Surrey and Sussex Healthcare NHS Trust

Transcription

1 Surrey and Sussex Healthcare NHS Trust Internal audit strategy 2014/ /2017 Presented at the Audit Committee meeting of: 17 July

2 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Contents 1 Introduction Developing the internal audit strategy Internal audit resources Audit committee requirements... 9 Appendix A: Internal audit plan 2015/ Appendix B: Internal audit strategy Appendix C: Factors influencing the internal audit strategy Appendix D: Internal audit charter Appendix E: Our internal audit approach to an assignment Appendix F: Overview of internal audit assignment opinions For further information contact... 31

3 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Introduction Our approach to developing your internal audit plan is based on analysing your corporate objectives, risk profile and assurance framework as well as other, factors affecting Surrey and Sussex Healthcare NHS Trust in the year ahead including changes within the sector. 1.1 Background Surrey and Sussex Healthcare NHS Trust continues to improve and is proud to be one of the best performing Trusts in England. In the past year, , the Trust has succeeded in meeting clinical standards and delivering high quality care and a positive experience for its patients through a number of elements. The application to become a Foundation Trust has successfully completed a number of key milestones: November 2014: Formal Board-to-Board with the Trust Development Authority (TDA) March 2015: The TDA Board gives approval for us to move to the final Monitor assessment stage April 2015: Monitor assessment begins At the end of March 2015 the Trust had recruited over 10,000 members. 1.2 Vision The Trust s vision is Safe, high quality healthcare that puts our community first. The Trust s values are Dignity and respect: we value each person as an individual and will challenge disrespectful and inappropriate behaviour One team: we work together and have a can do approach to all that we do recognising that we all add value with equal worth Compassion: we respond with humanity and kindness and search for things we can do, however small; we do not wait to be asked, because we care Safety and quality: we take responsibility for our actions, decisions and behaviours in delivering safe, high quality care

4 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Objectives This year, as part of its ongoing development of the Trust, the Trust has reviewed its strategic objectives to align them with the five domains of Care Quality Commission (CQC) inspection standards and to focus its priorities as: 1. Safe: Deliver safe services and be in the top 20% against our peers. 2. Effective: Deliver effective and sustainable clinical services within the local health economy. 3. Caring: Ensure patients are cared for and feel cared about. 4. Responsive: Become the secondary care provider of choice for our catchment population. 5. Well-led: Become an employer of choice and deliver financial and clinical sustainability around a clinical leadership model.

5 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Developing the internal audit strategy We use your objectives as the starting point in the development of your internal audit plan. 2.1 Risk management processes We have evaluated your risk management processes and consider that we can place reliance on your risk registers / assurance framework to inform the internal audit strategy. We have used various sources of information (see Figure A below) and discussed priorities for internal audit coverage with the following people: Chief Finance Officer Director of Corporate Affairs Audit Committee Chair Executive Committee Audit Committee (to be discussed in July 2015) The plan is based on their comments and our assessment of your needs based on prior working, issues elsewhere in the Sector and our Strategic Internal Audit plan. Based on our understanding of the organisation, and the information provided to us by the stakeholders above, we have developed an annual internal plan for the coming year, and a high level strategic plan. This was also supplemented by linking our work to the Trust s own Internal Control System Map which has been aligned to Board Committees. Figure A: Sources considered when developing the Internal Audit Strategy.

6 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ How the plan links to your strategic objectives Each of the reviews that we propose to undertake is detailed in the internal audit plan and strategy within Appendices A and B. In the table below we bring to your attention particular key audit areas and discuss the rationale for their inclusion or exclusion within the strategy. As well as assignments designed to provide assurance or advisory input around specific risks, the strategy also includes: time for tracking the implementation of actions and an audit management allocation. Full details of these can be found in Appendices A and B.

