Social Security Scotland: framework document

Sets out the detailed accountability and governance framework for Social Security Scotland, and the context for the Agency's relationship with Scottish Ministers and core Scottish Government Directorates.


Annex D: Agency Audit and Assurance Committee Terms of Reference

a) Purpose

a.1) The Accountable Officer has established an Audit and Assurance Committee as a Committee of the Executive Advisory Body to provide them with support in their responsibilities for issues of risk, control and governance and associated assurance through a process of constructive challenge.

a.2) The overall risk management process will be reviewed at least once a year to deliver assurance that it remains appropriate and effective. The Committee formally reports to both the Accountable Officer and Social Security Scotland's Executive Advisory Body.

b) Membership

b.1) The Audit and Assurance Committee will be independent of Social Security Scotland's management. Membership will be composed of at least three non-executive or independent external members. A non-executive member will chair the Committee, and at least one member will have significant financial experience.

b.2) The period of non-executive member appointments to the committee will be linked to their appointment to the Executive Advisory Body. Independent Audit and Assurance Committee members, if applicable, will be appointed for a period of up to three years, renewable once by mutual consent, and will be timed to maintain relevant membership of the committee.

b.3) Committee meetings will normally be attended by the Accountable Officer, the Head of Finance, Scottish Government Internal Audit, and a representative of External Audit.

b.4) The committee may ask any other officials from within the Agency to attend to assist it with its discussions on any particular matter, or request that those who normally attend but who are not members withdraw to facilitate open and frank discussion on particular matters.

b.5) The members of the committee are:

  • non-executive members: (To be appointed by September 2018);
  • independent external members: (To be appointed by September 2018)

b.6) The Committee will be Chaired by a non-executive member.

b.7) The Committee will be provided with secretarial support by the Agency's Governance and Strategy Unit.

c) Reporting

c.1) The Committee will formally report in writing to the Executive Advisory Body and Accountable Officer after each meeting. A copy of minutes of the meeting may form the basis of the report.

c.2) The Committee will provide the Executive Advisory Body and Accountable Officer with an Annual Report, timed to support finalisation of the accounts and the governance statement, summarising its conclusions from the work it has done during the year.

d) Responsibilities of the Committee

d.1) The Audit and Assurance Committee's responsibilities will include scrutinising the adequacy of risk management, internal control and governance arrangements and the efficient and effective use of public funds.

d.2) The Audit and Assurance Committee will advise the Executive Advisory Body and the Accountable Officer on the:

  • Strategic processes for risk, control, and governance and the governance statement;
  • Accounting policies, the accounts, and the annual report of the Agency, including the process for review of the accounts before submission for audit, levels of error identified, and management's letter of representation to the external auditors;
  • Planned activity and results of both internal and external audit;
  • The adequacy of management response to issues identified by audit activity, including external audit's management letter/report;
  • The effectiveness of the internal control environment;
  • Assurances relating to the corporate governance requirements for the Agency;
  • Proposals for tendering for either internal or external audit services or for purchase of non-audit services from contractors who provide audit services; and
  • Anti-fraud policies, whistle-blowing processes, and arrangements for special investigations.

d.3) In relation to risk management specifically, the Committee will support the Accountable Officer in monitoring the corporate governance and control systems by:

  • Gaining assurance that risks are being monitored;
  • Commenting on the appropriateness of the risk management and assurance processes which are in place;
  • Receiving risk management assurance information and consequently delivering an assurance about risk management as part of the annual assurance exercise; and
  • Assisting in the identification of emerging risks and challenging mitigating actions.

d.4) The Audit and Assurance Committee will also periodically review its own effectiveness and report the results of that review to the Executive Advisory Body and Accountable Officer.

d.5) The Committee may, in its annual report to the Accountable Officer, draw attention to areas where risk is appropriately managed, risk is inadequately controlled, risk is over-controlled, or where there is a lack of evidence to support a conclusion. The Committee is also responsible for drawing any significant matters to the attention of the relevant DG Quarterly Assurance meeting, and the Scottish Government Audit and Assurance Committee. However, the Audit and Assurance Committee will not own or manage risks.

d.6) Examples of lines of enquiry members might wish to pursue when considering risk management are set out in Annex A.

e) Rights

e.1) The Committee may:

