HRA Audit and Risk Committee Manual

Last updated on 5 Nov 2025

This is version 3.2 of the HRA Audit and Risk Committee Manual, dated 1 April 2025. The 'last updated' date at the top of the page refers to minor amendments, for example to correct broken links. Please always check you are using the current version, live on this page, rather than an older PDF.

1. HRA Audit and Risk Committee Terms of Reference

1.1. Constitution

1.1.1. The Health Research Authority (HRA) Board resolves to establish an independent Committee known as the Audit and Risk Committee (ARC).

1.1.2. The ARC will have no executive powers other than those specifically delegated in these Terms of Reference. The ARC in its workings will be required to adhere to the Authority’s Standing Orders and Code of Conduct.

1.1.3. The principles of the HM Treasury Audit and Risk Assurance Committee Handbook are captured within this manual.

1.2. Purpose

1.2.1. The role of the ARC is to advise the HRA Accounting Officer and the HRA Board on internal and external audit services, risk management, corporate governance and assurance arrangements in the HRA.

1.2.2. The Authority’s Standing Orders (SOs) state that the committee will advise the Board and Accounting Officer on:

1.2.2.1. the strategic processes for risk, control and governance and the Governance statement

1.2.2.2. the accounting policies, the accounts, and the annual report of the organisation, including the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors

1.2.2.3. the planned activity and results of both internal and external audit

1.2.2.4. adequacy of management response to issues identified by audit activity, including external audit’s management letter

1.2.2.5. assurances relating to the management of risk and corporate governance requirements for the organisation

1.2.2.6. (where appropriate) proposals for tendering for either Internal or External Audit services or for purchase of non-audit services from contractors who provide audit services

1.2.2.7. anti-fraud policies, whistle-blowing processes and arrangements for special investigations

1.2.2.8. losses and special payments

1.2.2.9. single tender actions, any novel procurement practices and contracts entered into above £100,000

1.2.3. The ARC will also periodically review its own effectiveness and report the results of the review to the Board.

1.3. Membership

1.3.1. Membership will be made up of 3 non-executive directors of the HRA and, in addition, up to 2 external members of the ARC. All members should be independent and should have considerable professional and leadership experience; one must have recent and relevant financial experience and at least one member should have experience from outside the NHS or public sector.

1.3.2. One of the members will be appointed Chair of the ARC by the Board.

1.3.3. The ARC has the right to bring in additional independent, non-executive members from sources other than the Board to ensure an appropriate level of skills and experience as required.

1.4. Attendance

1.4.1. The Deputy Chief Executive & Director of Resources and appropriate Internal and External Audit representatives shall normally attend meetings. At least once a year the ARC should meet privately with the External and Internal Auditors. The ARC will aim to meet with Internal Auditors prior to each meeting where possible.

1.4.2. The Chief Executive and other Executive Directors or nominated deputies, should be invited to attend as appropriate, but particularly when the ARC is discussing areas of risk or operation that are the responsibility of that director.

1.4.3. The Chief Executive should be invited to attend at least annually to discuss with the ARC the process for assurance that supports the governance statement. They may attend when the ARC considers the Annual Accounts and Draft Internal Audit Plan.

1.4.4. Any other person may also attend with the agreement of the Chair of the ARC.

1.4.5. The Company Secretary will ensure that an efficient secretariat service is provided to the ARC.

1.4.6. A representative from the Department of Health & Social Care Sponsor Team should be invited to attend the ARC annually to discuss relevant matters including risks affecting the wider system.

1.4.7. The ARC may meet in private, without management present, as and when required.

1.5. Quorum

1.5.1. A quorum shall be three members, two of whom must be non-executive members.

1.6. Frequency of meetings

1.6.1. Meetings shall be held not less than four times a year and are well-aligned with the audit and assurance cycle.

1.6.2. The External Auditor or Head of Internal Audit may request a meeting.

1.6.3. The Chair of the ARC may convene additional meetings as they deem necessary.

1.7. Authority

1.7.1. The ARC is authorised by the HRA Board to investigate any activity within its terms of reference and is authorised to seek any information it requires from any employee. All employees are directed to co-operate with any request made by the ARC.

1.7.2. The ARC is authorised by the Board to obtain outside legal or other independent professional advice and to secure the attendance of outsiders with relevant experience and expertise if it considers this necessary.

