southern health nhs foundation trust internal audit annual ...€¦ · internal audit annual report...
TRANSCRIPT
Southern Health NHS Foundation Trust
Internal Audit Annual Report
Year ended 31 March 2013
Presented at the Audit Committee meeting of: 20 May 2013
Nick Atkinson Head of Internal Audit
1
1 INTRODUCTION
1.1 Roles and responsibilities
The whole Board is collectively accountable for maintaining a sound system of internal control and is
responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall
system.
The Annual Governance Statement (AGS) is an annual statement by the Accounting Officer, on behalf of the
Board, setting out:
how the individual responsibilities of the Accounting Officer are discharged with regard to maintaining a
sound system of internal control that supports the achievement of policies, aims and objectives;
the purpose of the system of internal control as evidenced by a description of the risk management and
review processes, including the Assurance Framework process;
the conduct and results of the review of the effectiveness of the system of internal control including any
disclosures of significant control failures together with assurances that actions are or will be taken where
appropriate to address issues arising.
In accordance with NHS Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an
annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of
the organisation’s risk management, control and governance processes (i.e. the organisation’s system of
internal control). This is achieved through a risk-based plan of work, agreed with management and approved
by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent
limitations described below.
The opinion does not imply that Internal Audit has reviewed all risks and assurances relating to the
organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a
robust and organisation-led Assurance Framework. As such, the Assurance Framework is one component
that the Board takes into account in making its AGS.
2 THE HEAD OF INTERNAL AUDIT OPINION
The purpose of my annual HoIA Opinion is to contribute to the assurances available to the Accountable
Officer and the Board which underpin the Board’s own assessment of the effectiveness of the organisation’s
system of internal control. This Opinion will in turn assist the Board in the completion of its AGS.
My opinion is set out as follows:
Based on the work undertaken in 2012/2013, significant assurance can be given that there is a generally
sound system of internal control, designed to meet the organisation’s objectives, and that controls are
generally being applied consistently.
2.1 Issues Judged Relevant to the preparation of the Annual Governance Statement
Based on the work we have undertaken on the Trust’s system of internal control we do not consider that
within these areas there are any issues that need to be flagged as significant internal control issues within
the AGS.
2.2 The basis of the Opinion
The basis for forming my opinion is as follows:
An assessment of the design and operation of the underpinning Assurance Framework and supporting
processes;
2
An assessment of the range of individual opinions arising from our work reported throughout the year.
This assessment has taken account of the relative materiality of these areas and management’s progress
in addressing control weaknesses; and
Any reliance that is being placed upon third party assurances.
2.3 Information Supporting the Opinion
The commentary below provides the context for my opinion and together with the opinion should be read in
its entirety.
2.3.1 The design and operation of the Assurance Framework and associated processes
For a Trust such as Southern Health NHS Foundation Trust, providing the services that it does and of its
considerable size we would expect, at a minimum for the organisation to be aiming for “Risk Managed” on
the Risk Maturity framework. Currently the Trust is rated as “Risk Defined” or between “Risk Defined” and
“Risk Managed” for most of the elements which constitute the Risk Maturity framework. The actions we
identified within the Risk Improvement Road Map, included within our Risk Maturity report, are designed to
move the Trust towards “Risk Managed” over the next six to twelve month period. Overall it is our view that
the Trust has a good framework through which it can manage risk, however it is felt that there is room for
strengthening the content and quality of the information that is documented.
We concluded that during the course of the review and through discussions with those interviewed that in
the main there was a general understanding and awareness of the requirements for the Trust’s risk
management processes and procedures, albeit there was in cases a lack of clarity regarding risk reporting
and what reports were received and where. This is an area that can be improved within the Risk
Management Strategy and Policy and through training and education.
Whilst many of the risk and control descriptions were reasonably set out within the Assurance Framework
and Risk Registers these were not always completed consistently and accountability could be improved by
ensuring clear deadlines and accountable officers are attributed to each action designed to close a gap in
control.
It was also felt that Board visibility of the Trust’s Top 5-10 risks or “Corporate Risks”, that were not included
within the Board Assurance Framework was not as good as it could be due to the corporate risk register not
being presented or optimised and the lack of a risk appetite driving the Board Reporting Cycle.
Finally, going forward into 2013/14, it is imperative that the Trust’s Executive and Non-Executive Directors
formally decide on a set of strategic risks for the year that the organisation can then seek to manage and
use resources effectively to do so. Alongside this, an agreement must be sought on what information is
required at Board and Audit Committee level to provide assurance on the control framework surrounding
these risks. The Risk Maturity report is currently in draft awaiting management comments.
