Effective Audit and Risk Assurance Committees

Foreword

An Audit and Risk Assurance Committee (ARAC) has a vital role in helping public sector organisations ensure that Accounting Officers and Boards gain the assurance they need on:

governance;
risk management;
the control environment;
the integrity of the financial statements; and
other elements of the Annual Report and Accounts.

The ARAC provides an important governance function, helping to ensure that an organisation has good corporate governance and that it is effective and well managed.

ARAC plays a crucial role in supporting the Board in meeting its obligations for setting an organisation’s risk appetite and ensuring that the framework of governance, risk management and controls is in place. This is highlighted in HM Treasury’s Corporate governance in central government departments: code of good practice guidance (April 2017).

ARAC’s role is a demanding one and requires strong and independent members with an appropriate range of skills and experience. It benefits from a collaborative relationship with the organisation to ensure that the committee gets the support and information that it needs.

An ARAC is essentially an oversight committee, however it has to satisfy itself that key controls are operating, that risks are being properly managed, that key accounting estimates and judgements are being properly made and that internal and external audits are effective.

ARAC should act as the conscience of the organisation, providing insight and constructive challenge where required, such as on risks arising from fiscal and resource constraints, new service delivery models, information flows on risk and control, and the agility of the organisation to respond to existing and emerging risks.

In the course of our work, the Northern Ireland Audit Office has worked closely with ARACs across the public sector, and this good practice guide draws on insights and learnings from NIAO’s attendance at many ARAC meetings. It examines the role of ARACs in local government in Northern Ireland in accordance with CIPFA’s Position Statement (2022) and how the principles apply to local government bodies in Northern Ireland.

I hope that ARAC Members, and the organisations they support, find this guide a useful tool in their continued efforts to ensure the highest standards in the delivery of public services in Northern Ireland.

Dorinnia Carville

Comptroller and Auditor General

March 2025

List of abbreviations

AI Artificial Intelligence

ALB Arm’s Length Body

ARAC Audit and Risk Assurance Committee

CIPFA Chartered Institute of Public Finance and Accountancy

DAO Dear Accounting Officer

DoF Department of Finance

ESG Environmental, Social and Governance

FRC Financial Reporting Council

GDPR General Data Protection Regulation

HMT His Majesty’s Treasury

ISA International Standard on Auditing

MoR Memorandum of Reply

NAO National Audit Office

NEBM Non-Executive Board Member (A member of ARAC who is not part of the organisation’s senior executive team)

NIAO Northern Ireland Audit Office

NICS HR Northern Ireland Civil Service Human Resources

RTTCWG Report to those charged with governance

SIRO Senior Information Risk Owner

ToR Terms of Reference

Introduction

1. An organisation’s Board is responsible for ensuring that there are effective arrangements for governance, risk management and internal control. The Board, however, should be supported by:

an Audit and Risk Assurance Committee chaired by a suitably experienced non-executive Board member (NEBM); and
an Internal Audit service operating to the professional standards mandated for Internal Audit in the public sector.

2. The Department of Finance’s ARAC Handbook (April 2018) states that an ARAC should:

be made up of at least three members;
support the Board in its role on advising the organisation on key risks;
not have any executive responsibilities or be charged with making or endorsing any decisions;
have adequate support, including a secretariat function;
lead the assessment of the annual Governance Statement for the Board; and
make publicly available its Terms of Reference (ToR).

3. The Northern Ireland Audit Office (NIAO) has a unique oversight role over a wide and diverse range of central government, arms-length and local government bodies. This good practice guide:

supplements the large amount of relevant guidance already available from the Department of Finance (DoF), HM Treasury (HMT) and the National Audit Office (NAO) and is intended to bring all this guidance into one document to be used by all ARACs within both Central and Local Government in Northern Ireland;
is intended to be used by ARAC members, secretariats and executive officers;
provides examples of good practice from our own work with organisations in this area; and
is written to promote good practice at ARACs.

4. HM Treasury’s latest guidance on Audit and Risk Assurance Committees (July 2024) sets out the following five good practice principles for ARACs, stating that each principle is of equal importance:

Principle 1: Membership, independence, objectivity and understanding
Principle 2: Skills
Principle 3: The role of the ARAC
Principle 4: Scope of work
Principle 5: Communication and reporting

5. This guide has been split into seven core sections. The first five sections reflect the good practice principles set out in the HM Treasury’s guide. Section 6 provides details on how a high-performing ARAC can continually improve as the challenges and requirements facing it evolve. Section 7 provides guidance specific to local councils in Northern Ireland.

Membership, independence, objectivity and understanding

6. ARAC should be independent and objective; in addition, the Chairperson and at least one other member should be a non-executive, who should have a good understanding of the objectives and priorities of the organisation and of their role as an ARAC member.

Skills and experience

7. ARAC should collectively own an appropriate skill mix to allow it to carry out its overall function and duties.

Roles and responsibilities

8. ARAC should support the Accounting Officer and Board by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report.

Scope

9. The scope of ARAC work should be defined in its terms of reference and encompass all the assurance needs of the Accounting Officer and Board. Within this, ARAC should have particular engagement with the work of Internal Audit, risk management, External Audit, counter fraud and financial management and reporting issues.

Communication and reporting

10. ARAC should ensure that it has effective communication with all key stakeholders, for example, the Board, the Head of Internal Audit, the External Auditor, Executives of the organisation including the risk manager and other relevant assurance providers, such as the counter fraud manager.

Continuous Improvement

11. As the challenges and requirements of ARACs evolve, a high-performing ARAC will strive for continuous improvement. It is important that ARACs adopt a positive attitude to learning and development, regularly appraises its performance and is open to feedback from others.

Council Specific

12. ARACs of local councils within Northern Ireland differ somewhat to central government ARACs. Section 7 seeks to provide guidance specific to local councils.

13. Included in this guide are four appendices designed to assist ARACs in their role and to help promote and maintain good practice.

Appendix 1 - Audit and Risk Assurance Committee Self-Assessment Checklist

14. This self-assessment checklist allows for ARACs to review their overall effectiveness. It is recommended that ARACs should aim to assess their effectiveness against this checklist on an annual basis.

Appendix 2 - Example of Annual ARAC core work programme (for bodies with a March year-end)

15. This example of an annual ARAC core work programme gives suggested agenda items to present at the Audit and Risk Assurance Committee meetings.

Appendix 3 - Example of ARAC Annual Report Structure

16. Part of good practice for ARAC is producing an Annual Report to the Board highlighting the activities of ARAC for the year. Included in this guide is a template for the ARAC’s Annual Report to the Board. This template includes key areas and should be tailored to each organisation.

Appendix 4 – The role of the Chair of the Audit and Risk Assurance Committee

17. Appendix 4 provides details on a number of additional responsibilities for the Chair of ARACs.

Part One: Membership, Independence, Objectivity and Understanding

1.1 To properly fulfil its role, an effective ARAC needs to be both independent and objective:

It should comprise at least three members.
The Chairperson should be a Non-Executive Board Member (NEBM) with relevant experience.
The Chairperson of the Board should not be a member of ARAC.
There should be at least one other NEBM on ARAC.
There should be no Senior Executive appointments to ARAC (a Senior Executive has a managing role within the organisation).
ARAC should possess the requisite knowledge and skills to effectively engage with and challenge the organisation.
ARAC should seek additional independent, non-executive membership to ensure an appropriate level of skills and experience, as and when required.

1.2 Whilst Executive Members of the organisation should not be appointed to ARAC, it is important for the management of ARAC business that there must be regular attendance and appropriate input from all attendees including:

the Accounting Officer;
the Finance Director;
the Head of Internal Audit; and
a representative of the External Auditor, who should routinely attend and be available to meet privately with the Committee members outside of the meeting.

1.3 It is also good practice for the Chair of ARAC to have regular meetings with the Accounting Officer and Finance Director. The Chair should also meet with the Head of Internal Audit and the External Auditor’s senior representative separate from executive members to discuss any significant issues.

1.4 In order for members to have a clear understanding of their role, all ARAC members should be provided with up-to-date ToR which incorporate:

what is expected of them in their role, including time commitments;
how they will be appraised;
the duration of their appointment; and
training required and how this will be provided.

1.5 The efficient management of ARAC business is essential. The regularity, timing and duration of meetings is therefore critical to ARAC being able to exercise its responsibilities effectively throughout the year. Strong agenda planning and management by the Chair is vital to ensuring ARAC devotes the right amount of time to issues competing for priority. A full committee cycle agenda is necessary to ensure all items are covered that are applicable throughout the financial year, including separate audit and risk requirements, especially when the committee is interacting with the Board on risk issues. Where necessary, ARAC members may wish to invite key individuals from the organisation to ARAC meetings to discuss specific issues/projects.

1.6 ARAC members must take personal responsibility for ensuring that possible conflicts of interest are properly declared. If a conflict of interest declaration is made by any ARAC member (including the Chair), the ARAC should then consider the nature of the conflict of interest before determining the course of action. This could include asking the member to leave while a particular item is being discussed or suggesting that the member should stand down where a conflict of interest is likely to exist for a long period.

1.7 We regularly observe public servants from an organisation who, because of their particular skill set, are appointed to sit on other ARACs within the public sector. It is important that these appointments are truly independent and free from any conflict of interest, and that they are able to contribute independently and objectively to each of the meetings.

1.8 Section 6.01 of the Northern Ireland Civil Service Handbook provides guidance on conflicts of interest and outlines that if a civil servant wishes to undertake any private work (paid or unpaid) with another public sector body (including another Government Department) approval must first be obtained from NICS HR Employee Relations, outlining if this work is paid or unpaid. Civil Servants may choose to apply for unpaid leave or use a portion of personal leave allowance to allow them to undertake paid work in another public sector post.