1.8. Duties

1.8.1. Governance, Risk Management and Internal Control

1.8.1.1. The ARC shall review the establishment and maintenance of an effective system of integrated governance, risk management and internal control, across the whole of the organisation’s activities that supports the achievement of the organisation’s objectives. In particular, the ARC will review the adequacy of:

1.8.1.1.1. All risk and control related disclosure statements (in particular the governance statement), together with any accompanying Head of Internal Audit statement, external audit opinions or other appropriate independent assurances, prior to endorsement by the HRA Board.

1.8.1.1.2. The underlying assurance processes that indicate the degree of the achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure statements.

1.8.1.1.3. The policies and procedures for all work related to fraud and corruption as set out in Secretary of State Directions and as required by the Counter Fraud Specialists.

1.8.1.1.4. In carrying out this work the ARC will utilise the work of Internal Audit, External Audit and other assurance functions, but will not be limited to these audit functions. It will also seek reports and assurances from directors and managers as appropriate, concentrating on the over-arching systems of integrated governance, risk management and internal control, together with indicators of their effectiveness.

1.8.1.1.5. This will be evidenced through the ARC’s use of an effective forward agenda planner to guide its work and that of the audit and assurance functions that report to it.

1.8.1.1.6. The ARC will monitor compliance with SOs and SFIs and make recommendations to the Board.

1.8.1.1.7. The ARC will ensure that HRA is operating appropriate and effective raising concern practices (with any concerns raised regularly considered by the ARC).

1.8.1.1.8. The ARC will provide assurance to the Board that the organisation is properly managing its cyber risk including appropriate risk mitigation strategies.

1.8.1.1.9. The ARC will review the Authority’s Risk Register to satisfy themselves that assurance can be gained from the work of the Executive Directors and their Senior Managers who are responsible for managing risk as is reasonable.

1.8.1.1.10. To review the risks escalated from Strategic and Corporate Risk Registers, which are reviewed by the Executive Committee, to assess the status of risks at a corporate and operational level and the progress of control implementation, contingencies and action plans.

1.8.1.1.11. To undertake deep dives in core and emerging risk areas to understand the risk and challenge management as required.

1.8.1.1.12. The ARC shall review Losses and Special Payments, which will include the write off of bad debts and payments outside the scope of contractual arrangements.

1.8.1.1.13. The ARC will review its own effectiveness and that of internal and external audit on an annual basis. The National Audit Office effectiveness tool will be utilised in combination with an open discussion by the Committee.

1.9. Internal Audit

1.9.1. The ARC shall ensure that there is an effective internal audit function that meets mandatory Internal Audit Standards and provides appropriate independent assurance to the ARC, Chief Executive and HRA Board. This will be achieved by:

1.9.1.1. Consideration of the provision of the Internal Audit service, the cost of the audit and any questions of resignation and dismissal.

1.9.1.2. Review and approval of the Internal Audit strategy, operational plan and more detailed programme of work, ensuring that this is consistent with the audit needs of the organisation, consideration of the major findings of internal audit work (and management’s response) and ensure co-ordination between the Internal and External Auditors to optimise audit resources.

1.9.1.3. Ensuring that the Internal Audit function is adequately resourced and has appropriate standing with the organisation.

1.9.1.4. Regular review of the effectiveness of internal audit.

1.9.1.5. Ensuring the internal auditors’ access to the ARC, encouraging communication beyond scheduled committee meetings.

1.10. External Audit

1.10.1. The ARC shall review the work and findings of the External Auditor and consider the implications and management’s responses to their work. This will be achieved by:

1.10.1.1. Consideration of the performance of the External Auditor.

1.10.1.2. Regular review of the effectiveness of external audit.

1.10.1.3. Discussion and agreement with the External Auditor, before the audit commences, of the nature and scope of the audit as set out in the Annual Plan, and ensure co-ordination, as appropriate, with Internal Audit.

1.10.1.4. Discussion with the External Auditors of their evaluation and audit risks and assessment of the HRA and associated impact on the audit fee.

1.10.1.5. Review all External Audit reports, including agreement of the annual audit letter before submission to the HRA Board and any work carried outside the annual audit plan together with the appropriateness of management responses.

1.11. Risk Management Assurance

1.11.1. To ensure the HRA has an effective risk management strategy and that a review of the main risks managed by the Executive is undertaken annually to support the governance assurance statement and the annual report.

