Head of Internal Audit Opinion and Annual Report...1.4 Summary of Audit Assignments The audit coverage has been focused on key strategic and operational risk areas, the outcome of

INTERNAL AUDIT REPORT

Cardiff and Vale University Health Board Head of Internal Audit Opinion and Annual

Report 2012/13

Private and Confidential

NHS Wales Shared Services Partnership

Audit and Assurance Services

Cardiff and Vale University Health Board Report Contents

Head of Internal Audit Opinion and Annual Report

CONTENTS 1. EXECUTIVE SUMMARY........................................................................3

1.1 Purpose of this Report .....................................................................3 1.2 Head of Internal Audit Opinion..........................................................3 1.3 Delivery of the Audit Plan.................................................................3 1.4 Summary of Audit Assignments ........................................................3

2. HEAD OF INTERNAL AUDIT OPINION....................................................4 2.1 Roles and Responsibilities ................................................................4 2.2 The Head of Internal Audit Opinion....................................................4 2.3 Standards for Health Services in Wales ..............................................7 2.4 Risk Based Internal Audit Assignments ..............................................8 2.6 Statement of Independence ........................................................... 10 2.7 Completion of the Governance Statement ........................................ 10

3. DELIVERY OF THE INTERNAL AUDIT PLAN........................................... 11 3.1 Internal Audit Standards for the NHS in Wales .................................. 11 3.2 Quality Assurance and Performance Indicators .................................. 11 3.3 Performance against the Audit Plan ................................................. 11

4 RISK BASED AUDIT ASSIGNMENTS ...................................................... 12 4.1 Substantial Assurance ................................................................... 12 4.2 Reasonable Assurance ................................................................... 13 4.3 Limited Assurance......................................................................... 15 4.4 No Assurance ............................................................................... 16 4.5 Assurance Not Applicable ............................................................... 17 4.6 Other Assurance Reports ............................................................... 17

5 ACKNOWLEDGEMENT ......................................................................... 19

Appendix A Appendix B

Compliance with Audit Standards Assignment Summary – General Audit

Appendix C Assignment Summary – Capital and Estates Audit Appendix D Assignment Summary – NWSSP Audit Appendix E Performance Indicators Appendix F Audit Assurance Ratings Appendix G Recommendation Priorities Appendix H Responsibility Statement

Report status: Final Draft report issued: April 2013 Final report issued: May 2013 Auditor: Head of Internal Audit Executive sign off Director of Finance Distribution Board Secretary, Deputy CEO,

Chief Executive. Committee Audit Committee

NHS Wales Audit & Assurance Services Page | 2

Cardiff and Vale University Health Board


Audit Opinion


1. EXECUTIVE SUMMARY

1.1 Purpose of this Report

The Board is collectively accountable for maintaining a sound system of internal control that supports the achievement of the organisation’s objectives, and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system. A key element in that flow of assurance is the overall assurance opinion from the Head of Internal Audit.

This report sets out the Head of Internal Audit opinion together with the summarised results of the internal audit work performed during the year. The report also includes a summary of audit performance in comparison to the plan and an assessment of compliance with auditing standards.

1.2 Head of Internal Audit Opinion

The purpose of my annual Head of Internal Audit opinion is to contribute to the assurances available to the Accountable Officer and the Board which underpin the Board’s own assessment of the effectiveness of the system of internal control. This opinion will in turn assist the Board in the completion of its Annual Governance Statement.

In my opinion The Board can take Limited Assurance that arrangement to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. More significant matters require management attention with moderate impact on residual risk exposure until resolved.

1.3 Delivery of the Audit Plan

The internal audit plan has been delivered substantially in accordance with the schedule agreed with the Audit Committee. Regular audit progress reports have been submitted to the Audit Committee during the year. Our assessment has confirmed compliance with the mandatory requirements of the Internal Audit Standards for NHS Wales. This view is confirmed by the independent review performed by the Wales Audit Office.

1.4 Summary of Audit Assignments

The audit coverage has been focused on key strategic and operational risk areas, the outcome of these reviews will naturally highlight control weaknesses that impact on the overall assurance opinion. In overall terms the majority of assignments provide positive assurance to the Board that arrangements to secure governance, risk management and internal control are suitably designed and applied effectively. However the significance of the matters raised in those areas with more negative findings impacts on the overall audit judgement expressed in the opinion.



