Human Tissue Authority · 2014. 11. 12. · Human Tissue Authority 151 Buckingham Palace Road...
Human Tissue Authority
151 Buckingham Palace Road
London
SW1W 9SZ
Tel
Web www.hta.gov.uk
Date 13 June 2014
By email
Dear
Freedom of Information request
Thank you for your request for information dated 24 April 2014, which we received as
follows:
I am writing to request information that sets out internal audit’s role in your organisation’s
governance, which will assist me with I have
checked your website but not been able to locate all of what I am looking for. Please would
you send through to me any information on or electronic copies of the following:
• Internal audit’s role within your governance framework or framework document
• Your internal audit team’s Charter
• Internal Audit plans and assignment coverage from 2010 to date
• Internal Audit plans and assignment coverage for 2014-15
• Reports from the Internal Audit team to the Audit Committee or management on internal audit’s role or work undertaken
• Internal Audit opinion statements or governance statements/Statements of Internal Control from 2010 to date
• Your audit committee’s terms of reference
Response
The HTA is an Arms Length Body (ALB) of the Department of Health. As an ALB we are
required to utilise the Department of Health’s Internal Audit Group Framework.
Our Internal Auditors are appointed by the Department of Health and therefore are not
employed by the HTA.
Internal Audit’s role is to review and evaluate the risk management, control and
governance arrangements that the HTA has in place to:
• establish and monitor the achievement of the HTA’s objectives
• identify, assess and manage the risks to achieving the HTA’s objectives
• ensure the economical, effective and efficient use of resources
• ensure compliance with established policies, procedures, laws and
regulations, including the HTA’s governance arrangements
• safeguard HTA’s assets and interests from losses of all kinds, including
those arising from fraud, irregularity or corruption
• ensure the integrity and reliability of information, accounts and data.
You clarified that you do not require full audit reports. The attached files contain the
information you asked for, except Annual Governance Statements (originally Statements
on Internal Control) which can be found on our website at this link
http://www.hta.gov.uk/publications/annualreviewsandreports.cfm.
The documents are provided for your information – you will see that some of the
documents include statements that their content cannot be relied upon by others, for
assurance purposes.
If you are unhappy with the way the HTA has handled your request for information in this
case, you may in the first instance ask us for an internal review by writing to us at the
above postal or email address.
If you remain dissatisfied with the handling of your request or complaint, you have the right
to appeal directly to the Information Commissioner for a decision, at the address below:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 08456 30 60 60
or 01625 54 57 45
Website: www.ico.gov.uk
There is no charge for making an appeal.
Yours sincerely
(AUD 43-11)
Human Tissue Authority
Internal Audit Plan 2011-12
June 2011
Final Draft (for Audit Committee meeting)
Preparation
GT prepared by: xxxxxxxxx
GT reviewed by: xxxxxxxxx
GT sign off: xxxxxxxxx
Client Review and Approval Timetable
Draft Plan issued: 20 May 2011
Discussed with College Management: 24 May 2011
Presented to Audit Committee:
Final Management feedback received:
Final Plan issued:
© 2014 Grant Thornton UK LLP. All rights reserved
Contents Page
1 Internal Audit Approach 1
2 Proposed Resources and Outputs 4
Appendices
A Key themes raised in planning discussions
B Annual Internal Audit Plan 2011-12
1 Internal Audit Approach
1.1 Internal Audit at the Human Tissue Authority
Grant Thornton UK LLP has been asked to provide internal audit services to the Human Tissue Authority (HTA) for the period 1 April 2011 to 31 March 2012.
1.2 Basis for the Internal Audit service
We propose that the internal audit service should be delivered via the service level agreement that is being established between the Department of Health Internal Audit (DHIA) and the Department’s Arm’s Length Bodies. The agreement will enable HTA to commission, via DHIA’s co-source contract with Grant Thornton UK LLP, this firm to provide internal audit services.
1.3 Our role and approach to the Internal Audit of HTA
Our role as internal auditor is to provide objective and independent assurance to the Authority and the Chief Executive, as Accounting Officer, on risk management, control and governance arrangements, by measuring and evaluating the effectiveness of the HTA's arrangements to achieve its agreed objectives.
Our audit approach:
• aims to provide objective and independent assurance to the Authority and the Chief Executive that the HTA is successfully identifying, assessing and managing risks that are significant to the achievement of the HTA’s overall strategic aims
• focuses on helping the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the adequacy and effectiveness of its risk management, control and governance processes
• complies with professional practice, including Government Internal Audit Standards (February 2011) and the Institute of Internal Auditors’ guidance on risk-based internal auditing (December 2005).
For each of the key business risks it faces, the HTA should have in place controls and activities to address those risks. Our approach is therefore to identify those business risks and associated controls and activities, evaluate their effectiveness and confirm their operation.
1.4 Internal Audit planning 2011-12
The planning process
To the extent that it is relevant and appropriate, our approach is to base the internal audit plan upon the HTA’s identification of strategic risk. The HTA’s own risk assessments provide a starting point for developing our 2011-12 Plan. However, it was important that we tested its completeness because of the emerging impact of:
• the continued economic downturn and its impact on funding streams
• the continuing transition programme. This is particularly relevant given that potential changes to the Health and Social Care Bill may impact on which bodies ultimately take responsibility for the functions that are currently undertaken by HTA.
We have obtained an up to date understanding by:
• holding planning meetings with members of the Senior Management Team and a discussion with the Chair of the Audit Committee to understand their views on key risks facing the HTA
• considering our knowledge of other emerging sector issues
• analysing legislative, funding and audit regime changes.
Having collated a list of key risk areas for the HTA, we have prioritised using the following criteria:
• provide an appropriate balance of assurance and advisory work
• balance coverage across core business risks and financial risks, focusing on areas where change has taken place or is planned
• account for uncertainty over timescales around the Public Bodies Bill and the Health and Social Care Bill and their impact on appropriate internal audit work, recognising that the timing of internal audit work may need to be altered or deferred during the year.
Planning outcomes
Inevitably, our planning work has identified a broad spectrum of issues and challenges facing the HTA. We explain below how the information gathered has been used to derive our proposals for the 2011-12 Plan:
Appendix A summarises the outcomes of our consultation with the Senior Management Team. It also incorporates information gathered from other sources (e.g. risk register, etc) to develop an overall map of the assurance needs of the HTA.
Appendix B outlines our proposed Plan for 2011-12, including the indicative resources and how our work will inform our annual opinions on risk management, control and governance.
Based upon our experience elsewhere in the sector, we confirm that an audit plan of around 30 days per annum is in line with that adopted by other similar Arms Length Bodies (ALB). We have prepared our plan on this basis.
The Senior Management Team and Audit Committee are invited to consider:
• whether a plan of 30 days remains appropriate to meet the HTA’s current assurance needs
• whether they agree our proposed options for business risk reviews (Appendix A)
• how the HTA wishes those options to be prioritised
• the balance between high-level assurance and more detailed improvement support required in each of the areas.
1.5 Planning for individual reviews
The scope and nature of every piece of work included in the annual Plan at Appendix B will be agreed with the nominated lead member of the Senior Management Team before the start of the fieldwork, and summarised in an Audit Planning Brief that will be issued to all those involved in the audit.
It is difficult, at this stage, to be precise about the number of days likely to be required for each review. For this reason, budget allocations at Appendix B should be regarded as a provisional indication. When we scope each review, we will reconsider our estimates of the inputs required to achieve the objectives established for the work and to complete it to a satisfactory standard.
1.6 Changes to the Annual Internal Audit Plan
In line with good practice, we will keep the internal audit plan under review during the year and will revise it to take account of significant areas of emerging risk that management, the Authority or we identify during the period. Changes to the Plan will be discussed with the Chief Executive, the Director of Resources and the Audit Committee, and approved by the Audit Committee (or the Chair of the Audit Committee if approval is required between meetings).
2 Proposed Resources and Outputs
2.1 Resources
We estimate that the input days necessary for 2011-12 would be as follows:
Grade            Daily rate 2011-12 (£)   Proposed 2011-12 days   Percentage
Partner          1,440                    1.0                     3.0
Senior Manager   855                      2.5                     8.0
Manager          765                      10.0                    34.0
Lead Auditor     450                      5.0                     17.0
Associate        382                      11.5                    38.0
Total                                     30.0                    100.0
The table also confirms our fee rates, which are as set out in our proposal (April 11). On the basis of the staff mix illustrated above, the total fee for 2011-12 for this resource envelope of 30 days will be £17,870. Our fees quoted exclude VAT and expenses. We will cap our expenses at £1,500 per annum.
Any additional work we might be requested to undertake during the audit cycle will be discussed with the Chief Executive and Director of Resources and an appropriate fee agreed, prior to the start of any work.
2.1 Our team
The key members of our team are outlined below:
Name         Role                                       Contact Details
xxxxxxxxx    Partner - Business Risk Services           xxxxxxxxxxxxxxxxx
                                                        xxxxxxxxxxxxxxxxxxx
xxxxxxxxx    Senior Manager - Business Risk Services    xxxxxxxxxxxxxxxx
                                                        xxxxxxxxxxxxxxxxx
xxxxxxxxx    Manager - Business Risk Services           xxxxxxxxxxxxxxxx
                                                        xxxxxxxxxxxxxxxxx
2.2 Timing of visits
