Skip to main content
English Cymraeg

Annual Report to the FSA Board from the Chair of the Audit and Risk Assurance Committee (ARAC)

FSA 29/09/11 - Report by Anthony Harbinson, Chair, FSA ARAC

Last updated: 5 September 2024
Last updated: 5 September 2024

1. Summary

1.1      To provide the Board with a summary of the work undertaken by the FSA ARAC during 2023/24 in accordance with the ARAC’s Terms of Reference (see Annex C).

1.2      The Board is asked to:

  • Note the work that has been undertaken by the ARAC during the 2023/24 financial year; and

  • Note that this report has been agreed with the other members of the ARAC.

2. Introduction

2.1      The report sets out the work of the ARAC that I have chaired since the 1 January 2024 in relation to the Committee’s activities in England, Wales, and Northern Ireland (NI) during the year to 31 March 2024.

2.2      I would like to thank all my fellow Board Members who served on the ARAC during the year, including my predecessor as Chair of ARAC, Tim Riley, the Executive and in particular, the Chief Executive (CE), Emily Miles, as well as the Board Secretariat team for their supportive and professional approach.

2.3      I would also like to thank the FSA’s Internal Audit Team, Catherine Andrews, the Head of Internal Audit, Ruth Nolan, the Director of People and Resources, other FSA officials and representatives of the National Audit Office (NAO) who have attended the meetings during the year to present reports which have provided the basis for much of the ARAC’s work.

2.4      The respective roles of the Chief Executive, ARAC and Board are set out at Annex A.

3. Discussion

Key Events in 2023/24

3.1      ARAC meetings took place in May, June, August, September, and November 2023 as well as March 2024.  ARAC meetings continued to be held virtually except for November which was in person. I replaced Tim Riley as Chair of ARAC after he was appointed Deputy Chair of the Board in January 2024. For details of ARAC membership see Annex B.

3.2      The drafts of the Head of Internal Audit’s 2022/23 annual report and opinion and the Chair’s Annual Report to the Board for 2022/23 were discussed at the May 2023 meeting.  The draft 2022/23 Annual Report, Governance Statement and Accounts were discussed at the May, June, September and November meetings.

3.3      The corporate risk register was presented to, and discussed by, the ARAC at the June, September, and November 2023 meetings.  The Committee also received regular risk management updates at ARAC meetings on the FSA’s mitigations for cyber security risks. Deep dives into risks around Cost of Living, Delivery of Official Controls retender, and Lessons from CBD were also presented to, and considered by ARAC during the year.

3.4      ARAC reviewed, discussed and approved the draft internal audit and regulatory audit plans for 2024/25 when we met in March 2024.  The audit plans were approved with the understanding that these may be subject to revision over the year in response to changes in the FSA’s risk profile or other events impacting on the FSA.

3.5      ARAC received notification of and regular updates on any investigations conducted during the year where there was potential for compliance, financial, or reputational risk.

The FSA’s 2022/23 Annual Report and Accounts (ARA)

3.6      The draft 2022/23 accounts and annual report were initially presented to ARAC in May 2023 with further discussion at the June 2023 meeting.  An updated version was presented at the ARAC meeting in September 2023.  Four sets of accounts were provided to the Committee: the consolidated set of accounts and one set each for England, Wales, and NI.  No significant issues were raised by members in relation to the accounts.

3.7      Due to the several factors, which included the timing of the Local Government Pension Scheme (LGPS) pension audit, accounting disclosure improvements and increased work resulting from new auditing standards (ISA 315), the NAO did not complete their audit of the accounts until January 2024.  At the November 2023 meeting, ARAC acknowledged the changes to the ARA since the previous meeting and NAO presented their draft audit completion report. 

3.8      FSA and NAO continued to work together following the ARAC meeting, agreeing that the four sets of accounts would be submitted to the Comptroller and Auditor General (C&AG) for certification in January.  The Accounting Officer signed the accounts on 26 January 2024 and the C&AG certified the accounts on 30 January with an unqualified audit opinion.

