NHS Dorset Clinical Commissioning Group. Internal Audit Annual Report 2014/15. May 2015

Transcription

1 Internal Audit Annual Report 2014/15 May 2015

2 Internal Audit Annual Report INTRODUCTION This is the 2014/15 Annual Report by TIAA on the internal control environment at Dorset Clinical Commissioning Group. The annual internal audit report summarises the outcomes of the reviews we have carried out on the organisation s framework of governance, risk management and control. The Head of Internal Audit s annual opinion is designed to assist the Accountable Officer and the Governing Body in making their annual governance statement on internal controls assurance. SUMMARY HEAD OF INTERNAL AUDIT S ANNUAL OPINION I am satisfied that sufficient internal audit work has been undertaken to allow me to draw a reasonable conclusion as to the adequacy and effectiveness of Dorset Clinical Commissioning Group s internal control processes. In my opinion, I can give reasonable assurance that Dorset Clinical Commissioning Group has adequate and effective management, internal control processes to manage the achievement of its objectives. (Detailed Opinion statement is at Annex A) INTERNAL AUDIT PLANNED COVERAGE AND OUTPUT The 2014/15 Annual Audit Plan approved by the Audit and Quality Committee was for 210 days of internal audit coverage in the year. All the planned work has been carried out and the reports have been issued (Annex B). There was no work carried out which was in addition to the work set out in the Annual Audit Plan. OPERATIONAL ASSURANCE A number of factors have been considered as the contextual setting for our Head of Audit Opinion including: The Clinical Commissioning Group had an original planned surplus of 12,610k, which had been revised to 14,832k, as reported as being achieved in the draft accounts. This had arisen due to 2,222k returned to the Clinical Commissioning Group by NHS England under the risk pool for legacy continuing healthcare payments. TIAA carried out 16 assurance reviews, which were designed to ascertain the extent to which the internal controls in the system are adequate to ensure that activities and procedures are operating to achieve Dorset Clinical Commissioning Group s objectives. For each assurance review an assessment of the combined effectiveness of the controls in mitigating the key control risks was provided. Details of these are provided in Annex C and a summary is set out below. Assurance Assessments Number of Reviews Substantial Assurance 3 Reasonable Assurance 9 Limited Assurance 4 No Assurance 0 The areas on which the assurance assessments have been provided can only provide reasonable and not absolute assurance against misstatement or loss and their effectiveness is reduced if the internal audit recommendations made during the year have not been fully implemented. Page 2

3 We made the following total number of recommendations on our audit work carried out in 2014/15. The number in brackets refers to the number of these recommendations which had not been cleared by the year end. Urgent Important Routine 10(3) 44(19) 28(15) Control weaknesses: There were four areas reviewed by internal audit where it was assessed that the effectiveness of some of the internal control arrangements provided limited' assurance. Recommendations were made to further strengthen the control environment in these areas and the management responses indicated that the recommendations had been accepted. Follow up audit work has shown that progress is being made to implement the agreed actions. AUDIT SUMMARY Direction of Travel: This was the first year that we have analysed our findings/recommendations by risk area and these are summarised below. Urgent Important Routine Urgent Important Routine Operational Effectiveness Opportunities: One of the roles of internal audit is to add value and during the financial year we provided advice on opportunities to enhance the operational effectiveness of the areas reviewed and the number of these opportunities is summarised below. Operational 12 Urgent Important Routine Urgent Important Routine SIGNIFICANT ISSUES IDENTIFIED There were a number of issues identified during the course of our work in 2014/15 and these are summarised in Annex D. DESIGN & OPERATION OF ASSURANCE FRAMEWORK AND ASSOCIATED PROCESSES The Governing Body Assurance Framework was revised during the year to make it a more practical tool. It is a live document with better engagement from executives and it is updated monthly with links to evidence of positive assurance obtained. The strategic risks have been identified with their individual related corporate risks. A reasonable assurance opinion was provided on the audit work as some areas of improvement were noted, see Annex D. Page 3

