Audit and Risk Assurance Committee (ARAC) terms of reference

Terms of Reference agreed: November 2023
Next review date: September 2024


The Audit and Risk Assurance Committee (ARAC) is a standing committee that is a requirement of the Welsh Government’s Framework Document with NRW. Its principal role is to advise the Board and to support the Chief Executive/Accounting Officer on matters of risk, financial stewardship and accountability, internal control and governance.  


ARAC will provide assurance on the establishment and maintenance of an effective control environment to ensure financial and wider business integrity, sustainability and continuity.

ARAC will monitor NRW’s risk management processes to ensure their effectiveness in anticipating future risks as well as addressing the here and now, and that risk mitigation measures are consistent with NRW’s risk appetite.

ARAC will provide the Board and the Chief Executive/Accounting Officer with an Annual Report summarising the business it has conducted during the year and the conclusions it has drawn therefrom. This will also inform the production of the Chief Executive/Accounting Officer’s Governance Statement.

ARAC will scrutinise and provide assurance to the Board on performance towards the Corporate Plan Wellbeing Objectives as relevant to ARAC.


ARAC is responsible for effectiveness of key financial and other controls by ensuring it gains appropriate assurance of the:

Financial and other internal control frameworks;

  • Risk management framework, including aligning its own review of risks matters with deep dives conducted by other Board Committees;
  • Strategic risks relevant to compliance, by undertaking a programme of deep dives to scrutinise current and target scores, seeking confidence on the appropriateness of planned actions to manage risks and secure the target scores identified;
  • NRW Corporate governance arrangements;
  • Policies and procedures in respect of fraud, irregularity and public interest disclosure;
  • Management of Information, Data, and Cyber security risks, seeking confidence that those risks are managed appropriately, and necessary controls are in place;
  • Implementation of approved recommendations relating to both internal and external audit reports and management responses;
  • consider elements of the annual financial statements in the presence of the external auditors, including the auditors’ formal opinion, the statement of members’ responsibilities and the statement of internal control;
  • review the accounting policies relating to the financial statements, particularly in relation to any changes, and to comment on their adequacy;
  • scrutinise and report to the Board on the Annual Report and Accounts of NRW and the Chief Executive/Accounting Officer’s Governance Statement and recommend approval for the Chief Executive/Accounting Officer to sign off the Annual Report and Accounts;
  • alert the Board and the Chief Executive/Accounting Officer to issues that pose a material risk;
  • gain assurance on issues of fraud, losses and special payments, including the Annual Report;
  • scrutinise all significant contracts let without competition (individually or collectively) in order to support transparency of decision;
  • oversight and scrutiny of progress and delivery of the Vision for Good Governance business transformation programme.

External Audit 

Wales Audit Office is NRW’s external auditor.

ARAC will review the work of the external auditor and will consider their findings and management’s response to them. Specific responsibilities include to:

  • review and recommend (to the Chief Executive/Accounting Officer) approval of the annual external audit plan and audit fee;
  • review all external audit reports, including the audit completion report before final submission to the Chief Executive/Accounting Officer and the NRW Board, as well as any work undertaken outside of the annual external audit plan and management’s response thereto;
  • review the performance of the external auditor.

Internal Audit

ARAC will oversee NRW’s internal audit arrangements to ensure their effectiveness and will review the work and findings of the internal auditors, together with management’s responses. Specific responsibilities include to:

  • agree the internal audit strategy and annual internal audit plan;
  • receive and review topic-specific internal audit reports, together with management’s responses;
  • receive and review the Internal Audit Opinion;
  • review the performance of the internal audit service.


ARAC will oversee NRW’s assurance arrangements to ensure their effectiveness and will provide leadership, scrutiny, and guidance on assurance activity, ensure alignment with the organisation’s strategic risks and with Internal Audit activity and findings. Specific responsibilities include:

  • Agree the assurance strategy and annual assurance plan;
  • Receive and review periodic assurance reports;
  • Scrutinise performance over the three lines model, ensuring focus on areas of weakness
  • Champion and scrutinise the development of risk assurance, and the embedding of a holistic approach to risk management, controls and assurance


ARAC will aim to meet at least four times per year, typically to assist the programming and budgetary cycle. Additional meetings may be convened as and when required.

At least once a year, and otherwise as required, the internal and external auditors will meet with ARAC without members of the executive being present.


ARAC will be Chaired by Kath Palmer

ARAC and other attendees will include four non-executive Board members, at least one of whom must have appropriate expertise in financial management, accounting and auditing.

Audit Wales representatives will be invited to attend.

The Chief Executive/Accounting Officer, Executive Director of Finance and Corporate Services, and Head of Governance and Board Secretary, will normally attend meetings of ARAC except where specifically excluded for discussion of matters affecting their personal situation or performance.

Last updated