Human Tissue Authority · 2014. 11. 12. · Human Tissue Authority 151 Buckingham Palace Road...

Human Tissue Authority

151 Buckingham Palace Road

London

SW1W 9SZ

Tel

Web www.hta.gov.uk

Date 13 June 2014

By email

Dear

Freedom of Information request

Thank you for your request for information dated 24 April 2014, which we received as follows:

I am writing to request information that sets out internal audit’s role in your organisation’s governance, which will assist me with I have checked your website but not been able to locate all of what I am looking for. Please would you send through to me any information on or electronic copies of the following:

Internal audit’s role within your governance framework or framework document

Your internal audit team’s Charter

Internal Audit plans and assignment coverage from 2010 to date

Internal Audit plans and assignment coverage for 2014-15

Reports from the Internal Audit team to the Audit Committee or management on internal audit’s role or work undertaken

Internal Audit opinion statements or governance statements/ Statements of Internal Control from 2010 to date

Your audit committee’s terms of reference

Response

The HTA is an Arms Length Body (ALB) of the Department of Health. As an ALB we are required to utilise the Department of Health’s Internal Audit Group Framework.

Our Internal Auditors are appointed by the Department of Health and therefore are not employed by the HTA.

Internal Audit’s role is to review and evaluate the risk management, control and governance arrangements that the HTA has in place to:

• establish and monitor the achievement of the HTA’s objectives

• identify, assess and manage the risks to achieving the HTA’s objectives

• ensure the economical, effective and efficient use of resources

• ensure compliance with established policies, procedures, laws and regulations, including the HTA’s governance arrangements

• safeguard HTA’s assets and interests from losses of all kinds, including those arising from fraud, irregularity or corruption

• ensure the integrity and reliability of information, accounts and data.

You clarified that you do not require full audit reports. The attached files contain the information you asked for, except Annual Governance Statements (originally Statements on Internal Control) which can be found on our website at this link http://www.hta.gov.uk/publications/annualreviewsandreports.cfm.

The documents are provided for your information – you will see that some of the documents include statements that their content cannot be relied upon by others, for assurance purposes.

If you are unhappy with the way the HTA has handled your request for information in this case, you may in the first instance ask us for an internal review by writing to us at the above postal or email address.

If you remain dissatisfied with the handling of your request or complaint, you have the right to appeal directly to the Information Commissioner for a decision, at the address below:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Telephone: 08456 30 60 60

or 01625 54 57 45

Website: www.ico.gov.uk

There is no charge for making an appeal.

Yours sincerely

(AUD 43-11)

Human Tissue Authority

Internal Audit Plan 2011-12

June 2011

Final Draft (for Audit Committee meeting)

Preparation

GT prepared by: xxxxxxxxx

GT reviewed by: xxxxxxxxx

GT sign off: xxxxxxxxx

Client Review and Approval Timetable

Draft Plan issued: 20 May 2011

Discussed with College Management: 24 May 2011

Presented to Audit Committee:

Final Management feedback received:

Final Plan issued:

© 2014 Grant Thornton UK LLP. All rights reserved

Contents

1 Internal Audit Approach

2 Proposed Resources and Outputs

Appendices

A Key themes raised in planning discussions

B Annual Internal Audit Plan 2011-12

1 Internal Audit Approach

1.1 Internal Audit at the Human Tissue Authority

Grant Thornton LLP UK has been asked to provide internal audit services to the Human Tissue Authority (HTA) for the period 1 April 2011 to 31 March 2012.

1.2 Basis for the Internal Audit service

We propose that the internal audit service should be delivered via the service level agreement that is being established between the Department of Health Internal Audit (DHIA) and the Department’s Arm’s Length Bodies. The agreement will enable HTA to commission, via DHIA’s co-source contract with Grant Thornton UK LLP, this firm to provide internal audit services.

1.3 Our role and approach to the Internal Audit of HTA

Our role as internal auditor is to provide objective and independent assurance to the Authority and the Chief Executive, as Accounting Officer, on risk management, control and governance arrangements, by measuring and evaluating the effectiveness of the HTA's arrangements to achieve its agreed objectives.

Our audit approach:

aims to provide objective and independent assurance to the Authority and the Chief Executive that the HTA is successfully identifying, assessing and managing risks that are significant to the achievement of the HTA’s overall strategic aims

focuses on helping the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the adequacy and effectiveness of its risk management, control and governance processes

complies with professional practice, including Government Internal Audit Standards (February 2011) and the Institute of Internal Auditors’ guidance on risk-based internal auditing (December 2005).

For each of the key business risks it faces, the HTA should have in place controls and activities to address those risks. Our approach is therefore to identify those business risks and associated controls and activities, evaluate their effectiveness and confirm their operation.

1.4 Internal Audit planning 2011-12

The planning process

To the extent that it is relevant and appropriate, our approach is to base the internal audit plan upon the HTA’s identification of strategic risk. The HTA’s own risk assessments provide a starting point for developing our 2011-12 Plan. However, it was important that we tested its completeness because of the emerging impact of:

the continued economic downturn and its impact on funding streams

the continuing transition programme. This is particularly relevant given that potential changes to the Health and Social Care Bill may impact on which bodies ultimately take responsibility for the functions that are currently undertaken by HTA.

We have obtained an up to date understanding by:

holding planning meetings with members of the Senior Management Team and a discussion with the Chair of the Audit Committee to understand their views on key risks facing the HTA

considering our knowledge of other emerging sector issues

analysing legislative, funding and audit regime changes.

Having collated a list of key risk areas for the HTA, we have prioritised using the following criteria:

provide an appropriate balance of assurance and advisory work

balance coverage across core business risks and financial risks, focusing on areas where change has taken place or is planned

account for uncertainty over timescales around the Public Bodies Bill and the Health and Social Care Bill and impact on appropriate internal audit work, recognising that the timing of internal audit work may need to be altered or deferred during the year.

Planning outcomes

Inevitably, our planning work has identified a broad spectrum of issues and challenges facing the HTA. We explain below how the information gathered has been used to derive our proposals for the 2011-12 Plan:

Appendix A summarises the outcomes of our consultation with the Senior Management Team. It also incorporates information gathered from other sources (e.g. risk register, etc) to develop an overall map of the assurance needs of the HTA.

Appendix B outlines our proposed Plan for 2011-12, including the indicative resources and how our work will inform our annual opinions on risk management, control and governance.

Based upon our experience elsewhere in the sector, we confirm that an audit plan of around 30 days per annum is in line with that adopted by other similar Arms Length Bodies (ALB). We have prepared our plan on this basis.

Senior Management team and Audit Committee are invited to consider:

whether a plan of 30 days remains appropriate to meet its current assurance needs

whether it agrees our proposed options for business risk reviews (Appendix A)

how the HTA wishes those options to be prioritised

the balance between high-level assurance and more detailed improvement support required in each of the areas.

1.5 Planning for individual reviews

The scope and nature of every piece of work included in the annual Plan at Appendix B will be agreed with the nominated lead member of the Senior Management Team before the start of the fieldwork, and summarised in an Audit Planning Brief that will be issued to all those involved in the audit.

It is difficult, at this stage, to be precise about the number of days likely to be required for each review. For this reason, budget allocations at Appendix B should be regarded as a provisional indication. When we scope each review, we will reconsider our estimates of the inputs required to achieve the objectives established for the work and to complete it to a satisfactory standard.

1.6 Changes to the Annual Internal Audit Plan

In line with good practice, we will keep the internal audit plan under review during the year and will revise it to take account of significant areas of emerging risk that management, the Authority or we identify during the period. Changes to the Plan will be discussed with the Chief Executive, the Director of Resources and the Audit Committee, and approved by the Audit Committee (or the Chair of the Audit Committee if approval is required between meetings).

2 Proposed Resources and Outputs

2.1 Resources

We estimate that the input days necessary for 2011-12 would be as follows:

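| Grade | Daily rates 2011-12 (£) | Proposed 2011-12: Days | Proposed 2011-12: percentage |
|---|---|---|---|
| Partner | 1,440 | 1.0 | 3.0 |
| Senior Manager | 855 | 2.5 | 8.0 |
| Manager | 765 | 10.0 | 34.0 |
| Lead Auditor | 450 | 5.0 | 17.0 |
| Associate | 382 | 11.5 | 38.0 |
| Total | | 30.0 | 100.0 |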

The table also confirms our fee rates, which are as set out in our proposal (April 11). On the basis of the staff mix illustrated above, the total fee for 2011-12 for this resource envelope of 30 days will be £17,870. Our fees quoted exclude VAT and expenses. We will cap our expenses at £1,500 per annum.

Any additional work we might be requested to undertake during the audit cycle will be discussed with the Chief Executive and Director of Resources and an appropriate fee agreed, prior to the start of any work.

2.1 Our team

The key members of our team are outlined below:

| Name | Role | Contact Details |
|---|---|---|
| xxxxxxxxx | Partner - Business Risk Services | xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxx |
| xxxxxxxxx | Senior Manager - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx |
| xxxxxxxxx | Manager - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx |

2.2 Timing of visits

We will endeavour to undertake our reviews in 2011-12 in two visits, phased to ensure balanced presence throughout the year and a balanced provision of reports to the Audit Committee. Dependent on the nature of the review however, it may be necessary to undertake certain assignments at times that do not align with our main visits.

Based on our draft proposals for the internal audit plan 2011-12, we outline indicative timing below.

| Reviews | Timing |
|---|---|
| Regulatory arrangements; Fee Generation; Core Financial Controls | June - August 11 |
| Risk Workshops (HTA Transition); Major Incident Reporting | Jan – March 12 |

Following feedback from management and the Audit Committee to confirm priorities for the Plan, we will meet with senior management to agree the sponsor for and timing of each review.

2.3 Reporting to the Audit Committee

Our Internal Audit Plan for 2011-12 will be presented to the Audit Committee in June 11.

Our internal audit reports summarising the results of our visits for 2011-12 will be presented to the appropriate Audit Committee meetings.

Following completion of the internal audit work for 2011-12 we will produce an Annual Report summarising our key findings and evaluating our performance in accordance with agreed service requirements.

Grant Thornton UK LLP

June 2011

A Key themes raised in planning discussions

Areas proposed for review in 2011-12

External drivers

Public Bodies Bill and HTA Transition

Context

The new coalition government undertook a significant review of Arm’s Length Bodies (ALBs) and is progressing with the Public Bodies Bill to enact the changes resulting from the review of ALBs.

This review included coverage of HTA and the functions it performs, concluding that:

HTA’s functions should be transferred to other existing bodies (e.g. Care Quality Commission and the Health and Social Care Information Centre (HSCIC)) or other ALBs being created under the Health transition; and

HTA should cease to exist as a standalone entity.

At the third reading of the Bill on 9 May 2011 it was agreed that the HTA’s functions would not be separated and all functions (with regulation related to research to be reviewed) would be handed over to one successor in their entirety.

Due to the progress of legislation and implementation, there is a possibility that the transition of HTA’s functions may not begin in 2013.

The Bill stipulates that the HTA will retain its current remit until this transfer takes place. The HTA will maintain its existing role and remit in the interim and for a period longer than initially envisaged.

The HTA is part of a formal project that has been initiated in conjunction with the Care Quality Commission and the Human Embryology and Fertility Authority (HEFA) to identify synergies to streamline activities and ensure the transition is managed in an effective way. Other bodies may also be drawn to support the project, for example subject to decisions on which body will take over responsibility for the HTA’s current role to oversee research regulation.

Approach to internal audit work

Given that HTA’s transition programme remains at an early stage, our work as part of the 2011-12 internal audit programme will primarily take the form of advisory support. This support will take the form of a risk workshop to assist the Senior Management Team and the Authority in identifying the key risks associated with transition, and will bring our experience of how other organisations have dealt with similar risks. We will draw on our experience within the ALB sector and the wider public and private sector.

As the transition programme progresses during 2012-13, our work will take more of an assurance focus around HTA’s own transition arrangements and how HTA engages with the broader transition project to ensure its key risks are being adequately managed. This will be considered as part of the 2012-13 planning process.

Internal drivers

Regulatory arrangements

Context

The HTA regulates organisations (clinics etc) that frequently fall under the remit of more than one regulator and are therefore likely to be subject to several inspection regimes.

In line with the principles of good regulation (proportionate, accountable, consistent, transparent, targeted) the HTA is committed to continuously improving, and achieving efficiencies with regard to its own methods of regulation, but is also keen to consider the impact of its regulatory requirements on establishments that are required to adhere to a number of inspection regimes.

The HTA last undertook an internal “light touch” review of its regulatory framework at the end of 2010-11 and as a result a number of Standard Operating Procedures (SOPs) were refined, developed and implemented.

Management plans to integrate aspects of the regulatory process into the HTA’s overall key performance indicator framework to ensure that performance overview of this key area of activity and other areas is undertaken in an integrated way.

HTA expects to undertake a more in-depth review of its approach to regulation in advance of the transition of its functions to a successor body. The existing regulatory approach is modelled on that followed by HFEA. Management is keen on an independent review that assesses the existing approach to regulation against broader good practice and makes practical recommendations for improvement.

HTA recognises “Inability to carry out its statutory remit” as a significant risk in the strategic risk register.

Approach to internal audit work

During our assurance and advisory review we will:

Conduct a walk-through of the current regulatory process to provide assurance this is sufficiently robust

Interview a sample of regulated establishments to obtain their views on how well HTA inspections integrate with the rest of the regulatory landscape

Share best practice in relation to how other regulators undertake such activity with a view to identifying learning opportunities.

Our work will be planned so that it is completed before September 11 to enable the findings to be incorporated into the forward work plan for the 3rd Quarter of 2011-12.

Fee Generation and recognition

Context

HTA has a new system whereby licence fees will be raised via the ‘Great Plains’ CRM system. Management is seeking assurance that the new process is effective in raising accurate and timely licence fees and that the CRM system’s interface with the finance system is effective.

Approach to internal audit work

We will carry out an assurance review of the arrangements in place relating to the recording and recognition of due fees on the CRM system, the raising of fee notices and the interface of the CRM system with the finance system. Particularly, as part of scoping our work, we will discuss and agree with the National Audit Office an approach so that they can place reliance on our work (to the extent it is relevant).

Core financial controls

Context

Following the 2010-11 external audit of the HTA, conducted by the National Audit Office (NAO) in May 2011, the HTA will be issued with a management letter, highlighting any issues that need to be considered by HTA (although there are not expected to be any significant issues). In carrying out the 2011-12 external audit, the NAO will also be, where appropriate, seeking to place reliance on internal audit work.

Approach to internal audit work

We will discuss with management key financial risks as part of our scoping process and will agree a prioritised risk area for coverage as part of this review.

Major incident management

Context

The occurrence of a major incident in any of the establishments that are regulated and licensed by HTA could result in considerable reputational impact. This is recognised as a strategic risk (risk reference 3) in HTA’s risk register as follows: “Inability to manage an actual or potential major event, such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA (underpins delivery of all strategic objectives)”.

The HTA has in place a major incident protocol. Management is aware that its practical application has not been recently tested (due to absence of any major incidents) and is keen for an independent review to assess whether the framework itself could be further improved.

Approach to internal audit work

We will review the design of the HTA’s major incident protocol and management arrangements. This review will have both an assurance and advisory focus, sharing our knowledge of best practice from other regulators.

Summary of areas proposed for review in 2012-13

Review of project management and governance arrangements in relation to transition

Review of CRM protocols, usage and data quality

Review of arrangements for organisational knowledge capture

Review of assurance framework

B Annual Internal Audit Plan 2011-12

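| No | Audit Area | SMT Sponsor | Indicative days 2011-12 | Supports opinion on: Governance | Supports opinion on: Risk Management | Supports opinion on: Internal Control |
|---|---|---|---|---|---|---|
| 1 | Transition Workshop | Chief Executive/Director of Resources | 4 | | | |
| 2 | Regulatory arrangements | xxxxxxxx/xxxxxx | 10 | | | |
| 3 | Fee Generation | Director of Resources | 4 | | | |
| 4 | Core Financial Controls | | 2 | | | |
| 5 | Major Incident Reporting | TBC | 3 | | | |
| | Follow Up | | 2 | | | |
| | Sub total | | 25 | | | |
| | Audit Management (Audit strategy, planning and liaison, Audit Committee, etc) | | 5 | | | |
| | Totals | | 30 | | | |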

www.grant-thornton.co.uk

"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership.

Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication

(AUD 73-12)

Human Tissue Authority

Internal Audit Plan 2012-13

June 2012

Draft

Preparation

GT prepared by: xxxxxxxxxxx

GT reviewed by: xxxxxxxxxxx

GT sign off: xxxxxxxxxxx

Client Review and Approval Timetable

Draft Plan issued: 4 May 2012

Discussed with Management: 17 May 2012

Presented to Audit Committee: 6 June 2012

Final Plan issued: 9 July 2012

Contents

1 Internal Audit Approach

2 Proposed Resources and Outputs

Appendices

A Key themes raised in planning discussions

B Possible areas for internal audit coverage

C Annual Internal Audit Plan 2012-13

1 Internal Audit Approach

1.1 Internal Audit at the Human Tissue Authority

Grant Thornton LLP UK has been asked to provide internal audit services to the Human Tissue Authority (HTA) for the period 1 April 2012 to 31 March 2013.

1.2 Basis for the Internal Audit service

As in 2011-12, the internal audit service will be delivered via the service level agreement established between the Department of Health Internal Audit (DHIA) and HTA. This enables HTA to commission, via DHIA’s co-source contract with Grant Thornton UK LLP, this firm to provide internal audit services.

1.3 Our role and approach to the Internal Audit of HTA

Our role as internal auditor is to provide objective and independent assurance to the Authority and the Chief Executive, as Accounting Officer, on risk management, control and governance arrangements, by measuring and evaluating the effectiveness of the HTA's arrangements to achieve its agreed objectives.

Our audit approach:

aims to provide objective and independent assurance to the Authority and the Chief Executive that the HTA is successfully identifying, assessing and managing risks that are significant to the achievement of the HTA’s overall strategic aims

focuses on helping the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the adequacy and effectiveness of its risk management, control and governance processes

complies with professional practice, including Government Internal Audit Standards (February 2011) and the Institute of Internal Auditors’ guidance on risk-based internal auditing (December 2005).

For each of the key business risks it faces, the HTA should have in place controls and activities to address those risks. Our approach is therefore to identify those business risks and associated controls and activities, evaluate their effectiveness and confirm their operation.

1.4 Internal Audit planning 2012-13

The planning process

To the extent that it is relevant and appropriate, our approach is to base the internal audit plan upon the HTA’s own identification of strategic risk. The HTA’s risk assessments have therefore provided a starting point for developing our 2012-13 Plan, and we have also had regard to the emerging impact of:

the continued economic downturn

the continuing transition programme which remains particularly relevant given the impact which the potential changes from the Health and Social Care Act may have on which bodies ultimately take responsibility for the HTA's current functions.

We have obtained an up to date understanding by:

holding planning meetings with members of the Senior Management Team to understand their views on key risks facing the HTA

considering our knowledge of other emerging sector issues

analysing legislative, funding and audit regime changes.

On the basis of this analysis we have collated a list of key risk areas for the HTA, which we have prioritised using the following criteria:

provide an appropriate balance of assurance and advisory work

balance coverage across core business risks and financial risks, focusing on areas where change has taken place or is planned

account for uncertainty over timescales following the Public Bodies Act and impact on appropriate internal audit work, recognising that the timing of internal audit work may need to be altered or deferred during the year.

Planning outcomes

Inevitably, our planning work has identified a broad range of issues and challenges facing the HTA. We explain below how the information gathered has been used to derive our proposals for the 2012-13 Plan:

Appendix A summarises the outcomes of our consultation with the Senior Management Team. It also incorporates information gathered from other sources (e.g. risk register, etc) to develop an overall map of the assurance needs of the HTA.

Appendix B outlines the recommended reviews for inclusion in the 2012-13 Plan, the indicative resources required to deliver them, and how our work will inform our annual opinions on risk management, control and governance.

We invite the Audit Committee to confirm the reviews it considers should be included in the 2012-13 Plan (Appendix B). For reference, in 2011-12 we delivered a 30 day internal audit plan, which was in line with that adopted by other similar Arms Length Bodies (ALB).

The Audit Committee are invited to consider:

that the correct options for business risk reviews (Appendix A) are included in the 2012-13 Plan (Appendix B)

whether a plan of 30 days remains appropriate to meet its current assurance needs (indicative days for the proposed options are set out at Appendix B)

the balance between high-level assurance and more detailed improvement support required in each of the areas.

1.5 Planning for individual reviews

The scope and nature of every piece of work included in the annual Plan at Appendix B will be agreed with the nominated lead member of the Senior Management Team before the start of the fieldwork, and summarised in an Audit Planning Brief that will be issued to all those involved in the audit.


It is difficult, at this stage, to be precise about the number of days likely to be required for each review. When we scope each review, we will reconsider our estimates of the inputs required to achieve the objectives established for the work and to complete it to a satisfactory standard, and agree the detailed budget with the nominated lead. Variations from the proposed Plan will be reported to the Audit Committee for consideration and approval.

1.6 Changes to the Annual Internal Audit Plan

In line with good practice, we will keep the Internal Audit Plan under review during the year and will revise it to take account of significant areas of emerging risk that management, the Authority or we identify during the period. Changes to the Plan will be discussed with the Chief Executive, the Director of Resources and the Audit Committee, and approved by the Audit Committee, or the Chair of the Audit Committee if approval is required between meetings.


2 Proposed Resources and Outputs

2.1 Resources

Our daily fee rate for 2012-13, based on the staff mix set out in our original proposal, is as follows:

| Grade | Daily rates 2012-13 (£) | Proposed 2012-13 Staff Days | Annual Fee |
|---|---|---|---|
| Partner | 1,370 | 1.0 | 1,370 |
| Director | 1,190 | 3.0 | 3,570 |
| Manager | 730 | 8.0 | 5,840 |
| Lead Auditor | 425 | 9.5 | 4,030 |
| Associate | 360 | 8.5 | 3,060 |
| Total | | 30.0 | 17,870 |

The daily rates reflect the rates applicable through the DH contract. Our total proposed fee for 2012-13 is £17,870, which is the same level as the previous financial period. Our fees quoted exclude VAT and expenses. We will cap our expenses at £1,500 per annum.

Any additional work to this plan shall be discussed and an appropriate fee agreed in the first instance with the Chief Executive and Director of Resources.

2.1 Our team

The key members of our team are outlined below:

| Name | Role | Contact Details |
|---|---|---|
| xxxxxxxxxxxx | Partner - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| xxxxxxxxxxxx | Director - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| xxxxxxxxxxxx | Manager - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| xxxxxxxxxxxx | Executive - Business Risk Services | xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |

2.2 Timing of visits

We undertook a planning session with the senior management team in May 2012 that determined the detailed scope and timing of all the agreed reviews in the audit plan. From these planning discussions, we envisage undertaking our first visit in July 2012.


2.3 Reporting to the Audit Committee

Our Internal Audit Plan for 2012-13 was presented to the Audit Committee at its meeting in June 2012.

Our internal audit reports summarising the results of our visits for 2012-13 shall be presented to the appropriate Audit Committee meetings.

Following completion of the internal audit work for 2012-13 we shall produce an Annual Report summarising our key findings and evaluating our performance in accordance with agreed service requirements.

Grant Thornton UK LLP

July 2012


A Key themes raised in planning discussions

Areas proposed for review in 2012-13

External drivers

Public Bodies Act and HTA Transition

Context

Under the Public Bodies Act, the coalition government will streamline the number of public bodies in the UK. Following the enactment of the Public Bodies Act in February 2012, a consultation is planned to determine the future of HTA functions.

It is anticipated that the consultation will lead to the functions of HTA being transferred to one or more existing bodies. HTA has proposed that all its functions should be transferred to the same body as the research function is seen as integral to regulatory activity. We understand that the transfer of all HTA functions to one body is Government’s preferred position too.

It is anticipated that the consultation will take place in 2012-13, with the transfer taking effect at some point towards the end of 2014-15.

Our 2011-12 Internal Audit work included a risk facilitation workshop to support SMT in identifying possible risks associated with transition. We have agreed that our 2012-13 work will build on this, concentrating on actions identified to mitigate risks arising from the agreed transition.

Approach to internal audit work

Our internal audit work will focus on actions to mitigate risks associated with the transition option agreed by the coalition government. The form of this work will be agreed in detailed scoping; however, a possible option discussed at initial planning discussions is an assurance piece, evaluating the process undertaken to identify mitigating actions and action taken.


Internal drivers

Corporate Governance

Context

Decisions made by the HTA are open to a significant degree of public scrutiny. The senior management team is aware of the need to demonstrate that decisions are transparent, consistent and that individuals are held appropriately accountable. The HTA has an established governance structure, including a scheme of delegation that outlines the authority and accountability for decision making.

The senior management team identified that it would be valuable to review the scheme of delegation in order to ensure there is clarity as to where and at what level decisions sit within the organisation with regards to fulfilling its statutory role and remit. This is driven in part by the recognition that the transition will result in decisions of a nature and scale that were not anticipated when the current scheme of delegation was designed.

Mapping existing arrangements will provide assurance on the suitability of arrangements for business as usual decisions, and enable an evaluation to be made as to what changes may be required to support effective decision making during the transition period.

Approach to internal audit work

Our review will aim to build up a picture of the HTA's scheme of delegation. This will consist of an assurance element involving:

a desk based review of key Authority papers and SMT papers to identify which decisions are currently being made where;

workshops to identify the senior management team's and Authority's perceptions of where key organisational decisions sit; and

analysis of any discrepancy between the actual and perceived scheme of delegation to understand whether this presents opportunity or risk to effective decision making.

And an advisory element to:

evaluate the extent to which the scheme of delegation may be applicable to the transition process; and

outline, based on our experience of other regulatory bodies experiencing transition, good practice that may be applicable to HTA.

Staff Retention

Context

Due to the relatively small size of HTA, the importance of relationships with key stakeholders, and the specialised nature of its work, significant staff turnover may critically impact day to day operations.

The senior management team recognise that continued uncertainty about job security as a result of the transition may be causing staff to consider alternative options (where available).

The senior management team have established a range of measures to mitigate this risk, including facilitating contingency planning where needed. Exit interviews are also used to understand the motivation behind employees that leave.


Approach to internal audit work

Our assurance and advisory review shall:

evaluate the existing staff retention and contingency planning arrangements;

draw on our experience of good practice at other organisations with a view to identifying learning opportunities; and

test the range of measures being undertaken, assess their coherence with each other and comment on (potentially informed by stakeholder feedback) which measures are perceived to be more effective and which are less so.

Possible additional areas for review

Independent Assessors

Context

HTA has an established team of 140 independent assessors who assess living donor cases on its behalf. The assessors, many of whom are in full time employment, work on a voluntary basis. HTA provides initial training, methodology and quality assurance. Due to the remote nature of assessment work and the varied background of the assessors, HTA’s assessment methodology and quality controls are critical to ensuring the consistency and quality of outputs.

Inevitably, significant reliance is placed on assessor judgements. This is illustrated by the current escalation structure, whereby only assessments that identify weaknesses are subject to quality review by more senior peers. This means where an assessor’s work does not identify any issues, it will not be subject to a full review by other HTA staff.

Approach to internal audit work

During our assurance and advisory review we would:

consider arrangements to ensure that assessors are appropriately qualified, experienced and trained;

conduct a walk-through of the current quality assurance process to provide assurance this is sufficiently robust;

perform a sample of ‘cold’ file reviews to confirm that methodology is being applied consistently and conclusions are appropriately evidenced; and

share best practice in relation to how other organisations undertake such activity with a view to identifying learning opportunities.

IT Security

Context

HTA has an IT security framework, including firewalls to protect the network from external attack. SMT is satisfied that the control structure is appropriate; however, the system has not yet been subjected to live testing. There are currently no known instances of actual security threats (i.e. hacking attempts etc.) that have tested current arrangements.

Approach to internal audit work

Our assurance review would:

provide assurance from our specialist Technology Risk Services team on the design of the security framework; and

carry out live penetration testing to confirm the operation of the controls.

Information Assurance


Context

Due to the sensitive nature of the activity that the HTA regulates, it is often the subject of Freedom of Information requests.

A data security framework is in place and all staff receive training to enable them to apply it. Nevertheless, given the potential reputational risk arising from breach of the policy, SMT has asked for external assurance that the processes are designed and operating effectively.

Approach to internal audit work

Our assurance and advisory review would:

evaluate the existing data security framework;

undertake sample testing to confirm that it is operating consistently across the organisation; and

draw on our experience of good practice at other organisations with a view to identifying learning opportunities.


B Assurance Themes

This section provides details of:

Assurance reviews 2011-12: detailing reviews and reports provided to management and the Audit Committee during the reporting periods 2011-12;

Emerging risks 2012-13: risks identified from planning discussions with management, document review and other planning work; and

Core assurance areas: which are areas that management and the Audit Committee might reasonably expect to receive assurance over in a 5-7 year period.

Assurance Reviews 2011-12 Emerging risks 2012-13 Core assurance areas

Risk management

Transition workshops Transition Arrangements Risk management

Governance

Regulatory Arrangements

Corporate Governance (assurance)

Corporate Governance (advisory)

Freedom of information/ data protection

Policy and stakeholder governance

Strategic Management

Internal Control

Business risk reviews

Major Incident Reporting

Staff retention Stakeholder relationships

Communications

Compliance with policies/ procedures

Environmental policy

Human Resources

Learning and Development

Management Information

Information Assurance

Estates/ facilities

Diversity/equal ops

Independent Assessors

Health and Safety

IS/IT

IT Strategy

IT Controls

Data security

Business Continuity

IT project management

Core financials

Purchasing

Licence Fee Income

Transition Management Internal Financial Control

Procurement

Payroll

Financial regulations

Cash flow and treasury management

Anti-fraud and corruption

Financial Planning


C Annual Internal Audit Plan 2012-13

Our internal audit proposal (April 2011) agreed a resource envelope of 30 days per annum. We outline below the proposed areas for internal audit review in 2012-13, based on our planning work. Given the profile of risks facing HTA, we propose to perform fewer, more in-depth reviews coupled with a significant advisory element.

Guideline indicative days are given; however, actual budgets will be agreed with SMT and Audit Committee at detailed planning. Following discussion with SMT, it was identified that the NAO have not raised any recommendations in relation to financial control and SMT do not have any significant concerns at this time. As a result, we shall consider financial control as part of our work on transition arrangements and follow up.

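| No | Audit Area | Indicative days 2012-13 | Supports opinion on: Governance | Supports opinion on: Risk Management | Supports opinion on: Internal Control |
|---|---|---|---|---|---|
| | Corporate Governance (assurance) | 3 | | | |
| | Corporate Governance (advisory) | 6 | | | |
| | Transition Arrangements | 5 | | | |
| | Staff Retention | 8 | | | |
| | Follow up | 3 | | | |
| | Total days | 25 | | | |
| | Account management | 5 | | | |
| | Total days | 30 | | | |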


www.grant-thornton.co.uk

© 2014 Grant Thornton UK LLP. All rights reserved.

"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership.

Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.


HUMAN TISSUE AUTHORITY Updated Strategy for Internal Audit 2008/09 – 2010/11

For presentation at the Audit Committee meeting of 6th May 2010

Approved by xxxxxxxx as Head of Internal Audit


Human Tissue Authority Strategy for Internal Audit

CONTENTS

1 Introduction

2 Developing your Strategy for Internal Audit

3 Internal Audit Resources

4 Considerations required of the Audit Committee

Appendices

A Risk Maturity Matrix

B Detailed Internal Audit Plan 2010/11

C Updated Strategy for Internal Audit: 2008/09 – 2010/11

This report is prepared solely for the use of Board and senior management of Human Tissue Authority. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.

© 2010 RSM Tenon Limited

RSM Tenon Limited is a member of RSM Tenon Group. RSM Tenon Limited is an independent member firm of RSM International, an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office: 66 Chiltern Street, London W1U 4GB, England.


Human Tissue Authority Strategy for Internal Audit 2008/09 – 2010/11


1 INTRODUCTION

1.1 THE PURPOSE OF INTERNAL AUDIT

The purpose of internal audit is to provide the Board, through the Audit Committee, with an independent and objective opinion on risk management, control and governance and their effectiveness in achieving the organisation’s agreed objectives. This opinion forms part of the framework of assurances that the Board receives and should be used to help inform the annual Statement on Internal Control. Internal Audit also has an independent and objective consultancy role to help line managers improve risk management, governance and control.

Our strategy for 2008/2011 was approved by the Audit Committee on the 20th May 2008. The purpose of this document is to update that strategy and to provide a more detailed internal audit plan for 2010/11.

1.2 OUR RESPONSIBILITIES

Our professional responsibilities as internal auditors are set out in the International Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA).

HM Treasury’s Government Internal Audit Standards (GIAS) are closely linked to the IIA’s Standards, with some additional requirements specific to government departments and agencies.

In line with these requirements, we perform our internal audit work with a view to reviewing and evaluating the risk management, control and governance arrangements that the organisation has in place, in particular to how those elements contribute to how the organisation will achieve its objectives.

Figure 1: The Assurance Cycle


2 THE UPDATED INTERNAL AUDIT PLAN

2.1 HOW THE STRATEGY WAS DEVELOPED

In 2008/09 we undertook a review of the organisation’s risk maturity and concluded that the HTA is a risk defined organisation. In 2009/10 a follow up review of the recommendations raised in the Risk Maturity review confirmed that reasonable progress had been made by management in strengthening the Authority’s risk management framework. We are therefore able to place reliance on your risk registers / assurance framework to inform the update of the internal audit strategy (see the Risk Maturity Matrix at Appendix A). In 2010/11 an assurance stocktake is proposed, building on the previous risk maturity audits, to review the effectiveness of the arrangements for mapping assurances.

We will continually liaise with management and review the areas for internal audit coverage and timing, and amend the strategy as appropriate to ensure that assurance provided by internal audit remains relevant as the risks facing the organisation change. Any changes made to the strategy will be discussed with our key contacts and will be taken to the Audit Committee for approval.

3 INTERNAL AUDIT RESOURCES

3.1 YOUR INTERNAL AUDIT TEAM

Your internal audit team is led by xxxxxxxx, HIA, supported by xxxxxxxxx, Associate Director.

Your Client Manager is xxxxxxxxx.

We are not aware of any relationships that may affect the independence and objectivity of the team, and which are required to be disclosed under auditing standards.

3.2 INTERNAL AUDIT FEES

In line with our tender and subsequent engagement letter, the fee for your internal audit service for 2010/11, based on an individual daily rate, is £19,578. The following skills mix will be utilised:

| Grade of IA Staff | Proportion |
|---|---|
| HIA / Director | 6% |
| Client Manager | 15% |
| Assistant Manager / Senior Auditor | 33% |
| Auditor | 33% |
| ISA Specialist | 13% |


4 CONSIDERATIONS REQUIRED OF THE AUDIT COMMITTEE

Does the detailed internal audit plan for the coming financial year (see Appendix B) reflect the areas that the Audit Committee believe should be covered as priority?

Does the updated Strategy for Internal Audit (as set out at Appendix C) cover the organisation’s key risks as they are recognised by the Audit Committee?

Does the audit strategy include all those areas that the Audit Committee would expect to be subject to internal audit coverage, both in terms of our professional responsibilities as well as covering areas of concern flagged by management?

Is the level of audit resource accepted by the Committee and agreed as appropriate, given the level of assurance required?

RSM Tenon April 2010


APPENDIX A: RISK MATURITY MATRIX

| Risk Maturity | Characteristics of your risk management arrangements | RSM Tenon’s Internal Audit Approach |
|---|---|---|
| Risk Naïve | No formal approach developed for risk management | Promote risk management, advisory work to help put the risk management framework in place. Rely on internal audit’s assessment of risk to drive the internal audit plan. |
| Risk Aware | Scattered silo based approach to risk management | Promote embedded and joined up risk management activities. Rely on internal audit’s assessment of risk to drive the internal audit plan. |
| Risk Defined | Strategy and policies in place and communicated. Risk appetite defined | Facilitate risk management/liaise with risk management. Review of risk management processes already in place. Internal Audit rely on your assessment of risk, but will also identify other risk areas for internal audit coverage. |
| Risk Managed | Enterprise wide approach to risk management developed and communicated. Risk management is considered at the highest level of the business, but could be further developed to inform decision making. | Depending on the business’s attitude to risk management, provide advice and support to move to a risk enabled organisation. Audit existing risk management processes to confirm effectiveness. Management’s assessment of risk drives the audit plan, although internal audit will continue to challenge whether there are other risks that require internal audit coverage. |
| Risk Enabled | Risk management and internal control fully embedded into the operations. Risk management is used to help manage the business; consequently the business is able to take risks on an informed basis to achieve its objectives. | Audit risk management processes to confirm effectiveness. Management’s assessment of risk drives the audit plan, although internal audit will continue to challenge whether there are other risks that require internal audit coverage. |

Source: Based on Risk Maturity Matrix, Institute of Internal Auditors, Risk Based Auditing Position Statement


APPENDIX B: DETAILED INTERNAL AUDIT PLAN 2010/2011

RISK BASED COVERAGE

Risk | Audit Title | Mitigating Controls / areas of coverage to be considered in IA review | Days | Timing

Reputational damage due to failure to comply with regulatory framework and/or losses due to potential frauds.

Governance

A review of HTA’s governance arrangements with particular reference to compliance with external control and reporting requirements in respect of Cabinet Office rules and expenses policies.

CEO and Director of Resources

Sound framework for collating, processing and validating source HR and finance data.

Quarterly performance reporting.

Board Scrutiny.

Days: 3; Timing: June 2010

The Assurance Framework does not reflect current priorities.

New objectives and risks are not incorporated into the Assurance Framework.

The Board is unaware of the principal risks affecting achievement of objectives, and therefore objectives may not be achieved.

There are inconsistencies or lack of linkage between the assurance framework and other risk management activities. This could lead to some risks not being monitored, or duplicating effort.

Sources of independent assurance and action plans do not address key risks, therefore the Board may consider risks are being managed when they are not.

Risk Management

High level review of the Authority’s risk management framework to ensure risks to the achievement of the organisation’s aims are effectively identified and mitigated with appropriate assurances reported to the Audit Committee.

In 2010/11 this audit will look in particular at the links between the risk register and ongoing business including the process for updating the registers in light of emerging issues and performance. In addition the process for establishing risks in respect of new projects will be assessed as well as the general process for assessing and recording risks in a consistent manner across the organisation

CEO and Director of Resources

Embedded Assurance framework.

Clear roles and accountabilities.

Routine monitoring of Strategic and operational risk registers.

Periodic testing of mitigating controls and independent assurances.

Days: 3; Timing: January 2011

Reputational damage due to failure to fulfil the organisation’s statutory duty to regulate organisations storing or using Human Tissue

Inspection and Licensing

These functions are core business processes for the organisation. At the request of the HTA this audit will concentrate in particular on whether the desk based assessment of compliance is borne out by the site visit inspection process. The objective is to provide assurance around the self assessment processes undertaken, whether the standards used are the most appropriate and if there are specific sector anomalies. The intention is to help the organisation develop its self assessment and desk based assessment process going forward.

Director of Regulation

Existing procedures

Staff training

Quality Assessment and management process

External Assessment and review

Days: 8; Timing: August 2010

COVERAGE FOR EXTERNAL AUDIT RELIANCE OR TO MEET REGULATORY REQUIREMENTS

Audit Title | Scope | Days | Provisional Timing

Core Financial Controls and Management Accounts

Director of Resources

Cyclical coverage of the following finance systems of control:

Financial Management & Budgetary Control;

Fixed Asset Management;

Creditors and Purchases (including contract and tendering activities);

Income and Debtors;

Credit Card and expenses;

General Ledger; and

Payroll and Pensions.

Coverage may also include a review of the HTA management accounting system to provide assurance on the accuracy, robustness and timeliness of the information used for management decision making.

Specific finance systems of control to be reviewed will be agreed with management prior to commencement of field-work.

Controls to be tested will be agreed with External Audit prior to the commencement of fieldwork.

Key focus will be on substantive transaction testing.

Days: 12; Provisional timing: November 2010

OTHER INTERNAL AUDIT WORK

Topic | High Level Scope | Days | Provisional Timing

IT Audit - Data Security / Information Governance

Director of Resources and Head of ICT

Two key issues to be covered at request of HTA:

System security to prevent external penetration; and

Compliance with DPA regulations

Days: 5; Provisional timing: September 2010

Follow Up

Head of Finance

To meet the IIA Standards and to provide management with ongoing assurance regarding implementation of recommendations.

Days: 2; Provisional timing: February 2010

End of year management

This will include preparation of the annual internal audit opinion.

Days: 1; Provisional timing: March 2011

Audit Management and Quality Control

This will include:

Annual planning;

Preparation for, and attendance at, audit committee meetings;

Regular liaison and progress updates; and

Liaison with external audit

Days: 5; Provisional timing: Ongoing

Total 39


APPENDIX C: UPDATED STRATEGY FOR INTERNAL AUDIT 2008/09 – 2010/11

RISK BASED COVERAGE

Risks | Auditable Area | Objective Type [1] | Source | 2009/10 (Days) | 2010/11 (Days) | 2011/12 (Days)

Reputational damage due to failure to comply with regulatory framework and/or losses due to potential frauds.

Achievements of the Authority understated as reporting framework is inadequate.

Governance Strategic

Reporting

Compliance

Annual coverage informing HIA opinion

(3)

(3)

(3)

The Assurance Framework does not reflect current priorities.

New objectives and risks are not incorporated into the Assurance Framework.

The Board is unaware of the principal risks affecting achievement of objectives, and therefore objectives may not be achieved.

There are inconsistencies or lack of linkage between the assurance framework and other risk management activities. This could lead to some risks not being monitored, or duplicating effort.

Sources of independent assurance and action plans do not address key risks, therefore the Board may consider risks are being managed when they are not.

Risk Management

Strategic

Operational

Reporting

Compliance

Annual coverage informing HIA opinion

(3)

(3)

(3)

Auditable Area: Inspection and Licensing
Risks: Reputational damage due to failure to fulfil the organisation’s statutory duty to inspect and licence organisations storing or using Human Tissue
Objective Type: Strategic, Operational, Reporting, Compliance
Source: Strategic risk register
Days: (5), (8)

Auditable Area: Transplantation
Risks: Reputational damage due to ineffective transplant regulations and an insufficient Independent Assessment framework, resulting in breaches of the Human Tissue Act 2004. Lack of policy on new or emerging issues leading to inaccurate or misleading advice. Transplant approval turn-around time targets not met.
Objective Type: Strategic, Operational, Reporting, Compliance
Source: Strategic risk register
Days: (5)

1 Ref: COSO ERM Framework

Auditable Area: Performance Management
Risks: Strategic aims and objectives are not cascaded into operational and individual performance targets resulting in non congruence of activity and failure to deliver corporate aims. Achievements of the Authority understated as performance monitoring and reporting framework is inadequate.
Objective Type: Strategic, Operational, Reporting, Compliance
Source: Strategic risk register
Days: (5)

COVERAGE FOR EXTERNAL AUDIT RELIANCE OR TO MEET REGULATORY REQUIREMENTS

Systems | Source of Requirement | 2009/10 (Days) | 2010/11 (Days) | 2011/12 (Days)
Core Financial Control | Cyclical coverage of the organisation’s financial control systems. Annual coverage informing HIA opinion | (12) | (12) | (12)

ADVISORY INPUT AND OTHER INTERNAL AUDIT COVERAGE

Internal Audit Coverage | Source / Rationale | 2009/10 (Days) | 2010/11 (Days) | 2011/12 (Days)
ISA Audit | Annual review of organisation’s ISA systems of control. | (5) | (5) | (5)
Follow Up | To meet the IIA Standards and to provide management with ongoing assurance regarding implementation of recommendations. | (2) | (2) | (2)
End of year management | This will include preparation of the annual internal audit opinion. | (1) | (1) | (1)
Audit Management and Quality Control | This will include: annual planning; preparation for, and attendance at, Audit Committee meetings; regular liaison and progress updates; and liaison with external audit | (3) | (3) | (5)
Total | | 39 | 34 | 39
Contingency* | | 5 | 5 | 5

*To be used at the discretion / approval of the Audit Committee.

Risk Assessment and Internal Audit Plan

2013/2016

Human Tissue Authority

June 2013

Contents

1. Introduction and Approach
2. Audit Universe
3. Risk Assessment
4. Internal Audit Plan and Indicative Timeline
Appendix 1: Corporate Objectives and Risks
Appendix 2: Risk Assessment Criteria
Appendix 3: Detailed methodology

This document has been prepared only for the Human Tissue Authority and solely for the purpose and on the terms agreed with the Human Tissue Authority.

Distribution List

For action: Accounting Officer

Audit Committee

National Audit Office

Department of Health Internal Audit

1. Introduction and Approach

Introduction

This document sets out the Internal Audit Risk Assessment and Annual Plan for the Human Tissue Authority.

Approach

A summary of our approach to developing the Risk Assessment and Annual Internal Audit plan is set out below. A more detailed description can be found in Appendix 2 and 3.

Step 1 - Understand corporate objectives and risks: Obtain information and utilise sector knowledge to identify corporate level objectives and risks.

Step 2 - Define the audit universe: Identify all of the auditable units within the organisation. Auditable units can be functions, processes or locations.

Step 3 - Assess the inherent risk: Assess the inherent risk of each auditable unit based on impact and likelihood criteria.

Step 4 - Assess the strength of the control environment: Assess the strength of the control environment within each auditable unit to identify auditable units with a high reliance on controls.

Step 5 - Calculate the audit requirement rating: Calculate the audit requirement rating taking into account the inherent risk assessment and the strength of the control environment for each auditable unit.

Step 6 - Determine the audit plan: Determine the timing and scope of audit work based on the organisation’s risk appetite.

Step 7 - Other considerations: Consider additional audit requirements to those identified from the risk assessment process.

Background

The Human Tissue Authority (‘HTA’) was established under the Human Tissue Act 2004 to regulate activities concerning the removal, storage, use and disposal of human tissue and organs. The HTA is an Executive Non-Departmental Public Body sponsored by the Department of Health.

The performance of the HTA is monitored throughout the year by the Senior Management Team and the Authority. Progress against targets and the business plan are reported to DH at quarterly accountability meetings.

Key contacts

We have met some Directors and discussed our Internal Audit Strategy and Plan with the Senior Management team. The following stakeholders have been consulted during the planning process.

Area | Contacts
Accounting Officer | Chief Executive
Executive Directors & Senior Managers | Director of Resources; Director of Regulation; Director of Strategy & Quality; Director of Communications & Public Affairs; Head of Finance & Governance
Audit | Chair of the Audit Committee; Department of Health Internal Audit; National Audit Office

2. Audit Universe

The diagram below represents the high level auditable units within the audit universe of the Human Tissue Authority:

Chief Executive
  External Stakeholders: DH & other ALBs; Ministers; Parliament & Devolved Administrations
  Governance: Board & Quarterly Accountability Meeting; Risk Management; KPIs

Core Business
  Regulation: Licencing; Inspection; Case Management; Provision of Advice; European Competent Authority Roles
  Strategy and Quality: Business Planning; Transplant Approvals; Independent Assessors; Quality Assurance
  Communications and Public Affairs: Website; Internal Communications; Media Relations; Stakeholder Management; Crisis Management

Cross Cutting Operations
  Resources: Finance; Legal; Business Technology; Information Governance
  Human Resources: General HR functions; Training & Development


Appendix A: Internal Audit Plan and Indicative Timeline

3. Risk Assessment

Each auditable unit (as illustrated in the diagram in Section 2) has been assessed for inherent risk and the strength of the control environment, in accordance with the methodology set out in Appendix 3.

Ref | Auditable Unit | Corporate objectives and risks | Inherent Risk Rating | Control Environment Indicator | Audit Requirement Rating | Frequency (see key) | Suggested Frequency

A Chief Executive

A.1 External stakeholders
Corporate objectives and risks: All corporate objectives and risks. Covers objectives & risks b, d and i in Appendix 1 in particular.
Inherent Risk Rating: N/a; Control Environment Indicator: N/a; Audit Requirement Rating: N/a
Relationship between CEO and key stakeholders (e.g. DH) – not considered auditable.

A.2 Governance
Inherent Risk Rating: 2; Control Environment Indicator: 2; Audit Requirement Rating: 1
An understanding of Governance is required as part of Public Sector Internal Audit Standards.
We noted:
- Corporate Governance and Decision Making Framework reviewed in 2012 by Internal Audit (green)
- Risk Management reviewed in 2010-11 (& regular review and oversight by the Audit Committee)
- Major Incident Reporting reviewed in 2011-12.
No incidents of recent frauds. KPI reporting was covered in an IA report in 2009/10, and, due to regular DH scrutiny it is not seen as high risk.
We understand that an independent review of how HTA performs its work is in progress.
No work proposed.

Ref | Auditable Unit | Corporate objectives and risks | Inherent Risk Rating | Control Environment Indicator | Audit Requirement Rating | Frequency (see key) | Suggested Frequency

B Core Business

B.1 Regulation (covers licencing of over 500 establishments, including publishing standards, inspections/audits*, and providing advice).
*Inspections are either full or themed reviews. HTA use “audits” rather than inspections for the Organ Transplant sector.
Corporate objectives and risks: Covers risks and objectives a, d, e and g (appendix 1)
Inherent Risk Rating: 5; Control Environment Indicator: 5; Audit Requirement Rating: 3
Regulatory Arrangements audit performed in 2012.
Two strategic risks are linked to core regulatory objectives.
Suggest end-to-end process review of a sample of key regulatory processes within post mortem, human application, research, public display, and/or organ transplant. This will include tracking of inspection processes and case management.

B.2 Strategy & Quality, includes:
• Business Planning
• Transplant Approvals
• Independent Assessment of living organ donations
• Quality Assurance
Corporate objectives and risks: Covers risks and objectives a, d, e, and g (appendix 1)
Inherent Risk Rating: 4; Control Environment Indicator: 3; Audit Requirement Rating: 3
Higher risk areas relate to independent assessors and transplant approvals.
Suggest end to end process review of one of these areas to be agreed with the Director of Strategy & Quality.

B.3 Communication & Public Affairs includes:
• Website development
• Internal Communications
• Media Relations
• Stakeholder Management
• Crisis Management
Corporate objectives and risks: See objectives and risks b, g and i in particular in appendix 1
Inherent Risk Rating: 2; Control Environment Indicator: 2; Audit Requirement Rating: 1
Perceived as low residual risk in Strategic Risk Register.
Crisis Management Plan reviewed at February 2013 Audit Committee.
No work proposed.

Ref | Auditable Unit | Corporate objectives and risks | Inherent Risk Rating | Control Environment Indicator | Audit Requirement Rating | Frequency (see key) | Suggested Frequency

C Cross Cutting Operations

C.1 Resources - Finance (core system Great Plains)
Corporate objectives and risks: All corporate objectives and risks. See risk and objectives d and h in appendix 1 in particular
Inherent Risk Rating: 2; Control Environment Indicator: 2; Audit Requirement Rating: 1
Financial Controls last audited in 2011-12 (green).
Finance processes perceived as lower risk; however there is an ongoing need for coverage of core controls and pressure to reduce costs by a further 11%.
Suggest general financial controls audit covering for example licence income (£3.3m), payroll (£2.3m), debt management, general ledger reconciliations, journals, expenses and purchases.
Terms of reference will be shared with the NAO.

C.2 Resources - Legal
Corporate objectives and risks: -
Inherent Risk Rating: 2; Control Environment Indicator: 2; Audit Requirement Rating: 1
Not identified as a high risk.
No work proposed.

C.3 Resources – Business Technology (including IT services outsourced to
Corporate objectives and risks: -
Inherent Risk Rating: 2; Control Environment Indicator: 2; Audit Requirement Rating: 1
Focus to include IT security in particular over the online portal. Sensitive data includes for example personal data in relation to transplant approvals.

C.4 Resources – Information Governance
Corporate objectives and risks: -
Inherent Risk Rating: 4; Control Environment Indicator: 3; Audit Requirement Rating: 3
No areas of non-compliance reported within the Statement of Governance.
Propose independent review of the evidence supporting the Security Policy Framework Information Risk Management Return.

C.5 Human Resources
Corporate objectives and risks: See objectives c and d in particular in appendix 1
Inherent Risk Rating: 3; Control Environment Indicator: 3; Audit Requirement Rating: 2
Resourcing and capacity risks are linked to two key strategic risks.
Audit of Staff Retention in 2012-13 (green).
Propose General HR Controls audit in Year 3.


Key to frequency of audit work

We plan our internal audit work to progressively provide coverage over the main activities of the organisation. The key below is advisory, as the Internal Audit plan will also be contingent on key risks, other sources of assurance, and the appetite for assurance in each area by management and the Audit Committee. We will revisit the Internal Audit plan annually and refresh it based upon changing business priorities and risks of the organisation.

Audit Requirement Rating | Frequency – PwC standard approach | Colour Code
6 | Annual
5 | Annual
4 | Annual
3 | Every two years
2 | Every three years
1 | No further work

4. Internal Audit Plan and Indicative Timeline

The following table sets out the proposed internal audit work days planned for the year to 31 March 2014, together with indicative areas for 2015 and 2016.

Ref | Auditable title | Yr 1 y/e 2014 | Yr 2 y/e 2015 | Yr 3 y/e 2016 | Comments (Refer to Section 3 – Risk Assessment)
Core Business
B.1 | Key Regulatory Processes | - | 15 | - | Review of a sample of key regulatory processes within post mortem, human application, research, public display, and/or organ transplant. This will include tracking of inspection processes and case management.
B.2 | Independent Assessors / Transplant Approvals | - | - | 13 | Review of independent assessors or transplant approvals (to be agreed).
Cross cutting processes
C.1 | General Financial Controls | 12 | - | - | Assurance on fundamental core financial controls. The approach will be discussed with the NAO. Year 1 coverage may include: license income; payroll; debt management; general ledger reconciliations; journals; expenses; purchases; reported efficiency savings. Suggested timing: September 2013
C.1 | Resources - Business continuity | - | - | 5 | Progressive coverage of key controls, including: completeness of business continuity plans; robustness of plans and procedures; communication; testing of plans.
C.3 | IT Security | 10 | - | - | IT Security health check over the online portal. Suggested timing: September 2013
C.4 | Information Governance | - | 5 | - | Propose independent review of the evidence supporting the Security Policy Framework Information Risk Management Return.

Ref | Auditable title | Yr 1 y/e 2014 | Yr 2 y/e 2015 | Yr 3 y/e 2016 | Comments (Refer to Section 3 – Risk Assessment)
C.5 | HR General Controls | - | - | 5 | To include review of controls over recruitment.
Z Audit Project Management
Z.1 | Planning and Management | 6.5 | 3 | 3 | Audit Project Management, including attendance at two Audit Committees and production of Annual Internal Audit Report.
Z.2 | Follow up audits | 2 | 2 | 2 | Sample testing of recommendations to provide assurance of implementation.
Total days | | 30.5 | 25 | 28

Appendix 1: Corporate Objectives and Risks

These corporate level objectives and risks have been determined by The Human Tissue Authority and have been extracted from the draft Corporate Plan for 2013 – 2016 and the Corporate Risk Register. The risks below will inform individual internal audit reviews; some areas have been highlighted as lower risk and are flagged as areas of possible review in years 4 or 5.

Ref | Key Objectives | Cross reference to Internal Audit Plan (see Section 4)
a | To improve further the effectiveness of our regulatory activity and our advice and guidance | Regulatory arrangements reviewed in 2011-12 (green) – propose to review again in 2015 as this is a core business activity
b | To develop and consolidate productive stakeholder relationships with the public and professionals | Not considered auditable
c | To have a skilled, motivated and dedicated team equipped to do the job in a challenging operational environment | Staff retention was carried out in 2013 (green). Key risks (below) link to HR issues – propose review of core HR controls in 2015.
d | To ensure that HTA is effectively governed and is managed effectively providing value for money for licensed establishments and the taxpayer | Core financial controls reviewed in 2011-12. Ongoing efficiency agenda and probity outside of the external audit (particularly in a period of change) – key financial controls audit in 2013/14.

We have reviewed your corporate risk register and linked your top 5 risks to our audit plan as follows:

Ref | Key Risks | Cross reference to Internal Audit Plan (see Section 4)
Strategic
e | Inability to carry out its statutory remit | Refer to audit of regulatory processes and independent assessors.
f | Failure to manage change | Key focus on business as usual controls and business processes (above).
g | Inability to manage an actual or potential major event, such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA | Crisis Management has been reviewed by the Audit Committee – potential review of business continuity proposed.
h | Insufficient financial resources | Review Financial Controls (going concern will be assessed as part of the NAO audit)
i | Inadequate relationship and stakeholder management | Not considered auditable.

Appendix 2: Risk Assessment Criteria

Determination of Inherent Risk

We determine inherent risk as a function of the estimated impact and likelihood for each auditable unit within the audit universe as set out in the tables below.

Impact rating | Assessment rationale
6 | Critical impact on operational performance; or Critical monetary or financial statement impact; or Critical breach in laws and regulations that could result in material fines or consequences; or Critical impact on the reputation or brand of the organization which could threaten its future viability.
5 | Significant impact on operational performance; or Significant monetary or financial statement impact; or Significant breach in laws and regulations resulting in large fines and consequences; or Significant impact on the reputation or brand of the organization.
4 | Major impact on operational performance; or Major monetary or financial statement impact; or Major breach in laws and regulations resulting in significant fines and consequences; or Major impact on the reputation or brand of the organization.
3 | Moderate impact on the organization’s operational performance; or Moderate monetary or financial statement impact; or Moderate breach in laws and regulations with moderate consequences; or Moderate impact on the reputation of the organization.
2 | Minor impact on the organization’s operational performance; or Minor monetary or financial statement impact; or Minor breach in laws and regulations with limited consequences; or Minor impact on the reputation of the organization.
1 | Insignificant impact on the organization’s operational performance; or Insignificant monetary or financial statement impact; or Insignificant breach in laws and regulations with little consequences; or Insignificant impact on the reputation of the organization.

Likelihood rating | Assessment rationale
6 | Has occurred or probable in the near future
5 | Possible in the next 12 months
4 | Possible in the next 1-2 years
3 | Possible in the medium term (2-5 years)
2 | Possible in the long term (5-10 years)
1 | Unlikely in the foreseeable future


Appendix 3: Detailed methodology

Step 1 - Understand corporate objectives and risks

In developing our understanding of your corporate objectives and risks, we have:

reviewed key corporate documents, including your strategy, business plan, financial statements, organisational structure and corporate risk register;

reviewed recent Audit Committee and Board minutes;

drawn on our knowledge of the Central Government; and

Considered coverage provided by Internal Audit previously.

Step 2 - Define the Audit Universe

In order that our internal audit plan reflects your management and operating structure we have identified the audit universe for the Human Tissue Authority made up of a number of auditable units. Auditable units include functions, processes, systems, products or locations. Any processes or systems which cover multiple locations are separated into their own distinct cross cutting auditable unit.

Step 3 - Assess the inherent risk

Our internal audit plan should focus on the most risky areas of the business. As a result each auditable unit is allocated an inherent risk rating i.e. how risky the auditable unit is to the overall organisation and how likely the risks are to arise.

The inherent risk assessment is determined by:

Mapping the corporate risks to the auditable units;

Our knowledge of your business and Central Government;

Discussions with management.

Impact Rating | Likelihood Rating: 6 | 5 | 4 | 3 | 2 | 1
6 | 6 | 6 | 5 | 5 | 4 | 4
5 | 6 | 5 | 5 | 4 | 4 | 3
4 | 5 | 5 | 4 | 4 | 3 | 3
3 | 5 | 4 | 4 | 3 | 3 | 2
2 | 4 | 4 | 3 | 3 | 2 | 2
1 | 4 | 3 | 3 | 2 | 2 | 1

Step 4 - Assess the strength of the control environment

In order to effectively allocate internal audit resources we also need to understand the strength of the control environment within each auditable unit. This is assessed based on:

our knowledge of your internal control environment

information obtained from other assurance providers, including the prior year assessment by the previous Internal Auditors

Step 5 - Calculate the audit requirement rating

The inherent risk and the control environment indicator are used to calculate the audit requirement rating. The formula ensures that our audit work is focused on areas with high reliance on controls or a high residual risk.

Inherent Risk Rating | Control design indicator: 1 | 2 | 3 | 4 | 5 | 6
6 | 6 | 5 | 5 | 4 | 4 | 3
5 | 5 | 4 | 4 | 3 | 3 | n/a
4 | 4 | 3 | 3 | 2 | n/a | n/a
3 | 3 | 2 | 2 | n/a | n/a | n/a
2 | 2 | 1 | n/a | n/a | n/a | n/a
1 | 1 | n/a | n/a | n/a | n/a | n/a

Step 6 - Determine the audit plan

Your risk appetite determines the frequency and scope of internal audit work at each level of audit requirement.

Your risk appetite determines the intensity of internal audit work at each level of audit requirement.

Step 7 - Other considerations

In addition to the audit work defined through the risk assessment process described above, we may be requested to undertake a number of other internal audit reviews such as regulatory driven audits, value enhancement or consulting review.