FSA 22-09-08 Annual report to the FSA Board from the Chair of the Audit and Risk Assurance Committee (ARAC)
This paper provides the Board with a summary of the work undertaken by the FSA ARAC during 2021/22 in accordance with the ARAC’s Terms of Reference.
1. Summary
1.1 To provide the Board with a summary of the work undertaken by the FSA ARAC during 2021/22 in accordance with the ARAC’s Terms of Reference.
1.2 The Board is asked to:
- Note the work that has been undertaken by the ARAC during the 2021/22 financial year; and
- Note that this report has been agreed with the other members of the ARAC.
2. Introduction
2.1 The report sets out the work of the ARAC that I have chaired during the year to 31 March 2022 in relation to the Committee’s activities in England, Wales, and Northern Ireland (NI).
2.2 I would like to begin the report by thanking all my fellow Board Members who served on the ARAC during the year, the Executive and in particular, the Chief Executive (CE), Emily Miles, as well as the Board Secretariat team for their supportive and professional approach.
2.3 I would also like to thank Freedom Mpande the FSA’s Interim Head of Audit Assurance (HAA), Pam Beadnell, FSA Director of Finance and Performance Group, other FSA officials and representatives of the National Audit Office (NAO) and Mazars who have attended the meetings during the year to present reports which have provided the basis for much of the ARAC’s work.
2.4 The respective roles of the Chief Executive, ARAC and Board are set out at Annex A. Membership of the FSA ARAC during the year is detailed in Annex B.
3. Discussion
Key events in 2021/22
3.1 Due to the COVID-19 pandemic all ARAC meetings this year were held remotely. They took place in May, June, September and November 2021 as well as January and March 2022. In addition to myself, other Board Members who served on the ARAC were Ruth Hussey, Peter Price, Timothy Riley and Margaret Gilmore. Membership is in line with minimum requirement listed in the ARAC Terms of Reference.
3.2 ARAC reviewed and discussed the draft FSA audit assurance plans for 2022/23 when we met in January 2022. The audit assurance strategy was approved at the March 2022 meeting as was the 2022/23 audit plan but this may be subject to revision over the year in response to changes in the FSA’s risk profile or other emergencies impacting on the FSA.
3.3 At the June 2021 ARAC meeting, the 2020/21 annual report and accounts, the Head of Audit Assurance’s annual report and opinion (2020/21), the remuneration report and the NAO/Mazar’s audit completion report were discussed. Due to delays in the Local Government Pension Scheme (LGPS) pension valuation only the devolved accounts were approved in June 2021.
3.4 The corporate risk register was presented to, and discussed by, the ARAC at the September 2021 and November 2021 full meetings. ARAC also received regular risk management updates at ARAC meetings on the FSAs mitigations in relation to risks associated with the COVID-19 pandemic and cyber security .
3.5 All Audit Assurance reports issued during the year are sent to the ARAC Chair. The Committee had productive discussions with the executive on issues highlighted by the reports and was updated regularly on actions taken by management teams to address these.
3.6 At the March 2022 ARAC meeting, the Head of Data, Information Governance and Security presented the information security annual report and gave an update on FSA security risk assessment and mitigations. Topics covered included the status of the ongoing security plan, security incident management plan, changes being implemented to improve security resilience, ongoing work to mitigate risk of security breaches and measures implemented during the year to increase engagement with the security community in government.
3.7 Throughout the year ARAC had received regular updates on external cyber security audits commissioned by the FSA to provide independent assurance on the effectiveness of the FSA’s policies and procedures. The FSA has good security controls in place as is evident from the results of the departmental security health check report to the Cabinet Office (the FSA’s self-assessment against the minimum-security standards)..
3.8 There were no whistleblowing cases reported to ARAC during the year.
3.9 Mazars ceased to be FSA’s external auditors after presenting their completion report the for 2020/21 audit with this role reverting back to the NAO.
3.10 The draft version of this report was presented to the May 2022 ARAC meeting for comments.
Adherence to HM Treasury (HMT) ARAC principles
3.11 The HMT ARAC handbook sets out good practice principles which ARACs in central government are expected to follow. Areas of good practice suggested in the handbook that were included in ARAC activities during the year are explained in the following paragraphs.
