UKHSA Advisory Board: Audit and Risk Committee minutes
Updated 11 September 2023
Date: 13 September 2023
Sponsor: Cindy Rampersaud
Recommendation
The Advisory Board is asked to note the minutes of the 6 June 2023 meeting of the Audit and Risk Committee. The minutes were agreed on 5 September 2023.
Minutes (confirmed), UKHSA Audit and Risk Committee, Tuesday 6 June 2023
Present at the meeting were:
- Cindy Rampersaud – Chair, UKHSA Audit and Risk Committee and Non-Executive member of the UKHSA Advisory Board
- Simon Blagden – non-executive member
- Sir Gordon Messenger – non-executive member
In attendance were:
- Professor Dame Jenny Harries – Chief Executive
- Ian Peters – Chair of UKHSA Advisory Board
- Andrew Sanderson – Director General, Finance, Commercial and Corporate Services
- Donald Shepherd – Director of Finance
- Alex Sienkiewicz – Director of Corporate Services
- 17 attendees had their name and title redacted
Introductions and apologies
23/051 The Chair welcomed all attendees to the meeting.
23/052 The Chair had attended the Department of Health and Social Care (DHSC) Audit and Risk Committee (ARC) on 25 May 2023 with UKHSA colleagues. DHSC had been very supportive of the challenges facing UKHSA and in particular its re-sizing after the COVID-19 pandemic. The importance of following and tracking the Finance and Control Improvement Plan had been emphasised and any additional resource requirements to achieve this should be flagged with the department at an early stage.
23/053 It had also been agreed that there was a need for a joined-up approach to determine the requirement for the UKHSA estate and laboratories going forward, ensuring alignment with the wider health estate. It was reported that Shona Dunn, the Second Permanent Secretary, would be leading on this work on behalf of DHSC.
Minutes of the previous meeting
23/054 The minutes from the last meeting on 28 March 2023 (enclosure ARC/23/020) were agreed. ARC asked for the minutes to include further detail of the challenging nature of the discussions going forward. The Governance team would consider approaches to balance further detail in the minutes and presentation at public Advisory Board meetings. (Action: Name redacted)
Matters arising
23/055 The action list (enclosure ARC/23/021) was noted.
Government Internal Audit Agency (GIAA) update
23/056 The paper (enclosure ARC/23/022) provided an update on the delivery of the 2022 to 2023 audit plan and details of the internal audit opinion on the strength of risk control and governance arrangements.
23/057 - 23/058 [Information withheld in accordance with the Freedom of Information Act 2000]
23/059 The paper highlighted six common themes for management to consider when making decisions and changing processes. The risk control framework, set out as part of the revised Orange Book, would provide a useful checklist for better assurance around risk control and governance arrangements.
23/060 It was clarified that the final Head of Internal Audit annual report would be ready in 4 weeks and would be considered by the UKHSA Executive Committee (ExCo) and then ARC in September 2023.
23/061 The Committee suggested that the finance and control improvement programme should feature more prominently in the report and it was confirmed that this would be referenced as part of the executive summary.
23/062-063 [Information withheld in accordance with the Freedom of Information Act 2000]
23/064 The Committee discussed income generation and whether the report should provide a narrative on its importance to the organisation. It was clarified that UKHSA would not seek to be dependent on income generation to provide its core services, but appropriate governance needed to be put in place for working with external partners.
23/065 The role of UKHSA needed to be fully understood by external stakeholders and the Committee asked about the connections and sharing themes identified through audit across organisations. GIAA currently audited around 85% of government. Part of GIAA’s role was to look at themes across government and this had already commenced on some topics, reports of which could be made available to members upon request. The intention was to share any pertinent insights with UKHSA going forward. [Information withheld in accordance with the Freedom of Information Act 2000]
23/066 It was suggested that a discussion examining the focus areas for work going forward with external organisations and the risks in relation to the management of interfaces and dependencies take place at a future ARC or Advisory Board session. (Action: Name redacted)
23/067 The Committee noted the improvements that had been made and thanked the Government Internal Audit Agency for the update.
