Minutes of the VSS Audit and Risk Committee

Wednesday 13 August 2025, 10.30am

MS Teams

 

 

ARC Members Present:

John Cahill (JC)                            ARC Chair

Briege Lafferty (BL)                      ARC Member

Brian Gilfedder (BG)                  ARC Member

 

VSS Officers in Attendance:

Victoria Murray (VM)                    Acting Head of Corporate Services

Courtney Powell (CP)                  Acting Finance Manager

Adam Strong (AS)                        Risk and Governance Manager

 

Others in Attendance:

Andrew Allen (AA)                      NIAO (External Audit)

Marcin Klimasz (MK)                    TEO

Elicia Erasmus (EE)                   Cavanagh Kelly (Internal Audit)

 

A       Apologies

Andrew Walker (AW)                    Chief Executive Officer

 

 

B       Minutes

 

          The minutes of the previous meeting on April 16, 2025, were approved.

 

 

C       Action Points

 

Action Points remaining open from previous meetings:

 

-       22.01.23 AP1: An updated draft of the VSS Risk Management Strategy was approved by the Board in June 2025. Periodic review of departmental risk registers commenced from August ARC meeting.  Action closed.

 

Action Points arising from 13 August 2025

 

-       13.08.25 AP1: Management to consider inclusion of Cyber Security risk on the Organisational Risk Register

-       13.08.25 AP2: Further management of Cyber/digital risks to be discussed at Board level within consideration of wider business continuity planning.

 

 

D       Conflict of Interest  

 

          No conflicts of interest were noted.

 

E       Accounting Officer Update

 

E1 CEO/AO Exception Report

VM presented the CEO Exception Report in AW’s absence.

 

VSP Planning

The VSP funding call application and guidance documentation has now been drafted in preparation for the planned opening of the call on 1 September 2025. The VSS Board reviewed and discussed the call assessment process and appeals process at the September Board meeting.

Finalisation of the call timetable has been dependent on the receipt of approval of the VSP Business Case 2026-2028 within TEO, and VSS worked closely with the Victims Unit throughout the quarter to respond to queries as the business case moved through the review process.

VM explained that VSS had provided cost estimates for three options to be assessed within the VSP business case, for essential, desirable and optimal scenarios. On 11 July 2025, VSS received confirmation that a budget had been approved for the essential funding scenario, totalling £12.6m for 2026/27 and £12.5m for 2027/28.

Despite extensive engagement and the provision of supporting documentation, the proposal for a contribution to be made from the TPDPS programme has not been approved at this time. VSS is still working with the Victims Unit in TEO to review and refine the proposal paper provided, with a view to resubmitting this for further consideration in the coming weeks.

The failure to obtain approval of funding above baseline levels is extremely disappointing, and VSS has written to TEO to emphasise that a lack of additional funding provision will result in an increasingly challenging budgetary position in 2026/27 and 2027/28, and will undoubtedly result in a smaller number of funded organisations, and a reduced offering of support and services for victims and survivors. TEO has confirmed that senior officials and Ministers will be made aware of the associated risks when they are informed of the outcome of the business case approval process.

If ultimately no additional funding can be provided above current levels, the risk that budget pressure will reduce the capacity for service provision within the sector will become inevitable.

 

Budget Allocation 2025/26

VSS received a small amount of additional budget allocation in the June monitoring round to meet internal salary pressures arising from the agreed NICS pay award from 1 August 2025. Following review of budget commitments, VSS has been able to distribute £468k of additional funding to organisations for HWB/programme costs out of the TPDPS ringfenced budget.

 

The TPDPS contribution proposal previously under consideration by TEO as part of the VSP business case also contained a request for a proportionate amount of additional funding in 2025/26, and the current lack of approval of this approach severely restricts VSS’s ability to provide any additional funding to groups in the current financial year. A balance of £711k of approved applications, mainly for overheads, remains unfunded from the additional call process. In addition, we are observing pressure on INP framework budgets, likely associated with increased Peace funded HWB caseworker activity.

VSS has submitted bids in the October monitoring return for funded organisation overhead pressures and INP framework pressures. 

 

PEACEPLUS

KPMG was formally appointed as project controller and has made good progress with verification activity.  Period 1 and 2 claims have now been certified and submitted to SEUPB for payment. SEUPB has confirmed that no further interim payments will be offered to projects now that verifications activity has commenced, so VSS will continue to closely monitor project cashflow until such time as the standard verifications cycle is established.

VM noted that the project is forecasting an underspend position largely as a result of delays to recruitment of project staff. VSS is now considering ideas for utilisation of this underspend, although SEUPB may not be open to an extension of the project end date. A proposal for a project modification will be prepared and submitted to SEUPB in due course.

