Internal Audit/Client Liaison Protocol · B Training Checklist and Training Needs Analysis 15 ......

Document Title Internal Audit Process

Reference Number NTW(O)25

Lead Officer Director of Finance

Author(s)

(name and designation)

Caroline Wild -

Deputy Director of Corporate Relations and Communications, Chief Executive Office (June16)

Ratified by Audit Committee

Date ratified 21 November 2012

Implementation Date 1 December 2012

Date of full implementation

1 December 2012

Review Date June 2017

Version number V03.4

Review and Amendment Log

Version Type of Change

Date Description of Change

V03

Update

Nov 12

Section 1 (revision) - Introduction – guidance also covers counter fraud reports

Sections, 2, 3, Updated in formation Section 4 (revision) – Background to Internal Audit:

4.3 Annual Governance Statement (previously known as Statement on Internal Control)

4.4.1 Audit Plan inclusions Section 5 (revision) – Internal Audit stages

5.4.2 - Intervention by director (previously Audit Liaison Officer (ALO))

5.5.3 - Board Secretary (previously ALO)

5.5.4 – Exit meeting -arranged by the key contact

5.6.1 and 5.6.3 – Change to timescales

5.6.4 - Response of further discussion needed acceptable.

5.6.6 – Internal Audit will highlight issues to the Audit Committee

5.7.2 – Director’s confirmation

5.7.6 – Head of Assurance (previously Business Support / Project Manager)

5.8.1 – Progress report for reports with “limited” or “no” assurance

5.8.2, 5.8.5 and 5.8.6 – SMT involvement

5.8.8 – Questionnaires for Executive Directors and the Audit Committee

Section 7-18 Updated, Appendices A-D included Appendices 1-5 Updated

V03.1 Amend Feb 13 Policy number changed to Operational (NTW(O)25)

V03.2 Update Dec 15 Extension to Review – June 2016

V03.3 Update Jun 16 Extension to Review – December 2016

V03.4 Update Dec 16 Extension to Review – June 2017

This policy supersedes:

Document Number Title

NTW(F)11 – V03.2 Guidance on the internal audit process

Internal Audit Process

Section Contents Page No.

1 Introduction 1

2 Duties and Responsibilities 1

3 Definition of Terms 2

4 Background to Internal Audit 2

5 Internal Audit Stages 4

6 Identification of Stakeholders 9

7 Training 9

8 Implementation 9

9 Standard Key Performance Indicators 9

10 Monitoring Compliance 10

11 Equality and Diversity 10

12 Fair Blame 11

13 Fraud and Corruption 11

14 Conclusion 11

15 Associated Documents 11

16 References 11

Standard Appendices – attached to policy

A Equality and Diversity Impact Assessment - 12

B Training Checklist and Training Needs Analysis 15

C Audit Monitoring Tool 17

D Policy Notification Record Sheet - click here

Appendices (listed within policy)

Appendix 1 Key Contact (for specific audits) - Role and responsibilities 20

Appendix 2 Director’s responsibility 22

Appendix 3 Levels of assurance provided by Internal Audit reports 23

Appendix 4 Provision of information, timescales and performance indicators 24

Appendix 5 Processes for considering limited assurance, no assurance; reporting progress on management actions

25

http://nww1.ntw.nhs.uk/services/?id=5950&p=5539&sp=5545

NTW(O)25

Northumberland, Tyne and Wear NHS Foundation Trust NTW(O)25 – Guidance on the Internal Audit Process - V03.4 – Issued Jan 17

1

1. Introduction 1.1 This guidance is designed to ensure that Northumberland, Tyne and Wear NHS

Foundation Trust, (the Trust/NTW) officers involved at any stage of the audit process are aware of the process relating to an internal audit report. As the approach to internal audit and counter fraud reports is very similar, the guidance also covers counter fraud reports. It also includes details of the roles and responsibilities of key officers within the process.

1.2 The guidance has been produced by the Deputy Director of Corporate Relations and

Communications in conjunction with the Head of Internal Audit. 1.3 Please note the following with regard to “Equality and Diversity”:

If a version of this policy or an individual form used in the policy procedure is required in a larger font-size, please contact the “Author” (see front sheet) to request

If any part or all of this policy procedure is required in a language other than English, please contact the “Author” to discuss your requirement

2 Duties and Accountabilities 2.1 Executive Directors 2.1.1 The executive directors are collectively responsible for proposing areas for inclusion in the audit plan, which sets out details of the assignments to be carried out. 2.1.2 Each executive director has overall responsibility for audits in his/her responsibility. A summary of executive director responsibilities is shown at Appendix 2. 2.2 Executive Director of Finance 2.2.1 The Executive Director of Finance is responsible for establishing an internal audit function as per Standing Financial Instructions. 2.3 Audit Committee 2.3.1 The Audit Committee is a committee of the Board of Directors consisting of 3

independent Non Executive Directors. 2.3.2 The Committee approves the audit plan and any subsequent changes to it, and

reviews progress against the audit plan. 2.3.3 It reviews the findings of internal audit and counter fraud work, associated

management responses and progress against action plans. 2.3.4 Its primary role is to conclude upon the adequacy and effective operation of the Trust’s

overall internal control system, on behalf of the Board of Directors.

