Beruflich Dokumente
Kultur Dokumente
2007-08
June 2007
South Central Strategic Health Authority Annual Audit Plan 2007-08
1. INTRODUCTION................................................................................................................................................................................................................................2
4. CONSULTATION...............................................................................................................................................................................................................................8
5. SUMMARY........................................................................................................................................................................................................................................11
APPENDIX B EXTRACT FROM BUILDING THE ASSURANCE FRAMEWORK: A PRACTICAL GUIDE FOR NHS BOARDS ..............................31
Deloitte & Touche Public Sector Internal Audit Limited June 2007 1
South Central Strategic Health Authority Annual Audit Plan 2007-08
1. INTRODUCTION
1.1 A one-year Operational Audit Plan has been prepared by Deloitte & Touche Public Sector Internal Audit Ltd for the period 1st April
2007 to 31st March 2008. The plan was compiled on the basis of identified risk and materiality, which was drawn together through
reference to the Assurance Framework, discussions with Key Staff and from the previous Internal Audit coverage.
1.2 The plan is prepared on the basis of resource input of 135 days in 2007-2008 to be scheduled across the final three quarterly
periods of the financial year. Details of the plan are shown at Appendix A.
Deloitte & Touche Public Sector Internal Audit Limited June 2007 2
South Central Strategic Health Authority Annual Audit Plan 2007-08
2.1 Internal Audits primary role is to provide the SCSHAs management with independent assurance on the effectiveness of the
internal control systems that contribute to the achievement of the SCSHAs business objectives. In so doing, this will enable the
Chief Executive to sign off the Statement of Internal Control. It is also Internal Audits role to provide the Board with assurance that
it has in place effective processes for the management of risk. This is referred to in detail within published guidance Building the
Assurance Framework: A Practical Guide for NHS Boards, which details how to provide evidence of assurances that support the
Statement of Internal Control.
The Board is accountable for internal control. The Chief Executive is responsible for maintaining a sound system of internal
control that supports the achievement of the organisations objectives, and for reviewing its effectiveness.
The system of internal control is designed to manage rather than eliminate the risk of failure to achieve these objectives.
The system of internal control can therefore only provide reasonable and not absolute assurance of effectiveness.
The system of internal control is based on an ongoing risk management process designed to identify the principal risks to
the achievement of the organisations objectives; to evaluate the nature and extent of those risks; and to manage them
efficiently, effectively and economically.
Deloitte & Touche Public Sector Internal Audit Limited June 2007 3
South Central Strategic Health Authority Annual Audit Plan 2007-08
3.1 The Assurance Framework (see extract at Appendix B which provides organisations with a simple but comprehensive method for
the effective and focused management of the principal risks to meeting their objectives. It also provides a structure for the
evidence to support the Statement on Internal Control. It refers to four key elements:
1. Principal objectives
2. Principal risks
3. Key controls
4. Assurance and co-ordination
3.2 In summary, it requires Boards to:
Deloitte & Touche Public Sector Internal Audit Limited June 2007 4
South Central Strategic Health Authority Annual Audit Plan 2007-08
4. CONSULTATION
4.1 Internal Audit will continue to work along side colleagues and other organisations in preparing, and then delivering, a co-ordinated
approach to the provision of assurance.
4.2 We view close liaison with external audit as fundamental to an effective audit service. Internal Audit will meet regularly with
External Audit to consult on audit plans, discuss matters of mutual interest, discuss common understanding of audit techniques,
methods and terminology, and to seek opportunities for co-operation in the conduct of audit work. In particular, Internal Audit
allows External Audit to rely on its work where appropriate, provided this does not prejudice Internal Audits independence.
4.3 Internal Audit forms a significant part of the SCSHAs governance arrangements and it is, therefore, also important that internal
and external audit have an effective working relationship. To facilitate this relationship, we have a protocol which sets out an
agreed framework showing how we will work together with your officers, including external audit, to meet the responsibilities under
the Code of Audit Practice. The key principles behind this agreement are:
4.4 We view our relationship with the SCSHAs Local Counter Fraud Specialist (LCFS) as equally important. Through regular meetings
with the organisations LCFS, together with an exchange of reports, the separate but complementary skills of both parties ensure
an effective and co-ordinated approach to risk management can be brought to bear on the contract. It is also envisaged that,
where it is appropriate to do so, we will work alongside the LCFS on specific pro-active counter fraud exercises.
4.5 Finally, we have taken account of the issues raised in previous internal audit activity in arriving at our audit coverage for the period.
Additionally, as with any internal audit assignment, we take into account the recommendations made from previous internal audit
activity on our forthcoming work.
