HSE Audit & Risk Committee Meeting Minutes 11 March 2025

Members Present

Yvonne Traynor (Chair), Anne Carrigy, Michael Cawley, Pat Kirwan, Éimear Fisher, John Moody and Sharon Keogh

HSE Executive Attendance

Kate Killen White (REO Dublin Midlands), Joseph Duggan (Chief Internal Auditor), Mairead Dolan (Asst Chief Financial Officer), Brian O’Connell (ND, Head Strategic Health Infrastructure & Capital Delivery), Joe Ryan (ND Public Involvement, Culture and Risk Management/Chief Risk Officer), Dr Colm Henry, (Chief Clinical Officer), Dara Purcell (Corporate Secretary), Patricia Perry (Office of the Board)

Joined the Meeting

Dr Mary Coghlan (Director, National Productivity Unit), Gavin O’Neill (AND, National Productivity Unit), Maire Lennon (Head of HSE Office of Legal Services), Elaine Kilroe (AND Enterprise Risk Management), David Langton (AND Central Compliance Function)

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda. All performance/activity data used in this document refers to the latest information available at the time.

The Chairperson held a private session to consider the agenda, papers and the approach to conducting the meeting.

2.1 Conflicts of Interest

No conflicts of interest were declared.

2.2 Minutes

The Committee approved the minutes of 14 February 2025, subject to an amendment being made.

2.3 Action Log and Follow Up Items

The Chair advised that she had reviewed the ARC Action Log with the Board Office and all actions were being progressed as per the Update Report.

The Committee requested that

• an update be brought to a future meeting regarding the Delivery of the Equipment Replacement Programme;
• one page of current status of responses, and analysis on who should be on the Controls Assurance Review Process (CARP) list, and provide a future update on ambition to have 100% response to the CARP survey.

Dr Colm Henry, Chief Clinical Officer joined the meeting

3.1 Clinical Audit Plan 2025

The CCO provided the Committee with the Clinical Audit plan for 2025 which outlines the strategic direction, key objectives, and implementation framework while ensuring full alignment with the National Quality and Patient Safety objectives and the NCCA Operational Plan 2025, and noted that in light of limited resources, high-impact initiatives, leveraging technology and strengthening collaboration across stakeholders are being priortised.

The Committee reviewed the Clinical Audit Plan 2025 and discussed the financial impact to date of funding v savings, the level of funding and metrics required to deliver the plan in 2025, and costs relating to personal injury awards.

The Committee welcomed the Plan, noting that it tended towards hospital-based activities and requested that a broader approach be taking to include community, older people, mental health and disability services.

Maire Lennon, Head of Legal Services, Dr Mary Coghlan, Director NPU and Gavin O’Neill AND NPU joined the meeting

4.1 Review of the Office of Legal Services – update by the National Productivity Unit (NPU)

The Chair welcomed Dr. Mary Coghlan and Gavin O’Neill, NPU who provided an update of their assessment of the Review of the Office of Legal Services (OLS), which was previously undertaken by Outsource in April 2024.

The Committee noted the provision of legal services as managed by the OLS in 2023 was predominantly provided by a number of legal firms under a competitive legal services contract, and discussed the potential opportunity to increase the level of legal advice being provided in-house by OLS, given the Irish and International comparators outlined in the Committee briefing paper. Since the completion of the Outsource report, the Committee were advised that the OLS have been working to implement the recommendations proposed and noted the status of each recommendation.

The Committee were informed that OLS would engage with Estates re Property & Estates, and the Data Protection officer re Commercial Corporate / GDPR to (i) identify legal advice they deem would be suitable for in-housing cognisant of any potential contractual issues which could arise by taking work in-house which is currently under contract with external legal firms and (ii) to obtain a breakdown of external advisor hours and costs incurred over a representative period of 6 months in respect of (i), and (iii) NPU and OLS to agree on relative in-housed alternative operating model and cost assignment as illustrated in the Committee briefing paper. This will include a focus on how the agreed approach and associated outcomes can be tracked and monitored to ensure efficiencies and economies are achieved. The Head of OLS outlined a number of challenges involved in bringing tranches of work in-house and the necessity to identify the areas of legal work, in particular advisory legal advice, which could be competently and efficiently serviced by an in-house legal team. It was agreed that a further update on the implementation of the recommendations be brought back to the Committee in 3 months time.

Director NPU and AND NPU left the meeting

4.2 Half Year Report on Strategic Legal Matters

The Head of Legal Services presented to the Committee the HSE Corporate and Operational Strategic Legal Matters report for March 2024 to October 2024, as previously circulated.

The Committee noted the report which provided a summary of 65 significant matters in the reporting period, with 25 matters identified as matters of highest priority. The Committee in the course of reviewing the report, were provided with more detail by the Head of OLS in response to questions raised on specific cases.