7 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Area Right Bed First Time Supervision For Temporary Staff Reason for inclusion or exclusion in the audit plan/strategy The Trust needs to find patients the right bed, the first time they are admitted through the Emergency Department (ED) which should lead to improvements in health outcomes and patient experience, and reduce overall length of stay. The Trust needs the ability to make fast, informed decisions about patient placement from ED admission to the subsequent placement of the patient onto an appropriate ward and is seeking to have an effective real time bed tracker as part of this process. Despite pressures on capacity and demands on time it is important that supervision of temporary staff remains a priority as ineffective processes could have a detrimental effect on patient safety and quality of clinical care. We will review processes to record supervision of temporary staff to demonstrate that it is taking place and effective actions are being taken where extra support and/or training is required. We will consider the accuracy, completeness and timeliness of reporting of compliance. Link to strategic objective 1. Safe: Deliver safe services and be in the top 20% against our peers. 3. Caring: Ensure patients are cared for and feel cared about. 1. Safe: Deliver safe services and be in the top 20% against our peers. Capital Schemes As the Trust has limited availability of revenue funding and the focus is on service delivery and patient care it becomes difficult to reduce funds to maintain and improve environment where services are provided. We will consider the overarching setting of the Capital Programme, Business Case processes and the management and reporting against the programme. Additionally for a sample of projects we will undertake testing in regards to value for money around the capital procurement. In addition, we will focus on how the backlog maintenance is prioritised and delivered. We will also incorporate some review of former IT Capital Projects to determine whether the intended benefits have been realised. 5. Well-led: Become an employer of choice and deliver financial and clinical sustainability around a clinical leadership model. Agency Cost Improvement Plans Recent letters have been issued from the Secretary of State regarding the use of Agency, the need to control expenditure and additional assurance required In addition, annually the challenge is becoming harder to drive through financial efficiencies and Agency cost in 14/15 was still one of the Trust main areas of overspend/ standardisation and compliance issues. This area will link in with the Trust CIP and also Workforce planning We will the review the new arrangements for managing Agency across the Trust in particularly at ward/unit level. This will build on work already undertaken in 14/15. We will focus the review on assumptions made, timing of development of CIP schemes and also inclusion of quality assessments. We will also assess longer term CIP planning and review how projects are delivering against plan. 5. Well-led: Become an employer of choice and deliver financial and clinical sustainability around a clinical leadership model. 5. Well-led: Become an employer of choice and deliver financial and clinical sustainability around a clinical leadership model.

8 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Working with other assurance providers The Audit Committee is reminded that internal audit is only one source of assurance and through the delivery of our plan we will not, and do not, seek to cover all risks and processes within the organisation. We will however continue to work closely with other assurance providers, such as External Audit and Local Counter Fraud to ensure that duplication is minimised and a suitable breadth of assurance obtained.

9 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Internal audit resources Your internal audit service is provided by Baker Tilly Risk Advisory Services LLP. The team will be led by Nick Atkinson - Partner, supported by David May as your Client Manager. 3.1 Fees Our fee to deliver the plan of 250 days is 84,435 (excluding VAT). There are additionally ten days carried forwards from 2014/15 to create an overall 260 day plan. 3.2 Conformance with internal auditing standards Baker Tilly affirms that our internal audit services are designed to conform to the Public Sector Internal Audit Standards (PSIAS). Further details of our responsibilities are set out in our internal audit charter within Appendix D. Under PSIAS, internal audit services are required to have an external quality assessment every five years. Our Risk Advisory service line commissioned an external independent review of our internal audit services in 2011 to provide assurance whether our approach meets the requirements of the International Professional Practices Framework (IPPF) published by the Global Institute of Internal Auditors (IIA) on which PSIAS is based. The external review concluded that the design and implementation of systems for the delivery of internal audit provides substantial assurance that the standards established by the IIA in the IPPF will be delivered in an adequate and effective manner. 3.3 Conflicts of Interest We are not aware of any relationships that may affect the independence and objectivity of the team, and which are required to be disclosed under internal auditing standards.

10 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit committee requirements In approving the internal audit strategy, the committee is asked to consider the following: Is the Audit Committee satisfied that sufficient assurances are being received within our annual plan (as set out at Appendix A) to monitor the organisation s risk profile effectively? Does the strategy for internal audit (as set out at Appendix B) cover the organisation s key risks as they are recognised by the Audit Committee? Are the areas selected for coverage this coming year appropriate? Is the Audit Committee content that the standards within the charter in Appendix D are appropriate to monitor the performance of internal audit? It may be necessary to update our plan in year, should your risk profile change and different risks emerge that could benefit from internal audit input. We will ensure that management and the audit committee approve such any amendments to this plan.

