Corporate governance report

The corporate governance report provides an explanation of how the organisation is governed, how this supports our objectives and how we make sure that there is a sound system of internal control allowing us to deliver our purpose and role.

Governance statement

The Care Quality Commission (CQC) is an executive non-departmental public body established by legislation to protect and promote the health, safety and welfare of people who use health and social care services and as the regulator of all health and adult social care services in England.

Our statutory functions are set out principally in the Health and Social Care Act 2008 (“the 2008 Act”), together with the Health and Social Care Act 2012 and the Care Act 2014. There is additional relevant primary and secondary legislation.

The powers and constitution of CQC’s Board are derived from Schedule 1 to the 2008 Act, and regulations made under it in 2012 and again in May 2014, that make provision for Board membership.

As an Arms-Length Body, we aim to have a good working relationship with our Sponsor Department, the Department of Health and Social Care (DHSC), where our responsibilities and accountabilities are clear and delivered through appropriate governance arrangements in line with the principles of the UK Corporate Governance Code. We have a Framework Document with DHSC which sets out our purpose, governance and accountability, management and financial responsibilities and reporting procedures.

CQC’s governance framework and structures

Our corporate governance framework describes the governance arrangements of the organisation and how they help make sure that our leadership, direction and control enables long-term success. This document can be found in the About us section.

Figure 15: CQC's governance structure

The diagram shows the line of accountability (in descending order):

  • from Parliament to the Department of Health and Social Care
  • from the Department of Health and Social Care to the CQC Board
  • from the CQC Board to the executive team
  • from the Executive Team to CQC directorates

Below that are listed CQC directorates Adult Social Care, Hospitals, Primary Medical Services and Integrated Care, Regulatory Corporate and Customer Operations, Intelligence and Digital, and Engagement, Policy and Strategy.

There is an arrow drawn from CQC Board to:

  • statutory committees of CQC: the External Strategic Advisory Group and Healthwatch England
  • non-statutory committees of the CQC Board: Audit and Risk Assurance Committee, Regulatory Governance Committee and Remuneration Committee

There is an arrow from the executive team to a list of committees of the executive team:

  • National Health, Safety and Well-being Committee
  • Safeguarding Committee
  • Investment Committee
  • People Committee
  • Strategic Change Committee
  • Research, Development and Evaluation Committee
  • Delivery Coordination Committee

CQC’s Board

Purpose and leadership

The Board has key roles that are set out in legislation and in our framework agreement with the Department of Health and Social Care (DHSC). These are reflected in our corporate governance framework and other related governance documents. There have been no significant departures from the processes set out in these documents during the year.

The Board carries out a range of business in line with its main responsibilities, which are to:

  • provide strategic leadership to CQC and approve the organisation’s strategic direction
  • set and address the culture, values and behaviours of the organisation
  • assess how CQC is performing against its stated objectives and public commitments.

In response to the findings of the Board Evaluation carried out in October 2021, the Board decided on 18 May 2022 to reduce the number of times it meets in a year, with Board Strategy Days held twice a year. The Board met 8 times over the course of the financial year – though some of these meetings took place virtually where rail industrial action meant that face-to-face meetings were not possible. The Board meets both in public and private session throughout the year and the public sessions, both online and in-person, have been recorded and are available to view on our website following each meeting. Our public sessions were live streamed as well as being recorded.

In relation to performance, at each meeting, the Board:

  • receives information setting out our current performance, including the latest risk register and financial position
  • reviews details of activity to address where performance is under business plan targets

The Board also provides strategic oversight of the transformation programme and has worked with senior leadership to shape its scope and on benefits realisation. The Board also receives regular reports on issues such as information and cyber security risk. Further information on data security is included on page 64. Papers and data which are received by the Board to support decision making are generally of a good standard, but we continue to keep this under review.

The Board is committed to following the same standards of governance as those it expects of providers when assessing whether they are well-led. It has done this by providing oversight and challenge on key issues. Through the scrutiny of the Audit and Risk Assurance Committee, the Regulatory Governance Committee and in Board meetings, the Board seeks assurance that there are systems, processes and accountabilities for identifying and managing risks and to enable CQC’s continued regulatory oversight across health and social care.