What does good practice look like?

An ARAC needs to have a good understanding of the objectives and priorities of the organisation.
There should be clear up-to-date Terms of Reference.
An ARAC needs to be independent.
An ARAC needs to have the requisite breadth of skills and experience.
An ARAC needs to have sufficient time and access to all relevant information to allow it to perform its functions effectively and efficiently.
An ARAC needs to have regular attendance and appropriate input from all attendees.
The Chair should have regular meetings with the Accounting Officer and the Finance Director to discuss any significant issues.
The Chair should have regular meetings with the Head of Internal Audit and the External Auditor separate from executive officers to discuss any significant issues.
An ARAC needs to have strong agenda planning and management with strong secretariat support.
All potential conflicts of interest need to be declared.
ARAC members meet privately prior to ARAC meetings to discuss the papers and any issues that they feel need further discussion or more information on.

Our Observations

We have observed ARACs that have organised private meetings with Internal Audit and External Audit. Typically, these meetings are scheduled prior to the ARAC meeting. These pre-meetings give ARAC members the opportunity to ask questions of Internal and External Auditors and for both bodies to provide feedback to ARAC on any issues arising out of their work. These meetings are typically held at least twice per year, although we have seen instances where these meetings happen before every ARAC meeting.

Part Two: Skills and Experience

2.1 ARAC members require a wide range of skills and experience in relation to governance, risk and control. Members need to be mindful of when they need to upskill, build expertise and draw on specialist skills from elsewhere.

2.2 At least one member of ARAC should have recent and relevant financial experience sufficient to allow them to competently analyse the financial statements and recognise good financial management disciplines. The Accounting Officer and Board, in conjunction with the Chair of ARAC, should periodically review and agree on any additional skills that ARAC may require to maintain its effectiveness.

2.3 Where necessary, ARAC should have the authority to co-opt members or procure specialist advice to provide required skills, knowledge and experience to properly fulfil its role. It is important to ensure that any co-opted members are free from any conflicts of interest.

2.4 All ARAC members, whatever their status or background, will have training and development needs, especially for recent developments or emerging risk areas. Those who have recently joined ARAC will need induction training, to help them understand their role and/or the organisation. Those joining a public sector ARAC for the first time with no experience of government will need training to help them understand the public sector accountability framework, especially those elements relating to governance and accountability.

2.5 The Chair should, in addition, ensure that all committee members have an appropriate programme of engagement with the organisation and its activities to help them understand the organisation, its objectives, business needs, priorities and risk profile. The Department of Finance’s ARAC Handbook (April 2018) provides further guidance on the role of the Chair (included at Appendix 4).

2.6 An effective Chair should display the following characteristics:

an ability to plan the work of ARAC over the year and beyond;
skills to manage meetings;
an ability to bring an objective attitude;
a core knowledge and skills required of other ARAC members; and
a clear focus on the role of ARAC and the ambition to lead ARAC in line with good governance principles.

What does good practice look like?

ARAC as a whole should have an appropriate mix of skills that enables it to provide assurance to the Accounting Officer and Board.
ARAC members should have a timely induction programme which outlines the requirements of the role, the organisation and, for those new to government, an understanding of public sector governance principles and processes.
Training and development should be flexible, timely and tailored to individual member’s needs.
Skills and experience should be tailored to the challenges and objectives of the organisation.
The skills mix should be regularly reviewed to ensure ARAC is equipped to discharge its responsibilities to the Accounting Officer and Board.
ARAC members should be made aware of any relevant training opportunities and encouraged to attend where necessary.
ARAC members should engage with the organisation to understand its objectives, business needs, priorities and risk profile.

Other skills

2.7 ARACs should additionally consider whether they have the skills and capabilities to challenge organisations across a number of existing and emerging risk areas, some of which are outlined in this section. Areas requiring skills and expertise develop over time and differ from organisation to organisation. Skills requirements and gaps should be continually monitored. Examples of skills requirements we have seen in relation to existing and emerging risks in recent years include:

Cyber and digital
Information Security
Climate Change and Environmental, Social and Governance (ESG)
Artificial Intelligence
Projects and Programmes
Procurement

Cyber and digital

2.8 Cyber security is a key area of management activity that ARACs should review on a regular basis. In such circumstances, ARAC should support the Accounting Officer and Board in reviewing and mitigating cyber and digital risks. ARAC should be confident in its ability to challenge management’s assessment of cyber and digital risk – and know when and how to draw upon expertise as and when required. ARACs should be able to understand whether the organisation is adopting a clear approach to cyber risk.

2.9 The assurance provided by ARACs to the Board that the organisation is properly managing its cyber risk does not necessitate understanding the full detail of the technology involved; rather that it can confirm that the appropriate framework is in place and that continuous monitoring and improvement initiatives are adopted and sustained.

2.10 In particular, to assess the organisation’s cyber resilience, ARAC should evaluate whether the organisation has reviewed its cyber risk in relation to:

governance, including management of system access;
threat to protecting critical infrastructure;
the identification and deployment of skills and capability in this area;
training available for all staff to ensure appropriate levels of compliance;
structure and resources;
incident response; and
the impact of any governance failings publicly reported elsewhere.

2.11ARAC could consider using the organisation’s Senior Information Risk Owner (SIRO) to provide assurance over these and other issues through regular briefs, including an annual report at year end.

What does good practice look like?

The ARAC should regularly be provided with a paper setting out an evaluation of the organisation’s response to cyber security which confirms that:
- the organisation has properly identified and evaluated the cyber security risk;
- there is sufficient assurance that the organisation is properly managing its cyber risk;
- there are proper governance arrangements and controls to protect from, detect and respond to cyber security attacks/incidents;
- the organisation has suitably skilled and experienced staff, or access to such staff, to deal with any cyber security related incidents; and
- there is suitable awareness and ongoing training within the organisation on the risk from cyber-attack.
The ARAC should understand how cyber and digital risks impact on the organisation.
The ARAC should have the level of skills and expertise required to challenge management and provide assurance to the Board that the organisation is properly managing its cyber and digital risks.

Information Security

2.12Information security is the protection of sensitive information against unauthorised access, disclosure, use, alteration or disruption. ARAC should support the Accounting Officer and Board in reviewing information risks. ARAC should be confident in its ability to challenge management’s assessment of information security. ARAC should regularly review the organisation’s information security policies, ensuring that they comply with General Data Protection Regulations (GDPR).

What does good practice look like?

ARAC members are aware of the organisation’s plans to manage information risk.
ARAC should understand the requirements for information security set out in GDPR.
ARAC members should obtain assurance that an appropriate information security policy in place which is regularly reviewed and updated.
ARAC members should obtain assurance that suitable processes are in place to ensure information is guarded (i.e. controls are designed to prevent and detect security breaches).
ARAC members should obtain assurance that information security incidents are suitably recorded, and the organisational response is reviewed to ensure it is appropriate.

Climate change and Environmental, Social and Governance (ESG)

2.13 ARAC should critically assess the organisation’s progress with ESG responsibilities and commitments. Disclosures should be in line with relevant up-to-date standards and ARAC should be satisfied that the organisation is appropriately managing its ESG risks.

2.14 ARACs should have the ability to assess the process for managing climate-related risks and understand how they can impact on organisations.

What does good practice look like?

ARAC is aware and understands how management:

is managing its ESG responsibilities and risks;
has introduced and implemented its governance of climate change risk;
builds awareness and understanding of climate change responsibilities across the organisation;
identifies, assesses, mitigates and evaluates climate risk; and
monitors and reports on climate risk.

Artificial Intelligence

2.15 The use of Artificial Intelligence (AI) has been expanding rapidly across society, particularly with the development of generative AI. AI has the potential to transform public services, but also presents risks and challenges and is becoming an emerging oversight responsibility for ARACs. ARAC should ensure that its members have sufficient training when it comes to emerging risk areas such as AI.

What does good practice look like?

ARAC is aware and understands how management:

is responding to the emerging risks and challenges associated with AI, both in relation to its use within the organisation and its use by any services or suppliers of the organisation/stakeholders;
is managing any AI services and risks and ensuring they are aligned with ARAC’s risk appetite.
has prepared the organisation for any new regulations regarding AI.

Projects and programmes

2.16 Government organisations regularly manage a number of projects and programmes. ARACs play a key role in challenging management throughout the project or programme lifecycle, so it is important that ARACs understand how and when to assess and challenge any significant project and programme risks.

What does good practice look like?

ARAC is appropriately briefed on significant projects and programmes throughout their lifecycle.
ARAC has the skills and expertise to provide effective critical challenge on the financial management, delivery risks and overall progress of projects or programmes.

Procurement

2.17 In providing assurance to the Accounting Officer and Board over risk management and the control environment, ARAC should have the necessary skills and expertise to understand the complexities of procurement and challenge organisations to provide value for money for goods and services.

2.18 Additionally, the Department of Finance’s Procurement policy notes outline mandatory procurement guidance for government public bodies.

2.19 Depending on the size of the organisation, there may be other committees with Terms of Reference related to projects, programmes and procurement and ARACs will need to understand the remits and activities of these committees as part of overall governance arrangements.

What does good practice look like?

ARAC is aware of key procurement activities.
ARAC has an appreciation of the risks associated with procurement in the public sector context.
ARAC has the skills and expertise to challenge commercial activities and the procurement of goods and services.

Our Observations

We have observed ARACs which have included training and development as a standing item on their meeting agenda. A record of all formal training courses attended by members is maintained to ensure that ARAC has adequate knowledge of issues currently affecting the organisation, or new areas that have the potential to affect the organisation. This agenda item also provides the opportunity to highlight upcoming training courses available to ARAC members.

