Terms of Reference
The Audit and Risk Committee (ARC) is a Committee of the University Council, with the delegated responsibilities, authorities and accountabilities set out in this Terms of Reference approved by Council on 9 December 2025.
Purpose
The purpose of the Audit and Risk Committee is to assist the Council in discharging its oversight and approval responsibilities of the University[1] for:
- The integrity of the University’s financial reporting and public accountability.
- The effectiveness of the University’s internal control, risk governance, legal and policy compliance frameworks.
- The University’s risk management framework including material institutional risks.
- The University’s internal audit and external audit function.
- The University’s fraud and corruption framework, including oversight of the timely reporting, investigation, and follow-up of fraud and corruption cases and related control improvements.[2]
- The governance and effectiveness of data, information management, and privacy frameworks, particularly as the University transitions further into a digital operating environment.
1. For the purposes of this Terms of Reference, the term “University” refers to the University and, for risk oversight purposes, its subsidiaries and the Foundation Trust, to the extent that risks in those entities may materially affect the University’s interests, obligations or objectives. This oversight relates to such risks only and does not extend to the University exercising management control or making operational or governance decisions for those entities.
2. For the purposes of this Terms of Reference, the Fraud and Corruption Framework refers to the policy, procedures, and suite of internal controls designed to prevent and detect instances of fraud and corruption.
Authority and scope
- The Council delegates to the Committee the authority to review and make recommendations on matters within these Terms of Reference.
- The Committee is authorised to consult with management, internal auditors and external auditors, request any information it requires, and obtain outside legal or other professional advice as needed.
- The Committee may request management, internal audit, or external audit to address specific issues and is empowered to ensure follow-up of its recommendations.
- The Committee is authorised to approve the insurances, with the ability to delegate to an Insurance Subcommittee that has the ability to co-opt Committee members as required, having regard to the Committee’s review responsibilities in relation to insurance adequacy and risk appetite.
Responsibilities
The Committee is responsible for:
- 3.1 Financial reporting and external audit
- Review the external audit plan and fee proposal to ensure quality external audits.
- Review the Annual Report including the annual Financial Statements, Statement of Service Performance and other published financial reports, to ensure compliance with reporting requirements and make a recommendation to Council concerning the adoption of the University’s Annual Report and Financial Statements.
- Make recommendations to Council on key accounting and reporting issues including judgments, estimates, and significant changes in accounting policies.
- Review audit findings and monitor responses and action plans.
- Approve the external audit fee proposal and advise Council accordingly including the independence of the external auditor.
- Review and recommend for Council approval the external auditor’s letter of engagement.
- 3.2 Internal audit and assurance
- Review and approve the Internal Audit Charter and Strategic Internal Audit programme.
- Oversee the delivery and effectiveness of the Strategic Internal Audit Programme, to ensure it provides appropriate and risk-based coverage.
- Receive and consider summary reports on all completed internal audits, including key findings, management responses, and progress against agreed actions, and monitor the timely implementation of high-risk and other material recommendations; and review any instances where management proposes to accept a significant residual risk rather than implement a recommendation.
- Review the University-wide assurance map and high-risk findings dashboards, and oversee the timeliness and effectiveness of remediation.
- Through the Council, ensure that the internal audit function is appropriately resourced, independent and effective, including the ability to commission suitably qualified external providers where this enhances independence or specialist capability, and to prevent any compromise of independence arising from the same provider delivering both consulting and internal audit services.
- 3.3 Risk management
- Oversight of the culture, behaviours and ethics within the University as they affect risk and control, in the following respects:
- Review and recommend for Council approval the University’s Fraud and Corruption Framework, Risk Management Policy and Framework, Risk Appetite Statement and Risk Tolerance settings, and Key Risks.
- Receive regular, exception-led reports on the University’s Key Risks and the key controls and enabling activities to manage these, and escalate material matters to Council where appropriate.
- Review the adequacy and effectiveness of the internal control environment including systems for compliance, related policies, procedures and frameworks (e.g., fraud, whistleblowing and conflicts of interest).
- Review the adequacy of insurances, policy terms and market comparison including the University’s Insurance (risk-transfer) Strategy for consistency with risk appetite and residual exposures, and provide advice to Council (and, where relevant, the Insurance Subcommittee) to inform insurance approval decisions.
- Oversight of business continuity processes across the University and monitoring the implementation of appropriate testing and exercise programmes.
- 3.4 Compliance
- Review the effectiveness of systems for monitoring compliance with applicable laws, regulations, standards, codes, and sector good-practice guidelines.
- Receive periodic reports on material breaches, near-misses, and emerging non-compliance risks, and monitor the timeliness and effectiveness of management responses.
- Monitor investigations and outcomes relating to protected disclosures, suspected fraud/corruption, and other material compliance matters, escalating significant issues to Council as appropriate.
- 3.5 Litigation
- Monitor any legal proceedings involving potential or contingent liability for the University.
- 3.6 Other matters
- Any other matters as requested by Council, from time to time.
Reporting
- The Committee shall report at the next meeting of Council.
Constitution
The Constitution of the Audit and Risk Committee shall be as follows:
- Up to three lay members of the University Council.
- The Convener of the Health and Safety Committee (lay member of Council).
- members appointed for their expertise in the area of accounting, auditing or risk management. This can include independent members as appointed by Council.
- The Convener shall be appointed by Council from one of the Committee Members. The Convener shall not be the Chancellor or the Vice-Chancellor.
- A quorum shall be defined in accordance with the Standing Orders of Council.
In attendance:
- Vice-Chancellor
- Chief Operating Officer
- Chief Financial Officer
- Head of Risk, Assurance and Compliance
- Registrar and Secretary to the Council
- Audit New Zealand
- Additional members of management may be invited to attend for particular items by either the Convener or the Vice-Chancellor
- The Chancellor will attend meetings as an observer
Meetings
- The Committee will meet at least four times per year, with additional meetings as required by the Convener.
- The Committee should meet the internal auditor and external auditor without Management present, as a standing agenda item at each meeting.
- Meeting agendas will be drawn up by the secretary to Council and the Convener in consultation with the Chief Operating Officer and the Head of Audit, Risk and Compliance.
- The agenda and accompanying papers will be circulated at least one week prior to the meeting, but this period may be shorter if approved by the Convener in certain circumstances.
- Meetings may be conducted in person or electronically.
Review of Terms of Reference
- These Terms of Reference shall be reviewed at least every year and more frequently if required by changes in the University environment, regulatory changes or governance best practice.
- The Committee shall conduct an annual self-assessment of its effectiveness, covering its composition, performance, and the value it adds to the University’s assurance framework.
- The Committee will coordinate with Council and other committees to manage areas of overlapping remit and avoid duplication of reporting.
These Terms of Reference were approved by the University Council on 9 December 2025.
Sub-committees
Ethics Compliance Committee
- University of Otago Human Ethics Committee and University of Otago Human Ethics Committee (Health)
- Animal Ethics Committee
- Institutional Biological Safety Committee