The accountability report consists of four sections:
- Remuneration and people report
- Parliamentary accountability and audit report
- Certificate and report of the Comptroller and Auditor General to the Houses of Parliament
Corporate governance report
The corporate governance report provides an explanation of how the organisation is governed, how this supports our objectives and how we make sure that there is a sound system of internal control allowing us to deliver our purpose and role.
Directors’ report
The Board has a number of roles that are set out in legislation and in our framework agreement with DHSC. These are reflected in CQC’s corporate governance framework and other related governance documents. There have been no significant departures from the processes set out in these documents during the year.
Our unitary Board is made up of our Chair (Peter Wyman) and up to 14 Board members, the majority of whom must be non-executive members. The current composition of the Board, excluding the Chair, is six non-executive members, our Chief Executive (who is also the Accounting Officer), our three Chief Inspectors, and our Chief Operating Officer. One of our non-executive directors (Sir John Oldham) acts as the Senior Independent Director.
Membership of the Board changed during the year; the membership and attendance at meetings is detailed in figure 1.
Terms of appointment for non-executive directors Professor Louis Appleby and Professor Paul Corrigan came to an end on 30 June 2019. DHSC plans to recruit to the non-executive vacancies on the Board during 2020.
In terms of executive membership of the Board, Deborah Westhead, then a Deputy Chief Inspector in the Adult Social Care directorate, was appointed as Interim Chief Inspector of Adult Social Care in January 2019. Kate Terroni was subsequently appointed and took up the permanent role on 1 May 2019.
Mark Sutton took up the role of Chief Digital Officer in April 2019. Mark is a member of the Executive Team and attends Board meetings.
Dr Malte Gerhold stepped down from his role as Executive Director of Strategy and Intelligence on 8 March 2020, and this role was disestablished. The leadership of the Strategy and Intelligence directorate was restructured with a new Engagement, Policy and Strategy directorate being led by Ian Trenholm, Chief Executive, and the Intelligence team forming part of the new Digital and Intelligence directorate led by Mark Sutton, Chief Digital Officer.
Biographies of all our Board members and their declarations of interest are shown on our website: https://www.cqc.org.uk/about-us/meet-our-team/our-board
The Board carries out a range of business in line with its main responsibilities, which are to:
- provide strategic leadership to CQC and approve the organisation’s strategic direction
- set and address the culture, values and behaviours of the organisation
- assess how CQC is performing against its stated objectives and public commitments.
The Board meets both in public and private session throughout the year. Public sessions of the Board are recorded and are available to view on CQC’s website following each meeting. At each of its meetings, the Board receives performance data setting out the current performance and financial position, and details of activity to address where performance is under plan. The Board has the opportunity to scrutinise and discuss the data during these meetings. Overall, papers and data reviewed by the Board are of a high standard and well received, with positive improvements made to regular items such as performance reporting.
The Board has continued its commitment to achieving outstanding levels of governance as CQC would expect of providers when assessing whether they are well-led. It has done this by providing oversight and challenge on key issues, including:
- Ongoing oversight of our financial and business planning including the development of our priorities for 2020/21.
- Comment and advice on the development of CQC’s new strategy.
- Comment and advice on the development and delivery of the programme of work within the Change portfolio. This has encompassed a wide range of activity, including digital development; the Registration Transformation programme; Quality Improvement work; and the communication narrative around Change.
- Consideration and approval of the business case to implement the foundations required for a new Digital Operating Model for CQC.
- In light of scrutiny by the Audit and Corporate Governance Committee (ACGC), agreement to recommend the 2018/19 Annual Report and Accounts to the Chief Executive to sign as the Accounting Officer; and approval of strategic and high-level operational risks, rating and mitigations for 2019/20.
- Deliberation and agreement of proposals to keep our current fees scheme unchanged, and of those contracts over the threshold requiring Board approval.
- Consideration and comment on CQC’s People Plan, results of People Pulse Surveys and on our annual People Survey.
- Deliberation of the themes and priorities of CQC’s first internal strategy addressing equality, diversity and inclusion.
- Advice and comment on key messages for the 2018/19 State of Care report, and on priorities for the Independent Voice programme.
- Following the Panorama programme on Whorlton Hall, scrutiny and comment on CQC action taken in relation to the issues raised, including receipt of two independent reviews (one authored by David Noble QSO and one by Prof Glynis Murphy) and monitoring action in response to the recommendations made.