4 RANGE OF INDIVIDUAL OPINIONS ARISING FROM RISK-BASED AUDITS IN THE YEAR Of the 16 reports issued during 2014/15, three were issued with a substantial assurance, nine with reasonable assurance and four with limited assurance opinions. See Annex C for further details. RELIANCE PLACED UPON THIRD PARTY ASSURANCES During the year I have liaised with the CCG s external auditors and Local Counter Fraud Specialist. We note that year end assurances have not yet been made available from the Shared Business System service auditors. INDEPENDENCE AND OBJECTIVITY OF INTERNAL AUDIT There were no limitations or restrictions placed on the internal audit service which impaired either the independence or objectivity of the service provided. PERFORMANCE AND QUALITY ASSURANCE The following Performance Targets were used to measure the performance of internal audit in delivering the Annual Plan. ADDED VALUE During the year TIAA has supported the CCG and its Audit and Quality Committee through the provision of regular updates, briefings, fraud alerts, networking opportunities, benchmarking reports and other technical digests. Our report formats and audit systems have continued to be enhanced in order to help clients focus on key issues arising. We have also invested in development of an online client portal, including action tracker, which will be made available from 2015/16. TIAA has been involved in the design phase of the Dorset Clinical Service Review project, providing timely input into governance arrangements, audit trails and reporting structures. RELEASE OF REPORT The table below sets out the history of this Annual Report. Date Report issued: 13 th May 2015 Performance Measure Target Attained Completion of Planned Audits 100% 100% Audits Completed in Time Allocation 100% 100% Final report issued within 10 working days of receipt of responses Compliance with Public Sector Internal Audit Standards 95% 100% 100% 100% Ongoing quality assurance work was carried out throughout the year and we continue to comply with ISO 9001 standards. An independent review was carried out and this confirmed our work was carried out in accordance with the IIA-UK Professional Standards. Page 4

5 Annexes Annex A Head of Internal Audit Opinion on the Effectiveness of the System of Internal Control for the Year Ended 31 March 2015 The purpose of my annual HoIA Opinion is to contribute to the assurances available to the Accountable Officer and the Governing Body which underpin the Governing Body s own assessment of the effectiveness of the organisation s system of internal control. This Opinion will in turn assist the Governing Body in the completion of its Annual Governance Statement. My opinion is set out as follows: 1. Overall opinion; 2. Basis for the opinion; and 3. Commentary. My overall opinion is that o Reasonable assurance can be given that there is a generally sound system of internal control, designed to meet the organisation s objectives, and that controls are generally being applied consistently. However, some weakness in the design and/or inconsistent application of controls, put the achievement of particular objectives at risk; The basis for forming my opinion is as follows: 1. An assessment of the design and operation of the underpinning Assurance Framework and supporting processes; and 2. An assessment of the range of individual opinions arising from risk-based audit assignments, contained within internal audit risk-based plans that have been reported throughout the year. This assessment has taken account of the relative materiality of these areas and management s progress in respect of addressing control weaknesses. Additional areas of work that may support the opinion will be determined locally but are not required for Department of Health purposes e.g. any reliance that is being placed upon Third Party Assurances. Page 5

6 Annex B Actual against planned Internal Audit Work 2014/15 System Type Planned Days Actual Days Comments Continuing Healthcare (Adults) Assurance Personal Healthcare (Adults) Assurance Governance Arrangements around the appointment and monitoring of the Facilities Contractor Assurance 5 5 IT Asset Hardware Management Assurance Contract Monitoring Provider Services Compliance Corporate Governance Arrangements Assurance Safeguarding Children Assurance Clinical Commissioning Programmes Assurance Financial Controls Compliance Information Governance Toolkit v12 Compliance Governance Arrangements around primary care Assurance Follow up audit on topics with limited assurance Assurance Assurance Framework and Risk Management Assurance 8 8 Organisational Development Assurance Contract Monitoring of the Commissioning Support Services Compliance Patient Transport Services Compliance Clinical Services Review Advisory Benchmarking Advisory 6 6 Audit & Quality Committee preparation and attendance N/A 8 8 Page 6

7 Attendance and preparation at the Quality Group, Information Governance Group and CSR Project Group N/A Annual Report, Annual Plan, Management of the plan N/A Follow up of progress on actions and liaison with other bodies N/A Page 7

