Information Commissioner's Office

Information Commissioner's Office
Internal Audit: Visit Four
March 2011

Report distribution
For action: Head of Good Practice; Good Practice Group Manager
For information: Information Commissioner; Deputy Commissioner: Data Protection; Director of Operations; Audit Committee

Timetable
Scoping meeting: 5 January 2011
Fieldwork completion: 17 January 2011
Draft report issued: 10 February 2011
Management responses received: 2 & 15 March 2011
Final report issued: 15 March 2011

Information Commissioner's Office: Internal Audit

Contents
1 Executive summary (page 1)
2 Detailed Findings and Action Plan (page 4)
Appendices
A Brief Audit Approach
B Responsibilities, approach and scope

This report is confidential and is intended for use by the management and Directors of the Information Commissioner's Office only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our written prior consent. We do not accept responsibility for any reliance that third parties may place upon the report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. It is the responsibility of the Information Commissioner's Office's management to ensure that there are adequate risk management, governance and control arrangements

Grant Thornton UK LLP. All rights reserved

1 Executive summary

1.1 Scope and Objectives

As part of its increased powers in respect of data protection, the ICO reorganised its Good Practice function during 2010, emphasising its primary role to educate both public and private organisations to better manage their responsibilities under the Data Protection Act. Currently the key role of the function is to undertake consensual reviews of the Data Protection arrangements at organisations with a view to educating and advising those bodies on how best to protect their data, although Assessment Notices can be served on certain public sector bodies.

The scope of our review, as agreed with management, was to focus on the following risks associated with the work of the Good Practice function:
- The audit methodology used for consensual reviews may not be clearly documented and reflect industry-recognised standards of internal audit (specifically the IIA Standards), resulting in a process that may not focus on the key issues of clients and/or may fail to provide clear guidance to audit staff on the requirements of individual reviews.
- The methodology may not be consistently applied, resulting in both staff and auditees being inadequately prepared for the audit, an inability to substantiate findings and recommendations in audit reports and a failure to address weaknesses in data protection processes at external organisations.
- The function may not liaise with other parts of the ICO, e.g. Enforcement, resulting in a failure to consider relevant matters as part of the planning and delivery of audits, which could impact on the efficiency, effectiveness and benefits derived from individual audits.
- The function may not obtain and/or address feedback received from audited organisations, resulting in a failure to improve and to meet the expectations and requirements of auditees.

Further details of the scope of the work can be seen at Appendix B.
1.2 Key matters arising from the audit

We are pleased to confirm that some significant progress has already been made by the Good Practice function, both in building a team and establishing a professional audit methodology. In particular:
- In May 2010, a Head of Good Practice was recruited to lead the function and to increase the number of reviews that it is able to undertake.
- Three audit teams have been established, one of which is a research team that has concentrated on identifying data controllers for inclusion in the audit programme.
- The function's approach to consensual reviews has been formalised and documented in an Audit Manual that became operational in October.
- The types of audits that may be conducted at organisations have been defined.
- The approach is risk-based and the types of organisation considered to be of higher priority for review have been identified.

- The audit approach includes follow-up reviews; these reviews are risk-based, i.e. the nature of any follow-up work undertaken is determined by the opinion given during the initial audit.

As regards the delivery of the reviews, our sample of five audit files confirmed that those audits had been consistently undertaken and in accordance with the audit approach, key documentation and approvals. No significant issues were found in our testing. We also confirmed that the method used to segment the audit universe is appropriate and adequately reflects the risk based nature of the audit approach. In particular, we identified the following examples of good operational practice:
- A standard audit feedback form has been developed which is sent to all auditees requesting their feedback. The form has been designed to elicit feedback on each key element of the audit which, in due course, will enable the function periodically to identify areas of improvement.
- Where audits are conducted in Scotland, Wales or Northern Ireland, a representative of the ICO's regional offices attends the audit to provide any local knowledge to the audit team.
- The Head of Good Practice meets weekly with the Operations Directorate Department Heads and, along with staff, attends the monthly casework forums, which is useful for understanding the key issues and activities that are being experienced across the ICO.

