Section 7-18 Updated, Appendices A-D included Appendices 1-5 Updated V03.1 Amend Feb 13 Policy number changed to Operational (NTW(O)25)

Transcription

1 Document Title Reference Number Lead Officer Author(s) (name and designation) Ratified by Internal Audit Process NTW(O)25 Director of Finance Caroline Wild - Deputy Director of Corporate Relations and Communications, Chief Executive Office (June16) Audit Committee Date ratified 21 November 2012 Implementation Date 1 December 2012 Date of full implementation 1 December 2012 Review Date June 2017 Version number V03.4 Review and Amendment Log Version This policy supersedes: Type of Change Date V03 Update Nov 12 Description of Change Section 1 (revision) - Introduction guidance also covers counter fraud reports Sections, 2, 3, Updated in formation Section 4 (revision) Background to Internal Audit: 4.3 Annual Governance Statement (previously known as Statement on Internal Control) Audit Plan inclusions Section 5 (revision) Internal Audit stages Intervention by director (previously Audit Liaison Officer (ALO)) Board Secretary (previously ALO) Exit meeting -arranged by the key contact and Change to timescales Response of further discussion needed acceptable Internal Audit will highlight issues to the Audit Committee Director s confirmation Head of Assurance (previously Business Support / Project Manager) Progress report for reports with limited or no assurance 5.8.2, and SMT involvement Questionnaires for Executive Directors and the Audit Committee Section 7-18 Updated, Appendices A-D included Appendices 1-5 Updated V03.1 Amend Feb 13 Policy number changed to Operational (NTW(O)25) V03.2 Update Dec 15 Extension to Review June 2016 V03.3 Update Jun 16 Extension to Review December 2016 V03.4 Update Dec 16 Extension to Review June 2017 Document Number Title NTW(F)11 V03.2 Guidance on the internal audit process

2 Internal Audit Process Section Contents Page No. 1 Introduction 1 2 Duties and Responsibilities 1 3 Definition of Terms 2 4 Background to Internal Audit 2 5 Internal Audit Stages 4 6 Identification of Stakeholders 9 7 Training 9 8 Implementation 9 9 Standard Key Performance Indicators 9 10 Monitoring Compliance Equality and Diversity Fair Blame Fraud and Corruption Conclusion Associated Documents References 11 Standard Appendices attached to policy A Equality and Diversity Impact Assessment - 12 B Training Checklist and Training Needs Analysis 15 C Audit Monitoring Tool 17 D Policy Notification Record Sheet - click here Appendices (listed within policy) Appendix 1 Key Contact (for specific audits) - Role and responsibilities 20 Appendix 2 Director s responsibility 22 Appendix 3 Levels of assurance provided by Internal Audit reports 23 Appendix 4 Provision of information, timescales and performance indicators 24 Appendix 5 Processes for considering limited assurance, no assurance; reporting progress on management actions 25

3 1. Introduction NTW(O) This guidance is designed to ensure that Northumberland, Tyne and Wear NHS Foundation Trust, (the Trust/NTW) officers involved at any stage of the audit process are aware of the process relating to an internal audit report. As the approach to internal audit and counter fraud reports is very similar, the guidance also covers counter fraud reports. It also includes details of the roles and responsibilities of key officers within the process. 1.2 The guidance has been produced by the Deputy Director of Corporate Relations and Communications in conjunction with the Head of Internal Audit. 1.3 Please note the following with regard to Equality and Diversity : If a version of this policy or an individual form used in the policy procedure is required in a larger font-size, please contact the Author (see front sheet) to request If any part or all of this policy procedure is required in a language other than English, please contact the Author to discuss your requirement 2 Duties and Accountabilities 2.1 Executive Directors The executive directors are collectively responsible for proposing areas for inclusion in the audit plan, which sets out details of the assignments to be carried out Each executive director has overall responsibility for audits in his/her responsibility. A summary of executive director responsibilities is shown at Appendix Executive Director of Finance The Executive Director of Finance is responsible for establishing an internal audit function as per Standing Financial Instructions. 2.3 Audit Committee The Audit Committee is a committee of the Board of Directors consisting of 3 independent Non Executive Directors The Committee approves the audit plan and any subsequent changes to it, and reviews progress against the audit plan It reviews the findings of internal audit and counter fraud work, associated management responses and progress against action plans Its primary role is to conclude upon the adequacy and effective operation of the Trust s overall internal control system, on behalf of the Board of Directors. 1

