Corporate report

UKHSA Advisory Board: Audit and Risk Committee minutes

Updated 12 May 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/ukhsa-advisory-board-meeting-papers-for-may-2025/ukhsa-advisory-board-audit-and-risk-committee-minutes

1. 1. Recommendation

The Advisory Board is asked to note the minutes of 9 December meeting of the Audit and Risk Committee. The minutes were agreed on 18 March 2025.

2. 2. Minutes (confirmed), Audit and Risk Committee, 9 December 2024

Present at the meeting were:

  • Cindy Rampersaud – Non-Executive Member of UKHSA Advisory Board (Chair)
  • Ian Peters - Non-Executive Chair of UKHSA Advisory Board

In attendance were:

  • Tina Clapham - Director, Data and Cyber Security
  • Dame Jenny Harries – Chief Executive
  • Scott McPherson - Director General, Strategy, Policy & Programmes
  • Marc Merel - Director of Evaluation & Translation
  • Donald Shepherd - Director of Finance- Andy Brittain – Director General Finance, DHSC
  • Rachel Nugent - Director, National Audit Office
  • 16 attendees had their name and title redacted

Apologies were received from:

  • Sir Gordon Messenger – Non-Executive Member of UKHSA Advisory Board
  • Jon Friedland – Non-Executive Member of UKHSA Advisory Board
  • Simon Blagden – Non-Executive Member of UKHSA Advisory Board
  • Luke Heath – interim Chief Financial Officer
  • Suzy Powell - Director, Emergency Preparedness and Health Protection
  • Alex Sienkiewicz – Director of Corporate Services

3. 3. Introductions and apologies

24/200 The Chair welcomed all attendees to the meeting.

24/201 Apologies were given. The meeting was deemed to be quorate with Ian Peters representing Jon Friedland.

24/202 No declarations of interest were given in respect to the Audit and Risk Committee agenda.

4. 4. Minutes of the previous meeting

24/203 The minutes from the last meeting on 10 September 2024 (enclosure ARC/24/057) were agreed.

5. 5. Matters Arising

24/204 The action list (enclosure ARC/24/058) was noted and those marked for closure were closed and some points were referred to the forward look item.

24/205 Regarding action 24-134 and the strategic risk register, the Committee asked that the Science and Research Committee oversee UKHSA’s management of risks relating to science and research rather than duplicate that work at both committees. It also recommended that the full risk register should go to the Advisory Board as a regular item to prompt scrutiny of all areas of risk. (Action: Secretariat)

24/206 The Committee noted an update on the ongoing SCS restructure and governance changes at UKHSA, which was due to complete in the new year, and that this work was in progress while the recent GIAA audit of Corporate Governance was carried out.

6. 6. Annual report and accounts

24/207 [Title redacted] introduced the final version of UKHSA’s annual report and accounts 2023-24 (enclosure ARC/24/074) with a list of amendments since last circulated (enclosure ARC/24/075). Also provided were the audit completion report (enclosure ARC/24/076) and the draft letter of representation (enclosure ARC/24/077).

24/208 UKHSA received a limitation of scope opinion over its audit, since the in-year movements in the comparative period (2022-23) and the Covid Vaccine Unit opening balances remained unassured. This represented an improvement on the previous year and the best that could have been achieved this year in the circumstances.

24/209 In discussion the following points were made:

  • the NAO expected to be able to certify the accounts once the signed copy was submitted.
  • [Information redacted in accordance with the Freedom of Information Act 200.]
  • the Finance and Control Improvement Programme (FCIP) had been driving improvement.
  • the best that could be achieved with next year’s accounts would be a limitation of scope. This would be due to comparatives with parts of the 23-24 accounts relating to the Covid Vaccines Unit.

24/210 The Committee noted thanks to everyone involved in producing the report for their hard work and collaboration. Particular thanks were noted to Madeline Fieldman, the Deputy Director, Finance Control and Operations. A lessons-learned exercise would be carried out so that any identified improvements might be made next time, and would feed into the FCIP.

24/211 The Committee noted the papers and agreed to recommend the annual report and accounts for signing. Subsequently, all absent non-executive members of the Committee confirmed their agreement by correspondence.

7. 7. Government Internal Audit Agency (GIAA) update

24/212 The Head of Internal Audit presented the annual internal audit report and opinion 2023/24 (enclosure ARC/24/059) and a progress report against the internal audit plan for 2024/25 (enclosure ARC/24/061).

24/213-24/215 The Audit and Risk Committee noted the papers and the update, in which the following points were made: [Information redacted in accordance with the Freedom of Information Act 2000.]

8. 8. Finance Update

24/216 The Director of Finance introduced the paper (enclosure ARC/24/060) which covered the latest financial position and updates on the spending review, FCIP, Money and People Services (MaPS), and fraud.