Areas for improvement

As the Good Practice function is relatively new, and it is still perfecting its audit approach, management expected that there would be scope to further improve its arrangements. Inevitably therefore we have identified a number of opportunities at Section Two of this report. Our one medium priority recommendation is summarised below:

Further consideration should be given to the policy and guidance underpinning the Good Practice function's use of audit opinions. As a key role of the function is to educate organisations, it could be argued that a formal opinion is not always necessary and could unnecessarily expose the ICO to legal challenge. If opinions are required, the risks associated with providing a high assurance opinion should be further explored. For example, how much reputational damage would the ICO suffer if it had previously issued a high assurance (i.e. positive) audit opinion to an organisation subsequently found to be in breach of the Data Protection Act, and would it be legally liable for the opinions it issues?

1.3 Opinion

Overall we conclude that, as regards the risks associated with the work of the Good Practice function:
- the risk management activities and controls that we examined were suitably designed to achieve the objectives required by management;
- those activities and controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related risk management objectives were achieved during the period under review.

1.4 The way forward

Our findings and detailed recommendations, together with the ICO responses, are included in the Action Plan at Section Two.

1.5 Acknowledgments

We would like to take this opportunity to thank the staff at the ICO for their assistance and co-operation during the course of this audit.

Grant Thornton UK LLP, March 2011

2 Detailed Findings and Action Plan

2.1 The audit methodology used for consensual reviews may not be clearly documented and reflect industry-recognised standards of internal audit (specifically the IIA Standards), resulting in a process that may not focus on the key issues of clients and/or may fail to provide clear guidance to audit staff on the requirements of individual reviews

Detailed Findings

The primary role of the Good Practice Function is to undertake consensual audits of organisations with a view to educating and providing advice on how they can better manage their responsibilities under the Data Protection Act.

Audit Manual Development

In May 2010, the ICO employed a new Head of Good Practice to further develop and grow the activities and scope of the Good Practice function. Part of the work over the past year has been to further develop the methodology adopted in the function's audits of external organisations, which became operational from October.

The Good Practice function is in the process of developing a high level, externally facing document to identify the audit approach, which will be used to demonstrate the features of an ICO Data Protection audit. We support the intention to do this as a way of informing stakeholders within the ICO to increase their awareness of the work of the Good Practice Function. This should also add to the credibility of the audits and should improve transparency to external stakeholders. It is intended that this document will go through appropriate approval by relevant senior staff, which we support. In addition we suggest it make reference to relevant standards, e.g. Government Internal Audit Standards (2009) and the Chartered Institute of Internal Auditors guidance on risk based internal auditing (2011). [Recommendation 1]

Audit focus and selection of auditees

The research team within the Good Practice Function is largely responsible for identifying the areas which the audit teams can cover (known as the audit universe) and which organisations within that universe the ICO will seek to audit. The Audit Universe is segmented and includes areas such as:
- Central Government Departments and associated agencies and NDPBs, i.e. those covered by Assessment Notice powers
- Organisations with six or more cases where compliance is deemed to be unlikely in the previous 6 months
- Organisations who are high notification fee payers, i.e. process large volumes of data
- Areas of interest for the ICO (specific sectors that have been identified as an ICO corporate priority, e.g. finance, health and criminal justice)

The ICO has the power to audit Central Government Departments but has to obtain agreement from other organisations to undertake consensual audits. The function's research team undertakes risk assessments for a range of segments, e.g. Government Departments, to identify those organisations where an audit would add the most value. The metrics considered in these risk assessments include but are not limited to:
- Staff numbers
- Number of locations
- Resources allocated to Data Protection (DP)
- Types (volume and nature) of personal data held

Following this assessment, the Good Practice team applies a RAG (red, amber, green) rating to each organisation in order to prioritise the focus of its audit activities. In addition, audits can be undertaken with organisations which have volunteered for an audit and also where the ICO's Enforcement function has referred an organisation for an audit.

