UKHSA Advisory Board: Audit and Risk committee minutes
Updated 10 May 2023
Date: Tuesday 14 March 2023
Sponsor: Ian Peters
Recommendation
The Advisory Board is asked to note the minutes of 24 November 2022 meeting of the UK Health Security Agency (UKHSA) Audit and Risk Committee. The minutes were agreed on 19 January 2023.
Minutes (confirmed), UKHSA Audit and Risk Committee, Thursday 24 November 2022
Present at the meeting were:
- Ian Peters – chair of UKHSA Advisory Board (Chair)
- Simon Blagden – non-executive member
- Sir Gordon Messenger – non-executive member
In attendance were:
- Deputy Director Finance, Department of Health and Social Care (DHSC)
- Tina Clapham – Director Data and Cyber Security
- Chris Coupland – Chief Information Officer
- Head of Governance
- (Incoming) Chief Risk and Assurance Officer
- Dame Jenny Harries – Chief Executive
- Philippa Harvey – Director of the COVID-19 Vaccine Unit (CVU)
- Deputy Director, Health Protection Policy, DHSC
- Anna Kinghan – Director of Engagement, National Audit Office (NAO)
- Lead Assurance Advisor
- Gerry Murphy – non-executive member, DHSC Board and Chair DHSC Audit and Risk Committee
- Deputy Director, Accounts and Finance Operations Branch, DHSC
- Senior Governance Officer (minutes)
- Head of Internal Audit, Government Internal Audit Agency
- Steven Riley – Director General, Data, Analytics and Surveillance
- Internal Audit Manager, Government Internal Audit Agency
- Andrew Sanderson – Director General, Finance, Commercial and Corporate Services
- Deputy Director, Governance, Risk and Assurance
- Donald Shepherd – Director of Finance
- Alex Sienkiewicz – Director of Corporate Services
- Deputy Director, Cyber
- Audit Manager, National Audit Office
- Lead Risk Advisor
- Head of Counter Fraud
Introductions and apologies
22/101 The Chair welcomed all attendees.
22/102 [Name redacted] was welcomed to the meeting. They were attending in an observer capacity as the incoming Chief Risk and Assurance Officer, starting in December 2023.
Previous meeting minutes
22/103 The minutes from the last meeting on 11 October 2022 (enclosure ARC/22/32) were agreed.
Matters arising
22/104 The action list (enclosure ARC/22/033) was noted.
22/105 The Chair provided an update on the process to appoint a new permanent Chair of the Audit and Risk Committee. The selection panel had met and put forward 3 candidates for consideration. The Cabinet Office had approved the selection on 21 November 2022. The matter would now be considered by ministers and then the Prime Minister. A decision was expected in mid-December 2022.
Vaccine Taskforce transition
22/106 Director of the CVU provided an update on the main risk areas following the Vaccine Taskforce (VTF) joining UKHSA on 1 October 2022. These had been considered in detail at the previous meeting.
22/107 The following updates were provided:
- One of the main risk areas was recruitment as there were approximately 25 vacancies to be filled; 250 interviews had taken place over a 2-week period to fill posts in the most specialist areas.
- VTF continued to work using the Department for Business, Energy and Industrial Strategy (BEIS) IT systems. UKHSA email addresses would be implemented shortly together with the Pulse intranet. This would support closer working.
- The transition had also resulted in a need to recruit new Finance personnel. The Director General for Finance, DHSC was assisting in providing interim support. Finance remained an important area given the large budgets being controlled.
- VTF had a plan in place should there be a surge during the winter months.
22/108 to 22/111 Information withheld in accordance with the Freedom of Information Act 2000.
22/112 The Committee discussed induction arrangements for new staff, both given the transfer of VTF colleagues joining UKHSA and the associated new responsibilities for the organisation. It was being investigated as to whether a bespoke induction could be provided, which would include vaccine learning. This would require input from the subject matter experts to develop the appropriate content.
22/113 The Audit and Risk Committee noted the update and agreed that future updates would be reported through the Strategic Risk Register.
UKHSA Governance, Risk and Assurance
Strategic Risk Register (SRR)
22/114 The Chair noted the good progress in respect to refreshing and updating the SRR (enclosure ARC/22/34). As part of the refresh process, the Executive Committee had agreed a new impact and probability matrix for strategic risk identification and assessment, which has now been incorporated into an updated version of the UKHSA Risk Management Policy.
22/115 to 22/117 Information withheld in accordance with the Freedom of Information Act 2000.
22/118 The Chair noted the good progress in respect to the SRR (enclosure ARC/22/17).
22/119 Information withheld in accordance with the Freedom of Information Act 2000.
Internal audit actions update
22/120 The Lead Assurance Advisor provided an update on progress (enclosure ARC/22/035). It was reported that since the previous meeting, there had been significant increased engagement with action owners including Executive Committee members and their offices. There were now fewer overdue actions, although in some cases the due dates had been extended.
