Corporate report

UKHSA Advisory Board: Audit and Risk Committee minutes

Updated 13 December 2023

Date: Thursday 30 November 2023

Sponsor: Cindy Rampersaud

Recommendation

The Advisory Board is asked to NOTE the minutes of 5 September 2023 meeting of the Equalities, Ethics and Communities Committee. The minutes were agreed on 17 November 2023.

Minutes, UKHSA Audit and Risk Committee, Tuesday 5 September 2023

Present at the meeting were:

  • Cindy Rampersaud – non-executive Chair
  • Sir Gordon Messenger – non-executive member
  • Simon Blagden – non-executive member

In attendance were:

  • Tina Clapham – Director, Cyber
  • Chris Coupland – Chris Coupland
  • Jenny Harries – Chief Executive Officer (CEO)
  • Anna Kinghan – Director, Engagement, National Audit Office
  • Amy Manning – National Audit Office
  • Oliver Munn – Director General, Health Protection Operations
  • Niki Parker – Head of Internal Audit, Government Internal Audit Agency
  • Steven Riley – Director General, Data Analytics and Surveillance
  • David Robb – Internal Audit Manager, Government Internal Audit Agency
  • Andrew Sanderson – Chief Financial Officer
  • Donald Shepherd – Director, Finance
  • Alex Sienkiewicz – Director, Corporate Services
  • Paul Sutton – Director, Emergency Preparedness, Resilience and Response
  • Gemma Taylor – National Audit Office
  • Nadeem Ukadia – Government Internal Audit Agency
  • 13 attendees with names and titles redacted
  • 1 attendee with name and title redacted (minutes)

Apologies from:

  • Andy Brittain – Director, Finance, DHSC

Welcome, apologies and declarations of interest

23/118 The Chair welcomed all attendees to the meeting.

23/119 Apologies were received from Director Finance, DHSC.

Minutes of previous meeting and matters arising

23/120 The minutes from the last meeting on 6 June 2023 (enclosure ARC/23/037) were AGREED.

23/121 The action list (enclosure ARC/23/038) was NOTED.

23/122 The updated Terms of Reference were AGREED subject to minor edits.

Finance update

23/123 The Chief Financial Officer and [title redacted] provided a Finance update (enclosure ARC/23/040) which included:

  • a progress update against the 2022-23 Annual Report and Accounts preparation and audit timetable
  • an update on the progress of the Finance and Control Improvement (F&CI) Programme

23/124-23/125 [Information withheld in accordance with the Freedom of Information Act 2000].

23/126 It was AGREED that an update on the intellectual property asset situation and the report on the valuation of land and buildings would be shared with the Committee once the reports had been received.

23/127 The Committee considered the balance between the short-term work on the accounts and the longer term F&CI Programme. There was a conscious decision to work on areas of urgent concern first especially issues that needed addressing for the current accounts and that fixing would benefit the following years.

23/128 It was considered as to whether the F&CI Programme should have a broader remit, covering all of UKHSA rather than just finance and whether more could be achieved by focusing on the culture across the organisation. It was confirmed that the programme covered the broader control environment, and the assurance mapping work provided the holistic view across UKHSA and was covered later on the agenda.

23/129 The Committee expressed their thanks for the good progress achieved.

Anti-fraud reporting

23/130 The [title redacted] provided an update on the UKHSA Anti-Fraud Team’s work (enclosure ARC/23/40a).

23/131 Key points of progress were reported including a draft action plan for 23/24 with adherence to functional standards had been put in place; the Fraud Risk Assessment was underway; the Human Risk Assessment had been completed; the post event assurance for Test and Trace Support Payment had been completed; the Government Internal Audit Agency (GIAA) review was scheduled for Q4; and the DHSC lead group review was expected to happen before the end of the financial year.

23/132-23/133 [Information withheld in accordance with the Freedom of Information Act 2000].

23/134 The Committee raised the number of false positives compared to other government departments and the timescale to refine the data. It was clarified that as it was the first time UKHSA had received the National Fraud Initiative data there were no meaningful comparators and that UKHSA may have a higher number of false positives due to the high turnover rates and the significant number of employees legitimately dual working. The data refinement was expected to be completed in around 6 weeks.

National Audit Office (NAO) update

23/135 The Director of Engagement, NAO and the Senior Audit Manager, NAO provided an update on the Audit Progress and Audit Planning Report (enclosure ARC/23/041 and ARC/23/041a).

23/136 Some errors had been identified during the Audit and a full assessment of the errors was being worked through.

23/137 [Information withheld in accordance with the Freedom of Information Act 2000].

23/138 The Audit and Risk Committee NOTED the updated assessment of risks and the possible increase in audit fee. No disclosures were made on the mandatory enquiries to those charged with governance in the report (ARC/23/041a).

Government Internal Audit Agency update

23/139 The Head of Internal Audit, GIAA presented an update on the internal audit opinion for 2022/23 and a first report against the 2023/24 plan (enclosure ARC/23/042, ARC/23/042a, ARC/23/042b, and ARC/23/042c).

23/140-23/142 [Information withheld in accordance with the Freedom of Information Act 2000].

23/143 A discussion followed on how the Committee would have sight of risks that had moved separately from the new plan. It was confirmed that GIAA would continue to report to the Committee against the agreed timescale therefore sighting the Committee on delays. Internal work with risk colleagues and Directors General across UKHSA was being undertaken to ensure risk associated with incomplete audit actions was considered and included on group risk registers. Further discussion occurred in the Assurance update on the ambitious targets set at time of audit affecting number of overdue actions and ability to complete them.