Audit Opinion


2. HEAD OF INTERNAL AUDIT OPINION

2.1 Roles and Responsibilities

The Board is collectively accountable for maintaining a sound system of internal control that supports the achievement of the organisation’s objectives, and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system.

The Governance Statement is an annual statement by the Accountable Officer, on behalf of the Board, setting out:

• How the individual responsibilities of the Accountable Officer are discharged with regard to maintaining a sound system of internal control that supports the achievement of policies, aims and objectives.

• The purpose of the system of internal control, as evidenced by a description of the risk management and review processes, including compliance with the Standards for Health Services in Wales.

• The conduct and results of the review of the effectiveness of the system of internal control including any disclosures of significant control failures, together with assurances that actions are or will be taken where appropriate to address issues arising.

The organisation’s risk management process and system of assurance should bring together all of the evidence required to support the Annual Governance Statement.

In accordance with the Internal Audit Standards for the NHS in Wales, the Head of Internal Audit (HIA) is required to provide an annual opinion, based upon and limited to the work performed on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes (i.e. the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide an appropriate level of assurance.

The Opinion does not imply that Internal Audit have reviewed all risks and assurances relating to the organisation. The opinion is substantially derived from the conduct of risk-based internal audit plan formulated around a selection of key organisations systems and risks. As such, it is one component that the Board takes into account. The Board will need to consider assurances from other sources including reports issued by other review bodies, assurances given by management and other relevant information in completing its Governance Statement.

2.2 The Head of Internal Audit Opinion

The purpose of my annual Head of Internal Audit Opinion is to contribute to the assurances available to the Accountable Officer and the Board of Cardiff and Vale University Health Board which underpin the Board’s own assessment of the effectiveness of the organisation’s system of internal control. This Opinion will in

Cardiff and Vale University Health Board Audit Opinion


turn assist the Board in the completion of its Governance Statement, and may also be taken into account by Healthcare Inspectorate Wales in assessing compliance with the Standards for Health Services in Wales.

Assurance Rating System for HIA Opinion

In consultation with key stakeholders across NHS Wales further developmental work was undertaken during 2012/13 to refine and embed an improved assurance rating system based upon a colour-coded barometer. The descriptive narrative used in these new definitions has been clarified to give an objective and consistent measure of assurance in the context of assessed risk and associated control.

The assurance rating system is applied to the overall HIA opinion on governance, risk management and control as well individual assignment audit reviews. The assurance rating system together with definitions is included at Appendix F.

A quality assurance review process has been applied by the Director of Audit & Assurance and the Head of Internal Audit in the annual reporting process to ensure auditor judgements are supported by the evidence base and opinions are calibrated in the context of the new rating system. In particular consideration has been given to the exposure to risk across the organisations business activities as identified from audit findings and the associated impact on the overall control assessment.

Head of Internal Audit Opinion

My assurance assessment on the overall adequacy and effectiveness of the organisation’s governance, risk management, and control processes is set out below. Whilst a number of audit assignments undertaken provide positive assurance on control the significance of the matters raised in those areas with more negative findings impacts on the overall audit judgement expressed in the opinion.

Lim

ited

ass

ura

nce

- +

Amber

The Board can take limited assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. More significant matters require management attention with moderate impact on residual risk exposure until resolved.




Audit Opinion


This opinion will need to be reflected within the Annual Governance Statement along with confirmation of action planned to address the issues raised. Particular focus should be placed on the agreed response to any limited assurance reports issued during the year and the significance of the recommendations made.

Basis for Forming the Opinion

The evidence base upon which the opinion is formed is as follows:

• The review of the process for self-assessment of Standards for Health Services in Wales. Evidence available by which the Board has arrived at its declaration in respect of the assessment for the Governance and Accountability module.

• An assessment of the range of individual opinions arising from risk-based audit assignments contained within the internal audit risk-based plan that have been reported to the Audit Committee throughout the year. This assessment has taken account of the relative materiality of these areas and management’s progress in respect of addressing control weaknesses.

• Other assurance reviews including: reviews undertaken under the capital and estates audit programme; audit work performed in relation to systems operated by the NHS Wales Shared Services Partnership;

A summary of the findings in each area of work is set out in the main section of this annual report.

Limitations to the Audit Opinion

Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding the achievement of an organisation’s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems.

As mentioned above the scope of the audit opinion is restricted to those areas which were the subject of audit review through the performance of the risk-based internal audit plan. These various reviews relate to the systems in operation during 2012/13 unless otherwise stated and reflect the condition of internal controls pertaining at the point of audit assessment.

