Guidance

Audit and Risk Assurance Committee: terms of reference

Published 13 May 2024

The Departmental Board (“the Board”) establishes the DBT Audit and Risk Assurance Committee (ARAC) (“the Committee”) to support the Board and Accounting Officer in their responsibilities for issues of risk, control, and governance.

The committee reviews the comprehensiveness of assurances in meeting the Board and Accounting Officer’s assurance needs. The committee reviews the reliability and integrity of these assurances.

The purpose of the Audit and Risk Assurance Committee is to support the Departmental Board and Accounting Officer in their responsibility to ensure that DBT is a financially sound and efficient organisation which makes effective use of its resources in pursuit of its strategic objectives. Specifically, the Audit and Risk Assurance Committee reviews the effectiveness of the risk management framework established by management to identify, assess, and manage risk; thereby playing an important role in supporting DBT’s reputation for excellent financial and risk management.

Membership

Members of the Audit and Risk Assurance Committee are non-executives and Independent Members appointed by the Permanent Secretary. The Chair should be a suitably experienced Non-Executive Board Member.

The Committee is considered quorate when at least 3 members are present. Others may be invited to attend Committee meetings as and when subjects for which they are responsible are discussed.

DBT’s governance page lists the current members of the Audit and Risk Assurance Committee.

The following non-members also attend:

  • a representative of External Audit
  • the Head of Internal Audit
  • the Permanent Secretary
  • the Chief Finance Officer
  • Deputy Director, Assurance, Partnerships and Financial Governance
  • Deputy Director, Financial Control

Appointments

Members will be appointed for periods of up to 3 years, extendable by no more than 1 additional 3-year period which is subject to approval by the DBT Accounting Officer in conjunction with the Chair.

Reporting

Reporting lines are:

  • the Audit and Risk Assurance Committee will report to the Board and Accounting Officer
  • the Chair of ARAC will report on the business of ARAC to the Board unless, in the opinion of the ARAC Chair, an earlier report is required
  • the Chair will call on members of the committee to routinely declare any potential conflicts of interest to allow appropriate action to be taken
  • the Audit and Risk Assurance Committee will provide the Board and Accounting Officer with an annual report, timed to support finalisation of the accounts and the governance statement, summarising its conclusions from the work it has done during the year
  • the Audit and Risk Assurance Committee will periodically review its own effectiveness and report the results of that review to the Board

The ARAC terms of reference will be made publicly available on GOV.UK.

Responsibilities

The Committee operates in an independent advisory capacity, providing advice to the Board and Accounting Officer on:

  • the effective operation of the overall control (including financial), risk and governance arrangements, including ensuring adequate assurance is available to the Accounting Officer for the annual governance statement
  • the accounting policies, the accounts, and the annual report of the organisation, including the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors
  • the planned activity and results of both internal and external audit
  • adequacy of management response to issues identified by audit activity, including external audit’s management letter
  • ARAC members will take the lead on allocated director general areas and partner organisations and will report to the ARAC orally at a frequency to be agreed each year
  • assurances relating to the management of risk and corporate governance requirements for the organisation and for this to include environmental, social and governance (ESG) areas (for example, diversity and inclusion, capability, climate and environmental targets and the like) to be reported to the ARAC at a frequency to be agreed each year
  • anti-fraud policies, whistle-blowing processes, and arrangements for special investigations
  • effective enforcement of business appointment rules

Rights

The Committee may:

  • co-opt additional members for a period not exceeding a year to provide specialist skills, knowledge and experience

  • ask any other officials of the organisation to attend and/or provide it with a written report to assist it with its discussions on any particular matter

Access

The Head of Internal Audit and the representative of External Audit will have free and confidential access to the Chair of the Audit and Risk Assurance Committee.

Secretariat

The Audit and Risk Assurance Committee will be provided with a secretariat function by the DBT governance team.

Conflicts of interest

A committee member or attendee who becomes aware of a potential conflict of interest relating to matters being discussed by the committee should give prior notification to the Chair.

If this is not possible, they should declare this at the meeting and, where necessary, withdraw during discussion of the relevant agenda item.

