Audit & Risk Committee - Terms of Reference

The DCU Governing Authority has established the Audit and Risk Committee as a Committee of the Governing Authority. Its purpose is to assist the Governing Authority in discharging its responsibilities in relation to financial reporting, internal audit, external audit, internal control and risk management oversight. The Committee is also responsible for reviewing and monitoring the objectivity and independence of the external auditor.

2.1 Members of the Committee shall be appointed by the Governing Authority. The Committee shall be made up of at least three members.

2.2 No member of the Committee shall be an employee of the University or hold responsibility within its subsidiaries, associated companies, or any other body controlled or funded by the University.

2.3 A minimum of three external members of the Governing Authority shall be appointed as members of the Committee.

2.4 The Governing Authority may appoint up to three additional members that are external to the University and not being members of the Governing Authority.

2.5 At least one member shall have recent and relevant financial experience, and at least one will have recent and relevant risk management experience.

2.6 Only members of the Committee have the right to attend Committee meetings. However, other individuals such as the Chancellor, the President, the Chief Operating Officer, Chief Financial Officer, senior managers, the Head of Internal Audit, the Risk and Compliance Officer, and others as selected by the Committee may be invited to attend, or may request to attend, all or part of any meeting as and when appropriate.

2.7 The external auditors will be invited to attend meetings of the Committee on a regular basis.

2.8 Appointments to the Committee shall be for an initial period of up to four years, which may be extended for one further period of up to four years.

2.9 The Governing Authority shall appoint the Committee Chairperson. In the absence of the Committee Chairperson and/or an appointed Deputy, the remaining members present shall elect one of themselves to chair the meeting.

3.1 The Chairperson has responsibility for ensuring:

a) That the Committee is appropriately resourced and there is at least one qualified Accountant on the Committee;

b) Reports to the Committee contain relevant information and are provided in a timely manner in the appropriate format;

c) Absent Committee members are briefed on meetings and attendance records are maintained;

d) Reports on Committee activities are provided at meetings of the Governing Authority and regular written reports are provided, normally by way of Committee minutes;

e) Action items and matters arising are reported on at each subsequent meeting; and

f) Training is provided and succession planning for the Committee is undertaken.

4.1 The Secretary to the Governing Authority (or their nominee) shall act as the Secretary of the Committee.

4.2 The Secretary shall ensure these terms of reference are reviewed annually and updated if required.

4.3 The Committee shall be supported by the Office of the Chief Operations Officer.

The quorum necessary for the transaction of business shall be not less than half of the members of the Committee. A duly convened meeting of the Committee at which a quorum is present shall be competent to exercise all or any of the authorities, powers and discretions vested in or exercisable by the Committee.

6.1 The Committee shall meet at least four times a year. Meetings will be scheduled to align to the financial reporting and audit cycle, and on other occasions as required, and in the fortnight prior to a Governing Authority meeting where possible.

7.1 Meetings of the Committee shall be called by the Secretary of the Committee at the request of any of its members or at the request of external or internal auditors if they consider it necessary.

7.2 Unless otherwise agreed, notice of each meeting confirming the venue, time and date together with an agenda of items to be discussed, shall be forwarded to each member of the Committee and any other person required to attend within a reasonable period prior to the date of the meeting, which normally shall be five working days prior to the meeting. Supporting papers shall be provided to Committee members and to other attendees as appropriate at the same time.

8.1 The Committee shall determine its own procedures for the conduct of its meetings and other business.

8.2 Each question at a meeting of the Committee shall be determined by consensus, but where in the opinion of the Chairperson consensus is not possible the question shall be decided by a majority.

8.3 In the case of an equal division of votes, the Chairperson shall have a second and casting vote.

9.1 The Secretary shall minute the proceedings and resolutions of all meetings of the Committee, including recording the names of those present and in attendance.

9.2 The Secretary shall ascertain, at the beginning of each meeting, the existence of any conflicts of interest and minute them accordingly. The process for recording declarations of interest in the Committee shall be the same as at the Governing Authority.

9.3 Draft minutes of Committee meetings shall be circulated promptly to all Committee members. Once approved by the Committee, minutes should be submitted to the next meeting of the Governing Authority unless, in the Committee Chairperson’s opinion, it would be inappropriate to do so and any minutes so submitted may be subject to any redactions the Chairperson deems appropriate prior to circulation to the Governing Authority.

The Committee has explicit authority to investigate any matters within its terms of reference, to access/requisition the resources it needs to do so, and to have full access to information it requires.

10.1 Financial Reporting

10.1.1 The Committee shall monitor the integrity of the financial statements of Dublin City University (“the University”), reviewing significant financial reporting issues and judgements which they contain. The Committee shall also review summary financial statements, significant financial returns to regulators (including the Comptroller and Auditor General and the Higher Education Authority) and any financial information contained in certain other documents as appropriate.

