southern health nhs foundation trust internal audit annual ...€¦ · internal audit annual report...

Southern Health NHS Foundation Trust

Internal Audit Annual Report

Year ended 31 March 2013

Presented at the Audit Committee meeting of: 20 May 2013

Nick Atkinson Head of Internal Audit

1

1 INTRODUCTION

1.1 Roles and responsibilities

The whole Board is collectively accountable for maintaining a sound system of internal control and is

responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall

system.

The Annual Governance Statement (AGS) is an annual statement by the Accounting Officer, on behalf of the

Board, setting out:

how the individual responsibilities of the Accounting Officer are discharged with regard to maintaining a

sound system of internal control that supports the achievement of policies, aims and objectives;

the purpose of the system of internal control as evidenced by a description of the risk management and

review processes, including the Assurance Framework process;

the conduct and results of the review of the effectiveness of the system of internal control including any

disclosures of significant control failures together with assurances that actions are or will be taken where

appropriate to address issues arising.

In accordance with NHS Internal Audit Standards, the Head of Internal Audit (HoIA) is required to provide an

annual opinion, based upon and limited to the work performed, on the overall adequacy and effectiveness of

the organisation’s risk management, control and governance processes (i.e. the organisation’s system of

internal control). This is achieved through a risk-based plan of work, agreed with management and approved

by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent

limitations described below.

The opinion does not imply that Internal Audit has reviewed all risks and assurances relating to the

organisation. The opinion is substantially derived from the conduct of risk-based plans generated from a

robust and organisation-led Assurance Framework. As such, the Assurance Framework is one component

that the Board takes into account in making its AGS.

2 THE HEAD OF INTERNAL AUDIT OPINION

The purpose of my annual HoIA Opinion is to contribute to the assurances available to the Accountable

Officer and the Board which underpin the Board’s own assessment of the effectiveness of the organisation’s

system of internal control. This Opinion will in turn assist the Board in the completion of its AGS.

My opinion is set out as follows:

Based on the work undertaken in 2012/2013, significant assurance can be given that there is a generally

sound system of internal control, designed to meet the organisation’s objectives, and that controls are

generally being applied consistently.

2.1 Issues Judged Relevant to the preparation of the Annual Governance Statement

Based on the work we have undertaken on the Trust’s system of internal control we do not consider that

within these areas there are any issues that need to be flagged as significant internal control issues within

the AGS.

2.2 The basis of the Opinion

The basis for forming my opinion is as follows:

An assessment of the design and operation of the underpinning Assurance Framework and supporting

processes;

2

An assessment of the range of individual opinions arising from our work reported throughout the year.

This assessment has taken account of the relative materiality of these areas and management’s progress

in addressing control weaknesses; and

Any reliance that is being placed upon third party assurances.

2.3 Information Supporting the Opinion

The commentary below provides the context for my opinion and together with the opinion should be read in

its entirety.

2.3.1 The design and operation of the Assurance Framework and associated processes

For a Trust such as Southern Health NHS Foundation Trust, providing the services that it does and of its

considerable size we would expect, at a minimum for the organisation to be aiming for “Risk Managed” on

the Risk Maturity framework. Currently the Trust is rated as “Risk Defined” or between “Risk Defined” and

“Risk Managed” for most of the elements which constitute the Risk Maturity framework. The actions we

identified within the Risk Improvement Road Map, included within our Risk Maturity report, are designed to

move the Trust towards “Risk Managed” over the next six to twelve month period. Overall it is our view that

the Trust has a good framework through which it can manage risk, however it is felt that there is room for

strengthening the content and quality of the information that is documented.

We concluded that during the course of the review and through discussions with those interviewed that in

the main there was a general understanding and awareness of the requirements for the Trust’s risk

management processes and procedures, albeit there was in cases a lack of clarity regarding risk reporting

and what reports were received and where. This is an area that can be improved within the Risk

Management Strategy and Policy and through training and education.

Whilst many of the risk and control descriptions were reasonably set out within the Assurance Framework

and Risk Registers these were not always completed consistently and accountability could be improved by

ensuring clear deadlines and accountable officers are attributed to each action designed to close a gap in

control.

It was also felt that Board visibility of the Trust’s Top 5-10 risks or “Corporate Risks”, that were not included

within the Board Assurance Framework was not as good as it could be due to the corporate risk register not

being presented or optimised and the lack of a risk appetite driving the Board Reporting Cycle.

Finally, going forward into 2013/14, it is imperative that the Trust’s Executive and Non-Executive Directors

formally decide on a set of strategic risks for the year that the organisation can then seek to manage and

use resources effectively to do so. Alongside this, an agreement must be sought on what information is

required at Board and Audit Committee level to provide assurance on the control framework surrounding

these risks. The Risk Maturity report is currently in draft awaiting management comments.

