Internal Audit Risk Assessment And Plan - Moray


www.pwc.co.uk

ITEM: 5
APPENDIX A

Internal Audit Risk Assessment and Plan 2016/17

FINAL

NHS Grampian
March 2016

Contents

1. Introduction and approach ........ 1
2. Audit universe and strategic risks, themes and objectives ........ 3
3. Risk assessment ........ 4
4. Annual plan ........ 8
Appendix 1. NHS Grampian Strategic level risks, themes and objectives ........ 11
Appendix 2. Detailed methodology ........ 13
Appendix 3. Risk assessment criteria ........ 15

Distribution List

For action: Assistant Director of Finance
For information: Audit Committee

This document has been prepared only for NHS Grampian and solely for the purpose and on the terms agreed with NHS Grampian.

PwC Contents

1. Introduction and approach

Introduction

The following paper sets out our indicative Internal Audit Plan for 2015/16, along with indicative timings for review and a brief description of the expected scope of the review. As such, this Plan is a draft document for consideration and comment.

Approach

The internal audit service will be delivered in accordance with the Internal Audit Charter. A summary of our approach to undertaking the risk assessment and preparing the internal audit plan is set out below. The internal audit plan is driven by NHS Grampian's organisational objectives and priorities, and the risks that may prevent NHS Grampian from meeting those objectives. A more detailed description of our approach can be found in Appendix 1 and 2.

Step 1 - Understand corporate objectives and risks: Obtain information and utilise sector knowledge to identify corporate level objectives and risks.

Step 2 - Define the audit universe: Identify all of the auditable units within the organisation. Auditable units can be functions, processes or locations.

Step 3 - Assess the inherent risk: Assess the inherent risk of each auditable unit based on impact and likelihood criteria.

Step 4 - Assess the strength of the control environment: Assess the strength of the control environment within each auditable unit to identify auditable units with a high reliance on controls.

Step 5 - Calculate the audit requirement rating: Calculate the audit requirement rating taking into account the inherent risk assessment and the strength of the control environment for each auditable unit.

Step 6 - Determine the audit plan: Determine the timing and scope of audit work based on the organisation's risk appetite.

Step 7 - Other considerations: Consider additional audit requirements to those identified from the risk assessment process.

Basis of our plan

The level of agreed resources for the internal audit service for April 2016 to March 2017 is 135,000. Within our proposal for Internal Audit services for the period 2014-2017, we set out our three year strategic plan for NHS Grampian based on our assessment of your risks at that date. We recognise that risks change over time, which is why it is important that we review and update our risk assessment at least annually to take account of these changes and adjust our Internal Audit Plan accordingly.

Basis of our annual internal audit conclusion

Internal audit work will be performed in accordance with PwC's Internal Audit methodology, which is aligned to the Public Sector Internal Audit Standards. As a result, our work and deliverables are not designed or intended to comply with the International Auditing and Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and International Standard on Assurance Engagements (ISAE) 3000.

Our annual internal audit opinion will be based on and limited to the internal audits we have completed over the year and the control objectives agreed for each individual internal audit. The agreed control objectives will be reported within our final individual internal audit reports.

In developing our internal audit risk assessment and plan we have taken into account the requirement to produce an annual internal audit opinion by determining the level of internal audit coverage over the audit universe and key risks.

Other sources of assurance

In developing our internal audit risk assessment and plan we have taken into account other sources of assurance that are available, such as external inspections, external audit work, and ISO accreditations. We do not intend to place reliance upon these other sources of assurance.

2. Audit universe and strategic risks, themes and objectives

Audit universe

The diagram below represents the high level auditable units within the audit universe of NHS Grampian. These units form the basis of the internal audit plan.

[Audit universe diagram not reproduced in the transcription. Legible unit labels: Governance, Acute Services, Partnership Working, Receiving & Admissions, Health & Social Care Integration, Treatment & Care Provision, Clinical Standards, Estates, Waiting Times, Major Change Programmes; the full list of auditable units is given in the risk assessment table in section 3.]

