Corporate report

UKHSA Advisory Board: Audit and Risk Committee minutes

Updated 20 November 2025

1. Recommendation

The Advisory Board is asked to note the minutes of the 3 June 2025 meeting of the Audit and Risk Committee. The minutes were agreed on 15 September 2025.

2. Minutes

Present at the meeting were:

  • Cindy Rampersaud – Non-Executive Member of UKHSA Advisory Board (Chair)
  • Jon Friedland – Non-Executive Member of UKHSA Advisory Board
  • Sarah Jensen – Associate Non-Executive Member of UKHSA Advisory Board
  • Sir Gordon Messenger – Non-Executive Member of UKHSA Advisory Board

In attendance were:

  • Dyfed Alsop - Chief Operating Officer and Acting Chief Executive
  • Tina Clapham - Director, Data and Cyber Security
  • Jon Cocking - Director, People and Workplace
  • Rachel Nugent - Director, National Audit Office
  • 14 attendees had their name and title redacted

Apologies were received from:

  • Luke Heath - Chief Financial Officer (interim)

3. Welcome and apologies

25/053 The Chair welcomed all attendees to the meeting and apologies were noted.

25/054 The Chair welcomed Sarah Jensen to her first meeting as a member of the Audit and Risk Committee and noted that Simon Blagden had left the committee. The Chair also welcomed Dyfed Alsop to his first meeting as interim Chief Executive.

25/055 No declarations of interest were given in respect to the Audit and Risk Committee agenda.

4. Minutes of the previous meeting

25/056 The minutes from the last meeting on 18 March (enclosure ARC/25/022) were agreed.

5. Matters arising

25/057 The action list (enclosure ARC/25/023) was noted and the Committee agreed that those marked for closure be closed.

25/058-25/060 [Information redacted in accordance with the Freedom of Information Act 2000]

6. Finance update

25/061 [Title redacted] presented the finance update (enclosure ARC/25/024) which covered the latest financial position, the Evolve Programme (formerly Finance and Control Improvement Programme), the Spending review and work to prepare the annual report and accounts 2024-25. They also presented updates on anti-fraud (enclosure ARC/25/025).

25/062 The Committee noted the finance update and the following points made during the presentation:

  • Core outturn was 0.3%, reflecting good forecasting and budget management.
  • In future years, managing budget reductions and unfunded pay awards might require longer term planning and structural changes.
  • The spending review was ongoing.
  • The cyber bid was separate to the core budget and £50million had effectively been underwritten by DHSC.
  • The Evolve Programme now had all its workstreams in place and progress was being made, with an outstanding audit being handled.
  • The annual report and accounts 2024-25 was on track with fixed assets remaining the biggest risk to the timetable.

25/063 The Audit and Risk Committee noted the update on anti-fraud activity: [Information redacted in accordance with the Freedom of Information Act 2000.]

25/064 The Committee reflected on the culture around mandatory training in principle. [Information redacted in accordance with the Freedom of Information Act 2000.]

7. National Audit Office (NAO) update

25/065 The Audit and Risk Committee noted the update from the National Audit Office, in which the audit progress report 2024-25 (enclosure ARC/25/026) and the management letter 2023-24 (enclosure ARC/25/027) were presented.

25/066 In discussion the following points were made:

  • There was good progress so far with interim audit testing substantially complete.
  • [Information redacted in accordance with the Freedom of Information Act 2000.]

25/067 The Committee thanked the NAO and Finance team for their work and the huge improvement compared to the previous year.

8. Corporate assurance and audit update

25/068 [Titles redacted] presented an update on corporate assurance and the delivery of internal audit recommendations (enclosure ARC/25/028). The paper also explained how the Corporate Assurance team was working to further support the internal audit process.

25/069-25/070 The Committee noted the update, including the following points: [Information redacted in accordance with the Freedom of Information Act 2000.]

9. Government Internal Audit Agency (GIAA) update

25/071 [Title redacted] presented the progress report on the 2024/25 internal audit plan (enclosure ARC/25/029), draft internal audit plan 2025/26 (enclosure ARC/25/030) and internal audit charter 2025-26 (enclosure ARC/25/031).

25/072 The Audit and Risk Committee noted the papers and the update, in which the following points were made:

[Information redacted in accordance with the Freedom of Information Act 2000.]

25/073 The Committee endorsed the draft internal audit plan 2025-26 subject to comments made.

10. UKHSA Strategic Risk Register (SRR)

25/074 [Title redacted] introduced the paper (enclosure ARC/25/032) which covered the latest iteration of the register (Q4 24/25) and an update on development of the new strategic risk register.

25/075 The Audit and Risk Committee endorsed the latest version of the SRR and noted the update, in particular the following points: [Information redacted in accordance with the Freedom of Information Act 2000.]

25/076 The Committee asked how risk associated with the delivery of Exercise Pegasus was being captured, and was assured that there would be a separate, temporary Exercise Pegasus risk register.

11. Health and safety update

25/077 The Director, People and Workplace and [Title redacted] introduced the paper (enclosure ARC/25/033) which provided the latest update on health and safety within UKHSA.

25/078 The Committee noted the report.

12. Annual whistleblowing report

25/079 [Title redacted] presented the annual whistleblowing report (enclosure ARC/25/034).

25/080 The Committee considered and noted the report, and was assured that there was nothing to suggest any trends or areas of concern.

13. Cyber security and information governance

25/081 The Director, Data and Cyber Security presented an update on progress with meeting DSPT-CAF and the transformation programme (enclosure ARC/25/035). The latest SIRO report was also shared (enclosure ARC/25/036).

25/082 Audit and Risk Committee noted the papers, and in particular:

  • UKHSA was now reaccredited to the DSPT standard and working to meet DSPT-CAF by the end of June 2025. This would be dependent on submitting a successful business case for the Trust Programme, of which the team was reasonably confident.

  • [Information redacted in accordance with the Freedom of Information Act 2000.]

14. Effectiveness review and terms of reference

25/083 The Chair of the Audit and Risk Committee presented a paper setting out the findings and recommendations of the Committee’s latest effectiveness review carried out at the end of the 2024-25 financial year, and a proposed update to the Committee’s terms of reference (enclosure ARC/25/037).

25/084 The Committee agreed the updated terms of reference and effectiveness review recommendations.

25/085 In discussion the following points were made:

  • Agendas were filled by regular reports with not enough space for deep dives. The Committee was keen to rebalance this, and to use the new strategic risk register to help.
  • Environmental, Social and Governance should be added to the forward programme.
  • The terms of reference would go on to the Advisory Board to approve.

15. Audit and Risk Committee Forward Look

25/086 The Audit and Risk Committee noted the forward look (enclosure ARC/25/038) about which several comments had been made in the course of the meeting.

16. Any other business

25/087 There being no further business the meeting closed at 12.30pm.

25/088 There followed a closed session meeting between non-executive Committee members, the GIAA and NAO.

25/089 There would be an informal pageturner on the draft 2024-25 annual report and accounts on 7 August 2025, with the next formal meeting taking place on 15 September 2025.

17. For noting

25/090 The Committee noted the internal audit reports.