internal audit operational plan 2013/14 and audit strategy ... · pdf filecardiff and vale...

Draft Internal Audit Operational Plan 2013/14 Audit Committee And Audit Strategy 2013/16 21 May 2013

Cardiff and Vale University Health Board

Internal Audit Operational Plan 2013/14 and Audit Strategy 2013/16

March 2013

NHS Wales Shared Services Partnership

Audit and Assurance Services

AGENDA ITEM 2.3

Contents Page

1 Introduction 2

2 Developing the audit strategy 2

3 Audit risk assessment 7

4 Planned audit coverage 7

5 Resource needs assessment 9

6 Action required 10

Appendix A – High Level Audit Universe – Grouped by Assurance Domains Appendix B – Audit Risk Assessment Methodology Appendix C – Strategic Audit Plan 2013/14 to 2015/16 Appendix D – Operational Audit Plan 2013/14

NHS Wales Audit & Assurance Services Page | 1

Cardiff and Vale University Health Board Internal Audit Operational Plan 2013/14 and Audit Strategy 2013/16

HIA Report

1. Introduction

The Accountable Officer is required to certify in the Annual Governance Statement that they have reviewed the effectiveness of the organisation’s governance arrangements, including the internal control systems, and provide confirmation that these arrangements have been effective, with any qualifications as necessary including required developments and improvement to address any issues identified. The purpose of Internal Audit is to provide the Accountable Officer and the Board, through the Audit Committee, with an independent and objective opinion on the degree to which the Health Board’s risk management, control and governance arrangements support the achievement of its agreed objectives. The opinion should be used to inform the Annual Governance Statement. Additionally, the findings and recommendations from internal audit reviews may be used by Health Board management to improve risk management, control and governance within their operational areas. The Welsh Government’s Internal Audit Standards for the NHS in Wales requires the Head of Internal Audit to develop and maintain an internal audit strategy designed to meet the main purpose of the internal audit activity and its service provision needs. This strategy must advocate a systematic and prioritised review, outlining the resources required to meet the assurance needs of the Accountable Officer, Board and Audit Committee. Accordingly this report sets out the risk based audit strategy for the period April 2013 to March 2016 for Cardiff and Vale University Local Health Board. The strategy includes an operational audit plan for the year 2013/14 and an indication of proposed coverage for the out-years 2014/15 and 2015/16. The internal audit activity will be provided by NHS Wales Audit & Assurance Services, a division of the NHS Wales Shared Services Partnership.



HIA Report

2. Developing the Audit Strategy

2.1 Link to Auditing Standards

The Audit Strategy for 2013/14 – 2015/16 has been developed in accordance with the Internal Audit Standard 2010 Planning to enable the Head of Internal Audit to meet the following key audit planning objectives:

• Provision to the Accountable Officer of an overall annual opinion on the

organisation’s risk management, control and governance, which may in turn support the preparation of the Annual Governance Statement;

• Audit of the organisation’s risk management, internal control and governance arrangements through periodic risk based plans which afford suitable priority to the organisation’s objectives and risks;

• Improvement of the organisation’s risk management, control and governance by providing line management with recommendations arising from audit work;

• Quantification of the audit resources required to deliver the planned audit strategy;

• Effective co-operation with external auditors and other review bodies functioning in the organisation; and

• Provision of both assurance and advice by internal audit.

2.2 Risk based audit planning approach

The risk based planning approach recognises the need for prioritisation of audit cover to provide assurance on management of risk and the strategy addresses these fundamental planning issues by considering the: • organisations risk assessment and maturity; • coverage of the audit universe; • coverage of through previous years activities; and • audit resources required to provide a balanced and comprehensive view. The audit strategy is also mindful of the significant national changes that are taking place through the Together for Health programme. In addition, the audit strategy aims to reflect the significant changes occurring locally within Healthcare in South Wales and changes within the organisation, including the introduction of Clinical Service Boards, assurance needs and key concerns identified from our discussions with management and emerging risks. Whilst some areas of risk control and governance require annual review, the risk based planning approach recognises that it is not possible to audit every area of an organisation’s activities every year and therefore provides a rational basis for the prioritised allocation of audit resources. A summary of our approach to developing the strategic audit plan is Figure 1 below.



