UKHSA Advisory Board: Audit and Risk Committee minutes 5 December 2023
Updated 29 January 2024
Date: 31 January 2024
Sponsor: Cindy Rampersaud
Recommendation
The Advisory Board is asked to note the minutes of 5 December 2023 meeting of the Audit and Risk Committee. The minutes were agreed on 28 January 2024.
Minutes (confirmed), Audit and Risk Committee, 5 December 2023
Present at the meeting were:
-
Cindy Rampersaud – Non-Executive Member of UKHSA Advisory Board (Chair)
-
Sir Gordon Messenger – Non-Executive Member of UKHSA Advisory Board
In attendance were:
-
Chris Coupland – Chief Information Officer
-
Susan Hopkins – Chief Medical Adviser
-
Anna Kinghan – Director of Engagement, National Audit Office
-
Andrew Sanderson – Chief Financial Officer
-
Donald Shepherd – Director of Finance
-
Alex Sienkiewicz – Director of Corporate Services
-
Edward Wynne-Evans – Director of Radiation, Chemicals and Environment
-
16 attendees had their name and title redacted
Apologies were received from:
- Simon Blagden – Non-Executive Member of UKHSA Advisory Board
Introductions and apologies
23/199 The chair welcomed all attendees to the meeting.
23/200 The Advisory Board had approved the appointment of Jon Friedland to the Audit and Risk Committee.
Minutes of the previous meeting
23/201 The minutes from the last meeting on 17 November 2023 (enclosure ARC/23/062) were agreed.
Matters arising
23/202 The action list (enclosure ARC/23/063) was noted.
Health and safety update
23/203 The Director of Corporate Services and [Title redacted] presented a paper (enclosure ARC/23/064) providing a high-level summary of UKHSA health and safety performance in the third quarter of the financial year.
23/204 There had been no notifiable incidents to the Health and Safety Executive (‘HSE’) so far in 2023 to 2024. The overall data supported a downward trajectory.
23/205 - 23/211 [Information withheld in accordance with the Freedom of Information Act.]
23/212 The Committee discussed the GIAA audit actions and asked whether any high priority actions would benefit from being accelerated. It was confirmed the [Title redacted] and [Title redacted], GIAA were working closely together on this. Closing of many of the actions required working across the organisation. There was only one overdue action, for which the date had now been extended, concerning roles and responsibilities for health and safety. A contractual solution to this, together with a roles and responsibility document, was being considered.
23/213 The Audit and Risk Committee thanked the Director of Corporate Services and [Title redacted] for the progress that had been made.
Finance update
23/214 The Audit and Risk Committee noted the latest financial position (enclosure ARC/23/065).
23/215 There was a small emerging underspend (£4.3m) for the core resource budget for the full year (against a budget that had been reduced from the original £395m to reflect Department of Health and Social Care (DHSC) ringfenced funding that was not needed). On the COVID budget, the priority was to bring down spending whilst continuing to deliver the Government’s ‘Living with COVID’ strategy. Significant budget transfers were planned in quarters 3 and 4 to devolved administrations and NHSE which would reduce current underspends. There was a risk of further underspend of a further £5m.
23/216 The full year resource forecast showed pressure on the COVID Vaccine Unit (‘CVU’) resource and capital budget. The autumn vaccination campaign had been brought forward in response to a new emerging variant and the forecast for the spring campaign has been revised based on cohort size and mix of vaccines distributed. His Majesty’s Treasure (HMT) reserve funding was accessible up to £532m.
23/217 The CVU budget was subject to impairments for this year’s budgets which would flow into next year. The current over-spend did not go beyond the control limits and there was a reserve in place. The VCR budget had been ring-fenced by DHSC and was being managed on the basis that UKHSA should neither gain nor lose.
23/218 [Information withheld in accordance with Freedom of Information Act 2000.]
23/219 It was explained that the £395m budget for this year included some non-recurrent activities which could be released the following year. However, the main issue was absorbing the COVID-19 legacy which included recurrent and non-current items. The Executive Committee would be examining this in detail at their meeting of 7 December 2023.
23/220 It was confirmed that one-off late notice spends for this year had been considered.
23/221 The Audit and Risk Committee asked if there was sufficient resource for the full audit planned for next year and whether there was a mechanism in place to request one-off spending. It was confirmed that work was underway to identify what couldn’t be absorbed next year and what would be part of the efficiency drive. Audit and Risk Committee recommended ensuring provisions were made for unknown issues that may occur throughout the year and for this to inform the business planning going forward.