NTW(O)25


2

2.3.5 An effective Audit Committee is dependent on an effective internal audit function. As

part of the review of the effectiveness of Internal Audit, the Audit Committee completes a questionnaire on overall performance on an annual basis.

2.4 Chief Executive 2.4.1 The Chief Executive is responsible for conducting an annual review of the effectiveness of the system of internal control, which is formally reported in the Annual Governance Statement and is subject to Board of Directors’ approval and external audit review. The annual Head of Internal Audit’s opinion on the overall adequacy and effectiveness of the Trust’s risk management, control and governance processes contributes to the assurances available. 2.5 Key contacts 2.5.1 This role is performed by a senior manager nominated by the executive director and is responsible for the smooth running of the audit. A summary of responsibilities is shown at Appendix 1 2.6. Deputy Director of Corporate Relations and Communications

2.6.1 The Deputy Director of Corporate Relations and Communications acts as secretary for the Audit Committee and is regarded as the link between the Audit Committee and the Corporate Decision Team (CDT), presenting reports to the CDT where appropriate.

2.6.2 Where there are difficulties identified in obtaining information or access to staff that the

key contact is unable to resolve within 1 week, the Deputy Director of Corporate Relations and Communications will discuss the issues and impact with the relevant director and maintain a log of the details for Audit Committee information.

2.7 Corporate Decision Team (CDT) 2.7.1 The CDT comprises of the Chief Executive, Executive Directors, Group directors

(Planned Care, Urgent Care and Specialist Care groups) and other senior officers. Prior to Audit Committee review, the CDT considers a summary of every final report and may request the consideration of a full report if appropriate.

2.7.2 If necessary, the CDT may intervene with applying the lessons from a report more

widely within the Trust, implement a more robust action plan or complete the action plan and/or the addressing of risks sooner than the original response, etc.

2.7.3 The CDT also considers routine reports from Internal Audit on progress against action

plans prior to Audit Committee review.

NTW(O)25


3

3 Definition of Terms

CDT Corporate Decision Team

SLA Service Level Agreement

SFI’s Standing Financial Instructions

4. Background to Internal Audit

4.1 Internal Audit is an independent and objective appraisal service within an organisation which exists to provide an opinion to the Chief Executive, the Board of Directors and the Audit Committee on the degree to which risk management, control and governance support the achievement of the organisations agreed objectives. In addition, Internal Audit’s findings and recommendations are beneficial to line management in the audited areas. Risk management, control and governance comprise the policies, procedures and operations established to ensure the achievement of objectives, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations, and compliance with the behavioural and ethical standards set for the organisation.

4.2 An NHS Foundation Trust must establish an Audit Committee, which is a non- executive committee of the Board of Directors, and whose primary role is to conclude upon the adequacy and effective operation of the Trust’s overall internal control system, on behalf of the Board of Directors. An effective Audit Committee is dependent on an effective internal audit function. The cycle of approving and monitoring the progress of Internal Audit plans and reports culminates in the annual Head of Internal Audit’s opinion on the system of internal control.

4.3 Each year the Chief Executive conducts an annual review of the effectiveness of the

system of internal control, gains sufficient documented assurances and formally reports on this in the Annual Governance Statement, which is subject to Board of Directors’ approval and external audit review as part of the annual accounts. The annual Head of Internal Audit’s opinion on the overall adequacy and effectiveness of the Trust’s risk management, control and governance processes (i.e. the organisation’s system of internal control) contributes to the assurances available and underpins the Board of Directors’ own assessment of the effectiveness of the organisation’s system of internal control.

4.4 The Audit Committee’s terms of reference includes the consideration of the major

findings of internal audit work and management’s responses. The internal audit annual plan sets out details of the assignments to be carried out, providing sufficient detail for the Audit Committee and other recipients to understand the purpose and scope of the defined assignments and their level of priority.

NTW(O)25


4

4.4.1 The Trust’s management (i.e. executive directors) identify areas from the Assurance

Framework that are proposed for inclusion in the audit plan. Other risks identified by management, the Audit Committee, Local Counter Fraud Specialists, Internal Audit or other external bodies will be considered for inclusion in the plan. In addition, the plan may include systems (usually financial processes) for which the external auditor may wish to place reliance to enable an opinion to be given on the Trust’s Final Accounts.

4.4.2 This plan and any changes to it must have Audit Committee approval. The Audit

Committee should be clear on the risks and controls that Internal Audit will be addressing and where else the Committee needs to turn to be assured on the risks and controls that are not contained within the Internal Audit plan.

4.5 The requirements of the internal audit service in terms of responsibilities and objectives, how the service is resourced, the relationship of the Head of Internal Audit with the Trust and rights of access are set out in the Internal Audit terms of reference. In addition there is an agreed Service Level Agreement (SLA) for the provision of Internal Audit services, which sets out both the client’s and Internal Audit’s responsibilities, charging mechanisms, key performance indicators, etc.