4 2.3.5 An effective Audit Committee is dependent on an effective internal audit function. As part of the review of the effectiveness of Internal Audit, the Audit Committee completes a questionnaire on overall performance on an annual basis. 2.4 Chief Executive The Chief Executive is responsible for conducting an annual review of the effectiveness of the system of internal control, which is formally reported in the Annual Governance Statement and is subject to Board of Directors approval and external audit review. The annual Head of Internal Audit s opinion on the overall adequacy and effectiveness of the Trust s risk management, control and governance processes contributes to the assurances available. 2.5 Key contacts This role is performed by a senior manager nominated by the executive director and is responsible for the smooth running of the audit. A summary of responsibilities is shown at Appendix Deputy Director of Corporate Relations and Communications The Deputy Director of Corporate Relations and Communications acts as secretary for the Audit Committee and is regarded as the link between the Audit Committee and the Corporate Decision Team (CDT), presenting reports to the CDT where appropriate Where there are difficulties identified in obtaining information or access to staff that the key contact is unable to resolve within 1 week, the Deputy Director of Corporate Relations and Communications will discuss the issues and impact with the relevant director and maintain a log of the details for Audit Committee information. 2.7 Corporate Decision Team (CDT) The CDT comprises of the Chief Executive, Executive Directors, Group directors (Planned Care, Urgent Care and Specialist Care groups) and other senior officers. Prior to Audit Committee review, the CDT considers a summary of every final report and may request the consideration of a full report if appropriate If necessary, the CDT may intervene with applying the lessons from a report more widely within the Trust, implement a more robust action plan or complete the action plan and/or the addressing of risks sooner than the original response, etc The CDT also considers routine reports from Internal Audit on progress against action plans prior to Audit Committee review. 2

5 3 Definition of Terms CDT Corporate Decision Team SLA Service Level Agreement SFI s Standing Financial Instructions 4. Background to Internal Audit 4.1 Internal Audit is an independent and objective appraisal service within an organisation which exists to provide an opinion to the Chief Executive, the Board of Directors and the Audit Committee on the degree to which risk management, control and governance support the achievement of the organisations agreed objectives. In addition, Internal Audit s findings and recommendations are beneficial to line management in the audited areas. Risk management, control and governance comprise the policies, procedures and operations established to ensure the achievement of objectives, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations, and compliance with the behavioural and ethical standards set for the organisation. 4.2 An NHS Foundation Trust must establish an Audit Committee, which is a nonexecutive committee of the Board of Directors, and whose primary role is to conclude upon the adequacy and effective operation of the Trust s overall internal control system, on behalf of the Board of Directors. An effective Audit Committee is dependent on an effective internal audit function. The cycle of approving and monitoring the progress of Internal Audit plans and reports culminates in the annual Head of Internal Audit s opinion on the system of internal control. 4.3 Each year the Chief Executive conducts an annual review of the effectiveness of the system of internal control, gains sufficient documented assurances and formally reports on this in the Annual Governance Statement, which is subject to Board of Directors approval and external audit review as part of the annual accounts. The annual Head of Internal Audit s opinion on the overall adequacy and effectiveness of the Trust s risk management, control and governance processes (i.e. the organisation s system of internal control) contributes to the assurances available and underpins the Board of Directors own assessment of the effectiveness of the organisation s system of internal control. 4.4 The Audit Committee s terms of reference includes the consideration of the major findings of internal audit work and management s responses. The internal audit annual plan sets out details of the assignments to be carried out, providing sufficient detail for the Audit Committee and other recipients to understand the purpose and scope of the defined assignments and their level of priority. 3

6 4.4.1 The Trust s management (i.e. executive directors) identify areas from the Assurance Framework that are proposed for inclusion in the audit plan. Other risks identified by management, the Audit Committee, Local Counter Fraud Specialists, Internal Audit or other external bodies will be considered for inclusion in the plan. In addition, the plan may include systems (usually financial processes) for which the external auditor may wish to place reliance to enable an opinion to be given on the Trust s Final Accounts This plan and any changes to it must have Audit Committee approval. The Audit Committee should be clear on the risks and controls that Internal Audit will be addressing and where else the Committee needs to turn to be assured on the risks and controls that are not contained within the Internal Audit plan. 4.5 The requirements of the internal audit service in terms of responsibilities and objectives, how the service is resourced, the relationship of the Head of Internal Audit with the Trust and rights of access are set out in the Internal Audit terms of reference. In addition there is an agreed Service Level Agreement (SLA) for the provision of Internal Audit services, which sets out both the client s and Internal Audit s responsibilities, charging mechanisms, key performance indicators, etc. 4.6 Rights of access are also set out in Standing Financial Instructions (SFIs), which states that Internal Audit are entitled without necessarily giving prior notice to require and receive: (a) (b) (c) (d) Access to all records, documents and correspondence relating to any financial or other relevant transactions, including documents of a confidential nature, e.g. work diaries Access at all reasonable times to any land, premises or officer of the Trust The production of any cash, stores or other property of the Trust under a member of the Board of Directors and an employee's control; and Explanations concerning any matter under investigation 5 Internal Audit Stages 5.1 From the background described above, it is clear that the subject matter for an individual Internal Audit report will either be included in the Internal Audit annual plan or as the result of a request from the Audit Committee to provide specific assurance. The timing of audits is also key so that assurances are received at the correct time or when they are needed. It is therefore important that the internal audit process should, as far as possible, stick to the planned timings and turnaround deadlines. 5.2 The internal audit process has the following stages: 1 Advance notice 2 Entry meeting 3 During the course of the audit 4