Part Three: Roles and Responsibilities

Assurance

3.1 The scope of ARAC’s work should be clearly defined in its ToR and should encompass all the assurance needs of the Accounting Officer and Board. It is vital that ARACs understand how they receive its assurance and can identify any significant gaps. This will give ARACs the best possible chance of focusing on high-priority issues and fulfilling their role effectively.

3.2 An effective ARAC can help the Accounting Officer and Board to formulate their assurance needs, and then consider how well the assurance received actually meets these needs by gauging the extent to which assurance on the management of risk is comprehensive and reliable.

3.3 An effective model used widely across both the public and private sectors to categorise the various sources of assurance is the ‘three lines of defence’. An understanding of the three lines of defence can help ARAC play a key role in helping the Accounting Officer and Board establish an optimum mix of assurance. The three lines of defence are as follows:

First line of defence – Managers and staff who are responsible for identifying and managing risk;
Second line of defence – Risk Management and Compliance Function; and
Third line of defence – Independent and more objective assurance, including the role of Internal Audit.

3.4 Overall assurances provided to the Accounting Officer and Board should be reviewed and constructively challenged by ARAC. Where it identifies any significant risk, governance and control issues which are not being subjected to sufficient review, it should also be proactive in commissioning assurance work from appropriate sources.

What does good practice look like?

Assurance is central to ARAC’s role in providing an independent assessment on governance, risk management and control processes.
Assurance modelling, such as the “three lines of defence”, will draw attention to the aspects of risk management, governance and control that are functioning effectively and, just as importantly, the aspects which need to be given more attention.
ARAC should be proactive in commissioning work where assurance gaps have been identified from appropriate sources.

Governance

3.5 It is essential that ARAC understands how governance arrangements support achievement of the organisation’s strategies and objectives.

3.6 It should understand the operational systems in place to ensure effective organisational accountability, performance and risk management.

What does good practice look like?

ARAC must have a clear understanding of how governance arrangements support achievement of the organisation’s strategic objectives.
ARAC should monitor developments in corporate governance so that it can proactively advise the Accounting Officer and Board on any changes to assurance requirements.

Risk management and internal controls

3.7 It is essential that ARAC understands the organisation’s business strategy, operating environment, the framework for risk assessment and the associated risks. It should critically challenge and review the risk management and assurance framework and the adequacy and the effectiveness of associated control processes, to provide assurance that the arrangements are actively working in the organisation.

3.8 ARAC should discuss with the Board its policies, attitude to and appetite for risk, to ensure these are appropriately defined and communicated and that management operates within these parameters. Its role should include horizon scanning for potential issues that could affect the organisation in the future, together with reviewing and challenging, where appropriate, the risk management and assurance framework. It then can help provide assurance that the arrangements are actively working.

3.9 It should challenge and review the adequacy and effectiveness of the systems of control (including risk registers) in responding to risks within the organisation’s governance, operations, compliance and information systems, including undertaking deep dives into significant risks.

3.10 It should invite risk owners along to ARAC meetings to challenge and review the classification of the risk and any control mitigations.

What does good practice look like?

ARAC has a key role to play in providing assurance regarding the organisation’s risk management processes.
ARAC understands the risk management framework of the organisation and the assignment of responsibilities.
ARAC critically challenges the effectiveness of the organisation’s risk management frameworks, policies and processes.
ARAC regularly reviews the Corporate Risk Register.
ARAC monitors the organisation’s risk culture, in addition to reviewing how well risk appetite is understood across the organisation.
ARAC has a key role in providing assurance on systems of internal control and assuring the Accounting Officer and Board that controls are effective in mitigating the risks identified by management.
ARACs should have a clear understanding of management’s control environment and how it is designed to mitigate risk across the organisation.

Counter fraud and raising concerns

3.11 ARAC should consider counter fraud arrangements on a regular basis to understand the main fraud and error risks affecting the organisation and management actions to mitigate these risks. They should satisfy themselves that there is an appropriate anti-fraud policy in place which is regularly reviewed and updated.

3.12 NIAO has published a range of guidance on managing different types of fraud risks, including:

Planning Fraud Risk Guide (published March 2023)
Internal Fraud Risk Guide (published February 2022)
Grant Fraud Risk Guide (published October 2021)
Procurement Fraud Risk Guide (published November 2020)
COVID-19 Fraud Risk Guide (published August 2020)

3.13 ARAC should assure themselves that suitable processes are in place to ensure fraud is guarded against and that losses and responses to them are suitably recorded and appropriate.

3.14 ARAC should review regular reports on any major incidents and near misses as well as details of any special investigations, raising concerns incidents and their outcome.

What does good practice look like?

An appropriate anti-fraud policy and fraud response plan is in place and is regularly reviewed and updated.
Suitable processes are in place to ensure fraud is guarded against (i.e. controls are designed to prevent and detect fraud and error).
Losses are suitably recorded and the organisational response is reviewed to ensure it is appropriate.
Raising concerns incidents are regularly reviewed and updated.

Financial reporting

3.15 ARAC should consider significant relevant accounting policies, any changes to them and any significant estimates and judgements, if possible before the start of the financial year.

3.16 At year end, ARAC should receive a comprehensive overview of the financial statements from the Finance Director, including comparisons with the prior year and current year budget, and an explanation for any significant issues arising. It should also review the clarity and completeness of disclosures in the year-end financial statements and consider whether the disclosures made are set properly in context.

3.17 ARAC should consider the control arrangements in place within the organisation for the preparation of the accounts. It should consider the advice and findings from External Audit and, if required, engage constructively with it to assist in the resolution of any disputes between External Audit and those preparing the accounts.

What does good practice look like?

ARAC should have a thorough understanding of the processes in place to produce the financial statements to enable it to challenge the quality of the annual report and accounts;
ARAC should seek assurances from senior management on the quality of the disclosures within the organisation’s annual reports and accounts;
ARAC should consider the contents of the Annual Report to ensure it is reasonable and in accordance with its understanding of the organisation;
ARAC should engage constructively with the External Auditor, consider their reports and findings, especially the Report to those Charged with Governance, and follow up on all recommendations; and
ARAC should hold the finance team accountable for adhering to the timetable agreed with External Audit for the production of the annual report and accounts.
All ARAC members should be in attendance at the meeting that the Annual Report and Accounts are being proposed to be signed.

Our Observations

We have observed “deep dive” sessions by ARACs into significant risks affecting organisations. At these “deep dive” sessions during ARAC meetings, risk owners are invited to present in detail information relating to the risk. This allows ARAC members to fully understand the risk, critically challenge and review the adequacy and effectiveness of control processes in place.

Part Four: Scope

4.1 It is important that ARAC fully understands the scope of its work, and that this is set out clearly in its ToR. ARAC, the Accounting Officer and Board must be clear on their respective responsibilities – particularly when it comes to assurance requirements. Being clear on expectations and accountabilities will ensure that ARAC focuses its time and resources on its core requirements. ARAC should understand how it interacts with the organisation’s various safeguards and how it should engage with other providers of assurance, such as Internal and External Audit.

Terms of Reference

4.2 ARAC’s ToR should be agreed by the Accounting Officer/Board and made publicly available (including on the organisation’s website). They should be reviewed regularly alongside the performance of ARAC. The responsibilities assigned to ARAC should not compromise its independence; it should not have any executive responsibilities or be charged with making or endorsing any decisions.

4.3 Under its ToR, ARAC should be able to request any employee of the organisation to report on the management of risk or on the control environment within their areas of responsibility. It should set a minimum number of meetings (at least four a year) and should have access to funding to cover the costs incurred in fulfilling its role. It will also need adequate secretariat support to perform its function.

4.4 A schedule of ARAC’s agreed delegations from the Board, and the mechanisms for feedback and assurance, should be documented in the Board Operating Framework.

What does good practice look like?

The ToR should:

be reviewed by ARAC on an annual basis;
be agreed by the Board, made publicly available and reviewed regularly;
clearly establish the independence and core responsibilities of ARAC;
set a minimum number of meetings (at least four a year);
include the possibility to hold a separate meeting to discuss the Annual Report and Accounts; and
ensure access to funding to cover the costs incurred in fulfilling its role.

Internal Audit

4.5 The work of Internal Audit must be independent from the operations that it evaluates, reporting their work directly to the Board, typically via ARAC to provide effective oversight and governance. It is likely to be the single most significant resource used by ARAC in discharging its responsibilities. This is because the head of Internal Audit, in accordance with Internal Audit professional standards, has a responsibility to provide an annual opinion on the overall adequacy and effectiveness of the organisation’s governance, risk management and control processes. The role of ARAC in relation to Internal Audit should include advising the Accounting Officer and Board (through ARAC) on:

the Internal Audit strategy and periodic Internal Audit plans, forming a view on how well they reflect the organisation’s risk exposure and support the Head of Internal Audit’s responsibility to provide an annual opinion;
the adequacy of the resources available to Internal Audit;
the Internal Audit Charter/Terms of Reference for Internal Audit;
the results of Internal Audit work, including reports on the effectiveness of systems for governance, risk management and control, management responses to issues raised, and progress made by management addressing all recommendations;
the annual Internal Audit opinion and annual report; and
the performance of Internal Audit, including conformance with the applicable standards, expected performance measures, and the results of both internal and external quality assessments.

What does good practice look like?

There is effective cooperation between the Head of Internal Audit and ARAC.
ARAC advises the Accounting Officer and Board on the work of Internal Audit as a key strand of its assurance.
ARAC seeks assurance from the Accounting Officer that any weaknesses identified are promptly addressed or mitigated.
ARAC follows up on all recommendations raised in Internal Audit reports, while taking into account the priority rating of each point raised.