11 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix A: Internal audit plan 2015/2016 Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date Risk based assurance Pharmacy Stock We will focus on the controls in place regarding stock ordering and management of Pharmacy with particular focus on the CIP aspect of Drug wastage. 10 July 2015 September 2015 Supervision For Temporary Staff We will review processes to record supervision of temporary staff to demonstrate that it is taking place and effective actions are being taken where extra support and/or training is required. We will consider the accuracy, completeness and timeliness of compliance. 10 January 2016 March 2016 Data Quality For a sample of key performance figures reported to the Board we will review the underlying data quality to provide assurance that the information reported is accurate. In addition we will review the indicator as determined by either the Trust or Monitor & the Governors for Quality Accounts depending on its FT Status. The review includes tracing data from source through collection, validation to report to ensure processes are robust. 13 April 2016 July 2016 Cost Improvement Plans To consider the approach to development of CIPs including assumptions and Quality Impact assessments. We will review progress to deliver to date and how longer term (16/17) CIP plans are being developed and planned for development. We will undertake some deep dive reviews into progress on delivery on specific projects. 12 September 2015 November 2015 Backlog Maintenance & Capital Schemes We will consider the overarching setting of the Capital Programme, Business Case processes and the management and reporting against the programme. Additionally for a sample of projects we will undertake testing in regards to value for money around the capital procurement. In addition, we will focus how the backlog maintenance is priortised and delivered. 10 November 2015 January 2016

12 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date Temporary Staffing We will the review the new arrangements for managing Agency usage across the Trust in particularly at ward/unit level. This will build on work already undertaken in 14/15. It will also provide assurance around use of appropriate agencies and consultants following the letter from the Secretary of State requiring additional assurances. 14 January 2016 March 2016 Mortality Reporting To ensure a consistent and coordinated approach for the review of adult deaths in hospital. The need to consider mortality rates and national mortality indicators, available at diagnosis and individual patient level, to ensure that deaths are reviewed and patients are safe. Ensure that there are clear reporting mechanisms in place, to escalate any areas of concern identified, so that the Trust is aware and can take appropriate action 10 October 2015 January 2016 Infection Control We will assess Trust arrangements and ensure that there is robust evidence of compliance in all criteria with the Health and Social Care Act (2008) Code of Practice for the Prevention and Control of Health Care Associated Infections. Our review will focus on how well the Trust s departments are equipped to prevent and deal with infectious disease, particularly HCAI. We will review action plans in place to address identified weakness as well as review lessons learnt and how best practice can be disseminated across the Trust to ensure that the Trust maintains a top decile performance. 10 November 2015 January 2016

13 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date Duty of Candour We will consider the adequacy of the Duty of Candour arrangements in the Trust This will, include; the adequacy of the revised Duty of Candour Policy ; Assess its understanding amongst staff and whether staff are confident to use it within the Trust and have had appropriate training. For a sample of complaints and near misses we will track through to see how the Duty of Candour is evidenced. How the outcomes are measured in light of the duty of candour. Lessons Learned feedback into improving Patient Experience & Patient Care 10 January 2016 March 2016 Overseas Patient Income Our review will have a specific focus on the new guidelines coming into place for overseas visitors and whether the Trust can demonstrate through its systems that it is doing everything to ensure it qualifies for any payments. This will also take into account the new funding arrangements on income due from CCGs. 10 November 2015 January 2016 Right Bed First Time To ensure the Trust is finding patients the right bed, the first time they are admitted through the Emergency Department (ED) which leads to improvements in health outcomes and patient experience, and reduces overall length of stay. To evaluate the Trust s ability to make fast, informed decisions about patient placement from ED admission to the subsequent placement of the patient onto an appropriate ward, using effective real time bed management functionality. To consider adding some specialist support in this area around the current plans. 12 August 2015 September 2015