3

2.3.2 The range of individual opinions arising from our work that have been reported throughout the year

The internal audit plan was driven by the Trust’s key risks as identified by management and was further

driven by the need to review key financial systems to ensure that continued External Audit reliance is placed

upon the work of Internal Audit. Discussions were also held with the Director of Finance during the year to

ensure that any key emerging risks for the Trust were included in the plan.

A summary of internal audit work undertaken, and the resulting opinions, is provided at Appendix A. At

Appendix B we provide more detail on the key internal audit findings which have informed our annual

opinion.

During the year we have issued five “amber red rated” opinions, which related to:

Compliance with Standing Orders - This audit covered spend against a range of contracts, the

majority of which were put in place prior to the introduction of the in-house Procurement team. In

general, we found that contracts negotiated and agreed prior to the introduction of the in-house

Procurement team were those where the paperwork could not always be located and supported to

help demonstrate compliance with Standing Orders.

Patients’ Monies and Properties – We raised ten recommendations relating to compliance with the

control framework. This was as a result of our site visits identifying that each site was operating its

own processes for patients’ monies, and that these were in some instances not compliant with the

Trust’s policy.

Appraisals – Whilst we considered that the design of the new appraisals process was reasonable,

we noted that it was yet to be embedded at the time of the audit. As a consequence our testing

identified a significant number of employees for whom appraisal forms were incomplete or missing.

We also identified that the Trust had failed to achieve its original target for the completion of

appraisals.

Partnership working (Section 75 Agreements)– This review considered the three section 75

arrangements in place at the Trust. Two were with Hampshire County Council (one for Learning

Disabilities and one for Adult Mental Health). The other was to provide adult mental health services

to Southampton City Council. Our audit found that there was no standard risk management or

performance management processes for the Trust’s Section 75 Agreements. We also noted that the

Groups charged with oversight of partnership arrangements had met at best irregularly and did not

have up to date terms of reference in place.

Payroll Feeder Systems – As in previous years we raised a number of recommendations in this

area to address issues identified, including a number which resulted in overpayments being made.

The following charts compare the breakdown of internal audit opinions issued this year against those issued

last year and the proportion and priority of recommendations made this and last year.

4

2.3.3 Comparison of Internal Audit Opinions (Assurance assignments) in 2012/13 compared with 2011/2012

2.3.4 Comparison of Internal Audit recommendations made 2012/2013 compared with 2011/2012

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

2011/2012 2012/2013

Green

Amber Green

Amber Red

Red

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

2011/2012 2012/2013

Low

Medium

High

5

2.3.5 Common Weaknesses

There have been no common weaknesses identified throughout our reviews.

2.3.6 Acceptance of Recommendations

Whilst we have two reports at draft stage, relating to Risk Management and Patient Records and we have

been provided with assurances by management as part of our debrief process that the recommendations we

have made are being or will be appropriately considered by management.

All of the recommendations made within our finalised reports have been accepted by management.

2.3.7 Progress made with previous internal audit recommendations

Our follow up of the recommendations made in 2011/2012, including those that were outstanding from

previous years, showed that the Trust had made adequate progress in implementing the agreed

recommendations, as summarised below:

Priority Number made in

2011/2012

Of which:

Addressed Not implemented or still in

progress

High 6 4 2

Medium 40 22 18

Low 24 16 8

Totals 70 42 28

The two high priority recommendations not implemented or still in progress were:

Payroll - Termination forms and changes to employees' payroll data should be communicated to HR

on a timely basis to avoid possible overpayments taking place. HR should consider escalating any

persistent offenders to the relevant Director (Payroll feeder systems)

Location Visits – Therapies Waiting Times - The team should put in place a weekly process

whereby patients who have waited a certain length of time (for example, 11 weeks) are prioritised for

attention. We note that there is a daily check during triage, and ultimately the Team Lead is

responsible for ensuring waiting limits. However presently staffing resources are limited. The

forthcoming amalgamation of CCT and ART therapy teams from Winchester and Andover will result

in transfer of care for four GP practices, which will improve staffing levels, ensuring the 12 week

waiting limit is met. (Location visits – Andover)

2.3.8 Reliance Placed Upon Work Of Other Assurance Providers

In forming our opinion we have not placed any direct reliance on other assurance providers.

3 OUR PERFORMANCE

3.1 Wider value-adding delivery

As part of our client service commitment, during 2012 we issued 15 NHS sector specific client updates and

four general briefings.

