The Audit Findings for NHS Dorset Clinical Commissioning Group

The Audit Findings for NHS Dorset Clinical Commissioning Group Year ended 31 March 2015 27 th May 2015 Barrie Morris Director T 0117 305 7708 E barrie.morris@uk.gt.com Hannah Morris Manager T 0117 305 7860 E hannah.l.morris@uk.gt.com Nicky Norris Executive T 0117 305 7892 E nicky.h.norris@uk.gt.com 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Private and Confidential NHS Dorset CCG Vespasian House Barrack Road Dorchester DT1 1TG 27 th May 2015 Dear members of the Audit and Quality Committee, Grant Thornton UK LLP Hartwell House 55-61 Victoria Street Bristol BS1 6FT T +44 (0)117 305 7600 www.grant-thornton.co.uk Audit Findings for NHS Dorset Clinical Commissioning Group for the year ending 31 March 2015 This Audit Findings report highlights the significant findings arising from the audit for the benefit of those charged with governance, as required by International Standard on Auditing (UK & Ireland) 260. Its contents have been discussed with management. As auditors we are responsible for performing the audit, in accordance with International Standards on Auditing (UK & Ireland), which is directed towards forming and expressing an opinion on the financial statements that have been prepared by management with the oversight of those charged with governance. The audit of the financial statements does not relieve management or those charged with governance of their responsibilities for the preparation of the financial statements. The contents of this report relate only to those matters which came to our attention during the conduct of our normal audit procedures which are designed primarily for the purpose of expressing our opinion on the financial statements. Our audit is not designed to test all internal controls or identify all areas of control weakness. However, where, as part of our testing, we identify any control weaknesses, we will report these to you. In consequence, our work cannot be relied upon to disclose defalcations or other irregularities, or to include all possible improvements in internal control that a more extensive special examination might identify. We do not accept any responsibility for any loss occasioned to any third party acting, or refraining from acting on the basis of the content of this report, as this report was not prepared for, nor intended for, any other purpose. We would like to take this opportunity to record our appreciation for the kind assistance provided by the finance team and other staff during our audit. Yours faithfully, Barrie Morris Engagement Lead, for Grant Thornton UK LLP Chartered Accountants Member firm within Grant Thornton International Ltd Grant Thornton UK LLP is a limited liability partnership registered in England and Wales No: OC307742. Registered office: Grant Thornton House, Melton Street, Euston Square, London NW1 2EP. A list of members is available from our registered office. Grant Thornton UK LLP is authorised and regulated by the Financial Services Authority for investment business. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 2

Contents Section Page 1. Executive summary 4 2. Audit findings 8 3. Value for Money 20 4. Fees, non-audit services and independence 24 5. Communication of audit matters 26 Appendices A Action plan B Audit opinion 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 3

Section 1: Executive summary 01. Executive summary 02. Audit findings 03. Value for Money 04. Fees, non audit services and independence 05. Communication of audit matters 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Executive summary Executive summary Purpose of this report This report highlights the key issues affecting the results of NHS Dorset Clinical Commissioning Group (the CCG) and the preparation of the CCG's financial statements for the year ended 31 March 2015. It is also used to report our audit findings to management and those charged with governance in accordance with the requirements of International Standard on Auditing (UK & Ireland) 260. Under the Audit Commission's Code of Audit Practice (the Code) we are required to report whether, in our opinion, the CCG's financial statements present a true and fair view of the financial position. We are also required to: reach a formal conclusion on whether the CCG has put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources (the Value for Money Conclusion) report our opinion on whether in all material respects the expenditure and income reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them (the Regularity Opinion). Introduction In the conduct of our audit we have not had to alter or change our audit approach, which we communicated to you in our Audit Plan dated 8 April 2015. Our audit is substantially complete although we are finalising our procedures in the following areas: Engagement Lead review of solicitor's response regarding potential legal claims review of approved management responses and going concern assessment obtaining and reviewing the management letter of representation and updating our post balance sheet events review, to the date of signing the opinion. We received draft financial statements and accompanying working papers at the commencement of our work, in accordance with the national deadline. Key audit and financial reporting issues Financial statements opinion We have not identified any adjustments affecting the CCG's comprehensive net expenditure position. The draft and audited financial statements for the year ended 31 March 2015 recorded a total comprehensive net expenditure of 955,641K. We have recommended a number of adjustments to improve the presentation of the financial statements and the CCG has implemented these. The key messages arising from our audit of the CCG's financial statements are: the draft accounts and annual report presented for audit were of good quality with appropriate supporting working papers; whilst our initial review of the annual report, remuneration report and annual governance statement identified some presentational, all of the required sections, as detailed in the manual for accounts, had been covered; and further presentational changes were also required to the financial statements including a misclassification between NHS receivables and payables totalling 1.057 million. Further details are set out in section two of this report. We anticipate providing a unqualified audit opinion in respect of the financial statements (see Appendix B). 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 5