HIA Report

Figure 1 Audit planning flow diagram



HIA Report

2.3 Link to the system of assurance

The risk based planning approach integrates with the Health Board’s system of assurance, thus we have considered the following: • A review of the Boards values and priorities; • An assessment of the Health Board’s governance and assurance

arrangements and the contents of the Risk Register and Assurance Framework;

• Risks identified in papers to the Board and its Committees (in particular the Audit Committee and Quality & Safety Committee);

• Key strategic risks identified within the corporate risk register and assurance processes;

• Cumulative internal audit knowledge of risk management, control and governance arrangements (including a consideration of past internal audit opinions);

• New developments and service changes; • Legislative requirements to which the organisation is required to

comply; • Other assurance processes including planned audit coverage of systems

and processes now provided through NHS Wales Shared Services Partnership (NWSSP);

• Work undertaken by other review bodies including Wales Audit Office (WAO) and Healthcare Inspectorate Wales (HIW); and

• Coverage necessary to provide reasonable assurance to the Accountable Officer in support of the Governance Statement.

An overview of the relationship between the organisational objectives key assurance domains and the internal audit plan is provided in the diagram in Figure 2. The mapping of the audit plan to the seven assurance domains is designed to give balance to the overall annual audit opinion which supports the annual governance statement. The identified auditable areas within these assurance domains are presented at a more granular level in Appendix A. The planned coverage of these areas within the annual and strategic planning timeframe is explained within the following section.



HIA Report

Figure 2 Internal audit assurance on key domains

Annual Governance Statement Assurance Domain

Annual Internal Audit

Opinion

Internal Audit Assurance



HIA Report

2.4 Audit planning meetings

In developing the plan, the Head of Internal Audit has met to discuss or made contact with each of the Executives including the Chief Executive at the Health Board to discuss current areas of risk and related assurance needs.

The first draft of this plan was discussed with Director of Finance and Audit Committee Chairman and also the Executive Management Team to ensure that the Internal Audit work was proving assurance across an appropriate range of risks.

3. Audit risk assessment The prioritisation of audit coverage across the audit universe is based on the organisations assessment of risk and assurance requirements as defined in the board assurance framework. The maturity of these risk and assurance systems allows us to consider both inherent risk (impact and likelihood) and mitigation (adequacy and effectiveness of internal control). Our assessment also takes into account corporate risk, materiality or significance, system complexity, previous audit findings, potential for fraud and sensitivity. The relationship between audit risk and frequency of coverage is documented at Appendix B.

4. Planned audit coverage

4.1 Strategic audit plan

The desired frequency of rotational coverage of the audit universe in Appendix A is determined by the audit risk assessment matrix in Appendix B. In practice audit judgement is applied in programming the strategic plan. This audit judgement is required to prioritise audits for the operational year ahead, give balanced coverage across seven assurance domains, recognise other sources of assurance, and reconcile needs with available audit resources. The sequencing in the strategic planning period also takes into account previous audit coverage and strategic coordination with other review agencies including Wales Audit Office and Health Inspectorate Wales. The proposed strategic coverage for the period 2013/14 – 2015/16 has been determined and is included in Appendix C.



HIA Report

Assurance on national transaction processing systems operated by NWSSP will be covered through the NWSSP audit plan and are cross referenced for completeness. Similarly those aspects of the plan which relate to capital and estates assurance to be covered through our Specialist Services Unit are also marked for reference. Given the specialist nature of this work and the assurance link with the all-Wales capital programme a separate plan will be provided in due course to address capital, procurement and estates management. Provision has also been made in the strategic plan for other essential audit work including audit planning, management, reporting and follow-up.

