Health Department Directorate of Performance Management and Finance

NHS HDL (2002)11

1st March 2002

Addresses

For action
Chief Executives
NHS Boards
NHS Trusts
Special Health Boards

For information
Directors of Finance
NHS Boards
NHS Trusts
Special Health Boards
Audit Scotland

Enquiries to:
Mrs Janice MacPhail
Room Waterloo Place
EDINBURGH EH1 3DG
Tel: Fax:
janice.macphail2@scotland.gsi.gov.uk

Dear Colleague

Corporate Governance: Statement on Internal Control (SIC)

Introduction

1. The Internal Financial Control Statement included in the annual accounts and signed by Chief Executives acknowledged the effect of the Turnbull report. This report extends the requirement to provide a statement in respect of financial controls to cover all controls, including financial, operational, compliance and the management of risk.

2. As Accountable Officers, Chief Executives have responsibility for maintaining a sound system of internal control. Mrs MacPhail informed Chief Executives of the new format of the Statement on Internal Control in October 2001, and undertook to report progress on discussions around the implications to NHSScotland of the reporting requirements under the new statement.

Summary

3. The Technical Accounting Group (TAG) has accepted the advice of Audit Scotland, who recommended that there should be no changes made to the format of the SIC as suggested by Finance Guidance Note 2001/13, in order to maintain consistency of reporting throughout the Scottish Executive.

4. Through the HFMA Corporate Governance & Audit Group (CG&AG), Chief Internal Auditors have considered guidance on the sources of assurance and evidence of compliance which can be used by health bodies when preparing the SIC.

5. Guidance is provided in Annex A to assist the Chief Executive in identifying sources of assurance and evidence of compliance to be considered when preparing the SIC.

6. Annex B provides a summary of the Turnbull requirements which you may also find helpful.

Action

7. Chief executives are required to complete a Statement of Internal Control for inclusion with the annual accounts for The format of the Statement should be developed in accordance with the proforma and examples contained in Finance Guidance Note, which was issued to Chief executives in the letter issued in October 2001, and is reproduced here as Annex C.

8. A SIC may be adopted for each of the financial years and which indicates that further work is to be done. Bodies which anticipate having to prepare such a statement for will be asked to verify that they will be able to produce a statement in accordance with Annex 1 of the FGN for Chief Executives should refer to the guidance provided in this circular to identify sources of assurance and evidence of compliance to enable them to produce a meaningful statement on the system of internal control within the organisation.

Yours sincerely

JOHN ALDRIDGE
Director of Performance Management and Finance

Annex A

GUIDANCE TO BE USED WHEN PREPARING THE STATEMENT ON INTERNAL CONTROL

Scope of the SIC

The SIC is designed to replace the Internal Financial Control Statement in the accounts. However, as the SIC incorporates financial controls, the framework of minimum financial control standards appended to MEL (1999) 83 is still relevant and should be used as a reference document when considering compliance in respect of financial controls.

The SIC requires bodies to report that they have risk management and review processes in place. Reviewing the effectiveness of controls is a Board responsibility, with the Board having regard to the assurances obtained from the audit committee and any other standing committee which covers internal control, e.g. clinical governance or risk management.

In addition to financial controls, the scope of the SIC also covers:

- Clinical Governance
- Operational Controls
- Compliance Controls

Form of the SIC

For 2001/02 and 2002/03 there are two acceptable forms of the SIC as provided in Annex 2 and Annex 3 of Finance Guidance Note 2001/13. From 2003/04 all bodies will be required to have risk management and review processes fully in place for the whole of the accounting period.

Risk Management is hardly a new concept for NHSScotland. Boards and Trusts are already progressing towards full implementation of a Risk Management Strategy and should be fully aware of the processes involved in identifying and reviewing risks, and implementing controls to minimise exposure to those risks.

It is accepted that risks will never be eliminated; the SIC should be the end result of a process of management that is embedded in the planning, operational, monitoring and review activities of the organisation. It is these activities that are the critical elements of the statement. The SIC should explain the nature of control, and any material changes in control, exercised through the whole of the accounting period.
Internal Control Systems will need to identify risks relating to the achievement of aims and objectives and be capable of evaluating the nature and extent of those risks and of managing them with proper regard for efficiency, effectiveness and economy.