UKHSA Strategic Risk Register (SRR)

23/144 The [title redacted] presented the latest version of the SRR (enclosure ARC/23/043) including an update on changes to risks.

23/145 The Audit and Risk Committee NOTED:

  • the updates on the risks that had previously been highlighted
  • the risk approach was being worked on in alignment with DHSC
  • an enterprise risk management solution had been identified and approved for procurement

23/146 [Information withheld in accordance with the Freedom of Information Act 2000].

23/147 A discussion followed on the UKHSA profile on the DHSC departmental risk register. It was reported that there had been constructive and positive discussions between UKHSA and DHSC risk teams, including the sponsorship team. [Information withheld in accordance with the Freedom of Information Act 2000].

23/148 It was confirmed that each risk had a defined Executive Committee owner and the new template for reporting was more robust for details on mitigations, progress on actions and target dates.

23/149-23/150 [Information withheld in accordance with the Freedom of Information Act 2000].

Health and safety dashboard

23/151 The [title redacted] provided an update on Health and Safety (enclosure ARC/23/044)

23/152 The role the human factor specialists was considered along with where they were based. They work at a corporate level organisation wide and were working with government apprentices at graduate level to deploy an apprentice to Science Group and one across the organisation.

23/153-23/154 [Information withheld in accordance with the Freedom of Information Act 2000].

Public inquiry

23/155 The [title redacted] presented a paper on the risk and management pressures associated with response to the COVID-19 public inquiry (PI) (enclosure ARC/23/045).

23/156 The Audit and Risk Committee NOTED:

  • the expected duration of the COVID-19 PI and the commitment required from UKHSA to support the Inquiry’s work
  • the arrangements being put in place to track UKHSA’s delivery of its priorities

23/157 It was considered if cost capturing was in place to provide a figure for the cost to deliver the PI. It would be beneficial to understand the cost to UKHSA and wider government. [Information withheld in accordance with the Freedom of Information Act 2000].

23/158 The UKHSA PI team was a similar size to DHSC and NHS team, however, it was discussed that UKHSA’s contribution to the PI was challenging due to the changes in the organisation throughout COVID-19 and the requirement to provide evidence for PHE, Test and Trace and UKHSA. UKHSA remained a core participant, distinct from DHSC for responses.

23/159 Improvements to processes were being demonstrated and implemented and there was a desire to continue to make improvements whilst responding to other modules.

Emergency preparedness and response

23/160 The Director General, Health Protection Operations presented a paper on UKHSA’s activity to increase preparedness for core health threats (enclosure ARC/23/046).

23/161 A discussion considered the dependencies on other organisations for emergency response and the importance of considering where UKHSA’s role sits. As a category one responder, UKHSA needed to articulate clearly what their role and responsibilities were and how those cascaded and were discharged within the agency. The concept of operations described the relationship with DHSC, NHS, other agencies and the four nations. There had also been engagement with Cabinet Office and other organisations.

23/162 - 23/163 [Information withheld in accordance with the Freedom of Information Act 2000].

23/164 There was an Advisory Board workshop planned for October which would allow all Advisory Board members to discuss emergency preparedness and response in more detail.

Update on cyber risk

23/165 The [title redacted] provided an update on the mitigations to address UKHSA cyber risk profile (enclosure ARC/23/047).

23/166 The Audit and Risk Committee NOTED the current mitigations.

23/167 Cyber was in a stable position for the next two years with recruitment almost completed. The stability had enabled a governance process with Technology to be started to be put in place. [Information withheld in accordance with the Freedom of Information Act 2000].

23/168 The Safer Cyber programme was close to starting, with a ministerial meeting happening that week to confirm resourcing.

23/169 - 23/171 A discussion followed on ensuring that the right people were in place as more risks were uncovered and whether people outside of UKHSA could be brought in to support if needed. The team was well resourced, and the discovery processes would help identify specific needs. The flexibility and speed to bring new people was a challenge [Information withheld in accordance with the Freedom of Information Act 2000].

Assurance update

23/172 The [title redacted] provided an update on the internal audit actions and assurance mapping of UKHSA (enclosure ARC/23/048 and ARC/23/048a).

23/173 The Audit and Risk Committee NOTED the update for the internal audit actions.

23/174 - 23/176 It was considered whether the timing of implementation being pulled forward was impacting the timeliness of completion of actions. [Information withheld in accordance with the Freedom of Information Act 2000].

23/177 The Audit and Risk Committee NOTED the update on the assurance mapping of UKHSA.

Forward look and topics for future meetings

23/178 The Audit and Risk Committee NOTED the forward look (enclosure ARC/23/049).

23/179 The Audit and Risk Committee AGREED to move Information Governance to the March meeting. [name redacted]

Any other business and close

23/180 The Chief Scientific Officer provided a verbal update on the incident declared in March 2023 with an internal investigation complete. The immediate control measures were reviewed, and no other errors identified. An action plan was being developed and implemented. [Information withheld in accordance with the Freedom of Information Act 2000].

23/181 It was recommended the report on the incident be circulated to ARC ahead of the December meeting.

23/182 There being no further business the meeting closed at 12:52pm.