3
2.3.2 The range of individual opinions arising from our work that have been reported throughout the year
The internal audit plan was driven by the Trust’s key risks as identified by management and was further
driven by the need to review key financial systems to ensure that continued External Audit reliance is placed
upon the work of Internal Audit. Discussions were also held with the Director of Finance during the year to
ensure that any key emerging risks for the Trust were included in the plan.
A summary of internal audit work undertaken, and the resulting opinions, is provided at Appendix A. At
Appendix B we provide more detail on the key internal audit findings which have informed our annual
opinion.
During the year we have issued five “amber red rated” opinions, which related to:
Compliance with Standing Orders - This audit covered spend against a range of contracts, the
majority of which were put in place prior to the introduction of the in-house Procurement team. In
general, we found that contracts negotiated and agreed prior to the introduction of the in-house
Procurement team were those where the paperwork could not always be located and supported to
help demonstrate compliance with Standing Orders.
Patients’ Monies and Properties – We raised ten recommendations relating to compliance with the
control framework. This was as a result of our site visits identifying that each site was operating its
own processes for patients’ monies, and that these were in some instances not compliant with the
Trust’s policy.
Appraisals – Whilst we considered that the design of the new appraisals process was reasonable,
we noted that it was yet to be embedded at the time of the audit. As a consequence our testing
identified a significant number of employees for whom appraisal forms were incomplete or missing.
We also identified that the Trust had failed to achieve its original target for the completion of
appraisals.
Partnership working (Section 75 Agreements)– This review considered the three section 75
arrangements in place at the Trust. Two were with Hampshire County Council (one for Learning
Disabilities and one for Adult Mental Health). The other was to provide adult mental health services
to Southampton City Council. Our audit found that there was no standard risk management or
performance management processes for the Trust’s Section 75 Agreements. We also noted that the
Groups charged with oversight of partnership arrangements had met at best irregularly and did not
have up to date terms of reference in place.
Payroll Feeder Systems – As in previous years we raised a number of recommendations in this
area to address issues identified, including a number which resulted in overpayments being made.
The following charts compare the breakdown of internal audit opinions issued this year against those issued
last year and the proportion and priority of recommendations made this and last year.
4
2.3.3 Comparison of Internal Audit Opinions (Assurance assignments) in 2012/13 compared with 2011/2012
2.3.4 Comparison of Internal Audit recommendations made 2012/2013 compared with 2011/2012
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
2011/2012 2012/2013
Green
Amber Green
Amber Red
Red
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
2011/2012 2012/2013
Low
Medium
High
5
2.3.5 Common Weaknesses
There have been no common weaknesses identified throughout our reviews.
2.3.6 Acceptance of Recommendations
Whilst we have two reports at draft stage, relating to Risk Management and Patient Records and we have
been provided with assurances by management as part of our debrief process that the recommendations we
have made are being or will be appropriately considered by management.
All of the recommendations made within our finalised reports have been accepted by management.
2.3.7 Progress made with previous internal audit recommendations
Our follow up of the recommendations made in 2011/2012, including those that were outstanding from
previous years, showed that the Trust had made adequate progress in implementing the agreed
recommendations, as summarised below:
Priority Number made in
2011/2012
Of which:
Addressed Not implemented or still in
progress
High 6 4 2
Medium 40 22 18
Low 24 16 8
Totals 70 42 28
The two high priority recommendations not implemented or still in progress were:
Payroll - Termination forms and changes to employees' payroll data should be communicated to HR
on a timely basis to avoid possible overpayments taking place. HR should consider escalating any
persistent offenders to the relevant Director (Payroll feeder systems)
Location Visits – Therapies Waiting Times - The team should put in place a weekly process
whereby patients who have waited a certain length of time (for example, 11 weeks) are prioritised for
attention. We note that there is a daily check during triage, and ultimately the Team Lead is
responsible for ensuring waiting limits. However presently staffing resources are limited. The
forthcoming amalgamation of CCT and ART therapy teams from Winchester and Andover will result
in transfer of care for four GP practices, which will improve staffing levels, ensuring the 12 week
waiting limit is met. (Location visits – Andover)
2.3.8 Reliance Placed Upon Work Of Other Assurance Providers
In forming our opinion we have not placed any direct reliance on other assurance providers.
3 OUR PERFORMANCE
3.1 Wider value-adding delivery
As part of our client service commitment, during 2012 we issued 15 NHS sector specific client updates and
four general briefings.
3.2 Conflicts of Interest
We (RSM Tenon) have not undertaken any work or activity during 2012/2013 that would lead us to declare
any conflict of interests.
6
3.3 Conformance with Internal Audit Standards
RSM Tenon affirms that our internal audit services are designed to comply with the NHS Internal Audit
Standards, which are derived from the Institute of Internal Auditors International Standards for the
Professional Practice of Internal Auditing (‘the Standards’).