External Audit

4.6 ARAC should have ongoing engagement with the External Audit function (which for most Northern Ireland public sector bodies is the Northern Ireland Audit Office (NIAO)). It should consider both the External Auditor’s audit strategy and the results of External Audit work as well as resolution of any identified weaknesses. It should seek assurance that the External Auditor has liaised with Internal Audit and where appropriate has taken assurance from their work where their objectives cover areas of joint interest.

4.7 In addition, it should review and consider the potential implications for the organisation of the wider work carried out by the External Auditor, for example, any relevant recommendations from its programme of Public Reporting, including the content of any relevant good practice guides.

What does good practice look like?

ARAC Chair has regular informal meetings with the External Auditor separately from the organisation’s executive staff to establish open working relationships and provide auditors with the opportunity to discuss any issues of concern.
ARAC asks open-ended questions to provide an understanding of the External Auditor’s perspectives about sensitive and judgemental accounting policies, accounts and transactions.
The work of External Audit is normally primarily conducted for the benefit of the NI Assembly/Council – but the process and conclusions are a significant source of independent and objective assurance for ARAC to draw on.
ARAC follows up on all recommendations raised by External Audit, while taking into account the priority rating of each point raised.

Our Observations

We have observed ARACs that have performed annual reviews of their ToR at one ARAC meeting during the year. The ToR was presented to each ARAC member for review prior to the meeting. At the meeting, members were invited to provide their comments on the updated ToR and to approve it prior to being brought to the Board for approval. After the Board approved the updated ToR, it was then published on the organisation’s website.

Part Five: Communication and Reporting

5.1 To be successful, ARAC must have clear lines of communication with the Accounting Officer, the Board and other key stakeholders. Establishing an effective mechanism for working with the Board is particularly important.

5.2 Communication should be tailored to the requirements of key stakeholders and should be a way to ensure that ARAC can perform at its optimum effectiveness.

5.3 After each ARAC meeting, a report/minute should be prepared for the Accounting Officer and Board, setting out the business discussed by ARAC and offering advice on those issues that the Accounting Officer and Board should act upon. Such reports should be shared with the Internal Auditor and External Auditor.

5.4 ARAC should also provide an Annual Report, timed to support the preparation of the Annual Governance Statement, taking into account assurances from other parts of the organisation in respect of key risks. The Annual Report should summarise ARAC’s work for the past year, as set out in para 6.5 of the Audit Risk and Assurance Committee Handbook. Appendix 3 provides further guidance on the structure of ARAC Annual Report.

5.5 The reports received by ARAC to exercise its responsibilities should be at the right level of detail and presented in a manner which makes it easy for members to review and challenge. Reports from ARAC to the Board should meet the Board’s expectations in terms of content, scope and proportionality.

5.6 There should be mutual rights of access to information between the Chair of ARAC, the Board, risk manager, head of Internal Audit and the External Auditor. Regular discussions should take place (at least annually) outside formal meetings to ensure that expectations are managed and that there is mutual understanding of current risks and issues.

What does good practice look like?

ARAC has identified its key stakeholders and ensures that there is effective two-way communication with them. Relevant stakeholders include, for example, the Board, the head of Internal Audit, the External Auditor, and any other relevant assurance providers.
There are regular reports from ARAC to the Board.
An annual report is completed to support the preparation of the Annual Governance Statement.

Our Observations

We have observed numerous ARACs producing its annual report to the Board. The annual report is presented at an ARAC meeting (in advance of the Annual Governance Statement being prepared) inviting comments from all ARAC members. The report provides a detailed account of the work of ARAC during the year and is presented in a clear, concise and easily understandable manner.

Part Six: Continuous Improvement

6.1 As the challenges and requirements of ARACs evolve, a high-performing ARAC will strive for continuous improvement. It is important that ARAC adopts a positive attitude to learning and development, regularly appraises its performance and is open to feedback from others.

6.2 An ARAC’s effectiveness should be judged by the contribution it makes to, and the beneficial impact it has on, the organisation’s business. Evidence of effectiveness will usually be characterised as ‘influence’, ‘persuasion’ and ‘support’. A good standard of performance against recommended practice, together with a knowledgeable and experienced membership, are essential requirements for delivering effectiveness.

6.3 The Chair should take the lead in ensuring that ARAC members are provided with appropriate appraisal of their performance as a committee member and that training needs are identified and met. The Chair should seek appraisal of their own performance from the Accounting Officer (or Chair of the Board, as appropriate).

6.4 The Chair should ensure that there is a periodic review (at least annually) of the overall effectiveness of ARAC – Appendix 1 provides a self-assessment checklist to aid this process. The Chair should ensure any areas of concern from the reviews are considered and actioned.

What does good practice look like?

As part of the self-assessment process, the Chair assesses the performance of individual members and ARAC as a whole and as a team. In addition, the Chair should seek appraisal of their own performance from the Accounting Officer.
Feedback is sought from ARAC’s key stakeholders, for example, the Executive, Internal Audit, External Audit.
Clear actions are identified and addressed to drive improvement.

Our Observations

We have observed ARACs that have included requirements for their self-assessment review within their ToR. Comments provided on the self-assessment review are relevant and provide insightful detail of ARAC’s performance. Reflecting on self-awareness adds value to ARACs and gives ARAC members greater confidence that they are fully meeting the demands of their challenging roles, particularly where self-assessment is undertaken on an ongoing basis and includes training. We have also seen some ARACs benchmark against other similar or same group ARACs and also the development of a network of ARAC chairs/members within the same departmental family and holding regular relevant training events to discuss similar type issues.

Part Seven: Local Government Guidance

7.1 The constitution and membership of ARACs in local councils in Northern Ireland differs somewhat from central government public bodies. Core membership is made up of elected representatives and ARAC often has different titles and ancillary responsibilities, and reports to the Council rather than a Board. Notwithstanding these differences, they should strive to follow best practice in line with a central government ARAC.

Membership, Independence, Objectivity and Understanding

7.2 It is recommended that suitable independent members are appointed to all local council ARACs. The role of the Chair of ARAC is key to the effectiveness of the Committee and best practice of having an independent chair comes from other sectors. Whilst there is no requirement for local authorities to adopt this, consideration should be given to having an independent member to chair ARAC as:

it helps to ensure that the committee is chaired by someone with appropriate knowledge and expertise;
it reinforces the independent and objective nature of the work of an ARAC; and
it provides continuity in the chairing of the committee.

7.3 An external and independent view can often bring new experiences and approaches to ARAC discussions. Independent members’ appointments should be for a fixed term and be formally approved by the Council. While operating as a member of ARAC, all independent members should follow the organisation’s code of conduct and a register of interests should be maintained.

Skills and Experience

7.4 Consideration should be given by full Council to extending the appointment of the Chair of ARAC and all ARAC members for more than one year, which would bring continuity and experience to the role. ARAC members require a wide range of skills and experience in relation to governance, risk and control and it is important that ARAC members are appointed with the right skills.

7.5 The selection of the Chair should take into account the characteristics required of an effective Chair, as outlined in paragraph 2.6 of this guide.

Roles and Responsibilities

7.6 ARAC members should have a timely induction programme which outlines the requirements of the role including the Council’s accountability framework, priorities and risk profile.

7.7 ARACs are a key component of a council’s governance framework. ARAC’s purpose is to provide an independent and high-level focus on the adequacy of governance, risk and control arrangements. ARAC’s role in ensuring that there is sufficient assurance over governance, risk and control gives greater confidence to all those charged with governance that those arrangements are effective.

7.8 The full council is the body charged with governance. ARAC may be delegated some governance responsibilities but is accountable to the full council.

7.9 ARAC has oversight of both Internal and External Audit together with the financial and governance reports, helping to ensure that there are adequate arrangements in place for both internal challenge and public accountability.

Scope

7.10 CIPFA’s Position Statement for local government bodies (2022) outlines that the core functions of ARAC are to provide oversight of a range of core governance and accountability arrangements, responses to the recommendations of assurance providers, and assist in ensuring robust arrangements are maintained.

7.11 The specific responsibilities include:

maintenance of governance, risk and control arrangements;
financial and governance reporting; and
establishing appropriate and effective arrangements for audit and assurance.

Communication and Reporting

7.12 ARAC should report annually on how it has discharged its responsibilities and include an assessment of its performance.

Continuous Improvement

7.13 The Chair should take the lead in ensuring that training needs are identified and met for all ARAC members and that there is a periodic review (at least annually) of the overall effectiveness of ARAC – Appendix 1 provides a self-assessment checklist to aid this process, with Part 7 of this Appendix providing further details on ARACs for local councils in Northern Ireland. The Chair should ensure any areas of concern from the reviews are considered and actioned.

What does good practice look like?

The Council ARAC reports directly to the full Council rather than another committee.
At least one independent member should be appointed to the Council ARAC.
The Chair should be strong and independently minded, displaying a depth of knowledge, skills and experience.
Consideration should be given to appointing an independent member as Chair of the Council ARAC.
ARAC members should strive to be in attendance at each meeting of the ARAC.
All ARAC members should be in attendance at the meeting that the Annual Report and Accounts are being proposed to be signed.

Our Observations

We have observed a local council that has appointed an independent member as Chair of the Council ARAC. This independent Chair has been in this position for more than one year, bringing continuity, knowledge and experience to the ARAC. Having an independent member as Chair reinforces the independence and objective nature of the work of the Council ARAC.

Appendix 1: Audit and Risk Assurance Committee Self-Assessment Checklist

This self-assessment checklist is a comprehensive way for ARACs to review their overall effectiveness. We recommend that it is completed annually.

