tiaa Head of Internal Audit Annual Opinion 2013/14 Wandsworth CCG FINAL May 2014 2013/14
FORMAL ANNUAL OPINION OF THE HEAD OF INTERNAL AUDIT ROLES AND RESPONSIBILITIES The whole Governing Body is collectively accountable for maintaining a sound system of internal control and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system. The Annual Governance Statement (AGS) is an annual statement by the Accountable Officer, on behalf of the Governing Body, setting out: how the individual responsibilities of the Accountable Officer are discharged with regard to maintaining a sound system of internal control that supports the achievement of policies, aims and objectives; the purpose of the system of internal control as evidenced by a description of the risk management and review processes, including the Assurance Framework process; the conduct and results of the review of the effectiveness of the system of internal control including any disclosures of significant control failures, together with assurances that actions are or will be taken where appropriate to address issues arising. The organisation s Assurance Framework should bring together all of the evidence required to support the AGS requirements. In accordance with Public Sector Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation s risk management, control and governance processes (i.e. the organisation s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described below. The opinion does not imply that Internal Audit have reviewed all risks and assurances relating to the organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a robust and organisation-led Assurance Framework. As such, it is one component that the Governing Body takes into account in making its AGS. THE HEAD OF INTERNAL AUDIT OPINION The purpose of the annual HoIA Opinion is to contribute to the assurances available to the Accountable Officer and the Governing Body which underpin the Governing Body s own assessment of the effectiveness of the organisation s system of internal control. This Opinion will in turn assist the Governing Body in the completion of its AGS. During the year, Parkhill merged with TIAA Limited. This opinion from TIAA Limited covers the whole of the year, and we have therefore relied on work carried out by Parkhill prior to their transfer to us on 1st October 2013. This opinion is not entirely based on work directly carried out by TIAA Limited for the whole period. When forming this opinion TIAA Limited has taken in good faith the audit assurances previously reported by Parkhill. TIAA does not however accept any liability for errors, omissions or other inaccuracies relating to work completed prior to TIAA taking over responsibility for delivery of audit work on 1st October 2013. Page 2 of 5
TIAA s opinion is set out as follows: 1. Overall opinion; 2. Basis for the opinion; and 3. Commentary. TIAA s overall opinion is that: Significant assurance can be given that there is a generally sound system of internal control, designed to meet the organisation s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls, put the achievement of particular objectives at risk; The basis for forming TIAA s opinion is as follows: 1. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes; and 2. An assessment of the range of individual opinions arising from risk-based audit assignments, contained within internal audit risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management s progress in respect of addressing control weaknesses. Additional areas of work that may support the opinion will be determined locally but are not required for DH purposes e.g. 3. Any reliance that is being placed upon Third Party Assurances. The commentary below provides the context for TIAA s opinion and together with the opinion should be read in its entirety. 1. DESIGN & OPERATION OF ASSURANCE FRAMEWORK AND ASSOCIATED PROCESSES The Governing Body is responsible for putting in place arrangements for gaining assurance about the effectiveness of the organisation s system of internal control. The Assurance Framework (AF) provides NHS organisations with a simple but comprehensive method for the effective and focussed management of the principal risks that arise in meeting their objectives. It provides a structure for the evidence to support the Annual Governance Statement. The AF also facilitates reporting key information to Governing Body, providing it is maintained as a dynamic document. Assurance Frameworks must be in place for the full year ended 31 March 2014 and up to the date of approval of the annual accounts and report, to meet the requirements of the Annual Governance Statement. Keeping the above in mind, we carried out a review of Wandsworth CCG s Assurance Framework and associated arrangements on two separate occasions in this financial year. The first review finalised in August 2013 was a benchmarking exercise where we compared Wandsworth CCG's AF with those of ten other CCGs selected both within and outside of London. The AFs used were reported to the relevant Governing Boards in April or May 2013 and the information assessed was publicly available on CCG websites. A number of best practice recommendations were agreed as part of this review which have subsequently been satisfactorily implemented by management. Page 3 of 5
The second review completed in March 2014, assessed the management and control arrangements in place in respect of the following risks: The AF and Risk Management processes are not documented, or effectively understood and integrated with key processes; The AF document does not sufficiently cover organisational objectives, risks, controls and related assurance on these. The document does not adequately identify gaps and actions and is too long/short, unclear or poorly structured; Lack of ownership and oversight of the AF and Corporate Risk Register by Management and the Governing Body could lead to risks not being adequately managed We gave a Substantial Assurance audit opinion for this review based on the outcome of our discussions with staff and a review of key documentation such as the AF and the Risk Register, together with policy documents and minutes from relevant committees. We are satisfied that the CCG has an adequate AF document in place which is regularly monitored and updated. A total of six medium priority and best practice recommendations were raised in this review which will be implemented by management in 2014/15. The main concerns raised were around risk management processes as detailed below: The Risk Review Group set up in June 2013 whose responsibility was solely to scrutinise risks including mitigation plans, evidence, scoring, descriptions and highlighting changes to the risk register, had not met on a regular basis; There has been no formal risk management training in 2013/14; The CCG should review the items on the BAF listed as Gaps in Assurance and Controls to ensure that gaps identified are really gaps and not assurance or actions. 2. RANGE OF INDIVIDUAL OPINIONS ARISING FROM RISK-BASED AUDITS IN THE YEAR The following risk based audit assignments were carried out this financial year to date: Board Assurance Framework Benchmarking Letter Budget Setting & Budgetary Control - Adequate Assurance Delivery of Savings & QIPP Plans Substantial Assurance Business Intelligence Group Substantial Assurance Board Assurance Framework Substantial Assurance IG Toolkit Version 11.0 Substantial Assurance A Limited Assurance Opinion was provided for the following review: Management of Contracts Database Limited Assurance 3. RELIANCE PLACED UPON THIRD PARTY ASSURANCES KPMG the Internal Auditors for the South London Commissioning Support Unit (SLCSU) have provided a final report on Financial Systems in May 2014. We note from the report that there are no significant control weaknesses and the overall audit opinion provided is Adequate Assurance. Page 4 of 5
4. LIMITATIONS OF SCOPE The only limitation to the scope for this financial year was that our work covered the Wandsworth CCG operated controls whilst reliance is placed on KPMG for their assurances on controls operated on behalf of the CCG by SLCSU. The matters raised in this report are not necessarily a comprehensive statement of all the weaknesses that exist or all the improvements that might be made. This report has been prepared solely for management's use and must not be recited or referred to in whole or in part to third parties without our prior written consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose. TIAA neither owes nor accepts any duty of care to any other party who may receive this report and specifically disclaims any liability for loss, damage or expense of whatsoever nature, which is caused by their reliance on our report. Page 5 of 5