Minutes of the Governance and Audit Committee (GAC) which took place on Tuesday, 9 June 2017 at 11:00am in the Boardroom, BSO, 2 Franklin Street, Belfast.
Present:
Mr Jeremy Stewart (Chair)
Mr Mark Campbell
Mr Robin McClelland
Prof Dorothy Whittington
In Attendance:
Mrs Wendy Thompson (Director of Finance)
Mr Simon McGrattan (Assistant Director of Finance)
Mrs Catherine McKeown (Head of Internal Audit)
Mr Martin Pitt (PwC)
Mr Richard Ross (NIAO)
Mrs Janine Watterson (Committee Secretary)
Private Meeting
A private meeting between Auditors and GAC Non-Executive Directors took place at the commencement of the meeting without BSO Officers present.
- Apologies
There were no apologies for absence.
- Conflicts of Interest Declaration
There were no conflicts of interest declared.
- Minutes of Governance and Audit Committee held on 11 April 2017 – GAC 32/2017
The minutes of the meeting held on 11 April 2017 were approved subject to a minor amendment.
The Secretary agreed to make the necessary change and arrange for presentation of the minute to the BSO Board.
- Action Points arising out of Minutes of 11 April 2017 – GAC 33/2017
The GAC noted the following actions taken:
(a) Feedback on the 2016/17 Payroll Shared Services (March 2017) Internal Audit Report
i. Payroll Project
The Director of Finance updated the GAC on the initial planning stages of the payroll project which was being established to address payroll system and other issues including those raised in the 2016/17 Payroll Shared Services (March 2017) internal audit report. She advised the GAC that she was the Senior Responsible Officer for the project and would be working, in conjunction with the Acting Head of Shared Services, to progress three separate work streams which had been identified for action. She continued, advising that the first work stream would review system performance and monitor the remediation plan including any issues in relation to the annual pay award uplift. The second work stream would be the commissioning of a fundamental review of the payroll structure with outcomes subject to independent review. The third work stream would consider the quality of payroll information available and how this could be improved within the current funding/staffing infrastructure. She advised that a detailed project plan had been drawn up and would be progressed by the relevant work streams who would report back to the BSO Board, the BSO senior management team and a newly formed payroll customer assurance board.
The Director of Finance also informed the GAC that additional resources from the HSC were being made available to progress the quality workstream. She also advised the GAC that the payroll customer assurance board would meet monthly to receive progress on payroll services with the first meeting taking place on 29 June. The customer assurance board would be co-chaired by the BSO Director of Finance and the Director of Finance of the South Eastern HSC Trust.
In response to a question from Mr McClelland, the Director of Finance advised that BSO ITS would lead the work stream in relation to system performance and, in addition, provide input into the payroll quality work stream, if system changes are required. She highlighted that currently BSO ITS meet with the system provider regularly to monitor performance.
The GAC noted that, as primarily internal resources were being used to supplement the project, any additional costs should be minimal and managed within the current shared services budget.
The Chair thanked the Director of Finance for her progress report.
ii. Direct Award Contract Register – Analysis of Information
The Director of Finance confirmed that she had spoken with PaLs staff to arrange for further analysis of the information presented in the Direct Award Contract (DAC) Register and that she anticipated that this would be presented at the October 2017 GAC meeting.
The GAC noted the position.
5. Chair’s Business
The Chair advised the GAC that he had recently attended training for Non-Executive Directors and also in relation to Whistleblowing. He advised that this training had proved informative and of value particularly in his role as Whistleblowing Champion of the BSO.
(b) Draft GAC Annual Report to the BSO Board as at 31 March 2017 - GAC 34/2017
The Chair presented the draft GAC Annual Report for the year ended 31 March 2017. In particular, he highlighted changes in GAC membership throughout the year which had resulted in gaps in expertise during the latter part of the 2016/17 year. He thanked those Non-Executive Directors (NEDs) who served on the GAC during this difficult period.
The Chair then referred to paragraph 5 of the draft Report which related to the number of GAC meetings required under its Terms of Reference and proposed that, given GAC concerns regarding limited/unacceptable assurances issued by internal audit, a further meeting(s) is arranged to monitor progress of recommendations within these reports. The GAC concurred with this course of action and the Secretary agreed to make the necessary arrangements for a meeting to take place in August 2017.
The Chair then drew attention to paragraph 18 of the draft Report which summarised the GAC’s opinion in respect of the year ended 31 March 2017. The GAC agreed with the opinions documented in the draft Report, i.e. that GAC had discharged its oversight responsibilities in accordance with its Terms of Reference and best practice, that the assurances available were sufficient to support the BSO Board and the Accounting Officer and that a sound system of internal control was in place.
