Interim Management Letter 2011/2012 for NHS Tayside


Contents

1. Introduction
2. Understanding NHS Tayside
3. Understanding and validation of controls
Other matters
Appendix 1. Action Plan

The principal objective of our audit procedures is to enable us to express our opinion, in line with the requirements of the Audit Scotland Code of Audit Practice, on the financial statements as a whole. Our audit opinion does not guarantee that the financial statements are free from misstatement. Our audit responsibilities and their limitations are explained in our letter of appointment.

Any oral comments made in discussions with you relating to this report are not intended to have any greater significance than explanations of matters contained in the report. Any oral comments that we make do not constitute oral advice unless we confirm any such advice formally in writing.

The matters raised in this and other reports that will flow from the audit are only those which have come to our attention arising from or relevant to our audit that we believe need to be brought to your attention. They are not a comprehensive record of all the matters arising, and in particular we cannot be held responsible for reporting all risks at the Board or all internal control weaknesses.

This report has been prepared solely for your use and should not be quoted in whole or in part without our prior written consent. No responsibility to any third party is accepted as the report has not been prepared for, and is not intended for, any other purpose.

PwC

Introduction

1.01 As part of our interim audit process we enclose our interim management report arising from our visit to NHS Tayside ("the Board") during December 2011 and March

We have assessed the Board's overall governance arrangements including a review of Board and key committee structures and minutes, financial reporting to the Board, and risk management.

This report considers the Board's arrangements for the production of the financial statements, internal audit arrangements, corporate governance arrangements and performance management. This includes consideration of the high-level risks identified through our work at the Board in addition to those contained in the Priorities and Risk Framework ("PRF") document used by all NHS Board external auditors (see section 2).

Our Audit Approach

1.03 The table below outlines our audit approach and shows how it links to the work performed during the interim visit, and our reporting in this Interim Management Letter.

Step 1
Our Audit Approach: Understanding your strategy, business objectives and associated risks to focus our audit on those risks that impact your financial reporting.
Reference: Section 2 Priorities and Risks Framework

Step 2
Our Audit Approach: Understanding and validating the controls that management has in place around the key risk areas.
Reference: Section 3 Controls

Step 3
Our Audit Approach: Detailed testing performed as necessary based on our assessment of the control environment and operation of management controls.
Reference: To be performed during the final audit visit in May/June 2012

Findings and recommendations

1.04 Our detailed findings and recommendations, which have been agreed with management, are included in the Action Plan in Appendix 1. The recommendations have associated management responses and agreed implementation dates and responsible officers.

Risk Assessment: High
Definition: Significant control weakness requiring immediate attention by management
Number: 2

Risk Assessment: Medium
Definition: Control weakness identified which needs to be rectified but where there is no material impact on the achievement of the control objectives

Risk Assessment: Low
Definition: Minor control weakness identified
Number: 2

Total Recommendations: 7

Acknowledgment

1.05 We would like to formally extend our thanks to the Board's managers and staff for the assistance they have given us during the course of our fieldwork.

2.01 Our principal objective is to perform an audit in accordance with the Audit Scotland Code of Audit Practice. In addition, we are required to comply with International Standards on Auditing (UK & Ireland). Gaining an understanding of NHS Tayside's business is a key feature of achieving that objective.

The Priorities and Risks Framework (PRF) for NHS Scotland is one element of the audit approach which has been designed to meet the requirements of both the Code of Audit Practice and International Standards on Auditing.

We have therefore highlighted some observations against each of the PRF risk categories below.

Service Redesign and Sustainability

Vision and Consultation
Service redesign and sustainability continues to be a key focus for the Board and presents ongoing challenges due to the tightening budget and increasing demand for services. Steps to Better Healthcare is the Board's programme of activity to redesign services. It aims to use innovative ways to improve the delivery of services in Tayside. The Board has included service redesign as a key risk in the Corporate Risk Register and is proactive in listening to staff suggestions to identify areas of efficiency.