3.2 Conflicts of Interest

We (RSM Tenon) have not undertaken any work or activity during 2012/2013 that would lead us to declare

any conflict of interests.

6

3.3 Conformance with Internal Audit Standards

RSM Tenon affirms that our internal audit services are designed to comply with the NHS Internal Audit

Standards, which are derived from the Institute of Internal Auditors International Standards for the

Professional Practice of Internal Auditing (‘the Standards’).

Under the Standards, internal audit services are required to have an external quality and review at least

once every five years. In line with this requirement, during 2011 RSM Tenon commissioned an external

independent review of our internal audit services to provide assurance whether our approach meets the

requirements set out in the International Professional Practices Framework (IPPF) published by the Global

Institute of Internal Auditors. The NHS Internal Audit Standards are based upon the IPPF.

The external review concluded that “the design and implementation of systems for the delivery of internal

audit provides substantial assurance that the Standards established by the IIA in the IPPF will be delivered

in an adequate and effective manner”.

In this year we have reviewed our processes to ensure we will be compliant with the Public Sector Internal

Auditing Standards when they are introduced in 2013/2014.

3.4 Performance Indicators

Our performance during 2012/2013 is summarised below across a range of performance indicators.

Delivery Quality

Target Actual Notes (ref)

Target Actual Notes (ref)

Audits commenced in line with original timescale

100% 91% A Compliance with NHS Internal Audit Standards

Yes Yes

Audit scopes signed by relevant Director

100% 100% Extent to which External Audit place reliance on our work

Yes Yes

Draft reports issued within 10 days of debrief meeting

100% 90% B

Staff

Final report issued within 3 days of management response

100% % of staff with CCAB/CMIIA qualifications

>50% 81%

Completion of audit plan by 31

st March

100% 95% A Turnover rate of staff <10% 0%

% audit reports presented to agreed Audit Committee meetings

100% 85% C

Response Times

% of High & Medium recommendations followed up

100% 100% Response time for all general enquiries for assistance

2 working days

100%

Notes

Response for emergencies and potential fraud

1 working day

N/A

7

Note A: Management requested a delayed start to the Risk Management audit to help review the Trust’s revised

systems and processes later in the year than originally planned. The originally planned review of Service Line Reporting was replaced with a request for an audit of Patient Records by the Audit Committee. This was completed in March/April 2013 and is now in draft awaiting management comments.

Note B: Two reports were issued outside of the agreed timeframe. One of these was issued 14 working days after

debrief relating to Data Quality and one relating to Information Governance was delayed due to staff sickness. The Head of Internal Audit called the Information Governance Manager to apologise and explain the delay.

Note C: Three reports were presented at the meeting following the originally proposed meeting, where we were

awaiting responses to draft reports which were not presented within the timeframe to allow presentation to the proposed committee.

8

APPENDIX A: INTERNAL AUDIT OPINIONS AND RECOMMENDATIONS 2012/2013

Audit

Link to risk or rationale for coverage

Opinion Actions Agreed (by priority)

High Medium Low

Audits to address specific risks

Clinical Audit Follow Up Following the Amber/Red opinion

review in 2011/12 we will follow up in

detail the work conducted as part of the

2011/12 review and the

recommendations which were agreed

for implementation. Specific focus to

be placed on any differences in ways of

working between Mental Health and

Community arms of the Trust.

Adequate

Progress

0 2 0

Compliance with Standing

Orders

Focus on the systems to purchase and

achieve best value for money.

Amber / Red 2 4 5

Patient Monies and Property Ensure overarching systems for

maintaining patients monies are secure

and in line with overarching policies and

best practice.

Amber / Red 1 7 2

ESR Data Quality Failure to have accurate information

concerning the Trust’s workforce

reduces the capacity of the business to

undertake effective decision making.

Amber / Green 0 3 0

Follow Up To meet internal auditing standards and

to provide management with ongoing

assurance regarding implementation of

recommendations.

Adequate

Progress

0 6 6

CQC Mock Inspections All key processes from staffing, policy

compliance, cash and patient monies

handling, use of temporary staffing,

health and safety and security.

Green 0 1 3

Location Visit - Alton

Community Hospital - Anstey

Ward

All key processes from staffing, policy




Amber / Green 0 2 0

Location Visits - Stefano Olivieri

Unit, Melbury Lodge

All key processes from staffing, policy




Amber / Green 0 5 0

Carbon Management Failure to maximise the financial and

social opportunities through reduction

of carbon emissions impacts on the

Advisory 2 6 5

9

Audit



High Medium Low

Trust financially and reputationally with

users and staff alike.