The Board reviews our corporate risk register on a quarterly basis, and our Executive Team have a risk discussion monthly. Further scrutiny of risk controls and mitigating actions is undertaken as part of the risk discussion at Audit and Risk Assurance Committee. In 2021/22 the Board commenced a review of our approach to categorising and recording risk which had led to changes in the format and information held on the risk register so that it now shows clear risk appetites for each risk category. All development was done in line with Government’s ‘The Orange Book – Management of Risk’.

Board composition

Our unitary Board is made up of our Chair (Ian Dilks) and up to 14 Board members, the majority of whom must be non-Executive members. The composition of the Board as at 31 March 2023 was the Chair, 3 further non-Executive members, 2 Associate Non-Executive members, our Chief Executive (who is also the Accounting Officer), our 2 Chief Inspectors, and our Chief Operating Officer (who acts in a dual capacity as Chief Inspector of Adult Social Care).

There were a number of changes to our Board membership over the financial year:

  • Mark Saxton retired from his role as Non-Executive Director and Senior Independent Director on 28 February 2023 and was replaced as Senior Independent Director by Mark Chambers.
  • Robert Francis KC also retired from his role as Non-Executive Director on 15 November 2022.
  • Sally Cheshire resigned as Non-Executive Director on 31 December 2022.
  • Rosie Benneyworth, our Chief Inspector of Primary Medical Services and Integrated Care, and Kirsty Shaw, our Chief Operating Officer, resigned on 31 July 2022 and 12 August 2022 respectively.
  • Dr Sean O’Kelly’s remit as Chief Inspector of Hospitals was expanded to include Primary Medical Services from 1 August 2022.
  • Kate Terroni took up the dual role of Chief Operating Officer and Chief Inspector of Adult Social Care on 1 August 2022 on an interim basis.
  • Jora Gill’s term as a Non-Executive Director ended on 31 October 2022 and he was appointed an Associate Non-Executive Director from 1 November 2022.

Subsequent to the year end:

  • Jora Gill’s term as an Associate Non-Executive Director ended on 31 May 2023.
  • Dr. Ali Hasan became a Non-Executive Director from 1 June 2023, having been an Associate Non-Executive Director up to that date.
  • Christine Asbury, Dr Mark Chakravarty and Professor David Croisdale-Appleby were all appointed as Non-Executive Directors on 1 June 2023. Professor David Croisdale-Appleby is also Chair of Healthwatch England.
  • James Bullion, Chief Inspector of Adult Social Care and Integrated Care, Mark Sutton, Chief Digital and Data Officer, and Tyson Hepple, Executive Director of Operations, were all appointed as Executive Board members on 28 November 2023.
  • Charmion Pears was appointed Non-Executive Director and Chair of the Audit and Risk Assurance Committee on 1 February 2024.
  • Ian Trenholm stood down as CQC’s Chief Executive and Executive Board member from 28 June 2024 with Kate Terroni appointed as Interim Chief Executive.

As an executive non-departmental public body, CQC’s Non-Executive Board appointments are made by ministers within our sponsor department, the Department of Health and Social Care. The department oversees the Care Quality Commission in its delivery of effective corporate governance.

Biographies of all our Board members and their declarations of interest are in the About us section.

Board committees

Audit, risk and assurance committee

This committee met four times for the year to consider matters relating to financial reporting, risk management and internal controls, whistleblowing, internal audit and external audit. Committee meetings were attended by committee members and independent members as well as the National Audit Office (NAO), the CQC’s internal auditors and a representative from the Department of Health and Social Care (DHSC).

The committee’s main business included risk tolerance, risk management and management assurance; emerging risks in our regulatory governance approach; emerging risks in relation to the transformation programme; internal and external audit reports and action plans; and counter fraud.

Remuneration committee

This committee met five times for the year to consider matters in relation to Executive remuneration, pay and reward policy, succession planning and senior talent management.

Its main business during the year included management of change, redundancy payments, voluntary exit scheme, creation of new Executive roles, the recruitment of the Chief Inspector of Hospitals, and Executive Team contractual changes.

Regulatory governance committee

The committee met twice for the year to consider matters relating to our regulatory approach and effectiveness. Its main business included reviewing planned changes to the regulatory model and reviewing policies and processes across registration, monitoring, inspecting, rating, enforcement and Independent Voice.