Action Plan

Recommendation 1: LOW
We support the intention of management to:
- Develop a document identifying the high-level audit approach for stakeholders outside of the good practice team. This should be appropriately approved and make reference to relevant audit standards where applicable;
- Consider the value of shorter audits for new notifiers as an additional segment of the audit universe.

Response: An externally facing document outlining the audit approach is being developed, based on the internal audit manual and to complement the existing Assessment Notice Code of Practice. It is anticipated that this will be approved by the Operational Directorate Department Heads meeting and will reference the appropriate audit standards where applicable. Work has started to identify new sectors and new approaches to good practice work including new notifiers.

Date for implementation/responsible officer: 30 June 2011/Louise Webb, Head of Good Practice

The Good Practice function is also considering the value of undertaking short audits of new notifiers to focus on high level controls over data, as it is expected that such organisations are more likely not to have a full awareness of Data Protection requirements.

The Good Practice function issues letters to prospective organisations for an audit and to date has been relatively successful in obtaining agreement to conducting audits. For example, during December 2010, the function issued 67 letters to organisations requesting a consensual audit; as at the time of our audit (January 2011), 14 out of 17 replies had agreed to an audit. The Good Practice Function tracks the responses in three categories (central government agencies, other public sector and private sector). It would however be useful if this was tracked in more detail by sector, allowing the information to be used by senior stakeholders within the ICO to identify the extent of engagement with different sectors (e.g. NHS, Local Authority, Banking etc) and to utilise this information when seeking greater powers of access.

Audit Fieldwork

The Audit Manual has a clear process for the planning and delivery of audits, including working papers and allocated responsibilities. A checklist is used to assist the auditor in delivering the audits. The Audit Manual also sets out expected timings for completing the various elements of the audit, e.g. issue of the first draft report within 12 days of fieldwork, and performance in meeting these deadlines is tracked on a management information spreadsheet. The audit fieldwork process per the manual is briefly shown at Appendix A for reference.

Resourcing requirements

The Good Practice Function is intending to double the size of the team. As the team grows, it would be useful for champions to be identified for key areas of risk or sectors to allow individual auditors to be a repository of information for good practice and common issues in their area. [Recommendation 2] This would not require auditors to work exclusively in a particular sector or risk area, as this would limit personal development and there would be a loss of knowledge should they leave; we simply propose that they keep up to date with the outputs of audit reports for the areas they have been allocated as a champion.

The Good Practice Function records data on the average number of days required to complete an audit. This data could be further enhanced by analysing auditees by sector to help the ICO to better understand which sectors require more resources than others.

Audit Follow-up

The engagement lead auditor who carried out the initial audit will often be responsible for any follow-up activity. Previously all audits were followed up; however a more risk based approach is now employed, which we fully support. The follow-up activity will now be based on the initial opinion given, with organisations with significant Data Protection issues being followed up with formal three-monthly updates from the organisation and a follow up visit.

Action Plan

Recommendation 2: LOW
We suggest auditors are assigned to be champions for an area of DP risk or a particular sector, to be a repository of information identifying common issues/good practice in the area which they can share with colleagues. This would negate the need for all auditors to undertake detailed research in each area of review.

Response: On an informal basis this already happens in areas of Data Protection risk such as IT security, employment practices and the Privacy and Electronic Communications Regulations. However, in particular in light of the ongoing expansion of the team, we recognise the value in developing champions in areas of DP risk or a particular sector.

Date for implementation/responsible officer: 30 June 2011/Louise Webb, Head of Good Practice

2.2 The methodology may not be consistently applied, resulting in both staff and auditees being inadequately prepared for the audit, an inability to substantiate findings and recommendations in audit reports and a failure to address weaknesses in data protection processes at external organisations.

Detailed Findings

The development by the Good Practice function of an audit manual with standard templates was a key mechanism for delivering audits in a consistent manner. All audit files are stored electronically on the Meridio system and use standard record keeping folders to promote further consistency in maintaining records. Operationally, auditors work for each manager, which reduces the potential for silos to emerge and helps to embed a consistent audit approach across the audit teams.

