Archived decisions
Audit No / Ref |
Recommendation |
Priority (1=Low, 2=Med, 3=High) |
Post responsible |
SMT |
Comments |
Action Date |
Follow up |
Date Closed | |||||||||||||||||
DATABASES 2006/07 | |||||||||||||||||||||||||
3.7 |
We recommend that logging is switched on where the function is available to do this to maintain an adequate audit trail. |
2 |
Network Project Manager |
Director of Corporate Services |
Agreed. A review of databases will be carried out and logging switched on where possible and appropriate. |
29/06/2007 |
Mar 2007 |
04/07/2007 | |||||||||||||||||
SECURITY & PASSWORD CONTROLS 2003/04 | |||||||||||||||||||||||||
3.11 |
Consideration should be given to the removal of Revelation in favour of SAP for higher security. |
3 |
IT Manager |
Director of Corporate Services |
Part of ICT Strategy. 12/10/05 PRT Note: Revelation not yet completely phased out due to delays in new system development. Now targeted for April 2006. 18/11/05 PRT Note: A future action date to be agreed with Internal Audit.
05/01/06 PRT Note: New action date of May 06 agreed by Internal Audit. 05/06/06 PRT Note: New action date agreed by Internal Audit of Sept 06. 12/12/06 and 4/01/07: ICT Manager confirmed Rev is being phased out, but work not yet complete |
Mar 2005 Sept 2005 May 2006 Sept 2006 |
11/10/2005 28/04/2006 05/06/2006 04/01/2007 12/02/2007 20/04/2007 26/07/2007 |
31/07/2007 | |||||||||||||||||
Performance Review Team note - 7/02/2007 - Work is underway to implement the replacement for Revelation. The current target date for this is the end of March 2007. Performance Review Team note - 20/04/2007 - Further slippage on the timescales is a cause for concern. The current target date is June 2007. Performance Review Team note - 26/07/2007; Access to Revelation has been reduced to a handful of key staff for archive purposes. It is no longer being updated but serves only as an archive of historical records. | |||||||||||||||||||||||||
SECURITY & PASSWORD CONTROLS 2006/07 | |||||||||||||||||||||||||
3.3 |
A date for the phase out of Revelation must be stated and adhered to, or tools to enable monitoring of access to personal data held there implemented and used. If Revelation is not phased out by June 2007 then a monitoring tool and procedures should be implemented. |
2 |
ICT Manager |
Director of Corporate Services |
It is accepted that the time taken to resolve this issue is unacceptable and the issue has been escalated to the Directors Group. The primary reason for the delay in phasing out the use of the 'Revelation' database has been the continuing reliance placed on it to feed key personnel data to the main training database system. Also, there are some 'data cleansing' issues to be resolved. These will be progressed as a matter of urgency and additional resources allocated to ensure that the SAP system becomes the primary feeder system of personnel data. |
June 2007 |
27/04/2007 07/06/07 26/07/2007 |
31/07/2007 | |||||||||||||||||
Performance Review Team note 26/07/2007; Access to Revelation has been reduced to a handful of key staff for archive purposes. It is no longer being updated but serves only as an archive of historical records. | |||||||||||||||||||||||||
3.7 |
Consideration should be given to including an appendix on acceptable use of the internet to service order SO/2/8/1/6. |
1 |
Help Desk Supervisor |
Director of Corporate Services / Head of Finance & Office Services |
Appendix K of SO/2/8/1/6 will be amended to include use of the internet. Staff changes necessitate new action date |
May 2007 31/07/07 |
27/04/2007 05/06/07 |
5/06/2007 | |||||||||||||||||
SECURITY & PASSWORD CONTROLS 2006/07 (continued) | |||||||||||||||||||||||||
3.6 |
The existence and location of the policy must be promoted to users to ensure they are aware of their responsibilities or can find them. |
2 |
Help Desk Supervisor IT Technician |
Director of Corporate Services |
Information Services, via Help Desk will be running a series of promotions alerting users to the IS User Policy. These promotions will be varied in their style to capture as many users as possible. Other initiatives already underway include a poster campaign re computer virus protection. A web based newsletter is being developed to promote security and password control (due for rollout 31.06.07) |
June 2007 |
27/04/2007 05/06/07 26/07/2007 |
26/07/2007 | |||||||||||||||||
Performance Review Team note 25/05/2007 - A link has been inserted from the Service Order SO/2/6/1/6 to the policy, and a poster campaign has been used to promote the policy to users logging in from home using their 'Passport'. Plans are in place to advertise further using the help desk. Performance Review Team note 26/07/2007 - The Corporate Services section of the revamped newsletter is being used on a regular basis to remind users of Information Security Policy and good ICT practice generally. | |||||||||||||||||||||||||
3.8 |