Figure 16: Board and committee membership and attendance to 31 March 2023

| Name | Role | Position | Term of appointment | Board attendance¹ | ACGC/ARAC attendance | RGC attendance | Rem Com attendance | ACGC Sub-Com attendance |
|---|---|---|---|---|---|---|---|---|
| Ian Dilks OBE | Non-Executive | Chair and Chair of RemCom | 1 April 2022 - 31 March 2025 | 8/8 | Not a member | Not a member | 5/5 | Not a member |
| Ian Trenholm | Executive Director | Chief Executive | 30 July 2018 | 8/8 | Not a member | Not a member | Not a member | Not a member |
| Dr. Sean O'Kelly | Executive Director | Chief Inspector of Health Care | 20 June 2022 | 5/6 | Not a member | Not a member | Not a member | Not a member |
| Dr. Rosie Benneyworth | Executive Director | Chief Inspector of Primary Medical Services and Integrated Care | 4 March 2019 - 31 July 2022 | 4/4 | Not a member | Not a member | Not a member | Not a member |
| Belinda Black | Non-Executive Director | | 1 May 2021 - 30 April 2024 | 8/8 | Not a member | 2/2 | 5/5 | Not a member |
| Sally Cheshire CBE | Non-Executive Director | Chair of ARAC and ACGC sub com | 4 January 2021 - 31 December 2022 | 6/7 | 3/3 | 1/1 | 4/4 | 2/2 |
| Mark Chambers | Non-Executive Director | Chair of RGC | 4 January 2021 - 3 January 2024 | 8/8 | 4/4 | 2/2 | 5/5 | |
| Sir Robert Francis QC | Non-Executive Director | Chair of Healthwatch England from 2018 | 1 July 2014 - November 2022 | 3/4 | Not a member | Not a member | 1/3 | |
| Jora Gill² | Associate Non-Executive Director⁴ | | 1 November 2016 - 31 May 2023 | 7/8 | 4/4 | Not a member | 4/5 | 2/2 |
| Dr. Ali Hasan³ | Non-Executive Director | | 4 January 2021 - 3 May 2026 | 8/8 | 4/4 | Not a member | 5/5 | 2/2 |
| Stephen Marston | Non-Executive Director | | 4 January 2021 - 3 January 2024 | 8/8 | Not a member | 2/2 | 3/5 | |
| Mark Saxton | Non-Executive Director | | 1 March 2018 - 28 February 2023 | 8/8 | 2/3 | Not a member | 4/5 | 2/2 |
| Kirsty Shaw | Executive Director | Chief Operating Officer | 1 October 2018 - August 2022 | 4/4 | Not a member | Not a member | Not a member | Not a member |
| Kate Terroni | Executive Director | Interim Deputy Chief Executive | 1 May 2019 | 7/8 | Not a member | Not a member | Not a member | Not a member |
| Jeremy Boss | Independent member of ACGC/ARAC | Chair of ARAC⁵ | 1 January 2020 - 31 December 2023 | Not a member | 3/4 | Not a member | Not a member | Not a member |
| David Corner | Independent member of ARAC/ACGC | | 1 January 2020 - 31 December 2024 | Not a member | 4/4 | Not a member | Not a member | Not a member |

Notes:

1 The first figure shows the number of meetings attended and the second figure shows the number of meetings it was possible to attend. For example, there were 8 Board meetings that Ian Trenholm could have attended, and he was able to attend all 8 (represented as 8/8). We have indicated where a person is not a member of that committee, although Non-Executive Directors do also attend those committees of which they are not formally members.

2 Jora Gill was a Non-Executive Director from 1 November 2016 to 31 October 2022 and an Associate Non-Executive Director from 1 November to 31 May 2023.

3 Dr Ali Hasan was an Associate Non-Executive Director from 4 January 2021 to 31 May 2023 and then a Non-Executive Director from 1 June 2023.

4 The role of Associate Non-Executive Director is an appointment to the Board similar to a Non-Executive Director. Although an Associate Non-Executive Director attends Board meetings and contributes fully to the issues being considered, they are not able to vote on any matters, should this be required.

5 Jeremy Boss is the Chair of the ARAC on an interim basis until recruitment is completed and an appointment made by DHSC.

Key:

ACGC/ARAC = Currently Audit and Risk Assurance Committee, previously Audit and Corporate Governance Committee
RGC = Regulatory Governance Committee
RemCom = Remuneration Committee
ACGC sub-com = ACGC sub-committee on transformation, this committee was dis-established on 8 June 2022

Performance evaluation

An internal Board Effectiveness Review was conducted by our Board Secretariat in March 2023. There were no new significant issues arising, although some of the actions agreed in response to the external review conducted in October 2021 remain in progress.

