioning of the subcommittees.
ALIGNMENT BETWEEN THE AUDIT AND RISK MANAGEMENT COMMITTEE
If there are both a risk management committee and an audit committee established for a municipality then it is necessary to consider how the responsibilities of the two committees could be separated. According to paragraph 24(5) of the Public Sector Risk Management Framework of April 2010, the Risk Management Committee should have the following responsibilities:
- Review and recommend for the approval of the municipal council, the (i) risk management policy; (ii) risk management strategy; (iii) risk management implementation plan; (iv) institution’s risk appetite, (v) institution’s risk tolerance (vi) institution’s risk identification and assessment methodologies,
- Evaluate the extent and effectiveness of the integration of risk management within the Institution;
- Assess the implementation of the risk management policy and strategy (including plan);
- Evaluate the effectiveness of the mitigating strategies implemented to address the material risks of the Institution;
- Review the material findings and recommendations by assurance providers on the system of risk management and monitor the implementation of such recommendations;
- Develop its own key performance indicators for approval by the Council;
- Interact with the Audit Committee to share information relating to material risks of the Institution; and
- Provide timely and useful reports to the Audit Committee on the state of risk management, together with accompanying recommendations to address any deficiencies identified by the Committee.
Paragraph 23(4) of the Framework indicated that where there is a separate Risk Management Committee, the responsibilities of the Audit Committee should include the following:
- Reviewing and recommending disclosures on matters of risk in the annual financial statements;
- Reviewing and recommending disclosures on matters of risk and risk management in the annual report;
- Providing regular feedback to the Accounting Officer / Authority on the adequacy and effectiveness of risk management in the Institution, including recommendations for improvement;
- Ensuring that the internal and external audit plans are aligned to the risk profile of the Institution;
- Satisfying itself that it has appropriately addressed the following areas: (i) Financial reporting risks, including the risk of fraud; (ii) Internal financial controls; and (iii) IT risks as they relate to financial reporting.
However, paragraph 23(5) of the Framework suggested that where there is no separate Risk Management Committee, the risk management responsibilities of the Audit Committee should be identical to those listed in paragraph 24(5) as indicated above. In terms of paragraph 23(6) the Audit Committee should evaluate the effectiveness of Internal Audit in terms of its responsibilities for risk management.
From the regulatory framework and policy guidelines of the national government, it should be clear that there is no reason why a municipality can’t have one Audit Committee dealing with the accounting and financial matters, as well as performance management and risk management. This approach is already recommended by the National Treasury in MFMA Circular 65 according to which the audit committee and the performance audit committee should be combined into one committee. Metropolitan municipalities (category C municipalities) might, however, have a need for a Risk Management Committee, separate from its Audit Committee. They are probably in a better financial position to afford the establishment and functioning of such a Committee. It is also necessary to keep in mind, from a financial affordability perspective, that most of the medium and smaller municipalities cannot afford their own Audit Committees and should, therefore (or have already) opt for a shared service. The advantage of having one Audit Committee is that such a Committee will be in a better position to be effective if exercising oversight over the financial/accounting matters as well as performance and risk management matters since they will have a holistic overview of institutional governance and the cause and effect that certain actions of management or council have on the achievement of the strategic and service delivery objectives of the municipality.
- Department of Provincial and Local Government (DPLG). 2001. Municipal Planning and Performance Management Regulations of 24 August 2001, issued under section 120 of the Local Government: Municipal Systems Act 32 of 2000. Available URL address: http://www.treasury.gov.za
- National Treasury. 2010. Public Sector Risk Management Framework of 1 April 2010. [Online]. Available URL address: http://www.treasury.gov.za
- National Treasury. 2012. MFMA Circular 65: Internal Audit and Audit Committee, issued in terms of Municipal Finance Management Act 56 of 2003 on 23 November 2012. [Online]. Available URL address: http://www.treasury.gov.za
- The South Africa Republic. 2003. Municipal Finance Management Act 56 of 2003. [Online]. Available URL address: http://www.treasury.gov.za