Audit South West Internal Audit, Counter Fraud and Consultancy Services

Weston Area Health NHS Trust

2013/14 Head of Internal Audit Opinion

PRIVATE & CONFIDENTIAL

Prepared By: Jenny McCall, Director of Audit May 2014

HEAD OF INTERNAL AUDIT OPINION ON THE EFFECTIVENESS OF THE SYSTEM OF INTERNAL CONTROL AT THE WESTON AREA HEALTH NHS TRUST FOR THE YEAR ENDED 31 MARCH 2014

Roles and Responsibilities

The whole Board is collectively accountable for maintaining a sound system of internal control and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system.

The Annual Governance Statement is an annual statement by the Accountable Officer, on behalf of the Board, setting out:

• How the individual responsibilities of the Accountable Officer are discharged with regard to maintaining a sound system of internal control that supports the achievement of policies, aims and objectives.
• The governance framework of the organisation including the Board’s committee structure, the structure and use of the Board Assurance Framework, an assessment of the Board’s effectiveness and its compliance with the Corporate Governance Code.
• How risk is assessed and managed including a description of the risk management and review processes.
• The conduct and results of the review of the effectiveness of the system of internal control including any disclosures of significant control deficiencies together with assurances that actions are or will be taken where appropriate to address issues arising.

The organisation’s Assurance Framework should bring together all of the evidence required to support the Annual Governance Statement requirements.

In accordance with Public Sector Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes (i.e. the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described below. The opinion does not imply that Internal Audit has reviewed all risks and assurances relating to the organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a robust and organisation-led Assurance Framework. As such, it is one component that the Board takes into account in making its Annual Governance Statement.

The Head of Internal Audit Opinion

The purpose of my annual HoIA Opinion is to contribute to the assurances available to the Accountable Officer and the Board which underpin the Board’s own assessment of the effectiveness of the organisation’s system of internal control. This Opinion will, in turn, assist the Board in the completion of its Annual Governance Statement, and may also be taken into account by the Care Quality Commission in relation to compliance with Outcomes.

My opinion is set out as follows:

1. Overall opinion;
2. Basis for the opinion;
3. Commentary.

My overall opinion is that

Significant assurance can be given that there is a generally sound system of internal control, designed to meet the organisation’s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls put the achievement of particular objectives at risk.

The basis for forming my opinion is as follows:

1. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes.

2. An assessment of the range of individual opinions arising from risk-based audit assignments contained within Internal Audit’s risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management’s progress in respect of addressing control weaknesses.

3. Any reliance that is being placed upon third party assurances.

Internal Audit’s work has been taken forward in three broad categories. The following summarises the opinions and assurances from the reviews undertaken in these areas.

Governance Assurance

Internal Audit has undertaken reviews on the following areas associated with governance within the Trust:

| Audit | Assurance Rating | Impact assessment |
|---|---|---|
| Governance & Risk Management | Green | Low |
| Business Continuity/ Emergency Planning | Red | High |

In relation to the reviews noted above the following comments are made.

Governance & Risk Management – April 2014

The WAHT Corporate Governance structure is comprehensive and well thought out. Dissemination of information has been arranged to flow upwards, which should ensure all board members are well-informed and kept up to date with regard to key issues and performance of the Trust across all divisions and departments.

The Trust has implemented a comprehensive and uniform Corporate Governance Framework to lead the organisation. Up-to-date Terms of Reference for each committee provide clear guidance on how to operate to consistently high standards, and the Terms of Reference are observed and adhered to.

Agendas for each committee are clearly stated and follow a standard professional format. Meeting minutes also follow a standard professional format.

Risk Management is well managed and reported, with registers managed by seven departments, which report into the Risk Management Committee that also addresses the Corporate Risk Register. The recorded risks have been evaluated and scored on a raw and residual risk basis and each risk is regularly reviewed by the responsible officer. This action is recorded as it occurs.

Board Assurance Framework

During the audit year we have reviewed the Board Assurance Framework and established that it is a dynamic tool that contains the key issues facing the Trust. The Trust has been carrying out a review of the format of the Board Assurance Framework during the year to ensure that it provides the Board with relevant information.

The Board received the Assurance Framework in May 2013 and again in August 2013. Work was ongoing to ensure that assurance was gained from a variety of sources. The Assurance Framework and Corporate Risk Register (Clinical & Non-Clinical risks) were reviewed at every Audit & Assurance Committee and the minutes of those meetings were presented to the Board.

The Framework contains all component parts to ensure compliance with Department of Health guidance, and the Board and the Audit and Assurance Committee have been appropriately engaged in developing and maintaining the Assurance Framework through the year.

Business Continuity/ Emergency Planning – August 2013

Activity surrounding business continuity and emergency planning has clearly taken place in recent months. The Trust has appointed an Interim Emergency Planning Lead and the Trust is participating in a group formed by NHS England (BNSSG Area Team) to ensure South West wide continuity in emergency planning. However, we have found that a number of the recommendations made in the previous audit (2012/13) have only been partially completed or actions have not yet started.