Evidence of Risk management and review processes

In Turnbull terms 'corporate governance is about achieving objectives, including VFM, and upholding public service values'. The current Internal Financial Control Statement already covers wider organisational controls such as risk management and its main headings already comply with those 'effectiveness characteristics' set out in the Turnbull report. However, the overall system of internal control in the NHS consists of financial, organisational, clinical and compliance components. Table 1 below indicates where assurance may be obtained.

Table 1: Sources of Assurance

Clinical Care
  Area: Clinical Governance
  Assurance: Clinical Governance Committee / Annual report

The Care Environment
  Area: Organisational controls
  Assurance: Internal Audit / Inspectorates (H&S) / Internal Control Risk Self-Assessment reviews etc.

Financial Resources
  Area: Financial controls
  Assurance: Internal Audit / Annual Accounts / External Audit

The risk management work currently underway within NHS bodies will provide much of the framework to support the evaluation of internal control effectiveness. The development of prioritised risk registers with integrated action plans will allow NHS bodies to link internal control to risk management and, importantly, allow the internal control system to develop with the changing NHS environment.

Health Bodies and in particular Risk Managers are encouraged to make use of the output from the Controls Assurance project administered by the NHS executive in England ( The project provides examples of recognised best practice which, whilst not mandatory in Scotland, are a clear point of reference in determining the adequacy of internal controls.

CNORIS standards and progress through the accreditation levels will provide further evidence of the existence and effectiveness of operational and clinical controls. NHSScotland bodies should also refer to the evolving standards set by the Clinical Standards Board which will provide evidence of the effectiveness of clinical controls.

As senior management is responsible for implementing the policies set by the board, the executive team is a key source of assurance to the board on policy implementation. Other key sources of assurance to the board are the Audit Committee and board sub-committees overseeing Clinical Governance and risk management.

The following diagram illustrates the relationships between the Board, its committees and internal audit which support the process:

[Diagram: Board, Clinical Governance Committee, CEO, Executive Team, Risk Management Committee, Audit Committee, Miscellaneous risk groups and Internal Audit, labelled with Management assurance and Independent assurance]

Reporting of Control breakdown

The proforma for the SIC at Annex 1 of the guidance note indicates that bodies should record details of actions taken, or proposed, to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts. The wording should be tailored to reflect the circumstances of the case.

Whilst bodies will not be expected to give details of the breakdown, they will need to identify the control area which failed and give details of the steps taken to improve control processes as a consequence of the failure. It is expected that all bodies, whether or not they are satisfied that there is a full system of internal control in place, should report in this way.

Annex B

Internal Control - Guidance for Directors on the Combined Code (Turnbull Report)

Assessing the effectiveness of the Organisation's risk and control processes

Some questions which the board may wish to consider and discuss with management when regularly reviewing reports on internal control and carrying out its annual assessment are set out below. The questions are not intended to be exhaustive and will need to be tailored to the particular circumstances of the organisation.

Risk Assessment

- Does the organisation have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues? For example, do objectives and related plans include measurable performance targets and indicators?
- Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? (Significant risks may, for example, include those related to market, credit, liquidity, technological, legal, health, safety and environmental, reputation, and business probity issues.)
- Is there a clear understanding by management and others within the organisation of what risks are acceptable to the board?

Control Environment and Control Activities

- Does the board have clear strategies for dealing with the significant risks that have been identified? Is there a policy on how to manage these risks?
- Do the organisation's culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control system?
- Does senior management demonstrate, through its actions as well as its policies, the necessary commitment to competence, integrity and fostering a climate of trust within the organisation?
- Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people? Are the decisions and actions of different parts of the organisation appropriately co-ordinated?
- Does the organisation communicate to its employees what is expected of them and the scope of their freedom to act? This may apply to areas such as customer relations; service levels for both internal and outsourced activities; health, safety and environmental protection; security of tangible and intangible assets; business continuity issues; expenditure matters; accounting; and financial and other reporting.
- Do people in the organisation (and in its providers of outsourced services) have the knowledge, skills and tools to support the achievement of the organisation's objectives and to manage effectively risks to their achievement?
- How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?

Information and Communication

- Do management and the board receive timely, relevant and reliable reports on progress against business objectives and the related risks that provide them with the information, from inside and outside the organisation, needed for decision-making and management review purposes? This could include performance reports and indicators of change, together with qualitative information such as on customer satisfaction, employee attitudes etc.
- Are information needs and related information systems reassessed as objectives and related risks change or as reporting deficiencies are identified?
- Are periodic reporting procedures, including half-yearly and annual reporting, effective in communicating a balanced and understandable account of the organisation's position and prospects?
- Are there established channels of communication for individuals to report suspected breaches of laws or regulations or other improprieties?