There are some specific assurance reviews which remain relevant to the reporting of the Annual Report required to be published by 30 September rather than the accounts reporting stage required by 7 June. These new assurance requirements relate to the following two additional public disclosure statements:

• Annual Quality Statement

• Environmental Sustainability Report

The specified assurance work on these statements has been aligned with the timeline for production of the Annual Report and accordingly will be completed and reported to management and the Audit Committee subsequent to this HIA opinion.



Audit Opinion


Caution should be exercised when making comparisons with prior years. Audit coverage will vary from year to year based upon risk assessment and cyclical coverage on key control systems. Furthermore the introduction of the revised rating system has recalibrated the current year assessment on nationally consistent terms.

2.3 Standards for Health Services in Wales

The objective of the audit review was to evaluate and determine the adequacy of the systems and controls in place for the embedding, utilisation and assessment of the Standards for Health Services in Wales. In undertaking our work across the audit plan we take the opportunity to consider compliance any relevant service specific standard.

The overall objectives of the review were to:

• Ensure that processes were in place for the preparation and completion of the self assessment.

• Ensure the standards are embedded in the organisation at all levels and across all activities.

• Ensure that the requirements for the Annual Governance Statement were addressed.

• Review a risk based sample of individual Corporate and Divisional self assessments.

The audit of the Standards for Health Services in Wales identified the following:

• The review found that satisfactory processes are in place within the UHB to ensure that the Standards for Health Services 2012/13 Self Assessments were effectively completed in a timely manner. The assessments were also supported by appropriate narrative and scoring at both Corporate and Divisional levels.

• All Corporate and Divisional Self Assessments sampled were appropriately supported by Key Improvement Actions to be undertaken during 2013/14. Additionally, Key Improvement Actions stated in the 2011/12 Self Assessments were implemented during 2012/13.

• Satisfactory ongoing progress continues to be made towards embedding the Standards across all Divisions within the organisation and this can be evidenced by the range of practice examples sourced across UHB departments and specialities compared to the previous years submissions.

Overall, we concluded and reported Substantial assurance rating for this review.

Cardiff and Vale University Health Board Audit Opinion


Governance and Accountability Module

In addition the review of the Standards above, a review on the Governance and Accountability Module has been undertaken. A Board session, including independent members, took place on 22nd May 2013 to undertake the self assessment. Internal Audit attended this meeting to observe the process and nature of discussions to ensure that an appropriate level of discussions and scrutiny took place.

A thorough assessment took place at the session, with a significant level of discussion and challenge occurring and concluding in an appropriate level of assessment being made.

2.4 Risk Based Internal Audit Assignments

The audit coverage has focused on key strategic and operational risk areas, the outcome of the reviews therefore naturally highlight control weaknesses that impact on the assurance provided.

The overall audit opinion takes account of the relative materiality of each of the systems reviewed. Each of the reviews provides an opinion as at the point in time the work was completed with the possibility that some reviews have been subject to follow-up review within the financial year and should therefore have been subject to management action. It should also be recognised that many of the reviews were selected on a risk basis, which will impact upon the level of the assurance provided.

The overall picture of assurance across the assignments included in the audit plan is summarised in Figure 1 below.

Figure 1 Assignment Assurance Summary




Audit Opinion


Key outcomes arising from our work reported in 2012/13 and informing the overall opinion included:

• The audits of the health board managed financial systems have confirmed that a generally sound system of internal financial control is in place within the health board with the General Ledger, Income & Cash and Asset Register gaining Substantial Assurance.

• Among the audits in the corporate assurance areas, a number of

reports were allocated a mix of substantial and reasonable assurance indicating that controls are generally sound; however there were also a number where limited assurance was given where there remains significant risk that control objectives may not be met.

• Key amongst these corporate assurance reports are the Medicines Management, Risk Management, Patient Access, Financial Plan and Medical Locum reviews which each received Limited Assurance, along with the Medicine top up payments review was allocated No assurance. Management action was agreed to address this specific issue and therefore strengthen the system going forward.

• The thematic review of health and safety management arrangements reported Reasonable assurance overall and an improvement plan has been developed in this area.

• In the area of information governance and IM&T there was a mix of

outcomes with two reports being given Substantial assurance and two Limited assurance.

• The capital audit programme has issued two reports in particular which

identified significant areas for improvement in relation to the capital schemes in respect of both CRI and Llandough Stroke Unit and No assurance was given in each case.