10.1.2 Specifically, the Committee shall review and challenge where necessary:

(a) The consistency of, and any changes to, accounting policies year on year;

(b) The methods used to account for significant or unusual transactions where different approaches are possible;

(c) Whether the University has followed appropriate accounting standards and made appropriate estimates and judgements, taking into account the views of the external auditor;

(d) The clarity of disclosure in the University’s financial reports and the context in which statements are made;

(e) All material information presented with the financial statements, such as the operating and financial review and the corporate governance statement; and

(f) Content of the Annual Report (including the financial statements) and advise the Governing Authority on whether, taken as a whole, it is fair, balanced and understandable.

10.1.3 The Committee shall review the draft annual consolidated financial statements of the University before recommending their adoption by the Governing Authority, focusing particularly on:

(a) The consistency of, and any changes in accounting policies or practices year on year;

(b) Major judgmental areas and methods used to account for significant or unusual transactions;

(c) Significant audit adjustments;

(d) Compliance with appropriate accounting standards;

(e) Compliance with legal requirements; and

(f) All material presented with the financial statements and its consistency with the financial results.

10.1.4 The Committee shall review the University Letter of Representation and recommend to the Governing Authority whether it should be approved.

10.1.5 The Committee shall determine at least annually whether, in the Committee’s opinion, the University has kept proper books of account.

10.1.6 The Committee shall review the relevant sections of the annual governance statement provided to the Higher Education Authority and advise the Governing Authority on whether those sections are fair and balanced and comply with the Code of Practice for the Governance of State Bodies.

10.2 Office of the Comptroller and Auditor General

10.2.1 The Committee shall consider the report by the Office of the Comptroller and Auditor General and review management’s response prior to submission.

10.2.2 The Committee shall seek to meet with a representative of the Office of the Comptroller and Auditor General at least annually

10.3 Internal Controls, Compliance and Risk Management Systems

The Committee shall:

10.3.1 Risk Management

(a) Review and recommend to the Governing Authority for approval DCU’s Risk Management Policy;

(b) Recommend the Annual Strategic Risk Register and Risk Management Plan to the Governing Authority for approval;

(c) Review the Risk Appetite Statement annually and advise the Governing Authority in its consideration of the overall risk appetite, risk tolerance and risk strategy of the University. Review reports on any material breaches of risk limits, risk incidents and the adequacy of proposed corrective actions;

(d) Support the Governing Authority in carrying out its responsibilities for ensuring that there is a robust process in place to identify, assess, mitigate and report on risk;

(e) Review the adequacy and effectiveness of controls operated by management to mitigate business risk;

(f) Review and monitor the effectiveness of the arrangements for crisis management, business continuity planning and adequacy of scenario testing for the University;

(g) Monitor the effectiveness and resourcing of the risk management function, ensuring its continued adequacy and appropriateness;

(h) Keep under review the principal, emerging and high impact/low probability (HILPs) risks of the University via Quarterly Reporting and approve the statements of principal and emerging risks to be included in the annual report;

(i) Advise the Governing Authority on the need for periodic external review of the effectiveness of enterprise risk management; and

(j) Review and monitor the adequacy and effectiveness of the University’s ICT and cyber security framework, including strategy, controls, and technical resilience arrangements.

10.3.2 Compliance

(a) Review the processes adopted by DCU to achieve compliance with the Code of Code of Practice for the Governance of State Bodies (2016) and the Code of Governance for Irish Universities (2019), as appropriate, and their related Annexes and Guidelines;

(b) Provide assurance to the Governing Authority for the basis on which the Chancellor may sign-off on compliance with the Universities/State Code;

(c) Review compliance frameworks and the effectiveness and adequacy of the controls and procedures adopted to identify and give reasonable assurance concerning compliance with

DCU Policies and all statutory obligations applicable to the University;

(d) Review the results of Management’s investigation and follow-up of any instances of non- compliance; and

(e) Review and monitor the tax policies and procedures adopted by DCU.

10.3.3 Internal Control

(a) Keep under review the effectiveness of the University’s system of internal controls;

(b) Satisfy itself that the system of internal reporting gives early warning of internal control failures and emerging risks;

(c) Review and approve the statements to be included in the annual report concerning internal controls and risk management;

(d) understand the scope of internal audit and external auditors’ review of internal controls, and consider any significant findings and recommendations, together with Management responses;

(e) Seek consultation with a representative of the Office of the Comptroller and Auditor General and/or the external auditors regarding best practice in the operation of the Internal Audit function and on the work and effectiveness of the Committee; and

(f) consider whether suitable processes are in place to ensure regularity, probity and propriety is achieved.

10.4 Protected Disclosures and Fraud

10.4.1 The Committee shall:

(a) Review the University’s arrangements for its employees and contractors to raise concerns, in confidence, about possible wrongdoing in financial reporting or other matters and for the raising of a protected disclosure under the Protected Disclosures Act 2014, as amended by the Protected Disclosures (Amendment) Act 2022, as appropriate. The Committee shall ensure that these arrangements allow proportionate and independent investigation of such matters and appropriate follow up action; and

(b) Review the University’s procedures for preventing and detecting fraud.

