Work in the NHS? You’ll need to understand the key changes to the NHS audit committee handbook, outlined here.
In June the Department of Health, with the assistance of the Healthcare Finance Managers Association (HFMA), produced a revised and updated version of its audit committee handbook (first issued in 2005).
Whilst much of the actual content remains the same, the structure of the handbook has been re-modelled with the result that a greater emphasis is now placed on the assurance framework as the pivotal tool in underpinning the audit committee’s broader remit of monitoring financial, clinical and all operational risks.
This is achieved by gaining quality assurances that the most significant risks to the organisation’s strategic goals are being effectively controlled; specifically that the level of operational control is appropriate to areas where the inherent level of risk (to achieving the organisation’s strategic goals) is high and that where residual risk is high appropriate monitoring and action is being undertaken.
This article provides a summary of the main points and any significant changes to the 2005 edition by covering the following areas:
- role of the audit committee
- assurance framework format
- controls and assurance
- financial performance
- clinical focus
- working with other committees and auditors
- the role of internal audit
- the role of external audit
- the role of clinical audit
- organise and support an audit committee.
Role of the audit committee
No audit committee can limit itself to internal financial control matters; it must have a broad remit across the organisation with the assurance framework as a pivotal tool in managing risks to the organisation’s strategic objectives. There are two areas on which the audit committee should provide the board with assurance:
- the assurance framework – the audit committee’s primary role is to look behind the framework to provide assurance that it is valid and suitable and that robust controls have been put in place to manage significant risks to the organisation’s strategic objectives
- public disclosure statements – in particular this comprises the statement on internal control, the evidence to demonstrate fitness to register with the Care Quality Commission (CQC), the annual report and accounts, and the quality account. The audit committee should ensure rigorous processes are in place to support these statements.
- greater emphasis is now placed on the assurance framework for identifying risks related to the organisation’s strategic goals, and the handbook specifically states that the key question audit committee members need to ask is ‘how do we know what we know?’
- the role of the audit committee in providing assurances to the board on the assurance framework and disclosure statements is detailed more comprehensively with the emphasis on ensuring there is sufficient scrutiny of the processes and quality of data behind the assurance statements it is placing reliance on
- the revised handbook includes a list of what an audit committee should NOT do; this includes establishing and maintaining processes for governance, and overseeing the risk agenda.
Assurance framework format
The assurance framework is the key source of evidence that links strategic objectives to risk. The audit committee should use this document as the central tool for planning its work and key topics for scrutiny. It should not manage the process of populating the framework (this is the responsibility of the board), but should review the process and format of the framework thereby assuring the framework concentrates on high risk areas.
Assessing and reporting on the suitability of the format and processes around the assurance framework will provide a sound basis for the audit committee to comment on key aspects. The audit committee can make a significant contribution to the organisation by questioning whether the format of the assurance framework and the arrangements in place really do work for the organisation.
- the 2011 handbook includes a new section specifically on the importance of the assurance framework to the work of the audit committee, and directs audit committees to use the assurance framework as a key tool for planning and identifying topics for scrutiny
- the assurance framework should follow the structure of the organisation’s strategic objectives
- the role of the audit committee in reviewing the format and layout of the assurance framework is also comprehensively covered; specifically that objectives are appropriate, controls in place are sound, assurances are reliable and of good quality, and the data on which assurances are based is sound and accurate.
Control and assurance
The assurance framework should follow the structure of the organisation’s strategic objectives. The audit committee should look at the process by which these are compiled and satisfy itself that the objectives are sufficiently strategic, clearly stated and not so numerous as to be unmanageable; this point is highlighted in ‘Taking it on trust’.
The controls in the framework are what the organisation relies on from day to day to manage its risks. The committee should seek assurances from management, auditors and other external sources of assurances that they are sound in design and operated consistently. The committee should also consider that there is a plan for these assurances to be received. This should form a key part of the audit planning process and involve a detailed review of sources of assurance and priorities. This can be reviewed in-year using the assurance framework and knowledge of board priorities to reconfirm the audit plans, particularly in relation to internal audit.
The board and audit committee should seek positive assurances that risks are controlled. The committee may also identify negative assurance e.g. a source giving a poor opinion or a conflict between two sources of assurance. The committee will then expect management to strengthen controls and seek independent assurance about the effectiveness of these.
A critical element for the audit committee is whether the data on which assurances are based is reliable. The committee should ask whether it is valid (what sources were used), complete (did the data collection include all relevant elements and factors) and up to date (what periods does it cover).
- clear distinction is now provided between controls in the assurance framework and assurances in the assurance framework
- in respect of controls, audit committees should question whether:
  - controls are relevant to the risk
  - the risks relate to the organisation’s objectives
  - controls are complete in terms of adequacy covering all key risks
- in respect of assurances, audit committees should identify whether assurances received are reliable; in doing so they should consider:
  - the nature and source of the body providing the assurance
  - the skills and experience of those providing assurance
  - the nature and extent of work behind the assurance
  - how current the assurance is
  - what was the purpose of the review.
Financial performance
The maintenance of sound public accountability through financial reporting and robust systems of internal financial control remains a critical element of the Audit Committee’s work. The Committee should ensure it is reviewing regularly the risks and controls around financial management. In doing this the Committee will need to consider the integrity, completeness and clarity of financial reporting, taking into consideration the views of Internal and External Audit.
A key role of the Committee is to review, agree and recommend to the Board for approval the annual report and accounts. The Director of Finance has operational responsibility for establishing and maintaining a sound system of internal financial control, is responsible for the annual accounts and is increasingly taking on wider risk management responsibilities; consequently, the Director of Finance should be a key executive contact for the Audit Committee. The Committee can also offer the Director of Finance a high-profile forum when potentially difficult financial control decisions are required.