7 4 Draft report 5 Final report 6 Post audit NTW(O) Advance Notice Internal Audit will the relevant director who has overall responsibility for the area, to notify him/her that the audit is required and to ask him/her to nominate a key contact. The key contact is a senior officer, who will be responsible for the smooth running of the audit. The role and responsibilities of the key contact are summarised in Appendix 1. The responsibilities of the director are summarised in Appendix The key contact will arrange a set up meeting with Internal Audit, and include all key people in the area under review, while recognising that he/she has the lead role. Prior to the start of the audit, where applicable, the key contact will be provided with a copy of previous systems notes and a control evaluation schedule for comment and agreement; (this details the expected controls for the particular system). 5.4 Entry meeting This meeting is to discuss the scope and objectives of the audit. It will also help clarify management and the auditor s expectations, in terms of arrangements, information requirements, access to key staff, timings, areas to be reported on, etc, and will assist the auditor with his/her general overview of operations The key contact is responsible for: Discussing the scope of the audit and the estimated number of days, together with communicating to Internal Audit any specific risks or incidents that have occurred within the system to be audited Ensuring suitable accommodation is available for any period when the auditors need to be on site Agreeing the start date, which should be within at most 4 weeks of the setup meeting and less if information requirements can be met sooner. The director will intervene if there are issues that cannot be agreed, e.g. difficulties in agreeing start dates Providing information about systems or details of where this information is to be obtained, e.g. risk register (if exists), policies, practice guidance notes, and highlighting any specific issues around rights of access, e.g. the need for Caldicott approval, which need to be addressed before starting the audit Being the lead for receiving and processing information from the internal auditor. This may include copies of last year s system notes for agreement, copies of systems notes drafted following meetings (for new areas), copies of control evaluation schedules with expected controls, etc 5

8 5.5 During the course of the audit NTW(O) At the agreed start date for the audit, information requested at the entry meeting should be available from the key contact. This will include availability of key personnel. If this information or personnel are not available, this will impact upon both the ability of the auditor to carry out the work in line with agreed timescales and within agreed budgets, and will have a financial implication for the Trust or could result in assurances being received too late. In addition, during the audit additional information may be requested and this should be provided without delay The auditor has a document, i.e. audit programme, which specifies detailed work that needs to be undertaken as part of the fieldwork. Fieldwork concentrates on determining the systems and controls in place, how well risks are being managed and the effectiveness of controls. The approach is likely to be a combination of interviewing and detailed testing/analysis of documents or transactions The key contact will be kept informed of any key issues arising during the course of the audit, both in terms of difficulties and significant findings. Where difficulties in obtaining information/access to staff are identified, the key contact will be expected to resolve / assist. Where issues are identified with the provision of information and the key contact can not resolve these within 1 week, the auditor should escalate this by to the relevant director. If this action fails to resolve the issue(s) within 1 week of the , the auditor should notify the Deputy Director of Corporate Relations and Communications, who will discuss the issues and impact with the director concerned. The Deputy Director of Corporate Relations and Communications shall maintain a log of the details for Audit Committee information In addition, on completion of the fieldwork an exit meeting will be held to discuss and agree findings, i.e. a no surprises approach. This meeting should be arranged by the key contact. This can help clear any misunderstandings and assist in determining the best method of resolving any issues that arise prior to the draft report being issued. However at this stage, the audit file will not have been quality reviewed by an audit manager, so on occasions it will be necessary to revisit the audit or request additional information following the exit meeting Any cancellation of meetings will be done with adequate notice, except in exceptional circumstances, e.g. sickness absence or emergency. Meetings will be rearranged within a reasonable timescale, which would normally be taken to be within one week Failure to give sufficient notice of cancellation or to rearrange meetings within reasonable timescales may result in extra costs to the Trust and the receipt of late assurances. 5.6 Draft Report When the fieldwork is completed, a report is drafted. The target date for issue of the draft report from completion of the fieldwork is 4 weeks. However, if a closedown meeting has been arranged, the target date is within 2 weeks of the closedown meeting. The Audit Manager reviews the fieldwork and the draft report in line with professional auditing standards. 6

