Audit & Risk Assurance Committee Terms of Reference

This page describes the operating terms of the Audit & Risk Assurance committee.

Published: 5 April 2023

Version: 2.8

Table of contents

  1. Terms of Reference - Purpose
  2. Duties
  3. Members
  4. Attendees
  5. Quorum
  6. Meeting Arrangements


The Audit & Risk Assurance Committee provides assurance to the Board and Accounting Officer on all aspects of risk management and internal control and governance arrangements. The Committee will review the comprehensiveness of assurance available to the Board and Accounting Officer and consider the reliability and integrity of this assurance.

The Committee is authorised to take decisions on behalf of the NHS Counter Fraud Authority(NHSCFA) on matters relevant to the purpose of the committee, (but not reserved to the Board), and to obtain outside, independent professional advice and secure attendance of outsiders with relevant experience and expertise if they consider this to be necessary. The Committee is authorised to co-opt additional members for a period not exceeding a year to provide specialist skills, knowledge and experience.


The Committee will advise the Board and Accounting Officer on:

  • The adequacy of the NHSCFA’s assurance processes for managing risk, internal control and governance.
  • The accounting policies, the annual accounts including governance statement and the annual report of NHSCFA.
  • The planned activity and reports from both internal and external audit;
  • Adequacy of management responses to issues identified by external audit, internal audit and NHSCFA governance & assurance recommendations, including external audit’s management letter;

The Committee will annually review its own effectiveness and report the results of that review to the Board.

A copy of the agreed minutes of each meeting of the committee will be presented by the chair of the committee to the Board. The Committee will also provide an annual report to the Board to support the approval of the annual report and accounts.

Governance, Risk Management and Internal Control:

  • The Committee will review the establishment and maintenance of an effective system of governance, risk management and internal control, covering all NHSCFA’s activities and supporting achievement of the organisation’s objectives
  • In particular, the Committee will review the adequacy and effectiveness of:
    1. All risk and control related disclosure statements (in particular the annual governance statement), together with the accompanying Head of Internal Audit opinion, external audit opinion or other appropriate independent assurances, prior to endorsement by the Board, where necessary;
    2. The underlying assurance processes that indicate the degree of achievement of corporate objectives, the effectiveness of the management of principal risks and the appropriateness of the above disclosure documents;
    3. The policies for ensuring compliance with relevant regulatory, legal and code of conduct requirements and related reporting and self-certification; and,
    4. The policies and procedures for all work related to whistle-blowing processes, countering fraud & corruption.
  • The Committee will consider the work of internal audit, external audit and NHSCFA internal governance & assurance function as well as any other sources of assurance considered necessary. It will also seek reports and assurances from Officers as appropriate, concentrating on the over-arching systems of governance, risk management and internal control, together with indicators of their effectiveness.
  • The committee will regularly review the risk management policy, the risk register, and the risk appetite. It will also review the adequacy of risk mitigation and periodically undertake “deep dives” into particular risk areas.

Internal Audit:

  • The Committee will ensure there is an effective internal audit function that meets mandatory Public Sector Internal Audit Standards & the requirements detailed in ‘HM Treasury Managing Public Money’ and provides appropriate independent assurance on the full range of strategic, financial and operational risks to the Audit Committee, Chief Executive and Board.
  • This will be achieved by:
    1. Consideration of the provision of the internal audit service, the cost of the audit and any questions of resignation and dismissal;
    2. Review and approval of the internal audit annual plan and more detailed programme of work ensuring that this is consistent with the audit needs of NHSCFA.
    3. Considering the findings of internal audit (and management’s response), and ensuring co-ordination between the internal and external auditors to optimise audit resources;
    4. Ensuring that the internal audit function is adequately resourced and has appropriate standing within NHSCFA; and
    5. Ensuring appropriate follow up of internal audit recommendations by management on a timely basis.
    6. Undertaking an annual review of the effectiveness of internal audit.

