
Internal Audit Operational Annual Plan


South Central Strategic Health Authority

June 2007
South Central Strategic Health Authority Annual Audit Plan 2007-08

1. INTRODUCTION

2. STATEMENT OF INTERNAL CONTROL

3. THE ASSURANCE FRAMEWORK AND THE ROLE OF INTERNAL AUDIT

4. CONSULTATION

5. SUMMARY

APPENDIX A INTERNAL AUDIT OPERATIONAL PLAN


Deloitte & Touche Public Sector Internal Audit Limited June 2007 1
1. INTRODUCTION


1.1 A one-year Operational Audit Plan has been prepared by Deloitte & Touche Public Sector Internal Audit Ltd for the period 1st April
2007 to 31st March 2008. The plan was compiled on the basis of identified risk and materiality, which was drawn together through
reference to the Assurance Framework, discussions with Key Staff and from the previous Internal Audit coverage.

1.2 The plan is prepared on the basis of resource input of 135 days in 2007-2008 to be scheduled across the final three quarterly
periods of the financial year. Details of the plan are shown at Appendix A.

2. STATEMENT OF INTERNAL CONTROL


2.1 Internal Audit's primary role is to provide the SCSHA's management with independent assurance on the effectiveness of the
internal control systems that contribute to the achievement of the SCSHA's business objectives. In so doing, this will enable the
Chief Executive to sign off the Statement of Internal Control. It is also Internal Audit's role to provide the Board with assurance that
it has in place effective processes for the management of risk. This is referred to in detail within the published guidance "Building the
Assurance Framework: A Practical Guide for NHS Boards", which details how to provide evidence of assurances that support the
Statement of Internal Control.

2.2 The requirements of the Statement of Internal Control can be summarised as follows:

• The Board is accountable for internal control. The Chief Executive is responsible for maintaining a sound system of internal
control that supports the achievement of the organisation's objectives, and for reviewing its effectiveness.
• The system of internal control is designed to manage rather than eliminate the risk of failure to achieve these objectives.
• The system of internal control can therefore only provide reasonable and not absolute assurance of effectiveness.
• The system of internal control is based on an ongoing risk management process designed to identify the principal risks to
the achievement of the organisation's objectives; to evaluate the nature and extent of those risks; and to manage them
efficiently, effectively and economically.

3. THE ASSURANCE FRAMEWORK AND THE ROLE OF INTERNAL AUDIT


3.1 The Assurance Framework (see extract at Appendix B) provides organisations with a simple but comprehensive method for
the effective and focused management of the principal risks to meeting their objectives. It also provides a structure for the
evidence to support the Statement on Internal Control. It refers to four key elements:
1. Principal objectives
2. Principal risks
3. Key controls
4. Assurance and co-ordination

3.2 In summary, it requires Boards to:

• Establish principal objectives (strategic & directorate).
• Identify the principal risks that may threaten the achievement of these objectives
• Identify and evaluate the design of key controls intended to manage these principal risks
• Set out the arrangements for obtaining assurance on the effectiveness of key controls across all areas of principal risk
• Evaluate the assurance across all areas of principal risk
• Identify positive assurances and areas where there are gaps in controls and / or assurances
• Put in place plans to take corrective action where gaps have been identified in relation to principal risks
• Maintain dynamic risk management arrangements including, crucially, a well founded risk register

3.3 NHS Internal Auditors are required to comply with the NHS Internal Audit Standards that are based closely on the Government
Internal Audit Standards. This provides for consistency of audit across government bodies including the NHS. As part of their
responsibilities NHS Internal Auditors are required to provide assurances about the effectiveness of controls in place across all of
the organisation's activities. The NHS is highly complex and internal auditors will not necessarily have the full range of skills to
provide all of the assurances needed by the Board. Therefore, to fulfil their function they will review the overall arrangements the
Board has in place for securing adequate assurances, and provide an opinion on those arrangements to support the SIC. This will
entail reviewing the way in which the Board has identified objectives, risks, controls and sources of assurances on those controls
and assessed the value of assurances obtained. In addition they will provide specific assurances about the areas covered in their
audit plan, as approved by the Audit Committee, and will work alongside other professionals wherever possible to advise on
systems of control and assurance arrangements. This is a distinct role, which is quite different to reviewing and commenting on
the reliance of the assurances themselves, which is the responsibility of the Board.