Risk management

Our framework

Our corporate risk framework covers the identification and management of risks to the delivery of our purpose, strategy and business plan. We use the 3 lines of defence model in managing, monitoring and independently assuring risk. Our risk framework and guidance supporting it defines risk responsibilities in the organisation as follows:

The diagram shows:

1st line of defence

All staff:

  • can recognise, assess and manage risks in their business area
  • identify cross-CQC risks
  • know how to escalate risks outside their control

All managers:

  • should support a positive risk culture in their teams by:
      • discussing risks with their people
      • ensuring people understand risk principles, and how to escalate risks
  • take responsibility for risks escalated to them – and feedback to staff who raise them
  • understand which risks they are managing, where the risks are recorded and how they are monitored

Directors:

  • identify and manage their directorate risks through risk registers.
  • regularly monitor risk actions and escalate risks appropriately.
  • understand their responsibilities in managing risks in the corporate risk register.

2nd line of defence

Senior leadership:

  • ET* monitors the highest-level risks, escalating these to DHSC where appropriate
    (*Advised by a senior managers risk group known as the SLT30 risk group)

3rd line of defence

Audit:

  • review risk framework and provide independent challenge and assurance

Governance

The Board; The Audit and Corporate Governance Committee; The Regulatory Governance Committee

We see the effective management of risks to the delivery of our purpose (corporate risk) as critical to our assurance and governance. During 2022/23 we began a transformation of our risk management approach. The CQC Board agreed 6 new risk categories for corporate risks. The Board agreed an overall category level risk appetite for each one.

The Executive team and the Board held a number of horizon-scanning discussions before agreeing 25 Strategic level risks within the risk categories (set out in the ‘Risks we managed in 2022/23’ section below), with further discussions refining these risks and determining a risk level appetite and tolerance for each one.

Our strategic and high-level corporate risk register is regularly reviewed and monitored, with risk discussions occurring at various levels across CQC from the Board level to Directorate levels, to ensure appropriate escalation and mitigation of risks at all times. DHSC reviews the risk register as part of a quarterly budget and assurance meeting and at a quarterly accountability meeting, where CQC’s finance position and performance delivery are also discussed.

However, we recognise that we need to make further significant progress in developing our approach to risk management in CQC in the coming year. To support this, discussions are advanced on introducing a software package to support our risk management, and on the resourcing and skills requirements for roles across CQC that support the risk management process.

Risks we managed in 2022/23

Strategy risks

  • Our strategy does not match the current needs of the sector.
  • We do not have effective governance and risk management frameworks in place.
  • We do not deliver our organisation transformation effectively.
  • We do not obtain enough feedback from people to ensure that user voice is central to our regulatory activity.
  • We are unable to obtain the right data from external stakeholders to accurately assess the risk in services we regulate.
  • We do not have enough quality data to be an intelligence-based regulator that shares information with others so they can act. 
  • We are unable to drive improvement and therefore do not add value to the health and social care sector.

Operational risks

  • Our operational workforce is not as productive as it should be.
  • We do not make an accurate and timely assessment on the quality of care for people using services.
  • Our operational workforce does not comply with policies and procedures.
  • Our operational processes and controls are not flexible enough to respond to changing demands and priorities.
  • There is the risk that business continuity and IT disaster recovery arrangements do not meet business needs.
  • If risk within the sector significantly increases, there is a risk that we do not have operational resources to respond in a timely manner.

Reputational risks

  • We do not have a productive relationship with key stakeholders.
  • The current legislation is inappropriate to cope with innovations.

People risks

  • We cannot attract and retain our workforce.
  • Our colleagues don’t have the appropriate skills (including clinical skills).
  • Our colleagues are insufficiently engaged in our culture change and ways of working.
  • We have not delegated roles and responsibilities appropriately, clearly and/or effectively.

Security risks

  • Interruption to our technology systems due to ransomware or other malign attacks.
  • Unauthorised access to our systems and misuse of information we hold.

Financial risks

  • The fees we charge are considered to be excessive by those we regulate. 
  • We do not get appropriate funding to deliver our commitments.
  • We do not have appropriate departmental controls and financial oversight.

