STATEMENT ON INTERNAL CONTROL 200708 Presenter at Board meeting by AdamThomson



               STATEMENT ON INTERNAL CONTROL 2007/08

Presenter at Board meeting:        Clive Appleby
                                   AD Corporate Services

Purpose of Paper: For the Board to agree the Statement on Internal Control
(SIC) for 2007/08, subject to any recommendations made by the Audit

Assurance Framework Objective:

5        Continue to develop the Boards and Committees, to ensure we have
         robust arrangements for all aspects of integrated governance

Linkage to the relevant SHA Improving Lives Saving Lives pledge          N/A
Equality Impact Assessment: N/A

Action Required by Board:

    The Board is asked to:

    1)    Agree the Statement on Internal Control for 2007/08 for signing off
          by the Chief Executive as Accountable Officer, subject to any
          recommendations made by the Audit Committee following a
          meeting of the Committee held on 13th June 2008

    2)    Note that once agreed, the SIC forms part of the Annual Accounts
          for the PCT

Key areas for discussion or noting: The format and content of the SIC
follows a prescribed format and content as issued by the Department of

Relevant legal issues:       N/A
Public Engagement:           N/A

Clive Appleby
Asst. Director Corporate Services
3rd June 2008

    This document can be made available in larger font or in translation
                            upon request.

                              (Draft 4 – May 08)



1.    Scope of responsibility

The Board is accountable for internal control. As Accountable Officer, and
Chief Executive of this Board, I have responsibility for maintaining a sound
system of internal control that supports the achievement of the organisation’s
policies, aims and objectives. I also have responsibility for safeguarding the
public funds and the organisation’s assets for which I am personally
responsible as set out in the Accountable Officer Memorandum.

I am also the Chief Executive of East & North Hertfordshire PCT. Although the
two PCTs are separate statutory bodies, they have a single management and
HQ team and share some common strategic and operational goals and
control system objectives.

My responsibilities as Accountable Officer in respect of internal controls are
supported by a Non-Executive Director-chaired (Joint) Integrated Governance
Committee and an Audit Committee (the Chair of which works informally but
closely with the Chair of East & North Hertfordshire PCT Audit Committee).
Both of these committees report to the Board.

When appropriate, internal control issues also feature at weekly meetings of
the Executive Director Team. Controls are also reviewed by the PCT’s
internal and external auditors.

The PCT is held to account for its performance by the East of England
Strategic Health Authority. It also works closely with local authorities
(Hertfordshire County Council, Hertsmere Borough Council, St. Albans District
Council, Three Rivers District Council, Watford Borough Council and Dacorum
Borough Council) and is subject to scrutiny by the County Council “Overview
and Scrutiny” Committee.

The PCT in turn, its primary role being that of a commissioning organisation, has
responsibilities for monitoring levels of standards, compliance and quality
achieved by independent health practitioners and healthcare organisations
from which it commissions services. This is evidenced through the annual
“Standards for Better Health” declaration and the contracts entered into for


2.      The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable
level rather than to eliminate all risk of failure to achieve policies, aims and
objectives; it can therefore only provide reasonable and not absolute
assurance of effectiveness. The system of internal control is based on an
ongoing process designed to:

•    identify and prioritise the risks to the achievement of the organisation’s
     policies, aims and objectives,
•    evaluate the likelihood of those risks being realised and the impact should
     they be realised, and to manage them efficiently, effectively and

The system of internal control has been in place in West Hertfordshire
Primary Care Trust for the year ended 31 March 2008 and up to the date of
approval of the annual report and accounts.

3.      Capacity to handle risk

The Chief Executive is the Accountable Officer for risk management within the
PCT. Day to day executive responsibility for governance and control is
delegated to the Director of Public Involvement and Corporate Services, who
is supported by an Assistant Director of Integrated Governance. This
Directorate includes a “compliance unit” as recommended by the Integrated
Governance Handbook (Department of Health February 2005). The function
of the Compliance Unit is to provide organisational capacity to effectively
monitor and facilitate risk control within the PCT.

A programme of risk management training for all staff is in place (for induction
and risk specific training). Key risk-related policies, guidance and other
documents, once they have been approved through internal approval
processes, are posted on the PCT’s “intranet” and their adoption is publicised
to staff through staff newsletters and a team briefing process.

Risk-related performance reports are submitted to the Joint Integrated
Governance Committee (either programmed or by exception) with the aim that
lessons can be learned and good practice can be devised and disseminated.

The Secretary of State’s Directions 2004 on work to counter fraud and
corruption require NHS bodies to appoint a Local Counter Fraud Specialist
(LCFS). The overarching body is the NHS Counter Fraud and Security
Management Service (CFSMS). The PCT employs an LCFS who reports
directly to the Director of Finance.

West Herts PCT participated in the Audit Commission’s National Fraud
Initiative validating identified payroll, visa and NINO (National Insurance
number) records. There were no issues of fraud.


