NHS Scotland - blueprint for good governance: second edition

The second edition of the Blueprint for Good Governance shares the latest thinking on healthcare governance, including definitions of 'good governance', 'active governance' and 'collaborative governance'. It places further emphasis on support mechanisms and continuous improvement to support best practice.


D. The Audit Arrangements

D.1 The integrated governance system includes the audit arrangements required to provide the Board and key stakeholders with assurance that the system of internal controls is functioning as intended.

D.2 The main contributors to the audit arrangements are the NHS Board, the Internal Auditors, the External Auditors and the Audit and Risk Committee.

D.3 NHS Boards have the primary responsibility for ensuring the proper financial stewardship of public funds, compliance with relevant legislation and establishing effective arrangements for governance, propriety and regularity. This includes ensuring that accurate accounting records are maintained and financial statements are prepared that give a true and fair view.

D.4 The Code of Audit Practice (2021)[45] prepared by Audit Scotland sets out the respective functions and responsibilities of the internal and external auditors.

D.5 Internal audit is a function of management and it operates under the Public Sector Internal Audit Standards[46]. This defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. To deliver these outcomes, the role of the internal audit team should include:

  • Reviewing accounting and internal control systems
  • Reviewing the economy, efficiency and effectiveness of operations
  • Assisting with the identification of significant risks
  • Examining financial and operating information
  • Special investigations
  • Reviewing compliance with legislation and other external regulations.

D.6 To ensure that internal audit is an independent and objective assurance activity, the Board should seek assurance that the internal auditors are independent of executive management and do not have any involvement in the operations or systems they audit. The Head of Internal Audit should report to the Chief Executive or one of their direct reports. They should also report functionally to the audit committee and have right of access to the Chair of the Audit and Risk Committee, the Chief Executive and the NHS Board Chair. These arrangements should be clearly set out in the Board’s Standing Financial Instructions and the terms of reference for its Audit and Risk Committee.

D.7 External audit provides independent challenge and assurance on the Board’s annual accounts and provides a view on matters relating to regularity, propriety, performance and the use of resources. NHS Boards are assigned external auditors by the Auditor General for Scotland, who is a Crown appointment and is independent of Government. The responsibilities of independent auditors are established by the Public Finance and Accountability (Scotland) Act 2000[47] and the Code of Audit Practice[48], and their work is guided by the Financial Reporting Council’s Ethical Standard[49].

D.8 The key responsibilities of the external auditors can be summarised as follows:

  • To give an independent opinion on the financial statements and other information within the annual report and accounts
  • To review and report on the arrangements within the audited body to manage its performance, regularity and use of resources
  • To support improvement and accountability.

D.9 To deliver the internal and external audit functions, an annual audit programme should be put in place to deliver a comprehensive portfolio of system audits that ensures the main contributors are all able to meet their statutory responsibilities and the NHS Board and the Scottish Government can be assured on the effectiveness of the management, leadership and governance of the organisation.

D.10 The audit plans included in the programme should document how the internal and external auditors intend to meet their responsibilities and it is important that these plans are joined-up, effective and proportionate. They should be linked to the delivery of corporate objectives and operational priorities and should focus on the areas identified as corporate and operational risks.

D.11 The Board’s Audit and Risk Committee has a key role in ensuring the effectiveness of the internal audit functions including:

  • Reviewing and agreeing the annual internal audit work plan
  • Ensuring recommendations are actioned by the Executive Leadership Team
  • Disseminating audit reports to the relevant Board committees
  • Encouraging the use of audit reports as improvement tools
  • Monitoring and assessing the effectiveness of the audit team
  • Making recommendations to the Board for the award of the internal audit contract and the appointment and termination of the Head of Internal Audit
  • Overseeing the Board’s relations with the external auditors, including reviewing the scope of their annual audit plan.

D.12 Guidance on the principles and best practice for the organisation and delivery of Audit and Risk Committees is available in the Audit and Assurance Committee Handbook[50] published by the Scottish Government.

D.13 It is important that the Audit and Risk Committee adopt a robust approach to the oversight of the completion of actions identified in the audit reports. Where possible, actions should be dealt with in the current financial year rather than being carried forward from one financial year to the next. Any exceptions to this should be closely scrutinised by the Audit and Risk Committee who should seek assurance that the timeline proposed for addressing the risks or issues identified by the auditors is both reasonable and achievable.

D.14 The final component of the integrated governance system is the NHS Scotland Performance Management Framework. The following section of the supplementary guidance describes this arrangement in more detail.

Contact

Email: ocenhs@gov.scot