  • co-opt additional members for a period not exceeding a year to provide specialist skills, knowledge and experience; and
  • procure specialist ad-hoc advice at the expense of the Agency, subject to budgets agreed by the Executive Advisory Body or Accountable Officer.

f) Access to the Chair

f.1) SG internal audit and the representative of external audit will have free and confidential access to the Chair of the Audit and Assurance Committee and vice versa. It is expected, however, that exercise of this right will be on an exceptional basis.

g) Escalation and Reporting

g.1) The Committee is authorised by the Accountable Officer to undertake any activity within this Terms of Reference. However, it does not have any executive responsibilities nor is it charged with making or endorsing any decisions, although it may draw attention to strengths and weaknesses in control and make recommendations for how weaknesses should be addressed. The overarching purpose of the Audit and Assurance Committee is to advise the Accountable Officer. It is then for the Accountable Officer to take the relevant decisions.

g.2) If a member fundamentally disagrees with a decision taken by the Audit and Assurance Committee, they have the option of recording their disagreement in the minutes. However, ultimately, members should accept and support the collective decision of the Committee. Members will not undermine Committee decisions or distance themselves outside of Committee Meetings.

g.3) Where a disagreement between the Audit and Assurance Committee and Agency executives cannot be resolved, or where the Committee has specific concerns about the manner in which the Agency is managed, these concerns will be recorded in the minutes and brought to the attention of the Executive Advisory Body and Accountable Officer. The Executive Advisory Body may, in turn, escalate issues to the Agency's Portfolio Sponsor, the Director of Social Security.

g.4) The Director General (Portfolio Accountable Officer) reserves the right to have appropriate representatives (e.g. internal audit) undertake any work required to provide independent assurance of the Agency's management and control if he or she considers it necessary.

g.5) The Agency is subject to external audit by the Auditor General for Scotland (AGS) or by auditors appointed by the AGS.

h) Meeting Frequency and Operating Arrangements

h.1) The procedures for meetings are:

  • The Committee will meet at least four times per year; however, the Chair of the Committee may convene additional meetings, as he/she deems necessary;
  • The Committee may also meet, in private, with auditors immediately prior to, or after, an Audit and Assurance Committee meeting;
  • The Chair and Accountable Officer should be advised before the meeting of any non-attendance of members;
  • Papers for the Committee meetings will be circulated to members and attending officials five working days ahead of the meeting date;
  • A minimum of three members of the Committee will be present for the meeting to be deemed quorate.

h.2) Details of the yearly core work programme of the Committee can be found in Annex B. It is not exhaustive or in any way restrictive; additional issues can be considered with the agreement of the Chair.

i) Information Requirements

i.1) Information management arrangements include the numbering and storage of all papers within the Audit and Assurance Committee Objective file, the use of an agenda template, minute template and covering paper template, and an action point tracker.

i.2) In order to provide the secretariat with sufficient time to prepare the agenda for the Chair's approval, agenda items and accompanying papers will be submitted at least five working days in advance of the meeting. Documents received after the five-day deadline will only be accepted with the approval of the Chair.

i.3) The secretariat will consider if the submitted papers and agenda are fit for purpose before distributing these to members, providing members with sufficient time to read and digest the information provided. The agenda and minutes will be published on both the Agency's intranet and website. Generally, the Committee will be provided with:

  • A report summarising any significant changes to the Agency's Risk Register;
  • A progress report from the Scottish Government internal audit detailing:
    • Work performed and a comparison with work planned;
    • Key issues emerging from internal audit work;
    • Management response to audit recommendations;
    • Any significant changes to the audit plan; and
    • Any resourcing issues affecting the delivery of internal audit objectives.
  • A progress report from External Audit summarising the work done and emerging findings.

i.4) As and when appropriate, the committee will also be provided with:

  • Business update reports from the Accountable Officer;
  • The Charter/Terms of Reference of the Internal Audit Directorate;
  • The Internal Audit Strategy of the Scottish Government;
  • The annual Internal Audit Plan;
  • The Scottish Government's Head of Internal Audit Annual Opinion and Report;
  • Quality assurance reports on the internal audit function;
  • The draft accounts of the Agency;
  • The draft governance statement;
  • A report on any changes to accounting policies;
  • External Audit's management letter/report;
  • A report on any proposals to tender for audit functions;
  • A report on co-operation between Internal and External Audit;
  • A report on the Counter Fraud and Bribery arrangements and performance;
  • Reports from other sources within the "three lines of assurance" integrated assurance framework (e.g. Best Value self-assessment Reviews, Gateway Reviews, Health Check Reviews, ICT Assurance Reviews, Digital 1st Service Standard Reviews, Procurement Capability Reviews, Procurement Key Stage Reviews).

j) Review and Assessment of Performance of the Committee

j.1) Members and the Head of Governance and Strategy for the Agency will be responsible for reviewing the operating arrangements and effectiveness of the Committee on an annual basis.

Terms of Reference Annex A

Key Lines of enquiry for audit and assurance committee members

This list of questions is not intended to be exhaustive or restrictive, nor should it be treated as a tick list substituting for detailed consideration of the issues it raises. Rather, it is intended to act as a 'prompt' to help the committee ensure that their work is comprehensive.

On the strategic processes for risk, control and governance, how do we know:

  • that the risk management culture is appropriate?
  • that there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
  • that the risk register is an accurate reflection of the risks facing the Agency?
  • that appropriate ownership of risk is in place?
  • that management has an appropriate view of how effective internal control is?
  • that risk management is carried out in a way that really benefits the Agency, rather than being treated as a box-ticking exercise?
  • that the Agency as a whole is aware of the importance of risk management and of the Agency's risk priorities?
  • that the system of internal control will provide indicators of things going wrong?
  • that the AO's annual governance statement is meaningful, and what evidence underpins it?
  • that the governance statement appropriately discloses action to deal with material problems?
  • that the Agency is appropriately considering the results of the effectiveness review underpinning the governance statement?

On risk management processes, how do we know:

  • how senior management (and Ministers where appropriate) support and promote risk management?
  • how well people are equipped and supported to manage risk?
  • that there is a clear risk strategy and policies?
  • that the Agency's risk appetite has been articulated?
  • that there are effective arrangements for managing risks with partners?
  • that the Agency's processes incorporate effective risk management?
  • if risks are handled well, given that:
    • key strategic risks can change very quickly?
    • scenario planning and stress testing?
    • 'bubbling under' risks?
  • that the risk focus is wide enough:
    • external and emerging risks are considered?
    • 'financial' risks and 'non-financial' risks are reviewed?
  • if risk management contributes to achieving outcomes?
  • that management are regularly reviewing top risks?

On the planned activity and results of both internal and external audit, how do we know:

  • that the internal audit strategy is appropriate for delivery of a positive reasonable assurance on the whole of risk, control and governance?
  • that the internal audit plan will achieve the objectives of the internal audit strategy, and in particular is it adequate to facilitate a positive, reasonable assurance on the key risks facing the Agency?
  • that internal audit has appropriate resources, including skills, to deliver its objectives?
  • that internal audit takes appropriate account of other assurance activity, especially in the first and second line (and that this assurance is understood and owned by management)?
  • that internal audit recommendations that have been agreed by management are timeously implemented?
  • that any issues arising from line management not accepting Internal Audit recommendations are appropriately escalated for consideration?
  • that the quality of internal audit work is adequate? What does application of the internal audit quality assessment process tell us about the quality of the internal audit service?
  • that there is appropriate co-operation between the internal and external auditors?
  • that the Accountable Officer and Board have taken all necessary steps to make themselves aware of any relevant information, and that auditors are aware of that information?

A more detailed tool for evaluation of the quality of the Internal Audit service is the "Internal Audit Quality Assessment Framework" produced by HM Treasury.

On the accounting policies, the accounts, and the annual report of the Agency, how do we know:

  • how effective and accurate budgeting and in-year forecasting is?
  • if the finance function is fit for purpose?
  • what the "hidden" financial risks are, relating to (inter alia):
    • HR?
    • VAT?
    • Overruns?
    • Sudden loss of funding/revenue?
  • that the accounting policies in place comply with relevant requirements, particularly the HMT Financial Reporting Manual?
  • that there has been due process in preparing the accounts and annual report, and that the process is robust?
  • that the accounts and annual report have been subjected to sufficient review by management and by the Executive Advisory Body and Accountable Officer?
  • that when new or novel accounting issues arise, appropriate advice on accounting treatment is gained?
  • that there is an appropriate anti-fraud policy in place and losses are suitably recorded?
  • that suitable processes are in place to ensure accurate financial records are kept?
  • that suitable processes are in place to ensure fraud is guarded against and regularity and propriety is achieved?
  • that financial control, including the structure of delegations, enables the Agency to achieve its objectives with good value for money?
  • if there are any issues likely to lead to qualification of the accounts?
  • if the accounts have been qualified, that appropriate action is being taken to deal with the reason for qualification?
  • that issues raised by the External Auditors are given appropriate attention?

