Committees of the board meeting minutes

HSE Audit and Risk Committee meeting minutes 11 June 2021

A meeting of the HSE Audit & Risk Committee was held on Friday 11th June 2021 at 08:00 am via videoconference.

Meeting details

Members Present

Ann Markey, Brendan Lenihan (Vice Chair), Fergus Finlay, Fiona Ross, Pat Kirwan, Colm Campbell, Martin Pitt.

HSE Executive Attendance

Patrick Lynch (ND Quality Assurance and Verification), Stephen Mulvany (CFO), James Gorman (Unit Manager, Patient’s Private Property Central Unit), Geraldine Smith (ND Internal Audit) (item 2), Dean Sullivan (CSO) (item 3 & 4), Jim Curran (ND Estates) (item 3 & 4), Dara Purcell (Corporate Secretary), Hannah Barnes.

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda.

1. Governance and Administration

1.1 Welcome and Introductions

The Vice Chair welcomed Committee members to the meeting and held a private session to consider the agenda and papers for the meeting, and the approach to conducting the meeting. Ann Markey agreed to formally act as Committee chair for the purposes of signing the minutes at this meeting and then asked the Vice Chair to handle the conduct of the meeting.

1.2 Declarations of Interest

The V/Chair, Brendan Lenihan, and Martin Pitt agreed to absent themselves for an item which would be considered by the Committee, as they may have a conflict of interest due to previous dealings with the entity.

1.3 Approval of Minutes

The Committee approved the minutes of the 9th April, 22nd April, 10th May, and 21st May.

2. Internal Audit

2.1 Internal Audit Q1 Report

The Committee reviewed with the ND Internal Audit the Q1 Internal Audit Report, which had been originally due to be presented to the Committee at their 14th May meeting but due to the Cyber Attack on the HSE was postponed.

The Committee noted that the Health Care Audit (HCA) team, formerly part of the Quality Assurance & Verification Division (QAV), transferred to the Internal Audit Division with effect from 18th March 2021 when the team resumed duty from a year-long redeployment in support of HSE’s Covid19 response. The overall results of health care audit activity and resourcing will be incorporated in ND IA reporting to the Committee with effect from Q2.

The ND Internal Audit reported to the Committee on the 31 HSE audit reports that were issued within Q1. The Committee were informed that the audit opinions in the Q1 reporting assessed the overall control environment as:

  • unsatisfactory – 4 reports
  • limited – 13 reports
  • moderate – 4 reports
  • satisfactory – 10 reports

Overall, 28 of these reports were HSE based while the others covered HSE Funded Agencies. The ND Internal Audit identified that the 6 Q1 follow-up audit reports represented incomplete implementation of the original audit recommendations in 67% (4 reports) of the follow-up reports, and complete implementation in 33% (2 reports) of the follow-up reports. The Committee noted that 1 report was found to be inaccurate as part of management’s reporting of the implementation status of recommendations.

The ND Internal Audit provided a high-level summary of 6 key HSE reports which were issued in Q1 2021. The Committee sought assurance from the ND Internal Audit that the relevant EMT members would be providing oversight on the issues raised. The ND Internal Audit confirmed that the audit reports had been circulated to the EMT members with remit over the areas and that Internal Audit would be following up on the implementation of the Audit Recommendations.

The Committee requested that the following key reports are to be shared with the Chair of the Safety and Quality Committee: Non-Consultant Hospital Doctor Recruitment - National Report, Children First Legislation, Sligo University Hospital - Saolta Hospital group, Children First Legislation CHO1, and CHO Legislation CHO 4. The Committee requested that the following key reports are to be shared with the Chair of the People and Culture Committee: Non-Consultant Hospital Doctor Recruitment - National Report, Children First Legislation, Sligo University Hospital - Saolta Hospital group, Children First Legislation CHO1, CHO Legislation CHO 4, and the Job Evaluation Scheme.

The Committee noted that the ND Internal Audit advised that due to the severe impact caused by the recent Cyber Attack she would be presenting the Committee with a revised Internal Audit plan for 2021.

2.2 Payroll Irregularities, Internal Control Audit Report

The ND Internal Audit briefed the Committee on the HSE Internal Audit Report: Payroll Irregularities, Internal Controls Audit, which found that the level of assurance that may be provided to management about the adequacy and effectiveness of the governance, risk management and internal control system in this area is unsatisfactory. The key audit findings included a lack of segregation of duties, a lack of management oversight and hierarchical controls, a lack of budgetary control, deficiencies in authorisation of input and output of payroll forms, local payroll cheque handling deficiencies, inadequacies in the HR Census Monitoring process, inadequacies in the leavers process and leavers checklist, and deficiencies in maintenance of employee HR records. The Committee requested that an update on the implementation of the recommendations in the key reports outlined, including the Payroll Irregularities report, is to be brought to the Committee in September. The Committee considered the importance of accountability within the system and asked executives to consider if it would be appropriate for an accountable person at site level to attend the September Committee meeting. The CFO confirmed in response to questions that a learning note was being issued to the system regarding learnings from the payroll fraud incident.

