Statement on Internal Control

Scope of responsibility

A s Accounting Officer I have responsibility for maintaining a sound system of internal control that supports the achievement of the Board's policies, aims and objectives; whilst safeguarding the public funds and Agency's assets for which I am personally responsible, in accordance with the responsibilities assigned to me in Government Accounting .

The relationship between the Health Protection Agency and its sponsoring department, the Department of Health, is specified in the Management Statement. The Agency's business plan, objectives and associated risks are discussed at the annual accountability meeting with the Minister for Public Health and at the quarterly review meetings with officials from the Department of Health and from the devolved administrations as appropriate.

Accountability within the Health Protection Agency is exercised through:

 

• The Board and the Audit Committee. The Agency's Board has established an Audit Committee, under the Chairmanship of a non-executive Board member, to support their corporate governance role and me in my responsibility for risk, controls and associated assurance

• An Executive Group comprising all Centre and Divisional Directors and with myself as the Accounting Officer. Executive Directors are personally accountable for the management of the risks within their Centres and Divisions

 

The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable level, rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable, and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of the Board's policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. The system of internal control has been in place in the Agency for the year ended 31 March 2006 and up to the date of approval of the annual report and accounts, and accords with HM Treasury guidance.

 

Capacity to handle risk

The Agency aims to minimise adverse outcomes such as harm, loss or damage to the organisation, its people or property through adequate supervision and training, appropriate delegation, continuous review of processes and the environment, and the sharing of lessons learned and best practice. This is achieved, primarily, through the Adverse Incident Reporting system, available to employees through the Agency's intranet, and managed by the Corporate Affairs Division.

The Agency's risk management policy and approach set out responsibilities at all levels including senior-level leadership for the risk management process. In addition, risk management is included as part of all Centre Directors', Divisional Directors' and other senior staff members' performance criteria. Risk management is being included in job descriptions and person specifications, and is part of the staff appraisal process.

Executive directors and management staff have attended risk management workshops to equip them in assessing risks, and to demonstrate methods of promoting risk management. A programme of risk management training for managers is in place, and guidance is provided to staff through the Agency's intranet.

 

The risk and control framework

A Strategic Risk Register is maintained by the Executive Group and reviewed periodically by the Board. A bottom-up approach is also in place where risks are reported via risk registers, verbally during staff and management meetings, or through written reports. These mechanisms help ensure that the appropriate filtering and delegation of risk management is in place. The risks identified at a centre level are updated quarterly and are fed into the strategic risk register where appropriate.

Assessment of the adequacy of controls is a vital part of our systematic approach that attempts to limit risk to an acceptable residual level, rather than obviate the risk altogether. Staff are encouraged to balance cost with control to help ensure that value for money is achieved.

It is a requirement that all centre and division business plans, and major business cases include a risk assessment.

An adverse incident reporting policy and procedure have been implemented to provide a formal mechanism for reporting and learning from incidents across the Agency. As part of this, a real-time electronic incident reporting and investigation system is being implemented. The Agency has a formal complaints procedure which is published on the Health Protection Agency website.

A Risk Management Group has been established to develop the Agency's approach to risk management, and identify and respond to crosscutting operational risks.

A Clinical and Health Protection Governance Group has been established to ensure that robust clinical and health protection governance systems operate throughout the Agency.

The risk appetite of a complex organisation is difficult to assess. A broad framework based on a risk matrix is used to help staff assess risks relating to their specific area of work.

An assurance framework is being developed, along with a mechanism to monitor progress against the Department of Health's Standards for Better Health , through the Healthcare Commission's Health Check assessment process.

The Agency's work involves a large number of stakeholders, with work carried out through partnerships and contractual agreements. An initial review of these relationships was completed by the Executive Group during 2005, and key risks are being identified and discussed with partners to establish a common understanding and to clarify responsibilities.

The Emergency Response Liaison Group ensures that the Agency can respond to emergencies. Accountability lies with Centre Directors, and through Regional Directors to local teams. The Health Protection Agency has been involved in, and has undertaken, a number of exercises to improve our preparedness and there is a rolling programme of exercises. Work with partners and other stakeholders to meet the requirements of the Civil Contingencies Act has been carried out at regional and local levels by emergency planners and resilience groups.

 

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and executive managers who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letter and other reports. I have been advised on the implications of my review of the effectiveness of the internal control system by the Board and the Audit Committee and a plan to address weaknesses and ensure continuous improvement of the system is in place.

The Agency's Board receives regular reports from the Chairman of the Audit Committee concerning risk, control and governance, and associated assurance. The Audit Committee is fully committed to ensuring that corrective action is taken in a timely manner where necessary.

The Integrated Governance Group (IGG), reviews governance activities within the Agency and identifies the actions necessary for improvement. The appropriateness, effectiveness and progress of the risk management strategy, policy and approach are monitored by the IGG, with the aid of an agreed rolling work plan. The IGG reports and makes recommendations to the Audit committee. Liaison and joint attendance between the IGG, the Audit Committee and the Health and Safety Strategy Group helps to ensure that a consistent approach is taken.

Internal Audit provides an independent, objective assurance and consulting service designed to add value and improve the Agency's operations. Its work is based on an agreed audit plan, which is carried out in accordance with Government Internal Audit Standards. This helps ensure that the work undertaken by Internal Audit provides a reasonable indication of the controls in operation across the whole of the Agency. Findings from work carried out during the year are presented to me and the Audit Committee. In addition, the Head of Internal Audit provides me with copies of all final reports and an annual written statement setting out a formal opinion on the adequacy, reliability and effectiveness of the systems and controls in place across the Agency.

 

Control issues during the year

At 1 April 2005 the Agency implemented a new finance and resource management system, operated by a newly established in-house financial accounting function, designed to replace the various accounting systems of its predecessor bodies operated by a combination of out-sourced and inherited staff, in order to provide better accounting and financial information to the Agency. The system is undergoing a phased implementation which extends into 2006/07.

As would be expected in any normal implementation of a fundamental system of this type, allied to the establishment of a totally new function to operate it, some of the standard controls that would be expected to operate in an ongoing finance system were not fully operated for a period of time following the implementation date whilst systems, procedures and new staff were becoming fully operational. However, compensating checks and controls were put in place and all essential key controls were reinstated fully in the course of the year. No significant errors or omissions in the accounting records have been identified as a result of the temporary control arrangements.

 

 

 

Professor Pat Troop

(Chief Executive)

30 June 2006