- Reflection of the work and activity of Healthwatch England and the National Guardian’s Office.
- Scrutiny and oversight of how CQC discharges its Market Oversight responsibility and consideration of specific cases as they arose.
- Consideration and advice on proposed statements setting out CQC’s position on 3 key recommendations in the independent review of the Mental Health Act, and approval of CQC’s annual report (2018/19) monitoring the use of the Mental Health Act (published February 2020).
Both the Audit and Corporate Governance Committee (ACGC) and the Regulatory Governance Committee (RGC) produce an annual report of their activity, which is presented to the public session of the Board in its June meeting each year. It is also made available through CQC’s website with the other public Board papers.
The Board heard updates from each of the equality networks and their priorities and in February 2020 the Board reviewed and endorsed the organisational strategy for diversity and inclusion, ‘Our inclusive future 2020–2023’.
A member of one of CQC’s equality networks continues to be invited to the monthly Board meetings on a rotational basis and to sit on every senior-level recruitment panel to provide support and challenge around diversity and inclusion issues.
The Board received an annual progress update from CQC’s Freedom to Speak Up Guardian in the public Board meeting in October 2019. In addition, in April 2019 Prof Megan Reitz delivered a Board seminar entitled ‘Speaking truth to power’.
A Freedom to Speak Up Guardian has been in place at CQC since 2017. On 1 April 2020 three colleagues were appointed to take over this role and work as a team to continue to raise the profile of speaking up in CQC. The Guardians are supported by a Speak Up Reference Group and colleagues who are Speak Up Ambassadors, a number of whom are also trained as Mental Health First Aiders.
Speak Up Month, which coincides with Black History Month, continues to include a range of activities for Board members and colleagues across the organisation to join, including a joint event with the National Guardian’s Office.
Board and committee membership and attendance
Statement of Accounting Officer’s responsibilities
Under the Health and Social Care Act 2008, the Secretary of State for Health and Social Care has directed the Care Quality Commission (CQC) to prepare for each financial year a statement of accounts in the form and on the basis set out in the Accounts Direction. The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of CQC and of its net resource outturn, application of resources, changes in taxpayers’ equity and cash flows for the financial year.
In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual (FReM) and in particular to:
- observe the Accounts Direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
- make judgements and estimates on a reasonable basis
- state whether applicable accounting standards as set out in the FReM have been followed, and disclose and explain any material departures in the financial statements, and
- prepare the financial statements on a going concern basis.
The Secretary of State for Health and Social Care has appointed the Chief Executive as the Accounting Officer of CQC. My responsibilities as Accounting Officer, including responsibility for the propriety and regularity of public funds and assets vested in CQC, and for keeping proper records, are set out in Managing Public Money published by HM Treasury.
As Accounting Officer, I can confirm that:
- There is no relevant audit information of which CQC’s auditors are unaware.
- I have taken all steps I ought to have taken to make myself aware of any relevant audit information and to establish that CQC’s auditors are aware of that information.
- The annual report and accounts as a whole are fair, balanced and understandable.
- I take personal responsibility for the annual report and accounts and the judgements required for determining that it is fair, balanced and understandable.
Governance statement
CQC’s governance framework and structures
CQC has a corporate governance framework that describes the governance arrangements of the organisation and how they help make sure that our leadership, direction and control enables long-term success.
Management assurance
CQC has a management assurance framework that has been designed to seek assurance from all parts of the organisation that internal controls are working effectively and to identify areas of concern. With standards arranged into eight management assurance areas, the framework helps CQC to answer key performance questions:
It also underpins our journey to mature and improve our regulatory model and how we manage ourselves as set out in the objectives in our business plan. This table illustrates how the key performance questions, management assurance areas and business plan objectives align:
Management assurance areas and business plan objectives:
1. planning
- We develop, consult on and publish CQC’s strategy for 2021+
2. financial management, systems and controls
- We are a financially sound organisation and resource our work effectively
3. performance and risk management
- We deliver an effective and efficient Registration service
- We embed work to improve our consistency of regulation
- We provide timely information that is useful for the public and providers
- We use enforcement when we need to keep people safe
4. whole organisation approach
- We develop our regulation and our organisation through a programme of change and quality improvement
5. people management and development
- We make CQC a great place to work
6. information and evidence management
- We use intelligence to regulate registered services
- We have effective digital services day to day
7. governance and decision making
- We develop our regulation and our organisation through a programme of change and quality improvement
8. continuous improvement
- We embed work to improve our consistency of regulation
Each of our directorates provides a self-assessment (including a rating) against a clear set of expectations of performance in these eight core management disciplines. The assessments are peer reviewed by another directorate, then put through a collective challenge by the Executive Team, before being presented to the Audit and Corporate Governance Committee (ACGC).