Monitoring

- Are there ongoing processes embedded within the organisation's overall business operations, and addressed by senior management, which monitor the effective application of the policies, processes and activities related to internal control and risk management? (Such processes may include control self-assessment, confirmation by personnel of compliance with policies and codes of conduct, internal audit reviews or other management reviews.)
- Do these processes monitor the organisation's ability to re-evaluate risks and adjust controls effectively in response to changes in its objectives, its business, and its external environment?
- Are there effective follow-up procedures to ensure that appropriate change or action occurs in response to changes in risk and control assessments?
- Is there appropriate communication to the board (or board committees) on the effectiveness of the ongoing monitoring processes on risk and control matters? This should include reporting any significant failings or weaknesses on a timely basis.
- Are there specific arrangements for management monitoring and reporting to the board on risk and control matters of particular importance? These could include, for example, actual or suspected fraud and other illegal or irregular acts, or matters that could adversely affect the organisation's reputation or financial position.

FINANCE GUIDANCE NOTE No 2001/13

CORPORATE GOVERNANCE: STATEMENT ON INTERNAL CONTROL (SIC)

Purpose

1. This note gives guidance to Departments (and Agencies) of the Scottish Executive on the format of the Statement on Internal Control (SIC) to be included in annual accounts with effect from The guidance is equally applicable to other direct funded bodies and office-holders and relevant sponsored bodies preparing their financial statements in accordance with the Resource Accounting Manual and/or in accordance with an Accounts Direction issued or approved by Scottish Ministers.

Key Points

2. Accountable Officers must complete a Statement on Internal Control in accordance with the pro-forma provided for accounts covering the period and subsequent financial years.

3. Development work should be completed and all the required processes, e.g. risk management and review processes, should be in place to enable full compliance with the guidance by the beginning of the financial period

Background

4. Accountable Officers have been required to complete a Statement on Internal Financial Control (SIFC) covering all annual accounts since in line with the recommendations of the Cadbury and Rutteman Reports relating to the management and control of companies. Since then best practice in the private sector has developed with the introduction of the London Stock Exchange's Combined Code of requirements for listed companies and publication of Internal Control: Guidance for Directors on the Combined Code (the Turnbull Report) which examines how specific requirements within the Combined Code should be implemented. These requirements are:

4.1 the Board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets;

4.2 the directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.

4.3 companies which do not have an internal audit function should from time to time review the need for one.

5. Following the general principle that best practice in accounting requirements in the private sector should be reflected in central government, consideration has been given to how the provisions of the Turnbull Report can be adapted to the sector.

Format of the Statement on Internal Control (SIC)

6. The SIC should be developed in accordance with the pro-forma format at Annex 1. The detail of the parts of the pro-forma that are in bold italic text should be drafted to provide a brief but comprehensive summary of the actual processes in place, including a description of how current initiatives (whether centrally or locally driven) are being taken forward. In particular, the narrative description of the processes in place should be used for reporting on progress or compliance with particular central initiatives which have a reporting requirement.

7. Accountable Officers may need to amend the opening paragraph of the pro-forma SIC to give a meaningful description of the boundaries of their accountabilities. In particular relevant sponsored bodies may need to reflect the relationship with the sponsor Department and the role of the sponsored body's Board. Whilst all SICs must encompass at least the responsibilities of the Accountable Officer, those bodies which have governance arrangements involving a wider base may consider preparing a SIC which encompasses those wider arrangements. The inter-relationship between the SIC for a sponsor Department and those of relevant sponsored bodies, and the manner of their presentation in the Departmental resource account will be for Departmental Accountable Officers to determine in the context of the actual structures of control.

8. An illustrative example of a SIC for an organisation which has all the risk management and review processes it considers necessary in place is at Annex 2. Organisations should aim to prepare that form of statement for wherever possible. However, it is recognised that some organisations may need to do further work before all relevant risk management and review processes are fully in place. In such cases the statement should include a description of planned work. An illustrative example is at Annex 3. The facility to produce a SIC which is indicative of further work to be done may be adopted for each of the financial years and Bodies which anticipate having to prepare such a statement for the second of these periods will be asked to verify that they will be able to produce a statement in accordance with Annex 1 in respect of the financial period beginning on or after 1 January That will mean that by the beginning of the financial year all development work should be complete and all the required processes should be in place.