22/121 Additional resource would be in place in January 2023, which would increase capacity to undertake further internal second line of defence assurance work, in addition to the third line of defence provided by internal audit.
22/122 Overdue internal audit actions had reduced from 37 to 14. However, 6 further internal audits had taken place that had created over 100 additional actions, and it was a priority to continue to pre-emptively engage with teams.
22/123 The Committee asked how distracting it was for colleagues to address the actions while undertaking their regular work. It was explained that this was considered part of their ongoing duties and it was only in exceptional cases resourcing issues had been raised as a concern.
22/124 The Audit and Risk Committee noted that the required detailed responses to the Public Inquiry were likely to put further pressure on the bandwidth of the executive to address actions. The Committee highlighted the importance of tracking and monitoring progress in helping ensure actions were discharged.
22/125 The Chair noted the step change in both the tracking and intervention and welcomed the heightened focus and additional progress. In addition, the Chair noted the progress in reducing the number of outstanding actions and took comfort in the grip and control provided by a proactive approach.
22/126 The UKHSA Audit and Risk Committee noted the report.
Cyber risk
22/127 The Director General, Data, Analytics and Surveillance and the Chief Information Officer introduced the paper (enclosure ARC/22/036), which outlined the cyber risk within UKHSA and the steps the Cyber Division were taking to develop a comprehensive mitigation and remediation strategy.
22/128 The Director Data and Cyber Security and Deputy Director, Cyber highlighted the key points including the main red risk area, the standards being worked to over time and the plan going forward.
22/129 to 22/131 Information withheld in accordance with the Freedom of Information Act 2000.
22/132 The Audit and Risk Committee asked whether resource and budget had been set aside for education of the wider team. It was explained that this was part of the cultural challenge referred to in the presentation and cyber training would be part of the framework going forward. The Audit and Risk Committee highlighted the importance of having clear responsibilities and information governance in place. This would help in ensuring the cultural changes needed were properly embedded.
22/133 The cyber essentials plus process required an annual return which would be independently reviewed by the Government Internal Audit Agency (GIAA). It was agreed that it would be clarified for the Audit and Risk Committee how this would be integrated into the framework. It was confirmed that penetration testing was already taking place and would be an important part of future plans.
22/134 The Committee discussed the frequency of threats, and it was noted that threats were occurring on a daily basis.
22/135 Information withheld in accordance with the Freedom of Information Act 2000.
22/136 The Audit and Risk Committee noted the current red risk and the steps being put in place to baseline the risk.
22/137 It was agreed that the baseline work was critical and that an interim update would be provided in January 2023. A further update would be provided to the March 2023 Audit and Risk Committee meeting.
Steven Riley, Chris Coupland
(Tina Clapham, [Name redacted])
UKHSA annual report and accounts 2021 to 2022
22/138 The Director General, Finance, Commercial and Corporate Services presented the latest draft of the annual report and accounts (enclosure ARC/22/037).
22/139 Good progress had been made. However, the complexity of the accounts for the new organisation, the workforce change, and new systems meant the process was challenging. Systematic work was taking place through the various issues. Cash reconciliation was now completed, and the team was now working through the final reconciling items.
22/140 The NAO had identified data quality issues with staff costs, and analysis suggested that this was due to headcount data rather than cost data. Good progress was being made with sampling, and most queries and outstanding items would soon be addressed.
22/141 Information withheld in accordance with the Freedom of Information Act 2000.
22/142 The main areas of concern were:
- journals
- queries
- staff costs and accruals
- the number of different issues to resolve
The inventory samples were the most difficult to support.
22/143 It was noted that the extended period of work required to finalise to 2021 to 2022 accounts was impacting on the time available to work on the accounts for the following year.
22/144 The Committee asked whether the overcoming the difficulties involved for the 2021 to 2022 accounts would put the organisation on a better footing for future years. It was explained that although structural issues had been addressed in Finance, the organisation would continue to evolve (for example, the ramp down programme) and therefore some challenges would continue.
22/145 It was clarified for the Committee that the statutory deadline to approve the accounts was 31 January 2023. Treasury had advised not to seek a statutory instrument to extend this deadline and the Audit and Risk Committee agreed with this conclusion. In addition, the aim should be to file future accounts in accordance with the pre-coronavirus (COVID-19) pandemic timetable. It was recognised that while this ambition would be welcomed, timescales would be challenging and would require a step change in approach.
22/146 The final format and presentation of the annual report and accounts would be discussed and agreed with the Publications team in Communications.
22/147 It was agreed an additional Audit and Risk Committee meeting would be scheduled for January 2023 to consider the accounts. An additional meeting of main members of the Audit and Risk Committee would be arranged in 10 to 14 days to determine progress, after which the timescales would become clearer.
