Risk Management and Internal Controls
Risk concerns uncertainty of outcome. The delivery of an organisation's objectives is surrounded by uncertainty which both poses threats to success and offers opportunities for increasing success. Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.
Each public sector organisation's internal control systems should include arrangements for identifying, assessing and managing risks. Risk management should be closely linked to the business planning process.
Public bodies are required to provide a Governance Statement in order to comply with best practice as recommended by the Turnbull Committee Report. As part of that process, Directors (in the case of public bodies, the Board) are required to review, at least annually, the effectiveness of all controls, including financial, operational and compliance controls. Organisations need to show that they have established and maintained effective and on-going procedures for identifying, evaluating and managing business risks.
The Board must ensure that there is a system in place for continuous risk management which extends from the front-line services through to the Board. This involves having a framework of prudent and effective controls in place to enable risks to be identified, assessed and managed. The Board itself should regularly review key business risks affecting the organisation.
Where a body is responsible for a budget, an Audit Committee must be established to advise the Board and Accountable Officer on internal control (including corporate governance) and audit matters.
All accounting entities to which the SPFM is directly applicable should establish Audit Committees. The Board (or Accountable Officer) should establish an Audit Committee of at least three members, all of whom should be either Board members or independent external members.
All Audit Committees in organisations to which the SPFM is directly applicable are subject to the guidance in the Audit Committee Handbook published by the Scottish Government. A degree of flexibility will be appropriate in applying the guidance in the Handbook, particularly with regard to smaller accounting entities.
The exact role of the Audit Committee will depend on the particular circumstances of the organisation. Examples of issues affecting the role of the Audit Committee include the strategic risk management arrangements that the Board and/or Accountable Officer have established, whether or not there is a separate Risk Committee and the whistleblowing arrangements which have been put in place as part of the anti-fraud and corruption arrangements. An Audit Committee should not have any executive responsibilities or be charged with making or endorsing any decisions, although it may draw attention to strengths and weaknesses in control and make suggestions for how weaknesses might be dealt with. The overarching purpose of the Audit Committee is to advise the Board and/or Accountable Officer; it is then the Board and/or Accountable Officer that makes the relevant decisions.
To fulfil its role, an Audit Committee should meet at least four times per year. Additional meetings should be convened as deemed necessary.
All Audit Committee members, whatever their status or background, will have training and development needs. Those who have recently joined the Audit Committee will need induction training, either to help them understand their role or, if they have audit committee experience elsewhere, to help them understand the organisation. In particular, those joining a public sector Audit Committee for the first time will need training to help them understand public sector standards, especially those relating to governance and accountability.
The Audit Committee should:
- Have written terms of reference from the Board, which encompass all the assurance needs of the Board and Accountable Officer. Within this, the Audit Committee should have particular engagement with the work of Internal Audit, the work of the External Auditor and with financial reporting issues;
- Support the Board and Accountable Officer by reviewing the scope, reliability and integrity of the assurances provided to them;
- Highlight those aspects of risk management, governance and internal control that are functioning effectively and, just as importantly, those that need to be improved;
- Have at least three non-executive members, under the chairmanship of a non-executive member who should be someone other than the Chair of the public body or of any other sub-Committee of the Board;
- Own corporately an appropriate skills mix to allow it to carry out its overall function. At least one of the Committee members should have recent and relevant financial experience;
- Have a Chair whose role goes beyond chairing meetings - this is key to achieving Committee effectiveness. The additional workload should be taken into account in the appointment of the Chair;
- Have a Chair who is involved in the appointment of new Committee members, including providing advice on the skills and experience being sought by the Committee, and is responsible for ensuring that the work of the Audit Committee is appropriately resourced;
- Be independent and objective; in addition, each member should have a good understanding of the objectives and priorities of the organisation and of their role as an Audit Committee member;
- Encourage the Accountable Officer, Head of Internal Audit and Director of Finance to attend meetings (though not as members of the Audit Committee);
- Have regular and on-going liaison with External Auditors;
- Ensure it has effective communication with the Board and Accountable Officer, the Head of Internal Audit, the External Auditor, and other stakeholders. In addition, the role of the Chair and provision of appropriate secretariat support are important elements in achieving Audit Committee effectiveness.
Email: Gordon Quinn