Integrated Planning
The Board recognises that development and innovation in e-health are key to integrating high quality healthcare and the Board has taken steps to increase its ability to deliver dynamic, real-time clinical management information to aid improvement in patient care and safety. Further advances in the secure sharing of information between primary care, secondary care and other agencies support a different approach to managing patients with long term conditions and help reduce the number of unplanned admissions to hospitals.

Performance Management
The Board has overall responsibility for performance management of NHS Tayside which includes risk management.
The Board's Finance and Resources Committee (FRC) is responsible for monitoring the use of all resources available to the Board. The FRC also has key responsibilities to review all resource allocation proposals and to make recommendations to the Board. Each month the FRC reviews the corporate financial report and the capital report against budgets.

Re-Allocation of Resources
The Board is responsible for development of a single Local Delivery Plan for Tayside which addresses the health priorities and health care needs of the population. To do this effectively, resources must be allocated to address local priorities and the Board is responsible for deciding how the funds allocated by the Scottish Government are deployed locally to meet the strategic objectives of NHS Tayside. In particular, through succession planning, the board should ensure appropriate knowledge and experience is retained among key officers to maintain the Board's capacity to deliver quality services.

Appendix 1, Action Point 1

Effective Partnership Working

Commitment and leadership
The Board engages with various partners including Local Authorities, voluntary and charitable organisations, other NHS Boards and the Scottish Government Health Department (SGHD). The Board is actively engaged with Dundee, Angus and Perth and Kinross Councils as main statutory partners. The other statutory partners that NHS Tayside has committed to work with include Tayside Police, Tayside Fire and Rescue Service, Scottish Enterprise Tayside, Communities Scotland as well as academic institutions and representatives of the private sector. The Board also has Community Health Partnerships (CHP) in Angus, Dundee and Perth and Kinross. However, as per the Cabinet Secretary's announcement in December 2011 these will be replaced by Health and Social Care Partnerships.

Responsibility and Accountability
In the Strategic Plan the Board acknowledge that partnership working with Local Authorities and the Voluntary Sector will become increasingly important in the coming years given the demand for improved healthcare and tighter budgets. The Single Outcome Agreement governs the relationship between the Board and its Local Authority Partners and identifies the improved outcomes for service users and communities that the Community Planning Partnerships serve.

Planning
The Board has been actively involved with regional planning as a means of providing the full range of modern, integrated and sustainable health services for their respective populations.

Sharing Information
The National Planning Forum (NPF) was established in July 2009 to develop, for agreement by Board Chief Executives and the Scottish Government, firm proposals to address specific planning issues facing NHS Scotland that result from national policy or which require planning across regional or NHS Board boundaries.
The Staff Governance Committee has also established an Area Partnership Forum that has the responsibility for facilitation and monitoring the effectiveness of partnership working between management and staff at all levels in NHS Tayside and Contractors and to develop and approve Employment Policies through the Partnership process.

Service Delivery
The Board recognises that partnership working with Local Authorities and the Voluntary Sector will become increasingly important as will the relationship with the people of Tayside. In March 2010, NHS Tayside approved the Health Equity Strategy (Communities in Control) which set out a vision for the future. Over the past 18 months, various workstreams have been taken forward by Community Health Partnerships and Community Planning Partnerships and these are reported in the paper Progress Report on Implementation of Health Equity Strategy (Communities in Control). Other projects and initiatives within Tayside have been positively contributing to this agenda, for example the Dundee Healthy Living Initiative.

Scrutiny and Governance

Committee Structures & Scrutiny
The Board has an established committee framework in place. All committees have Terms of Reference governing their activities and these are listed on the Board's intranet/website. The Audit Committee is in place to assist the Board to deliver its responsibilities for the conduct of public business and the stewardship of funds under its control. In particular, the Audit Committee aims to provide assurance to the Board that an appropriate system of internal control is in place to ensure that:
- Business is conducted in accordance with the law and proper standards;
- Public money is safeguarded and properly accounted for;
- Financial Statements are prepared timeously and give a true and fair view of the financial position of the Board for the period in question;
- Affairs are managed to secure economic, efficient and effective use of resources; and
- Reasonable steps are taken to prevent and detect fraud and other irregularities.
The Board has developed a governance section on the public website in order to comply with the Good Governance Standard.