Our management assurance processes have been embedded over the last five years and have led to improvements in how we manage ourselves. Over time there has been a demand to update and improve the definitions of our management assurance standards, and to consider better ways of improving consistency and fairness in judgements.
During 2019/20, we held cross-CQC meetings to discuss and review ‘Whole organisation approach’ and ‘Continuous Improvement’. We also introduced some additions to the standards to reflect aspects of our ‘Well-being’ strategy. Our approach of cross-directorate meetings has provided a collective view of required improvements that can then feed back into Directorates’ assessments and ratings.
In 2019/20 we also started a process of looking at future changes to our Management Assurance process to identify how we can make the process more efficient and strengthen the assurance provided with assessments that are evidence-based and consistent.
During 2019/20, Health Group Internal Audit Service reviewed a selection of the directorate assessments, attended inter-Directorate peer reviews and cross-CQC review meetings. Findings were reported to the ACGC. Recommendations included improvements to enhance the adequacy and effectiveness of the framework of governance, risk management and control including making more evidence examples available, streamlining the peer review process and ensuring action plans are mandatory in areas that are deemed as requires improvement.
The main findings from our assessments in 2019/20, together with some of the improvement actions we have underway, are summarised below.
In 2019/20, 14 Directorates carried out assessments, and out of a total of 112 ratings (14 Directorates x 8 assessment areas):
- None (0%) were rated as ‘Outstanding’, 77 (69%) were rated as ‘Good’, and 35 (31%) were ‘Requires Improvement’.
- Financial management, systems, and control; and Governance and decision-making were the areas rated most highly.
- We need to do more work on whole organisation approach; continuous improvement; people management and development; and performance and risk management which were our least highly scored areas.
Of the 14 directorates that carried out assessments in 2019/20, 5 of them were created since the 2018/19 assessments and just 9 directorates existed in the same form in both years. For these directorates the comparisons are as follows. Out of a total of 72 ratings (9 directorates and 8 assessment areas):
- 2019/20: None (0%) were outstanding; 52 (72%) were good and 20 (28%) were requires improvement.
- 2018/19: 2 (3%) were outstanding; 54 (75%) were good and 16 (22%) were requires improvement.
The following sections provide detail under each of the eight areas of management responsibility:
We have increased the opportunities for engagement with our senior leaders in formulating the detailed corporate business plan for 2020/21, whereas in previous years they contributed to Priority and Objective setting. We have also ensured good communications between Strategic Planning and Business planning teams.
In our Change programme activity, we have a portfolio build process that ensures we align delivery priorities to available capacity (money and people). The process was incorporated into our business planning timetable for 2020/21, and on an ongoing basis we review monthly through a Resources Committee to ensure aspects remain aligned. We also conduct quarterly deep dives on the portfolio to determine if any adjustments need to be made to reflect emerging requirements or shifts in capacity.
We have a resource strategy in place to obtain the resources we need for delivery and we actively monitor this on a weekly basis. We need to undertake some work to optimise the process to improve the expediency and quality of resources coming through from our contingent labour facility.
Budget Management, Investment Decisions and Financial Control
Directorates continue to monitor their budgets closely with appropriate action taken to address variance and mitigate financial risk. In addition to a monthly financial review, the Executive team carried out a deep-dive into the financial position at the mid-point in 2019/20.
Appropriate financial systems are in place, with a clear understanding of roles and responsibilities, with controls in place to ensure adherence to policies. Value for money is at the forefront of our decision making and is evident in our budgetary position and reduced spending on areas such as travel and subsistence and estates costs.
Contract management
CQC has continued to roll out the government standard framework for contract management and the accompanying toolkit.
Delivery of associated contract management training to key stakeholders has commenced across CQC, and all new ‘gold’ contracts are now utilising the full set of tools and templates. The process is being gradually cascaded and adopted across lower risk ‘silver’ and ‘bronze’ contracts.
Alongside this, several members of the Commercial Team have undertaken formal contract management training (IACCM) and obtained a professional contract management qualification. More members will be working towards this accreditation in 2020/21.