Finance update
23/068 The Chief Financial Officer provided a Finance update (enclosure ARC/23/023) that included:
- a progress update against the 2022 to 2023 Annual Report and Accounts (ARA) preparation and audit timetable
- the draft 2022 to 2023 UKHSA Annual Report and Accounts for review and comment by ARC members
- details of key areas of accounting judgement, features of the 2022 to 2023 account, issues identified with the prior year account and areas of ongoing work or review
- an update on the progress of the Finance and Control Improvement Programme
23/069 The Committee asked about any difficult issues that had been encountered during the improvement programme. It was explained that non-current assets, including assets under construction, had been a focus for ongoing work. There were a high number of assets which required a full existence and verification evaluation so that a solid baseline was provided for future years. A number of items had also been identified as requiring adjustment. This was time consuming due to the volume and would likely be ongoing after 19 June 2023. The National Audit Office (NAO) had adjusted their schedule to accommodate.
23/070 Resourcing remained a risk area with a challenging recruitment timetable to fill posts. This may also impact the ongoing requirement for higher levels of accuracy and the end-to-end processes with human resources (HR) and commercial. This had been factored into the multi-year action plan, but any issues with recruitment could compromise the trajectory.
It was clarified that sufficient resource was in place to produce accounts for 2022 to 2023. However, the main resource challenges would be at year end when simultaneously responding to the audit whilst fixing any problems to ensure they were not an issue for future years. To mitigate this, there was a focus on recruitment and links were in place with Talent Management, DHSC and individuals who may be redeployed.
23/071 It was clarified that the strategic future of the Harlow programme was subject to a ministerial process and work was ongoing. Discussions concerning its future were complex. There were currently no material changes to the handling of the matter in the 2022 to 2023 accounts.
23/072 It was agreed that:
- further comments on the ARA would be provided to [Title redacted] and the [Title redacted] by 9 June 2023
- the ARA would be reviewed at the ARC on 5 September 2023 with an additional meeting in October for final endorsement
- any resourcing risks that materialised and which may impact on the agreed timetable for the production of the ARA would be flagged by management so that government could be informed
- any risks that threatened the removal of the disclaimer should be prioritised above the risks relating to the removal of qualifications
23/073 ARC expressed their thanks for the significant improvements that had been made over the prior year.
Anti-fraud team update
23/074 The [Title redacted] presented a paper (enclosure ARC/23/023) which provided an update on the work of the UKHSA Anti-Fraud team.
23/075 It was highlighted that there had been a high reliance on a temporary workforce that had presented significant challenges throughout 2022 to 2023. A new Head of Anti-Fraud had recently been appointed. In addition, in May 2023 the recruitment campaign had concluded for the other 4 positions within the team. The Public Sector Fraud Authority (PSFA) had agreed to provide training to all new staff to meet accreditation standards as Fraud professionals. This had been arranged in collaboration with DHSC.
23/076 The new resource would allow the work programme to be accelerated with a focus on risk assessments.
23/077 ARC reminded management of the importance of prioritising the production of a strategy, outcomes-based metrics and an action plan. (Action: Andrew Sanderson / [Name redacted])
National Audit Office update
23/078 The Director of Engagement, NAO Audit, presented the Audit Planning Report (enclosure ARC/23/04) which detailed the proposed approach for the audit of the 2022 to 2023 financial statements.
23/079 - 23/081 The Committee noted the overview of audit risks and that any changes to the provisional risk plan would be communicated. [Information withheld in accordance with the Freedom of Information Act]
23/082 It was confirmed that the problems experienced during testing of the stock takes were not present this year and this was a significant improvement.
23/083 It was also confirmed that the Public Accounts Committee report (based on the NAO report) due for publication soon was not expected to produce additional actions.
