(a) That the report be accepted; and
(b) That Members are assured that the remedial actions identified on GDPR have and will, if implemented, address the control weaknesses identified.
The Internal Audit Manager presented the update on progress of the Internal Audit department including changes to the audit plan, action tracking and investigations. As requested at the recent facilitation workshop, an overview of audit assurances was now included within this report.
Since June 2018, three ‘Amber Red’ or ‘Some’ assurance opinions had been issued for Pension Administration, the Joint Corporate Procurement Unit and Payroll. Due to concerns from the Chair and Vice-Chair about outstanding actions on the latter, the Senior Manager, Human Resources & Organisational Development and Employment Services Manager were in attendance to provide a further update.
The Senior Manager gave assurance that good progress had been made on the actions since the report was produced. She explained that many of the actions consisted of multiple elements of which most had been completed and that the Payroll team had allowed for a period of testing to satisfy themselves that actions were robust and effective, before formally signing off. She went on to report on further improvements achieved by consolidating databases into one.
Sally Ellis explained that the concerns had arisen from some issues outstanding from the 2016/17 audit, particularly those with financial implications, and that it would be helpful for the Committee to be notified of completion dates. The Employment Services Manager advised that the two which remained outstanding related to documented procedures and performance indicators. Good progress had been made on both and the due date had been extended until the end of March 2019 to ensure that outcomes were acceptable for the next audit.
The Chief Executive spoke about significant workload implications in Payroll to deal with changes in recent years. He said that officers would agree on realistic completion dates and advise the Chair and Vice-Chair accordingly.
During the period, one ‘Red’ or ‘Limited’ assurance opinion had been issued for General Data Protection Regulations (GDPR). The audit had been undertaken in March 2018 in preparation for implementing the new regulations in May. The Senior Auditor summarised the aim of the new regulations on which compliance had been addressed through five work-streams. She gave assurance that implementation across the Council had been prioritised by Chief Officers and Senior Managers, with progress underway on action plans for each portfolio. A range of positive actions had been taken including the appointment of a dedicated Compliance Officer and the key role of the Information Governance team, together with extensive training and communications to the workforce. The overall audit opinion reflected the uncertainty in relying on third party suppliers to give assurance that their systems complied with GDPR.
The Chief Officer (Governance) provided an update on actions to address each of the audit findings, as set out in the separate report on the agenda. On the capability of externally provided software systems holding personal data to meet the obligations of GDPR, 61 were now either fully compliant or in the process of becoming so, whilst work was continuing on the remaining seven, which were viewed as low risk. Good progress was