Each section of the questionnaire has been split into three distinct areas:

Essential Requirements – these questions reflect guidance set out in the body of the HM Treasury Audit and Risk Assurance Committee Handbook (July 2024). Paragraph references to the appropriate section in the HM Treasury ARAC Handbook are included in each question.
Other Good Practice arrangements – these questions go beyond basic requirements and set a standard for ARACs to demonstrate leading behaviours.
Additional Comments and key takeaways – at the end of each section is a space for ARAC to add its commentary and highlight any actions that have arisen.

A downloadable copy of the checklist is available on the NIAO website.

Section		Questions
Section 1 - Membership, Independence, Objectivity and Understanding	Membership, Independence, Objectivity and Understanding	1.1 – 1.30
Section 2 – Skills and Experience	Skills and Experience Training and Development Cyber and Digital Information security Climate change and ESG Projects and programmes Procurement	2.1 – 2.9 2.10 – 2.17 2.18 – 2.19 2.20 2.21 – 2.23 2.24 – 2.25 2.26 – 2.29
Section 3 – Roles and Responsibilities	Assurance Governance Risk management and internal controls Training and Development Financial Reporting	3.1 – 3.8 3.9 – 3.18 3.19 – 3.45 3.46 – 3.47 3.48 – 3.62
Section 4 - Scope	Term of Reference Internal Audit External Audit	4.1 – 4.17 4.18 – 4.28 4.29 – 4.45
Section 5 - Communications and Reporting	Communications and Reporting	5.1 – 5.13
Section 6 – Continuous Improvement	Continuous Improvement	6.1 – 6.9
Section 7 – Council Specific	Council Specific	7.1 – 7.10

Section 1: Membership, Independence, Objectivity and Understanding

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
1.1	The Chair is a non-executive Board member and possesses an appropriate level of relevant experience. (3.2)
1.2	Membership of ARAC has sufficient numbers to discharge its responsibilities. (3.1)
1.3	ARAC explores the option of bringing in additional independent, non-executive members from sources other than the Board to ensure an appropriate level of skills and experience. (3.2)
1.4	The Accounting Officer and the Finance Director routinely attend meetings. (3.4)
1.5	The heads of Internal Audit and External Audit routinely attend meetings. (3.4)
1.6	The Chair separately meets the Accounting Officer, Financial Director, Internal Audit and External Audit outside the formal committee structure on a regular basis and at least once per year. (3.5)
1.7	ARAC members understand their responsibilities regarding identifying, declaring and resolving conflicts of interest. (3.9)
1.8	ARAC members have a clear understanding of what is expected of them in their role, and this was set out clearly at the time of appointment. (3.10, 3.11)
1.9	Monitoring conflicts of interest - If any conflicts of interest are identified, the ARAC Chair is effective in ensuring the associated risks are effectively managed and continually monitored - see para 4.26 of NIAO Conflicts of Interest - Good Practice Guide.
1.10	Conflicts of interest policy - The conflict of interest policy is reviewed on an annual basis – see para 4.9 and 4.13 of NIAO Conflicts of Interest - Good Practice Guide.
1.11	Terms of Reference are reviewed and approved annually by the Accounting Officer and Board Chair and are tabled at each ARAC meeting. (5.26)
1.12	ARAC has access to sufficient funding to cover the costs incurred in fulfilling its role. (5.31) This should be sufficient to: • meet the remuneration and working expenses of its members; • meet the relevant training needs of its members; • provide specialist (external) advice or opinions when required; and • provide external review of the effectiveness of ARAC.
1.13	ARAC meets at least four times during the year. (5.30)
1.14	The number of meetings held during the year is sufficient to allow ARAC to perform as effectively as possible. (5.30)
1.15	Meetings are well-aligned with the audit and assurance cycle. (5.30 and Annex E)
1.16	All matters falling within the Terms of Reference of ARAC are covered adequately over the course of the year or a reasonable time period. (Annex D)
1.17	Meetings of ARAC are long enough to ensure that all agenda items are covered in sufficient detail. (Annex F)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
1.18	Contribution to meetings - All members and attendees make valuable contributions to meetings.
1.19	Deep dives - Deep dives are undertaken in core and emerging risk areas, and these are sufficiently detailed so ARAC can understand the risk and challenge management.
1.20	Private meetings - ARAC has the opportunity to meet Internal Auditors and External Auditors in private – without the presence of management – when necessary and this time is used effectively.
1.21	Appointments - ARAC is clear on the type of skills and experience which should be sought in a new member – and the Chair is involved in the appointment process. (Annex A, A.3)
1.22	Time between ARAC meetings and main Board meetings - There is sufficient time between ARAC meetings and main Board meetings to allow any work arising from ARAC meeting to be undertaken and reported to the Board as appropriate.
1.23	Culture and Behaviour - ARAC acts in an inclusive and respectful manner, avoids ‘group think’, and provides an appropriate balance between challenge and support.
1.24	Preparation - ARAC receives information and papers far enough in advance for members to fully consider before the meeting.
1.25	Resources - ARAC is provided with sufficient administrative and secretarial support to undertake its duties to the required standard.
1.26	Balance of Agenda - Sufficient time is afforded to the different providers of assurance to ARAC across the various lines of defence, notably risk management, Internal Audit and External Audit.
1.27	Forward Planning - ARAC has a forward plan for its meetings so it can consider issues at the right time and in the right level of detail.
1.28	Minute taker - There is a designated minute taker present at each meeting.
1.29	Record of reports presented - All papers presented at ARAC meetings are at the right level of detail and presented in a manner which makes it easy for members to review and challenge. All papers should include a cover page outlining the main issues arising and should be tabled for either information, discussion, noting or for approval.
1.30	Hybrid meetings - Where ARAC meetings are hosted online, a secure link to join the meeting on-line should be provided in advance. Appropriate technology should be in place prior to the meeting, ensuring all participants can be seen and heard clearly.
Additional comments and key takeaways

Section 2: Skills and Experience

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
2.1	ARAC possesses a good range of skills and experience in relation to governance, risk and control. (4.1)
2.2	At least one member of ARAC has recent and relevant financial experience sufficient to allow them to analyse the financial statements and understand good financial management disciplines. (4.1)
2.3	ARAC proactively identifies which skills it requires to discharge its responsibilities most effectively. (4.2)
2.4	The required skill sets for ARAC are reviewed at regular intervals. (4.2)
2.5	Co-opting members and procuring specialist skills - ARAC uses the powers of co-opting members and procuring specialist skills where these are required. (4.5)
2.6	Skills mapping - ARAC documents and maps the skills of its members so it can identify areas of strength and any skills gaps. (Annex G)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
2.7	Diversity - ARAC draws on a sufficiently diverse membership, containing a variety of demographic attributes and characteristics.
2.8	Relevance of financial reporting experience - The financial reporting expertise held by members is relevant and appropriate to the significant financial reporting risks of the organisation – particularly in respect of any complex estimates or judgements.
2.9	Non-Technical Skills - ARAC benefits from a good mix of non-technical skills – for example, communication, influencing, negotiating, leadership and facilitation skills.
Additional comments and key takeaways

Training and Development

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
2.10	Members who have recently joined ARAC have been provided with induction training to help them understand their role and the organisation. (4.6)
2.11	Members of ARAC who are unfamiliar with corporate governance and wider practice in government are specifically upskilled in this area. (4.6)
2.12	Members keep their skills and knowledge up-to-date through networking and conferences to allow them to focus on key issues facing the organisation. (4.3)
2.13	ARAC Chair ensures that members have an appropriate programme of engagement with the organisation and its activities to help them understand the organisation, its objectives, business needs, priorities and risk profile. (4.7)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
2.14	Learning culture - There is a positive culture of learning and personal development within ARAC.
2.15	Emerging developments - ARAC’s training and development programme takes account of developments in corporate governance and emerging risk areas.
2.16	Public sector context - For ARAC members unfamiliar with the operations of the public sector, special focus is given to this as part of their induction, focusing in particular on regularity.
2.17	Cross-government networking - ARAC Chair attends cross-governmental (if a government department) or cross-departmental (if an arm’s-length body) ARAC Chair meetings.
Additional comments and key takeaways

Cyber and Digital

Reference	Good Practice	Yes/No	Actions/Comments
2.18	ARAC understands how cyber and digital risks impact on the organisation.
2.19	ARAC has the level of skills and expertise required to challenge management and provide assurance to the Board that the organisation is properly managing its cyber and digital risks.

Information Security

Reference	Good Practice	Yes/No	Actions/Comments
2.20	ARAC understands the organisation’s approach to managing information risks, and how it manages its GDPR requirements.

Climate Change and ESG

Reference	Good Practice	Yes/No	Actions/Comments
2.21	ARAC is satisfied the organisation’s approach to managing ESG risks, and making appropriate disclosures, is in line with relevant standards such as the Greening Government Commitments and Sustainability Reporting Guidance.
2.22	ARAC is provided with the appropriate means to effectively assess the organisation’s approach to managing climate-related risks.
2.23	ARAC assesses the organisation’s net zero strategy with sufficient detail, and at regular intervals.

Projects and Programmes

Reference	Good Practice	Yes/No	Actions/Comments
2.24	ARAC is appropriately briefed on significant projects and programmes throughout their lifecycle e.g. provision of gateway reviews at each stage of the project.
2.25	ARAC has the skills and expertise to provide effective critical challenge on the financial management, delivery risks and overall progress of projects or programmes.