Strategic risks, themes and objectives

Strategic level risks, themes and objectives have been determined by NHS Grampian. These are recorded within Appendix 1 and have been considered when preparing the internal audit plan.

3. Risk assessment

Risk assessment results

Each auditable unit has been assessed for inherent risk and the strength of the control environment, in accordance with the methodology set out in Appendix 2 and 3. The results are summarised in the table below.

Ref   Auditable Unit                        Inherent Risk   Control Environment   Audit Requirement   Frequency
                                            Rating          Indicator             Rating
A     Corporate
      (rows A.1 to A.3 are not legible in the transcription)
A.4   ICT                                   6               5                     4                   Annual
A.5   Estates                               5               3                     4                   Annual
B     Corporate Governance
B.1   Risk Management                       3               3                     2                   Every three years
B.2   Business Continuity Planning          5               4                     3                   Every two years
B.3   Board Governance                      3               3                     2                   Every three years
B.4   Financial Planning                    5               4                     3                   Every two years
C     Operational Governance
C.1   Clinical Standards                    5               4                     3                   Every two years
C.2   Health and Safety                     3               3                     2                   Every three years
C.3   Staff Governance                      3               3                     2                   Every three years
D     Acute Services
D.1   Receiving and Admissions              4               3                     2                   Every three years
D.2   Discharge Process                     6               3                     5                   Annual
D.3   Treatment and Care Provision          5               5                     3                   Every two years
D.4   Theatres                              4               4                     2                   Every three years
D.5   Waiting Times                         4               4                     2                   Every three years
E     Partnership Working
E.1   Health and Social Care Integration    6               5                     4                   Annual
E.2   Mental Health                         4               3                     3                   Every two years
F     Major Change Programmes
F.1   On-going Change Programmes            6               4                     4                   Annual

The colour code column (key areas of focus) is not reproduced in the transcription.

Key to frequency of audit work

Audit Requirement Rating   Frequency
6                          Annual
5                          Annual
4                          Annual
3                          Every two years
2                          Every three years
1                          No further work

Colour code: key areas of focus.

4. Annual plan

Annual plan and indicative timeline

The following table sets out the internal audit work planned for April 2016 to March 2017, together with indicative dates for each audit.

Ref / Auditable Unit / Proposed review / Quarter / Proposed scope of review (high level)

A.1 Finance - Key Financial Controls (Q4)
Review of key financial controls: purchase & payables, income & debtors, payroll, bank & cash and asset management.

A.1 Finance - Property Transaction Monitoring (Q2)
Review of the disposal and acquisition of property during 2015/16 in accordance with the Scottish Government Health Directorate's Property Transaction Manual.

A.2 Procurement - Family Health Service Contractors (Q3)
A review of the management arrangements for Family Health Service contractors, specifically reviewing how they are held accountable against the requirements of their contracts with NHS Grampian.

A.4 ICT - Data Quality in Management Information (Q2)
A review of the processes in place around management information to ensure quality of data used in developing the Board's strategic plans. Areas to consider could include: processes and controls around data collection and input, and robustness of management information systems. Scope also to include consideration of the process and controls for the review and sign off of external information returns and communication by Senior Management.

A.4 ICT - Cyber Security (Q3)
A review of cyber security maturity, assessing how the Board identifies cyber threats and risks, and how it develops responses to those threats and risks.

A.5 Estates - Project Management of Non-Capital Change Projects (Q4)
A review of management arrangements for non-capital change projects. Full scope to be agreed with management but to include consideration of the strategy for the allocation of accommodation and processes for decision making for non-clinical support functions.

B.3 Board Governance - Governance Statement (Q4)
Assess the evidence provided by NHS Grampian to support the Accountable Officer's completion of the Governance Statement.

C.3 Staff Governance - Staff Continuity and Planning (Q1)
A review of staff continuity and succession planning, including: identification of critical roles, process for identifying capacity and where staff are stretched, assessment and identification of staff requirements for personal development and support.

