The Audit and Risk Assurance Committee, referred to hereafter as “the Committee”, will review the effectiveness of the college's governance arrangements, financial systems, internal control environment and risk management arrangements and provide appropriate assurances to the Board of Management on these areas.
Authority
- The Audit and Risk Assurance Committee is a committee of the Board of Management of Edinburgh College, from which it derives its authority and to which it shall regularly report.
- The Committee is authorised by the Board to investigate any matters within its terms of reference and to seek any information it requires from any Board member or employee of the College to carry out its duties.
- The Board authorises the Committee to obtain independent legal or other professional advice at the College’s expense. The Board secretary will facilitate this. The Committee may also commission reports and require the attendance at meetings of staff and/or other individuals with relevant experience and expertise, if it considers this necessary.
Remit
- The Committee will support the Board by reviewing the comprehensiveness, reliability and integrity of the assurances provided to the Committee regarding the College’s internal controls, risk framework, including cyber risk, and governance. This includes financial, operational, and compliance controls, as well as the quality and reliability of financial reporting. Based on the assurances provided to it, the Committee will form an overall view on the state of risk management, governance, and internal control in the College, which it will report to the Board.
- To discharge the responsibilities delegated to it by the Board, the Committee shall seek assurance that:
  - A proper framework of prudent and effective controls exists, allowing risks to be assessed and managed prudently.
  - Clear accountabilities exist for managing risks.
  - College managers are equipped with the relevant skills and guidance to oversee these risks.
Undertakings
Financial Statements
- The Committee shall monitor the integrity of the College’s financial statements, including its annual report and accounts, as well as any other formal announcements relating to its financial performance, and review significant financial reporting issues and judgments they contain.
- The Committee shall also review the statement of financial impacts and any financial information provided by the Scottish Funding Council or Scottish Government.
- The Committee will take into account the findings and recommendations of reports from the College’s external and internal auditors when making its decisions.
- The Committee shall review and constructively challenge where necessary:
  - Assurances about the financial systems which provide the figures for the accounts and the quality of the controls over the preparation of the accounts.
  - The consistency of, and any changes to, accounting policies and disclosures on a year-on-year basis.
  - The methods used to account for significant or unusual transactions, where different approaches are possible.
  - Whether the College has followed appropriate accounting standards and made appropriate estimates and judgements, taking into account the views of the external auditor.
  - Whether there were any disputes arising between those responsible for preparing the accounts and the auditors.
  - The accuracy and clarity of disclosure in the College’s financial reports and the context in which statements are made.
  - All material information presented with the financial statements, which will include but is not limited to: the management commentary, the statement of accounting officer’s responsibilities, the statement of financial impact and statements on corporate governance (insofar as these relate to the audit, internal controls and risk management).
Risk Management
- The Committee shall support and advise the Board in overseeing and seeking suitable assurance on risk management by:
  - Reviewing the effectiveness of the College’s risk management framework, policies, and processes, including challenging management on these matters.
  - Determining whether there is a comprehensive process for identifying and evaluating risk, and for deciding the levels of risk appetite and risk tolerance.
  - Determining whether management’s approach to identifying risks is broad enough to effectively identify new and emerging risks, ensuring management is taking corrective action when necessary.
  - Promoting the importance of a positive risk culture in the College.
Internal Controls and Corporate Governance
The Committee shall:
- Keep the adequacy and effectiveness of the College’s internal controls under regular review.
- Evaluate whether the corporate governance arrangements comply with legal requirements and best practices.
Cyber Risk
- The Committee shall evaluate the College’s cyber resilience by seeking assurance that an appropriate framework is in place to manage the College’s cyber risk effectively, and that continuous monitoring and improvement initiatives are adopted and sustained.
- To assess the College’s resilience, the Committee shall pay particular attention to the College’s:
  - Cyber security governance and risk arrangements;
  - Controls framework;
  - Threat intelligence, including Third Party and Supply Chain;
  - Structures and resources;
  - Business Continuity and incident response arrangements; and
  - Staff training and awareness.
Whistleblowing and Fraud
- The Committee shall review the College’s arrangements by which staff can raise concerns, in confidence, about possible wrongdoing in financial reporting or other matters. The Committee shall ensure that these arrangements allow for a proportionate and independent investigation of such issues and appropriate follow-up action.
- The Committee shall include in its annual report to the Board any observations or lessons learnt from the application of the internal whistleblowing policy, including progress on recommendations for improvement.
- The Committee shall review the College’s procedures for detecting, responding to, and reporting fraud.
Internal Audit
The internal auditors will advise the Committee. The Committee shall:
- Monitor and review the independence and effectiveness of the internal audit function in the context of the College’s overall risk management system at least once a year.
- Consider and approve the remit of the internal audit function, ensuring it has adequate resources and appropriate access to information to enable it to perform its duties effectively.
- Review and approve the internal audit strategy and annual audit plans to ensure that the scope is appropriate and prioritise tasks as necessary. The Committee may discuss specific assurance matters with the director of internal audit as required.
- Consider promptly all reports from the internal auditors and assurances.
- Review and monitor the adequacy of management responses to internal audit findings and, where they are accepted by management, ensure recommendations are implemented.
External Audit
- The College’s annual accounts will be subject to yearly audit by an external auditor appointed by Audit Scotland. The external auditor shall have the power to carry out economy, efficiency and effectiveness (value for money) reviews of the College.
Membership and Attendance
Membership
- At least three non-executive Board members will be members of the Committee, at least one of whom will have a recent and relevant background in finance, accounting and/or auditing.
- The Chair of the Board shall be invited to observe one meeting of the Audit & Risk Assurance Committee per academic year. Subject to the approval of the Committee Chair, the Chair of the Board may be invited to observe additional Committee meetings upon request.
- Attendees should include the Accountable Officer, the Chief Operating Officer, and a representative from both Internal and External Audit.
- The Chief Operating Officer shall act as Executive Lead to the Committee.
- Additional members may be co-opted to the Committee with the approval of the Board of Management. Co-opted members shall contribute to the business of the Committee but will not have the right to vote.
- The Committee may request that some regular attendees who are not members of the Committee withdraw to allow an open and frank discussion of some issues as appropriate.
The Chair
- The Board shall appoint and may remove the Committee Chair.
- Where the Chair ceases to be a member of the Committee, that individual shall cease to be Chair.
Meetings and Quoracy
- The Committee shall meet at least four times in each academic year. Meetings will be conducted in accordance with the Standing Orders as approved and issued by the Board of Management.
- The quorum for a meeting of the Committee shall be no less than one-half of the members, as outlined in Membership and Attendance, who are entitled to vote.
Review
- Members will review the Committee’s Terms of Reference at least annually. Any amendments shall be submitted to the Governance and Nominations Committee for consideration and approval.