Feature / Inner strength

09 April 2008



Internal audit is an under-used resource but it is a vital link in providing independent assurance to boards about what they are signing up to, argues Paul Dillon-Robinson

Boards need to take their self-certification more seriously and challenge themselves more about the robustness of the information they receive for monitoring, forecasting and decision-making. At the same time, internal audit could, and should, be doing more for NHS foundation trusts.

This is the clear message coming out of foundation trust regulator Monitor and was underlined by Monitor’s regulatory operations director, Edward Lavelle, when he attended the HFMA’s Corporate Governance and Audit Committee recently.

It is not a new mantra. Monitor chairman Bill Moyes has been increasingly making the same point to authorised and aspirant foundation trust boards, stressing that such an approach is both expected and represents best practice. It has become more official with the publication of Monitor’s briefing, Effective governance in NHS foundation trusts, in February.

Recognising accountabilities
For many, the words ‘governance’ and ‘accountability’ (let alone ‘assurance’ and ‘audit’) bring on a strange glazed look. But it is clear that sustainable performance can only be built on foundations of good governance, and that many foundation trusts have yet to fully appreciate the new accountabilities they have. These accountabilities are built on their:

• Legal structure through the terms of authorisation and constitution
• Stakeholder engagement with governors and members
• Contractual duties with commissioners through the legally binding contract
• Status as public benefit corporations.

Understanding these accountabilities, as well as the other demands on boards – corporate manslaughter, say, or lessons from Maidstone & Tunbridge Wells – should be driving discussions at board level on how they can gain assurance that they are working to robust information.

Boards need to be clear on what they are publicly signing up to. The current focus of attention is driven by the 11 independent reviews of foundation trusts’ self-certification process, undertaken at Monitor’s instigation. These were undertaken because of general concerns about the lack of correlation at some foundation trusts between self-assessed declarations on planned achievement against standards and targets and the actual outturn.

It is perhaps no coincidence the Audit Commission is looking more closely at inconsistencies between declarations under Standards for better health and the statement on internal control. Is there concern that such declarations are not being taken as seriously as they should be?

Monitor’s compliance framework is based on a risk-based approach, so that regulation remains directed and proportionate. But if the declarations they rely on are found to be unsafe, the level of regulation (and possible intervention) will increase.

The message to boards is clear: whether executive or non-executive members, be sure you know what you are signing up to.

The first line of assurance will always be to rely upon the executive directors and their team. Independent assurance should also be part and parcel of any board reporting process. But the use of internal audit (or other independent assurers) in this role is patchy, limited or unused.

It is worth thinking about where Monitor is coming from. Much of the lead in regulation comes from the financial services sector. Regulation in this sector is conceptually similar, based on certification and monitoring, but has more direct intervention and harsher penalties. The US healthcare system also has a heavily embedded compliance element, albeit driven by the revenue regime.

Regulatory defence
This leads to the concept of ‘regulatory defence’, where boards build up layers of review and control to ensure they meet the regulations they are required to abide by. The advantage of such a secure control environment is that managers can focus on meeting their objectives in this environment, assured they are not risking breaches.

For internal auditors, the impact on their profession of increased regulation in the financial services sector has been significant. It has not only raised the profession’s performance but has led to a greater appreciation of the skills that good internal auditors display, and weeded out poor performers, while rewarding those at the top.

The HFMA is pursuing a strategy under the banner of ‘Raising our game’. It is a theme that could equally be applied to both boards and auditors.

Paul Dillon-Robinson is managing director of South Coast Audit and chairman of the HFMA’s Corporate Governance and Audit Committee