Our most significant focus over the year has been in the following areas:

  • We have had challenges in recruiting specialist technology, intelligence and legal roles, which has been a risk that we have had to take additional action to mitigate. Our people survey and other sources have identified risks in relation to engaging our colleagues in our culture change and ways of working.
  • Although we are completing our technology and business change, there is a risk that our legacy systems do not meet the business need.
  • We have set an ambitious organisational transformation and we need to closely monitor the risk to delivery of both the transformation programme and the aspirations of our strategy, such as driving improvement in the sector.
  • As we change our regulatory methodology and technology, there is a risk of the impact on our operational colleagues, specifically on their productivity and ability to deliver their regulatory activity.

In all these areas we continue to monitor the risks and work to build assurance and effective mitigation.

Management assurance

CQC has a management assurance framework that has been designed to seek assurance from all parts of the organisation that internal controls are working effectively. Regular assessments against standards within the framework inform our risk control assurance process and help to identify where our risks are increasing or where there are new risks.

There are 6 management assurance areas:

  1. Performance planning and risk
  2. Financial management systems and controls
  3. People management and development
  4. Information and evidence management
  5. Continuous improvement
  6. Governance and decision-making.

We carried out assessments against standards in the framework in January 2023. The assessment process showed that 43% of standards are met in full; 39% partly met; and 18% not met. Because we reviewed and updated the standards during 2022, a direct comparison with the previous year is not possible.

Directorates did less well on:

  • our 95% targets for required learning completion by colleagues
  • having structures in place for taking forward quality improvement activity
  • the responses from their people to staff survey questions about being clear about how their work contributes to achieving the objectives of the organisation, and being informed about the changes happening as part of our transformation programme.

Directorates have action plans in place to enable them to make improvements as a result of the assessments, and further assessment will gauge the progress that has been achieved.

We will continue to review the management assurance process against our developing approach to quality management and risk control monitoring, to ensure these processes correspond.

Other areas of assurance

Freedom to Speak Up

During 2023, CQC’s Board approved a new Freedom to Speak up policy, which was prepared following the guidance from NHS England and National Guardian Office. It is part of a wider cultural drive to build confidence and encourage colleagues to speak up well. The policy follows national best practice in relation to speaking up arrangements for organisations. It is intentionally short and is written to be inclusive for all workers at CQC including those who are contractors or specialist advisors.

The policy makes it clear that line managers have a responsibility for nurturing a positive speaking up culture in their teams and that they are pivotal in supporting colleagues. They are also usually the people who offer the easiest and simplest way of resolving matters. The new policy is an important first step and further work is needed to build a vibrant speak up culture.

In March 2023, we published 2 reports designed to improve how we listen to, learn from and act on concerns raised within the sector. These reports followed the outcome of an employment tribunal in October 2022 where the findings were highly critical of the Care Quality Commission. We since commissioned and published a barrister-led independent review to determine whether we had taken appropriate regulatory action where health and care staff had shared information with us.

We also undertook and published a second listening, learning, responding to concerns review to explore wider issues related to our culture and processes.

This second report acknowledged there had been a lack of proactive support for the CQC Guardian. The 2 Guardian posts that were vacant in 2022/23 were not replaced and administrative support had been withdrawn. The remaining Guardian has continued to support people within the limitations of the available resource. However, we have recognised the need to invest in the Freedom to Speak Up Guardian role and in line with the recommendations of the Listening Learning and Responding to concerns review, we are reviewing the number required to cover the whole organisation and giving protected time to enable the role to be carried out in full.

The National Guardian’s Office has an improvement tool that organisations are encouraged to use to assess their Freedom to Speak up arrangements and identify areas for improvement. The Board has agreed to complete this tool, which will support us to make recommendations for further improvements to our arrangements.

Security

Information and cyber security are important areas of focus at CQC. As in previous years, there has been ongoing improvement work throughout 2022/23 as we strive to improve our resiliency to an evolving cyber threat landscape.

This includes observed changes to prime threats, threat actors and attack vectors affecting organisational security risk posture, mitigation measures and focuses. The Russia-Ukraine conflict reshaped the threat landscape during the reporting period, with increased attacks on Global Cloud Infrastructure also reflected across CQC Azure environments, pivoting our cyber operations focus. Malware, social engineering, and insider threats (by way of inadvertent data breaches) continue to be our main vectors, although we continue to be vigilant of the threat that supply chain subversion, zero day/critical vulnerabilities and ransomware pose to CQC and are equally taking steps to mitigate these risks.