D.3 Treatment and Care Provision - Homecare Prescribing Services (Q2)
We will examine the controls in place around the operation of the Homecare Service, including reviewing the following key areas:
- Appropriate processes are in place for the registration of patients with medicines homecare services;
- Notification of intention to supply medicines through a homecare service provider is sent to the patient's General Practitioner;
- Appropriate processes are in place to ensure patients from the rheumatology, dermatology and MS service prescribed medicines under a homecare arrangement are reviewed to establish whether the treatment is effective; and
- Appropriate processes are in place for notification of any problems or errors within medicines homecare services.

D.4 Theatres - Theatre Utilisation (Q1)
The sub-processes and related control objectives included in this review are:
- Policies and Procedures are in place to help staff maximise theatre utilisation;
- Governance arrangements are in place to monitor and report on theatre utilisation, including actions taken to ensure theatre utilisation is maximised, the sharing of lessons learnt across theatres, and across sites;
- Processes are in place to review the use of locum doctors to support and sustain services;
- Arrangements are in place to monitor and report theatre utilisation performance by specialty, theatre, and site;
- Processes are in place to proactively manage potential DNAs (did not attends), operation overruns and appointments cancelled as not fit for surgery; and
- NHS Grampian has processes in place to participate in the national benchmarking reporting managed by the National Theatre Implementation Group.

E Partnership Working

E.1 Health and Social Care Integration - Health and Social Care Integration – Resource Allocation and Staff Governance (Q3)
Review to include consideration of the processes for allocating resources to the Integrated Joint Boards (IJBs) and the arrangements for staff governance for NHS Grampian staff working as part of the IJBs.

E.2 Mental Health - Patient Management in Mental Health Acute Services (Q3)
The overall objective of this internal audit review would be to consider the arrangements in place for patient management within mental health acute services. The review would consider the following areas:
- Performance targets;
- Information management; and
- Reporting and monitoring of performance and actions.
Our approach would include interviews with mental health services operational and performance management staff as well as the review of reports and documentation associated with managing performance in patient management.

F.1 On-going Change Programmes - Digital Strategy (Q1)
A review of the Board's IT and digital strategy. Areas to consider could include: how the Board is utilising technology to enhance services, how the IT and digital strategy links to the Board's overall strategy and vision, and how the Board manages technology risks.

Follow Up (Q1, Q2, Q3, Q4)
Follow-up of actions taken to address high priority internal audit recommendations.

Contract Management
(no proposed review, timing or scope is legible in the transcription)

Total

Appendix 1. NHS Grampian Strategic level risks, themes and objectives

Strategic level risks, themes and objectives have been determined by NHS Grampian and are set out in "The Vision and Values of NHS Grampian" and the Strategic Risk Register. These have been considered when preparing the internal audit plan.

Strategic Risk Register

The linkage of NHS Grampian's Strategic Risk Register and the Internal Audit Plan for 2016/17 is set out in the table below:

Corporate Level Risk: Partnership working with local authorities, third sector, independent contractors, and community (586)
Cross reference to Internal Audit Plan for 2016/17: Governance Statement; Homecare Prescribing Services; Patient Management in Mental Health Acute Services; Family Health Service Contractors

Corporate Level Risk: Involvement and engagement (610)
Cross reference: Governance Statement

Corporate Level Risk: Staff Governance Standards Compliance (752)
Cross reference: Governance Statement; Staff Continuity and Planning

Corporate Level Risk: Delivery strategies to meet the future health needs of the population (851)
Cross reference: Governance Statement; Theatre Utilisation

Corporate Level Risk: Patient safety (853)
Cross reference: Governance Statement; Staff Continuity and Planning; Theatre Utilisation; Homecare Prescribing Services; Patient Management in Mental Health Acute Services; Family Health Service Contractors

