FINAL INTERNAL AUDIT REPORT
HR Document Management (IA 12 108/F)
Tricia Riley, HR Director
Audit Conclusion: Audit Closed
9 March 2015
Issue categories | Agreed actions | Satisfactorily addressed | Partially addressed | No longer applicable | Not addressed
Priority 1 | 13 | 12 | 1 | 0 | 0
Priority 2 | 3 | 3 | 0 | 0 | 0
Priority 3 | 0 | 0 | 0 | 0 | 0
CONTENTS
EXECUTIVE SUMMARY
STATUS OF AGREED ACTIONS
APPENDIX 1 – DISTRIBUTION LIST
Audit information
Version 1
Draft versions issued 1
Draft report issued 4 March 2015
Audit Manager Joe Palfreeman
Director of Internal Audit Clive Walker
EXECUTIVE SUMMARY
Objective
The objective of this audit was to review the effectiveness of controls over HR document management covering both paper and electronic documents.
Scope
The audit focused on the control environment in relation to the following key risk areas associated with the management of staff records and ‘personal’ data within HR:
- Policies and procedures including communication to the business
- Roles and responsibilities
- Delivering document retention, storage and retrieval requirements
- Review and disposal of documents
- Monitoring compliance with policies and procedures and following up any issues
Summary of findings
Our Interim Audit Report dated 4 July 2013, entitled HR Document Management, identified four Priority 1 issues and one Priority 2 issue, resulting in 16 agreed management actions.
The following issues were identified as being Priority 1:
- There is no strategy within HR for delivery of its responsibilities with regard to the Information and Records Management (IRM) policy
- There is a lack of local procedures and guidelines to advise staff on the management, storage and disposal of personal employee records
- Document management practices across HR operations are inconsistent and ineffective
- Records held electronically are not deleted once the statutory retention period has been reached, as required by the DPA and TfL’s Privacy and Data Protection Policy
We have now carried out a follow-up review and can confirm that 15 actions have been satisfactorily addressed and one is partially addressed. We are satisfied that activity is being taken to address the partially addressed action, and this will be followed up as part of our 2015 audit ‘Pan-TfL HR Documentation’. Accordingly, this audit is now closed.
STATUS OF AGREED ACTIONS
Ref | Agreed action | Owner and due date | Status
Priority 1 actions
1. Agree an overall owner with the HR Leadership Team for document management.
Lee Wise Complete
Satisfactorily addressed
The Director of Pensions and Reward is the owner on behalf of the HR Leadership Team.
2. Secure the HR Leadership Team’s agreement to establish an HR-wide network group to deliver HR’s responsibilities with regard to the IRM policy.
Lee Wise Complete
Satisfactorily addressed
The HR Leadership Team established a HR-wide network group.
3. Implement the HR-wide network group with representation from HR Services, HR Delivery and the Centres of Excellence.
Stephen Field / Lee Wise 26/07/13
Satisfactorily addressed
The network group had appropriate representation from across HR as well as the wider business including Information Governance. HR document management was taken forward as a project by the network group.
4. Develop a local HR Strategy that supports the overall IRM Policy taking into account the HRS document management project work carried out in 2009.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
A strategy that supports the overall IRM Policy and takes into account the HRS 2009 project was produced. The strategy was approved by the Director of Pensions and Reward and is available on the Sharepoint HR Document Management Support page.
5. Develop and implement an HR Disposal Schedule.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
The Employment and Pensions Disposal Schedule was updated by Information Governance with input from across HR. Each area of HR gathered data to review the relevant section of the schedule. The Schedule was approved by the Director of Pensions and Reward and is available on both the HR Sharepoint site and in the TfL Management System.
The schedule will undergo a formal review every two years with other updates made as and when required.
6. Develop processes and supporting documentation for employees and Line Managers that is easy to use and takes into account the Employment and Pensions disposal schedule and makes use of a draft Records Management Fact Sheet. The processes will be included in the TfL Management System.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
An HR Sharepoint Document Management Support site now supports document management within HR.
The site is easy to use and includes sections on the HR Disposal Schedule, HR Document Management Strategy, Line Manager Guidance, Information Governance Courses and the Core Staff File. There are also links to Information Governance fact sheets. The site reinforces the need for all HR staff to follow document management processes to comply with the Data Protection Act and references the Employment and Pensions Disposal Schedule as the key sign-posting document.
Details of core staff file requirements are reflected in the TfL Management System.
7. Develop and deliver communications and training to HR staff and Line Managers in support of the processes.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
Regular communications on document management activities were provided throughout the project by the HR Director, including an article in ‘HR News’.
Document management champions are embedded into each HR business area and provide support and training to HR staff as required.
Information and records management, and privacy and Data Protection have been added to the HR Leadership Team agenda for discussion on a half yearly basis to review and monitor compliance with document management.
8. Create a mechanism to be able to carry out regular on-going compliance checks to ensure HR staff and Line Managers are following the processes. Agree with the HR Leadership Team what these checks are and how regular they should be.
Stephen Field / Lee Wise 31/03/14 Extended to 30/11/14
Satisfactorily addressed
A four month amnesty was agreed by the Director of Pensions and Reward on behalf of the HR Leadership Team to allow HR staff to comply with the revised document management arrangements.