The V/Chair and Martin Pitt absented themselves from the meeting at 09:25 for the discussion of the Q1 Internal Audit Overview of Internal Findings of the report on Section 39 – Pieta House, CHG. It was confirmed that they had not received any documentation relating to this issue. The ND Internal Audit provided an overview of the findings and responded to Committee members’ questions on the report. The Committee noted that a new board is in place within the organisation and that Pieta House have stated that they are now operating in line with the Charities Triple Lock requirements.

Actions

  1. The following key reports are to be shared with the Chair of the Safety and Quality Committee: Non-Consultant Hospital Doctor Recruitment - National Report, Children First Legislation, Sligo University Hospital - Saolta Hospital group, Children First Legislation CHO1, and CHO Legislation CHO 4.
  2. The following key reports are to be shared with the Chair of the People and Culture Committee: Non-Consultant Hospital Doctor Recruitment - National Report, Children First Legislation, Sligo University Hospital - Saolta Hospital group, Children First Legislation CHO1, CHO Legislation CHO 4, and the Job Evaluation Scheme.
  3. An update on the implementation of the recommendations in the key reports outlined at the ARC Meeting 11th June is to be brought to the Committee in September.
  4. The final Payroll Irregularities, Internal Control Audit Report is to be shared with the Chair of the HSE Board.
  5. The final Payroll Irregularities, Internal Control Audit Report is to be shared with the Chair of the People and Culture Committee.
  6. The Committee will meet with a site level accountable person in regard to the Payroll Irregularities, Internal Control Audit Report at their September meeting.
  7. A note is to be issued system wide regarding learnings from the payroll fraud incident. (The CFO is to confirm if this has already been circulated.)

3. Capital

3.1 CNU PPP Contract Update

The CSO accompanied by the ND Estates provided a verbal briefing on the CNU PPP Contracts progress. The Committee noted that the HSE’s due diligence process is ongoing. The funding competition has been concluded and the result is a marginal reduction on the unitary payment previously advised to the Board. All the participants in the funding competition are known to the NTMA. In response to questions the ND Estates confirmed that the design process is being closed out with the design responsibility being given to the contractor. The ND Estates also advised the Committee that the final award of contract decision will be presented to the Board for decision. The minute of the contract award decision will be in a prescribed format. The Committee requested that the prescribed draft of the PPP contract award decision be provided to the Committee at its July meeting.

Actions

  1. The Committee requested that the prescribed draft of the PPP contract award decision be provided to the Committee at its July meeting.

4. Internal controls

4.1 Primary Care Centres

The CSO accompanied by the ND Estates provided a verbal update on the Primary Care Centres location and approval assessment. The Committee acknowledged the progress that had been made since they were last briefed on the proposed approach at the April Committee meeting. The Committee noted that there are 262 Primary care centres contractually committed or fully operational and that further assurances would be provided to the Committee and to the HSE Board.

5. Accounting, Governance and Financial Reporting

5.3 Patients Private Property Accounts 2020

The CFO and the Unit Manager of the Patients Private Property Central Unit briefed the Committee on the Patients Private Property Accounts for 2020. Items circulated in advance of this item included the 2020 PPP Crowleys DFK Management Letter and Consolidated National Accounts and the 2019 C&AG PPP Management Letter. The Committee noted that Crowleys DFK completed their audit of the 2020 PPP accounts nationally and provided the management letter detailing their findings on 31st May 2021. The Committee noted that the value of the PPP fund decreased by €3.6m, driven by a combination of withdrawals of high value probate amounts and a general reduction in the number of new PPP accounts. The number of PP accounts retained at 154 Care Centres at 31/12/2020 was 5037, which is a decrease of 717 on the previous year. The Committee noted the audit findings from the Crowleys DFK management letter and recommended they be shared with the C&AG.

5.1 YTD Update, C.19 Flash Report

The CFO provided a verbal briefing to the Committee on the YTD update and the C.19 Flash report. The CFO advised the Committee that the May financial cycle of reporting was directly affected by the Cyber Attack and noted that the April cycle had already been initiated. The CFO advised the Committee that the target was to ensure the June reporting close date was maintained as normal and that normal reporting dates from then on would be met. The Committee recognised that in normal circumstances the June reporting data would be seen in the second last week of July and made available in the first week of August; however, the implementation of the IFMS programme will eventually shorten this cycle. The Committee discussed the progress of the IFMS programme with the CFO and noted that delays have been incurred due to the 3rd surge of Covid-19 and these have been further impacted by the Cyber Attack, with the close out of the design and build phase being pushed to 15th July.

5.5.1 Financial Matters relating to the ransomware CONTI attack on the HSE’s IT systems

The CFO responded to questions posed by the Committee and confirmed that, due to the cyber-attack, laptops with bank details on them had been compromised and that work is ongoing with the OCIO on this issue, but there has been no evidence of altered banking details. The CFO also confirmed that some HSE systems are in use within TUSLA and other 3rd party stakeholders.

