Corporate report

UKHSA Advisory Board: Audit and Risk Committee minutes

Updated 16 September 2024

Date: 17 September 2024

Sponsor: Cindy Rampersaud

1. Recommendation

The Advisory Board is asked to note the minutes of 4 June 2024 meeting of the Audit and Risk Committee. The minutes were agreed on 10 September 2024.

2. Minutes (confirmed), Audit and Risk Committee, 4 June 2024

Present at the meeting were:

• Cindy Rampersaud – Non-Executive Member of UKHSA Advisory Board (Chair)
• Sir Gordon Messenger – Non-Executive Member of UKHSA Advisory Board
• Jon Friedland – Non-Executive Member of UKHSA Advisory Board
• Simon Blagden – Associate Non-Executive Member of UKHSA Advisory Board

In attendance were:

• Andy Brittain – Director General Finance, Department of Health and Social Care (DHSC)
• Sarah Collins – Commercial Director
• Dame Jenny Harries – Chief Executive
• Donald Shepherd – Director of Finance

• Alex Sienkiewicz – Director of Corporate Services

• 21 attendees from UKHSA, DHSC, the National Audit Office, Government Internal Audit Agency and PwC had their name and title redacted

3. Introduction and apologies

24/078 The Chair welcomed all attendees to the meeting.

24/079 No declarations of interest were given in respect to the Audit and Risk Committee agenda.

4. Minutes of the previous meeting

24/080 The minutes from the last meeting on 5 March 2024 (enclosure ARC/24/020) were agreed.

5. Matters arising

24/081 The action list (enclosure ARC/24/021) was noted.

24/082 The committee challenged itself to set more actions, assigning clear accountability in each case. The Secretary was asked to review best practice and take steps to support this. (Action: Secretary)

6. Finance update

24/083 The Director of Finance introduced the finance update.

6.1 Latest financial position – month 12 (enclosure ARC/24/022)

24/084 The following updates were provided in respect to the financial position:

• UKHSA concluded 2023 to 2024 with an underspend of c£6 million, which was in line with expectations and with no breach of control totals
• unspent funding at the end of the financial year would need to be handed back to HM Treasury in line with usual funding practices
• the projected underspend at period 6 had reduced by the end of the year partly due to accelerated spending and partly because some expenditure had been delayed from earlier in the year – in the case of capital expenditure this had been affected by International Financial Reporting Standards IFRS16 adjustments
• there had been a decrease in spending on COVID-19, which reflected demand with ramped-down activity
• the accounting for the COVID Vaccine Unit needed adjustment following a decision to revert to using forecasts instead of actuals – it was expected that this would reach a deficit position but not in breach of overall control totals and this would be cost-neutral for the DHSC group; the revised numbers would come back to the Audit and Risk Committee (Action: Donald Shepherd)
• for 2024 to 2025 the budget, delegations and business plans had been agreed and the run-rate was currently on track; it had been challenging to transition from having a separate COVID-19 budget – the annual business planning process began in the autumn and aimed to conclude by February, and planning for 2024 to 2025 had slipped to March but was now on track (steps were being taken to align to the spending review)

24/085 The committee recognised that that financial picture was complicated by the disclaimed audit opinion in 2022 to 2023 but was expected to become simpler as the organisation moved past this. Discussion followed on what further financial information, including setting out the different budgets and funding arrangements UKHSA was subject to, would help the committee with its understanding and scrutiny of financials. The committee agreed to schedule a deep dive on financials at a future meeting during which further reports could be commissioned. (Action: Donald Shepherd)

6.2 Update on 2023 to 2024 Annual Report and Accounts (enclosure ARC/24/023)

24/086 It was reported that the plan to deliver the accounts according to the extended timetable was on track, covering as it did the continued audit of the 2023 to 2024 opening balances (2022 to 2023 closing balances) and audit of the 2023 to 2024 closing balances.