Corporate Level Risk: Infrastructure (855)
Cross reference: Governance Statement; Property Transaction Monitoring; Cyber Security; Project Management of Non-Capital Change Projects

Corporate Level Risk: Sustaining access to professional clinical staff in Grampian (859)
Cross reference: Governance Statement; Staff Continuity and Planning

Corporate Level Risk: Sustainable Workforce (1134)
Cross reference: Governance Statement; Staff Continuity and Planning

Corporate Level Risk: Evidence and Intelligence Informed Strategy (1262)
Cross reference: Governance Statement; Key Financial Controls; Property Transaction Monitoring; Data Quality in Management Information; Digital Strategy; Family Health Service Contractors; Project Management of Non-Capital Change Projects

Corporate Level Risk: Health & Safety (1448)
Cross reference: Governance Statement

Corporate Level Risk: Integration of Health and Social Care (1784)
Cross reference: Governance Statement; Health and Social Care Integration – Resource Allocation and Staff Governance

Strategic Themes and Objectives

The linkage of the NHS Grampian Strategic Themes and Objectives and the Internal Audit Plan for 2016/17 is set out in the table below:

Strategic Aim

(1) Improving Health & Reducing Inequalities
- Reduce inequalities in health outcomes and access to & use of healthcare
- Sustain & improve the population's health
- Work in partnership to support healthier & fairer communities

(2) Delivering High Quality Care in the Right Place
- Provide safer, effective, sustainable services built around people
- Exploit the opportunities arising from integrated working
- Modernise health care services to improve outcomes

(3) Involving our Patients, Public, Staff & Partners
- Ensure public and patients are fully informed in a way relevant to their needs
- Ensure all plans, programmes and services demonstrate active and meaningful involvement
- Embed a culture of genuine partnership in all NHSG services

(4) Developing and Empowering our Staff
- Alignment of staff across partnerships to deliver outcomes
- Creation of a supportive and empowering organisation climate and culture
- Be the NHS employer of choice

Cross reference to Internal Audit Plan for 2016/17 (the column was extracted as a single run of entries, in the order of the four aims above; the row boundaries between aims are not recoverable from the transcription):
Home Prescribing Services; Patient Management in Mental Health Acute Services; Family Health Service Contractors; Health and Social Care Integration – Resource Allocation and Staff Governance; Key Financial Controls; Property Transaction Monitoring; Staff Continuity and Planning; Data Quality in Management Information; Theatre Utilisation; Home Care Prescribing Services; Patient Management in Mental Health Acute Services; Family Health Service Contractors; Project Management of Non-Capital Change Projects; Digital Strategy; Theatre Utilisation; Homecare Prescribing Services; Patient Management in Mental Health Acute Services; Health and Social Care Integration – Resource Allocation and Staff Governance; Staff Continuity and Planning; Patient Management in Mental Health Acute Services; Health and Social Care Integration – Resource Allocation and Staff Governance

Appendix 2. Detailed methodology

Step 1 - Understand corporate objectives and risks

In developing our understanding of your corporate objectives and risks, we have:
- Reviewed your strategic level risks, themes and objectives;
- Drawn on our knowledge of the NHS; and
- Met with a number of senior management and non-executive members.

Step 2 - Define the Audit Universe

In order that the internal audit plan reflects your management and operating structure we have identified the audit universe for NHS Grampian, made up of a number of auditable units. Auditable units include functions, processes, systems, products or locations. Any processes or systems which cover multiple locations are separated into their own distinct cross cutting auditable unit.

Step 3 - Assess the inherent risk

The internal audit plan should focus on the most risky areas of the business. As a result each auditable unit is allocated an inherent risk rating, i.e. how risky the auditable unit is to the overall organisation and how likely the risks are to arise. The criteria used to rate impact and likelihood are recorded in Appendix 2.

The inherent risk assessment is determined by:
- Mapping the corporate risks to the auditable units;
- Our knowledge of your business and the NHS; and
- Discussions with management.