4.2 Operational audit plan

Within this overall prioritisation and proposed strategic coverage the operational plan for the year ahead can be defined in more detail. The Operational Audit Plan is set out in Appendix D and identifies the audit assignment, lead executive officer, outline scope, and proposed timing. Where appropriate the operational plan makes cross reference to key strategic risks identified within the assurance framework and/or corporate risk register and related systems of assurance. Audit coverage required in terms of capital audit and estates assurance and delivered by our Specialist Services Unit within the NHS Wales Audit & Assurance Services will be submitted for approval subsequent to this general internal audit plan. The operational audit plan will then be updated to integrate this specialist coverage. The scope objectives and audit resource requirements and timing will be refined in each area when developing the audit scope in discussion with the responsible executive director and operational management. The scheduling takes account of the optimum timing for the performance of specific assignments in discussion with management and Wales Audit Office requirements. The Audit Committee will be kept appraised of performance in delivery of the Operational Audit Plan, and any required changes, through routine progress reports to each Audit Committee meeting.



HIA Report

4.3 Keeping the audit plan under review

Our risk assessment and audit plan is limited to matters emerging from the planning processes indicated above. We will review and update the risk assessment and rolling strategic audit plan annually giving definition to the upcoming operational year and extending the strategic view outward. Internal audit are committed to ensuring its service focuses on priority risk areas business critical systems and the provision of assurance to management across the medium term and in the operational year ahead. Hence the plan will be kept under review and may be subject to change to ensure it remains fit for purpose. In particular the plan will need to be periodically reviewed to ensure alignment with the developing systems of assurance. Consistent with previous years and in accordance with best professional practice an unallocated contingency provision has been retained in the plan to enable internal audit to respond to emergent risks and priorities identified by the Executive Management Team and endorsed by the Audit Committee. Any change to the plan will be based upon consideration of risk and need and presented to the Audit Committee for approval. Regular liaison with the Wales Audit Office as your External Auditor will take place to coordinate planned coverage and ensure optimum benefit is derived from the total audit resource.

5. Resource needs assessment The needs based strategic audit plan indicates an aggregate resource requirement of 1250 days to provide balanced assurance reporting to the Chief Executive as Accountable Officer in accordance with the NHS Wales Internal Audit Standards. A provision is made within this resource for reviews covering Capital Schemes and Estates Assurance. This assessment is based upon an estimate of the audit resource required to review the design and operation of controls in review area for the purpose of sizing the overall resource needs for the strategic audit plan. Provision has also been made in the strategic plan and needs assessment for other essential audit work including planning, management, reporting contingency and follow-up. The top-slice funding passed to NWSSP is sufficient to meet these audit resource needs. The inclusive internal provision through NWSSP Audit & Assurance Services represents best value for NHS Wales in comparison with external commercial rates for the equivalent provision of these professional services.



HIA Report


The NHS Wales audit standards enable internal audit to provide consulting and advisory services to management. The commissioning of these additional services by the Health Board is discretionary and therefore not included in the baseline strategic audit plan. Accordingly any requirements to service management consulting requests would be additional to the audit plan and will need to be negotiated separately.

6. Action required The Audit Committee is invited to consider the audit strategy and proposed operational plan and:

• Approve the operational audit plan for 2013/14; • Endorse the strategic view for the period 2014/15 and 2015/16; and • Note the associated audit resource requirements

James Johns Head of Internal Audit – Cardiff and Vale University Health Board Audit & Assurance Services NHS Wales Shared Services Partnership

Cardiff and Vale University Health Board High Level Audit Universe – Grouped by Assurance Domains

Appendix A


Cardiff and Vale University Health Board High Level Audit Universe – Grouped by Assurance Domains

Appendix A


Cardiff and Vale University Health Board Audit Risk Assessment Methodology

Appendix B


The prioritisation of each area is based on our assessment of audit risk in terms of inherent risk (consequence and likelihood) and mitigation (adequacy and effectiveness of internal control). Our assessment takes into account corporate risk, materiality or significance, system complexity, previous audit findings, potential for fraud and sensitivity.