We will endeavour to undertake our reviews in 2011-12 in two visits, phased to ensure balanced presence throughout the year and a balanced provision of reports to the Audit Committee. Dependent on the nature of the review however, it may be necessary to undertake certain assignments at times that do not align with our main visits.
Based on our draft proposals for the internal audit plan 2011-12, we outline indicative timing below.
Reviews                            Timing
Regulatory arrangements            June - August 11
Fee Generation                     June - August 11
Core Financial Controls            June - August 11
Risk Workshops (HTA Transition)    Jan – March 12
Major Incident Reporting           Jan – March 12
Following feedback from management and the Audit Committee to confirm priorities for the Plan, we will meet with senior management to agree the sponsor for and timing of each review.
2.3 Reporting to the Audit Committee
Our Internal Audit Plan for 2011-12 will be presented to the Audit Committee in June 2011.
Our internal audit reports summarising the results of our visits for 2011-12 will be presented to the appropriate Audit Committee meetings.
Following completion of the internal audit work for 2011-12 we will produce an Annual Report summarising our key findings and evaluating our performance in accordance with agreed service requirements.
Grant Thornton UK LLP
June 2011
A Key themes raised in planning discussions
Areas proposed for review in 2011-12
External drivers
Public Bodies Bill and HTA Transition
Context
The new coalition government undertook a significant review of Arm’s Length Bodies (ALBs) and is progressing with the Public Bodies Bill to enact the changes resulting from the review of ALBs.
This review included coverage of HTA and the functions it performs, concluding that:
• HTA’s functions should be transferred to other existing bodies (e.g. the Care Quality Commission and the Health and Social Care Information Centre (HSCIC)) or other ALBs being created under the Health transition; and
• HTA should cease to exist as a standalone entity.
At the third reading of the Bill on 9 May 2011 it was agreed that the HTA’s functions would not be separated and all functions (with regulation related to research to be reviewed) would be handed over to one successor in their entirety.
Given the progress of legislation and implementation, there is a possibility that the transition of HTA’s functions may not begin in 2013.
The Bill stipulates that the HTA will retain its current remit until this transfer takes place. The HTA will maintain its existing role and remit in the interim and for a period longer than initially envisaged.
The HTA is part of a formal project that has been initiated in conjunction with the Care Quality Commission and the Human Fertilisation and Embryology Authority (HFEA) to identify synergies to streamline activities and ensure the transition is managed in an effective way. Other bodies may also be drawn in to support the project, for example subject to decisions on which body will take over responsibility for the HTA’s current role in overseeing research regulation.
Approach to internal audit work
Given that HTA’s transition programme remains at an early stage, our work as part of the 2011-12 internal audit programme will primarily take the form of advisory support. This will take the form of a risk workshop to assist the Senior Management Team and the Authority in identifying the key risks associated with transition, bringing our experience of how other organisations have dealt with similar risks. We will draw on our experience within the ALB sector and the wider public and private sectors.
As the transition programme progresses during 2012-13, our work will take more of an assurance focus around HTA’s own transition arrangements and how HTA engages with the broader transition project to ensure its key risks are being adequately managed. This will be considered as part of the 2012-13 planning process.
Internal drivers
Regulatory arrangements
Context
The HTA regulates organisations (clinics etc) that frequently fall under the remit of more than one regulator and are therefore likely to be subject to several inspection regimes.
In line with the principles of good regulation (proportionate, accountable, consistent, transparent, targeted) the HTA is committed to continuously improving, and achieving efficiencies with regard to its own methods of regulation, but is also keen to consider the impact of its regulatory requirements on establishments that are required to adhere to a number of inspection regimes.
The HTA last undertook an internal “light touch” review of its regulatory framework at the end of 2010-11 and as a result a number of Standard Operating Procedures (SOPs) were refined, developed and implemented.
Management plans to integrate aspects of the regulatory process into the HTA’s overall key performance indicator framework so that performance oversight of this key area of activity, and of other areas, is undertaken in an integrated way.
HTA expects to undertake a more in-depth review of its approach to regulation in advance of the transition of its functions to a successor body. The existing regulatory approach is modelled on that followed by HFEA. Management is keen on an independent review that assesses the existing approach to regulation against broader good practice and makes practical recommendations for improvement.
HTA recognises “Inability to carry out its statutory remit” as a significant risk in the strategic risk register.
Approach to internal audit work
During our assurance and advisory review we will:
• conduct a walk-through of the current regulatory process to provide assurance that it is sufficiently robust
• interview a sample of regulated establishments to obtain their views on how well HTA inspections integrate with the rest of the regulatory landscape
• share best practice in relation to how other regulators undertake such activity, with a view to identifying learning opportunities.
Our work will be planned so that it is completed before September 2011, to enable the findings to be incorporated into the forward work plan for the third quarter of 2011-12.
Fee Generation and recognition
Context
HTA has a new system whereby licence fees will be raised via the ‘Great Plains’ CRM system. Management is seeking assurance that the new process is effective in raising accurate and timely licence fees, and that the CRM system’s interface with the finance system is effective.
Approach to internal audit work
We will carry out an assurance review of the arrangements in place relating to the recording and recognition of due fees on the CRM system, the raising of fee notices and the interface of the CRM system with the finance system. In particular, as part of scoping our work, we will discuss and agree an approach with the National Audit Office so that it can place reliance on our work (to the extent it is relevant).
Core financial controls
Context
Following the 2010-11 external audit of the HTA, conducted by the National Audit Office (NAO) in May 2011, the HTA will be issued with a management letter highlighting any issues that need to be considered by HTA (although no significant issues are expected). In carrying out the 2011-12 external audit, the NAO will also, where appropriate, be seeking to place reliance on internal audit work.
Approach to internal audit work
We will discuss with management key financial risks as part of our scoping process and will agree a prioritised risk area for coverage as part of this review.
Major incident management
Context
The occurrence of a major incident in any of the establishments that are regulated and licensed by HTA could result in considerable reputational impact. This is recognised as a strategic risk (risk reference 3) in HTA’s risk register as follows: “Inability to manage an actual or potential major event, such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA (underpins delivery of all strategic objectives)”.
The HTA has in place a major incident protocol. Management is aware that its practical application has not been recently tested (due to the absence of any major incidents) and is keen for an independent review to assess whether the framework itself could be further improved.
Approach to internal audit work
We will review the design of the HTA’s major incident protocol and management arrangements. This review will have both an assurance and advisory focus, sharing our knowledge of best practice from other regulators.
Summary of areas proposed for review in 2012-13
• Review of project management and governance arrangements in relation to transition
• Review of CRM protocols, usage and data quality
• Review of arrangements for organisational knowledge capture
• Review of assurance framework
B Annual Internal Audit Plan 2011-12
No   Audit Area                  SMT Sponsor                               Indicative days 2011-12
1    Transition Workshop         Chief Executive/Director of Resources     4
2    Regulatory arrangements     xxxxxxxx/xxxxxx                           10
3    Fee Generation              Director of Resources                     4
4    Core Financial Controls                                               2
5    Major Incident Reporting    TBC                                       3
     Follow Up                                                             2
     Sub total                                                             25
     Audit Management (Audit strategy, planning and liaison, Audit Committee, etc)   5
     Totals                                                                30
The plan also indicates, for each review, which of our annual opinions it supports: Governance, Risk Management or Internal Control.
www.grant-thornton.co.uk
© 2014 Grant Thornton UK LLP. All rights reserved.
"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership.
Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.
This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.
(AUD 73-12)
Human Tissue Authority
Internal Audit Plan 2012-13
June 2012
Draft
Preparation
GT prepared by: xxxxxxxxxxx
GT reviewed by: xxxxxxxxxxx
GT sign off: xxxxxxxxxxx
Client Review and Approval Timetable
Draft Plan issued: 4 May 2012
Discussed with Management: 17 May 2012
Presented to Audit Committee: 6 June 2012
Final Plan issued: 9 July 2012
© 2014 Grant Thornton UK LLP. All rights reserved
Contents Page
1 Internal Audit Approach 1
2 Proposed Resources and Outputs 4
Appendices
A Key themes raised in planning discussions
B Possible areas for internal audit coverage
C Annual Internal Audit Plan 2012-13
1 Internal Audit Approach
1.1 Internal Audit at the Human Tissue Authority
Grant Thornton UK LLP has been asked to provide internal audit services to the Human Tissue Authority (HTA) for the period 1 April 2012 to 31 March 2013.
1.2 Basis for the Internal Audit service
As in 2011-12, the internal audit service will be delivered via the service level agreement established between the Department of Health Internal Audit (DHIA) and HTA. This enables HTA to commission, via DHIA’s co-source contract with Grant Thornton UK LLP, this firm to provide internal audit services.
1.3 Our role and approach to the Internal Audit of HTA
Our role as internal auditor is to provide objective and independent assurance to the Authority and the Chief Executive, as Accounting Officer, on risk management, control and governance arrangements, by measuring and evaluating the effectiveness of the HTA's arrangements to achieve its agreed objectives.
Our audit approach:
• aims to provide objective and independent assurance to the Authority and the Chief Executive that the HTA is successfully identifying, assessing and managing risks that are significant to the achievement of the HTA’s overall strategic aims
