Report to Trust Board of Directors

Date of Meeting: 28 July 2015

Enclosure Number: 12

Title of Report: Internal Auditor’s Annual Report 2014/15

Author: Vivien Blenkey, Senior Audit Manager

Executive Lead: Steve Shanahan, Executive Director of Finance

Responsible Sub-Committee (if appropriate): Audit Committee

Executive Summary: The purpose of this paper is to provide the Trust Board with an annual summary of the performance of Internal Audit for 2014/15, together with details of the reports issued and current KPIs. This report was discussed by the Audit Committee on 21st July 2015.

Risk Rating (high, medium, low risk) and any recommended changes to risk rating: Any risks identified within the individual reports should be transferred into the relevant risk registers by the responsible officers.

Board Assurance Framework Reference: Various references contained within the details on the individual audit reports within the Head of Audit Opinion.

Compliance, legal and national policy regulatory requirements: None

Financial Implications: N/A

Actions required by the Board:

To approve: Discussion and decision

To note: Where the Board is made aware of key points but no decision required

For information: For reading and consideration and for discussion by exception only

Trust Board is asked to approve the 2014/15 Internal Audit Annual Report.

Data quality: Source:

Validated by:

Date:

Northern Internal Audit and Fraud Service

The Northern Internal Audit and Fraud Service is provided through a Consortium of NHS Trusts, Primary Care Trusts and a Strategic Health Authority, of which the Northumberland, Tyne and Wear NHS Trust is the host organisation.

North Cumbria University Hospitals

ANNUAL REPORT AND HEAD OF INTERNAL AUDIT OPINION

YEAR ENDED 31 MARCH 2015


CONTENTS

1. Introduction
2. Outturn Position as Compared to the Annual Plan
3. Head of Internal Audit Opinion
4. Performance Indicators
5. Service Developments
6. Adherence to NHS Internal Audit Standards
7. Recommendation
Appendix 1 – Annual Plan Outturn Report
Appendix 2 – Final Head of Internal Audit Opinion
Appendix 3 – Compliance with NHS Internal Audit Standards


1 Introduction

The purpose of the Internal Audit Annual Report is to provide the Audit Committee with:

- The actual outturn compared to the Annual Audit Plan for 2014-15.
- The overall Head of Internal Audit Opinion for 2014-15, which provides the Audit Committee with our opinion on the overall adequacy and effectiveness of the organisation’s system of internal control, including its risk management, control and governance processes.
- Assurance that all aspects of the internal audit service have met the requirements set out within the NHS Internal Audit Standards.

2 Outturn Position as Compared to the Annual Plan

The 14-15 audit plan evolved during the year following discussion with the Audit Committee and Directors to clarify the scope of the original plan. A number of changes have been made, which are detailed below to maintain an audit trail. Currently audit reports have been issued for the agreed areas included in the 2014-15 Internal Audit Plan with the following exceptions:

Cancelled

- One audit on project management was cancelled by the audit due to assurances being received elsewhere.
- The audit of the SLA for medical staffing was cancelled as no SLA was in place.

Carried Forward

- The audit on the CQC process was asked to be carried forward by the Trust due to changes in the system and standards that were being implemented when the audit was due to take place.
- Outpatient booking system was carried forward following discussion at the audit committee.
- The scope of the audit of Patient transfer was discussed with the committee and clinical audit. It has now been rescheduled for 15-16 and discussed with the change management team.
- Diagnostic services was looked at under cancer services but a detailed review will be covered in 15-16.
- Payroll services are provided by Northumbria Trust but work on the validity of data submitted from the Trust is on-going and will be combined with 15/16 work.
- Work on safe staffing has been reviewed and further work requested which has delayed issue.


Appendix 1 gives the detailed outturn of activity against the agreed Internal Audit Plan for 2014/15. Where audit areas were deferred or cancelled due to circumstances within the organisation, this has been communicated to the Audit Committee in the quarterly progress reports.

The actual skill mix to deliver the 14/15 plan was not available at the start of the year, and therefore the actual split of days provided by NIAS is compared to the proposed staffing for 15/16.

| Role | % of planned days 15/16 | % of actual days 14/15 (part year) |
|---|---|---|
| Director of Audit | 1 | 2 |
| Senior Manager | 7 | 10 |
| Senior Auditor | 34 | 27 |
| Auditor | 43 | 46 |
| Specialist | 15 | 15 |

Problems recruiting permanent staff in 14/15 have now been addressed by the appointment of two new permanent staff.


3 Head of Internal Audit Opinion

In accordance with NHS Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes (i.e. the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described in Appendix 2.

The draft Head of Internal Audit Opinion was issued to the Trust on 20th April 2015 and the final version was taken to the Audit Committee meeting on 2nd June 2015, together with the final accounts.

Based upon the work undertaken, my overall opinion is that significant assurance can be given that there is a generally sound system of internal control in relation to key financial systems, designed to meet the organisation’s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls, put the achievement of particular objectives at risk. I can provide only limited assurance that there is a sound system of control in relation to other areas reviewed during 2014-15. A number of reviews are not yet finalised and this opinion may change as management responses are received.

Included within our Head of Internal Audit Opinion was a review of the organisation’s assurance framework. The work carried out on the Assurance Framework gave the following opinion:

The framework is regularly approved and reviewed by the Board during the year and is updated by the relevant Directors. Nevertheless, like other NHS organisations, the Trust could still develop its processes further to ensure the completeness, consistency and clarity of the document across all objectives. This will assist in informing the Board on how they receive assurance on strategic objectives. In particular, ensuring the range, scope and clarity of assurances is available to map against clearly defined risks.

The work carried out on the risk management gave the following opinion:

The risk management process by which individual risk registers are fed into overarching registers should be followed by all departments to ensure the completeness of risk monitoring within the Trust. The identification and incorporation of existing, as well as new risks, into the process should be continuously under review to identify any potential gaps as well as the consistency of approach. The Trust has developed a corporate risk register to underpin the assurance framework to ensure significant risks can be escalated up to the framework and down to departmental registers. Risk registers are reviewed and challenged at the Assurance Committee but it is the responsibility of the business units and departments to ensure their completeness.


4 Performance Indicators

4.1 Outturns and Response Times

The Audit Committee discussed a number of performance indicators that measure Internal Audit’s ability to produce timely reports for management and the performance of management in responding to the issues raised within audit reports. The key indicators and performance for 2014-15, demonstrating performance in relation to reports finalised, are set out in Figure 1. In future, comparisons year on year will be provided.

