page
Annual Report from the Chair of the Audit and Risk Assurance Committee (ARAC)
FSA 25/09/09 - Report by Anthony Harbinson, Chair, FSA ARAC
1. Summary
1.1 To provide the Board with a summary of the work undertaken by the FSA ARAC during 2024/25 in accordance with the ARAC’s Terms of Reference (see Annex C).
1.2 The Board is asked to:
-
Note the work that has been undertaken by the ARAC during the 2024/25 financial year; and
-
Note that this report has been agreed with the other members of the ARAC.
2. Introduction
2.1 The report sets out the work of the ARAC that I have chaired since the 1 January 2024 in relation to the Committee’s activities in England, Wales, and Northern Ireland (NI) during the year to 31 March 2025.
2.2 I would like to thank all my fellow Board Members who served on the ARAC during the year, and in particular, the previous Chief Executive (CE), Emily Miles, the current CE, Katie Pettifer, as well as the Board Secretariat team for their supportive and professional approach.
2.3 I would also like to thank the FSA’s Internal Audit Team, Catherine Andrews, the Head of Internal Audit, Ruth Nolan, the Director of People and Resources, other FSA officials and representatives of the National Audit Office (NAO) who have attended the meetings during the year to present reports which have provided the basis for much of the ARAC’s work.
2.4 The respective roles of the CE, ARAC and Board are set out at Annex A.
3. Discussion
Key Events in 2024/25
3.1 ARAC meetings took place in June, September, and November 2024 and March 2025. ARAC meetings are now held in person apart from the September meeting which was held virtually. For details of ARAC membership see Annex B.
3.2 The drafts of the Head of Internal Audit’s 2023/24 Annual Report and Opinion and the ARAC Chair’s Annual Report to the Board for 2023/24 were discussed at the June 2024 meeting. The draft 2023/24 Annual Report and Accounts were discussed at the September and November 2024 meetings. We expected to receive NAO’s Management Letter on the 2023/24 financial statements audit at the March 2025 meeting, but this was not presented until the June 2025 meeting.
3.3 The corporate risk register was presented to and discussed by the ARAC at the June and November 2024 and March 2025 meetings with a below the line paper received in September 2024. The Committee also received regular risk management updates at ARAC meetings on the FSA’s mitigations for information security risks and those in the change portfolio of programmes and projects.
3.4 ARAC reviewed, discussed and approved the draft internal audit and regulatory audit plans for 2025/26 when we met in March 2025. The audit plans were approved with the understanding that these may be subject to revision over the year in response to changes in the FSA’s risk profile or other events impacting on the FSA.
3.5 ARAC received notification of, and regular updates on, any investigations conducted during the year where there was potential for compliance, financial, or reputational risk. No new fraud cases required formal investigation during 2024/25 (in 2023/24 there were two new cases).
3.6 In May 2025, following a high-profile case, I requested that internal audit undertake a short review of the process reviewing abattoirs when non-compliance has been escalated to the point that their approval to operate may be suspended / withdrawn. The report gave a moderate assurance opinion.
The FSA’s 2023/24 Annual Report and Accounts (ARA)
3.7 The Governance Statement was presented to ARAC in June 2024, and the first versions of the Annual Report and Accounts for Westminster, Wales, Northern Ireland and Consolidated were presented at the September 2024 meeting. No significant issues were raised by Members.
3.8 Due to several factors, which included the timing of the Local Government Pension Scheme (LGPS) pension audit and complexities arising from the change in accounting system, the NAO did not complete their audit of the accounts until January 2025. At the November 2024 meeting, ARAC acknowledged the changes to the ARA since the previous meeting and agreed that I, as Chair of ARAC, could make the final recommendation to the CEO to sign the ARA outside of ARAC, once the Annual Report and Accounts had been finalised and the audit concluded satisfactorily.
3.9 FSA and NAO continued to work together following the ARAC meeting, agreeing that the four sets of accounts would be submitted to the Comptroller and Auditor General (C&AG) for certification in January. The Accounting Officer signed the accounts on 16 January 2025, and the C&AG certified the accounts on 23 January 2025 with an unqualified audit opinion.
