Chapter 4: Role and Scope
Supporting the Board and Accountable Officer
4.1 Accountable Officers and Boards have many issues competing for their attention. One of the challenges they face is knowing whether they are giving their attention to the right issues. Key to addressing this is assurance, defined as: "an evaluated opinion, based on evidence gained from review, on the organisation's governance, risk management and internal control framework"
4.2 Assurance draws attention to the aspects of risk management, governance and control that are functioning effectively and, just as importantly, the aspects which need to be given attention to improve them. An effective risk management framework and a risk-based approach to assurance helps an Accountable Officer and Board to judge whether or not its agenda is focussing on the issues that are most significant to achieving the organisation's objectives and whether best use of resources is being made. The Audit and Assurance Committee can help the Accountable Officer and Board to formulate their assurance needs, and then consider how well assurance received actually meets these needs by gauging the extent to which assurance on risk management is comprehensive and reliable. Assurance cannot be absolute so the committee will need to know that the organisation is making effective use of the finite assurance mechanisms at its disposal, targeting areas of greatest risk. This can include carrying out a 'Deep Dive' exercise of risks that the committee determine are key threats to the organisation.
4.3 Formulation of the specific assurance need is key to determining the resource that needs to be dedicated to delivery of assurance in the organisation. Key elements include:
- the strategic outcomes and objectives which the organisation is charged to deliver, and the associated risks and control mechanisms;
- the sources of assurance available; and
- the level of confidence required in assurances, including the extent to which the range of assurance providers can be relied on by Internal Audit in delivering its overall opinion on risk, control and governance in accordance with the Public Sector Internal Audit Standards.
4.4 A well designed assurance framework will help. At its simplest, this will identify all the key sources of assurance in the organisation and seeks to orchestrate them to best effect. This can help to ensure that gaps are reduced or eliminated and unnecessary duplication avoided. A conceptual model that is often used to help to categorise the various sources of assurance is the 'three lines of assurance'. By defining the sources of assurance in three broad categories, it helps to understand how the type and nature of the mechanisms can contribute to the bigger defence’, referenced in the HM Treasury document, ‘Assurance Frameworks’ (Dec 2012). The Global Institute of Internal Auditors produced an update paper, ‘Three Lines Model’ in July 2020 and the Scottish Government Directorate of Internal Audit and Assurance has interpreted it for the core Scottish Government and public bodies in the following diagram:
Further detail of the work of Internal Audit is provided later in this chapter.
4.5 An understanding of the three lines of assurance can help the Audit and Assurance Committee to play a key role in helping the Accountable Officer and Board establish an optimum mix of assurance. For example, management and oversight assurance activities can be harnessed to provide coverage of routine operations, with Internal Audit activity more effectively targeted at riskier or more complex areas. As well as strengthening assurance arrangements, this helps the Audit and Assurance Committee to demonstrate added value to the organisation.
4.6 The overall provision of assurances to the Accountable Officer and Board should be reviewed by the Audit and Assurance Committee, which should constructively challenge:
- whether the nature and scope of the assurance providers' activity meets the Accountable Officer's and Board's assurance needs;
- the credibility and independence of each provider; and
- where appropriate, the actual assurances to test that sufficient reliable evidence and that conclusions are reasonable in the context of the evidence.
The committee should also be proactive in commissioning assurance work from appropriate sources if it identifies any significant risk, governance and control issues which are not being subjected to sufficient review, and in seeking assurance on weaknesses identified by reviews are actually remedied by management.
A "prompt" list of questions for Audit and Risk Assurance Committees to ask is provided at Annex F.
4.7 The overall committee view may draw attention to areas where:
- risk is being appropriately managed (no action needed);
- risk is inadequately controlled (action needed to improve control);
- risk is over controlled (resource being wasted which could be diverted to other use); and/or
- there is lack of evidence to support a conclusion. If this concerns areas material to the organisation's operations more assurance work may be needed, subject to an assessment of costs and benefits.