4.6 Rights of access are also set out in Standing Financial Instructions (SFIs), which

states that Internal Audit are entitled without necessarily giving prior notice to require and receive:

(a) Access to all records, documents and correspondence relating to any financial or other relevant transactions, including documents of a confidential nature, e.g. work diaries

(b) Access at all reasonable times to any land, premises or officer of the Trust

(c) The production of any cash, stores or other property of the Trust under a member of the Board of Directors and an employee's control; and

(d) Explanations concerning any matter under investigation

5 Internal Audit Stages 5.1 From the “background” described above, it is clear that the subject matter for an

individual Internal Audit report will either be included in the Internal Audit annual plan or as the result of a request from the Audit Committee to provide specific assurance. The timing of audits is also key so that assurances are received at the correct time or when they are needed. It is therefore important that the internal audit process should, as far as possible, stick to the planned timings and turnaround deadlines.

5.2 The internal audit process has the following stages:

1 Advance notice

2 Entry meeting

3 During the course of the audit

NTW(O)25


5

4 Draft report

5 Final report

6 Post audit

5.3 Advance Notice 5.3.1 Internal Audit will email the relevant director who has overall responsibility for the area,

to notify him/her that the audit is required and to ask him/her to nominate a key contact. The key contact is a senior officer, who will be responsible for the smooth running of the audit. The role and responsibilities of the key contact are summarised in Appendix 1. The responsibilities of the director are summarised in Appendix 2.

5.3.2 The key contact will arrange a set up meeting with Internal Audit, and include all key people in the area under review, while recognising that he/she has the lead role. Prior to the start of the audit, where applicable, the key contact will be provided with a copy of previous systems notes and a control evaluation schedule for comment and agreement; (this details the expected controls for the particular system).

5.4 Entry meeting 5.4.1 This meeting is to discuss the scope and objectives of the audit. It will also help clarify

management and the auditor’s expectations, in terms of arrangements, information requirements, access to key staff, timings, areas to be reported on, etc, and will assist the auditor with his/her general overview of operations.

5.4.2 The key contact is responsible for:

Discussing the scope of the audit and the estimated number of days, together with communicating to Internal Audit any specific risks or incidents that have occurred within the system to be audited

Ensuring suitable accommodation is available for any period when the auditors need to be on site

Agreeing the start date, which should be within at most 4 weeks of the set-up meeting and less if information requirements can be met sooner. The director will intervene if there are issues that cannot be agreed, e.g. difficulties in agreeing start dates

Providing information about systems or details of where this information is to be obtained, e.g. risk register (if exists), policies, practice guidance notes, and highlighting any specific issues around rights of access, e.g. the need for Caldicott approval, which need to be addressed before starting the audit

Being the lead for receiving and processing information from the internal auditor. This may include copies of last year’s system notes for agreement, copies of systems notes drafted following meetings (for new areas), copies of control evaluation schedules with expected controls, etc

NTW(O)25


6

5.5 During the course of the audit

5.5.1 At the agreed start date for the audit, information requested at the entry meeting should be available from the key contact. This will include availability of key personnel. If this information or personnel are not available, this will impact upon both the ability of the auditor to carry out the work in line with agreed timescales and within agreed budgets, and will have a financial implication for the Trust or could result in assurances being received too late. In addition, during the audit additional information may be requested and this should be provided without delay.

5.5.2 The auditor has a document, i.e. audit programme, which specifies detailed work that needs to be undertaken as part of the fieldwork. Fieldwork concentrates on determining the systems and controls in place, how well risks are being managed and the effectiveness of controls. The approach is likely to be a combination of interviewing and detailed testing/analysis of documents or transactions.

5.5.3 The key contact will be kept informed of any key issues arising during the course of the audit, both in terms of difficulties and significant findings. Where difficulties in obtaining information/access to staff are identified, the key contact will be expected to resolve / assist. Where issues are identified with the provision of information and the key contact can not resolve these within 1 week, the auditor should escalate this by email to the relevant director. If this action fails to resolve the issue(s) within 1 week of the email, the auditor should notify the Deputy Director of Corporate Relations and Communications, who will discuss the issues and impact with the director concerned. The Deputy Director of Corporate Relations and Communications shall maintain a log of the details for Audit Committee information.

5.5.4 In addition, on completion of the fieldwork an exit meeting will be held to discuss and agree findings, i.e. a “no surprises” approach. This meeting should be arranged by the key contact. This can help clear any misunderstandings and assist in determining the best method of resolving any issues that arise prior to the draft report being issued. However at this stage, the audit file will not have been quality reviewed by an audit manager, so on occasions it will be necessary to revisit the audit or request additional information following the exit meeting.

5.5.5 Any cancellation of meetings will be done with adequate notice, except in exceptional circumstances, e.g. sickness absence or emergency. Meetings will be rearranged within a reasonable timescale, which would normally be taken to be within one week.

5.5.6 Failure to give sufficient notice of cancellation or to rearrange meetings within

reasonable timescales may result in extra costs to the Trust and the receipt of late assurances.