24/087 Discussion followed on the cut-off date for the 2023 to 2024 accounts. The accounts would not be signed ahead of the autumn COVID-19 vaccination campaign, and would therefore cover that period of expenditure, so it had been deemed best to wait until there could be confidence that the accounts were materially correct rather than rely on a forecast. There was a risk that any further complications at that point could push the signing into 2025. The committee agreed that it was reasonable to wait for this cut-off date but asked that any issues that arose be escalated promptly. In future years it was expected that the accounts would be signed ahead of the autumn campaign. (Action: Name redacted)

24/088 A draft report and accounts would be available in July for the committee to review as scheduled.  A further update on progress would also be presented with the draft accounts. There was a possibility that adjustments would need to be made after the draft had been reviewed by the committee in July.

24/089 Dame Jenny Harries joined the meeting.

24/090 A detailed update on audit of the COVID Vaccine Unit (CVU) was provided (enclosure ARC/24/024). There was way forward agreed with the NAO and PWC on how the closing and opening balances for the CVU would be audited. The methodology for 2022 to 2023 would be forecasting and the accounts would be reviewed and restated. The commitment to only using forecasts only applied to 2022 to 2023; a decision would be taken in the normal way on what was appropriate for 2023 to 2024. Preparation was underway to minimise the risk posed by any adjusting events that might arise. Audit of the CVU had started and UKHSA had provided all the documents required to date.

24/091 PwC attended the meeting to provide an update on their work on the audit of the CVU, assuring the committee that this work was on track and at the time of reporting there were no concerns to raise.

24/092 The committee was interested in the extent to which UKHSA had influence to maximise the efficient use of vaccine stock. The committee heard that this sat with NHS England and that, while NHS England were aware of the scrutiny the CVU was under, these decisions were made from a public health perspective. Changes had been made that would give a better flow of information between the CVU and finance team, for example helping to anticipate and accommodate changes in vaccine uptake.  It was confirmed that there were regular meetings internally with both colleagues from CVU and the finance team to monitor progress and that discussions had also taken place with NHS England.

6.3 Progress against Finance and Control Improvement Plan

24/093 An update was provided  on progress against the plan (enclosure ARC/24/025).

24/094 The Audit and Risk Committee noted the following:

• following the departure of the Chief Financial Officer at the end of May 2024, the Director of Finance had been appointed Senior Responsible Owner for delivery of the plan
• the programme team had worked with the central portfolio management office to complete the reporting dashboard for the programme
• all GIAA recommendations on the programme had been implemented
• changes in the programme’s risk register which overall indicated an increased level of risk

24/095 The committee asked whether the delivery timeline was overly ambitious and heard that the programme aimed to deliver a minimum by April and that further continuous improvement would be needed from that point. (Action: Donald Shepherd / Name redated)

24/096 The committee also stressed the importance of the programme being broader than financial control and asked whether limited financial awareness within the wider organisation had been captured and managed as a risk. Several steps had been taken to address this, including training and engagement, closer oversight of budget-holders by the Chief Executive, and increased escalation and reporting channels for the finance team.

24/097 The committee asked to see a set of key performance indicators in future updates to track progress against the Finance and Control Improvement Plan.

7. Anti-fraud update (including Strategy and Enterprise Fraud Risk Assessment)

24/098 The [Title redacted] reported on the team’s work in 2023 to 2024 and the workplan for 2024 to 2025 (enclosure ARC/24/026).

24/099 The committee noted the report, which covered the following key points:

• the team had been in place for one full year and was still recruiting to reach its full complement
• [Information redacted in accordance with the Freedom of Information Act 2000]
• the team had established good relations across the business and with DHSC
• in 2024 to 2025 the team would focus on getting the basics right, including proactive detection, accurate reporting, policy creation and recovering money

24/100 Discussion followed on whether the amount of fraud detected was disproportionately high. The committee was assured that while the team was looking to bring the level down it was considerably lower than historic numbers.

