Chapter 6: provider assurance
Updated 25 January 2024
Introduction and background
1. The Provider Assurance Team (PAT) is part of Department for Work and Pensions (DWP) Finance Group in the Contracted Management and Partnership Directorate (CMPD) and has been in operation since October 2009.
2. The primary purpose of the PAT is to provide the DWP CMPD Director with an assurance that provider systems of internal control are such that payments made to CMPD providers are in accordance with DWP and Treasury requirements.
3. PAT reviews and tests providers’ systems of internal control to establish how effective they are at managing risk to DWP in relation to health and employment provision expenditure and service delivery, including the arrangements they have in place for their supply chain.
4. This work is carried out by the PAT by reviewing providers’ internal control systems to assess their ability to manage risk across 3 key areas:
- Governance Arrangements – covering the provider’s governance arrangements, systems for tracking and reporting performance and their anti-fraud measures
- Service Delivery – includes the provider’s systems for starting, ending and moving participants through provision and generally looks to ensure that DWP is getting the service it is paying for. This section also covers management of the supply chain
- Claim Procedures and Payments – looks to ensure that providers have in place effective systems to support their claims for payment, including appropriate segregation of duties
How the PAT operate
5. The Provider Assurance Team (PAT) operates at a national level enabling it to present CMPD provision providers operating across regions with a single view of the effectiveness of their systems. Each provider is allocated a nominated Senior Assurance Manager as a single point of contact within DWP for management of assurance related issues / concerns. Contact details for the team can be found at paragraph 37.
6. On completion of each review providers are awarded a PAT assurance rating in one of the following 4 categories:
(i) weak
(ii) limited
(iii) reasonable, or
(iv) strong
7. The provider is sent a formal report which details the review findings including key strengths and areas for improvement, and where weaknesses have been identified. Providers are required to complete an action plan setting out appropriate steps for improvement. Action plans are followed up until the PAT is satisfied that all required actions have been undertaken.
8. The description of the 4 assurance levels are as follows:
- Strong Assurance – governance, risk management and control arrangements operated provide strong assurance that material risks are identified and managed efficiently and effectively, although improvements may be recommended
- Reasonable Assurance – governance, risk management and control arrangements operated provide reasonable assurance that material risks are identified and managed efficiently and effectively. Remedial action is required to improve the control environment
- Limited Assurance – governance, risk management and control arrangements operated provide limited assurance that material risks are identified and managed efficiently and effectively. Corrective action is required to resolve control weaknesses
- Weak Assurance – governance, risk management and control arrangements operated provide weak assurance that material risks are identified and managed effectively. Urgent and significant corrective action is required to resolve significant control weaknesses
How the PAT plan
9. In order to manage review activity and direct our resources in the most effective way, the PAT operates a national plan covering all health and employment provision providers in scope for PAT reviews. Provider reviews are allocated in priority order according to risk. This is determined by a number of factors including the current assurance rating, length of time since the previous review, and DWP stakeholder intelligence.
The review process
10. The PAT look for evidence that systems are in place across provider organisations to manage key risks to DWP expenditure. To facilitate this process the key risks have been broken down across the 3 scope areas (see paragraph 4) and the PAT will examine the controls in place within the providers organisation to look at how effective they are in managing the risks identified.
11. There are 5 stages to the review process which can take up to 23 weeks to complete, depending on the complexity of the providers organisation and the extent of the health or employment provision contracts. The bulk of provider facing activity takes place within field testing which generally lasts no longer than 5 weeks.
Provider review process
12. A PAT Review covers the following stages:
- Planning and research
- Initial evaluation
- Field work
- Final evaluation
- Reporting
- Follow up of action plan
Planning research and initial evaluation
13. The purpose of this stage is to pull together all relevant information about the provider, form a paper-based opinion about the systems and develop the testing strategy.
14. During this period the provider will be sent 2 documents:
- a Provider Systems Questionnaire (PSQ) which asks a series of questions about the providers systems across each of the 3 scope areas
- a site information stencil to confirm information about the delivery sites for the programmes
15. The PAT also take account of feedback from other departmental colleagues who work closely with the provider. Intelligence is gathered from these sources during the planning process and used alongside the PSQ response from the provider when forming an initial view of the risk and development of the test strategy. See paragraph 30 for the stakeholders consulted during this period.
Field work at providers
16. Commencement of the field work is signalled by a formal start-up meeting between the provider and the PAT. The purpose of this meeting is to brief the provider on the forthcoming review and agree the terms of engagement throughout including timescales for final feedback and the timeframe for providing all evidence by.
17. Based on the planning, research and initial evaluation the PAT decide whether to carry out any testing deemed necessary to form a judgement as to the effectiveness of the systems under review.
