NHS audit committee handbook

20 March 2024

This handbook is designed to help NHS governing bodies and audit committees in reviewing and reassessing their system of governance, risk management, and control. This is to make sure the governance remains effective and fit for purpose, whilst also ensuring that there is a robust system of assurance to evidence it. 

While every care has been taken in the preparation of this handbook, the HFMA cannot in any circumstances accept responsibility for errors or omissions and is not responsible for any loss occasioned to any person or organisation acting or refraining from action as a result of any material within it.

The NHS is always changing and developing – this edition reflects the structures and processes in place as at writing. We are keen to obtain any feedback.  Please forward your comments to [email protected] or the address above.

Foreword

The HFMA NHS audit committee handbook (the handbook), developed by the HFMA Governance and Audit Committee, is designed to help NHS governing bodies and audit committees as they review and continually re-assess their system of governance, risk management and control to ensure that it remains effective and ‘fit for purpose’, while also ensuring that there is a robust system of assurance to evidence it.

The handbook has had a complete rewrite and replaces previous editions, including the last full hard copy version printed in 2018 and the online supplement published in 2022. The HFMA is grateful for the support provided by NHS England in providing this handbook. The handbook is freely available online and will be updated on a regular basis to ensure it remains relevant.

In terms of its content, the handbook starts by explaining why governing bodies need audit committees and how they provide support in fulfilling statutory duties and organisational objectives. It then looks at how audit committees should be set up, before moving on to focus in detail on what they do and how they work with others. Practical examples are included throughout to bring the theory to life and cross references to further sources of guidance are included. The appendices also include example tools such as self-assessment checklists, agendas and terms of reference, as well as a comprehensive glossary of terms. 

Further detail on how the NHS finance regime works, as well as the wider landscape in which it operates, can be found in the online HFMA introductory guide to NHS finance (HFMA, Introductory guide to NHS finance, January 2024).

The handbook applies to NHS organisations in England. However, the principles and much of the practical guidance are broadly relevant across the rest of the United Kingdom.

Audit committees and their members continue to play a crucial role in the governance of every NHS organisation and members must take seriously their responsibility for scrutinising the risks and controls affecting every aspect of the business – not just in the finance and financial management sphere. We hope that you find this handbook of real practical benefit as you carry out this demanding role.

The handbook is developed under the direction of the HFMA's Governance and Audit Committee (HFMA, Governance and Audit Committee, March 2024) and with the help of a wide range of practitioners, all of whom give their time and expertise free of charge. The HFMA is extremely grateful to everyone who is involved in the handbook’s production.

Nicky Lloyd, 
Chair, HFMA Governance and Audit Committee
Chief finance officer, The Royal Berkshire NHS Foundation Trust


Contents

Foreword
Chapter 1: Introduction
Chapter 2: Constitutional position
Chapter 3: Membership and attendance
Chapter 4: Formality of meetings
Chapter 5: Private meetings and rights of access
Chapter 6: Committee effectiveness
Chapter 7: Committee reporting
Chapter 8: Annual report and accounts
Chapter 9: Internal audit
Chapter 10: External audit
Chapter 11: Counter fraud
Chapter 12: Other assurance functions
Chapter 13: Governance
Chapter 14: Risk management
Chapter 15: Assurance
Chapter 16: Speaking up and whistleblowing
Chapter 17: Information governance and cyber security
Chapter 18: Exception reporting
Chapter 19: Audit committees and integrated care systems
Chapter 20: Current issues
Appendix A: Example terms of reference
Appendix B: Self-assessment checklists
Appendix C: Example agenda and timetable
Appendix D: Glossary 


Chapter 1: Introduction

Overview

An NHS audit committee brings an independent and objective oversight of an organisation’s arrangements for governance, risk management and internal control, protecting the interests of stakeholders. This chapter looks at how its role has evolved from an initial focus on financial reporting to, on behalf of the board, a corporate-wide remit. The role that it plays in terms of risk assurance will depend on how the organisation has agreed its arrangements.

1.1 Purpose

Audit committees were first introduced in the private sector in the late 1930s by the New York Stock Exchange and gained more traction in the 1970s and 1980s following corporate governance and financial reporting failings. At their heart is the role of the independent non-executive directors in protecting the interests of shareholders with regard to the truth and fairness of financial reporting and, subsequently, the operation of the organisation that creates shareholder value.

Within the UK public sector, and the NHS in particular, the independent non-executive directors carry out the same function, but to protect the interests of a much wider range of stakeholders (from the Department of Health and Social Care (DHSC) to patients). While the initial focus of audit committees was on financial reporting (and financial control) the remit has broadened to cover both financial and non-financial areas, best described as the system of governance, risk management and internal control, across the whole of the organisation’s activities (clinical and non-clinical), that supports the achievement of the organisation’s objectives.

As with many corporate governance developments over the years, failings in corporate governance continue to impact on the role and responsibilities of audit committees. 

1.2 Overview of current role

The remit of the committee is set out in the detailed terms of reference (see models in appendix A), but the main aspects that it covers are:

  • establishing and maintaining an effective system of governance, risk management and internal control, across the whole of the organisation’s activities
  • ensuring that there is an effective internal audit function
  • reviewing the work and findings of the external auditors
  • receiving updates from the local counter fraud service on national and local matters
  • reviewing the findings of other significant assurance functions
  • satisfying itself that the organisation has adequate arrangements in place for counter fraud, bribery and corruption
  • monitoring the integrity of the financial statements
  • reviewing the effectiveness of the arrangements in place for allowing staff (and contractors) to raise (in confidence) concerns about possible improprieties.

Most of the above aspects are inter-related, but the ultimate goal is to ensure that the organisation is being managed effectively and thereby meeting its strategic objectives, including safeguarding taxpayer resources so that they are utilised for the benefit of delivering patient services.

1.3 History in the NHS

Audit committees became regular parts of the governance of NHS bodies in the 1980s, particularly with the creation of the purchaser/provider split and the greater autonomy given to NHS trusts (and subsequently NHS foundation trusts).

A series of corporate governance failings in the 1990s led to a number of initiatives to improve governance; from model standing orders (SOs), standing financial instructions (SFIs) and schemes of delegations (SoDs) to greater guidance for audit committees. Continuing corporate governance failings led to further developments, most notably in areas of clinical governance, but at the same time widening the focus of audit committees from systems of internal ‘financial’ control to systems of internal control, encompassing the whole organisation.

Developments have continued apace, most notably as a result of the Mid Staffordshire NHS Foundation Trust Public Inquiry (Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry, February 2013), which have increasingly looked at the importance of culture in achieving effective governance.

1.4 What type of committee?

As audit committees have developed, both in the NHS and the wider public sector, three broad models have evolved:

  • the ‘audit’ committee: this type of committee focuses on audit (internal and external) and uses the work of the auditors to assist in its oversight (such as internal audit review of the system of risk management)
  • the ‘audit and risk’ committee: this type of committee takes a more active oversight of the system of risk management, and associated assurance framework, ensuring that the system works as a whole (such as ensuring that other committees provide oversight of risks)
  • the ‘audit and risk assurance’ committee: this type of committee takes a more active role in looking at the management of individual risks, the effectiveness of controls and the sources of assurance. 

The way that an organisation’s audit committee works, in terms of which model above is adopted, should depend on how it has arranged its governance around risk management and assurance.

1.5 Role of the audit committee member

The audit committee differs, in a number of ways, from other committees and groups within an NHS organisation, not just because its membership is made up of non-executives (similar to a nomination and remuneration committee), but because its members need to look at issues from a different perspective, being independent and objective. This can mean that the members may need to say things that are unpopular or that executive management may not wish to hear (speaking truth to power) to ensure that the right thing is done.

It is important that, while committee members may deal with issues in detail, they also need to be able to take a ‘step back’, using the advantage of non-executives not being swamped by daily operational pressures. They also need to bring – proportionately – their depth of knowledge and experience from their careers, many of which may not have been within the NHS, so that they can compare and contrast and use that independent perspective.

As set out by the Institute of Chartered Accountants in England and Wales (ICAEW) in Nine traits of an effective audit committee (June 2018), ‘intellectual curiosity and professional scepticism are necessary attributes in an audit committee member. It’s not enough to request confirmation from the external auditors and the executive team as this can provide a false sense of comfort. Members of the modern audit committee must understand the business and ask the right questions’.

Audit committee members, as for all board members, need to ensure that they are competent to undertake their role. The audit committee member role does not necessarily require expertise (other than that one member should be financially competent), but they should ensure that they understand their role. 

Executive and other attendees need to understand the importance of this constructive challenge and the benefit that it can bring.

1.6 Being ‘independent’

Central to the effectiveness of the audit committee is that its members are independent of day-to-day management and therefore not conflicted in their work, so that they can bring their professional judgement to issues under consideration. This is why membership is limited to non-executive directors and excludes the chair.


1.7 Being ‘objective’

Associated with independence is the fact that members of the audit committee should bring objective judgement to their work, basing their conclusions on the facts and evidence presented to them, avoiding any bias or undue weighting of opinions.

A key skill of audit committee members is therefore to listen to the evidence provided (or, more realistically, to read the papers); hence the name ‘audit’, derived from the Latin ‘audire’, to hear or listen. 

The judgement that they bring should be in the best interest of the stakeholders of the organisation as a whole – primarily that of the patients and taxpayers.

It is important that one member, who is usually the chair of the audit committee, but need not necessarily be so, has professional financial training and is a member of a recognised professional body, which requires up to date continuous professional development (CPD) to provide the appropriate level of professional leadership for this important role. 

1.8 Assurance versus re-assurance

Assurance is gained through information, evidence and triangulation that validates an assertion, whereas re-assurance comes from an individual providing comfort to allay a concern, without evidence to support the assertion. The role of the committee is to challenge assurances, and not (overly) rely on re-assurances.

Assurance: 'The year-end forecast is to break-even, which follows a process where all budget managers signed off their forecasts (as shown by this report), having been through a challenge process by the executive directors and has been subject to a review by internal audit that provided a substantial level of assurance that the process was effective.'

Reassurance: 'Trust me, there are no financial problems.'

1.9 Effectiveness and compliance

An audit committee’s key role is to look at the ‘effectiveness’ of internal control systems (more than economy and efficiency, using the traditional ‘three E’s’ of value for money (VFM)). In this context, effectiveness is seen in the light of achievement of objectives, the management of the risks to those objectives and the operation of the controls and mitigations put in place for those risks.

Once management have designed their systems of control, including the desired mitigations and controls that are required, then being assured on the level of compliance with the policies and procedures, and how effective they are at achieving the stated objectives, becomes a key role for the committee. 

Key learning points

  • Audit committees started with a focus on resolving disputes on financial reporting and stewardship between management and external auditors.
  • Over time their remit has grown to where they now oversee the organisation’s arrangements for governance, risk management and internal control.

  • Some of this they directly oversee, for other areas they need to satisfy themselves that they are being appropriately covered elsewhere.

  • Audit committee members (all of whom are non-executive) must be independent and objective in undertaking their role.


Chapter 2: Constitutional position

Overview

All NHS organisations must have an audit committee and they should carry out their role as delegated by the board under terms of reference.

2.1 Statutory basis

Every NHS organisation is required to have an audit committee that reports to its board. The formal requirements to have an audit committee are set out in different documents, depending on the organisation.

For integrated care boards (ICBs), guidance on ICB constitutions states:

'Which committees the ICB board chooses to establish will depend on decisions taken locally about how the functions will be exercised and how assurance will be generated and reported. However, all ICBs are expected to establish as a minimum remuneration, audit and quality committees.

The audit committee is accountable to the board and provides an independent and objective view of the ICB’s compliance with its statutory responsibilities. The committee is responsible for arranging appropriate internal and external audits. It will be chaired by a non-executive board member who has qualifications, expertise or experience that enables them to express credible opinions on finance and audit matters.' (NHS England, Guidance to clinical commissioning groups on preparing integrated care board constitutions, May 2022)

For NHS trusts and NHS foundation trusts, paragraph 2.1 of the Code of governance for NHS provider trusts (NHS England, Code of governance for NHS provider trusts, February 2023) sets out that ‘the board of directors should establish an audit committee of independent non-executive directors.’ For NHS foundation trusts, the NHS Act 2006 (The National Archives, Schedule 7 to the NHS Act 2006, July 2022) also explicitly specifies the requirement.

NHS governing bodies have an oversight role; as part of this they are responsible for putting in place governance structures and processes to:

  • ensure the organisation operates effectively and meets its statutory and strategic objectives

  • provide it (the board) with assurance that this is the case

Audit committees play a key role in supporting the board by critically reviewing and reporting on the relevance and robustness of the governance structures and assurance processes (on risk management and systems of control) on which the board places reliance.

2.2 Links to other committees

In its role of assessing the overall effectiveness of governance arrangements, the audit committee will need to work with other board committees to avoid both duplication and omission, as well as to understand where the various assurance flows come from and go to. At a high level it should assure itself that, for instance, clinical governance is being effectively overseen by a quality committee. 

This does not mean that the audit committee needs detailed oversight of the work of that committee, but that it should satisfy itself that such work falls within that committee’s remit. 

2.3 Terms of reference

The board should adopt formal terms of reference that clarify the authority and responsibilities of the audit committee, that are also consistent with the body’s wider constitution.

Example terms of reference are provided in Appendix A, with separate examples for NHS provider organisations and ICBs. These seek to represent best practices, but individual organisations may wish to tailor them to fit their own governance arrangements. In line with good corporate governance practices, there is a general presumption of ‘comply or explain’ and if model terms of reference are not adopted, the material differences should be explained. 

2.4 Authority

The audit committee has no executive responsibilities and must not take on any roles or duties that are not relevant to those of an audit committee. 

The committee’s terms of reference provide specific authority to investigate matters within its remit, require information and co-operation from employees and can access legal or professional advice. This tends to happen by exception, and usually when there has been a breakdown in controls, crystallisation of a risk, failure of a project or a near miss.

Where decisions are needed, it would be expected that the audit committee would report to the governing body (see chapter 7) and advise on the decisions to be made. 

Key learning points

  • All NHS organisations are required to have an audit committee.
  • They work to terms of reference delegated by the board and work with other committees.
  • The audit committee has no executive powers, unless expressly delegated, but has influence.

Chapter 3: Membership and attendance

Overview

Members of the audit committee are drawn from the non-executive members of the organisation, as appointed by the organisation’s governing body, to maintain its independence and objectivity. It is usual for the chief finance officer (CFO), external auditors and internal auditors to attend all meetings, along with secretariat support.

3.1 Membership

Membership of the audit committee is limited to non-executive directors of the governing body, to reinforce its role as an independent and objective oversight body, but it excludes the chair of the governing body. Members should not be employed by the organisation other than in their capacity as non-executive directors.

Members are appointed by the governing body, including the committee chair. The chair is a critical appointment for the organisation. HM Treasury guidance requires the audit committee chair to be a non-executive board member with relevant experience (HM Treasury, Audit and risk assurance committee handbook, March 2016). In accordance with NHS England guidance (the code of governance and the model terms of reference: NHS England, Code of governance for NHS provider trusts, February 2023; NHS England, Model audit and remuneration terms of reference, November 2021 (FutureNHS login required)), there should be a minimum of three members (allowing for a quoracy of two), although some organisations may seek a higher number of both members and quoracy. 

To maintain independence the chair of the audit committee should not chair any other committees. Ideally, they should not be a member of any other committee, although in some cases this may be impractical due to the number of non-executive directors available to cover all required committees. 

One of the members of the audit committee (and it need not be the committee chair, although often is) should have recent and relevant financial experience, so as to allow the committee a degree of expertise in this area; such as in financial reporting or working with auditors. There may be value in having some members of the audit committee who are also members of other sub-committees; primarily around quality, safety, finance and performance. This allows a more rounded view of how assurances are covered across committees.

It is not usual for the senior independent director (SID) to be a member of the audit committee, because of the nature of their role, but if the collective skill set of the non-executives is such that the SID is the most appropriate, then this arrangement should be recognised and suitably managed.

Note: the senior independent director (SID) has a key role in supporting the chair in leading the board of directors and acting as a sounding board and source of advice for the chair. The SID will be available if there are concerns that contact via the usual channels of chair, chief executive, finance director and company secretary has failed to resolve, or where it would be inappropriate to use such channels.

Some audit committees have included lay members in their membership (in other words, they are not non-executive directors (NEDs), but provide independence and expertise). These members would not be voting members (if a vote were needed), but would take a full part in proceedings.

As set out in the model terms of reference for integrated care boards (ICBs) (see appendix A), 'when determining the membership of the committee, active consideration will be made to diversity and equality.'

Membership of the audit committee should be disclosed in the organisation’s directors’/members’ report within the annual report.

3.2 Attendance

Attendance at an audit committee meeting is at the invitation of the committee chair. 

However, it would be expected that the following would attend for most, or all, parts of each meeting:

  • the chief finance officer

  • the head of internal audit (or representative of the internal audit service)

  • a representative from external audit

  • the board secretary or equivalent.

While the above would be expected to attend to address the agenda items that relate to their work, the committee will benefit from contributions from them to other agenda items, given the experience and knowledge that they bring.

In addition, the following would be expected to attend more regularly, but might not be expected to attend all meetings, or all parts of a meeting:

  • the local counter fraud specialist (LCFS) (or representative of the service) – usually a minimum of twice a year

  • the governance lead, such as the company secretary

  • the risk management lead.

On occasions the following might be asked to attend:

  • representative from NHS Counter Fraud Authority

  • representative from wider assurance providers

  • executive directors and senior managers where appropriate. 

It would be expected that, at the invitation of the committee chair, the chair and chief executive officer (CEO) would attend some (or part of some) meetings and it is good practice for them to provide the audit committee with a business update including pertinent issues that may be of particular interest to the committee. However, this should be managed to maintain independence, being clear that they do not have a right of attendance.

The chair would attend to ensure that the committee is operating as expected and that the non-executives are carrying out their tasks appropriately.

The CEO, as an accountable officer, would be particularly expected to attend for items around the annual report and accounts, including the annual governance statement, for which they are directly accountable. 

3.3 Role of the audit committee chair

The role of the chair of the audit committee is, in many respects, the same as that of any committee chair (liaising with secretariat over agendas, agreeing draft minutes, chairing the meeting, and so on).

For NHS audit committees there are some particular aspects to consider:

  • building relationships with internal audit, external audit and LCFS (as well as the security management specialist where they do not report elsewhere) between meetings so that they are clear that their right of access to the audit committee (via the chair) is wholly supported - this should include scheduled conversations between meetings or ahead of specific events 
  • working with other committee chairs to ensure that the oversight of the individual and collective committees is most effective; avoiding duplication and omission - this is particularly so in areas around risk assurance.

The audit chair also has a key role in supporting the CFO and developing a strong working relationship, particularly as the role of the CFO has become much more complicated in recent years.

3.4 Conflicts of interest

NHS England defines conflicts of interest as:

'A set of circumstances by which a reasonable person would consider that an individual’s ability to apply judgement or act, in the context of delivering, commissioning or assuring taxpayer-funded health and care services is, or could be, impaired or influenced by another interest they hold.' (NHS England, Managing conflicts of interest: guidance for staff and organisations, August 2017)

As with any meeting, any conflicts of interests – perceived or actual – should be formally declared and appropriately managed. Examples include: recent employment with the health service body; close family ties to its directors, members, advisors or senior employees; or a material business relationship with the health service body. For NHS audit committees, more particular conflicts could include relationships with audit providers (internal and external), particularly around the time of procurement for the services.

The Health and Care Act 2022 (The National Archives, Health and Care Act 2022, July 2022) places specific conflicts of interest duties upon ICBs, as included in the guidance on ICB constitutions (NHS England, Guidance to clinical commissioning groups on preparing integrated care board constitutions, May 2022). With the increase in collaborative working, there is likely to also be an increase in potential conflicts of interest. The audit committee chair should ensure that a written protocol setting out how conflicts of interest will be addressed and recorded is in place.

3.5 Competence and training

Members of the audit committee should ensure that, individually, they are competent in their understanding of audit and risk assurance; including corporate governance, risk management, internal control and assurance. 

In addition to having one member with particular competency in financial reporting and audit, the audit committee members should look – individually or collectively – to have more advanced competency in such areas as procurement and compliance.

The committee should regularly consider its own training needs so that members have the skills that will allow them to perform their role effectively. As well as a basic understanding of finance and internal control, along with their role as audit committee members, this should include a good understanding of the local finance and governance arrangements across health and care, and wider partners, in the local system (see further consideration of system working in chapter 19). 

The board secretary or governance lead should seek to support the members (and attenders) in accessing suitable training and development.

3.6 Behaviour

Members’ behaviour needs to embody the highest ethical standards, both as generally accepted in public life (see the Nolan principles below: Committee on Standards in Public Life, The seven principles of public life, May 1995) and as applied in the NHS (codes of conduct: NHS England, Standards of business conduct policy, January 2024), not least because of the clear link between effective governance and culture. 

NHS England’s Fit and proper person test framework for board members (NHS England, January 2024) sets out three core elements: 

  • good character

  • possessing the qualifications, competence, skills required and experience

  • financial soundness.

As well as meeting these requirements, they should ensure that they provide an example by being pro-active in their compliance. 

The Nolan principles of public life (Committee on Standards in Public Life, The seven principles of public life, May 1995)

Selflessness: holders of public office should take decisions solely in terms of the public interest. They should not do so in order to gain financial or other material benefits for themselves, their family, or their friends.
Integrity: holders of public office should not place themselves under any financial or other obligation to outside individuals or organisations that might influence them in the performance of their official duties.
Objectivity: in carrying out public business, including making public appointments, awarding contracts, or recommending individuals for rewards and benefits, holders of public office should make choices on merit.
Accountability: holders of public office are accountable for their decisions and actions to the public and must submit to whatever scrutiny is appropriate to their office.
Openness: holders of public office should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands it.
Honesty: holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
Leadership: holders of public office should promote and support these principles by leadership and example.


Key learning points 

  • Membership of the audit committee is limited to non-executive members of the board.

  • The CFO, along with representatives from external audit, internal audit and the local counter-fraud specialist would normally be expected to attend audit committee meetings.

  • The role of the committee chair is important in not only running an effective meeting but also building relationships with auditors and management.

  • All members and attendees should ensure that they maintain their competence and are supported in their training and development. 


Chapter 4: Formality of meetings

Overview

Formal meetings of the committee should cover the requirements within the terms of reference, generally following an annual cycle with some regular items at each meeting. Good secretariat support will help the effectiveness of meetings, both in their arrangement, commissioning of papers and recording of minutes.

4.1 Frequency of meetings

It is normal for audit committees to meet four or five times a year, with a possible additional meeting to specifically review the annual report and accounts.

These meetings should fit into both the audit cycle (planning, progress and reporting) for internal and external audit, and the financial year (annual report and accounts planning and reporting). Some elements of the audit committee remit are subject to a periodic review (often annually), such as the committee’s own effectiveness review, or reviewing arrangements for raising concerns. These are best scheduled at those meetings that are likely to have fewer substantial agenda items.

4.2 Quoracy  

Membership of the committee is limited to the non-executive directors (see chapter 3), with an expected minimum of three. Quoracy is therefore normally set at two, although a larger membership might have a different quoracy.

If quoracy cannot be achieved there can be options to invite other non-executive directors to attend for a single meeting (excluding the chair), or the meeting can go ahead and any actions or decisions (depending on their nature) can be ratified at the next committee meeting, or by the next board. Neither of these is ideal, but they are pragmatic if the reason for the lack of quoracy is short-term, the papers have already been read and the attenders are available.

4.3 Agenda and timetable  

The chair, with secretariat support, should ensure that the remit of the committee, as set out in its terms of reference, is covered over the course of the year in its workplan, with some items occurring at each committee meeting and others less regularly.

Example items to be covered in agendas over an audit year are set out in appendix C.

In commissioning papers for the committee meetings, particularly from managers who do not regularly attend committee meetings, it is important that the purpose of the agenda item is explained, as well as the expectations from the audit committee members. It would be appropriate for the board secretary, or CFO/executive lead to offer this support to managers, while in some circumstances a pre-meet with the audit committee chair might be of value.

4.4 Delegated decision-making  

While the audit committee is a non-executive committee, and does not normally have any decision-making powers, some decisions can be delegated to the committee by the governing body. These tend to be around the detailed review of the annual report and accounts, but can also include investigation into specific incidents or deep dives into particular topics.

The committee will also be involved in the decisions about the appointment of internal auditors (see chapter 9), external auditors (see chapter 10) and local counter fraud specialists (see chapter 11).

4.5 Secretariat support  

Secretariat support, which is more than just the logistics of arranging the meeting and co-ordinating the papers – important as they are – is critical in ensuring that the audit committee is effective and keeps to its remit.

The audit committee secretary is commonly the organisation’s secretary or governance lead. The secretary should meet with the chair of the committee, between meetings, to help plan the next agenda and the commissioning of papers.

Draft minutes of each meeting should initially be shared with the chair and executive lead, as soon as practical after the meeting, to confirm accuracy and ensure that all actions have been identified.

The secretary should take an active lead in following up the actions from each meeting, usually maintained in a log, and reminding action owners of when the action is due.

4.6 Quality of papers  

It is best practice for any committee to give guidance on what it requires from the papers that support the agenda. It is important that, when commissioning papers, the secretariat are clear that the paper is designed to inform a discussion and therefore give a steer on what that discussion needs to cover, what information is needed (and not needed) and what outcome the agenda item is seeking to achieve (assurance on an area, an action that will need to be implemented, and so on). 

In some instances, such as for external audit, the content of their reports is set out in professional standards. Other functions, such as internal audit and counter fraud, will also have standard practices.

Some organisations have a standard practice of header sheets that help summarise the main points. The point of this is to help the committee by highlighting the critical issues that need drawing to the committee’s attention, for discussion or for action.

4.7 Quality of minutes  

Different organisations will have different policies on how minutes are produced, including the level of detail that is recorded. It is important, particularly with regards to sensitive discussions, that the minutes reflect what has been discussed, how well the discussion went, the different opinions heard and the level of importance given to the agenda item.

Actions that come out of this discussion need to be clearly recorded and kept on an action log that the secretariat keep up to date.

4.8 Collaboration with other audit committees

There is the ability, in some circumstances, for audit committees to work together through collaborative audit committee arrangements. This is a developing area with increasing examples of committees in common resulting from group models between NHS organisations.

A committee in common is defined by NHS Providers as ‘an arrangement where each participating organisation uses its statutory powers to establish a statutory committee which has delegated functions or decision-making powers in respect of the parent organisation only. Decisions delegated to the committees do not need to be referred back to the boards of the participating organisations. Decisions are made by the committees collectively and all committees need to be in agreement for decisions to be binding. Terms of reference for each committee will be shared or aligned’ (NHS Providers, Provider collaboration: a practical guide to lawful, well-governed collaboratives, November 2023).

As integrated care systems (ICSs) mature and look at different ways of working there needs to be clarity on the relative roles and responsibilities. Chapters 19 and 20 look at some of these broader issues.

Key learning points

  • The audit committee should meet a minimum of four times a year (possibly holding one extra meeting for the annual report and accounts).

  • The agenda for each meeting can be supported by an annual workplan that ensures that the terms of reference are met.

  • Good secretariat support will ensure that, in meeting the terms of reference, papers that are commissioned are clear in what is being sought from them, and that minutes accurately reflect the discussion and actions to be taken forward.

Chapter 5: Private meetings and rights of access

Overview

Audit committee members should have time to meet on their own, as well as time to meet with auditors without management present. Auditors should also have the right of access to the chair of the committee, when they wish to raise issues that are sensitive or have been unable to resolve with management.

5.1 Private meetings: committee members only

It is sometimes useful for just the committee members to meet on their own, without anyone else in attendance. This is an opportunity for them to discuss the agenda, the matters being discussed and any particular issues that they want to raise or discuss. Given that most non-executives have busy lives, there may not have been a chance for this to have happened before.

It would be usual, after such a meeting, to note in the formal meeting that it took place and any points that the members wish to highlight. This is in part to reassure those attending the full committee meeting about what has been covered, as well as to keep a record and maintain a culture of openness.

There may be instances where the committee meets with just secretariat support, especially if it is undertaking a specific review into a piece of work or investigating a breakdown in controls. In such instances the meeting should be appropriately minuted and regarded as a formal meeting.

A final alternative would be where the committee meets with just a few attendees. This would primarily be where there was a potential conflict of interest, and usually that would be to discuss the tendering and appointment of internal or external audit. Again, this meeting would be a formal meeting, duly minuted but the contents kept confidential.

5.2 Private meetings with auditors

The more normal practice is for the committee to meet with representatives of internal and external audit, as well as the local counter fraud specialist, outside of the formal meeting (normally before). This can be either meeting with them individually, or as a group, or some permutation of the two.

The point of this meeting is to allow the auditors to raise issues that they might feel hindered in raising with management in attendance, but it can also be used by committee members to seek clarification on details in the papers that they may feel more comfortable asking outside of the meeting. It is also an opportunity for committee members to ask about working relationships, both with management but also between the auditors and with the local counter fraud specialist.

In some respects, given the right of access, nothing should emerge from these meetings that comes as a surprise.

It is for the committee chair to agree how any matters that do arise in these discussions are handled. They need to be aware that, to benefit from these sessions, confidentiality needs to be maintained where necessary, and that auditors are reassured on this point. Poor handling of this could have an adverse impact on the relationships between management and auditors.

The sort of questions and topics that could be covered are set out below.


Example questions that could be covered in private meetings with auditors:

  • Did the auditors receive all the co-operation they needed?

  • Was any attempt made to restrict the scope of the auditors’ work in any way?

  • Was the original audit strategy or plan modified due to deficiencies in internal control or accounting records?

  • What is the auditors’ view of their relationship with management?

  • Did the auditors have any significant disagreements with management? If so, how were these resolved?

  • Do the auditors have any concerns about management’s control consciousness or operating style?

  • Do the auditors/local counter fraud specialists have any views on the culture of the organisation that could compromise the control environment?

  • Do the auditors believe they are under any undue pressure to give a particular opinion?

  • Do the auditors believe management are under undue pressure – for example, to report performance in a particular way, or that their workload constrains their capacity to maintain the control environment?

  • Are there any other matters that, in the opinion of the auditors, should be considered by the audit committee?

5.3 Right of access

Both sets of auditors, and the local counter fraud specialist, have a right of access to the audit committee, which is primarily carried out through the committee chair. This is a vitally important ‘safety valve’ to ensure that the auditors can operate in an independent and objective fashion, but also ensures that significant issues can be raised between meetings.

It is more likely that the non-executives will meet, in other fora, with their executive director colleagues, and therefore may receive only one side of an argument (see chapters 9 to 11 on handling disagreements), so the ‘independent and objective’ role of the non-executives needs this balance.

With the right of access comes responsibility to use the right carefully. Auditors should not over-use the right, nor should non-executives use this to undermine their relationship with management. 

Clearly, when an auditor asks for a meeting with the audit committee chair, this should be seen as a significant matter and the chair should seek a timely meeting, respecting confidentiality. How they handle the results of the meeting will depend on the matter raised.

Key learning points

  • Audit committee members should have some time to meet on their own to review agenda items and important discussions.

  • At least once a year, the committee should meet with external audit, internal audit and the local counter fraud specialist (jointly or individually) to ensure that they can speak freely.

  • Outside the formal meetings, auditors and the local counter fraud specialist have a right to access the committee chair, which should be used when other routes have been exhausted.


Chapter 6: Committee effectiveness

Overview

As is good governance practice, the audit committee should carry out an annual effectiveness review. There are a number of tools available to assist in this process, to ensure that the committee has met its terms of reference and been effective in achieving its overall purpose.

6.1 Good practice requirement

It is good governance practice for boards and their sub-committees to carry out a review of their effectiveness on an annual basis, with the option to use external assessments on a three- or five-year cycle to provide an added degree of independence.

Any review of effectiveness should seek to ensure that the committee is meeting its terms of reference and, in particular, its duties and responsibilities with regard to the oversight of a robust system of governance, risk management and control. 

For a review of effectiveness, it is important that, while using best practice models as a basis, any review is adjusted to ensure that it is appropriately tailored for the NHS organisation and the specific issues that it faces, such as working within an integrated care system (ICS), the importance of the freedom to speak up, the patient safety agenda and the challenging financial climate.

Where the audit committee works with, or relies upon, other committees, it should consider specific questions about these relationships. These are most often based around the completeness and effectiveness of assurance on assigned board assurance frameworks or strategic risks.

One of the reasons for inviting the chair of the board to attend an occasional audit committee meeting is to feed into the chair’s wider understanding of how the overall governance arrangements are working in practice, and they can then provide their own impressions on the audit committee’s effectiveness, including that of the audit committee chair.

6.2 Use of checklists  

To assist the audit committee in its review, the usual practice is to ask members and attenders to complete a self-assessment against a standard checklist. These can range from generic ones used within their organisation, to more ‘industry wide’ checklists that are NHS specific (see examples in appendix B), to bespoke checklists drawn from good practice (for instance the National Audit Office (NAO) checklist toolkit for central government (National Audit Office, Audit and risk assurance committee effectiveness tool, May 2022) or ones from accountancy or consultancy firms).

Sometimes the completion of the checklists can be seen as burdensome, and there may be value in a two-stage report; for instance that the audit committee chair and secretariat complete the sections that cover the more ‘administrative’ elements of the committee, thus leaving the members and attendees to provide more qualitative feedback.

For some of the checklists the assurance may come from simple yes/no responses to ensure that the committee is covering standard practice. In others there can be more value in a scoring system across a range, in terms of the level of effectiveness. Wherever possible it is most helpful if comments can also be collected, both in support of good points, as well as how areas for improvement can be developed.

The collation of the results of the checklists should be undertaken by the secretariat and the committee should discuss prioritisation of any improvements.

6.3 Elements of an effective audit committee

While checklists can be useful in ensuring that the audit committee is generally compliant with its terms of reference, an effective audit committee is probably more about the conduct and behaviour of the members and attendees. A number of professional bodies set out traits of an effective audit committee, including the International Federation of Accountants (IFAC) (The International Federation of Accountants, Five key factors to enhance audit committee effectiveness, September 2019) and the Institute of Chartered Accountants in England and Wales (ICAEW) (ICAEW, Nine traits of an effective audit committee, June 2018). Possible matters to consider are set out below.


Questions to consider on assessing effective audit committee behaviours:

  • What difference has the committee made to the organisation’s governance, risk and control environment?

  • Did the committee encounter any ‘surprises’ during the year that it should have seen coming, for example, unexpected adverse inspection reports?

  • What learning has there been in terms of looking at root causes and embedding improvements?

  • How effective have the systems for internal reporting been, both in terms of escalation up and communication of ‘board to ward’ down?

  • How helpful was the internal audit programme coverage, in terms of its risk-based responsiveness?

  • How good have the committee chairs been in ensuring triangulation of intelligence with each other’s committees?

  • Did the committee have to re-focus its planned activities during the year and, if so, was this a pro-active decision or for reactive reasons?

  • Where there has been any limited assurance report, how effectively has the committee gained assurance on the follow up of implementation of remedial actions?

  • Has there been an open and honest relationship with internal and external auditors, as well as the local counter fraud specialist, directly with audit committee members?

  • Is everyone respectful of the opinions of others, and do they give them due attention?

  • Does the audit committee chair review each meeting’s effectiveness with members and pick up feedback for future improvement?

  • Is it clear that no one (or two) people dominate or lead the discussion (such as the chair or the chief finance officer), but that each member and attendee is given a fair opportunity to contribute?

Key learning points

  • Reviewing the effectiveness of the audit committee is an annual exercise required to ensure good governance.

  • A number of checklists are available to help guide the review, but attention should be given to matters that are specific to NHS organisations.

  • Effective audit committees are not just about fulfilling their terms of reference, but also about the culture and behaviour of the committee, and how it achieves its overall purpose.


Chapter 7: Committee reporting

Overview

The audit committee needs to report to the board (and other committees) on the most significant issues that it has covered on its behalf, so that all board members are aware of what is being done. The work of the committee needs to be summarised, on an annual basis, to support the annual governance statement.

7.1 Reporting to board

The audit committee’s work should be aligned to the board’s agenda, and consequently its in-year reporting to the board is vital. After each audit committee meeting the audit committee should report to the board, drawing attention to the important issues discussed, and raising any matters requiring attention such as new risks, new assurance and progress with actions to close gaps in control or assurance.

While this can be achieved by a copy of the minutes (if appropriate for public or private board), it is probably more effective if the key points for the board’s attention are included in a summary report from the committee chair. Given the audit committee cycle of meetings, waiting for approved minutes may make reporting by minutes untimely.

Reporting to the board on the annual report and accounts should be an opportunity for the chief finance officer (CFO) and audit committee chair to emphasise the board’s overall responsibility for the truth and fairness of the report and accounts. While detailed scrutiny may have been delegated to the audit committee, it does not remove that ultimate responsibility from the board, and some form of challenge and review from the board would still be expected.

7.2 Reporting and liaising with other committees

It is unlikely that the audit committee will report to any other committee in the organisation, but matters may arise at the audit committee that were either directed to the audit committee to discuss (for instance the results of some form of external assurance), or where the audit committee may wish to direct a matter to another committee (for instance assurance on the oversight of particular risks or an internal audit review on patient safety to the quality committee).

It would be usual for the secretariat to arrange this reporting, as part of any action log, ensuring that the actions were followed up and completed. 

7.3 Annual report in support of the annual governance statement (AGS)

In signing the AGS, the chief executive officer (CEO) will normally include a statement on their reliance on the audit committee for certain matters.

This is best met by the requirement for the audit committee to provide an annual report, in support of the annual governance statement, that aligns with the committee’s responsibilities and duties set out in its terms of reference. The report should look to provide an overview that:

  • the organisation’s system of risk management is adequate in identifying risks and allowing the governing body to understand the appropriate management of those risks

  • the committee believes that the assurance framework is fit for purpose and that the ‘comprehensiveness’ of the assurances and the reliability and integrity of the sources of assurance are sufficient to support the governing body’s decisions and declarations

  • there are no outstanding areas of significant duplication or omission in the organisation’s systems of governance that have come to the committee’s attention. 

In addition, the report should highlight the main areas that the committee has reviewed and any particular concerns or issues that it has addressed. 

These could include:

  • the reliability and quality of the organisation’s financial reporting systems that sit behind the financial position reported to the governing body

  • any significant issues that the committee has considered in relation to the financial statements 

  • any major breakdown in internal control or crystallisation of risk that has led to a significant loss in one form or another

  • any major weakness in the governance systems that has exposed, or continues to expose, the organisation to an unacceptable risk

  • an assessment of the performance of the external auditor and other assurance functions.

This is not a definitive listing and the audit committee will want to summarise the work that it has carried out, the topics that it has delved into and how it has used the work of the auditors. The report should not just focus on process and the number and type of assurances considered during the year, but include the outcome of the committee’s work, its conclusions and actions taken. 

The report should not be long (three or four pages should be sufficient) and may be drafted by the committee’s secretary under the direction of the committee’s chair. The committee chair should take overall responsibility for the report’s preparation and share drafts of the report with committee members. 

A first draft of the report should be produced promptly after the year-end, so that the major themes can be captured and fed into the AGS. The report can then be finalised later, to reflect such events as the completion of the external audit, receipt of the head of internal audit opinion, and so on.

Key learning points

  • The audit committee needs to report to the board on the most important issues that it has discussed.

  • The audit committee needs to report to, and be reported to by, the other committees that it works with, to ensure that there is appropriate and proportionate oversight between the board and its committees.

  • An annual report should be produced by the committee, in support of the AGS, on how it has met its terms of reference over the previous year, and highlighting the significant matters that it has discussed. 


Chapter 8: Annual report and accounts

Overview

The committee undertakes the detailed review and scrutiny of the annual report and accounts on behalf of the board, using its independence and objectivity to ensure that they present a true and fair view. The committee will focus on areas of significance and risk, as well as receive a report from the external auditor.

8.1 Role of the committee

Responsibility for preparing the annual report and accounts rests with the full board and the chief executive officer (CEO) as accountable officer. As set out in HM Treasury’s Managing public money (HM Treasury, Managing public money, May 2023), although detailed scrutiny of the annual report and accounts is undertaken by the audit committee, the full board retains overall responsibility for their preparation.

While the preparation of the annual report and accounts is a management responsibility, the audit committee plays a key role in seeking assurance that there is an effective timetable (agreed by all parties), with proper co-ordination across the multiple stakeholders, to ensure that the document is brought together completely and accurately, and within time.

The audit committee’s role is to review the annual report and accounts, together with assurances from management, external audit, internal audit and other governance committees, before they are submitted to the board for formal adoption (and council of governors for NHS foundation trusts). Usually this involves considering a report from the chief finance officer (CFO) in April or May that highlights particular points of interest, explanation of significant variances from the prior year and in-year forecasts, and any areas that are under discussion with external audit.

However, where there are significant accounting matters (such as complex or large accounting matters, changes to accounting and reporting standards or significant new commitments or changes to service delivery), these need to be discussed at the audit committee well before the year-end, so that the full implications are worked through, and areas of potential disagreement identified and a plan put in place.

The committee will also consider a ‘report to those charged with governance’ from the external auditor (referred to as the ISA260 report - see chapter 10), that sets out the audit risks to the accounts, how these have been addressed and the findings from the audit.


8.2 Annual accounts

Detail on the annual report and accounts is included in HFMA’s Introductory guide to NHS finance (HFMA, Introductory guide to NHS finance, January 2024; see the chapter How NHS bodies demonstrate financial accountability). While the audit committee’s role is to cover the annual report and accounts, a particular focus will be on the annual accounts, remuneration report and the annual governance statement (AGS) included within that.

The audit committee’s review of the accounts is an important step in the governing body’s approval process and provides an opportunity for constructive challenge and scrutiny of the organisation’s financial information and the systems of control that produce it. Accordingly, committee members need to be able to understand the annual report and accounts before recommending their approval. 

When reviewing the accounts, the committee may wish to pay particular attention to the following:

  • compliance with relevant requirements

  • the going concern assessment

  • changes in accounting policies and any deviation from the Group accounting manual (GAM) (Department of Health and Social Care, DHSC group accounting manuals, February 2024)

  • changes in accounting practice due to changes in accounting standards

  • changes in estimation techniques

  • significant judgements made in preparing the financial statements

  • significant adjustments resulting from the audit

  • any unadjusted misstatements in the financial statements

  • explanations for significant variances

  • consistency between the financial outturn and the month 12 management accounts

  • any letters of representation.

The HFMA’s briefings, How to review and scrutinise the numbers during the year (HFMA, April 2022) and How to review and scrutinise the annual accounts (HFMA, June 2022), set out a series of questions that non-executives could ask at audit committee meetings to assess how things are going in financial and governance terms and identify any areas of potential concern. The HFMA also publishes each year a set of year-end reminders to support audit committees as they review the annual report and accounts (HFMA, 2022/23 year-end reminders for NHS audit committees, March 2023; the 2023/24 update is due to be published in March 2024).

8.3 Annual governance statement (AGS)

In addition to the financial statements, the part of the annual report that is particularly relevant to the work of the audit committee is the AGS. The AGS focuses on the stewardship of the organisation and draws together position statements and evidence on governance, risk management and control, to provide a coherent and consistent reporting mechanism. The HFMA’s Introductory guide to NHS finance (HFMA, January 2024) provides further detail on the AGS and there is also a useful explanation of what the AGS is designed to achieve in annex 3.1 of HM Treasury’s Managing public money (HM Treasury, May 2023).

In reviewing the AGS the committee should be seeking consistency of its understanding of governance within the organisation with the public declaration included within the AGS.

The AGS must be set out in line with the GAM issued to NHS organisations each year, as well as the specific requirements for NHS foundation trusts in the NHS foundation trust annual reporting manual (FT ARM) (NHS England, NHS foundation trusts annual reporting manual, February 2024). Although the prescribed format must be followed, it does allow for some free form text.


The key areas covered include: 

  • scope of the organisation’s accountable officer’s responsibilities

  • information about the organisation’s governance framework

  • a description of how risk is assessed and managed

  • information about how the risk and control framework works

  • a review of the effectiveness of risk management and internal control

  • a review as to how well resources have been used

  • any significant risks and how they are being addressed.


Issues that the committee may wish to consider are:

  • whether the statement includes all the elements required in relevant guidance  

  • whether there are any inconsistencies between the statements made and reports the committee has received from auditors or other sources of assurance

  • whether any significant control issues or gaps in control or assurance recorded in the statement are consistent with reports the committee has received

  • whether the statement gives a balanced view of the organisation’s governance arrangements over the last year.


The committee should also consider the annual head of internal audit opinion (HoIA) (HFMA, Head of internal audit opinion, March 2024) at this meeting as it is designed to be one of the elements that informs the AGS.

The committee will then report to the governing body confirming that the draft AGS is consistent with the view of the committee on the organisation’s system of internal control and that it supports the governing body’s approval of the statement, subject to any reasonable limitations that the committee may draw attention to. To be able to carry out this review effectively, the audit committee will wish to look out for any possible problem areas or gaps throughout the year and discuss them as they arise.

 

8.4 Accounting policies and judgements

The annual report and accounts of NHS organisations are bound by the Financial reporting manual (FReM) (HM Treasury, Government financial reporting manual, December 2023), which is updated each year and reflected in the GAM. This reflects changes in financial reporting standards, as well as guidance on the interpretation of them in the public sector context.

A key area of focus, for management, auditors and the committee will be on areas where these policies have changed or can have different interpretations. Before the year-end (see example agenda and timetable at appendix C), the committee should review the proposed accounting policies, in particular any new or amended ones, understanding the implications of the change and gaining assurance that management and auditors have a plan in place.

In recent years, some changes in accounting policies have had significant resource implications, such as IFRS 16 on lease accounting. The committee should be assured that a realistic plan is in place to comply with any new accounting standards issued and their impact on the financial position of the organisation. 

There will also be areas where judgements will be needed, either because accounting policies are not prescriptive, or the area is inherently uncertain. An example of this might be over the likelihood of legal cases being successful and so requiring a level of provision. Where these are material (see glossary at appendix D), it is important that the process to make judgements is agreed in advance, is consistent year on year and has some form of challenge to avoid bias. The audit committee can have a role in reviewing the process and discussing any differences between management and auditors.

8.5 Annual report

The terms of reference note that, in reviewing the annual report and accounts, the committee will focus on certain areas that are closest to its terms of reference, but the committee is still reviewing the annual report in advance of the board and should therefore cover the full annual report.

The size of annual reports has increased over recent years and they contain a whole range of information, from workforce data to environmental measures, patient activity and outcome measures. The committee should seek assurance that the compilation of the annual report has been carried out in a managed manner, and should have its attention drawn to any areas of particular sensitivity.

Given the independence of the non-executives, and their wider knowledge, they should look to ensure that management have given a balanced review of the year gone by, avoiding over optimistic interpretation of the results or omission of significant matters.

8.6 Logistics of delivering the annual report and accounts

NHS organisations are required to follow a timetable for submitting both draft and final audited accounts that is set by NHS England (NHS England, NHS accounts timetable 2023/24 – with provider annex, February 2024).

In recent years, this timetable has required draft submission by late April and final audited submission towards the end of June, in other words within three months of the end of the financial year.

To achieve this requires very detailed planning by management and auditors, with the audit committee seeking assurance – from both parties – that there is an agreed and detailed understanding of each party’s needs, a jointly developed and deliverable timetable and plan, an escalation procedure and strong relationships in place.

Early sight of issues that may result in delays is important, and both the CFO and the external audit representative should keep the committee chair up to date on developments.

Anything that emerges after the audit committee has reviewed the accounts, or is a matter that the audit committee only agrees the accounts ‘subject to’, needs to be communicated to the audit committee members, not least so that they can assure their fellow board members when it comes to the formal approval. 

8.7 Quality accounts

In prior years some elements of the quality accounts were subject to external audit review (see chapter 10), but this ceased during the Covid-19 pandemic and is unlikely to recommence as a mandated requirement.

Oversight of the quality accounts will usually be delegated to any quality committee, but the audit committee may work with that committee to seek assurance on data quality of key indicators, potentially as part of any internal audit plan, as well as reviewing consistency between the quality accounts and the annual report and accounts in relation to quality and performance reporting.

Key learning points

  • The audit committee undertakes the detailed review and scrutiny of the annual report and accounts on behalf of the board, but does not take responsibility away from the full board.

  • The audit committee focus will be on the elements of the annual report and accounts covered by external audit, such as the financial statements, remuneration report and AGS, but the committee should ensure that the wording in the full annual report is consistent with their understanding.

  • The focus of the audit committee will be on the areas of greatest significance and risk to the truth and fairness of the financial statements such as accounting policy changes, judgements and estimates.

  • A particular focus will be the wording in the AGS.

  • Delivering the final signed and audited accounts will require careful planning and timetabling.

 

Chapter 9: Internal audit

Overview

Internal audit provides objective assurance, following Public sector internal audit standards (PSIAS) (HM Treasury and Internal Audit Profession, Public sector internal audit standards, August 2017), and works to a risk-based plan. It is a critical source of assurance for the audit committee and can also provide advice on good practice.

9.1 Role and regulation

The Institute of Internal Auditors defines internal audit as providing:

'An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.' (The Institute of Internal Auditors, Definition of internal auditing, January 2024)

There are two clear roles from this definition: assurance and consultancy. For the audit committee the focus of its attention will tend to be on the assurance role, but there are many opportunities to use the skills, knowledge and experience of internal audit to support management in the improvement of governance, risk management and control. However, the blend of the two needs to be carefully balanced, as well as ensuring that there is no conflict between the work internal audit undertakes (in other words it cannot audit an area that it has previously advised on).

All public sector internal auditors are required to follow UK PSIAS. The PSIAS are based on standards issued by the Institute of Internal Auditors (IIA), with additional requirements and interpretations to make them applicable to the UK public sector. In January 2024, the IIA announced the release of Global internal audit standards (GIAS) (The Institute of Internal Auditors, Global internal audit standards, January 2024) to take effect from January 2025 (see further detail in chapter 20).

The current standards set out:

  • the mission, definition and core principles of internal audit

  • code of ethics

  • attribute standards (for example, purpose, independence, proficiency, quality assurance)

  • performance standards (for example, planning, performing, communicating).

Central government has adopted a number of functional standards (Government Internal Audit Agency, Government functional standard 009: internal audit, March 2024), one of which covers internal audit. While NHS internal auditors are not directly required to comply with the standard (although it is relevant for the Department of Health and Social Care (DHSC) and its arm’s length bodies), it is a useful source of additional information on the expectations of an internal audit service.

On appointment, and reviewed regularly, there should be an agreed internal audit charter that sets out the authority and responsibilities for internal audit, both for the internal auditors as well as management. This charter should be agreed by the audit committee on behalf of the organisation. 

9.2 Appointment and tendering 

While some internal audit teams are in-house, the majority are delivered by either NHS, not-for-profit consortia or private sector firms. There is therefore a market for internal audit services and the audit committee will need to evaluate the internal audit delivery and assess its effectiveness and, where outsourced, be involved in the tendering and contracting for internal audit services.

Unlike external audit (see chapter 10), where the role and requirements are very specific, the nature and extent of internal audit coverage is more open to interpretation. The organisation, through its audit committee, should clarify its assurance requirements (see chapter 15) to help direct the requirements and expectations from internal audit.

When tendering, the service specification sent out to tenderers is an important document to set out the organisation’s requirements. 

In developing this there needs to be consideration of:

  • the desired level of assurance required by the organisation, on the basis that the lowest proposed audit plan may not be the most appropriate

  • quality and mix of staff that would be available, in terms of skills and experience (including specialists in such areas as NHS clinical systems, IT or project management)

  • suitable key performance indicators

  • breadth and depth of coverage taking into account other sources of assurance

  • consistency with the audit committee’s terms of reference and working practices

  • comparison to current charter and plan. 

While the detail of the service specification will be drafted by management, the audit committee should have a role in reviewing it before finalisation. While tendering will often be off framework agreements, it is important that any specification is suitably tailored to reflect specific needs.

9.3 Planning 

The internal auditors should produce an overarching strategy on how they will fulfil their role, from which more detailed operational plans should follow. The standards require a three-year plan (generally indicative) and an annual plan (which will change), while there are moves to consider more flexible plans (from 15-month rolling plans to six-monthly plans). This strategy, and the resulting plans, should be agreed by the committee. The plan should be flexible and reviewed by the audit committee quarterly to ensure it remains focused on the organisation’s assurance needs.


In undertaking their planning, the internal auditors should include:

  • a risk assessment of the external environment, system and organisation (including the board assurance framework)

  • consideration of previous internal audit coverage

  • engagement with the audit committee, executive directors and management

  • coverage of critical business systems (such as core financial systems and those that ensure compliance with legislation and requirements, deliver key services or support the delivery of business objectives).

Professional standards require that the internal audit plan should be risk-based, designed to provide independent assurance focused on the principal risks of the organisation. Part of this can be achieved by internal audit reviewing the system of risk management, to ensure that it is effective in identifying, assessing and reporting on the management of risks (see chapter 14).

The audit committee will need to ensure that individual audit assignments are appropriately focused on principal risk areas, particularly those that are being reported by management as not being effectively managed. Assignments should review arrangements in place for ensuring appropriate risk management (by design and operation) is in place and that the risks are being effectively managed.

The planning process is ultimately designed to allow the head of internal audit (HoIA) to provide an annual opinion in support of the annual governance statement (AGS). This would suggest that some critical areas would be subject to annual review (for example, the system of risk management), others within a rolling long-term cycle (for example, individual financial systems), while others are audited due to particular issues (for example, individual major projects at key stages of their life). There have been instances where audits have been mandated by NHS England (for example, financial sustainability) or there is a contractual need (for example, data security protection toolkit).

The potential areas that internal audit might review are numerous and are commonly known as the internal audit universe. 

These cover a range of specific areas of focus within overriding themes such as:

  • governance

  • clinical and patient safety

  • quality and performance

  • financial control

  • information management and technology

  • human resources and workforce

  • estates and facilities

  • commissioning, procurement and contract management.

These are indicative areas and no strategy or plan could hope to cover them all, so a process of prioritisation will be needed. Internal auditors will undertake a risk assessment which brings together all the potential areas for internal review and these are then subject to a process of prioritisation for inclusion within the operational plan.

The audit committee needs to satisfy itself that the planning process is robust. This should include discussion with key executives, input from the audit committee, liaison with other assurance functions to avoid duplication and with external audit to ensure coordination with their work.

9.4 Reporting

At the end of each internal audit assignment, the findings of the audit should be reported to management, including an overall opinion on the effectiveness of the arrangements in that area (in terms of the governance, risk management and control arrangements) and recommendations or agreed actions for improvement.

The audit committee does not necessarily need to see the full detail of every internal audit report, although it may be appropriate for the chair of the committee to be copied into them. However, each committee meeting should, as a minimum, receive a summary of each report within a progress update from the internal auditors.

Where audit reports are assigned an adverse opinion rating (such as ‘limited’ or ‘unsatisfactory’) then the audit committee will want to review the findings in detail. These reports should be a separate agenda item, where the executive lead should attend the meeting to explain their position and provide assurance regarding the actions that they are taking to address the issues raised. The audit committee needs to be satisfied that the actions being taken by management are sufficient and timely enough to address the auditor’s findings and will succeed in ensuring that the area will be effectively managed.

At the end of the year the HoIA will produce an annual report and opinion (HFMA, Head of internal audit opinion, March 2023, due to be updated in March 2024). While this annual report and opinion is the responsibility of the HoIA (and would have been through their internal quality review), it should not come as a surprise to the audit committee when it is provided to the meeting where the final annual report and accounts are reviewed and agreed. Where the opinion level changes from a previous level (especially adversely) then this should be signalled in advance, either through an interim progress report or through contact with the audit committee chair.

This report should set out the work undertaken in the year, summarise the results of that work and give the overall opinion on the effectiveness of governance, risk management and control. Providing a thematic analysis of internal audit results within the annual report can also be useful for committee members. The final annual opinion level (see 9.6 below) needs to be considered by the committee, in terms of the rationale for the opinion and the direction of travel, whether there is a positive or negative move year on year. It is important that the audit committee appreciates that the opinion is a judgement, rather than a calculation, and is based on an assessment of a range of factors, from the assurance framework, risk management system and results of individual assignments to management’s response to internal audit work.

9.5 Implementing agreed actions 

The implementation of agreed actions arising from internal audit reports (indeed arising from any report) is a key focus for the audit committee, meeting a couple of needs:

  • it can demonstrate whether or not management take internal audit and the need for assurance seriously, as well as whether there is an understanding of risk management

  • it can demonstrate whether management actions responding to issues being highlighted by internal audit are pragmatic solutions (as opposed to textbook answers).

In particular, the audit committee will want to review the timeliness and completeness of the management actions, and whether they have been effective in improving the management of risks. Where an action has been agreed because a risk is not being managed effectively, the longer that action takes to implement, the longer the organisation remains exposed to that risk.

In some instances, it is perfectly right for management not to address an issue reported by internal audit. In these instances, management may believe that the cost of the additional controls outweighs the benefits, and therefore they are prepared to accept the risk. They may, alternatively, disagree with internal audit on the risk involved or believe that compensating controls are sufficient. Where this situation arises then it is the audit committee’s role to independently consider the issues and whether they concur with management’s assessment, or request that they reconsider their response.

9.6 Opinions 

While there has been some effort to try and standardise opinion levels, the terminology and ratings in use differ between providers. In 2020, CIPFA (CIPFA, Internal audit engagement opinions: setting common definitions, February 2020) proposed a common set of opinions as below.


Internal audit engagement opinions, based on CIPFA definitions:

  • Substantial assurance: A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.

  • Reasonable assurance: There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.

  • Limited assurance: Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.

  • No assurance: Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

 

Other examples may use different terminology but tend to have a similar number of categories. For example, the Government Internal Audit Agency uses: ‘substantial’; ‘moderate’; ‘limited’; and ‘unsatisfactory’ (HM Government, Government functional standard, March 2024).

It is important to remember these ratings are not presented as a ‘statement’ or ‘fact’, but are called ‘opinions’ for a reason. They are a judgement determined by the HoIA, and it is often not a simple binary decision. This can often be a source of contention between management and auditors.

The audit committee will need to understand the logic behind the opinion. Where opinions are disputed the committee can give useful feedback on whether the issues and rating assigned are consistent with the control environment and risk appetite expected by the organisation.

 

9.7 Handling disagreements 

As with any audit function there will inevitably be occasions where auditors and management disagree. This is where the audit committee brings its independent and objective judgement to bear.

Most disagreements should be resolved through the normal audit process; from agreeing the scope of work at the planning stage, evidence review during fieldwork, discussions around the initial findings and agreeing the final report, including management response and agreed actions.

Where significant disagreements cannot be resolved, the HoIA should use their right of access to the chair of the audit committee to raise the matter, confidentially if needs be. As a matter of routine there should be regular time scheduled (at least annually) either before or after audit committees for the committee to meet auditors privately without management present. This time can be useful to help identify and address any problems being experienced by internal audit.

 

9.8 Reviewing effectiveness

At least annually the audit committee, without the internal auditors present, should consider the effectiveness of the internal audit service. 

For this the committee should:

  • consider whether they have been satisfied with the quality of work seen (for example, the breadth, depth and timeliness of work reported)

  • seek opinions from the lead executive (usually the chief finance officer (CFO)) and from other senior management who have regular involvement with them (for example, the director of governance or trust secretary)

  • review performance against agreed key performance indicators 

  • review the results of any internal quality assessments by the internal audit provider and the five-yearly external quality assessment

  • take into account other evidence available, such as added-value briefings supplied and the results of any post-audit feedback from management.

Where there are concerns about performance and effectiveness they should be raised with the HoIA and an improvement plan agreed. This plan should be monitored by the lead executive responsible for the service (usually the CFO).

The IIA’s report Harnessing the power of internal audit for audit committees (Chartered Institute of Internal Auditors and Inspiring Business, Harnessing the power of internal audit, February 2019) includes eight key areas the audit committee may wish to consider in reviewing its internal audit arrangements.

 

Key learning points

  • Internal audit is about both assurance and consultancy.

  • Internal auditors work to public sector internal audit standards and adopt a risk-based audit plan.

  • The committee will be involved in the tendering and appointment of internal auditors and should understand the scope of work that is required.

  • The audit cycle runs from an overall strategy, through an annual plan and individual assignment reporting, to an annual report in support of the annual governance statement.

  • The way that management reacts to internal audit reports, particularly in the implementation of agreed remedial actions, is an important indicator of the importance given to this function.

 

Chapter 10: External audit

Overview

NHS organisations must appoint their own external auditors to provide an opinion on the financial statements and commentary on value for money (VFM) arrangements. Non-executives have a key role in selecting, appointing and managing these contracts. The work of external auditors must be carried out in accordance with professional requirements, standards and guidance, which shape the audit work from initial planning through to reporting.

10.1 Role and regulation 

The external audit of an NHS organisation is required by law (the Local Audit and Accountability Act 2014 and the NHS Act 2006; see The National Archives, Local audit and accountability act 2014, January 2014, and The National Health Service Act 2006) and the National Audit Office’s (NAO) Code of audit practice (the Code; National Audit Office, Code of audit practice, April 2020) sets out what local auditors are required to do, including:

  • forming and expressing an opinion on whether the financial statements are prepared, in all material respects, in accordance with the Group accounting manual (GAM) (Department of Health and Social Care, DHSC group accounting manuals, February 2024)

  • being satisfied that the VFM arrangements that the organisation has in place to secure economy, efficiency and effectiveness in its use of resources are working, and including a commentary (and associated recommendations) in their auditor’s report on financial sustainability, governance and improving economy, efficiency and effectiveness. Where auditors identify significant weaknesses in arrangements as part of their work, they should raise them promptly with those charged with governance

  • reporting on regularity (ICBs only)

  • considering whether to exercise statutory powers such as a report in the public interest, written recommendations to the audited body (ICB and NHS trust only) or a referral to the Secretary of State.

The Code requires auditors to follow International standards for auditing (ISAs) issued by the Financial Reporting Council (FRC) (Financial Reporting Council, Auditing standards, March 2024) and in accordance with Practice note 10 (Public Audit Forum, Practice note 10: audit of financial statements and regularity of public sector bodies in the United Kingdom, November 2022). To support auditors in their work, and facilitate consistency of approach between auditors, the NAO issues a series of Auditor guidance notes (AGNs) (National Audit Office, Auditor guidance notes, February 2024) on areas such as planning, reporting, additional powers and duties, going concern and VFM arrangements.

Further detail on external audit reports and auditors’ additional powers and duties is set out in the HFMA’s briefing, External audit reports: the role of the audit committee (HFMA, External audit reports: the role of the audit committee, March 2023, due to be updated March 2024).

In recent years, following corporate financial reporting failings, external audit firms have been under increasing regulatory pressure from the FRC and the Institute of Chartered Accountants in England and Wales (ICAEW) to improve audit quality. This has led to a strengthening of the ISAs, which, in turn, has led to an increased amount of audit work and greater assessment of evidence. 

Each year, the FRC publishes its inspection findings into the quality of major local body audits in England (Financial Reporting Council, Major local audits: audit quality inspection, December 2023), which includes large health and local government audits. Audit committees should note that the key areas it considers as requiring improvements will be areas of particular focus for auditors in subsequent years. Common areas identified include pension valuations, valuation assumptions and evaluation, accuracy and occurrence of expenditure and testing of journal entries.

10.2 Appointment and tendering

All NHS organisations have a statutory responsibility to appoint an external auditor, albeit there are differences in the underlying legislation for ICBs, NHS trusts and NHS foundation trusts. 

NHS trusts and commissioners

The Local Audit and Accountability Act 2014 (LAAA) (The National Archives, Local audit and accountability act 2014, January 2014) requires NHS trusts and ICBs to have an ‘auditor panel’ to advise on the selection, appointment and removal of external auditors and on maintaining an independent relationship with them. In most cases, existing audit committees (or members of those committees) have been nominated to act as the auditor panel. The body is required to appoint an external auditor to audit its accounts by 31 December in the financial year preceding the one to which the audit relates.

The LAAA also requires that an NHS trust’s or ICB’s external auditor is registered with a recognised supervisory body (RSB) – the FRC has recognised the ICAEW and the Institute of Chartered Accountants of Scotland (ICAS) as RSBs for the purpose of local audit. This means the RSBs approve and register audit firms to undertake local audit work and approve individuals in those firms that both meet the statutory qualification requirements and are judged to have the appropriate level of competence to carry out local audits on behalf of the registered firm. The LAAA uses the term ‘key audit partner’ (KAP) to mean an individual identified by the firm as being primarily responsible for the audit.

NHS foundation trusts

The NHS Act 2006 (The National Health Service Act 2006, March 2006) requires the council of governors to appoint or remove the external auditor, supported by an audit committee to perform monitoring, reviewing and other functions as appropriate.

The auditor must be: eligible for appointment as a statutory auditor (under the provisions of the Companies Act 2006); eligible for appointment as a local auditor (the regime in place for NHS trusts and ICBs); or a member of a body of accountants approved by NHS England. In appointing the auditor, the council of governors should ensure that the audit firm and audit engagement leader have an established and demonstrable standing and are able to show a high level of experience and expertise. 

Often an auditor that is proposing to be appointed at an NHS foundation trust will also be a ‘local auditor’ under the regime that applies for NHS trusts and ICBs. As explained above, the RSB consider an engagement leader’s experience in awarding KAP status under the local audit regime. It would be reasonable for an NHS foundation trust’s council of governors to use an engagement leader’s KAP status as evidence of their suitability to undertake the audit at an NHS foundation trust. 

KAP status is not a formal requirement to undertake an NHS foundation trust audit and the trust could perform other procedures to assure itself of the suitability and experience of the proposed appointment. If the NHS foundation trust appoints an external auditor outside of the local audit regime, the trust must ensure the auditor is eligible for appointment under the requirements of the Companies Act and has the necessary experience.

Appointment process

NHS England sets out expectations for good governance in local audit procurement in its accounts timetable and guide (NHS England, NHS accounts timetable 2023/24 – with provider annex, February 2024; NHS England, Audit and assurance: a guide to governance for providers and commissioners, December 2019). The length of external audit contract varies by organisation, with some including a basic contract period and the ability to extend. NHS England suggests best practice is for a three to five year period of appointment.

The actual tendering process will be carried out by the executive team, most probably by using a national framework agreement, but the audit committee will need to be involved, particularly with regards to:

  • the specification, such as the weighting of price versus quality, and what are the particular issues for the organisation that the tenderers need to take into account (good practice guidance is set out below)

  • the evaluation, in which one member (usually the chair) would be involved, both in assessing the tender responses and in the presentations

  • the decision on who to appoint, which will be taken to the governing body for final approval (for foundation trusts this will be the council of governors).


NHS England's good practice advice (NHS England, NHS accounts timetable 2023/24 – with provider annex, February 2024) when seeking to procure an external audit service:

  • Allow enough time for bidders to receive and respond to the request for proposals. This period should be at least six weeks in all cases. If your entity has complexities and specific risks this should be longer. Any procurements for multiple entities should have a window of at least eight weeks.

  • Avoid issuing invitations to tender during periods when firms will obviously struggle to respond, such as the peak final audit season in the NHS or over the Christmas and new year period.

  • Ensure the procurement is run in good time in advance of the period when the work is required, so audit firms have an opportunity to plan resource: this should be at least a year before the first relevant audit visit.

  • Ensure appropriate evaluation criteria: if the price percentage is too high it may dissuade potential bidders.

  • Ensure you show a good understanding of external audit and its value.

An additional element arises with the development of ICSs as explored in chapter 19. There may be economies of scale from having the same audit firm in a geographical area, but responsibilities to the organisation will need to be balanced with the responsibilities for organisations to collaborate.

In recent years, finding sufficient auditors to tender for external audit has been difficult (see chapter 20 on current issues) and so careful planning and preparation will be needed. 

The committee also has a role in reviewing the performance of the external auditors, both against the contract but also in terms of the relationship with management and the committee. This feeds into the audit committee review of re-appointments and removal. The latter is usually the most extreme option and would result from a complete breakdown in relationships between management and the auditors. Given the unusual nature of such an action, it is likely to invite external oversight such as from NHS England.

10.3 Planning

The audit is an ongoing process throughout the year and involves regular reporting and discussion at audit committee meetings, from planning and interim work through to completion. Key stages of the audit, as set out in HFMA’s briefing, The external audit: best practice in working well together (HFMA, March 2023, due to be updated in March 2024), are shown in the audit cycle below. 

The audit cycle:

Assess risk of material misstatement
Design an appropriate testing strategy 
Carry out that testing strategy
Conclude on whether testing has responded to the risk of material misstatement
Complete any additional testing required based on findings and conclude
Report the findings to those charged with governance
Issue the audit report 

An effective audit is based around detailed and sound planning, which should include early discussions with the audit committee. This will involve the identification of significant audit risks and potential problem areas, as well as clarification of timetables, resources and outputs. 

The formal output from the annual planning process, which will be presented to the audit committee, is the audit planning report. This sets out the significant risks identified during audit planning and the auditor’s planned approach to address them, covering both the work on the audit of the financial statements and review of VFM arrangements. ISAs embed the need for the consideration of the risk of management over-ride of controls. Other risks will depend on local circumstances but tend to focus on areas of subjective judgement or high estimation (for example, provisions), valuations (for example, land and buildings) or where there is a history of errors (for example, year-end cut-off for correct accruals).

The audit plan should be kept under review, as circumstances will change, and it would be expected that any significant changes between committee meetings should be raised with the committee chair as soon as they arise.

The audit committee has an important role in ensuring an effective and smooth external audit. Good practice examples are set out in the HFMA briefing (HFMA, The external audit: best practice in working well together, March 2023, due to be updated in March 2024) and include regular discussions, understanding changes in accounting standards, reflecting on previous lessons learned, handling disagreements and ensuring co-ordination with other bodies and assurance providers.

One of the original, and still central, roles of the audit committee is to facilitate resolution of disagreements between the auditors and management by providing an objective and balanced perspective on the issue, considering the best interests of the range of stakeholders. The majority of disagreements are resolved by management and auditors during the audit process with good communication. Most disagreements tend to be around the adoption or implementation of accounting policies and practices, but can also result from insufficient or inadequate audit evidence.

For organisations that are financially challenged, one area for potential disagreement between management and auditors is the organisation’s ability to continue as a ‘going concern’. While this may appear to be a technical discussion, it is a critical one to avoid a qualification of the audit opinion, which would trigger external oversight. See the NAO’s Supplementary guidance note 1 (NAO, Supplementary guidance note 1, February 2023) for further information.

External auditors should be working with both management and other assurance functions to optimise the overall level of coverage. The committee will want to see that duplication with other functions is minimised wherever possible, consistent with the requirements of ISA 610 that external audit should not direct the work of internal audit and must be satisfied as to the role of internal audit as a whole.

10.4 Reporting

The Code requires auditors to issue four key outputs from the audit which will be presented to the audit committee:

  • audit findings report to those charged with governance (ISA 260 report) covering:
    – key judgements made during the audit
    – how significant audit risks have been addressed
    – what key accounting estimates have been assessed
    – errors identified from the audit (corrected and uncorrected)
    – recommendations to address internal control deficiencies and management’s response
    – significant weaknesses in VFM arrangements

  • signed audit report containing the audit opinion within the annual report and accounts, and any matters to report by exception, for example, where the auditor is not satisfied that the body has arrangements to secure value for money. For ICBs there will also be a regularity opinion covering whether or not income and expenditure is in accordance with relevant laws and regulations

  • audit completion certificate which closes the audit and marks where the responsibilities for the period have been discharged (usually issued at the same time as the audit report) 

  • auditor’s annual report summarising the auditor’s work over the year and including the auditor’s commentary on VFM arrangements against the reporting criteria: financial sustainability, governance, and improving economy, efficiency and effectiveness. 

In reviewing these reports, by which point any significant issues should already have been communicated to the audit committee, the committee will want to consider whether the audit went according to plan, the extent to which responsibilities in the preparation of the annual report and accounts were met, the commentary on VFM arrangements and management’s response to any deficiencies.

The desired outcome of any audit is a clean, or unmodified, opinion on the truth and fairness of the accounts, the VFM arrangements and confirmation that no other matters are deemed appropriate to be reported. However, any indication by the auditors that they are considering modifying their opinion – or the possibility of the auditors considering a public interest report or a referral to the Secretary of State – should be a significant flag for the audit committee to give this their full attention. This is where the importance of being independent and objective takes primacy. 


There are three types of modified opinion, namely qualified, adverse and disclaimer: 

  • Qualified: the accounts present a true and fair view ‘except for’ a specific issue. For example, a material error that has not been corrected, or where the auditors could not obtain sufficient evidence on opening balances because they did not audit the previous year’s financial statements. 

  • Adverse: the accounts do not present a true and fair view. For example, due to a number of material and pervasive errors that have not been, or could not be, corrected.

  • Disclaimer: the auditor is unable to give an opinion at all. For example, where financial systems cannot be adequately tested or supporting records are such that it is impossible to quantify the size and nature of errors.

10.5 Letter of representation

At the completion of the audit, the board will be asked to agree a letter of representation to the auditors that sets out confirmation of the accuracy and completeness of the information provided to the auditors, that the responsibility for the financial statements rests with the board and on material matters related to the annual report and accounts.

While the letter will often be based upon a standard template from the audit firm, the audit committee should pay particular attention to any matters that are added. These may be related to material judgements or decisions, or where reliance has been placed on specific representations (for example, support in terms of going concern).

10.6 Non-audit work

Auditors should be, and be seen to be, impartial and independent. Accordingly, the auditor should not carry out any other work for an audited body that could impair their independence in carrying out any of their statutory duties, or that might reasonably be perceived to do so. This includes acting as both internal auditor and external auditor for the organisation or providing consultancy/accounting advice.

Where external auditors carry out any additional work for an organisation, this should be in line with a policy agreed by the audit committee and consistent with the ethical standards and the annex to AGN 1 (NAO, Auditor guidance note 1, September 2022). The annex includes a list of prohibited services as well as considerations on whether to undertake non-audit work within an integrated care system (ICS), especially where the auditor does not cover the whole of the system. All risks should be considered and an approval process followed to prevent the impairment of the auditor’s independence.

Key learning points

  • In addition to providing an opinion on the financial statements, the NHS external audit role also includes: reviewing the arrangements to secure VFM; the ability to make a report in the public interest; and regularity reporting (ICBs only).

  • The audit committee will have a central role in the tendering and appointment of the external auditor, as well as reviewing their performance (for foundation trusts, the audit committee supports the council of governors in this role).

  • The external audit cycle involves the audit committee in reviewing the planning, performance and reporting.

  • The audit committee brings an independent and objective view to any disagreement between management and auditors.

Chapter 11: Counter fraud

Overview

All NHS organisations are directed by the NHS Counter Fraud Authority (NHSCFA) and have a local counter fraud specialist function. The committee will be involved in the tendering and appointment of the local counter fraud function (if it is not in house), reviewing the work plan and the resultant findings.

11.1 Role and regulation

Every NHS organisation is required by the NHS standard contract to have a counter fraud function. The counter fraud function’s role and responsibilities are based on the Government functional standard 013: counter fraud (the counter fraud standard; Cabinet Office, Government functional standard 013, August 2021) and its interpretation for the NHS, the NHS requirements (NHSCFA, NHS requirements, February 2022), which are defined and supported by the NHSCFA.

The NHSCFA is a special health authority charged with identifying, investigating and preventing fraud within the NHS and the wider health group. The NHSCFA sets the agenda for NHS counter fraud activity nationally, through the counter fraud standard and NHS requirements, against which each applicable NHS funded organisation must complete and submit an annual Counter fraud functional standard return (CFFSR) (see below). The NHSCFA also provides a case management system for investigations into fraud losses against the NHS, as well as sharing guidance and intelligence and providing support to aid local counter fraud activity. 

NHS organisations are required to provide the NHSCFA with nominations for key roles, with whom the NHSCFA will engage. 

These key positions are:

  • local counter fraud specialist (LCFS) (NHSCFA, The local counter fraud specialist, February 2024): an accredited counter fraud professional who delivers counter fraud work to support the organisation in complying with the counter fraud standard, identifying and monitoring its key fraud risks, and progressing any investigations that arise 

  • accountable board member for counter fraud work (usually the chief finance officer (CFO)): has ultimate responsibility for counter fraud work within the organisation and should hold regular meetings with the LCFS to prioritise counter fraud work and agree a workplan for presentation to, and approval by, the audit committee; and is required to authorise the organisation’s annual return to the NHSCFA. The accountable board member cannot delegate this responsibility for the organisation’s counter fraud function

  • audit committee chair: seeks assurance that counter fraud activity is progressing effectively, supporting the organisation in terms of compliance with the counter fraud standard and identification and management of key fraud risks. The audit committee chair also has a role in the submission of the organisation’s counter fraud functional standard return 

  • counter fraud champion (NHSCFA, The counter fraud champion, February 2024): provides support to the LCFS by helping to break down barriers within the organisation, so that counter fraud work can be progressed efficiently and effectively. They should hold a sufficiently senior post within the organisation to enable influence and action within the committees they attend, providing a senior strategic voice to champion the counter fraud agenda and promote awareness of fraud and counter fraud work across the organisation.

11.2 Counter fraud functional standard return (CFFSR)

The CFFSR is a self-assessment of the organisation’s level of compliance with each individual component of the counter fraud standard and NHS requirements, as well as providing information about the organisation and the resources used to deliver counter fraud work (such as days used and cost) and is submitted to the NHSCFA on an annual basis. The CFFSR is submitted at the end of May each year (though the exact date is subject to change at the direction of the NHSCFA) and reflects work conducted in the preceding year (a submission made on 31 May 2024 will reflect work from the 2023/24 financial year). 

On completion of the NHSCFA's nomination process, each LCFS, accountable board member and audit committee chair is granted access to an online portal. The CFFSR is completed via this portal, with authorisation of the CFFSR required from the accountable board member and agreement from the audit committee chair that the content is consistent with what has been reported to the audit committee by the LCFS throughout the year. 

The CFFSR is not required to receive audit committee approval prior to submission. However, a copy should be presented to the audit committee for awareness and to demonstrate that the submission is consistent with counter fraud progress updates presented to the audit committee throughout the year. Dependent on the timing of audit committee meetings, this may occur prior to the CFFSR deadline or retrospectively, following submission of the CFFSR.

More information about the counter fraud standard and NHS requirements can be found on the NHSCFA’s website (NHSCFA, Government functional standard 013, January 2024).

11.3 Professional requirements

Counter fraud work is led by the NHSCFA, which sets out the expectations for those nominated into an LCFS role. For the NHSCFA to accept an LCFS nomination, the individual put forward must hold the accredited counter fraud specialist qualification (or be able to demonstrate an equivalent, recognised qualification). The accredited qualification is aligned with the Government’s professional standards for counter fraud and the counter fraud investigator apprenticeship, and is overseen by the Counter Fraud Professional Awards Board (CFPAB). 

Accredited counter fraud specialist training includes modules covering relevant legislation (in terms of criminal offences, the law governing investigative practice and other relevant legislation that could impact on LCFS work), case management, interviewing techniques and the creation of prosecution files.

11.4 Counter fraud provision

Each organisation must initially determine what they want from a counter fraud provision and then decide how best that should be delivered for them from the options available, whether that be a directly employed LCFS, or one provided on a contract basis, such as through an NHS or not-for-profit consortium or the private sector. There are likely to be advantages and disadvantages to all options, so the organisation must take a balanced view with consideration to all relevant factors, and decide which option represents the best fit to their needs.

In order to make an informed decision on how the counter fraud provision should be delivered, the organisation should consider its needs and requirements of an LCFS, including:

  • the budget, with awareness that the cheapest service may not be the most appropriate and the counter fraud provision is an investment rather than simply a cost

  • LCFS availability and responsiveness

  • access to all skills and experience required of an LCFS (such as expertise in areas including investigations and fraud risk assessments)

  • demonstration of commitment to counter fraud, ensuring there is an organisation-wide, cultural commitment to counter fraud rather than a tick box exercise

  • method for demonstrating counter fraud performance, such as use of key performance indicators

  • proposed scope of annual workplans 

  • business continuity arrangements

  • the quality and outcomes of the desired counter fraud provision overall.

Where a decision is made to seek a contract arrangement, this should be undertaken in line with the organisation’s standard procurement processes and the above considerations used in completing the tender specification document.

The counter fraud provision is separate from other functions of the organisation, including internal audit. As such, any decision on the most appropriate counter fraud provision should be made independently of any other decision making.

11.5 Planning  

The organisation should have an annual counter fraud workplan, which sets out the proposed scope of work to be achieved during the year. This is normally prepared by the LCFS, agreed by the accountable board member, and presented to the audit committee for approval.

Generally, the workplan will take into account a number of factors, including:

  • local and national fraud risks, as set out in the organisation’s local fraud risk assessment, which should cover the identification, assessment, mitigation and monitoring of each risk; fraud risks may be inherent in nature (such as ghost employees on payroll) or emergent and current (such as internet scams)

  • proactive work to respond to the key fraud risks identified; this may include ensuring policies and procedures are fraud-proofed, delivering training and awareness activities, and running local proactive exercises involving data analysis or targeted sampling to seek outliers. The impact of that proactive work should be monitored and measured through updated fraud risk scoring

  • compliance with the counter fraud standard, with any relevant work identified to improve or maintain the level of compliance

  • reactive work: undertaking criminal investigations into fraud allegations, recovering losses and seeking sanctions and redress, where appropriate.
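The data-analysis exercises mentioned in the workplan bullets above can be illustrated with a small script. What follows is an added example and is not code from the HFMA handbook or the NHSCFA: the record layouts, field names and the sample payroll, HR and activity data are constructed assumptions. It runs three ghost-employee indicators over a constructed payroll extract (two employee IDs paid into one bank account, a payment after the HR leaving date, and a payment with no rostering or logon footprint in the period) and then ranks employee IDs by how many indicators they trigger.

```python
"""Constructed payroll outlier checks for a local proactive counter fraud exercise.

Added example, not from the HFMA handbook or the NHSCFA. The record layouts and
field names are assumptions; the sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed payroll extract: one row per payment in the pay period.
PAYROLL = [
    {"emp_id": "E001", "name": "A. Khan",  "sort_code": "20-00-01", "account": "11111111", "paid": 2400.00},
    {"emp_id": "E002", "name": "B. Jones", "sort_code": "20-00-01", "account": "22222222", "paid": 2650.00},
    {"emp_id": "E003", "name": "C. Smith", "sort_code": "20-00-01", "account": "11111111", "paid": 2100.00},
    {"emp_id": "E004", "name": "D. Patel", "sort_code": "30-00-02", "account": "33333333", "paid": 3100.00},
    {"emp_id": "E005", "name": "E. Brown", "sort_code": "30-00-02", "account": "44444444", "paid": 1950.00},
]

# Constructed HR master data: leaving_date is None for current staff.
HR = {
    "E001": {"leaving_date": None},
    "E002": {"leaving_date": None},
    "E003": {"leaving_date": None},
    "E004": {"leaving_date": date(2023, 11, 30)},
    "E005": {"leaving_date": None},
}

# Constructed activity evidence: employee IDs seen in rostering or system logon
# records during the pay period. A paid employee absent from all of them is an outlier.
ACTIVITY = {"E001", "E002", "E004"}

PAY_PERIOD_START = date(2024, 1, 1)


def shared_bank_accounts(payroll):
    """Return bank accounts into which more than one distinct employee ID is paid."""
    by_account = defaultdict(set)
    for row in payroll:
        by_account[(row["sort_code"], row["account"])].add(row["emp_id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def paid_after_leaving(payroll, hr, period_start):
    """Return employee IDs paid although their HR leaving date precedes the pay period."""
    return sorted(
        row["emp_id"]
        for row in payroll
        if hr.get(row["emp_id"], {}).get("leaving_date") is not None
        and hr[row["emp_id"]]["leaving_date"] < period_start
    )


def paid_without_activity(payroll, activity):
    """Return employee IDs paid with no rostering or logon footprint in the period."""
    return sorted(row["emp_id"] for row in payroll if row["emp_id"] not in activity)


def run_checks(payroll=PAYROLL, hr=HR, activity=ACTIVITY, period_start=PAY_PERIOD_START):
    """Run all three indicators; each hit is a lead for LCFS follow-up, not proof of fraud."""
    return {
        "shared_bank_account": shared_bank_accounts(payroll),
        "paid_after_leaving": paid_after_leaving(payroll, hr, period_start),
        "paid_without_activity": paid_without_activity(payroll, activity),
    }


def rank_leads(findings):
    """Count how many indicators each employee ID triggered, most first (ties by ID)."""
    counts = defaultdict(int)
    for ids in findings["shared_bank_account"].values():
        for emp in ids:
            counts[emp] += 1
    for emp in findings["paid_after_leaving"]:
        counts[emp] += 1
    for emp in findings["paid_without_activity"]:
        counts[emp] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = run_checks()
    for check, hits in results.items():
        print(f"{check}: {hits}")
    print("leads by indicator count:", rank_leads(results))
```

Each hit is a lead for the LCFS to follow up rather than a finding in itself: a leaver may legitimately receive a final payment, and a shared account may be a data entry error. An employee ID that triggers several indicators (E003 in the constructed data) is the higher priority, and the number and outcome of such leads is the kind of measure that can feed the updated fraud risk scoring referred to above.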

Not all counter fraud work is within the area of responsibility of the LCFS, and as such the work plan may include LCFS work to support and guide areas of the organisation to make improvements that the LCFS cannot directly achieve.

The audit committee should ensure that the work of the LCFS is fully and appropriately supported, in terms of provision of adequate resources, granting the authority and freedom to act as required to undertake the agreed counter fraud work effectively, as well as demonstrable support and action, such as escalating issues outside the LCFS’s area of control.

11.6 Reporting 

The audit committee should receive regular progress reports from the LCFS, noting progress and work undertaken since the previous update, as well as an annual report summarising work undertaken throughout the year. All reports should detail achievement against the agreed workplan and the impact of that work on compliance with the counter fraud standard. 

Reports presented to the audit committee should demonstrate a golden thread running from the local fraud risk assessment to the agreed counter fraud workplan, to the regular progress reports and then to the annual report, with any lessons learned, barriers encountered and reductions in the local fraud risks identified, together with the appropriate actions, followed through into the next year’s workplan and activities.

A mechanism should be in place to facilitate the audit committee tracking implementation of agreed actions arising from counter fraud work.

11.7 Handling disagreements

There may be occasions when management and the LCFS will disagree. This may range from management not implementing counter fraud actions recommended locally by the LCFS or nationally by the NHSCFA, to disagreements over the appropriate direction regarding fraud investigations. Most disagreements should be resolved through established escalation routes available to the LCFS, such as via the accountable board member and audit committee.

However, where significant disagreements arise and cannot be resolved through established escalation routes, or are of a particularly sensitive nature, the LCFS should use their right of access to the audit committee chair to raise the matter, confidentially if needs be, to facilitate an appropriate solution. 

11.8 Reviewing effectiveness

Regardless of which option the organisation chooses for the counter fraud provision, while the work may be undertaken by the LCFS, the risk and overall responsibility for fraud will remain with the organisation. It is essential that the audit committee understands its role in counter fraud and can challenge the LCFS where appropriate.

Where the counter fraud provision is through a contract arrangement, the audit committee should conduct an annual review of its effectiveness, with consideration of LCFS performance in activities throughout the year and against the contract. The audit committee should consider whether they have been satisfied with the quality of work, seek opinions from the senior leads in the organisation and consider other evidence such as value adding briefings and other feedback. 

Where the LCFS is directly employed, it is likely to be more appropriate to consider the review of counter fraud effectiveness as part of the appraisal process.

Key learning points

  • Counter fraud in the NHS is directed by the NHSCFA.

  • Every organisation is required to have a LCFS who will report to the audit committee.

  • The audit committee will be involved in the tendering and appointment of the LCFS (where this is not carried out in-house).

  • The audit committee chair is required to confirm annually that the CFFSR is consistent with what has been reported to the committee during the year.

  • The audit committee will review the plan for both proactive and reactive work undertaken locally, as well as the results of this work.

Chapter 12: Other assurance functions

Overview

Assurance is not limited to auditors and the audit committee takes a central role in ensuring that there is a proportionate framework of assurance in place that is appropriately overseen. Central to this is the three lines of defence model, as well as an understanding of the range of external bodies that have a regulatory role.

12.1 Lines of assurance model

The 'three lines of defence' model (The Institute of Internal Auditors, The IIA’s three lines model: an update of the three lines of defence, July 2020) helps executives and non-executives get information systematically on how objectives are being met and risks are being managed. The model has been widely adopted (and adapted) to help clarify the roles of management and audit.

The lines of defence are:

  • first line of defence is reporting by line management on the operation of the controls they are responsible for 

  • second line of defence is that of management oversight functions such as management of risk or compliance (see chapter 14), quality assurance and accreditation functions – the audit committee itself can be considered a second line of defence

  • third line of defence is internal audit and is clearly established as independent assurance, so highlighting that the first two lines could be considered dependent assurance 

  • additional assurance comes from external sources such as external auditors, inspectors and regulators.

[Figure: The Institute of Internal Auditors’ diagram of the three lines model]

For the audit committee, while its work will often draw primarily from the third line of defence, its work will also draw upon reporting from the first two lines (such as through the assurance framework). The third line of defence will look at providing the committee with assurance that the first two lines are operating effectively, and that the reporting on them can be relied upon.

12.2 Clinical audit 

Clinical audit is significantly different from internal and external audit. Its origins lie in quality improvement and the topics are often driven by the professional development requirements of clinicians more than by organisational needs.

However, the essence of clinical audit is to review clinical performance against standards, using an evidence base, to draw conclusions and suggest improvements.

How the clinical audit work will be reported will depend upon how the organisation has determined that it should, and there is no specific agreed model. Sometimes clinical audit will report direct to the audit committee, or alternatively the audit committee gets assurance on clinical audit from the quality committee. In the latter case the quality committee may wish to highlight the more significant and relevant findings from the work, given that the overall programme of work will be extensive.

Best practice in clinical audit is set out by the National Institute for Health and Care Excellence (National Institute for Health and Care Excellence, Best practice in clinical audit, 2002).

12.3 Shared services

NHS organisations will receive, and provide, a wide range of services from other NHS or Department of Health and Social Care (DHSC) bodies. It helps the audit committee to understand all these bodies, particularly the more significant ones. Common examples include shared services for back office functions such as processing of financial transactions and payroll. 

Where NHS organisations receive services from third parties, particularly those hosted within the NHS or DHSC, there will need to be a way that the audit committee can consider assurances on those services, because of their reliance on those parties to carry out controls on their behalf. Usually, such assurances should be part of executive management’s role in managing the relationship, but where they are significant (for instance, in providing payroll or payment systems that directly feed into financial reporting), then the audit committee would have a role in receiving these assurances as a matter of course, rather than by exception.

This can be assisted by use of an assurance map, that then feeds into the committee’s annual work plan.

One approach is to require third parties to obtain a report under International standard on assurance engagements (ISAE) 3402: assurance reports on controls at a service organisation (International Auditing and Assurance Standards Board (IAASB), ISAE 3402, December 2009). An ISAE 3402 report gives stakeholders assurance over the key controls tested within the scope of the work. It is important that bodies relying on these reports understand the scope of the testing commissioned by the service organisation from its auditors and are satisfied that it appropriately covers all key objectives and risks. In particular, a type 1 report covers only the description and design of controls at a point in time, whereas a type 2 report also covers their operating effectiveness over a stated period, so the relying body should check that the period covered matches its own financial year and that it has itself operated any complementary user entity controls the report assumes. 

If material, external audit will want to review these service reports and the organisation’s consideration of them.

Service auditor reports are often commissioned nationally by NHS England and the audit committee should know which reports have been commissioned each year, receive copies of the reports and consider whether there is any local impact or action that needs to be taken, potentially if there is any impact on the annual governance statement (AGS). 

12.4 Oversight by NHS England and the Care Quality Commission

The main oversight of NHS organisations is carried out by NHS England, with the Care Quality Commission (CQC) the primary regulator.

Both these bodies monitor the performance of NHS organisations through a range of indicators, with the likelihood of intervention or increased oversight growing if those indicators show a concerning trend.

The audit committee will want to have sight of the organisation’s preparedness for a CQC visit, with assurance that there are no significant gaps in its documentation. Of particular focus for the audit committee would be the ‘well-led’ domain (‘the leadership, management and governance of the organisation make sure it's providing high-quality care that's based around your individual needs, that it encourages learning and innovation, and that it promotes an open and fair culture’; Care Quality Commission, The five key questions we ask, August 2022). 

Following any CQC visit the board should take responsibility for oversight of any resultant action plans, ensuring that there is oversight on the delivery of the actions. The audit committee may take oversight of particular actions that are governance related, or on the overall approach to achieving compliance.

Further detail on how the NHS is regulated is set out in chapter 12 of the HFMA's Introductory guide to NHS finance (HFMA, Introductory guide to NHS finance, January 2024).

12.5 External regulators

NHS organisations are regulated by dozens of external bodies, ranging from the Health and Safety Executive and HM Revenue and Customs to professional bodies and a range of arm’s length bodies within the DHSC and wider government.

Pragmatically the audit committee needs to be aware of the results of significant regulator activity, particularly around negative reviews and the risks from, for instance, enforcement action. Its role is to assure itself on the appropriateness of management’s actions.

12.6 Other

From time to time NHS bodies commission ad hoc reviews from auditors (from internal audit, external audit or another audit firm) that are outside of the annual audit programmes, for example, reasonable assurance or limited reviews under ISAE (UK) 3000 (International Federation of Accountants, ISAE 3000 (revised): assurance engagements other than audits or reviews of historical financial information, December 2013) or agreed upon procedures under ISRS 4400 (International Auditing and Assurance Standards Board, International standard on related services (ISRS) 4400 (revised), April 2020).

Examples include the reasonable assurance reviews on the mental health investment standard for integrated care boards (ICBs) and research grant returns. The audit committee should also be aware of, and maintain oversight of, the results from these reviews. 

The audit committee can also commission specific independent reviews from third parties, which is within its powers; these tend to cover instances where there have been lapses in controls and lessons need to be learned.

12.7 Overseeing assurances

It is not the role of the audit committee to receive all assurances from across the whole organisation, covering all aspects of the work carried out, but it should seek to ensure that there are no significant areas of either omission or duplication.

This will be achieved, primarily, through an embedded system of board assurance framework (BAF) documents, which the committee will wish to review over a period of time. These can be relatively high level and generic, so some form of common sense focus is needed.

For example, with regards to patient safety, which has such a high profile, much of the work should be delegated down to clinical colleagues with oversight by an appropriate board sub-committee, but there is an advantage in this being reviewed by the audit committee, at a high level, looking at the effectiveness of the governance arrangements in place. In the Patient safety standards (Patient Safety Learning, Patient safety standards - improve your standards by meeting ours, 2022), leadership and governance is one of the seven foundations for patient safety, requiring a patient safety plan and embedded governance.

The audit committee can bring an independent, non-specialist, view which can constructively challenge management’s approach to implementing recommendations from patient safety inquiries; its understanding of the costs of unsafe care and how this informs risk assessments, mitigations and plans; and oversight arrangements in place to incentivise safer care.  

Key learning points

  • The three lines of defence model is a way of clarifying assurances, on a continuum between those driven by management and those from external regulators.

  • While the focus of the audit committee may be on the work carried out by auditors, it needs to have a wider oversight role on the range of other assurances, from those given by shared services to external regulators.

  • It should also consider the work of other internal assurance functions, such as clinical audit, but this can be achieved by assuring itself that they are receiving oversight by another committee.

  • An effective board assurance framework is a critical element in support of this work.

Chapter 13: Governance

Overview

The audit committee reviews the establishment and maintenance of the system of governance. This goes beyond reviewing the key constitutional documents and seeking assurance on compliance with their requirements; it also recognises the importance of culture and behaviour in making governance effective.

13.1 Establishment

As set out in the terms of reference (see appendix A), the first duty of the audit committee is to review the establishment and maintenance of an effective system of governance, risk management and internal control, across the whole of the organisation’s activities (clinical and non-clinical), that supports the achievement of the organisation’s objectives.

13.2 Constitutional documents 

The way that an NHS organisation is directed and controlled in terms of its corporate governance is set out through its suite of governing documents that include its:

  • constitution

  • standing orders (SOs)

  • standing financial instructions and procedures (SFIs)

  • reservation of powers to the board

  • scheme of delegation.

These should be reviewed at least annually and updated to ensure that they represent current best practice and national guidance (for example, approval requirements from NHS England) and are relevant (for example, that delegation and authorisation levels remain appropriate). It would be expected that the audit committee would undertake the detailed scrutiny of such changes before formal adoption by the governing body, but this will be guided by the executive and secretariat.

Compliance with the requirements of the constitutional documents is a key role for the audit committee, but generally carried out by exception reporting. The committee may wish to consider using some internal audit resource to provide positive assurance on some key requirements (appropriate delegation of decision-making, compliance with authorisation levels and so on).


13.3 Culture and values

While effective governance is enhanced by having appropriate policies and procedures in place, they will not be effective without the desired culture and values being embedded in an organisation.

One aspect of culture that the committee can review is the level of ‘compliance culture’ within the organisation in relation to the governance arrangements. This ranges from compliance with SOs and SFIs to the level of compliance with policy – such as mandated statutory training and annual appraisals – where the board has set out a policy of what it requires. The committee should be interested in why there may be levels of non-compliance and the implications of this.

A focus on ‘safe’ decision-making can be helpful when disseminating messages within the wider organisation. For example, explaining how procurement controls can help to ensure minimum patient quality or safety standards are observed for medical equipment and supplies or fire safety, or how procurement frameworks can offer protections for continuity of the provision of services in the event of supplier failure. Effective governance is as much about safeguarding individuals as it is about ensuring robust systems of control. Messaging in this way can help to explain the ‘reason why’ and help to improve compliance.

13.4 Maintenance

The audit committee can seek assurance on the maintenance of the system of governance, risk management and control through its work: from looking at board assurance frameworks (BAFs) to the work of auditors and triangulation of their own knowledge as non-executive directors.

This is much more complex than the paragraph above may suggest and tends to be the culmination of the work programme of the committee over the year and accumulated intelligence on the relative balance of strategic and operational risks.

This should not detract from the importance of the executive directors taking responsibility for setting a culture of compliance with the requirements, as well as acting as an example in their own adherence. The audit committee may wish to ask executives questions along the lines of ‘how do you know that governance requirements are being followed?’

13.5 Integrated governance

Previous editions of this handbook have emphasised that the role of the committee is to oversee an effective system of integrated governance. This in part reflects how governance developments in the 1990s and 2000s tended to be slightly siloed as there were separate strands developing corporate, clinical, financial, information, security and so on. There is now a clearer understanding (if not absolute) that the whole system of governance is inter-twined.

A good starting point for new audit committee members is to consider the previous year’s annual governance statement (AGS). This can provide a helpful overview or ‘healthcheck’ of the effectiveness of systems of control and guide the committee’s forward annual work plan. 

That inter-twined governance means that there is an important inter-dependency between the roles of the different committees (area specific) and the audit committee (overall governance assurance, including seeking assurance from other committees) and their respective chairs. The board may assign key strategic risks to specific committees for oversight and assurance, with those committees then providing assurance to the audit committee, including on related controls and their impact on target risk scores, linked to the board’s agreed risk appetite.

The audit committee will want to assure itself that, as a whole, the system of governance covers the entirety of the organisation. While it may rely upon other committees to oversee clinical areas, and the overall patient safety agenda, the audit committee should be the one that takes the broader overview of ensuring that nothing is omitted.

Much of the work of an audit committee will be risk-based, including assessing the need for additional controls and management attention linked to:

  • assessing risks to delivery of the organisation strategy through reference to robust control measures in the BAF

  • a risk-based internal audit plan, with an agreed strategy to periodically review key controls

  • an external audit plan that is informed by key risks - for example, manipulation, misstatement or distortion of accuracy of values within the accounts impacting the true and fair view, and wider regulatory risks including those impacting ratings from CQC inspections (linking to value for money (VFM))

  • assessing risks to the organisation from past non-compliance with policies, SFIs and SOs (reputational, financial, qualitative, safety, fraud and so on).

Internal and external auditors frequently support the work of audit committees through ‘value adding’ services included within the scope of their annual fees. Understanding ‘value adding’ activities is a helpful consideration when tendering for such services. This can include conferences, workshops, networking events, committee technical briefings on new accounting standards and NHS policy and so on to support anticipatory work of audit committees.

Key learning points

  • The committee will undertake a detailed review of the constitutional documents of the organisation, ahead of their adoption by the full board.

  • The review of constitutional documents will ensure that they reflect the latest updated guidance and direction, as well as making them relevant to the organisation.

  • The committee will also seek to gain assurance that the requirements within the constitutional documents, designed to enable effective governance, are being complied with.

  • Effective governance is, increasingly, acknowledged as being heavily dependent on the right culture and behaviour within an organisation.

  • Governance covers the entire operation of any organisation.

Chapter 14: Risk management

Overview

The committee’s role is to review the effectiveness of the system of risk management: from the identification of the principal risks to remedial action plans to improve the management of risk to the desired level. As integrated care systems (ICSs) mature, the audit committee will need to consider how it engages with risk management systems from across the ICS.

14.1 Risk management system

The committee’s role is to review the establishment and maintenance of an effective system of risk management within the organisation. This chapter focuses on the audit committee’s role in reviewing the ‘system’ of risk management (or the framework for risk management), with subsequent chapters looking at its role on individual risks and risk assurance. This approach may vary between organisations, dependent on how the oversight is arranged (see chapter 1) and the role allocated to the audit committee (or audit and risk committee, or audit and risk assurance committee). 

In reviewing the system of risk management, the committee should seek assurance that:

  • the principal risks to the achievement of objectives have been identified and are clearly articulated 

  • each risk has been assessed, in terms of its causes and consequences, and the likelihood and impact, to allow prioritisation

  • management has assessed the current effectiveness of the mitigations in place to manage the risk (residual risk) and have set the desired level of risk (target risk)

  • where there is a gap between residual and target risk, the action plan to achieve the target risk is acceptable and SMART (specific, measurable, achievable/agreed, relevant/realistic and timely)

  • the management information supporting the assessment of risk and the effectiveness of actions is timely and accurate.

While the committee, on behalf of the board, will focus on the principal risks to the achievement of strategic objectives, it should seek assurance that the system of risk management works through the organisation – at an operational level – in line with the agreed strategy and approach in a consistent and repeatable manner.

Ultimately the output from the system of risk management is to inform management decision-making and provide assurance that the principal risks to the organisation are being effectively managed or, if not, that there is an action plan to achieve this. In assessing the effectiveness of risk management, the organisation will have to accept a level of risk, which should be defined in terms of risk appetite. This will inform the decisions as to whether a risk needs to be mitigated or managed through the application of controls or avoided, transferred or accepted.

Further detail on the concept of risk management is set out in HM Treasury’s Orange book (HM Treasury, Orange book, May 2023).

14.2 Committee review

The audit committee should not be directly involved in the process of risk management. However, as the organisation’s risk management system underlies the assurance framework, it does have an impact on the committee’s work and it will therefore wish to consider whether the organisation’s approach to risk is effective and meaningful. When considering the risk management system, some basic questions that the audit committee may wish to ask management are set out below.

Key questions for the audit committee in considering the risk management system:

Is there a comprehensive risk management strategy?
Is there a clear process for identifying risk?
Is there a process for consistently assessing risk?
Is there assurance that risk identification and assessment is complete and consistent?
Is the organisation’s risk appetite clear and understood?
Are risks clearly assigned to ‘owners’?
Are risks reviewed regularly to ensure that they continue to be relevant?

In responding to these questions, management should provide evidence of the operation of the system in practice, rather than simply pointing to stated policies and processes, and should look to demonstrate that the process is systematic in its application.

14.3 Effectiveness of the risk management system

An effectively designed and operating risk management system (including the assurance framework) is critical to the success of the organisation. An effective system of risk management is one that leads to the improvement of the management of risks – in the way that an effective system of financial management leads to the improvement of financial performance – and can be seen through the achievement of objectives and outcomes, while also achieving VFM through the proportionate balance of economy, efficiency and effectiveness.

In undertaking a review of the system of risk management, it may be easiest for it to be based around an audit of the system by the internal auditors. The audit committee may wish to be clear about the scope of such an audit.

The audit committee’s review will link in with the annual governance statement (AGS) and the comments made by the accountable officer on its effectiveness.

14.4 Assessing the organisation’s risk maturity  

There are a number of models (for example, by The Institute of Internal Auditors (IIA) (The Institute of Internal Auditors, Selecting, using and creating maturity models, January 2018) or Investors in Risk Management (IRM) (Investors in Risk Management, Risk management maturity model, 2016), as well as from risk management practitioners) that help an organisation assess its maturity in risk management. Such an assessment can either be self-assessed by the organisation, carried out by internal audit as part of their internal audit plan, or commissioned from a third party specialist.

The results of any such assessment should be reported to the audit committee, along with any action plan. It is important to recognise that it may be neither practical, nor desirable, to be at the highest level of maturity.

14.5 The system of ‘system’ risk management  

With the introduction of ICSs, the concept of ‘system’ risks (in other words risks to the ICS either as a whole or for two or more partners in the system) is a key area of development. As set out in the HFMA and Good Governance Improvement (GGI) joint briefing on system risk management:

‘System risk management is going to be different to the risk management we are used to in individual NHS bodies. It is about bringing together partner organisations to share information and work through solutions together. It’s about collaboration and co-operation. There needs to be recognition that there are risks in individual organisations that will have an impact on other organisations – or indeed across the whole system. But the risk may be different, or impact differently.’ (HFMA and GGI, System risk management: key considerations for evolving arrangements, August 2023)

The committee should include, within its review of the system of risk management, how the organisation is engaging with ICS risks, particularly those in which it has an interest, any associated risks, or those where the ICS is reliant upon the organisation to take remedial action. Questions to consider are set out below.

Key questions for the audit committee in considering the risk management system as part of the wider ICS:

Are system risks being recorded, measured and managed? 
Is information on risks being shared across system partners? 
Is the differential impact of risks understood and managed?
What are the risk management arrangements for provider collaboratives, place and so on?
Is there a whole-system risk management strategy?

See further considerations in chapter 19 on audit committees and ICSs and chapter 20 on current issues.

Key learning points

  • The committee should assure itself that the organisation has an effective system of risk management that captures the principal risks, assesses them, reviews the effectiveness of the mitigations and puts in place a remedial action plan where the risk is not yet at target level.
  • The committee should assess how mature the organisation’s risk management arrangements are and use this to develop an action plan for improvement.
  • As ICSs develop, the audit committee (whether belonging to an ICB or a provider) will need to ensure that integrated care system risks are incorporated.

Chapter 15: Assurance

Overview

Assurance is about receiving evidence that supports whether (or not) an objective is being met, a risk is being managed or controls are operating as intended. This is achieved, primarily, through the organisation’s adoption of an assurance framework. This becomes a critical tool for the audit committee to use to test out assurances.

15.1 Assurance framework

The assurance framework is an important component of the three lines of defence model (see chapter 12). Given that governing bodies rely on an assurance framework to monitor strategic objectives and identify significant inherent risks, the audit committee’s role is to review the rigour and relevance of the system that produces the assurance framework and the supporting arrangements, to ensure that it is valid and suitable for the governing body’s requirements. This includes ensuring that it is up to date, reflecting new risks and priorities and that it is meaningful to those using it.

Through its work, the audit committee can review whether:

  • the format of the assurance framework is appropriate for the organisation

  • the way that the framework is developed is robust and relevant

  • the objectives in the framework reflect the governing body’s priorities and that both the objectives and priorities are well defined, agreed and recorded 

  • the key risks are identified and linked to the strategic objectives

  • the controls in place are sound and complete

  • the assurances, whether on the operation of controls or other measures, are reliable and of good quality, with all key sources identified

  • the underlying data on which assurances are based is reliable, accurate and timely

  • there is sufficient assurance over the more critical areas, in particular assurance that is independent of management

  • there are actions in place to address gaps in control and/or assurance and that they are implemented in line with agreed timescales.

In this way, the audit committee provides valuable assurance to the board that the process that the organisation has adopted is reporting correctly on the effectiveness of the controls in place to manage the significant risks to achieving its strategic objectives. This may not specifically include the detailed review of each area, if this oversight is carried out by another committee (for example, the quality committee).

The committee should use the assurance framework to help support the focus of its work plan and agenda setting, as well as in assisting with the development of the internal audit plan.

The committee also alerts the governing body to any areas where controls are lacking or not operating as they should and where mitigating actions are needed. 

15.2 Objectives, risks or controls  

While the primary role of the audit committee is to ensure that the assurance framework is fit for purpose, both in its design and operation, as with risks there will be times when the audit committee will wish to undertake deep dives on specific areas, such as those not already overseen by the board or other committees.

In undertaking such deep dives the committee needs to consider:

  • whether objectives are being met

  • whether the risks to those objectives are being managed 

  • whether the controls to manage the risks are sound in terms of their design and operation, and are consistently applied over time.

15.3 Risk assurance  

It is good practice for the audit committee to request regular deep dives into risks within the assurance framework. These would be for areas not overseen by another committee, or ones that have particular relevance to the committee’s responsibilities around governance.

Any ‘deep dive’ into an individual risk (whether carried out at the audit committee or another board sub-committee) should focus on the evidence that supports management’s assessment of residual risk and whether the remedial action plan, to get the risk to target level, is achievable and within a realistic timeframe.

15.4 Evaluating assurances

In reviewing assurances, whether in the wider context of the assurance framework or for particular risks, the audit committee should consider:

  • the scope of the assurance coverage - it is very unlikely that any assurance, as with any audit, will promise to be a comprehensive review of everything, and it is important to be aware of what is within scope and what is outside it

  • the timeliness of assurance - clearly current or recent assurance on an area is more relevant than that from a year or more ago

  • the reliability of assurance - given the continuum of the three lines of defence (see chapter 12), the more reliable assurance (i.e. free from management bias) will be the more independent

  • the overall conclusion - while there is a tendency to focus on negative assurances, it is important that positive assurances are given due consideration.

15.5 Assurance mapping  

One way of looking at the range of assurances available to an organisation is through developing an assurance map, that clearly sets out the varying level of assurances against objectives, risks, systems or functions.

This can be useful in helping identify areas where there is a lack of assurance, either in total or in particular lines of assurance. Efforts can also be made to look at the results of that assurance (some form of RAG rating; Red-Amber-Green (RAG) ratings, also known as ‘traffic lighting’, are used to summarise indicator values, where green denotes a favourable value, red an unfavourable value and amber a neutral value) to help focus on areas of concern.

In assessing the range of assurances, the committee should consider:

  • the purpose of the review

  • the nature and source of the body providing the assurance – for example, whether the source is internal or external and independent of management or not, as well as considering the providing body’s status and reputation

  • the skills and experience of those providing the assurance

  • the nature and extent of the work that lies behind the assurance – for example, what approach was taken including: whether the organisation was visited; whether it is a brief overview or an in-depth study; and whether comparative data has been used

  • how current the assurance is – for example, the timing of both the review and the work on which it is based.

Key learning points

  • The audit committee should ensure that the organisation has an appropriate assurance framework, both in design and operation.

  • The three lines of defence model is a helpful way of defining the different types of assurance available and their dependency.

  • The audit committee should then use the assurance framework to review the robustness of those assurances (either by itself or that they are being reviewed elsewhere in the organisation).

  • Assurance mapping can help to identify duplication or omission in assurances and help to provide an optimal balance of assurances.


Chapter 16: Speaking up and whistleblowing

Overview

The audit committee, in reviewing the effectiveness of governance arrangements, will want to assure itself on how easily and effectively staff and contractors can raise their concerns where they see something wrong, ensuring that there are no barriers and that these issues – whether financial or clinical – are addressed effectively.

16.1 Raising concerns

Effective governance is dependent upon the culture in any organisation. There is a long history in the NHS (and wider public sector) of governance failings where the actual culture in operation was often in direct contrast to the adopted policy and accepted standards of behaviour.

Culture is a broad topic and the role of the audit committee is to gain assurance that the systems and processes in place to deal with concerns raised are effective. Specifically, it should assure itself that all concerns are appropriately investigated and that the organisation supports staff and contractors to raise any concerns, without fear of repercussions, where they have identified possible improprieties in any area; be they financial, clinical, safety or human resources.

While the main systems in place are based around policies on ‘freedom to speak up’ and ‘whistleblowing’ to raise concerns, the committee needs to recognise that these policies are usually only used where such issues have not been addressed properly through normal management lines, and so the committee should seek assurance on the management processes: for example, staff communication channels, acting on staff surveys and feedback received, and effective people relations arrangements. This will include effective arrangements in place for staff engagement, inclusion policies and performance management systems.

There is no need for the audit committee to look at individual cases, thereby maintaining confidentiality. However, they should expect to receive regular assurance over these areas, including identifying and monitoring suitable key performance indicators and early warning indicators, and may wish to commission periodic independent assurance on some areas.

16.2 Freedom to speak up 

NHS organisations are required to have one (or more) freedom to speak up (FTSU) guardians. Their role is supported by a National Guardian’s Office (National Guardian, Welcome to the national guardian’s office, webpage January 2024) and should be widely publicised: they are an important confidential conduit for staff to contact where they are uncertain how to address issues that they find unacceptable. The organisation’s FTSU guardian should be a suitably experienced and respected person who is empowered to report directly to the board. NHS England’s Freedom to speak up policy (NHS England, Freedom to speak up policy, January 2024) provides the minimum standard for local NHS policies.

The audit committee’s role is to assess the effectiveness of arrangements for raising concerns, of which the FTSU guardians are one (albeit important) element. The FTSU guardian will report to the board, but the audit committee should look to include FTSU reporting in its work.

16.3 Whistleblowing 

Whistleblowing is where staff raise concerns about wrongdoing, but it is generally the term used when concerns have been raised with an external body, having been unsuccessful in raising them through formal and informal routes within the organisation. It is important to distinguish between whistleblowing (which follows the Public Interest Disclosure Act 1998; The National Archives, Public Interest Disclosure Act 1998, July 1998) and freedom to speak up, which is a specific NHS policy initiative.

The audit committee should be aware of the results of whistleblowing and also that it is a sign that the internal processes are not effective.

16.4 Assurance on disciplinary actions  

The central tenet of FTSU and whistleblowing is that, where a concern is genuinely held, there should be no repercussion for the individual raising it. Where an allegation is found to be malicious, then it is appropriate that that individual should be held accountable.

The audit committee should therefore seek assurance that, from all the disciplinary cases under review, there are no instances where the case was brought due to the individual ‘speaking up’ and thereby being discriminated against.

It is important to break down barriers to staff raising their concerns, so that the systems in place operate effectively.

The NHS England Speaking up support scheme (NHS England, Speaking up support scheme, January 2024) supports individuals who, following a formal speaking up process, have experienced significant adverse impact, leading to difficulties moving forward in both their professional and personal lives.

Key learning points

  • Many failings in NHS governance have been exacerbated by concerns that staff did not, or were not able to, raise concerns and have them taken seriously.

  • Effective organisations have ways that staff can raise their concerns without fear of any reprisal, which the NHS has supplemented with a system of freedom to speak up guardians.

  • The audit committee will want to assure itself that the whole process of raising concerns; from staff talking to their line manager, through to freedom to speak up guardians and, ultimately, whistleblowing is in place and operating effectively.

  • The audit committee will also wish to gain assurance that there are no repercussions for anyone who genuinely raises a concern.
     

 

Chapter 17: Information governance and cyber security

Overview

With NHS organisations being increasingly reliant on digital and cyber solutions, the risks in this area become more critical. The audit committee should assure itself that these risks, while they may not be directly within their terms of reference, are being overseen and managed, with an appropriate level of assurance being received.

17.1 Oversight

HM Treasury’s Audit and risk assurance committee handbook, annex I (HM Treasury, Audit and risk assurance committee handbook, March 2016), makes it clear that assurance over cyber security arrangements should be provided by the audit committees of public sector bodies:

'Audit and risk committees' (ARAC) role is to provide assurance to the board that the organisation is properly managing its cyber risk including appropriate risk mitigation strategies.'

The National Audit Office (NAO) guidance for audit committees sets out three key questions:

Has the organisation implemented a formal regime or structured approach to cyber security which guides its activities and expenditure?
How has management decided what risk it will tolerate and how it manages that risk?
Has the organisation identified and deployed the capability it needs in this area?

For NHS organisations it may be that oversight of cyber security (and wider risks around information technology, security and systems) will be covered in detail by committees other than the audit committee (which is one of the areas where central government governance models differ from the NHS).

Within the NHS, therefore, the audit committee should assure itself that there is adequate oversight and assurance in this area (much as it would do for clinical governance) including appropriate levels of independent scrutiny and assurance.

 

17.2 Information governance and data protection

Each NHS organisation will carry out a self-assessment annually against the Data security and protection (DSP) toolkit issued by NHS England (NHS England, Data security and protection toolkit, January 2024). Compliance with the DSP toolkit regime is a requirement for all organisations that handle NHS data (and so is applicable to private sector bodies, as well as all NHS organisations). The toolkit sets out minimum expected standards across a range of areas including cyber security, systems and software management and information governance. As part of the DSP toolkit validation process, there is a requirement on organisations to obtain an independent audit of their submission. This audit must be completed and reported in accordance with a detailed audit process defined by NHS England. It involves checking a sample of the self-assessment responses against supporting evidence to confirm their accuracy.

The audit committee should ensure that it receives the results of the annual DSP toolkit audit and that it receives assurance over the organisation’s plans to address any areas of improvement identified. Where these are significant, the audit committee should require evidence to be provided to confirm appropriate compliance with expected key controls. Audit committees should always be alert to any trends in level of control and compliance in this area and any significant lapses.

Depending on the extent and quality of other assurances available from other groups, the audit committee may also seek or commission additional assurances over important areas or emerging risks. These might include the adoption and use of artificial intelligence (AI) and the development or replacement of major new systems.

Where the organisation relies on third parties to manage or process significant or sensitive data or relies on outsourced systems in important areas (such as payroll or cloud storage suppliers) then the audit committee should ensure that the organisation obtains appropriate assurance over their operation and controls (chapter 12 covers ISAE 3402 service auditor or similar third party assurance reports).

The audit committee should expect to receive assurance reports at least annually on key information governance areas, such as compliance with data protection and freedom of information (FOI) rules. These should provide a high-level overview of activity in the area including performance levels against mandatory legal requirements such as: timescales for responding to FOI requests; number/type of breaches; and plans to develop and improve compliance. Where there may have been significant failings in data protection, then the audit committee would want to assure itself that lessons have been learned and applied.

Another key aspect of information governance is ensuring the quality of data relied on for decision-making by the board is fit for purpose. NHS England has previously written to all NHS providers setting out their expectation that they maintain proper controls over data quality, including regular independent audits.

A key role of the audit committee is to consider whether it has appropriate assurances that the data (including both that received directly and that used to provide assurances on activities and service provision) has undergone quality checks to ensure that it is robust. This involves the committee looking beyond the messages it receives to critically reviewing the underlying data and specifically, assessing whether the sources are reliable. The system(s) used to collect and record the data should also be reviewed to determine that there are sufficient controls in place to ensure accuracy.

The six key data quality dimensions (Government Data Quality Hub, Meet the data quality dimensions, June 2021) for consideration are set out below: 

Accuracy: is data recorded correctly and is it in line with the methodology for calculation? 
Completeness: is all relevant information, as specified in the methodology, included in the calculation?
Uniqueness: does the data exclude any duplicates (a particular risk when combining datasets)?
Consistency: has data been collected using a stable process in a consistent manner over a period of time? 
Timeliness: is data captured as close to the associated event as possible and available for use in a reasonable time period? 
Validity: has the data been produced in compliance with relevant requirements (such as format, type and range)?  

Audit committees should expect their internal audit provider to allow time in their annual plans to cover data quality. This might include a rolling programme testing the robustness of key performance indicators reported to the board and assuring that effective controls are operating over the accuracy and completeness of patient data.
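The six dimensions above can be turned into concrete tests that an internal audit provider (or an analyst supporting the committee) could run over an extract of board-reported data, rather than taking the reported figure on trust. The script below is an added illustration and is not code from this handbook, from NHS England or from the Government Data Quality Hub. The record layout, the reference date used to recalculate waits, the seven-day recording window, the permitted waiting range and every sample row are assumptions constructed for the example; only the NHS number check digit calculation (modulus 11) follows the published algorithm. It returns one list of findings per dimension so the result can be inspected or asserted on.

```python
"""Data quality checks across the six dimensions (added illustration).

Not code from the HFMA handbook. The record layout, the RTT-style rules
(reference date, recording window, permitted waiting range) and the sample
rows are assumptions made for the example; only the NHS number modulus 11
check digit follows the published algorithm.
"""
from datetime import date

REFERENCE_DATE = date(2024, 3, 31)      # assumed period end used to recalculate waits
RECORDING_WINDOW_DAYS = 7               # assumed: an event should be recorded within a week
MAX_WAIT_WEEKS = 260                    # assumed plausibility bound (five years)
REQUIRED_FIELDS = ("pathway_id", "nhs_number", "clock_start",
                   "recorded_on", "waiting_weeks", "source_system")

# Constructed sample of referral-to-treatment style rows (fictional data).
SAMPLE_RECORDS = [
    {"pathway_id": "P001", "nhs_number": "9434765919", "clock_start": "2024-01-03",
     "recorded_on": "2024-01-04", "waiting_weeks": 12, "source_system": "PAS"},
    {"pathway_id": "P002", "nhs_number": "9434765870", "clock_start": "2024-02-14",
     "recorded_on": "2024-02-14", "waiting_weeks": 9, "source_system": "PAS"},        # wait overstated
    {"pathway_id": "P003", "nhs_number": "9434765918", "clock_start": "2024-01-20",
     "recorded_on": "2024-02-15", "waiting_weeks": 10, "source_system": "PAS"},       # bad check digit, late entry
    {"pathway_id": "P001", "nhs_number": "9434765919", "clock_start": "2024-01-03",
     "recorded_on": "2024-01-04", "waiting_weeks": 12, "source_system": "PAS"},       # duplicate of P001
    {"pathway_id": "P004", "nhs_number": "", "clock_start": "2024-03-01",
     "recorded_on": "2024-03-01", "waiting_weeks": 4, "source_system": "Spreadsheet"},  # missing id, off-system
    {"pathway_id": "P005", "nhs_number": "4010232137", "clock_start": "15/03/2024",
     "recorded_on": "2024-03-15", "waiting_weeks": 2, "source_system": "PAS"},        # non-ISO date
]


def nhs_number_valid(value):
    """Modulus 11 check digit used for NHS numbers (10 digits, weights 10 down to 2)."""
    if len(value) != 10 or not value.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(value[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:              # no valid check digit exists for this prefix
        return False
    return check == int(value[9])


def parse_iso(value):
    """Return a date for an ISO yyyy-mm-dd string, or None if it does not conform."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess(records, reference_date=REFERENCE_DATE):
    """Return {dimension: [finding, ...]}, one entry per failed check."""
    findings = {k: [] for k in ("accuracy", "completeness", "uniqueness",
                                "consistency", "timeliness", "validity")}
    seen_ids = set()
    # Consistency here means a stable collection process: every row should come from one system.
    expected_source = records[0]["source_system"] if records else None

    for idx, rec in enumerate(records):
        pid = rec.get("pathway_id") or f"row{idx}"

        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            findings["completeness"].append((pid, missing))

        if pid in seen_ids:
            findings["uniqueness"].append(pid)
        seen_ids.add(pid)

        if rec.get("source_system") != expected_source:
            findings["consistency"].append((pid, rec.get("source_system")))

        if rec.get("nhs_number") and not nhs_number_valid(rec["nhs_number"]):
            findings["validity"].append((pid, "nhs_number"))
        start, recorded = parse_iso(rec.get("clock_start")), parse_iso(rec.get("recorded_on"))
        if start is None:
            findings["validity"].append((pid, "clock_start"))
        if recorded is None:
            findings["validity"].append((pid, "recorded_on"))
        weeks = rec.get("waiting_weeks")
        if not isinstance(weeks, int) or not 0 <= weeks <= MAX_WAIT_WEEKS:
            findings["validity"].append((pid, "waiting_weeks"))

        # Accuracy: recompute the wait from the stated methodology instead of trusting the field.
        if start is not None and isinstance(weeks, int):
            expected = (reference_date - start).days // 7
            if expected != weeks:
                findings["accuracy"].append((pid, weeks, expected))

        # Timeliness: how long after the event was it recorded?
        if start is not None and recorded is not None and (recorded - start).days > RECORDING_WINDOW_DAYS:
            findings["timeliness"].append((pid, (recorded - start).days))

    return findings


if __name__ == "__main__":
    for dimension, issues in assess(SAMPLE_RECORDS).items():
        print(f"{dimension:12s} {len(issues)} finding(s): {issues}")
```

Run on the constructed sample, each dimension yields one finding except validity, which yields two (an NHS number that fails its check digit and a date in the wrong format). The point for the committee is the accuracy check: the reported waiting time is recalculated from the underlying dates using the stated methodology, which is what a rolling programme of KPI testing would do at scale.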

 

17.3 Cyber security 

Most NHS organisations will seek to assess themselves against a recognised certification scheme, such as Cyber essentials (Department for Science, Innovation and Technology and Department for Digital, Culture, Media & Sport, Cyber essentials scheme: overview, March 2023), which can provide a degree of assurance on their arrangements. The committee should understand the limits of such schemes: Cyber essentials covers a baseline set of technical controls and the basic level is a self-assessment, so certification shows the baseline was in place at a point in time rather than that the wider arrangements are effective. While organisations may have appropriate information technology management arrangements in place, there is a role for the audit committee to seek assurance that they are operating effectively in practice.

The audit committee, while relying on others to undertake detailed scrutiny, should have a particular interest in ensuring that the organisation maintains adequate cyber security arrangements. Where cyber security risks have crystallised, the audit committee should expect to receive reports on how the lessons have been learned (both direct and root cause) and applied to minimise future risks. For any significant security breach, the audit committee should also seek assurance that the organisation has proactively updated and liaised with the relevant regulators (the Information Commissioner’s Office and NHS England's national cyber security team), noting that UK GDPR requires a reportable personal data breach to be notified to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it, and how it has supported affected parties (for example, patients, staff, suppliers) where their sensitive data has been, or may have been, accessed without authorisation.

Key learning points

  • The audit committee should assure itself that risks around cyber security and information are being effectively overseen, without necessarily doing it themselves.

  • Data security is subject to an annual ‘toolkit’ review and the audit committee should review the results of this assessment and the associated audit.

 

Chapter 18: Exception reporting

Overview

One way to review the effectiveness of governance arrangements is to review where there has been evidence of non-compliance or errors. The audit committee can use periodic exception reporting to assess the effectiveness and help drive improvements.

18.1 Use of exceptions in supporting the work of the committee

As part of its work programme the audit committee should receive regular reports, with appropriate supporting analysis, on areas where – on the face of it – controls have not been operating effectively or normal processes have not been followed. This is in addition to reporting from internal audit assignments on their testing of controls, as well as from lessons learned from frauds where preventive controls have not operated effectively.

The role of the audit committee is to challenge constructively the level and nature of these exceptions to help improve management. Where these are significant, in either size or the length of time the weakness has been operating, the committee may wish to consider whether this is a relevant disclosure within the annual governance statement (AGS).

Traditionally this area has focused on financial areas, but the audit committee should consider its role in wider oversight (or seek assurance that others are doing this).

18.2 Bad debts and special payments  

The majority of NHS audit committees tend to have a periodic review of bad debts scheduled into their work plan, while other organisations may have this covered by a finance committee. 

Analysis of bad debts helps to understand why the debt has gone bad and, by looking at underlying causes, what improvements can be made to the systems and controls that seek to prevent them. This can range from reviewing aged debtors, to noting inter-NHS debts that are in dispute because of queries on data quality, to identifying debts due from third parties that suggest insufficient credit checking. Management can support the committee by analysing losses thematically.

Special payments can range from payments to patients for lost articles of clothing to compensation payments to staff or third parties in settlement of disputes (excluding those covered by the national clinical negligence scheme for trusts). There are certain thresholds set for both the process of approval and the reporting of special payments. The role of the audit committee is to consider the appropriateness of the management of the more significant payments and the lessons learned, particularly where these have arisen from control failures, as well as gain assurance that the proper approval process has been followed.

HM Treasury’s Managing public money (HM Treasury, Managing public money, May 2023) is the central guidance on this area, as well as being the key document on the responsibilities of the accountable officer. It sets out the requirements for when prospective approval is required for special payments; for instance in terms of novel, contentious or repercussive expenditure (such as special severance payments, which require pre-approval), as well as contractual or non-contractual payments.

18.3 Waivers to standing orders and financial instructions 

Any instances where standing orders (SOs) or standing financial instructions (SFIs) are not followed should, ideally, have been agreed in advance through a formal waiver process at the appropriate level of authority (from a formal agreement by the full board, via chair’s action or delegated approval). The audit committee should be concerned if there is a regular use of retrospective waivers.

Given the committee’s role in reviewing the maintenance of an effective system of governance, such waivers should be reported to the committee for it to consider, both to challenge the justification and to seek assurances that these are exceptions and improvements have been made. 

The reporting of waivers should be analysed by theme, such as ‘only provider’ or ‘insufficient tenderers’ and so on. It should also highlight any retrospective waivers being used to regularise matters after the event.

In reality, the majority of waivers to SOs tend to relate to waivers of procurement requirements and, in particular, to the use of single tender waivers.

18.4 Major incidents and near misses

Where there have been major incidents, particularly regarding governance, risk management and control, there is a role for the audit committee to scrutinise management’s actions on behalf of the board and ensure that lessons have both been learned and applied.

In reviewing this area, the audit committee may wish to consider some form of trend analysis to see if there are any common themes or root causes. Another good discipline is for management to also be open on ‘near misses’ and apply the same approach to lessons learned.

18.5 Legal and insurance  

Legal cases against the organisation (or taken by the organisation) can be a useful indicator of the control environment, although the committee does not need to get into the detail. Rather an annual review of the themes, cost and outcomes, with a view on how this reflects on the organisation’s control environment, would be appropriate.

Similarly, a review of insurance activity can help identify trends, with a focus on how improvements can be made to reduce claims (and premiums). This can be separated between those under the Clinical negligence scheme for trusts (NHS Resolution, Clinical negligence schemes for trusts, webpage January 2024), which may be covered by a quality committee, and others (which may cover contractual, personnel and other matters).

18.6 Lessons learned  

Within the organisation, when there have been failures, it would be expected that a lessons learned exercise would be undertaken, to ensure that lessons have both been learned and that those lessons have been applied, in terms of changes to systems and processes. These reviews, while needing to be proportionate, should look at both direct and root causes.

The role of the audit committee, which can include commissioning such work under its powers, is primarily to seek assurance that the exercise has been robustly and fairly carried out, and then to seek assurance that the recommendations and management actions are effectively implemented.

Committees can also use events outside the organisation, for instance cyber attacks against other organisations, to assure themselves that the same failure could not happen within their own organisation. This works best when management is asked a specific question: whether the control that failed elsewhere is in place here and whether there is recent evidence that it is operating.

18.7 National studies and learning from governance failings 

The history of governance developments in the NHS is generally linked to responses to failings in governance. The audit committee has a role in ensuring that all significant governance developments are picked up and implemented effectively. In some instances, this may wait until there has been a formal report or direction from NHS England or the Department of Health and Social Care (DHSC), but there is also an opportunity to seek assurances from management where there are emerging issues.

Key learning points

  • Various forms of exception reporting allow the committee to look at where the governance arrangements have not been operating as designed.

  • These range from internal matters, such as single tender waivers, to those that require escalation, such as special payments.

  • The audit committee can also use lessons learned from both their own and other organisations to help improve their own governance.

Chapter 19: Audit committees and integrated care systems

Overview

Integrated care systems (ICSs) are still developing, with different ways of working across the country. While there is no ‘one size fits all’ both integrated care board (ICB) and provider audit committees need to be aware of the shared duties and risks, along with the opportunities that they bring.

19.1 New territory

Although the NHS has been working for many years to move towards more integrated working (ranging from the better care fund to sustainability and transformation partnerships), the introduction of ICSs and ICBs through the Health and Care Act 2022 (the Act) (The National Archives, Health and Care Act 2022, July 2022) has placed this on a statutory basis. The Act is a wide-ranging piece of legislation whose main aim is to provide a legislative framework to facilitate greater collaboration within the NHS and between the NHS, local government and other partners.

The HFMA Introductory guide to NHS finance (HFMA, Introductory guide to NHS finance, January 2024) provides further detail on the current arrangements depicted in the diagram below. 

[Diagram: current NHS finance arrangements, from the HFMA Introductory guide to NHS finance]

The Act introduced new requirements for all NHS bodies to have regard to the likely wider effect of their decisions in relation to: 

  • the health and well-being of the people of England

  • the quality of healthcare services provided to individuals 

  • efficiency and sustainability in relation to the use of resources.

The need to work together to meet joint financial objectives and duties is particularly important for audit committees. In some ways, the audit committee role will not change, as NHS bodies will still need to report to their own board and to the regulators. In other ways, everything will change as decisions will need to be made with a view to their impact on the wider system and the impact of those decisions on partner organisations. As such the audit committee will need to take a wider view when considering audit and assurance.

There has been a very definite decision that, in terms of ICBs and ICSs, there is ‘no one size fits all’ and that each system should develop the arrangements that work for it, reflecting its demographics and structures as well as its relative maturity. In reviewing arrangements, it will be important to ensure that the fundamental principles of good governance are embedded.

19.2 The ICB audit committee

The primary role of the ICB audit committee is to provide the independent and objective oversight of its own organisation, however some committees are taking a lead in building relationships with other audit committees within their system. These can primarily be with NHS bodies, but can also include local authorities and the full range of partners, such as from the voluntary and charitable sectors.

ICB audit committees do not have the ability to direct and control other audit committees, but they do have convening authority to bring them together to discuss issues of mutual interest.

The main area that this is likely to have a practical impact is around risks within the ICS (see chapters 14 and 20).  

19.3 The provider audit committee

For provider audit committees, there is a need to consider the relationship of the provider with the ICB and, particularly the arrangements for oversight of the ‘system’ risks that the provider has some exposure to.

There may also be opportunities for working within provider collaboratives to look at assurance arrangements and agree ways of working that avoid omission and duplication, while respecting organisational boundaries.

The interaction between the system and individual providers regarding risks of income clawback, for example, has provided recent challenges as to where organisational boundaries merge into system positions, for both governance and income recognition. Increasingly, organisational committees will need to be alert to the risk that poor performance at neighbouring organisations, and at system level, poses to their own organisation, since funding of both revenue and capital is now largely issued by NHS England to systems rather than to individual organisations.

19.4 Collaborative audit committees/ committees in common

In some circumstances audit committees can work together – for example, one audit committee may meet at the same time as that of another NHS body within an ICS, using this joint meeting to discuss common issues and decisions. ‘Committees in common’, as described in chapter 4, are an option in the move to increased partnership working. 

Although this approach clearly offers the potential for some efficiencies and sharing of knowledge and expertise, it is essential that each individual organisation can demonstrate that it is discharging its own statutory duties and that no conflicts of interest impair its independence.

Where audit committees are working together, they should therefore ensure that they have in place clear, agreed protocols defining their working arrangements and how the declaration and recording of any conflicts of interest is handled.

Key learning points

  • The development of ICSs is still continuing with various different models and ways of working.

  • Audit committees, whether from an ICB or a provider, need to be aware of this area.

  • Both ICB and provider audit committees need to be clear on how risks to the ICS are captured, communicated and managed, particularly where the management of that risk is either shared or transferred to another.

  • There is an ability for collaboration between organisations, but this remains an area of development.

 

Chapter 20: Current issues

Overview

The remit of the audit committee has changed over the years and will continue to do so. This chapter, which will be updated more regularly than others, highlights some of the main current issues that audit committees will want to monitor. 

20.1 The development of integrated care systems (ICSs)

Chapter 19 sets out some initial ideas about the ‘new world’ of ICSs and the implications for NHS audit committees. This is, however, new territory and the concept that ‘no one size fits all’ will mean that there is little specific direction on what good looks like.

Committees should therefore keep a watching brief on this, regularly asking executive management for relevant updates, but also being clear on the key principles behind integrated care – collaboration not competition – and opportunities for partnership working.

Of particular interest to audit committees will be matters around ICS risk management and how system risks (such as those relating to the wider ICS or two or more partners within the ICS) are being captured and clarity is achieved over their management.  As well as this, the audit committee will want to consider any arrangements for system wide assurance being provided by either internal auditors or another source of assurance.

20.2 External audit market            

As noted in chapter 10, the market for external audit has become much more restricted in recent years, with a number of NHS bodies finding it difficult to appoint an external auditor and little or no interest being shown in invitations to tender for external audit services. There are many complex and intertwined factors leading to the issues in the NHS external audit market, with similar issues being reported in local government. These issues are explored in the HFMA’s briefing, The NHS external audit market: an update on current issues (HFMA, The NHS external audit market: an update on current issues, August 2022). Chapter 10 also includes good practice advice on external audit procurement.

The approach taken by external audit will also be changing. Effective use of digital technologies to supplement human judgement will become increasingly necessary to ensure robust audit coverage and assurance. These might include progressively automating audit processes, client data mining and validation, sampling, analytics and predictive modelling to identify emerging risks.

20.3 Financial sustainability  

The financial sustainability of the NHS has always been a concern, as demand for care outstrips supply and the forces of change continue, whether they are demographic changes, clinical developments, digital or other. During the years of the Covid-19 pandemic, funding was found to enable the NHS to meet the demand, but the clear message is that this is no longer the case.

A key focus for an audit committee is to ensure that the basics of financial sustainability (financial planning, control and management) are effectively embedded in their organisation. This is particularly crucial in times of financial constraint. There is a clear link between the establishment of strong financial management disciplines and the financial sustainability of an organisation.

The HFMA’s briefings, Financial sustainability – essential building blocks (HFMA, Financial sustainability – the essential building blocks, June 2022) and Improving NHS financial sustainability: are you getting the basics right? (HFMA, Improving NHS financial sustainability: are you getting the basics right?, April 2022), set out the key areas for consideration. 

20.4 Environmental, social and corporate governance 

Developments in environmental, social and corporate governance – such as through green plans and addressing inequalities – and increasing reporting and transparency requirements concerning these, are amongst a number of demands and developments that boards need to consider. 

The Department of Health and Social Care (DHSC) consultation on proposed changes to the Group accounting manual (GAM) (DHSC, Changes to DHSC group accounting manual 2024 to 2025, February 2024) includes a change to the reporting requirements, backdated to 2023/24, relating to HM Treasury’s approach to adopting the Task Force on Climate-related Financial Disclosures (TCFD) recommendations. It also includes an update to wider reporting requirements on sustainability matters in the performance analysis. 

For audit committees there is a risk and assurance role for them to play; in terms of ensuring that the key strategic and operational risks are correctly identified, a management plan is in place and reporting requirements are adhered to. 

The Institute of Environmental Management and Assessment (IEMA) Guidance on sustainability for NHS non-executive directors (NEDs) (IEMA, Guidance on sustainability for NHS non-executive directors, October 2022) sets out the sustainability risks, challenges and issues that face the NHS. The National Audit Office (NAO) has produced a good practice guide on climate change risk for audit committees (National Audit Office, Climate change risk: a good practice guide for audit and risk assurance committees, August 2021) and developments in environmental sustainability reporting are set out in the HFMA’s briefing, Sustainability reporting in the NHS (HFMA, Sustainability reporting in the NHS, April 2023, due to be updated in April 2024).

20.5 Digital developments

Developments in digital technologies, including the use of robotics and AI are widely expected to be transformative, both in the expectations of patients (for example, diagnostic timelines and personalised medicine) and in addressing many of the challenges facing NHS organisations. Digital adeptness, through continuous training and development, is an obvious pre-requisite. 

With such innovative changes come risks (for example, overcoming rapid technological obsolescence and harvesting, storing and deploying health data), and the audit committee will need to assure itself that such developments are being appropriately managed. This will, in part, draw on the oversight of major programmes and projects, and the assurance that organisations will require.

20.6 Internal audit standards

NHS internal auditors are currently required to comply with the Public sector internal audit standards (PSIAS) (see chapter 9). However, the Global internal audit standards (GIAS) (The Institute of Internal Auditors, Global internal audit standards, January 2024) will take effect from January 2025. CIPFA is reviewing the new standards and considering the implications for the new PSIAS, and it is likely that the standard setters for the PSIAS will issue a consultation on the new PSIAS in summer 2024 for implementation in 2025.  

At the heart of the GIAS are 15 guiding principles that enable effective internal auditing. Each principle is supported by standards that contain requirements, considerations for implementation and examples of evidence of conformance. Together, these elements help internal auditors achieve the principles and fulfil the purpose of internal auditing. The diagram below provides an overview of the standards.  

Audit committees should expect to be briefed by their internal auditors on any proposed changes in practice as a result of the GIAS. 

[Diagram: overview of the Global internal audit standards]

Key learning points

  • Audit committees need to be aware of key developments that are emerging, that will have an impact – to a greater or lesser extent – within the next 12 to 18 months.

  • ICSs are still developing, evolving and maturing, in particular with regards to collaboration and shared duties. 

  • The market for external auditors has seen limited competition for some organisations, with increased fees but also increased demands on the external auditors.

  • Financial sustainability, of both individual organisations and systems, has become a major risk after the years of covid funding.

  • The demands for longer-term impacts in areas around environmental, social and corporate governance need to be addressed.

  • The importance of digital solutions, in both clinical and administrative areas, in driving improvements, is fully recognised, but needs to be achieved through effective management of the underlying risks.

  • NHS internal audit’s professional standards are likely to change to the wider professional framework.  

 

Appendices

You can find the appendices documents below to download or print for your own use. The glossary for this guide is also available below in the PDF document.

Appendix A example terms of reference

Appendix B self assessment checklists

Appendix C example agenda and timetable

Appendix D: Glossary

This listing includes a brief explanation of some of the terms used in the handbook but is not exhaustive.

Term: Definition

Accountability: Accountability means demonstrating on an on-going basis that public money is being used wisely and effectively and for its intended purpose.

Accountable officer: The accountable officer (AO) in an NHS organisation is responsible for ensuring that the organisation: 
- operates effectively, economically and with probity
- makes good use of its resources
- keeps proper accounts

Accountable officers are ultimately accountable to Parliament via the tiers of the NHS. For example, in an NHS trust the accountable officer is the chief executive. They are accountable to Parliament via the Department of Health and Social Care (DHSC) accounting officer and the Secretary of State for Health and Social Care. 

In NHS foundation trusts, accountable officers are known as accounting officers and are directly responsible to Parliament.

Accounting officer: The chief executive of an NHS foundation trust is designated as the accounting officer and is responsible for ensuring that the FT: 
- operates effectively, economically and with probity 
- makes good use of its resources
- keeps proper accounts

The individual is personally accountable to Parliament and can be called to give evidence to the Public Accounts Committee. 
The chief executive of a health and social care organisation in Northern Ireland is also designated as the accounting officer. 

Annual governance statement (AGS) / Governance statement: The annual governance statement (AGS)/governance statement is a key component of the annual report and accounts and is signed by the accounting officer. The AGS is designed to provide assurance in relation to the system of internal control that has been operating throughout the preceding year. 

Assurance: In the NHS, assurance refers to the process by which the board and its committees confirm that the organisation is operating as it should. Confidence in operating performance can be found through a number of sources, for example internal and external audit reports, Care Quality Commission inspections and internal management reports.

Audit: The process of validating the accuracy, completeness and adequacy of disclosure in financial records. There are two types of audit relating to finance and governance: internal and external.

Audit committee: The audit committee is a statutory committee of the board of all NHS organisations and has a key role in governance terms. Comprising only non-executive directors, its role is to review and report on the relevance and rigour of the governance structures in place and the assurances the board receives.

Board: The board is an NHS organisation's pre-eminent group that takes corporate responsibility for the strategies and actions of the organisation and is accountable to the public and Parliament. It sets the strategy and objectives for the organisation, monitors their achievement and looks for potential problems and risks that might prevent them from being achieved.

Board assurance framework (BAF): Records the key processes used to manage the organisation and the principal risks to meeting its strategic objectives.

Care Quality Commission (CQC): The Care Quality Commission (CQC) is an independent body that operates at arm's length from the government and is responsible for registering and regulating all providers of health and adult social care in England.
Chief finance officerEach NHS organisation must have a chief finance officer (CFO) or director of finance who has a key role in governance terms. As members of the board they have a range of responsibilities from statutory duties relating to accountability, governance and probity; traditional treasurer activities; corporate strategic management and day-to-day operational management.
Clinical auditA quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change.
Clinical governanceA framework of processes, systems and controls that help NHS organisations demonstrate accountability for continuously improving the quality of their services and safeguarding high standards of care. Good clinical governance involves establishing an environment in which clinical excellence can flourish.
Clinical Negligence Scheme for Trusts (CNST)The clinical negligence scheme for trusts (CNST) is a risk pooling scheme that covers all liability arising from medical negligence for employees while operating under their contract of employment with an NHS organisation. The scheme is also available to private healthcare providers. It is operated by NHS Resolution.
Comptroller and Auditor General (C&AG)The individual in charge of the National Audit Office.
Code of accountabilityThis defines the public service values that must underpin the work of NHS governing bodies, sets out accountability regimes and describes the basis on which NHS organisations should fulfil their statutory duties.
Conflicts of interestA conflict of interest arises when a person or organisation has a relationship or is involved in something elsewhere that may influence their decision-making.
Constitution and/ or standing ordersConstitutions and/ or standing orders translate an organisation's statutory powers into a series of practical rules designed to protect the interests of the organisation, its staff and ‘customers’. They are similar to the articles of association of a private sector company and specify how functions will be carried out and how decisions will be made.
Corporate governanceCorporate governance is the system by which organisations are directed and controlled. It is concerned with how an organisation is run – how it structures itself and how it is led. Governance should underpin all that an organisation does. In the NHS this means it must encompass clinical, financial and organisational aspects.
Council of governorsNHS foundation trusts are required to have a council of governors, elected from their local community to hold non-executive directors to account for the performance of the board and to represent the interests of members and the public.
Department of Health and Social Care (DHSC)The Department of Health and Social Care (DHSC) is a government department responsible for policy on health and adult social care matters in England. It supports the Secretary of State and ministers in carrying out their ministerial responsibilities for health and social care services by setting national standards, policy and priorities for the NHS.
External auditExternal auditors have two key roles for public sector organisations: to review and report on the year end accounts and to scrutinise arrangements for securing value for money in the use of resources. They are independent of the NHS body to which they are appointed.
Financial Reporting Manual (FReM)The manual issued by HM Treasury that sets out how international financial reporting standards (IFRS) should be applied to government entities. All NHS financial reporting guidance must be consistent with the Financial reporting manual (FReM).
Foundation Trust Annual Reporting Manual (FT ARM)The NHS foundation trust annual reporting manual (FT ARM) provides guidance to foundation trusts on producing their annual reports. It is reviewed and produced annually by NHS England.
Going concernAll accounts prepared in accordance with international financial reporting standards (IFRS) are prepared on a going concern basis unless management either intends to liquidate the entity or to cease trading, or has no realistic alternative but to do so. For public sector bodies, such as NHS bodies and local authorities, this means focusing on whether the services provided by the entity are going to be continued rather than whether the entity providing the service will continue to exist.
GovernanceThe system by which organisations are directed and controlled. It is concerned with how an organisation is run - how it structures itself and how it is led.
Group accounting manual (GAM)Mandatory accounting guidance for all DHSC group bodies including integrated care boards, NHS trusts, NHS foundation trusts and arm’s length bodies (ALBs)
Integrated care board (ICB)Integrated care boards (ICBs) are the lead statutory NHS organisation within each of the 42 integrated care systems in England. They are allocated funding from NHS England and work with integrated care partnerships (ICPs) to plan how to use it. They commission NHS services via contracts with providers.
Integrated care partnership (ICP)In England integrated care partnerships (ICPs) are statutory committees of integrated care boards and local authorities within each of the 42 integrated care systems. They bring together NHS leaders, local authorities and other partners to prepare an integrated care strategy which other members of the integrated care system must follow when making decisions and delivering services. 
In Northern Ireland integrated care partnerships are committees working with local commissioning groups (LCGs) and HSC trusts ti improve the integration of primary care services. 
Integrated care system (ICS)Integrated care systems (ICSs) are geographically based partnerships of health and care organisations that come together to plan and deliver joined-up services and to improve the health of people who live in their area.
Integrated governanceAn approach to governance that translates the three fundamental principles of openness, integrity and accountability into a working model that applies across all activities.
Internal auditInternal audit has two aspects – firstly, providing an independent and objective opinion to the accountable officer, governing body and audit committee on the extent to which risk management, control and governance arrangements support the aims of the organisation. The second aspect provides an independent and objective consultancy service specifically to help line management improve the organisation's risk management, control and governance arrangements. Internal audit can be in-house or bought in from a consortium or accountancy firm.
Internal controlThe system of managing risks to an organisation. It is the system of checks and balances that give management assurance that the organisation can achieve its objectives effectively and efficiently in compliance with financial reporting and legal requirements. Examples of internal controls include segregation of duties, authorisation of transactions, supervision and data security.
Local Counter Fraud Specialist (LCFS)A local counter fraud specialist (LCFS) is a nominated individual who acts as the first line of defence against fraud and corruption. Every NHS organisation is assigned a LCFS. Their responsibilities are outlined in Secretary of State Directions/ Minister of Health and Social Services Directions.
National Audit Office (NAO)The National Audit Office (NAO) audits all government departments including the Department of Health and Social Care, NHS England and a large number of public sector organisations. The NAO reports to the government on how well these departments and organisations have used their resources in relation to economy, efficiency and effectiveness.
Nolan principlesThe Nolan principles of public life are the key principles of how individuals and organisations in the public sector should conduct themselves. The principles are:
- selflessness
- integrity
- objectivity
- accountability
- openness
- honesty
- leadership
Non-executive directorsA non-executive director (NED) is a member of the board of directors but is not employed by the organisation. NEDs are appointed by the organisation's nominations committee (or NHS England for NHS trusts) and are chosen based on their individual skills and what they will bring to the overall composition of the board. They are expected to challenge decisions and strategies.
NHS Counter Fraud Authority (NHSCFA)The NHS Counter Fraud Authority (NHSCFA) is special health authority responsible for identifying, investigating and preventing fraud and other economic crime within the NHS.
NHS EnglandNHS England is an executive non-departmental body working at arm's length from the Department of Health and Social Care. It is accountable to the Secretary of State for Health and Social Care for meeting its legal duties and fulfilling its mandate. NHS England is also accountable for staying within its allocated resources and delivering a wide range of improvements in healthcare. It is also responsible for managing the commissioning system and commissioning some services itself – for example, services for members of the armed forces and some specialised services.
Primary care network (PCN)A primary care network (PCN) is a grouping of local GP practices in England for sharing staff and collaborating while maintaining the independence of individual practices. PCNs receive additional funding to deliver commitments made in the NHS long term plan.
Prime financial policiesPrime financial policies, also known as standing financial instructions, set out an organisation's detailed financial procedures and responsibilities. They are designed to ensure that NHS organisations account fully and openly for all that they do. 
Provider collaborativeA provider collaborative is a partnership arrangement between two or more NHS providers working at scale across multiple places with a shared purpose. It enables providers to collaborate to plan, deliver and transform services at scale to improve outcomes and value.
Risk managementThe process by which risks to achieving an organisation's aims are identified, evaluated, managed and reviewed.
Risk registerA listing of an organisation's key risks that identifies the potential risks, their impact, likelihood, how they are to be managed and who is responsible. A review date and status for each risk must also be included.
Scheme of reservation and delegationThe scheme of delegation or scheme of reservation and delegation (SoD or SORD) is a detailed listing of who the board of an organisation empowers to take actions or make decisions on its behalf.
StakeholdersStakeholders are any groups of people or other organisations that have a contractual, legal or financial interest or involvement with an organisation. The stakeholders of a company will be its shareholders and employees. The NHS has a wide range of stakeholders with an interest in its work, including the government, patients and the public, staff, local authorities and social care providers, charities and the private, voluntary and community sectors.
Standards of business conductThe strict ethical standards to be applied by all staff when conducting NHS business
Standing financial instructions (SFIs)Standing financial instructions (SFIs) set out the organisation's detailed financial procedures and responsibilities. They may also be known as prime financial policies. They are designed to ensure that NHS organisations account fully and openly for all that they do.
Standing orders (SOs)Standing orders (SOs) provide a comprehensive framework for carrying out activities within NHS bodies. They translate an organisation's statutory powers into a series of practical rules designed to protect the interests of both the organisation and its staff.
System of internal controlThe system of internal control is established to minimise the risk of an NHS organisation not achieving its objectives. It is based on ongoing risk management processes designed to identify principal risks, evaluate the nature and extent of those risks and manage them. Examples of internal controls include segregation of duties, authorisation of transactions, supervision and data security.
Value for money (VFM)The term value for money (VFM) is used when assessing whether the maximum benefit has been obtained from the goods or services bought or an investment made. 
Value for money is usually assessed using the following criteria:
- economy (or spending less)
- efficiency (or spending well)
- effectiveness (or spending wisely).