Annual report and accounts 2023/2024
Corporate governance report
The corporate governance report describes how the organisation is governed, how this supports our objectives, and how we ensure there is a sound system of internal control that enables us to deliver our purpose and role.
Directors report
The CQC is an executive non-departmental public body established by legislation to protect and promote the health, safety, and welfare of people who use health and social care services, and to regulate all health and adult social care services in England.
Our statutory functions are set out principally in the Health and Social Care Act 2008 (the 2008 Act), together with the Health and Social Care Act 2012 and the Care Act 2014. There is additional relevant primary and secondary legislation.
The powers and constitution of CQC’s Board are derived from Schedule 1 to the 2008 Act, and regulations under it that allow for Board membership (which were made in 2012 and again in May 2014).
Composition of Board, directorships, and significant interests
Board composition
As at 31 March 2024, our unitary Board was made up of the Chair (Ian Dilks) and, as required, up to 14 Board members (the majority of whom must be non-executive members):
- 8 non-executive members
- the chief executive (who was also the accounting officer)
- the interim deputy chief executive
- 2 chief inspectors (one of whom was in the role on an interim basis)
- the executive director of operations
- the chief digital and data officer.
There were a number of changes to our Board membership over the financial year:
- Jora Gill’s term as an associate non-executive director ended on 31 May 2023.
- Dr Ali Hasan became a non-executive director from 1 June 2023, having been an associate non-executive director up to that date.
- Christine Asbury, Dr Mark Chakravarty, and Professor David Croisdale-Appleby were all appointed as non-executive directors on 1 June 2023. Professor David Croisdale-Appleby is also Chair of Healthwatch England.
- James Bullion (Chief Inspector of Adult Social Care and Integrated Care), Mark Sutton (Chief Digital and Data Officer), and Tyson Hepple (Executive Director of Operations) were all appointed as executive Board members on 1 February 2024.
- Charmion Pears was appointed as a non-executive director and Chair of the Audit and Risk Assurance Committee (ARAC) on 1 February 2024, replacing interim chair Jeremy Boss.
Subsequent to 31 March 2024:
- Chris Day, Director of Engagement, and Joyce Frederick, Director of Policy and Strategy, were both appointed as members of the Executive Team on 1 April 2024.
- Chris Dzikiti was appointed as Interim Chief Inspector of Healthcare on 20 May 2024.
- Ian Trenholm stood down as CQC’s Chief Executive and Executive Board member from 30 June 2024, with Kate Terroni appointed as Interim Chief Executive from 1 July 2024.
- On 1 July 2024, Jacqueline Jackson, Director of People, and Chris Usher, Director of Finance, Commercial and Workplace, were also appointed as members of the Executive Team.
- Dr Sean O’Kelly resigned as Chief Inspector of Healthcare and Primary Medical Services and as an executive Board member from 31 July 2024.
- Mark Sutton stepped down as Chief Digital and Data Officer and Executive Board member with effect from 30 August 2024.
- Kate Terroni stepped down as Interim Chief Executive and Executive Board member and was replaced by James Bullion as acting Interim Chief Executive and Executive Board member from 21 October 2024.
- Dr Ali Hasan resigned as a non-executive director with effect from 31 October 2024.
- Tyson Hepple, Executive Director of Operations, stepped down from Board with effect from 31 October 2024.
- Jeremy Boss, independent member of ARAC, resigned on 31 December 2024. David Corner, independent member of ARAC, also left CQC on 31 December 2024 at the end of his term.
- Belinda Black resigned as non-executive director with effect from 31 January 2025.
- Sir Julian Hartley was appointed as Chief Executive and executive Board member, with effect from 2 December 2024.
- Professor Aidan Fowler was appointed Interim Chief Inspector of Healthcare from 24 February 2025.
- Esther Provins was appointed as Interim Chief Digital and Data Officer from 3 March 2025.
- Ian Dilks stood down as Chair at the end of his term of appointment on 31 March 2025.
- Professor Sir Mike Richards CBE MD FRCP was appointed as Chair from 1 April 2025.
- Dr Arun Chopra was appointed as Chief Inspector of Mental Health and executive Board member from 12 May 2025.
- Charmion Pears, Mark Chambers, Stephen Marston, Christine Asbury, and Dr Mark Chakravarty all resigned from their roles as non-executive directors on 15 June 2025.
- On 16 June 2025, Kay Boycott, Alex Kafetz, Michael Mire, Ruth Owen OBE, and Melanie Williams were appointed as non-executive members of the Board. Richard Barker CBE was appointed as an associate non-executive member of the Board on the same date. Kay Boycott was also appointed as Chair of ARAC.
- Professor Bola Owolabi was appointed as Chief Inspector of Primary and Community Services and executive Board member from 7 July 2025.