Risk Management
Risk management continues to be one of the most important areas for the Board and the risk profile is managed within the electronic risk register system (SMART) which covers all corporate and operational risks identified by the Board. The risks are rated by likelihood and consequence and each one has a risk owner and risk manager. The Strategic Risk Management Group (SRMG) is accountable and responsible for the management and control of risks that threaten the organisation. Members of the Group are responsible for the integration of risk management into all aspects of planning, business management and service provision within NHS Tayside. As part of the governance reporting arrangements for risk management, the Board receives and reviews the Corporate Risk Profile each quarter.
The 6 high rated risks as at December 2011 are:
- Emergency & Continuity Planning (inclusive of flu pandemic)
- Healthcare Associated Infection
- Workforce and Staff Governance
- Individual Complex Care Needs
- Shifting the Balance of Care
- Transfer of Prisoner Healthcare to NHS Tayside
The Strategic Risk Management Group is chaired by the Deputy Chief Executive.

Information Governance
Information Governance is a Corporate Risk on the Board's risk register and is a focus for the Board throughout the year. In addition, the Improvement and Quality Committee prepares an annual assurance improvement/action plan to provide assurance that NHS Tayside has the necessary assurance arrangements in place for information; this is reported to the Board.

Patient Safety and Clinical Governance

Leadership and culture
The Improvement and Quality Committee (IQC) meets quarterly to provide the Board with the assurance that robust governance and management systems and processes are in place and effective throughout NHS Tayside. The IQC reports directly to Tayside NHS Board and the minutes are presented at Board meetings.

Patient Safety & Strategic Change
The IQC is responsible for reviewing progress on all aspects of Patient Safety, Clinical Governance and Clinical Risk. The Committee receives assurance reports across all the clinical governance/quality activities within NHS Tayside from its established Clinical Quality Forum. The purpose of the Clinical Quality Forum is to manage the clinical governance and quality assurance activities within NHS Tayside, through prioritising and agreeing a work programme in order to provide assurance to the Board through the IQC that appropriate systems for clinical governance and quality activities are in place in NHS Tayside. The minutes of the Clinical Quality Forum are presented at the subsequent meeting of the IQC.

Continuous Improvement
The Board continues to promote a culture of learning and lessons learned are recorded through the completion of Critical Incident Reviews. Ongoing training is also provided and targets in this area are built into staff objectives.

Communication and Support
The IQC prepare an annual work plan detailing the work to be taken forward by the Committee. The IQC also receive an annual report on the Corporate Communications and Engagement Strategy as well as the Participation Standards Self Assessment Framework to be assured NHS Tayside is meeting the required standards.

Financial Management and Affordability

Long Term Strategy
The Board approved the Strategic Plan which sets out the strategic aims and objectives for the Board over the period.
Each year the Finance and Resources Committee also prepare the Strategic Financial and Capital Plans for the ensuing five-year period.

Cost Pressures
The position going forward is challenging with limited funding increases, increasing cost pressures and challenging savings targets. For 2011/12 the Board had to achieve significant savings in order to maintain its financial position and this proved particularly challenging given cost pressures, such as incremental pay growth and increasing prescribing costs. The significant financial challenges that the Board faces in 2011/12 and beyond will require the Board to prioritise its use of resources. Project workstreams adopted by the Steps to Better Healthcare Programme Board (SBH) include optimising healthcare facilities, procurement and workforce efficiencies.

Savings
The approved Strategic Financial Plan for the Board included an efficiency savings target for 2011/12 of £25.0 million, equivalent to 4.2% of the Board's general allocation. The Efficient Government target of 3.0% (£17.6 million) is included within the £25.0 million target.

The Board reported savings of circa £26 million for the year, against planned savings of £25 million for the year to 31 March

Progress with identification and achievement of savings targets is monitored by the Executive Team which includes representation from service groups and Executive Directors.

Capital Programme
The capital investment at the end of February 2012 was £16.5 million, which largely represents progress on three major projects: Nuclear Medicine at Ninewells Hospital (£6.2 million), endoscopy unit (£0.6 million) and assisted conception unit (£2 million). The balance of expenditure is on smaller items and projects including medical equipment and e-health.

