5.1 Role of the Audit and Risk Management Committee
The Audit and Risk Management Committee assists the Board in overseeing the integrity of financial reporting, the effectiveness of risk management and compliance systems and the internal control framework, and the external and internal audit functions.
The Audit and Risk Management Committee has (in conjunction with management) reported to the Board as to CSL’s effective management of its material business risks in respect of the financial year ended 30 June 2016.
Senior executives and internal and external auditors frequently attend meetings on invitation by the Audit and Risk Management Committee. The Audit and Risk Management Committee holds regular meetings with both the internal and external auditors without management or executive directors present. Any director who is not a member of the Audit and Risk Management Committee may attend any meeting of the committee in an ex-officio capacity.
5.2 Risk Framework
CSL has adopted and follows a detailed and structured Risk Framework to ensure that risks in the CSL Group are identified, evaluated, monitored and managed. This Risk Framework sets out the risk management processes and internal compliance and control systems, the roles and responsibilities for different levels of management, the matrix of risk impact and likelihood for assessing risk and risk management reporting requirements.
The risk management processes and internal compliance and control systems are made up of various CSL policies, processes, practices and procedures, which have been established by management and/or the Board to provide reasonable assurance that:
As part of the Risk Framework, an Operational Risk Management Team of responsible executives reports to a Global Risk Leadership Team which in turn reports to the Audit and Risk Management Committee, including as to the effectiveness of CSL’s management of material risks. These teams are responsible for implementing, coordinating and facilitating the risk management process across the CSL Group. This includes quantifying and monitoring certain business risks identified and evaluated as part of the risk management process, including those relating to operating systems, the environment, health and safety, product quality, physical assets, security, disaster recovery, insurance and compliance. Each manufacturing site and each major function in the Group has its own Risk Management Committee which reports to the Operational Risk Management Team on a quarterly basis.
The CSL Group also has a Global Risk and Insurance Manager who is responsible for monitoring and coordinating the implementation of the Risk Framework throughout the CSL Group. The governance and oversight of risk management as described above is illustrated below.
The oversight of risk management associated with research and development projects is one of the responsibilities of the Innovation and Development Committee (see above). The research and development operations have a number of management committees that report into the Innovation and Development Committee.
The oversight of the management of risks which are not the subject of the Risk Framework or associated with research and development projects, such as strategic and reputational risk, is a responsibility of the Board.
Risk assessment and management policies are reviewed periodically, including by the CSL Group’s internal audit function.
5.3 Sustainability Risks
In the course of CSL’s business operations, CSL is exposed to a variety of risks that are inherent to the pharmaceutical industry, and in particular the plasma therapies industry. Key business/industry risks are tabled in section 5 of the Director’s Report (see pages 56 to 59 of this Report) and key financial risks are tabled in Note 11 to the Financial Statements (see pages 100 to 105 of this Report).
In addition, further detail regarding CSL’s ongoing efforts to operate ethically and responsibly in respect of sustainability is set out in CSL’s annual Corporate Responsibility Report.
5.4 External Auditor
One of the chief functions of the Audit and Risk Management Committee is to review and monitor the performance and independence of the external auditor. CSL’s external auditor for the financial year was Ernst & Young, who were appointed by shareholders at the 2002 Annual General Meeting.
The Audit and Risk Management Committee has established a policy in relation to the engagement of the external auditor for non-audit services so as to ensure the independence of the external auditor.
The signing partner for the external auditor is normally to be rotated at least every five years, and the auditor is required to make an independence declaration annually. CSL notes that, in accordance with the requirements of the Corporations Act, the Board and the Audit and Risk Management Committee approved Mr Glenn Carmody to act as the signing partner for Ernst & Young for a sixth year in 2015-2016 (as a result of some changes in personnel at Ernst & Young which directly affected the transition plans for the replacement of Ernst & Young’s signing partner). Mr Rodney Piltz has been approved to act as the signing partner for Ernst & Young for the 2016-2017 financial year.
The external auditor attends each Annual General Meeting and is available to answer questions from shareholders relevant to the audit and the preparation and content of the auditor’s report.
5.5 Internal Auditor
Another important function of the Audit and Risk Management Committee is to review and monitor the performance of CSL’s internal audit operation. CSL’s internal auditor for the financial year was PricewaterhouseCoopers.
The role of CSL’s internal audit function is to provide independent and objective assurance to the Audit and Risk Management Committee and executive management regarding the effectiveness of CSL’s risk management processes (including the state of any material risks) and internal compliance and control systems.
As noted above in section 5.2, the internal compliance and control systems are made up of various CSL policies, processes, practices and procedures.
An internal audit plan is prepared by the internal auditor, and reviewed and approved by the Audit and Risk Management Committee on an annual basis (for the upcoming financial year). The internal audit plan seeks to cover, on a rolling basis, all significant activities of CSL, including its controlled entities and their operations.
In addition, CSL’s internal auditor may be requested to perform investigative reviews on suspected fraudulent activities or Whistleblower complaints. In line with CSL’s Whistleblower Policy, any complaint made against the Managing Director, any member of CSL’s Global Leadership Group or any regional Whistleblower reports co-ordinator, must be investigated by CSL’s internal auditor, and the internal auditor’s written report in respect of that investigation must be provided directly to the Audit and Risk Management Committee.
5.6 Integrity in Financial Reporting and Regulatory Compliance
The Board is committed to ensuring the integrity and quality of its financial reporting, risk management and compliance and control systems.
Prior to giving their directors’ declaration in respect of the annual and half-year financial statements, the Board requires the Managing Director and the Chief Financial Officer to sign written declarations to the Board that, in their opinion:
These written declarations were received by the Board prior to its approval of the financial statements for the financial year ended 30 June 2016.