As an executive non-departmental public body, CQC’s non-executive Board appointments are made by ministers within our sponsor department, the Department of Health and Social Care. The department oversees CQC in its delivery of effective corporate governance.
Biographies of all our current Board members and their declarations of interest are on our website. No Board members in post during the period held company directorships or significant interests that could conflict with their responsibilities.
Board members declare their interests on appointment. These are logged, and the declared interests of current Board members are published on our website. We make it clear that they should update us if these change at any point, and review their declarations annually, updating our records and the website accordingly. Finally, we call for declarations of interests relevant to the matters of discussion at the start of every Board meeting.
We also have a working group that is reviewing our conflict of interest policy and process for all colleagues to ensure all declarations are updated. The policy is managed in line with our Code of Conduct which reflects the Civil Service Management Code (Section 4.3). As part of the review, we seek to raise awareness of the importance of declaring secondary employment by educating and informing all colleagues when updating potential conflicts. We aim to introduce calibration to assure consistency of decision making and provide extensive briefings and comms to ensure colleagues understand their responsibilities.
The Board met 7 times over the course of the financial year. It meets both in public and private sessions throughout the year, with the public sessions being recorded and made available on our website following each meeting. Our public sessions are live streamed as well as being recorded.
Board and committee membership and attendance up to 31 March 2024
Ian Dilks OBE
- Role: Non-executive director
- Position: Chair and Chair of the Regulatory Governance Committee
- Term of appointment: 1 April 2022 to 31 March 2025
- Board attendance: 7/7
- Regulatory Governance Committee attendance: 3/3
- Board sub-committee on transformation attendance: 1/1
Ian Trenholm
- Role: Executive director
- Position: Chief Executive
- Term of appointment: 30 July 2018
- Board attendance: 6/7
Dr Sean O’Kelly
- Role: Executive director
- Position: Chief Inspector of Health Care
- Term of appointment: 20 June 2022
- Board attendance: 3/7
Belinda Black
- Role: Non-executive director
- Term of appointment: 1 May 2021 to 30 April 2027
- Board attendance: 5/7
- Regulatory Governance Committee attendance: 3/4
- Remuneration Committee attendance: 3/3
Mark Chambers
- Role: Non-executive director
- Position: Chair of Regulatory Governance Committee
- Term of appointment: 4 January 2021 to 3 January 2027
- Board attendance: 7/7
- Audit and Risk Assurance Committee attendance: 4/4
- Regulatory Governance Committee attendance: 4/4
- Remuneration Committee attendance: 2/3
Jora Gill (note 2)
- Role: Associate non-executive director (note 4)
- Term of appointment: 1 November 2016 to 31 May 2023
- Board attendance: 2/2
- Audit and Risk Assurance Committee attendance: 0/0
- Remuneration Committee attendance: 1/1
Dr Ali Hasan (note 3)
- Role: Non-executive director
- Term of appointment: 4 January 2021 to 3 May 2026
- Board attendance: 7/7
- Audit and Risk Assurance Committee attendance: 4/4
- Remuneration Committee attendance: 1/3
- Board sub-committee on transformation attendance: 1/1
Stephen Marston
- Role: Non-executive director
- Term of appointment: 4 January 2021 to January 2027
- Board attendance: 7/7
- Regulatory Governance Committee attendance: 4/4
- Remuneration Committee attendance: 2/3
Kate Terroni
- Role: Executive director
- Position: Interim Deputy Chief Executive
- Term of appointment: 1 May 2019
- Board attendance: 7/7
Jeremy Boss
- Role: Independent member of the Audit and Risk Assurance Committee
- Position: Independent member and Interim Chair of the Audit and Risk Assurance Committee (note 5)
- Term of appointment: 1 January 2020 to 31 December 2025
- Audit and Risk Assurance Committee attendance: 4/4
- Board sub-committee on transformation attendance: 1/1
David Corner
- Role: Independent member of the Audit and Risk Assurance Committee
- Term of appointment: 1 January 2020 to 31 December 2024
- Audit and Risk Assurance Committee attendance: 4/4
Christine Asbury
- Role: Non-executive director
- Term of appointment: 1 June 2023 to 31 May 2026
- Board attendance: 5/5
- Regulatory Governance Committee attendance: 2/2
- Remuneration Committee attendance: 2/2
David Croisdale-Appleby
- Role: Non-executive director
- Term of appointment: 1 June 2023 to 31 May 2026
- Board attendance: 5/5
- Remuneration Committee attendance: 2/2
Charmion Pears
- Role: Non-executive director
- Position: Chair of the Audit and Risk Assurance Committee
- Term of appointment: 1 February 2024 to 31 January 2027
- Board attendance: 2/2
- Audit and Risk Assurance Committee attendance: 1/1
- Remuneration Committee attendance: 1/1
James Bullion
- Role: Executive director
- Position: Chief Inspector of Adult Social Care and Integrated Care
- Term of appointment: February 2024
- Board attendance: 2/2
Mark Chakravarty
- Role: Non-executive director
- Term of appointment: 1 June 2023 to 31 May 2026
- Board attendance: 4/5
- Audit and Risk Assurance Committee attendance: 1/1 (observing)
- Remuneration Committee attendance: 1/2
Mark Sutton
- Role: Executive director
- Position: Chief Digital and Data Officer
- Term of appointment: February 2024
- Board attendance: 2/2
Tyson Hepple
- Role: Executive director
- Position: Executive Director of Operations
- Term of appointment: February 2024
- Board attendance: 2/2
Notes:
The first figure shows the number of meetings attended and the second figure shows the number of meetings held within the period under review that the individual was invited to. For example, Mark Chambers attended all 7 Board meetings out of the 7 Board meetings held during the review period (represented as 7/7).