1.11.2. To ensure the Board is provided with regular assessments of the risks facing the Authority.

1.11.3. To ensure the HRA has a suitable management structure and the necessary resources to manage risk effectively.

1.11.4. To ensure that the HRA has a suitable risk management policy and submit to the Board for approval.

1.11.5. To ensure the HRA has a communications plan for risk management and it is incorporated into the Authority’s communication strategy.

1.11.6. To ensure that an effective risk escalation process is in place to manage urgent and ad hoc issues.

1.11.7. To ensure there are robust arrangements around fraud risk management.

1.12. Other Assurance Functions

1.12.1. The ARC shall review the findings of other significant assurance functions, both internal and external to the organisation and consider the implications to the governance of the organisation.

1.12.2. In addition, the ARC may review the work of other committees within the organisation, whose work can provide relevant assurance to the ARC’s own scope of work.

1.13. Management

1.13.1. The ARC shall request and review reports and positive assurances from directors and managers on the overall arrangements for governance, risk management and internal control; this will include the review of the schedules of losses and special payments.

1.13.2. The ARC shall satisfy itself that the HRA has adequate arrangements in place for countering fraud and shall review the outcomes of counter-fraud work and approve the counter-fraud work programme for the HRA.

1.13.3. They may also request specific reports or deep dives from individual functions within the organisation as may be appropriate to the overall arrangements.

1.14. Financial reporting

1.14.1. The ARC shall review the Annual Report and Financial Statements before submission to the HRA Board focusing particularly on:

1.14.2. The wording in the Governance Statement and other disclosures relevant to the Terms of Reference of the Committee

1.14.3. Changes in, and compliance with, accounting policies and procedures.

1.14.4. Unadjusted misstatements in the financial statements. Major judgmental areas.

1.14.5. Significant adjustments resulting from the audit.

1.14.6. The ARC should also ensure that the systems for financial reporting to the HRA Board, including those of budgetary control, are subject to review as to completeness and accuracy of the information provided to the HRA Board.

1.14.7. Where it is decided that competitive tendering is not applicable and a Single Tender action is used, this fact and the reasons should be documented and recorded in an appropriate Authority record and reported to the ARC at each meeting if above the appropriate limit.

1.15. Reporting

1.15.1. The minutes of the ARC meetings shall be formally recorded. The minutes will be summarised and forwarded to the members of the HRA Board and published on the HRA website.

1.15.2. The Chair of the ARC shall draw to the attention of the HRA Board any issues that require further consideration at the full HRA Board, or require executive action. The circulation of any confidential minutes will be at the discretion of the ARC Chair. The final minutes will also be shared with the DHSC sponsor.

1.15.3. A summary of the work conducted by the ARC, and how it discharged its duties, will form part of the Governance Statement within the HRA Annual Report and Accounts.

1.15.4. The ARC will receive the following reports on an annual basis:

1.15.4.1. Information Governance annual report

1.15.4.2. Business continuity annual report

1.15.4.3. Environmental sustainability annual report

1.15.4.4. Health, safety and welfare annual report

1.15.4.5. Raising concerns annual report

1.15.4.6. Declaration of interest and gifts annual report

1.16. Other matters

1.16.1. The ARC shall be supported administratively by the Secretary to the Authority, whose duties in this respect will include:

1.16.1.1. Agreement of agenda with Chair and attendees and collation of papers.

1.16.1.2. Ensuring appropriate minutes are taken and a record of matters arising and issues to be carried forward is maintained.

1.16.1.3. Advising the ARC on pertinent areas.

1.17. Papers

1.17.1. All papers for the ARC meetings will be circulated at least 5 working days in advance of meetings and in a form prescribed by the ARC.

1.17.2. Draft minutes of each meeting will be circulated within 10 working days for comment and will provide a clear record of decisions reached and actions agreed. Minutes will be formally approved at the subsequent meeting.

1.17.3. The Secretary will maintain an action log, which will be reviewed at each meeting.

1.18. Review

1.18.1. The ARC will review the Terms of Reference every two years.

1.18.2. The HRA Board will be responsible for reviewing and agreeing the Terms of Reference.

1.18.3. Following Board approval, the Terms of Reference will be published on the HRA website.

2. Relationship with Internal audit

2.1. Role

2.1.1. Internal Audit is an appraisal or monitoring activity established by Management and directors to review and report on the adequacy and effectiveness of the system of internal control. This includes both financial and operational control and will encompass Risk Management, Governance, Accounting, Information Technology, Human Resources and Value for Money issues.