14 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date RTT Data (Performance Management) RTT is a key quality and performance indicator and the audit would support the Trust s return (which meets expected target) and provide some assurance that this data is sound and accurate.. This will be performed twice during the year 15 October 2015 & June 2016 November 2015 & July 2016 Workforce Reporting (Data Quality) For a sample of key performance figures reported to the Finance & Workforce Committee we will review the underlying data quality to provide assurance that the information reported is accurate. In particular we will focus on the appropriateness of the establishment levels information and the links between HR and Finance and ESR. 10 October 2015 January 2016 Provider to Provider Services We will review the arrangements to ensure that all activity is captured, billed accurately and completely and supported by a Provider to Provider agreement. Also to ensure there is adequate engagement with the other providers and an understanding of future risks and opportunities for income generation and shared/joint working. 10 September 2015 November 2015 Mobile Devices Core assurance We will review Trust arrangements for managing these risks associated with mobile devices and arrangements for ensuring that appropriate safeguards are in place for handling and processing patient data on mobile devices. 10 April 2016 July 2016 Information Governance Toolkit The purpose of the review is to examine the attainment levels submitted for a number of requirements within the toolkit, with a view to providing an opinion on the appropriateness of the information submitted and the adequacy of the documentation held to support these scores. This also ensures that if investigated the Trust can demonstrate actual compliance. 10 March 2016 July 2016

15 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date Financial Feeder Systems Cash Forecasting Payments to staff We will conduct a risk assessment on the function and test the higher risk elements to give assurance over the adequacy of the financial controls. This will include elements of the payroll system. As part of this process we will also undertake a review of cash handling, controls and security arrangements of cash collected at Surrey and Sussex Healthcare. This work is done on a rotation basis and in consultation with management. The Audit Committee would like assurance over the effectiveness of the cash forecasting processes, recognising the challenges around cash management. Our review will look at the payments that are made to staff in the course of their employment, including expenses, be it travel or petty cash expenditure. 9 6 February 2016 September 2015 March 2016 November March 2016 July 2016 Assurance Framework Failure to assess and manage clinical and non-clinical risks effectively, resulting in harm 9 Throughout the Year Each Meeting Capital Projects Benefits Realisation We will support the Trusts with a specialist review to consider how benefits are realised from Capital Projects with a specific focus on large scale IT Projects to determine whether they have achieved what they set out to achieve and how the establishment of such projects might lead to greater value moving forwards. 10 October 2015 January 2016 Other internal audit input Follow Up To meet internal auditing standards and to provide management with on-going assurance regarding implementation of recommendations 10 Throughout the Year Each Meeting

16 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Audit area Scope for 2015/16 Audit days Proposed timing Estimated audit committee date Advisory Audit To allow for additional advisory audits to be undertaken at the request of the Audit Committee or management based on the demand to reduce costs: This could include some of the following areas: Assistance in technical issues around VAT, Salary Sacrifice, PAYE etc. Cash Release from Improvement in Quality Contract Management (Procurement) 10 To be determined To be confirmed Audit Management This will include: Annual planning Preparation for, and attendance at, Audit Committee meetings Regular liaison and progress updates Liaison with external audit Preparation of the annual internal audit opinion 20 Throughout the Year Each Meeting TOTAL 260 Please note the 260 days includes 10 days bought forward from the 14/15 plan which are to be utilised in 15/16 in particular around the advisory audits and the focus on the demand to reduce costs.

17 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix B: Internal audit strategy Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Risk based assurance Safeguarding Children Clinical Governance Safeguarding Adults Data Quality (including Quality Accounts) Mortality Duty of Candour Management Concern for the Internal Control System Map - Failure to safeguard children from exploitation and/or abuse 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties. Management Concern for the Internal Control System Map - Failure to safeguard vulnerable Adults from exploitation and/or abuse 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties. 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties. 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties.

