Annex B: Audit and Risk Assurance Committee Terms of Reference
Published 1 October 2013
Purpose
1. The purpose of the Audit and Risk Assurance Committee is to advise the Principal Accounting Officer (the Chief Executive) and the Board on the adequacy of audit arrangements (internal and external) and on the implications of assurances provided in respect of risk and control, with a view to enabling the Board to assure itself of the effectiveness of the CMA’s risk management system and procedures and its internal controls including business continuity and information technology.
Status
2. The Audit and Risk Assurance Committee acts only in an advisory capacity and has no executive powers.
3. The Audit and Risk Assurance Committee is authorised to investigate any activity within its terms of reference. It is authorised to seek any information it requires from any Board Member or employee of the CMA and all Board Members and employees of the CMA are directed to co-operate with any reasonable request made by the Committee.
4. The Audit and Risk Assurance Committee is authorised to obtain independent professional advice (including legal advice), subject to estimated costs being approved by the Board or, in case of emergency, the Principal Accounting Officer or the Additional Accounting Officer, and to arrange for the attendance of persons who are not CMA employees with relevant experience and expertise if it considers this necessary.
Responsibilities
5. The Audit and Risk Assurance Committee’s remit encompasses all aspects of corporate governance, risk management and internal control within the CMA. In particular, the Committee shall review, advise, and prepare a report, as appropriate, in relation to the following:
- the effectiveness of mechanisms employed for the identification, assessment and management of risk.
- the robustness of internal control systems, including the statements to be included in the annual report concerning internal controls and risk management.
- compliance with the Government’s policies on Corporate Governance, together with such generally accepted principles of good corporate governance as it is reasonable to regard as applicable to the CMA.
- the suitability of the whistle-blowing arrangements, whereby employees can raise concerns in confidence about possible wrongdoing in financial reporting or other matters, including the proportionate and independent investigation of such matters and the appropriateness of any follow-up action.
- the effectiveness of the procedures for detecting fraud.
- the Annual Account and Trust Statement, focussing particularly on:
  - the quality of financial reporting and ensuring that such reporting presents a balanced and understandable assessment of the position and performance of the CMA;
  - critical accounting policies and practices, including the consistency of accounting policies on a year to year basis;
  - major financial reporting issues and judgmental areas;
  - the extent to which the financial statements are affected by any unusual transactions in the year and how they are disclosed;
  - the propriety of major adjustments processed at year end; and
  - significant adjustments resulting from the audit.
- external audit reports, including:
  - meeting with external auditors at least twice a year, once at the planning stage, where the scope of the audit will be considered, and once at the reporting stage;
  - discussing problems and reservations arising from the audit, and any matters the auditor may wish to discuss (where requested by the Committee, in the absence of Executive Members and any other person who is not a member of the Committee);
  - reviewing the external auditors’ proposed audit opinion;
  - reviewing the external auditors’ management letter and management’s response; and
  - facilitating the resolution of any difference between management and the auditor regarding financial reporting.
- the effectiveness of the internal audit function in the context of the overall risk management system, including:
  - the internal audit strategy and plan;
  - its remit and resourcing;
  - its standing and freedom from management and other restrictions;
  - reviewing all internal audit reports promptly;
  - the adequacy of management responses to audit reports;
  - the performance of the internal auditor; and
  - the Principal Accounting Officer’s CMA governance statement.
6. The Audit and Risk Assurance Committee shall recommend to the Board, Executive Committee and Principal Accounting Officer, as appropriate, such changes to existing practices and systems as are necessary.
Membership
7. The Audit and Risk Assurance Committee shall have a minimum of three members comprised, as appropriate from time to time, of at least two Non-executive Directors of the Board and may include one or more independent members. In addition, the Committee shall have the power to co-opt a person or persons with appropriate specialist qualifications and/or experience for a period not exceeding a year. Any appointments to the Audit and Risk Assurance Committee, including where a person is co-opted, are made by the Board on the recommendation of the Committee.
8. The Board may not delegate anything that it is required or permitted to do to committees and sub-committees that include people who are not members of the CMA or its staff.