Internal and External Assurance 2023/24

3.9      All final internal audit (IA) and regulatory audit (RA) reports issued during the year were shared with me (or the previous ARAC Chair).  Other ARAC members received a copy of audit reports with a “limited” or “unsatisfactory” opinion (see Annex D for audit assurance level definitions) and relevant Directors were invited to discuss such reports with ARAC.

3.10   Two audits completed during 2023/24 which resulted in a “limited” opinion were discussed at ARAC, these being Counter Fraud, Bribery & Corruption (IA) and Microbiological Criteria Sampling and Testing (RA).  The Committee had productive discussions with the executive on issues highlighted by these reports and management have either implemented or are taking forward agreed actions to reduce the risks in these areas.  No audits had an “unsatisfactory” opinion.

3.11   The executive summary of each report with a “substantial” or “moderate” opinion was shared with ARAC members as part of the respective progress reports on internal and regulatory audit activities presented to ARAC meetings.  The Committee was updated regularly on actions taken by management teams to address the issues raised in all internal and regulatory audit reports.

3.12   A summary of assurance activities and outputs for 2023/24 is in the table below.  The figures for 2022/23 are provided for comparison.

 

Internal Audit Reports
Assurance activities and outputs No. of reports 2022/23 No. of reports 2023/24
Substantial 2 4
Moderate 4 6
Limited 1 1
Unsatisfactory 0 0
Advisory Reports/Management Letters 1 1
Total number of reports issued 8 12
Number of Planned Audits 9 12

 

Regulatory Audit Reports
Assurance activities and outputs No. of reports 2022/23 No. of reports 2023/24
Substantial 0 0
Moderate 3 1
Limited 0 1
Unsatisfactory 0 0
Opinion not applicable 2 0
Total number of reports issued 5 2
Number of Planned Audits 6 *3

*The Regulatory Audit Team had 3 new starters in 2023/24 and one long term auditor absence reducing capacity by 25% compared to 2022/23.

3.13   The Committee also received summaries of reports in relation to external audits and reviews conducted by third parties such as a review of the acquisition of communication data by the Investigatory Powers Commissioner’s Office, an independent evaluation of the efficacy of withdrawals and a review of the FSA’s Risk and Crisis Management capabilities.  Full reports of such reviews and audit reports are provided to ARAC members on request.

3.14   At the November meeting the ARAC received the first iteration of an assurance framework and map aligned with the risk appetite which has been developed in line with the new Risk Control Framework set out in the updated Orange Book: Management of Risk – Principles and Concepts.  We were supportive of the approach and noted that the map will evolve and change as further iterations are developed.  

ARAC Effectiveness

3.15   During the year committee members and standing attendees completed our annual self-assessment on the effectiveness of the ARAC in line with HM Treasury guidance utilising the NAO self-assessment tool.  In general, we thought we were meeting or excelling against the criteria.  However, we identified some areas where we could improve such as range of skills, training and development, climate change and ESG assurance mapping and financial reporting.  An action plan to improve these areas was developed and has been implemented.

3.16   ARAC members continued to access a range of training opportunities during the year especially those members who joined the committee in 2022.

3.17   In June 2023, members of the Committee held bilateral meetings with representatives of the FSA’s external auditors, the NAO, and the Head of Internal Audit.  These meetings ensured that there is a clear understanding of expectations and mutual understanding of current issues.  The Committee also concluded that there is a good working relationship between Finance, external auditors, and internal and regulatory audit.

Adequacy of Risk Management, Control and Governance Arrangements

3.18   I am satisfied that sufficient and comprehensive work was undertaken by ARAC, and internal and external assurances were received during the year to adequately inform ARAC’s assessment on the effectiveness of FSA risk management, control and governance arrangements.  Based on this, it is my view, as Chair of the Committee, that the arrangements in place during the year were satisfactory.

4. Future ARAC Meetings

4.1      During 2023/24 ARAC meetings were held approximately two weeks before Board meetings to enable a written report of ARAC meetings to be presented at the Board meeting.  It is expected that the Committee will continue with this approach and will meet four times in 2024/25 with no increase in resource requirements anticipated.

Annex A - Role of the ARAC

1     The Committee’s prime purpose is to provide advice to the Board and the Accounting Officer on internal control, risk management and governance.