2 Jora Gill was an associate non-executive director from 1 November 2016 to 31 May 2023.
3 Dr Ali Hasan was an associate non-executive director from 4 January 2021 to 31 May 2023, then a non-executive director from 1 June 2023.
4 The role of associate non-executive director is an appointment to the Board similar to a non-executive director. Although an associate non-executive director attends Board meetings and contributes fully to the issues being considered, they are not able to vote on any matters should this be required.
5 Jeremy Boss was the Chair of the ARAC on an interim basis until Charmion Pears was appointed as a non-executive director, and became ARAC Chair from March 2024.
Personal data related incidents
As detailed in the Performance analysis section, 4 incidents were reported to the Information Commissioner’s Office during the financial year, with minor recommendations received.
Two incidents were due to human error, and 2 were IT system related. The required root cause analysis was completed and remediations and mitigations put in place to limit our exposure to recurring incidents. Updated learning and technical fixes have been implemented, and we continue to promote the importance and awareness of data security within CQC.
Statement of accounting officer’s responsibilities
Under the Health and Social Care Act 2008, the Secretary of State for Health and Social Care has directed CQC to prepare for each financial year a statement of accounts in the form and on the basis set out in the Accounts Direction. The accounts are prepared on an accruals basis, and must give:
- a true and fair view of the state of affairs of CQC and its income and expenditure
- a Statement of Financial Position
- cash flows for the financial year.
In preparing the accounts, the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual (FReM) and in particular to:
- observe the Accounts Direction issued by the Secretary of State for Health and Social Care, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis
- make judgements and estimates on a reasonable basis
- state whether applicable accounting standards as set out in the FReM have been followed, and disclose and explain any material departures in the financial statements
- prepare the financial statements on a going concern basis
- confirm that the Annual report and accounts as a whole is fair, balanced and understandable and take personal responsibility for the Annual report and accounts and the judgements required for determining that it is fair, balanced, and understandable.
The Secretary of State for Health and Social Care has appointed the Chief Executive as the Accounting Officer of CQC. The responsibilities of an Accounting Officer include responsibility for:
- the propriety and regularity of public finances for which they are answerable
- keeping proper records
- safeguarding CQC’s assets, which are set out in Managing Public Money, published by HM Treasury.
As Accounting Officer, I have taken all the steps that I ought to have taken to make myself aware of any relevant audit information and to establish that CQC’s auditors are aware of that information. So far as I am aware, there is no relevant audit information of which the auditors are unaware.
Governance statement
The Accounting Officer for CQC is required to provide assurances about the stewardship of the organisation, as provided in this governance statement, in line with HM Treasury guidance.
The Accounting Officer for CQC as at the time of publication is Sir Julian Hartley, CQC Chief Executive.
As an arm's-length body (ALB), we aim to have a good working relationship with our sponsor department, the Department of Health and Social Care, where our responsibilities and accountabilities are clear and delivered through appropriate governance arrangements in line with the principles of HM Treasury's Corporate governance in central government departments: Code of good practice, where it applies to CQC. We have a framework document with the department, which sets out our:
- purpose
- governance
- accountability
- management
- financial responsibilities
- reporting procedures.
Care Quality Commission’s governance framework and structures
Our corporate governance framework describes the governance arrangements of the organisation and how they help ensure that our leadership, direction, and internal control enable long-term success. This is in the About us section of our website, and is shown in Figure 4.
Figure 4: CQC’s governance structure
The diagram shows the line of accountability (in descending order):
- from Parliament to the Department of Health and Social Care
- from the Department of Health and Social Care to the CQC Board
- from the CQC Board to the executive team
- from the Executive Team to CQC directorates
Below that are listed CQC directorates Corporate Services, Operations Group, Regulatory Leadership, Technology Data and Insight, and Engagement, Policy and Strategy.