18 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Consent Infection Control NICE Guidance Incident Management 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties. 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions Failure to maintain systems to control rates of HCAI will effect patient safety and quality of care 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties. 2.A Achieve the best possible clinical outcomes for our patients. There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties Right Bed, First Time Complaints 2.A Achieve the best possible clinical outcomes for our patients. There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties 2.A Achieve the best possible clinical outcomes for our patients. There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties Clinical Audit 2.A Achieve the best possible clinical outcomes for our patients. There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties

19 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Lessons Learned Temporary Staffing 2.A Achieve the best possible clinical outcomes for our patients There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties 3.B.1 Failure to recruit and retain clinical staff may result in excessive usage of agency and may impact negatively on Trust s quality of care provided to patients. Workforce Strategy & Recruitment Workforce Reporting E-Rostering Absence Management Statutory and Mandatory Training Nursing Revalidation Medical Revalidation Appraisals Supervision 3.B.1 Failure to recruit and retain clinical staff may result in excessive usage of agency and may impact negatively on Trust s quality of care provided to patients 3.B.1 Failure to recruit and retain clinical staff may result in excessive usage of agency and may impact negatively on Trust s quality of care provided to patients 3.B.1 Failure to recruit and retain clinical staff may result in excessive usage of agency and may impact negatively on Trust s quality of care provided to patients 3.B.1 Failure to recruit and retain clinical staff may result in excessive usage of agency and may impact negatively on Trust s quality of care provided to patients Ineffective staff development means that the Trust does not have the skilled workforce to deliver current and future services. Ineffective staff development means that the Trust does not have the skilled workforce to deliver current and future services. Ineffective staff development means that the Trust does not have the skilled workforce to deliver current and future services. If the Trust does not put into place systems to assess, monitor and evaluate nursing staffing levels there may be negative impact on Trust s quality of care provided to patients. 1.A.1 Consistently meet national patient safety standards in all specialties and across divisions There is a risk that the Trust will not meet its objective to deliver continuous improvement in reducing avoidable harm, if all national and local standards are not embedded within divisions and specialties.

20 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Patient Experience 2.A Achieve the best possible clinical outcomes for our patients There is a risk that patient outcomes will not continue to improve if monitoring and benchmarking is not utilized to improve clinical outcomes across divisions and specialties RTT Data (Performance Management) 5.A Live within our means to remain financially sustainable. As readmission rates are an indicator of high quality care, failure to improve the Trust s rate poses a risk to this objective. Procurement Disciplinary Procedures Whistleblowing Business Continuity Planning / Disaster Recovery 5.A Live within our means to remain financially sustainable. Failure to stop divisional overspending against budget 5.G.2 We are a well governed organisation. Failure to have a streamlined disciplinary process in place to enable the Trust to deal with these matters in a timely and effective manner 5.G.2 We are a well governed organisation. There is a risk that Clinical leadership efforts will not embed if staff do not feel empowered and supported in order to make positive changes regarding care pathways within specialties and directorates 5.F. Ensure IT support/optimise patient experience by improving patient interface, sharing and capture of patient information and patient communication Business planning Linked to all Risks under Objective 4. (BAF) IT Project Management & Implementation Mobile Devices IT Security Information Governance Toolkit 5.F. Ensure IT support/optimise patient experience by improving patient interface, sharing and capture of patient information and patient communication 5.F. Ensure IT support/optimise patient experience by improving patient interface, sharing and capture of patient information and patient communication 5.F. Ensure IT support/optimise patient experience by improving patient interface, sharing and capture of patient information and patient communication 5.F. Ensure IT support/optimise patient experience by improving patient interface, sharing and capture of patient information and patient communication