3.12 In June 2020, members of the Committee held bilateral meetings with representatives of the FSA’s external auditors, the NAO, and the Head of Audit Assurance. These meetings ensure that there is a clear understanding of expectations and mutual understanding of current issues.
3.13 Committee members completed a self-assessment on the effectiveness of the ARAC in line with HM Treasury guidance which advises that a self-assessment is completed annually. Agreed actions from that assessment were taken forward for implementation including ARAC related induction for new Committee members.
3.14 ARAC members continued to have access to training opportunities where training needs were identified.
The FSA’s 2020/21 annual report and accounts
3.15 The 2020/21 accounts and annual report were discussed formally at the May 2021 ARAC meeting. Four sets of accounts were provided to the Committee: the consolidated set of accounts and one set each for England, Wales, and NI. No significant issues were raised by members in relation to the accounts. Subject to some minor points raised being clarified and where necessary amended, ARAC recommended separate sign off for the annual report and accounts for Wales and NI by the Accounting Officer. This was due to delays in resolving pension issues relating to the LGPS affecting the England and consolidated accounts
3.16 The Mazars completion report for 2020/21 indicated there were no issues of irregularity or impropriety found during their audits, however, as there were pension issues relating to the LGPS scheme, a significant risk remained outstanding at the June ARAC meeting. The NAO recommended to the Comptroller and Auditor General that he should certify the 2020/21 financial statements with an unqualified audit opinion, without modifications, for NI and Wales FSA accounts. The Accounting Officer subsequently signed the accounts for FSA in Wales and FSA in NI on 14th June 2021. The England and consolidated accounts were not signed by the Accounting Officer until 9 November 2021 and were laid before parliament on the 25th of November 2021.
3.17 Overall, the Committee concluded that there was a good working relationship between finance, external auditors, and the Head of Audit Assurance.
FSA audit assurance work undertaken in 2021/22
3.18 The Committee Chair received all the final audit assurance reports issued during the year. Other ARAC members only receive a copy of audit reports with a “limited” or “unsatisfactory” opinion and relevant Directors are invited to discuss such reports with ARAC. Two reports with a “limited” opinion were issued during the year; none were issued with an 'unsatisfactory' opinion.
3.19 Executive summaries of the audit reports with a “substantial” or “moderate” opinion are presented to, and discussed by, Committee members at each meeting, as well as actions by the Executive to deal with issues raised. Full reports are provided to ARAC members on request.
3.20 Pandemic related disruptions to audit assurance work continued during 2021/22 as auditors were redeployed to support the FSA’s emergency response to the pandemic and routine audits of Local Authorities remained suspended to enable LAs to implement the Recovery Plan but the impact of the disruptions was less severe compared to the previous year.
3.21 Despite the continuing challenges of the pandemic, the audit assurance team issued 7 full reports, 2 draft reports and 2 Management Letters in relation to the 18 audits in the original plans approved by ARAC. Only 4 full reports had been issued in connection with the audit plans for the previous year.
3.22 The FSA implemented the LA Recovery Plan in July 2021 to enable LAs to return to normal routine inspections of food businesses by April 2023. FSA’s LA auditors in England Wales started assessments of LA implementation of the Recovery Plan during the last quarter of 2021/22 to gain a broader understanding of how LAs have responded to and interpreted the requirements of the Recovery Plan and highlight any emerging concerns or common issues affecting LAs in relation to the delivery of the Plan. These assessments were scheduled to continue until June 2022. Routine audits of LAs are scheduled to resume after the assessments.
3.23 Under UK Public Sector Internal Audit Standards (PSIAS), the Head of Audit Assurance is required to arrange an External Quality Assurance (EQA) review of audit practices to assess conformance with the Standards once every five years. A planned EQA was conducted in the last quarter of 2021/22. This conclude that Audit Assurance’s internal audit practices generally conformed with the PSIAS. This is the highest rating possible under the assessment criteria. The assessment report also highlighted examples of best practice which the Head of Audit Assurance has agreed to implement as part of the team’s Quality Improvement Plan.