There is an arrow drawn from CQC Board to:
- statutory committees of CQC: the National Health, Safety and Well-being Committee, the External Strategic Advisory Group and Healthwatch England
- non-statutory committees of the CQC Board: Audit and Risk Assurance Committee, Remuneration Committee, Regulatory Governance Committee and Emergency Management Sub-committee
There is an arrow from the executive team to a list of committees of the executive team:
- Strategic Oversight and Prioritisation Committee
- Investment Committee
- People and Culture Committee
- Regulatory Model Governance Committee
- Performance and Risk Committee
We have a Framework Document with DHSC, which sets out our purpose, governance and accountability, management and financial responsibilities and reporting procedures.
Purpose and leadership of the Care Quality Commission’s Board
The Board has key roles that are set out in legislation and in our framework agreement with the Department of Health and Social Care. These are reflected in our corporate governance framework and other related governance documents. There have been no significant departures from the processes set out in these documents during the year.
The Board carries out a range of business in line with its main responsibilities, which are to:
- provide strategic leadership to CQC and approve the organisation’s strategic direction
- set and address the culture, values, and behaviours of the organisation
- assess how CQC is performing against its stated objectives and public commitments
- be accountable for internal control, ensuring that a sound risk management system that supports the achievement of CQC policies, aims, and objectives, is maintained
- ensure that public money is safeguarded and used economically, efficiently, and effectively in accordance with HM Treasury’s Managing Public Money.
In relation to performance, at each meeting, the Board:
- receives information setting out our current performance, including the latest risk register and financial position
- reviews details of activity to address where performance is under business plan targets.
The Board also provides strategic oversight of the transformation programme and receives regular reports on regulatory insights, organisational matters, and issues such as risks related to information and cyber security. Further information on data security is included in the section on security. Papers and data which are received by the Board to support decision making are generally of a good standard, but we continue to keep this under review.
The Board is committed to following high standards of governance. It has done this by providing oversight and challenge on key issues. The Board seeks assurance that there are systems, processes, and accountabilities for identifying and managing risks, and to enable CQC’s continued regulatory oversight across health and social care. It does this through the scrutiny of the Audit and Risk Assurance Committee, the Regulatory Governance Committee and in Board meetings.
CQC’s Board also reviews and approves Standing Orders, Standing Financial Instruction, Scheme of Delegation, and corporate policies periodically to ensure effective governance and appropriate decision-making within CQC.
The Board receives a quarterly corporate risk register, and our Executive team has a monthly risk discussion. Further scrutiny of risk controls and mitigating actions is undertaken as part of the risk discussion at Audit and Risk Assurance Committee.
An internal Board evaluation was conducted in April 2023, based around an online survey of Board members and attendees. This sought views on a range of issues such as how well the Board worked together as a group, its strategic oversight and its management of performance and risk. The results were analysed and discussed by Board in May 2023 and it approved an action plan in July 2023. This included making improvements in a number of areas such as:
- non-executive director training and development
- allocating members’ time for strategic development
- performance, risk management, and assurance reporting received by the Board.
An external board effectiveness review is conducted every 3 years with the latest taking place in July 2024.
Board committees
Audit, Risk and Assurance Committee
This committee met 4 times in 2023/24 to consider matters relating to:
- financial reporting
- risk management and internal controls
- whistleblowing
- internal and external audit.
Committee members and independent members attended committee meetings, as well as the National Audit Office (NAO), CQC’s internal auditors and a representative from the Department of Health and Social Care.
The committee’s main business included:
- risk tolerance, risk management, and management assurance of internal controls
- emerging risks in our regulatory governance approach
- emerging risks in relation to the transformation risk, assurance and resourcing
- internal and external audit reports and action plans
- information security and cyber resilience
- reports from Healthwatch England and the National Guardian’s Office (NGO)
- the Senior Information Risk Owner Annual Report
- change of CQC’s internal auditor
- counter fraud.
Remuneration Committee
This committee met 5 times in the year to consider matters in relation to executive remuneration, pay and reward policy, succession planning and senior talent management.
Its main business during the year included management of change, redundancy payments, voluntary exit scheme, Executive Senior Managers (ESM) recruitment and pay awards, executive grade talent review, and ET contractual changes.
Regulatory Governance Committee
The committee met 4 times in the year to consider matters relating to our regulatory approach and effectiveness. Its main business included progress on improvements to the design of CQC’s regulatory model and operational KPIs that provide evidence of the effectiveness of, and our delivery against, our design, which includes information of concern and age of ratings. The Committee also considered deep-dive topics on silent services, registration, complaints, and whistleblowing.
Internal control and corporate risk framework
Internal control
A significant element of our governance framework is the system of internal control, designed to manage risk to an acceptable and reasonable level. It cannot eliminate all risk of failure to achieve policies, aims and objectives, so it cannot provide absolute assurance, but it provides reasonable assurance of effectiveness.