21 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Patients Property and Monies EME Services Register of Interests & Gifts and Hospitality Risk of reputational damage as a result of poor management of patient property and monies. Sector Risk Management Concern - There is a risk that the Trust isn t able to deliver service in an effective timely manner due to the estate not fully supporting the clinical strategy Failure to maintain transparency and accountability across the organisation. Audit Committee Work plan Stock Control 5.A Live within our means to remain financially sustainable. Failure to stop divisional overspending against budget Income Contract Management Budgetary Control & Financial Reporting 5.A Live within our means to remain financially sustainable. Failure to stop divisional overspending against budget 5.A Live within our means to remain financially sustainable. Failure to deliver income plan Cost Improvement Planning Backlog Maintenance & Capital Schemes 5.A Live within our means to remain financially sustainable. Failure to stop divisional overspending against budget 5.A Live within our means to remain financially sustainable. Unable to deliver medium term financial plan. Monitor Licence The Health and Social Care Act 2012 makes changes to the way NHS service providers will be regulated. These changes include the introduction of a licence for providers of NHS services. Regulatory Requirement new for 14/15 for all provider non-foundation Trusts. We will review Trust arrangements for ensuring that the Trust meets and complies with the conditions for holding a Monitor Licence and will review compliance on a sample basis annually.

22 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Core assurance Financial Feeder Systems We will provide assurance as to the robustness of the core financial systems feeding into the overall financial ledger and financial reporting systems Cash and Treasury Management Payment to staff Fixed Asset Register Private & Overseas Patient Income We will undertake a review of cash handling, controls and security arrangements of cash collected at Surrey and Sussex Healthcare. This work is done on a rotation basis and in consultation with management. We will provide assurance as to the robustness of the core payroll systems operated locally at the Trust We will provide assurance as to the robustness of the core Fixed Asset System. Failure to deliver income plan Other Internal Audit input Assurance Framework We will continue to provide a rolling programme of reviews to give assurance to the Audit Committee concerning the various sections and risks with associated controls and assurances from within the Board Assurance Framework. Follow Up Contingency To meet internal auditing standards and to provide management with on-going assurance regarding implementation of recommendations To allow for additional audits to be undertaken at the request of the Audit Committee or management based on changes in assurance needs as they may arise during the year.

23 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Proposed area for coverage Scope and Associated risk Area 2014/ / /17 Audit Management This will include: Annual planning Preparation for, and attendance at, Audit Committee meetings Regular liaison and progress updates Liaison with external audit Preparation of the annual internal audit opinion

24 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix C: Factors influencing the internal audit strategy The diagram below highlights the planned internal audit coverage against the changing risk environment. This analysis allows us to ensure that the type and level of coverage proposed meets the organisation s assurance needs for the forthcoming and future years.

25 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix D: Internal audit charter 1.0 Need for the charter 1.1 This charter establishes the purpose, authority and responsibilities for the internal audit service for Surrey & Sussex NHS Healthcare Trust. The establishment of a charter is a requirement of the Public Sector Internal Audit Standards (PSIAS) and approval of the charter is the responsibility of the audit committee. 1.2 The internal audit service is provided by Baker Tilly Risk Advisory Services LLP ( Baker Tilly ). Your key internal audit contacts are: Partner Client manager Name Nick Atkinson David May Telephone address Nick.atkinson@bakertilly. co.uk David.may@bakertilly.co. uk 1.3 We plan and perform our internal audit work with a view to reviewing and evaluating the risk management, control and governance arrangements that the organisation has in place, focusing in particular on how these arrangements help you to achieve its objectives. 1.4 An overview of the individual internal audit assignment approach and our client care standards are included at Appendix E and F of the audit plan issued for 2015/ Role and definition of internal auditing Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by introducing a systematic, disciplined approach in order to evaluate and improve the effectiveness of risk management, control, and governance processes. Definition of Internal Auditing, Institute of Internal Auditors and the Public Sector Internal Audit Standards