Where weaknesses have been reported, our follow-up work indicates that management are progressing recommendations to strengthen controls although further work is still required in some areas. Notwithstanding these management actions, the exposure to significant risk in several areas causes the limitation in the overall assurance opinion for 2012/13.

A full list of assignment assurance ratings is included along with the assignment objective in section 4. The assurance ratings and definitions used for reporting audit assignments are included in Appendix F.



Audit Opinion


2.5 Systems operated by NWSSP The audits of the financial systems operated by NWSSP processing transactions on behalf of the health board have also confirmed a generally sound system of internal control within the shared service centre with Accounts Payable being allocated Substantial assurance and Payroll and Procurement (draft) Reasonable assurance. The audit of the contractor services systems have confirmed that a sound system of control is in operation with each assignment either being allocated Substantial or Reasonable assurance. A summary of the NWSSP assignment assurance objectives and outcomes is included in section 4.6 and these are detailed in Appendix D.

2.6 Statement of Independence

The Opinion contained within this report to support the Annual Governance Statement and the assurances provided on each audit review, as detailed within section 4, have been made objectively and independently of the organisation in accordance with the Code of Ethics of the Internal Audit Standards for the NHS Wales and the respective Professional Body.

2.7 Completion of the Governance Statement

Whilst the overall opinion provided should inform the Annual Governance Statement the Accountable Officer and the Board need to take in to account other assurances and risks when preparing their statement. These include, but are not limited to:

• Reviews completed by other audit, review and inspection bodies including the Wales Audit Office and Healthcare Inspectorate Wales.

• Reported compliance via the Welsh Risk Pool regarding claims standards.

James Johns

Head of Internal Audit (Cardiff and Vale University Health Board)

May 2013



Annual Report


3. DELIVERY OF THE INTERNAL AUDIT PLAN

3.1 Internal Audit Standards for the NHS in Wales

The Welsh Government has determined standards for Internal Audit for the NHS in Wales which the internal audit service is required to comply with. The NWSSP Audit and Assurance Services can assure the Audit Committee that it has conducted its audit at Cardiff and Vale University Health Board both in accordance with these mandatory standards and our own internal quality assurance systems. Accordingly the service complies with the mandatory requirements as detailed in Appendix A.

3.2 Quality Assurance and Performance Indicators

The provision of a high quality internal audit service is a fundamental aim of our service delivery methodology and compliance with the mandatory standards is central to our approach. Quality is controlled by the Head of Internal Audit on an ongoing basis and monitored by the Director of Audit & Assurance. The work of the audit service is also subject to an annual assessment by the Wales Audit Office under the International Standard on Auditing 610. The outcome of the Wales Audit Office review at the Health Board confirms compliance with the NHS Wales Internal Audit Standards.

In order to be able to demonstrate the quality of the service delivered by the Internal Audit service, a range of service performance indicators supported by monitoring systems have been developed. The key performance indicators are summarised in Appendix E.

3.3 Performance against the Audit Plan

The Internal Audit Plan has been delivered substantially in accordance with the schedule agreed with the Audit Committee, subject to changes agreed as the year progressed. Regular audit progress reports have been submitted to the Audit Committee during the year.

The assignment status summary is reported at Appendix B. There are a small number of reports which are reported in draft and await finalisation with management.

The reported outputs from the capital audit and estates assurance programme are in Appendix C. The relevant aspect of the NWSSP audit plan is detailed in Appendix D.

The approved plan for the year contained 1250 audit days with 1232 delivered which is 98%.

Cardiff and Vale University Health Board Annual Report


4 RISK BASED AUDIT ASSIGNMENTS

The risk based audit assignment element of the Opinion provided in Section 2 above is limited to the scope and objective of the reviews we have undertaken, detailed information on which has been provided within the individual audit reports.

The following schedules provide a summary of the reviews and objectives for each assignment contributing to this element of the Opinion along with the assurance rating. The assurance ratings for the reports issued in draft have still been utilised in the formation of the overall audit opinion. A complete schedule of these risk based audit assignments undertaken within the audit plan for 2012/13 is provided at Appendix B.

4.1 Substantial Assurance

In the following review areas the Board can take substantial assurance that arrangements to secure governance, risk management and internal control are suitably designed and applied effectively. Those few matters that may require attention are compliance or advisory in nature with low impact on residual risk exposure.

Review Title Objective

Standards for Health Services in Wales

To assess the adequacy of the systems and controls in place for embedding the standards, assessing compliance and improvement planning.