Executive summary Regularity opinion As well as an opinion on the accounts, we are required to give a regularity opinion on whether expenditure has been incurred 'as intended by Parliament'. Failure to meet statutory financial targets automatically results in a qualified regularity opinion. We are pleased to report that, based on our review of the CCG's expenditure we propose to give an unqualified regularity opinion. Value for money conclusion We are also pleased to report that, based on our review of the CCG's arrangements to secure economy, efficiency and effectiveness in its use of resources, we propose to give an unqualified VFM conclusion. Further detail of our work on Value for Money is set out in section three of this report. Agreement of Balances and Whole of Government Accounts (WGA) Our audit work has identified the following variances in the NHS agreement of balances (AoB) process: Variance of 1.152m with The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust which relates to real time transfers and maternity pathways which have not been recorded by the hospital trust. Two consistency differences have been noted in agreeing the final accounts to the NHS template. 1. Relates to the opening cost and opening depreciation on IT assets both of which should be 575k. Due to limitations within the template and protected cells this cannot be adjusted in prior year balances. 2. Services for Local Authorities have been reclassified in the accounts totalling 8.894m to purchase of healthcare from non NHS rather than Supplies and Services General as they are shown in the template. Whilst the variances described are not material to the CCG's financial statements, we are required to report them in our assurance letter to the National Audit Office (NAO) for Whole of Government Accounts purposes. The NAO has stated that where significant variances exist they may conduct further detailed investigation. Controls Roles and responsibilities The CCG's management is responsible for the identification, assessment, management and monitoring of risk, and for developing, operating and monitoring the system of internal control. Our audit is not designed to test all internal controls or identify all areas of control weakness. However, where, as part of our testing, we identify any control weaknesses, we report these to the CCG. Findings We draw your attention in particular to IT control issues identified: there are 11 people with full domain administrator rights. This is an inappropriately high number for the size of the IT function and the organisation it supports; the system does not lock out users after a reasonable number of unauthorised entry attempts; there are no proactive reviews of user access permissions within active directory and IT applications; and there is a lack of routine penetration tests and vulnerability assessments. Further details are provided within section two of this report. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 6

Executive summary The way forward Matters arising from the financial statements audit and our review of the CCG's arrangements for securing economy, efficiency and effectiveness in its use of resources have been discussed with the Chief Finance Officer and the finance team. We have made a small number of recommendations, which are set out in the action plan. Recommendations have been discussed and agreed with the Chief Finance Officer and the finance team. Acknowledgement We would like to take this opportunity to record our appreciation for the assistance provided by the finance team and other staff during our audit. Grant Thornton UK LLP 27 May 2015 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 7

Section 2: Audit findings 01. Executive summary 02. Audit findings 03. Value for Money 04. Fees, non-audit services and independence 05. Communication of audit matters 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Audit findings Audit findings against significant risks "Significant risks often relate to significant non-routine transactions and judgmental matters. Non-routine transactions are transactions that are unusual, either due to size or nature, and that therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty" (ISA (UK&I) 315). In this section we detail our response to the significant risks of material misstatement which we identified in the Audit Plan. As we noted in our plan, there are two presumed significant risks which are applicable to all audits under auditing standards. Risks identified in our audit plan Work completed Assurance gained and issues arising 1. Improper revenue recognition Under ISA (UK&I) 240 there is a presumed risk that revenue may be misstated due to the improper recognition of revenue. Auditors may rebut this presumption depending on the circumstances of the client. 2. Management override of controls Under ISA (UK&I) 240 there is a presumed risk that the risk of management over-ride of controls is present in all entities. We have rebutted this presumption for NHS Dorset CCG because: revenue does not primarily involve cash transactions revenue is principally an allocation from NHS England We therefore do not consider this to be a significant risk for NHS Dorset CCG. As part of our audit work we have completed; review and testing of revenue recognition policies review of unusual significant transactions As part of our audit work we have completed: review of accounting estimates, judgements and decisions made by management testing of journals entries review of unusual significant transactions Our audit work has not identified any issues in respect of revenue recognition. Our audit work has not identified any evidence of management override of controls. In particular, the findings of our review of journal controls and testing of journal entries has not identified any significant issues. We set out later in this section of the report our work and findings on key accounting estimates and judgements. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 9

