Comhairle nan Eilean Siar Internal Audit Follow Up Review Document Management. Final Report FU01 14/15

Transcription

1 Comhairle nan Eilean Siar Internal Audit Follow Up Review Document Management Final Report FU01 14/15 11 November 2014

2 CONTENTS Page SECTION 1 - EXECUTIVE SUMMARY 1 4 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS 5 10 APPENDIX RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND 11 INTERNAL AUDIT 11 November 2014

3 SECTION 1 EXECUTIVE SUMMARY Introduction 1.01 This follow up report has been prepared for the Comhairle s Audit & Scrutiny Committee. The original report advised of a number of recommendations made in Document Management report which was issued on 10 th December The follow up review was undertaken in accordance with the operational annual internal audit plan for 2014/15. Internal audit objective 1.02 Following up internal audit reports and assessing the level of compliance with recommendations made is an important part of the internal audit function In accordance with the remit detailed in the operational annual internal audit plan for 2014/15, our internal audit work was designed to obtain assurance that the original recommendations have been implemented. We obtained this assurance through internal audit testing and undertaking discussions with key personnel The main recommendations in the original report were: - The Public Records (Scotland) Act 2011(PRSA) came into force on the 1 st January The PRSA requires the Comhairle to prepare and submit a five year Records Management Plan (RMP) to the Keeper for approval. Although work has started on this task, the Keeper will invite each named authority to submit a plan within a period of 6 month from date of notice; A comprehensive document management policy be updated outlining the key requirement of applicability, roles and responsibilities, regulatory environment and monitoring; and Appropriate storage facilities are used by departments which reflect the level of security and water/fire proofing that may be required. 11 November

4 SECTION 1 EXECUTIVE SUMMARY (CONTINUED) Detailed findings 1.05 The current status of progress against the original recommendations can be summarised as follows:- Key to status Fully implemented;, although further work is required to meet the objective of the recommendation; or Insufficient progress to date. Recommendation Action to Date Status A comprehensive document management policy be updated outlining the key requirement of applicability, roles and responsibilities, regulatory environment and monitoring. This policy should flow from the findings of the current crossdepartment review taking place. Any Records Management Policy implemented should cover paper, faxes, internet and intranet information. A Records Management Policy be introduced which covers training requirements for new and existing staff. All existing staff should receive appropriate information security and data management training. Training in information security and data management should take place as part of the induction training for all new staff. Regular information updates should be advised to staff on a regular basis and where significant changes are identified specific training is rolled out to all staff. 11 November

5 SECTION 1 EXECUTIVE SUMMARY (CONTINUED) Recommendation Action to Date Status The Comhairle s Management Team need to take forward policies and procedures which provide consistency of approach, and are implemented within departments and monitored to assess compliance. Fully implemented A statement in relation to third party operatives who could access data be covered in a document management policy. The document management policy outlines security requirements, prohibited activities and the requirement to sign up to this requirement either within a contract or a declaration in short term instances. A communications classification system (Protective Marking) be introduced which complies with best practice. Insufficient progress to date Appropriate training and advice is given to all staff in the use of classification frameworks. A corporate approach covering document management must be progressed as a matter of priority given that sufficient notice was given to all public bodies of their statutory duties to comply. Insufficient progress to date A RMP be produced which meets the 14 best practice areas as defined by the Keeper and is implemented and lodged as per the Act. A standard is set in terms of data security and disposal of waste through shredding and confidential waste disposal throughout the Comhairle and which meet BS15713 (The secure destruction of confidential material). Any such guidance should also identify the minimum security grade of office shredders. A corporate process and associated procedures be implemented which take bulk confidential waste off site for disposal. 11 November

6 SECTION 1 EXECUTIVE SUMMARY (CONTINUED) Recommendation Action to Date Status Corporate protocols and instructions should be agreed which covers manual records and security of files when not in use or are visible to nonauthorised staff and visitors. A comprehensive IT asset register be maintained and reviewed periodically in terms of update to identify that all assets that should be held are still within the control of the Comhairle or have been disposed off using the approved method. Appropriate storage facilities are used by departments which reflect the level of security and water/fire proofing that may be required. Insufficient progress to date Insufficient progress to date Concluding remarks 1.06 From our follow up testing, we note that out of the 18 follow up recommendations made in the original follow up report 1 appears to have been fully implemented, and management have confirmed that the remaining recommendations will be implemented by June For Comhairle nan Eilean Siar Internal Audit Services Internal Audit Comhairle nan Eilean Siar Council s Sandwick Road Stornoway 11 November November

7 SECTION 2 DETAILED FINDINGS 2.1 A comprehensive document management policy be updated outlining the key requirement of applicability, roles and responsibilities, regulatory environment and monitoring. This policy should flow from the findings of the current crossdepartment review taking place. This has been drafted to reflect terms of the Act; still in progress. To be finalised and approved. Review March 2015 Any Records Management Policy implemented should cover paper, faxes, internet and intranet information. As above As above 11 November