5.6 Draft Report

5.6.1 When the fieldwork is completed, a report is drafted. The target date for issue of the draft report from completion of the fieldwork is 4 weeks. However, if a closedown meeting has been arranged, the target date is within 2 weeks of the closedown meeting. The Audit Manager reviews the fieldwork and the draft report in line with professional auditing standards.

NTW(O)25


7

5.6.2 A formal draft report is then produced taking into account any revisions resulting from the exit meeting and any other subsequent work performed as a result of feedback. The draft report will include the preliminary findings in terms of level of assurance.

5.6.3 The formal draft report is then sent to the key contact to formally respond to the audit findings and risks (including agreement of the risk rating) included in the action plan, including the quoting of a responsible officer and target dates. A copy will also be sent to the relevant director for information. At this point a further meeting with the auditors may be necessary to discuss the issues raised in the draft report if they are particularly complex or were not fully covered at the exit meeting. If the preliminary finding is that the level of assurance is below significant, the director responsible must take appropriate action to ensure that the findings are accurate and that the management responses are appropriate and timely, before the report is finalised. If the report contains any inaccuracies or areas of dispute, the key contact must inform Internal Audit immediately and where relevant provide any additional information Internal Audit need to verify this. If it is agreed that there is an inaccuracy or Internal Audit had not been made aware of the true position, then the finding will be removed from the draft report. The formal response should be within 5 weeks, which includes 1 week for clearance by the Executive Director.

5.6.4 On rare occasions where a management response cannot be agreed within the

expected timescales due to complexity, multi staff/departments involvement, etc, it is acceptable to include a management response as "further discussion needed" with a brief summary of the issues and a definite timescale for providing the full response..

5.6.5 Please note that although the report does not contain recommendations, Internal Audit

reserve the right to make specific recommendations on action to be taken and report these to the Audit Committee, if it is considered the proposed action by management does not suitably address the risk.

5.6.6 The report will include the following:

Introduction, objectives and scope, including details of the timing of the audit and the sample period covered

Conclusion, which is a summary of the main points contained in the full report and provides the reader with a quick overview of the area reviewed and the recommendations that have been made. This also quotes the level of assurance provided by the audit. See Appendix 3 for details. This level of assurance may change between the draft and the final depending on the outcome of the report clearance process

Action Plan, which includes findings and risks, a risk rating for each finding, a management response and responsible officer and target date. The risk ratings are defined within the Trust’s policy, NTW(O)33 - Risk Management. Although Internal Audit will put indicative risk ratings in the draft report, these should also be considered by management and where applicable a case can be put forward for increasing or decreasing the

NTW(O)25


8

rating. However the final decision on this will rest with Internal Audit, who will highlight the issues to the Audit Committee

5.7 Final Report

5.7.1 On receipt of the draft report with management responses, responsible officers and target dates, the Audit Manager will forward the report to the relevant director who should confirm within 1 week that he/she has accepted the management responses and timescales.

5.7.2 Alternatively, the director’s confirmation may have been submitted along with management responses, responsible officers and target dates.

5.7.3 If Internal Audit considers that the responses given are inadequate for the risks identified they should indicate this to the director responsible. If in accepting the report there remains a dispute between the director and Internal Audit on the adequacy of responses in the final report this will be brought to the attention of the Audit Committee.

5.7.4 The report can then be finalised. The target date for issue of the final report is 1 week from clearance by the director.

5.7.5 The director is responsible for ensuring any relevant risks identified are fed into the risk register for their area of responsibility.

5.7.6 A copy of the report will also be provided to the Head of Assurance to ensure where relevant that it is included in the assurance framework.

5.8 Post audit

5.8.1 Brief details of every final report are included in the next report by Internal Audit to the Audit Committee on progress against the Internal Audit Plan. Where a report has “limited” assurance or “no” assurance, the full report will be appended to the progress report.

5.8.2 Prior to Audit Committee review, the Corporate Decision Team (CDT) considers a summary of every final report, prepared by the Deputy Director of Corporate Relations and Communications, and may request the consideration of a full report if appropriate. Following CDT consideration, the Audit Committee will therefore consider reports that are owned by senior management, rather than just the individual director, and CDT may intervene with applying the lessons more widely within the Trust, having a more robust action plan or completing the action plan/addressing risks sooner than the original response, etc.

5.8.3 The director is responsible for monitoring performance against the report’s agreed

action plan (management responses), including providing updates of current position against plan when required to Internal Audit.

5.8.4 The Trust’s policy NTW(O)33 - Risk Management, provides definitions of the levels of risks, in the categories of very low, low, moderate and high, and the related timescales and the appropriate type of group or officer to monitor progress.

NTW(O)25


9

5.8.5 The Audit Committee also receives routine reports from Internal Audit on progress against action plans. Similarly the updates are considered by the CDT prior to Audit Committee review.

5.8.6 The Deputy Director of Corporate Relations and Communications should be regarded as the link between CDT and the Audit Committee.

5.8.7 Appendix 5 provides details of the process for considering “limited” assurance or “no” assurance Internal Audit reports, and the process for reporting progress on management actions.