8 Annex C Assurance Assessments 2014/15 System Substantial Assurance Reasonable Assurance Limited Assurance No Assurance Continuing Healthcare (Adults) Personal Healthcare (Adults) Assurance Review of the Governance Arrangements around the appointment and monitoring of the Facilities Contractor IT Asset Hardware Management Contract Monitoring Provider Services Corporate Governance Arrangements Safeguarding Children Clinical Commissioning Programmes Financial Controls Information Governance Toolkit v12 Governance Arrangements around primary care Follow up audit on topics with limited assurance Assurance Framework Organisational Development Contract Monitoring of the Commissioning Support Services Patient Transport Services Page 8

9 Significant Issues Identified during 2014/15 Annex D The findings of all audit reports issued to date from the Annual Plan, as well as progress against any outstanding at this time, have been reported to the Audit and Quality Committee through interim reports during the year. The key issues, or themes, that emerged from the internal audit work are set out below. Continuing Healthcare (Adults) Progress in implementing the Information Governance action plan had been slow; There were inconsistencies between processes in the CHC departments in the East and the West of the county even though standard procedures are in place; specifically the use of medical records logs; Procedures to confirm changes in the status of clients require strengthening; and CHC adverse incident reports were not being closed on a timely basis. Personal Health budgets (Adults) Contract arrangements with PHB providers and independent support agencies do not exist for PRO-Disability and Enham and could not be obtained at the time of the audit for the other three agencies; PHB care and financial reviews were not always carried out after the first three months; and Action was not always taken to rectify the situation where the PHB bank balance considerably exceeds the threshold of six weeks allocated PHB budget. Governance Arrangements around the appointment and monitoring of the Facilities Contractor The Facilities Contractor utilised his own Company to undertake work and Dorset CCG was not aware of the conflict of interest; Non-compliance with SFIs for quotes and reports to the Governing Body; Lack of documentation to support financial monitoring; Lack of clear documentation to support changes to the works specification; and Lack of documentation to support some key decisions Page 9

10 IT Hardware Asset Management IT Hardware Asset Management policy and procedures are to be developed; The CCG s IT hardware assets were not recorded on one IT hardware asset management system; There was no process to reconcile IT hardware asset purchases with the IT Hardware Asset Register; The Deane IT hardware asset list was incorrect; No sample check had been performed of IT hardware for GPs in the East of the County; A check be performed to confirm software agents installed on IT assets are connecting to the Snow asset system; The information currently recorded on the Snow system was insufficient; and The CCG s hard drive destruction record was not complete and accurate. Corporate Governance Arrangements (including conflicts of interest) Dorset CCG has made progress in embedding conflicts of interest processes. Some recommendations were made to enhance this process; Dorset CCG has published on its website a number of registers of interests covering in excess of 150 individuals. Audit testing did identify that the register for Paid GPs, CCP members and Other register was incomplete; In some cases, Locality Group meeting lunches or events had been sponsored by drug companies. This had not been made aware to the Governing Body Secretary; and During the period tested, Dorset CCG had awarded a total of 37 contracts without competition. Since the introduction of the enhanced authorisation processes, scrutiny and reporting of these contracts is being undertaken. Assurance Framework The Governing Body Assurance Framework focusses on sources of assurance rather than an assessment of the control an assurance and its impact on the delivery of strategic risk. A number of areas were identified where more evidence does exist but it had not been included; and Page 10

11 Work on mapping the remit of committees and groups and the completion of a template by each to confirm that they have scrutinised and agreed with the assurances detailed is being introduced. The ordering of the controls in the document to reflect the level of assurance provided will assist in understanding the impact of the assurances provided. Clinical Services Review Advisory work by TIAA to support the Dorset Clinical Services Review project. Specific advice around the governance arrangements and documentation of audit trails to support the products from the work-streams. Financial Controls Robust financial accounting processes were operating throughout the organisation; Month end routines were established for the production of reliable and timely formal reports to the Governing Body; and Local payroll controls were operating effectively for the areas tested. Information Governance Toolkit (v12) The CCG had provided sufficient evidence to support its self-assessed scores. Page 11