Audit findings Audit findings against other risks In this section we detail our response to the other risks of material misstatement which we identified in the Audit Plan. Transaction cycle Description of risk Work completed Assurance gained & issues arising Healthcare Commissioning Contract costs not accounted for properly We have undertaken the following work in relation to this risk: Our audit work has not identified any significant issues in relation to the risk identified. Documentation of our understanding of processes and key controls over the transaction cycle Walkthrough of the key controls to confirm our understanding of the system. Substantive testing of healthcare commissioning costs including substantive testing of block and activity based contract expenditure Review partially completed spells and inclusion in the NHS agreement of balances exercise Testing around the year end to ensure that accruals are complete Agree NHS creditors to agreement of balances confirmation Healthcare Commissioning Activity variation adjustments to expenditures not correct We have undertaken the following work in relation to this risk: Our audit work has not identified any significant issues in relation to the risk identified. Documentation of our understanding of processes and key controls over the transaction cycle Walkthrough of the key controls to confirm our understanding of the system. Substantive testing of healthcare commissioning costs including substantive testing of activity based contract expenditure 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 10

Audit findings Significant matters discussed with management Significant matter 1. Business conditions affecting the CCG, and business plans and strategies that may affect the risks of material misstatement. 2. Concerns about management's consultations with other accountants on accounting or auditing matters Commentary We have discussed the CCG's future provider contracts and financial plans with the Chief Officer and Chief Finance Officer. We did not consider these issues to present a risk of material misstatement in the financial statements. Nothing impacting on our work. 3. Discussions or correspondence with management regarding accounting practices, the application of auditing standards, the application of auditing standards, or fees for audit or other services. No significant issues of concern. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 11

Audit findings Accounting policies, Estimates & Judgements In this section we report on our consideration of accounting policies, in particular revenue recognition policies, and key estimates and judgements made and included with the CCG's financial statements. Accounting area Summary of policy Comments Assessment Revenue recognition Judgements and estimates Going concern Revenue in respect of services provided is recognised when, and to the extent that, performance occurs, and is measured at the fair value of the consideration receivable. Where income is received for a specific activity that is to be delivered in the following year, that income is deferred. In the application of the CCG's accounting policies, management is required to make judgements, estimates and assumptions about the carrying amounts of assets and liabilities that are not readily apparent from other sources. The estimates and associated assumptions are based on the historical experience and other factors that are considered to be relevant. Revisions to accounting estimates are recognised in the period in which the estimate is revised if the revision affects only that period or in the period of the revision and future periods if the revision affect both current and future periods. Key estimates and judgements include : Provisions Accruals and prescribing The Directors have a reasonable expectation that the services provided by the CCG will continue for the foreseeable future. For this reason, they continue to adopt the going concern basis in preparing the financial statements. We have no issues over the: appropriateness of policy under relevant accounting framework adequacy of disclosure of accounting policy We have no issues over the: appropriateness of policy under relevant accounting framework extent of judgement involved adequacy of disclosure of accounting policy We have reviewed the Directors' assessment and are satisfied with management's assessment that the going concern basis is appropriate for the 2014/15 financial statements. Green Green Green Other accounting policies The CCG has adopted the standard accounting policies for the NHS as set out in the manual for accounts. We have reviewed the CCG's policies against the requirements of the Manual for Accounts and do not have any significant comments to make. Green Assessment Marginal accounting policy which could potentially attract attention from regulators Accounting policy appropriate but scope for improved disclosure Accounting policy appropriate and disclosures sufficient 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 12

Audit findings Other communication requirements We set out below details of other matters which we, as auditors, are required by auditing standards to communicate to those charged with governance. Issue Commentary 1. Matters in relation to fraud We have not been made aware of any other incidents in the period and no other issues have been identified during the course of our audit procedures 2. Matters in relation to related parties 3. Matters in relation to laws and regulations We are not aware of any related party transactions which have not been disclosed. We are not aware of any significant incidences of non-compliance with relevant laws and regulations. 4. Written representations A standard letter of representation has been requested from the CCG. 5. Confirmation requests from third parties We obtained direct confirmations from the National Audit Office for bank balances. These requests were returned with positive confirmation. We requested management to send a letter to DAC Beachcroft, the main solicitor who worked with the CCG during the year. We have received the solicitor's responses and these are subject to Engagement Lead review. 6. Disclosures Our review found no material omissions in the financial statements but several trivial issues have been noted. These have all been amended in the financial statements. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 13