Job descriptions for senior IT management should include reference to any responsibilities for maintaining the security of IT systems. |
1 |
ICT Manager |
Director of Corporate Services |
JDs recently updated as part of Hay evaluation exercise. |
30/09/2007 |
27/07/2007 |
27/07/2007 | |||||||||||||||||
3.12 |
We recommend that job description documentation should use the same titles as those in SAP, all staff must have one attached to them or their role. These should be reviewed at least annually to ensure it reflects current responsibilities and even if no changes are made the date of this review should be noted. |
2 |
ICT Manager |
Director of Corporate Services |
ICT Manager working on this. New Personal Development Review systems now require review of job descriptions as part of the annual review process |
30/06/2007 |
20/04/07 27/07/2007 |
27/07/2007 | |||||||||||||||||
3.5 |
We recommend that the manual list showing authorised officers and limits is updated and agreed with SAP to ensure SAP controls are correct. |
2 |
Financial Services Manager |
Head of Finance & Office Services |
Financial Services plan to review the authorised signatory list by March 2007. |
Mar 2007 Amended to 30/06/2007 |
Feb 2007 19/04/2007 05/06/07 |
29/06/2007 | |||||||||||||||||
URBAN SEARCH AND RESCUE TEAM 2006/07 | |||||||||||||||||||||||||
3.5 |
Regular three monthly reports should be prepared by the Group Manager setting out the achievements of the Team during the previous period, together with future developments and proposed timescales for implementation. |
2 |
Group Manager USAR |
Director of Strategic Projects and Specialist Response |
Regular report to be prepared by the Group Manager |
31/3/07 Amended to 30/07/2007 |
24/04/2007 |
07/08/2007 | |||||||||||||||||
Performance Review Team note: 15/05/2007 - A quarterly meeting of the Strategic Projects and Specialist Response Strategy Group will be held from June 2007. The Group Manager will report to these meetings. | |||||||||||||||||||||||||
TRAVEL AND SUBSISTENCE 2005/06 | |||||||||||||||||||||||||
3.6 |
The list of authorised personnel should be kept up to date to reduce the risk of unauthorised officers signing the claim forms. |
2 |
Financial Services Manager |
Head of Finance & Office Services |
Following the restructuring of uniformed posts into groups and the review of petty cash processes Financial Services has reviewed the authorised signatory list which covers the significant authorisations: petty cash, overtime, orders etc. In the future, SAP will allow electronic input of travel claims which will automatically be routed to the line manager. |
March 2007 Amended to 30/06/2007 |
Feb 2007 19/04/2007 |
29/06/2007 | |||||||||||||||||
HUMAN RESOURCES 2006/07 | |||||||||||||||||||||||||
3.13 |
A new starters checklist should be prepared (in a similar format to that used for leavers) to make sure that all procedures have been completed and evidenced. |
2 |
Action HR Managers (Workforce Support + Planning) |
Director of HR |
A new starter's checklist was done by Deputy Head of HR and issued to the HR Operations team. Both new teams have team members who are aware of this. The Workforce Planning and Support team have now reviewed this jointly and adapted to meet both teams' needs. The importance of the need to utilise this will be pointed out again. The HR Managers (Workforce Planning and Support) will review the checklist after 6 months. |
In place |
04/07/2007 |
04/07/2007 | |||||||||||||||||
3.15 |
The two missing files should be located and a tracking system introduced for personnel files. |
2 |
Employee Relations Manager |
Director of HR |
Tracking system for personal files. This does exist and employees will be reminded of the need for this. |
Sept 2007 |
29/06/2007 |
24/06/2007 | |||||||||||||||||
3.23 |
In order to ensure that the short listing and interview processes are adequately evidenced, interviewers should sign and date the appropriate documentation. |
2 |
HR Managers (Workforce Support and Planning) |
Director of HR |
Agreed. Team members will be reminded of need. Although providing all interview panel members sign one copy of the notes, this is sufficient. |
Ongoing |
04/07/2007 |
04/07/2007 | |||||||||||||||||
HUMAN RESOURCES 2006/07 (continued) | |||||||||||||||||||||||||
3.4 |
When workflows are reviewed in the light of operational experience, consideration should be given for contracts (together with all supporting information) to be issued by Workforce Planning before the file is handed to Workforce Support for input of employment details into the payroll system. |
2 |
Deputy Head of HR Workforce Planning Manager |
Director of HR |
Once the new RDS application process is in place (anticipate Sept 2007), the contract production for RDS will pass to the Workforce Support team. This means that Workforce Planning will recruit and then pass information to Workforce Support to prepare and issue contract. |
Sept 2007 |
29/08/2007 |
29/08/2007 | |||||||||||||||||
