Corporate report

UKHSA Advisory Board: Audit and Risk Committee minutes

Updated 4 July 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/ukhsa-advisory-board-meeting-papers-for-july-2025/ukhsa-advisory-board-audit-and-risk-committee-minutes

Recommendation

The Advisory Board is asked to note the minutes of 18 March 2025 meeting of the Audit and Risk Committee. The minutes were agreed on 6 June 2025.

Minutes (confirmed), Audit and Risk Committee

Present at the meeting were:

  • Cindy Rampersaud – Non-Executive Member of UKHSA Advisory Board (Chair)
  • Jon Friedland – Non-Executive Member of UKHSA Advisory Board

In attendance were:

  • Tina Clapham - Director, Data and Cyber Security
  • Jon Cocking - Director People and Workplace
  • Dame Jenny Harries – Chief Executive
  • Luke Heath - Chief Financial Officer (interim)
  • Rachel Nugent - Director, National Audit Office
  • 16 attendees had their name and title redacted

Apologies were received from:

  • Sir Gordon Messenger – Non-Executive Member of UKHSA Advisory Board
  • Simon Blagden – Associate Non-Executive Member of UKHSA Advisory Board
  • Tim Andrews – Finance Director, DHSC
  • Andy Brittain – Director General Finance, DHSC
  • Suzy Powell - Director, Emergency Preparedness and Health Protection
  • 1 apology had their name and title redacted

Welcome and apologies

25/001 The Chair welcomed all attendees to the meeting and apologies were noted. (Action: Secretariat)

25/002 No declarations of interest were given in respect to the Audit and Risk Committee agenda. (Action: Secretariat)

Minutes of the previous meeting

25/003 The minutes from the last meeting on 9 December 2024 (enclosure ARC/25/001) were agreed.

25/004 Regarding action 24-022 on collaboration between Advisory Board committees on risks, it was clarified that the SRC would refer matters of risk to ARC as needed and that the secretaries would cross-check the minutes and action logs of both committees for alignment, escalating any matters for attention.

Matters Arising

25/005 The action list (enclosure ARC/25/002) was noted and those marked for closure were closed.

25/006 The Committee asked that a date be set soon for the deep dive on finance which should be run as a workshop not a meeting item.

25/007 The Committee asked that prioritisation work on internal audit actions be added to the Committee action log to monitor.

Finance Update

25/008 The Director, Finance, Performance, Risk and Assurance and the [Title redacted] presented the finance update (enclosure ARC/25/003) which covered the latest financial position, the Finance and Control Improvement Programme, the Spending review and work to prepare the annual report and accounts 2024-25. They also presented updates on anti-fraud (enclosure ARC/25/004) and on the Standing Financial Instructions (enclosure ARC/25/005).

25/009 The Committee noted the finance update and the following points made during the presentation:

  • since the previous meeting additional funds had been secured through Phase One of the Spending Review.
  • the 2025-26 business planning process had concluded and Directors had been allocated their budgets.
  • DHSC had recognised that UKHSA was unable to absorb the cost of the pay increase in its budget, but had agreed with UKHSA to revisit this later in the financial year. The Committee was assured that this was reasonable given that before the end of the year many factors could change the amount needed.
  • in response to concerns about forecasts the finance team planned to organise ‘capital challenge sessions’ in Q3 to support teams to manage their budgets and capacity and to unblock delays to delivery. An update would be provided in June. The team was advised to look at assurance and audit reports for recommendations on this. (Action: Luke Heath)
  • the Committee asked whether investment in projects would be prioritised according to risk and was assured that this was being considered.
  • all returns for the Spending Review had been submitted to DHSC and work was proceeding to engage Ministers and work with DHSC and the Treasury on bids. [Information redacted in accordance with the Freedom of Information Act 2000.]
  • the Finance and Control Improvement Programme was undergoing a review and was likely to be renamed. The biggest concern was UKHSA having the capacity to drive the work forward and the review was looking into this.
  • the Annual Report and Accounts process was in a better place than in previous years, with lessons learned being taken into account. The interim audit was underway and a new support contract for the annual report was out to tender. The Committee advised the team to consider any onboarding that might be necessary to ensure this year’s auditors fully understood UKHSA’s circumstances.

25/010 The Audit and Risk Committee noted the update on anti-fraud activity, which covered the outcome from the GovS013 Functional Standard assessment and the Q3 progress update on the anti-fraud action plan.

25/011-25/013 [Information redacted in accordance with the Freedom of Information Act 2000.]

25/014 The Audit and Risk Committee noted the update to the Standing Financial Instructions (SFIs), which had been agreed by the Executive Committee on 13 March 2025.

25/015 The Committee was assured that the delegations in the SFIs were typical of comparable organisations. The Committee requested that the SFIs be shared with the GIAA for feedback. (Action: Luke Heath)

National Audit Office (NAO) update

25/016 The Audit and Risk Committee noted the update from the National Audit Office, in which the draft management letter 2023-24 (enclosure ARC/25/006) and audit planning report 2024-25 (enclosure ARC/25/007) were presented.

25/017 The Committee noted the draft management letter

25/018 In discussion the following points were made:

  • the Committee requested that the management response be shared when possible. (Action Luke Heath)
  • the Committee asked whether there was enough resource within UKHSA to support the work, and was assured that there was subject to improvements feeding through into the accounting work.
  • while covid was no longer a priority issue in health, with the organisation’s focus having moved to new pathogens, it was still very significant in the organisation’s accounts.
  • [Information redacted in accordance with the Freedom of Information Act 2000.]