UKHSA Strategic Risk Register
23/084 The Director of Corporate Services presented the latest version of the Strategic Risk Register (SRR) (enclosure ARC/23/025). ARC noted the current position of risks as agreed by ExCo. It also noted the additional SRR item relating to target risk to assist with consideration of risk appetite.
23/085 ARC noted:
- the updates on the risks that had previously been highlighted
- that an approach to risk appetite was being looked at, benchmarking to DHSC’s approach
- the publication of the new Orange Book on risk management produced by HM Treasury and the work being done to align UKHSA policies and processes with the revised guidance
- the beginning of a process to identify an Enterprise Risk Management application to streamline risk management and reporting
23/086 Business Continuity Plans existed at Group level with work underway to develop an agency wide plan. There would be a focus on critical infrastructure with other partners (for example Home Office). Additionally it would tie into Ready to Respond work presented to the May Advisory Board. Risks around emergency preparedness and response would feature at the next meeting. It was suggested an exercise to test the response system could be held and feature in the September update.
23/087 ARC discussed the merits of recognising the management of external relationships as a risk in its own right. It was explained that much of this was already captured in existing risk management and risk mitigation in areas such as emergency response, the health protection systems with local authorities and pandemic preparedness. It was confirmed that existing external relationship managers were in place in the strategic management team and the commercial team. However, it was acknowledged that having the right connections in relation to operational response would benefit from further consideration and that this also linked to cross-organisational working.
23/088 ARC discussed risk 12 relating to staff and public safety and asked about seeing more detailed information about the metrics (for example, slips, trips and falls and lost time incidents). It was explained that the internal platform MaPS was not yet able to provide this information.
23/089 It was recommended that:
- advice was sought on how the Advisory Board could support relationship management and improve linkages with external organisations. (Action: Name redacted)
- health and safety data currently available would be provided to the Committee as a matter of routine; and (Action: Alex Sienkiewicz)
- the work undertaken in relation to human factors of laboratory work and the mitigations in place would be made available to the Committee members. (Action: Alex Sienkiewicz)
Deep Dive on Recruitment and Retention
23/090 The [Title redacted] presented a paper on people related strategic risks and the governance mechanisms in place to manage these risks (enclosure ARC/23/026).
23/091 ARC noted:
- the current people focused SRR risks and their mitigations
- the roles and responsibilities relating to skills development and how this linked to the role of Head of Profession
- that workforce, recruitment, and organisational culture were already areas of focus and assurance for the Advisory Board and People and Culture Committee
23/092 It was agreed that skills would benefit from further discussion and this would be scheduled for a future meeting. (Action: Jac Gardner / [Name redacted])
23/093 The Committee discussed first line responsibility which should primarily sit with line managers rather than ExCo. Details of the delineation of responsibilities would be discussed further at the People and Culture Committee.
23/094 The Committee discussed leavers and observed there was often little flexibility to retain people through salary increases. It was suggested that investment in training could help with retention and organisational resilience.
23/095 The Committee observed that UKHSA employed some individuals that were highly experienced and experts in their field. However, there was often a gap in succession because investment in the necessary training for potential successors had not been possible.
23/096 ARC also discussed:
- whether there were opportunities to leverage and deploy processes from elsewhere to reinforce first line responsibility
- whether pulse surveys had been undertaken to identify problem areas and how these related to staff turnover
- the role of the brand work and how this could help in retention
- HR operational delivery (for example processing changes, compliance with policy) and how this contributed to the overall risk and mitigation strategy
23/097 It was also noted that the NHS were looking to build in modular training for many of their staff. The NAO had introduced performance coaches, separate from line managers, to help manage careers and the result had been a positive impact on retention.
ARC Annual Report and Effectiveness Review
23/098 The Chair of UKHSA Advisory Board presented the UKHSA ARC Annual Report for 2022 to 2023 and the outcome of the effectiveness review (enclosure ARC/23/027) including proposed recommendations for the coming year.