Performance Review Team note 29/08/2007: All data entry onto SAP is now transferred from HR Workforce Planning to Workforce Support. Three Workforce Planning Team members currently retain 'write' access for occasions where they are required to assist. These people should not input details of contracts that they have administered and a check will be instigated to ensure that this access is only made when required. | |||||||||||||||||||||||||
PAYROLL 2005/06 | |||||||||||||||||||||||||
3.16 |
As previously recommended, the Human Resources department should be provided with a current list of authorised officers, which indicates the duties they are authorised to approve and the list kept up to date. |
2 |
Human Resources Operations Manager |
Head of Human Resources |
The Finance Department are now producing an up to date list of the authorised signatories. |
30/06/2006 amended to Mar 2007 Amended to 30/06/2007 |
Feb 2007 19/04/2007 05/06/07 |
29/06/2007 | |||||||||||||||||
PAYROLL 2006/07 | |||||||||||||||||||||||||
3.6.1 |
All contracts should be properly authorised and signed by the employee |
1 |
N/A |
N/A |
This point has been covered at least in one previous audit. Under employment legislation an employee is deemed to have accepted their contract of employment if they turn up to work and undertake their duties. Non-signers are chased up at least once but as stated above the non signing has no impact on the employment relationship unless they are in dispute which is of course managed via other means. |
N/A |
N/A |
N/A | |||||||||||||||||
3.6.2 |
Consideration should be given to placing responsibility for the authorisation of contracts to senior managerial positions in HR. |
2 |
N/A |
N/A |
Checking of work by team members has been integral to the working of teams in HR. This is to engender a culture of employment as previous arrangements led to an over reliance on managers to check and pick up errors. Checking and double-checking within teams has led to improvements in efficiency and we believe this is an acceptable process and risk. |
N/A |
N/A |
N/A | |||||||||||||||||
PAYROLL 2006/07 (continued) | |||||||||||||||||||||||||
3.8 |
The mandatory termination form should be used in all cases by line managers, and this requirement should again be reinforced throughout the Service. |
1 |
HR Officer (Workforce Support) |
Director of HR |
A termination form has been in place for some years and team members have been reminded of the need to obtain this. A SAP termination process is also in place and was reviewed as part of the audit recommendations. All Managers and employees will be reminded of the need to use this. |
July 2007 |
29/06/2007 |
29/06/2007 | |||||||||||||||||
3.18.1 |
The list of authorised officers for the whole Service should be completed as soon as possible and distributed to relevant officers. |
2 |
Financial Services Manager |
The list of authorised officers is being actioned by the Finance Department. |
June 2007 |
N/A |
29/06/2007 | ||||||||||||||||||
3.7 |
The Manager and Supervisor should agree and document the selective testing to be undertaken on a monthly basis, having regard to the underlying risks, and to ensure that all checks carried out are adequately evidenced. |
3 |
HR Manager + HR Officer (Workforce Support) |
Agreed. |
July 2007 Extended to 1/09/2009 |
4/07/2007 27/07/2007 |
7/08/2007 | ||||||||||||||||||
3.10 |
All changes to the pay details of members of HR should form part of the selective checking criteria and access to SAP should be controlled. |
3 |
HR Manager + HR Officer (Workforce Planning) |
Agreed |
July 2007 |
27/07/2007 |
7/08/2007 | ||||||||||||||||||
PAYROLL 2006/07 (continued) | |||||||||||||||||||||||||
3.18.2 |
Once completed, Workforce Support should, having regard to the risks involved and other compensating controls, assess how in practice the list could be used to manage the risks associated with authorisation of data input requests. This assessment should be conducted at the same time as the review of the selective checking of input data is carried out. |
2 |
HR Manager (Workforce Support) |
Authorised signatory list has been updated. HR Workforce Support Manager will implement, work force will amend workflow to incorporate random checking. |
July 2007 |
27/07/2007 |
7/08/2007 | ||||||||||||||||||
3.9 |
Members of the Workforce Planning team should not update the SAP payroll system, which should be the responsibility of Workforce Support, who are then in a position to maintain better control and oversight of the payroll function. |
3 |
Deputy Head of HR |
Director of HR |
Currently the Workforce Planning team set up new RDS starters. The issue and associated SAP payroll input will be reviewed and you will be advised of our decision in due course. I have discussed this and agreed with the Workforce Planning Manager that, once the RDS new application process is in place (anticipated September 2007), Workforce Planning will relinquish SAP input for RDS along with contract production and pass this over to Workforce Support. |