Affordability and Sustainability
One of the key objectives of the Finance and Resources Committee (FRC) is to manage the level of reserves and to assess the impact of planned future policies and known or foreseeable future developments on the financial position. The FRC reports directly to the Board each month and annually prepares the following:
- Corporate Financial Plan for the following financial year;
- The Strategic Financial Plan for the ensuing five-year period; and
- The Capital Forecast for the ensuing five-year period.

Scrutiny and Monitoring
The FRC on behalf of the Board is responsible for ensuring that the financial position of the Board is sound and the Board is compliant with statutory financial requirements and financial targets.

Performance Management

Embedded Local Performance Management
Performance reports are submitted to the Board on a monthly basis. The reports use a red, amber, green (RAG) system, supported by narrative, to record performance against the Board's corporate objectives. The performance management arrangements allow effective reporting on performance.

Core Performance Management Principles
The SGHD has issued a Balanced Scorecard for all NHS Boards to use. This will be used by NHS Tayside from 2012 and will be a recurring feature for the Board in the monthly dashboard report.

Local Delivery Plan Targets
The Local Delivery Plan, Single Outcome Agreements and Regional Planning Work Plans seek to ensure all activity in NHS Tayside supports the overall vision and helps progress towards the Strategic Aims and Outcomes.

Efficient Government
As noted above the Efficient Government target of 3.0% (£17.6 million) is included within the £25.0 million savings target. The non recurring element of the 2010/11 programme of £8.6m forms part of the 2011/12 savings target.

Public Reporting Arrangements
Key publications are documented on the Board's external website and can be viewed by the general public. This includes the strategic plans, annual accounts alongside other key documents which are considered to be effective to allow robust reporting on performance.

Reducing Greenhouse Gas Emissions
The Board has taken initial steps (e.g. education of staff) to reduce its carbon footprint. Through the HEAT targets NHS Tayside has a responsibility to reduce energy-based carbon emissions and to continue a reduction in energy consumption to contribute to the greenhouse gas emissions reduction targets set in the Climate Change (Scotland) Act

The Government's CRC Energy Efficiency Scheme will have financial implications for the Board since the Board will be taxed based on their carbon usage.

Capacity to deliver

Leadership and Management Capacity
The Board has a clear vision statement: Working with you for better health and better care. The vision statement drives the strategic aims in the Strategic Plan for

Workforce Capacity
The Staff Governance Committee is responsible for monitoring and evaluating the workforce strategies and implementation plans. A Quarterly Workforce Information and Monitoring Report is prepared and reported to the Board. The staff headcount for September (13,428) has increased from the April 2011 position of 13,406. The staff turnover for September (8.3% annualised) is the highest for the year to date. The Staff Governance Committee has the responsibility to approve and monitor the Workforce plan and review the Corporate Risks relating to staff and workforce issues. The Committee meets monthly.

Introduction

3.01 As part of the audit we have undertaken work to review the overall financial governance arrangements within the Board. We have summarised the findings of our work in this section of the report and highlighted any issues arising.

Governance Responsibilities

3.02 It is the responsibility of Management to maintain adequate and effective financial systems and to arrange for an appropriate system of internal control. As your auditors, for the purposes of our audit assurance, we evaluate significant financial systems and associated controls within the Board. In practice, we do not examine every financial activity and as a result it cannot be expected that we will have identified all weaknesses or areas for improvement that may exist.

Financial Governance and Controls

3.03 Our review of your financial governance arrangements focused on the following areas:
- Review of key systems of financial control;
- Discussions with Internal Audit and review of relevant documentation; and
- Prevention and detection of fraud and corruption

Where we identify control weaknesses, we assess the materiality and impact on the reviewed system of the control weaknesses identified. We assess the significance of the weakness identified and the impact it would cause following a full breakdown in the control across the Board.

Key systems of Financial Controls

3.05 Over the term of our appointment, we will review on a rotational basis the key financial controls in operation within the Board. The main cycles we will consider in 2011/12 include Budgetary Control, Purchases & Payables, Payroll and Information Technology General Controls ("ITGCs"); see below for conclusions on the work performed.