• focuses on helping the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the adequacy and effectiveness of its risk management, control and governance processes
• complies with professional practice, including Government Internal Audit Standards (February 2011) and the Institute of Internal Auditors’ guidance on risk-based internal auditing (December 2005).
For each of the key business risks it faces, the HTA should have in place controls and activities to address those risks. Our approach is therefore to identify those business risks and associated controls and activities, evaluate their effectiveness and confirm their operation.
1.4 Internal Audit planning 2012-13
The planning process
To the extent that it is relevant and appropriate, our approach is to base the internal audit plan upon the HTA’s own identification of strategic risk. The HTA’s risk assessments have therefore provided a starting point for developing our 2012-13 Plan, and we have also had regard to the emerging impact of:
• the continued economic downturn
• the continuing transition programme, which remains particularly relevant given the impact which the potential changes from the Health and Social Care Act may have on which bodies ultimately take responsibility for the HTA's current functions.
We have obtained an up to date understanding by:
• holding planning meetings with members of the Senior Management Team to understand their views on key risks facing the HTA
• considering our knowledge of other emerging sector issues
• analysing legislative, funding and audit regime changes.
On the basis of this analysis we have collated a list of key risk areas for the HTA, which we have prioritised using the following criteria:
• provide an appropriate balance of assurance and advisory work
• balance coverage across core business risks and financial risks, focusing on areas where change has taken place or is planned
• account for uncertainty over timescales following the Public Bodies Act and its impact on appropriate internal audit work, recognising that the timing of internal audit work may need to be altered or deferred during the year.
Planning outcomes
Inevitably, our planning work has identified a broad range of issues and challenges facing the HTA. We explain below how the information gathered has been used to derive our proposals for the 2012-13 Plan:
Appendix A summarises the outcomes of our consultation with the Senior Management Team. It also incorporates information gathered from other sources (e.g. risk register, etc) to develop an overall map of the assurance needs of the HTA.
Appendix B outlines the recommended reviews for inclusion in the 2012-13 Plan, the indicative resources required to deliver them, and how our work will inform our annual opinions on risk management, control and governance.
We invite the Audit Committee to confirm the reviews it considers should be included in the 2012-13 Plan (Appendix B). For reference, in 2011-12 we delivered a 30 day internal audit plan, which was in line with that adopted by other similar Arms Length Bodies (ALB).
The Audit Committee is invited to consider:
• that the correct options for business risk reviews (Appendix A) are included in the 2012-13 Plan (Appendix B)
• whether a plan of 30 days remains appropriate to meet its current assurance needs (indicative days for the proposed options are set out at Appendix B)
• the balance between high-level assurance and more detailed improvement support required in each of the areas.
1.5 Planning for individual reviews
The scope and nature of every piece of work included in the annual Plan at Appendix B will be agreed with the nominated lead member of the Senior Management Team before the start of the fieldwork, and summarised in an Audit Planning Brief that will be issued to all those involved in the audit.
It is difficult, at this stage, to be precise about the number of days likely to be required for each review. When we scope each review, we will reconsider our estimates of the inputs required to achieve the objectives established for the work and to complete it to a satisfactory standard, and agree the detailed budget with the nominated lead. Variations from the proposed Plan will be reported to the Audit Committee for consideration and approval.
1.6 Changes to the Annual Internal Audit Plan
In line with good practice, we will keep the Internal Audit Plan under review during the year and will revise it to take account of significant areas of emerging risk that management, the Authority or we identify during the period. Changes to the Plan will be discussed with the Chief Executive, the Director of Resources and the Audit Committee, and approved by the Audit Committee, or the Chair of the Audit Committee if approval is required between meetings.
2 Proposed Resources and Outputs
2.1 Resources
Our daily fee rate for 2012-13, based on the staff mix set out in our original proposal, is as follows:
Grade           Daily rate 2012-13 (£)   Proposed 2012-13 staff days   Annual fee (£)
Partner         1,370                    1.0                           1,370
Director        1,190                    3.0                           3,570
Manager         730                      8.0                           5,840
Lead Auditor    425                      9.5                           4,030
Associate       360                      8.5                           3,060
Total                                    30.0                          17,870
The daily rates reflect the rates applicable through the DH contract. Our total proposed fee for 2012-13 is £17,870, which is the same level as in the previous financial period. Our fees quoted exclude VAT and expenses. We will cap our expenses at £1,500 per annum.
Any additional work to this plan shall be discussed and an appropriate fee agreed in the first instance with the Chief Executive and Director of Resources.
2.1 Our team
The key members of our team are outlined below:
Name            Role                                   Contact Details
xxxxxxxxxxxx    Partner - Business Risk Services       xxxxxxxxxxxxxxxx
                                                       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx    Director - Business Risk Services      xxxxxxxxxxxxxxxx
                                                       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx    Manager - Business Risk Services       xxxxxxxxxxxxxxxx
                                                       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx    Executive – Business Risk Services     xxxxxxxxxxxxxxxx
                                                       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2.2 Timing of visits
We undertook a planning session with the senior management team in May 2012 that determined the detailed scope and timing of all the agreed reviews in the audit plan. From these planning discussions, we envisage undertaking our first visit in July 2012.
2.3 Reporting to the Audit Committee
Our Internal Audit Plan for 2012-13 was presented to the Audit Committee at its meeting in June 2012.
Our internal audit reports summarising the results of our visits for 2012-13 shall be presented to the appropriate Audit Committee meetings.
Following completion of the internal audit work for 2012-13 we shall produce an Annual Report summarising our key findings and evaluating our performance in accordance with agreed service requirements.
Grant Thornton UK LLP
July 2012
A Key themes raised in planning discussions
Areas proposed for review in 2012-13
External drivers
Public Bodies Act and HTA Transition
Context
Under the Public Bodies Act, the coalition government will streamline the number of public bodies in the UK. Following the enactment of the Public Bodies Act in February 2012, a consultation is planned to determine the future of HTA functions.
It is anticipated that the consultation will lead to the functions of HTA being transferred to one or more existing bodies. HTA has proposed that all its functions should be transferred to the same body as the research function is seen as integral to regulatory activity. We understand that the transfer of all HTA functions to one body is Government’s preferred position too.
It is anticipated that the consultation will take place in 2012-13, with the transfer taking effect at some point towards the end of 2014-15.
Our 2011-12 Internal Audit work included a risk facilitation workshop to support SMT in identifying possible risks associated with transition. We have agreed that our 2012-13 work will build on this, concentrating on actions identified to mitigate risks arising from the agreed transition.
Approach to internal audit work
Our internal audit work will focus on actions to mitigate risks associated with the transition option agreed by the coalition government. The form of this work will be agreed in detailed scoping; however, a possible option discussed at initial planning discussions is an assurance piece evaluating the process undertaken to identify mitigating actions and the action taken.
Internal drivers
Corporate Governance
Context
Decisions made by the HTA are open to a significant degree of public scrutiny. The senior management team is aware of the need to demonstrate that decisions are transparent, consistent and that individuals are held appropriately accountable. The HTA has an established governance structure, including a scheme of delegation that outlines the authority and accountability for decision making.
The senior management team identified that it would be valuable to review the scheme of delegation in order to ensure there is clarity as to where, and at what level, decisions sit within the organisation with regard to fulfilling its statutory role and remit. This is driven in part by the recognition that the transition will result in decisions of a nature and scale that were not anticipated when the current scheme of delegation was designed.
Mapping existing arrangements will provide assurance on the suitability of arrangements for business as usual decisions, and enable an evaluation to be made as to what changes may be required to support effective decision making during the transition period.
Approach to internal audit work
Our review will aim to build up a picture of the HTA's scheme of delegation. This will consist of an assurance element involving:
• a desk-based review of key Authority papers and SMT papers to identify which decisions are currently being made where;
• workshops to identify the senior management team's and the Authority's perceptions of where key organisational decisions sit; and
• analysis of any discrepancy between the actual and perceived scheme of delegation to understand whether this presents an opportunity or a risk to effective decision making.
And an advisory element to:
• evaluate the extent to which the scheme of delegation may be applicable to the transition process; and
• outline, based on our experience of other regulatory bodies undergoing transition, good practice that may be applicable to HTA.
Staff Retention
Context
Due to the relatively small size of HTA, the importance of relationships with key stakeholders, and the specialised nature of its work, significant staff turnover may critically impact day-to-day operations.
The senior management team recognise that continued uncertainty about job security as a result of the transition may be leading staff to consider alternative options (where available).