Procurement

Reference	Good Practice	Yes/No	Actions/Comments
2.26	ARAC has an appreciation of the risks associated with procurement in the public sector context.
2.27	ARAC has the skills and expertise to challenge commercial activities and the procurement of goods and services.
2.28	ARAC is informed of all Single Tender Action/Direct Award Contracts with supporting detail.
2.29	ARAC is provided with regular updates of any significant legislative changes in procurement practices and how management is preparing for these.
Additional comments and key takeaways

Section 3: Roles and Responsibilities - Assurance

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
3.1	ARAC helps the Accounting Officer and Board to formulate their assurance needs. (5.3)
3.2	ARAC assesses whether the assurance received is of sufficient quality to meet the assurance needs outlined in 3.1. (5.3)
3.3	ARAC understands the key sources of assurance in the organisation, and how and why each of these sources provides assurance to them. (5.5)
3.4	ARAC understands the three lines of defence model, as set out in the Orange Book 2023, Annex 2, and how this applies in practice to the organisation. (5.6)
3.5	ARAC is proactive in commissioning assurance work from appropriate sources where it identifies any significant governance, risk and control issues which have not been subject to sufficient review. (5.9)
3.6	ARAC ensures the organisation operates appropriate and effective whistleblowing practices, in keeping with NIAO’s good practice guide on Raising Concerns (June 2020), and has completed the associated self-assessment checklist.

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
3.7	Assurance Mapping - ARAC uses assurance mapping to identify where assurance is required and any key gaps where no assurance is provided, or where the quality of the assurance is poor.
3.8	Recommendation Tracking Department of Finance (DOF) Letters and other relevant guidance - ARAC has an effective system for monitoring management’s progress with recommendations from DoF Letters and other relevant guidance.
Additional comments and key takeaways

Governance

ARAC understands how governance arrangements support achievement of the organisation’s strategies and objectives. (5.19) In particular, ARAC understands:

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
3.9	the Board’s operating framework, including the organisation’s vision and purpose;
3.10	mechanisms which ensure effective organisational accountability, performance and risk management;
3.11	role definitions, committees and other structures which support the effective discharge of responsibilities, decision-making and reporting;
3.12	the development, operation and monitoring of the system of internal controls and whether these will provide timely warnings of any failings;
3.13	how appropriate ethics and values are promoted within the organisation;
3.14	how management information is communicated to the Board and other appropriate areas of the organisation; and
3.15	the nature of relationships with arm’s-length bodies, if applicable.

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
3.16	Future assurance requirements - ARAC monitors developments in corporate governance so it can proactively advise the Accounting Officer and Board on any changes to assurance requirements.
3.17	Annual governance statement - ARAC reconciles assurance from Internal Audit, External Audit and other sources of assurance with conclusions drawn in the organisation’s annual governance statement.
3.18	Corporate governance policy - Without duplicating the work of the Board, ARAC advises on – and scrutinises the implementation of – its organisation’s corporate governance policy.
Additional comments and key takeaways

Risk Management and internal controls

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
3.19	ARAC understands the organisation’s business strategy, operating environment and the associated risks to executing the strategy. (5.20)
3.20	ARAC is satisfied that management takes an enterprise-wide view of the organisation’s risks, including those that cross organisational boundaries. (5.20)
3.21	There is a clear understanding of the role and activities of the Board in relation to managing risk. (5.20)
3.22	ARAC discusses with the Board how its policies, attitude to, and appetite for risk are defined and communicated across the organisation.(5.20)
3.23	ARAC understands and challenges the risk management framework and the assignment of responsibilities. (5.20)
3.24	Adequate assurance has been obtained on the risk and control environment encompassing services outsourced to external providers, including shared service arrangements, and the wider supply chain. (5.12)
3.25	(For government departments and groups only) assurance has been obtained on risks from across the group – and there is timely communication and visibility of these risks. (5.11)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
3.26	Risk Culture - ARAC promotes the importance of a positive risk culture in the organisation as set out in NIAO’s good practice guide on Innovation and Risk Management.
3.27	Managing Innovation – ARAC is aware of how the organisation encourages best practice in innovation and risk management as set out in NIAO’s good practice guide on Innovation and Risk Management – Self Assessment Checklist.
3.28	Risk Tolerance - ARAC challenges management on whether there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable.
3.29	Risk Registers - ARAC has sufficient understanding of the organisation to assess whether the risk register is an appropriate reflection of the risks facing the organisation.
3.30	Resources - ARAC can assess whether there are sufficient resources to manage risk effectively across the organisation.
3.31	Emerging Risks - ARAC challenges whether management’s approach to identifying risks is broad enough to effectively identify new and emerging risks.

3.32	Risk Evaluation - ARAC challenges management on its approach to evaluating risks, including the effectiveness of scenario planning and stress testing.
3.33	Review of “Near Misses” - ARAC reviews information on ‘near misses’ to help determine whether the systems in place are sufficiently robust to mitigate future risk events.
3.34	Fraud and Error - ARAC understands the main fraud and error risks as set out in NIAO’s various Fraud Risk guides, and challenges management to consider timely options for tackling fraud and error risks.
3.35	Resilience - ARAC considers the cumulative impact of risks and how these could impact on the ongoing resilience of the organisation.
3.36	ARAC critically challenges and reviews the adequacy and effectiveness of control processes in responding to risks. (5.20)
3.37	ARAC challenges whether the extent of the controls in place to mitigate risks is excessive, and whether any action is needed to address this. (5.10)

3.38	Understanding of internal control - ARAC has a good understanding of how the organisation develops, operates and monitors the system of internal control.
3.39	Controls over material or significant risks ARAC seeks assurance on how any material or significant risks are managed through strategic, operational and compliance controls.
3.40	Timely indicators - ARAC assesses whether the system of internal control would provide timely indicators of weaknesses and failings.
3.41	Root cause analysis of significant failings or weaknesses in internal control - When any significant failings or weaknesses in internal control arise, ARAC reviews management’s analysis of the root cause and subsequent action plan.
3.42	Financial control - ARAC is satisfied that the organisation has a sound system of financial control – including the structure of delegations – which enables the organisation to achieve its objectives with good value for money.
3.43	IT controls - ARAC has sufficient assurance over the quality of IT controls.
3.44	Design of fraud controls - ARAC is satisfied that the organisation’s controls are designed to effectively prevent and detect known fraud and error risks as set out in NIAO’s fraud risk guides.
3.45	Evaluation of fraud controls - ARAC has oversight of how controls are evaluated so it can understand how effectively fraud and error risks are being addressed.
Additional comments and key takeaways

Training and Development

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
3.46	ARAC receives reports on major incidents as well as details of special investigations, including any whistleblowing cases. (5.22)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
3.47	Counter fraud arrangements – ARAC is satisfied that the organisation has adopted appropriate arrangements to identify and respond to the risk of fraud, including reporting losses and investigating fraud incidents as set out in NIAO’s good practice guide on Managing Fraud Risk in a Changing Environment.
Additional comments and key takeaways

Financial Reporting

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
3.48	ARAC reviews the clarity and completeness of disclosures in the year-end financial statements. (5.23)
3.49	ARAC considers significant accounting policies, any changes to them, and any significant estimates and judgements, if possible, before the start of the financial year. (5.23)
3.50	ARAC uses its understanding of the organisation to assess whether disclosures in the financial statements are set properly in context. (5.23)
3.51	In reviewing the Annual Accounts, ARAC specifically considers the following: • accounting policies comply with relevant requirements, particularly HM Treasury’s Financial Reporting Manual; • assurances about the financial systems which provide the figures for the accounts; • the quality of the control arrangements for preparing the accounts; • key judgements made in preparing the accounts, and management’s consideration of their ongoing relevance; • any disputes arising between those preparing the accounts and the auditors; and • reports, advice and findings from External Audit – especially the Report to those charged with governance (RTTCWG).

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
3.52	Annual Report - ARAC reviews the Annual Report to ensure that it is fair and balanced and is easily understandable.
3.53	Complex judgements and use of experts - Where novel accounting issues or complex judgements have arisen during the year, ARAC has satisfied itself that management took specialist advice or enlisted expertise.
3.54	Continual monitoring of significant issues - ARAC is effective in monitoring significant financial reporting issues throughout the year, particularly those which could lead to any potential qualification of the accounts.
3.55	Reports from third parties - In reaching a view on the accounts, ARAC considers the implications of reports from third parties – for example, on legal matters, valuations or reports from regulators.
3.56	Key Matters - ARAC considers key matters on its own initiative rather than relying solely on the work of the External Auditor.
3.57	Understanding of the Organisation - ARAC has a detailed understanding of the organisation and its context and can successfully challenge whether the accounts provide a fair representation of activity.
3.58	Going Concern - ARAC sufficiently challenges the going concern assessment in the context of its review of the financial statements and understanding of the business.
3.59	Use of financial models - ARAC offers appropriate challenge to any information which is generated through financial modelling.
3.60	Financial reporting developments - ARAC is familiar with developments in financial reporting standards and can challenge their application in financial statements.
3.61	Group Reporting - (For government groups only) ARAC has sufficient oversight of significant financial reporting risks from across the department or group.
3.62	Submission of unsigned Annual Report and Accounts (ARA) to the C&AG - (For central government bodies) The Annual Report and Accounts should be accompanied by a letter, signed by the Accounting Officer, confirming that the Accounting Officer takes full responsibility for the ARA. This letter should make clear that the Accounting Officer has • reviewed the ARA to ensure they have been properly prepared in accordance with the guidance; • enquired of staff to ensure adequate working papers are available to support the figures in the ARA; and • enquired of staff to ensure that it is not anticipated that the ARA will be subject to significant adjustment as a result of the audit procedures. ARAC should be provided with confirmation that the above has happened.