Figure 1: Key Performance Indicators

As can be seen from Figure 1, this is the first year in which performance in relation to issuing reports after the close of work, receiving management responses and issuing the final report following receipt of adequate management responses, has been monitored. Targets set by the committee were 3 weeks and there has been a learning curve for all. The introduction of new IT software should help to monitor the progress more effectively in 15/16.

4.2 Assurance Opinions

A review of the assurance levels given in reports issued is shown in Figure 2 for 2014-15.

Figure 2: Assurance Levels


4.3 Risk Ratings

From the reports issued we have assessed the number of findings identified by risk rating, and the outcome of this analysis is shown in Figure 3. The majority of findings fall into the low risk category.

Figure 3: Findings by Risk Rating

This is the first year these indicators have been produced. In future it will be possible to compare year on year, which will be more meaningful.


4.4 Implementation of Actions.

Information was not available for the full year to calculate the implementation of actions by the first due date.

4.5 Post Audit Questionnaires

Post audit questionnaires were introduced in 14/15 and will form part of the new software process to be sent out after the completion of all audits in 15/16. A limited number of questionnaires have been received for 14/15 and are summarised below. Questionnaires were sent to executive directors but to date no responses were received prior to papers being submitted. Going forward for 15/16 questionnaires will be sent to the following:

- An appropriate member of staff when each final audit report was issued.
- Members of the audit committee (Non-Executive Directors) annually.
- Executive Directors annually.

Figure 5 Post Audit Questionnaires from Trust Staff


5 Service Developments

We are committed to continually improving the quality and efficiency of the service that we offer to our consortium members and our customers, and have undertaken a number of steps during 2014-15 to this end. A brief summary of the most significant developments is set out below.

5.1 In-house Developments

During 13/14 we undertook significant work on comparing plans and approaches to audits across all of our clients with a view to developing a comprehensive audit universe that would ensure that all key risks or systems are considered when plans are being drawn up. This work has been extended during 2014-15 across the Audit England network. Whilst the full results are not yet published it has already shown that we are not missing any fundamental systems/risks from our plans. This work has also included an indication of when specific audits are planned and will allow us to share ideas and programmes between the Audit England members.

During the latter part of 2014-15 the department procured dedicated audit software, ‘MKinsight’, from a commercial supplier. The procurement was in partnership with audit colleagues in the Durham and Tees area. Over a period of months the software was configured to our requirements and staff trained in its use, with go live from April 2015. The aims of the procurement were twofold:

To improve the quality of the audit service through:

- Consistent application of a risk based audit process
- A more timely and focussed manager review process
- Better audit trails on audit work, changes, review points and responses

To improve the efficiency of the service provision through:

- Savings on administration of our time control
- Ready access by all teams to our full suite of work programmes
- Integration of planning, resource allocation, audit work, library documents
- More timely discussions on audit progress
- Less time on data input and referencing
- Real time work at a client location
- Reduction in use of paper

We are currently producing some bespoke user guides to ensure consistent use of the system across our teams. In the coming months, as well as delivering the benefits outlined above, we will explore use of an automated follow up process which should increase departmental productivity further.


5.2 Working with other organisations nationally

We are members of NHS Audit England, which is a group representing NHS based internal audit and counter fraud service providers across England. Its purpose is to facilitate collaboration between members; help strengthen and broaden the services members provide; strengthen and modernise the NHS service provider model; and facilitate retention and development of market share in the NHS. These objectives are met through the design and implementation of an annual work programme and by the maintenance of strong outward facing links with key NHS stakeholders (for example, Monitor, the Department of Health, the CQC, NHS Protect etc.). As well as attending the main group, the Director of Internal Audit also is an active member of the Professional and Technical Sub Group. Examples of key service improvement activities we undertook as part of NHS Audit England during the year include:

- the development and piloting of an Internal Audit peer review process to enable compliance with Public Sector Internal Audit Standards and to provide an effective ‘internal’ mechanism for providing quality assurance

- benchmarking work on Audit Plans

- building up of a profile of specialist skills within NHS providers of Internal Audit to allow for knowledge exchange and, if needed, access to specialised advice.

5.3 Working with local NHS providers of Internal Audit

As well as our close collaboration with colleagues nationally via NHS Audit England, we also have a very active Regional Heads of Audit Group who work together on developments and exchange information on current issues, potential emerging risks etc. Underpinning the work of the Group are active sub-groups covering both training and delivery of counter fraud work. We are also working with Audit North to consider how we can increase the co-operation and co-ordination between us to improve efficiency for all of our clients. We already work closely together in terms of providing specialised IT Audit and have jointly commissioned an automated internal audit system (MKI). We also share a LCFS post with Sunderland IAS and share a LCFS post with Audit North to provide a service to the NHS in Cumbria.

5.4 Training and Development

As well as on-going training and development within the workplace, we support our staff in obtaining a range of professional qualifications to both enable their development as valued contributors to our team and their longer term career prospects.


As noted above, Northern Internal Audit and Fraud Service is also an active member of the NHS Internal Audit Training Group, which provides training to internal audit staff across the Northern, Yorkshire and the Humber, and Cumbria areas. The group is self-financing, with course fees set to cover costs, and courses are also open to attendance by staff from client organisations where this is appropriate or of interest to them. The group has a remit to establish collaborative links with other NHS training groups, to share knowledge and ensure that delivery of internal audit training across the NHS is cost-effective. Courses provided during 2014-15 include:

- Risk Management Workshop: Attempting to Organise Uncertainty in NHS Healthcare – a one day workshop aimed at both internal audit and staff within client organisations, covering risk management arrangements. Topics included how to ensure that organisations develop robust risk management arrangements; ensuring adequate Board buy in; and Board assurance mapping, as well as a session on the currently emerging risks within the NHS

- Topical Issues Day – this course is run twice a year, and covers developments within the NHS, with a range of speakers on an array of topics

- National NHS Audit and Governance Conference – the theme of this year’s conference was ‘Assuring the NHS’, and the topics covered were chosen to appeal to both Heads of Internal Audit and those senior staff within NHS organisations responsible for governance. The Conference featured sessions from a range of eminent speakers, from both the NHS family of organisation and from other organisations of national importance.

We have also recently begun working with the Organisational Development Lead from our host trust, with the aim of identifying any departmental or team wide development needs that may improve our efficiency as a department.