Audit findings Internal controls The purpose of an audit is to express an opinion on the financial statements. Our audit included consideration of internal controls relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The matters reported here are limited to those deficiencies that we have identified during the course of our audit and that we have concluded are of sufficient importance to merit being reported to you in accordance with auditing standards. These and other recommendations, together with management responses, are included in the action plan attached at appendix A. 1. Assessment Issue and risk Recommendations Green The number of people with administrator rights is not limited appropriately There are a large number of domain administrators enabled on active directory (11). This is deemed excessive for both the size of the IT function and the organisation it supports. We recommend management consider reducing the number of network-wide domain administrators (i.e. full domain administrator access is not required to create or amend users) and restrict access based on least privilege requirements based on individual roles. Excessive access can reduce the effectiveness of system-enforced internal control mechanisms through inappropriate use of administrator functionality, administrators making unauthorised changes to configuration parameters, creating unauthorised accounts or disabling audit logging to 'hide' unauthorised activity. Management response: Additional roles will be developed to reduce the number of staff with Domain Admin access. In particular the Service Desk function and the level of access should be reviewed. We anticipate that the number of staff with this level of access could be reduced to 5. This could be achieved by the end of June and undertaken as part of our review of our Service Desk function and support system. Assessment red Material weakness - risk of material misstatement amber Significant deficiency risk of significant misstatement green Deficiency risk of inconsequential misstatement 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 14

Audit findings Internal controls continued 2. Assessment Issue and risk Recommendations Green System does not lock out users after a reasonable number of unauthorised entry attempts Network intruder lock out settings are enabled at 10 attempts per 30 minutes and automatically reset after 30 minutes. This presents a risk of external password hacking and/or abuse of password controls We recommend that management should consider improving this security setting to 3 attempts followed by permanent lockout until reset by an administrator. Management response: We plan to reduce this to 5 attempts followed by a permanent lockout by end of June and then to move to 3 attempts by end of September 2015. 3. Green No proactive reviews of user access permissions within Active Directory and IT applications Dorset CCG have recently conducted a full user review to ensure that only current, relevant accounts were brought onto the updated IT systems. As it is our experience that access privileges tend to accumulate over time there is a need for management to continue to perform formal periodic reviews of the user accounts and permissions. This processes assists in identifying: gaps in user administration processes and controls which may not be identified and dealt with in a timely manner access to information resources and system functionality may not be restricted on the basis of legitimate business need enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls no-longer-needed permissions may granted to end-users may lead to segregation of duties conflicts access privileges may become disproportionate with respect to end users' job duties We recommend that management consider implementing a 6 monthly process to review user access requirements on the network and IT applications to ensure access privileges are in line with the user's job role for all IT system including the network. Management response: Active Directory file permissions will be reviewed with Directorate representatives to check that individual and group file permissions are appropriate. This will be scheduled as a biannual activity from and including September 2015. All IT applications used by the CCG have existing system owners / managers. We will request that each system manager review users and their associated level of access. This will be undertaken in conjunction with the file permissions review process. Assessment red Material weakness - risk of material misstatement amber Significant deficiency risk of significant misstatement green Deficiency risk of inconsequential misstatement 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 15

Audit findings Internal controls continued 4. Assessment Issue and risk Recommendations Green Lack of Routine Penetration Tests and Vulnerability Assessments (Advisory) Tests to identify information security vulnerabilities present at the network perimeter and inside the network were not being routinely conducted. Management should contract with an objective 3rd party service provider to conduct periodic vulnerability assessments and penetration tests against the internal network and against the network perimeter as quickly as possible. We understand that there is a tendering process underway to engage a testing partner, and we concur with this course of action, however due to the number of changes to the IT system over the last 12 months this should be done as a matter of urgency. Without regular intrusion testing including at times of major system changes, there is an increased risk that weaknesses in system security could be exploited by internal and external parties. This could allow unauthorised access to confidential information or the ability to make changes to critical financial information. Numerous weaknesses are discovered daily in both hardware and software that can compromise the confidentiality, integrity and availability of an organisation's information systems. This will assist in ensuring that information security weaknesses are proactively identified and minimized or remediated. Management Response: An updated quotation has already been requested from a network security provider that we have used in the past to provide IT security services. This report will be undertaken by September 2015. Assessment red Material weakness - risk of material misstatement amber Significant deficiency risk of significant misstatement green Deficiency risk of inconsequential misstatement 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 16