Change Programme Failure to identify Cost Improvements

require due to Commissioners 2011/12

QIPP plans.

Amber / Green 0 2 2

Financial Reporting &

Budgetary Control

Failure to deliver a financially viable

model of service in 2011/12, including

the risk of slippage as a result of

consultation lead times.

Green 0 1 0

Data Quality Evidence from reviews of CIRs suggest

that the clinical risk assessment policy

(CP 92) is not always complied with.

This many increase the risk of serious

incidents involving patients – including

suicide, violence to others and

homicide. This also exposes the Trust

to the potential for adverse criticism and

publicity following enquiries.

Green 0 1 1

Estates Management Failure to implement an estates plan

that is fit for purpose and ensures a

cost effective estate.

Green 0 0 1

Appraisals Failure to deliver our staff leads to loss

of talent and disruption to services.

Amber / Red 1 2 1

Financial Feeders External audit want to place reliance on

testing undertaken by internal audit and

the Trust needs to ensure it has robust

systems in place to support the key

financial processes.

Green 0 1 1

Partnership Working Failure to maximise the opportunities

through effective partnership working

could result in the failure to deliver an

excellent service to users.

Amber / Red 2 1 2

Cash and Treasury

Management

External audit want to place reliance on





Green 0 1 4

Payroll Feeder Systems External audit want to place reliance on



Amber / Red 1 3 2

10

Audit



High Medium Low



Follow Up To meet internal auditing standards and

to provide management with ongoing

assurance regarding implementation of

recommendations.

Adequate progress 2 12 2

Care Quality Commission

(CQC)

Trust is required to demonstrate

compliance with CQC registration.

Amber / Green 0 4 1

Risk Maturity Review Assessment of adequacy of risk

management structures to enable

effective management of risks and

business as a whole. 2012/13 will

focus on divisional risk management.

DRAFT 0 5 3

Information Governance Toolkit

Version 10

Failure to look after our patients and

staff data appropriately could lead to a

data security serious incident and

damage the reputation of the Trust.

Green 0 0 0

Patients’ records Audit committee request DRAFT 0 2 0

Total 11 71 41

We use the following levels of opinion classification within our internal audit reports:

Red Amber / Red Amber / Green Green

Taking account of the issues identified, the Board cannot take assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective.

Action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, whilst the Board can take some assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, the Board can take reasonable assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

However we have identified issues that, if not addressed, increase the likelihood of the risk materialising.

Taking account of the issues identified, the Board can take substantial assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

11

APPENDIX B: KEY FINDINGS FROM INTERNAL AUDIT REVIEWS 2012/2013

Assignment: Clinical Audit Follow Up Opinion: Adequate Progress

Our testing did not find any evidence of a review undertaken by the Audit and Governance team prior to the clinical audit reports being issued.

The Audit & Governance team was planning to review the Clinical Audit action plans and ensure that these were ‘SMART’. The procedures for this process were being drafted by the Head of Audit & Compliance.

The Trust had written a new Clinical Audit Policy which was due for ratification by the Trust Board in July 2012.

Assignment: Compliance with Standing Orders Opinion: Amber/ Red

This audit covered expenditure against a range of contracts, the majority of which were put in place prior to the

introduction of the in-house Procurement team. In general, we found that contracts negotiated and agreed prior to

the introduction of the in-house Procurement team were those where the paperwork could not always be located

and supported.

Design of control framework

A formal approval process for the authorisation of a tender was not undertaken by the Trust prior to the commencement of a tender process.

Once a tender process had been completed, the Trust was not required to complete a control sheet to ensure that they had complied with all aspects of the tender process.

Paragraph 9.16.1 of the SFI’s stated 'Where quotations are required under SFI 9.16.1 they should be obtained from at least two firms'. This was not consistent with the SDBRP, which stated that one quote was required for amounts below £2,500, and three quotes were required for amounts above £2,500.

Application of and compliance with control framework

The Scheme of Delegation and Board Reserved Powers made reference to expenditure between £25,000 and £50,000, but did not include sufficient detail as to whether quotations or tenders are required.

The Bravo system was not used consistently across the Trust. For example where the Estates team independently let tenders they used paper tendering documents.

Only three members of the Procurement team at the time of the audit had access to Bravo, and users could only view tender projects for which they had been assigned as a designated officer.

We tested a sample of 32 suppliers with whom the Trust has incurred varying degrees of expenditure since February 2012. For three suppliers who had gone through a tender process, the actual spend between February 2012 and June 2012 exceeded the total contract amounts stated per the winning tender bid.