Under the Standards, internal audit services are required to have an external quality and review at least
once every five years. In line with this requirement, during 2011 RSM Tenon commissioned an external
independent review of our internal audit services to provide assurance whether our approach meets the
requirements set out in the International Professional Practices Framework (IPPF) published by the Global
Institute of Internal Auditors. The NHS Internal Audit Standards are based upon the IPPF.
The external review concluded that “the design and implementation of systems for the delivery of internal
audit provides substantial assurance that the Standards established by the IIA in the IPPF will be delivered
in an adequate and effective manner”.
In this year we have reviewed our processes to ensure we will be compliant with the Public Sector Internal
Auditing Standards when they are introduced in 2013/2014.
3.4 Performance Indicators
Our performance during 2012/2013 is summarised below across a range of performance indicators.
Delivery Quality
Target Actual Notes (ref)
Target Actual Notes (ref)
Audits commenced in line with original timescale
100% 91% A Compliance with NHS Internal Audit Standards
Yes Yes
Audit scopes signed by relevant Director
100% 100% Extent to which External Audit place reliance on our work
Yes Yes
Draft reports issued within 10 days of debrief meeting
100% 90% B
Staff
Final report issued within 3 days of management response
100% % of staff with CCAB/CMIIA qualifications
>50% 81%
Completion of audit plan by 31
st March
100% 95% A Turnover rate of staff <10% 0%
% audit reports presented to agreed Audit Committee meetings
100% 85% C
Response Times
% of High & Medium recommendations followed up
100% 100% Response time for all general enquiries for assistance
2 working days
100%
Notes
Response for emergencies and potential fraud
1 working day
N/A
7
Note A: Management requested a delayed start to the Risk Management audit to help review the Trust’s revised
systems and processes later in the year than originally planned. The originally planned review of Service Line Reporting was replaced with a request for an audit of Patient Records by the Audit Committee. This was completed in March/April 2013 and is now in draft awaiting management comments.
Note B: Two reports were issued outside of the agreed timeframe. One of these was issued 14 working days after
debrief relating to Data Quality and one relating to Information Governance was delayed due to staff sickness. The Head of Internal Audit called the Information Governance Manager to apologise and explain the delay.
Note C: Three reports were presented at the meeting following the originally proposed meeting, where we were
awaiting responses to draft reports which were not presented within the timeframe to allow presentation to the proposed committee.
8
APPENDIX A: INTERNAL AUDIT OPINIONS AND RECOMMENDATIONS 2012/2013
Audit
Link to risk or rationale for coverage
Opinion Actions Agreed (by priority)
High Medium Low
Audits to address specific risks
Clinical Audit Follow Up Following the Amber/Red opinion
review in 2011/12 we will follow up in
detail the work conducted as part of the
2011/12 review and the
recommendations which were agreed
for implementation. Specific focus to
be placed on any differences in ways of
working between Mental Health and
Community arms of the Trust.
Adequate
Progress
0 2 0
Compliance with Standing
Orders
Focus on the systems to purchase and
achieve best value for money.
Amber / Red 2 4 5
Patient Monies and Property Ensure overarching systems for
maintaining patients monies are secure
and in line with overarching policies and
best practice.
Amber / Red 1 7 2
ESR Data Quality Failure to have accurate information
concerning the Trust’s workforce
reduces the capacity of the business to
undertake effective decision making.
Amber / Green 0 3 0
Follow Up To meet internal auditing standards and
to provide management with ongoing
assurance regarding implementation of
recommendations.
Adequate
Progress
0 6 6
CQC Mock Inspections All key processes from staffing, policy
compliance, cash and patient monies
handling, use of temporary staffing,
health and safety and security.
Green 0 1 3
Location Visit - Alton
Community Hospital - Anstey
Ward
All key processes from staffing, policy
compliance, cash and patient monies
handling, use of temporary staffing,
health and safety and security.
Amber / Green 0 2 0
Location Visits - Stefano Olivieri
Unit, Melbury Lodge
All key processes from staffing, policy
compliance, cash and patient monies
handling, use of temporary staffing,
health and safety and security.
Amber / Green 0 5 0
Carbon Management Failure to maximise the financial and
social opportunities through reduction
of carbon emissions impacts on the
Advisory 2 6 5
9
Audit
Link to risk or rationale for coverage
Opinion Actions Agreed (by priority)
High Medium Low
Trust financially and reputationally with
users and staff alike.
Change Programme Failure to identify Cost Improvements
require due to Commissioners 2011/12
QIPP plans.
Amber / Green 0 2 2
Financial Reporting &
Budgetary Control
Failure to deliver a financially viable
model of service in 2011/12, including
the risk of slippage as a result of
consultation lead times.