On the adequacy of management response to issues identified by audit activity, how do we know:

  • that the implementation of recommendations is monitored and followed up?
  • that there are suitable resolution procedures in place for cases when management reject audit recommendations which the auditors stand by as being important?

On assurances relating to the corporate governance requirements for the Agency, how do we know:

  • corporate governance arrangements operate effectively and are clear to the whole Agency?
  • the Accountable Officer's Governance Statement is meaningful, and that robust evidence underpins it?
  • the Governance Statement appropriately discloses action to deal with material problems?
  • the Executive Advisory Body/Executive is appropriately considering the results of the effectiveness review underpinning the annual Governance Statement?
  • the range of assurances available is sufficient to facilitate the drafting of a meaningful annual Governance Statement?
  • those producing the assurances understand fully the scope of the assurance they are being asked to provide, and the purpose to which it will be put?
  • effective mechanisms are in place to ensure that assurances are reliable and adequately evidenced?
  • assurances are 'positively' stated (i.e. premised on sufficient relevant evidence to support them)?
  • the assurances draw appropriate attention to material weaknesses or losses which should be addressed?
  • the annual Governance Statement realistically reflects the assurances on which it is premised?

On the work of the committee itself, how do we know:

  • that we are being effective in achieving our terms of reference and adding value to corporate governance and control systems of the Agency?
  • that we have the appropriate skills mix?
  • that we have an appropriate level of understanding of the purpose and work of the Agency?
  • that we understand all of the sources of assurance available to the Agency?
  • that we have sufficient time to give proper consideration to our business?
  • that our individual members are avoiding any conflict of interest?
  • that we are avoiding "group think"?
  • what impact we are having on the Agency?

Terms of Reference Annex B

Draft Work Programme

Spring Meeting

  • Review performance relating to risk management
  • Review the Internal Audit charter / terms of reference, strategy and the periodic work plan for the coming financial year
  • Consider External Audit plans for the coming financial year
  • Consider any reports from Internal Audit and management responses
  • Consider financial reports, including relevant information about financial performance and achievement of financial targets
  • Consider any reports from other sources within the "three lines of assurance" integrated assurance framework

Summer Meeting

  • Review performance relating to risk management
  • Review and consider the accounts for the financial year just finished
  • Consider (emerging) external audit opinion for the financial year just finished
  • Review assurances provided by senior staff for the annual governance statement
  • Consider internal audit opinion for the financial year just finished
  • Consider an annual report on fraud and security
  • Advise the Accountable Officer on signing the accounts and governance statement
  • Consider any reports from internal audit and management responses
  • Consider a financial report, including relevant information about financial performance and achievement of financial targets
  • Consider an annual report to the Executive Advisory Body and Accountable Officer
  • Consider any reports from other sources within the "three lines of assurance" integrated assurance framework

Autumn Meeting

  • Review performance relating to risk management
  • Review the performance management arrangements adopted by the body including, where appropriate, the timetable for reviewing such arrangements
  • Consider any reports from internal audit and management responses
  • Consider the External Audit management letter for the previous financial year and the response to/implementation of any recommendations
  • Consider a financial report, including relevant information about financial performance and achievement of financial targets
  • Consider any reports from other sources within the "three lines of assurance" integrated assurance framework

Winter Meeting

  • Review performance relating to risk management
  • Consider any reports from internal audit and management responses
  • Consider a financial report, including relevant information about financial performance and achievement of financial targets
  • Consider the committee's own effectiveness in its work
  • Review the committee's Terms of Reference
  • Consider any reports from other sources within the "three lines of assurance" integrated assurance framework

Contact

Lorne.Bourhill@gov.scot