6. Adherence to NHS Internal Audit Standards

Internal Audit Services are provided by Northern Internal Audit and Fraud Service [NIAFS], which is managed under a consortium arrangement and hosted by Northumberland, Tyne and Wear NHS Foundation Trust. We have assessed ourselves against the revised NHS Internal Audit Standards, which were issued in final draft with a proposed implementation date of April 2010. While these standards have not yet been formally issued, they were intended to replace the 2002 version of the standards and have been revised to reflect enhanced requirements that are in line with best global practice and the International Standards for the Professional Practice of Internal Auditing.


We can confirm that all aspects of the internal audit service delivered by NIAFS have met the requirements set out within the revised NHS Internal Audit Standards.

There are agreed terms of reference in place with all clients, establishing the way in which the internal audit service provided will meet client requirements, and NIAFS has established robust internal procedures for the completion of internal audit assignments, including establishing quality assurance arrangements. More detail on how individual requirements within the NHS Internal Audit Standards are met is set out in Appendix 3.

7 Recommendation

The Audit Committee is asked to note the contents of this report and the Head of Internal Audit Opinion.


Outturn

| No. | Main heading | Scope of work | Current status | Assurance |
|---|---|---|---|---|
| | CORPORATE GOVERNANCE | | | |
| 1 | Head of Audit Opinion | Opinion on adequacy and effectiveness of the organisation’s risk management processes to support the Annual Governance Statement | Final report issued | Split Opinion |
| 2 | Assurance Framework | Review of the comprehensiveness, relevance and the extent to which the Board Assurance Framework is embedded. | Final report issued | Significant with issues of note |
| 3 | Risk Management | Review of risk management strategy and procedures. Review of the format and effectiveness of department registers. | Final report issued | Significant with issues of note |
| | OTHER ASSURANCE FUNCTIONS | | | |
| 4 | Internal Assurance Functions – Clinical Audit | Review of the structures in place, programme, reporting arrangements and completeness of assurance provided. To include internal compliance functions such as clinical assurance. | Final report issued | Split Opinion |
| 5 | Third Party Assurance | Review and summary of the Third party assurances required from and to other bodies. | Included in HOAO | Significant with no issues of note |
| | DECLARATIONS, SELF-ASSESSMENTS AND EXTERNAL REVIEWS | | | |
| 6 | CQC Process Hospital inspection regime Compliance and actions | Review of high level arrangements for co-ordinating, receiving and reviewing the assurances/evidence to support declaration, review of monitoring arrangements for actions plans arising from inspection visits. | Work re the inspectors of hospital visit has resulted in the work being c/fwd. to 15/16 | n/a |
| 7 | Patient satisfaction Changed to cancer targets | Review of high level arrangements for co-ordinating, receiving and reviewing the assurances/evidence to support the declaration. | Final report issued | Split Opinion |
| 8 | Information Governance Toolkit | Review of high level arrangements for co-ordinating, receiving and reviewing the assurances/evidence to support declaration, review of monitoring arrangements for actions plans arising from inspection visits. | Final report issued | Limited |
| 9 | Human tissue authority compliance | Review of the adequacy and compliance with the quality management system | Final report Issued | Significant with issues of note |
| | NON-FINANCIAL SYSTEMS | | | |
| 10 | Information | Review that the TDA recommendations and requirements are being addressed. | Final report issued | Significant with issues of note |
| 11 | Records Management | High level review of the internal monitoring and reporting tools looking at the robustness of storage, collection and disposal and tracking | Final report Issued | Limited |
| 12 | Estates Compliance | High level review of the internal monitoring and reporting tools to ensure estates compliance. | Final report issued | Limited |
| 13 | Safety & Suitability of Medical Equipment - Follow Up 3 | Follow up review of the internal monitoring and reporting tools, the adequacy of the monitoring and training. This is a continuation of recent work to ensure actions remains on track. | Final report issued | Split Opinion |
| 14 | Transport | This is a high level review of the management of transport by Trust into community i.e. deliveries | Final report | Limited |
| 15 | Use of NHS numbers | Review of the use of NHS numbers as the key reference source | Final report | Limited |
| 16 | Patient flows between CIC & WCH | Scope to be determined | Audit committee agreed cfwd to 15/16 working with change team. | n/a |
| | INTERNAL BUSINESS OPERATIONS | | | |
| 17 | Cost Control / Reduction Programmes | Review of the robustness of plans and monitor of actual savings and the inclusion of a quality impact assessment for all proposals. | Final report issued | Limited |
| 18 | Project management | High level review of the trusts approach to project management | Cancelled by audit committee | n/a |
| | CONTRACTUAL AND LEGAL | | | |
| 19 | Change process – minor work | Review of processes in place to monitor PFI change order process. | Final report issued | Significant with issues of note |
| 20 | NHS Healthcare Agreements (Contract income) | Healthcare agreements, variations, coding assurance, invoicing, activity management. | Draft Report | Significant with issues of note |
| | CAPITAL AND ASSET MANAGEMENT | | | |
| 21 | Capital Planning and Monitoring | Management of Capital Programme. High level review. | Final Report | Significant with issues of note |
| 22 | Asset Management | Asset identification, Asset Register Maintenance Transfers, disposals, Indexation, revaluation, Depreciation, Capital charges, Asset verification. | Final Report | Split Opinion |
| | FINANCIAL CONTROL SYSTEMS | | | |
| 23 | Financial Reporting and Budgetary Control | Service line reporting. Budget production, virements, monitoring. | Final report | Significant with issues of note |
| 24 | Financial Ledger | Timetables, input controls, journals, suspense and control accounts, chart of accounts. | Draft Report | Significant with issues of note |
| 25 | Accounts Payable | Supplier creation, coding, invoice authorization, payment authorization (BACS, Chaps, Cheque), discounts. | Draft report | Significant with issues of note |
| 26 | Accounts Receivable | Notification of debt, invoicing, debt recovery. | Final Report | Significant with issues of note |
| 27 | Treasury Management and Bank Management | Review of borrowing, investments. Forecasts. Review of bank mandates, transfers, bank recs, cash flow. | Final Report | Significant with issues of note |
| 28 | Payroll system | Review of the new working arrangements and issues highlighted to date. | On going | |
| 29 | Miscellaneous Income | Review of residential accommodation systems | Final Report | Limited |
| 30 | Miscellaneous Income | Review of private patient systems | Final Report | Limited |
| | LOCATION AUDITS / SERVICE PROVISION | | | |
| 31 | Business Unit Audits | High level review of the governance and assurance arrangements in Clinical Support | Final Report | Significant with issues of note |
| | WORKFORCE | | | |
| 32 | Medical Staffing | Review of the SLA with Northumbria and its operation in practice. | cancelled | n/a |
| 33 | HR - performance metrics | New performance metrics structure with business units. How are these fed back up - see TDA accountability framework for NHS trusts. | Draft Report | Significant with issues of note |
| 34 | Nurse escalation reporting (ward safety) | Monthly reports to Board - process reported as very manual - check data quality accuracy and process of collection | Under review | n/a |
| | PERFORMANCE | | | |
| 35 | Performance Indicators | Patient experience – Referral to treatment time 18 weeks | Final report | Limited |
| 36 | Diagnostic pathways time targets | | c/fwd Cover under cancer more detail work in 15/16 | |
| | IT TECHNICAL AUDITS | | | |
| 37 | Operational Security | Review of · Anti-virus management · Back-up management · Server monitoring · Patch management · User account management | Final report | Limited |
| 38 | Pathology System General Controls | Testing of controls over critical and high priority systems, focusing on: - Assessment of procedures to ensure management of data including, - Back-up and recovery, - Disposal of media, - Storage and retention, - Security and safeguarding of information - Controls over the confidentiality, integrity and availability of the data held upon them. | Final report | Limited |
| 39 | IT Risk Management | Review of IT Risk Management. Focusing on how risks are effectively managed during periods of change management. | Final report | Limited |
| 40 | PAS Project Management Controls | Testing of controls over critical and high priority systems, focusing on: - Assessment of procedures to ensure management of data including, - Back-up and recovery, - Disposal of media, - Storage and retention, - Security and safeguarding of information - Controls over the confidentiality, integrity and availability of the data held upon them. | Final Report | Too early to give an opinion. Revisited in 15/16 |
| 41 | Real-time System Controls and Benefits Delivery | Key investment area by North Cumbria Acute Hospitals. It is a clinically driven programme designed to manage implementation and development of key systems to improve processes for managing patient journeys and patient care within the Trust. The audit will provide assurance over the realisation of the benefits from the investment made. | Final report | Limited |
| 42 | IT Disaster Recovery | Review of strategy/policies/plans and testing arrangements to ensure effective DR arrangements in place. | Final report | Limited |
| 43 | Follow up | These days have now been allocated to ensure the implementation of recommendations from previous IT reports | recommendation review delayed | n/a |
| | AD HOC | | | |
| 44 | Expenses Patient Travel Monies | | Final report | Significant with issues of note |