Planning of audits

Before audits take place the Good Practice Function sends a letter of engagement to the organisation. A review of this identified that it was not clear what the responsibilities are for both parties in relation to an audit; we did however note that the responsibilities of the ICO were embedded within the letter, though not explicitly clear. Identifying the responsibilities of both parties is considered to be good practice and ensures expectations are clear at the outset and that they can be managed. [Recommendation 3]

Each file that we sampled had identified the scope of work within the letter of engagement; however two of the five letters did not have evidence of client approval on record. Staff should be reminded of the need to obtain this prior to the on-site visit; failure to agree the scope with the client could result in the risk that expectations are not adequately managed. [Recommendation 3]

As the Good Practice function's focus is solely on Data Protection reviews, it has identified the high level risks in relation to the Data Protection Act and the expected controls in relation to it within its Risk Library, which helps to promote consistency in planning of reviews. The Library is used to inform the focus of the on-site work, although the audit teams can tailor the areas of focus to be reviewed, which are agreed in advance by the Audit Manager. Our testing identified that in a sample of five reviews, one review file did not hold manager approval of the tailored scope of work that was to be undertaken. As the Risk Library is a key document in planning Data Protection audits, we suggest that the Library should be shared with the Information Rights Committee to obtain further guidance on the key risk factors. [Recommendation 4]

Fieldwork/working papers

Our review of a sample of working papers and the audit approach identified that the working papers are focussed on reviewing the design of the controls that organisations have in place to protect data, with less focus on the effective operation of these controls. While no evidence was identified that the balance between design and effectiveness was not appropriate, the working papers were not transparent in distinguishing the two elements. To distinguish between the two, we suggest that the main audit working paper is revised to clarify that observations are required for both control design and control effectiveness. This transparency should provide a prompt for auditors to balance their work on reviewing the design of controls and the effectiveness of those controls. [Recommendation 5]

Our testing of audit files confirmed that:
- Appropriate evidence of review of the files was held
- Appropriate evidence of the on-site visit was held, with a working paper for each risk within the letter of engagement
- Each audit had a completed opinion calculator
- Draft reports were seen where the audit had reached that particular stage
- The engagement lead auditor checklist was completed up to the relevant stage that the audit was at.

Audit Opinion

The arrangements in relation to the audit opinion and audit report were reviewed. A number of issues were identified which need to be discussed and clarified between the Good Practice function and other stakeholders within the ICO.

The ICO gives one of four opinions in its audit reports: very limited assurance, limited assurance, reasonable assurance and high assurance. Given the scope of the audits, for the ICO to provide a high assurance opinion is a very strong statement and could impact on the ICO's role as enforcer. For example, if the Good Practice function provided high assurance at an organisation which was subsequently subject to a high profile breach of the DPA, the ICO could suffer damage to its reputation as it had provided such high assurance over the arrangements in place. Therefore, the ICO should consider whether it is necessary to provide high assurance opinions; if it determines that it wishes to continue doing so, management should introduce a contingency communication plan which considers this situation so it can be effectively managed should the situation arise. Furthermore, to limit the exposure that the ICO has to third parties, its audit reports should include a disclaimer to reflect that the report is for the auditees' purposes only and that no responsibility will be taken in the event of third parties placing reliance on the report. Indeed, given that the audits are free for organisations and the ethos of the Good Practice Function is to 'educate and improve', it needs to ask itself the wider question of 'is there a need to give an opinion at all?' It can be argued that providing recommendations is sufficient to improve the Data Protection arrangements and that providing an opinion is unnecessarily putting the ICO's reputation at risk. This wider question needs to be discussed and agreed by ICO management. [Recommendation 6]

Opinions that are provided are calculated based on the results from the individual risk areas. Currently these are a simple average of all areas reviewed, which implies that each risk is equally important, whereas in reality some risks may be more important than others. We suggest the Good Practice function liaise with relevant senior stakeholders such as the Information Rights Committee to discuss whether it is worthwhile identifying and allocating priorities to risk areas, which would impact on the overall opinions provided.