Income & Cash To assess the adequacy of the processes with the Health Board to manage operational banking and cash management systems.

General Ledger To provide assurance as to whether the management of the General Ledger is adequate so that the Trusts’ financial performance is accurately recorded and reported.

Asset Register To provide assurance as to whether the management of the Trust’s Capital Asset Register is sufficient to ensure that all capital assets are identified and properly accounted for.

Welsh Risk Pools Claims To assess the adequacy and effectiveness of controls in operation regarding the Welsh Risk Pool (WRP) Claim Procedure.

Coroner Rule 43s To establish if the UHB has adequate procedures in place to ensure that all Rule 43 Coroners Reports received are appropriately managed





and responded to in the required format and within the required timescales:

IT system -Poisons To provide assurance to the Board that data held

within the Poisons IT System is accurate, secure from unauthorised access and loss and that the system is used fully.

Mobile computing To provide assurance to the Board that the use of

mobile computing provides benefits to the UHB and that data is protected from unauthorised access and loss.

Non Emergency Patient transport (draft)

To establish if the UHB has adequate contracts and procedures in place to ensure that all required non-emergency patient transport is provided in an efficient and cost effective way:

4.2 Reasonable Assurance

In the following review areas the Board can take reasonable assurance that arrangements to secure governance, risk management and internal control are suitably designed and applied effectively. Some matters require management attention in either control design or operational compliance and these will have low to moderate impact on residual risk exposure until resolved.


Absence Management To establish if adequate controls are in place for the management of Absence.

Establishment Controls To evaluate and determine the adequacy of the systems and controls in place for the management of establishments including staff rotas and additional hours




Annual Report



PADR The objective of the audit was to evaluate and determine the adequacy of the processes in place across the UHB for the completion of PADRs.

CHAP( Asylum Seekers Service) The objective of the audit was to evaluate and determine the adequacy of the systems and controls in place for the management of CHAP, including Risk Mgt, Workforce, Performance and concerns management.

Out of Hours Service To evaluate and determine the adequacy of the systems and controls in place for the management of OOH. The review covered a range of management processes including, rotas, absence management and training.

Concerns Management To establish if the UHB manages concerns effectively and in accordance with the NHS (Concerns, Complaints & Redress Arrangements) (Wales) Regulations 2011. The audit will review management responsibilities, structures, policies and processes in place to manage concerns

Dignity and respect To establish if appropriate policies, procedures and systems are in place to ensure that the UHB complies with Welsh Government Dignity and Respect requirements, the Older People’s Commissioner for Wales Review recommendations and all other associated reviews and legislation.

Quality Outcome Framework To ensure that the QOF process is appropriately structured to properly assess the quality of service provided by the contractor and that the outcomes of QOF reviews feed onto the payment process.

Consultant’s job planning To ensure that consultant contracts are managed and monitored appropriately and that sufficient activity is undertaken to meet the needs of the Health Baord.

Non NHS Placements Follow up (draft)

To ensure that there is are appropriate systems and processes are in place for the commissioning of placements in non NHS facilities to ensure the safety of, and quality of care provided to, vulnerable individuals




Health and Safety (draft) To assess the overall arrangements for the management and reporting of health and safety risks within the health board.

4.3 Limited Assurance

In the following review areas the Board can take only limited assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. More significant matters require management attention with moderate impact on residual risk exposure until resolved.


Risk Management

To assess the adequacy of risk management arrangements across the organisation. To ensure that there is an appropriate mechanism in place that ensures risk is appropriately identified and managed

Financial Plan To ensure that there is an appropriate mechanism in place that ensures the UHB develops sustainable cost reduction plans and that performance against these is monitored.

Patient Access

To ensure that there are appropriate systems and processes are in place to allow for patients adjusted waiting times to be accurately recorded.

Medicines Management To provide assurance to the Board that ensure that the UHB has a robust framework in place for Medicines Management with mechanisms in place to ensure the safe and legal ordering, storage, administration and disposal of Controlled Drugs within the UHB.

Medical Locums Tto provide assurance to the Board that expenditure on medical locums is appropriate, authorised and minimised.

ALAS IT To provide assurance to the Board that data held within the ALAS IT System is accurate, secure from unauthorised access





and loss and that the system is used fully.

PC security To ensure that UHB data is appropriately secure form unauthorised access, that the UHB is not storing proscribed material and that only legitimate software is in use.

