MINUTEs OF THE NHS fife audit AND RISK committee HELD AT 9.45 AM ON THURSDAY 15 MAY 2014 IN the BOARD ROOM, HAYFIELD CLINIC, VICTORIA HOSPITAL, KIRKCALDY
Present:
Ms A Rooney (Chairperson) / Mr A Robertson, Non-Executive DirectorIn Attendance:
Mr D Archibald, Regional Audit Manager
Mrs C Bowring, Director of Finance
Mr B Crosbie, Audit Scotland
Mrs C Potter, Assistant Director of Finance, Management Accounting
Dr B Montgomery, Medical Director (attending on behalf John Wilson)
Ms G Woolman, Audit Scotland
Mr G O’Neil, Audit Scotland
Mrs F McLeary (Minutes)
/ ACTION /16/14 / APOLOGIES FOR ABSENCE
There were no apologies for absence.
17/14 / DECLARATION OF MEMBERS’ INTERESTS
Mr Robertson declared an interest as Chair of Kirkcaldy and Levenmouth CHP, Chair of Dunfermline and West Fife CHP and Chair of Acute Services.
18/14 / MINUTES OF THE PREVIOUS MEETING HELD ON 2 APRIL 2014
· The Minutes of the meeting of the 2 April 2013 were approved as true record subject to the following amendments.
· 06/14(b) – Child Protection – first paragraph, second last sentence should read … measurement of “LOCAL” target that NHS Fife …….. and not “HEAT”.
· 07/14(d) – Fife Health Board Patients Private Funds Audit Planning Memorandum - third last sentence change “integration” to “consolidation”.
· 07/014(d) – last sentence to be changed to read “Mr Crosbie confirmed that discussions are to be held with the Endowment Fund Auditors to agree a timetable.
· 10/14 – Follow up Monitoring Report - last sentence – “next” to be changed to “future”.
19/14 / ACTION LIST
Risk Management
Mrs Bowring said NHS Fife will be working with NHS Tayside over the next few months. NHS Tayside have had an external consultancy company working with them around Risk Management and all the necessary training. It would be possible for colleagues at NHS Tayside to come to a NHS Fife development session to share the information that they have.
Ms Rooney said that she would prefer to have the Board Development Session in Private.
Dr Montgomery said it would be useful to receive the help, support and advice that NHS Tayside can provide the Board with, but agreed that the Development Sessions should be held in Protective Time.
20/14 / MATTERS ARISING
There were no matters arising
21/14 / INTERNAL AUDIT
(a) / Progress Report
Mr Archibald stated that a total of twelve reports have been issued since the last meeting of the Audit and Risk Committee, the audit plan for 2013/14 is virtually complete with only two assignments still ongoing.
A brief update was given on the deferred audit plan B14/14 – Joint Planning and Accountability. Since the last Audit and Risk Committee, a revised assignment has now been shared with Susan Manion and Fife Council’s Internal Audit service.
The deferral of B14/14 Joint Planning and Accountability leaves one audit plan assignment outstanding, B18/14 – Workforce Planning and Information. Internal Audit are waiting on formal agreement from the Director of Acute Services and Director of HR. The completion of this review will complete the internal audit plan for 2013/14.
Ms Rooney asked if Dr Montgomery and Mrs Bowring could chase this matter up.
Mr Robertson and Ms Rooney praised Mr Archibald and the Internal Audit Team for doing an outstanding job this year, being in a really good position at the year end, providing quality reports and keeping within budget. Ms Rooney asked Mr Archibald to thank his team on behalf of the Audit & Risk Committee. / BM/CB
The Audit & Risk Committee noted the progress against the Internal Audit Plan for 2013/14.
(b) / Summary of Internal Audit Reports
Mr Archibald drew the Committee’s attention to three of the reports B11/14 - Risk Management, B23/14 – Purchase/Sale/Disposal of Fixed Assets and B34/14 - Data Management, Security and Business Continuity.
B11/14 – Risk Management
Work has been on-going to finalise the new Risk Management Framework. An Internal Audit review compared the most up-to-date version to ensure there are no gaps in the new framework. A number of recommendations were made and detailed in separate correspondence to management.
