Briefing / Head of internal audit annual opinion

Introduction

The accountable officer of each NHS organisation has the responsibility for maintaining a sound system of internal control and governance that supports the achievement of the organisation’s policies, aims and objectives, while safeguarding quality standards and public funds. Internal audit has a key role in providing assurance over these arrangements, which is reported in the annual head of internal audit (HoIA) opinion. 

Over recent years, the HoIA has needed to consider a number of significant changes, emerging risks and pressures from the Covid-19 pandemic to the structural changes brought about by the Health and Care Act 2022.  

This paper looks at what the HoIA opinion is; why it is important; the requirements for the HoIA opinion; and key considerations. This paper will be of particular interest to internal auditors, finance directors and their teams, non-executive directors and directors of governance.

Head of internal audit (HoIA) opinion

What is the HoIA opinion?

 The HoIA opinion is a requirement of Public sector internal audit standards (PSIAS).HM Treasury and Internal Audit Profession, Public sector internal audit standards - applhying the IIA International Standards to the UK public sector, August 2017The HoIA opinion is ‘the rating, conclusion and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management and/or control processes of the organisation. An overall opinion is the professional judgement of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.’ 

The HoIA opinion must be provided to support the organisation’s annual governance statement (AGS) and inform and comment on the adequacy of the organisation’s assurance framework. This opinion is based on a combination of the assurance work that internal audit carry out during the year (as set out in the annual audit plan) and its assessment of other available evidence and assurances about the organisation's arrangements for internal control and managing risk. Internal auditors use a range of assurance levels when providing opinions. 

The HoIA opinion is usually included within internal audit’s annual report, along with a summary of the work that supports the opinion and a statement on conformance with the PSIAS. It needs to be written at the appropriate time, promptly after the year-end, so as to inform the AGS and be referenced within the AGS. 

Where the organisation produces accounts and a governance statement covering a part year, then the HoIA should issue an opinion covering audit and assurances relevant to the period.

Why is the HoIA opinion important?

The mission of internal audit, as set out in the PSIAS, is ‘to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.’ The HoIA opinion is a key reporting component of internal audit’s role within an organisation’s governance framework. In particular, it informs the AGS - a public document reviewed by the audit committee - providing assurance to executives, audit committees, external auditors, other regulators and the public.  

The purpose of the AGS is to report on the extent to which the organisation has maintained control and managed risks in line with its own risk appetite, approved policies and applicable legislation and codes of governance.

The AGS is the responsibility of management, but it is informed by the HoIA opinion. The AGS is a high level and strategic document that also contains any significant governance issues identified during the year.  As set out in HM Treasury's Managing public moneyHM Treasury, Managing public money - annex 3.1, May 2023, ‘The accounting officer and the board have a number of inputs into this process…(including) insight into the organisation’s performance from internal audit, including an audit opinion on the quality of the systems of governance, management and risk control.’

Each year the relevant regulatory bodyFor NHS trusts, year-end requirements are issued by NHS England as part of their financial accounting and reporting updates; for foundation trusts guidance is included in the FT annual reporting manual; and integrated care boards must follow template and guidance published via the NHS England sharepoint.  issues guidance for NHS bodies to use when preparing their governance statement. The statement must cover a number of areas including: 

• the scope of the NHS body’s accounting (or accountable) officer’s responsibilities
• information about the NHS body’s governance framework (including its committee structure)
• a description of how risk is assessed and managed
• information about how the risk and control framework works
• a review of the effectiveness of risk management and internal control
• any significant control issues and how they are being addressed. 

Examples of factors to consider when determining whether an internal control issue is significant are included within the guidance. 

When receiving the HoIA opinion, it is important for NHS bodies to understand what this means. If the opinion offers a significant level of assurance, then it is a positive message for the organisation and supports the AGS. However, if there is any moderation or limitation, organisation’s need to think about what this means and ensure this is reflected in the AGS.