The desired frequency of rotational coverage is determined using the NHS standard 5x5 risk assessment matrix; however audit judgement will be applied in determining the proposed coverage in the strategic plan:

5

Every three years

10 Every two

years

15 Every year

20 Every Year

25 Every year

4 Selective

8

Every three years

12 Every two

years

16 Every year

20 Every Year

3 Unlikely

6

Every three years

9 Every two

years

12 Every two

years

15 Every year

2 Never

4 Selective

6

Every three years

8 Every three years

10 Every two

years

Lik

elih

oo

d o

f in

here

nt

risk

Rar

e (1

) U

nlik

ely

(2)

Po

ssib

le (

3)

Pr

obab

le (

4)

Alm

ost

ce

rtai

n (

5)

1 Never

2 Never

3 Unlikely

4 Selective

5

Every three years

Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)

Consequence of inherent risk

Cardiff and Vale University Health Board Strategic Audit Plan 2013/4 to 2015/16

Appendix C

Audit Plan and Strategic View

Planned output Mandated Audit Area

NWSSP Audit Plan

Capital Audit Plan

Prior Year Audit

[RAYG]

Audit Risk Rating

[RAYG]

2013/ 14 2014/ 15 2015/ 16

Corporate governance, risk and regulatory compliance

Governance & Accountability module √ N/A √ √ √ Annual Governance Statement √ N/A √ √ √ Annual Report √ N/A √ √ √ Risk Management & Assurance √ N/A √ √ √ Review of Core Standards for Healthcare Services

√ N/A √ √ √

Policies and procedures N/A √ Fraud, theft & corruption N/A √ Corporate legislative compliance √

Legislative compliance: • Health & Safety Act • Human Tissue Act • MHRA • Waste Regulations • Equalities Act • Fire

√

√ √

√ √

Welsh Risk Pool – Claims Management Standard

√ Yellow √ √ √

Clinical service Boards Governance and accountability arrangements:

√



Appendix C


Planned output Mandated NWSSP Capital Prior Year Audit Risk 2013/ 14 2014/ 15 2015/ 16 Audit Audit Plan Audit Plan Audit Rating Area

[RAYG] [RAYG]

Risk management (inc. risk assessment and registers)

Amber √

Strategic planning performance management and reporting

Strategic planning √ Stakeholder engagement/ communication

√

Performance management/ reporting √ √ √ Commissioning and Contract Management

√ √

Partnership governance √ Environmental sustainability reporting √ N/A √ √ √ Business continuity planning √ Financial governance and management

Financial Improvements plans/ Financial management

Amber √ √

Income / Cash Debtors √ Green √ √ √ General Ledger Management √ Green √ √ √ Capital Asset Management √ Green √ √ √ NWSSP managed financial systems – Accounts Payable

√ √ √ √ √

NWSSP managed financial systems – Accounts Payable CAATS

√ √ √ √ √

NWSSP managed primary care √ √ √ √ √



Appendix C



[RAYG] [RAYG]

contractor payments: General Medical Services General Dental Services General Ophthalmic Services General Pharmaceutical Services

E-expenses √ Private Patients √ Charitable Funds Amber √ √ √

Losses and compensation √ Petty Cash √ Patients Monies and Property √ Management of Capital Schemes √ √ √ √ Clinical governance quality & safety

Annual Quality Statement √ N/A √ √ √ Clinical Governance Framework √ Clinical Audit √ Infection control √ Medical equipment & devices √ Medicines management √ POVA √ POCA √



Appendix C



[RAYG] [RAYG]

GP Out of Hours √ Continuing Healthcare √ √ Patient Experience √ Patient Outcomes √ Mortality Reviews √ Putting things right: complaints incidents & redress

√

Clinical Networks √ Learning from National Reviews / Alerts

√ √

Catering and food hygiene √ Information governance & security

Information management and governance

√ √ √

Medical records management including Caldicott compliance

√

Information management and technology

Information systems security √

Data protection

Freedom of Information

Data quality of non-financial performance information

√



Appendix C



[RAYG] [RAYG]

Operational service and functional management

Clinical Service Boards: Governance and Control Arrangements

√ √ √

Localities √

Home Oxygen Services √ Public Health √ Primary Care Services √ √ √ Cardiff Health Access Practice √ Facilities √ Stocks and Stores √ Estates Assurance Reviews √ √ √ √

Workforce management

NWSSP managed systems – Payroll/ ESR

√ √ √ √ √

Payroll CAATs Staff PADRs √ Recruitment – qualification and CRB checking

√

E-Rostering √ √ Medical Staffing √ √ √ Management of temporary staffing (Bank, Agency and Locum staff).