The senior management team have established a range of measures to mitigate this risk, including facilitating contingency planning where needed. Exit interviews are also used to understand the motivations of employees who leave.
Approach to internal audit work
Our assurance and advisory review shall:
• evaluate the existing staff retention and contingency planning arrangements;
• draw on our experience of good practice at other organisations with a view to identifying learning opportunities; and
• test the range of measures being undertaken, assess their coherence with each other and comment on (potentially informed by stakeholder feedback) which measures are perceived to be more effective and which are less so.
Possible additional areas for review
Independent Assessors
Context
HTA has an established team of 140 independent assessors who assess living donor cases on its behalf. The assessors, many of whom are in full time employment, work on a voluntary basis. HTA provides initial training, methodology and quality assurance. Due to the remote nature of assessment work and the varied background of the assessors, HTA’s assessment methodology and quality controls are critical to ensuring the consistency and quality of outputs.
Inevitably, significant reliance is placed on assessor judgements. This is illustrated by the current escalation structure, whereby only assessments that identify weaknesses are subject to quality review by more senior peers. This means where an assessor’s work does not identify any issues, it will not be subject to a full review by other HTA staff.
Approach to internal audit work
During our assurance and advisory review we would:
• consider arrangements to ensure that assessors are appropriately qualified, experienced and trained;
• conduct a walk-through of the current quality assurance process to provide assurance that this is sufficiently robust;
• perform a sample of ‘cold’ file reviews to confirm that the methodology is being applied consistently and conclusions are appropriately evidenced; and
• share best practice in relation to how other organisations undertake such activity with a view to identifying learning opportunities.
IT Security
Context
HTA has an IT security framework, including firewalls to protect the network from external attack. SMT is satisfied that the control structure is appropriate; however, the system has not yet been subjected to live testing, and there are currently no known instances of actual security threats (i.e. hacking attempts etc.) that have tested the current arrangements.
Approach to internal audit work
Our assurance review would:
• provide assurance from our specialist Technology Risk Services team on the design of the security framework; and
• carry out live penetration testing to confirm the operation of the controls.
Information Assurance
Context
Due to the sensitive nature of the activity that the HTA regulates, it is often the subject of Freedom of Information requests.
A data security framework is in place and all staff receive training to enable them to apply it. Nevertheless, given the potential reputational risk arising from breach of the policy, SMT has asked for external assurance that the processes are designed and operating effectively.
Approach to internal audit work
Our assurance and advisory review would:
• evaluate the existing data security framework;
• undertake sample testing to confirm that it is operating consistently across the organisation; and
• draw on our experience of good practice at other organisations with a view to identifying learning opportunities.
B Assurance Themes
This section provides details of:
• Assurance reviews 2011-12: reviews and reports provided to management and the Audit Committee during the reporting period 2011-12;
• Emerging risks 2012-13: risks identified from planning discussions with management, document review and other planning work; and
• Core assurance areas: areas that management and the Audit Committee might reasonably expect to receive assurance over in a 5-7 year period.
Assurance Reviews 2011-12 | Emerging risks 2012-13 | Core assurance areas
Risk management
Transition workshops | Transition Arrangements | Risk management
Governance
Regulatory Arrangements | Corporate Governance (assurance); Corporate Governance (advisory) | Freedom of information/data protection; Policy and stakeholder governance; Strategic Management
Internal Control
Business risk reviews; Major Incident Reporting | Staff retention; Information Assurance; Independent Assessors | Stakeholder relationships; Communications; Compliance with policies/procedures; Environmental policy; Human Resources; Learning and Development; Management Information; Estates/facilities; Diversity/equal ops; Health and Safety
IS/IT
| | IT Strategy; IT Controls; Data security; Business Continuity; IT project management
Core financials
Purchasing; Licence Fee Income | Transition Management | Internal Financial Control; Procurement; Payroll; Financial regulations; Cash flow and treasury management; Anti-fraud and corruption; Financial Planning
C Annual Internal Audit Plan 2012-13
Our internal audit proposal (April 2011) agreed a resource envelope of 30 days per annum. We outline below the proposed areas for internal audit review in 2012-13, based on our planning work. Given the profile of risks facing HTA, we propose to perform fewer, more in-depth reviews coupled with a significant advisory element.
Guideline indicative days are given; however, actual budgets will be agreed with SMT and the Audit Committee at detailed planning. Following discussion with SMT, it was identified that the NAO have not raised any recommendations in relation to financial control and SMT do not have any significant concerns at this time. As a result, we shall consider financial control as part of our work on transition arrangements and follow up.
Audit Area | Indicative days 2012-13 | Supports opinion on (Governance / Risk Management / Internal Control)
Corporate Governance (assurance) | 3 |
Corporate Governance (advisory) | 6 |
Transition Arrangements | 5 |
Staff Retention | 8 |
Follow up | 3 |
Total days | 25 |
Account management | 5 |
Total days | 30 |
www.grant-thornton.co.uk
© 2014 Grant Thornton UK LLP. All rights reserved.
"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership.
Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.
This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication
HUMAN TISSUE AUTHORITY Updated Strategy for Internal Audit 2008/09 – 2010/11
For presentation at the Audit Committee meeting of 6th May 2010 Approved by xxxxxxxx as Head of Internal Audit
Human Tissue Authority Strategy for Internal Audit
CONTENTS
Section | Page
1 Introduction | 1
2 Developing your Strategy for Internal Audit | 2
3 Internal Audit Resources | 2
4 Considerations required of the Audit Committee | 3
Appendices
A Risk Maturity Matrix | 4
B Detailed Internal Audit Plan 2010/11 | 5
C Updated Strategy for Internal Audit: 2008/09 – 2010/11 | 8
This report is prepared solely for the use of Board and senior management of Human Tissue Authority. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.
© 2010 RSM Tenon Limited
RSM Tenon Limited is a member of RSM Tenon Group. RSM Tenon Limited is an independent member firm of RSM International, an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB, England.
Human Tissue Authority Strategy for Internal Audit 2008/09 – 2010/11
1 INTRODUCTION
1.1 THE PURPOSE OF INTERNAL AUDIT
The purpose of internal audit is to provide the Board, through the Audit Committee, with an independent and objective opinion on risk management, control and governance and their effectiveness in achieving the organisation’s agreed objectives. This opinion forms part of the framework of assurances that the Board receives and should be used to help inform the annual Statement on Internal Control. Internal Audit also has an independent and objective consultancy role to help line managers improve risk management, governance and control.
Our strategy for 2008/2011 was approved by the Audit Committee on the 20th May 2008. The purpose of this document is to update that strategy and to provide a more detailed internal audit plan for 2010/11.
1.2 OUR RESPONSIBILITIES
Our professional responsibilities as internal auditors are set out in the International Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA).
HM Treasury’s Government Internal Audit Standards (GIAS) are closely linked to the IIA’s Standards, with some additional requirements specific to government departments and agencies.
In line with these requirements, we perform our internal audit work with a view to reviewing and evaluating the risk management, control and governance arrangements that the organisation has in place, and in particular how those elements contribute to the achievement of the organisation’s objectives.
Figure 1: The Assurance Cycle
2 THE UPDATED INTERNAL AUDIT PLAN
2.1 HOW THE STRATEGY WAS DEVELOPED
In 2008/09 we undertook a review of the organisation’s risk maturity and concluded that the HTA is a risk defined organisation. In 2009/10 a follow up review of the recommendations raised in the Risk Maturity review confirmed that reasonable progress had been made by management in strengthening the Authority’s risk management framework. We are therefore able to place reliance on your risk registers / assurance framework to inform the update of the internal audit strategy (see the Risk Maturity Matrix at Appendix A). In 2010/11 an assurance stocktake is proposed, building on the previous risk maturity audits, to review the effectiveness of the arrangements for mapping assurances.
We will continually liaise with management and review the areas for internal audit coverage and timing, and amend the strategy as appropriate to ensure that assurance provided by internal audit remains relevant as the risks facing the organisation change. Any changes made to the strategy will be discussed with our key contacts and will be taken to the Audit Committee for approval.
3 INTERNAL AUDIT RESOURCES
3.1 YOUR INTERNAL AUDIT TEAM
Your internal audit team is led by xxxxxxxx, HIA, supported by xxxxxxxxx, Associate Director.
Your Client Manager is xxxxxxxxx.
We are not aware of any relationships that may affect the independence and objectivity of the team, and which are required to be disclosed under auditing standards.
3.2 INTERNAL AUDIT FEES
In line with our tender and subsequent engagement letter, the fee for your internal audit service for 2010/11, based on individual daily rates, is £19,578. The following skills mix will be utilised:
Grade of IA Staff | Proportion
HIA / Director | 6%
Client Manager | 15%
Assistant Manager / Senior Auditor | 33%
Auditor | 33%
ISA Specialist | 13%
4 CONSIDERATIONS REQUIRED OF THE AUDIT COMMITTEE
• Does the detailed internal audit plan for the coming financial year (see Appendix B) reflect the areas that the Audit Committee believe should be covered as priority?
• Does the updated Strategy for Internal Audit (as set out at Appendix C) cover the organisation’s key risks as they are recognised by the Audit Committee?
• Does the audit strategy include all those areas that the Audit Committee would expect to be subject to internal audit coverage, both in terms of our professional responsibilities as well as covering areas of concern flagged by management?
• Is the level of audit resource accepted by the Committee and agreed as appropriate, given the level of assurance required?
RSM Tenon April 2010
APPENDIX A: RISK MATURITY MATRIX
(Columns: Risk Maturity; Characteristics of your risk management arrangements; RSM Tenon’s Internal Audit Approach)