5.8.8 Key contacts are asked to comment on the performance of Internal Audit for a

particular audit, via a questionnaire that only takes a few minutes to complete. This is a valuable source of information, which could drive improvements in the audit process; it assists with appraising and assessing the performance of an individual auditor and is an indication of the effectiveness of the audit process via Key Performance Indicators. In addition, a further questionnaire is required on an annual basis aimed at Executive Directors to establish feedback on the overall audit service. Similarly a third questionnaire on overall performance is completed by the Audit Committee on an annual basis.

5.8.9 The outcome of the questionnaires is reviewed by the Audit Committee and helps

inform their view of the effectiveness of the internal audit function. 5.8.10 It is imperative that these questionnaires are returned in a timely manner. 6 Identification of Stakeholders

6.1 This is an existing policy with additional/changed content that relates to operational and/or clinical practice and was therefore circulated to the following for a four week consultation period:

Executive Directors 7 Training

7.1 This policy is approved by the Audit Committee for use by Executive Directors, the Senior Management Team, key contact officers and anyone else involved in the internal audit process. It tends to be the same people involved year on year. The Audit Committee has introduced changes by means of protocols in piecemeal fashion, which are operating efficiently. This policy therefore amalgamates and consolidates changes since the last version of the policy that are already implemented and being followed. This is supplemented by Internal Audit providing background information with their advance notice that an audit is to commence.

NTW(O)25


10

A draft Training Needs assessment is shown at Appendix B.

8 Implementation 8.1 The principles of this policy are already implemented. The policy amalgamates and

consolidates changes since the last version of the policy that are already implemented.

9 Standard Key Performance Indicators 9.1 Appendix 4 provides a summary of timescales.

9.2 It is important that anyone involved in an internal audit exercise recognises the

importance of completing audits in a timely manner. The Service Level Agreement with Internal Audit requires a 4 weeks turnaround from receipt of draft report to issuing the final report to relevant officers.

9.3 Turnaround details are used in Key Performance Indicators and reported to the Audit Committee, who regard the indicator as being an important measure on the effectiveness of the internal audit function and the Committee will seek explanations of any outlying performance.

10 Monitoring Compliance 10.1 Internal Audit provides a report on progress against the audit plan to most Audit

Committee meetings and at least every quarter. The Audit Committee meets on 7 occasions during the year. The report is received by the Audit Committee. It includes key performance indicators, which are monitored by the Audit Committee, on:

The time elapsed from completion of the audit file to review stage to issue of the draft report by Internal Audit, for which the agreed timescale is 4 weeks

Management responses to draft reports (a) overall and (b) by Executive Director, for which the agreed timescale is 4 weeks

Production of final report after receipt of satisfactory management responses (a) overall and (b) by Executive Director, for which the agreed timescale is 1 week

Progress on the completion of the audit plan 10.2 Internal Audit provides an Internal Audit Annual Report to the Audit Committee every

July, which facilitates the Audit Committee monitoring the final position for the year for the indicators per 12.1, and also:

The outcome of questionnaires on Internal Audit’s performance completed by (a) key contacts, (b) Executive Directors and (c) the Audit Committee, for which at lease a “satisfactory” performance is required

NTW(O)25


11

The outcome of Internal Audit’s self assessment on adherence to NHS Internal audit Standards, which are expected to be met

10.3 Internal Audit’s role includes bringing any significant issues to the attention of the Audit Committee. 10.4 The Audit Committee is supported in its monitoring role by the Senior Management

Team, if necessary. Any issues from the Audit Committee review are highlighted to the CDT with details of the discussion/action reported back to the Audit Committee and/or the Executive Director provides a briefing on any issues to the Audit Committee and/or the Executive Director attends the next Audit Committee meeting to explain issues personally.

10.5 Any lessons learned from the reporting and monitoring role of the Audit Committee are taken forward in the most appropriate manner. This could include CDT action in the form escalating a lesson, amendments to this guidance, e.g. the introduction or amendment of a protocol, etc.

11 Equality and Diversity Impact Assessment

11.1 This procedure has been assessed with regard to its relevance to equality and diversity. As a result of this assessment, no negative impacts were identified for any of the legislatively recognised equality strands, viz.

Sex (including marital status and gender re-assignment)

Race (including colour, nationality, national origin, ethnic origin)

Disability

Sexual Orientation

Religion and Belief

Age

12 Fair Blame

12.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

13 Fraud, Bribery and Corruption

13.1 In accordance with the Trust’s policy, NTW(O)23 Fraud, Bribery and Corruption, all

suspected cases of fraud and corruption should be reported immediately to the Trust's

Local Counter Fraud Specialist or the Director of Finance or the NHS Fraud and

Corruption Reporting Line on 0800 028 40 60 or online at www.reportnhsfraud.nhs.uk

http://www.reportnhsfraud.nhs.uk/

NTW(O)25


12

14 Conclusion 14.1 This guidance should make all officers involved at any stage of the audit process

aware of the process relating to an Internal Audit report and the importance of sticking to agreed timescales. It should be recognised that the strength of the audit process in giving assurances and detailing weaknesses and corrective actions is diluted if the information is not timely, and could potentially be a waste of valuable resources.