Private Patients (draft)

To ensure that there is an appropriate mechanism in place that ensures UHB (NHS) resources are not adversely affected by private work.

4.4 No Assurance

In the following review areas the Board has no assurance that arrangements to secure governance, risk management and internal control are suitably designed and applied effectively. Action is required to address the whole control framework in these areas with high impact on residual risk exposure until resolved.


Medicine Top up payments

To ensure that there is are appropriate systems and processes are in place to allow for patients to make top up payments.

Capital Scheme CRI To determine the adequacy of, and operational compliance with, the established systems for the management and control of capital projects at the Health Board, taking account of the Capital Investment Manual and other supporting regulatory and procedural requirements, as appropriate.

Capital Scheme Stroke Unit To determine the adequacy of, and operational compliance with, the established systems for the management and control of capital projects at the Health Board, taking account of the Capital Investment Manual and other supporting regulatory and procedural requirements, as





appropriate requirements, as appropriate.

4.5 Assurance Not Applicable

These are reviews and other assistance to management provided as part of the audit plan, to which the assurance definitions are not appropriate but which are relevant to the evidence base upon which the overall opinion is formed.


Linen Follow up

Follow up of key actions form the previous review.

4.6 NWSSP Assurance Reports

In forming my opinion I have had regard to other assurance reports, notably the internal audit reviews on the operation of internal controls within the NHS Wales Shared Services Partnership. These principally relate to transaction processing systems for primary care contractor services, accounts payable transactions through procurement services, and payroll transactions through employment services. The primary care transactions relating to Cardiff and Vale University Health Board are processed through the south east Wales regional contractor services centre.

The internal audit reviews in these areas indicate a generally sound system of internal control is operating for transactions processed by NWSSP on behalf of the Health Board. The table below summarises the results of these other assurance reviews.

Review Title

Objective Outcome

Payroll To assess whether the payroll system is adequate to ensure that timely and accurate payments are made to all eligible staff and sufficient accurate pay data is received.

Accounts Payable

To assess whether the purchasing and accounts payable procedures ensure that controls are operating over the ordering process and that only appropriately authorised payments are made on a timely basis.




Review Objective Outcome Title

Procurement

To assess whether the purchasing and accounts payable procedures ensure that controls are operating over the ordering process and that only appropriately authorised payments are made on a timely basis.

General Medical Services (GMS)

To assess the adequacy of the controls over payments to including General Medical Services primary care contractors.

General Dental Service (GDS)

To assess the adequacy of the controls over payments to General Dental Services primary care contractors.

General Ophthalmic Service (GOS)

To assess the adequacy of the controls over payments to including General Ophthalmic Services primary care contractors.

Community Pharmaceutical Service (CPS)

To assess the adequacy of the controls over payments to Community Pharmacists primary care contractors.

Prescribing Services

To assess the adequacy of the controls over payments to Prescription Pricing primary care contractors.

These other assurance reports are listed in full Appendix 4.




Annual Report


5 ACKNOWLEDGEMENT

In closing I would like to acknowledge the time and co-operation given by directors and staff of the Cardiff and Vale University Health Board in progressing the internal audit assignments undertaken within the 2012/13 plan.

James Johns

Head of Internal Audit (Cardiff and Vale University Health Board)

Audit & Assurance Services

NHS Wales Shared Services Partnership

May 2013

Cardiff and Vale University Health

Board


Appendix A

Compliance with Audit Standards


ATTRIBUTE STANDARDS: Purpose, authority and responsibility

Internal Audit arrangements are derived from the Health Board Standing orders and Financial Instructions. These arrangements are embodied in the Internal Audit Charter.

Independence and objectivity

Appropriate structures and reporting arrangements in place. Internal Audit does not have any management responsibilities. Internal audit staff are required to declare any conflicts of interests. The Head of Internal Audit has direct access to the Chief Executive and Audit Committee chair.

Proficiency and due professional care

Staff are aware of the NHS internal audit standards and code of ethics. Appropriate staff are allocated to assignments based on knowledge and experience. The Head of Internal Audit is professionally qualified (CMIIA). Liaison takes place regularly with LCFS.

Quality assurance and improvement programme

Head of Internal Audit undertakes quality reviews of assignments and reports as set out in internal procedures. Internal monitoring against standards by Head of Internal Audit and Director of Audit & Assurance.