Audit findings Internal controls review of issues raised in prior year 1. Assessment Issue and risk previously communicated Update on actions taken to address the issue X Lack of routine penetration tests and vulnerability assessments We have raised this again in our IT work this year. An updated quotation has already been requested from a network security provider that we have used in the past to provide IT security services. This report will be undertaken by September 2015. 2. No reviews of information security logs created by Active Directory Information security logs are regularly reviewed Assessment Action completed X Not yet addressed 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 17

Audit findings Adjusted misstatements We are required to report all non trivial misstatements to those charged with governance, whether or not the accounts have been adjusted by management. Impact of adjusted misstatements We have no adjusted misstatements to report to you. Unadjusted misstatements We have no unadjusted misstatements to report to you. There are further opportunities to de-clutter the financial statements by removing nil lines from the primary statements. The CCG has opted not to do this for 2014-15. Impact of uncorrected misstatements in the prior year There are no unrecorded misstatements in the prior year which impact on the current year. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 18

Audit findings Misclassifications & disclosure changes The table below provides details of misclassification and disclosure changes identified during the audit which have been made in the final set of financial statements. Adjustment type Value '000 Account balance Impact on the financial statements 1 Misclassification 1,057 NHS receivables The re-classification of the debit balance from NHS receivables to NHS payables reduces both balances by 1,057k. 2 Disclosure Various Various Several disclosure adjustments were required to the financial statements to ensure compliance with the manual for accounts and supporting documentation. None of these were significant. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 19

Section 3: Value for Money 01. Executive summary 02. Audit findings 03. Value for Money 04. Fees, non-audit services and independence 05. Communication of audit matters 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Value for Money Value for Money Value for money conclusion The Code of Audit Practice 2010 (the Code) describes the CCG's responsibilities to put in place proper arrangements to: secure economy, efficiency and effectiveness in its use of resources; ensure proper stewardship and governance; and review regularly the adequacy and effectiveness of these arrangements. We are required under Section 5 of the Audit Commission Act 1998 to satisfy ourselves that the CCG has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources. In 2014/15 we are required to give our VFM conclusion based on two criteria specified by the Audit Commission. These criteria are: The CCG has proper arrangements in place for securing financial resilience. The CCG has robust systems and processes to manage effectively financial risks and opportunities, and to secure a stable financial position that enables it to continue to operate for the foreseeable future. The CCG has proper arrangements for challenging how it secures economy, efficiency and effectiveness. The CCG is prioritising its resources within tighter budgets, for example by achieving cost reductions and by improving efficiency and productivity. Key findings Securing financial resilience We have undertaken a review which considered the CCG's arrangements against the three expected characteristics of proper arrangements as defined by the Audit Commission: Financial governance; Financial planning; and Financial control Overall our work highlighted that growth funding has enabled the CCG to set a balanced budget for 2015/16. Significant cost pressures remain, however, notably continuing health care, non NHS contracts and urgent care. The CCG has been set a challenging target surplus of 15.698m. Achievement of this will require continued careful management of contracts and tight control of internal budgets. The clinical services review provides a unique opportunity for the CCG to drive the implementation of a sustainable health economy for Dorset in the medium to longer term. The concept and design of this project is a potential model for other health economies. Realising the opportunities presented by the review's outcomes will be challenging for all parties and continuing engagement and communication will be crucial. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 21

Value for Money Value for Money Challenging economy, efficiency and effectiveness We have reviewed whether the CCG has prioritised its resources to take account of the tighter constraints it is required to operate within and whether it has achieved cost reductions and improved productivity and efficiencies. In particular, we have reviewed the monitoring of commissioning support services performance and the work that Internal Audit has done to validate that process. We have concluded that these arrangements are robust. The clinical services review has provided us with evidence that the CCG is actively challenging economy, efficiency and effectiveness. Implementation of its outcomes should improve value for money across the whole of the local health economy. Overall VfM conclusion On the basis of our work, and having regard to the guidance on the specified criteria published by the Audit Commission, we are satisfied that in all significant respects the CCG put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources for the year ending 31 March 2015. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 22