15 Associated documentation

NTW(O)01 - Development and Management of Procedural Documents

NTW(O)23 – Fraud, Bribery and Corruption Policy

NTW(O)33 - Risk Management Policy

16 References

NHS Audit Committee Handbook

NTW(O)25


13

Appendix A Equality and Diversity Impact Assessment Screening Tool

Names of Individuals involved in Review

Date of Initial Screening

Review Date Service Area / Directorate

Christopher Rowlands 10 Oct 2012 1 March 2015 Trustwide

Policy or Service to be Assessed Guidance on the internal audit process – V03

Is this a new or existing Policy or Service?

Existing

Describe the aims, objectives or purposes of the Policy or Service

This guidance is designed to ensure that the Trust’s officers involved at any stage of the audit process are aware of the process relating to an internal audit report. The guidance also includes counter fraud reports

Are there any associated objectives of the Policy or Service? If so what are they?

That the associated processes operate as efficiently as possible.

Does the policy unlawfully discriminate against equality target groups?

No

Does the policy promote equality of opportunity for equality target groups?

Yes

Does the policy or service promote good relations between different groups within the community, based on mutual understanding and respect?

Yes

NTW(O)25


14

Equality and Diversity Impact Assessment Screening Tool

Which equality target groups of the population do you think will be affected by this policy or function?

Equality Target Group

(code in bold type)

What positive and negative impacts do you think there may be for each equality target

group(s)?

Black and Minority Ethnic People (including gypsy/travellers, refugees and asylum seekers) BME

None

Women and Men WM

None

People in Religious/Faith groups RF

None

Disabled People DP

None

Older People OP

None

Children C

None

Young People YP

None

Lesbian Gay Bisexual and Transgender People LGBT

None

People involved in the criminal justice system CJS

None

Staff S

None

Any other group(s) AOG

None

NTW(O)25


15

Equality and Diversity Impact Assessment Screening Tool

Screening Tool Checklist – Summary Sheet

Positive Impacts (Note the code of groups affected)

None

Negative Impacts (Note the code of groups affected) None

Additional Information and Evidence Required None

Recommendations None

From the outcome of the Screening, have negative impacts been identified for race or other equality groups?

Yes No

If yes, has a Full Impact Assessment been recommended? If not, why not? Manager’s signature: Christopher Rowlands Date: 10 October 2012

Should any advice be required in respect of answering the above questions contact:

Equality and Diversity Officer 01670 394 848

NTW(O)25


16

Appendix B Communication and Training Check list for policies

Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy

Is this a new policy with new training requirements or a change to an existing policy?

Change to an existing policy.

If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.

This policy is approved by the Audit Committee for use by Executive Directors, the Senior Management Team, key contact officers and anyone else involved in the internal audit process. It tends to be the same people involved year on year. The Audit Committee has introduced changes by means of protocols in piecemeal fashion, which are operating efficiently. This policy therefore amalgamates and consolidates changes since the last version of the policy that are already implemented and being followed. This is supplemented by Internal Audit providing background information with their advance notice that an audit is to commence.

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice? Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHSLA etc. Please identify the risks if training does not occur.

Local standard / best practice. Guidance already is being followed – therefore no risk to not having additional training.

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.

Awareness is required by Executive Directors, the Senior Management Team, key contact officers and anyone involved in regular audits.

Is there a staff group that should be prioritised for this training / awareness?

As per previous response.

Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider: Team brief/e bulletin of summary Management cascade Newsletter/leaflets/payslip attachment Focus groups for those concerned Local Induction Training Awareness sessions for those affected by the new policy Local demonstrations of techniques/equipment with reference documentation Staff Handbook Summary for easy reference Taught Session, E Learning

Awareness training has already been delivered via the Senior Management Team, with Executive Directors cascading to relevant officers. This has been supported by Internal Audit providing background information with their advance notice that an audit is to commence.

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Admin; needs etc.

Deputy Director of Corporate Relations and Communications

NTW(O)25


17

Appendix B – continued Training Needs Analysis

Staff/Professional Group Type of training

Duration of Training

Frequency of Training

Executive Directors

Senior Management Team

Key contact officers

Other officers involved in regular audits.

Awareness SMT discussion

(15 minutes)

Cascading to key contacts and other officers involved in regular audits.

Email to all relevant officers.

Guidance attached to all Internal audit notifications of advance work.

3 years

Copy of completed form to be sent to:

Training and Development Department, St. Nicholas Hospital

Should any advice be required, please contact:- 0191 245 6770 (internal 56770)

NTW(O)25


18

Appendix C Monitoring Tool

Statement

To demonstrate effective compliance, policy authors are required to include how monitoring of this policy is linked to auditable standards / key performance indicators will be undertaken using this framework.

NTW(O)25 – Guidance on the internal audit process - Monitoring Framework

Auditable Standard/Key Performance Indicators

Frequency/Method/Person Responsible

Where Results and Any Associate Action Plan Will Be Reported To Implemented and Monitored (this will usually be via the relevant Governance Group).

1. Internal Audit function - Time elapse from completion of audit file to review stage to issue of draft report – 4 weeks

Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis.

Annual performance per the Internal Audit Annual Report (July) is reviewed by the Audit Committee (July).

