Until 30 August 2004 when I took early retirement, I was the NHS National Controls Assurance Project Manager at the Department of Health. I proposed the controls assurance process in 1995 and was fortunate to manage the project for nine years. Through controls assurance NHS Boards have been providing annual public assurances on the effectiveness of the whole system of internal control, risk management and compliance with applicable laws and regulations. The requirement to provide an annual statement on internal control, adopted voluntarily by the NHS under controls assurance in the mid-1990s, was only recently made mandatory by HM Treasury across the public sector (following private sector practice).

  In 1999 a set of controls assurance standards, including one on infection control, was launched by the then Health Minister. After 1 August 2004, following a so-called "efficiency scrutiny" by the Department of Health and Cabinet Office Regulatory Impact Unit, it was announced that controls assurance had been "scrapped" from 1 August 2004. Unfortunately:

—  the department's new healthcare standards, issued earlier this year, still specifically require compliance with controls assurance;

—  more seriously, the Healthcare Commission have not yet published the draft criteria for the new standards that will be used to assess compliance. The Department is promising more information later in the year on what NHS bodies should do between 2 August 2004 and whenever the new system is put together.

  I have read the proceedings and 42nd PAC Report (2000) and would like to draw your attention to two issues:

—  in the PAC hearing in June 2000 the Department refuses to concede the PAC's point about the need to take urgent action over hand washing. And yet in August 2004, the month before this hearing, the NPSA announces that maybe 450 hospital acquired infection fatalities a year could be prevented if hands were washed between beds. Presumably the four years between the two PAC hearings represents 18,000 infections and 1,800 deaths.

—  At the 2000 PAC, the chief executive and CMO were arguing that Controls Assurance would solve the problem by putting the systems and processes in place and that this would then lead to measurable improvements. (PAC Agreed Report Para 4. (iv) "Key to achieving progress will be the effective implementation of the new Controls Assurance System, which builds on the statutory duty of chief executives for quality of care.") And indeed the NAO survey found that controls assurance had indeed put the systems and processes in place. (The NAO Reports says at para 2.4, "In ranking controls assurance as the main driver for change, nine out of ten chief executives reported that it provided the necessary framework for monitoring their infection control arrangements . . . as a result most trusts have reported year on year improvement in compliance with the infection control standard.") One might be forgiven for thinking, therefore, that a solid foundation had been put in place upon which to build. Yet in the month before this hearing the department ignores the NAO findings and "abolishes" controls assurance. Worse, the Director of Finance of the Department of Health is reported by the NHS Appointments Commission (Non-Exec Bulletin Issue, 5 July 2004, page 7) telling everyone that controls assurance is a "monster" and "one of the biggest bureaucratic burdens on the NHS".

  I would simply observe that the Cabinet Office/Department's review of controls assurance and this NAO Report on acquired infection are totally at odds with one other. This is something that needs to be clarified, not just because managing risks in our hospitals is an extremely serious problem and not a game, but because this apparent clash between the NAO and the DH surveys casts a wider shadow over the worth of all central reviews. Particularly those central reviews that can't be scrutinised. The NAO have published their Report and survey data in full for all to see; it would help if the Department/Cabinet Office would do the same. If not now, please could they ensure their officials don't lose the data before the Freedom of Information Act comes into force in January 2005?

  It is the case that the (controls assurance) infection control standard would have been amended to require a self-assessment against the controls recommended by the NPSA if that were policy. It is also true that the controls assurance process is led by NHS boards. Whether that is "bureaucratic" or not seems to me rather a moot point given the importance of the subject. It is my belief that:

—  whatever was perceived as being wrong with controls assurance should have been fixed;

—  "abolishing" controls assurance in 2005 only to re-invent the self-same criteria in 2006 in a rummaged-around fashion via the Healthcare Commission (inevitable because most of the stuff in the standards is indivisible) only serves to transfer responsibility from one arm of the government (Health Dept) to another part of the same arm (Healthcare Commission). That is, it gets us nowhere;

—  but a year is lost and all the historical data is seriously compromised. The original PAC Agreed Report (Paragraph 3) says, "Without robust, up to date, data, it is difficult to see how the Department of Health, the NHS Executive, health authorities and NHS Trusts can target activity and resources to best effect." I contend that a great deal of use can be made of controls assurance data to target areas of greatest risk reduction potential as had started to be demonstrated via the NHS controls assurance reporting system (ROCA). ROCA is an on-line, real time system, and the remarks in the review on the Cabinet Office website about the collection process are just plain wrong. I was able to take some small part in the NAO analysis through sharing data and believe that a great deal of use could still be made of the controls assurance data. I note the evidence of relationships between controls assurance data and various output indicators in Appendix 6 of the NAO Report. Quality information derived from robust data is absolutely vital, and it was a big mistake to abandon the system.

  It seems to me that Controls Assurance—including the infection control standard should not have been withdrawn, certainly not before a suitable replacement system was put in place. I suggest that:

(a)  the Department of Health should review its decision to abandon controls assurance before a replacement system is in place;

(b)  the Department of Health should explain why the benefits it promised the PAC under the banner of controls assurance have not accrued, if that is the case;

(c)  further, if it is true that the system of assuring the public "that systems are in place to protect patients, staff and visitors from risks of all kinds" (controls assurance) was an unnecessarily "bureaucratic" exercise, will they publish the cost-benefit analysis? When did it realise this? When did the CMO change his opinion from that he expresses to the PAC at the last hearing? Apparently not before January 2002 when his infectious diseases strategy, "Getting Ahead of the Curve" set a target for full compliance with the controls assurance infection control standard.

(d)  What constructive steps were taken to remedy the system? Why will the new healthcare standards and the new audit regime be any better? Are NHS bodies not going to have to render/share risk management and control data under the new system?

(e)  Now that controls assurance has been abolished, what exactly is the system of internal control now, what will it be in 2005-06 and what, if anything will the NHS sign up to in terms of managing risk, including infection control, in the period between now and March 2006?

(f)  The Department should certainly publish their survey data, including all comments made by respondents so that the discrepancy with the NAO findings can be examined further.

8 September 2004