Post audit evaluations

The IIA's Internal Audit Standard 1311 on internal assessments states that "periodic reviews should be performed through self assessment or by other persons within the organisation with sufficient knowledge of internal audit practices". We therefore recommend that a process for undertaking cold reviews of a sample of files each year, i.e. reviews of audit files some time after the work has been done, is introduced to promote good practice amongst the Good Practice function, with consideration of factors such as file maintenance, sample sizes and reporting. [Recommendation 7]

Action Plan

Recommendation 3: LOW
The Letter of Engagement should increase the clarity identifying the responsibilities of the ICO and the auditees in relation to the audit. Furthermore, auditors should be reminded to ensure:
- letters of engagement are approved by the client before the audit takes place;
- consideration of the risk library document, which is used to alter the focus of audit work, is approved by the manager.

Response: We will review the letter of engagement to ensure responsibilities are clear. We have also reminded auditors as to the importance of ensuring they have an approved letter of engagement before an audit, as well as ensuring the scope areas of the audit have been approved by a team manager.

Date for implementation/responsible officer: 30 June 2011/Louise Webb, Head of Good Practice

Recommendation 4: LOW
The risk library document should be submitted to the Information Rights Committee for discussion and approval.

Response: The risk library document has now been reviewed and redesigned and will be circulated to the appropriate stakeholders for approval, to include the Deputy Commissioner and Director of Data Protection.

Date for implementation/responsible officer: 31 May 2011/Louise Webb, Head of Good Practice

Recommendation 5: LOW
The main audit working paper should include an additional column to provide transparency that audit work is considering both the design and the effectiveness of controls.

Response: The audit working paper will be altered to make clear which column refers to the design of controls and which refers to effectiveness.

Date for implementation/responsible officer: 30 March 2011/Louise Webb, Head of Good Practice

Recommendation 6: MEDIUM
The arrangements in relation to audit opinions need to be adequately considered as below:
- A disclaimer to third parties should be included within the audit reports.
- The Information Rights Committee and Good Practice function should consider and agree if an opinion should be given within audit reports.
- The Information Rights Committee and Good Practice function should consider and agree if high assurance opinions should be given at all, subject to the above.
- The Information Rights Committee and Good Practice function should consider and agree if risks per the Risk Library have equal weighting. If the consensus is that they don't, the opinion calculator should adequately reflect the weighting of risks when determining the opinion.
- The Good Practice function should liaise with relevant stakeholders across the ICO to develop a contingency plan should a high profile breach of the Data Protection Act occur in an organisation where an audit opinion provided high assurance over data protection arrangements.

Response: We agree with the need to add a disclaimer to the audit report and this will be implemented into audit reports going forward and into the audit manual. With regards the need for an audit opinion, we will consult with key stakeholders, including the Deputy Commissioner and Director of Data Protection. We feel that the question of liability of the ICO needs to be balanced with the value that an opinion brings to stakeholders, in particular the public, in making organisations easily comparable. With regards high assurance, we agree that the wording of this could be reviewed; however we are keen to ensure we have a mechanism for recognising and rewarding good practice. The ICO may have to tolerate the risk of identifying areas of good practice through audit, and be clear through the use of disclaimers that the audit is a reflection of process and procedures at a certain time and place, in relation to specified scope areas. We feel that it would be even harder to get organisations to agree to a consensual audit if there was no way of good practice being recognised. We would be concerned about weighting risks with scope areas on a generic basis, as different organisations would carry different levels of risk. It may be more appropriate to consider at the planning stage whether risk areas need to be weighted on an engagement by engagement basis. We would be happy to work with Corporate Affairs and other stakeholders to develop a contingency plan for such outcomes. It should be noted that we have yet to issue a high assurance audit report.

Date for implementation/responsible officer: 31 December 2011/Louise Webb, Head of Good Practice

Recommendation 7: LOW
The Good Practice function should consider the introduction of cold file reviews to support adherence with IIA standard 1311 and to identify opportunities to improve compliance with the audit methodology of the function.

Response: We believe the introduction of cold file reviews is a good way to ensure consistency in our audit approach and represents good practice.