CQC’s system of internal control is based on an ongoing process designed to:
- identify and prioritise risks to achieving policies, aims and objectives
- evaluate the likelihood of risks being realised, the impact if they are realised, and to manage them within our risk appetite.
We consider the effective management of risks to the delivery of our purpose (corporate risk) as critical to our assurance and governance.
This process was in place for the financial year and up to the date of publication of the Annual report and accounts.
Our corporate risk framework
Our corporate risk framework identifies risks to the delivery of our purpose, strategy and business plan and how we manage them. We use the 3 lines of defence model in managing, monitoring and independently assuring risk. Our risk framework and supporting guidance define how corporate risk is managed between the Board, the Executive team and directorates, as illustrated in Figure 5.
Figure 5: Risk framework
The diagram shows:
1st line of defence
All staff:
- can recognise, assess and manage risks in their business area
- identify cross-CQC risks
- know how to escalate risks outside their control
All managers:
- should support a positive risk culture in their teams by:
  - discussing risks with their people
  - ensuring people understand risk principles, and how to escalate risks
- take responsibility for risks escalated to them – and feed back to staff who raise them
- understand which risks they are managing, where the risks are recorded and how they are monitored
Directors:
- identify and manage their directorate risks through risk registers.
- regularly monitor risk actions and escalate risks appropriately.
- understand their responsibilities in managing risks in the corporate risk register.
2nd line of defence
Senior leadership:
- ET* monitors the highest-level risks, escalating these to DHSC where appropriate
(*Advised by a senior managers risk group known as the SLT30 risk group)
3rd line of defence
Audit:
- review risk framework and provide independent challenge and assurance
Governance
The Board; The Audit and Corporate Governance Committee; The Regulatory Governance Committee
CQC maintains a corporate risk register, which is reviewed and monitored regularly, with risk discussions occurring at various levels across CQC from Board level to Directorate level, to ensure appropriate escalation and mitigation of risks. The Audit Risk and Assurance Committee plays a vital role in its oversight, and the Department of Health and Social Care also reviews the risk register as part of quarterly budget and assurance meetings and quarterly accountability meetings.
The Board and the Audit Committee will use the corporate risk register to help design the annual programme of internal audit, or to consider any other internal reviews or external consultants to provide assurance that the risk is being managed effectively, and to identify any remedial actions that could be required.
Our framework is compliant with the UK government’s The Orange Book – Management of Risk – Principles and Concepts.
Risks managed in 2023/24
During 2023/24, we further developed our risk management approach, implementing 6 new risk categories and a category-level risk appetite for each, as approved by our Board. These categories, together with our risk appetite tolerances, are detailed in our performance report.
We also invested in and introduced a software package to support our risk management, and increased resources and skill capability throughout 2023/24 to further support our risk management process going forward.
The following areas describe our most significant focus during the year: risks that have been operating outside our appetite tolerance. In all instances, we have monitored and worked to build assurance and effective mitigation. This continues in 2024/25.
Strategy risks
The main risks in this category were delivering our transformation programme and obtaining the right data from external stakeholders. During the year, we went live with the new system and framework and monitored risks regarding transitioning to our new ways of working safely and effectively. This included the introduction of Strategy Risk S9: ‘We do not transition to our new ways of working safely and effectively’, which was considered outside tolerance. To mitigate data risks, we introduced solutions to ensure key patient level datasets were available in our work alongside active projects to deliver remaining outstanding sources of data.
Operational risks
The main risks were our productivity, ability to assess the quality of care or risk, and our IT disaster recovery arrangements. This included Operational Risk O2: ‘We do not make an accurate and timely assessment on the quality of care or risk for people using services’, which was considered out of tolerance. During the year, we worked with our vendor to improve back-up frequency success rates to mitigate the IT recovery risk. Mitigations for improving productivity and assessing care concentrated on our transformation programme.
Reputational risks
Risks within this category focused on the appropriateness of current legislation to cope with innovation and maintaining ongoing dialogue with the Department of Health and Social Care about the scope of regulation, informed by horizon scanning for innovative care development. Towards the end of 2023/24 a new risk related to transitioning to our new ways of working highlighted potential reputational impacts and this was later reflected in a new reputational risk early in 2024/25.
People risks
The main risks in this category were around attracting and retaining our workforce and engaging colleagues in our culture change and ways of working. We faced difficulty in recruiting and retaining staff in some specific areas. However, organisationally this risk is mitigated through our employee offering. Risk P3: ‘Our colleagues are insufficiently engaged in our culture change and ways of working’ is outside tolerance. A plan to develop a CQC culture change programme was agreed in the year, along with engagement for our new ways of working through the transformation programme.