26 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Internal audit is a key part of the assurance cycle for your organisation and, if used appropriately, can assist in informing and updating the risk profile of the organisation. 3.0 Independence and ethics 3.1 To provide for the independence of Internal Audit, its personnel report directly to the Nick Atkinson (acting as your head of internal audit). The independence of Baker Tilly is assured by the internal audit service reporting to the Chief Executive, with further reporting lines to the Director of Finance and Director of Corporate Affairs. 3.2 The head of internal audit has unrestricted access to the Chair of Audit Committee to whom all significant concerns relating to the adequacy and effectiveness of risk management activities, internal control and governance are reported. Conflicts of Interest 3.3 Conflicts of interest may arise where Baker Tilly provides services other than internal audit to Surrey & Sussex NHS Healthcare Trust. Steps will be taken to avoid or manage transparently and openly such conflicts of interest so that there is no real or perceived threat or impairment to independence in providing the internal audit service. If a potential conflict arises through the provision of other services, disclosure will be reported to the audit committee. 3.4 The nature of the disclosure will depend upon the potential impairment and it is important that our role does not appear to be compromised in reporting the matter to the audit committee. Equally we do not want the organisation to be deprived of wider Baker Tilly expertise and will therefore raise awareness without compromising our independence. 4.0 Responsibilities 4.1 In providing your outsourced internal audit service, Baker Tilly has a responsibility to: Develop a flexible and risk based internal audit strategy with more detailed annual audit plans which align to the corporate objectives. The plan will be submitted to the audit committee for review and approval each year before work commences on delivery of that plan. Implement the audit plan as approved, including any additional reviews requested by management and the audit committee. Ensure the internal audit team consists of professional internal audit staff with sufficient knowledge, skills, and experience.

27 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Authority Establish a quality assurance and improvement program to ensure the quality and effective operation of internal audit activities. Perform advisory activities where appropriate, beyond internal audit s assurance services, to assist management in meeting its objectives. Bring a systematic disciplined approach to evaluate and report on the effectiveness of risk management, internal control and governance processes. Highlight control weaknesses and required associated improvements and agree corrective action with management based on an acceptable and practicable timeframe. Undertake action tracking reviews to ensure management has implemented agreed internal control improvements within specified and agreed timeframes. Provide a list of significant performance indicators and results to the audit committee to demonstrate the performance of the internal audit service. Liaise with the external auditor and other relevant assurance providers for the purpose of providing optimal assurance to the organisation. 5.1 The internal audit team is authorised to: Have unrestricted access to all functions, records, property and personnel which it considers necessary to fulfil its function. Have full and free access to the audit committee. Allocate resources, set timeframes, define review areas, develop scopes of work and apply techniques to accomplish the overall internal audit objectives. Obtain the required assistance from personnel within the organisation where audits will be performed, including other specialised services from within or outside the organisation. 5.2 The head of internal audit and internal audit staff are not authorised to: Perform any operational duties associated with the organisation. Initiate or approve accounting transactions on behalf of the organisation. Direct the activities of any employee not employed by Baker Tilly unless specifically seconded to internal audit.

28 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Key Performance Indicators (KPIs) 6.1 In delivering our services we require full cooperation from key stakeholders and relevant business areas to ensure a smooth delivery of the plan. We proposed the following KPIs for monitoring the delivery of the internal audit service: Delivery Audits commenced in line with original timescales agreed in the internal audit plan. Draft reports issued within 10 working days of debrief meeting. Management responses received from client management within 10 working days of draft report. Final report issued within 3 days from receipt of management responses. Completion of internal audit plan by the end of the financial year. Quality Conformance with the Public Sector Internal Audit Standards. Liaison with external audit to allow, where appropriate and required, the external auditor to place reliance on the work of internal audit. Response time for all general enquiries for assistance is completed within 2 working days. Response to emergencies such as concerns of potential fraud with 1 working day. Consideration of the feedback and scores from client satisfaction questionnaires. 7.0 Reporting 7.1 An assignment report will be issued following each internal audit assignment. The report will be issued in draft for comment by management, and then issued as a final report to management, with the executive summary being provided to the audit committee. The final report will contain an action plan agreed with management to address any weaknesses identified by internal audit. 7.2 The Head of Internal Audit will issue progress reports to the Audit Committee and management summarising outcomes of audit activities, including follow up reviews. 7.3 As your internal audit provider, the assignment opinions that Baker Tilly provides the organisation during the year are part of the framework of assurances that assist the board in taking decisions and managing its risks.