In particular, further work is required by the Trust to ensure there is effective evidence to demonstrate that:

• All plans have been circulated and signed off by the Executive Committee.
• Formal methods of feedback from testing are in place.
• Training around this area is completed.
• The Major Incident Committee is set up with formal time scales for completion of work.

The Trust is working as part of a group formed by NHS England (BNSSG Area Team) to put plans in place for communicable disease and mass casualties. It is also working in this team to be part of area-wide tests.

Overall Governance Assurance Reviews have concluded, overall, that the current systems in place represent a low risk to the Trust and that positive assurance can be provided that the systems in place are operating satisfactorily.

Financial Assurance

Internal Audit has undertaken reviews on the following financial areas of the Trust:

| Audit | Assurance Rating | Impact assessment |
|---|---|---|
| Main Accounting | Green | Low |
| Financial Efficiency Planning | Amber | High |
| Contract Management & Income Collection | Green | Low |
| HR/Payroll | Green | Low |

The Audit work, as outlined above, has been undertaken during the year on the financial systems and processes of the Trust. Our reviews have concluded that the current systems and processes in place represent a low risk to the Trust and that positive assurance can be provided that the systems in place are operating satisfactorily. We make comment below on the areas which were assessed as high impact to the organisation following our review.

Financial Efficiency Planning – April 2014

Our overall opinion based on a review of systems and processes is that the SIP process has significant weaknesses and has failed to achieve savings targets by a very considerable margin: projections in quarter 3 indicated a shortfall against the £4.5m target of some £2.3m by the year end.

Project Overview Documents (POD) were not completed as required for each scheme where the anticipated saving is greater than £40,000. Where PODs were completed there was not always sufficient information to justify the levels of savings anticipated. We also noted that the POD does not indicate when the documentation was last reviewed and, as such, it is not possible to determine whether the information contained is up to date and current.

Early in the annual cycle the Trust were forced to abandon the strategic and operational changes on which much of the intended savings were dependent. At the same time, internal and external savings development resources were re-directed to alternative initiatives.

Board reporting is frequent and factual in respect of the current position but how the slippage in the savings programme is to be recovered is not set out and there is no evidence that targets will be enforced. Despite the monitoring processes in place, which are successful in highlighting underachievement, at current levels of activity, the Trust is set to achieve less than half of its savings targets. Whilst there is a clear risk to the Trust in failing to deliver the savings plan we are not aware of any effective measures within the Trust to identify more savings or to motivate scheme owners to achieve their savings targets.

Third Party Assurances

ISAE 3402 Third Party Assurance report in respect of Payroll Controls in respect of University Hospitals Birmingham (UHB)

The Trust purchases its Payroll services from University Hospitals Birmingham NHS Foundation Trust (UHB). UHB have provided WAHT with a copy of their latest Internal Audit report of the Payroll Bureau of UHB which helps to inform the Trust’s Annual Governance Statement. Although the Internal Audit report covers all processes provided by UHB, WAHT only uses UHB to process payments and all other ESR functions are carried out by WAHT personnel.

We are satisfied that this report dated 4th March 2014, provided by KPMG, provides reasonable assurance in respect of the payroll services provided by UHB, which supports the Trust’s Annual Governance Statement.

Key messages in their overall audit opinion were as follows:

• On the basis of this review, an assessment of significant assurance has been made. This reflects that whilst there are sound control and monitoring mechanisms in place, these could be further developed to enhance the level of assurance provided.
• Payroll Bureau’s management have reacted very positively, accepting all recommendations.
• Recommendations were due to have been implemented immediately.
• Main issues arising were:
  • Overpayments occurred due to the late notification of leavers and amendments by bureau customers.
  • Random spot checks on carried out to confirm the accurate input of data. These spot checks may identify minor data errors that would be missed by the normal exception reports.

ISAE 3402 Third Party Assurance report in respect of IT General Controls in respect of the Electronic Staff Record (ESR)

In common with all NHS bodies, the Trust utilises the Electronic Staff Record (ESR) for its HR functions. An established routine is in place whereby third party assurance is provided annually within an Independent Service Auditor's ISAE 3402 third party assurance report, which helps to inform the Trust's Annual Governance Statement on Internal Control. This covers the IT general controls operated by McKesson UK in relation to the ESR.

We are satisfied that the 2013/14 Independent Service Auditor's report provided by PricewaterhouseCoopers, dated 30th April 2014, provides reasonable assurance in respect of the IT general controls operated by McKesson UK in relation to the national Electronic Staff Record. This supports the organisation's Annual Governance Statement.

The audit work conducted by PricewaterhouseCoopers covered the following six areas:

• Change Management;
• Logical Security;
• Problem Management and Performance and Capacity Planning;
• Physical Security and Environmental Controls;
• Computer Operations; and
• Payslip Distribution.