2     Internal and external auditors attend ARAC meetings.  Others may be asked to attend where the Committee wishes to review progress on specific issues.

The role of the FSA Board

3       This annual report by the Chair of the ARAC provides the Board with an independent view of how assurance and risk matters are being handled within the FSA.  The Board’s role is to note and comment on the activities of the ARAC.

The role of the Chief Executive

4       HM Treasury has appointed the Chief Executive as the Principal Accounting Officer of the FSA.  The Chief Executive has a direct, personal responsibility to the Westminster Parliament for the propriety and regularity of FSA expenditure.  The Chief Executive also signs the financial statements in respect of the monies from the National Assembly for Wales and the NI Assembly.

5       The Chief Executive is required to sign the annual Governance Statement, which is published in the Annual Report and Accounts.

Annex B – Membership of the FSA Audit and Risk Assurance Committee 2023/24

Members:

Tim Riley Chair (until 31 December 2023)
Anthony Harbinson Chair (from 1 January 2024)
Ruth Hussey Member (until 30 June 2023)
Margaret Gilmore Member
Justin Varney Member
Mark Rolfe Interim Member (from 12 July 2023 until 31 December 2023)

Standing Attendees:

Emily Miles Chief Executive
Tara Smith Director of People and Resources (until 30 June 2023)
Ruth Nolan Deputy Director of Finance and Planning (until 20 August 2023)
  Director of People and Resources (from 21 August 2023)
Ed Clift Deputy Director of Finance and Planning (from 29 January 2024)
Catherine Andrews Head of Internal Audit
Nathan Philippo Head of Delivery Assurance
Michael Todd Head of Planning & Performance
James Edmands NAO
Andrew Jackson NAO

Annex C - Terms of Reference for the FSA Audit & Risk Assurance Committee

Purpose

The Audit and Risk Assurance Committee (ARAC) is an advisory Committee of the FSA Board with no executive powers.  It is responsible for reviewing, in a non-executive capacity, the comprehensiveness and reliability of assurances on governance, risk management and the control environment. 

The ARAC will approve the Annual Reports and Accounts (ARAs) on behalf of the FSA Board, with the recommendation that the Accounting Officer sign the accounts on approval.  It shall additionally have responsibility for reviewing the integrity of financial statements.

Membership

A minimum of four Members of the FSA Board appointed by the FSA Chair under delegated powers following consultation with the Committee Chair.  At least one of those appointed will be a Board Member for Wales or Northern Ireland. 

The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board and will automatically cease if an individual ceases to be a Board Member. 

At least one of the Committee members should have recent and relevant financial experience.

All new members will be provided with induction training and the FSA will provide for any additional development which is deemed necessary for the member to fulfil their role on the Committee.  The Chair of the ARAC will hold an annual review with each member and any training or development needs will be taken forward with the agreement of the Chair and Accounting Officer.

Committee Chair 

Appointed from the membership of the Committee by the Chair of the FSA under delegated powers.  The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board.

Co-option

The Committee may co-opt additional members (whether members of the FSA Board or not) for a period of up to one year to provide specialist skills, knowledge or experience.  Co-opted members will have a right to speak, but not vote.  Co-opted members will not be included in any calculation of the quorum.

Quorum

Three Non-Executive Board Members.

Attendance 

The Chief Executive, as Accounting Officer, the Director of People and Resources, the Deputy Director of Finance and Planning, the Head of Planning and Performance, the Head of Internal Audit, the Head of Delivery Assurance and a representative of the external auditors would normally be invited to attend.

Directors and other officials will be invited to attend as required.

Reporting 

The ARAC Chair will provide the Chair of the FSA and the Board with a written update on the key elements of Committee meetings.  The ARAC will report formally in writing to the Board, annually, to support the finalisation of the accounts and the Governance Statement and to update the Board on the work of the Committee, internal and external audit and any areas requiring specific attention.

Meetings

The ARAC will meet at least four times a year.  The Chair of the Committee will convene additional meetings as necessary.  The Committee has the right to sit privately without any non-members present for all or part of a meeting. 

Additionally, the members of the Committee will meet with the Head of Internal Audit and, separately, the External Auditors, annually, in closed meetings when the efficacy of the processes, trust, co-operation and any other issues can be discussed, and future action agreed.

