Draft Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust.
Contents Introduction 1 The Head of Internal Audit Opinion 2 Commentary 3 Appendix 1 - Key to Assurance Levels 7 Appendix 2 - Statement of Responsibility 8 This report and the work connected there with are subject to the Terms and Conditions of the Contract dated the 16th June 2010 between Portsmouth Hospitals NHS Trust on behalf of the Audit Consortium and Deloitte & Touche Public Sector Internal Audit Limited. The report is confidential and produced solely for the use of the Isle of Wight NHS Trust. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust
Introduction Purpose of this Report Based on the work that Internal Audit has undertaken in 2012/13, this report provides the Head of Internal Audit Opinion on the effectiveness of the system of internal control at Isle of Wight NHS Trust for the year ended 31 March 2013. Roles and Responsibilities The whole Board is collectively accountable for maintaining a sound system of internal control and is responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system. The Annual Governance Statement (AGS) is an annual statement by the Accountable Officer, on behalf of the Board, setting out: how the individual responsibilities of the Accountable Officer are discharged with regard to maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, whilst safeguarding public funds; the purpose of the system of internal control as evidenced by a description of the risk management and review processes, including the Assurance Framework process; and the conduct and results of the review of the effectiveness of the system of internal control including any disclosures of significant control failures together with assurances that actions are or will be taken where appropriate to address issues arising. The organisation s Assurance Framework should bring together all of the evidence required to support the AGS requirements. In accordance with NHS Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of the organisation s risk management, control and governance processes (i.e. the organisation s system of internal control). This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described below. The opinion does not imply that Internal Audit have reviewed all risks and assurances relating to the organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a robust and organisation-led Assurance Framework. As such, it is one component that the Board takes into account in making its AGS. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 1
The Head of Internal Audit Opinion The purpose of my Annual HoIA Opinion is to contribute to the assurances available to the Accountable Officer and the Board which underpin the Board s own assessment of the effectiveness of the organisation s system of internal control. This Opinion will in turn assist the Board in the completion of its AGS. My opinion is set out as follows: 1. Overall Opinion; 2. Basis for the Opinion; and 3. Commentary. Overall Opinion My overall opinion is that: Significant assurance can be given that there is a generally sound system of internal control, designed to meet the organisation s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls, put the achievement of particular objectives at risk. Basis for the Opinion The basis for forming my opinion is as follows: 1. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes; 2. An assessment of the range of individual opinions arising from risk-based audit assignments contained within internal audit risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management s progress in respect of addressing control weaknesses; and 3. Any reliance that is being placed upon third party assurances. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 2
Commentary The commentary below provides the context for my opinion and together with the opinion should be read in its entirety. The Design and Operation of the Assurance Framework and Associated Processes Our work in relation to the Assurance Framework and Risk Management consisted of an evaluation of the processes by which the Board obtains assurance on the effective management of significant risks relevant to the organisation s principal objectives. An Assurance Framework has been developed aligned with organisational objectives. Significant risks and key controls are identified and included on the framework which is subject to regular review. Controls and assurances are evaluated to identify gaps. Management have accepted a number of recommendations to strengthen the Assurance Framework. Areas for improvement include the need for the review dates of action plans on the Board Assurance Framework to be adhered to or reasons for delays recorded and the assurance level RAG ratings on the Board Assurance Framework to be consistent with the Trust s methodology. Conclusion It is my opinion that we can provide Substantial Assurance that the Assurance Framework is sufficient to meet the requirements of the 2012/13 AGS and provide a reasonable assurance that there is an adequate and effective system of internal control to manage the significant risks identified by the Trust. The Range of Individual Opinions Arising from Risk-Based Audit Assignments, contained within risk-based plans that have been reported throughout the year Planning The Assurance Framework provides a high level governance framework to ensure that the key risk areas likely to impact the organisation s business objectives are properly controlled. We therefore use the Assurance Framework to drive our annual planning. As part of the Risk Assessment that feeds into our planning, we use information contained in business plans, committee minutes, risk registers and the assurance framework, as well as interviewing directors and managers to aid our understanding of organisational processes. No limitation of scope or coverage was placed upon our internal audit work. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 3