The Trust could not provide evidence of tenders or quotations for four suppliers where the level of expenditure required these to be obtained, or that a contract existed for these suppliers.

For a further two suppliers, both providing agency staff, no contract existed. A review of the payment listing also highlighted the Trust had a number of payments made to contractors or staff who were self-employed and as such will invoice the Trust for their services.

We found one instance where the purchase order was raised and authorised by members of NHS Portsmouth, who are not employees of the Trust.

Testing identified that only five of 32 invoices tested had a purchase order attached to the order.

Testing of tender waivers highlighted that officers were not always completing the form in the required detail. It was noted that one tender waiver did not include the VAT element on the waiver, despite the waiver form specifically stating that VAT was required to be included.

12

Assignment: Patient Monies & Property Opinion: Amber/Red

Design and Application of control framework

The Trust had a number of policies operating in relation to patient property. The ‘Patient Property Guidelines’ which were still being followed by all four hospitals we visited have since been superseded by the ‘Management of Patients Property Policy’. The financial procedures also contained procedures relating to patient property and therefore there was a lack of clarity as to the correct procedures to follow.

The ‘Management of Patient Property Policy’ was available for staff via the intranet. The medical and clerical staff we met with rightly stated that the policy was available on the intranet. However when they were asked to locate the policy none were able to do this.

The Trust’s policies had not been updated since they were first approved in March 2011. The ‘Management of Patients’ Property’ did not make reference to Southern Health NHS Foundation Trust, but to one of its predecessors, Hampshire Community Health Care.

Testing identified that only four out of sixteen admissions with property tested had a disclaimer form signed in full by the patient and hospital. Four patient’s disclaimer forms could not be provided, as these remained in patients’ files once they had been discharged. Two out of eighteen disclaimer forms for patients depositing cash with the Trust were not signed by the patient, and no explanation for this was recorded. We were not able to confirm that a disclaimer form had been completed for a further three patients as the patient files were no longer at the Hospital.

A scan review of disclaimer forms highlighted that patient names were not always on the hospital copy, whilst a number of forms were not completed in full.

Assignment: ESR Data Quality Opinion: Amber Green


An employee listing file was exported from ESR every Monday and imported to LEaD (Training Database). However validation checks between the two systems were not completed;

There were no sample or validation checks between the sickness dates per ESR and those imported into the e-rostering system.


Five employees out of a sample of ten were no longer active on ESR but remained on the LEaD system. Following further investigations we identified that the report of LEaD users was pulling inactive accounts including the five accounts identified in our testing. These accounts were not active and were therefore not included in performance figures;

We reviewed the e-learning results report from the week preceding the audit and identified three of the four e-learning results reviewed had not been uploaded. When discussed this was due to staff workloads. We then tested the e-learning results report from the second week of July. From this report we identified three e-learning results, from ten, which had not been entered into the LEaD system.

13

Assignment: CQC Mock Inspections Opinion: Green


Where mock CQC inspection visits have been cancelled the reason for the cancellation had not been recorded.


Testing identified seven out of ten action plans which have passed their action plan date but have not been followed up.

Action plan templates are issued to service lines for completion. However, our testing identified two action plans which did not contain all the recommendations which had been raised in the corresponding report.

It was not possible to evidence that a review of the report had been completed by:

the independent co-ordinator for five out of ten reports reviewed;

the Lead auditor for five out of ten reports reviewed;

the Head of Audit & Compliance prior to issuing to the service line due to annual leave.

However the Head of Audit & Compliance stated that authorisation was given prior to issuing, and the report was reviewed retrospectively.

Assignment: Location Visit - Alton Community Hospital - Anstey Ward

Opinion: Amber/Green


Agency Usage

The Anstey Ward, Alton Community Hospital did not have signed contracts in place with agencies in relation to the use of agency staff.

Leavers and Changes

The Ward Manager did not have access to the Ward budget, to enable monitoring of spends on a regular basis, in line with the Band 7 job description.


Sickness Absence Procedures:

The Trust had separate policies in place in relation to the two legacy organisations prior to the merger.

Agency Usage:

A reconciliation between the ward staff list and payroll list was not being regularly undertaken.

Assignment: Location Visits - Stefano Olivieri Unit, Melbury Lodge

Opinion: Amber/Green


Agency usage:

The Stefano Olivieri Unit did not have signed contracts in place with agencies in relation to the use of agency staff.

14

Sickness Absence (Trust-wide issue):

A Managing Sickness Absence Policy was in place, and due for review in May 2013, however the policy still referred to the former Hampshire Partnership NHS Foundation Trust, rather than Southern Health NHS Foundation Trust.