24/217 The Committee noted the update, in which the following points were made:

  • a break-even position was expected by the end of the financial year if the normal pattern held.
  • the spending hole of approximately £35m that had emerged in-year had been met by UKHSA’s savings and reallocation exercise and a contribution from DHSC.
  • some extra capital had been secured to put towards cyber and technology needs.
  • the latest modelling was forecasting lower-than-anticipated vaccine use, contributing to underspend, but forthcoming policy decisions might reduce that.
  • the FCIP was being reset to make it more strategic and internalised; plans were going to the FCIP Board in January.

24/218 The Committee asked whether the in-year savings exercise posed a risk to delivery of UKHSA’s remit. UKHSA had considered that risk and had secured the budget it needed to be able to meet its core remit. However, a recruitment freeze had contributed to resourcing issues in some areas, which were being monitored.

24/219 The Committee was also interested to hear more about the implementation milestones and timeline for the MaPS work, which it felt was important to guard against scope-creep, and to confirm that audit findings were feeding into the work. (Action: Luke Heath)

9. 9. National Audit Office (NAO) update

24/220 The update from the NAO was covered under the item on the annual report and accounts.

10. 10. Corporate assurance and audit update

24/221 [Title redacted] presented an update on corporate assurance and the delivery of internal audit recommendations (enclosure ARC/24/062).

24/222 The Committee noted the vision for Corporate Assurance and the proposals to expand the scope of work carried out by Corporate Assurance as outlined in the paper.

24/223 The Committee noted the update on internal audit actions, including the review of high priority overdue actions as requested by the Audit and Risk Committee.

24/224 The Committee observed that the detail on action plans and targets that was now included in the overdue actions report was helpful and recognised that UKHSA’s efforts seemed to be contributing to an improved closure rate.

24/225 The Committee was interested in opportunities for more efficient delivery of recommendations by collaborating or asking for help externally, for example across government. In response it was confirmed that the Corporate Assurance team tried to look out for any such gaps and opportunities, and specifically that DHSC was seeking to get UKHSA joined up with wider government work on cyber and information security.

11. 11. UKHSA Strategic Risk Register (SRR)

24/226 [Title redacted] introduced the paper (enclosure ARC/24/063) which presented the latest iteration of the risk register, summarised recent discussions with Advisory Board committee members and the Executive Committee on strategic risks, and the planned next steps to update the Strategic Risk Register by 1 April 2025.

24/227 The Audit and Risk Committee noted the update, in particular the following points:

  • there was consensus that the content of the register should be considered from a science and research perspective.
  • a shorter list of strategic risks was being drafted for the Executive Committee to consider before bringing to the Audit and Risk Committee. The aim was to have these agreed for the new financial year.
  • [Information redacted in accordance with the Freedom of Information Act 2000.]

24/228 The Committee recognised that further work was needed on setting and using risk appetite and felt that this should be informed by DHSC’s own approach and view. A further workshop on setting risk appetite was being scheduled. There was support for this to be externally-facilitated.

12. 12. Science infrastructure risk

24/229 The Director General, Strategy, Policy & Programmes introduced the paper (enclosure ARC/24/064) which provided an update on risk to the delivery of the strategic priorities relating to the science infrastructure, the mitigations in place, and the timeline for delivery of solutions and further mitigations, including a progress report on the Science Hub Programme.

24/230 The Committee noted the report and in particular the following points:

[Information redacted in accordance with the Freedom of Information Act 2000.]

24/031 The Committee recognised that UKHSA’s management of the science infrastructure risk had a significant dependency on the future of the Science Hub, a decision which was held by ministers. The Committee heard that DHSC would support UKHSA in engaging ministers to reach an informed decision.

13. 13. Information governance and SIRO metrics

24/232 The Director, Data and Cyber Security introduced the paper (enclosure ARC/24/065), which provided an update

24/233-24/235 The Audit and Risk Committee noted the update. In particular the following points were discussed: [Information redacted in accordance with the Freedom of Information Act 2000.]

14. 14. Audit and Risk Committee Forward Look

24/236 The Audit and Risk Committee noted the forward look (enclosure ARC/24/066).

24/237 Suggested topics for further discussion included:

  • the desire for a deep dive on financial reporting to the Committee was reiterated.
  • a workshop on risk appetite, a regular deep dive on risk and it was recommended that the Advisory Board see the risk register at least once per year.
  • a deep dive on the FCIP and its reset.
  • lessons learned on the annual report and accounts process

24/238 It was also suggested that the proposed item on staff engagement be referred to the People and Culture Committee, with the Audit and Risk Committee focusing on the risk of skills gaps.

15. 15. Any other business

24/239 There being no further business the meeting closed at 4.30pm.

24/240 There followed a closed session meeting between non-executive Committee members and union representatives.

24/241 The next meeting would take place on 18 March 2025.

Back to top