Guidance

Using Functional Standards: A guide for audit and assurance activities

Published 30 September 2024

1. Purpose of guide

The purpose of this reference guide is to set out how functional standards can support and form part of the evidence required by those carrying out assurance or audit activities across government.

2. What are functions and standards

A government function is a cross government grouping embedded into departments and arm’s length bodies to manage specialist work such as HR, project delivery and security. The purpose of each function is summarised on the government functions guidance page on gov.uk. A function harnesses the skills of people from any relevant government profession.

A functional standard sets the expectations for the management of a function’s work across government. 

Functional standard GovS 001, Government functions, addresses the purpose of functions and what is required of their leaders. The other standards set expectations for the management of their respective function’s work. 

The standards clarify what should already be happening in every organisation and working as a suite cross-reference, where appropriate, to the functional standards they rely on.

The standards drive coherence, consistency and continuous improvement, to support the enduring principles and requirements set out in Managing Public Money.

Continuous improvement assessment frameworks set levels of maturity (using ‘good’, ‘better’ and ‘best’ criteria) against the most important aspects of a standard and makes it easy for organisations to understand how mature they are in relation the standard, and where they should aim to improve.

3. Mandate of standards

Functional standards were mandated for use across government (including arm’s length bodies) in September 2021, and may also be adopted by other public sector organisations, see Dear Accounting Officer letter DAO 05/21.

4. Consistent language used in standards

A functional standard uses consistent language and agreed definitions. Standards state what is mandatory (shall) and strongly advisory (should). They also share a common glossary of terms to be used in the organisation’s documentation so people are clear on what is meant – avoiding misunderstandings.

5. Appropriate and proportionate use of standards

The standards should be applied proportionately to the size and complexity of the functional work done in an organisation, and used together with continuous improvement assessment frameworks to drive improvement over time. 

Each organisation may decide how to conform with the standard in practice, taking advice from the relevant functional leader either in an organisation/parent department or across government.  

6. Expectations for assurance

Each functional standard mandates that organisations shall have a defined and established approach to assurance, and should typically be on three separate and defined levels (‘The Three Lines Model’).

Each standard mandates that the requirements of the Orange Book: management of risk – principles and concepts shall be met, annex 2 explains The Three Lines Model further.

7. Using standards to support audit or assurance

Functional standards provide a consistent understanding of a function’s scope, and are designed to support existing risk management, assurance and control arrangements at all levels, without creating new burdens.

Each standard sets expectations for what needs to be done, and why, relating to the work within its scope. How work should be done is set out in associated documentation, which is defined and organised through the governance and management framework (PDF, 533KB).

Standards provide a baseline of expectations that accounting officers; audit, risk and assurance Committees; and assurance providers can draw upon. Part II of the Orange Book: management of risk – principles and concepts, The Risk Control Framework (XLSX, 977KB) outlines the accounting officer’s responsibility for ensuring organisational compliance with existing rules and guidance, including all relevant functional standards. The Risk Control Framework may be used by assurance areas within organisations to provide assistance, oversight, advice and/or assurance to accounting officers, as well as by internal auditors seeking a consistent structure for audit planning and results reporting.

GovS 009: Internal Audit sets the expectations for internal audit activity.

There is an expectation when planning an audit engagement that internal auditors consider how well relevant government standards, including functional standards, are being met and that relevant functional standards are followed when undertaking audits.

In most cases business activities draw on more than one functional standard. Those using the functional standards to support assurance or audit activities should familiarise themselves with the purpose and scope of each standard, together with standards directly related to each other - which is listed in the opening clause of each standard.

Auditors and assurance reviewers should verify whether the methods, process and arrangements in the organisation’s governance and management framework are compliant with the relevant functional standards,are being followed and are having the desired effect.

8. Continuous improvement 

Continuous improvement assessment frameworks are a management tool designed to give organisations an objective way to see how they’re doing, and how good they need (and aspire) to be against a particular functional standard.

The frameworks help organisations understand their aspiration, through setting levels of maturity against the most important aspects of a standard (good, better or best). They can help assurance providers by providing consistent, comparable and evidence based information on how an organisation is adhering to and applying a particular functional standard.

The continuous improvement frameworks draw on, but do not replace the requirements of the functional standards themselves. What they facilitate is honest self-appraisal and improvement action.