Any significant issues are brought to the attention of the Audit Committee by Internal Audit.

Reported to and monitored by the Audit Committee.

2. Management response to draft report – 4 weeks

a) overall b) by Executive Director

As above

Reported to and monitored by the Audit Committee with support from the SMT (if necessary) Any issues from the Audit Committee review are highlighted to the SMT with details of discussion / action reported back to the Audit Committee and / or the Executive Director provides a briefing on any issues to the Audit Committee and / or the Executive Director attends the next Audit Committee meeting to explain issues personally.

NTW(O)25


19

NTW(O)25 – Guidance on the internal audit process - Monitoring Framework

Auditable Standard/Key Performance Indicators

Frequency/Method/Person Responsible

Where Results and Any Associate Action Plan Will Be Reported To Implemented and Monitored (this will usually be via the relevant Governance Group).

3. Production of final report after receipt of satisfactory management responses – 1 week

a) overall b) by Executive Director

Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis.

Annual performance per the Internal Audit Annual Report (July) is reviewed by the Audit Committee (July).

Any significant issues are brought to the attention of the Audit Committee by Internal Audit.

Reported to and monitored by the Audit Committee with support from the SMT (if necessary) Any issues from the Audit Committee review are highlighted to the SMT with details of discussion / action reported back to the Audit Committee and / or the Executive Director provides a briefing on any issues to the Audit Committee and / or the Executive Director attends the next Audit Committee meeting to explain issues personally

4. Internal Audit performance – satisfaction

Determined by:

a) Key contacts

b) Executive Directors

c) Audit Committee

Outcome of questionnaires reported in the Internal Audit Annual Report (July) and reviewed by the Audit Committee (July).


5. Adherence to NHS Internal Audit Standards – all met

Self assessment per the Internal Audit Annual Report (July) and reviewed by the Audit Committee (July)


6. Completion of audit plan Reported per the Internal

Audit Annual Report (July) and reviewed by the Audit Committee (July). Progress during the year reported via the Internal Audit progress report prepared by Internal Audit and reviewed by the Audit Committee on at least a quarterly basis. Any significant issues brought to the attention of the Audit Committee by Internal Audit.


NTW(O)25


1

Appendix 1

Key Contact (for specific audits) - Role and responsibilities

This role is performed by a senior manager, nominated by the appropriate director in the area

to be audited to be responsible for the smooth running of any specific audits in their area of

responsibility, and includes:

Advance Notice (5.3)

Arranging an entry meeting with Internal Audit and all key people in the area under review

If necessary, comment and agree previous systems notes and control evaluations sheets

Entry Meeting (5.4)

Discussing the scope of the audit and the estimated number of days, together with communicating to Internal Audit any specific risks or incidents that have occurred within the system to be audited

Ensuring suitable accommodation is available for any period when the auditors need to be on site

Providing information about systems or details of where this information is to be obtained, e.g. risk register (if exists), policies, procedure notes and highlighting any specific issues around rights of access, e.g. the need for Caldicott approval, which need to be addressed before starting the audit

Being the lead for receiving and processing information from the internal auditor. This may include copies of last year’s system notes for agreement, copies of systems notes drafted following meetings (for new areas), copies of control evaluation schedules with expected controls, etc

During the course of the audit (5.5)

To be kept informed of any key issues arising during the course of the audit, both in terms of difficulties and significant findings. Where difficulties in obtaining information/access to staff are identified, the key contact will be expected to resolve/assist

NTW(O)25


2

Arranging an exit meeting with the internal auditor at completion of fieldwork to discuss and agree findings

Draft report (5.6)

Receipt of draft report and agreement of findings

Arranging when necessary a further meeting to discuss the draft report

Provision of formal response within 5 weeks (which includes 1 week for clearance by the Executive Director) to the audit findings and risks included in the action plan, including the quoting of a responsible officer and target dates. Where this requires input from a variety of people or areas, the key contact may be asked to co-ordinate these with their colleagues and provide a complete set of management responses to the auditor. The key contact should be satisfied that his/her director accepts the management responses and timescales as they will be asked to agree the final report

Post audit (5.8)

Assisting the director (if asked) in monitoring performance against the report’s agreed action plan (management responses), including providing updates of current position against plan when required to Internal Audit

Commenting on Internal Audit’s performance via a post audit questionnaire

NTW(O)25


3

Appendix 2 Director’s responsibility

The director who has overall responsibility for the area is required to:

Advance notice (5.3)

Upon receipt of the advance notice of an intended audit nominate a key contact. The key contact is a senior officer, who will be responsible for the smooth running of the audit

Entry meeting (5.4)

Inform Internal Audit of any relevant issues that he/she is aware of e.g. emerging risks, incidents, areas where they would like audit to pay specific attention

During the course of the audit (5.5)

Where issues are identified with the provision of information, the auditor will escalate this by email to the relevant director who should ensure suitable action is taken to resolve the issue

Draft report (5.6)

Where the preliminary report contains a level of assurance below significant, the director should pay particular attention to ensuring the report is accurate and that the management responses are adequate and timely

Final report (5.7)

