Draft report: 17 November 2023

Final report: 6 December 2023

Audit Objective

To review completeness and accuracy of HR data, and consistency across council systems.

Assurance Opinion

Reasonable

There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.

Number of Actions

| Priority | Joint | South | Vale | Reference |
| --- | --- | --- | --- | --- |
| Priority 1 | - | - | - | N/A |
| Priority 2 | 4 | - | - | 6 to 9 |
| Priority 3 | 5 | - | - | 1 to 5 |
| Total | 9 | - | - | Appendix 1 |

Key Risks Reviewed

· HR data is not being collected appropriately and used in line with the organisation’s privacy notices.

· Dependence on HR data across the organisation is not defined.

· Inaccuracies in HR data may result in budgetary anomalies, unauthorised systems access and approvals.

· HR data is not managed in line with privacy notices and data sharing agreements.

The audit scope included:

| Objective | Audit Scope |
| --- | --- |
| 1. Data collection | HR data is collected appropriately and in line with data protection arrangements. |
| 2. Data usage | HR data is being used appropriately and in line with the organisation’s privacy notices. |
| 3. Data mapping | Dependence on HR data is defined and transparent across the organisation. |
| 4. Data accuracy | HR data is accurately applied and regularly reconciled across data sets and systems. |
| 5. Data protection | HR data is managed in line with privacy notices and data sharing agreements across the organisation. |

Key Findings

Objective 1: Data collection

· Management of HR data relies on the accuracy of personal data manually entered onto separate council systems and monitored through various Excel spreadsheets, across recruitment, payroll, and general employee management and budgetary routines.

· Access to HR-related systems and monitoring spreadsheets may be achieved by numerous officers across both HR teams (HR Advisory and HR Payroll). This increases the risk of input error, duplication, and unintentional deletion of personal data; however, checks are in place to minimise this occurrence.

· HR data is initially obtained during the recruitment process within Hireful, the councils’ applicant tracking system, and further HR data is obtained during the onboarding process.

· Completed forms are retained within an electronic personnel file and used to create the new starter’s profile on ResourceLink, the payroll and employee management system. Personal details are manually entered onto the system and actions are monitored and checked by HR and Payroll through the ‘Payroll Actions Tracker’ (PAT). The PAT (an Excel spreadsheet) is used to manage and monitor all HR data changes across the organisation.

· Checks are in place to ensure that HR data across the recruitment and employee appointment process is reviewed and approved by senior management and Finance (confirming that accurate accounting and budgetary information is used). Changes to appointments (Job IDs, cost centres, and apportionment etc.) are updated in ResourceLink by HR and in Unit4 by Accountancy (GL codes).

Objective 2: Data usage

· HR data received by Finance (Accountancy) through the recruitment, new appointment, and contract variation process is checked against budgetary information on budget setting spreadsheets and on Unit4.

· Once a month, a starters, movers, and leavers (SML) report is generated by Payroll from the PAT data and is issued by internal email to a predefined distribution list. This information is used by service teams to manage system permissions and controls that sit outside of the HR team’s responsibility (including Microsoft 365, Unit4, LoneAlert, Ocella, and office security permissions etc.).

· Every other month, the HR team sends out a copy of the organisation’s establishment list by internal email (an Excel spreadsheet filtered to service area). Service managers and budget holders are required to conduct data accuracy checks and provide any staffing updates accordingly. Accuracy of the establishment list data relies on the service manager review.

· Review of establishment data is manual and involves input from over 30 service managers and HofS. This results in administrative effort, especially as review is sometimes late or non-existent. In June 2023, two responses were late and two service teams did not respond. In August 2023, three service team responses were not provided.

Objective 3: Data mapping

· We mapped the use of HR data across the organisation; see Appendix 3.

· We surveyed recipients of the SML report issued by Payroll every month. The SML report is generally used to manage and monitor access to service-specific systems. Service teams don’t validate or edit the source data. Data is mostly used monthly (on issue), and respondents felt that the report data is relevant to their needs. Access to the report data is restricted to original recipients or service teams (where a general service email address was used).

Objective 4: Data accuracy

· We identified that up to 12 manual processes, various systems, and different Excel spreadsheet/database reports are in place to support HR data management through recruitment, onboarding, budget management and employee termination, presenting an increased risk of manual errors or anomalies. There is an opportunity to implement synchronised automation of some system tasks, which may support a more efficient end-to-end process and less opportunity for errors.

· We identified anomalies across HR, Finance (Accountancy) and IT checks and approvals which may impact the integrity of HR data across the organisation. Differences were found between Unit4 system cost centres, apportionment, and post details and those on approved HR forms and finance budget reports, where changes had not been supported with evidence on file. IT systems access was found to still be active for a sample of leavers across general and service-specific systems across the organisation, and HR checks had not been evidenced on various forms to support completion.

· Accountancy review budget setting data as part of the annual budget setting process conducted from October to April; however, review of the Unit4 system against HR budgetary data (role IDs, cost centres/account codes and apportionment) is not regularly performed.

Objective 5: Data protection

· There is no privacy notice published for the use of employee data following appointment to the organisation.

· HR data (including personal employee information) is shared internally and externally; however, the use of such data is not defined or transparent to data subjects (employees), as required by GDPR.

· As part of the monthly payroll process, personal data is shared externally with Zellis, HMRC, and the OCC pension services team. Information is sent via email, and attached files are not encrypted or password protected.

· The joint master recruitment policy references the outdated data protection law (pre-2018) whereby data for unsuccessful applicants will be destroyed after six months, which also contradicts the HR privacy notice published on council websites in relation to employment applications (12 months).

· Data retention checks are not regularly performed across HR systems and files; consequently, data retention periods have been breached. We found leaver personnel files from 2014/15 (7-year retention period) and unsuccessful candidate information from 2012/13 on file (1-year retention period).