Internal and External Assurance 2024/25
3.10 All final internal audit (IA) and regulatory audit (RA) reports issued during the year were shared with me. Other ARAC members received a copy of audit reports with a “limited” or “unsatisfactory” opinion (see Annex D for audit assurance level definitions) and relevant Directors are invited to discuss such reports with ARAC.
3.11 Two IA audits completed during 2024/25 and one RA audit completed during 2023/24 which resulted in a “limited” opinion have been discussed at ARAC during 2025/26 (due to the reports being issued towards the end of 2024/25). No audits had an “unsatisfactory” opinion.
3.12 The executive summary of each report with a “substantial” or “moderate” opinion was shared with ARAC Members as part of the respective progress reports on internal and regulatory audit activities presented to ARAC meetings. The Committee was updated regularly on actions taken by management teams to address the issues raised in all internal and regulatory audit reports.
3.13 A summary of assurance activities and outputs for 2024/25 is in the table below. The figures for 2023/24 are provided for comparison.
|
Internal Audit Reports |
||
|---|---|---|
|
Assurance activities and outputs |
No. of reports 2023/24 |
No. of reports 2024/25 |
|
Substantial |
4 |
0 |
|
Moderate |
6 |
2 |
|
Limited |
1 |
2 |
|
Unsatisfactory |
0 |
0 |
|
Advisory Reports/Management Letters |
1 |
4 |
|
Total number of reports issued |
12 |
8 |
|
Number of Planned Audits |
12 |
9 |
|
Regulatory Audit Reports |
||
|---|---|---|
|
Assurance activities and outputs |
No. of reports 2023/24 |
No. of reports 2024/25 |
|
Substantial |
0 |
2 |
|
Moderate |
1 |
0 |
|
Limited |
1 |
0 |
|
Unsatisfactory |
0 |
0 |
|
Opinion Not applicable |
2 |
0 |
|
Total number of reports issued |
2 |
2 |
|
Number of Planned Audits |
3 |
4 |
3.14 The Committee also received summaries of reports in relation to external audits and reviews conducted by third parties such as an in-country audit from Mexico reviewing pork meat production controls, a security test of the Food Hygiene Ratings System website and an assessment from the Royal Society for Public Health of the FSA’s Direct Claim status for various qualifications. Full reports of such reviews and audit reports are provided to ARAC Members on request.
3.15 At the November meeting the ARAC received the latest iteration of our assurance map, with an evolved structure which more clearly linked risk appetite with the FSA’s strategic objectives and aligned with the Risk Control Framework set in the updated UK Government guidance for risk management, the ‘Orange Book’. This was followed by a progress update at the March meeting where the ARAC also received a proposal on an approach to verify and assess the effectiveness and quality of controls in place for our organisational control framework. We were supportive of the evolved assurance map and verification approach.
ARAC Effectiveness
3.16 During the year Committee Members and standing attendees completed our annual self-assessment on the effectiveness of the ARAC in line with HM Treasury guidance utilising the NAO self-assessment tool. We saw a small improvement in our scores from last year and are either meeting or excelling against the required criteria. However, we identified some areas where we could improve such as range of skills, training and development, other skills and assurance mapping. An action plan to improve these areas was developed and has been implemented.
3.17 ARAC Members continued to access a range of training opportunities during the year, especially those new to the Committee. I have introduced ‘information sessions’ after ARAC meetings to upskill the Committee in areas such as assurance mapping, the Global Internal Audit Standards and the HM Treasury ARAC handbook.
3.18 In June 2024, Members of the Committee held bilateral meetings with representatives of the FSA’s external auditors, the NAO, and the Head of Internal Audit. These meetings ensured that there is a clear understanding of expectations and mutual understanding of current issues. The Committee also concluded that there is a good working relationship between finance, external auditors, and internal and regulatory audit.
Adequacy of Risk Management, Control and Governance Arrangements
3.19 I am satisfied that sufficient and comprehensive work was undertaken by ARAC, and internal and external assurances were received during the year to adequately inform ARAC’s assessment on the effectiveness of FSA risk management, control and governance arrangements. Based on this, it is my view, as Chair of the Committee, that the arrangements in place during the year were satisfactory.