4. CONSULTATION


4.1 Internal Audit will continue to work alongside colleagues and other organisations in preparing, and then delivering, a co-ordinated
approach to the provision of assurance.

4.2 We view close liaison with external audit as fundamental to an effective audit service. Internal Audit will meet regularly with
External Audit to consult on audit plans, discuss matters of mutual interest, discuss common understanding of audit techniques,
methods and terminology, and to seek opportunities for co-operation in the conduct of audit work. In particular, Internal Audit
allows External Audit to rely on its work where appropriate, provided this does not prejudice Internal Audit's independence.

4.3 Internal Audit forms a significant part of the SCSHA's governance arrangements and it is, therefore, also important that internal
and external audit have an effective working relationship. To facilitate this relationship, we have a protocol which sets out an
agreed framework showing how we will work together with your officers, including external audit, to meet the responsibilities under
the Code of Audit Practice. The key principles behind this agreement are:

• a willingness and commitment to working together;
• clear and open lines of communication;
• avoidance of duplication of work where possible.

4.4 We view our relationship with the SCSHA's Local Counter Fraud Specialist (LCFS) as equally important. Through regular meetings
with the organisation's LCFS, together with an exchange of reports, the separate but complementary skills of both parties ensure
an effective and co-ordinated approach to risk management can be brought to bear on the contract. It is also envisaged that,
where it is appropriate to do so, we will work alongside the LCFS on specific pro-active counter fraud exercises.

4.5 Finally, we have taken account of the issues raised in previous internal audit activity in arriving at our audit coverage for the period.
Additionally, as with any internal audit assignment, we take into account the recommendations made from previous internal audit
activity on our forthcoming work.

5. SUMMARY


5.1 The attached Operational Audit Plan is the result of an assessment of the current assurance framework, discussions with key staff
within the SCSHA, and the review of previous audit work. The plan will continue to be reviewed and updated as new factors come
to light and through the results of ongoing liaison with the SCSHA's management team.

5.2 The Audit Committee is asked to approve the Operational Plan for 2007-2008.

APPENDIX A INTERNAL AUDIT OPERATIONAL PLAN


AUDITABLE AREA Priority Days Timing Coverage

Financial Ledger, Financial Reporting and Budgetary Control.
Priority: Medium; Days: 10; Timing: Q3
Coverage: Contract management arrangements (or in-house processes where appropriate) to ensure that all of the following points are completed
• All transactions of the organisation are recorded;
• All input to the financial ledger is complete, accurate, timely and valid;
• All journals within the financial ledger are authorised and
• Output from the ledger is controlled, secure, timely and appropriate to need;
• Data within the financial ledger is secure and free from risks of loss or corruption;
• The structure of the financial ledger reflects the information needs of the SHA
• Budgetary control objectives are clearly identified in the business plan;
• Budgetary responsibility is clearly delegated to budget holders and consistent with the scheme of delegation;
• Risks in relation to the business plan and budget are established and controlled;
• The budget is set in a controlled manner and is soundly based on justifiable assumptions;
• Sufficient relevant, reliable information is available to budget holders, including non-financial information and forecasts of the year end position;
• Budgeted variations are analysed, investigated, explained and acted upon; and
• Information reported to the Board, or committees, is complete, appropriate, accurate, timely and clear.