Security risks
This category included cyber security and unauthorised access to, or misuse of, our information. Our Information Security Management System was managed in alignment with the ISO 27001 standard, along with policies, awareness and training, and we regularly carried out audit and testing. We continued to deliver positive outcomes across a number of areas in relation to information risk, with specific improvements in cyber resilience and information security. Our Cyber Security and Resilience programme continues to deliver positive outcomes in line with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).
Financial risks
The main risk within this category centred around receiving appropriate funding to deliver our commitments. We kept in close contact with colleagues in the Department of Health and Social Care throughout the financial year. This was to make sure we were not operating at risk for any aspects of our work, while ensuring Finance resource was directed appropriately to understand the financial impact and risks associated with our commitments. This enabled us to take appropriate action to ensure we could deliver within our funding envelope.
Other use of management controls
Security
Building on our work in previous years, we saw improvements in cyber resilience and information security during the year.
We are continuing to operate in an evolving external and geopolitical landscape. The sectors we regulate and our supply chain continue to face an ‘enduring and significant’ threat, with high profile attacks significantly affecting NHS trusts and reducing their ability to provide services.
Our Cyber Security and Resilience programme continues to deliver positive outcomes in line with the NCSC’s CAF. Notably, we have:
- made improvements to our security monitoring capabilities
- delivered our new cyber education and awareness platform ‘CybSafe’
- achieved a ‘Standard Met’ status on our Data Security and Protection Toolkit submission
- undertaken business continuity and IT disaster recovery rehearsals and tests.
The number of cyber security incidents reported increased during 2023/24 (see Performance analysis for further details). This was due to an evolving cyber threat landscape and increased monitoring of logs from new systems, but also as a result of security awareness campaigns on collective responsibility and championing staff to report suspected or confirmed information security incidents.
Counter fraud
In September 2023, CQC employed a full-time counter fraud manager with the main purpose of achieving and maintaining compliance with the Government Functional Standard in Counter Fraud. This includes:
- Understanding and reducing the impact of fraud risk and threats to CQC, through an effective counter fraud risk management model to establish and improve controls.
- Embedding a strong culture and awareness of counter fraud, bribery and corruption at all levels of CQC, to align with our organisational values.
- Building our proactive counter fraud capability to enable the prevention, detection and investigation of fraud, bribery, and corruption.
- Having staff, systems, and processes in place to respond when we know fraud, bribery and corruption have occurred.
- Working together with our internal and external partners to continually improve and increase the collaboration and co-ordination of the counter fraud responses across CQC.
As our counter fraud function matures, we expect to see an increase in the cases reported to us. In 2023/24 we received 8 allegations of fraud, bribery, or corruption. Of these, 6 cases were investigated and closed during the year. The 2 cases which were active at 31 March 2024 have subsequently been closed.
Whistleblowing and Freedom to Speak Up
During 2023/24, CQC continued to embed a Freedom to Speak Up (FTSU) approach across the organisation, including an FTSU policy that follows guidance from NHS England and the National Guardian’s Office, and national best practice in relation to speaking up arrangements for organisations.
CQC has 3 FTSU Guardians supported by a team of 20 Ambassadors, who are pivotal in signposting and supporting colleagues.
During 2023/24 FTSU Guardians received 83 contacts. All but 3 were from colleagues within the Operations Directorate. The contacts received can be broken into 2 main themes. The first centres on culture and behaviour, including a range of behaviours from poor line management, lack of visibility of managers, poor communication, staff feeling bullied, closed cultures, and lack of action to address performance and behaviour, to feelings of exclusion.
The second theme links to our processes, which are all due to the new ways of working.
These findings are essential to the need for us to change and improve as an organisation.
Government Functional Standards
Government Functional Standards set expectations for the management of functional work to promote consistent and coherent working within government organisations. They provide a stable basis for assurance, risk management and capability improvement and can support organisations to achieve their objectives more effectively and efficiently.
Although their use is still in its infancy in CQC, the standards will play a greater part in our management assurance approach in future financial years. We aim to strengthen our position across standards and set our ambitions for improvement.
Head of Internal Audit Opinion
The following report is the Head of Internal Audit Opinion from our internal auditors for the period in question, PwC. Since the end of the 2023/24 financial year our internal audit provision has changed. The Government Internal Audit Agency (GIAA) was appointed as CQC’s internal auditor from April 2024.
Reasonable or moderate assurance
Governance, risk management and control in relation to business-critical areas is generally satisfactory. However, there are some areas of weakness and/or non-compliance in the framework of governance, risk management and control, that potentially put the achievement of objectives at risk. Some improvements are needed in those areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control.
We are satisfied that sufficient internal audit work has been undertaken to allow an opinion to be given about the adequacy and effectiveness of governance, risk management and control. In giving this opinion, it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the system of internal control.