Professor Whittington referred to Appendix 1 of the draft report which provided a record of attendance at GAC meetings throughout the 2016/17 financial year and highlighted the need for amendment for clarification purposes. Mr McClelland also requested that the table was amended to clarify that the Director of Human Resource and Corporate Services was in attendance at the April 2016 meeting in the capacity of Acting Chief Executive. The Secretary agreed to revise the table to better reflect the position.
The GAC approved the draft GAC Annual Report to the BSO Board for the year ended 31 March 2017, subject to the revisions agreed at Appendix 1. Following these revisions, the draft report would be finalised and presented to the Board on 13 June 2017.
6. Internal Audit
(a) Progress Report
The Head of Internal Audit advised the GAC that, to date, satisfactory progress had been made against the BSO 2017/18 Internal Audit Plan.
(b) HSCNI Cyber Security Self-Assessment Consultancy Assignment Report – GAC 43/2017
The Head of Internal Audit presented the HSCNI Cyber Security Self-Assessment Consultancy Assignment Report which summarised the findings of a Self-Assessment questionnaire on HSCNI Cyber Security which had been completed by six HSC organisations. She explained that this report was not designed to give assurance but rather to develop internal audit’s understanding of cyber security in the HSC and also to assist in stimulating discussion and reporting around cyber security risk and assurance at audit committees. Further, she advised that internal audit were currently working with participants of the self-assessment to assist in building an IT needs assessment, all of which would inform an ITS security audit to be undertaken in the 2018/19 year.
The GAC noted the report presented and, in particular, that the recommendations made in the report would now be taken forward individually and collectively by the Director of Planning/Performance Group on which BSO is represented.
In response to a question from the Chair, the Head of Internal Audit advised the GAC that currently there is one temporary IT Audit Manager post within internal audit; however, this was due to be advertised as a permanent post in the near future. The GAC welcomed this course of action.
The Chair then referred to a recent large scale NHS cyber-attack which caused major disruption and enquired of the Director of Finance what steps were being taken by BSO to prevent a similar attack in the HSC. The Director of Finance referred to recent BSO Board discussions which highlighted IT controls in place within BSO. She also highlighted proposed plans to strengthen IT security which had been forwarded to the DoH for approval.
Mr McClelland highlighted that he was in receipt of an article which set out pertinent questions for large IT dependent organisations which, he said, may prove useful for BSO to consider when reviewing the robustness of HSC IT systems. Mr McClelland agreed to forward this article to the Director of Customer of Care and Performance who is the Director responsible for IT within BSO.
The GAC, in noting the report, were pleased that BSO IT managed systems had withstood recent cyber-attacks and that further work was being considered to mitigate against a future attack.
7. 2016/17 Annual Report and Accounts
(a) Executive Summary to 2016/17 Financial Statements – GAC 35/2017
(b) Draft Annual Report and Accounts and Letter of Representation - GAC 36/2017
The Director of Finance presented the Draft BSO Annual Report and Accounts for the year ended 31 March 2017 along with her Executive Summary highlighting that all key targets had been achieved including financial breakeven. She also highlighted that a concerted effort had been made this year to reduce the volume of the Annual Report and Accounts to improve its readability. The Director of Finance then drew the GAC’s attention to the Governance Statement and highlighted that three new paragraphs had been inserted in relation to Leases, Financial Challenges and Recruitment and Selection.
Mr Campbell referred to the paragraph on leases and enquired why DoH approval had not been granted prior to the extension of a lease during the 2015/16 financial year. The Director of Finance advised that SMT had kept DoH fully apprised of the BSO’s intention to extend the lease in question; however, formal approval had not been sought. She clarified that this issue did not occur in the 2016/17 year; however, following NIAO criticism, DoH had tightened controls around the leasing of properties and, furthermore, requested that HSC bodies highlight any leasing agreements which had not followed due process in Governance Statements.
Professor Whittington referred to page 67 of the draft Annual Report and Accounts, regarding the intern scheme and requested that further information is provided to clarify the number of interns appointed compared to available places. Mr Campbell also referred to page 25 and advised that the commencement date of non-executive directors should be reviewed for accuracy.
Mr Campbell thanked the Director of Finance for her presentation and commented that it was pleasing to note a breakeven and surplus position given present financial challenges.
The GAC reviewed the 2016/17 Annual Report and Accounts and Letter of Representation and agreed that, subject to minor revision, these documents could be presented to the BSO Board for approval.
8. External Audit
(a) NIAO Draft 2016/17 BSO Report to those Charged with Governance - GAC
Mr Pitt presented the draft 2016/17 NIAO Report to Those Charged with Governance in respect of BSO and, in doing so, thanked the Director of Finance and her Team for their cooperation during the audit process. He also advised the GAC that while the 2016/17 Annual Report and Accounts had now been reviewed by audit, BSO should not publish this document until formally agreed with NIAO.