Green 0 1 0
Data Quality Evidence from reviews of CIRs suggest
that the clinical risk assessment policy
(CP 92) is not always complied with.
This many increase the risk of serious
incidents involving patients – including
suicide, violence to others and
homicide. This also exposes the Trust
to the potential for adverse criticism and
publicity following enquiries.
Green 0 1 1
Estates Management Failure to implement an estates plan
that is fit for purpose and ensures a
cost effective estate.
Green 0 0 1
Appraisals Failure to deliver our staff leads to loss
of talent and disruption to services.
Amber / Red 1 2 1
Financial Feeders External audit want to place reliance on
testing undertaken by internal audit and
the Trust needs to ensure it has robust
systems in place to support the key
financial processes.
Green 0 1 1
Partnership Working Failure to maximise the opportunities
through effective partnership working
could result in the failure to deliver an
excellent service to users.
Amber / Red 2 1 2
Cash and Treasury
Management
External audit want to place reliance on
testing undertaken by internal audit and
the Trust needs to ensure it has robust
systems in place to support the key
financial processes.
Green 0 1 4
Payroll Feeder Systems External audit want to place reliance on
testing undertaken by internal audit and
the Trust needs to ensure it has robust
Amber / Red 1 3 2
10
Audit
Link to risk or rationale for coverage
Opinion Actions Agreed (by priority)
High Medium Low
systems in place to support the key
financial processes.
Follow Up To meet internal auditing standards and
to provide management with ongoing
assurance regarding implementation of
recommendations.
Adequate progress 2 12 2
Care Quality Commission
(CQC)
Trust is required to demonstrate
compliance with CQC registration.
Amber / Green 0 4 1
Risk Maturity Review Assessment of adequacy of risk
management structures to enable
effective management of risks and
business as a whole. 2012/13 will
focus on divisional risk management.
DRAFT 0 5 3
Information Governance Toolkit
Version 10
Failure to look after our patients and
staff data appropriately could lead to a
data security serious incident and
damage the reputation of the Trust.
Green 0 0 0
Patients’ records Audit committee request DRAFT 0 2 0
Total 11 71 41
We use the following levels of opinion classification within our internal audit reports:
Red Amber / Red Amber / Green Green
Taking account of the issues identified, the Board cannot take assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective.
Action needs to be taken to ensure this risk is managed.
Taking account of the issues identified, whilst the Board can take some assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.
Taking account of the issues identified, the Board can take reasonable assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.
However we have identified issues that, if not addressed, increase the likelihood of the risk materialising.
Taking account of the issues identified, the Board can take substantial assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.
11
APPENDIX B: KEY FINDINGS FROM INTERNAL AUDIT REVIEWS 2012/2013
Assignment: Clinical Audit Follow Up Opinion: Adequate Progress
Our testing did not find any evidence of a review undertaken by the Audit and Governance team prior to the clinical audit reports being issued.
The Audit & Governance team was planning to review the Clinical Audit action plans and ensure that these were ‘SMART’. The procedures for this process were being drafted by the Head of Audit & Compliance.
The Trust had written a new Clinical Audit Policy which was due for ratification by the Trust Board in July 2012.
Assignment: Compliance with Standing Orders Opinion: Amber/ Red
This audit covered expenditure against a range of contracts, the majority of which were put in place prior to the
introduction of the in-house Procurement team. In general, we found that contracts negotiated and agreed prior to
the introduction of the in-house Procurement team were those where the paperwork could not always be located
and supported.
Design of control framework
A formal approval process for the authorisation of a tender was not undertaken by the Trust prior to the commencement of a tender process.
Once a tender process had been completed, the Trust was not required to complete a control sheet to ensure that they had complied with all aspects of the tender process.
Paragraph 9.16.1 of the SFI’s stated 'Where quotations are required under SFI 9.16.1 they should be obtained from at least two firms'. This was not consistent with the SDBRP, which stated that one quote was required for amounts below £2,500, and three quotes were required for amounts above £2,500.
Application of and compliance with control framework
The Scheme of Delegation and Board Reserved Powers made reference to expenditure between £25,000 and £50,000, but did not include sufficient detail as to whether quotations or tenders are required.
The Bravo system was not used consistently across the Trust. For example where the Estates team independently let tenders they used paper tendering documents.
Only three members of the Procurement team at the time of the audit had access to Bravo, and users could only view tender projects for which they had been assigned as a designated officer.
We tested a sample of 32 suppliers with whom the Trust has incurred varying degrees of expenditure since February 2012. For three suppliers who had gone through a tender process, the actual spend between February 2012 and June 2012 exceeded the total contract amounts stated per the winning tender bid.