Basis of opinion
Our opinion is based on:
- all audits undertaken during the year
- any follow-up action taken in respect of audits from previous periods
- any significant recommendations not accepted by managers, and the resulting risks
- the effects of any significant changes in the organisation’s objectives or systems
- any limitations that may have been placed on the scope or resources of internal audit
- the proportion of the organisation’s audit needs that have been covered to date.
Purpose of the annual opinion
The Public Sector Internal Audit Standards require the Head of Internal Audit to provide an annual opinion, based on and limited to the work performed, on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control (the organisation’s system of internal control). This is achieved through a risk-based plan of work, agreed with managers, and approved by the Audit and Risk Assurance Committee, that should provide a reasonable level of assurance, subject to the inherent limitations. The opinion does not imply that Internal Audit has reviewed all risks relating to the organisation.
Conformance with the code of ethics and internal audit standards
We have a firm-wide internal audit methodology that is aligned to the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This is designed to standardise the approach to conducting internal audit engagements.
All our work is documented in our dedicated internal audit software, which sets out the procedures needed to achieve compliance with the standards. The inbuilt workflow functionality ensures that work is adequately documented and reviewed before results are shared. This is further supported by relevant training, supervision and review of the work performed by those with adequate experience and skill in the relevant areas. We also review a random selection of engagements to ensure they comply with the firm’s requirements and have appropriately followed the internal audit methodology.
We can confirm that our work has been performed in accordance with this methodology.
Scope of the report
This report outlines the internal audit work we have carried out for the year ended 31 March 2024.
We would like to take this opportunity to thank CQC’s staff for their co-operation and assistance provided during the year.
Governance, risk management and internal control
Our programme of work included a focus on key business and regulatory controls, as well as key transformation programmes, in addition to governance, risk management and other elements of internal control.
As at 19 June 2024, we have completed the fieldwork and issued final reports for all internal audit reviews planned to be delivered in the period (10 reports).
From this, we have identified the following risk findings:
- 3 high risk
- 19 medium risk
- 11 low risk
- 7 advisory rated.
Throughout the year we have performed continuous verification of follow-up actions closed by managers. In the period, we have validated a total of 134 actions consisting of 25 high, 100 medium and 9 low risk actions. No critical risk findings were reported.
The following are the internal audit reports completed in 2023/24.
Confidentiality and access management
Diligent (board portal software) usage and access management: management of Diligent should be moved to a centralised team with established policies for administering access. It is suggested that SharePoint should be used for certain committees to reduce licensing costs, while reserving Diligent for key executive-level boards.
Transformation ‘deep dive’ (finance)
Programme governance and go-live: the audit highlighted the need for further consideration of the programme governance approach to better address process and change management challenges. Further consideration of internal contingency planning was also needed.
Service readiness and system integrations: several outstanding areas were identified that could potentially affect the programme's readiness and stakeholders' confidence in the solution, particularly in receivable invoicing and payroll. Contingency planning between User Acceptance Testing 1 and User Acceptance Testing 2 was needed to address potential defects. Dependencies that directly affect reporting capabilities and overall service readiness were outstanding at the time of the audit, including the finalisation and testing of priority reports at the start of the programme.
Market Oversight
The team promotes a strong culture of open dialogue and critical thinking, leading to better decision-making and innovation. The team is well-resourced with skilled staff and collaborates with the Corporate Provider Team to share metrics and understand the quality of providers’ services. This approach enables comprehensive risk assessments beyond just financial considerations.
Recruitment
We are committed to increasing the use of Independent Panel Members (IPMs) to enable us to improve the range of talent we appoint. Throughout 2024, the People Directorate has actively promoted the initiative, leveraging Equality Networks to drive awareness and recruit more IPMs, ensuring a robust foundation for inclusive and impactful decision-making.
Stakeholder engagement
The new operating model in the Engagement Directorate aims to reduce overlap and silos, align campaigns with strategy, and promote continuous improvement. The Engagement Insight team will ensure consistency through post-evaluation exercises and defined evaluation criteria.
Technology
The organisation is implementing Microsoft Purview to manage confidential information and has established a process to remove inactive Active Directory (AD) and Azure AD (AAD) accounts. This includes monitoring of key metrics by the senior leadership team.
In the period from the end of the 2023/24 financial year to the certification of our Annual report and accounts, the GIAA has completed 12 reviews, which have seen 4 limited outcomes and 1 unsatisfactory outcome. Reports and associated recommendations have been reviewed in detail across the organisation as overseen by our Audit, Risk and Assurance Committee. The committee is assured that managerial action plans and responses agreed by director leads are in place to address recommendations.