We also conducted walkthroughs of the key controls around Cash & Treasury and Revenue & Accounts Receivable to ensure the systems were working as intended. No weaknesses in the control design or operation were noted.

Budgetary Control

3.07 We performed a review of the processes surrounding budgetary control, in particular a review of the budget setting process and the monitoring arrangements in place at the Board covering the following key control objectives:
1. The responsibilities of the Board for setting and control of budgets are properly defined;
2. Budgets are set in accordance with pre-determined approved policy objectives;
3. Revenue items are properly controlled by the effective periodic monitoring of financial outturns against budgets;
4. Significant variances are promptly identified, reported and acted upon; and
5. The system contributes to the Board's ability to demonstrate that resources are being used in an economic way

No issues were noted in respect of either the design or effectiveness of the controls in operation.

Property, Plant and Equipment

3.09 We had planned to rely on the work of internal audit undertaken in December 2011 to reduce our year end testing of property, plant and equipment. The sample chosen by internal audit related to the prior year, therefore we are unable to rely on their findings for the year ending 31 March

Substantive testing will be performed during our year end fieldwork in May

Purchases & Payables

3.10 Our audit work focused on the authorisation and approval of purchases and specifically whether there are appropriate segregation of duties in place between staff who raise requisitions and those who authorise payments. We noted a minor exception in relation to credit cards payments as noted below

Government procurement cards have been introduced to NHS Tayside in 2011/12 and at the time of our interim visit 8 cards had been issued, with 22 payments with a value of less than £2,000 having been made. For all Government procurement card purchases staff are required to complete the general expenses claim form and submit all receipts to support the expenses.
The payment must also be authorised by an authorised signatory

From our interim testing we noted two Government procurement card claims were not supported by an appropriate claim form and receipts. The receipts were subsequently supplied but the documentation was not completed and reviewed in line with the required procedures when the claim was submitted. We acknowledge that the Government procurement cards are new and the processes are still bedding in but it is important that Management ensure the controls over Government procurement cards expenses are robust and enforced from the start to minimise any problems in the future. A recommendation to reflect this has been raised in Appendix 1, Action Point 2.

Payroll

3.13 Our audit work focused on changes to standing data (including starters and leavers), approval of timesheets and review of the payroll reconciliations. We noted the following:
- The net pay reconciliation was not reviewed in two months tested. Mitigating controls were identified that check and authorise the payroll figures before the BACS payments are made.
- Two new starter forms had not been signed as checked before being processed. Further investigation revealed that a mitigating control was in place as the amendment log, which identifies all changes to the system and included the new starts we identified, had been reviewed and checked by a different member of payroll from the person who input the information

While we are still able to get the comfort from our work done, for best practice, recommendations have been raised for both issues above to ensure controls are operating as expected (see Appendix 1, action points 3 and 4).

Information Technology General Controls (ITGCs)

3.15 ISA (UK&I) , requires the auditor to obtain an understanding of how the entity has responded to risks arising from IT. ITGCs are controls put in place by management to mitigate those risks. ITGCs help ensure the continued proper operation of information systems to maintain the integrity of information and security of data. The following systems were included in our scope:
- efinancials
- SPSS
- eexpenses
- SSTS
- PECOS
- HEART
- ASCRIBE

3.16 The findings of our testing of the IT General control environment were largely satisfactory for the purposes of planning our year end audit approach. We draw your attention to weaknesses over the change management processes in place. In addition we identified some recurring themes on the lack of control over the consistency and timeliness of removing access for leavers and change controls. These findings are detailed in Appendix 1, recommendations 5, 6, and 7.