The Counter Fraud Security Management Service Procurement Risk Exercise
was also undertaken, where two tenders were identified for investigation. The
exercise is complete and information submitted to the CFSMS for analysis.
The outcome will be notified later in the year 2008.

4.    The risk and control framework

The PCT has a Risk Management Strategy in place, which was approved by
the Joint Integrated Governance Committee and adopted by the Board in
March 2007. This was superseded by an Integrated Governance Strategy
which was approved by the Board in March 2008. This includes provision of a
process for the identification, evaluation and control of risks.

The Strategy is supported by policies in place on risk management, adverse
incidents and serious untoward incidents.

An overview of the PCT’s strategic objectives, associated risks and controls is
provided by the “Assurance Framework”. The Board was actively involved in
the development of the Framework and it was first approved by the Board in
January 2007. The Framework is not fixed, and it is reviewed and updated as
objectives, risks, controls or required actions change.

As part of the Integrated Governance Strategy, the PCT also maintains both
“High Level” and operational risk registers, with risks rated as “high” being
reported to the Joint Integrated Governance Committee (JIGC) and being
subject to review by the Boards. High level risks also feed into the Assurance
Framework, along with associated control measures.

The version of the Assurance Framework in place as at 31st March 2008 has
identified 10 strategic objectives. There are no identified gaps in assurances,
but as the PCT is still a developing organisation, there are some gaps in
control associated with all objectives. No identified gaps are classed as
“Significant Control Issues” in section 5 below.

The Full Assurance Framework can be seen on the PCT’s website by
following the link below (and see item (B) 11):

Complementary to, and consistent with, the Assurance Framework, is the
PCT’s Declaration on Compliance with the “Core standards” of “Standards for
Better Health”, which forms part of the Government’s “Annual Health Check”
overseen by the Healthcare Commission. Declaration on compliance
covering 2007/08 was submitted in April 2008. A copy of the PCT’s full
Declaration can be seen on the PCT’s website by following the link below as
item (D) 11 11.20


The PCT declared “insufficient assurance” for one standard, as follows:

11b Healthcare organisations ensure that staff concerned with all aspects of
the provision of healthcare participate in mandatory training programmes

Reason for Insufficient Assurance:

•    Inadequate recording of attendance at mandatory training prior to
     01/09/07
•    Inadequate assurance to ensure that staff failing to book on mandatory
     training sessions are being followed through

Actions Planned:

•    Quarterly reports to service managers on staff attendance at
     training - April 2008
•    Service managers to regularly review uptake within their teams to ensure
     staff are on target to receive training required in 08/09 (ongoing)

The PCT also declared “standard not met” for one standard, as identified
under “Significant Control Issues” in section 5 below.

The risk and control framework also allows for identification of risks from
external stakeholders. These are identified and addressed primarily through
incident report forms, service and performance meetings and Standards for
Better Health declarations.

Compliance with NHS Pension Scheme Regulations

As an employer with staff entitled to membership of the NHS Pension
scheme, control measures are in place to ensure all employer obligations
contained within the Scheme regulations are complied with. This includes
ensuring that deductions from salary, employer’s contributions and payments
in to the Scheme are in accordance with the Scheme rules, and that member
Pension Scheme records are accurately updated in accordance with the
timescales detailed in the Regulations.

Information Governance and Assurance

The PCT has a clearly identified responsibility for information governance
and management which is reflected in an Information Governance Strategy.
The CEO is the Accountable Officer for risks relating to information

Risks related to information governance are managed, monitored and
reviewed by the Information Governance Committee (IGSC) which is a
subcommittee of the Joint Integrated Governance Committee. Information is
fed back to the relevant directorates to be incorporated into their risk registers
if necessary.


In addition the PCTs have taken the following actions to ensure compliance
with information governance:

•    The IGSC has developed a work plan to ensure compliance at level 3
     of the IG statement of compliance for 2008-2009.
•    A data flow mapping exercise has been undertaken for the two primary
     care trusts (East & North Herts PCT and West Hertfordshire PCT).
     Findings from this have been incorporated into the work plan.
•    Work is in progress to implement encryption on portable devices.
•    All bulk data flows are authorised by the Caldicott Guardian prior to

During 2007/08, there was one information governance issue of sufficient
severity to merit identification as a Significant Control Issue in section 5 of
this Statement (see below).

5.     Review of effectiveness

As Accountable Officer, I have responsibility for reviewing the effectiveness of
the system of internal control. My review is informed in a number of ways. The
head of internal audit provides me with an opinion on the overall
arrangements for gaining assurance through the Assurance Framework and
on the controls reviewed as part of the internal audit work. Executive
managers within the organisation who have responsibility for the development
and maintenance of the system of internal control provide me with assurance.
The Assurance Framework itself provides me with evidence that the
effectiveness of controls that manage the risks to the organisation achieving
its principal objectives has been reviewed. In 2007/08 my review has also
been informed by:

•    Audit Commission “Auditors Local Evaluation” (ALE)
•    Internal Audit Reports on Governance and Risk
•    Internal review of evidence to support the self-declaration of compliance
     for the Healthcare Commission’s “Standards for Better Health”
•    The PCT’s Self-declaration of compliance with the Healthcare
     Commission’s “Standards for Better Health”
•    Healthcare Commission monitoring visits

I have been advised on the implications of the result of my review of the
effectiveness of the system of internal control by the following:

The PCT Board

The Board places reliance upon the Audit Committee and (Joint) Integrated
Governance Committee for assurances on the extent to which the system of
internal control is sound.