The Trust could not provide evidence of tenders or quotations for four suppliers where the level of expenditure required these to be obtained, or that a contract existed for these suppliers.
For a further two suppliers, both providing agency staff, no contract existed. A review of the payment listing also highlighted the Trust had a number of payments made to contractors or staff who were self-employed and as such will invoice the Trust for their services.
We found one instance where the purchase order was raised and authorised by members of NHS Portsmouth, who are not employees of the Trust.
Testing identified that only five of 32 invoices tested had a purchase order attached to the order.
Testing of tender waivers highlighted that officers were not always completing the form in the required detail. It was noted that one tender waiver did not include the VAT element on the waiver, despite the waiver form specifically stating that VAT was required to be included.
12
Assignment: Patient Monies & Property Opinion: Amber/Red
Design and Application of control framework
The Trust had a number of policies operating in relation to patient property. The ‘Patient Property Guidelines’ which were still being followed by all four hospitals we visited have since been superseded by the ‘Management of Patients Property Policy’. The financial procedures also contained procedures relating to patient property and therefore there was a lack of clarity as to the correct procedures to follow.
The ‘Management of Patient Property Policy’ was available for staff via the intranet. The medical and clerical staff we met with rightly stated that the policy was available on the intranet. However when they were asked to locate the policy none were able to do this.
The Trust’s policies had not been updated since they were first approved in March 2011. The ‘Management of Patients’ Property’ did not make reference to Southern Health NHS Foundation Trust, but to one of its predecessors, Hampshire Community Health Care.
Testing identified that only four out of sixteen admissions with property tested had a disclaimer form signed in full by the patient and hospital. Four patient’s disclaimer forms could not be provided, as these remained in patients’ files once they had been discharged. Two out of eighteen disclaimer forms for patients depositing cash with the Trust were not signed by the patient, and no explanation for this was recorded. We were not able to confirm that a disclaimer form had been completed for a further three patients as the patient files were no longer at the Hospital.
A scan review of disclaimer forms highlighted that patient names were not always on the hospital copy, whilst a number of forms were not completed in full.
Assignment: ESR Data Quality Opinion: Amber Green
Design of control framework
An employee listing file was exported from ESR every Monday and imported to LEaD (Training Database). However validation checks between the two systems were not completed;
There were no sample or validation checks between the sickness dates per ESR and those imported into the e-rostering system.
Application of and compliance with control framework
Five employees out of a sample of ten were no longer active on ESR but remained on the LEaD system. Following further investigations we identified that the report of LEaD users was pulling inactive accounts including the five accounts identified in our testing. These accounts were not active and were therefore not included in performance figures;
We reviewed the e-learning results report from the week preceding the audit and identified three of the four e-learning results reviewed had not been uploaded. When discussed this was due to staff workloads. We then tested the e-learning results report from the second week of July. From this report we identified three e-learning results, from ten, which had not been entered into the LEaD system.
13
Assignment: CQC Mock Inspections Opinion: Green
Design of control framework
Where mock CQC inspection visits have been cancelled the reason for the cancellation had not been recorded.
Application of and compliance with control framework
Testing identified seven out of ten action plans which have passed their action plan date but have not been followed up.
Action plan templates are issued to service lines for completion. However, our testing identified two action plans which did not contain all the recommendations which had been raised in the corresponding report.
It was not possible to evidence that a review of the report had been completed by:
the independent co-ordinator for five out of ten reports reviewed;
the Lead auditor for five out of ten reports reviewed;
the Head of Audit & Compliance prior to issuing to the service line due to annual leave.
However the Head of Audit & Compliance stated that authorisation was given prior to issuing, and the report was reviewed retrospectively.
Assignment: Location Visit - Alton Community Hospital - Anstey Ward
Opinion: Amber/Green
Design of control framework
Agency Usage
The Anstey Ward, Alton Community Hospital did not have signed contracts in place with agencies in relation to the use of agency staff.
Leavers and Changes
The Ward Manager did not have access to the Ward budget, to enable monitoring of spends on a regular basis, in line with the Band 7 job description.
Application of and compliance with control framework
Sickness Absence Procedures:
The Trust had separate policies in place in relation to the two legacy organisations prior to the merger.
Agency Usage:
A reconciliation between the ward staff list and payroll list was not being regularly undertaken.
Assignment: Location Visits - Stefano Olivieri Unit, Melbury Lodge
Opinion: Amber/Green
Design of control framework
Agency usage:
The Stefano Olivieri Unit did not have signed contracts in place with agencies in relation to the use of agency staff.
14
Sickness Absence (Trust-wide issue):
A Managing Sickness Absence Policy was in place, and due for review in May 2013, however the policy still referred to the former Hampshire Partnership NHS Foundation Trust, rather than Southern Health NHS Foundation Trust.