Clinical focus
The core business of NHS organisations is healthcare; therefore the Committee must spend time reviewing healthcare aspects of the business. In particular it falls to the Audit Committee to consider the clinical objectives and risks in the Assurance Framework. The Committee’s role at all times is to satisfy itself that the same level of scrutiny and independent audit over controls and assurances is applied to the risks to all strategic objectives, be they clinical, financial or operational.
- A key role of the Audit Committee is to recognise the risks to clinical services from financial pressures and satisfy itself that adequate controls are in place and reliable assurances are received.
Working with other committees and auditors
The audit committee will need to have an effective relationship with any risk or governance committee so that it can understand the processes in operation. The audit committee’s role is not to manage risks, but rather to ensure that the overall system for risk management is in place and effective. It is important, so as not to impair independence, that roles are not merged and that they are clearly stated in the respective terms of reference.
The audit committee should actively review the plans of auditors, and while the role of external audits is set out in the Audit Commission’s ‘Code of Audit Practice’ there is more scope for the audit committee to be pro-active in influencing the internal audit strategy and requesting work from internal audit that focuses on its audit needs.
The role of internal audit
An effective audit committee is dependent on the existence of an effective internal audit function, as an independent, objective and consulting body designed to add value and improve an organisation’s operations. Internal audit’s role embraces two key areas:
- the provision of an independent and objective opinion on the degree to which risk management, control and governance support the achievement of the organisation’s agreed objectives
- the provision of an independent and objective consultancy service specifically to help line management improve the organisation’s risk management, control and governance arrangements.
The head of internal audit should have access to the chair of the audit committee at any time, and it should be clear that management should not be allowed to restrict or censor this access.
Each year’s internal audit plan should set out details of the assignments to be carried out. The relationship between the plan and the assurance framework is critical and the chief executive will normally attend discussions in relation to the internal audit plan in recognition of their responsibility and ownership of both.
The committee should be clear about those risks and controls that internal audit will be addressing and identify where else the committee needs to seek assurances not covered in the internal audit plan. The assurance framework should be the mechanism that informs this task.
Best practice describes the existence of a formal internal audit ‘charter’ which is a written statement defining internal audit’s objectives, responsibilities, authority and reporting lines. The charter should comply with NHS internal audit standards and set out internal audit’s position within the organisation, its authority to access records, personnel and physical properties relevant to assignments. The existence of an internal audit charter is an addition to the audit committee self assessment checklist.
- included in the 2011 audit committee handbook is a series of best practice examples and questions for consideration in regard to internal audit, including the question of whether a formal internal audit charter exists. This should be a written statement defining the objectives, responsibilities, authority and reporting lines
- key sources of a good risk-based internal audit plan are included; these are listed as:
  - core financial systems
  - governance and risk management
  - assurance framework
  - audit risk assessment
- it is noted that an important role of the audit committee is to monitor the implementation of agreed audit recommendations, ensuring the trust has a robust system for monitoring progress and, where applicable, asking operational managers to attend committees.
The role of external audit
The objectives of external audit fall into two broad categories – to review and report on:
- the audited body’s financial statements, and on its statement on internal control
- whether the audited body has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources.
The appointed external audit provider should prepare an audit strategy and an annual audit plan for implementing the strategy. The annual plan should set out the details of the work to be carried out by external audit and must be discussed with the audit committee; the committee should concentrate on the outputs of the plan, and what they will receive from the external auditors, balanced against an understanding of the auditor’s statutory functions.
External audit should work with management and other assurance functions to optimise coverage. The committee will want to see and gain assurance that duplication of work with internal audit is minimised. External audit should never direct the work of internal audit, and should review and re-perform similar items for any piece of work on which it intends to place reliance. The audit committee should consider external audit’s view on the adequacy of internal audit.
External audit may issue a Public Interest Report (PIR) or referral to the secretary of state (or Monitor for an FT). A PIR is made when auditors consider a matter is sufficiently important to be brought to the attention of the audited body or public as a matter of urgency. Whenever a PIR is considered the committee should receive a briefing on the statutory background and potential consequences of such a report.
- duplication of work between internal and external audit should be kept to a minimum.
The role of clinical audit
‘Taking it on trust’ describes clinical audit as ‘the review of clinical performance, the measurement of performance against agreed standards and the refining of clinical practice as a result’. For NHS boards, managing clinical risk is of equal or greater concern than managing financial and business risk; therefore a good clinical audit function is an enormous asset and source of assurance.
In order to support the annual statement on internal control, heads of internal audit must provide an opinion on the effectiveness of risk management and control across potentially the whole of the trust’s activities. In addition, when assessing the clinical governance aspects of the assurance framework, internal audit and the audit committee will need to evaluate the extent and quality of the assurance provided by clinical audit.
Organise and support an audit committee
An audit committee should comprise only non-executive directors; this provides the basis for the committee to operate and be seen to operate independently and to apply an objective approach. The committee should consider its own training needs and ensure that members have the skills to perform their role effectively. An understanding of finance and internal controls is essential.
Prior to the 2005 edition of the audit committee handbook, audit committees met three to four times per year, but in implementing the wider remit a committee is unlikely to fulfil its responsibilities in fewer than five meetings per annum. Audit committee members should assess their performance annually using the checklist in the audit committee handbook, mindful that with any self-assessment it is important to be constructively critical in their responses.
Helen England – director of audit and Matthew Lee – senior auditor, Parkhill www.parkhill.org.uk