Significant control challenges
Valuation of Local Government Pension Scheme assets
The largest single elements within CQC’s Statement of Financial Position are the assets and liabilities of its share in Local Government Pension Schemes (LGPS), as shown in Note 5. We rely on work done by the auditors of the individual schemes to gain assurance of the valuation of these, and the inherent ongoing challenges to the timeliness of the audit of these schemes have led to delays in the certification of our annual report and accounts since 2019/20.
The introduction of the Accounts and Audit (Amendment) Regulations 2024 has meant that assurance could not be gained over the valuation of assets relating to CQC’s membership of Teesside Pension Fund, as the auditor of Middlesbrough Council and its subsidiaries (including the pension fund) did not meet the statutory backstop date of 28 February 2025 for completing the audit and issued a disclaimed opinion on the financial statements for the year ended 31 March 2024. This led to a qualification on the audit opinion relating to our share of the Teesside Pension Fund assets due to insufficient evidence being available.
The auditor of Middlesbrough Council is intending to complete the outstanding audit work relating to the asset balances at 31 March 2024 as part of its 2024/25 statutory audit.
Valuation of intangible assets
In response to the review by Dr Penny Dash into the operational effectiveness of CQC and the independent review by Professor Sir Mike Richards of the single assessment framework, CQC commissioned a further independent review. Peter Gill, an independent IT expert, looked at the technology underpinning our new regulatory approach after both reviews referenced operational issues following the introduction of the new regulatory platform. The resulting report was presented and accepted by Board in February 2025 before being published in March 2025.
The technology report highlighted significant issues with the functionality, design and usability of the regulatory platform, of which the provider portal is one of the main modules. These have resulted in significant operational issues for both CQC staff and registered providers.
We started an impairment review outside of our normal review cycle to ensure that the carrying value of the asset is appropriate. However, the valuation of bespoke intangible assets is complex and, as a significant judgement, takes time to assess. We are unable to provide assurance around the carrying value of the asset or the impairment charge included in the Financial Statements. This led to a qualification on the audit opinion relating to the valuation of the regulatory platform intangible asset. The outstanding impairment review work will be completed as part of our preparation of the 2024/25 Financial Statements and will cover the valuation of the asset at both 31 March 2023 and 31 March 2024 so that the qualification is limited to the current year.
Due to the ongoing delays relating to the valuation of our LGPS assets and the timing of events affecting our intangible asset valuation, we have decided to proceed with publication without this review being completed.
Governance arrangements for approval of Annual report and accounts
There have been significant changes in the membership of CQC’s Board in the period since March 2024, as reported earlier in this Governance Statement. As a result, all Board members in post during 2023/24 left CQC ahead of this Annual report and accounts being approved.
We have implemented temporary governance to enable certification due to these extraordinary circumstances, which would only apply to the Annual report and accounts 2023/24. Assurance was provided by the Director of Finance, who was in post during the reporting period, that all ARAC feedback had been addressed and audit work had been completed to the Chair’s satisfaction. The Chair, on behalf of Board, obtained the necessary assurances before recommending final approval to the accounting officer.
Accounting officer’s review and conclusion
Accounting officer’s assurance
I became CQC’s Accounting Officer after the reporting period of the 2023/24 Annual report and accounts. As such I have had to obtain the necessary and appropriate assurances to form my accounting officer opinion from a number of sources:
- Our internal auditor’s work has looked at reviews into aspects of our transformation programme as well as aspects of our corporate approach, which has highlighted some areas of good practice as well as identifying areas in which we must improve going forward.
- In addition to assurances sought through the CQC corporate governance framework detailed in this Corporate governance report, I have been presented with an accounting officer handover letter from my predecessor as to their opinion on the internal control environment within the 2023/24 financial year.
- I obtain a regular risk update as part of the CQC Executive Committee and weekly performance exception reports.
- In areas where I have not been able to obtain the required level of assurance, I have commissioned external, independent reviews and reports to do so:
  - The review of the effectiveness of CQC led by Dr Penny Dash produced an interim report in July 2024, and the final report in October 2024 is being incorporated into our future strategic direction.
  - A review of CQC’s single assessment framework and its implementation was undertaken by Professor Sir Mike Richards, which will inform the redesign of the new assessment framework.
Conclusion
The Head of Internal Audit has provided an annual opinion providing reasonable/moderate assurance that there are adequate and effective systems of governance, risk management and control. We note that improvements are suggested in some areas to enhance the adequacy and/or effectiveness of the framework of governance, risk management and control, and these will be implemented.
I agree with the Head of Internal Audit’s conclusion.
CQC has complied with HM Treasury's Corporate governance in central government departments: code of good practice to the extent that it applies to a non-departmental public body.
I conclude that CQC's governance and assurance processes have supported me in discharging my role as Accounting Officer. I am not aware of any significant internal control problems in 2023/24 other than those detailed above. Work will continue to maintain and strengthen the assurance and overall internal control environment in CQC.