PERFORMANCE STANDARDS: Managing the internal audit activity

Internal audit strategy developed highlighting overall approach, plan development and risk analysis. This is supported by a risk based operational plan giving detail of specific assignments. Plan sets out overall resource requirement. Strategy and plan approved by Audit Committee. Liaison with WAO and HIW. An assurance statement and annual report is produced giving an opinion as to the adequacy of the organisation’s framework


Board


Appendix A

Compliance with Audit Standards


for risk, control and governance.

Nature of work

The assignments performed are developed in a way that allows for evaluation of and contribute to the improvement of governance, risk management and control processes, using a systematic and disciplined approach.

Engagement planning & Performing the engagement

Departmental procedures are in place for audit assignments. Each audit assignment and report is quality reviewed before issue.

Communicating results

Assignment reports are issued at draft and final stages. A progress report is presented at each meeting of the Audit Committee. An annual report and assurance statement is also prepared and presented to the Audit Committee.

Monitoring progress

An internal follow-up process is in place to monitor progress with implementation of agreed management action. This is reported to the Audit Committee.

Resolution of senior management’s acceptance of risks

If Internal Audit considers that a level of inappropriate risk is being accepted by management it would be discussed and will be escalated to Board level for resolution.



Appendix B

Core Audit Assignment Summary


Reference

Assignment Status Executive Lead Final Report

Assurance Level

AC Date

Mobile Computing Final report Director I&I June Substantial July

ALAS IT System (BEST) Final report COO July Limited Oct

Poisons Unit IT System Final report COO August Substantial Oct

Charitable Funds

Final report Director Finance Sept Limited Oct

P.A.D.R.s Final report Director of WOD Sept Reasonable Oct

Risk Management Final report Director of Governance

Sept Limited Oct

Absence Management Final report Director of WOD Sept Reasonable Oct

Job Planning Final report Medical Director Sept Reasonable Oct

Patients Money and Property Final report Director of Nursing Oct Limited Nov

Establishment Controls Final report Director of WOD Nov Reasonable Nov

Financial Planning Final report Director Finance Nov Limited Nov

General Ledger Final report Director Finance Nov Substantial Jan



Appendix B



Reference


Assurance Level

AC Date

Income, Cash, Debtors Final report Director Finance Dec Substantial Jan

Claims Reimbursement

Final report Director of Nursing Jan Substantial Jan

Out of hours Service Final report Director of PCMH Jan Reasonable Jan

Medical Locums Final report Medical Director Jan Limited Jan

Medicines Management Final report Medical Director Jan Limited Jan

Linen follow up Final report Director of Nursing March n/a March

Dignity and respect Final report Director of Nursing March Reasonable March

Quality Outcomes Framework Final report Director of PH March Reasonable March

Coroner Rule 43s Final report Director of Nursing March Substantial March

Asset Register Final report Director Finance March Substantial March

Concerns Final report Director of Nursing April Reasonable May

Medicine Top up Payments Final report Director of PH May No July



Appendix B



Reference


Assurance Level

AC Date

Information Governance / PC Security Final report Medical Director April Limited May

Asylum Seekers Service Final report COO April Reasonable May

Translation Final report Director of Nursing May Reasonable May

Waiting List Management Final report COO May Limited May

Standards for Health Services Final report Director of Nursing May Substantial May

Non Emergency Transport Final report Director of Planning May Substantial July

Non NHS Placements follow up draft report COO Reasonable July

Private Patients draft report Medical Director July



Appendix C

Capital and Estates Audit Summary


Reference


Assurance Level

AC Date

Capital – CRI Scheme ** Final Director of Planning May NO May

Capital - Stroke Unit Llandough ** Final Director of Planning May NO May

Health & Safety ** draft Director of Governance

Reasonable

Capital – EU Remodelling ** Director of Planning

Sustainability Reporting **

xxx University Health Board


Appendix D

NWSSP Audit Summary


Reference


Assurance Level

AC Date

Payroll Final report NWSSP March Reasonable May 2013

Accounts Payable Final report NWSSP March Substantial May 2013

Procurement Final report NWSSP May Reasonable

GMS Final report NWSSP March Substantial May 2013

GDS Final report NWSSP March Substantial May 2013

GOS Final report NWSSP March Reasonable May 2013

GPS Final report NWSSP March Substantial May 2013

Prescribing Final report NWSSP March Reasonable May 2013



Appendix E

Performance Indicators


Indicator

Status Actual Target Red Amber Green

Percentage of departmental productive days compared with departmental total available days.