3.24 A summary of assurance activities and outputs for 2021/22 is in the table below. The figures for 2020/21 are provided for comparison and the audit assurance levels are explained in Annex D.
Assurance activities and outputs | Number of reports 2020/21 | Number of reports 2021/22 |
---|---|---|
Final assurance audit report opinions | - | - |
Substantial | 2 | 2 |
Moderate | 1 | 3 |
Limited | 1 | 2 |
Unsatisfactory | 0 | 0 |
Total number of assurance audit reports | 4 | 6 |
Consultancy reports | 2 | 0 |
Management letters | 2 | 1 |
Draft assurance audit reports | 2 | 3 |
Total number of reports | 10 | 10 |
3.25 The Committee also received summary reports in relation to external audits and reviews conducted by third parties for assurance purposes in relation to the Agency. Results of such reviews and audit reports are provided to other ARAC members on request.
3.26 The Committee continued to scrutinise resources available for audit assurance purposes and discussed this during the year. The HAA continues to work closely with the two FSA audit teams responsible for audits of official controls delivered by LAs in Wales and in NI.
3.27 Following the external review of LA audit approaches in England, Wales and NI carried by Ernst and Young (EY) in 2020, an action plan to implement the recommendations of EY’s report was presented to ARAC in March 2022. A key recommendation is that line management of internal audits and audits of official controls (regulatory audits) in England should be separated to ensure clarity of roles and responsibilities between internal audits and regulatory audits. As such EMT has agreed to a recommendation that line management of LA audits in England and internal audits official controls, should be transferred to the Regulatory Compliance Division (RCD) during 2022/23 while ARAC continues its scrutiny responsibilities for both internal audits and regulatory audits.
3.28 It has also been agreed that additional resources will be provided to help strengthen LA audit capacity and effectiveness in England.
3.29 Overall, I am satisfied that adequate and proportionate audit assurance resources were provided throughout the year to ensure continued effectiveness of audit assurance activities.
Governance statement
3.30 The Chief Executive, as Accounting Officer, is required to prepare the governance statement as part of the process for signing off the FSA annual accounts. The governance statement sets out the arrangements made to identify and manage the risk of failure to achieve the FSA’s policies, aims and objectives.
3.31 The draft statement for 2021/22 was discussed at the June 2022 ARAC meeting, with the final statement being discussed and agreed as part of the FSA consolidated accounts at the for the 2021/22 financial year.
3.32 The statement and supporting evidence are reviewed by the external auditor. FSA audit assurance auditors will also be asked from time to time to consider whether arrangements are satisfactory and best practice is being followed.
Adequacy of risk management, control and governance arrangements
3.33 ARAC has reviewed the risk management process and the high-level assurance framework. ARAC has also reviewed how the audit assurance plan is prioritised, on a risk basis, in relation to identified risks.
3.34 I am satisfied that sufficient and comprehensive work was undertaken by ARAC and internal and external assurances were received during the year to adequately inform ARAC assessment on the effectiveness of FSA risk management, control and governance arrangements. Based on this, it is my view, as Chair of the Committee, that the arrangements in place during the year were satisfactory.
4. Resource implications and sustainability issues for the committee
4.1 Last year, virtual ARAC meetings were held approximately two weeks before the Board meetings to enable a written report of ARAC meetings to be presented at the Board meeting. It is expected that the Committee will continue with this approach and will meet five times in 2022/23 with no increase in resource requirements anticipated.
5. Conclusion and recommendation
5.1 The Board is asked to:
- Note the work undertaken by the ARAC during the 2021/22 financial year; and
- Note that a draft of this report was agreed with the members of the ARAC in the meeting held in May 2022.
Annex A: Role of the ARAC
1. The Committee’s prime purpose is to provide advice to the Board and the Accounting Officer on internal control, risk management and governance.
2 . Internal and external auditors attend ARAC meetings. Others may be asked to attend where the Committee wishes to review progress on specific issues.