9. SICs for signature by Departmental Accountable Officers will be prepared by Scottish Executive Finance.

Status and Auditability of Statements of Internal Control

10. The SIC is an integral part of the annual reporting process, to be presented alongside the accounts. It should be prepared by the relevant Accountable Officer along with the accounts and passed to the external auditors for review. A summary of Audit Scotland's approach to the review of Statements on Internal Control is at Annex 4.

Risk management

11. The Turnbull Report states that a sound system of internal control depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. It further states that the purpose of internal control is to help manage and control risk rather than to eliminate it. The SIC should therefore be the end result of a process of management that is embedded in the planning, operational, monitoring and review activities of the organisation, these activities being the critical elements of the statement. Production of the SIC should not be conducted as an add-on end of year activity. The SIC should explain the nature of control, and any material changes in control, exercised through the whole of the accounting period.

Further Guidance on Corporate Governance

12. Further guidance covering various aspects of corporate governance including risk management, internal audit and Audit Committees and the implications of the Turnbull Report on Accountable Officer responsibilities will be issued in due course.

Enquiries

13. Any enquiries on the content and application of this guidance should be addressed in the first instance to relevant Scottish Executive Finance Teams. Enquiries by sponsored bodies should be routed through sponsor Departments.

Scottish Executive Finance
April

Annex C

FINANCE GUIDANCE NOTE No 2001/13: ANNEX 1

STATEMENT OF INTERNAL CONTROL: PROFORMA

As Accountable Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, set by Scottish Ministers, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me.

The system of internal control is designed to manage rather than eliminate the risk of failure to achieve the organisation's policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.

The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of the organisation's policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically. This process has been in place [for the year ended 31 March 200x/since XX] and up to the date of approval of the annual report and accounts and accords with guidance from Scottish Executive Finance.

As Accountable Officer, I also have responsibility for reviewing the effectiveness of the system of internal control.

Summarise here the process that has been applied in reviewing the effectiveness of the system of internal control as appropriate to the circumstances of the reporting organisation. Examples of some of the types of processes are:

- procedures for identifying the organisation's objectives and key risks;
- the development of the control strategy and risk management policy;
- the allocation of risk ownership;
- the role of the organisation's Audit Committee or other relevant committee;
- involvement and role of internal audit;
- procedures for ensuring that aspects of risk management and internal control are regularly reviewed and reported on;
- systems used to ensure compliance with specific regulations or procedures laid down by central departments;
- details of monitoring procedures for subsidiary bodies;
- monitoring of progress with current initiatives and compliance with extant external requirements.

My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letters and other reports.

Record here details of actions taken, or proposed, to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts. The wording should be tailored to reflect the circumstances of the case.

FINANCE GUIDANCE NOTE No 2001/13: ANNEX 2

STATEMENT OF INTERNAL CONTROL: EXAMPLE 1

Example 1 provides an illustration of a statement on internal control for an organisation that is satisfied that it has a sound system of internal control that has been in place throughout the year.

As Accountable Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, set by Scottish Ministers, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me.

The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.

The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of the organisation's policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically. This process has been in place for the year ended 31 March 2002 and up to the date of approval of the annual report and accounts and accords with guidance from Scottish Executive Finance.

As Accountable Officer, I also have responsibility for reviewing the effectiveness of the system of internal control. The following processes have been established:

- a management board which meets monthly to consider the plans and strategic direction of the organisation (the board comprises the senior members of the organisation and two external independent members);
- periodic reports from the chairman of the organisation's audit committee, to the board, concerning internal control;
- regular reports by internal audit which include the Head of Internal Audit's independent opinion on the adequacy and effectiveness of the system of internal control together with recommendations for improvement;
- regular reports from managers on the steps they are taking to manage risks in their areas of responsibility including progress reports on key projects;
- a regular programme of facilitated workshops to identify and keep up to date the record of risks facing the organisation;
- a programme of risk awareness training;
- implementation of a robust prioritisation methodology based on risk ranking and cost-benefit analysis;
- establishment of key performance and risk indicators;
- maintenance of an organisation-wide risk register.

My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letters and other reports.

FINANCE GUIDANCE NOTE No 2001/13: ANNEX 3

STATEMENT OF INTERNAL CONTROL: EXAMPLE 2

Example 2 provides an illustration for an organisation that is developing its internal control processes but considers that further elements are required to be introduced together with a continued period of trial and assessment prior to the preparation of a full statement on the system of internal control as illustrated in Example 1.