24/101 The committee asked for a further paper covering:

• a more detailed breakdown of the types of fraud taking place, delineating what was considered deliberate, negligent or in error
• clarity on what was meant by prevention as opposed to fraud that had taken place
• how the team aligned with the Finance and Control Improvement Programme on controls, training and other root causes and mitigations
• the approach to escalating instances of fraud internally or externally, including alignment to the whistleblowing policy

(Action: Donald Shepherd / Name redacted)

24/102 The committee noted the plan of counter fraud work set out in the Action Plan for 2024 to 2025.

8. National Audit Office (NAO) update

24/103 The Director of Engagement, National Audit Office provided the latest update covering the NAO Audit Planning Report 2023 to 2024 and audit progress, which was on track (enclosure ARC/24/027).

24/104 The Audit and Risk Committee noted the update and, regarding points of enquiry set out on page two of the audit planning report, confirmed it had nothing further to report to the NAO.

24/105 The committee was interested in how well the NAO felt that UKHSA was addressing the risks and recommendations raised the previous year. While it was early to say, processes seemed to be improved and the NAO no longer expected large, extrapolated errors in the sampling.

9. Government Internal Audit Agency (GIAA) update

24/106 The Head of Internal Audit presented the GIAA update report and internal audit plan for 2024 to 2025, as well as the Internal Audit Charter (enclosure ARC/24/028).

9.1 Internal Audit progress report

24/107 The Head of Internal Audit reported that progress with audits was on track. [Information redacted in accordance with the Freedom of Information Act 2000.]

24/108 The committee noted the update and was interested to know whether the work on Finance and Control Improvement would address any of the outstanding audit actions. The programme had been tracking this and would share their work with the Head of Internal Audit for awareness. It was recognised that closure of actions would require evidence of completion.

24/109 Discussion followed around the point that management must set good, ‘SMART’ actions in response to recommendations, and any actions that went further than the recommendations required should be set separately to the internal audit process. The approach to action-setting was being improved and there had been less difficulty closing more recent actions, although it was observed that the target of agreeing actions within 10 working days was rarely met.

24/110 The committee also recommended that all overdue actions be further reviewed with a risk lens to see which were most critical from that perspective and asked to see that assessment included in future reports. The committee heard that UKHSA’s new risk management software would facilitate this and other risk reporting. (Action: internal audit action owners)

24/111 Following discussion on recurring themes in limited audits, the Director of Corporate Services suggested that it might be helpful to introduce some central oversight and coordination for developing and reviewing corporate policies and procedures, and the committee asked that a proposal on this be brought to a future meeting. The Chief Executive reported that the agreed changes in the senior leadership structure would help to improve clarity of roles and responsibilities, which would then inform the development of the organisation’s policy framework. The committee acknowledged this but observed some urgency to resolve issues with policies and procedures. (Action: Governance team)

9.2 Internal audit plan 2024 to 2025

24/112 The Audit and Risk Committee agreed the Internal Audit plan for 2024 to 2025 and the Internal Audit Charter.

24/113 The committee considered whether the plan covered a suitable balance of science and corporate topics and asked that the Chairs of the relevant sub-committees reflect on this and make any further recommendations. (Action: Cindy Rampersaud / Jon Friedland)

10. Internal Audit recommendations

24/114 The Chief Risk and Assurance Officer presented an update on delivery of actions in response to internal audit recommendations (enclosure ARC/24/029).

24/115 The committee noted the update and in particular the drive to resolve overdue internal audit recommendations. The committee agreed that, going forward, assessment of evidence from the business on closure of audit recommendations and whether this satisfactorily closed them out would be carried out by the corporate risk and assurance team. This had previously been carried out, at cost, by GIAA. Under this new arrangement, GIAA would sample a proportion of the audit recommendations to provide the committee with assurance that closure decisions were robust.

11. UKHSA Strategic Risk Register

24/116 The Director of Corporate Services and [Title redacted] presented an overview of the principal risks facing UKHSA as identified by the Executive Committee and how these were being controlled and mitigated (enclosure ARC/24/030).