 

HIA

The five year review of services is now underway and VSS are engaging with TEO regarding business case cover for the next four years of service delivery. VM noted that as a result of wider discussions ongoing, VSS are now working with WAVE on an apportionment model for staff costs which will have an implication for the costs included in the HIA business case addendum. Resultantly, TEO has agreed to a revised timetable for completion which will likely see the HIA funding call opening in early 2026.

MBMLW

The Inquiry (Mother and Baby Institutions, Magdalene Laundries and Workhouses) and Redress Scheme Bill was introduced to the NI Executive on 16 June 2025 and is now moving through the legislative process. Subject to the bill being passed, it is anticipated that redress will commence in summer 2026.  VSS is now working with the newly established Truth Recovery Redress Service (TRRS) on planning how to support individuals coming forward to engage in the redress process.

 

External Environment - Appointment of Victims Commissioner

The new Victims Commissioner has been appointed and will take up their post in October 2025.  VSS will make arrangements for the Commissioner to meet with the VSS Board later this year.

 

Committee members noted the list of CEO Engagements during the quarter.

 

E2 Budget Report

CP provided an update on VSS budget position.

VSS received an opening budget allocation of £20.8million in total across TC, TPDPS, HIA & MBMLW. This included a £50k baseline uplift for the additional 3% pay award from August 2025.

 

The opening budget for TC is £14.8m, and at the end of Q1 VSS had utilised 44% of this budget, mainly due to the SDA payment run of £3.8m completed in April 2025. Expenditure was in line with forecast at the end of Q1, with VSS corporate underspends being offset by overspends trending in INP. The overspends identified in INP are driven by high demand for the Disability Aids Bereaved scheme, although pressures are being observed across all frameworks, and these have continued into the summer months. VSS has bid for an additional £120k for the Disability Aids Bereaved scheme in the October monitoring submission.

The opening budget for TPDPS is £2.8m, and 20% of budget was utilised at the end of Q1 consistent with forecast. The opening budget allocation included a provision for emerging needs which has now been distributed to Community Partners via an additional call process completed in July.

The opening budget for HIA is £1.3m, this was 24% utilised at the end of Q1, consistent with forecast.

The opening budget for MBMLW is £2.7m, and Quarter 1 reporting showed that we have utilised 13% of this budget.  A £1m easement against the opening budget was held as a provision pending further clarity regarding the requirement for additional support for individuals applying for redress and. VSS has now surrendered £880k of this budget in the October monitoring return.

VSS PEACEPLUS expenditure to date is £651k (excluding project partners), £145k underspent to forecast due to delays in recruitment and timing of commencement of workforce training plan activity.

 

E3 Organisational Risk Register

VM provided a summary of the Organisational Risk Register.

No new risks were added this quarter. 7 risks remain open – 3 scored red, 3 amber, and 1 yellow. VM led a discussion of key changes across the open risks:

STG50: Members agreed that the likelihood score of this risk should be amended to the maximum level (probable) given recent developments with member availability to support the VSP call assessment process. VM confirmed that the scoring would be reviewed and updated at September quarter end, and that management were taking actions to mitigate against the increased risk score.

STG71: This risk will be reviewed and challenged in the next quarter. VM noted that the ongoing presence of this risk reflects the fact that when the RTN is not functioning effectively, VSS is not adequately supported to deliver on its organisational objectives.

STG75: Risk score reduced in the quarter, and it is hoped that this risk will be able to be de-escalated once controller verifications are happening in line with the 12 week cycle specified in the PEACEPLUS programme manual.

STG77: This risk has been de-escalated post quarter end following confirmation from TEO of an approved budget for programme funding from 1 April 2026 – 31 March 2028.

STG80: Score escalated to maximum this quarter to reflect ongoing lack of additional budget allocation to the Victims Support Programme.

STG81: This risk is de-escalating as progress is made with the Truth Recovery programme timeline. VSS has not experienced any notable reputational issues following the introduction of the redress and inquiry bill. Consideration will be given to further de-escalation in the next quarter.

 

F       Quarterly Reports   

         

VM advised that the Quarterly ALB Report and Quarterly Assurance Statement were not required by TEO at the end of Q1, and confirmed that internal assurance processes had still been completed and received Accounting Officer approval. A headcount report has been provided as item F1.1 in place of the information usually included within the Quarterly ALB Report.

Members noted the Headcount Report and Delivery Plan Monitoring Report.

 

G       Internal Audit - Cavanagh Kelly

 

EE shared a summary of the Internal Audit Reports on Cyber Security, Follow Up of Open Recommendations, and 2025-26 Annual Report for review and approval.

 

G1 Cyber Security

EE provided an overview of the risks identified and the results of testing, noting the outsourcing of many of the IT functions. The Cyber security audit received an audit score of “satisfactory”, and no recommendations were noted.