Risk Naïve
Characteristics: No formal approach developed for risk management.
Internal Audit approach: Promote risk management, advisory work to help put the risk management framework in place. Rely on internal audit’s assessment of risk to drive the internal audit plan.

Risk Aware
Characteristics: Scattered silo-based approach to risk management.
Internal Audit approach: Promote embedded and joined-up risk management activities. Rely on internal audit’s assessment of risk to drive the internal audit plan.

Risk Defined
Characteristics: Strategy and policies in place and communicated. Risk appetite defined.
Internal Audit approach: Facilitate risk management/liaise with risk management. Review of risk management processes already in place. Internal Audit rely on your assessment of risk, but will also identify other risk areas for internal audit coverage.

Risk Managed
Characteristics: Enterprise-wide approach to risk management developed and communicated. Risk management is considered at the highest level of the business, but could be further developed to inform decision making.
Internal Audit approach: Depending on the business’s attitude to risk management, provide advice and support to move to a risk enabled organisation. Audit existing risk management processes to confirm effectiveness. Management’s assessment of risk drives the audit plan, although internal audit will continue to challenge whether there are other risks that require internal audit coverage.

Risk Enabled
Characteristics: Risk management and internal control fully embedded into the operations. Risk management is used to help manage the business; consequently the business is able to take risks on an informed basis to achieve its objectives.
Internal Audit approach: Audit risk management processes to confirm effectiveness. Management’s assessment of risk drives the audit plan, although internal audit will continue to challenge whether there are other risks that require internal audit coverage.
Source: Based on Risk Maturity Matrix, Institute of Internal Auditors, Risk Based Auditing Position Statement
APPENDIX B: DETAILED INTERNAL AUDIT PLAN 2010/2011
RISK BASED COVERAGE
(Columns: Risk; Audit Title; Mitigating Controls / areas of coverage to be considered in IA review; Days; Timing)

Audit Title: Governance (CEO and Director of Resources). A review of HTA’s governance arrangements with particular reference to compliance with external control and reporting requirements in respect of Cabinet Office rules and expenses policies.
Risk: Reputational damage due to failure to comply with regulatory framework and/or losses due to potential frauds.
Mitigating controls / areas of coverage: Sound framework for collating, processing and validating source HR and finance data; quarterly performance reporting; Board scrutiny.
Days: 3. Timing: June 2010.

Audit Title: Risk Management (CEO and Director of Resources). High level review of the Authority’s risk management framework to ensure risks to the achievement of the organisation’s aims are effectively identified and mitigated with appropriate assurances reported to the Audit Committee. In 2010/11 this audit will look in particular at the links between the risk register and ongoing business, including the process for updating the registers in light of emerging issues and performance. In addition, the process for establishing risks in respect of new projects will be assessed, as well as the general process for assessing and recording risks in a consistent manner across the organisation.
Risk: The Assurance Framework does not reflect current priorities. New objectives and risks are not incorporated into the Assurance Framework. The Board is unaware of the principal risks affecting achievement of objectives, and therefore objectives may not be achieved. There are inconsistencies or lack of linkage between the assurance framework and other risk management activities; this could lead to some risks not being monitored, or to duplicated effort. Sources of independent assurance and action plans do not address key risks, therefore the Board may consider risks are being managed when they are not.
Mitigating controls / areas of coverage: Embedded Assurance Framework; clear roles and accountabilities; routine monitoring of strategic and operational risk registers; periodic testing of mitigating controls and independent assurances.
Days: 3. Timing: January 2011.