Payroll
Priority: High; Days: 5; Timing: Q3
Coverage: Contract management arrangements to ensure that all of the following points are completed satisfactorily:
• Only employees of the SHA are paid and for all and only the work performed for the SHA;
• Payroll tasks are appropriately assigned to ensure efficient operations and adequate segregation of duties;
• Payroll costs and related items are accurately accounted for;
• There are procedures in place to identify overpayments and recover the overpayments in full;
• The output of payroll information is periodically reconciled to the Human Resources database;
• Information on the system is accurate;
• Relevant, timely and accurate management information on payroll costs is produced; and
• The security of payroll data is adequately maintained.

Staff Expenses
Priority: Medium; Days: 6; Timing: Q3
Coverage:
• Up to date guidance on staff expenses is available to staff;
• Documented procedure notes for the processing of expense claim forms have been produced and are in use. Procedure notes are up to date and subject to regular review;
• The expense reimbursement arrangements make use of standard claim forms that readily show the amount claimed and the reason for the expense; and
• Expense claims are correctly calculated, checked and appropriately authorized before submission for payment.

Creditors
Priority: Low; Days: 5; Timing: Q3
Coverage:
• The ordering of goods and services complies with Standing Financial Instructions and Policies. Orders are raised in respect of all goods and services required by the SHA, except those areas specifically exempted;
• Only goods and services required by the SHA are ordered;
• Orders for goods and services are placed with the most appropriate suppliers in terms of cost, quality and delivery;
• Goods and services are received and signed for by the department that ordered the goods, and the goods are in accordance with those ordered;
• Payments are properly accounted for;
• Payments are made only in respect of invoices which have been authorized and appropriately coded by the budget manager; and
• Management information is timely and adequate.

Income & Debtors
Priority: Low; Days: 4; Timing: Q3
Coverage:
• Physical security over records, stationery and income received is adequate to prevent loss or misuse;
• All potential sources of income are identified and investigated to ensure that the SHA receives the maximum income
• All income due via cash or payroll deduction is collected and accounted for promptly, properly and in full to prevent the risk of delay, loss or error;
• Debt recording, collection and write-off procedures are sufficient to ensure delays in receiving payment are minimised and loss of credit income is minimal; and
• Adequate and timely management information is generated in respect of past and future income to provide a sound basis for control and decision making.

Fixed Assets
Priority: Low; Days: 4; Timing: Q3
Coverage:
• Fixed assets are identified and accurately recorded in the asset register in accordance with current guidance;
• Assets are appropriately capitalised, in accordance with Financial Regulations / procedures;
• Capital charges including depreciation are accurately calculated and are accurately recorded in the financial ledger;
• Highly valuable items are securely tagged and responsible officers identified;
• The fixed asset system is secure against unauthorized access or data loss; and
• All fixed asset disposals, transfers and write-offs are identified, appropriately authorised and the asset register amended accordingly.

Treasury Management, Cash & Banking
Priority: Medium; Days: 5; Timing: Q3
Coverage:
• Physical security over cash, cheques and bank accounts is
• Bank and PGO accounts have been properly established and maintained in accordance with the authority's regulations and are operated in accordance with a mandate approved by the authority and notified to the bank in writing;
• Receipts are accounted for properly, promptly and in full;
• Cash book and bank account reconciliations are performed in accordance with Financial Regulations and good practice;
• Procedures for the production of cash flow forecasts have been established;
• Cash management projections are geared towards managing the outturn within available funding. The SHA has an appropriate strategy in place for addressing an anticipated shortfall in cash; and
• Arrangements for the control of cash investments have been

Operational and Governance
Procurement: Including Consultancy (4 Days) and Purchase Cards (4 Days)
Priority: High; Days: 8; Timing: Q2
Coverage:
• Up to date policies and procedures are in place;
• A clear, approved, procurement strategy has been
• Segregation of duties is maintained;
• An approved supplier catalogue has been established and is in use;
• System standing data is held securely;
• Supplier contracts are used appropriately;
• Requisitioning and ordering of items is performed with appropriate authorization;
• Receipting of items is checked and matched (where applicable) against orders and approved;
• Invoices received are checked and matched (where applicable) against orders prior to authorization and payment;
• Tendering procedures are robust and are applied.