29 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ As the provider of the internal audit service we are required to provide an annual opinion on the adequacy and effectiveness of the organisation s governance, risk management and control arrangements. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide to the board is a reasonable assurance that there are no major weaknesses in risk management, governance and control processes. The annual opinion will be provided to the organisation by Baker Tilly Risk Advisory Services LLP at the financial year end. The results of internal audit reviews, and the annual opinion, should be used by management and the Board to inform the organisation s annual governance statement. 8.0 Data Protection 8.1 Internal audit files need to include sufficient, reliable, relevant and useful evidence in order to support our findings and conclusions. Personal data is not shared with unauthorised persons unless there is a valid and lawful requirement to do so. We are authorised as providers of internal audit services to our clients (through the firm s Terms of Business and our engagement letter) to have access to all necessary documentation from our clients needed to carry out our duties. 8.2 Personal data is not shared outside of Baker Tilly. The only exception would be where there is information on an internal audit file that external auditors have access to as part of their review of internal audit work or where the firm has a legal or ethical obligation to do so (such as providing information to support a fraud investigation based on internal audit findings). 8.3 Baker Tilly has a Data Protection Policy in place that requires compliance by all of our employees. Non-compliance will be treated as gross misconduct. 9.0 Fraud 9.1 The audit committee recognises that management is responsible for controls to reasonably prevent and detect fraud. Furthermore, the audit committee recognises that internal audit is not responsible for identifying fraud; however internal audit will assess the risk of fraud and be aware of the risk of fraud when planning and undertaking any internal audit work Approval of the internal audit charter 10.1 By approving this document, the annual plan, the audit committee is also approving the internal audit charter.

30 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix E: Our internal audit approach to an assignment

31 Surrey & Sussex Healthcare NHS Trust Internal Audit Strategy 2015/ Appendix F: Overview of internal audit assignment opinions For internal audits classed as risk based assurance reviews (compared with advisory input), we use four opinion levels as shown below. Each assignment report will explain the scope of the review, and therefore the context and scope of the opinion. Increasing level of assurance Taking account of the issues identified, the Board cannot take assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective. Urgent action is needed to strengthen the control framework to manage the identified risk(s). Taking account of the issues identified, the Board can take partial assurance that the controls to manage this risk are suitably designed and consistently applied. Action is needed to strengthen the control framework to manage the identified risk(s). Taking account of the issues identified, the Board can take reasonable assurance that the controls in place to manage this risk are suitably designed and consistently applied. However, we have identified issues that need to be addressed in order to ensure that the control framework is effective in managing the identified risk(s). Taking account of the issues identified, the Board can take substantial assurance that the controls upon which the organisation relies to manage the identified risk(s) are suitably designed, consistently applied and operating effectively.

32 For further information contact Name Nick Atkinson Partner - Baker Tilly Risk Advisory Services LLP nick.atkinson@bakertilly.co.uk Direct Line: +44 (0) Mobile: +44 (0) Name David May Audit Manager Baker Tilly Risk Advisory Services LLP david.may@bakertilly.co.uk Phone: +44 (0) Mobile: +44 (0) This report, together with any attachments, is provided pursuant to the terms of our engagement. The use of the report is solely for internal purposes by the management and Board of our client and, pursuant to the terms of our engagement, should not be copied or disclosed to any third party without our written consent. No responsibility is accepted as the plan has not been prepared, and is not intended for, any other purpose. Baker Tilly Corporate Finance LLP, Baker Tilly Restructuring and Recovery LLP, Baker Tilly Risk Advisory Services LLP, Baker Tilly Tax and Advisory Services LLP, Baker Tilly UK Audit LLP, and Baker Tilly Tax and Accounting Limited are not authorised under the Financial Services and Markets Act 2000 but we are able in certain circumstances to offer a limited range of investment services because we are members of the Institute of Chartered Accountants in England and Wales. We can provide these investment services if they are an incidental part of the professional services we have been engaged to provide. Baker Tilly & Co Limited is authorised and regulated by the Financial Conduct Authority to conduct a range of investment business activities. Baker Tilly Creditor Services LLP is authorised and regulated by the Financial Conduct Authority for credit-related regulated activities. Before accepting an engagement, contact with the existing accountant will be made to request information on any matters of which, in the existing accountant's opinion, the firm needs to be aware before deciding whether to accept the engagement Baker Tilly UK Group LLP, all rights reserved.