APPENDIX 2 HEAD OF INTERNAL AUDIT OPINION

YEAR ENDED 31 MARCH 2015


Roles and responsibilities

The whole Board is collectively accountable for maintaining a sound system of internal control and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system. The Annual Governance Statement (AGS) is an annual statement by the Accountable Officer, on behalf of the Board, setting out:

- how the individual responsibilities of the Accountable Officer are discharged with regard to maintaining a sound system of internal control that supports the achievement of policies, aims and objectives;

- the purpose of the system of internal control as evidenced by a description of the risk management and review processes, including the Assurance Framework process;

- the conduct and results of the review of the effectiveness of the system of internal control including any disclosures of significant control failures together with assurances that actions are or will be taken where appropriate to address issues arising.

The organisation’s Assurance Framework should bring together all of the evidence required to support the Annual Governance Statement requirements. In accordance with the Public Sector Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes (i.e. the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described below.

The opinion does not imply that Internal Audit have reviewed all risks and assurances relating to the organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a robust and organisation-led Assurance Framework. As such, it is one component that the Board takes into account in making its Annual Governance Statement.

The Head of Internal Audit Opinion

The purpose of my annual Head of Internal Audit Opinion is to contribute to the assurances available to the Accountable Officer and the Board which underpin the Board’s own assessment of the effectiveness of the organisation’s system of internal control. This Opinion will in turn assist the Board in the completion of its Annual Governance Statement, and may also be taken into account by Care Quality Commission:

1. Overall opinion; 2. Basis for the opinion; 3. Commentary.

My overall opinion is that significant assurance can be given that there is a generally sound system of internal control in relation to key financial systems, designed to meet the organisation’s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls put the achievement of particular objectives at risk.


I can provide only limited assurance that there is a sound system of control in relation to other areas reviewed during 2014-15. A number of reviews are not yet finalised and this opinion may change as management responses are received.

The basis for forming my opinion is as follows:

1. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes;

2. An assessment of the range of individual opinions arising from audit assignments, contained within internal audit risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management’s progress in respect of addressing control weaknesses;

3. Any reliance that is being placed upon third party assurances.

The commentary below provides the context for my opinion and together with the opinion should be read in its entirety.

The design and operation of the Assurance Framework and associated processes.

The review of the Trust’s Assurance Framework is a critical piece of work on the central methodology through which the Trust conducts its review of the system of internal control. The framework is regularly approved and reviewed by the Board during the year and its format has been updated during the year to reflect key priorities. Nevertheless, like other NHS organisations, the Trust could still develop its processes further to ensure the completeness, consistency and clarity of the document across all objectives. This will assist in informing the Board on how they receive assurance on strategic objectives. In particular, ensuring the range, scope and clarity of assurances is available to map against clearly defined risks.

The risk management process by which individual risk registers are fed into overarching registers should be followed by all departments to ensure the completeness of risk monitoring within the Trust. The identification and incorporation of existing, as well as new risks, into the process should be continuously under review to identify any potential gaps as well as the consistency of approach. The Trust has developed a corporate risk register to underpin the assurance framework to ensure significant risks can be escalated up to the framework and down to departmental registers. Risk registers are reviewed and challenged at the Assurance Committee but it is the responsibility of the business units and departments to ensure their completeness.

It is for the Board to decide whether the framework contains all of the assurances it needs and whether the assurances in the framework are sufficient.

The range of individual opinions arising from audit assignments, contained within risk-based plans that have been reported throughout the year.