4. Future ARAC Meetings
4.1 During 2024/25 ARAC meetings were held approximately two weeks before Board meetings to enable a written report of ARAC meetings to be presented at the Board meeting. It is expected that the Committee will continue with this approach and will meet four times in 2025/26 with no increase in resource requirements anticipated.
Annex A - Role of the ARAC
-
The Committee’s prime purpose is to provide advice to the Board and the Accounting Officer on internal control, risk management and governance.
-
Internal and external auditors attend ARAC meetings. Others may be asked to attend where the Committee wishes to review progress on specific issues.
The role of the FSA Board
-
This annual report by the Chair of the ARAC provides the Board with an independent view of how assurance and risk matters are being handled within the FSA. The Board’s role is to note and comment on the activities of the ARAC.
The role of the Chief Executive
-
HM Treasury has appointed the Chief Executive as the Principal Accounting Officer of the FSA. The Chief Executive has a direct, personal responsibility to the Westminster Parliament for the propriety and regularity of FSA expenditure. The Chief Executive also signs the financial statements in respect of the monies from the National Assembly for Wales and the NI Assembly.
-
The Chief Executive is required to sign the annual Governance Statement, which is published in the Annual Report and Accounts.
Annex B – Membership of the FSA Audit and Risk Assurance Committee 2024/25
Members:
Anthony Harbinson Chair
Timothy Riley Member
Margaret Gilmore Member
Fiona Gatley Member (from 1 July 2024)
Mark Rolfe Member (from 27 September 2024)
Justin Varney Member (until 30 June 2024)
Standing Attendees:
Emily Miles Chief Executive (until 8 September 2024)
Katie Pettifer Chief Executive (from 9 September 2024)
Ruth Nolan Director of People and Resources
Ed Clift Deputy Director of Finance, Planning and Commercial
Catherine Andrews Head of Internal Audit
Michael Todd Head of Planning, Performance and Risk
James Edmands NAO
Andrew Jackson NAO
Annex C - Terms of Reference for the FSA Audit & Risk Assurance Committee
Purpose
The Audit and Risk Assurance Committee (ARAC) is an advisory Committee of the FSA Board with no executive powers. It is responsible for reviewing, in a non-executive capacity, the comprehensiveness and reliability of assurances on governance, risk management and the control environment.
The ARAC will approve the Annual Reports and Accounts (ARAs) on behalf of the FSA Board, with the recommendation that the Accounting Officer sign the accounts on approval. It shall additionally have responsibility for reviewing the integrity of financial statements.
Membership
A minimum of four Members of the FSA Board appointed by the FSA Chair under delegated powers following consultation with the Committee Chair. At least one of those appointed will be a Board Member for Wales or Northern Ireland. The Deputy Chair, Chair of the Business Committee, will attend ARAC to ensure effective communication and co-ordination between the committees.
The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board and will automatically cease if an individual ceases to be a Board Member.
At least one of the Committee members should have recent and relevant financial experience.
All new members will be provided with induction training and the FSA will provide for any additional development which is deemed necessary for the member to fulfil their role on the Committee. The Chair of the ARAC will hold an annual review with each member and any training or development needs will be taken forward with the agreement of the Chair and Accounting Officer.
Committee Chair
Appointed from the membership of the Committee by the Chair of the FSA under delegated powers. The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board.
Co-option
The Committee may co-opt additional members (whether members of the FSA Board or not) for a period of up to one year to provide specialist skills, knowledge or experience. Co-opted members will have a right to speak, but not vote. Co-opted members will not be included in any calculation of the quorum.
Quorum
Three Non-Executive Board Members.
Attendance
The Chief Executive, as Accounting Officer, the Director of People and Resources, the Deputy Director of Finance and Planning, the Head of Planning and Performance, the Head of Internal Audit, and a representative of the external auditors would normally be invited to attend. Directors and other officials will be invited to attend as required.