The FSA Chair, the Board or the Accounting Officer may ask the ARAC to convene further meetings to discuss specific issues on which they want the Committee’s advice.

Responsibilities

The ARAC will advise the FSA Board and Chief Executive on:

  1. The strategic processes for risk management, the high-level control and governance framework and the effectiveness of its operation in practice.

  2. The contents of the Governance Statement. 

  3. The accounting policies, the accounts, and the annual report of the FSA, including the judgements used in producing the accounts, the adequacy of disclosures, the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors. 

  4. The effectiveness of the design and operation of financial systems and controls.

  5. The planned activity and results of internal, regulatory and external audit and the results of other, external assurance reports.

  6. The resourcing and effectiveness of the internal audit function.

  7. Provide independent scrutiny of the audit process of the regulatory audit system.

  8. The adequacy of the management response to issues identified by audit activity, including external audit management letters. 

  9. Assurances relating to the corporate governance requirements for the organisation. 

  10. Proposals for tendering for either internal or external audit services or for the purchase of non-audit services from contractors who provide audit services. 

  11. Counter-fraud and internal whistle-blowing policies and processes, and arrangements for special investigations; and 

  12. The Committee’s effectiveness having reviewed its own performance, constitution and terms of reference and recommending any changes it considers necessary.

Information Requirements

The ARAC will be provided with, where appropriate:

  1. Any changes to the organisation’s Corporate Risk Register that are relevant to the responsibilities of the Committee. 

  2. The risk management strategy.

  3. Management assurance reports, and reports on the management of major incidents (which are relevant to governance, risk management and internal control), ‘near misses’ and lessons learned including those from serious case reviews.

  4. A bi-annual overview of external complaints and related data.

  5. An annual report of FSA’s Senior Civil Servant’s declarations of interest.

  6. An annual report on and the performance of the FSA’s arrangements for counter fraud, bribery and corruption.

  7. Information Security annual report and periodic updates.

  8. Environmental, climate change and net zero annual update.

  9.  Progress reports from both the Head of Internal Audit and Head of Delivery Assurance summarising: 
    1) work performed (and a comparison with work planned)
    2) key issues emerging from their respective audit work 
    3) management action in response to issues identified and agreed 
    4) changes to their respective audit plans 
    5) any resourcing issues affecting the delivery of their objectives

  10. Progress reports from the External Audit representatives summarising work done and emerging findings. 

  11. External assurance and compliance reports in relation to the FSA’s activities.  

  12. Internal audit and regulatory audit strategies and annual plans. 

  13. The Head of Internal Audit’s Annual Opinion and Report. 

  14. An annual report summarising the results of regulatory audits including an overall assessment / opinion on the effectiveness of official controls.

  15. Quality Assurance reports on the internal audit and regulatory audit functions. 

  16. The draft accounts of the organisation. 

  17. The draft Governance Statement.

  18. Any changes to accounting policies. 

  19. Proposals to tender for audit functions. 

  20. Summary of findings of every internal audit and regulatory audit report. 

  21. External Audit’s management letter; and 

  22. A report on cooperation between the FSA auditors and external auditors.

The ARAC will work with the FSA’s Executive Management Team to ensure that the Board can be confident that risk management processes, content, mitigating and recovery actions are appropriate and correctly resourced.

Notes

  1. The Chair of the ARAC will have free and confidential access to the Chair and Chief Executive of the FSA whenever appropriate. 

  2. The Head of Internal Audit and the representatives of External Audit will have free and confidential access to the Chair of the Committee. 

  3. The Committee may procure specialist ad-hoc advice at the expense of the FSA, subject to the cost being agreed by the Chief Executive as Accounting Officer.

Annex D – Assurance level definitions as applied to FSA assurance audit reports (excluding LA audit reports)

Assurance levels assigned to assurance audits as defined in the Government Internal Audit Manual:
 

Audit Opinion Definition
Substantial

In my opinion, the framework of governance, risk management and control is adequate and effective.

Green  

Moderate

In my opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control.

Yellow 

Limited

In my opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective.

Amber 

Unsatisfactory

In my opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail.

Red