As Accountable Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, set by Scottish Ministers, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me.

The system of internal control is designed to manage rather than eliminate the risk of failure to achieve the organisation's policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.

The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of the organisation's policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically. I expect to have the procedures in place in March 2002 necessary to implement guidance from Scottish Executive Finance. This takes account of the time needed to fully embed the processes which the organisation has agreed should be established and to improve their robustness.

We have held a risk management workshop, attended by representatives of all grades of staff throughout the organisation, during which we identified the organisation's objectives and risks and determined a control strategy for each of the significant risks. As a result of this workshop, a risk management policy document has been sent to all staff setting out our attitude to risk and to the achievement of objectives.

The management board has changed its meeting calendar and agenda so that risk management and internal control will be considered on a regular basis during the year and there will be a full risk and control assessment before reporting on the year ending 31 March Risk management has been fully incorporated into the corporate planning and decision making processes of the organisation.

The management board receives periodic reports from the chairman of the organisation's audit committee concerning internal control and we require regular reports from managers on the steps they are taking to manage risks in their areas of responsibility including progress reports on key projects.

In addition to the actions mentioned above, in the coming year the organisation plans to:

- arrange a regular programme of facilitated workshops to identify and keep up to date the record of risks facing the organisation;
- introduce a programme of risk awareness training;
- establish a system of key performance and risk indicators; and
- develop and maintain an organisation-wide risk register.

The organisation's internal auditors submit regular reports which include the Head of Internal Audit's independent opinion on the adequacy and effectiveness of the organisation's system of internal control together with recommendations for improvement.

My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letters and other reports.

FINANCE GUIDANCE NOTE No 2001/13: ANNEX 4

AUDIT SCOTLAND'S APPROACH TO THE REVIEW OF STATEMENTS ON INTERNAL CONTROL

Review of Internal Control Statements

The approach adopted by Audit Scotland staff or other auditors appointed by the Auditor General for Scotland to the review of internal control statements will, in essence, be the same as that for statements on the system of internal financial controls. The relevant part of their certificate will read along the following lines:-

I review whether the statement on page? reflects the [name of audited organisation]'s compliance with guidance from Scottish Executive Finance. I report if it does not meet the requirements for disclosure specified by Scottish Executive Finance, or if the statement is misleading or inconsistent with other information I am aware of from my audit of the financial statements.

Auditors' review procedures draw on the relevant section of the Auditing Practices Board's guidance, Bulletin 5/99 The Combined Code: Requirements of Auditors Under the Listing Rules of the London Stock Exchange, tailored as appropriate for a central government context. The objective of the review is to assess whether the audited organisation's description of the processes adopted in reviewing the effectiveness of the system of internal control appropriately reflects that process. This involves:

- consideration of whether the disclosures are consistent with the auditors' review of board and committee minutes and their knowledge of the audited organisation obtained during the audit of the financial statements or other audit work;
- auditors' attendance at the organisation's audit committee meetings at which corporate governance, internal control and risk management matters are considered; and
- consideration of the process adopted by the Accountable Officer for his/her effectiveness review, and of the documentation prepared to support the statement.

Auditors' work on internal control will not be sufficient to enable them to express any assurance on whether the audited organisation's controls are effective. In addition, the financial statement audit should not be relied upon to draw to the Accountable Officer's attention all matters that may be relevant to their consideration as to whether or not the system of internal control is effective. Auditors are not expected actively to search for misstatements or inconsistencies, but if they become aware of such a matter they will discuss it with senior management to establish the significance of the lack of proper disclosure.

Understanding the Business and Controls

As noted above, the auditor's work on the financial statements audit is not driven by the requirement for an internal control statement and cannot be relied upon to indicate that controls are effective. Nevertheless Audit Scotland's own audit approach and those of many other firms are risk based approaches based upon obtaining a good understanding of the business, the risks that it faces and how those risks are managed. Although the emphasis remains to an extent on financial risks and controls, this work should provide a sound base for the auditor's consideration of the Accountable Officer's internal control statement. It should also provide opportunities to make recommendations for improvements to internal controls.

Risk management and internal control issues are often a feature of Audit Scotland's wider 3Es (economy, efficiency and effectiveness) examination role. Audit Scotland recognises that risk-taking is essential if public bodies are to innovate and improve and, as a member of the Public Audit Forum, has stated that it will support well thought through risk taking and innovation.