The opinions, as shown in the table below, were derived from work carried out in line with the Audit Committee approved Audit Plan for 2014/15, taking account of any adjustments agreed during the year. The agreed audit plan was compiled by the previous auditors and covers a range of areas within the Trust. Where issues of note have been raised or limited assurance has been given on individual audits, this has been considered when forming my overall opinion. Some areas may not be deemed to be high risk to the Trust, or may not be considered material systems. Areas audited by the previous audit team during 14/15 have been included in the work assessed. The following areas of internal audit work have resulted in ‘Limited Assurance’ outcomes and can be directly linked to areas identified in the Trust’s Assurance Framework. As such the control issues may warrant inclusion in the Assurance Framework and consideration in the Governance Statement.

Assurance
- Clinical assurance

Non Financial
- Records Management
- Estates Compliance
- Medical Equipment (split assurance)
- Transport (Minor System)

Business Processes
- Cost Improvement

Capital
- Asset Management (split assurance excluding land and buildings)

Finance
- Residential Accommodation Income (minor system)
- Miscellaneous Income (minor system)
- Private patients (split assurance minor system)

Performance
- 18 weeks
- 62 day cancer target (split assurance)

IM&T
- Information Governance Toolkit
- Server Operational Management
- Pathology systems
- IT Risk Management
- Real Time systems
- Use of NHS Numbers (minor system)
- IT Disaster Recovery

Management have responded positively to the reports and are agreeing remedial action to address the findings raised.


The Audit Committee has adopted a pro-active approach to monitor outstanding actions arising from Internal Audit reports, with details of all outstanding issues being reported at every meeting. At the last time of reporting to the Audit Committee in March 2015, 25 actions were reported as still pending past their due date; 11 of these have a Trust accepted risk rating of high. Of the actions indicated by the Trust as complete, audit has been unable to obtain and verify evidence of 34, IT actions.

Reliance on Third Party Assurances

A list of the main outsourced or consortium services is summarised below:

- Oracle business applications are provided by North East Patches and hosted by Northumbria Healthcare NHS Foundation Trust. An ISAE 3402 report covering the period 1 April 2014 to 30 March 2015 was issued in May 2015. It gave the opinion that the systems of control as described to them were fairly presented; the controls included in the description were suitably designed to achieve the control objectives specified in the description; and that those controls were complied with satisfactorily.

- The Electronic Staff Record (ESR) service is provided by McKesson UK. An ISAE 3402 report was issued by Price Waterhouse Coopers in May 2015, covering the operation of the national system. It gave the opinion that overall, the control environment for the ESR Service is effective in helping to achieve the objectives laid out. Testing of the controls identified some instances where controls were either not designed or operating effectively. These exceptions did not adversely impact the overall achievement of the associated control objectives, as mitigating controls were determined for all but one instance, which was not considered a key control.

- Northumbria Healthcare NHS Foundation Trust provides payroll and financial services to the Trust and a 3rd party report will be issued by them to the Trust in May 2015. The report provides significant assurance.

Lauretta McEvoy Director of Internal Audit


The following tables identify Internal Audit work during the period for which a final/draft report has been issued. See Table 1. External Assurances are identified in Table 2. Reports on key areas where work is under discussion have been included in this draft at the anticipated minimum assurance level; this level may rise following discussions with management.

TABLE 1: INTERNAL AUDIT REPORTS PROVIDING ASSURANCES

Levels of assurance were changed in year from September 2014 to allow further clarification of the term significant assurance. This was split so that the reports could reflect whether within the overall system there were no issues of note (NOIN) or some issues of note (ION) with certain aspects of the system.

MAIN HEADING | SCOPE OF WORK | ASSURANCE LEVEL | COMMENT

CORPORATE GOVERNANCE

Assurance Framework

Review of the comprehensiveness, relevance and the extent to which the Board Assurance Framework is embedded.

Significant with ION

Risk Management

Review of risk management strategy and procedures. Review of the format and effectiveness of department registers.

Significant with ION

OTHER ASSURANCE FUNCTIONS

Internal Assurance Functions – Clinical Assurance

Review of the structures in place, planning and reporting arrangements and completeness of assurance provided.

Limited

The key requirement that the clinical audit plan is clearly linked to clinical risks and clinical assurance needs of the Trust should be more transparent. Monitoring of the implementation of management actions, resulting from clinical audit reviews, needs to be embedded across the Trust. It is recognised that significant progress has been made in centrally developing controls around clinical audits in terms of recording and monitoring

DECLARATIONS, SELF-ASSESSMENTS AND EXTERNAL REVIEWS

Information Governance Toolkit

Review of high level arrangements for co-ordinating, receiving and reviewing the assurances/evidence to support declaration, review of monitoring arrangements for actions plans arising from inspection visits.

Limited

The scope of evidence submitted for previous versions of the toolkit was noted to be comprehensive and generally fit for purpose; however compliance needs to be demonstrated on an ongoing basis. At the time of the audit evidence for 14/15 had not been brought up to date due to capacity issues, and this therefore impacted on many of the standards reviewed. Six of the fifteen standards did demonstrate compliance at level two or above.

Human tissue authority compliance

Review of the adequacy and compliance with the quality management system

Significant with ION

NON-FINANCIAL SYSTEMS

Records Management

High level review of compliance with Data Protection and relevant legislation, timely accessibility, completeness, storage, security, retention and destruction.

Limited

Audits by the Trust identifying poor performance on DNAR forms which were not included in the PCA for compliance with CQC standards. The monitoring committee for corporate records continuing status to monitor compliance with the IG toolkit was in doubt. There were issues with the safe storage of records and the timely destruction of records.

Estates Compliance

High level review of the internal monitoring and reporting tools to ensure estates compliance.

Limited

Up to date SLAs were not in place between the Trust and key service providers. The lack of a clearly defined Estates & Facilities Strategy combined with the ongoing organisational and management changes exposes the Trust to performance and compliance risks. Defect maintenance performance reporting was not always accurate. Evidence from the monthly audit of performance reported by the PFI partner at CIC is not retained for management or internal audit review.

Safety & Suitability of Medical Equipment - Follow Up

Follow up review of the internal monitoring and reporting tools, the adequacy of the monitoring and training. This is a continuation of recent work to ensure actions remain on track.

Split assurance Significant/limited

Significant assurance was given on the safety and suitability of medical equipment. In relation to data quality and administration we maintain our opinion of limited assurance.

While we recognise that significant improvements have been made to date, the data quality of the medical equipment inventory needs to be improved to support the operation of processes which rely on it.

Medical devices training records remain in need of updating.

Transport

This is a high level review of the management of transport by the Trust.