Audit Title: Inspection and Licensing (Director of Regulation). These functions are core business processes for the organisation. At the request of the HTA this audit will concentrate in particular on whether the desk based assessment of compliance is borne out by the site visit inspection process. The objective is to provide assurance around the self assessment processes undertaken, whether the standards used are the most appropriate and whether there are specific sector anomalies. The intention is to help the organisation develop its self assessment and desk based assessment process going forward.
Risk: Reputational damage due to failure to fulfil the organisation’s statutory duty to regulate organisations storing or using human tissue.
Mitigating controls / areas of coverage: Existing procedures; staff training; quality assessment and management process; external assessment and review.
Days: 8. Timing: August 2010.
COVERAGE FOR EXTERNAL AUDIT RELIANCE OR TO MEET REGULATORY REQUIREMENTS
(Columns: Audit Title; Scope; Days; Provisional Timing)

Audit Title: Core Financial Controls and Management Accounts (Director of Resources).
Scope: Cyclical coverage of the following finance systems of control: Financial Management & Budgetary Control; Fixed Asset Management; Creditors and Purchases (including contract and tendering activities); Income and Debtors; Credit Card and expenses; General Ledger; and Payroll and Pensions. Coverage may also include a review of the HTA management accounting system to provide assurance on the accuracy, robustness and timeliness of the information used for management decision making. Specific finance systems of control to be reviewed will be agreed with management prior to commencement of fieldwork. Controls to be tested will be agreed with External Audit prior to the commencement of fieldwork. Key focus will be on substantive transaction testing.
Days: 12. Provisional Timing: November 2010.
OTHER INTERNAL AUDIT WORK
(Columns: Topic; High Level Scope; Days; Provisional Timing)

Topic: IT Audit - Data Security / Information Governance (Director of Resources and Head of ICT).
High Level Scope: Two key issues to be covered at the request of HTA: system security to prevent external penetration; and compliance with DPA regulations.
Days: 5. Provisional Timing: September 2010.

Topic: Follow Up (Head of Finance).
High Level Scope: To meet the IIA Standards and to provide management with ongoing assurance regarding implementation of recommendations.
Days: 2. Provisional Timing: February 2010.

Topic: End of year management.
High Level Scope: This will include preparation of the annual internal audit opinion.
Days: 1. Provisional Timing: March 2011.

Topic: Audit Management and Quality Control.
High Level Scope: This will include: annual planning; preparation for, and attendance at, audit committee meetings; regular liaison and progress updates; and liaison with external audit.
Days: 5. Provisional Timing: Ongoing.

Total: 39 days.
APPENDIX C: UPDATED STRATEGY FOR INTERNAL AUDIT 2008/09 – 2010/11
RISK BASED COVERAGE
(Columns: Risks; Auditable Area; Objective Type¹; Source; Days 2009/10; Days 2010/11; Days 2011/12)

Auditable Area: Governance
Risks: Reputational damage due to failure to comply with regulatory framework and/or losses due to potential frauds. Achievements of the Authority understated as reporting framework is inadequate.
Objective Type¹: Strategic; Reporting; Compliance.
Source: Annual coverage informing HIA opinion.
Days: 2009/10 (3); 2010/11 (3); 2011/12 (3).

Auditable Area: Risk Management
Risks: The Assurance Framework does not reflect current priorities. New objectives and risks are not incorporated into the Assurance Framework. The Board is unaware of the principal risks affecting achievement of objectives, and therefore objectives may not be achieved. There are inconsistencies or lack of linkage between the assurance framework and other risk management activities; this could lead to some risks not being monitored, or to duplicated effort. Sources of independent assurance and action plans do not address key risks, therefore the Board may consider risks are being managed when they are not.
Objective Type¹: Strategic; Operational; Reporting; Compliance.
Source: Annual coverage informing HIA opinion.
Days: 2009/10 (3); 2010/11 (3); 2011/12 (3).

Auditable Area: Inspection and Licensing
Risks: Reputational damage due to failure to fulfil the organisation’s statutory duty to inspect and licence organisations storing or using human tissue.
Objective Type¹: Strategic; Operational; Reporting; Compliance.
Source: Strategic risk register.
Days: (5) (8).

Auditable Area: Transplantation
Risks: Reputational damage due to ineffective transplant regulations and an insufficient Independent Assessment framework, resulting in breaches of the Human Tissue Act 2004. Lack of policy on new or emerging issues leading to inaccurate or misleading advice. Transplant approval turn-around time targets not met.
Objective Type¹: Strategic; Operational; Reporting; Compliance.
Source: Strategic risk register.
Days: (5).

Auditable Area: Performance Management
Risks: Strategic aims and objectives are not cascaded into operational and individual performance targets, resulting in non-congruence of activity and failure to deliver corporate aims. Achievements of the Authority understated as performance monitoring and reporting framework is inadequate.
Objective Type¹: Strategic; Operational; Reporting; Compliance.
Source: Strategic risk register.
Days: (5).

¹ Ref: COSO ERM Framework

COVERAGE FOR EXTERNAL AUDIT RELIANCE OR TO MEET REGULATORY REQUIREMENTS
Systems | Source of Requirement | 2009/10 (Days) | 2010/11 (Days) | 2011/12 (Days)
Core Financial Control: cyclical coverage of the organisation’s financial control systems | Annual coverage informing HIA opinion | (12) | (12) | (12)

ADVISORY INPUT AND OTHER INTERNAL AUDIT COVERAGE
Internal Audit Coverage | Source / Rationale | 2009/10 (Days) | 2010/11 (Days) | 2011/12 (Days)
ISA Audit | Annual review of the organisation’s ISA systems of control | (5) | (5) | (5)
Follow Up | To meet the IIA Standards and to provide management with ongoing assurance regarding implementation of recommendations | (2) | (2) | (2)
End of year management | This will include preparation of the annual internal audit opinion | (1) | (1) | (1)
Audit Management and Quality Control | This will include: annual planning; preparation for, and attendance at, Audit Committee meetings; regular liaison and progress updates; and liaison with external audit | (3) | (3) | (5)
Total | | 39 | 34 | 39
Contingency* | | 5 | 5 | 5
*To be used at the discretion / approval of the Audit Committee.
Risk Assessment and Internal Audit Plan 2013/2016
Human Tissue Authority
June 2013
Contents
1. Introduction and Approach 1
2. Audit Universe 3
3. Risk Assessment 4
4. Internal Audit Plan and Indicative Timeline 8
Appendix 1: Corporate Objectives and Risks 10
Appendix 2: Risk Assessment Criteria 11
Appendix 3: Detailed methodology 12
This document has been prepared only for the Human Tissue Authority and solely for the purpose and on the terms agreed with the Human Tissue Authority.
Distribution List
For action: Accounting Officer
Audit Committee
National Audit Office
Department of Health Internal Audit
1. Introduction and Approach
Introduction
This document sets out the Internal Audit Risk Assessment and Annual Plan for the Human Tissue Authority.
Approach
A summary of our approach to developing the Risk Assessment and Annual Internal Audit Plan is set out below. A more detailed description can be found in Appendices 2 and 3.
Step 1 (Understand corporate objectives and risks): Obtain information and utilise sector knowledge to identify corporate level objectives and risks.
Step 2 (Define the audit universe): Identify all of the auditable units within the organisation. Auditable units can be functions, processes or locations.
Step 3 (Assess the inherent risk): Assess the inherent risk of each auditable unit based on impact and likelihood criteria.
Step 4 (Assess the strength of the control environment): Assess the strength of the control environment within each auditable unit to identify auditable units with a high reliance on controls.
Step 5 (Calculate the audit requirement rating): Calculate the audit requirement rating taking into account the inherent risk assessment and the strength of the control environment for each auditable unit.
Step 6 (Other considerations): Consider additional audit requirements to those identified from the risk assessment process.
Step 7 (Determine the audit plan): Determine the timing and scope of audit work based on the organisation’s risk appetite.
Background
The Human Tissue Authority (‘HTA’) was established under the Human Tissue Act 2004 to regulate activities concerning the removal, storage, use and disposal of human tissue and organs. The HTA is an Executive Non-Departmental Public Body sponsored by the Department of Health.
The performance of the HTA is monitored throughout the year by the Senior Management Team and the Authority. Progress against targets and the business plan are reported to DH at quarterly accountability meetings.
Key contacts
We have met some Directors and discussed our Internal Audit Strategy and Plan with the Senior Management Team. The following stakeholders have been consulted during the planning process.
Area | Contact
Accounting Officer | Chief Executive
Executive Directors & Senior Managers | Director of Resources; Director of Regulation; Director of Strategy & Quality; Director of Communications & Public Affairs; Head of Finance & Governance
Audit | Chair of the Audit Committee; Department of Health Internal Audit; National Audit Office
2. Audit Universe
The high level auditable units within the audit universe of the Human Tissue Authority are:
Chief Executive
• External Stakeholders: DH & other ALBs; Ministers; Parliament & Devolved Administrations
• Governance: Board & Quarterly Accountability Meeting; Risk Management; KPIs
Core Business
• Regulation: Licencing; Inspection; Case Management; Provision of Advice; European Competent Authority Roles
• Strategy and Quality: Business Planning; Transplant Approvals; Independent Assessors; Quality Assurance
• Communications and Public Affairs: Website; Internal Communications; Media Relations; Stakeholder Management; Crisis Management
Cross Cutting Operations
• Resources: Human Resources (General HR functions; Training & Development); Finance; Legal; Business Technology; Information Governance
Appendix A: Internal Audit Plan and Indicative Timeline
3. Risk Assessment
Each auditable unit (as illustrated in the diagram in Section 2) has been assessed for inherent risk and the strength of the control environment, in accordance with the methodology set out in Appendix 3.
(Columns: Ref; Auditable Unit; Corporate objectives and risks; Inherent Risk Rating; Control Environment Indicator; Audit Requirement Rating; Frequency (see key); Suggested Frequency)