Performance
We have further strengthened the quality of performance information and our focus on performance reporting in directorates to help us deliver our targets. During the year we introduced Power BI for our performance and risk reporting, which has given managers more accessible ways of using performance information.
We have been able to use performance to identify improvement areas and track the progress following implementation. As set out in the Performance report, our KPIs showed some performance improvements. For example, performance on safeguarding concerns identified that a change in process was required to ensure they were addressed in a timely way. Improvements were implemented in August 2019 and could be tracked to show consistent improvement over the remaining six months of the year.
We received the final audit report into Inspection quality and consistency assurance from our internal auditors in June 2020. It is clear from this audit, which had a limited rating, that we need to accelerate the work we have had underway for some time to improve our inspection consistency. In particular we need to define a corporate quality management framework for CQC as a whole covering our Quality control (QC) and Quality assurance (QA) activities, and increase learning and development opportunities for our people in our QC and QA processes. We are discussing all the report’s recommendations with our Board and monitoring of their implementation during 2020-21 will take place through the ACGC.
Risk management
Our risk management framework provides a strategic and operational risk register to be considered by the Board at quarterly intervals, and the Executive Team more frequently, including a twice-yearly review of our strategic and high-level risks.
The Board and the Executive Team have agreed our risk register for 2020/21 and the key risks for CQC have been reported to our Board meetings in our quarterly Performance reports, most recently in November 2020 (https://www.cqc.org.uk/about-us/board-meetings/care-quality-commission-board-meeting-18-november-2020). They cover external risks including being an effective regulator; the pace of change in health and social care; and COVID-19.
An internal audit of risk culture within CQC took place in Q4. This focused on corporate risks that relate to CQC’s own organisation and effectiveness. We are using the recommendations of this audit to improve our people’s knowledge and confidence regarding risk processes, including awareness of risk escalation procedures. In particular we will focus on awareness and risk escalation at team levels, with new training and engagement with managers throughout CQC being planned for 2020-21.
In the area of regulatory risk, we have identified several required improvements. These include how consistently we monitor and respond to the risk that services are not safe for the people who use them, underpinned by the reviews we commissioned following Whorlton Hall. Work is underway in line with an objective in our 2020/21 business plan to build a stronger regulatory risk framework that will enable us to ensure consistency and improve our approach.
For whole organisation approach there has been a small amount of improvement in the last year, but it has not been significant. There are pockets of good practice, but these are outweighed by a need for a more mature approach and better sharing of good examples.
There is a split between project and cross cutting pieces of work – which we are getting better at – and business as usual where we have a greater amount of work to do. While we have improved since last year, we have higher expectations and we understand the challenges more.
We have made improvements around a collaborative approach to business planning, our project resourcing models and governance, and collaboration on Independent voice activity.
We have, however, more to do in respect of understanding available resources in directorates and articulating benefits to encourage people to get involved. We have more to do on ensuring that our modelling is creating true flexibility on the deployment of resources and we also need to take forward the learning from the David Noble report and ensure we drive forward consistency in our systems and processes.
Overall, our people survey results tell a similar story to 2018/19, but with some significant increases alongside a downward trend in several areas.
The results show that we continue to feel positively about our work, teams and managers. A large proportion of us continue to consider the work of CQC as vital for people who use services.
There has been a significant improvement in the experience of equipment and technology (up 16% to 57%) – following feedback in the 2018 survey we created much more robust change programmes and have delivered an upgraded network, replaced all mobile phones and implemented Office 365. Work has begun in earnest to replace other systems, such as Digital Publisher and CRM.
People also feel there has been an improvement in the ability to speak up and believe that the behaviours of local leaders support our values, as well as more positive responses to access to learning and development.
Some overall perceptions of working for CQC have declined, and this has resulted in our ‘Say, Stay, Strive’ employee engagement index score decreasing by five percentage points, to 66%.
Experience of how we lead change and communicate continue to score very low, despite our efforts to target action in these areas. Perceptions of executive and senior leadership have seen significant decreases, particularly in relation to the visibility of senior leaders and their connection to our values.
Listening to the feedback received was evident in the Executive Team’s response to COVID-19, which through the technology of Teams live events has allowed the CEO to address the whole organisation and have a Q&A with all colleagues and leaders quickly and frequently on all topics, including change. Staff sentiment has recognised the improved visibility of leadership even though we’re all working from home, and we are using pulse surveys to get more frequent feedback. From June 2020 we’ll be launching an internal campaign around our change agenda that seeks to increase visibility and opportunities to engage with our change programme.