From August 2014 a requirement was introduced for HR Line Managers to undertake regular compliance checks within their business areas. Details of the checks are included in the HR Managers Quick Guide.
HR Leadership Team audit checks are also now carried out at random across HR on a six monthly basis. The first of these audits took place in December 2014 and a report was produced with appropriate actions to address identified weaknesses.
9. The HR Network Group will investigate the feasibility of holding staff records in one place and make a recommendation to the HR Leadership Team.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
The feasibility of holding staff records in one place was investigated but found to be not possible due to the different IT systems in use throughout HR. The Employment and Pensions Disposal Schedule will be used as the guide as to where staff records should be retained. This approach is endorsed by the HR Leadership Team.
10. HR will implement an interim process which will signpost where all staff file documentation is held pending the outcome of the feasibility review. This will be communicated to line managers and captured in the TfL Management System.
Stephen Field / Lee Wise 31/12/13
Satisfactorily addressed
The Employment and Pensions Disposal Schedule is the key point of reference for signposting where all staff file documentation is held.
This has been communicated to HR using the HR Sharepoint Document Management Support site and through ‘HR News’. The Disposal Schedule is available on the TfL Management System.
11. Signposting will be used on an on-going basis where different technologies mean it may not be possible to hold data in one place.
Stephen Field / Lee Wise
Satisfactorily addressed
See agreed action 10.
12. Work with IM to agree the rules around archiving and deletion on SAP R3, EiC, Taleo and Intrinsic. Rules will be documented and communicated to all staff with responsibility for maintaining personal records on these systems.
Stephen Field / Lee Wise 31/03/14
Partially addressed
HR undertook work to agree the rules around archiving and deletion in line with the Employment and Pensions Disposal Schedule requirements and this was agreed by the HR Leadership Team. A change request was submitted to IM to look into the feasibility of implementing archiving and deletion rules into HR systems.
This work was incorporated into the wider pan-TfL IM Enterprise Content Management (ECM) programme and the HR Pensions Manager assigned to the ECM steering group to ensure HR’s requirements were met.
However, ECM is now focusing on overall strategy and the technical roadmap, rather than implementing the specific needs of any particular business area. As a result a group has been established to take forward the archiving and deletion of HR data. Group membership is from HR, IM and Information Governance and the first stage of their activity will be to conduct a proof of concept. IA will follow up this work as part of the 2015 audit ‘Pan-TfL HR Documentation’.
13. A business case will be developed for automated archiving and deletion of personal records for consideration by the HR Director and Chief Information Officer.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
Priority 2 actions
14. Existing HR staff with responsibility for managing records and who have not completed the eLearning records management course will do so.
Stephen Field / Lee Wise 31/12/13
Satisfactorily addressed
All HR staff apart from those on maternity, career breaks and long term sick completed the three eLearning courses:
- My role in information and records management
- My role in information security
- My role in privacy and data protection
Those on leave are required to complete the training on their return to work.
15. All new HR staff will be required to complete the eLearning records management course on joining the function.
Stephen Field / Lee Wise 31/03/14
Satisfactorily addressed
A process is in place to ensure all new HR staff complete the three eLearning courses. A periodic report is sent via the SAP reporting team to identify new entrants or existing employees who have joined HR. These employees are contacted to complete the training within four weeks of starting in HR. HR monitors completion of the training and a reminder is sent if they do not complete all three modules within this timescale.
16. Develop any additional training required to ensure that staff are equipped to manage HR information and records relating to
Develop a roll out plan to ensure that staff with responsibilities for people-related records management complete this additional training.
Stephen Field / Lee Wise
Satisfactorily addressed
HR requires that its staff complete the eLearning courses at least once every three years. If there are updates to any of these
Governance recommends that refresher training for data protection and information security eLearning courses is completed annually and HR accepts the risk of not following this recommendation.
Following completion of this standard training we noted some weaknesses in document management responses to questions raised with the HR Help Desk suggesting there was a further training requirement in this area.
HR undertook specific coaching for the advisors that take 1729 HR Help Desk calls and Information Governance also attended advisor team meetings to reinforce document management knowledge. New advisors will also receive this coaching and refresher sessions will also be held on a six monthly basis. Document management requirements are also reinforced in role training for all staff with responsibilities for people-related records.
APPENDIX 1 – Distribution list
This report was sent to Tricia Riley, Director of Human Resources, by Clive Walker, Director of Internal Audit, and copied to:
Stephen Field, Director of Pensions and Reward
Kim Travers, Head of HR Service Delivery
Rebecca Crowther, HR Services Delivery Manager
Lee Wise, Staff Travel Manager
Hannah Delves, Head of HR Planning & Governance
Charlotte Johns, Recruitment Delivery Manager
Richard Bevins, Head of Information Governance
James Newman, Privacy and Data Protection Manager
Clare Cowling, Information & Records Manager
Kathy McMahon, IM SAP Functional Operations Manager
Caroline Kelly, as Key Risk Representative
Nigel Blore, Head of Group Insurance
Andrea Clarke, Director of TfL Legal
Andrew Pollins, Interim Chief Finance Officer
Howard Carter, General Counsel
Robert Brent, KPMG