Value for Money To support our VFM conclusion against the specified criteria we performed a risk assessment against VFM risk indicators specified by the Audit Commission. and additional indicators identified by ourselves. Following completion of our work we noted the following residual risks to our VFM conclusion: Residual risk identified Summary findings RAG rating In the medium term, the CCG's own forecasts have proven the Dorset Health Economy to be unsustainable in its current form. The CCG's own forecasts show that the current health economy in Dorset is unsustainable in the medium to longer term. All of the main NHS providers in Dorset are setting deficit budgets for 2015/16. The Clinical Services Review is designed to develop a modern and sustainable health service in the county for the future. The CCG has identified that one key to success of the project is engagement and ownership from key partners, clinicians, stakeholders and patients. Much work has been done in drawing in views and expertise of these parties. It is too early to say whether the project will present a viable outcome which will lead to positive change. Undoubtedly though, working together and forging joint solutions will have aided the various parties involved in identifying future efficiencies and quality improvements. The current plan is for the Governing Body to make a decision regarding the recommended outcome in March 2016. Amber 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 23

Section 4: Fees, non-audit services and independence 01. Executive summary 02. Audit findings 03. Value for Money 04. Fees, non audit services and independence 05. Communication of audit matters 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Fees, non audit services and independence Fees, non-audit services and independence We confirm below our final fees charged for the audit and provision of non-audit services. Fees CCG audit 100,000 Fees for other services Service Fees VAT advice 2,799 Total audit fees (excluding VAT) 100,000 The audit fee inclusive of VAT and paid by the CCG is 120,000. Independence and ethics We confirm that there are no significant facts or matters that impact on our independence as auditors that we are required or wish to draw to your attention. We have complied with the Auditing Practices Board's Ethical Standards and therefore we confirm that we are independent and are able to express an objective opinion on the financial statements. We confirm that we have implemented policies and procedures to meet the requirements of the Auditing Practices Board's Ethical Standards. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 25

Section 5: Communication of audit matters 01. Executive summary 02. Audit findings 03. Value for Money 04. Fees, non audit services and independence 05. Communication of audit matters 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015

Communication of audit matters Communication of audit matters to those charged with governance International Standards on Auditing ISA (UK&I) 260, as well as other ISAs, prescribe matters which we are required to communicate with those charged with governance, and which we set out in the table opposite. The Audit Plan outlined our audit strategy and plan to deliver the audit, while this Audit Findings report presents the key issues and other matters arising from the audit, together with an explanation as to how these have been resolved. Our communication plan Respective responsibilities of auditor and management/those charged with governance Overview of the planned scope and timing of the audit. Form, timing and expected general content of communications Audit Plan Audit Findings Respective responsibilities The Audit Findings Report has been prepared in the context of the Statement of Responsibilities of Auditors and Audited Bodies issued by the Audit Commission (www.audit-commission.gov.uk). We have been appointed as the CCG's independent external auditors by the Audit Commission, the body responsible for appointing external auditors to local public bodies in England. As external auditors, we have a broad remit covering finance and governance matters. Our annual work programme is set in accordance with the Code of Audit Practice ('the Code') issued by the Audit Commission and includes nationally prescribed and locally determined work. Our work considers the CCG's key risks when reaching our conclusions under the Code. It is the responsibility of the CCG to ensure that proper arrangements are in place for the conduct of its business, and that public money is safeguarded and properly accounted for. We have considered how the CCG is fulfilling these responsibilities. Views about the qualitative aspects of the entity's accounting and financial reporting practices, significant matters and issues arising during the audit and written representations that have been sought Confirmation of independence and objectivity A statement that we have complied with relevant ethical requirements regarding independence, relationships and other matters which might be thought to bear on independence. Details of non-audit work performed by Grant Thornton UK LLP and network firms, together with fees charged Details of safeguards applied to threats to independence Material weaknesses in internal control identified during the audit Identification or suspicion of fraud involving management and/or others which results in material misstatement of the financial statements Compliance with laws and regulations Expected unmodified auditor's report Uncorrected misstatements Significant matters arising in connection with related parties Significant matters in relation to going concern 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 27

