Auditing 'outside the box'
How do you deliver a head of audit opinion in the context of partnership and integrated system working?
As the public sector landscape has changed we have seen an increase in organisations working in partnership. Alongside this it is clear that in many settings, not least in health and social care, organisations can no longer deliver strategic objectives and manage risks in isolation.
As the health and social care landscape changes, the architecture of the NHS moves into Integrated Care Systems, there becomes a greater focus on ‘system’ and ‘place’ and a ‘blurring’ of organisational boundaries to enable more agile and effective transformation. Governance within this setting remains critical, and becomes complicated with statutory body requirements, system level governance and the need for collaborative and collective decision making. Regulatory requirements and relationships have started to move to system level, and the latest guidance for organisations states ‘system first’ as a key call to action.
So where does this leave Internal Audit?
The need for collaboration between internal auditors in the public sector comes from a number of drives, not least:
- Organisations can no longer deliver objectives on their own
- Various forms of organisations coming together for health and social care provision
- Statutory body requirements alongside the need to work together in a ‘system’/ ‘place’
- Blurred boundaries to organisations, systems and processes, and ‘accountability’
- Organisations starting to focus on the wider risks and external factors
- Needing to think differently about what is needed to deliver the HOIA opinion
- Traditionally difficult to audit across boundaries, relying on third party assurance, limited scopes etc.
Professional standards require us to produce a risk based plan (to determine the priorities in the internal audit activity consistent with the organisation’s goals) and an overall opinion (Head of Internal Audit Opinion). Within the definition of internal audit there is also a clear direction in terms of adding value and helping to improve an organisation’s operations.
In terms of planning this may lead to three levels needing to be considered including system wide assurances, ICS/Place based assurance and local organisation assurance (all of which would feed into the overall Opinion). Traditionally, internal audit plans have predominantly (if not exclusively) been at a local organisation level so it is likely that there will need to be a journey to a more system wide focus. The speed of this transition will very much depend on the system developments, governance, relationships and infrastructure. That said internal auditors are in a unique place to help to contribute to the understanding about assurance at each level and the implications that need to be considered.
What are the barriers and how can we overcome these?
Fundamentally the professional standards, approach and expectations placed on internal auditors are the same across sectors. On a practical level there are a number of barriers that need to be overcome including:
- IA Planning – how do auditors ensure alignment of risks and priorities? What is a key risk to one organisation may only have a small impact at another, so ‘local’ organisation risk based planning may rightly result in different internal audit plans. In addition to this organisation (and indeed Internal Audit) culture can vary significantly, which means that there could be different expectations and positioning of Internal Audit. Formal approval of plans can also be tricky in this context.
- IA Delivery - do we deliver work together, does one team lead or do we just join up the outcomes and placed reliance on each other’s work? Working together in an integrated way brings the opportunities for shared knowledge, end to end assurance and clearer messages re outcomes but this can be difficult to achieve in practice. The options of splitting scopes/ roles can be more practical but this needs careful consideration of where the boundaries lie, the scope of the work and clear understanding of what we are trying to achieve. The easiest approach on paper is to agree to place reliance on each other’s work, to deliver ‘reviews’ separately and share findings, but this can lead to disjointed assurances which are difficult to explain especially when the timing and format of reports can be vastly different.
- IA Protocols and processes – do we need a formal protocol in place at the start or do we need to work up a ‘proof of concept’ to enable us to design this? For some organisations a formal written protocol setting out the arrangements will be required and for others there will be opportunity to develop this through working together and testing what works best. Amongst others, its important that areas such as information sharing, audit approach, record keeping, quality assurance, reporting, and terminology are all discussed. This will require some flexibility (and often compromise), not in the fundamental areas in terms of professional standards and legislation but more in the culture, local preferences, audit systems and look and feel of reports.
There is no right or wrong answer to these as there are many factors that need to be taken into consideration, but it is important that these are taken into account, shared and understood.
It is important to agree a set of key principles to partnership working, including
- Shared understanding of the organisation working arrangements and where these cross boundaries.
- Regular and timely communication to discuss areas of mutual interest.
- Flexibility needed in terms of approach, timing, reporting styles etc.
- Where systems are operated within an organisation then the local internal audit team should be directly involved.
This supports the building of relationships, trust and understanding which all contributes to effective outcomes for the organisations, teams and individuals.
Strategic and Operational Planning
The approach to strategic and operational planning, can be seen as an extension to the local internal audit planning approach.
- Strategic risk assessment of the statutory body(s) by the relevant team
- Identifying areas of ‘mutual’ interest through sharing and joint discussions
- Agreeing the best approach to the provision of assurance (this can vary assignment by assignment)
- Third party assurance
- Integrated Team
- Joint Working or
- Establishing the logistics of delivery, including resources, timing, reporting etc.
What does this look like in practice?
As organisations collaborate at scale and operate at a system level, Internal Audit plays a pivotal role in the understanding of system risks, including how they impact on each organisation and how they will be managed. It is important that the risk assessment is a continuous process throughout the year and the plans will remain flexible to allow for response to emerging challenges, including the delivery of integrated assurance across organisational boundaries.
Case study - Group risk and assurance:
Flexibility and dynamism can been seen through our work with one of our clients as they brought together a Group structure in 2017 involving 2 statutory bodies (five local hospitals, specialist and acute services, community services and a Local Care Organisation). Within the Group each Care Organisation (COs) is not only responsible for providing healthcare services to local communities but also playing a much broader role in each locality and supporting the establishment of new integrated models of care.
Through the lens of Group Audit Committee the key challenges in a Group model were:
- Asserting consistent focus upon assurance and risk
- Understanding what responsibilities sit where
- Deploying resources differently and collecting intelligence in new ways.
Therefore the formation of Group required transforming how assurance is provided across boundaries to support integration as well as meeting the requirements of the Group and the two statutory bodies that it currently comprises.
MIAA as the internal audit service provider for both statutory bodies has supported and been a Trusted Advisor on the journey to form a Group model. This has involved developing an innovative approach to the development and delivery of assurance to adapt as the organisation changes. The aim of this review and redesign of the assurance process was to ensure the approach to internal audit supported the vision of integrated assurance across Group and COs and continued to capture the assurance requirements of the statutory bodies.
We worked flexibly and innovatively to redesign and transform all aspects of the internal audit planning, delivery and reporting to ensure that we were aligned to the new risks.
Case study - Working Across Boundaries: CCG and Local Authority
Recognising the opportunity to provide joint assurances in areas such as the Better Care Fund, MIAA worked with local authority internal audit teams to undertake a joint review. We worked through a number of practical and logistical challenges in terms of ensuring delivery of work to joint methodologies and reporting arrangements.
This was an innovative approach, the outcome of which was a greater benefit to both organisations in providing a more holistic opinion of the Better Care Fund arrangements by working across organisational boundaries.
Louise Cobain is the Assurance Director at MIAA
Karan Wheatcroft is the Operations Director at MIAA
MIAA is an NHS hosted shared service with a clear mission: To support improved public services outcomes through a world class shared service for audit, assurance, challenge and solutions.