Internal Audit

4.01 International Statement of Auditing (ISA (UK&I) 610), Considering the Work of Internal Audit, states that "Where the work of internal auditing is to be a factor in determining the nature, timing and extent of the external auditor's procedures, it is desirable to agree in advance the timing of such work, the extent of audit coverage, materiality levels and proposed methods of sample selection, documentation of the work performed and review and reporting procedures", and "the external auditor would need to be advised of and have access to relevant internal audit reports and be kept informed of any significant matter that comes to the internal auditor's attention which may affect the work of the external auditor"

During our visit, we reviewed the Internal Audit Plan and intend to use the following Internal Audit reports to inform the scope of our audit work at the final audit visit in May 2012:
- Risk Management Strategy, Standards & Operations (report T16/10);
- Financial Planning (report T39/11);
- Efficient Government Efficiency and Productivity (report T34/11);
- Purchasing (report T41/11);
- Financial Process Compliance (report T43/11);
- Departmental Payroll Authorised Signatories (report T44/11); and
- Travel & Subsistence Departmental Process (report T45/11)

We will continue to work with Internal Audit to ensure we use their work effectively where possible.

Audit Scotland National Performance Reports

4.04 Audit Scotland undertakes a series of studies on financial management, governance and performance across the health sector and other public sector organisations on behalf of the Auditor General.
For the 2011/12 year we are required to consider NHS Tayside's response to those national performance reports which are relevant to the Board

A review of the national performance reports published by Audit Scotland between April 2011 and the time of this report identified the following reports that are of relevance to NHS Tayside:
- Community Health Partnerships (June 2011);
- Transport for health and social care (August 2011); and
- A review of telehealth in Scotland (October 2011).

4.06 During our interim audit visit we held discussions with key members of management and noted that the above reports have been discussed within relevant committees including the Audit Committee during the year.

Follow-up of prior year External Audit Recommendations

4.07 As part of our External Audit work we ordinarily conduct a follow-up of all prior year Internal and External Audit recommendations to ensure that they are being monitored and implemented as recorded. However, NHS Tayside perform a follow-up exercise internally and therefore we have not duplicated the work but we have gained an understanding of the process and verified it through discussions with Management and a review of key systems and documentation

From our work performed we note that NHS Tayside maintain a database of all recommendations raised by Internal and External Audit. The information held includes the origin and details of the recommendation, the responsible officer, its implementation date and its current status. Each quarter an update on the status of all open recommendations is obtained from the relevant responsible officers and the results are communicated to the Audit Committee.

Prevention and detection of fraud and corruption

4.09 We plan our audit to have a reasonable expectation of detecting fraud where the potential effects would be material to the financial statements of the Board. The risk and potential for fraud is one of the areas we consider when assessing the appropriateness of the Board's control procedures

During the course of our interim audit, we did not identify any control weaknesses that would increase the risk of fraud in the Board.

Appendix 1. Action Plan

Action Point 1 Succession planning

Recommendation/Action Point
The Board is undergoing a number of changes to its non executive members. The Board should ensure that there are formal arrangements in place to ensure that knowledge of risks and priorities is passed to new Board members. This should also include clarification of new member responsibilities.

Action plan
Finding rating: High

Management response:
A programme has been developed for the five new non executives (i.e. 1st April 2012 and a further potential four new non executive members in May 2012):

Meeting with Chairman and members of the Board Secretary's office prior to official start date. Issues discussed:
- The role of Tayside NHS Board
- Pattern of meetings and development events
- Chairman's meeting with other Board Chairs and Cabinet Secretary
- Priorities and risks for the organisation as detailed in:
  - The NHS Tayside Facing the Future Corporate Presentation
  - NHS Tayside Investing in your Health Strategic Financial Plan 2012/ /17
  - NHS Tayside Local Delivery Plan 2012/13
  - NHS Tayside Strategic Health Plan
- Non Executive priorities and actions identified for 2012/13

Formal induction day with Executive Directors on 13 April 2012 and series of Development Events on Risk Management and Performance Scrutiny to be held.

Responsible person / title: Margaret Dunning, Board Secretary
Target date: 30 June 2012

Action Point 2 Unsupported Government procurement card expenses

Recommendation/Action Point
From our sample of transactions, 2 Government procurement card payments were not supported by a claim form and relevant receipts as required per procedures. Management should ensure the controls over the Government procurement cards expenses are robust and consistently enforced in line with your procedures.

Action plan
Finding rating: Medium

Management response:
At the time of the audit fieldwork the procedures were bedding in. We are satisfied that robust procedures are now in place.