9. The Chair of the Board, the Chief Executive (in her role as Principal Accounting Officer), the Chief Operating Officer, the Director of Finance, the Head of Risk, (“General Counsel”)[footnote 1], the Compliance Officer, the Head of Internal Audit and a representative from the External Audit team may also attend at the discretion of the Committee.
10. A Non-executive Director shall chair the Audit and Risk Assurance Committee.
11. The Chair of the Audit and Risk Assurance Committee shall be rotated on an appropriate cycle to provide for objectivity in the long term and to avoid over- or under-representation of particular aspects of the CMA’s business and administrative interests.
12. A quorum shall be a minimum of two members, at least one of whom should be a Non-executive member of the CMA Board.
Meetings
13. The Audit and Risk Assurance Committee shall meet as required, at least 4 times each year.
14. The Committee may ask any or all of those who normally attend but who are not members to withdraw to facilitate open and frank discussion of particular matters.
15. The Board or the Principal Accounting Officer may ask the Audit and Risk Assurance Committee to convene further meetings to discuss particular issues on which they want the Committee’s advice.
Reporting
16. The Corporate Services Directorate and the Board Secretary support the work of the Audit and Risk Assurance Committee.
17. The Audit and Risk Assurance Committee is a non-executive committee of the Board and its minutes shall be circulated to the Board, the head of internal audit and the external auditor.
18. The Chair of the Audit and Risk Assurance Committee shall report at least once a year to the Principal Accounting Officer, and inform the Board, on the findings and conclusions of the Committee for the past year.
Access Rights
19. The Head of Internal Audit and the representative of the External Audit team will have free and confidential access to the Committee Chair and shall normally be present at meetings (as attendees rather than members).
Conflicts of Interest
20. Members of the Audit and Risk Assurance Committee will:
- have regard to the CMA’s policy on conflicts of interest;
- review before each meeting whether there are any interests which may conflict with their duties as members of the Committee and, if so, disclose them to the Board Secretary and, where appropriate, the CMA Compliance Officer;
- be asked by the Chair of the Committee at each meeting to confirm they have carried out such a review and made such disclosure; and
- not participate in any activity of the Committee in relation to which they believe they have a conflict or possible conflict of interest without the consent of the Compliance Officer, who will consult with the General Counsel as appropriate.
Information requirements
21. For each meeting the Audit and Risk Assurance Committee will be provided (ahead of the meeting) with a:
- copy of the Corporate Risk Register including summaries of changes to the organisation’s strategic risks.
- progress report or update from the Head of Internal Audit summarising, where appropriate:
  - work performed (and a comparison with work planned);
  - key issues emerging from the work of internal audit;
  - management response to audit recommendations;
  - changes to the agreed internal audit plan; and
  - any resourcing issues affecting the delivery of the objectives of internal audit.
- progress report or update (written/verbal) from the External Audit representative summarising, where appropriate, work done and emerging findings (this may include, where relevant to the CMA, aspects of the wider work carried out by the NAO).
- Finance update.
22. As and when appropriate the Committee will also be provided with:
- a Corporate Services Audit and Risk Quarterly Report.
- the complaints and enquiries dashboard.
- security updates.
- reports on the management of major incidents, “near misses” and lessons learned.
- proposals for the terms of reference of internal audit / the internal audit charter.
- the internal audit strategy.
- the Head of Internal Audit’s Annual Opinion and Report.
- quality assurance reports on the internal audit function.
- the draft accounts of the CMA.
- the draft Governance Statement.
- a report on any changes to accounting policies.
- External Audit’s management letter.
- a report on any proposals to tender for audit functions.
- a report on co-operation between internal and external audit.
- the CMA’s Risk Management framework, including the CMA Board’s risk appetite.
Review
23. These terms of reference will be reviewed by the Audit and Risk Assurance Committee at least every two years and any changes considered necessary will be recommended to the Board for approval.
Version control
24. These terms of reference were last updated in February 2024.
[footnote 1] General Counsel and Deputy General Counsel may share any such attendance