EE took questions from members on the contents of the report. BG asked for further assurance from the internal auditor regarding their level of expertise in undertaking audits of this nature.  EE responded that the internal auditors are not IT experts and did not undertake penetration testing, as this is a specialist area. The objective of this audit was to provide the ARC with assurance that VSS has adequate arrangements in place to address the risks that the organisation faces in relation to Cyber Security. EE confirmed that as an organisation Cavanagh Kelly are completing audits of this nature with increasing regularity and had completed 4/5 on similar organisations within the past year.

BL and BG recommended the inclusion of Cyber Security on the Organisational Risk Register as a standing item. VM noted that cyber security risks are currently held at a departmental level and agreed that this would be considered by management, and this has been recorded as 13.08.25 AP1.

 

G2 Internal Audit Follow Up on Prior Year recommendations

EE reported that for follow up review on previous years’ recommendations, there were three Priority 2 and ten Priority 3 Open recommendations.  The review concluded that of the three Priority 2 recommendations, two were partially implemented and one is no longer relevant.  Of the ten priority 3 recommendations, five were implemented, four were partially implemented and one is no longer relevant.

 

VM noted that the two long standing open audit recommendations relate to the VSS Business Continuity Plan, for which work to update has commenced this year. BG suggested that the VSS approach to business continuity planning should form part of a wider review of the area by the Board, and this has been recorded as 13.08.25 AP2.

 

 

G3 Annual Internal Audit Report

Overall assurance for 2024/25 determined as Satisfactory.

 

 EE left the meeting.

 

H      External Audit Update – NIAO

           

AA provided a verbal update and noted that there have been some changes to the audit team and the timetable contained within the audit strategy. AA confirmed that there are no concerns with achieving completion of the audit and provision of a RTTCWG in advance of the October ARC meeting.

 

 

I         Standing Agenda Items

 

I1      ARC Self-Assessment Action Plan

 

VM shared the action plan which had been updated with the actions from the 2024-25 ARC Self-Assessment Review, and sought comments against each item from members. 

 

Members discussed the action required under Skills and Experience 2.19:

 

ARAC has the level of skills and expertise required to challenge management and provide assurance to the Board that the organisation is properly managing its cyber and digital risks.

 

Members agreed that this action be updated to ‘further management of Cyber/digital risks to be discussed at Board level within consideration of wider business continuity planning’, with the associated action included within 13.08.25 AP2.

 

All were content with the remainder of the actions as noted and these will now be taken forward through the 2025-26 year.

 

 

I2      ARC Training Update and Requirements

 

BG discussed the AI training he had recently attended and expressed an interest in pursuing a course in how AI could help an ALB. VM confirmed that this request had been noted at Board and appropriate training for all organisational levels would be considered by the AI working group.

 

I3      Audit recommendations

 

Noted

 

I4      Gifts and Hospitality Update

                  

Noted

 

 

I5      Compliance Update

 

AS provided an update and noted that one additional suspected fraud item had been notified to TEO after the end of the quarter.

 

BL questioned the timing of some of the open fraud cases.  VM explained that timing of identification was associated with checks in advance of the annual Self-Directed Assistance payments.

 

I6      Procurement Update Q1 25/26

 

Noted.

BG sought assurance regarding the proposed cost of the Risk Management Software and associated benefits that this would bring. VM and AS explained the requirement for a system and the organisational efficiencies that this would bring. BL and AA confirmed that there is no standard system in use within the NI public sector. Members were content that management proceed with procurement of the system.

 

I7      FD/DAO updates from DoF Q1 2025/26

 Noted.

 

I8      ARC Terms of Reference (note only)

 Included for reference.

 

 

J        Any Other Business

 

J1      VSS Risk Management Strategy

 Included for reference.

 

J2       Corporate Services Risk Register June 2025

VM introduced the Corporate Services Risk Register. Departmental risk registers will now be provided within ARC papers on a rotational basis each quarter. VM provided a summary of the register and noted that it contains 14 finance risks and 24 governance risks. VM noted that the intent of this process is to provide members with assurance as to management of risks at an operational level, and not to complete a detailed review of risks with the committee.

Members confirmed that they were content to have sight of the departmental registers each quarter in line with the process VM set out.

 

J3     ARC Annual Report

          The Committee noted the report. 

 

J4     Annual Report and Accounts

VM noted that the Annual Report and Accounts had been previously circulated to the Committee and thanked members for their responses. Members confirmed their approval for the draft Annual Report and Accounts to be submitted to NIAO in advance of the commencement of the 2025/26 audit on 26 August 2025.

 

 

K       Date of next meeting

 

The next meeting of the Audit and Risk Committee is scheduled to take place on 15th October 2025.