Date for implementation/responsible officer: 1 April 2011/Victoria Heath, Group Manager

2.3 The function may not liaise with other parts of the ICO, e.g. Enforcement, resulting in a failure to consider relevant matters as part of the planning and delivery of audits, which could impact on the efficiency, effectiveness and benefits derived from individual audits.

Detailed Findings

The Good Practice Function liaises with other functions within the ICO in various ways. The Head of Good Practice meets with the Heads of Operations (Customer Contact, Complaints Resolution and Enforcement) each week as part of the Operations Directorate Department Heads (ODDH) meeting. On a monthly basis there is also representation by the Good Practice Team on the Casework Forum, which discusses the casework activity currently in progress. This all helps to inform the work of the Good Practice team, in terms of the issues to watch out for and possible organisations to target.

Before the Good Practice Function sends out letters to organisations requesting agreement to conduct an audit, the list of organisations will be sent to Complaints Resolution, Strategic Liaison and Enforcement for their thoughts. The Strategic Liaison team may have useful background information and existing relationships. This is a good mechanism by which the existing relationships can be used to increase the likelihood of an organisation agreeing to a consensual audit.

The Enforcement function provides Good Practice with a list of enforcement activity to inform them of organisations they may wish to audit. The Enforcement function issues notices to organisations where a breach of the principles of the Data Protection Act has occurred, with the power to impose a monetary penalty of up to £500,000. Alternatively the Enforcement function can agree an undertaking with the organisation to deliver a series of actions to prevent further breaches. The Enforcement function will work with the Good Practice function to consider if offering an audit is an appropriate course of action.

Where audits are taking place in Scotland, Wales or Northern Ireland, a member of the regional office would be invited to join the audit team to ensure the audit team is aware of the culture of organisations and the data protection environment and issues in the particular area. In addition this is a good way to increase the awareness of the work of the Good Practice Function with the regional offices.

Action Plan

There are no issues in this area which we wish to bring to the attention of the ICO at this time.

2.4 The function may not obtain and/or address feedback received from audited organisations, resulting in a failure to improve and to meet the expectations and requirements of auditees.

Detailed Findings

The Good Practice Function issues an audit feedback form which requests feedback from auditees in a range of different areas. In December 2010, the form was issued to all organisations audited in the financial year, although there is an intention to issue the feedback form with the final report, which we support. This will likely provide valuable feedback from individuals while it is still fresh in their minds. The feedback form will however have to be amended, as one of the questions, on 'the impact of the ICO audit on data protection compliance', is unlikely to be answerable by the auditees at the time of the Final Report.

We reviewed the audit feedback form against others seen elsewhere and consider it to adequately cover the main things we would expect to see. As at the completion of our audit, seven feedback forms had been returned and the feedback received had been good in almost all the areas, such as:
- The audit scope being relevant and appropriate
- The on-site work performed by ICO teams
- The conduct of ICO staff during the audit
- Report[s] delivered on time and addressed key risk areas
- Constructive and appropriate recommendations
- The process has raised awareness of the importance of data protection within the organisation
- The audit resulted in improved data governance

The feedback did highlight that three out of seven respondents were undecided about whether they would wish to have a future ICO audit, although they stated that the measures that will flow from this audit will negate the need for a follow up.

Action Plan

There are no issues in this area which we wish to bring to the attention of the ICO at this time.

Effectiveness of the ICO's Good Practice Function

A Brief Audit Approach

1 A letter is sent to organisations requesting a consensual audit
2 An initial planning meeting is held between the ICO and the organisation
3 A letter of engagement is sent to the organisation highlighting the scope of work
4 Relevant documents are requested from the organisation and are then reviewed by the auditors
5 The detailed focus of the audit is selected from the risk library. Any additions to, or deletions from, the risk library are approved by the manager
6 The on-site visit takes place
7 Key themes/findings are communicated to the organisation on the last day of on-site fieldwork
8 Working papers are completed and each area of scope is risk assessed as red, amber, yellow or green
9 The ratings for the different areas of risk are averaged to give an overall opinion score, which determines the opinion
10 A 1st draft report identifying the findings is sent to the organisation within 12 working days of the end of fieldwork
11 A 2nd draft report identifying both the findings and the recommendations is sent to the organisation
12 The final report is issued soon after management responses are received
13 A follow-up date is agreed