The Trust did not have one amalgamated policy operating in practice. There were still two policies in practice relating to the two predecessor organisations.
Application of and compliance with control framework
Two of ten staff members tested who had been absent since April 2012 had medical certificates on file due to their absence being longer than seven days. However testing identified that an absence reporting form was not completed by eight employees where their absence was less than seven days although this was requested by the policy. The Ward was not aware of this requirement.
Formal documentation relating to return to work interviews for ten members of staff was not evident.
Timesheets for two/five Bank Staff employees could not be provided at the time of the audit, however these were verified back to the manual rosters maintained.
Timesheets for two/five agency invoices selected for testing could not be provided, and one of these could not be agreed back to the roster.
Assignment: Carbon Management Opinion: Advisory
The key findings from the review were as follows:
The Board should be informed of the financial implications of potential CRC participation and the implications of the Climate Change Act
Environmental and energy due diligence should be undertaken prior to property transfers
The Governance arrangements for Sustainability Management needed to be clearly defined
A revised sustainability strategy and policy needed to be developed.
The Trust would benefit from a formal process for managing their sustainable development programme.
The Sustainable Development Action Plan needed to be reviewed and updated
Assignment: Change Programme Opinion: Amber/Green
Design of control framework
Procurement contracts were not consistently and formally assigned to a specific manager to monitor and review the contract on a day to day basis;
The Work Plan used by the Procurement team only detailed contracts due to expire. A full contracts register was not held
Application and Compliance with control framework
The Procurement Board did not specifically review those projects that had been graded as “red” under the RAG grading system however, red items were reviewed at the Financial Performance Review Meetings.
Assignment: Financial Reporting & Budgetary Control Opinion: Green
Application and Compliance with control framework
15
For Community Health, responsibilities for budget setting and the monitoring of budgets were outlined in the current job descriptions of staff and therefore they did not formally sign off the budget. It is the view of Internal Audit that whilst responsibilities may be incorporated within the job descriptions it is important that accountability is clearly set out against the actual budgets for the year and that there is a consistent approach taken to this across the Organisation.
Assignment: Data Quality Opinion: Green
Design of control framework
There were no checks carried out to ensure that clustering has been accurately completed.
Application and Compliance with control framework
We selected a sample of staff leavers and tested to ensure that their RiO account had been disabled. We found one member of staff who had left the Trust but whose account had not been disabled or deleted.
Assignment: Estates Management Opinion: Green
No significant issues were raised as part of this review.
Assignment: Appraisals Opinion: Amber Red
Application and Compliance with control framework
We selected a sample of 25 staff members recorded as having received an appraisal per the ESR system and reviewed their appraisal forms. For four staff members the appraisal forms could not be provided to us, although we selected our sample prior to the audit visit and allowed the Trust four weeks to provide these to us. We were therefore unable to confirm that these appraisals were completed and consequently that the ESR data was accurate as reported.
We found that not all forms had been fully completed and in some cases some sections had been completely omitted. In ten out of 21 forms reviewed there was at least one, and in some cases two, sections that were not completed. We raised the possibility that this could impact on the quality of the appraisal if the form was not completed in full. We discussed this with the Director of Human Resources and acknowledged that much of the benefit from the appraisal comes from the quality of the conversation with the line manager and should not be measured simply on the completion of all areas of the appraisal form.
We selected a sample of nine appraisers who should have attended the appraisal training; one individual had not done so.
The original target set was that all appraisals should be completed by the end of June 2012. This was found to be unrealistic owing to the slow progress on completion. The key performance indicator was set so that it is on a sliding scale and increases each month. The new target is that all appraisals are to be completed by the end of October 2012. We found this consistent with the dashboard reported to and monitored by the Trust Board. However, we believe that the need to restate the target indicated possible weaknesses in the project management of the roll out of the new appraisals process.
16
Assignment: Financial Feeder Systems Opinion: Green
Design and application of control framework
An asset validation exercise was not undertaken in the year
Review of the asset register reconciliation to the general ledger was not always completed in a timely manner.
Assignment: Partnership Working (Section 75 Agreements) Opinion: Amber Red
Design of control framework
Whilst some limited review of risk was taking place from a Southern Health perspective, the partners had not yet identified a way to bridge this review to span across both organisations from a service user’s perspective. Furthermore, it was not a routine item on the agenda of either the Partnership Boards and therefore not considered with sufficient regularity.
There was no standard performance management approach in relation to managing the section 75s. In particular the Hampshire County Council section 75s had not been subject to monitoring through KPIs. This was a recognised weakness at the Trust, and a KPI dashboard had been developed with a view to making the process more transparent.