2.1.2. Effective internal audit requires the function to be a service to management at all levels, which identifies, evaluates and provides an opinion on the adequacy of the organisation’s internal control framework with reference to achieving the organisation’s objectives.

2.1.3. Internal Audit is a key part of the HRA’s internal control system because it measures and evaluates the adequacy and effectiveness of other controls so that:

2.1.3.1. the Authority and senior management can know the extent to which they can rely on the whole system;

2.1.3.2. and individual managers can know how reliable the systems and controls for which they are responsible are, and any remedial action required.

2.2. Approach to internal audit

2.2.1. Internal Audit takes a risk-based approach to audit in order to comply fully with the requirements of the Global Internal Audit Standards. This not only ensures compliance with best professional standards, but also ensures that External Audit may place reliance on the results of the work and makes a positive contribution to the Authority’s Annual Governance Statement. In some areas different approaches are required. Therefore regularity, contract and VFM audit techniques are employed where appropriate.

2.3. Statement of assurance

2.3.1. In order to provide the required statement of assurance, the Internal Audit service will undertake a programme of work, over a cycle authorised by the Authority, to achieve the following objectives:

2.3.1.1. to review and appraise the soundness, adequacy and application of the whole system of control;

2.3.1.2. to ascertain the extent to which the whole system of internal control ensures compliance with established policies and procedures;

2.3.1.3. to ascertain the extent to which the assets and interests entrusted to, or funded by, the Authority are properly controlled and safeguarded from losses of all kinds;

2.3.1.4. to ascertain that management information is reliable as a basis for the production of financial and other returns;

2.3.1.5. to ascertain the integrity and reliability of information provided to management including that which is used in decision-making; and to ascertain that systems of control are laid down and operate to achieve the most economic, efficient and effective use of resources.

2.3.2. In providing the annual assurance opinion, it should be noted that assurance can never be absolute. The most that the Internal Audit service can provide to the Accounting Officer and Audit and Risk Committee is a reasonable assurance that there are no major weaknesses in risk management, governance and control processes.

2.4. Reporting lines

2.4.1. Internal Audit is under the independent control and direction of the ARC on behalf of the Authority. It is the responsibility of the ARC to oversee the appointment and cost of Internal Audit provision.

2.4.2. The HRA has an assigned Head of Internal Audit provided through an agreement with the Government Internal Audit Agency.

2.4.3. The ARC each year approves a rolling programme of audit work which will be prioritised in line with an assessment of the Authority’s key risks. The Deputy Chief Executive & Director of Resources monitors progress against this programme in liaison with the Internal Auditors and they report regularly to the ARC on this.

2.4.4. In respect of each Internal Audit assignment, the Internal Auditors present their findings to the Deputy Chief Executive & Director of Resources who will, with the appropriate Director and/or Head of Service, and support from the QA Team, co-ordinate a response. The Internal Auditors then present their report and recommendations, together with management’s response, to the next available meeting of the ARC.

2.4.5. Management responses to Internal Audit findings identify responsibility for implementing recommendations and the line Director ensures that this is done within the agreed timescale. The QA Manager provides a report at each meeting of the ARC on progress with implementing recommendations.

2.4.6. Internal Audit submits an annual report to the ARC that includes an overall assessment of Risk Management, Corporate Governance and the Control Environment for the year in question and a comparison of actual and planned activity for the period.

2.5. Rights of internal auditors

2.5.1. Internal Auditors have authority to:

2.5.1.1. Enter (or require entry) into HRA premises at any time

2.5.1.2. Access all records, documents and correspondence (including those held on computers) which may relate to financial or operational matters of the Authority

2.5.1.3. Require and receive from staff or Authority members such explanations as are necessary concerning any matter under review

2.5.1.4. Require any staff or member to produce upon request any cash, stores, documents or other Authority property under his/her control

2.5.1.5. Meet freely and confidentially with the ARC Chair.

2.5.2. Staff and Authority members will co-operate openly and honestly with reviews.

2.5.3. Board papers and other relevant papers will be shared with the Head of Internal Audit for information.

3. Relationship with External audit

3.1. Role

3.1.1. The External Auditor for the HRA is a statutory appointment. The Comptroller and Auditor General (C&AG) is the auditor for the Health Research Authority.

3.1.2. The C&AG is an officer of the House of Commons appointed by the King to report to Parliament on the spending of central government money. The C&AG is therefore independent of Government.

3.1.3. The C&AG is granted comprehensive audit and inspection rights and has appointed the staff of the National Audit Office (NAO) to act on his behalf.

