
Audit & Risk Assurance Committee - March 2023

INFO 23-03-02

Summary Report of 10 February 2023 meeting

The Committee considered the following:

Draft Internal Audit Plan 2023/24

The Head of Internal Audit presented the draft internal audit plan for 2023/24, which consists of ten assurance, two advisory and three reserve reviews. ARAC discussed the plan and requested a few minor changes, which will be reflected in the final version to be presented to ARAC on 14 March 2023.

Draft Regulatory Audit Plan 2023/24

ARAC discussed the draft regulatory audit plan for 2023/24 presented by the Head of Delivery Assurance. A final version will be presented to ARAC on 14 March 2023.

Review of FSA Policies for managing "Regulatory Capture" risks

The Deputy Head of Internal Audit presented the results of a review, requested by the Chief Executive Officer, looking at the comprehensiveness and adequacy of FSA policies and guidance on conflicts of interest and on the tactics that corporations use to influence regulatory policy and operational decision making. ARAC noted and discussed the report. The recommendations will go to the Executive Management Team for their consideration.

Deep Dive: Cyber Security and Data Governance

FSA officials presented a deep dive to explain how data governance and cyber security controls work within the FSA. Consideration was given to case studies of the HMRC Strategic Solution data ingestion and of e-mail security. Cyber security will be further discussed at the ARAC meeting on 14 March 2023.

Date of next meeting:

14 March 2023, 11:00 - 13:00

Updated Terms of Reference

Following the split of the Audit Assurance team, the ARAC terms of reference have been updated to reflect the current FSA structure (Annex A).

The Board is asked to note the changes prior to the formal review of the terms of reference at the end of the year.

Summary Report of 14 March 2023 meeting

The Committee considered the following:

Executive Update

The Director of People and Resources updated ARAC on the period 11 financial position; the timing of the annual report and accounts for 2022/23, which will be post recess with the audit in the autumn; the Connect programme; Pay and Benefits; and the ongoing governance review. The Chief Executive Officer also detailed the areas she sees as highest risk / areas of concern. ARAC welcomed the update and noted the current areas of concern.

Internal Audit and Regulatory Audit Progress Report

The Head of Internal Audit and the Head of Delivery Assurance presented the report detailing progress in delivering the audit plan for 2022/23. It summarised the work of internal audit within the FSA and of regulatory audit in England, Wales and Northern Ireland. ARAC noted the report and discussed some aspects of regulatory audit.

National Audit Office (NAO) Management Letter 2021/22

NAO presented their management letter in respect of the 2021/22 financial audit, noting that the annual report and accounts for the FSA entities were certified without qualification by the Comptroller and Auditor General on 16 January 2023.

Interim Accounts Update

The Financial Controller gave ARAC members an oral update on the progress of the interim audit, which started last week. There are no issues to note.

Governance Statement

The Financial Assurance Manager presented the first draft of the governance statement which will be part of the annual report and accounts for 2022/23.  ARAC members gave their views which will be fed into the next iteration of the governance statement.

Information Security Risk Update

FSA officials presented a paper following on from the data governance and cyber security deep dive at the 10 February 2023 meeting. It summarised the risks in these areas and the mitigating actions in place. ARAC noted the paper and discussed some of the detail.

ARAC Forward Look and Deep Dives

ARAC members discussed potential deep dives and their focus. FSA colleagues will provide ARAC members with a suggested protocol / options for determining future deep dives.

Date of next meeting:

16 May 2023, 11:00 - 13:00

Annex A - Terms of Reference for the Audit and Risk Assurance Committee

Purpose

The Audit and Risk Assurance Committee (ARAC) is an advisory Committee of the FSA Board with no executive powers. It is responsible for reviewing, in a non-executive capacity, the comprehensiveness and reliability of assurances on governance, risk management and the control environment.

The ARAC will approve the Annual Reports and Accounts (ARAs) on behalf of the FSA Board, with the recommendation that the Accounting Officer sign the accounts on approval. It shall additionally have responsibility for reviewing the integrity of financial statements.

Membership

A minimum of four Members of the FSA Board appointed by the FSA Chair under delegated powers following consultation with the Committee Chair. At least one of those appointed will be a Board Member for Wales or Northern Ireland.

The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board and will automatically cease if an individual ceases to be a Board Member.

At least one of the Committee members should have recent and relevant financial experience.

All new members will be provided with induction training and the FSA will provide for any additional development which is deemed necessary for the member to fulfil their role on the Committee. The Chair of the ARAC will hold an annual review with each member and any training or development needs will be taken forward with the agreement of the Chair and Accounting Officer.

