Audit and Risk Committee Assurance Report - July 2025
Meeting: Trust Board – Public Meeting
Date: 10 September 2025
Report Title: Audit and Risk Committee Assurance Report
Agenda Item: PUB25/09/4.5
Committee Date: 23 July 2025
Meeting Chair: George Lynn – Non-Executive Director and Committee Chair
Meeting quorate: YES
Purpose: Assurance
Link to EEAST Strategic Mission:
- Patient Mission
- Partnership Mission
- People Mission
- Productivity Mission
Summary of items considered at the meeting:
Issue | Consideration | Resolution | Assurance |
---|---|---|---|
Directorate Risk Register Deep-dive: Strategy & Transformation | Overview of the Strategy & Transformation risk register, highlighting the diverse range of technology- and governance-related risks. | There are 34 risks on the risk register, 5 of which score 15 or above: Taxi Procurement (15); Compliance/Consumption/Management of Trust Data (16); Net Zero & Sustainability (16); Cyber incident compromises Trust Digital Systems (15); Ability to restore Trust Data (15). The Committee reviewed the risk register analysis and noted the related commentaries. | Reasonable |
Board Assurance Framework (BAF) and Risk Management Update | Review of Strategic Risks and the BAF | The Committee reviewed and ratified the newly updated strategic risks and framework presentation, noting the introduction of the three lines of defence assurance model. The Committee also reviewed and discussed operational risks on the Corporate Risk Register and the risk management KPIs. | Reasonable |
Sub-Group Assurance Report: Compliance and Risk Group (CRG) | Report on the levels of assurance provided in areas reported to CRG at its last meeting (July 2025) | The Committee noted that three groups reported: Risk Management Group, Information Governance Group, and Data Quality & Security Group. CRG identified three areas for escalation to the Committee: (1) potential risks to FOI compliance arising from CEP 25 savings work; (2) the AI policy, which has received some internal approvals and is due to be sanctioned by CRG; (3) the DSPT submission, proposed as "Approaching Standards". | Reasonable |
Attestation of Trust Seal Q1 2025-26 | Report detailing the instances when the Trust Seal had been used during Q1 2025-26 | The Committee noted that there had been 3 occasions when the seal had been attested – all property transfers related. | Reasonable |
Consolidated Committee Annual Effectiveness Report 2024-25 | Report covering the workings of the Board Committees during 2024-25 | The Committee reviewed the commentary on the workings of the Board Committees, noted the actions identified and endorsed the proposed improvements for the respective Committees. | Reasonable |
Cyber Security Assessment Update | Update and assurance report following the publication of the National Cyber Security Assessment for UK Ambulance Services | The Committee reviewed the detailed reports supporting the assessment and noted that, across the 14 UK Ambulance Services, EEAST's cyber security maturity was assessed at 71%, compared with a national average of 68%. EEAST's weaker areas were reported as: Governance & Leadership (a strategic plan is required); Application Security (relating to a small number of non-critical applications); Cloud Security (EEAST intends to move to National NHS MS Office in April 2026). | Reasonable |
Cyber Risk Summary Report | Status report on Corporate Cyber Risk DIG0003 | The Committee reviewed summaries of four cyber incidents (October 2024 to June 2025) and noted that the previous risk score for DIG0003 was 20. Following the implementation of controls and actions, the current score has reduced to 15, with further mitigations planned to achieve a score of 12. | Reasonable |
Business Continuity Incident Response Exercise (Cyber Risk) | Summary of the Business Continuity Incident Response exercise undertaken on 20 May 2025 at Melbourn, focused on a cyber ransomware scenario | The Committee noted that NHS-funded organisations are required to undertake a Trust-wide business continuity exercise at least annually to validate elements of the Civil Contingencies Act 2004 EPRR Core Standards. The exercise was designed and delivered by NHSE experts and the NHSE Regional Cyber Security Lead. Feedback on risks, key issues and proposed improvements was noted. | Reasonable |
Information Governance & Data Security and Protection Toolkit (DSPT) Updates | Update on the Trust's current position on DSPT compliance, Information Governance breaches, Subject Access Requests (SARs) and Freedom of Information (FOI) requests | The Committee noted: 2024-25 CAF-DSPT – 45 of the 47 expected outcomes were met; initially assessed as "Standards Not Met" but later changed to "Approaching Standards". IG breaches – averaging 21 per month, judged to be low-level, with an average of 2 per month reported to the ICO. IG training compliance – stable at 93%. SAR compliance over the last 4 months – 86%. FOI compliance – 58%. The Committee also noted commentary from the follow-on meeting with the ICO in July: of the 82 actions identified, 38 have been closed, with the remainder in progress. The ICO indicated that if FOI compliance does not improve, an enforcement notice could result. | Moderate |
Security Management Annual Report 2024-25 | Report on the Trust's position and the actions taken on Violence Prevention and Reduction in respect of EEAST staff and property | The Committee noted the detailed report on activities and incidents, including the increased use and staff activation of Body Worn Cameras across the Trust. It was noted that EEAST's self-assessment against the NHS England Violence Prevention and Reduction Standard showed full compliance in 5 of the 7 domains. The two non-compliant domains were Governance & Assurance and Evaluation. The strategic plan has been updated, with full compliance expected in 2025/26. | Reasonable |
Losses & Special Payments Report | Report on Losses and Special Payments Q1 (April – June 2025) | The Committee noted that the Trust made seven losses and special payments totalling £118k, including one settlement of £95k arising from a disputed tender process. | Reasonable |
Financial Management – Tenders & Waivers | Report on Tenders and Waivers Q1 (April – June 2025) | The Committee noted that the Trust approved 10 waivers in Q4, covering £408,775 of non-pay expenditure. | Reasonable |
Counter Fraud progress | Update on Counter Fraud team since last meeting | The Committee noted continuing progress in managing fraud across EEAST, with 8 open investigations, 4 new referrals, and 4 cases closed since the last report. | Reasonable |
Internal Audit Reports – TIAA 2024-25 Progress | Update on finalised internal audit work against the 2024-25 plan, including: Key Financial Systems (reasonable assurance); Effectiveness of Business Planning – Financial (substantial assurance); Cyber Assessment Framework-aligned Data Security and Protection Toolkit (compliance audit) | The Committee noted the reports issued. | Reasonable & Substantial |
Internal Audit Progress Report 2025-26 | RSM (the new internal auditors) provided their first report on internal audit work for 2025-26. | The Committee noted that no reports were due in July 2025. RSM is planning the Freedom to Speak Up review, to be followed by the CQC Action Plan review. Management has requested that the CQC work be deferred to allow actions to embed; the replacement internal audit work will include a review of the Rolling Hours plan and associated write-offs. | Reasonable |
External Auditor's Annual Report | Summary of EY findings from the Annual Accounts and Value for Money audit | The Committee noted the final report: an unqualified audit opinion on the 2024-25 Financial Statements. EY reported by exception on EEAST's value-for-money arrangements, citing significant weaknesses identified in line with CQC inspection findings, and made a section 30 referral to the Secretary of State regarding the continued cumulative breakeven position. EY was obliged to report these latter items at the point of signing off the accounts. | Reasonable |
Matters for escalation or referral:
None