9 5.6.2 A formal draft report is then produced taking into account any revisions resulting from the exit meeting and any other subsequent work performed as a result of feedback. The draft report will include the preliminary findings in terms of level of assurance The formal draft report is then sent to the key contact to formally respond to the audit findings and risks (including agreement of the risk rating) included in the action plan, including the quoting of a responsible officer and target dates. A copy will also be sent to the relevant director for information. At this point a further meeting with the auditors may be necessary to discuss the issues raised in the draft report if they are particularly complex or were not fully covered at the exit meeting. If the preliminary finding is that the level of assurance is below significant, the director responsible must take appropriate action to ensure that the findings are accurate and that the management responses are appropriate and timely, before the report is finalised. If the report contains any inaccuracies or areas of dispute, the key contact must inform Internal Audit immediately and where relevant provide any additional information Internal Audit need to verify this. If it is agreed that there is an inaccuracy or Internal Audit had not been made aware of the true position, then the finding will be removed from the draft report. The formal response should be within 5 weeks, which includes 1 week for clearance by the Executive Director On rare occasions where a management response cannot be agreed within the expected timescales due to complexity, multi staff/departments involvement, etc, it is acceptable to include a management response as "further discussion needed" with a brief summary of the issues and a definite timescale for providing the full response Please note that although the report does not contain recommendations, Internal Audit reserve the right to make specific recommendations on action to be taken and report these to the Audit Committee, if it is considered the proposed action by management does not suitably address the risk The report will include the following: Introduction, objectives and scope, including details of the timing of the audit and the sample period covered Conclusion, which is a summary of the main points contained in the full report and provides the reader with a quick overview of the area reviewed and the recommendations that have been made. This also quotes the level of assurance provided by the audit. See Appendix 3 for details. This level of assurance may change between the draft and the final depending on the outcome of the report clearance process Action Plan, which includes findings and risks, a risk rating for each finding, a management response and responsible officer and target date. The risk ratings are defined within the Trust s policy, NTW(O)33 - Risk Management. Although Internal Audit will put indicative risk ratings in the draft report, these should also be considered by management and where applicable a case can be put forward for increasing or decreasing the 7

10 rating. However the final decision on this will rest with Internal Audit, who will highlight the issues to the Audit Committee 5.7 Final Report On receipt of the draft report with management responses, responsible officers and target dates, the Audit Manager will forward the report to the relevant director who should confirm within 1 week that he/she has accepted the management responses and timescales Alternatively, the director s confirmation may have been submitted along with management responses, responsible officers and target dates If Internal Audit considers that the responses given are inadequate for the risks identified they should indicate this to the director responsible. If in accepting the report there remains a dispute between the director and Internal Audit on the adequacy of responses in the final report this will be brought to the attention of the Audit Committee The report can then be finalised. The target date for issue of the final report is 1 week from clearance by the director The director is responsible for ensuring any relevant risks identified are fed into the risk register for their area of responsibility A copy of the report will also be provided to the Head of Assurance to ensure where relevant that it is included in the assurance framework. 5.8 Post audit Brief details of every final report are included in the next report by Internal Audit to the Audit Committee on progress against the Internal Audit Plan. Where a report has limited assurance or no assurance, the full report will be appended to the progress report Prior to Audit Committee review, the Corporate Decision Team (CDT) considers a summary of every final report, prepared by the Deputy Director of Corporate Relations and Communications, and may request the consideration of a full report if appropriate. Following CDT consideration, the Audit Committee will therefore consider reports that are owned by senior management, rather than just the individual director, and CDT may intervene with applying the lessons more widely within the Trust, having a more robust action plan or completing the action plan/addressing risks sooner than the original response, etc The director is responsible for monitoring performance against the report s agreed action plan (management responses), including providing updates of current position against plan when required to Internal Audit The Trust s policy NTW(O)33 - Risk Management, provides definitions of the levels of risks, in the categories of very low, low, moderate and high, and the related timescales and the appropriate type of group or officer to monitor progress. 8

