Committees of the board meeting minutes

HSE Audit and Risk Committee meeting minutes 20 July 2022

A meeting of the HSE Audit and Risk Committee was held on Friday 20th July at 1pm via videoconference.

Meeting details

Members Present

Brendan Lenihan (Vice Chair), Fergus Finlay, Ann Markey, Pat Kirwan.

Apologies

Colm Campbell, Martin Pitt

HSE Executive Attendance

Stephen Mulvany (CFO), Dean Sullivan (CSO), Tom Malone (Interim ND Internal Audit), Patrick Lynch (ND G&R/CRO), Paul de Freine (ND Estates), Mairead Dolan (ACFO), Dara Purcell (Corporate Secretary), June Robinson (Board Office).

Joined the Meeting

KPMG representatives (item 3), Colum Maddox (A/CFO) (item 5), John Swords (ND Procurement) and Julie Ryan (AND Procurement) (item 5.4), Michelle Galvin, Internal Audit (item 6.1), Maire Lennon (item 7.1).

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda.

1. Committee Members Private Discussion

The Vice Chairman welcomed the Committee members to the meeting and held a private session to consider the agenda and papers and the approach to conducting the meeting.

EMT joined the meeting at 1.30 pm.

2. Governance and Administration

No conflicts of interest were declared.

2.1 Minutes

The Committee approved the minutes of the meeting held on 16th June 2022.

2.2 Matters Arising

No issues were raised.

3. Governance and Compliance Framework

The National Director Governance and Risk provided the Committee with an update on the Governance and Compliance design project currently underway, which is being supported by KPMG.

KPMG representatives made a presentation to the Committee covering the following.

  1. Update on the main activities undertaken and progress with the project.
  2. The key observations to date.
  3. An outline of the principles underpinning the Governance & Compliance Operating Model.
  4. The next steps for the Project and indicative timelines for finalising the report.

The Committee acknowledged that while the HSE currently undertakes a range of monitoring and assurance activities across all lines of defence, in general, there is a relatively low level of maturity related to the monitoring and assurance activities performed by first line of defence and second line of defence functions.

As a result, there is a need for a programme of improvement across many of these first and second line of defence functions and activities. The Committee advised that the new Central Compliance Function should be designed in a way that can provide the EMT, ARC and the Board with consistent reliable reporting on the compliance risk profile of the organisation. As a second line of defence function, this can draw from but be independent of the current first line of defence monitoring and assurance activities. The Function should also have the ability to impact and influence the quality of compliance activities being performed across the organisation. The feedback provided by the Committee will be reflected in the remaining stages of the project which is expected to be completed in the middle-end of August.

A further briefing will be provided to the Committee in September, 2022.

ND G&R left the meeting.

4. Risk Management

As ND Governance and Risk was required to leave the meeting early, he had provided a written update to the V/Chairman on the following items:

4.1 Risk Programme - Feedback - ARC Workshop

  • the workshop was very useful and the Corporate Risk Support Team [CRST] members who joined the meeting found it valuable and asked that their thanks be extended to the ARC
  • the output from the workshop is tabled for discussion at next week’s EMT meeting
  • the ARC's advice will be reflected as part of the Q3 Review due to be completed mid-September

4.2 Our Lady’s Hospital Navan (OLHN)

The Vice Chair informed the Committee that the reconfiguration of Navan Hospital and the associated risks are being considered at Board Level.

5. Accounting, Governance and Financial Reporting

Colum Maddox A/CFO joined the meeting

5.1 YTD Expenditure

The Committee received a briefing from the CFO on the financial position year to date and the forecast to year end as set out in the briefing papers circulated to the Committee prior to the meeting for consideration.

The Committee reviewed the key messages in the paper in relation to the financial position noting Revenue Income and Expenditure YTD is showing a deficit of €474.1m or 5.6%, with a significant element of this being driven by the direct impact of COVID-19.

