Statement of Internal Control

Statement on Internal Control for 2005/06
The Chief Executive signs the Statement on Internal Control (SIC) on behalf of the
Board. The draft SIC for 2005/06 was reviewed by the Audit Committee (7th March
2006) and the Governance Executive (12th April 2006). The SIC will be included with
the Annual Accounts in the Annual Report. Department of Health guidance issued in
2003 (Building the Assurance Framework: A Practical Guide for NHS Boards)
describes the relationship between the SIC and the Assurance Framework:
“The requirement for all NHS Chief Executive Officers to sign a SIC…heightens the
need for Boards to be able to demonstrate that they have been properly informed
about the totality of the risks. To do this they need to be able to provide evidence
that they have systematically identified their objectives and managed the principal
risks to achieving them. The Assurance Framework fulfils this purpose.”
Since the last draft we have amended some of the wording in section 3 following the
discussion at the Governance Executive and inserted the last paragraph on the
significant control issue identified in the final declaration for Standards for Better Health
on failure to achieve standard C21 (the environment in which services are provided).
Damien Gibson
Associate Consultant
ParkHill Audit Agency
Gus Heafield
Director of Finance and Corporate Governance
June 2006
Statement on Internal Control for 2005/06
1. Scope of responsibility
The Board is accountable for internal control. As Accountable Officer, and Chief Executive of the
Board, I have responsibility for maintaining a sound system of internal control that supports the
achievement of the organisation’s policies, aims and objectives. I also have responsibility for
safeguarding the public funds and the organisation’s assets for which I am personally responsible
as set out in the Accountable Officer Memorandum.
I am regularly performance appraised by the Chairman of the South London and Maudsley NHS
Trust Board (The Trust). I also meet regularly with the Chief Executive of the South East
London Strategic Health Authority, whose responsibility for performance management of The Trust
is discharged via a range of regular meetings with Trust staff, data submission and feedback.
The Trust has a range of mechanisms in place to facilitate effective working with key partners.
These include performance management of service level agreements with PCTs, Local Authority
Scrutiny Committees, and Chief Officer meetings with Directors of Social Services. These
processes are mirrored at Service Director/Borough level.
2. The purpose of the system of internal control
The system of internal control is designed to manage risk to a reasonable level rather than to
eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide
reasonable and not absolute assurance of effectiveness. The system of internal control is based
on an ongoing process designed to:
identify and prioritise the risks to the achievement of the organisation’s policies, aims and
evaluate the likelihood of those risks being realised and the impact should they be realised,
and to manage them efficiently, effectively and economically.
The system of internal control has been in place in South London and Maudsley NHS Trust for the
year ended 31 March 2006, and up to the date of the approval of the annual report and accounts.
3. Capacity to handle risk
The Trust’s Risk Management Strategy is endorsed by the Board and reviewed regularly. The
strategy makes it clear that while I have overall responsibility for risk management, responsibility
for specific risk management areas has been delegated to individual Directors as follows. The
Medical Director and the Director of Nursing and Education have delegated responsibility for
clinical risk management and in particular the management of clinical governance and risk
management processes, CNST, medical devices, serious adverse incidents, and complaints. The
Director of Finance and Corporate Governance has responsibility for managing the development
and implementation of systems of financial risk management and corporate governance, including
systems of internal control, Claims Management and Health and Safety. The Director of Human
Resources has delegated responsibility for risk management regarding Human Resources. The
Director of Estates and Facilities has overall responsibility for the buildings, plant and non-medical
devices used by Trust staff, and has particular responsibilities for security, waste management, fire
safety and environmental management. Directors of Clinical Services have responsibility for
operational risk management at Directorate level. Clinical Directors and the other Directorate
Professional Heads have responsibility for the systems of clinical risk management at Directorate
level and lead their implementation. The local responsibilities of the Directorate Clinical Directors
and Professional Heads mirror those established at corporate Trust level.
A range of risk management training is provided to staff to ensure they are equipped to manage
risks appropriate to their authority and duties, and are competent to fulfil their roles. Attendance at
training is followed up as part of the Performance Management Process. There is a range of
policies in place to describe staff roles in relation to the identification and management of risk. All
relevant policies are available on the intranet.
The Trust learns from good practice through a range of mechanisms including benchmarking,
clinical supervision and reflective practice, individual and peer reviews, performance management,
continuing professional development programmes, clinical audit and application of evidence-based
practice and meeting risk management standards. There are formal mechanisms in place to
ensure that external changes to best practice, such as those issued by the National Institute for
Health and Clinical Excellence, are incorporated into Trust policies and procedures.