The terms of reference of the Hampshire Partnership Board and the POG required review to ensure they are current and reflect the chosen governance structure for the section 75s in place.
Application and Compliance with control framework
The Partnership Operations Groups (POGs) for Learning Disabilities and Adult Mental Health had been ineffective, as they had met irregularly or not at all, and appear to have suffered from a lack of buy in as a result. As a result, operational monitoring of the partnership performance had been hampered.
The Hampshire County Council Partnerships Board did not meet in one instance in 2012/13 as expected. We considered the meetings to have an important role in the governance of the arrangements and therefore these should take place quarterly as per the terms of reference.
Assignment: Cash & Treasury Management Opinion: Green
Design of control framework
The Investment Committee was to be disbanded. However, it was unclear which committee would take over its responsibilities for overseeing investment practices at the Trust.
Assignment: Payroll Feeder Systems - not previously reported
Opinion: Amber Red
Design of control framework
An authorised signatory list was not in place detailing those staff able to authorise starters, leavers, amendments and payments. This was identified as an issue in the 2011/12 audit of payroll feeder systems
17
and was scheduled to be addressed through the full roll out of E-Rostering.
Application and Compliance with control framework
Testing evidenced that authorisation could not be provided for seven starters, four changes (both samples of 20) and one leaver (from a sample of 15) as no signatures were provided as the forms had been e-mailed to HR and emails had not been retained.
From the sample of 20 starters tested to ensure timely input on to the ESR system, it was identified that six starters were input on to ESR after the effective date.
In addition, the sample of new starters also highlighted an issue regarding flexi- retirement. The usual process is to terminate the employee’s role and then create them as a new starter. The sample showed an employee whose two roles overlapped by eight days.
We tested a sample of 20 leavers to ensure that terminations were updated on the ESR system in a timely manner to reduce the likelihood of overpayments. Five files were not provided to us during the audit as they had been archived. Three of the remaining 15 files provided showed the date the information was received was after the effective date. In two of these cases this resulted in overpayments being made. The overpayments from the sample tested totalled a value of £2637.62.
We tested a sample of 20 changes to payroll data to ensure that changes were made promptly. Ten of the forms were received after the effective date and consequently resulted in the amendments being made on ESR after the effective date. Of the ten late forms there were three underpayments and two overpayments. In addition, there was one overpayment identified within the sample although the form had been provided to HR one day before the effective date. The overpayments from the sample tested totalled a value of £1152.27, of which £855.62 relate to late forms.
In 2012/13 the Trust had made overpayments to the date of the audit of c£323k (including current staff and leavers). This total included the results of an enhancement recovery exercise performed in June which discovered staff had been wrongly allocating bank holidays resulting in c£45k of overpayments being identified.
Payroll reconciliations completed for the 2012/13 financial year were tested, showing that for the last seven months they had been completed and signed off by both the preparer and the reviewer. However, whilst the reconciliations were completed monthly they were found only to be reviewed bi-monthly.
Assignment: Care Quality Commission - not previously reported
Opinion: Amber Green
Design of control framework
All completed Provider Compliance Assessments (PCAs) were held and maintained by the local sites rather than centrally.
The Compliance Team did not receive the Local Governance Group minutes. In our CQC audit 2011/12 we raised a recommendation in relation to the collation and review of Local Governance Group minutes by the Head of Audit and Compliance. Owing to staff illness this had not yet been implemented.
Following an amber or red inspection outcome, sites have 28 days to respond with an action plan. If this deadline is not met, penalties apply. However we noted that there were no internal deadlines in place for the sites to provide the action plans to central Compliance prior to submission.
A review of evidence held to support CQC outcomes was not undertaken on a quarterly basis by the Local Governance Group within each Division.
A CQC Mock Inspection Team Ultimate Guide to CQC was completed in December 2012, however due to staff absence this guidance remained as a first draft.
Application and Compliance with control framework
Our testing of PCA forms covering a sample of three divisions identified one PCA form which included a criterion which had not been RAG rated. For one division only two of the four PCA forms for the outcomes selected could be provided at the time of the audit.
There had been 22 CQC inspections since April 2012 which had resulted in three non-compliant reports and action plans. The three non-compliant reports were for Forest Lodge, Ravenswood and 17 Quay Haven. Our testing of the three inspections identified for one inspection, completed 23 November 2012, per
18
the inspection log an action plan in response was still outstanding from the centre at the time of the audit. Following our audit it was confirmed that the action plan had been submitted to meet CQC deadlines but this had not been submitted to the central compliance team.
Our testing of evidence to support CQC compliance from three divisions identified one division who did not provide any evidence to support the outcome PCA’s and a further division who were unable to provide sufficient evidence for three areas selected in our sample. Two of the three areas were pieces of evidence that could not be located and the final area was evidence that the Manager did not have access to.