11 5.8.5 The Audit Committee also receives routine reports from Internal Audit on progress against action plans. Similarly the updates are considered by the CDT prior to Audit Committee review The Deputy Director of Corporate Relations and Communications should be regarded as the link between CDT and the Audit Committee Appendix 5 provides details of the process for considering limited assurance or no assurance Internal Audit reports, and the process for reporting progress on management actions Key contacts are asked to comment on the performance of Internal Audit for a particular audit, via a questionnaire that only takes a few minutes to complete. This is a valuable source of information, which could drive improvements in the audit process; it assists with appraising and assessing the performance of an individual auditor and is an indication of the effectiveness of the audit process via Key Performance Indicators. In addition, a further questionnaire is required on an annual basis aimed at Executive Directors to establish feedback on the overall audit service. Similarly a third questionnaire on overall performance is completed by the Audit Committee on an annual basis The outcome of the questionnaires is reviewed by the Audit Committee and helps inform their view of the effectiveness of the internal audit function It is imperative that these questionnaires are returned in a timely manner. 6 Identification of Stakeholders 6.1 This is an existing policy with additional/changed content that relates to operational and/or clinical practice and was therefore circulated to the following for a four week consultation period: Executive Directors 7 Training 7.1 This policy is approved by the Audit Committee for use by Executive Directors, the Senior Management Team, key contact officers and anyone else involved in the internal audit process. It tends to be the same people involved year on year. The Audit Committee has introduced changes by means of protocols in piecemeal fashion, which are operating efficiently. This policy therefore amalgamates and consolidates changes since the last version of the policy that are already implemented and being followed. This is supplemented by Internal Audit providing background information with their advance notice that an audit is to commence. 9

12 A draft Training Needs assessment is shown at Appendix B. NTW(O)25 8 Implementation 8.1 The principles of this policy are already implemented. The policy amalgamates and consolidates changes since the last version of the policy that are already implemented. 9 Standard Key Performance Indicators 9.1 Appendix 4 provides a summary of timescales. 9.2 It is important that anyone involved in an internal audit exercise recognises the importance of completing audits in a timely manner. The Service Level Agreement with Internal Audit requires a 4 weeks turnaround from receipt of draft report to issuing the final report to relevant officers. 9.3 Turnaround details are used in Key Performance Indicators and reported to the Audit Committee, who regard the indicator as being an important measure on the effectiveness of the internal audit function and the Committee will seek explanations of any outlying performance. 10 Monitoring Compliance 10.1 Internal Audit provides a report on progress against the audit plan to most Audit Committee meetings and at least every quarter. The Audit Committee meets on 7 occasions during the year. The report is received by the Audit Committee. It includes key performance indicators, which are monitored by the Audit Committee, on: The time elapsed from completion of the audit file to review stage to issue of the draft report by Internal Audit, for which the agreed timescale is 4 weeks Management responses to draft reports (a) overall and (b) by Executive Director, for which the agreed timescale is 4 weeks Production of final report after receipt of satisfactory management responses (a) overall and (b) by Executive Director, for which the agreed timescale is 1 week Progress on the completion of the audit plan 10.2 Internal Audit provides an Internal Audit Annual Report to the Audit Committee every July, which facilitates the Audit Committee monitoring the final position for the year for the indicators per 12.1, and also: The outcome of questionnaires on Internal Audit s performance completed by (a) key contacts, (b) Executive Directors and (c) the Audit Committee, for which at lease a satisfactory performance is required 10

13 NTW(O)25 The outcome of Internal Audit s self assessment on adherence to NHS Internal audit Standards, which are expected to be met 10.3 Internal Audit s role includes bringing any significant issues to the attention of the Audit Committee The Audit Committee is supported in its monitoring role by the Senior Management Team, if necessary. Any issues from the Audit Committee review are highlighted to the CDT with details of the discussion/action reported back to the Audit Committee and/or the Executive Director provides a briefing on any issues to the Audit Committee and/or the Executive Director attends the next Audit Committee meeting to explain issues personally Any lessons learned from the reporting and monitoring role of the Audit Committee are taken forward in the most appropriate manner. This could include CDT action in the form escalating a lesson, amendments to this guidance, e.g. the introduction or amendment of a protocol, etc. 11 Equality and Diversity Impact Assessment 11.1 This procedure has been assessed with regard to its relevance to equality and diversity. As a result of this assessment, no negative impacts were identified for any of the legislatively recognised equality strands, viz. Sex (including marital status and gender re-assignment) Race (including colour, nationality, national origin, ethnic origin) Disability Sexual Orientation Religion and Belief Age 12 Fair Blame 12.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken. 13 Fraud, Bribery and Corruption 13.1 In accordance with the Trust s policy, NTW(O)23 Fraud, Bribery and Corruption, all suspected cases of fraud and corruption should be reported immediately to the Trust's Local Counter Fraud Specialist or the Director of Finance or the NHS Fraud and Corruption Reporting Line on or online at 11

