Audit and Risk Assurance Committee Handbook
The Audit and Risk Assurance Committee handbook reflects developing best practice in governance.
Details
This Audit and Risk Assurance Committee (ARAC) handbook covers the roles and responsibilities of an ARAC and provides guidance on good governance processes for ARACs.
Whilst it is not intended to provide guidance on areas that an ARAC may need to review, Annex F ‘Key questions for an ARAC to ask’ does provide prompts on what ARACs should consider on a range of topics, including whistleblowing and cyber security. This Annex is not meant to be an exhaustive (or restrictive) list of questions relating to a particular topic.
The Handbook was updated in March 2025 to include changes resulting from the introduction of the Global Internal Audit Standards. This resulted in the introduction of Annex H ‘Governing the Internal Audit Function’, which outlines, for ARACs, the key requirements contained in the Global Internal Audit Standards. Consequently, the checklist which an ARAC could use to review its effectiveness is now at Annex I. To help with an effectiveness review and take account of each member’s views, this checklist is also published as a standalone self-assessment tool, allowing the views of all ARAC members (and of others) to be collated and analysed. This tool is a modified version of the National Audit Office’s Outcome Analyser and includes changes resulting from the introduction of the Global Internal Audit Standards. As an alternative, ARACs can consider using the NAO’s ARAC effectiveness tool and its outcome analyser, which incorporates leading practice alongside the essentials set out in the ARAC Handbook. This may be particularly appropriate for ARACs of large or complex organisations.
The current (August 2025) minor update to the Handbook makes clear that the self-assessment tool does not need to be completed annually, but it should be completed at least once every three years. The self-assessment tool has also been amended to allow some questions to have a not applicable response.
Updates to this page
- Minor updates to the Handbook have been made, to make clear that the self-assessment tool does not need to be completed annually, but it should be completed at least once every three years. The self-assessment tool has also been amended for this requirement and to allow some questions to have a not applicable response.
- ARAC handbook and GIAA Audit and Risk Assurance Committee Self-Assessment Tool updated.
- Updates made to body copy about the Audit and Risk Assurance Committee self-assessment tool.
- The Handbook has been fully refreshed to improve clarity and reflect changes in best practice in governance. The annexes on whistleblowing and cyber security have been removed, and some questions on these topics are now incorporated into Annex F ‘Key questions for an ARAC to ask’. A checklist for ARACs to use to review their effectiveness has been added at Annex H. To help with this review and take account of each member’s views, the questions from Annex H have been transferred to a spreadsheet allowing the views of all ARAC members (and of others) to be collated and analysed.
- Added Audit and Risk Assurance Committee Handbook Annex J Cyber Security.
- New, updated PDF.
- First published.