The role of the FSA Board
3. This annual report by the Chair of the ARAC provides the Board with an independent view of how audit matters are being handled. The Board’s role is to note and comment on the activities of the ARAC.
The role of the Chief Executive
4. HMT has appointed the Chief Executive as the Principal Accounting Officer. The Chief Executive has a direct, personal responsibility to the Westminster Parliament for the propriety and regularity of FSA expenditure. The Chief Executive also signs the financial statements in respect of the monies voted by the National Assembly for Wales and the NI Assembly. This is where the Chief Executive’s responsibilities are equivalent to that of an Accounting Officer.
5. The Chief Executive is required to sign the annual Governance Statement, which is published in the Annual Report and Accounts.
Annex B: Membership of the FSA Audit and Risk Assurance Committee 2021/22
Members:
- Colm McKenna (Chair)
- Ruth Hussey (from Jul 2021)
- Peter Price
- Margaret Gilmore
- Timothy Riley
Regular attendees:
- Simon Dwyer – Financial Controller
- Jenny Desira – Head of Knowledge Information Management and Security
- John Furley – Head of Audit Assurance (until September 2021)
- Freedom Mpande -Interim Head of Audit Assurance (from November 2021)
- Chris Hitchen – Director of Finance and Performance (until June 2021)
- Pam Beadman -Director of Finance and Performance (from Nov 2021)
- Emily Miles – Chief Executive
- Michael Todd – Performance Planning Manager
- Ross Woodley – Mazars (until June 2021)
- Richard Smith -NAO (from Sept 2021)
- James Edmands - NAO (from Sept 2021)
Annex C: Terms of Reference for the FSA Audit and Risk Assurance Committee
Purpose
The Audit and Risk Assurance Committee is an advisory Committee of the FSA Board with no executive powers. It is responsible for reviewing, in a non-executive capacity, the comprehensiveness and reliability of assurances on governance, risk management and the control environment.
The Audit and Risk Assurance Committee will approve the Annual Reports and Accounts (ARAs) on behalf of the FSA Board, with the recommendation that the Accounting officer sign the accounts on approval. It shall additionally have responsibility for reviewing the integrity of financial statements.
Membership
A minimum of four Members of the FSA Board appointed by the FSA Chair under delegated powers following consultation with the Committee Chair. At least one of those appointed will be a Board Member for Wales or Northern Ireland.
The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board and will automatically cease if an individual ceases to be a Board Member.
At least one of the Committee members should have recent and relevant financial experience.
All new members will be provided with induction training and the FSA will provide for any additional development which is deemed necessary for the member to fulfil their role on the Committee. The Chair of the Audit and Risk Assurance Committee will hold an annual review with each member and any training or development needs will be taken forward with the agreement of the Chair and Accounting Officer.
Committee Chair
Appointed from the membership of the Committee by the Chair of the FSA under delegated powers. The term of appointment will normally be coterminous with an individual’s term of appointment to the FSA Board.
Co-option
The Committee may co-opt additional members (whether members of the FSA Board or not) for a period of up to one year to provide specialist skills, knowledge or experience. Co-opted members will have a right to speak, but not vote. Co-opted members will not be included in any calculation of the quorum.
Quorum
Three Non-Executive Board Members.
Attendance
The Chief Executive, as Accounting Officer, the Director of Finance and Performance, the Head of Planning and Performance , the Head of Internal Audit, a representative of FSA Directors responsible for audits of Official controls (regulatory audits) in England, Wales and Northern Ireland and a representative of the external auditors would normally be invited to attend.
Directors and other officials will be invited to attend as required.
Reporting
The Audit and Risk Assurance Committee Chair will provide the Chair of the FSA and the Board with a written update on the key elements of Committee meetings. The Audit and Risk Assurance Committee will report formally in writing to the Board, annually, to support the finalisation of the accounts and the Governance Statement and to update the Board on the work of the Committee, Internal and External Audit and any areas requiring specific attention.