Reporting
The ARAC Chair will provide the Chair of the FSA and the Board with a written update on the key elements of Committee meetings. The ARAC will report formally in writing to the Board, annually, to support the finalisation of the accounts and the Governance Statement and to update the Board on the work of the Committee, internal and external audit and any areas requiring specific attention.
Meetings
The ARAC will meet at least four times a year. The Chair of the Committee will convene additional meetings as necessary. The Committee has the right to sit privately without any non-members present for all or part of a meeting.
Additionally, the members of the Committee will meet with the Head of Internal Audit and, separately, the External Auditors, annually, in closed meetings when the efficacy of the processes, trust, co-operation and any other issues can be discussed, and future action agreed.
The FSA Chair, the Board or the Accounting Officer may ask the ARAC to convene further meetings to discuss specific issues on which they want the Committee’s advice.
Responsibilities
The ARAC will advise the FSA Board and Chief Executive on:
1. The strategic processes for risk management, the high-level control and governance framework and the effectiveness of its operation in practice
2. The contents of the Governance Statement
3. The accounting policies, the accounts, and the annual report of the FSA, including the judgements used in producing the accounts, the adequacy of disclosures, the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors
4. The effectiveness of the design and operation of financial systems and controls
5. The planned activity and results of internal, regulatory and external audit and the results of other, external assurance reports
6. The resourcing and effectiveness of the internal audit function
7. Provide independent scrutiny of the audit process of the regulatory audit system
8. The adequacy of the management response to issues identified by audit activity, including external audit management letters
9. Assurances relating to the corporate governance requirements for the organisation
10. Proposals for tendering for either internal or external audit services or for the purchase of non-audit services from contractors who provide audit services
11. Counter-fraud and internal whistle-blowing policies and processes, and arrangements for special investigations; and
12. The Committee’s effectiveness having reviewed its own performance, constitution and terms of reference and recommending any changes it considers necessary
Information Requirements
The ARAC will be provided with, where appropriate:
1. Any changes to the organisation’s Corporate Risk Register that are relevant to the responsibilities of the Committee
2. The risk management strategy
3. Management assurance reports, and reports on the management of major incidents (which are relevant to governance, risk management and internal control) ‘near misses’ and lessons learned including those from serious case reviews
4. A bi-annual overview of external complaints and related data
5. An annual report of FSA’s Senior Civil Servant’s declarations of interest
6. An annual report on and the performance of the FSA’s arrangements for counter fraud, bribery and corruption
7. An annual overview of the Business Appointment Rules
8. Information Security annual report and periodic updates
9. Environmental, climate change and net zero annual update
10. Periodic updates summarising significant Projects and Programmes.
11. A bi-annual overview of current litigation and associated risks
12. Progress reports from both the Head of Internal Audit and Head of Delivery Assurance summarising:
-
work performed (and a comparison with work planned)
-
key issues emerging from their respective audit work
-
management action in response to issues identified and agreed
-
changes to their respective audit plans
-
any resourcing issues affecting the delivery of their objectives
13. Progress reports from the External Audit representatives summarising work done and emerging findings
14. External assurance and compliance reports in relation to the FSA’s activities
15. Internal audit and regulatory audit strategies and annual plans
16. The Head of Internal Audit’s Annual Opinion and Report
17. Quality Assurance reports on the internal audit and regulatory audit functions
18. An annual overview of the FSA’s assurance map
19. The draft accounts of the organisation
20. The draft Governance Statement
21. Any changes to accounting policies
22. Proposals to tender for audit functions
23. Summary of findings of every internal audit and regulatory audit report
24. External Audit’s management letter; and
25. A report on cooperation between the FSA auditors and external auditors
The ARAC will work with the FSA’s Executive Management Team to ensure that the Board can be confident that risk management processes, content, mitigating and recovery actions are appropriate and correctly resourced.
Notes
1. The Chair of the ARAC will have free and confidential access to the Chair and Chief Executive of the FSA whenever appropriate
2. The Head of Internal Audit and the representatives of External Audit will have free and confidential access to the Chair of the Committee
3. The Committee may procure specialist ad-hoc advice at the expense of the FSA, subject to the cost being agreed by the Chief Executive as Accounting Officer
(Agreed by the Board December 2024)