Numbers of security incidents have grown steadily over the 2022/23 financial year due to the evolving cyber threat landscape, a maturing security monitoring capability and positive results from security awareness campaigns focused on collective responsibility and championing staff to report suspected or confirmed information security incidents. In total, the Security team has resolved 1,553 incidents of varying nature, including malware infections, social engineering (including phishing), data breaches, account compromises, and network intrusions, with 20 of these being significant incidents requiring a specific response and recovery effort. Examples include attempted intrusions, multiple-device malware infections and targeted multi-user phishing campaigns.

Data breach incidents were consistently low throughout the year with 115 reported in total. One data breach was reported to the Information Commissioner's Office (ICO) in line with NHS England DSPT guidelines. Hardware losses remain low with 20 lost devices, and 430 low commodity phishing attacks were conducted against CQC.

We continue to liaise with the Department of Health and Social Care, NHS England & Improvement, NHS Digital and the Information Commissioner’s Office on matters of information security and privacy. 

There continues to be a low number of cases being reported and investigated in relation to fraud, bribery and corruption. We have received 6 allegations against members of CQC staff. All these allegations have been fully investigated and 4 have been closed as there was no evidence to substantiate them. There does appear to be evidence to suggest that there may be other reasons for concern in 2 of the cases and these are both currently still active.

Conclusion

The work we have done in the year with the Board and Executive team in reviewing our risks, and setting appetite and tolerance levels for risks, has enabled us to start to improve the quality of our risk management, with more to do. We need to make further progress to develop our assurance relating to risk management, and to mature the organisation’s approach more widely at the directorate and team levels in the coming year. The introduction of dedicated software for risk and the strengthening of our central risk team will be central to this.

Our management assurance assessment process remains an important method for gaining assurance and facilitating improvement in key areas of management responsibility. While we made useful improvements to the process aided by Internal Audit, who reported on the process at the start of the year, we need to ensure this works in a complementary way with our developing approach to risk assurance and quality assurance. Our directorates need to ensure that we act on identified areas for improvement against the standards.

Head of Internal Audit opinion

Reasonable or moderate assurance. Governance, risk management and control in relation to business-critical areas is generally satisfactory. However, there are some areas of weakness and/or non-compliance in the framework of governance, risk management and control, which potentially put the achievement of objectives at risk. Some improvements are needed in those areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control.

Basis of opinion

Our opinion is based on:

  • all audits undertaken during the year
  • any follow-up action taken in respect of audits from previous periods
  • any significant recommendations not accepted by management and the resulting risks
  • the effects of any significant changes in the organisation’s objectives or systems
  • any limitations that may have been placed on the scope or resources of internal audit
  • the proportion of the organisation’s audit needs that have been covered to date.

Purpose of the annual opinion

The Public Sector Internal Audit Standards require the Head of Internal Audit to provide an annual opinion, based on and limited to the work performed, on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control (the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with management, and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations. The opinion does not imply that Internal Audit has reviewed all risks relating to the organisation.

We are satisfied that sufficient internal audit work has been undertaken to allow an opinion to be given about the adequacy and effectiveness of governance, risk management and control. In giving this opinion, it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the system of internal control.

Compliance with the code of ethics and internal audit standards

We have a firm-wide internal audit methodology that is aligned to the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This is designed to standardise the approach to conducting internal audit engagements. All our work is documented in our dedicated internal audit software, which sets out the procedures needed to achieve compliance with the standards. The inbuilt workflow functionality ensures that work is adequately documented and reviewed before results are shared. This is further supported by relevant training, supervision and review of the work performed by those with adequate experience and skill in the relevant areas. We also review a random selection of engagements to ensure they comply with the firm’s requirements and have appropriately followed the internal audit methodology.

We can confirm that our work has been performed in accordance with this methodology.

Scope of the report

This report outlines the internal audit work we have carried out for the year ended 31 March 2023.

We would like to take this opportunity to thank CQC’s staff for their co-operation and assistance provided during the year.

Governance, risk management and internal control

Our programme included a focus on strategy and key transformation programmes in addition to governance, risk management and other elements of internal control.