4. The risk and control framework
The Assurance Framework Policy and the Risk Management Strategy describe the arrangements
for embedding risk management in the activities of the organisation through explicit processes for
identifying, assessing and responding to risks and incidents. The Assurance Framework Policy
ensures the Trust Board receives regular exception reports, that it reviews the entire Assurance
Framework twice a year, and that the Clinical Governance and Risk Management sub-committee
of the Board reviews all AF processes and procedures to ensure their effectiveness. The Clinical
Governance and Risk Management sub-committee is also responsible for the development,
management, and implementation of the Risk Management Strategy. The Audit Committee has,
principally through assessment of relevant internal and external audit work, monitored appropriate
implementation of Assurance Framework and risk management processes.
The Assurance Framework identifies the assurances available to the Board in relation to the
achievement of the Trust’s principal objectives and opportunities, the significant risks to these
objectives and opportunities, and the effectiveness of the operation of key controls.
The Assurance Framework identifies some gaps in control and assurance. The types of gaps in
control described in the Assurance Framework include data quality, capacity, and the effectiveness
of some systems and procedures. The types of gaps in assurance are insufficient objectivity or
unsatisfactory quality.
Use of a risk rating tool developed in accordance with national guidance ensures a consistent
approach is taken to prioritising risks and incidents. The Performance Management Process
ensures that risk registers are maintained by Directorates and at a local level. These registers
inform the high level Corporate Risk Register and the Assurance Framework, and are shared with
other Directorates as appropriate. Key Performance Indicators are central to the Performance
Management Process.
All staff are responsible for managing risks within the scope of their role and responsibilities as
employees of the Trust and as professionals working to professional codes of conduct. The Trust
Board, through the Risk Management Strategy, promotes open and honest reporting of incidents,
risks and hazards. This is supported by a range of policies that staff are required to comply with.
The Risk Management Strategy also includes a statement on responsible risk taking.
There are robust formal mechanisms for engaging with partner organisations, service users and
the wider public. These mechanisms contribute to internal Business Planning and Performance
Management Processes.
5. Review of effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of
internal control. My review is informed in a number of ways. The head of internal audit provides
me with an opinion on the overall arrangements for gaining assurance through the Assurance
Framework and on the controls reviewed as part of the internal audit work. Executive managers
within the organisation who have responsibility for the development and maintenance of the
system of internal control provide me with assurance. The Assurance Framework itself provides
me with evidence that the effectiveness of controls that manage the risks to the organisation
achieving its principal objectives has been reviewed. My review is also informed by assurances
from other sources which include audit and accreditation by external bodies, patient and staff
surveys and the Standards for Better Health self-assessment process.
I have been advised on the implications of the result of my review of the effectiveness of the
system of internal control by the Governance Executive, and the Board Audit Committee and
Clinical Governance & Risk Management Committees. A plan to address weaknesses is in place.
Ratification of the Assurance Framework Policy by the Trust Board in October 2005 formalised the
arrangements for ensuring the Assurance Framework is fit for purpose. The Policy has resulted in
several reviews of the Assurance Framework by the Trust Board, the Governance Executive and
the Clinical Governance and Risk Management Board sub-committee. The Governance Executive
and the Clinical Governance and Risk Management sub-committee have provided the Board with
reports on risk management, clinical governance and performance management throughout the
During 2005/06 a major consultation exercise has been undertaken on the Trust’s Five Year
Strategy. The results have been incorporated in the Trust’s Service Development Strategy /
Integrated Business Plan. The new strategic objectives, and the requirements to meet Standards
for Better Health, are explicitly reflected in the organisation’s principal objectives for 2005/06.
The Audit Committee, Internal Audit and External Audit have each reviewed their own operations,
those of the other two parties and the interaction thereof, and appropriate action plans are being
implemented. The Audit Committee has undertaken a formal review of the requirements of the
revised Audit Committee Handbook to ensure it fulfils its new responsibilities. The Audit
Committee has provided the Board with an independent and objective review of financial and
corporate governance, and internal financial control within the Trust. The Committee has received
assurances from external and internal audit and management. Internal and External Audit have
reviewed and reported on control, governance and risk management processes, based on an audit
plan approved by the Audit Committee. The work included identifying and evaluating controls and
testing their effectiveness, in accordance with NHS Internal Audit Standards. Where scope for
improvement was found, recommendations were made and appropriate action plans agreed with
management. The Audit Committee has a mechanism to track management’s progress
implementing agreed recommendations.
The Trust identified a significant control issue in its Declaration of Compliance with the Standards
for Better Health. The Trust declared it was not compliant with Standard C21 (the environment in
which services are provided) in the Declaration submitted to the Healthcare Commission. A
detailed programme of action for environmental improvements is in place and will be completed by
30th September 2006.
Signed on behalf of the Board on [date to be inserted]
Stuart Bell
Chief Executive