UKHSA ARC Annual Report
23/099 2022 to 2023 had been a year of establishment and seen a progressive evolution in the way in which the ARC operated. A number of new disciplines had been introduced during the year, including the approach to strategic risk review, whilst operating in a highly dynamic and uncertain environment. There had been considerable focus in the second half of the year on the disclaimed accounts opinion and the development and mobilisation of the financial improvement plan.
23/100 A baseline had been established from a wide range of internal audits. Most of these audits had resulted in a ‘limited’ assessment and the expectation was that during 2023 to 2024 there would be an upward movement in these ratings. The number of outstanding audit actions had also been greatly reduced.
Effectiveness Review
23/101 A short questionnaire was shared with members of the ARC as part of the Advisory Board effectiveness review process and a more detailed toolkit questionnaire was completed by the interim ARC Chair which focused specifically on how the Committee operated in line with the requirements of the HM Treasury toolkit.
23/102 The reviews found that the ARC was operating in line with its terms of reference and was meeting the standards as set out in the toolkit. Of particular value were the conversations after the formal agenda with the NAO and GIAA. The appointment of Cindy Rampersaud had resolved a number of findings in respect to the skills and membership of the committee.
23/103 The action plan included:
- a more structured approach to the forward look;
- greater focus on strategic risks, risk appetite and their mitigations and controls; and
- enhanced focus on the internal controls framework and assurance.
23/104 In addition, there were some learning aspects about how to improve the relationships between the Committees and the Advisory Board.
23/105 ARC agreed the recommendations and implementation for the 2023 to 2024 reporting year.
23/106 The Committee observed that the position was much improved over the previous year and suggested that feedback from ExCo would also be very helpful in determining whether the ARC was striking the right balance between challenge and support.
UKHSA Internal Audit Actions update
23/107 ARC noted the summary report (enclosure ARC/23/028).
23/108 The number of overdue actions had reduced from 65 in January 2023 to 11 in May 2023. The number of open actions had increased due to the number of internal audits which had generated additional actions, but there had also been an increase in the number of completions.
23/109 The Risk and Assurance team provided a monthly summary to ExCo and its members’ private offices, listing all overdue and open actions. The team had focused on engaging with private offices, control owners and action owners to ensure the actions were being progressed and they were recognising the benefit of being informed and part of the process.
23/110 The Committee asked whether some of the historical actions (and items on the strategic risk register) could now be closed or consolidated as they were now out of date or no longer relevant. It was explained that the GIAA had undertaken a review of historical actions and closed a number down. The remaining open historical actions were still valid as they remained pertinent to UKHSA operations. Each recommendation on the Trackwise system may result in multiple actions for management, which could not be closed until all actions were completed.
23/111 The Risk and Assurance team were now involved earlier in the audit process to ensure they understood the relevant details and to improve the actions in response to findings. Going forward, some of the larger actions would be broken down to provide a more transparent view of progress.
23/112 The timescales between field work being undertaken and audit reports being published were reducing.
23/113 The Committee discussed how well understood the three lines of defence was across the organisation. It was explained this was a matter of ongoing work and UKHSA would embed the updated Orange Book standards. The Assurance Framework which was in development would help address this, together with the work on compliance with functional standards. The Committee emphasised the importance of the first line understanding their responsibilities across all strategic risks.
ARC forward look
23/114 ARC noted the forward look (enclosure ARC/23/029) which had been updated following points raised during the previous meeting, and in consultation with the ARC Chair.
23/115 The Non-executive members would email any further comments to the [Title redacted] and [Title redacted].
26/116 It was agreed that the risk concerning the public inquiry and the resource required to respond, together with the organisational and reputational risks, would be brought forward for consideration at the next ARC meeting on 5 September 2023. Regular updates would also be scheduled. (Action: Scott McPherson / [Name redacted])
Any other business
23/117 There being no further business, the meeting closed at 12:58pm.
June 2023