23/222 [Information withheld in accordance with the Freedom of Information Act 2000.]
Financial controls
23/223 The Audit and Risk Committee noted the update on the Finance and Control Improvement Programme (FCIP).
23/224 Going forward, the programme was looking to reduce reliance on the central finance team and to embed good practice at source.
23/225 The Audit and Risk Committee recognised the challenge of systemic and cultural change whilst dealing with ad hoc issues that arise. It recommended focusing on the systemic changes to reduce the risk of issues being identified going forward.
23/226 The Audit and Risk Committee discussed the extent to which those outside of the Finance community were helping drive the agenda. It was explained that the Finance and Control Improvement Board included members from other functions across UKHSA. More generally, and in terms of broader input into this important agenda it was welcomed that Professor Friedland joining the Audit and Risk Committee would strengthen its scientific expertise. It was also considered how to ensure clinical input into future meetings.
23/227 The Finance and Control Improvement Board included 47 sub-projects and the committee asked about leads from other groups. It was explained that there was representation from other groups but not leads.
23/228 The Audit and Risk Committee discussed the interaction of the FCIP projects with the 2022 to 2023 audit and whether there were any elements of the forthcoming 2023 to 2024 audit from which would be different. It was clarified that this would be covered during the planning phase. It was also reported that GIAA had conducted an internal audit into the Finance and Control Improvement Programme and a meeting had been arranged on 11 December 2023 to discuss the findings. These recommendations along with UKHSA’s broader learning would be incorporated in the planning for the 2023 to 2024 audit.
23/229 It was agreed that the Audit and Risk Committee would be provided with details of the key milestones and challenges for the Finance and Control Improvement Programme.
(Action: Andrew Sanderson)
Anti-fraud report
23/230 The Audit and Risk Committee noted the update (enclosure ARC/23/064a) on the work of the anti-fraud team.
23/231 Corporate risk colleagues were working closely with the anti-fraud team to promote understanding of the risk community and help inform their work.
23/232 The anti-fraud team was now fully resourced and was building links with other areas of the organisation, particular Human Resources (HR), to ensure it was effective.
Standing financial instruments
23/233 The Audit and Risk Committee endorsed the UKHSA updated standing financial instruments (enclosure ARC/23/064b).
National Audit Office (‘NAO’) update
23/234 The Director of Engagement, National Audit Office provided an update.
23/235 - 23/242 [Information withheld in accordance with the Freedom of Information Act 2000].
Government Internal Audit Agency (‘GIAA’) update
23/243 The paper (enclosure ARC/23/066) provided an update on delivery and outcomes from the planned internal audit work in 2023/24.
23/244 - 23/250 [Information withheld in accordance with the Freedom of Information Act 2000].
Assurance update
23/251 [Title redacted] presented the assurance update (enclosure ARC/23/067).
23/252 The Audit and Risk Committee noted the report.
23/253 It was emphasised that engagement with the organisation to promote understanding of audits was being actioned and considered a high priority.
UKHSA Strategic Risk Register
23/254 The Director of Corporate Services and [Title redacted] presented the latest version of the Strategic Risk Register (enclosure ARC/23/068). The Audit and Risk Committee noted the current position of risks as agreed by the Executive Committee.
23/255 The Audit and Risk Committee noted:
- the new risks agreed for inclusion by the Executive Committee
- the updates on the risks
- that an enterprise risk management solution acquisition was being finalised for full roll-out by year end; this application would help streamline the process of risk management within UKHSA
- the update from Information Governance on their evolving monitoring and reporting processes
23/256 - 23/257 [Information withheld in accordance with the Freedom of Information Act 2000.]
Deep dive on clinical quality
23/258 The Chief Medical Adviser introduced a paper on health protection governance and clinical strategy (enclosure ARC/23/069). The paper outlined proposed improvements to governance and assurance for the end-to-end clinical and health protection service, the progress made in addressing the Internal Audit recommendations on clinical governance, and the future role in respect of clinical or health protection governance and quality.
23/259 The [Title redacted] provided a short presentation highlighting the key points of the paper.
23/260 The Audit and Risk Committee noted:
- the proposed corporate framework for quality, agreed by the Clinical Quality Oversight Board and the Executive Committee
- the progress in implementing the recommendations of the Internal Audit report on clinical governance
23/261 The Audit and Risk Committee discussed the degree to which UKHSA’s relationship with non-government health protection and health security organisations (such as charities) provided assurance against the wider landscape. It was explained that a key part of the 3-year strategy was to develop those relationships. UKHSA was engaging with the DHSC and was becoming an active partner in the National Quality Board (‘NQB’) which included many key non-government partners and was increasingly focusing its attention on collaboration with partners rather than just support for the NHS. Health Protection Operations was undertaking work with local government and the NHS to establish good practice for public health pathways of care. UKHSA would encourage this work to be broadened out from operational to more strategic.