10.4.2 The Chairperson shall be informed of any actual or potential protected disclosures.

10.5 Internal Audit

The Committee shall:

(a) Monitor and review the effectiveness of the Internal Audit function and facilitate an external review of the Internal Audit function once every five years at a minimum;

(b) Approve appointment and removal of the Head of Internal Audit and any advisory service expected to be procured from external market providers;

(c) Consider and approve the Internal Audit Charter. The Committee shall also ensure the function has adequate standing and is free from management or other restrictions;

(d) Monitor the effectiveness and resourcing of the internal audit function, ensuring its continued adequacy and appropriateness, and oversee performance review arrangements of the Head of Internal Audit.

(e) Provide input into the planned internal audits for the year, approving an internal audit plan annually, including any modifications, and monitoring progress against the plan;

(f) Receive reports on the results of the internal auditors’ work on a periodic basis, ideally quarterly reviewing such reports promptly;

(g) Review and monitor management’s responsiveness to the findings and recommendations of Internal Audit arising out of internal audits conducted and monitor action taken by management to implement recommendations; and

(h) Meet the Head of Internal Audit at least once a year, without management being present, to discuss their remit and any issues arising from the internal audits carried out.

10.6 External Audit

The Committee shall:

(a) Consider and make recommendations to the Governing Authority, in relation to the appointment, re-appointment and removal of the University’s external Auditor. The Committee shall oversee the selection process for new auditors and if an auditor resigns the Committee shall investigate the issues leading to this and decide whether any action is required;

(b) Oversee the relationship with the external auditor including (but not limited to):

(i) Approval of their remuneration, whether fees for audit or non-audit services and that the level of fees is appropriate to enable an adequate audit to be conducted;

(ii) Approval of their terms of engagement, including any engagement letter issued at the start of each audit and the scope of the audit;

(iii) Assessing annually their independence and objectivity taking into account relevant professional and regulatory requirements and the relationship with the auditor as a whole, including the provision of any non-audit services;

(iv) Satisfying itself that there are no relationships (such as family, employment, investment, financial or business) between the auditor and the company (other than in the ordinary course of business);

(v) Monitoring the auditor’s compliance with relevant ethical and professional guidance on the rotation of audit partners, the level of fees paid by the company compared to the overall fee income of the firm, office and partner and other related requirements;

(vi) Assessing annually their qualifications, expertise and resources and the effectiveness of the audit process which shall include a report from the external auditor on their own internal quality procedures; and

(vii) Promoting co-ordination between the University’s internal and external auditors and seeking confirmation from them on the effectiveness of their working relationship.

(c) Arrange its meetings to facilitate sessions with the external auditor:

(i) At least once at the planning stage before the audit;

(ii) At least once after the audit is at the reporting stage; and

(iii) At least once a year without management being present to discuss their remit and any issues arising from the audit.

(d) Review and approve the annual audit plan and ensure that it is consistent with the scope of the audit engagement;

(e) Review the findings of the audit with the external auditor. This shall include but not be limited to, the following:

(i) A discussion of any major issues which arose during the audit;

(ii) Any accounting and audit judgements;

(iii) Levels of errors identified during the audit;

(iv) The effectiveness of the audit process.

(f) Review any representation letter(s) requested by the external auditor before they are signed by management;

(g) Review the management letter and management’s response to the auditor’s findings and recommendations;

(h) Develop and implement a policy on the supply of non-audit services by the external auditor, taking into account any relevant ethical guidance on the matter; and

(i) Periodically consult with the external auditors regarding the operation of the Internal Audit function, with particular reference to the resourcing of the function, the audit work programmes being applied and the testing carried out in relation to the DCU’s compliance with governance requirements.

10.7 Reporting Responsibilities

(a) The Committee Chairperson shall report to the Governing Authority on its proceedings after each meeting on all matters within its duties and responsibilities;

(b) The Committee shall make whatever recommendations to the Governing Authority it deems appropriate on any area within its remit where action or improvement is needed; and

(c) The Committee shall compile a high-level overview report on its activities on an annual basis to be included as appropriate in the company’s annual report. The report will be timed to support the finalisation of the University financial statements and be within three months after the financial year.

10.8 Other Matters

The Committee shall:

(a) Have access to sufficient resources in order to carry out its duties, including access to the Office of the Chief Operations Officer for assistance as required;

(b) Be provided with appropriate and timely training, both in the form of an induction programme for new members and on an ongoing basis for all members;

(c) Consider all factors which it deems necessary including relevant laws, regulations and the provisions of the Code of Practice for the Governance of State Bodies (2016);

(d) Oversee implementation of the non-audit services policy; and

(e) Liaise with the Chairperson of the DCU Educational Support Services Audit Committee.

Both the Head of Internal Audit and the external audit representative have free and confidential access to the Chairperson of the Audit and Risk Committee.

The Committee is authorised:

(a) To seek any information it requires from any employee of the University in order to perform its duties;

(b) To obtain, at the University’s expense, outside legal or other professional advice on any matter within its terms of reference; and

(c) To request the attendance of any employee to be questioned at a meeting of the Committee as and when required.

As part of a periodic review of overall Governing Authority effectiveness, the Committee shall review its own performance and terms of reference to ensure it is operating at maximum effectiveness and recommend any changes it considers necessary to the Governing Authority for approval.