Frequency and timings of meetings

The Audit and Risk Assurance Committee:

  • will meet at least 5 times a year - the Chair of the committee may convene additional meetings, as they deem necessary
  • requires a minimum number of 3 members of the committee, including at least one non-executive board member, to be present for the meeting to be deemed quorate
  • will normally be attended by:
    • the Accounting Officer
    • the Chief Operating Officer or Chief Finance Officer
    • a Senior Civil Servant responsible for risk, assurance and control
    • representatives from Internal and External Audit
  • may ask any other officials of the organisation to attend to assist it with its discussions on any particular matter
  • may ask any or all of those who normally attend but who are not members to withdraw to facilitate open and frank discussion of particular matters
  • may be asked by the Board or the Accounting Officer to convene further meetings to discuss particular issues on which they want the Committee’s advice
  • will hold annual closed meetings with the Government Internal Audit Agency and the National Audit Office
  • business can be undertaken outside of a full meeting by, for example, email - all matters considered by this route should be reported to the committee at its next full meeting

Information requirements

The meeting will be provided with regular updates (on a quarterly basis unless otherwise stated) on the following:

  • risk and assurance including:
    • a quarterly risk update summarising any significant changes to the organisation’s strategic risks
    • a copy of the strategic risk register
    • the organisation’s risk management strategy
    • risk management and assurance on strategic projects and initiatives
    • the organisation’s risk appetite
    • twice yearly reports on corporate assurance
    • annual cyber security and information risk management and assurance
  • partner organisation risk management and assurance
  • a business update from the Permanent Secretary
  • progress report from the Head of Internal Audit summarising:
    • work performed (and a comparison with work planned)
    • key issues emerging from the work of internal audit
    • management response to audit recommendations
    • changes to the agreed internal audit plan
    • any resourcing issues affecting the delivery of the objectives of internal audit
  • a progress report (written or verbal) from the External Audit representative summarising work done and emerging findings
  • management assurance reports
  • governance of business appointment rules
  • serious incidents log
  • internal audit tracker
  • Dear Accounting Officer letters

As and when appropriate the committee will also be provided with:

  • proposals for the terms of reference of internal audit and the internal audit charter
  • the internal audit strategy
  • the Head of Internal Audit’s annual opinion and report
  • quality assurance reports on the internal audit function
  • the draft accounts of the organisation
  • the draft governance statement
  • a report on any changes to accounting policies
  • External Audit’s management letter
  • a report on any proposals to tender for audit functions
  • a report on co-operation between internal and external audit
  • an annual review of ARAC terms of reference
  • Board level key risk indicators (KRIs) once these have been developed and defined
  • directorate level assurance statement
  • a portfolio and project delivery update
  • the Senior Information Risk Owner (SIRO) annual review
  • the ARAC effectiveness review or ARAC annual report
  • DBT annual report and accounts
  • strategic risk deep dives at a frequency agreed by the committee

The Secretariat will ensure that all information and papers are provided at least 72 hours before formal ARAC meetings.

Conflicts of interest and code of conduct

Each member of the Audit and Risk Assurance Committee should take personal responsibility to declare pro-actively any potential conflict of interest:

  • arising out of business undertaken by the department
  • arising on the agenda
  • from changes in the member’s personal circumstances

The Chair of the Audit and Risk Assurance Committee will then determine an appropriate course of action with the member. For example, the member might simply be asked to leave while a particular item of business is taken; or in more extreme cases the member could be asked to stand down from the committee.

If it is the Chair who has a conflict of interest, the Board should ask another member of the Audit and Risk Assurance Committee to lead in determining the appropriate course of action.

A key factor in determining the course of action will be the likely extent and duration of the conflict of interest: a conflict likely to endure for a long time is more likely to suggest that the member should stand down.  

Members should comply at all times with the code of conduct for board members of public bodies and other appropriate guidance, including the rules relating to the use of public funds. They should have regard to the principles of public life (selflessness, integrity, objectivity, accountability, openness, honesty and leadership) and act in the best interests of the department.

Partner organisations

The committee will, in consultation with the department’s Accounting Officer and the directors of finance and commercial, establish appropriate arrangements to identify the partner organisations with the greatest potential to impact the department’s objectives and its consolidated financial statements.  

The committee will support the department’s Accounting Officer by establishing appropriate relationships with DBT partner organisations. The committee will endeavour to ensure that additional opportunities for communication exist for the sharing of good practice and issues of mutual concern, for example ARAC Chair networking meetings.