Audit and Risk Assurance Committee (ARAC) terms of reference

Terms of Reference agreed: March 2026
Next review date: March 2027

These Natural Resources Wales (NRW) ARAC Terms of Reference and the Appendix to them are to be read in tandem with the NRW Standing Orders for the Conduct of Board and Board Committee Business.

Purpose

The Audit and Risk Assurance Committee (ARAC) is a standing committee of the NRW Board (the Board). It is a requirement of the Welsh Government’s Framework Document for NRW (the Framework Document) that NRW establishes an Audit and Risk Committee, which is chaired by a non-executive (but not the Chair) and reports and is accountable to the Board. The principal purpose of ARAC, therefore, as set out in the Framework Document is: 

  • Providing the Board with independent advice; and
  • Advising NRW’s Accounting Officer and the Board on the adequacy of arrangements within the organisation for internal and external audit and corporate governance matters. 

ARAC’s role, therefore, includes supporting the Board and NRW’s Accounting Officer by reviewing the comprehensiveness and reliability of assurances on risk management, financial stewardship and accountability, internal control and governance.

Scope

ARAC shall report, and be accountable, to the Board.

ARAC shall provide assurance to the Board and NRW’s Chief Executive Officer/Accounting Officer on the establishment and maintenance of an effective control environment to ensure financial and wider business integrity, sustainability and continuity.

ARAC shall scrutinise and provide assurance to the Board on performance towards the Corporate Plan Wellbeing Objectives as relevant to ARAC.

Responsibilities

The particular responsibilities of ARAC in fulfilling its purpose and carrying out its role are set out in the following paragraphs. ARAC shall:

Ensure the Board gains appropriate assurance of the:

  • Policies and procedures in respect of fraud, irregularity and public interest disclosure; and
  • Management of Information, Data, and Cyber security risks, seeking confidence that those risks are managed appropriately, and necessary controls are in place;

Scrutinise all significant contracts let without competition (individually or collectively) in order to support transparency of decision;

Advise the NRW Accounting Officer and the NRW Board on the adequacy of arrangements within the organisation for financial and other internal control frameworks and the strategic processes for control;

Oversee NRW’s assurance arrangements to ensure their effectiveness and provide leadership, scrutiny, and guidance on assurance activity, ensuring alignment with the organisation’s strategic risks and with Internal Audit activity and findings. Specific ARAC responsibilities include:

Financial Stewardship

Provide the Board with independent advice to help the Board assure itself of the effectiveness of the arrangements in place to provide assurance on NRW’s financial stewardship, financial reporting and management of financial risks and opportunities;

Review the accounting policies relating to the financial statements, particularly in relation to any changes, and to comment on their adequacy;

Gain assurance on issues of fraud, losses and special payments, including the Annual Report (see below);

Consider elements of the annual financial statements in the presence of the external auditors, including the auditors’ formal opinion, the statement of members’ responsibilities and the Annual Governance Statement;

Scrutinise and report to the Board on the Annual Accounts of NRW and recommend approval for the Chief Executive/Accounting Officer to sign off the Annual Accounts;

Corporate Governance

Provide the Board with independent advice to help it assure itself of the effectiveness of the arrangements in place to provide assurance on NRW’s corporate governance arrangements;

Advise the Board and the Chief Executive/Accounting Officer on the assurances relating to corporate governance requirements for NRW, on the strategic processes for governance and the Annual Governance Statement and the adequacy of arrangements within the organisation for corporate governance matters. This advice shall include how governance and internal control arrangements support the achievements of the organisation’s strategies and objectives, especially:

  • The Board operating framework, including the organisation’s vision and purpose; 
  • Mechanisms to ensure effective organisational accountability, performance and risk management; 
  • Role definitions, committee and other structures to support effective discharge of responsibilities, decision making and reporting; 
  • The development, operation and monitoring of the system of internal controls and whether these will provide timely warnings of any failings; 
  • Promotion of appropriate ethics and values within the organisation;
  • Communication of management information, including on risk and control among the Board and to appropriate areas of the organisation; and 
  • Relations with other arm’s length bodies and the Welsh Government Sponsorship Team.