The key messages in the overall audit opinion of the Report of Independent Service Auditor are as follows:

• The accompanying process description fairly presents the ESR service that had been designed and implemented throughout the period 1 April 2013 to 31 March 2014.
• The IT general controls related to the control objectives stated in the description were suitably designed throughout the period 1 April 2013 to 31 March 2014.
• The controls tested, which were those necessary to provide reasonable assurance that the IT general control objectives stated in the description were achieved, operated effectively throughout the period 1 April 2013 to 31 March 2014.

The overall conclusion from their audit opinion was that for the period 1 April 2013 to 31 March 2014, the control environment and IT general controls for the ESR service were suitably designed and effective in helping to achieve objectives in relation to the areas above. Detailed testing identified a small number of areas where controls were either not designed or operating efficiently; however, these did not adversely impact upon the overall control environment, as appropriate mitigating controls were in place for all but one of the controls and this control was not regarded as a key control.

Corporate Assurance

We have conducted a number of reviews in relation to the corporate systems of internal control within the Trust.

| Audit | Assurance Rating | Impact Assessment |
|---|---|---|
| Clinical Audit Governance | Red | Medium |
| Safeguarding | Amber | Low |
| Information Governance Toolkit | Amber | Medium |
| Internet & E-Mail Use | Green (draft) | Low (draft) |
| Data Quality – Serious Incidents | Amber (draft) | Medium (draft) |

The paragraphs below discuss the main findings of our audit reports where the impact assessment has been determined as being medium. There are a number of medium rated reviews being reported this year. This is reflective of the positive engagement we have with the Executive Team in terms of commissioning reviews to provide added value in areas where the Trust is looking to improve and enhance patient experience. We have included draft reports in the Opinion. The work on these audits has concluded and therefore the gradings will not change on finalisation of the reports.

Clinical Audit Governance – September 2013

Control activities in place to provide Trust Senior Management with assurance that the Clinical Audit function is achieving its mission are weak. It is clear that the Trust is engaged in a number of initiatives to improve the governance of clinical audit and the improvements to current practice suggested as part of this review could enhance the governance of the clinical audit function. These include:

• assurance to be obtained to ensure that the Trust objectives and goals are met in the audit programme;
• the audit programme to differentiate national initiatives and local priorities from clinical leads’/team’s requests;
• a formal process for ensuring that all clinical audits are registered with the Clinical Audit Team prior to their commencement;
• clear reporting arrangements to ensure how the Clinical Audit and Effectiveness Committee will receive assurance in the delivery of the audit programme;
• Quality and Governance Committee to receive assurance as to whether re-audits have been completed when appropriate;
• a formalised Clinical Audit strategy to be put in place; and
• clinical audit skills training to be provided to staff carrying out clinical audits.

Data Quality – Serious Incidents – Medium impact

Whilst there is a clear and robust structure in place for the management of Serious Incidents we have identified a number of areas where the operation of those processes may undermine the effectiveness of the controls.

The Trust has established appropriate policies which clearly establish the mechanism for reporting incidents that occur. A robust system for the capture of incidents is in place which is available to all staff to report an incident. The investigation of incidents is carried out by managers but whilst there is guidance on how to carry out investigations available there is insufficient training on investigation including Root Cause Analysis provided to managers.

There is a clear and sound methodology in place for the capture, analysis and assessment of incidents. Incident information reports are provided to managers which provide reliable and accurate information. Appropriate controls are in place to ensure that incident information is protected from unauthorised amendment and regularly backed up which would enable data to be retrieved should it become corrupted or lost. Whilst staff in the Divisions are following the processes set out in the relevant incident policy in the main there is a lack of knowledge in some areas of the Trust which may result in the incorrect process being followed. We have also identified a number of issues relating to the consistency of the recorded data which could cause the accuracy and validity of individual investigations to be thrown into doubt.

Information Governance – May 2014

The audit of the Information Governance Toolkit has indicated that there is a significant amount of attention required by the Trust to the requirements reviewed to ensure that Level 2 is met.

As part of this review the following issues were discovered which need to be considered:

• there were instances where the evidence provided related to previous years and was therefore not applicable in support of a 2014 submission; and
• many policies uploaded to the Toolkit were past their review dates.

From our review of evidence uploaded to the IG Toolkit at the time of our audit the following was noted:

Of the 30 requirements reviewed:

• 2 could be validated as Level 3
• 8 could be validated as Level 2
• 7 were validated as Level 1
• 1 could not be assessed as it was not relevant (Requirement 209)
• 12 were validated as Level 0 mainly because of documentation uploaded being out of date, wrong versions of policies uploaded and/or evidence missing to substantiate the scores.

Other Work

In respect of all reviews undertaken during the year, recommendations have been agreed with management to address gaps in control and assurance. We have monitored the status of these recommendations over the year and can report that recommendations are positively accepted. Outstanding recommendations are reported and monitored by the Audit and Assurance Committee at each meeting.

Jenny McCall
Director of Audit
Audit South West