The Committee noted from an overall perspective it is expected over the coming weeks and months, that core (non COVID-19) activities will naturally increase and the impact of “delayed” care will also increase demand for core services.

The Committee were informed it has been agreed at EMT and advised to the Board that steps are being taken by the EMT to reduce the expected level of growth in order to breakeven on Core. Engagement on the 2022 costs of the HSE’s COVID-19 responses is continuing with both the Departments of Health and Public Expenditure & Reform.

A third sanction request has been submitted to the Department of Health, which will allow the HSE to continue to operate within COVID-19 sanction to 31st July 2022. At the most recent meeting of the Health Budget Oversight Group (HBOG), the potential 2022 cost of COVID-19 responses was discussed at length, with particular focus on the 2022 outlook of Acute & Community specific COVID-19 responses.

Following consideration of the key financial messages the Committee noted that the following are being brought to a conclusion through engagement with DOH and DPER as a matter of priority as part of our overall financial management efforts, particularly in the context of the Estimates 2023 process which is in effect underway:

  1. To manage COVID Community and Hospital Response Costs to end 2022 and into 2023
  2. To manage CORE expenditure to at least a breakeven.
  3. Determination of the % of Haddington Road agreement hours that services are permitted to replace

5.2 Health Budget Oversight Group Minutes

The Health Budget Oversight Group minutes of 1st June 2022 were noted by the Committee.

5.3 Special Legislative Account - Status of 2021 Draft Accounts

The ACFO advised the Committee that the special legislative accounts as required under Health legislation (Health Act 2006 and Hepatitis C Compensation Tribunal (Amendment) Act 2006) have been prepared and presented for audit to the Comptroller and Auditor General within the required time scales.

These accounts will come back to the ARC post audit at which time the ARC will be asked to recommend them for approval by the HSE Board.

5.4 Annual Self-Assessment of Competitive Compliant Procurement Exercise

John Swords National Director of Procurement (NDP) and Julie Ryan Assistant National Director Procurement joined the meeting for consideration of this item.

Following the presentation of the Self-Assessment Service on Procurement Activity at the Committee meeting 12th May, 2022, the Committee requested that an exercise be completed to identify the level of compliance in terms of the Corporate Centre as an output of Self Declaration Process 2021 with an initial focus on Professional Service and Education and Training.

The National Director of Procurement provided a high level overview of the analysis that was conducted of the output of the Corporate Centre Self Declaration Process 2021 which had involved examination of financial management data aligned to cost centres across the corporate centres. He noted this was an initial view which will need to be refined as the exercise progresses as there is a level of recoding required and provided some examples.

The NDP identified that the procurement derogations applied included Article 32 (used in cases of urgency where there is no time to go to the market, or unforeseen circumstances such as Covid), Article 72 (roll-over of contracts or additional works carried out under a contract without going back to market) and Article 12 (public to public or proprietary products). He provided some examples of same.

The Committee thanked the procurement team for the work to date and was pleased to see it going in the right direction.

Actions Agreed

The Committee requested a list of these derogations with associated detail including the contact name of the EMT owner for discussion at the September meeting and based on this review the Committee will consider if an audit on the findings is appropriate.

6. Internal Audit

The National Director of Internal Audit provided an update on 2 Internal Audit Reviews, Ref No. IT004ASOP0722 and MT004HRES0622.

6.1 Internal Audit Report IT004ASOP0722

Michelle Galvin joined the meeting, for consideration of this item.

IA had undertaken an audit of compliance with the 14 security recommendations issued to all 17 voluntary hospitals on foot of the report conducted following the 2021 cyber-attack. Following its audit work, IA issued an audit report to each of the voluntary hospitals.

IA presented a report to the Committee on progress made by the voluntary hospitals in implementing ICT security recommendations on foot of the cyber-attack.