The Trust did not have one amalgamated policy operating in practice. There were still two policies in practice relating to the two predecessor organisations.


Two of ten staff members tested who had been absent since April 2012 had medical certificates on file due to their absence being longer than seven days. However testing identified that an absence reporting form was not completed by eight employees where their absence was less than seven days although this was requested by the policy. The Ward was not aware of this requirement.

Formal documentation relating to return to work interviews for ten members of staff was not evident.

Timesheets for two/five Bank Staff employees could not be provided at the time of the audit, however these were verified back to the manual rosters maintained.

Timesheets for two/five agency invoices selected for testing could not be provided, and one of these could not be agreed back to the roster.

Assignment: Carbon Management Opinion: Advisory

The key findings from the review were as follows:

The Board should be informed of the financial implications of potential CRC participation and the implications of the Climate Change Act

Environmental and energy due diligence should be undertaken prior to property transfers

The Governance arrangements for Sustainability Management needed to be clearly defined

A revised sustainability strategy and policy needed to be developed.

The Trust would benefit from a formal process for managing their sustainable development programme.

The Sustainable Development Action Plan needed to be reviewed and updated

Assignment: Change Programme Opinion: Amber/Green


Procurement contracts were not consistently and formally assigned to a specific manager to monitor and review the contract on a day to day basis;

The Work Plan used by the Procurement team only detailed contracts due to expire. A full contracts register was not held

Application and Compliance with control framework

The Procurement Board did not specifically review those projects that had been graded as “red” under the RAG grading system however, red items were reviewed at the Financial Performance Review Meetings.

Assignment: Financial Reporting & Budgetary Control Opinion: Green


15

For Community Health, responsibilities for budget setting and the monitoring of budgets were outlined in the current job descriptions of staff and therefore they did not formally sign off the budget. It is the view of Internal Audit that whilst responsibilities may be incorporated within the job descriptions it is important that accountability is clearly set out against the actual budgets for the year and that there is a consistent approach taken to this across the Organisation.

Assignment: Data Quality Opinion: Green


There were no checks carried out to ensure that clustering has been accurately completed.


We selected a sample of staff leavers and tested to ensure that their RiO account had been disabled. We found one member of staff who had left the Trust but whose account had not been disabled or deleted.

Assignment: Estates Management Opinion: Green

No significant issues were raised as part of this review.

Assignment: Appraisals Opinion: Amber Red


We selected a sample of 25 staff members recorded as having received an appraisal per the ESR system and reviewed their appraisal forms. For four staff members the appraisal forms could not be provided to us, although we selected our sample prior to the audit visit and allowed the Trust four weeks to provide these to us. We were therefore unable to confirm that these appraisals were completed and consequently that the ESR data was accurate as reported.

We found that not all forms had been fully completed and in some cases some sections had been completely omitted. In ten out of 21 forms reviewed there was at least one, and in some cases two, sections that were not completed. We raised the possibility that this could impact on the quality of the appraisal if the form was not completed in full. We discussed this with the Director of Human Resources and acknowledged that much of the benefit from the appraisal comes from the quality of the conversation with the line manager and should not be measured simply on the completion of all areas of the appraisal form.

We selected a sample of nine appraisers who should have attended the appraisal training; one individual had not done so.

The original target set was that all appraisals should be completed by the end of June 2012. This was found to be unrealistic owing to the slow progress on completion. The key performance indicator was set so that it is on a sliding scale and increases each month. The new target is that all appraisals are to be completed by the end of October 2012. We found this consistent with the dashboard reported to and monitored by the Trust Board. However, we believe that the need to restate the target indicated possible weaknesses in the project management of the roll out of the new appraisals process.

16

Assignment: Financial Feeder Systems Opinion: Green

Design and application of control framework

An asset validation exercise was not undertaken in the year

Review of the asset register reconciliation to the general ledger was not always completed in a timely manner.

Assignment: Partnership Working (Section 75 Agreements) Opinion: Amber Red


Whilst some limited review of risk was taking place from a Southern Health perspective, the partners had not yet identified a way to bridge this review to span across both organisations from a service user’s perspective. Furthermore, it was not a routine item on the agenda of either the Partnership Boards and therefore not considered with sufficient regularity.

There was no standard performance management approach in relation to managing the section 75s. In particular the Hampshire County Council section 75s had not been subject to monitoring through KPIs. This was a recognised weakness at the Trust, and a KPI dashboard had been developed with a view to making the process more transparent.

The terms of reference of the Hampshire Partnership Board and the POG required review to ensure they are current and reflect the chosen governance structure for the section 75s in place.