24/117 The Audit and Risk Committee noted the latest version of the Strategic Risk Register, and in particular:

• there had been no new risk added or de-escalation of existing risks since the previous report. Work was in progress to review risks that appeared static and had included helpful engagement with DHSC
• the risk team had begun work with risk owners to review target risks. So far risk owners had engaged with the challenge offered but stood by the targets they had given

24/118 The committee noted a demonstration of the new platform for risks and controls. This would help to connect risks to business objectives and deliverables, enabling more coordinated reporting. The risk team intended to ask teams to enter and validate their own controls, taking the opportunity to review and cleanse the controls put forward into the new system. This would be piloted before rolling out across all teams. The committee recommended that the risk team make this process as simple as possible with the minimum input required from other teams. The committee also cautioned against mapping risks at too high a level where this ceased to be meaningful.

24/119 The committee recommended that all decisions of the Executive Committee be mapped to the risk register so it was clear which risks the decisions addressed. There was a prompt on this in the current paper template but this needed further work. (Action: Names redacted)

24/120-24/121 [Information redacted in accordance with the Freedom of Information Act 2000.]

12. Health and Safety Update

24/122 The Director of Corporate Services and Deputy Director, Health and Safety provided an update on health and safety in UKHSA in Q1 2024 to 2025 (enclosure ARC/24/031). The committee noted the report.

24/123 [Information redacted in accordance with the Freedom of Information Act 2000.]

24/124 The committee was reassured on the management of the issue and endorsed plans for further investigation, particularly of any failures of the safety management system and the process for escalation and resolution of issues.

13. Commercial risk

24/125 The Commercial Director provided an overview of the nature of commercial risks and how they were being addressed and invited feedback (enclosure ARC/24/032). Key points were:

• commercial represented a significant proportion of UKHSA’s expenditure, making it particularly important to have a culture of commercial good practice
• it was a relatively immature function but had a good basis to build from and put risk front and centre
• the Commercial Strategy had just been published, which learned lessons from COVID-19
• generally the commercial risks were low-likelihood-high-impact – there were risk registers across categories of spend and for specific contracts
• notable risks were capabilities, where UKHSA struggled to compete in the recruitment market, and the risk to the budget should income generation decrease
• a challenge for Commercial was keeping the supply chain hot enough to respond to changing needs, balanced against the cost of doing so – this made the ability to be agile and to anticipate needs ahead of time particularly important

24/126 The committee recognised that there was often a good case for spending money in order to save money and that Commercial was well placed to steer on that, and asked whether the Commercial Director felt empowered to do so. The committee heard that the key to this was understanding the market, being able to identify options and plan ahead while retaining flexibility. More of the team was now focused on strategy, forward-planning and contract management, including long-term agreements, and the Commercial Director felt confident about the team’s ability to be flexible and responsive to changing needs.

24/127 The commercial team was pursuing a number of strategies to improve recruitment and retention. DHSC raised the importance of retention in respect to existing expert staff.

24/128 The committee was interested in the risk of supply chain failure. The commercial team was managing this constantly through diversification, managing supplier relationships, and keeping abreast of innovations. No particular concerns were reported. (Action Sarah Collins / Donald Shepherd).

24/129 Discussion followed on the culture change needed to better support good commercial practice across the organisation. Training and engagement were important but the related governance and processes needed to be right too. The Committee asked that the team explore any beneficial links with the Finance and Control Improvement Programme.

24/130 The Chair encouraged the Commercial Director to reach out to the Audit and Risk Committee for any assistance it could provide.

14. Audit and Risk Committee Forward Look

24/131 The Audit and Risk Committee noted the forward look (enclosure ARC/24/033). The Chair invited any further changes to be submitted offline.

15. Any other business

24/132 There being no further business the meeting closed at 4:01pm.

24/133 The next meeting would take place on 10 September 2024.

16. For noting

24/134 Background papers from GIAA:

GIAA ARC supplement pack (enclosure ARC/24/034)

Completed internal audit reports (enclosure ARC/24/035) for:

• Anti-Fraud
• Cyber Security
• Financial Reconciliations