Committee Chair

Appointed from the membership of the Committee by the Chair of the FSA under delegated powers. The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board.

Co-option

The Committee may co-opt additional members (whether members of the FSA Board or not) for a period of up to one year to provide specialist skills, knowledge or experience. Co-opted members will have a right to speak, but not vote. Co-opted members will not be included in any calculation of the quorum.

Quorum

Three Non-Executive Board Members.

Attendance

The Chief Executive, as Accounting Officer, the Director of People and Resources, the Deputy Director of Finance and Planning, the Head of Planning and Performance, the Head of Internal Audit, the Head of Delivery Assurance and a representative of the external auditors would normally be invited to attend.

Directors and other officials will be invited to attend as required.

Reporting

The ARAC Chair will provide the Chair of the FSA and the Board with a written update on the key elements of Committee meetings. The ARAC will report formally in writing to the Board, annually, to support the finalisation of the accounts and the Governance Statement and to update the Board on the work of the Committee, internal and external audit and any areas requiring specific attention.

Meetings

The ARAC will meet at least four times a year. The Chair of the Committee will convene additional meetings as necessary. The Committee has the right to sit privately without any non-members present for all or part of a meeting.

Additionally, the members of the Committee will meet with the Head of Internal Audit and, separately, the External Auditors, annually, in closed meetings when the efficacy of the processes, trust, co-operation and any other issues can be discussed and future action agreed.

The FSA Chair, the Board or the Accounting Officer may ask the ARAC to convene further meetings to discuss specific issues on which they want the Committee’s advice.

Responsibilities

The ARAC will advise the FSA Board and Chief Executive on:

1. The strategic processes for risk management, the high-level control and governance framework and the effectiveness of its operation in practice;

2. The contents of the Governance Statement; 

3. The accounting policies, the accounts, and the annual report of the FSA, including the judgements used in producing the accounts, the adequacy of disclosures, the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors; 

4. The effectiveness of the design and operation of financial systems and controls;

5. The planned activity and results of internal, regulatory and external audit and the results of other, external assurance reports;

6. The resourcing and effectiveness of the internal audit function;

7. Independent scrutiny of the audit process of the regulatory audit system;

8. The adequacy of the management response to issues identified by audit activity, including external audit management letters; 

9. Assurances relating to the corporate governance requirements for the organisation; 

10. Proposals for tendering for either internal or external audit services or for the purchase of non-audit services from contractors who provide audit services; 

11. Anti-fraud policies and whistle-blowing processes, and arrangements for special investigations; and 

12. The Committee’s effectiveness having reviewed its own performance, constitution and terms of reference and recommending any changes it considers necessary.

Information Requirements

The ARAC will be provided with, where appropriate:

1. Any changes to the organisation’s Corporate Risk Register that are relevant to the responsibilities of the Committee; 

2. The risk management strategy;

3. Management assurance reports, and report on the management of major incidents, ‘near misses’ and lessons learned;

4. Progress reports from both the Head of Internal Audit and the Head of Delivery Assurance summarising:

  1. work performed (and a comparison with work planned) 
  2. key issues emerging from their respective audit work 
  3. management action in response to issues identified and agreed 
  4. changes to their respective audit plans 
  5. any resourcing issues affecting the delivery of their objectives

5. Progress reports from the External Audit representatives summarising work done and emerging findings; 

6. External assurance and compliance reports in relation to the FSA’s activities;  

7. Internal audit and regulatory audit strategies and annual plans; 

8. The Head of Internal Audit’s Annual Opinion and Report; 

9. An annual report summarising the results of regulatory audits including an overall assessment / opinion on the effectiveness of official controls;

10. Quality Assurance reports on the internal audit and regulatory audit functions; 

11. The draft accounts of the organisation; 

12. The draft Governance Statement;

13. Any changes to accounting policies; 

14. Proposals to tender for audit functions; 

15. Summary of findings of every internal audit and regulatory audit report; 

16. External Audit’s management letter; and 

17. A report on cooperation between the FSA auditors and external auditors.

The ARAC will work with the FSA’s Executive Management Team to ensure that the Board can be confident that risk management processes, content, mitigating and recovery actions are appropriate and correctly resourced.

Notes

1. The Chair of the ARAC will have free and confidential access to the Chair and Chief Executive of the FSA whenever appropriate. 

2. The Head of Internal Audit and the representatives of External Audit will have free and confidential access to the Chair of the Committee. 

3. The Committee may procure specialist ad-hoc advice at the expense of the FSA, subject to the cost being agreed by the Chief Executive as Accounting Officer.