Assignment: Information Governance Toolkit – not previously reported
Opinion: Green
Assessment No. of
requirements
Explanation
Agreed 10 From the evidence provided we agree with the score
recorded for all ten standards selected.
Assignment: Risk Management – not previously reported Opinion: N/A
For a Trust such as Southern Health, providing the services that it does and of its considerable size we would expect, at a minimum for the organisation to be aiming for “Risk Managed” on the Risk Maturity framework. Currently the Trust is rated as “Risk Defined” or between “Risk Defined” and “Risk Managed” for most of the elements which constitute the Risk Maturity framework. The actions we identified within the Risk Improvement Road Map, included within our Risk Maturity report, are designed to move the Trust towards “Risk Managed” over the next six to twelve month period. Overall it is our view that the Trust has a good framework through which it can manage risk, however it is felt that there is room for strengthening the content and quality of the information that is documented.
We concluded that during the course of the review and through discussions with those interviewed that in the main there was a general understanding and awareness of the requirements for the Trust’s risk management processes and procedures, albeit there was in cases a lack of clarity regarding risk reporting and what reports were received and where. This is an area that can be improved within the Risk Management Strategy and Policy and through training and education.
Whilst many of the risk and control descriptions were reasonably set out within the Assurance Framework and Risk Registers these were not always completed consistently and accountability could be improved by ensuring clear deadlines and accountable officers are attributed to each action designed to close a gap in control.
It was also felt that Board visibility of the Trust’s Top 5-10 risks or “Corporate Risks”, that were not included within the Board Assurance Framework was not as good as it could be due to the corporate risk register not being presented or optimised and the lack of a risk appetite driving the Board Reporting Cycle.
Finally, going forward into 2013/14, it is imperative that the Trust’s Executive and Non-Executive Directors formally decide on a set of strategic risks for the year that the organisation can then seek to manage and use resources effectively to do so. Alongside this, an agreement must be sought on what information is required at Board and Audit Committee level to provide assurance on the control framework surrounding these risks.
19
Assignment: Patient Records (DRAFT) - not previously reported
Opinion: Amber Green
Design and application of control framework
We selected a sample of ten patients from the Integrated Community Services team and reviewed RiO to ensure that patient details were up to date and that all relevant forms had been completed. We were unable to review secondary files as due to the nature of the patient care, manual files are kept in patient homes. However, we found a number of missing or incomplete forms in the sample. Specifically, we noted the following issues:
o Five had not received an assessment, with one assessment taking place five months after the date of joining the case load. No issues were noted with the remaining five.
o Six had either partial or no observations written up (e.g. Blood pressure). No issues were noted with the remaining four.
o The one Falls patient in the sample did not receive a Falls assessment.
o The one Palliative care patient did not receive an End of Life Assessment.
o Three out of five Wound cases had not received a Wound Assessment, although one had been recorded in the progress notes. No issues were noted with the remaining two.
o Six out of ten had not received a Waterlow/Braden Assessment (both risk assessment scales used to assess a patient's level of risk for the development of pressure ulcers) despite the fact that in one case the patient had initially presented with pressure sores. No issues were found with the remaining four.
o Six out of ten did not have a Care Plan. No issues were found with the remaining four.
Owing to the nature of their work, the Integrated Community Services and Learning Disabilities teams cannot always access RiO when with patients. Whilst they should update RiO at the earliest opportunity we were informed that this is not always the case.
We discussed the use of RiO as a reporting tool with the Integrated Community Services team and found that they do not place significant reliance on reports produced from RiO as they are aware that it is not always kept up to date, as per the above point. They find data to be unreliable and incomplete and the Area Manager noted that she had to investigate all variances in reports prior to submission rendering the process inefficient.
Reporting was also discussed with the Learning Disability team at Ridgeway who noted that they find the RiO reporting functions to be extremely slow, and as a result are often unable to review reports before they are sent to Management.
The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the
weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as
accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and
information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist.
This report, together with any attachments, is provided pursuant to the terms of our engagement. The use of the report is solely for internal purposes by the management
and Board of our client and, pursuant to the terms of the engagement, it should not be copied or disclosed to any third party or otherwise quoted or referred to, in whole
in part, without our written consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.
© 2012 - 2013 RSM Tenon Limited
The term "partner" is a title for senior employees, none of whom provide any services on their own behalf.
RSM Tenon Limited is a subsidiary of RSM Tenon Group PLC. RSM Tenon Group PLC is an independent member of the RSM International network. The RSM
International network is a network of independent accounting and consulting firms each of which practices in its own right. RSM International is the brand used by the
network which is not itself a separate legal entity in any jurisdiction.
RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB. England