B Responsibilities, approach and scope

Responsibilities

It is the responsibility of management to ensure that there are adequate controls and activities in place to ensure that the Information Commissioner's Office business objectives can be met and that the risks to the Information Commissioner's Office are minimised. Based on the work we have carried out, we provide an objective assessment of the adequacy and effectiveness of controls and activities established by management to manage the identified risks to the Information Commissioner's Office.

It is our reporting protocol to balance our reporting of positive practice with areas for attention. This enables the Information Commissioner's Office to build upon its strengths, whilst focusing upon key findings and associated recommendations, which, if acted upon, should enhance the control environment and improve the management of key risks.

Please refer to our letter of engagement for full details of responsibilities and other terms and conditions.

Approach

Our internal audit approach is based upon the underlying principles of the UK Corporate Governance Code (June 2010). Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that management is doing so successfully for each of the areas being audited. Our audit has been carried out in accordance with the guidance contained within the Government's Internal Audit Standards (April 2009). We also have regard to the Institute of Internal Auditors' guidance on risk based internal auditing (2009).

As part of our Audit Plan, we have agreed with the Audit Committee and management that we should carry out a review of the activities of the Good Practice function to further inform our ongoing understanding of the Information Commissioner's Office's key internal control and governance activities.

We achieved our audit objectives by:
- agreeing the principles of, and benefits of, effective management of the area above
- meeting with key staff to gain an understanding of the arrangements in place
- building upon the information we have already gained through our audit planning process
- reviewing key documents that support the processes in place
- comparing existing arrangements with established best practice and other guidance.

The findings and conclusions from this review will support our annual opinion to the Audit Committee on the adequacy and effectiveness of internal control arrangements.

Scope

We agreed to focus our work on the following areas:
- The audit methodology used for consensual reviews may not be clearly documented and reflect industry-recognised standards of internal audit (specifically the IIA Standards), resulting in a process that may not focus on the key issues of clients and/or may fail to provide clear guidance to audit staff on the requirements of individual reviews
- The methodology may not be consistently applied, resulting in both staff and auditees being inadequately prepared for the audit, an inability to substantiate findings and recommendations in audit reports and a failure to address weaknesses in data protection processes at external organisations
- The function may not liaise with other parts of the ICO, e.g. Enforcement, resulting in a failure to consider relevant matters as part of the planning and delivery of audits, which could impact on the efficiency, effectiveness and benefits derived from individual audits
- The function may not obtain and/or address feedback received from audited organisations, resulting in a failure to improve and to meet the expectations and requirements of auditees

Reporting

Management should make arrangements to monitor the implementation of recommendations agreed within this report and to provide assurances to the Audit Committee that the recommendations have been implemented.

Our audit findings and recommendations are ranked and categorised as set out below:

Priority: Definition
High: Findings fundamental to the management of the risk
Medium: Findings important to the management of risk
Low: Findings which are relatively minor in nature, but represent the opportunity to improve the management of risk

"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.


Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating: Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating: Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation

More information

ACADEMIC POLICY FRAMEWORK

ACADEMIC POLICY FRAMEWORK ACADEMIC POLICY FRAMEWORK Principles, Procedures and Guidance for the Development & Review of Academic Policies [V.1] Page 2 of 11 TABLE OF CONTENTS 1. FRAMEWORK OVERVIEW... 3 2. PRINCIPLES... 4 3. PROCESS...

