Audit and Risk Management Committee Terms of Reference

Constitution

The NHS Business Services Authority (NHSBSA) hereby establishes a Committee to be known as the Audit and Risk Management Committee (the Committee). It is constituted as a non-executive committee of the NHSBSA’s Board, which determines its membership and Terms of Reference. The Committee is authorised to investigate any activity within the Terms of Reference and can seek any information from employees of the NHSBSA, who must comply with any such request. The Committee is authorised to seek outside legal or other independent professional advice and secure the attendance of outsiders with relevant expertise if considered necessary.

The Committee will adhere to all external standards that are applicable to the work of the NHSBSA. (Appropriate standards include, but are not limited to: HM Treasury Audit Committee Handbook; Audit Committees and the External Audit: Minimum Standard.)

Membership

The Committee shall consist of not less than three members. Two of these will be appointed by the Board. The third member will be appointed by the Department of Health and Social Care (DHSC) as Chair of the Committee. At least one member shall have significant relevant financial experience. The NHSBSA’s Chair shall not be one of these members, although they may be invited to attend meetings where the issues discussed are relevant to the whole Board or to the Chair directly. The Committee shall be quorate providing there are two members present.

Attendance

The Chief Executive, Executive Director of Financial and Commercial Services, Executive Director of People and Corporate Services, appropriate Internal Audit service provider and External Audit representatives shall normally attend meetings. However, at least once a year, the Committee shall meet with the auditors without any other person present. Other Directors, managers or relevant staff may be invited to attend on occasion, particularly when the Committee is discussing significant matters relating to risks or operations that are the responsibility of a particular director. The Chief Executive must attend the meeting that reviews and agrees the Annual Governance Statement (AGS), to discuss the process for assurance that supports the AGS, the Annual Report and Accounts and the NHS Pension Scheme.

The Internal Auditors and External Auditors shall have confidential and direct access where required, to members of the Committee on matters arising from, or relevant to, the Committee. The Committee members may meet privately without the presence of non-members for all or part of a meeting, as requested.

Frequency

Meetings shall be held as required and not less than four times in one financial year. The Chief Executive, Executive Director of Finance and Commercial Services, Executive Director of People and Corporate Services, Internal Audit or External Audit may request a meeting if they consider that one is necessary.

Duties

The Committee shall undertake the following duties:

Governance, Risk Management and Control

1. Provide the NHSBSA’s Board with an independent and objective review of the adequacy and effectiveness of the NHSBSA’s Assurance Framework (the framework of governance, risk management, controls and related assurances). In particular, it will review:
   • all risk and control related disclosure statements (in particular the Annual Governance Statement together with the accompanying Internal Audit statement)
   • the underlying assurance process that governs the management of principal risks and issues, and the achievement of business objectives
   • the appropriateness of policies and procedures for ensuring compliance with law, guidance and codes of conduct, and their effectiveness
   • policies and procedures related to physical security, bribery and the detection and prevention of fraud
   • policies and procedures related to Freedom to Speak Up (whistleblowing)
   • matters relating to Information Governance (including Information Security)
   • matters relating to the management of major incidents, near misses and lessons learned, as part of the regular reports for items listed above
2. Advise the Chief Executive and Board, where appropriate, on proposals for the appointment of either Internal or External Audit services or on the purchase of non-audit services from contractors who provide audit services.
3. Consider other topics as requested by the Board.
4. The Committee may procure specialist ad-hoc advice relevant to the work of the Committee at the expense of the organisation, subject to budgets agreed by the Board.

Internal Audit

1. Provide assurance to the Board that an effective Internal Audit function is established at an appropriate fee that meets mandatory UK Public Sector Internal Audit Standards and provides appropriate independent assurance to the Committee.
2. Review and approve the annual Internal Audit Plan, monitor progress to deliver the plan and ensure co-ordination between the Internal and External Auditors to optimise audit resources. Review and approve any in-year changes to the Internal Audit Plan.
3. Review the outcomes and recommendations of Internal Audit reports, the status of planned audits and monitor the agreed management actions.
4. Ensure that the Internal Audit function is adequately resourced and has appropriate standing within the organisation.
5. The members will meet privately at least once a year with the Internal Auditors.

External Audit

1. Discuss and provide input for the External Audit planning report with the External Auditors before the commencement of the audit, and where appropriate ensure co-ordination with other External Auditors in the system.
2. Review External Audit reports, including annual audit letters and management’s responses.
3. The members will meet privately at least once a year with the External Auditors.
4. Review other sources of external audit and assurance, as appropriate.

Finance

1. Review the Annual Report (including the AGS) and Financial Statements (NHSBSA Administration ad NHS Pension Scheme) before submission to the Board, challenging assumptions and judgements made during their compilation, and focusing particularly on:
   • changes in, and compliance with, accounting policies and practices
   • unadjusted misstatements in the financial statements
   • major judgemental areas
   • significant adjustments resulting from the audit
2. Consider the context of any report involving the NHSBSA issued by the Public Accounts Committee or the Comptroller and Auditor General and review management’s proposed response before presentation to the Board for agreement.
3. Review schedules of losses and special payments.

Reporting Arrangements and Mechanisms

The Committee meetings shall be formally recorded, and the confirmed minutes submitted to the Board.

The Committee shall provide a report to the Board following each meeting, providing a summary of its key activities, assurances given and any advice to the Board. The report shall also be shared with the Accounting Officer, Internal Audit and External Audit representatives.

The Committee shall undertake an annual review of its own effectiveness.

The Committee shall submit an annual report of its work to the Board. The timing of this report will coincide with the production of the Annual Report and Accounts.