The Partnership Operations Groups (POGs) for Learning Disabilities and Adult Mental Health had been ineffective, as they had met irregularly or not at all, and appear to have suffered from a lack of buy in as a result. As a result, operational monitoring of the partnership performance had been hampered.

The Hampshire County Council Partnerships Board did not meet in one instance in 2012/13 as expected. We considered the meetings to have an important role in the governance of the arrangements and therefore these should take place quarterly as per the terms of reference.

Assignment: Cash & Treasury Management Opinion: Green


The Investment Committee was to be disbanded. However, it was unclear which committee would take over its responsibilities for overseeing investment practices at the Trust.

Assignment: Payroll Feeder Systems - not previously reported

Opinion: Amber Red


An authorised signatory list was not in place detailing those staff able to authorise starters, leavers, amendments and payments. This was identified as an issue in the 2011/12 audit of payroll feeder systems

17

and was scheduled to be addressed through the full roll out of E-Rostering.


Testing evidenced that authorisation could not be provided for seven starters, four changes (both samples of 20) and one leaver (from a sample of 15) as no signatures were provided as the forms had been e-mailed to HR and emails had not been retained.

From the sample of 20 starters tested to ensure timely input on to the ESR system, it was identified that six starters were input on to ESR after the effective date.

In addition, the sample of new starters also highlighted an issue regarding flexi- retirement. The usual process is to terminate the employee’s role and then create them as a new starter. The sample showed an employee whose two roles overlapped by eight days.

We tested a sample of 20 leavers to ensure that terminations were updated on the ESR system in a timely manner to reduce the likelihood of overpayments. Five files were not provided to us during the audit as they had been archived. Three of the remaining 15 files provided showed the date the information was received was after the effective date. In two of these cases this resulted in overpayments being made. The overpayments from the sample tested totalled a value of £2637.62.

We tested a sample of 20 changes to payroll data to ensure that changes were made promptly. Ten of the forms were received after the effective date and consequently resulted in the amendments being made on ESR after the effective date. Of the ten late forms there were three underpayments and two overpayments. In addition, there was one overpayment identified within the sample although the form had been provided to HR one day before the effective date. The overpayments from the sample tested totalled a value of £1152.27, of which £855.62 relate to late forms.

In 2012/13 the Trust had made overpayments to the date of the audit of c£323k (including current staff and leavers). This total included the results of an enhancement recovery exercise performed in June which discovered staff had been wrongly allocating bank holidays resulting in c£45k of overpayments being identified.

Payroll reconciliations completed for the 2012/13 financial year were tested, showing that for the last seven months they had been completed and signed off by both the preparer and the reviewer. However, whilst the reconciliations were completed monthly they were found only to be reviewed bi-monthly.

Assignment: Care Quality Commission - not previously reported

Opinion: Amber Green


All completed Provider Compliance Assessments (PCAs) were held and maintained by the local sites rather than centrally.

The Compliance Team did not receive the Local Governance Group minutes. In our CQC audit 2011/12 we raised a recommendation in relation to the collation and review of Local Governance Group minutes by the Head of Audit and Compliance. Owing to staff illness this had not yet been implemented.

Following an amber or red inspection outcome, sites have 28 days to respond with an action plan. If this deadline is not met, penalties apply. However we noted that there were no internal deadlines in place for the sites to provide the action plans to central Compliance prior to submission.

A review of evidence held to support CQC outcomes was not undertaken on a quarterly basis by the Local Governance Group within each Division.

A CQC Mock Inspection Team Ultimate Guide to CQC was completed in December 2012, however due to staff absence this guidance remained as a first draft.


Our testing of PCA forms covering a sample of three divisions identified one PCA form which included a criterion which had not been RAG rated. For one division only two of the four PCA forms for the outcomes selected could be provided at the time of the audit.

There had been 22 CQC inspections since April 2012 which had resulted in three non-compliant reports and action plans. The three non-compliant reports were for Forest Lodge, Ravenswood and 17 Quay Haven. Our testing of the three inspections identified for one inspection, completed 23 November 2012, per

18

the inspection log an action plan in response was still outstanding from the centre at the time of the audit. Following our audit it was confirmed that the action plan had been submitted to meet CQC deadlines but this had not been submitted to the central compliance team.

Our testing of evidence to support CQC compliance from three divisions identified one division who did not provide any evidence to support the outcome PCA’s and a further division who were unable to provide sufficient evidence for three areas selected in our sample. Two of the three areas were pieces of evidence that could not be located and the final area was evidence that the Manager did not have access to.

Assignment: Information Governance Toolkit – not previously reported

Opinion: Green

Assessment No. of

requirements

Explanation

Agreed 10 From the evidence provided we agree with the score

recorded for all ten standards selected.