External Audit:

  • The Committee will review the work and findings of the external auditors and consider the implications of and management’s response to their work.
  • This will be achieved by:
    1. Discussion with the external auditors, before the audit commences, of the nature and scope of the audit as set out in the annual plan
    2. Discussion with the external auditors of their evaluation of significant audit risks, their assessment of NHSCFA and the associated impact on the audit fee; and
    3. Review of all external audit reports, including the Audit Planning Report and the Audit Completion Report (both addressed to those charged with governance)
    4. Review any work undertaken outside the annual financial statement audit together with the appropriateness of management responses.

The Committee will meet at least annually with internal and external audit without management present to discuss their respective remits and any issues arising from their audits.

Other Assurance Functions:

  • The Committee will review findings of other significant assurance functions, both internal and external to NHSCFA and consider the implications for the governance of NHSCFA. These will include, but will not be limited to, any reviews by the Department of Health & Social Care.
  • In addition, the Committee will review the work of other groups within NHSCFA, whose work can provide relevant assurance to the Committee’s own scope of work.
  • The committee will review the NHSCFA’s overall assurance framework and consider its adequacy.

    (a) Counter Fraud

  • The Committee will satisfy itself that NHSCFA has adequate arrangements in place for countering internal fraud and will review the outcomes of that work.
  • The committee will review and approve the internal counter fraud arrangements on an annual basis

    (b) Whistleblowing

  • The committee will review the policies by which staff may, in confidence, raise concerns about the possible improprieties in matters of financial reporting or other matters.

    (c) Information Governance

  • The Committee will consider the adequacy of the NHSCFA’s Information governance and cyber security arrangements, including business continuity planning.

Financial Reporting

  • The Committee will monitor the integrity of the financial statements of NHSCFA and any formal announcements relating to NHSCFA’s financial performance.
  • The Committee should ensure that the systems for financial reporting to the Board, including those of budgetary control, are subject to review both as to the completeness, accuracy and fitness for purpose of the information provided to the Board and with regard to the effectiveness of the Board’s consideration of this information.
  • The committee will review the NHSCFA’s annual budget prior to consideration by the board.
  • At every meeting the Director of Finance will present a budget monitoring statement for the committee’s review and to consider the achievement of value for money.
  • The Committee will review the annual report and audited accounts before submission to the Board, focusing particularly on:
    1. The wording in the annual governance statement and other disclosures relevant to the terms of reference of the Committee;
    2. Changes in, and compliance with, accounting policies, practices and estimation techniques;
    3. Unadjusted misstatements in the financial statements;
    4. Significant judgments in preparation of the financial statements;
    5. Significant adjustments resulting from the audit;
    6. Letter of Representation; and
    7. Qualitative aspects of financial reporting


  • Chair – a Non-executive director who must be a CCAB qualified accountant (in the absence of the Chair another Non-executive director who is a member of the Committee) PLUS
  • Two other Non-executive directors.
  • The Chairperson of the board cannot be a member of the committee

Members will declare any conflicts of interest not previously notified.


The following are usually expected to attend committee meetings;

  • Director of Finance.
  • Representative(s) of Internal Audit.
  • Representative(s) of external audit (dependent on agenda)
  • Chief Executive.
  • Department of Health & Social Care sponsor representative
  • Board Secretary
  • Minute taker

The committee may require the attendance of any director, or member of staff, to discuss and review any area it considers relevant to the role of the Committee.


The meeting will be quorate if two or more members are present.

Meeting Arrangements

The committee will meet at least four times per annum, scheduled to allow the discharge of all of the Committee’s responsibilities.

At least once a year the members of the committee will meet on their own with the Internal and External Auditors.

The agenda will be agreed with the Chair before being issued.

Agendas and papers will be circulated at least one week prior to the meeting.

Draft minutes of the meeting will be available for the chair’s review within one week of the meeting.

The Terms of reference are to be agreed by the board and reviewed annually.

The Committee will maintain an annual work programme.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!