Audit committee key to system working and preparing for unforeseen events

As the service looks to meet these challenges – including greater system working, the ongoing financial pressures and the need to be prepared for unforeseen events such as a major cyber-attack – clarity will be a key requirement. Audit teams and good governance are fundamental to delivering that clarity.

‘Governance principles hold good - governance models change, but the same governance principles apply.’  This was the clear opening message from Paul Dillon-Robinson, former director of internal audit and risk at the House of Commons.

Governance is largely about decision-making and the key is to have the discussion about why, not just how. Internal audit can make a big impact by speaking the truth to power, taking on the big issues and applying judgement. Mr Dillon-Robinson – a former chairman of the HFMA’s Governance and Audit Committee – acknowledged that being an effective audit committee may not always be a comfortable role. 

However, it has a key part to play in establishing a full understanding of the wider picture and providing independent assurance. It should ensure there is more than a tick-box approach to governance and have a proactive involvement in audit, being clear on what assurance it wants internal audit to provide.

Both Mr Dillon-Robinson and Paul Moore, director of governance and quality improvement at Sherwood Forest Hospitals NHS Foundation Trust, agreed that the risk register and process can assume more importance than managing the risk in some cases. The focus should be on the response to the risk first, rather than debating the score. 

They pointed to a danger that some risks are overcontrolled or that appropriate risks are not being taken to maximise value. Organisations should be clear on their risk appetite and a risk appetite statement can be a helpful employer/employee engagement device. 

May’s WannaCry ransomware attack hit more than 200,000 computers across the world. While the NHS was not the target of the attack, the NHS did face disruption. Robert White, director at the National Audit Office, described how the NHS was affected, the lessons learned and the role of the audit committee in cyber security. 

The NAO has recently published Cyber security and information risk guidance for audit committees. Audit committee members will need to know which questions to ask, seek independent assurance and ensure they know how to respond when faced with these challenges – asking information technology teams to explain this is a really helpful step. It is not if, but when, for the next cyber-attack. The next one is likely to be more sophisticated and, should the NHS be ill-prepared, more disruptive.

The governance of sustainability and transformation partnerships (STPs) was a key area of concern for many attendees – particularly the lack of non-executive and lay member involvement and the conflict between organisational accountability and commitment to the STP. 

Sam Simpson, director of finance at Cheshire and Merseyside STP and Tim Crowley, managing director of Mersey Internal Audit Agency, talked about how the audit committee can play a championing role in ensuring a clear understanding of the STP and where decisions are made. 

In October, the HFMA Governance and Audit Committee published a tool to support and help audit committees explore the key elements of STP governance. 

With a move to a system approach based on relationships, trust and a shared vision, there were positive examples of change – clear open book accounting; top slicing of individual audit plans to allocate days to system plans; and discussions about formal STP audit committees or informal non-executive lay member meetings. 

Throughout the day, there was a clear focus on the important role of the audit committee – to ensure clarity, use internal audit and robustly challenge – providing a clear line of sight for organisational and system wide changes.

• Member organisations of the Chair, Non-executive and Lay Member faculty can download conference slides and videos at hfma.to/audit1