25/019 The Committee noted the audit planning report 2024-25, and, regarding points of enquiry set out on page two of the audit planning report, confirmed it had nothing further to report to the NAO. The following points were made in discussion:

  • the Committee was reassured that the materiality increase was not significant
  • the risks were comparable to the previous year, with two merged and two downgraded
  • the interim audit was making good progress with the speed and quality of evidence returned an improvement on the previous year.
  • [Information redacted in accordance with the Freedom of Information Act 2000.]

Government Internal Audit Agency (GIAA) update

25/020 [Title redacted] presented the progress report on the 2024/25 internal audit plan (enclosure ARC/25/008) and gave a verbal update on the draft internal audit plan 2025/26.

25/021 The Audit and Risk Committee noted the papers and the update

25/022 The Committee agreed that the executive, working with GIAA, should produce a clear plan to reduce and close all overdue actions within the next 12 months. A regular report should be provided to track, against each action, the risk level, accountable individual, and target completion date. (Acton: Luke Heath / Jon Cocking)

25/023 [Information redacted in accordance with the Freedom of Information Act 2000.]

Corporate assurance and audit update

25/024 [Title redacted] presented an update on corporate assurance and the delivery of internal audit recommendations (enclosure ARC/25/009). The paper also explained the vision for Corporate Assurance and the proposed mandate to expand the scope of work carried out by Corporate Assurance.

25/025 The Committee noted the update, and it was confirmed that the team would provide the Committee with a report on internal audit actions as discussed under the previous item along with an update on the process being developed for the organisation to manage the risk attached to unclosed actions.

25/026 In discussion, the Committee recognised a need to develop a culture of focus on audit and assurance and that a top-down focus on this would be welcome. The team registered its ambition to get more involved in the planning and scoping of audits and to help teams do better at preparing for audits and evidencing delivery of actions.

25/027 The Committee suggested that it might be helpful to integrate some elements of the Corporate Assurance report with the report from the GIAA. (Action: Luke Heath)

UKHSA Strategic Risk Register

25/028 [Title redacted] introduced the paper (enclosure ARC/25/010) which covered the Q3 report on the current strategic risk register and an update on work to refresh the register.

25/029 The Audit and Risk Committee noted the update

25/030-25/032 [Information redacted in accordance with the Freedom of Information Act 2000.]

25/033 The Audit and Risk Committee endorsed the latest version of the strategic risk register, [Information redacted in accordance with the Freedom of Information Act 2000.]

Health and safety update

25/034 The Director, People and Workplace and the Deputy Director, Workplace and Health and Safety introduced the paper (enclosure ARC/25/011) which provided the latest update on health and safety within UKHSA.

25/035 The Committee noted the report

25/036 [Information redacted in accordance with the Freedom of Information Act 2000.]

25/037 The Committee was also interested in whether wellness and psychological safety was in scope of Health and Safety activity at UKHSA. This was confirmed, with a sub-committee dedicated to work-related stress. The Committee was keen to see these topics covered in future reporting.

Annual Clinical and Health Protection Quality Report 2024/25

25/038 [Title redacted] introduced the paper (enclosure ARC/25/012) which presented the first annual Clinical and Health Protection Quality report.

25/039 The Committee noted the report and in particular the following points:

  • corporate support was needed to deliver the standards of quality needed; to understand the end-to-end service, aims and common language.
  • There was a need for better central data to provide management with a good oversight.

25/040 The Committee was interested in the parallels with the governance of other areas of work, such as science quality, and understood that these were managed separately. The Committee recognised that culture and compliance, as discussed earlier in the meeting, was a theme that was also relevant to these areas of work.

25/041 The Audit and Risk Committee endorsed the internal publication and dissemination of the Annual Report and endorsed the next (2025/26) Annual Report publication date.

Information governance and Senior Information Risk Owner (SIRO) metrics

25/042 The Director, Data Protection, Security & Technology Services introduced the paper (enclosure ARC/25/013), which updated the Committee on risk to the delivery of the strategic priorities relating to information governance and security, The regular report on SIRO metrics was also provided (enclosure ARC/25/013).

25/043 The Audit and Risk Committee noted the update

25/044 The Committee asked to review the plan and success measures for the Transformation Programme when available, and to monitor delivery over the course of the programme, for assurance that the investment had the required impact. (Action: Steven Riley / Tina Clapham)

25/045 The Committee was supportive of the programme having a focus on compliance culture and recommended that the People and Workplace team input into that.

25/046 The Committee noted a request to the Executive from the Director, Data Protection, Security & Technology Services for support to navigate approvals processes as quickly as possible. (Action: Luke Heath)

Audit and Risk Committee Forward Look

25/047 The Audit and Risk Committee noted the forward look (enclosure ARC/25/015).

25/048 Suggested topics for further discussion included:

  • the risk appetite workshop and financials workshop should take place before the next meeting if possible.
  • the next update on the strategic risk register should cover external context.
  • risk relating to culture and compliance should return for discussion, mindful of overlap with the work of the People and Culture Committee.

Any other business

25/049 There being no further business the meeting closed at 12.50pm.

25/050 There followed a closed session meeting between non-executive Committee members, the GIAA and NAO.

25/051 The next meeting would take place on 3 June 2025

For noting

25/052 Background papers from GIAA

Back to top