Results of Internal Audit Work Our plan consisted of the following audits (and assurance levels): Financial Feeder Systems Substantial Assurance Financial Reporting and Budgetary Control Substantial Assurance Human Resources: Sickness Absence Management Substantial Assurance Human Resources: Starters and Leavers Substantial Assurance Patient Experience Substantial Assurance Emergency Planning Substantial Assurance Facilities and Estates Limited Assurance Location and Ward Visits Limited Assurance Pharmacy Substantial Assurance Waiting List Management / Patient Choice Substantial Assurance Theatre Usage Substantial Assurance Bed Management Substantial Assurance Clinical Governance Substantial Assurance Infection Control Substantial Assurance Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 4
CQC Requirements Substantial Assurance Safeguarding Children and Vulnerable Adults Limited Assurance Quality Accounts Substantial Assurance Board Assurance Framework and Risk Management Substantial Assurance Freedom of Information and Data Protection Substantial Assurance Information Governance No Opinion provided due to the nature of the work Information Technology Audit deferred to Q1 2013/14 at request of audit lead Contracting Substantial Assurance Balance Sheet Split Substantial Assurance Overall we have seen an improvement in the control environment based on the total number of recommendations raised and the assurance opinions issued. In particular, the percentage of substantial assurance opinions has increased from the previous year. This reflects the effort made by management to address key control recommendations raised in the year. The table below summarises the assurance gradings for our risk-based audit assignments: Assurance Gradings 2012/13 2011/12 Full 0-0 - Substantial 18 82% 23 76% Limited 3 14% 2 7% Nil 0-0 - No Opinion Provided 1 [1] 4% 5 17% Total 22 100% 30 100% [1] An Assurance opinion has not been provided for the Internal Audit of Information Governance. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 5
During the year good progress has been made in the implementation of outstanding audit recommendations and a significant number of recommendations from previous years have now been confirmed as completed. This focus on the implementation of recommendations needs to continue to ensure the Audit Committee is receiving adequate assurance that control weaknesses are being addressed. Independent verification of successful implementation was undertaken as part of our ongoing recommendation follow up work. In this report, we have drawn on the findings and assessments included in all internal audit reports issued in 2012/13, including those that, at this time, remain in draft. It should be noted therefore that the comments made in respect of any draft reports are still subject to management response. Performance of Internal Audit At the start of the contract, a number of performance indicators were formulated to monitor the delivery of the Internal Audit service to the Trust. The table below shows the actual and targets for each indicator for the period: Performance Measure Target Actual Percentage of Internal Audit plan completed 100% 100% A close out meeting to be held for each audit 100% 100% Average period between the close out meeting and issue of the draft report 15 days 10.5 days Average period between the receipt of final management responses and issue of the final report 10 days 0.1 days Average customer satisfaction score (measured by survey for each audit) (Target: average score of 4 or above) 4 4.05 Andy Jefford Head of Internal Audit 8 April 2013 Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 6
Appendix 1 - Key to Assurance Levels Assurance Gradings We have four categories by which we classify internal audit assurance over the processes we examine, and these are defined as follows: Assurance Level Full Substantial Limited Evaluating and Testing Conclusion There is a sound system of internal control designed to achieve the client s objectives. The control processes tested are being consistently applied. While there is a basically sound system of internal control, there are weaknesses, which put some of the client s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the client s objectives at risk. Weaknesses in the system of internal controls are such as to put the client s objectives at risk. The level of non-compliance puts the client s objectives at risk. Nil Control processes are generally weak leaving the processes/systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse. The assurance gradings provided above are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of Full Assurance does not imply that there are no risks to the stated objectives. Recommendation Gradings In order to assist management in using our internal audit reports, we categorise our recommendations according to their level of priority as follows: Priority Level Staff Consulted 1 Major issues for the attention of senior management and the audit committee. 2 Important issues to be addressed by management in their areas of responsibility 3 Minor issues resolved on site with local management. Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 7
Appendix 2 - Statement of Responsibility We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board. Deloitte & Touche Public Sector Internal Audit Limited South West April 2013 In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No 4585162. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited Head of Internal Audit Opinion 2012/13 Isle of Wight NHS Trust 8