14 14 Conclusion 14.1 This guidance should make all officers involved at any stage of the audit process aware of the process relating to an Internal Audit report and the importance of sticking to agreed timescales. It should be recognised that the strength of the audit process in giving assurances and detailing weaknesses and corrective actions is diluted if the information is not timely, and could potentially be a waste of valuable resources. 15 Associated documentation NTW(O)01 - Development and Management of Procedural Documents NTW(O)23 Fraud, Bribery and Corruption Policy NTW(O)33 - Risk Management Policy 16 References NHS Audit Committee Handbook 12

15 Equality and Diversity Impact Assessment Screening Tool Appendix A Names of Individuals involved Date of Initial Review Date Service Area / in Review Screening Directorate Christopher Rowlands 10 Oct March 2015 Trustwide Policy or Service to be Assessed Guidance on the internal audit process V03 Describe the aims, objectives or purposes of the Policy or Service Is this a new or existing Policy or Service? Existing This guidance is designed to ensure that the Trust s officers involved at any stage of the audit process are aware of the process relating to an internal audit report. The guidance also includes counter fraud reports Are there any associated objectives of the Policy or Service? If so what are they? Does the policy unlawfully discriminate against equality target groups? Does the policy promote equality of opportunity for equality target groups? Does the policy or service promote good relations between different groups within the community, based on mutual understanding and respect? That the associated processes operate as efficiently as possible. No Yes Yes 13

16 Equality and Diversity Impact Assessment Screening Tool Which equality target groups of the population do you think will be affected by this policy or function? Equality Target Group (code in bold type) Black and Minority Ethnic People (including gypsy/travellers, refugees and asylum seekers) BME What positive and negative impacts do you think there may be for each equality target group(s)? Women and Men WM People in Religious/Faith groups RF Disabled People DP Older People OP Children C Young People YP Lesbian Gay Bisexual and Transgender People LGBT People involved in the criminal justice system CJS Staff S Any other group(s) AOG 14

17 Equality and Diversity Impact Assessment Screening Tool NTW(O)25 Screening Tool Checklist Summary Sheet Positive Impacts (Note the code of groups affected) Negative Impacts (Note the code of groups affected) Additional Information and Evidence Required Recommendations From the outcome of the Screening, have negative impacts been identified for race or other equality groups? Yes No If yes, has a Full Impact Assessment been recommended? If not, why not? Manager s signature: Christopher Rowlands Date: 10 October 2012 Should any advice be required in respect of answering the above questions contact: Equality and Diversity Officer

18 Appendix B Communication and Training Check list for policies Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy Is this a new policy with new training requirements or a change to an existing policy? If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below. Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice? Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHSLA etc. Please identify the risks if training does not occur. Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training. Is there a staff group that should be prioritised for this training / awareness? Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary Management cascade Newsletter/leaflets/payslip attachment Focus groups for those concerned Local Induction Training Awareness sessions for those affected by the new policy Local demonstrations of techniques/equipment with reference documentation Staff Handbook Summary for easy reference Taught Session, E Learning Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Admin; needs etc. Change to an existing policy. This policy is approved by the Audit Committee for use by Executive Directors, the Senior Management Team, key contact officers and anyone else involved in the internal audit process. It tends to be the same people involved year on year. The Audit Committee has introduced changes by means of protocols in piecemeal fashion, which are operating efficiently. This policy therefore amalgamates and consolidates changes since the last version of the policy that are already implemented and being followed. This is supplemented by Internal Audit providing background information with their advance notice that an audit is to commence. Local standard / best practice. Guidance already is being followed therefore no risk to not having additional training. Awareness is required by Executive Directors, the Senior Management Team, key contact officers and anyone involved in regular audits. As per previous response. Awareness training has already been delivered via the Senior Management Team, with Executive Directors cascading to relevant officers. This has been supported by Internal Audit providing background information with their advance notice that an audit is to commence. Deputy Director of Corporate Relations and Communications 16

19 Appendix B continued Training Needs Analysis Staff/Professional Group Type of training Duration of Training Frequency of Training Executive Directors Awareness SMT discussion 3 years Senior Management Team Key contact officers Other officers involved in regular audits. (15 minutes) Cascading to key contacts and other officers involved in regular audits. to all relevant officers. Guidance attached to all Internal audit notifications of advance work. Copy of completed form to be sent to: Training and Development Department, St. Nicholas Hospital Should any advice be required, please contact: (internal 56770) 17