Lead the assessment of the Annual Governance Statement for the Board, scrutinising and reporting to the Board on the Annual Report of NRW and the Chief Executive/Accounting Officer’s Governance Statement and recommending approval for the Chief Executive/Accounting Officer to sign off the Annual Report;

Risk Management and Risk Control

Alert the Board and the Chief Executive/Accounting Officer to issues that pose a material risk, help the Board address key financial and other risks and support the Board in their role in advising on key risks;

Provide the Board with independent advice to help the Board assure itself of the effectiveness of the arrangements in place to provide assurance on NRW’s risk management systems and framework, including aligning its own review of risk matters with deep dives conducted by other Board Committees. ARAC shall critically challenge and review the risk management and assurance framework, without second guessing management, to provide assurance that the arrangements are actively working in the organisation;

Advise the Board and Chief Executive/Accounting Officer on the strategic processes for risk management and support the Board to gain appropriate assurance of the strategic risks relevant to compliance, by undertaking a programme of deep dives to scrutinise current and target scores, seeking confidence on the appropriateness of planned actions to manage risks and secure the target scores identified;

Review and monitor NRW’s risk management systems and processes to ensure their effectiveness in anticipating future risks as well as addressing the here and now, and that risk mitigation measures are consistent with NRW’s risk appetite;

Advise the Board on its policies, attitude to and appetite for, risk to ensure these are appropriately defined and communicated so management operates within these parameters;

Advise the Board and Chief Executive/Accounting Officer on assurances relating to the management of risk for the organisation and critically challenge and review the adequacy and effectiveness of control processes (including risk registers) in responding to risks within the organisation’s governance, operations, compliance and information systems, including undertaking deep dives into significant risks;

Champion and scrutinise the development of risk assurance, and the embedding of a holistic approach to risk management, controls and assurance. ARAC shall support NRW’s Chief Executive/Accounting Officer and the Board to formulate their assurance needs by reviewing risks, systems and processes and considering how well the assurance provided actually meets these needs, gauging the extent to which assurance on the management of risk is comprehensive and reliable;

External Audit

Advise the Chief Executive/Accounting Officer and Board on the adequacy of arrangements within the organisation for external audit matters, including the planned activity and results of external audit;

Review the work of the Auditor General for Wales, as NRW’s statutory external auditor (External Auditor) and consider their findings and management’s response to them, helping the Board in gaining appropriate assurance of the implementation of approved recommendations to external audit reports and management responses. Specific ARAC responsibilities include reviewing:

  • The annual external audit plan and audit fee, including whether this is appropriate for the work to be undertaken, and recommending (to the Chief Executive/Accounting Officer) approval of the external audit plan and audit fee;
  • All external audit reports, including the audit completion report before final submission to the Chief Executive/Accounting Officer and the Board, as well as any work undertaken outside of the annual external audit plan and management’s response thereto; 
  • The External Auditor’s planned audit approach, the performance of the External Auditor to date and whether this is adequate; 
  • The results of external audit work and resolution of identified weaknesses; 
  • The way in which the External Auditor is co-operating with internal audit to maximise overall audit efficiency, capture opportunities to derive a greater level of assurance and minimise duplication of work;
  • The potential implications to the organisation of the wider work carried out by the External Auditor, for example, value for money reports and good practice findings; 
  • The adequacy of management response to issues identified by audit activity, including external audit’s management letter; and 
  • The questionnaire to those charged with governance and the letter of representation to the External Auditor at the end of the year, to ensure ARAC is aware of the key areas within the documents, or to discuss those issues which have not been previously reported to ARAC or are unusual; 

Internal Audit 

Fulfil the role of the ‘Board’ under the Global Internal Audit Standards (GIAS).

Approve and advise on the mandate and charter that empowers internal audit to provide ARAC and the Accounting Officer with objective assurance, advice, insight and foresight (the Internal Audit function receives its mandate from ARAC, which specifies the authority, role and responsibilities of the Internal Audit function and is documented in the Internal Audit Charter).

Approve changes to the Internal Audit Plan, as well as request additional specific pieces of assurance and advisory work.

Champion the Internal Audit function to fulfil the purpose of internal auditing and pursue its strategy and objectives (an essential condition under the GIAS).

Work with the Executive Team and Accounting Officer to enable the Internal Audit function to have unrestricted access to the data, records, information, personnel and physical properties of NRW necessary to fulfil the Internal Audit mandate.