4.8 Assurance should be obtained on risks across the organisation. The governance structure of the departmental family/group will therefore need to ensure that there is effective communication on risks and control to ensure appropriate visibility of and timely action on such matters as well as to feed into the annual Governance Statement.
4.9 Similarly assurance on the risk and control environment should also encompass services outsourced to external providers, including shared service arrangements, so that all key elements of the organisation are considered as parts of the wider organisation and business function.
4.10 It is also good practice to have reasonable oversight of risks that cross organisational boundaries, for example, in major projects. This could include a Chairs of Audit and Assurance Committee Forum. Any such forum should focus on assurances on cross organisational governance, risk and control arrangements.
Internal and external audit
4.11 For any government organisation there will always be two significant sources of independent and objective assurance: Internal Audit and External Audit.
4.12 The work of Internal Audit is carried out primarily for the benefit of the Accountable Officer and Board/Executive of the organisation and is likely to be the single most significant resource used by the committee in discharging its responsibilities. This is because the Head of Internal Audit, in accordance with the Public Sector Internal Audit Standards, has a responsibility to provide an annual opinion on the overall adequacy and effectiveness of the organisation's governance, risk management and control processes. There is consequently a major synergy between the purpose of the Head of Internal Audit and the role of the Audit and Assurance Committee.
4.13 The role of the Audit and Assurance Committee in relation to Internal Audit should include advising the Accounting Officer and Board on:
- the Internal Audit strategy and periodic Internal Audit plans, forming a view on how well they reflect the organisation’s risk exposure and support the Head of Internal Audit’s responsibility to provide an annual opinion;
- the adequacy of the resources available to Internal Audit;
- the Internal Audit charter/terms of reference for Internal Audit;
- the results of Internal Audit work, including reports on the effectiveness of systems for governance, risk management and control, and management responses to issues raised;
- the annual Internal Audit opinion and annual report; and
4.14 In central government, the Auditor General is responsible for securing the external audit of most public sector bodies in Scotland and reporting on their financial health and performance. Audit work is carried out by Audit Scotland staff and appointed auditors including private firms. This includes the audits of financial statements as well as performance and Best Value audits. All external auditors appointed by the Auditor General are required to follow the Code of Audit Practice which outlines their responsibilities. Once appointed, auditors act independently in carrying out their responsibilities and in exercising professional judgement.
4.15 External auditor responsibilities are derived from statute, the Code of Audit Practice, International Standards on Auditing (UK and Ireland) and professional requirements. These include:
- audit of financial statements and related matters: appointed auditors are required to give an opinion on the financial statements as to: whether they give a true and fair view of the financial position of audited bodies and their expenditure and income; whether they have been properly prepared in accordance with relevant legislation, the applicable accounting framework and 17 other reporting requirements; the regularity of the expenditure and income (not required for local government); and,
- wider scope audit: the Public Finance and Accountability (Scotland) Act 2000 gives the Auditor General the right to initiate examinations into the economy, efficiency and effectiveness with which audited bodies and certain other bodies have used their resources to discharge their functions. The results of such examinations (known as Section 22 and Section 23 Reports) may be presented to the Scottish Parliament and considered by its Public Audit Committee. Appointed auditors are responsible for notifying the Auditor General when circumstances indicate that such a statutory report may be required.
4.16 External auditors will report annually to those charged with governance on the results of their work covering both the financial statements and wider scope audit work. Audited annual financial statements including the independent auditors’ reports, and reports by the Auditor General are sent to Scottish ministers to be laid before the Scottish Parliament.
4.17 It is important that the Audit and Assurance Committee engages regularly with external audit. The committee should consider the results of external audit work and the proposed actions against audit recommendations. The committee should also consider planned external audit activity and enquire about the level of coordination and engagement between internal and external audit to ensure there is no unnecessary duplication of audit work.