23/262 It was clarified that the Medical Healthcare Regulatory Agency (‘MHRA’) were members of the NQB. They would be an important partner to help develop systems. The MHRA mainly regulated the private sector industry and the market, rather than healthcare delivery. The Care Quality Commission regulated health bodies, including adult social care and primary care GPs, but not UKHSA. UKHSA did provide some healthcare services and was keen to work to the same standards.
23/263 It was also clarified that the term ‘health protection’ encompassed all of the UKHSA’s delivery including science, chemical, radiation and environmental and the support capabilities such as HR, communications and finance.
23/264 The committee discussed the mapping of the services provided by UKHSA. It was explained there were commissioned services from the NHS, national services, local services and ad hoc services. As part of the strategy, each area of service would be asked to document their services for the framework for the service. This was especially relevant to the laboratory functions. The aim would be for UKHSA to achieve the necessary standards to be regulated itself, rather than undertaking the regulation.
23/265 [Information withheld in accordance with the Freedom of Information Act 2000.]
23/266 It was agreed that a further update on Clinical Quality would take place by September 2024.
National Mycobacterial Reference Service serious untoward incident (SUI) report
23/267 The Director RCE and [Title redacted] presented the results of an investigation into a Serious Untoward Incident arising from a laboratory error and reported the progress on the implementation of the action plan to address the recommendations from the investigation (enclosure ARC/23/070).
23/268 The committee noted the findings from the investigation and recommendations and action plan to address them.
23/269 - 23/270 [Information withheld in accordance with the Freedom of Information Act 2000.]
(Action: name and title redacted)
‘Big Rocks’ technology programme and shadow IT functions
23/271 The [Title redacted] and [Title redacted] presented a paper (enclosure 23/071) which outlined the Big Rocks Programme approach and highlighted the relationship with the Shadow IT Discovery project.
23/272 The committee were reminded that ‘Big Rocks’ consisted of infrastructure rationalisation, migration of application and services to the cloud, enhancing value of UKHSA data, re-skilling the workforce and supporting knowledge management. ‘Shadow IT’ referred to the un-governed and corporately unsupported IT systems, and investigations into the scale of the risk.
23/273 The Audit and Risk Committee noted the overall approach to delivering the Big Rocks Programme and Shadow IT Discovery project, and the linkage.
23/274 - 23/276 [Information withheld in accordance with the Freedom of Information Act 2000.]
23/277 The Audit and Risk Committee discussed the alignment between the programmes and the risk of duplication and gaps emerging. It was explained all changes go through the DDAT assurance Board (which included UKHSA DAS, DHSC and Cabinet Office) which took a holistic view of all the programmes. The main risks were around dependencies rather than duplication.
23/278 The Audit and Risk Committee discussed whether there were similar activities taking place elsewhere in government and whether this could be leveraged to apply learnings. It was clarified that there was engagement with other government departments undertaking similar activities. Consultants that had undertaken similar work elsewhere in government had been deployed by UKHSA.
Audit and Risk Committee forward look
23/279 The Audit and Risk Committee noted the forward look (enclosure ARC/23/072).
23/280 It was agreed that:
- an update on Clinical Quality would be considered by September 2024
- the Finance and Control Improvement plan would be considered by the Audit and Risk Committee at the next meeting. The Finance Report standing item would build in progress on the improvement plan and would reflect lessons learned from the year end process
- an update would be provided on the development of metrics to measure the necessary culture change for finance controls
- a paper would be provided for the next meeting on the Moderna Strategic Partnership to understand the status of the implementation plan and the issues of governance between the organisations
Any other business
23/281 The Audit and Risk Committee had previously delegated authority to the chair to sign off the Report and Accounts on its behalf, subject to there being no material changes. It was agreed that in the light of the changes to the model and the impact on the report and accounts, an extraordinary Audit and Risk Committee meeting would be arranged in January 2024 to further consider the report and accounts.
23/282 The Committee expressed its thanks to the Director of Engagement, National Audit Office for her contribution to the committee’s work and wished her well in her new role auditing the Department for Education.
23/283 There being no further business, the meeting closed at 3:55pm.
December 2023