The review commended work undertaken to put a Board Assurance Framework (BAF) in place and acknowledge that it is still work in progress.
NHS Fife’s self-assessment was also reviewed. It highlighted areas where requirements were not being fully met. It was recommended a more detailed risk management work plan be developed to provide the Audit and Risk Committee with assurance that arrangements are adequate and effective.
Ms Rooney asked if SMT had this on their workplan, as this was not an easy piece of work to deliver. Dr Montgomery said that Risk was a standing item on the SMT agenda.
Mr Archibald said all areas need to link into corporate vision/objectives focusing on risks that are stopping objectives being met.
Mr Robertson stated that the Chairman is currently looking at the structure of Standing Committees of the Board that report into NHS Fife Board to identify areas where there are gaps, and identifying where decision-making happens to ensure that the right reports go to the right Committees.
Mrs Bowring confirmed that the internal audit reports from the Audit and Risk Committee go to the Information Governance Group but is unaware how they are disseminated further.
Ms Woolman reminded the Committee to remember that there are Minutes taken at each meeting, there are follow up-mechanisms already in place and the minutes goes to each NHS Board meeting.
Ms Rooney asked Mrs Bowring to add an appendix to the annual assurance statement listing all the reports that have come to the Audit and Risk Committee.
B23/14 – Purchase/Sale/Disposal of Fixed Assets
In relation to CEL 35 (2010) – Property and Asset Management in NHS Scotland, a review was undertaken which confirmed that items and dataset fields had been correctly added for all purchases relating to equipment at Victoria and Queen Margaret Hospitals with the exception of one entry. The testing of purchases outwith these two locations revealed that there were required fields not being populated for some of the items tested. There are currently no regular cross checks in place to confirm consistencies between the Apollo system and the RAM Asset Management System. The ‘C’ grade given is for not having compliance in all areas.
Ms Rooney asked how portable equipment would be recorded when NHS Fife starts working jointly with Fife Council. She also asked about equipment in Dental Access Centres and GP surgeries. Mrs Bowring advised that the portable equipment would be recorded through the joint equipment store system already in place. She also advised that dental access equipment belonged to NHS Fife but the equipment in GP surgeries was owned by those surgeries.
B34/14 – Data Management, Security and Business Continuity
Since NHS Greater Glasgow and Clyde (GG&C) suffered an unavailability event in October 2013, the Head of e-Health prepared an executive briefing paper following the incident. The e-Health Department are currently reviewing their technical disaster recovery arrangements. The Scottish Government and NHS GG&C commissioned an independent review. NHS Fife does not currently comply in full with all the aspects of five of the eight recommendations made by the report. Assessments will be undertaken to see how long departments can go without the system and how quickly they can be back up and running, and make sure there are alternative/paper processes in place. These measures already exist as disaster recovery plans but are largely untested.
Mrs Bowring stated that this had been the third itemised checklist/review undertaken and each department has a contingency plan in place.
Mr Archibald confirmed that four departments had been visited to determine the status of their contingency arrangements for coping in a situation like NHS GG&C. The visit identified that three out of the four departments had contingency plans documented. The fourth department, Out Patients, has plans still being developed.
Ms Rooney stated that the overall report findings were classified as 3s, thereby giving NHS Fife some reassurance.
B16/14 – Infection Control
Ms Rooney drew attention to the second last paragraph and noted that Scott McLean, Director of Nursing, was revising the NHS Fife Communications and Public Involvement Strategy.
B19/14 – Efficiency Savings
Ms Rooney stated that this was a really good report.
B30/14 – Records Management
No particular issues were raised on this report.
B40b,c,d,e,f/14 Departmental Review
Ms Rooney asked whether the outcomes of departmental reviews are showing a trend of continuous improvement, and whether departments are seeing outcomes from previous reviews.
Mr Archibald said he had seen patches of improvement although mandatory training attendance remained poor throughout each review. He stated that Scott McLean and the 3 Associate Directors of Nursing had sent a letter out to all Mangers reminding them of the importance of training.
Dr Montgomery said the mandatory training is a big issue. Staff need to comply with the training but staff away from the frontline proves challenging. / CB
The Committee noted the audit activity as summarised.