Sept 2007 |
29/08/2007 |
29/08/2007 | |||||||||||||||||
Performance Review Team note: 29/08/2007: All data entry onto SAP is now transferred from HR Workforce Planning to Workforce Support. Three Workforce Planning Team members currently retain 'write' access for occasions where they are required to assist. These people should not input details of contracts that they have administered and a check will be instigated to ensure that this access is only made when required. | |||||||||||||||||||||||||
FOLLOW UP AUDIT - TEMPORARY, CASUAL AND AGENCY STAFF 2004/05 | |||||||||||||||||||||||||
3.14 |
Tendering procedures to be followed if expenditure is expected to exceed £5000 to comply with Standing Orders on Contracts. |
2 |
HR Operations Manager |
Head of Community Safety |
Agreed. Specific timeframe unknown at present. 06/06/2006 - PRT Note: Action will be taken to resolve this action point by 30/09/2006. A new action date has been requested and received from Internal Audit. |
March 2006 amended to Quarter 3 2006/07 |
04/04/2006 19/05/2006 02/10/2006 02/02/2007 |
31/08/2007 | |||||||||||||||||
12/02/2007 - Performance Review Team note: A meeting has been held with Hampshire County Council (HCC) to discuss the use of their contract for the procurement of temporary and casual staff. This could potentially save resources on tendering. The current framework in place at HCC expires in July 2007 with an option to extend until the end of the financial year 2008/09. The proposal is that Hampshire Fire and Rescue would pilot the use of the contract for a year. Currently, the Head of Workforce Planning is analysing the costs of using this contract against current and historic costs. A decision will be made on the way forward by Human Resources Planning Group in March 2007. 23/05/2007 - Performance Review Team note: HR Policy Group approved the proposal to 'pilot' the existing HCC framework arrangement for a period of 12 months and then look at the results that HCC obtain from a full tendering process in 2008/9. Additional information was requested in relation to the diversity of agency staff and costings, and this work is being progressed. Formal sign off on this item is anticipated in June 2007. 05/06/2007 - Performance Review Team note: Process being formalised with contractor. Anticipate sign off in June 2007. 02/08/2007 - Performance Review Team note: Contract to be signed for one-year period from October 2007. | |||||||||||||||||||||||||
TRAVEL AND SUBSISTENCE 2005/06 | |||||||||||||||||||||||||
3.23 |
Human Resources should continue to develop management information that will highlight trends in mileage carried out in private vehicles and review the policy on essential/ leased car users to ensure value for money is being achieved. |
2 |
Deputy Head of Human Resources |
Head of Human Resources |
HR is undertaking a project to review pay and rewards. This may highlight the need to review arrangements for essential/lease car users. Requirement for Workforce management information has been noted, but is not a priority activity at this time. |
Review requirements in September 2007 |
24/07/2007 |
06/08/2007 | |||||||||||||||||
02/08/2007 - Performance Review Team note: Travel and subsistence expenditure is being monitored by SMT via monthly budget monitoring reports. The expenditure is not directly under the control of one individual because departmental, training and operational requirements have a bearing on the expenditure. | |||||||||||||||||||||||||
HARDLEY FIRE STATION 2006/07 | |||||||||||||||||||||||||
3.19 |
A quarterly reconciliation to the bank account should be recorded and agreed to the balance in the cash book. In addition, a record of funds held by the Treasurer at his home should be documented and annually an independent person should review the club accounts and verify the records are complete and accurate. |
2 |
Crew, Watch Managers and Treasurer |
Head of Finance & Office Services |
The quarterly reconciliation will be carried out. The Treasurer will provide the documented evidence of funds held at home. An independent person will review and verify accounting records at the end of the next financial year. All petty cash is now reconciled at SHQ. |
30/07/2006 31/03/2007 |
N/A 13/04/2007 |
20/07/2006 31/05/2007 | |||||||||||||||||
Performance Review Team note 25/05/2007 - Accounts are currently undergoing independent review. This item will be closed once the review is complete. Performance Review Team note: 28/07/2007 - Independent review has been carried out. | |||||||||||||||||||||||||
CAPITAL CONTRACTS 2006/07 | |||||||||||||||||||||||||
3.8 |
We recommend that at the next revision of the Service Level Agreement between the HFRA and PBRS, the procedure for the authorisation of payments in excess of the minor payments limit of £15,000 is specified, to avoid potential disputes over large payments. |
2 |
Director of Corporate Services |