20 Statement Monitoring Tool Appendix C To demonstrate effective compliance, policy authors are required to include how monitoring of this policy is linked to auditable standards / key performance indicators will be undertaken using this framework. NTW(O)25 Guidance on the internal audit process - Monitoring Framework Auditable Standard/Key Performance Indicators Frequency/Method/Person Responsible Where Results and Any Associate Action Plan Will Be Reported To Implemented and Monitored (this will usually be via the relevant Governance Group). 1. Internal Audit function - Time elapse from completion of audit file to review stage to issue of draft report 4 weeks Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis. Reported to and monitored by the Audit Committee. Annual performance per the Internal Audit Annual Report (July) is reviewed by the Audit Committee (July). Any significant issues are brought to the attention of the Audit Committee by Internal Audit. 2. Management response to draft report 4 weeks a) overall b) by Executive Director As above Reported to and monitored by the Audit Committee with support from the SMT (if necessary) Any issues from the Audit Committee review are highlighted to the SMT with details of discussion / action reported back to the Audit Committee and / or the Executive Director provides a briefing on any issues to the Audit Committee and / or the Executive Director attends the next Audit Committee meeting to explain issues personally. 18

21 Guidance on the internal audit process - Monitoring Framework NTW(O)25 Auditable Standard/Key Performance Indicators Frequency/Method/Person Responsible Where Results and Any Associate Action Plan Will Be Reported To Implemented and Monitored (this will usually be via the relevant Governance Group) Production of final report after receipt of satisfactory management responses 1 week a) overall b) by Executive Director Internal Audit performance satisfaction Determined by: a) Key contacts b) Executive Directors c) Audit Committee Adherence to NHS Internal Audit Standards all met Completion of audit plan Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis. Annual performance per the Internal Audit Annual Report (July) is reviewed by the Audit Committee (July). Any significant issues are brought to the attention of the Audit Committee by Internal Audit. Outcome of questionnaires reported in the Internal Audit Annual Report (July) and reviewed by the Audit Committee (July). Self assessment per the Internal Audit Annual Report (July) and reviewed by the Audit Committee (July) Reported per the Internal Audit Annual Report (July) and reviewed by the Audit Committee (July). Progress during the year reported via the Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis. Any significant issues brought to the attention of the Audit Committee by Internal Audit. Reported to and monitored by the Audit Committee with support from the SMT (if necessary) Any issues from the Audit Committee review are highlighted to the SMT with details of discussion / action reported back to the Audit Committee and / or the Executive Director provides a briefing on any issues to the Audit Committee and / or the Executive Director attends the next Audit Committee meeting to explain issues personally Reported to and monitored by the Audit Committee. Reported to and monitored by the Audit Committee. Reported to and monitored by the Audit Committee. 19

22 Appendix 1 Key Contact (for specific audits) - Role and responsibilities This role is performed by a senior manager, nominated by the appropriate director in the area to be audited to be responsible for the smooth running of any specific audits in their area of responsibility, and includes: Advance Notice (5.3) Arranging an entry meeting with Internal Audit and all key people in the area under review If necessary, comment and agree previous systems notes and control evaluations sheets Entry Meeting (5.4) Discussing the scope of the audit and the estimated number of days, together with communicating to Internal Audit any specific risks or incidents that have occurred within the system to be audited Ensuring suitable accommodation is available for any period when the auditors need to be on site Providing information about systems or details of where this information is to be obtained, e.g. risk register (if exists), policies, procedure notes and highlighting any specific issues around rights of access, e.g. the need for Caldicott approval, which need to be addressed before starting the audit Being the lead for receiving and processing information from the internal auditor. This may include copies of last year s system notes for agreement, copies of systems notes drafted following meetings (for new areas), copies of control evaluation schedules with expected controls, etc During the course of the audit (5.5) To be kept informed of any key issues arising during the course of the audit, both in terms of difficulties and significant findings. Where difficulties in obtaining information/access to staff are identified, the key contact will be expected to resolve/assist 1

23 Arranging an exit meeting with the internal auditor at completion of fieldwork to discuss and agree findings Draft report (5.6) Receipt of draft report and agreement of findings Arranging when necessary a further meeting to discuss the draft report Provision of formal response within 5 weeks (which includes 1 week for clearance by the Executive Director) to the audit findings and risks included in the action plan, including the quoting of a responsible officer and target dates. Where this requires input from a variety of people or areas, the key contact may be asked to co-ordinate these with their colleagues and provide a complete set of management responses to the auditor. The key contact should be satisfied that his/her director accepts the management responses and timescales as they will be asked to agree the final report Post audit (5.8) Assisting the director (if asked) in monitoring performance against the report s agreed action plan (management responses), including providing updates of current position against plan when required to Internal Audit Commenting on Internal Audit s performance via a post audit questionnaire 2

