Corporate report

UKHSA Advisory Board: Audit and Risk Committee meeting minutes

Updated 17 July 2023

Date: Wednesday 19 July 2023

Sponsor: Cindy Rampersaud

Recommendation

The Advisory Board is asked to note the minutes of 28 March 2023 meeting of the UK Health Security Agency (UKHSA) Audit and Risk Committee (ARC). The minutes were agreed on 6 June 2023.

Minutes (confirmed), UKHSA Audit and Risk Committee, Tuesday 28 March 2023

Present at the meeting were:

• Ian Peters – chair of UKHSA Advisory Board (Chair)
• Simon Blagden – non-executive member
• Sir Gordon Messenger – non-executive member
• Cindy Rampersaud – incoming ARC Chair

In attendance were:

• Tina Clapham – Director Data and Cyber Security
• Chris Coupland – Chief Information Officer
• Professor Dame Jenny Harries – Chief Executive
• Anna Kinghan – Director of Engagement, National Audit Office (NAO)
• Steven Riley – Director General, Data, Analytics and Surveillance
• Andrew Sanderson – Director General, Finance, Commercial and Corporate Services
• Donald Shepherd – Director of Finance
• Alex Sienkiewicz – Director of Corporate Services
• 2 attendees from the Department of Health and Social Care (DHSC), who had their names redacted
• 2 attendees from the Government Internal Audit Agency, who had their names redacted
• 2 attendees from NAO, who had their names redacted
• 8 attendees who had their names and titles redacted

Introductions and apologies

23/025 The Chair welcomed all attendees to the meeting and introduced Cindy Rampersaud who had been appointed as the substantive Chair of ARC and would be taking up her role from April 2023.

Previous meeting minutes

23/026 The minutes from the last meeting on 19 January 2023 (enclosure ARC/23/006) were agreed.

Matters arising

23/027 The action list (enclosure ARC/23/007) was noted.

Finance update

23/028 The Director General, Finance, Commercial and Corporate Services provided an update on the Finance and Control Improvement Programme (enclosure ARC/23/008), which had been set up to address the concerns raised in UKHSA’s 2021 to 2022 accounts. The programme was making progress and bringing positive momentum, though the path to a clean audit opinion was likely to take until 2024 to 2025.

23/029 Discussion queried whether there was sufficient resourcing for each stage of the programme’s action plan. One particular risk was the loss of continuity from losing contractors as a result of DHSC’s controls on the use of contingent labour. Senior officials were supporting the case to ministers on need for specific contingent labour resource in this area.

23/030 The Audit and Risk Committee endorsed the action plan within the Finance and Control Improvement Programme, subject to sufficient resourcing of staff.

23/031 The Audit and Risk Committee agreed that UKHSA should accept the NAO’s proposed audit approach for 2022 to 2023. The primary focus would be assurance over closing balances.

National Audit Office update

23/032 Colleagues from the National Audit Office provided a verbal update on scoping for the financial year 2022 to 2023 audit. A planning meeting was held and would be shared with management in the coming weeks.

23/033 NAO colleagues were progressing a targeted review of UKHSA’s new finance system. The work was primarily designed to inform the NAO’s audit approach, but the findings were being shared with UKHSA. Areas of focus included access control, change control and opening balances. It was noted that UKHSA had commissioned a fuller audit of the system from the Government Internal Audit Agency, which would be scheduled early in the new financial year.

23/034 The Audit and Risk Committee thanked colleagues for their work and anticipated the fuller written report at the next meeting.

UKHSA strategic risk register

23/035 The Director of Corporate Services presented the latest version of the Strategic Risk Register (enclosure ARC/23/009). The Audit and Risk Committee noted the proposed additional risks and de-escalation of risks as agreed by the Executive Committee. A deeper discussion would be scheduled on specific risks, including operational risk driven by constraints on contingent labour. A proposed schedule would be developed by the secretariat, in consultation with the ARC Chair.

([Name redacted])

23/036 Comments were noted on the balance of risks sitting with inherited issues over future state of the organisation. There was consensus to maintain existing risk balance until clarity was given on financial stability of the organisation. It was noted that capital spending should be monitored with respect to infrastructure at Porton Down and approval of the Harlow business case.

23/037 ARC noted the present legal risks with advised action grounded in expert evidence. Discussion followed on risks around Porton Biopharma Limited with an update expected by the next Committee meeting.

(Donald Shepherd)

Cyber security

23/038 [Title redacted] presented an update on development in the Cyber Security team and measures to baseline UKHSA’s cyber risk (enclosure ARC/23/010).

23/039 to 23/041 ARC noted the risk audit against Centre for Internet Security (CIS) 18 Critical Security Controls and the current risk posture of UKHSA. Information withheld in accordance with the Freedom of Information Act 2000.

23/042 The Strategic Risk Register would be updated to reflect cyber risk profile and a deeper discussion would be added to the Committee forward look.

Health and safety

23/043 ARC noted the health, safety and environment (HSE) arrangements set out in the paper (enclosure ARC/23/011) and planned HSE inspections. The Committee was encouraged by the positive culture of reporting incidents within high-risk laboratory settings. Further work would focus on extending reporting culture in office-based environments. Additionally, an analysis of mental health risks would enable targeting of wellbeing resources within the organisation.

23/044 Discussion followed on health and safety risks associated with overseas supply chains and activity. Staff in global settings followed advice of the Foreign, Commonwealth and Development Office. Health and safety concerns with commercial partners were mitigated in establishing contracts, including the right of audit.

UKHSA internal audit actions update

23/045 ARC noted the summary report and processing taken to minimise the number of outstanding actions that had reduced significantly (enclosure ARC/23/012). The team would continue working with colleagues to agree action plans and provide support where progress was not being made or was delayed.

Government Internal Audit Agency update

23/046 The Head of Internal Audit provided an update on audits from 2022 to 2023 (enclosure ARC/23/013). It was noted that the Government Internal Audit Agency (GIAA) were working to confirm actions submitted as complete by responsible owners.

23/047 ARC agreed the audit plan for 2023 to 2024 (enclosure ARC/23/014). There was a challenge of resourcing but GIAA remained confident in completing the plan. The Committee welcomed the future focus for the upcoming audit as UKHSA moved away from the establishment phase of organisation.

ARC annual report and effectiveness review

23/048 [Title redacted] noted that surveys had been sent to meeting attendees with a substantive report expected at the June meeting. This would be reported to the Advisory Board and inform the governance statement for the annual report.

([Name redacted])

Forward look

23/049 ARC noted the forward look (enclosure ARC/23/015) that would be updated following points raised during the meeting, and in consultation with the incoming ARC Chair.

Any other business and close

23/050 It was noted that a Serious Untoward Incident had been declared with an investigation report as expected in coming months.

23/051 There being no further business, the meeting closed at 12:23pm.

[Name redacted]
[Title redacted]
March 2023