4.18 It is essential that the committee understands how governance arrangements support achievement of the organisation's strategies and objectives, especially:
- the organisation's vision and purpose;
- mechanisms to ensure effective organisational accountability, performance and risk management;
- role definitions, committee and other structures to support effective discharge of responsibilities, decision making and reporting;
- promotion of appropriate ethics and values within the organisation;
- communication of management information, including on risk and control among the board and to appropriate areas of the organisation; and
- relations with arm’s length bodies, including reporting functions to relevant Audit and Assurance Committees and Scottish Government.
Risk management and the control environment
4.19 It is also essential that the committee:
- understands the organisation's business strategy, operating environment and the associated risks, taking into account all key elements of the organisation as parts of an "Extended Enterprise";
- understands, where applicable, the role and activities of the Board (or equivalent senior governance/advisory body) in relation to managing risk;
- discusses with the Board its policies, attitude to and appetite for risk to ensure these are appropriately defined and communicated so management operates within these parameters;
- understands the framework for risk assessment, management and assurance and the assignment of responsibilities;
- critically challenges and reviews the risk management and assurance framework, without second guessing management, to provide assurance that the arrangements are actively working in the organisations; and
- critically challenges and reviews the adequacy and effectiveness of control processes in responding to risks within the organisation's governance, operations, compliance and information systems.
Financial management and reporting
4.20 The committee should consider significant accounting policies, any changes to them and any significant estimates and judgements, if possible before the start of the financial year. It should also review the clarity and completeness of disclosures in the year-end financial statements and consider whether the disclosures made are set properly in context.
4.21 The committee will not itself be able to review the accounts in detail in order to advise the Accounting Officer whether they are true and fair. Ideally, the committee should expect a comprehensive overview of the financial statements by the Finance Director, including comparisons with the prior year and current year budget, and an explanation for any issues arising. In reaching a view on the accounts, the committee should consider:
- key accounting policies and disclosures;
- assurances about the financial systems which provide the figures for the accounts;
- the quality of the control arrangements over the preparation of the accounts;
- key judgements made in preparing the accounts;
- any disputes arising between those preparing the accounts and the auditors; and
- reports, advice and findings from external audit (especially the Audit Completion Report – ISA 260 Report).
Terms of reference
4.22 The committee's terms of reference should be agreed by the Accountable Officer/Board and made publicly available (including on the organisation's website). It is important that a balance is struck during meetings between corporate governance, risk management, control and financial reporting items. The terms of reference should be reviewed annually alongside the performance of the committee. Model terms of reference are suggested at Annex D. A suggested self-assessment checklist is provided at Annex H.
4.23 The responsibilities assigned to the committee should not provide any conflict with the guidance in this handbook, in particular by compromising independence. The committee should not have any executive responsibilities or be charged with making or endorsing any decisions, although it may draw attention to strengths and weaknesses in control and make suggestions for how such weaknesses might be dealt with. The overarching purpose of the committee is to advise the Accountable Officer and Board; it is then the Accountable Officer and Board that make the relevant decisions.
4.24 The committee should have appropriate authority to require any member of the organisation to report on the management of risk or on the control environment within their areas of responsibility, in general terms or in respect of specific issues, either by:
- attending a committee meeting; or
- providing written report(s) to the committee to help the committee in fulfilling its role.
4.25 The Accountable Officer and Board need adequate and timely feedback on the work of the committee in order to consider its contributions formally. A schedule of the committee's agreed delegations from the Board, and the mechanisms for feedback and assurance, should be formally documented.
4.26 To fulfil their role, most committees will need to meet at least four times a year. A model "core programme" of work for a Committee meeting four times a year is provided at Annex E.
4.27 The committee will require access to funding to cover the costs incurred in fulfilling its role. The funding should be sufficient to:
- meet any remuneration and working expenses of its members (where applicable);
- meet the relevant training needs of its members;
- provide specialist (external) advice or opinions when required; and
- (as agreed with the organisation) provide external review of the effectiveness of the committee.
There is a problem
Thanks for your feedback