8 SECTION 2 DETAILED FINDINGS (CONTINUED) 2.2 A Records Management Policy be introduced which covers training requirements for new and existing staff. All existing staff should receive appropriate information security and data management training. Training in information security and data management should take place as part of the induction training for all new staff. / HR (all) Once Policy documentation has been finalised and approved, then roll out of training will follow to all relevant staff. We are advised by the Business Development Manager that information security and Data Protection training is included in all induction training and Data Protection training is available as an in-house training course for all employees. In addition, the IT and Customer Services purchased an e-learning training course in Information Security for all employees. Review in June 2015 Regular information updates should be advised to staff on a regular basis and where significant changes are identified specific training is rolled out to all staff. 11 November

9 SECTION 2 DETAILED FINDINGS (CONTINUED) 2.3 The Comhairle s Management Team need to take forward policies and procedures which provide consistency of approach, and are implemented within departments and monitored to assess compliance. Chief & CMT January 14 Management Team have approved reports from the former archivist at Working Group. Done and ongoing. 2.4 A statement in relation to third party operatives who could access data be covered in a document management policy. Draft policy in progress. Completion and approval of policy Review March 2015 The document management policy outlines security requirements, prohibited activities and the requirement to sign up to this requirement either within a contract or a declaration in short term instances. As above. As above. 11 November

10 SECTION 2 DETAILED FINDINGS (CONTINUED) A communications classification system (Protective Marking) be introduced which complies with best practice. Appropriate training and advice is given to all staff in the use of classification frameworks. IT and Customer Services July14 IT and Customer Services/ Head of HR July 14 A report was approved by CMT in April this year recommending that: a) a tender exercise be undertaken to determine the most cost effective option that meets the Comhairle s requirements and; b) the proposed classification categories are approved for use in the Comhairle. Nothing further has been done as resources were redirected to PSN compliance. Revised target will be end June Implementation of the recommendations. A corporate approach covering document management must be progressed as a matter of priority given that sufficient notice was given to all public bodies of their statutory duties to comply. A RMP be produced which meets the 14 best practice areas as defined by the Keeper and is implemented and lodged as per the Act. The working group will take forward archivists recommendations. Records Management Policy in progress. Completion and approval of policy Review March As above. 11 November

11 SECTION 2 DETAILED FINDINGS (CONTINUED) 2.7 A standard is set in terms of data security and disposal of waste through shredding and confidential waste disposal throughout the Comhairle and which meet BS15713 (The secure destruction of confidential material). Any such guidance should also identify the minimum security grade of office shredders. (All) Documentation in draft form and will be progressed shortly. Completion and approval of policy Review March A corporate process and associated procedures be implemented which take bulk confidential waste off site for disposal. As above. As Above. 2.8 Corporate protocols and instructions should be agreed which covers manual records and security of files when not in use or are visible to non-authorised staff and visitors. Documentation in draft form and will be progressed shortly. Completion and approval of policy Review March November

12 SECTION 2 DETAILED FINDINGS (CONTINUED) 2.9 A comprehensive IT asset register be maintained and reviewed periodically in terms of update to identify that all assets that should be held are still within the control of the Comhairle or have been disposed off using the approved method. IT and Customer Services July14 Nothing further has been done as resources were redirected to PSN compliance. Revised target will be end June Implementation of the recommendations Appropriate storage facilities are used by departments which reflect the level of security and water/fire proofing that may be required. Assets & Infrastructure Enhanced storage facilities have been made available to Departments at Marybank Depot. These include secure and general storage. Procedures have been put in place to ensure that documents are stored in appropriate containers and labelled correctly. The enhanced facilities do not necessarily provide the highest level of fire security as the existing building has limitations, however are a practicable step towards more appropriate storage facilities. Develop a corporate strategy and understanding of storage requirements which will provide direction to future asset provision. 11 November

13 APPENDIX: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT Internal controls It is the responsibility of Comhairle management to maintain adequate and effective financial systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to evaluate significant financial systems and associated internal controls and to report to the Audit Committee on the appropriateness of such systems and controls. In practice, we cannot examine every financial activity and accounting procedure and we cannot substitute for management s responsibility to maintain adequate systems of internal controls over financial systems. We therefore may not identify all the weaknesses that exist in that regard. Fraud and corruption The prime responsibility for the prevention and detection of fraud and irregularities rests with Comhairle management. They also have a duty to take reasonable steps to limit the opportunity for corrupt practices. It is our responsibility to review the adequacy of these arrangements, but our work does not remove the possibility that fraud, corruption or irregularity may have occurred and remained undetected. We nevertheless endeavour to plan our audit so that we have a reasonable expectation of detecting material fraud, but our examination should not be relied upon to disclose all such material frauds as may exist. 11 November