18. Field Testing is arranged via MS Teams and at the providers premises or a combination of both. Where fieldwork is to be undertaken at a provider’s premises, it can be conducted at any of the sites across the country. Choosing which premises to visit will be determined by a number of factors, for example the provisions and activities delivered at individual sites, any intelligence gathered during the planning stage which may indicate weaknesses in certain areas, or the availability of PAT resource.
19. The tests will typically include reviewing key policy documents, examining participant files, interviewing staff, and performing checks in sufficient quantities to allow the team to form an opinion across the providers systems as a whole. This may mean that testing has to be extended in some circumstances or that it may be cut short in others.
20. During the testing period the PAT provides a written summary of the key points. This allows the provider to understand and discuss the findings to date.
21. Throughout the testing period the provider will be given the opportunity to provide any supporting documentation and/or missing evidence that has been requested by the PAT. All evidence must be provided by the date agreed at the start up meeting.
Final evaluation
22. Evaluation of the providers systems is continuous throughout the end-to-end PAT process. Once testing is complete all the findings are considered and an overall assurance level is awarded covering the 3 scope areas of Governance Arrangements, Service Delivery and Claims Procedures and Payments as described in paragraph 4.
23. The final evaluation and assurance level will be formally presented to the provider at a final feedback meeting at a time agreed in advance. At this meeting the PAT will discuss what actions will need to be taken to address any issues raised and timescales for satisfactory completion of those actions.
Review outputs
24. Following the final feedback, a report is produced by the PAT and sent to the provider. The report will contain details of our findings and opinion against all key risk areas across the 3 scope areas and an overall assurance level assessment for the PAT report.
25. There will be an action plan at the back of the report covering all the issues raised at the feedback meeting. The provider is expected to return the action plan within 10 working days of receipt. The response should contain any timescales for implementing any necessary improvements, which can be from one week to a maximum of 3 months.
26. Providers will work with EAD Performance Managers on behalf of the PAT to implement all the actions but is the PAT that make the final decision on and sign off of each action. This follow up will take place within the timescales agreed with the PAT.
27.Providers are also asked to complete and return a feedback stencil to the Senior Assurance Manager. DWP is committed to providing an effective Provider Assurance function and in order to meet this commitment the PAT need to constantly review the way in which they operate and their supporting policies and procedures. As a major stakeholder in this process, obtaining feedback from the provider is critical.
28. If there are any issues or causes for concern that cannot be addressed throughout the course of the review, then the provider should in the first instance put a complaint in writing to the Head of the Provider Assurance Team. (contact details at paragraph 37).
29. There is no formal appeals process to allow the provider to challenge the level of assurance awarded. The PAT undertake a period of extensive evaluation to ensure there is a good understanding of the providers systems and processes, and will gain sufficient evidence through testing to reach a sound conclusion regarding the adequacy and effectiveness of the controls within the providers organisation. If a provider is unhappy with the outcome there will be the opportunity to discuss concerns with the SAM and/or Head of the PAT.
30. The final feedback meeting allows the provider ample opportunity to discuss the findings and assurance level, before the final report is issued.
31. The main focus of any meeting or correspondence after an assurance rating has been given will concentrate on the implementation of the areas for improvement as detailed in the action plan to strengthen the providers controls/maintain a strong level of control in preparation for the providers next review.
32. The report is also sent to DWP stakeholders, these typically include (but not exclusively):
- CMPD Director
- Commercial Directorate
- Employment Accounts Division or Health Controls
- Counter Fraud and Investigation
- Performance Managers
- PRaP Operational Support Team (POST)
Other potential actions
33. Without prejudice to any other of DWPs rights under your Contracts, there may be other actions required depending on the findings of the review, including:
-
Overpayment Recovery – if overpayments are identified and evidence could not be produced during the review, then DWP may seek to recover any overpayments
-
If any overpayments, errors or discrepancies identified during the review indicate they are as a result of systemic weaknesses then you may be required to provide the applicable evidence over a specified period of time and in doing so identify any overpayments. The results will be verified before any subsequent action is taken.
Provider assurance team reporting
34. DWP may periodically publish assurance levels by Provider (note - this will not include reports or supporting information).
35. All PAT provider assurance reports are shared with the CMPD Director and other senior managers within DWP.
36. DWP may take remedial actions in the following circumstances:
-
if following a Weak or Limited Assurance level from the PAT the providers subsequent assurance level is the same or worse for the same reasons, or they are awarded a consecutive third weak or limited assurance, regardless of the reasons
-
following a review, if the provider fails to submit and/or implement the Action Plan within agreed timescale
-
where there are suspicions that a provider may be acting inappropriately the team will refer to Counter Fraud and Investigations as the experts trained in the legalities and techniques required to carry out formal investigations, or
-
where there are serious concerns around data security these are reported through the respective channels to colleagues in the DWP Security Incident Response Team
Contact details
37. Send all enquiries to the PAT central inbox: provider.assuranceteam1@dwp.gov.uk