Confirm, within 1 week of receipt of the draft report containing management responses, that they have accepted the management responses and timescales

Ensuring any relevant risks identified are fed into the risk register for their area of responsibility

Post audit (5.8)

Monitor performance against the report’s agreed action plan (management responses), including providing updates of current position against plan when required to Internal Audit

Where the final report contains a level of assurance below significant or where Internal Audit consider the final responses to be inadequate, to account for the position to the Audit Committee

NTW(O)25


4

To participate in Senior Management Team and Audit Committee meetings, if necessary, in accordance with the protocol for considering limited assurance or no assurance internal audit reports and for reporting progress on internal audit reports (Appendix 5)

Comment annually on Internal Audit’s overall performance via a questionnaire

NTW(O)25


5

Appendix 3

Levels of assurance provided by Internal Audit reports

FULL assurance that the system of internal control is designed to meet the organisation's objectives, and controls are consistently applied in all the areas reviewed (this level of assurance only applies to a system which is of such importance in terms of impact and severity that Northumberland, Tyne and Wear NHS Foundation Trust (the Trust/NTW) would need to assure itself that no element of the system could fail, i.e. “never incidents” SIGNIFICANT assurance with no issues of note is based on, and limited to the work undertaken by Audit that the Trust has significant assurance with no issues of note that there is a generally sound system of control designed to meet the organisations objectives; SIGNIFICANT assurance with issues of note provides significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weakness in the design or inconsistent application of controls can put the achievement of particular objectives at risk. LIMITED assurance as weaknesses in the design or inconsistent application of controls can put the achievement of the organisation's objectives at risk in the areas reviewed. NO assurance as weaknesses in control, or consistent non-compliance with key controls, could result (have resulted) in failure to achieve the organisation's objectives in the areas reviewed. In addition, there is a specific high level assurance relating to the Trust’s arrangements for providing its own assurance that policies are an integral part of the organisation and that they are monitored for compliance and take into consideration current regulations and best practice. The assurance is stated as “The Trust appears (does not appear) to have reasonable assurance processes in place to measure compliance with the policy/policies relevant to this area.”

NTW(O)25


6

Appendix 4

Provision of information, timescales and performance indicators

All requests for information or queries will be responded to within 1 week, whether these requests are made by internal auditors to client staff or vice versa

Where information is not immediately available, an indication will be provided within the week of when the information will be available. Information will then be provided in line with this agreement

Draft reports will be issued within 4 weeks of completion of fieldwork or if there is a closedown meeting, within 2 weeks of that

Management responses will be provided by the key contact within 5 weeks (which includes 1 week for clearance by the Executive Director) of the issue of the draft report, in line with agreed service level agreements

Management responses will:

o Be complete, i.e. cover all findings raised or recommendations made.

o Address the issues identified.

o As well as actions to address weaknesses identified, will include timescales within which the action will be implemented and a named individual, who will be responsible for implementing this action. The individual should be of sufficient seniority to enable them to do this and timescales will be reasonable

Final reports will be issued within 1 week of the receipt of adequate management responses, in line with agreed service level agreements

Internal Audit will as part of their regular progress reports to the Audit Committee highlight significant areas where timescales for action are being exceeded

The key contact will be asked to complete a post audit questionnaire, the results of which will be routinely reported to the Audit Committee and annually incorporated into the Internal Audit Annual Report

Annually, the directors and the Audit Committee will be asked to complete a questionnaire on the overall performance of Internal Audit

Internal Audit will present a progress report to every Audit Committee showing for each completed audit, the dates draft/final reports were issued, levels of assurance given and key issues. This report will also highlight any significant issues raised where Internal Audit feels management have not agreed to take action on a major issue or the timescales for action appear excessive

Internal Audit will also provide to the Audit Committee a follow up report highlighting key issues where management have failed to take action within the agreed timescales

NTW(O)25


7

Appendix 5

Process for: (i) considering “limited” assurance or “no” assurance internal audit reports, and

Final report to be considered by Corporate Decision Team (CDT) prior to Audit Committee consideration

Full report to be presented to the Audit Committee along with any key SMT comments

The relevant director to attend the Audit Committee meeting if the weaknesses in the report are sufficiently serious, the action plan is regarded as inadequate, etc, taking the materiality of the system/subject into consideration.

Internal Auditor to indicate in the report when the Audit Committee should receive a report on progress against the action plan from the relevant director, with the Deputy Director of Corporate Relations and Communications scheduling the progress reports into the Audit Committee agenda setting process

(ii) For reporting progress on management actions

The Internal Auditor to request updates from management at the appropriate time

Update report to be considered by CDT prior to Audit Committee consideration

Update report to be presented to the Audit Committee along with any key CDT comments

Attendance of the director at the Audit Committee meeting to be at the discretion of the Chair of the Audit Committee

If the Audit Committee deems that progress is insufficient, a date to be set for the relevant director to provide a further progress report

Internal Audit/Client Liaison Protocol · B Training Checklist and Training Needs Analysis 15 ......

Documents

Transcript of Internal Audit/Client Liaison Protocol · B Training Checklist and Training Needs Analysis 15 ......