Appendices Appendices 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 28

Appendices Appendix A: Action plan Priority High - Significant effect on control system Medium - Effect on control system Low - Best practice Rec No. Recommendation Priority Management response Implementation date & responsibility 1 The number of people with administrator rights is not limited appropriately We recommend management consider reducing the number of network-wide domain administrators (i.e. full domain administrator access is not required to create or amend users) and restrict access based on least privilege requirements based on individual roles. Medium Additional roles will be developed to reduce the number of staff with Domain Admin access. In particular the Service Desk function and the level of access should be reviewed. We anticipate that the number of staff with this level of access could be reduced to 5. This could be achieved by the end of June and undertaken as part of our review of our Service Desk function and support system. End of June 2015 2 System does not lock out users after a reasonable number of unauthorised entry attempts We recommend that management should consider improving this security setting to 3 attempts followed by permanent lockout until reset by an administrator. Medium We plan to reduce this to 5 attempts followed by a permanent lockout by end of June and then to move to 3 attempts by end of September 2015. End of September 2015 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 29

Appendices Appendix A: Action plan continued Priority High - Significant effect on control system Medium - Effect on control system Low - Best practice Rec No. Recommendation Priority Management response Implementation date & responsibility 3 No proactive reviews of user access permissions within Active Directory and IT applications Dorset CCG have recently conducted a full user review to ensure that only current, relevant accounts were brought onto the updated IT systems. As it is our experience that access privileges tend to accumulate over time there is a need for management to continue to perform formal periodic reviews of the user accounts and permissions. This processes assists in identifying: gaps in user administration processes and controls which may not be identified and dealt with in a timely manner access to information resources and system functionality may not be restricted on the basis of legitimate business need enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls no-longer-needed permissions may granted to end-users may lead to segregation of duties conflicts access privileges may become disproportionate with respect to end users' job duties Medium Active Directory file permissions will be reviewed with Directorate representatives to check that individual and group file permissions are appropriate. This will be scheduled as a bi-annual activity from and including September 2015. All IT applications used by the CCG have existing system owners / managers. We will request that each system manager review users and their associated level of access. This will be undertaken in conjunction with the file permissions review process. End of September 2015 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 30

Appendices Appendix A: Action plan continued Priority High - Significant effect on control system Medium - Effect on control system Low - Best practice Rec No. Recommendation Priority Management response Implementation date & responsibility 4 Lack of Routine Penetration Tests and Vulnerability Assessments (Advisory) Tests to identify information security vulnerabilities present at the network perimeter and inside the network were not being routinely conducted. Low An updated quotation has already been requested from a network security provider that we have used in the past to provide IT security services. September 2015 We understand that there is a tendering process underway to engage a testing partner, and we concur with this course of action, however due to the number of changes to the IT system over the last 12 months this should be done as a matter of urgency. This report will be undertaken by September 2015. Without regular intrusion testing including at times of major system changes, there is an increased risk that weaknesses in system security could be exploited by internal and external parties. This could allow unauthorised access to confidential information or the ability to make changes to critical financial information. Numerous weaknesses are discovered daily in both hardware and software that can compromise the confidentiality, integrity and availability of an organisation's information systems. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 31

Appendices Appendix B: Audit opinion We anticipate we will provide the CCG with an unmodified audit report INDEPENDENT AUDITOR S REPORT TO THE MEMBERS OF NHS DORSET CCG We have audited the financial statements of NHS Dorset CCG for the year ended 31 March 2015 under the Audit Commission Act 1998. The financial statements comprise the Statement of Comprehensive Net Expenditure, the Statement of Financial Position, the Statement of Changes in Taxpayers Equity, the Statement of Cash Flows and the related notes. The financial reporting framework that has been applied in their preparation is applicable law and the accounting policies directed by the NHS Commissioning Board with the consent of the Secretary of State as relevant to the National Health Service in England. We have also audited the information in the Remuneration Report that is subject to audit, being: the table of salaries and allowances of senior managers [and related narrative notes] on pages 61 and 62 the table of pension benefits of senior managers [and related narrative notes] on page 63 the disclosure of pay multiples [and related narrative notes] on page 59 This report is made solely to the members of NHS Dorset CCG in accordance with Part II of the Audit Commission Act 1998 and for no other purpose, as set out in paragraph 44 of the Statement of Responsibilities of Auditors and Audited Bodies published by the Audit Commission in March 2014. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Clinical Commissioning Group (CCG)'s members and the CCG as a body, for our audit work, for this report, or for the opinions we have formed. Respective responsibilities of the Accountable Officer and auditor As explained more fully in the Statement of Accountable Officer s Responsibilities, the Accountable Officer is responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view. Our responsibility is to audit and express an opinion on the financial statements in accordance with applicable law and International Standards on Auditing (UK and Ireland). Those standards also require us to comply with the Auditing Practices Board s Ethical Standards for Auditors. Scope of the audit of the financial statements An audit involves obtaining evidence about the amounts and disclosures in the financial statements sufficient to give reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. This includes an assessment of: whether the accounting policies are appropriate to the CCG s circumstances and have been consistently applied and adequately disclosed; the reasonableness of significant accounting estimates made by the Accountable Officer; and the overall presentation of the financial statements. In addition, we read all the financial and non-financial information in the annual report which comprises the Introduction from Chair and Accountable Officer; Member Practice Introduction; Strategic Report; Members Report; Statement of the Accountable Officer, Governance Statement and Statement from Head of Internal Audit to identify material inconsistencies with the audited financial statements and to identify any information that is apparently materially incorrect based on, or materially inconsistent with, the knowledge acquired by us in the course of performing the audit. If we become aware of any apparent material misstatements or inconsistencies we consider the implications for our report. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 32

