Session 5: Risk Management, Assurance and Audit
Claire Lea, Friday 7 October 2016, 4pm
My microphone is currently muted
Today’s plan
• Recap and introduction
• Principles and significance of risk management
• Effective risk management systems
• Board of director responsibilities for internal control
• Audit Committee and external audit
• Concluding remarks
Recap on last session
• Definitions of governance
• Complexity and diversity of stakeholders
• Management vs governance
• NHS Structure & Constitution
• Governance and the Law
• Theoretical frameworks
• Board structure and committees
• Directors' duties and liabilities
• The effective board
• Role of the Chair, Executive Directors, Non-Executive Directors and the Company Secretary
Risk management
Effective risk management can be likened to the survival of a living organism.

Darwin's Theory of Evolution is often summed up by the phrase ‘the survival of the fittest’. However, the most important element is ‘the capacity of adaptation’.

Effective risk management is therefore not only a system of processes but also a series of behaviours.
FRC Guidance on risk management, internal control and related business reporting
Snappy title for the latest guidance (2014) on risk management! However, it introduces a step change:
• New strategic report in the corporate sector – requires boards to report annually on their principal risks
• Challenge is to include behavioural and organisational risk
• Risk has a higher profile in the NHS with the work of the Audit Committee and the Board Assurance Framework
• Need to consider downside and upside risk
Board’s responsibilities
• Ensuring the design/implementation of risk management and internal control systems that identify risks and enable a robust assessment of the principal risks;
• Determining the nature/extent of the principal risks faced and the risks which the organisation is willing to take to achieve its strategic objectives (determining its ‘risk appetite’);
• Ensuring that culture and reward systems have been embedded throughout the organisation;
• Agreeing how principal risks are managed/mitigated to reduce their likelihood or impact;
Board’s responsibilities
• Monitoring and reviewing the risk management and internal control systems, and management’s process of monitoring and reviewing, and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary; and
• Ensuring sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control.
Types of risk
What risks can you name?
Types of risk
• Financial risk
• Operational risk
• Reputational risk
• Behavioural risk
• Third-party or competition risk
• External risks
Risk management system
• Risk registers and risk identification
• Risk evaluation and scoring
• Risk management measures and mitigation
• Risk control and review
Risk management and governance
Internal control systems
• Financial controls
• Operational controls
• Compliance controls
• In-year reports and annual review
• Head of Internal Audit Opinion
Assurance
Performance reporting
• Single Oversight Framework replacing the TDA, Monitor and CCG assurance frameworks
Quality Governance
• CQUINs
• Quality Accounts
• CQC rating
Financial reporting
• Annual report and accounts
• Monthly reporting
• Directors' duties and responsibilities – break even and going concern
Assurance statements
• Corporate governance statement
• Annual governance statement
• Board Assurance Framework
• Integrated reporting
The role of audit
• Function and scope of external audit – external scrutiny, true and fair view, unqualified opinion.
• Independent
• Function and scope of internal audit – independent review of risk management and internal control processes.
• Directors remain responsible for preventing and detecting fraud and for the information in the annual report and accounts.
Independence of external audit
• Self-interest threats:
• Self-review threat:
• Advocacy threat:
• Familiarity threat:
• Intimidation threat:
• Debate: non-audit work prohibited or restricted; regular rotation of audit firm or audit partner
• How do these measures protect the independence of the auditors?
Audit Committee
• HFMA Handbook for NHS Audit Committees extends the role beyond financial controls
• Membership is solely non-executive directors
• Chair is not allowed to be a member
• Training, induction and remuneration of members
• Appointment and removal of auditors
• Assessment of independence
• Non-audit work
• Whistleblowing/raising concerns/Freedom to Speak Up
Concluding remarks
• Assurance is a key mechanism for holding management to account.
• It also provides a regular assessment of progress towards an organisation’s strategic objectives.
• Assurance should be forward looking as well as backward looking.
Following this session
• Session slides and content
• Test your knowledge questions from the study guide
• Session 6: Foundation Trusts. Friday 14 October 9:30 am
• Results of Task 1 will be sent via email to you individually on Thursday 13 October by 5pm.
• Further questions
Thank you