Mr Pitt reported that, aside from completion procedures, the audit was complete and that he anticipated that NIAO would be recommending that C&AG issue an unqualified opinion, without modification. However, he highlighted that while the outcome of the audit had concluded that reliance could be placed on the satisfactory operation of IT systems underpinning the financial statements, PwC were unable to provide assurance over manual controls in relation to Payroll, Travel and Subsistence and Recruitment, although other controls were operating satisfactorily. Mr Pitt stated that the outcome of the audit highlighted that the resilience of the payroll system continues to be of concern together with a lack of controls in this area. Mr Pitt highlighted that the BSO Report to those Charged with Governance did not include shared services audit findings and indicated that these were documented separately in the BSO Third Party Assurance Report which was being presented under paper GAC 38/2017.
Mr Campbell sought clarification as to the wording under paragraph 1.4 (page 4) of the Report to those Charged with Governance in relation to presumed risk of fraud and recognition. Mr Pitt advised that this is mandatory wording under the International Audit Standards and also explained that the risk of fraud in BSO is low considering income is received ‘in service’. He also explained that in relation to this element of the audit PwC focussed on revenue money.
Mr McClelland commented that it was reassuring to receive an unqualified opinion given GAC concerns in relation to payroll systems.
The GAC noted the NIAO draft BSO Report to those Charged with Governance and also that this would now be presented to the BSO Board.
(b) NIAO Report on BSO Third Party Audit Assurance: Year Ended 31 March 2017 – GAC 38/2017
Mr Pitt presented the NIAO report on BSO Third Party Assurance: Year ended 31 March 2017. He advised that the purpose of this report was to provide controls assurance to external auditors of other HSC bodies, to whom BSO provide services, by highlighting key controls in relation to IT and also manual controls and report any exceptions. He advised that overall the report was satisfactory with the exception of Payroll and Recruitment which he said was a disappointing outcome four years post implementation of HRPTS and emphasised that payroll needed to be a key focus for BSO going forward. He also highlighted other issues identified for improvement which had been accepted by BSO management and acted upon.
The Chair thanked Mr Pitt for his report and reiterated earlier discussions that GAC would hold an additional meeting or meetings to monitor recommendations issued in relation to payroll and other reports which had received limited assurances.
Mr Ross alerted the GAC that it was very likely that the NIAO would conduct a review of the HRPTS system and report the findings in the NIAO General Health Report which was due to be published in November 2017. He stated that this would not be a full study.
The GAC noted the NIAO Report on BSO Third Party Assurance for the Year ended 31 March 2017 and also that this would now be presented to the BSO Board.
9. 2016/17 Annual Accounts for Client Organisations – Update
The Director of Finance advised the GAC that the production of 2016/17 Annual Accounts for Customers was progressing satisfactorily and in line with timetable. It was expected that clean audit reports would be issued.
The GAC noted the position.
10. Business Matters – Director of Finance to report
(a) Risk Management Strategy and Procedure for the Management of Risk Registers – GAC 39/2017
The Director of Finance presented the Risk Management Strategy and Procedure for the Management of Risk Registers. She advised that this document reflected the out workings of the BSO Board Risk Management Workshop held in March 2017.
Professor Whittington referred to a common risk which passes between BSO and its customers if either party fails to carry out its role and proposed that this should also be included in the Strategy document. The GAC concurred with this view and the Director of Finance agreed that she would arrange for this to be included at page 10 under Shared Risks in the final document.
The GAC approved the Risk Management Strategy and Procedure for the Management of Risk Registers subject to the agreed revision.
(b) Corporate Risk and Assurance Report – GAC 40/2017
The Director of Finance presented the Corporate Risk and Assurance Report highlighting any changes between March 2017 and May 2017.
Mr Campbell referred to the Corporate Risk Register and enquired as to how these risks percolate through the Organisation. The Director of Finance responded advising that staff would be aware of corporate risks, pertinent to their area of work, as the risk process is initiated at local level escalating to corporate level if appropriate.
The GAC noted the Corporate Risk and Assurance Report.
(c) Revised Gifts and Hospitality Policy – GAC 41/2017
The GAC reviewed the Gifts and Hospitality Policy on behalf of the BSO Board and agreed that it could now be presented to the Board for approval subject to a change in wording to clarify that the Director of Finance should be ‘consulted on matters which sit outside the policy’ rather than ‘as appropriate’.
The Secretary agreed to make the necessary changes prior to presentation to the BSO Board.
(d) Progress on Audit Recommendations as at 31 May 2017 - GAC 42/2017
The GAC noted the Progress report on audit recommendations as at 31 May 2017.
11. Notified Any Other Business
There were no matters raised.
12. Date of Next Meeting
The date of the next meeting was agreed for Thursday, 17 August 2017.