Appendices In addition, we are required to obtain evidence sufficient to give reasonable assurance that the expenditure and income reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them. Opinion on regularity In our opinion, in all material respects the expenditure and income reported in the financial statements have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them. Opinion on financial statements Matters on which we report by exception We report to you if: in our opinion the governance statement does not reflect compliance with NHS England s Guidance; we refer a matter to the Secretary of State under section 19 of the Audit Commission Act 1998 because we have reason to believe that the CCG, or an officer of the CCG, is about to make, or has made, a decision involving unlawful expenditure, or is about to take, or has taken, unlawful action likely to cause a loss or deficiency; or we issue a report in the public interest under section 8 of the Audit Commission Act 1998. We have nothing to report in these respects. In our opinion the financial statements: give a true and fair view of the financial position of NHS Dorset CCG as at 31 March 2015 and of its net operating costs for the year then ended; and have been prepared properly in accordance with the accounting policies directed by the NHS Commissioning Board with the consent of the Secretary of State as relevant to the National Health Service in England. Opinion on other matters In our opinion: the part of the Remuneration Report subject to audit has been prepared properly in accordance with the requirements directed by the NHS Commissioning Board with the consent of the Secretary of State as relevant to the National Health Service in England; and the information given in the annual report for the financial year for which the financial statements are prepared is consistent with the financial statements. Conclusion on the CCG s arrangements for securing economy, efficiency and effectiveness in the use of resources Respective responsibilities of the CCG and auditor The CCG is responsible for putting in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources, to ensure proper stewardship and governance, and to review regularly the adequacy and effectiveness of these arrangements. We are required under Section 5 of the Audit Commission Act 1998 to satisfy ourselves that the CCG has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources. The Code of Audit Practice issued by the Audit Commission requires us to report to you our conclusion relating to proper arrangements, having regard to relevant criteria specified by the Audit Commission in October 2014. 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 33

Appendices We report if significant matters have come to our attention which prevent us from concluding that the CCG has put in place proper arrangements for securing economy, efficiency and effectiveness in its use of resources. We are not required to consider, nor have we considered, whether all aspects of the CCG s arrangements for securing economy, efficiency and effectiveness in its use of resources are operating effectively. Scope of the review of arrangements for securing economy, efficiency and effectiveness in the use of resources We have undertaken our review in accordance with the Code of Audit Practice, having regard to the guidance on the specified criteria, published by the Audit Commission in October 2014, as to whether the CCG has proper arrangements for: Conclusion On the basis of our work, having regard to the guidance on the specified criteria published by the Audit Commission in October 2014, we are satisfied that, in all significant respects, NHS Dorset CCG put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources for the year ending 31 March 2015. Certificate We certify that we have completed the audit of the accounts of NHS Dorset CCG in accordance with the requirements of the Audit Commission Act 1998 and the Code of Audit Practice issued by the Audit Commission. securing financial resilience challenging how it secures economy, efficiency and effectiveness. The Audit Commission has determined these two criteria as those necessary for us to consider under the Code of Audit Practice in satisfying ourselves whether the CCG put in place proper arrangements for securing economy, efficiency and effectiveness in its use of resources for the year ended 31 March 2015. We planned our work in accordance with the Code of Audit Practice. Based on our risk assessment, we undertook such work as we considered necessary to form a view on whether, in all significant respects, the CCG had put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources. Barrie Morris for and on behalf of Grant Thornton UK LLP, Appointed Auditor Hartwell House 55-61 Victoria Street Bristol BS1 6FT 27 May 2015 2015 Grant Thornton UK LLP Audit Findings Report 2014/15 27 May 2015 34