√

Management of sickness and absence √



Appendix C



[RAYG] [RAYG]

Occupational Health Services √


Cardiff and Vale University Health Board Internal Audit Operational Plan 2013/14

Appendix D

Planned output Audit Reference

Outline Scope Executive Lead

Outline timing

Corporate governance, risk and regulatory compliance (175)

Annual Governance Statement (5) Getting it right To provide an opinion and undertake specific areas of review to underpin the completion of the Statement.

Board Secretary

Q4

Governance & Accountability module (5)

Getting it right To provide an opinion on the process that has been adopted and the evidence recorded supports the self-assessment.

Board Secretary

Q4

Head of Internal Audit Annual Report (5)

Getting it right Mandatory requirement to comply with the Internal Audit Standards for the NHS in Wales and Annual Governance Statement.

Board Secretary

Q1

Risk Management & Assurance (40) Getting it right Overview of general governance and risk management arrangements. Undertake specific areas of review to support annual opinion.

Board Secretary

Q4

Standards for Healthcare Services (25)

Getting it right & Patient/ Citizen

To provide an opinion on the process that has been adopted for the Standards as approved by the Quality and Safety Committee

Director Nursing

Q4

Annual Quality Statement (15) Getting it right To provide an opinion on the process that has been adopted and the evidence recorded supports the self-assessment.

Board Secretary / Director Nursing

Q2

Claims Management (5) Getting it right / resources

In accordance with the Welsh Risk Pool Standards, we will review a sample of completed files to ensure that the required processes have been complied with.

Director Nursing

Q4



Appendix D

Planned output Audit Outline Scope Executive Lead Reference

Outline timing

Risk management and assessment (40)

Getting it right

Examine the embedding of risk management process across the UHB

Board Secretary

Q3

Clinical Service board governance and accountability arrangements. (35)

Getting it right & Patient / Citizen

To review the governance and accountability arrangements with new CSBs .

COO Q3/4

Strategic planning performance management and reporting (150)

Discharges / ALOS (25)

Getting it right & Resources

Review systems and controls in place to manage the associated risks.

Director of Planning / COO

Q1/2

Continuing health care (25) Getting it right & Resources

Review controls in place to mange key risk areas associated with CHC.

COO Q1/2

Patient Access (25) Getting it right & Resources

Compliance with specific aspects of the Patient Access policy.

COO Q2

Third Sector / Voluntary Sector (25) Getting it right & Resources

To review the final framework established and To ensure risks identified in original report have been addressed.

Director of Planning

Q1/2

Operational Planning (30) Getting it right & Resources

Review op plan for assessments of risk, equality and PH issues.


Q1/2

Sustainability Reporting (20) Getting it right To provide an opinion that the Health Board has robust systems in place to record and report minimum sustainability requirements as required by the Welsh Government.



Appendix D


Outline timing

Financial Governance and management (160)

General Ledger (20) Resources Review controls in place to mange key risk areas within the main financial systems

Director of Finance

Q3

Asset Management (20) Resources Review controls in place to mange key risk areas within the main financial systems

Director of Finance

Q3

Income / Cash / Debtors (20) Resources Review controls in place to mange key risk areas within the main financial systems

Director of Finance

Q3

Charitable Funds (25)

Resources Review governance arrangements, including the management of expenditure and donations. Review of controls in place for management of lottery.

