Oral item - TIAA internal audit partner
4.1 The Committee welcomed Clive Fitzgerald from TIAA, the Commission’s co-sourced internal audit partner, to the meeting. For the benefit of the new Committee members, Clive provided some background to the company, which was the largest independent provider of internal audit, business assurance and counter-fraud in the country, covering a wide range of public sector organisations. Gareth described how the co-sourced arrangement works in practice, bringing in specific expertise and knowledge and protecting the independence of the internal audit function.
ACARAC (01-19) Paper 4 - Scheme of Delegation
4.2 The Committee commented that the substantial assurance was a positive reflection on the work of the Finance Team’s engagement with budget holders and the maturity of the scheme of delegation. In response to questions around the levels of delegation, Nia Morgan described the increased sense of ownership and interest in budget management, partly as a result of allowing budget holders to set appropriate delegations in their areas.
ACARAC (01-19) Paper 5 - GDPR Compliance Follow Up
4.3 The Committee welcomed this follow-up review of assurances around GDPR compliance. Dave advised that a revised Data Protection Policy had been approved by Executive Board, and that an electronic staff training package would be ready for delivery in the coming weeks. This had been developed in-house as there was nothing commercially available which was suitable. The Commission agreed to consider how best to evidence receipt of this training.
4.4 The Commission were considering options for appointing a temporary Data Protection Officer to cover for maternity leave. Team resilience would be increased by training another member of staff.
4.5 The practical issues around data protection agreements for elected members was being discussed further at an inter-parliamentary forum at the end of February and this could inform decisions around the Commission’s approach.
4.6 The Committee discussed testing the security of sensitive personal information held by the Commission and the role and importance of the Information Asset Registers and Registers of Personal Data. It was noted that the move to SharePoint as a document management system would provide further mitigation for information-related risks and that the forthcoming review of cyber-security would help to test the controls. It was agreed that Dave and Bob should consider this further.
4.7 Committee members asked for GDPR compliance to be reviewed at a future meeting.
4.8 The Committee asked for the issue of the data protection agreement with the HR/Payroll system provider to be re-visited, and suggested keeping the ICO informed.
ACARAC (01-19) Paper 6 – Payroll
4.9 The Committee asked for assurance that the recommendations from the previous audit had been implemented effectively. Gareth explained that the focus for this review was around the systems in place whereas the previous review had focused on data analytics for which assurance is provided from the routine and thorough reviews by the WAO when auditing the accounts. The effectiveness of data analytics was also discussed regularly at inter-parliamentary meetings. He also reported that inefficiencies around manual interventions for reconciliation had been eliminated as far as possible. The Committee asked to return to this issue at a future meeting.
– (4.3) Dave to share the electronic data protection staff training package with Independent Advisers.
– (4.6) Dave and Bob to discuss testing the controls around information security.
– (4.7) Clerking team to add GDPR compliance to the forward work programme.
– (4.8) Dave to provide an update on the data protection agreement with the HR/Payroll system provider at a future meeting.
– (4.9) Nia to provide an update on manual interventions for reconciliations for HR and finance data.