Directorates report that they have put additional effort into the areas where staff have greatest concerns – workload and wellbeing in particular. As a result, Directorates are focusing on greater engagement with people from senior and other managers; on development and training; well-being initiatives at Directorate and team levels, including focusing on connectivity for home workers and using data to monitor workload and sickness so issues can be addressed. Directorates will monitor future survey results with the aim of seeing an improvement in these and other areas.
We are in the process of a very significant digital transformation. This means that colleagues in all directorates are experiencing change in the way that they use, store and manage information and evidence.
These changes will allow CQC to make information management improvements and will allow greater oversight and assurance in this area. This work has started and will continue over the next year with all directorates.
12 out of 14 Directorates were rated as good in relation to this area of the Management Assurance standards, with two being requires improvement. We have not identified that this represents a significant variation between the standard of information and evidence management across directorates, but this reflects different operational demands and priorities that impact on information and evidence management.
As an example of the areas for improvement, one of those Directorates highlighted the intention to do more work to support staff to collect data that is most closely focused on the needs of making judgements about regulatory risk, and therefore minimise the collection of extraneous data. The other Directorate highlighted that the data storage solutions for some data they use needed improvement and while workarounds were being used, a Quality Improvement project had been established to resolve this. Learning from these improvements can be shared with all directorates as part of the ongoing work to further strengthen our information and evidence management.
We continued to work with DHSC’s sponsor team to maintain arrangements for regular performance reporting and review. Assurances around the efficient and effective operation of Healthwatch England were sought through CQC’s governance frameworks. These comprise regular reporting to CQC’s Board and CQC’s ACGC, and regular accountability meetings between the Accounting Officer and the Chair and Chief Executive of Healthwatch England.
We have a scheme of delegation to ensure that all significant decisions are made by those who are authorised to make them. We have no information or evidence to suggest that during the year CQC has assumed duties beyond its statutory powers, or that it has improperly delegated any duties. We updated the scheme twice in the year.
During 2019 we embedded our governance model which was reviewed in 2018/19 to provide a more appropriate balance between governance and delivery. In particular the changes to our governance for our change portfolio – the creation of the Strategic Change Committee – have helped deliver an organised and funded change portfolio that will help us to deliver change effectively – and we have addressed progress with our change programme in the Performance report.
We set out Quality Improvement (QI) as a key priority in our business plan for 2019-20 and we have made progress in several areas. There is a will and a desire in this area, coupled with systems and people’s skills being aligned, but there is still more to do.
We have established effective governance structures for managing QI, with Directorate Improvement Groups identifying and coordinating improvement activity within the Directorates, supported by an Improvement Board that provides organisation wide coordination. The development of the QI capability is overseen by a Steering Group and Operational Delivery Group who have responsibility for ensuring QI becomes part of our day-to-day way of working.
We also have established a central QI resource who are trained and experienced, and there are eight directorate QI Gold Experts. This combined with the established governance enables identification and tracking of QI initiatives for all projects.
Training in QI will be available to all colleagues over the next 2 years. To date we have trained 15 Gold level experts, have commenced with Silver Champion level training for 600 colleagues and for all colleagues rolled out our Bronze Foundation level during May 2020. Coaching has also commenced for our Senior Leadership Group and further training is being developed for our Leadership group.
Our approach to QI is still bedding in and maturing and the focus now in addition to continuing the rollout of training is on areas such as benefits articulation and improving the process for gathering improvement ideas.
Other assurance areas
Information governance and cyber security are important areas of focus within CQC. As in previous years there has been ongoing improvement work throughout 2019/20 which has been driven by the Information Governance Working Group. That work has been reported to and overseen by the Information Governance Group, chaired by the CQC SIRO. A summary of the work of the group is reported to the Executive Team. Regular updates are provided to the Board at their monthly meetings to cover any significant developments or incidents affecting security and governance within CQC. The Board also held a cyber and information security seminar in October 2019 to provide an update and assurance in this area for CQC.
A major programme of migration is taking place in CQC to move systems and data to cloud based infrastructure from the traditional on-premises based systems. Information Security and Governance is an integral part of the programme to ensure that all elements are compliant with both CQC internal and external requirements and good practice.