A Chief Executive

A.1 External stakeholders
Corporate objectives and risks: All corporate objectives and risks; covers objectives & risks b, d and i in Appendix 1 in particular.
Inherent Risk Rating: N/a. Control Environment Indicator: N/a. Audit Requirement Rating: N/a.
Suggested Frequency: Relationship between CEO and key stakeholders (e.g. DH) – not considered auditable.

A.2 Governance
Inherent Risk Rating: 2. Control Environment Indicator: 2. Audit Requirement Rating: 1.
Suggested Frequency: An understanding of Governance is required as part of the Public Sector Internal Audit Standards. We noted: Corporate Governance and Decision Making Framework reviewed in 2012 by Internal Audit (green); Risk Management reviewed in 2010-11 (and regular review and oversight by the Audit Committee); Major Incident Reporting reviewed in 2011-12. No incidents of recent frauds. KPI reporting was covered in an IA report in 2009/10 and, due to regular DH scrutiny, it is not seen as high risk. We understand that an independent review of how HTA performs its work is in progress. No work proposed.
B Core Business

B.1 Regulation (covers licencing of over 500 establishments, including publishing standards, inspections/audits*, and providing advice). *Inspections are either full or themed reviews. HTA use “audits” rather than inspections for the Organ Transplant sector.
Corporate objectives and risks: Covers risks and objectives a, d, e and g (Appendix 1).
Inherent Risk Rating: 5. Control Environment Indicator: 5. Audit Requirement Rating: 3.
Suggested Frequency: Regulatory Arrangements audit performed in 2012. Two strategic risks are linked to core regulatory objectives. Suggest end-to-end process review of a sample of key regulatory processes within post mortem, human application, research, public display, and/or organ transplant. This will include tracking of inspection processes and case management.

B.2 Strategy & Quality, includes: Business Planning; Transplant Approvals; Independent Assessment of living organ donations; Quality Assurance.
Corporate objectives and risks: Covers risks and objectives a, d, e, and g (Appendix 1).
Inherent Risk Rating: 4. Control Environment Indicator: 3. Audit Requirement Rating: 3.
Suggested Frequency: Higher risk areas relate to independent assessors and transplant approvals. Suggest end-to-end process review of one of these areas, to be agreed with the Director of Strategy & Quality.

B.3 Communication & Public Affairs, includes: Website development; Internal Communications; Media Relations; Stakeholder Management; Crisis Management.
Corporate objectives and risks: See objectives and risks b, g and i in particular in Appendix 1.
Inherent Risk Rating: 2. Control Environment Indicator: 2. Audit Requirement Rating: 1.
Suggested Frequency: Perceived as low residual risk in the Strategic Risk Register. Crisis Management Plan reviewed at the February 2013 Audit Committee. No work proposed.
Appendix A: Internal Audit Plan and Indicative Timeline
HTA 6
Ref Auditable Unit
Co
rp
or
ate
ob
jec
tiv
es
an
d
ris
ks
Inh
er
en
tR
isk
Ra
tin
g
Co
ntr
ol
En
vir
on
me
nt
Ind
ica
tor
Au
dit
Re
qu
ire
me
nt
Ra
tin
g
Fr
eq
ue
nc
y(s
ee
ke
y)
Suggested Frequency
C Cross Cutting
Operations
C.1 Resources - Finance
(core system Great
Plains)
All
corporate
objectives
and risks
See risk
and
objectives d
and h in
appendix 1
in
particular
2 2 1 Financial Controls last audited in
2011-12 (green).
Finance processes perceived as
lower risk; however there is an
ongoing need for coverage of core
controls and pressure to reduce
costs by a further 11%.
Suggest general financial controls
audit covering for example licence
income (£3.3m), payroll (£2.3m),
debt management, general ledger
reconciliations, journals, expenses
and purchases.
Terms of reference will be shared
with the NAO.
C.2 Resources - Legal - 2 2 1 Not identified as a high risk.
No work proposed.
C.3 Resources – Business
Technology
(including IT services
outsourced to
- 2 2 1 Focus to include IT security in
particular over the online portal.
Sensitive data includes for example
personal data in relation to
transplant approvals.
C.4 Resources –
Information
Governance
- 4 3 3 No areas of non-compliance
reported within the Statement of
Governance.
Propose independent review of the
evidence supporting the Security
Policy Framework Information Risk
Management Return.
C.5 Human Resources See
objectives c
and d in
particular
in appendix
1
3 3 2 Resourcing and capacity risks are
linked to two key strategic risks.
Audit of Staff Retention in 2012-13
(green).
Propose General HR Controls audit
in Year 3.
Key to frequency of audit work
We plan our internal audit work to progressively provide coverage over the main activities of the organisation. The key below is advisory, as the Internal Audit plan will also be contingent on key risks, other sources of assurance, and the appetite for assurance in each area by management and the Audit Committee. We will revisit the Internal Audit plan annually and refresh it based upon changing business priorities and risks of the organisation.

| Audit Requirement Rating | Frequency – PwC standard approach | Colour Code |
|---|---|---|
| 6 | Annual | |
| 5 | Annual | |
| 4 | Annual | |
| 3 | Every two years | |
| 2 | Every three years | |
| 1 | No further work | |
4. Internal Audit Plan and Indicative Timeline
The following table sets out the proposed internal audit work days planned to 31 March 2014, together with indicative areas for 2015 and 2016.