The Audit Committee

The Audit Committee’s primary role is to independently oversee the
governance and assurance process on behalf of the PCT and to report to the
Board on the soundness and effectiveness of the systems in place for risk
management and internal control. In order to provide this assurance to the
Board, both Internal and External Audit undertake systems based reviews
providing an opinion to the committee on the processes and controls in place.

The (Joint) Integrated Governance Committee

The (Joint) Integrated Governance Committee is responsible for overseeing
the identification and management of risks facing the PCT, including the
development and monitoring of the PCT’s Assurance Framework and the self
declaration on compliance with core standards as part of the Healthcare
Commission’s “Annual Health Check”.

Executive Directors

The Executive Directors meet weekly. Risk-related items feature as agenda
items for these meetings.

Internal Audit

Internal Audit reviews the system of internal control and reports its findings to
the Audit Committee. This includes specific reports on areas relevant to
controls, risk and governance and also a Head of Internal Audit Opinion,
which informs this Statement on Internal Control.

A plan to ensure continuous improvement of the system was in place
throughout 2007/08 and developments have included:

   (1)    incorporating areas of weakness in the PCT’s Assurance
          Framework and Risk Register, and identifying actions required,
          timescales and appropriate “leads”.
   (2)    holding Directors and Officers to account to effect changes within
          agreed timescales
   (3)    monitoring progress on required improvements by the Audit
          Committee and Joint Integrated Governance Committee including
          review by the latter of risk and control related performance reports
   (4)    The chairs of the Audit and (Joint) Integrated Governance
          Committee raising areas of serious concern and observations on
          progress with the Board


Significant control issues

The Head of Internal Audit Opinion for the period 1st April 2007 – 31st March
2008, states that significant assurance can be given that there is generally a
sound system of internal control, designed to meet the organisation’s
objectives, and that controls are generally being applied consistently.
However, some weakness in the design and inconsistent application of
controls put the achievement of particular objectives at risk.

The Head of Internal Audit Opinion has not identified any significant issues
which require disclosure within the Statement on Internal Control.

For the “Standards for Better Health Declaration”, the PCT declared the
following standard as “Not Met”:

Healthcare Organisations keep patients, staff and visitors safe by having
systems to ensure that all reusable medical devices are properly
decontaminated prior to use and that the risks associated with
decontamination facilities and processes are well managed

Reason for non-compliance: The PCTs use the CSSD services at the two
local acute trusts in Hertfordshire. The PCTs are declaring ‘not met’ on C4c in
view of the declaration of ‘not met’ by the West Hertfordshire NHS Trust and
of ‘insufficient assurance’ by the East and the North Hertfordshire NHS Trust
on this standard. Both trusts are able to show from action plans submitted
that they had achieved full compliance with the standard by 31st of March

In addition, audits undertaken across the PCTs revealed areas of
non-compliance with use of desktop sterilisers within some community podiatry
and dental services.

Actions planned: Review of the action plan with the two commissioned trusts
to ensure services are being provided by an accredited CSSD and
decontamination services are fully compliant with the relevant legislation -
June 2008.

Comprehensive risk assessment on the use of desktop sterilisers in
community dental and podiatry services to help manage the associated risks -
April 2008 (achieved)

A programme of replacement of desktop sterilisers and use of single use
items where possible is underway along with physical upgrades to local
decontamination facilities - July 2008.


In 2007/08 there was one Serious Untoward Incident relating to Information
Governance which has been identified as a Significant Control Issue. The
details are as follows:

Summary of Serious Untoward Incident (SUI) involving personal
data as reported to the Information Commissioner’s Office in 2007-

Date of     Nature of           Nature of     Number of     Notification
incident    incident            data          people        steps
                                involved      potentially

January     Loss of back up     Clinical      Over 1000     Police
2008        tape for GP         database                    informed
            service from        containing
            outside secured     patient
            NHS premises        names

Further action on information risk:

•    An IT provider has been commissioned by the Hertfordshire PCTs to
     implement encryption of back up tapes.
•    IT software provider was contacted about potential risk and media
     enquiries.
•    The practice had performed a risk assessment prior to the incident to
     ensure that back up tapes are kept off site to ensure business
     continuity.

Signed                          __________________________
Chief Executive Officer
West Hertfordshire Primary Care Trust

Date:                            (on behalf of the Board)