As at August 2023, we have completed the fieldwork and issued reports for 15 internal audit reviews. From this, we have identified the following risk findings:

  • 2 high risk
  • 20 medium risk
  • 6 low risk
  • 10 advisory rated

We will use these to improve weaknesses in the design of controls and/or operating effectiveness. No critical risk findings were reported.

Transformation reviews - regulatory platform

A high-risk report was issued during the year in relation to the regulatory platform programme. Shortly after this high-risk report was submitted, CQC completed its own gap analysis on the programme to determine what happened previously, alongside reviewing the audit recommendations to ensure they apply the right mitigations to prevent this from happening again.

We have performed 2 further follow-up reviews, specifically in relation to the regulatory platform programme. A further review into the regulatory programme (Deep Dive - Planning and Governance) was completed during May/June 2023 and has been classified as a Medium risk report. This review comprised a deep dive into CQC’s governance and planning approach for the regulatory transformation ‘new’ programme following the reset.

Regulatory programme

Reporting produced in the Programme Board packs for senior programme stakeholders was not aligned to the Programme Business Case to contextualise the long-term delivery and spend profile of the programme. Within the reporting for the current year, project managers took a mixed approach in reporting the percentage of completed figures relevant to their project line. There was no reporting to provide an understanding of the progress of Service Design in mapping DevOps items, and no DevOps delivery plan reporting that would provide an overview of current delivery metrics.

IR35

We tested a sample of 20 contractors falling under the scope of IR35. This identified a lack of awareness of the existing process, as we highlighted 4 instances where the hiring managers did not follow the process. This meant we were unable to inspect evidence of approval being granted in some cases. Furthermore, the 'Off Payroll Workers IR35 Internal Process' requires staff to “save email and determinations on workers’ P files that have been set up for audit purposes”. For 13 out of 20, we could not locate any evidence of the second determination being provided to the worker, and 5 out of 20 did not have evidence of appropriate approval response stored in the P file.

Accounting Officer’s conclusion

Our regulatory and organisational transformation has continued this year following the launch of our strategy in May 2021 for the changing world of health and social care. Our internal auditor’s work has therefore focused on reviews to support the effective delivery of the regulatory programme. We have found many areas of good practice, and have worked to implement the agreed actions from the recommendations made to support successful delivery.

The Head of Internal Audit has provided an annual opinion providing reasonable / moderate assurance that there are adequate and effective systems of governance, risk management and control. We note that improvements are suggested in some areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control and these will be implemented. 

I agree with their conclusion.

CQC has complied with HM Treasury's Corporate Governance in Central Government Departments: Code of Good Practice to the extent that they apply to a non-departmental public body.

I conclude that CQC's governance and assurance processes have supported me in discharging my role as Accounting Officer. I am not aware of any significant internal control problems in 2022 to 2023. Work will continue to maintain and strengthen the assurance and overall internal control environment in CQC.

Statement of Accounting Officer’s responsibilities

Under the Health and Social Care Act 2008, the Secretary of State for Health and Social Care has directed CQC to prepare for each financial year a statement of accounts in the form and on the basis set out in the Accounts Direction. The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of CQC and of its income and expenditure, Statement of Financial Position and cash flows for the financial year. This annual report and accounts was prepared on time during 2022/23. The lateness of publication is due to delays in the audit of local authorities and their pension schemes, which is beyond our control and also affects other organisations. I have reviewed the information contained in the report and accounts, which has been updated to ensure it remains accurate for the reporting period and relevant.

In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual (FReM) and in particular to:

  • observe the Accounts Direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
  • make judgements and estimates on a reasonable basis
  • state whether applicable accounting standards as set out in the FReM have been followed, and disclose and explain any material departures in the financial statements
  • prepare the financial statements on a going concern basis
  • confirm that the Annual Report and Accounts as a whole is fair, balanced and understandable and take personal responsibility for the Annual Report and Accounts and the judgements required for determining that it is fair, balanced and understandable.

The Secretary of State for Health and Social Care has appointed the Chief Executive as the Accounting Officer of CQC. The responsibilities of an Accounting Officer, including responsibility for the propriety and regularity of public finances for which the Accounting Officer is answerable, for keeping proper records and for safeguarding CQC’s assets, are set out in Managing Public Money, published by HM Treasury.

As Accounting Officer, I have taken all the steps that I ought to have taken to make myself aware of any relevant audit information and to establish that CQC’s auditors are aware of that information. So far as I am aware, there is no relevant audit information of which the auditors are unaware.