24 Director s responsibility Appendix 2 The director who has overall responsibility for the area is required to: Advance notice (5.3) Upon receipt of the advance notice of an intended audit nominate a key contact. The key contact is a senior officer, who will be responsible for the smooth running of the audit Entry meeting (5.4) Inform Internal Audit of any relevant issues that he/she is aware of e.g. emerging risks, incidents, areas where they would like audit to pay specific attention During the course of the audit (5.5) Where issues are identified with the provision of information, the auditor will escalate this by to the relevant director who should ensure suitable action is taken to resolve the issue Draft report (5.6) Where the preliminary report contains a level of assurance below significant, the director should pay particular attention to ensuring the report is accurate and that the management responses are adequate and timely Final report (5.7) Confirm, within 1 week of receipt of the draft report containing management responses, that they have accepted the management responses and timescales Ensuring any relevant risks identified are fed into the risk register for their area of responsibility Post audit (5.8) Monitor performance against the report s agreed action plan (management responses), including providing updates of current position against plan when required to Internal Audit Where the final report contains a level of assurance below significant or where Internal Audit consider the final responses to be inadequate, to account for the position to the Audit Committee 3

25 To participate in Senior Management Team and Audit Committee meetings, if necessary, in accordance with the protocol for considering limited assurance or no assurance internal audit reports and for reporting progress on internal audit reports (Appendix 5) Comment annually on Internal Audit s overall performance via a questionnaire 4

26 Appendix 3 Levels of assurance provided by Internal Audit reports FULL assurance that the system of internal control is designed to meet the organisation's objectives, and controls are consistently applied in all the areas reviewed (this level of assurance only applies to a system which is of such importance in terms of impact and severity that (the Trust/NTW) would need to assure itself that no element of the system could fail, i.e. never incidents SIGNIFICANT assurance with no issues of note is based on, and limited to the work undertaken by Audit that the Trust has significant assurance with no issues of note that there is a generally sound system of control designed to meet the organisations objectives; SIGNIFICANT assurance with issues of note provides significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weakness in the design or inconsistent application of controls can put the achievement of particular objectives at risk. LIMITED assurance as weaknesses in the design or inconsistent application of controls can put the achievement of the organisation's objectives at risk in the areas reviewed. NO assurance as weaknesses in control, or consistent non-compliance with key controls, could result (have resulted) in failure to achieve the organisation's objectives in the areas reviewed. In addition, there is a specific high level assurance relating to the Trust s arrangements for providing its own assurance that policies are an integral part of the organisation and that they are monitored for compliance and take into consideration current regulations and best practice. The assurance is stated as The Trust appears (does not appear) to have reasonable assurance processes in place to measure compliance with the policy/policies relevant to this area. 5

27 Appendix 4 Provision of information, timescales and performance indicators All requests for information or queries will be responded to within 1 week, whether these requests are made by internal auditors to client staff or vice versa Where information is not immediately available, an indication will be provided within the week of when the information will be available. Information will then be provided in line with this agreement Draft reports will be issued within 4 weeks of completion of fieldwork or if there is a closedown meeting, within 2 weeks of that Management responses will be provided by the key contact within 5 weeks (which includes 1 week for clearance by the Executive Director) of the issue of the draft report, in line with agreed service level agreements Management responses will: o Be complete, i.e. cover all findings raised or recommendations made. o Address the issues identified. o As well as actions to address weaknesses identified, will include timescales within which the action will be implemented and a named individual, who will be responsible for implementing this action. The individual should be of sufficient seniority to enable them to do this and timescales will be reasonable Final reports will be issued within 1 week of the receipt of adequate management responses, in line with agreed service level agreements Internal Audit will as part of their regular progress reports to the Audit Committee highlight significant areas where timescales for action are being exceeded The key contact will be asked to complete a post audit questionnaire, the results of which will be routinely reported to the Audit Committee and annually incorporated into the Internal Audit Annual Report Annually, the directors and the Audit Committee will be asked to complete a questionnaire on the overall performance of Internal Audit Internal Audit will present a progress report to every Audit Committee showing for each completed audit, the dates draft/final reports were issued, levels of assurance given and key issues. This report will also highlight any significant issues raised where Internal Audit feels management have not agreed to take action on a major issue or the timescales for action appear excessive Internal Audit will also provide to the Audit Committee a follow up report highlighting key issues where management have failed to take action within the agreed timescales 6