Deloitte & Touche Public Sector Internal Audit Limited June 2007 5
South Central Strategic Health Authority Annual Audit Plan 2007-08
5. SUMMARY
5.1 The attached Operational Audit Plan is the result of an assessment of the current assurance framework, discussions with key staff
within the SCSHA, and the review of previous audit work. The plan will continue to be reviewed and updated as new factors come
to light and through the results of ongoing liaison with the SCSHAs management team.
5.2 The Audit Committee is asked to approve the Operational Plan for 2007-2008.
Deloitte & Touche Public Sector Internal Audit Limited June 2007 6
South Central Strategic Health Authority Annual Audit Plan 2007-08
Data within the financial ledger is secure and free from risks of
Financial Ledger, Financial Reporting and loss or corruption;
Medium 10 Q3
Budgetary Control.
The structure of the financial ledger reflects the information
needs of the SHA
Deloitte & Touche Public Sector Internal Audit Limited June 2007 7
South Central Strategic Health Authority Annual Audit Plan 2007-08
Only employees of the SHA are paid and for all and only the
work performed for the SHA;
Deloitte & Touche Public Sector Internal Audit Limited June 2007 8
South Central Strategic Health Authority Annual Audit Plan 2007-08
Orders for goods and services are placed with the most
appropriate suppliers in terms of cost, quality and delivery;
Creditors Low 5 Q3 Goods and services received and signed for by the
department that ordered the goods and the goods are in
accordance with those ordered;
Deloitte & Touche Public Sector Internal Audit Limited June 2007 9
South Central Strategic Health Authority Annual Audit Plan 2007-08
Deloitte & Touche Public Sector Internal Audit Limited June 2007 10
South Central Strategic Health Authority Annual Audit Plan 2007-08
Performance Management High 12 Q2 The arrangements for the setting of performance standards
and the identification and monitoring of performance
indicators;
Deloitte & Touche Public Sector Internal Audit Limited June 2007 11
South Central Strategic Health Authority Annual Audit Plan 2007-08
Objective setting;
Sources of assurance.
The external review will cover the collation, monitoring and reporting
of the Assurance Framework and other governance submissions by
NHS bodies within the local health economy.
Emergency Planning This audit will be scoped in full and a detailed
Emergency Planning Med 3 Q2
brief will be submitted for approval well in advance of fieldwork.
Other
Information Technology High 18 To be arranged
Follow-up of Recommendations 5 Q2
Contingency 6
Management 12
TOTAL 135
Deloitte & Touche Public Sector Internal Audit Limited June 2007 12
South Central Strategic Health Authority Annual Audit Plan 2007-08
APPENDIX B EXTRACT FROM BUILDING THE ASSURANCE FRAMEWORK: A PRACTICAL GUIDE FOR NHS BOARDS
The Assurance Framework provides organisations with a simple but comprehensive method for the effective and focused management of
the principal risks to meeting their objectives. It also provides a structure for the evidence to support the Statement on Internal Control.
This simplifies Board reporting and the prioritisation of action plans, which, in turn, allow for more effective performance management.
Principal Risks
Key Controls
Deloitte & Touche Public Sector Internal Audit Limited June 2007 13
South Central Strategic Health Authority Annual Audit Plan 2007-08
Principal Objectives
The first step in preparing an assurance framework is for the Board to identify its organisations objectives, clinical, financial and generic. It
is necessary for Boards to focus on those that are crucial to the achievement of its overall goals and these are defined as the principal
objectives. These incorporate those at the strategic and directorate (or equivalent) level.
Principal Risks
Principal risks are defined as those that threaten the achievement of the organisations principal objectives. It is essential that boards
understand that they need to manage potential principal risks, rather than reacting to the consequences of risk exposure.
Key Controls
Organisations should ensure that they have key controls in place which are designed to manage their principal risks. Controls should be
documented and their design subject to scrutiny by independent reviewers, which include internal auditors, in conjunction with clinicians
and other specialists where necessary, Healthcare Commission and external audit. The key controls should be mapped to the principal
risks. When assessments are made about controls, consideration must be given not only to the design but also the likelihood of them
being effective in light of the governance and risk management framework within which they will operate - even the best controls can fail if
staff are not adequately trained.
One of the key challenges for Boards is to implement a system to gain assurances about the effectiveness of the operation of the controls
they have in place to manage their principal risks. They not only need to ensure they have the right level of assurance but they need to
make use, wherever possible, of the work of the many external reviewers and ensure the whole process is efficient.
A system that provides good co-ordination and evaluation of the work of the auditors, inspectors and reviewers will bring increased
benefits to both the organisation and the review bodies. It will help minimise the burden on the organisation by reducing overlap and allow
potential gaps in assurance to be identified and addressed.
Deloitte & Touche Public Sector Internal Audit Limited June 2007 14