During 2019/20, work has continued to be undertaken to ensure that CQC remains compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Work is ongoing to maintain and strengthen compliance with data protection legislation. Data Protection Impact Assessments are being conducted for all major changes and as part of the systems migration from an on premises to cloud based infrastructure.
Security incident analysis and response has continued throughout 2019/20 and is reported to CQC’s SIRO and the Audit and Corporate Governance Committee. The number of incidents reported and investigated during the year was consistent with that of previous years, and these were low-level incidents where no harm or distress was caused. There was only one incident that was reported to the Information Commissioner’s Office; this was reported as a precaution in case it developed at a later stage, but no further follow up by the ICO or CQC was necessary.
We have continued to liaise with the Department of Health and Social Care, NHS England, NHS Digital and the Information Commissioner’s Office on matters of information security and privacy.
CQC’s Information Governance risk register is regularly reviewed at the meetings of the Information Governance Group, which continues to monitor the risks and our actions to manage them. We completed the baseline return for the Data Security and Protection Toolkit (DSPT), coordinated by NHS Digital. We have also submitted our full annual return for the DSPT with a fully compliant assessment.
The Director of Governance and Legal Services leads CQC’s counter fraud function. The number of allegations of fraud received during 2019/20 has continued to be very low, with 9 cases reported and investigated. Those cases contained allegations of corruption or conflict of interest but, following thorough investigation, none have been found to be substantiated. Twice yearly summary reports are presented to the CQC Audit and Corporate Governance Committee for their information and comment. Discussions have taken place with the DHSC counter-fraud team to ensure that CQC processes are aligned with those of the department and other ALBs. That discussion also resulted in CQC receiving regular fraud bulletins and updates.
Conclusion
A management assurance assessment process remains an essential method for gaining assurance and facilitating improvement in the eight areas of management responsibility. The process enables us to set consistent standards we expect in our management and governance and monitor how well these are met across the organisation. Viewed alongside evidence from our KPIs and other measures, and an internal audit programme, we have a good picture of what we are doing well and where we need to improve.
As our summary above sets out, our financial management, systems, and control; Governance and decision-making; and Planning are areas where we can be assured progress has been particularly good. In other areas we can be assured that we know what we are doing well and have identified the things we need to improve, particularly in the areas of Whole organisation Approach, Continuous improvement, Performance and Risk Management and People Management and Development. Within the performance area, improvements to our Quality Controls and Quality Assurance are a clear priority.
We will look to strengthen Management Assurance in the coming year: to build an even stronger evidence base and consistent judgements and, as much as possible, to make the process easy to use and accessible to our people.
Head of Internal Audit Opinion
We have completed 17 reviews during 2019/20 (2018/19: 18). Of the reviews for which formal ratings were issued, 0 (0%) were rated Substantial, 13 (93%) were rated Moderate and 1 (7%) rated Limited [prior year 1 (8%) Substantial, 10 (84%) Moderate and 1 (8%) Limited].
My overall opinion, consistent with that given in 2018/19, is that I can give to the Accounting Officer of the Care Quality Commission for the reporting year 2019/20 MODERATE assurance that there are adequate and effective systems of governance, risk management and control. This opinion should be read in the context of the background and further details given in this report.
We would like to take this opportunity to thank all of those who have assisted us during the course of this year’s internal audit programme. CQC continues to take a positive approach to the value of internal audit and to implementation of agreed actions where required in response to recommendations.
My opinion is based on the following information:
- Outcomes of the engagements on the 2019/20 internal audit plan
- Findings of our review of CQC’s response to Covid-19 and
- Cumulative knowledge gained from attendance at management committees including the Strategic Change Committee and Audit and Corporate Governance Committee; access to risk registers and key documentation; and discussions with management.
This report covers the period 1 April 2019 to 31 March 2020.
The Public Sector Internal Audit Standards (PSIAS) require me, as Group Chief Internal Auditor, to deliver an annual internal audit opinion and report. The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.
My opinion is a key element of the assurance framework and can be used to inform the organisation’s Governance Statement.
My opinion is not absolute and is a reflection of the evidence available.
My opinion does not detract from the Accounting Officer’s personal responsibility for risk management, governance and control processes.
The Government Internal Audit Agency (GIAA) has conducted its work throughout 2019/20 in compliance with PSIAS. A copy of PSIAS is available on request.
GIAA was subject to an External Quality Assessment in 2015/16, which confirmed that it ‘generally conforms’ to the requirements of the PSIAS. This was supplemented with a short assessment by the National Audit Office in 2016/17. The next External Quality Assessment will take place in autumn 2020.