Assignment: Risk Management – not previously reported Opinion: N/A

For a Trust such as Southern Health, providing the services that it does and of its considerable size we would expect, at a minimum for the organisation to be aiming for “Risk Managed” on the Risk Maturity framework. Currently the Trust is rated as “Risk Defined” or between “Risk Defined” and “Risk Managed” for most of the elements which constitute the Risk Maturity framework. The actions we identified within the Risk Improvement Road Map, included within our Risk Maturity report, are designed to move the Trust towards “Risk Managed” over the next six to twelve month period. Overall it is our view that the Trust has a good framework through which it can manage risk, however it is felt that there is room for strengthening the content and quality of the information that is documented.

We concluded that during the course of the review and through discussions with those interviewed that in the main there was a general understanding and awareness of the requirements for the Trust’s risk management processes and procedures, albeit there was in cases a lack of clarity regarding risk reporting and what reports were received and where. This is an area that can be improved within the Risk Management Strategy and Policy and through training and education.

Whilst many of the risk and control descriptions were reasonably set out within the Assurance Framework and Risk Registers these were not always completed consistently and accountability could be improved by ensuring clear deadlines and accountable officers are attributed to each action designed to close a gap in control.

It was also felt that Board visibility of the Trust’s Top 5-10 risks or “Corporate Risks”, that were not included within the Board Assurance Framework was not as good as it could be due to the corporate risk register not being presented or optimised and the lack of a risk appetite driving the Board Reporting Cycle.

Finally, going forward into 2013/14, it is imperative that the Trust’s Executive and Non-Executive Directors formally decide on a set of strategic risks for the year that the organisation can then seek to manage and use resources effectively to do so. Alongside this, an agreement must be sought on what information is required at Board and Audit Committee level to provide assurance on the control framework surrounding these risks.

19

Assignment: Patient Records (DRAFT) - not previously reported

Opinion: Amber Green

Design and application of control framework

We selected a sample of ten patients from the Integrated Community Services team and reviewed RiO to ensure that patient details were up to date and that all relevant forms had been completed. We were unable to review secondary files as due to the nature of the patient care, manual files are kept in patient homes. However, we found a number of missing or incomplete forms in the sample. Specifically, we noted the following issues:

o Five had not received an assessment, with one assessment taking place five months after the date of joining the case load. No issues were noted with the remaining five.

o Six had either partial or no observations written up (e.g. Blood pressure). No issues were noted with the remaining four.

o The one Falls patient in the sample did not receive a Falls assessment.

o The one Palliative care patient did not receive an End of Life Assessment.

o Three out of five Wound cases had not received a Wound Assessment, although one had been recorded in the progress notes. No issues were noted with the remaining two.

o Six out of ten had not received a Waterlow/Braden Assessment (both risk assessment scales used to assess a patient's level of risk for the development of pressure ulcers) despite the fact that in one case the patient had initially presented with pressure sores. No issues were found with the remaining four.

o Six out of ten did not have a Care Plan. No issues were found with the remaining four.

Owing to the nature of their work, the Integrated Community Services and Learning Disabilities teams cannot always access RiO when with patients. Whilst they should update RiO at the earliest opportunity we were informed that this is not always the case.

We discussed the use of RiO as a reporting tool with the Integrated Community Services team and found that they do not place significant reliance on reports produced from RiO as they are aware that it is not always kept up to date, as per the above point. They find data to be unreliable and incomplete and the Area Manager noted that she had to investigate all variances in reports prior to submission rendering the process inefficient.

Reporting was also discussed with the Learning Disability team at Ridgeway who noted that they find the RiO reporting functions to be extremely slow, and as a result are often unable to review reports before they are sent to Management.

The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the

weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as

accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and

information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist.

This report, together with any attachments, is provided pursuant to the terms of our engagement. The use of the report is solely for internal purposes by the management

and Board of our client and, pursuant to the terms of the engagement, it should not be copied or disclosed to any third party or otherwise quoted or referred to, in whole

in part, without our written consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.

© 2012 - 2013 RSM Tenon Limited

The term "partner" is a title for senior employees, none of whom provide any services on their own behalf.

RSM Tenon Limited is a subsidiary of RSM Tenon Group PLC. RSM Tenon Group PLC is an independent member of the RSM International network. The RSM

International network is a network of independent accounting and consulting firms each of which practices in its own right. RSM International is the brand used by the

network which is not itself a separate legal entity in any jurisdiction.

RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB. England

southern health nhs foundation trust internal audit annual ...€¦ · internal audit annual report...

Documents