3.1.4. The NAO conducts financial audits of all government departments and agencies and many other public bodies, and reports to Parliament on the value for money with which these bodies have spent public money. Its relations with Parliament are central to its work, and they work closely with other public audit bodies that have a role in other areas of public expenditure. The NAO has three main work streams – Financial Audit, Value for Money audits (VFM) and Investigations.

3.1.5. A representative from External Audit may meet freely and confidentially with the ARC Chair.

3.2. Financial audit

3.2.1. The NAO is responsible for auditing the accounts of all Government departments and agencies, and most ‘arm’s length’ public bodies including HRA and other Non-Departmental Public Bodies. The NAO is also responsible for auditing all National Loans Fund accounts and has several International clients.

3.2.2. The C&AG is required to form an opinion on whether the financial statements give a true and fair view, and that they have been properly prepared.

3.2.3. The C&AG is also required to form an opinion on regularity, i.e. that income and expenditure has been used as intended by Parliament, and that transactions have appropriate authority.

3.2.4. If the NAO identifies material misstatements, the C&AG will issue a qualified audit opinion.

3.2.5. Where there are no material misstatements or irregularities in the accounts, the C&AG may nonetheless prepare a report to Parliament on other significant matters. Such reports may be considered by the Committee of Public Accounts.

3.3. NAO timetable

3.3.1. Each year, the NAO is committed to presenting the following to the HRA:

3.3.1.1. Audit Planning Report (prior to commencement of the audit) – This document outlines the risks identified during audit planning and the audit approach taken to address those risks

3.3.1.2. Audit Completion Report, for May/June ARC – This letter contains:

3.3.1.2.1. unexpected modifications to the C&AG’s certificate and report;

3.3.1.2.2. unadjusted misstatements (other than those deemed to be trivial);

3.3.1.2.3. material adjusted misstatements; material weaknesses in accounting and internal control systems identified;

3.3.1.2.4. and NAO’s views about the qualitative aspects of the Authority’s accounting practices and financial reporting

4. Relationship with the Executive

4.1. The Chief Executive of the HRA is the Accounting Officer and is responsible for ensuring that the HRA operates:

4.1.1. sufficient and robust internal controls

4.1.2. comprehensive financial reporting systems

4.1.3. adequate systems for the identification and mitigation of risk

4.1.4. adequate governance arrangements

4.2. The Accounting Officer will discharge these duties through the Deputy Chief Executive & Director of Resources who will ensure that an adequate framework is in place so that suitable assurance and reliance can be derived. This is obtained through key documents submitted to the ARC such as financial / governance papers (e.g. accounts, policies), risk strategies / policies (e.g. risk register) and audit strategies / papers (e.g. audit plans, findings, reports).

4.3. The Accounting Officer will undertake the following activities:

4.3.1. Internal audit

4.3.1.1. Make recommendations to the ARC to appoint the HRA’s internal auditors.

4.3.1.2. Review its audit plan and agree with internal audit the plan to be presented for consideration by the ARC.

4.3.1.3. Review the content / scope of each audit that makes up the yearly audit programme. The annual audit programme will cover three areas: financial, governance and operational. These will be risk-based in nature.

4.3.1.4. Review and agree the audit findings prior to submission to the ARC. If audit findings are not agreed with the Accounting Officer, internal audit have a right to report independently to the ARC.

4.3.1.5. Agree a response to audit findings with time-frames for any actions necessary.

4.3.1.6. Present regular reports (assurance dashboard) to the ARC.

4.3.1.7. Note. The ARC can commission its own investigations / value for money studies.

4.3.2. External audit

4.3.2.1. Review external audit planning report and agree with the external auditors the plan to be presented for consideration by the ARC.

4.3.2.2. Review the content / scope of each audit that makes up the yearly audit programme. These will be risk-based and may include national initiatives.

4.3.2.3. Review and agree the audit findings prior to submission to the ARC. If audit findings are not agreed with the Accounting Officer, external audit has a right to report independently to the ARC.

4.3.2.4. Agree a response to audit findings with timeframes for any actions necessary.

4.3.2.5. Present regular reports to the ARC.

4.3.2.6. Note. The ARC can commission its own investigations / value for money studies.

4.3.3. Risk register

4.3.3.1. Produce a risk framework, including strategic and corporate risk registers, for review by ARC.

4.3.4. Governance

4.3.4.1. Ensure financial / governance policies / systems are presented to the Audit Committee for approval.