[Inherent risk matrix (Impact Rating against Likelihood) not reproduced in the transcription.]

Step 4 - Assess the strength of the control environment

In order to effectively allocate internal audit resources we also need to understand the strength of the control environment within each auditable unit. This is assessed based on:
- Our knowledge of your internal control environment;
- Information obtained from other assurance providers; and
- The outcomes of previous internal audits.

Step 5 - Calculate the audit requirement rating

The inherent risk and the control environment indicator are used to calculate the audit requirement rating. The formula ensures that our audit work is focused on areas with high reliance on controls or a high residual risk.

[Audit requirement rating matrix (Inherent Risk Rating against Control design) not reproduced in the transcription.]

Step 6 - Determine the audit plan

Your risk appetite determines the frequency of internal audit work at each level of audit requirement. Auditable units may be reviewed annually, every two years or every three years.

In some cases it may be possible to isolate the sub-process(es) within an auditable unit which are driving the audit requirement. For example, an auditable unit has been given an audit requirement rating of 5 because of inherent risks with one particular sub-process, but the rest of the sub-processes are lower risk. In these cases it may be appropriate for the less risky sub-processes to have a lower audit requirement rating and be subject to a reduced frequency of audit work. The sub-processes driving the audit requirement are highlighted in the plan as key sub-process audits.

Step 7 - Other considerations

In addition to the audit work defined through the risk assessment process described above, we may be requested to undertake a number of other internal audit reviews such as regulatory driven audits, value enhancement or consulting reviews. These have been identified separately in the annual plan.

Appendix 3. Risk assessment criteria

Determination of Inherent Risk

We determine inherent risk as a function of the estimated impact and likelihood for each auditable unit within the audit universe as set out in the tables below.

Impact rating / Assessment rationale

6:
- Critical impact on operational performance; or
- Critical monetary or financial statement impact; or
- Critical breach in laws and regulations that could result in material fines or consequences; or
- Critical impact on the reputation or brand of the organisation which could threaten its future viability.

5:
- Significant impact on operational performance; or
- Significant monetary or financial statement impact; or
- Significant breach in laws and regulations resulting in large fines and consequences; or
- Significant impact on the reputation or brand of the organisation.

4:
- Major impact on operational performance; or
- Major monetary or financial statement impact; or
- Major breach in laws and regulations resulting in significant fines and consequences; or
- Major impact on the reputation or brand of the organisation.

3:
- Moderate impact on the organisation's operational performance; or
- Moderate monetary or financial statement impact; or
- Moderate breach in laws and regulations with moderate consequences; or
- Moderate impact on the reputation of the organisation.

2:
- Minor impact on the organisation's operational performance; or
- Minor monetary or financial statement impact; or
- Minor breach in laws and regulations with limited consequences; or
- Minor impact on the reputation of the organisation.

1:
- Insignificant impact on the organisation's operational performance; or
- Insignificant monetary or financial statement impact; or
- Insignificant breach in laws and regulations with little consequence; or
- Insignificant impact on the reputation of the organisation.

Likelihood rating / Assessment rationale

6: Has occurred or probable in the near future
5: Possible in the next 12 months
4: Possible in the next 1-2 years
3: Possible in the medium term (2-5 years)
2: Possible in the long term (5-10 years)
1: Unlikely in the foreseeable future

In the event that, pursuant to a request which NHS Grampian has received under the Freedom of Information (Scotland) Act 2002 or the Environmental Information Regulations 2004 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder (collectively, the "Legislation"), NHS Grampian is required to disclose any information contained in this document, it will notify PwC promptly and will consult with PwC prior to disclosing such document. NHS Grampian agrees to pay due regard to any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which may exist under the Legislation to such report. If, following consultation with PwC, NHS Grampian discloses this document or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

This document has been prepared only for NHS Grampian and solely for the purpose and on the terms agreed with NHS Grampian in our agreement dated 23 March 2014. We accept no liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else.

2016 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