Limited

The Trust has no transport strategy/policy and has not assigned an officer responsible for monitoring the taxi contracts. The Trust has no assurance that the contractors have a current operator’s licence, public liability insurance; and that vehicles and drivers are appropriately licensed.

INTERNAL BUSINESS OPERATIONS

Cost Control / Reduction Programmes

Review of the robustness of plans and monitoring of actual savings and the inclusion of a quality impact assessment for all proposals.

Limited

The main risk is failure to meet the CIP target and statutory break even position. Issues identified related to: The completion, approval, recording and retention of Project Initiation Documents was not robust. There was no centralised programme management of CIP. The CIP tracker had not always been subject to regular and timely update.

CONTRACTUAL AND LEGAL

Change orders – minor work

Review of processes in place to monitor PFI change order process.

Significant

The assurance level for this report was based on the samples tested in 14/15 when only one error was found. Subsequent checks done by the Trust related to the above issue highlighted that this has been a major problem over the life of the contract and therefore reduces the overall assurance level to limited.

NHS Healthcare Agreements (Contract income)

Healthcare agreements, variations, coding assurance, invoicing, activity management.

Significant with ION

CAPITAL AND ASSET MANAGEMENT

Capital Planning and Monitoring

Management of Capital Programme. High level review.

Significant with ION

Asset Management

Asset identification, Asset Register Maintenance, Transfers, disposals, Indexation, revaluation, Depreciation, Asset verification.

Significant/Limited

Significant assurance was given with regard to land and buildings which amount to over half the value of assets in the accounts. Limited assurance is given for the lack of an embedded process to verify the existence of the remaining assets on an ongoing basis.

FINANCIAL CONTROL SYSTEMS

Financial Reporting and Budgetary Control

Service line reporting. Budget production, virements, monitoring.

Significant with ION

Financial Ledger

Timetables, input controls, journals, suspense and control accounts, chart of accounts.

Significant with ION

Accounts Payable

Supplier creation, coding, invoice authorization, payment authorization (BACS, Chaps, Cheque), discounts.

Significant with ION

Accounts Receivable

Notification of debt, invoicing, debt recovery.

Significant with ION

Treasury Management and Bank Management

Review of borrowing, investments. Forecasts. Review of bank mandates, transfers, bank recs, cash flow.

Significant with ION

Procurement pre contract

Significant

Expenses

Review of Outpatient Travel Monies

Significant

Miscellaneous Income

Generic High level review of the collection and monitoring of other income.

Limited

For a significant number of revenue streams, the Trust does not have the protection of a current, agreed SLA or contract.

Residential accommodation systems

Review of the procedures for identification, collection, monitoring and reporting of residential accommodation

Limited

The issues identified were:

The lack of any performance management relating to operations. No KPIs or targets are set and no management reports are requested.

The absence of documented operational procedure notes resulting in potential single point of failure risk.

Risks are not identified, evaluated and recorded.


The inconsistent completion and retention of tenancy agreements

The absence of formalised contracts/agreements with third party providers

Insufficient cost analysis to support decision making

Private patient systems

Review of the procedures for the identification, collection, monitoring and reporting of private patient income

Significant/limited

Completeness of recording at CIC

WORKFORCE

HR - performance metrics

New performance metrics structure with business units. How are these fed back up - see TDA accountability framework for NHS trusts.

Significant with ION

PERFORMANCE

Performance Indicators

Patient experience – Referral to treatment time 18 weeks

Limited

The structured query language parameters applied to Referral to Treatment data could not be provided by the Trust without detailed investigation.

Historically booked outpatient appointments on Medifusion have no further information added to determine if the patient attended, or whether their pathway is continuing or should be closed.

Outpatient historical bookings are not included in Pathway Tracking Coordinators data quality reports for investigation.

There are resource gaps in specific specialities within pathway tracking, which is affecting the quality of data, and effectiveness of the pathway tracking process.

Some breaches are left unexplained on the Trust’s PTL.

The reliance on key personnel exposes the Trust to a single point of failure within the RTT process, following the departure of the Patient Access Manager.

62 Day Cancer Targets

Review of controls designed to mitigate the risks associated with 62 day cancer targets covering

Governance – the direction, scrutiny and supervision of operations

Data – the collection, use and reporting of cancer pathway information

Performance reporting

Breaches – identification, investigation and resolution

Split assurance Significant/limited

Significant assurance with issues of note that adequate controls are present and are being operated correctly. On actual performance against the 62 day standard only limited assurance is currently available as demand exceeds capacity particularly for diagnostic procedures. However, key risk issues have been identified and assessed, and actions to address them have been identified and are ongoing.

IT TECHNICAL AUDITS

IT continuous testing

Review of a sample of servers for adequate controls re access, security and monitoring.

Significant

Server Operational Management

Interruptions to business activities, including system unavailability and loss of data due to ineffective management and configuration of:

Backup regime;

Anti-Malware software;

Server monitoring; and

Patch management.

Inappropriate or unauthorised access to information as a result of poor user management controls; and

Inappropriate or unauthorised changes applied impacting upon the integrity and availability of applications.

Limited

There was no SLA in place with CPFT which defined the operational management and responsibilities associated with the day to day administration of software installed to support the shared server and network infrastructures. A scheduled programme to carry out test restores from backups for systems or servers had not been introduced. Records were not maintained to support the manual installation of Windows updates to over 50 servers that we were advised required updates to be applied manually. The WSUS ‘TEST’ group did not contain any servers; therefore Windows updates were being applied to servers without any prior testing on servers.

Pathology System General Controls

Testing of controls over critical and high priority systems, focusing on:
- Assessment of procedures to ensure management of data including,
- Back-up and recovery,
- Disposal of media,
- Storage and retention,
- Security and safeguarding of information
- Controls over the confidentiality, integrity and availability of the data held upon them.

Limited

The main issues relate to:

a. Unauthorised and / or inappropriate access to information within iLAb TP.

b. Service disruption through loss of both primary and secondary servers in the event of an environmental or physical impact on the computer room.

c. Service disruption if security controls and monitoring arrangements are not performed in the absence of the system manager.

d. Unauthorised changes made by the supplier to the production environment could cause the application to fail leading to service disruption and / or data corruption.

IT Risk Management

Review of IT Risk Management. Focusing on how risks are effectively managed during periods of change management.