Section 4: Scope - Terms of Reference

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
4.1	ARAC’s Terms of Reference are agreed by the Accounting Officer and the Board. (5.26)
4.2	The Terms of Reference are reviewed on an annual basis. (5.26)
4.3	The Terms of Reference do not conflict with guidance in the HM Treasury’s Audit and Risk Assurance Committee Handbook. (5.27)
4.4	The Terms of Reference make clear ARAC’s independence as a committee. (5.27)
4.5	ARAC’s Terms of Reference are made publicly available, including on the organisation’s website. (5.26)
4.6	The Terms of Reference allow for ARAC to sit privately without any non-members present for all or part of a meeting if they wish. (3.4)

As a minimum, the following areas are covered by ARAC’s Terms of Reference (5.26):

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
4.7	details of ARAC membership.
4.8	the reporting requirements to the Board.
4.9	the key areas of responsibility on which ARAC will advise the Accounting Officer and Board.
4.10	rights of ARAC over co-opting additional members or procuring specialist advice.
4.11	the head of Internal Audit and a representative from External Audit will have free and confidential access to the Chair of ARAC.
4.12	meeting information, including the number per year, the number of members required for the meeting to be quorate, and expected invitees.
4.13	information requirements, including what information will be provided for each meeting, and what will be provided on request.

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
4.14	Benchmarking - ARAC has compared its Terms of Reference against those of similar profile organisations.
4.15	Expectations - In addition to core requirements, the Terms of Reference contain information which allows ARAC to function more effectively – for instance, expectations about how far in advance of meetings papers will be provided.
4.16	Proportionality - The Terms of Reference properly reflect the role and scope of ARAC and are proportionate to the way ARAC actually operates.
4.17	Standing Item – The Terms of Reference are included as a standing agenda item at every ARAC for reference purposes.
Additional comments and key takeaways

Internal Audit

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
4.18	ARAC performs a risk-based review of Internal Audit’s strategy and annual programme of work. (5.16)
4.19	ARAC assesses the adequacy of the budget and resources available to Internal Audit. (5.16)
4.20	ARAC reviews the Internal Audit charter or terms of reference. (5.16)
4.21	ARAC assesses the results of Internal Audit’s work, and management’s responses to the issues raised. (5.16)
4.22	ARAC reviews the annual Internal Audit Opinion and associated annual report. (5.16)
4.23	ARAC assesses the performance of Internal Audit against applicable standards, expected performance measures and the results of any internal or external quality assurance assessments. (5.16)
4.24	ARAC reviews progress made by management in addressing Internal Audit recommendations and is proactive in obtaining confirmation that the recommendations are actually implemented. (5.16)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
4.25	Other assurance activity - ARAC frames the work of Internal Audit in the context of other assurance activity that takes place in the first and second lines of defence.
4.26	Support - ARAC plays a role in providing support for, and acceptance of, the work of Internal Audit.
4.27	Coverage - ARAC challenges whether the effectiveness of the risk, compliance and finance functions is evaluated as a part of its Internal Audit strategy.
4.28	Overall opinion - ARAC considers how the individual components of the annual Internal Audit plan provide reasonable assurance on governance, risk and control for the organisation in totality.
Additional comments and key takeaways

External Audit

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
4.29	ARAC considers and makes relevant enquiries about the External Auditor’s planned audit approach. (5.17)
4.30	ARAC considers the impact of the results of External Audit work. (5.17)
4.31	ARAC promotes cooperation between External Audit and Internal Audit to maximise overall audit efficiency, capture opportunities to derive a greater level of assurance and minimise unnecessary duplication of work. (5.17)
4.32	Recommendations Tracking – NIAO Public Reports – Where relevant, ARAC has an effective system for monitoring management’s progress with recommendations from NIAO Public Reports. Management responses to recommendations should be included in a Memorandum of Reply (MOR) as set out in DAO 03/24 - Guidance on Responding to Northern Ireland Audit Office Public Reports
4.33	NIAO Good Practice Guides - ARAC has an effective system for monitoring management’s progress with any relevant recommendations arising from NIAO Good Practice Guides.
4.34	External Audit’s findings and recommendations – ARAC reviews and monitors management’s responses to any findings set out in External Audit’s RTTCWG.

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
4.35	Objectives of External Audit - ARAC has a clear understanding of the objectives, scope and remit of External Audit work.
4.36	Review of adequacy of scope - ARAC has the opportunity to review the scope of External Audit work and – if not satisfied as to its adequacy – challenge whether additional work should be undertaken by the External Auditor.
4.37	Level of fees - ARAC satisfies itself that the level of fees payable in respect of the audit services provided is appropriate and that an effective, high-quality audit could be conducted for such a fee.
4.38	Materiality - ARAC is satisfied that it has a good understanding of materiality, including the benchmarks used and the calculation of materiality and performance materiality, as set out in FRC ISA 320 - Materiality in Planning and Performing an Audit.
4.39	Audit quality - ARAC considers factors that could affect the quality of the audit during the year and discusses these with the auditor, as set out in FRC’s paper on Audit Quality Indicators.
4.40	Expert advice - ARAC is satisfied that the External Auditor has access to relevant expertise, for instance around pensions liabilities or property valuation.
4.41	Quality of review - ARAC focuses on priority issues when undertaking its review of the results of External Audit work.
4.42	Review of audit representation letters - ARAC reviews the audit representation letters before they are signed by the Accounting Officer and considers matters where representation has been requested that relates to non-standard issues.
4.43	Quality of information provided to External Audit - ARAC takes steps to ensure External Audit receives quality, robust and timely audit evidence from the finance function.
4.44	Support for External Audit - ARAC is supportive of External Audit’s challenge of management and does not act as management’s advocate.
4.45	Uncorrected Misstatements –ARAC should provide written endorsement of management’s reasons for not correcting any uncorrected misstatements identified by External Audit.
Additional comments and key takeaways

Section 5: Communications and Reporting

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
5.1	ARAC produces a report after each meeting for the Accounting Officer and Board (with a copy to the head of Internal Audit and the External Auditor) covering: • the key business taken by ARAC; and • ARAC’s views and advice on any issues they believe the Accounting Officer or Board should take action on. (6.1)
5.2	ARAC has effective communications with those it seeks briefings from (the executive and Internal and External Audit) and those it provides assurance to (the Board). (6.3)
5.3	ARAC provides an Annual Report timed to support the preparation of the Annual Governance Statement. (6.4)
5.4	ARAC’s Annual Report is open and honest in presenting the ARAC’s views. (6.4)
5.5	ARAC’s Annual Report summarises ARAC’s work for the past year and how it discharges its responsibilities in accordance with HM Treasury’s Audit and Risk Assurance Committee Handbook (July 2024) (1.5, 6.5)
5.6	There are mutual rights of access between each of the Chair of ARAC, the Accounting Officer, head of risk management (if a separate function), head of Internal Audit and the External Auditor. (6.7)
5.7	There are periodic discussions with key attendees outside of the formal meetings to help ensure that expectations are managed and there is mutual understanding of current risks and issues. (6.7)

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
5.8	Transparency - ARAC reports its work as transparently as possible within the limits of what is confidential and commercially sensitive.
5.9	Working with the Board - ARAC has a robust mechanism for working with the Board, so expectations and accountability are clear.
5.10	Technology - ARAC uses technology to its advantage and communicates as a group in a way which is effective, efficient and secure.
5.11	Reports from ARAC to the Board - Reports produced by ARAC are proportionate: there is enough information to provide the Board with the assurance it requires, but not too much that key information is diluted.
5.12	Visibility of risks across departments - (For government departments only) the departmental ARAC has an effective way of gaining visibility over key risks and issues arising from ARACs within the departmental group.
5.13	Attendance at ARAC meetings by Departmental officials - (For ALBs of government departments only) a departmental official is invited to and attends all ARAC meetings.
Additional comments and key takeaways

Section 6: Continuous Improvement

Reference	Essential Requirements (including Audit and Risk Assurance Committee Handbook Reference)	Yes/No	Actions/Comments
6.1	Chair’s performance - The Chair seeks appraisal of his or her performance from the Accounting Officer or Chair of the Board, as appropriate. (Annex A, A2)
6.2	ARAC members’ performance - The Chair assesses the performance of the individual members of ARAC, discusses their training and development needs and agrees a training and development plan. (Annex A, A2)
6.3	Periodic reviews - The Chair ensures a periodic review of the overall effectiveness of ARAC. (Annex A, A3)
6.4	Assessment of outcomes - After completing an effectiveness review, there is sufficient time and effort devoted to discussing results and agreeing an action plan based on the outcomes.
6.5	Monitoring of trends - Evaluation of performance is not done in isolation, and year-on-year trends in different areas of performance are measured.
6.6	Feedback from key stakeholders - The Chair considers ways in which to obtain feedback from the executive and other key stakeholders – for example, Internal and External Audit – on the performance of ARAC.