Green 88 80% < 75% < 80% > 80%

Percentage of audit days completed against planned.

Green 98 95% < 85% < 95% >95%

Actual days against planned days for each finalised routine audit assignment.

Amber 83 90% < 80% < 90% >90%

Issue of draft reports within ten working days of completion of fieldwork for each routine audit assignment.

Amber 77 80% < 75% < 80% > 80%

Draft report produced within three months of commencement of fieldwork for routine reviews.

Amber 83 90% < 80% < 90% >90%

Issue of final routine assignment reports within ten working days of the agreement of complete and adequate management responses.

Green 100 90% < 80% < 90% >90%

Cardiff and Vale University Health Board Appendix F

Head of Internal Audit Opinion and Audit Assurance Ratings

Annual Report

Audit Assurance Ratings

RATING INDICATOR DEFINITION

Su

bst

an

tial

ass

ura

nce

- +

Green

The Board can take substantial assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Few matters require attention and are compliance or advisory in nature with low impact on residual risk exposure.

Reaso

nab

le

ass

ura

nce

- +

Yellow

The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.

Lim

ited

ass

ura

nce

- +

Amber

The Board can take limited assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. More significant matters require management attention with moderate impact on residual risk exposure until resolved.

No

ass

ura

nce

- +

Red

The Board has no assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Action is required to address the whole control framework in this area with high impact on residual risk exposure until resolved.


xxx University Health Board Appendix G

Head of Internal Audit Opinion and Recommendation Priorities

Annual Report

Prioritisation of Recommendations In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows.

Priority Level

Explanation

Timeframe for commencement of management action

Poor key control design OR widespread non-compliance with key controls

PLUS


Significant risk to achievement of a system objective OR evidence present of material loss, error or mis-statement

Immediate*

Minor weakness in control design OR limited non-compliance with established controls

PLUS

High

Some risk to achievement of a system objective

Within One Month*

Potential to enhance system design to improve efficiency or effectiveness of controls

These are generally issues of good practice for management consideration

Medium

Within Three Months*

Low

* unless a more appropriate timescale is identified / agreed at the

assignment.


Board

Head of Internal Audit Opinion and

Annual Report

Appendix H

Responsibility Statement


Confidentiality

This report is supplied on the understanding that it is for the sole use of the persons to whom it is addressed and for the purposes set out herein. No persons other than those to whom it is addressed may rely on it for any purposes whatsoever. Copies may be made available to the addressee's other advisers provided it is clearly understood by the recipients that we accept no responsibility to them in respect thereof. The report must not be made available or copied in whole or in part to any other person without our express written permission.

In the event that, pursuant to a request which the client has received under the Freedom of Information Act 2000, it is required to disclose any information contained in this report, it will notify the Head of Internal Audit promptly and consult with the Head of Internal Audit and Board Secretary prior to disclosing such report.

The Health Board shall apply any relevant exemptions which may exist under the Act. If, following consultation with the Head of Internal Audit this report or any part thereof is disclosed, management shall ensure that any disclaimer which NHS Wales Audit & Assurance Services has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

Audit

The audit was undertaken using a risk-based auditing methodology. An evaluation was undertaken in relation to priority areas established after discussion and agreement with the Health Board. Following interviews with relevant personnel and a review of key documents, files and computer data, an evaluation was made against applicable policies procedures and regulatory requirements and guidance as appropriate.

Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding the achievement of an organisation’s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgement in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Where a control objective has not been achieved, or where it is viewed that improvements to the current internal control systems can be


Board


Annual Report

Appendix H

Responsibility Statement


attained, recommendations have been made that if implemented, should ensure that the control objectives are realised/ strengthened in future.

A basic aim is to provide proactive advice, identifying good practice and any systems weaknesses for management consideration.

Responsibilities

Responsibilities of management and internal auditors:

It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems.

We plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we may carry out additional work directed towards identification of fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, cannot ensure fraud will be detected. The organisation’s Local Counter Fraud Officer should provide support for these processes.

xxx University Health Board


Annual Report

Office details: Cardiff and Vale / South Central Team Audit and Assurance Services First Floor Brecknock House University Hospital of Wales Heath Park Cardiff CF14 4XW

Contact details:

Tel • 02920 742724

NHS Wales Audit & Assurance Services

Documents

Head of Internal Audit Opinion and Annual Report...1.4 Summary of Audit Assignments The audit coverage has been focused on key strategic and operational risk areas, the outcome of