Agenda item
TIAA internal audit partner and latest Internal Audit reports
- Meeting of Senedd Commission Audit and Risk Assurance Committee, Monday, 11 February 2019 10.00 (Item 4.)
Minutes:
Oral item - TIAA internal audit partner
4.1 The Committee welcomed Clive Fitzgerald from TIAA, the Commission’s co-sourced internal audit partner, to the meeting. For the benefit of the new Committee members, Clive provided some background to the company, which was the largest independent provider of internal audit, business assurance and counter-fraud in the country, covering a wide range of public sector organisations. Gareth described how the co-sourced arrangement works in practice, bringing in specific expertise and knowledge and protecting the independence of the internal audit function.
ACARAC (01-19) Paper 4 - Scheme of Delegation
4.2 The Committee commented that the substantial assurance was a positive reflection on the Finance Team’s engagement with budget holders and the maturity of the scheme of delegation. In response to questions around the levels of delegation, Nia Morgan described the increased sense of ownership and interest in budget management, partly as a result of allowing budget holders to set appropriate delegations in their areas.
ACARAC (01-19) Paper 5 - GDPR Compliance Follow Up
4.3 The Committee welcomed this follow-up review of assurances around GDPR compliance. Dave advised that a revised Data Protection Policy had been approved by Executive Board, and that an electronic staff training package would be ready for delivery in the coming weeks. This had been developed in-house as there was nothing commercially available which was suitable. The Commission agreed to consider how best to evidence receipt of this training.
4.4 The Commission were considering options for appointing a temporary Data Protection Officer to cover for maternity leave. Team resilience would be increased by training another member of staff.
4.5 The practical issues around data protection agreements for elected members were being discussed further at an inter-parliamentary forum at the end of February, and this could inform decisions around the Commission’s approach.
4.6 The Committee discussed testing the security of sensitive personal information held by the Commission and the role and importance of the Information Asset Registers and Registers of Personal Data. It was noted that the move to SharePoint as a document management system would provide further mitigation for information-related risks and that the forthcoming review of cyber-security would help to test the controls. It was agreed that Dave and Bob should consider this further.
4.7 Committee members asked for GDPR compliance to be reviewed at a future meeting.
4.8 The Committee asked for the issue of the data protection agreement with the HR/Payroll system provider to be re-visited, and suggested keeping the ICO informed.
ACARAC (01-19) Paper 6 – Payroll
4.9 The Committee asked for assurance that the recommendations from the previous audit had been implemented effectively. Gareth explained that the focus for this review was the systems in place, whereas the previous review had focused on data analytics, for which assurance was provided by the routine and thorough reviews carried out by the WAO when auditing the accounts. The effectiveness of data analytics was also discussed regularly at inter-parliamentary meetings. He also reported that inefficiencies around manual interventions for reconciliation had been eliminated as far as possible. The Committee asked to return to this issue at a future meeting.
Actions
– (4.3) Dave to share the electronic data protection staff training package with Independent Advisers.
– (4.6) Dave and Bob to discuss testing the controls around information security.
– (4.7) Clerking team to add GDPR compliance to the forward work programme.
– (4.8) Dave to provide an update on the data protection agreement with the HR/Payroll system provider at a future meeting.
– (4.9) Nia to provide an update on manual interventions for reconciliations for HR and finance data.