As well as providing assurance, the HoIA opinion is also an important governance tool in identifying areas for improvement. If the opinion identifies areas for improvement, this will need to be reflected in the organisation’s risks and will likely impact the internal audit plan the following year, to focus on supporting improvements. Organisations will need to ensure plans are in place to address issues identified, working with internal audit and others to make the required improvements to their governance arrangements.

What are the requirements for the HoIA opinion?

The Relevant Internal Audit Standard Setters (RIASS) – including the Department of Health and Social Care (DHSC) for the NHS (excluding foundation trusts) and HM Treasury which covers NHS foundation trusts – have adopted the PSIAS from 1 April 2017, on advice of the UK Public Sector Internal Audit Standards Advisory Board (IASAB). These set out the requirements for the HoIA opinion. Key elements include:

• ‘The risk-based plan must take into account the requirement to produce an annual internal audit opinion and the assurance framework. It must incorporate or be linked to a strategic or high-level statement of how the internal audit service will be delivered and developed in accordance with the internal audit charter and how it links to the organisational objectives and priorities.’ PSIAS 2010. 
• ‘The risk-based plan must explain how internal audit’s resource requirements have been assessed. Where the chief audit executive believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the board.’ PSIAS 2030
• ‘Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.’ PSIAS 2050
• ‘The chief audit executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement. When an overall opinion is issued, it must take into account the strategies, objectives and risks of the organisation and the expectations of senior management, the board and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant and useful information. The communication will include: 
  • the scope including the time period to which the opinion pertains
  • scope limitations  
  • consideration of all related projects including the reliance on other assurance providers
  • a summary of the information that supports the opinion  
  • the risk or control framework or other criteria used as a basis for the overall opinion, and ¬ the overall opinion, judgment or conclusion reached. 
  • the reasons for an unfavourable overall opinion must be stated.’ PSIAS 2450

NHS bodies will need to work with their HoIA to ensure there is sufficient coverage within its internal audit plan to provide assurance on core, mandated and risk-based areas.

The new Global internal audit standards (GIAS)The Institute of Internal Auditors, Global internal audit standards, January 2024 were released in January 2024 and will take effect from January 2025. CIPFA is reviewing the new standards and considering the implications for the new PSIAS and it is likely that new rules will be in place, in line with GIAS, for implementation in 2025. 

Key considerations for the HoIA

Every year it is important for the HoIA to consider whether they have sufficient evidence to complete their opinion in accordance with the PSIASs. 

The Health and Care Act 2022 changed the health and care system architecture, disbanding CCGs and creating 42 ICBs. There is significant variety in the size, complexity and maturity of ICBs. For example: the range of nhs trust and foundation trust partners within each ICB footprint ranges from one in Frimley to 17 in Cheshire and Merseyside; some ICBs have a number of ‘place’ based arrangements; and some ICBs may work closely across ICB boundaries. Providers are also increasing working in provider collaboratives. This context will need to be considered as part of the HoIA, particularly as new arrangements continue to be developed and embedded. 

As system working becomes the new ‘norm’, the HoIA will need to take into account the following:

• the ongoing development of collaborative work
• development of system governance and risk management arrangements
• change in focus from delivery of individual statutory organisational goals to having more of a system focus
• the move towards the provision of system assurance.

In informing the work required for the HoIA, challenges and changing priorities will need to be discussed with organisations on an ongoing basis. Engagement with organisations and the audit committee often includes regular briefings and updates to support assurance requirements. Particularly in the context of rapid change, audit plans should be revisited and refreshed on an ongoing basis to ensure that they are focused on the key risks to achieving the level of assurance required. 

Conclusion

The HoIA opinion is an integral piece of an organisation’s governance framework, providing assurance to inform the AGS, and identifying improvement opportunities. It is informed by internal audit work throughout the year, as set out in the risk-based audit plan. Sufficient coverage across core, mandated and risk-based areas is required to enable the HoIA to issue an opinion. 

Regular reporting and monitoring should take place to ensure that the achievement of the plan is on track. To ensure no year-end surprises, any changes or issues - impacting on the delivery of planned internal audit work and on the organisation’s wider governance and control framework during the year - need to be discussed as they arise.