NHS Education South Central (NESC) and
Priority: High; Days: 10; Timing: Q2
Coverage: Governance Arrangements contractual relationships/organisational chart. This audit will be scoped in full and a detailed brief will be submitted for approval well in advance of fieldwork.

Performance Management
Priority: High; Days: 12; Timing: Q2
Coverage: This audit will cover the external framework and management arrangements for performance covering:
• The arrangements for the setting of performance standards and the identification and monitoring of performance
• The arrangements for the review of performance including formal meetings, minutes of meetings, follow up of agreed actions, etc. against set performance criteria;
• The formal reporting of the performance to the Boards;
• The results of reporting including feedback and the production of action plans to address known issues; and
• The arrangements in place for the receipt, collation, verification and submission of information internally and of that provided to the SHA.

Risk Management, Governance and Assurance Framework
Priority: High; Days: 22; Timing: Q2/4
Coverage: Mid and end year review of AF, 7 days coverage of internal and 15 days external. The audit of the SHA Assurance Framework will cover:
• Roles and responsibilities;
• Objective setting;
• Key risks;
• Control/mitigation activity; and
• Sources of assurance.
The external review will cover the collation, monitoring and reporting of the Assurance Framework and other governance submissions by NHS bodies within the local health economy.

Emergency Planning
Priority: Med; Days: 3; Timing: Q2
Coverage: Emergency Planning. This audit will be scoped in full and a detailed brief will be submitted for approval well in advance of fieldwork.

Information Technology
Priority: High; Days: 18; Timing: To be arranged

Follow-up of Recommendations
Days: 5; Timing: Q2

Contingency
Days: 6

Management
Days: 12

APPENDIX B


The Assurance Framework provides organisations with a simple but comprehensive method for the effective and focused management of
the principal risks to meeting their objectives. It also provides a structure for the evidence to support the Statement on Internal Control.
This simplifies Board reporting and the prioritisation of action plans, which, in turn, allow for more effective performance management.

• Principal Objectives: Strategic and Directorate Level
• Principal Risks
• Key Controls
• Assurances on Controls: Management checks, Internal Audit, Clinical Audit, Commission for Health Improvement, External Audit, Local Counter Fraud Services, NHS Litigation Authority, other reviews
• Board Reports: positive assurances; gaps in control; gaps in assurance
• Board Action Plan: To improve control, ensure delivery of principal objectives, gain assurance


Principal Objectives

The first step in preparing an assurance framework is for the Board to identify its organisation's objectives, clinical, financial and generic. It
is necessary for Boards to focus on those that are crucial to the achievement of its overall goals and these are defined as the principal
objectives. These incorporate those at the strategic and directorate (or equivalent) level.

Principal Risks

Principal risks are defined as those that threaten the achievement of the organisation's principal objectives. It is essential that boards
understand that they need to manage potential principal risks, rather than reacting to the consequences of risk exposure.

Key Controls

Organisations should ensure that they have key controls in place which are designed to manage their principal risks. Controls should be
documented and their design subject to scrutiny by independent reviewers, which include internal auditors, in conjunction with clinicians
and other specialists where necessary, Healthcare Commission and external audit. The key controls should be mapped to the principal
risks. When assessments are made about controls, consideration must be given not only to the design but also the likelihood of them
being effective in light of the governance and risk management framework within which they will operate - even the best controls can fail if
staff are not adequately trained.

Assurances and co-ordination

One of the key challenges for Boards is to implement a system to gain assurances about the effectiveness of the operation of the controls
they have in place to manage their principal risks. They not only need to ensure they have the right level of assurance but they need to
make use, wherever possible, of the work of the many external reviewers and ensure the whole process is efficient.

A system that provides good co-ordination and evaluation of the work of the auditors, inspectors and reviewers will bring increased
benefits to both the organisation and the review bodies. It will help minimise the burden on the organisation by reducing overlap and allow
potential gaps in assurance to be identified and addressed.