Establish a direct reporting relationship with the Head of Internal Audit and the internal audit function to enable the internal audit function to fulfil its mandate.

Provide the Head of Internal Audit with opportunities to discuss significant and sensitive matters with ARAC, including meetings without the Accounting Officer or Executive Team present.

Authorise the appointment and removal of the Head of Internal Audit and provide input to senior management to support the performance evaluation of the Head of Internal Audit.

Require that the Head of Internal Audit is positioned at a level in NRW that enables the Internal Audit services and responsibilities to be performed without interference from management and that this positioning provides the organisational authority and status to bring matters directly to the Accounting Officer and escalate to ARAC and the Board when necessary.

Acknowledge the actual or potential impairments to the Internal Audit function’s independence when approving roles or responsibilities for the Head of Internal Audit that are beyond the scope of Internal Audit. ARAC is required to engage with the Accounting Officer and the Head of Internal Audit to establish appropriate safeguards if the Head of Internal Audit roles and responsibilities impair or appear to impair the Internal Audit function’s independence.

Communicate with the Head of Internal Audit to understand how the internal audit function is fulfilling its mandate. The Head of Internal Audit must report to ARAC and the Accounting Officer for oversight of the following:

  • The Internal Audit Strategy, Plan and budget as well as any subsequent significant revisions to them; 
  • Changes potentially affecting the Internal Audit Mandate and Charter; 
  • Results of Internal Audit services, including conclusions, themes, assurance advice, insights and monitoring results; 
  • Results from the External Quality Assurance Programme, which must be carried out at least once every five years in line with the GIAS; and 
  • The annual Opinion of the Head of Internal Audit on the governance, risk management and control within NRW, prior to its submission to the Welsh Government Partnership Team.

Advise the Board on the maintenance of the internal audit arrangements in accordance with the objectives, standards and practices described in the Global Internal Audit Standards;

Counter fraud, Bribery and Corruption, raising a serious concern and special investigations

Advise the Board and Chief Executive Officer/Accounting Officer on the organisation’s anti-fraud, bribery and corruption policies (including the Counter Fraud, Bribery and Corruption Policy), whistleblowing processes, and arrangements for special investigations;

Consider NRW’s counter fraud arrangements on a regular basis to understand the main fraud and error risks and management actions to mitigate these. This will include considering counter fraud work plans for the coming year, including ensuring a review of the organisation’s counter fraud strategy and policy for the organisation and considering annual reports and updates on counter fraud and raising a serious concern in the public interest (whistleblowing);

Seek to gain satisfaction that:

  • There is an appropriate anti-fraud policy in place which is regularly reviewed and updated;
  • Suitable processes are in place to ensure fraud is guarded against (i.e., controls are designed to prevent and detect fraud and error); and
  • Losses are suitably recorded and responded to.  

Receive reports on major incidents and near misses as well as details of special investigations, including any raising a serious concern in the public interest cases.

ARAC reporting

ARAC shall formally report to the Board and the Accounting Officer after each of its meetings.

ARAC shall provide the Board and the Chief Executive Officer/Accounting Officer with an Annual Report summarising the business it has conducted during the year and the conclusions it has drawn therefrom, which shall be timed to support the finalisation of the accounts and to support and inform the production of the Chief Executive/Accounting Officer’s Governance Statement.

ARAC’s Annual Report shall also provide ARAC’s opinion about:

  • The effectiveness of governance, risk management and control, including NRW’s proposed disclosure on compliance with the Orange Book; 
  • The comprehensiveness of assurances in meeting the Board and Chief Executive Officer/Accounting Officer’s needs;
  • The reliability and integrity of these assurances; 
  • If the assurance available is sufficient to support the Board and Chief Executive Officer/Accounting Officer in their decision taking and their accountability obligations; 
  • The implications of these assurances for the overall management of risk; 
  • Any issues ARAC considers pertinent to the Governance Statement and any long-term issues to which ARAC decides it should draw the Board’s and/or Chief Executive Officer/Accounting Officer’s attention;
  • Financial reporting for the year; 
  • The quality of both internal and external audit and their approach to their responsibilities; and
  • ARAC’s view of its own effectiveness (see below), including advice on ways in which it considers it needs to be strengthened and developed.

ARAC should also conduct an annual effectiveness review (see the Standing Orders for the Conduct of Board and Board Committee Business for further information).