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

Information Management Policy

Information Management Policy Title Information Management Policy Document ID Director Mark Reynolds Status FINAL Owner Neil McCrirrick Version 1.0 Author Deborah Raven Version Date 26 January 2011 Information Management Policy Crown

More information

Internal Audit Annual Report 2011/12

Internal Audit Annual Report 2011/12 1 Introduction 1.1 In accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, the Internal Audit Annual Report 2011/12 for Cheshire East contains the following:

More information

Internal Audit Division

Internal Audit Division Internal Audit Division at the Financial Conduct Authority Information Pack April 2013 Contents of Information Pack A. Introduction B. Internal Audit Terms of Reference C. Organisation D. Skills and Competencies

More information

South Northamptonshire Council Contract Assurance: Leisure Contract

South Northamptonshire Council Contract Assurance: Leisure Contract South Northamptonshire Council Contract Assurance: Leisure Contract FINAL Internal Audit Report 2012/2013 January 2013 Contents 1. Executive summary 4 2. Background and scope 5 3. Detailed current year

More information

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 This report has been prepared on the basis of the limitations set out on page 16. Contents Page

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Internal Audit 2011-12: Business Continuity Review Last updated 6 February 2012 Will Simpson Senior Manager

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER APPENDIX A INTERNAL AUDIT CHARTER Version Control Version No Author Date 1.2 Anna Wright September 2014 Shared Service Senior Auditor 1.3 Lisa Cotton August 2015 Shared Service Senior Auditor 1.4 Lisa

More information

Cheshire Fire Authority

Cheshire Fire Authority Cheshire Fire Authority Internal Plan 2013/2014 Presented at the Cheshire Fire Authority meeting of: 17 April 2013 Lisa Randall Head of Internal 1 INTRODUCTION This document sets out the approach we have

More information

Guidance for audit committees. The internal audit function

Guidance for audit committees. The internal audit function Guidance for audit committees The internal audit function March 2004 The Combined Code on Corporate Governance July 2003 C.3 Audit Committee and Auditors Main Principle: The board should establish formal

More information

Cardiff Council. Data protection audit report. Executive summary June 2014

Cardiff Council. Data protection audit report. Executive summary June 2014 Cardiff Council Data protection audit report Executive summary June 2014 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998

More information

Report on the Quality Account 2015/16

Report on the Quality Account 2015/16 Report on the Quality Account 2015/16 South West London and St George's Mental Health NHS Trust Year ended 31 March 2016 31 MAY 2016 Paul Grady Engagement Lead T 020 7728 2301 E paul.d.grady@uk.gt.com

More information

the role of the head of internal audit in public service organisations 2010

the role of the head of internal audit in public service organisations 2010 the role of the head of internal audit in public service organisations 2010 CIPFA Statement on the role of the Head of Internal Audit in public service organisations The Head of Internal Audit in a public

More information

Head of Internal Audit:

Head of Internal Audit: Head of Internal : Opinion on the effectiveness of the system of Internal Control at Northern Devon Healthcare NHS Trust for the year ended 31 March 2010 Roles and responsibilities The whole Board of Directors

More information

Improving information to support decision making: standards for better quality data

Improving information to support decision making: standards for better quality data Public sector November 2007 Improving information to support decision making: standards for better quality data A framework to support improvement in data quality in the public sector Improving information

More information

Limited Liability Partnerships

Limited Liability Partnerships Limited Liability Partnerships Recently, companies have become increasingly interested in looking at an alternative business form which has been more commonly associated with professional firms such as

More information

Risk Management Strategy

Risk Management Strategy Risk Management Strategy 2010 RISK MANAGEMENT STRATEGY 1 INTRODUCTION 1.1 What is Risk Management? 1.1.1 Risk can be defined as uncertainty of outcome (whether positive opportunity or negative threat).

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

RIIO-ED1 BUSINESS PLAN SA-09 Supplementary Annex Data assurance. June 2013 (Updated April 2014)

RIIO-ED1 BUSINESS PLAN SA-09 Supplementary Annex Data assurance. June 2013 (Updated April 2014) 2015-2023 RIIO-ED1 BUSINESS PLAN SA-09 Supplementary Annex Data assurance June 2013 (Updated April 2014) SA-09 Data assurance Contents 1 Introduction... 3 Structure of this document... 3 2 Data assurance

More information

Group Risk Management Policy

Group Risk Management Policy Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information