Every year, we undertake regular internal quality review exercises. Broadly, each exercise has been satisfied with the quality of our findings and reports, and recognised improvements in how we document and evidence our work.
We continue to strive for improvement and to ensure we apply best practice consistently across our work.
2020 has seen the UK impacted by the worldwide COVID-19 pandemic, which resulted in a Government lockdown from 23 March. Our work for 2019/20 was planned and delivered before the pandemic and before the impact of COVID-19 was known.
Like other organisations, CQC has needed to respond to the changing situation, taking some urgent and agile decisions to mitigate the impact on the organisation and its staff, and to play its part in the wider NHS and national response. In particular, the decision was taken to suspend normal inspection activity.
Our review of governance, risk and controls was not undertaken in anticipation of the pandemic and the response that would be required of CQC. However, in May 2020 we have performed a high-level review of the response to the crisis, and further work is ongoing to consider how risks facing the organisation have changed and how recovery into future (new or changed) ways of working is being planned and delivered.
CQC was able to draw on its pre-existing Business Continuity arrangements, led through a gold/silver/bronze structure, to respond to the crisis. While these arrangements had been established and tested previously, that was not in anticipation of a crisis on this scale. Some adjustment was required to embed more senior leadership and capacity into managing the response. Going forwards, it will be important to embed the lessons learned, which management is taking steps to do, ensuring continuity and crisis plans cover all potential types of incident and that exercising fully involves all relevant staff in all their possible roles. The detailed findings from our review are currently being collated and will be reported to ACGC in due course.
Management has established a formal programme for recovery of regulation activity, with separate business recovery for matters such as working from home and return to offices. Fairly early on in the response it was identified that there needed to be scenario planning to inform the response, and we believe continued use of scenarios to inform recovery is likely to be helpful. In addition, the crisis has shown the need for organisations to revisit their risk management to ensure all potential risks have been identified and sufficient attention given to those of very remote likelihood but possible extreme impact.
Themes of work
Work in 2019/20 covered a number of areas of governance.
Early in the year management took steps to improve processes for obtaining external approvals, e.g. DHSC approval to incur expenditure. We found communication with DHSC had improved following the introduction of fortnightly meetings and approval times had reduced because the sponsor team was informed early and consulted during drafting. Recommendations included that a forward plan be maintained to document external approvals required and that guidance notes on the process be prepared.
A review of Quality Improvement concluded that good progress had been made on governance, the QI function and working practices but after some delays to roll-out, reporting on the benefits derived from projects will only be available from July once benefit KPIs have been established.
The Management Assurance self-assessment process continued to promote an organisational focus on governance, risk and controls. We noted that the cross-CQC panels on Whole Organisation Approach and Continuous Improvement appeared to work well to create engagement.
CQC continues to have focus on the management of risk, particularly the more significant risks via Audit and Corporate Governance Committee (ACGC) and Board.
At the request of ACGC we held a series of workshops with samples of staff to assess the culture for raising risks. Strengths identified included that: 88% of staff had an awareness of risk management; 78% were aware of the escalation process; and 49% agreed that CQC actively seeks out information on risk events and ensures key lessons are learnt. Areas for improvement included: raising awareness of the risk management framework and escalation process, including through training; encouraging consistent reporting/escalation of risks; and considering corporate briefings on strategic risk and lessons learnt.
We also reviewed CQC’s framework for management of regulatory risk. This identified a need to improve record keeping within CRM to evidence closure of risks. Other recommendations included to develop an overarching framework for oversight and reporting of regulatory risk, to sit above the existing sector-based frameworks.
We have issued 17 (2018/19: 18) reports since our last Annual Report, all of which addressed key aspects of the systems of internal control. A number of these are reported on separately under Governance, Risk Management or Projects and Programmes.
We performed three reviews of key financial control processes in 2020/21 covering the Payroll, Payments and Fees forecasting / accounting systems. There were no high priority actions arising from any of these reviews and no exceptions identified from our transactions testing. Some improvements were required to enhance the adequacy and effectiveness of governance, risk management and control in each of these areas, with more scope to continue developing the fees forecasting and accounting processes, with recommendations including:
- enhance the accuracy of data feeding the fees setting model, including through improved use of time recording and aligning the cost model to fee categories; and
- improve the accuracy of apportionment assumptions for GIA costs and continue to focus on the risk of cross subsidy of GIA funded activity from fee income.