| Ref | Auditable title | Yr 1 y/e 2014 | Yr 2 y/e 2015 | Yr 3 y/e 2016 | Comments (Refer to Section 3 – Risk Assessment) |
|---|---|---|---|---|---|
| | Core Business | | | | |
| B.1 | Key Regulatory Processes | - | 15 | - | Review of a sample of key regulatory processes within post mortem, human application, research, public display, and/or organ transplant. This will include tracking of inspection processes and case management. |
| B.2 | Independent Assessors / Transplant Approvals | - | - | 13 | Review of independent assessors or transplant approvals (to be agreed). |
| | Cross cutting processes | | | | |
| C.1 | General Financial Controls | 12 | - | - | Assurance on fundamental core financial controls. The approach will be discussed with the NAO. Year 1 coverage may include: licence income; payroll; debt management; general ledger reconciliations; journals; expenses; purchases; reported efficiency savings. Suggested timing: September 2013 |
| C.1 | Resources - Business continuity | - | - | 5 | Progressive coverage of key controls, including: completeness of business continuity plans; robustness of plans and procedures; communication; testing of plans. |
| C.3 | IT Security | 10 | - | - | IT Security health check over the online portal. Suggested timing: September 2013 |
| C.4 | Information Governance | - | 5 | - | Propose independent review of the evidence supporting the Security Policy Framework Information Risk Management Return. |
| C.5 | HR General Controls | - | - | 5 | To include review of controls over recruitment. |
| Z | Audit Project Management | | | | |
| Z.1 | Planning and Management | 6.5 | 3 | 3 | Audit Project Management, including attendance at two Audit Committees and production of Annual Internal Audit Report. |
| Z.2 | Follow up audits | 2 | 2 | 2 | Sample testing of recommendations to provide assurance of implementation. |
| | Total days | 30.5 | 25 | 28 | |
Appendix 1: Corporate Objectives and Risks
These corporate level objectives and risks have been determined by The Human Tissue Authority and have been extracted from the draft Corporate Plan for 2013 – 2016 and the Corporate Risk Register. The risks below will inform individual internal audit reviews; some areas have been highlighted as lower risk and are flagged as areas of possible review in years 4 or 5.

| Ref | Key Objectives | Cross reference to Internal Audit Plan (see Section 4) |
|---|---|---|
| a | To improve further the effectiveness of our regulatory activity and our advice and guidance | Regulatory arrangements reviewed in 2011-12 (green) – propose to review again in 2015 as this is a core business activity |
| b | To develop and consolidate productive stakeholder relationships with the public and professionals | Not considered auditable |
| c | To have a skilled, motivated and dedicated team equipped to do the job in a challenging operational environment | Staff retention was carried out in 2013 (green). Key risks (below) link to HR issues – propose review of core HR controls in 2015. |
| d | To ensure that HTA is effectively governed and is managed effectively providing value for money for licensed establishments and the taxpayer | Core financial controls reviewed in 2011-12. Ongoing efficiency agenda and probity outside of the external audit (particularly in a period of change) – key financial controls audit in 2013/14. |

We have reviewed your corporate risk register and linked your top 5 risks to our audit plan as follows:

| Ref | Key Risks | Cross reference to Internal Audit Plan (see Section 4) |
|---|---|---|
| | Strategic | |
| e | Inability to carry out its statutory remit | Refer to audit of regulatory processes and independent assessors. |
| f | Failure to manage change | Key focus on business as usual controls and business processes (above). |
| g | Inability to manage an actual or potential major event, such as retention of tissue or serious injury or death to a person resulting from a treatment involving processes regulated by the HTA | Crisis Management has been reviewed by the Audit Committee – potential review of business continuity proposed. |
| h | Insufficient financial resources | Review Financial Controls (going concern will be assessed as part of the NAO audit) |
| i | Inadequate relationship and stakeholder management | Not considered auditable. |
Appendix 2: Risk Assessment Criteria
Determination of Inherent Risk
We determine inherent risk as a function of the estimated impact and likelihood for each auditable unit within the audit universe as set out in the tables below.

| Impact rating | Assessment rationale |
|---|---|
| 6 | Critical impact on operational performance; or critical monetary or financial statement impact; or critical breach in laws and regulations that could result in material fines or consequences; or critical impact on the reputation or brand of the organization which could threaten its future viability. |
| 5 | Significant impact on operational performance; or significant monetary or financial statement impact; or significant breach in laws and regulations resulting in large fines and consequences; or significant impact on the reputation or brand of the organization. |
| 4 | Major impact on operational performance; or major monetary or financial statement impact; or major breach in laws and regulations resulting in significant fines and consequences; or major impact on the reputation or brand of the organization. |
| 3 | Moderate impact on the organization’s operational performance; or moderate monetary or financial statement impact; or moderate breach in laws and regulations with moderate consequences; or moderate impact on the reputation of the organization. |
| 2 | Minor impact on the organization’s operational performance; or minor monetary or financial statement impact; or minor breach in laws and regulations with limited consequences; or minor impact on the reputation of the organization. |
| 1 | Insignificant impact on the organization’s operational performance; or insignificant monetary or financial statement impact; or insignificant breach in laws and regulations with little consequences; or insignificant impact on the reputation of the organization. |

| Likelihood rating | Assessment rationale |
|---|---|
| 6 | Has occurred or probable in the near future |
| 5 | Possible in the next 12 months |
| 4 | Possible in the next 1-2 years |
| 3 | Possible in the medium term (2-5 years) |
| 2 | Possible in the long term (5-10 years) |
| 1 | Unlikely in the foreseeable future |
Appendix 3: Detailed methodology
Step 1 - Understand corporate objectives and risks
In developing our understanding of your corporate objectives and risks, we have:
• reviewed key corporate documents, including your strategy, business plan, financial statements, organisational structure and corporate risk register;
• reviewed recent Audit Committee and Board minutes;
• drawn on our knowledge of the Central Government; and
• considered coverage provided by Internal Audit previously.
Step 2 - Define the Audit Universe
In order that our internal audit plan reflects your management and operating structure we have identified the audit
universe for the Human Tissue Authority made up of a number of auditable units. Auditable units include functions,
processes, systems, products or locations. Any processes or systems which cover multiple locations are separated into
their own distinct cross cutting auditable unit.
Step 3 - Assess the inherent risk
Our internal audit plan should focus on the most risky areas of the business. As a result each auditable unit is allocated an inherent risk rating, i.e. how risky the auditable unit is to the overall organisation and how likely the risks are to arise.
The inherent risk assessment is determined by:
• mapping the corporate risks to the auditable units;
• our knowledge of your business and Central Government;
• discussions with management.

The inherent risk rating is read from the matrix below (rows: Impact Rating; columns: Likelihood Rating):

| Impact Rating \ Likelihood Rating | 6 | 5 | 4 | 3 | 2 | 1 |
|---|---|---|---|---|---|---|
| 6 | 6 | 6 | 5 | 5 | 4 | 4 |
| 5 | 6 | 5 | 5 | 4 | 4 | 3 |
| 4 | 5 | 5 | 4 | 4 | 3 | 3 |
| 3 | 5 | 4 | 4 | 3 | 3 | 2 |
| 2 | 4 | 4 | 3 | 3 | 2 | 2 |
| 1 | 4 | 3 | 3 | 2 | 2 | 1 |
Step 4 - Assess the strength of the control environment
In order to effectively allocate internal audit resources we also need to understand the strength of the control
environment within each auditable unit. This is assessed based on:
• our knowledge of your internal control environment
• information obtained from other assurance providers, including the prior year assessment by the previous Internal Auditors
Step 5 - Calculate the audit requirement rating
The inherent risk and the control environment indicator are used to calculate the audit requirement rating. The formula ensures that our audit work is focused on areas with high reliance on controls or a high residual risk.
The audit requirement rating is read from the matrix below (rows: Inherent Risk Rating; columns: Control design indicator):

| Inherent Risk Rating \ Control design indicator | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| 6 | 6 | 5 | 5 | 4 | 4 | 3 |
| 5 | 5 | 4 | 4 | 3 | 3 | n/a |
| 4 | 4 | 3 | 3 | 2 | n/a | n/a |
| 3 | 3 | 2 | 2 | n/a | n/a | n/a |
| 2 | 2 | 1 | n/a | n/a | n/a | n/a |
| 1 | 1 | n/a | n/a | n/a | n/a | n/a |
Step 6 - Determine the audit plan
Your risk appetite determines the frequency and scope of internal audit work at each level of audit requirement.
Your risk appetite determines the intensity of internal audit work at each level of audit requirement.
Step 7 - Other considerations
In addition to the audit work defined through the risk assessment process described above, we may be requested to undertake a number of other internal audit reviews such as regulatory driven audits, value enhancement or consulting reviews.