EXTERNAL AUDIT
22/14 / (a) / Best Value Toolkit – Public Performance Reporting
Mr Crosbie introduced his report to the Committee, stating that the report focused on the best value work on Public Performance Reporting (PPR). The report summarises the audit findings from the review.
Page eight shows the overall findings of the assessment. It was evaluated that NHS Fife Board overall demonstrated basic practice standards. (i.e. standards that are sufficient to allow the organisation to demonstrate sound performance).
Page nine - Culture and Practices – Performance Management Strategy and Framework - the framework is scheduled for review in 2014 and that work is ongoing. External Auditors have not seen anything in relation to it as yet.
Page ten – Statutory requirement and Guidance – Patient Focus Public Involvement (PFPI)– a specific action identified in the PFPI Committee work plan for 2013-15 is to ensure that ‘Clients, citizens and other stakeholder members are involved in developing indicators and targets and monitoring and managing performance’. Although the Committee has considered some of the aspects of the Board performance, there is no evidence of the clients, citizens or other stakeholders being involved in developing targets and performance indicators. In March 2014, PFPI agreed to be more proactive about issues arising throughout the year and revise guidance.
Page eleven – Provision of good quality information and effective public accountability - The framework identifies the Board Executive Performance Report (BEPR) as the main mechanism for monitoring performance throughout the year. Good information is available within the BEPR, however there is limited information in terms of effective performance reporting through clear sign-posting on the website to performance information. External Audit have considered doing a review of “NHS Fife’s Website” next year.
Ms Rooney said that there has been a lot of challenges around the website and many of the documents on the website are out-of-date. Committee members discussed the benefits of more user-friendly websites and agreed that they would be in favour of the review of the Fife website.
The Committee noted the report.
(b) / Report of Governance Arrangements and Internal Controls 2013/14
Ms Woolman introduced her paper to the Committee and stated that the review revealed that NHS Fife has generally sound corporate governance arrangements in place and that key controls within NHS Fife’s key financial systems are operating satisfactorily. Although there was no significant weaknesses in the system, some areas have been identified where there is scope for improvement.
Page six – Audit Finding 1. - Governance – Register of Interests, Hospitality and Gifts – there were a number of audit findings around this; the proposed management responses are shown in the action column and included;
· Corporate Services will issue the appropriate form to all departments which require to hold registers and advise on the information to be included and the process for completion
· Registers will be updated on the website.
· The Board will also review the Code of Corporate Governance to see if any enhancements are required
Page seven – Audit Finding 2 – Governance – Board and Committee Arrangements – from December 2013, elected members of the Board were required to stand down. Consideration was given to the impact of change on the Board’s business.
Ms Rooney questioned on page seven, second paragraph that two of the Board’s committee meetings have been cancelled (and rearranged) since December 2013. She queried the reason for cancellation of one of the Committees.
Page eight – action point three – Information Communication Technology (ICT) – Health Boards will no longer be supporting Windows XP and Internet Explorer. The Head of e-Health has stated a review is to be undertaken.
Page nine – action point four – System of Internal Controls – Payroll - A new software system eESS will be implemented by the end of May 2014 by the HR Directorate.
Page fourteen - Appendix B – shows that some issues have been resolved in some areas.
Ms Rooney referred to action point four and asked about the missing HR files and where they could be.
Dr Montgomery said HR would need to give their perspective on this as it has been raised elsewhere.
Mr Crosbie said that the unsigned contract is the manager’s responsibility and if the employee is not working to the conditions then this could lead to a dispute on contract status.
The Audit Committee noted the report.
(c) / Report – ICT – Access Management
Mr O’Neil introduced his paper to the Committee; he stated that Audit Scotland reviewed NHS Fife’s user identity and access management (UIAM) strategy and considered the procedures and controls in place. Audit Scotland reviewed user identities on the NHS Fife Active Directory. The Active Directory and Oasis system have over 14,000 and 2,600 users respectively.
The Board has an extensive and well-designed information security management framework in place, supported by well-developed polices and procedures. However, there have been areas identified where there is scope for improvement.
Mr Crosbie has met with the new Head of e-Health, Mr William Edwards to discuss the issues and risk identified from the report. These items and issues are reflected in appendix A of the report.