We also reviewed the Inspection Model and assurance mechanisms for Quality and Consistency of Inspection Reports. In relation to the Inspection Model our work confirmed opportunities forming part of management’s pre-existing plans in relation to:
- continuing to work with Inspectors to make use of intelligence products as easy as possible
- the benefits of a structured technological solution to interfacing with providers and
- further opportunities in relation to efficiency of report writing.
We found that pending completion of work in progress on the improvement project, CQC has limited assurance that quality assurance and quality control processes achieve consistency across inspection activity. We recommended a corporate quality management framework be introduced, quality control tools be applied consistently across inspection reporting, learning and development for staff be broadened and that more steps should be taken to formalise the improvement project.
In other reviews in 2019/20 we considered the management of activity in Intelligence and how resources were prioritised to products and development initiatives. We also provided some independent views to management’s scheduling project team.
The major programme of change at CQC has continued throughout 2019/20, comprised of a number of key projects. There has been significant work to improve the IT infrastructure: CQC moved to Office 365 and the Digital Foundations Programme (DFP) is nearing implementation of an entirely new IT infrastructure. At the time of this report, a new five-year strategy is being developed and the “Transforming Our Organisation” project to develop a new Target Operating Model (TOM) is now underway.
We performed an assessment of CQC’s programme governance. This broadly confirmed management’s self-assessment that areas of the framework were either “developed but not yet consistent” or “established but yet to be embedded”. Key areas for development were benefits management and lifecycle assurance.
A high-level security review of the Office 365 architecture, the configuration of security tools and the integration with the on-premise environment was also performed. Findings were broadly as we would have expected for the stage of the migration: a number of available features and configurations had yet to be fully implemented that would provide considerable security benefits, particularly for Identity and Access Management.
A key area of our work in 2019/20 was the DFP. We undertook both an initial Gateway Zero review and a “Readiness for Implementation” review. We found that, compared to the “Amber/Red” delivery confidence in April 2019, improved governance and core programme management processes by October 2019 had significantly improved ability to deliver the intended outcomes. However, there remained risks and opportunities to achieving the demanding timeline for changeover in April 2020.
The Readiness review in March 2020 revealed further significant progress, with onboarding of key suppliers to drive the definition and implementation of the intended solution including the technical future system architecture and the organisational structures and processes for the new IT services. However, projected timelines for delivery and transition of services and applications remained demanding even though the key dates had moved to June 2020. Overall, our review re-confirmed that management are aware of the key risks and issues, but there remains risk to being able to achieve the revised timescales.
Further work on projects, including an updated programme governance assessment, post-implementation review of DFP and assurance work on the TOO project will feature in our 2020/21 plan.
Jane Forbes
Head of Internal Audit
We have continued to ensure that robust mechanisms are in place to assess risk and compliance, with regular review at the Board and the ACGC.
Our transformation programme encompasses a number of initiatives across registration, our regulatory model, and digital strategy. Significant progress has been made during 2019/20 on delivery of this programme.
In previous years, technology was identified as an area where improvement was needed, and significant improvements have been made on this during 2019/20, led by the Chief Digital Officer, who took up post in April 2019. The majority of technology services are now consumed from the cloud, which offers cost and resilience benefits but has been accompanied by new technology partners and a different cyber risk landscape – both of which will be monitored closely during 2020/21.
Improvements in productivity as a result of this multi-year transformation programme are beginning to be seen and will continue in 2020/21 and beyond. A new sub-committee of ACGC was established and this continues to provide additional scrutiny to this work.
The year has not been without challenges, including a staff survey with some disappointing results. Significant action has been taken in response and a ‘pulse’ survey in May 2020 demonstrated significant improvement. At the end of 2019/20 the Covid-19 pandemic impacted on our regulation of health and adult social care services. We expect disruption will continue well into 2021.
The Head of Internal Audit has provided an annual opinion providing moderate assurance that there are adequate and effective systems of governance, risk management and control.
I agree with their conclusion.
CQC has complied with HM Treasury’s Corporate Governance in Central Government Department’s Code of Good Practice to the extent that they apply to a non-departmental public body.
I conclude that CQC’s governance and assurance processes have supported me in discharging my role as Accounting Officer. I am not aware of any significant internal control problems in 2019/20. Work will continue in 2020/21 to maintain and strengthen the assurance and overall internal control environment in CQC.