Limited

There was an inconsistent process for documenting and assessing IT related risks. The IMT Risk Register was incomplete as six risks out of the 26 documented had not been fully completed and all risks had missed their review dates. The Risk and Assurance Committee had a standing agenda item to review each department’s risk register; we noted limited discussion on IT related risks, or attendance by IT at this committee.

PAS Project Management Controls

Testing of controls over critical and high priority systems, focusing on:
- Assessment of procedures to ensure management of data including,
- Back-up and recovery,
- Disposal of media,
- Storage and retention,
- Security and safeguarding of information
- Controls over the confidentiality, integrity and availability of the data held upon them.

N/a

At the time of our fieldwork the Project was in its early stages and a number of controls were still being established and implemented therefore an assurance opinion will not be given until further progress has been made.

Real-time System Controls and Benefits Delivery

Key investment area by North Cumbria Acute Hospitals. It is a clinically driven programme designed to manage implementation and development of key systems to improve processes for managing patient journeys and patient care within the Trust. The audit will provide assurance over the realisation of the benefits from the investment made.

Limited

The anticipated benefits from implementing the RealTime system were included in the Business Case and the Benefits Matrix, however 27 of the 37 benefits documented in the Benefits Matrix had no baseline data. The benefits had not been sufficiently measured after the system went live to assess if they had been realised and post go-live data for measuring benefits realisation after one year had been undertaken on only seven benefits.

IT Disaster Recovery

Review of the design and operation of arrangements to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

Limited

The IT DR plan was developed when North Cumbria Informatics Service (NCIS) was in place and had not been reviewed or updated since 2012. There had been changes in key personnel named in the document and changes to IT systems and processes, which had not been reflected in the plan.

The priority order for system restoration had not been reviewed or updated since the NCIS IT DR Plan was first developed in 2011/12.

A forward test schedule for off-site recovery testing had not been created to ensure that all critical systems are subject to periodic recovery testing. Documentation provided during the audit indicated that formal test recoveries had been carried out on only a small number of Trust systems.

IT had set up DR ‘battle boxes’ at several locations but these contained the out of date IT DR plans.

Use of NHS number

Compliance with the requirements of the IGT Clinical Information Assurance Standard 401 ‘there is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements’.

Limited

Internal and external documentation does not have patients’ NHS numbers as the primary patient identifiers. Actions identified were not given responsible officers or time frames.


TABLE 3 THIRD PARTY ASSURANCES

Audit Report | Type of Review | Level of Assurance | Comments

ESR – National system

ISAE3402 Type II report - PWC

Overall, the control environment for the ESR Service is effective in helping to achieve the objectives laid out.

Testing of the controls identified some instances where controls were either not designed or operating effectively. These exceptions did not adversely impact the overall achievement of the associated control objectives, as mitigating controls were determined for all but one instance, but we do not consider this as a key control.

NEP provision of the Oracle shared service.

ISAE3402 Type II report - KPMG

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in NEP Shared System Group’s and Capita IBS’s management’s assertions at pages 8-9 and pages 36-37 respectively within the full report. In our opinion, in all material respects:

(a) The Description of controls fairly presents the NEP system as designed and implemented throughout the period from 1st April 2014 to 31st March 2015;

(b) The controls related to the control objectives stated in the Description were suitably designed throughout the period from 1st April 2014 to 31st March 2015; and

(c) The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the period from 1st April 2014 to 31st March 2015.

Payroll Services

3rd party assurance report

Significant assurance

Financial Services

3rd party assurance report

Significant assurance

1 – The following definitions of assurance have been used throughout the table

Significant assurance with no issues of note: Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some minor weakness in the design or inconsistent application of controls can put the achievement of particular objectives at risk.

Significant assurance with issues of note: Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weakness in the design or inconsistent application of controls can put the achievement of particular objectives at risk. An issue of note would be anything which was judged, using the risk register, to be a medium risk and above. Should there be a significant number of these which undermined the system as a whole the assurance would become limited.

Limited assurance: Limited assurance as weaknesses in the design or inconsistent application of controls can put the achievement of the organisation's objectives at risk in the areas reviewed;

No assurance: No assurance as weaknesses in control, or consistent non-compliance with key controls, could result [have resulted] in failure to achieve the organisation's objectives in the areas reviewed.

APPENDIX 3 Northern Internal Audit and Fraud Service

Public Sector Internal Audit Standards Year Ended 31 March 2015

COMPLIANCE WITH PUBLIC SECTOR INTERNAL AUDIT STANDARDS

The Public Sector Internal Audit Standards issued in December 2012 came into effect on 1 April 2013. These standards are in line with best global practice and the International Standards for the Professional Practice of Internal Auditing, and our performance against these standards is set out below:

Public Sector Internal Audit Standards [April 2013] | Evidence of Compliance | Met (Yes / Partial / No)

1000. Purpose, authority and responsibility: The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

An Internal Audit Charter for the provision of internal audit services has been established and agreed between NIAFS and all client organisations, including the Trust. This Charter formally defines the purpose, authority and responsibility of internal audit. The Internal Audit Charter establishes the internal audit activity’s position within the organisation; reporting arrangements; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. It also covers arrangements for appropriate resourcing, the role of internal audit in fraud related work and arrangements for avoiding conflicts of interest. The wording of the Charter is consistent with the Definition of Internal Auditing and the Standards, and the key components of the Code of Ethics are built into the Charter itself. The Charter was approved by the Trust’s Audit Committee at its July Audit Committee meeting.

1100. Independence and objectivity: the internal audit activity must be independent and internal auditors must be objective in performing their work.

NIAFS is managed entirely independently from the management of the Trust, and staff providing the service do not have any executive responsibilities in relation to any client organisations. The Director of Internal Audit, as head of the service, has free and unfettered access to both the Chair of the Audit Committee and the Chief Executive, in their role of Accountable Officer, of each client organisation. This right is built into the Internal Audit Charter. All members of internal audit staff have been issued with a copy of the Public Sector Internal Audit Standards and it is covered on induction for all new members of staff. The need to comply with the standards is also built into job descriptions and into the procedures of NIAFS, and staff understanding of these standards is monitored both via a review of work undertaken and via the NHS Joint Development Review Process. Confidentiality clauses are built into all employment contracts, and staff are also required to comply with the host Trust’s Codes of Conduct and Accountability. In addition, all members of staff are required to formally declare in writing any potential conflicts of interest (including personal relationships) that might impact on their objectivity, and complete an annual declaration of interest.