Director of Finance

Q1

Research & Development (20)

Resources Review of systems implemented for managing Income and Expenditure

Medical Director

Q3

NWSSP managed financial systems (45)

• Accounts Payable • Procurement •

Resources Review controls in place to mange key risk areas within the main financial systems

Director of Finance

Q3

• NWSSP - Primary Care contractors ( nwssp plan)

Resources Review controls in place to mange key risk areas within the main financial systems

Director of Finance

Q3

Routine CAATs reviews (10) Resources Computer assisted audit techniques on accounts payable transactions

Director of Finance

Q1-3



Appendix D


Outline timing

Clinical governance quality and safety (135)

Infection Control (25) Patient /Citizen

Review the UHB’s systems and process implemented to manage key risk areas including structure, plans and monitoring.

Director of Nursing

Q1/2

Mortality & RAMI (25) Patient /Citizen

Review the UHB’s systems and process implemented to manage key risks, ensure accuracy of data and review key actions taken.

Medical Director

Q1/2

NPSA Alerts (25) Patient /Citizen

Review the UHB’s response to the dissemination and implementation of alerts

Director of Nursing

Q1/2

Medicines Management (15) Patient /Citizen

follow up - To ensure risks identified in original report have been addressed.

Medical Director

Q1/2

Catering Services and Food Safety Act (25)

Patient /Citizen

Review the UHB’s systems and process implemented to manage key risks

DCEO Q1/2

Prevention of Falls (20) Patient /Citizen

Review whether developed plans and pathways to reduce falls enacted

Director of Therapies

Q1/2

Information Governance and Security (65)

Information Governance – Caldicott, break glass (25)

Getting it right Review controls in place to mange key risk areas and following up of previous actions.

Medical Director

Q2/3

Individual IT Systems - Security Contingency / Recovery follow up (20)

Getting it right Review controls in implemented to improve contingency and back up arrangements

Medical Director/ D

Q3/4



Appendix D


Outline timing

following a previous system failure. CEO Individual IT Systems - Medical Physics System (20)

Getting it right Review controls in place to manage the system, including security, data, contingency planning and operations.

Medical Director / DCEO

Q1/2

Operational service and functional management (220)

Prison Health (20) Getting it right Review the UHB’s systems and process implemented to manage key risks to the service provided.

COO Q1/2

Stock & Stores (25) Getting it right Review the UHB’s systems and process for stock and stores management. Follow up on previous reviews

DCE/ COO Q1/2

Public health Improvement Targets (25)

Getting it right Review process in place to ensure that a selection of targets are to be achieved.

Director of Public Health

Q1/2

Prescribing (20) Getting it right To review the UHB’s systems and process implemented to manage key risks

COO / Medical Director

Q1/2

Management of Capital Schemes & Estates Assurance Work (130)

Getting it right / Resources

Specific schemes to be agreed by the Audit & Assurance Service Specialist Service Unit


TBA



Appendix D


Outline timing

Workforce management (125)

NWSSP – payroll (35) Resources Review controls in place to mange key risk areas within the main financial systems

Director WOD

Q3

NWSSP CAATs (10) Resources Computer assisted audit techniques on payroll transactions

Director WOD

Q3

Management of staff and variable pay

(45)


Review of Establishment Controls, authorisation, rostering, linked with Absence Management. Review of controls in place to manage key risks of inappropriate expenditure across a number of CSB and departments.

Director WOD /COO

Q1/2

Management of Medical Locums follow up (15)


Follow up review of previously agreed actions. Medical director

Q2

ESR MSS implementation (20)


Review of implementation, set up, procedures and control environment.

Director WOD / DoF

Q2

Audit Management (220)

Contingency This element of the plan allows the flexibility to respond to management requests in order to meet specific Health Board needs throughout the course of the financial year.

Follow-up We will conduct follow-up reviews throughout the year to provide the Audit Committee with



Appendix D


Outline timing

assurance regarding management’s implementation of agreed actions.

Management An allocation of time is required for the management of the service to the Health Board:- • Planning liaison and management –

Incorporating preparation and attendance at Audit Committee; completion of risk assessment and planning; liaison with key contacts and organisation of the audit reviews; and

• Reporting and meetings – Key reports will be provided to support this, including preparation of the annual plan and progress reports to the Audit Committee.


internal audit operational plan 2013/14 and audit strategy ... · pdf filecardiff and vale...

Documents