Head of Legal Services left the meeting

5.1 YTD Expenditure

The Asst CFO provided the Committee with the key messages relating to January 2025 Cash Utilisation, which was noted.

5.2 Non-Pay Savings 2025

The Asst CFO presented an update in relation to initial non-pay savings initiatives which are being co-ordinated by the National Finance and Procurement Division, and advised that the aim is to focus on price reductions, price harmonisation and interchangeability. The Committee discussed the initiatives outlined in the paper noting that the preliminary indicative estimate of the potential full year savings across five projects noting that the figure has to be validated further.

A discussion took place in relation to Project #6 Activity Based Funding (ABF) Improvement, noting the need to identify savings and have comparable analysis, and if possible to link with the Service Arrangements in Section 38 agencies; Project # 7 Activity Based Funding (ABF) Expansion and Project # 8 IFMS – Continued roll out and benefits realisation, the Committee were unsure of objectives set out and requested that it be made clearer.

The Committee noted the paper and requested that more details and the target for full year savings are to be included in the plan.

The Committee discussed spend approval levels for HSE staff, with a request to reduce/amend the authority level for non-pay spend. It was noted that a risk assessment would be required to understand any risks associated with the reduction, and it was agreed that the request would be brought to the CEO for consideration.

5.3 Draft AFS (including draft SIC)

The Asst CFO presented to the Committee the draft Annual Financial Statements (AFS) for review. The Committee noted that draft AFS have been submitted to the C&AG on 28th February 2025 in line with the DPER requirement and will be presented to the Board for formal adoption in line with the Health Act at its meeting on 28 March 2025.

The Committee noted that the Draft AFS 2024 reports the Revenue I/E Deficit of €762.8m (including First Charge from 2023 of €574.6m) and Capital I/E Deficit of €29.2m.

The Committee discussed the Statement of Internal Control (SIC), noting that the assessment of the control environment is Limited, and that actions are being taken by the HSE to mitigate these weaknesses and to drive improvements.

The Committee were advised that the audit is on-going and the accounts will not be considered final until the audit has concluded and any material changes that may arise have been considered and actioned. It is expected subject to the progression of the C&AG audit that the final draft will be brought to the SLT, ARC and the Board in May and any material changes to the AFS and disclosures will be explained.

The Committee agreed to endorse the draft AFS including SIC for onward submission to the HSE Board for consideration and adoption.

Elaine Kilroe, AND ERM and David Langton, AND Central Compliance Function joined the meeting

6.1 Central Compliance Function- Compliance Reports

(i) Compliance Obligations Register Q4 Update

The AND Central Compliance Function (AND CCF) presented the Compliance Obligations Register (COR) Q4 2024 to the Committee, and it was noted that Internal Obligations have increased by 11 (1%) from 785 to 796; External Obligations have increased by 24 (6%) from 411 to 435; and that the COR has been published on the HSE website.

The Committee were advised that the updated COR and associated metrics report will be presented at the SLT meeting on 11 March 2025 and will be brought back to the Committee. The Committee discussed the need to demonstrate compliance with the COR and the linkage with other metrics that are presented to the Committee. It was noted that a risk based Compliance Assurance Plan will be implemented for Q4 2025 and will be brought to the Committee.

(ii) Maturity Assessment of HSE Compliance Functions

The AND CCF presented Maturity Assessment of HSE Compliance Functions paper to the Committee which provided a detailed overview of the compliance functions identified and analysed, and outlined a high level overview of the key observations. The Committee noted that the completion of the review exercise is a valuable step along the Compliance Project journey, and that the CCF will work with all functions reviewed to further mature their processes. It was agreed that a twice yearly report will be brought to the Committee.

The Committee discussed a key observation included in the report, relating to the Primary Care Reimbursement Services (PCRS) annual budget of circa. €4billion, noting that outputs of the PCRS Probity Unit do not have a governance pathway into any Board Committee at present. It was agreed that the ND Public Involvement, Culture and Risk Management would liaise with the AND CCF and may incorporate into metrics and report by exception, if required.

(iii) KPMG Compliance Project Implementation Plan Update

The AND CCF presented to the Committee the quarterly update in relation to the KPMG Compliance Project Implementation Plan and progress to date. The Committee noted the update and the overview of the recommendations completed since the December 2024 meeting.

6.2 2024 Annual Report – Treatment of Protected Disclosures

The Committee noted the Protected Disclosures Annual Report 2024, which fulfils the statutory obligation to publish a statement confirming that the HSE has internal reporting channels in place, which once approved would be published by the statutory deadline of the 31 March 2025 and included in the HSE’s Annual Report 2024. The Committee discussed the detailed year-end report of activity presented, and noted the 38% increase of Protected Disclosures (PDs) received compared to 2023, and the planned PD Training to ensure the creation of a more open culture around with dealing with PDs, noting that training and learning sessions across the HSE to take place before the end of Q2 2025.

