Three new priorities for NHS audit committees

26 May 2020

NHS trust boards have been asked to lighten the load on executives as much as possible during the first and immediate phase of COVID-19, and there is a perceived wisdom by some that much of this lightening can remain permanent.

GGI has always encouraged leaner governance systems and a ‘mechanisation’ of the assurance elements of board work. We advocate a governance rhythm starting with an authentically board-owned and generated board assurance framework (BAF), through a management assurance system designed using the LEAN systems management approach, that is then tested through triangulation, constructive challenge and scrutiny by a board committee system.

It is only through a designed governance process such as this that boards stand any realistic chance of ‘lightening’ (we would say prioritising) their assurance role and the consequent reporting work for their executives.

Audit committee role

The role of the audit committee is key to achieving this nirvana. As the HFMA ‘Audit Committee Handbook’ (4th Edition, 2018) puts it: “Given that governing bodies rely on an assurance framework to monitor strategic objectives and identify significant inherent risks, the audit committee’s primary role is to look behind it to provide assurance that the framework itself is valid and suitable for the governing body’s requirements.”

In short, the audit committee checks the integrity of the organisation’s overall governance processes, leaving other board committees and management reporting to scrutinise the content.

GGI will soon be publishing a comprehensive briefing on how the role of NHS audit committees is being reframed by the immediate pandemic – and then by the heightened risks and challenges of a longer phase of living with COVID-19 until a global vaccination programme extinguishes the virus.

We have identified three areas where audit committees need to up their game. We are sharing these now as we consult further nationally on our substantive briefing, as the final phase of its development.

Crises, risks and issues

The risk register and/or board assurance framework can never hope to anticipate all crises. The current COVID-19 pandemic is unprecedented since the establishment of the NHS so there is no shame in not having seen it coming. It is a serious issue for a trust to deal with but the actions and responses are largely centrally determined and its place on a BAF is questionable.

However, now COVID-19 is here, boards should have adapted the BAF to recognise the impact on strategic objectives and indeed whether these objectives are now appropriate.

What is unarguable is the inclusion of a risk on the register to deal with the unexpected, how to deal with business interruption and what the acceptable consequences of crisis management should be. The audit committee therefore should expect to see such a risk and to be involved in the mitigations – business interruption policies, escalation plans and, after an event has been resolved, making sure there has been a thorough review to learn from the event and that the relevant plans and policies are updated. This is likely to need an external perspective to be included in the consideration.

Cyber security

Cyber security is a serious 21st century issue and there have been a number of high-profile incidents. The Treasury’s guidance makes it clear that audit committees should scrutinise cyber security arrangements and have robust and rapid responses in place. In practice this needs to involve the senior information risk owner (SIRO). The National Audit Office suggests three questions for audit committees:

  • Has a formal regime or structured approach to cyber security which guides its activities and expenditure been implemented?
  • How has management decided what risk it will accept, will tolerate and then how it manages that risk – GGI’s risk appetite board briefing provides a useful guide to boards.
  • Have you identified and deployed the capabilities needed in this area?

In practice, this suggests that the committee will want to:

  • evaluate the governance and controls in place
  • understand the potential threats and system weaknesses
  • be reassured there is capable management resource in place to deal with cyber security matters
  • see that there is an incident response plan in place, tested and ready to go
  • know that the workforce has been briefed and trained about cyber security.

Collaborative working

Collaborative or partnership working is going to become a larger part of all NHS lives in the coming years and setting out the role of an audit committee is important but potentially tricky.

It is important because the sovereign organisations remain the participants and not the integrated care system (ICS), which is not a legal entity.

It is tricky because balancing progress, co-operation and achieving more for local people where the balance of risks may fall in complex ways across the various organisations within an ICS may not always be comfortable for board members of individual trusts.

It’s easy to advocate ‘light touch’, but the reality may well be more complex as the strengths, challenges and influences of the various participants make themselves felt and will be unevenly spread within an ICS.

Local health economies are multi-faceted and need a similar response. However, the guiding light must be the potential for sustainable improvement for patients, citizens and service users through the better management of population health.

Questions for audit committees

An audit committee should first and foremost understand what the local arrangements are – their overall aims, ambitions, strategies and intentions, including their alignment across the system:

  • What do these mean for delegation – what will the ICS be able to decide and what matters remain reserved for participants to make?
  • What are the shared decision-making arrangements?
  • Do you understand the accounting arrangements being put in place, especially when participants may have completely different funding mechanisms – as in local authorities and the voluntary sector?
  • Is there an agreed risk management set-up – including whether there is an appetite for drawing risk appetite and tolerance together?
  • Are you going to be assured by the flow and quality of information that will become available?

It would be helpful if the partnership only had to provide this reassurance once so it is incumbent on audit committees across the collaboration to agree what assurance they are collectively seeking. Ultimately, as the partnership matures, moving to an audit committee in common, including the deployment of internal audit resources, is likely to be the right solution.

We are keen to hear your views. If this briefing prompts any comments or questions, please call us on 07732 681120 or email

Andrew Corbett-Nolan

Chief Executive


Prepared by GGI Development and Research LLP for the Good Governance Institute.