Overall, the audit found that:

  • best endeavors were made by all 17 voluntary hospitals to implement the security recommendations in a timely manner
  • some hospitals were unable to implement certain recommendations due to limitations with the technology in use in the hospital
  • across the majority of hospitals, poor compliance with the Enterprise Password Settings was noted - hospitals raised concerns about complexities associated with enforcing such password parameters on user, privileged and service accounts
  • a good level of compliance was noted against the rollout of the FireEye agents across the hospitals

The audit provided an overall audit assurance level of moderate. The audit made two recommendations:

  1. The HSE eHealth team works with the relevant hospitals to assist them in addressing the gaps identified.
  2. The HSE eHealth team conduct periodic reviews to assess continued compliance (the audit is a point in time assessment).

The ND IA noted that, where the report identifies gaps in a hospital with the implementation of a Mandiant recommendation, it sets out the current practice in that hospital which in some cases seems to mitigate the related risk to some degree.

Actions agreed

As part of its deliberations the Committee requested that:

  1. The IA report be sent to Mandiant to formally seek their observations on the report and specifically for Mandiant to set out the risks and implications for the HSE arising from the audit’s findings.
  2. The report be referred to the HSE Compliance Unit with the aim of including an ICT security threshold/level of ICT compliance in the Service Level Agreements with the voluntary hospitals in a similar way that we include required levels of compliance in other areas. The Compliance Unit will agree such a threshold with the CIO.
  3. ND IA will engage with the CIO to provide any further information his team or Mandiant may need to implement the recommendations.

6.2 Internal Audit Report – MT004HRES0622

The V/Chairman set out the background to this audit which was to provide assurance over the number of High Earners disclosed in the HSE Annual Report, the appropriateness of the payments made and the accuracy of the figures reported. The results of the audit work highlighted a number of shortcomings in the current control environment.

ND IA noted that Internal Audit tabled the draft report at EMT and sought a coordinated management response to address the report’s findings which spanned several HSE Divisions including: Operations (Acutes and Community Care); Clinical; HR and Finance. Due to the nature of the findings, the draft report, without management comment, was tabled at the ARC meeting of 14 April.

ND IA confirmed the final report, including management’s response, was issued on 30 June 2022 and management has developed an action plan in response to the findings of the internal audit report.

The Committee noted that the scope of the internal audit report is limited to those individuals employed by the HSE. It does not extend to individuals who are employed by other organisations. As part of the work currently being undertaken, consideration will be given to extending the scope of engagement to include other organisations funded by the HSE.

The Committee noted the up to date position and suggested consideration be given, including legal advice if necessary, on whether it is required under FOI/GDPR compliance to carry out further anonymization of the IA Report.

8. Properties and Contracts

8.1 Contracts

No contracts were tabled for consideration.

8.2 Properties

The CSO and National Director Estates briefed the Committee on the following property transactions circulated to the Committee prior to the meeting for pre Board scrutiny prior to submission to the Board for consideration.

  1. Proposed granting of a 10-year lease for property at Ballyfin Road, Mountrath, Co. Laois to the Muiriosa Foundation.
  2. Proposed Transfer of 63A Shannon Heights, Kilrush, Co. Clare to the Sophia Housing Association.
  3. Proposed Transfer of 0.4 acre site to rear of 63A Shannon Heights, Kilrush, Co. Clare to Clare County Council.
  4. Lease of Units at Omni Shopping Centre, Santry, Dublin 9.
  5. Disposal of vacant houses on the avenue of St Ita’s Hospital, Portrane, Co Dublin to Fingal County Council.
  6. Preliminary Business Case for the proposed New Emergency Department and Women’s & Children’s Development Block at University Hospital Galway (UHG) and Annexe.
  7. Approval for the transaction that will allow the HSE enter into a Public Private Partnership (PPP) for the delivery of 7 Community Nursing Units and Appendix (x1).
  8. Acquisition of Building 4, University Technology Park, Curraheen, Cork City for Cork University Hospital (CUH).

Following consideration of the detail for each proposed transaction the Committee agreed to recommend the following transactions to the HSE Board for approval.

9. A.O.B

No matters were raised and the meeting concluded at 18:00