6.3 Deep dive on an ARC risk – Data Protection Risk

The CRO presented a briefing with regard to Data Protection Risk and provided an outline to the Committee including how it is managed, measured, and the progress of the risk reduction plan.

The Committee discussed the key actions relevant to the risks that are being progressed as planned, noting that the Transformation Programme has commenced addressing high risk priority gaps identified from Data Privacy Governance Framework and Operating Model Review in 2021. Enhancement of Data Privacy Digital Platform will enable the DPO to monitor compliance with obligations in the Data Protection Act and GDPR across the organisation, tender is due to be published in Q2 2025, and it was agreed that the CRO would bring a further update later in the year.

The Committee discussed Cyber Risk Preparedness and requested that the CRO provide a briefing at a future meeting.

6.4 Risk Appetite Statement update

The AND ERM provided a verbal update noting significant progress. It was noted that a paper will be brought to the April meeting for recommendation to the Board.

AND Enterprise Risk Management and AND Central Compliance Function left the meeting

7.1 Q4 2024 report (IA Reports and IA Recommendations Monitoring)

The CIA provided a report to the Committee which included Audit Activity and Plan Status and Planned Audits Q1 2025; Audits Issued and Key control findings from Audit Reports in Q4 2024; Implementation of audit recommendations at 31 December 2024; National Performance Indicator; and open and overdue recommendations by area.

The Committee noted the update in relation to the Internal Audit Plan Status at 31 December 2024; with 13 audit reports issued in Q4 2024 and an outline of the key findings of those reports.

The Committee discussed a number of audit reports and requested that the Chief People Officer attend the April meeting to address payroll anomalies resulting in unsatisfactory findings in relation to two IA reports: Suspected Irregularity Regarding Payroll CHO3 HSE Mid-West and CHO4 HSE South-West, HSE Weaknesses; and Recommendations Report AND Management of National Payroll (Pay Related) Overpayments.

As highlighted by the Committee at previous meetings, the issue of overdue audit recommendations was discussed, with the Committee noting that of the 346 open recommendations at the end of 2024, 303 (87%) were overdue. The Committee reinforced the request that management attend to explain the overdue recommendations in the area of their control, and the CIA advised that a report in relation to open recommendation findings is being considered by the CEO and will be submitted to the Committee in April.

7.2 CIA Annual Report 2024

The Chief Internal Auditor (CIA) presented to the Committee the Annual Audit Opinion 2024. He informed the Committee that based on the results of internal audit work completed during 2024, that Limited assurance can be provided in respect of the governance, risk management and control systems operating in the subject areas audited and outlined the reasons for his opinion, which were included in the report.

He advised that sufficient and appropriate audit procedures had been conducted and evidence gathered to support the conclusions reached in the audit reports issued in 2024. The conclusions were based on conditions at the time of audit and are only applicable to the HSE.

The Committee discussed the report presented noting concern in relation to the same Limited Opinion as 2023 and of the audit recommendations made in 2024, 62 of 182 were potentially systemic. The CIA advised of the Plan for 2025 in relation to national audits and that there will be more audit evidence to support the systemic nature of findings based on a wider substantive testing, on the areas of highest risk once the risks are identified and assessed. This means that audits are not performed equally across all areas but are instead concentrated on the processes, functions, departments or divisions where there is the most significant risk.

Brian O’Connell, ND, Head Strategic Health Infrastructure & Capital Delivery and Michael Connelly joined the meeting

8.1 Quarterly Report - final account for completed construction projects

The ND, Head Strategic Health Infrastructure & Capital Delivery provided a report to the Committee comparing the contract amounts for major capital projects approved by the Board with the final outturn for those projects.

The Committee were advised that in the period between January 2020 to December 2024, 40 awards of construction contracts in excess of €10 million (excl VAT) were approved by the HSE Board. Of these, 6 Projects completed with agreed Final Accounts were presented at the Committee on 10 May, 2024. A further 9 projects have since completed, 4 of which have Final Accounts agreed and were provided with an outline of the Construction Contract Award Value approved compared with the final account.

8.2 Building Contracts & Properties

The ND, Head Strategic Health Infrastructure & Capital Delivery presented to the Committee the following contract.

The Committee considered the details of the proposed contract and agreed to recommend to the Board for approval.

The Chair noted that in relation to the delegated authority for property transactions, a review of all property transactions under the current delegation in order to consider any adjustment required to policy going forward will be presented to the Committee at the April meeting.

The Committee requested for an update at a future meeting with regard to the IFMS roll out including Section 38 agencies. It was noted that IFMS comes under the remit of the Strategy & Reform Committee.

There was no further business.

The Chair thanked the Committee and SLT members. The meeting ended at 1.21pm