Director of Corporate Services |
Agreed. We will seek to incorporate this recommendation in the next formal review of the SLA. In the meantime, we will ask for PBRS to inform our key contacts that this is now an expectation. |
1/06/2007 |
29/06/2007 |
29/06/2007 | |||||||||||||||||
IT NETWORKS 2007/08 | |||||||||||||||||||||||||
3.3 |
We recommend that the 'Aims and Key Objectives' section of the 'Purpose and Aims' section of the Business Plan is updated to include resilience and security of the network to deliver ICT to the Authority. |
1 |
Information Services Manager |
Director of Corporate Services |
Agreed. Business plan updated. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
3.4 |
We recommend that the title of Network Project Manager is changed to something which is appropriate for the current role of the person concerned. |
1 |
Information Services Manager |
Director of Corporate Services |
Agreed. The job title has now been changed to Business Intelligence Manager. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
3.6 |
We recommend that guidance should be issued to staff on the process for reporting potential security incidents. These should be logged by the Helpdesk on the Quetzel system under a unique category so that they can be easily identified and accessed. |
1 |
IT Engineer |
Director of Corporate Services |
Agreed and actioned. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
IT NETWORKS 2007/08 (continued) | |||||||||||||||||||||||||
3.9 |
We recommend that there should be an annual risk assessment review to establish whether there are any new threats to the network or known risks have increased. |
1 |
IT Engineer |
Director of Corporate Services |
Agreed. We will take stock of the total security of the network as an on-going process. HFRS network is reviewed for potential risks as part of the network management and development process to protect and keep the network up-to-date. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
3.14 |
We recommend that the Information Services staff access is reviewed at least annually. |
1 |
IT Engineer |
Director of Corporate Services |
Agreed and actioned. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
3.15 |
We recommend that the testing records for the generator and UPS should be independently checked by the Information Services Manager to ensure that the tests have been properly recorded and undertaken each month. |
1 |
Information Services Manager |
Director of Corporate Services |
Agreed. The log will be checked and initialled by the ICT Manager or the Helpdesk Supervisor on a monthly basis. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
IT NETWORKS 2007/08 (continued) | |||||||||||||||||||||||||
3.18 |
We recommend that the process for backing up of configuration files is formalised so that it is done every three months and is documented to confirm that the backups have been taken. |
1 |
IT Engineer |
Director of Corporate Services |
Agreed. Helpdesk will issue a reminder to the network team to back up all the configurations of devices used by the network such as routers. Once the backup is done, Helpdesk will record and close the task. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
3.19 |
We recommend that a plan is drawn up to test the recovery of the network to establishments by means of a "walkthrough" or desktop exercise on a regular basis to ensure that both staff are familiar with the process and also adequate documentation is available to enable recovery to be achieved. |
2 |
IT Engineer |
Director of Corporate Services |
Agreed. An annual walkthrough of the business continuity plan will be scheduled and recorded. Helpdesk will manage this process in line with the quarterly updates of the business continuity plan. |
Immediate |
N/A |
9/08/2007 | |||||||||||||||||
CORPORATE GOVERNANCE 2005/06 | |||||||||||||||||||||||||
3.41 |
We recommend that a comprehensive list is maintained of all partnership arrangements in place, which should be reported to Service Management Team. |
2 |
Performance Review Team Manager |
Director of Corporate Services |
The outcomes of the Best Value Review of our partnership arrangements are due to be presented to the Authority in September 2006. This will include the future use of a 'checklist' of good practice to determine the robustness of partnership arrangements. This will assist in determining which of our numerous collaborative initiatives with other organisations constitute genuine 'partnerships'. |
April 2007 amended to 31st July 2007 Amended to 31/10/2007 |
June 2007 |
3/09/2007 | |||||||||||||||||
Performance Review Team note 21/05/2007: All partnership arrangements are currently being reviewed against the Partnership Policy and template. Once this work is complete the definitive list of partnerships will be reported to Service Management Team. Performance Review Team note 14/08/2007: A list of partnerships was reported to SMT on 3rd September 2007. | |||||||||||||||||||||||||