5.4.2 Data Breach update

The DPO provided a verbal update to the Committee on the situation surrounding the data breach following the CONTI Cyber Attack on the HSE. The Committee noted that the DPO had informally contacted the Data Protection Commissioner (DPC) on the 14th of May when the Attack was initially recognised and followed up with a formal notification on 15th May in line with legislation. The DPO informed the Committee that the HSE secured an injunction from the Irish High Court on 20 May 2021. The terms of the High Court Order prevent the publication, sharing, selling or processing of any data exfiltrated from HSE networks, including data held and processed for third parties, including Section 38/39 organisations and TUSLA. The HSE will coordinate the execution of the injunction on behalf of all voluntary organisations. The Committee were advised that the voluntary hospital whose data made up the majority of the stolen data is contacting the affected persons whose data was published online, as it is the data controller in this instance. The HSE DPO is still considering the national position in respect of contacting other persons whose data may have been compromised, in conjunction with legal advice and the DPC.

5.2 C&AG Audit Cert

The Committee noted the C&AG Audit Certification in relation to the HSE’s Annual Financial Statements for 2020 and the accompanying briefing note which was circulated in advance of the Committee meeting.

5.4 Activity Based Funding

It was agreed that in the interest of time this item would be deferred to the next Committee meeting.

Actions

  1. The Committee requested that Crowleys DFK’s Management letter for the PPP Accounts is shared with the C&AG.
  2. The item on Activity Based Funding is to be deferred until the July Committee meeting.

6. Risk Management

The V/Chair of the Committee led a discussion with the ND QAV on the Q1 CRR Review. The Committee noted that since the Q1 review the cyber-attack has had a very significant impact on the profile of many of the risks on the CRR such as:

  • Risk 2: Restoration of services
  • Risk 6: Health Service funding
  • Risk 8: Capacity, access and demand
  • Risk 9: HCAI/AMR [Lab capacity]
  • Risk 13: Cyber Security
  • Risk 15: Screening
  • Risk 17: Organisational Reputation
  • Risk 19: Staff health and safety
  • Risk 21: ICT systems and infrastructure
  • Risk 23: Business Continuity management

The Committee discussed the critical dependencies between the risks, for example cyber security and business continuity planning and management. The Committee decided that it would not refer the quarterly review report to the other HSE Board Sub Committees as part of their oversight role, given the fundamental change in the HSE’s risk profile since the 14th May 2021. In doing so the Committee emphasised that the management of risk is a living process not confined to the formal quarterly review process. As part of the risk assessment, risk owners need to further evaluate the potential impact of risks materialising and place a greater focus on reducing the impact of the risks if they materialise.

The Committee discussed the impact of the crystallisation of risks on the Health Service and in particular its staff. The Committee noted that staff across the organisation have been subject to exceptional pressures because of both Covid and now the cyber-attack. Discussion centred on whether there are other potential catastrophic events that might occur that would add to this pressure. It was emphasised that the ongoing resilience of staff, and particularly those in critical positions, is now in itself a significant risk to the effective operation of health services. The Committee requested that the risks to staff resilience should be assessed as part of the HSE’s Corporate Risk Profile. Additionally, it was agreed that there are many mission critical systems and infrastructure across the health service and the Committee recommended that a full prioritised list of critical systems be developed if not already available. The Committee also recommended that consideration be given to the National Risk Assessment for Ireland 2020 as an important point of reference for the HSE in reviewing its risk profile.

Following the Committee’s earlier discussion with the DPO and the effects the Cyber Attack has had on Data Protection within the HSE, the Committee asked executives to again consider that data protection should be reflected in the HSE’s Corporate Risk Register. Considering the cyber-attack and potential release of personal data, this is now a live risk.

6.2 Draft Report on the HSE Board and Executive Team: Managing Risk

Mr John Moody reviewed with the Committee the Draft Report on the HSE Board and Executive Team: Managing Risk which had been circulated in advance of the Committee meeting. The ARC welcomed the report and thanked Mr Moody for his work. A number of minor suggestions were made, and Mr Moody will reflect these in the final report. The Committee proposed that the Report would be presented to the HSE Board at its July meeting with a focus on understanding the broader cultural significance of the findings and how to embed them within the organisation. It was agreed that an implementation plan would be considered to give effect to the recommendations in both the Moody report and the HSE’s own Risk Review 2019.

Actions

  1. The Committee requested the EMT to undertake a reassessment of the current risks in light of the cyber-attack.
  2. The Committee requested that the relevant risk owners further evaluate the potential impact of risks materialising and place a greater focus on reducing the impact of the risks if they materialise.
  3. The Committee requested that the risks to staff resilience should be assessed as part of the HSE’s Corporate Risk Profile.
  4. The Committee recommended that a full prioritised list of critical systems be developed if not already available.
  5. The Committee proposed that the final Moody report will be presented to the Board at its July meeting.
  6. It was agreed that an implementation plan would be considered to give effect to the recommendations in both the Moody report and the HSE’s own Risk Review 2019.

7. Property Transactions

No items were presented for review by the Committee.

8. Matters for referral to other Committees

As agreed under item 2.1 Internal Audit Q1 Report the Committee agreed that a number of key reports would be circulated to the Chair of the HSE Board, the Chair of the Safety and Quality Committee and the Chair of the People and Culture Committee.

9. AOB

The meeting concluded at 12:30.