Other Good Practice Arrangements

Reference	Good Practice	Yes/No	Actions/Comments
6.7	Succession planning - The results of the performance evaluation are used to inform and influence succession planning – for instance in highlighting skills gaps or a lack of diversity, similar to the process set out for succession planning in the NIAO Report Board Effectiveness Good Practice Guide 2022 (Paras 1.23 to 1.25).
6.8	Method of evaluation - ARAC carefully considers the extent and method of performance evaluation – for instance, using peer evaluation forms similar to those used for Board members and Chairpersons as set out in the NIAO Report Board Effectiveness Good Practice Guide 2022.
6.9	Objectivity and rigour - The evaluation of performance is objective and rigorous enough for meaningful conclusions to be drawn.
Additional comments and key takeaways

Section 7: Council Specific

Reference	Good Practice	Yes/No	Actions/Comments
7.1	Does ARAC report directly to full Council?
7.2	Do the Terms of Reference clearly set out the purpose of ARAC?
7.3	Do ARAC’s terms of reference explicitly address all the core areas including: • Maintenance of governance, risk and control arrangements • Financial and governance reporting • Establishing appropriate and effective arrangements for audit and assurance
7.4	Is an annual evaluation undertaken to assess whether ARAC is fulfilling its terms of reference and that adequate consideration has been given to all core areas?
7.5	Where coverage of core areas has been found to be limited, are plans in place to address this?
7.6	Is ARAC independent of executive decision-making and able to provide objective oversight?
7.7	Does ARAC have sufficient importance in the local council so that its recommendations and opinions carry weight and have influence with the leadership team and those charged with governance?
7.8	Has an effective ARAC structure and composition of ARAC been selected? This should include: • separation from the executive • an appropriate mix of knowledge and skills among the membership • a size of ARAC that is not unwieldy • consideration as to the inclusion of at least one independent member • consideration as to the independent member chairing ARAC
7.9	Have independent members appointed to ARAC been recruited in an open and transparent way and approved by the full Council?
7.10	Does ARAC review progress from recommendations arising from NIAO’s: • annual audit of the accounts; and • performance improvement audit and assessment annual exercise.
Additional comments and key takeaways

Appendix 2: Example of Annual ARAC core work programme (for bodies with a March year-end)

Items	Spring	Summer	Autumn	Winter
Standing Items
Apologies	✓	✓	✓	✓
Conflicts of Interest	✓	✓	✓	✓
Review and approve the draft minutes from the previous meeting.	✓	✓	✓	✓
Update on matters arising from the previous meeting.	✓	✓	✓	✓
Review the organisation’s strategic risk register and risk management processes put in place by the executive team and consider undertaking deep dives into specific risks and how evolving risks are reported.	✓	✓	✓	✓
Consider Internal Audit update and any individual reports.	✓	✓	✓	✓
Consider External Audit update and any individual reports.	✓	✓	✓	✓
Report tracking the implementation of both Internal and External Audit recommendations.	✓	✓	✓	✓
Consider any Fraud/Raising Concerns reports.	✓	✓	✓	✓
Review of Single Tender Action/Direct Award Contracts.	✓	✓	✓	✓
AOB	✓	✓	✓	✓
Confidential meeting with Internal and External Auditors.	✓	✓	✓	✓
Other Items
Review and consider the annual report and accounts, including any changes to accounting estimates and judgements.	✓ Draft	✓ Final
Consider/advise on the contents of the (draft) Governance Statement for the financial year just ended.	✓	✓
Agree ARAC’s annual report to the Accounting Officer and Board/Chief Executive and Council.	✓ Draft	✓ Final
Review the Internal Audit mandate, charter, terms of reference, strategy and the periodic work plan for the coming financial year.	✓
Consider counter fraud work plans for the coming year, including ensuring a review of the counter fraud strategy and policy.	✓
Consider the External Audit strategy proposed in respect of current year’s annual report and accounts.	✓
Consider the (emerging) External Audit opinion and findings on the annual report and accounts.		✓
Consider Head of Internal Audit annual report and opinion.		✓
Discuss the implications of the result of the Accounting Officer’s review of effectiveness of the system of control in relation to the Annual Governance Statement.		✓
Consider annual reports on counter fraud, raising concerns, conflicts of interest, cyber security and any other sources of annual assurance.		✓
Review/Update Self-Assessment Assurance Checklist (See Appendix 1)			✓
Review the overall Assurance Framework.				✓
Review ARAC’s Terms of Reference.				✓
Consider any recommendations arising from External Audit’s performance improvement audit and assessment annual exercise (councils only).				✓

Appendix 3: Example of ARAC Annual Report Structure

Introduction

The introduction should provide a summary of the role and activities of ARAC within the organisation, including the reporting structure, its independence and the steps taken to obtain the necessary assurance around the year-end process, culminating in the Annual Report and Accounts, including the Governance Statement.

Membership

All ARAC members should be listed (including dates of appointment), highlighting who the Chairperson is, Non-Executive Board Members (NEBMs) and if there were any new appointments or resignations in the year.

Meetings

It is important that members are in regular attendance. The attendance statistics for each meeting during the year should be published. This ensures that the quorum is being met. See below a suggested table which should be tailored to each organisation.

	Spring	Summer	Autumn	Winter
ARAC Members
Chair	✓ / x	✓ / x	✓ / x	✓ / x
Non-Executive Board Member 1	✓ / x	✓ / x	✓ / x	✓ / x
Non-Executive Board Member 2	✓ / x	✓ / x	✓ / x	✓ / x
Non-Executive Board Member 3	✓ / x	✓ / x	✓ / x	✓ / x
Other attendees
Internal Auditors	✓ / x	✓ / x	✓ / x	✓ / x
External Auditors	✓ / x	✓ / x	✓ / x	✓ / x
Accounting Officer	✓ / x	✓ / x	✓ / x	✓ / x
Executive Members	✓ / x	✓ / x	✓ / x	✓ / x

In addition, commentary should be included as to how:

an agenda, together with relevant documentation, was circulated to Committee members in advance of each meeting;
conflicts of interest were handled;
minutes of each meeting were approved; and
at the end of each meeting, Committee members met privately with Internal Audit and External Audit.

Risk Management

There should be an update on the arrangements for risk management and the ongoing monitoring and oversight of the corporate risk register.

Internal Control Assurances

There should also be a section highlighting the internal control mechanisms, policies and additional assurance statements considered and discussed by the Committee during the year, examples such as:

Annual IT Assurance Statement;
Annual Report on complaints, fraud and raising concerns;
Annual Report on cyber-security;
Annual Report on procurement; and
Annual Report on ESG.

Internal Audit

This section provides an overview of the work performed by Internal Audit and their approach to their responsibilities during the year, including their Annual Report. See below a suggested table for providing details of Internal Audit reports.

Area	Recommendations	Status at Reporting Date	Assurance Rating
Title of Internal Audit report	X high priority X medium priority X low priority	Ongoing/Completed Implementation date:	Satisfactory/Limited/ Unacceptable

Area

Recommendations

Status at Reporting Date

Assurance Rating

Title of Internal Audit report

X high priority

X medium priority

X low priority

Ongoing/Completed

Implementation date:

Satisfactory/Limited/ Unacceptable

External Audit

This section provides an overview of the work performed by External Audit and their approach to their responsibilities during the year, including their reports. There is also the opportunity to include the findings of other public reports published by External Audit and any impact on the organisation.

Governance

This section provides an opportunity for ARAC to comment on any issues in relation to the Governance Statement or to bring to the attention of the Accounting Officer or Board.

Conclusion - ARAC Effectiveness

ARAC should conclude:

its view on its own effectiveness;
as to whether it is satisfied that it has fulfilled its duties as guided by its Terms of Reference;
that by reviewing the work of Internal and External Audit and other assurances provided to the Committee, every effort has been made to review and oversee internal control and risk management arrangements; and
if sufficient assurance has been provided to the Accounting Officer in the discharge of his/her accountability obligations.

Appendix 4: The role of the Chair of the Audit and Risk Assurance Committee

The role of the Chair of ARAC goes beyond chairing meetings. It is key to the effectiveness of the Committee. Their role includes a number of additional responsibilities beyond Committee meetings themselves, including:

Before each meeting the Chair and the Committee Secretary should meet to discuss and agree the scheduled business for the meeting. The Chair should take ownership of, and have final say in, the decisions about what business will be conducted at any particular meeting.
ARAC meeting time should be optimised by ensuring that all agenda papers are issued in good time. Each paper should be summarised with an outline provided of the key points, which are then cross referenced to the organisational business and risk agenda. In addition a brief comment should be included to clarify what Committee action is required.
Ensuring that after each meeting appropriate reports are prepared from ARAC to the Accounting Officer and Board. They should also provide an annual report to the Accounting Officer and Board.
The Chair should have bilateral meetings at least annually with the Accounting Officer, the Head of Internal Audit and the External Auditor. Where any person is appointed to these positions the Chair should meet them as soon as practicable after their appointment.
The Chair should ensure that all ARAC members have an appropriate programme of engagement with the organisation and its activities to help them understand the organisation, its objectives, business needs and priorities.
The Chair should establish a mechanism to enable key stakeholders to consider the overall risk and assurance needs.
The Chair should encourage good, open relationships between ARAC, Accounting Officer, Finance Director and Internal and External Auditors.
The profile of ARAC can be raised to support and add weight to audit work by:
- promoting audit issues with the Board and other directors to make sure they appreciate the purpose and value of audit;
- holding managers within the organisation to account for the implementation of all audit recommendations; and
- when appropriate calling business heads to meetings, for example, to clarify issues and explain how they are delivering agreed actions for risks for which they are responsible;
- arranging separate meetings for the Chair, NEBMs and Internal and External Auditors to help establish good open working relationships;
- arranging meetings with Internal Auditors and the Finance Director etc in the weeks leading up to ARAC meetings to discuss potential agenda items and papers that should be provided;
- arranging pre-meetings with the Internal Auditors (and possibly External Audit) immediately before ARAC meeting to help focus discussions; and
- the Chair should ensure that there is an appropriate process between meetings for action points arising from Committee business to be appropriately pursued. The Chair should also ensure that members who have missed a meeting are appropriately briefed on the business conducted in their absence. Chairs may choose to rely on the Secretariat to take responsibility for these actions.
Committee Appraisal: The Chair should take the lead in ensuring that Committee members are provided with appropriate appraisal of their performance as a Committee member and that training needs are identified and addressed. They should seek appraisal of their own performance from the Accounting Officer (or Chair of the Board, as appropriate). In addition, they should ensure that there is a periodic review of the overall effectiveness of ARAC and of its terms of reference.
Committee Appointments (Central Government only): The Chair should be involved in the appointment of new Committee members. Their advice should be sought in relation to the skills and experience being sought by the Committee when a new member is appointed.