Department of Health

Guidance on the Audit of Financial Shared Services

Last modified date: 8 February 2007

1. Introduction

This high level guidance is aimed at NHS internal auditors who have responsibility for the audit of the user or provider organisation of a financial shared service. It focuses on helping NHS internal auditors provide their client organisations with advice on the principles they need to apply in establishing effective systems of internal control where they incorporate financial shared services, and on the assurance requirements. It is not the intention for this guidance to provide comprehensive commentary on Service Level Agreements (SLAs), individual financial systems or audit techniques.

2. Background

Shared financial services have been a feature of the NHS for a number of years. Initially these were relatively small scale and covered by Service Level Agreements (SLAs) of variable quality. It should be noted that NHS Trusts, PCTs and SHAs cannot have legally binding contracts with each other to cover these arrangements. More recently the number and complexity of shared services arrangements have grown considerably and a number of high profile issues have arisen.

The nature of these shared arrangements can vary considerably from providing an almost complete service to providing one element.  This makes relationships more bespoke and complex.

3. Summary

The following are key elements for an effective system of control incorporating financial shared services:

Good system design

  • clarity about what is to be provided
  • documented whole system design across user and provider
  • documented whole system risk assessment
  • robust controls at provider and user and across the interface

Sound and regular monitoring

  • monitoring of performance as set out in the SLA by provider and user
  • management and audit reviews by provider and user
  • timely communication between provider and user of issues that may increase the level of risk

Reliable assurances

  • primary reliance on user reviews and audit
  • supplemented by provider assurances 

Accountability

  • user remains accountable for gaining assurances about the integrity of all expenditure / income in their accounts 
  • clear responsibility for each element of the whole system

4. Service Level Agreement

The Service Level Agreement (SLA) is the key document in managing the relationship between the user and provider and should include escalation procedures if either user or provider fails to deliver on their responsibilities.

It should incorporate an overview of the whole system including the controls and the risks to be managed by each party and the information that the provider has to share with the user. It needs to set out the requirements/responsibilities of the user, in particular in maintaining the standing information that the provider utilises.

The SLA should set out details of the assurances the provider will provide to the user and when these will be issued. To be effective it needs to be monitored regularly by both parties.

5. Shared Service User Perspective (the user)

Accountability

The Accountable Officer, the Chief Executive, is statutorily accountable for the financial performance and systems of internal control of the organisation. This accountability cannot be abrogated by way of 'contracting out' part or all of a service.

Assurances

The Accountable Officer requires assurances about the effectiveness of the organisation's financial systems to fulfil statutory responsibilities.

Where part or all of the financial systems are provided by another NHS organisation, the assurances will continue to be derived principally from reviews carried out by the user's management and internal audit reviews of the effectiveness of the controls that ensure the integrity of the financial information.

The user's local assurances should be strengthened by additional assurances given by the provider, but these cannot replace or (normally) be the major component.

Taking a whole system approach across the provider and user allows efficient controls to be designed that complement one another, avoid duplication and allow for the effective management of risks. This approach provides opportunities to maximise the reliance that the user can place on assurances from the provider.

This relies on good and timely communication in both directions between the provider and the user about issues that may impact on the risks. Where a provider is unable to provide robust assurances on time, the user will need to determine what additional measures and checks are needed to compensate in order to achieve the necessary level of assurance.

User responsibilities

Through the SLA, the user will give the provider responsibility for performing some of its processing.  The user remains responsible for ensuring that these processes are performed correctly including the interface with the user's systems.

The user should design its systems to ensure that all and only duly authorised transactions are processed and notify the provider without delay of any issues arising. The user should inform the provider immediately of any changes to standing information or systems.

Internal audit

The user's internal audit function should advise the user on how to gain sufficient assurances and undertake reviews as set out in the approved audit programme.

6. Shared Service Provider Perspective (provider)

Responsibility

The provider is responsible for the service set out in the SLA which should include assurances to the user about the effectiveness of the controls to provide the service that is being supplied and would normally include internal audit assessments. 

Internal audit

The provider's internal audit function should undertake reviews of the systems within the shared service to provide an opinion in support of the assurance statements that management gives to the users in accordance with the SLA. In preparing this opinion, internal audit will need to focus on issues that relate to the accuracy of transactions.

Weaknesses may be identified from the audit testing which could restrict the assurance that could be given. In this case the auditor may wish, with the provider management's authority in accordance with the SLA, to undertake additional transactional testing around the weakness identified to strengthen the assurance.