Meetings
The Audit and Risk Assurance Committee will meet at least four times a year. The Chair of the Committee will convene additional meetings as necessary. The Committee has the right to sit privately without any non-members present for all or part of a meeting.
Additionally, the members of the Committee will meet with the Head of Audit Assurance and, separately, the External Auditors, annually, in closed meetings when the efficacy of the processes, trust, co-operation and any other issues can be discussed and future action agreed.
The FSA Chair, the Board or the Accounting Officer may ask the Audit and Risk Assurance Committee to convene further meetings to discuss specific issues on which they want the Committee’s advice.
Responsibilities
The Audit and Risk Assurance Committee will advise the FSA Board and Chief Executive on:
- The strategic processes for risk management, the high-level control and governance framework and the effectiveness of its operation in practice;
- The contents of the Governance Statement;
- The accounting policies, the accounts, and the annual report of the FSA, including the judgements used in producing the accounts, the adequacy of disclosures, the process for review of the accounts prior to submission for audit, levels of error identified, and management’s letter of representation to the external auditors;
- The effectiveness of the design and operation of financial systems and controls;
- The planned activity and results of, regulatory audits, internal and external audit and the results of other, external assurance reports;
- The resourcing and effectiveness of the internal audit and regulatory functions;
- Provide independent scrutiny of the audit process of the Local Authority audit system;
- The adequacy of the management response to issues identified by audit activity, including external audit management letters;
- Assurances relating to the corporate governance requirements for the organisation;
- Proposals for tendering for either Internal or External Audit services or for the purchase of non-audit services from contractors who provide audit services;
- Anti-fraud policies and whistle-blowing processes, and arrangements for special investigations; and
- The Committee’s effectiveness having reviewed its own performance, constitution and terms of reference and recommending any changes it considers necessary.
Information requirements
The Audit and Risk Assurance Committee will be provided with, where appropriate:
- any changes to the organisation’s Corporate Risk Register that are relevant to the responsibilities of the Committee;
- the risk management strategy;
- management assurance reports, and report on the management of major incidents, ‘near misses’ and lessons learned;
- progress reports from the Head of Audit Assurance summarising:
a) work performed (and a comparison with work planned)
b) key issues emerging from Internal and Regulatory audit work
c) management action in response to issues identified and agreed
d) changes to the Audit Assurance plans
e) any resourcing issues affecting the delivery of Audit Assurance objectives
- progress reports from the External Audit representatives summarising work done and emerging findings;
- external assurance and compliance reports in relation to the FSA’s activities;
- audit Assurance strategies and annual plans;
- the Head of Audit Assurance’s Annual Opinion and Report;
- quality Assurance reports on the Audit Assurance function;
- the draft accounts of the organisation;
- the draft Governance Statement
- any changes to accounting policies;
- proposals to tender for audit functions;
- summary of findings of every Audit Assurance report;
- external Audit’s management letter; and
- a report on cooperation between the FSA auditors and external auditors.
The Audit and Risk Assurance Committee will work with the FSA’s Executive Management Team to ensure that the Board can be confident that risk management processes, content, mitigating and recovery actions are appropriate and correctly resourced.
Notes
- The Chair of the Audit and Risk Assurance Committee will have free and confidential access to the Chair and Chief Executive of the FSA whenever appropriate.
- The Head of Audit Assurance, Regulatory audit leads and the representatives of External Audit will have free and confidential access to the Chair of the Committee.
- The Committee may procure specialist ad-hoc advice at the expense of the FSA, subject to the cost being agreed by the Chief Executive as Accounting Officer.
Annex D: Assurance level definitions as applied to FSA assurance audit reports
Assurance levels assigned to assurance audits as defined in the Government Internal Audit Manual:
Audit opinion | Definition |
---|---|
Substantial |
In my opinion, the framework of governance, risk management and control is adequate and effective. Colour for this assurance level: Green |
Moderate |
In my opinion, some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control. Colour for this assurance level: Yellow |
Limited |
In my opinion, there are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective. Colour for this assurance level: Amber |
Unsatisfactory |
In my opinion, there are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail. Colour for this assurance level: Red |