1200. Proficiency and due professional care: engagements must be performed with proficiency and due professional care.

The Director of Internal Audit holds a full professional qualification, as required by the NHS Internal Audit Standards. The members of staff providing the internal audit service to the Trust have extensive audit experience. All audit staff undertake a programme of continuing professional development, with training needs identified via use of the national KSF system linked to Joint Development Reviews. This process ensures that training needs are identified and action plans put in place to address them, either by means of formal programmes of study, on the job training or by directed personal study. All audit staff are encouraged to study for a professional accountancy or audit qualification, with support towards this provided by NIAFS. In addition, NIAFS are members of and contribute to the NHS Internal Audit Training Group, which provides specialised audit training, tailored to meet locally identified needs. Briefing notes are also issued to all managers on new or emerging issues, relevant circulars or publications etc for dissemination to all staff, and a library of relevant literature is maintained on the NIAFS intranet.

1300. Quality assurance and improvement programme: the chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity.

Quality assurance measures are built into the policies and procedures of NIAFS and cover all aspects of internal audit delivery. All assignments are reviewed by the engagement manager prior to the issue of draft reports. Where assignments are undertaken by managers, the resulting work is then reviewed by the Director of Internal Audit to provide independent oversight. In addition to the review of individual assignments, procedures are regularly reviewed to ensure that they continue to provide a quality service that meets client expectations. During 2014-15, the management team undertook work to identify a common audit universe, enabling the robust development of audit plans and the sharing of information around risks, and this sharing of information was further facilitated by the development of the new NIAFS website, which includes a staff only section. During the year a project was undertaken to explore the potential for automation of internal audit processes; we worked together with internal audit colleagues from another local NHS providers to seek a common and cost effective solution. The system went live on the 1/4/15. The Public Sector Internal Audit Standards require external assessment on a five year basis as well as ongoing performance monitoring. NIAFS have been working with NHS internal audit colleagues nationally on how best to carry out these assessments in the most cost effective manner, and as a result of this work, the external review of NIAFS as required by the Standards has been scheduled for 2015-16. Progress in relation to work being carried out to improve the quality of the work undertaken is reported to the Consortium Board, which oversees NIAFS, by means of an Annual Report to the Consortium, with the 2013-14 Annual Report presented to the May 2014 Consortium meeting. Developments are also reflected in the Annual Reports to individual clients, including the Trust.

2000. Managing the internal audit activity: the chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organisation.

A three year Internal Audit Strategy is drawn up for each internal audit client, outlining the resources and skills required to meet the on-going assurance needs of the Accountable Officer and Audit Committee. Work has been carried out around developing a common audit universe to ensure that all risks are identified and appropriately reflected in the strategic plan. Underpinning this, a risk based audit plan is developed on an annual basis, taking into account the organisation’s risk management framework, including the Board Assurance Framework, and prioritising assurance needs. Both the Strategy and the Annual Internal Audit Plan are subject to scrutiny and approval by the Audit Committee, including agreement of the resources and expertise required to deliver the plan.

2100. Nature of work: the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes, using a systematic and disciplined approach.

Internal audit are structured to deliver work intended to evaluate and contribute to the improvement of governance, risk management and control processes, and this is enshrined in the agreed Internal Audit Charter. The process for planning, conducting and reporting on individual audit assignments is documented within an Internal Audit Manual used by the department, and quality assurance processes ensure that these procedures are followed in practice. There are agreed liaison protocols in place with the Trust’s Local Counter Fraud Specialist and External Auditors and regular meetings and discussions take place.

2200. Engagement planning: internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations.

As well as the Annual Internal Audit Plan, which schedules assignments throughout the year, planning documentation complying with the above requirements is developed for each individual audit assignment. This documentation sets out the objectives of the audit, the scope of coverage, proposed timing of the audit and the resource allocated to the assignment. The key element of this documentation – the preliminary planning sheet – is shared with key contacts for the audit area to ensure that the planned audit meets client needs.

2300. Performing the engagement: internal auditors must identify, analyse, evaluate and document sufficient information to achieve the engagement’s objectives.

NIAFS has established formal procedures to ensure that all audits are carried out in line with best practice, and that auditors, when completing audit reviews, obtain sufficient, reliable and relevant information to enable them to draw appropriate conclusions. All audit assignments are subject to quality assurance review to ensure that these procedures are followed and that the audit is of a sufficiently robust standard.

2400. Communicating results: internal auditors must communicate the results of engagements.

Reports are issued for all individual audit assignments, which set out the objectives and scope of the audit as well as any findings. Reports also give an opinion on the control system that is consistent with IAPG best practice guidance. Reports do not include specific recommendations but instead identify any unmanaged risks. It is then for management to set out how they intend to manage these risks, with NIAFS reserving the right to comment if the resulting action plan is not felt to adequately address the risk. This right forms part of the Internal Audit Charter agreed with each client. NIAFS procedures and the Internal Audit Protocol agreed with each client also set out required timescales for the issue of such reports. Draft reports are sent out following the completion of fieldwork, with management responses due within four weeks, and final reports are issued following the receipt of adequate management responses. Key client contacts are agreed for each assignment as part of the planning process and they, together with identified senior managers, form the basis of distribution lists for the reports. Regular progress reports summarising the outcomes of audit work to date are taken to the Audit Committee, and the conclusions from individual audit reports are included within both the Head of Internal Audit Opinion and the Internal Audit Annual Report each year.

2500. Monitoring progress: the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

A formal follow up process of significant risks identified in internal audit reports has been established and regular reports are taken to the Audit Committee on progress.

2600. Communicating the acceptance of risks: When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Audit reports include both the risks identified during the audit and the related management action, including those areas where the management action is to accept the risk. As noted above, NIAFS reserve the right to comment if the resulting action plan is not felt to adequately address the risk. This right forms part of the Internal Audit Charter agreed with each client, and all significant risks arising out of internal audit work are reported to the Audit Committee during the year. If, after discussion, the Audit Committee are felt to be accepting a level of risk that is unacceptable in light of the organisation’s stated risk appetite, the Internal Audit Charter agreed with each client gives the Director of Internal Audit direct access to the Trust’s Accountable Officer to escalate the issue. Any significant control gaps where action has not been taken, or has not been taken on a timely basis, will also be reflected in the Head of Internal Audit Opinion, which underpins the Annual Governance Statement.

APPENDIX 4 Northern Internal Audit and Fraud Service

Comments Received from Staff and Directors