Responsible person / title: Assistant Director of Finance Financial Services and Partnership, Fraud Liaison Officer
Target date: Completed 30th April 2012

Action Point 3: Review of key pay control reconciliation

Recommendation/Action Point: The net pay reconciliation was not reviewed in two months tested. The net pay control reconciliation had not been reviewed as the Financial Accounting Team Leader was on holiday in September and compassionate leave in October. Management should ensure there is more than one member of staff with the appropriate authority to sign off the reconciliation in case of any unforeseen absences.

Action plan

Finding rating: Low

Management response: All payroll transactions that give rise to a payment, including the actual payment to employees, were and are signed off as authorised by a senior manager prior to payment being made. In addition a series of internal controls make sure that payroll expenditure is properly accounted for in the financial ledger, the net pay reconciliation is but one. All of these controls operated throughout the year with the exception of the net pay control account review for September and October. There was not at any point a risk to NHS Tayside.

For the two months reviewed by Audit colleagues the net pay control account reconciliations were undertaken but not escalated for review by a senior manager because no unusual issues were identified during the reconciliation process.

We have, since the date of the audit, updated our internal procedures and another member of staff would now undertake the review of the net pay control account reconciliation should the normal reviewer be absent from work.

Responsible person / title: Head of Financial Services

Target date: Completed 30 April 2012

Action Point 4: Starter forms not signed as checked by Payroll

Recommendation/Action Point: Two new starter forms had not been signed as checked before being processed. Further investigation revealed that a mitigating control was in place as the amendment log, which identifies all changes to the system and included the new starts we identified, had been reviewed and checked by a different member of payroll from the person who input the information. We recommend that management ensures all new starter forms are signed and checked as a preventive control.

Action plan

Finding rating: Low

Management response: Reminder sent to payroll staff asking them to be more diligent in ensuring the prime documentation is appropriately signed.

Responsible person / title: Head of Payroll Services

Target date: Completed 30 April 2012

Action Point 5: Control over leavers

Recommendation/Action Point: Our testing of the leavers identified that they have not been removed from the system applications on a timely basis. Periodic reviews of access rights should be undertaken across key financial systems to minimise the risk of delays in removing leavers' access rights.

Action plan

Finding rating: Medium

Management response: The underlying issue is considered to be one of communication of the list of leavers to the relevant departments, who are responsible for informing IT to remove access rights. There are plans to more closely align Workforce and Payroll to improve communication. A system will be developed to communicate the date when a leaver should be denied access to workforce and financial systems.

Responsible person / title: Director of Workforce, Director of Finance

Target date: 30 September 2012

Action Point 6: Change management processes

Recommendation/Action Point: There is currently no formalised process in place for the management of changes to the operating system. Changes are not consistently documented and the authorisation for changes, if obtained, can be informal. There are currently no controls in place that enforce appropriate authorisation or the testing of changes. Furthermore, responsibilities around the change process are not yet clearly defined or documented. The lack of controls in place causes an increased risk of unauthorised changes to the operating system.

NHS Tayside has identified gaps around the management of changes and is in the early stages of implementing improvements. We recommended that this investigation continues until an effective control process is implemented. This should include the requirement for appropriate authorisation of changes, testing changes prior to implementation and clarifying roles and responsibilities.

Action plan

Finding rating: High

Management response: All applications in use are effectively national and changes required are effected by the relevant user groups. Desktop and server operating systems are managed locally. Changes to desktop operating systems are documented. For server operating systems change controls are being developed.

Responsible person / title: Head of ICT Infrastructure

Target date: 30 September 2012

Action Point 7: Authorisation for new users

Recommendation/Action Point: For three of the new Ascribe (pharmacy) system users selected for testing, it was not possible to demonstrate an audit trail for authorisation. Management should ensure that evidence is maintained to demonstrate the request and approval of new system users.

Action plan

Finding rating: Medium

Management response: The system security for ASCRIBE has now been reviewed and the ability to create accounts has been restricted to two members of staff based on the Ninewells site. They will provide this function for the whole of Tayside and are aware of the need for a user account form to be completed and retained for all members of staff.

Responsible person / title: David Coulson, Principal Pharmacist

Target date: Completed 30 April 2012

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.

PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.