Name redacted
22/148 The Audit and Risk Committee noted the draft of the annual report and accounts and recognised the effort and collaboration required to produce the accounts.
Update from the National Audit Office
22/149 Delivery of the audit was now expected in January 2023. The focus was on the main areas of accruals, journals and expenditure. Due to the timescales being worked to, it was essential for any queries to be progressed at pace. It was important that the good progress made on staff costs continued to avoid the need to move to a sampling approach which would be more time consuming.
22/150 Work was underway to address issues with the bank reconciliation system, which had resulted in the need to match 18,000 transactions with a full list of reconciled items to diagnose the issue. It was agreed that Audit and Risk Committee would be informed of the reason for this issue once identified and corrected.
Name redacted
22/151 The Audit and Risk Committee noted the update.
Finance report
22/152 The Director General, Finance, Commercial and Corporate Services presented a paper that provided an overview of the UKHSA’s finances as at month 6 for financial year 2022 to 2023 (the end of September 2022). At the time of submitting, the month 7 (end of October 2022) figures were being finalised.
22/153 The overall underspend for UKHSA was £145 million. On the core side, this was a consequence of late budget agreements and ongoing recruitment issues, which were being addressed by the central team.
22/154 For COVID-19, the month 6 position was a core deficit of £105 million, mainly due to NHS testing, although this was reducing.
22/155 The Audit and Risk Committee is noted the financial position.
Counter fraud strategy
22/156 The Head of Counter fraud presented a paper to provide details of the counter fraud business plan for 2022 to 2023. The counter fraud strategy had now been published on the Pulse intranet site. There had been a number of recent activities to raise anti-fraud awareness across the organisation.
22/157 The Audit and Risk Committee noted the UKHSA counter fraud business plan.
Internal audit
Annual report and opinion for 2021 to 2022
22/158 The Head of Internal Audit provided a presentation on the Annual Report and Opinion (enclosure ARC/22/039).
22/159 There were 8 pieces of work in the plan, and the overall opinion from that work was of limited assurance. This reflected the outcomes of the majority of the pieces of work. The Audit and Risk Committee noted the report and agreed that the conclusions were fair given the maturity of the organisation.
22/160 The Lead Assurance Advisor stated that in practice improvement would require further assessment and mapping of what levels of assurance were in place. Internal assurance at the second line would be increased with the new resource being put in place. Some specialist teams provide second line oversight and assurance such as information governance and health and safety. It was agreed a paper would be provided for a future meeting to highlight the areas being strengthened.
Name redacted
Progress update on the internal audit plan for 2022 to 2023
22/161 The Head of Internal Audit provided an update on the 2022 to 2023 plan (enclosure ARC/22/040).
22/162 It was reported that to date 4 audits had been completed to final report stage. These have resulted in:
- 1 Substantial assurance rating
- 1 Moderate assurance rating
- 2 Limited assurance opinions
In addition to these:
- 2 audits were at draft report stage
- 5 audits are in progress
- 2 audits have draft terms of reference (ToR) issued awaiting management responses
Scoping meetings had been requested for 3 audits, and 3 have not yet started. Two audits have been finalised since the last progress report, which were Clinical Governance and Testing Ramp-down.
22/163 The Chair asked the Head of Internal Audit the likely opinion for 2022 to 2023 and it was too early to give a definitive opinion. There were no quick fixes to swiftly improve the outcome and improvement would require addressing the themes identified, including risks being consistently assessed and recorded. The Committee agreed that GIAA would be invited to attend an Executive Committee meeting to discuss further, including further work, which could be progressed ahead of the next year-end audit opinion.
Dame Jenny Harries
(Name redacted)
22/164 The Audit and Risk Committee noted the paper and the Chair thanked the Head of Internal Audit and the team for their ongoing work and support to UKHSA.
Forward look
22/165 The following additional items were agreed for the forward look:
- accounts approval (special ad-hoc meeting in January 2023)
- cyber risk (written interim update in January 2023 followed by a further update in March 2023)
- legal risk
- health and safety risk
- public inquiry risk
Any other business and close
Departmental security health check
22/166 The latest report had been sent to Dame Jenny Harries as Accounting Officer. The target date for improvements was the end of March 2023. The Committee highlighted the importance of Security in corporate culture and that it was responsibility of everyone.
22/167 It was noted that security (including cyber) and clinical governance were areas where engagement with all colleagues was required. ‘Security weeks’ would be planned for the future as a theme.
Wellbeing paper
22/168 The Audit and Risk Committee discussed the possibility of considering a wellbeing report at a future meeting. It concluded this was more appropriate for the Advisory Board as part of their consideration of the staff survey results and would be added to the forward look.
22/169 The Chair thanked all attendees and there being no further business, the meeting closed at 11:55am.
[Name redacted]
Senior Governance Officer – Corporate Services
November 2022