As of January last year, the HSE had 24,950 mobile devices in use, but a review of mobile device security found a risk of a lack of accountability and tracking of devices within the organisation. It also found that people leaving the HSE could keep devices unnoticed for a significant period of time.
“Based on the number and nature of findings identified, the auditors assessed the controls as inadequate,” the audit report said.
An audit of staff salaries for the primary care reimbursement service (PCRS) found two staff members who began employment during 2014 were incorrectly placed on the 6th and 5th points of the payscale instead of being placed on the 1st point of the scale, resulting in total salary overpayments of €21,024 by the end of August 2015.
Travel and subsistence claims were paid in respect of HSE staff who are not on the PCRS payroll in respect of services covered by the PCRS.
An audit of the ICT structure in a regional data centre in the northeast by Deloitte found that the back door leading to a car park was unlocked and that visitor fobs allowed unrestricted access to all parts of the building.
It said the newly commissioned centre in Kells, Co Meath, was “considered as the model for the next generation of regional data centres in the HSE” but identified six “high risks”, although the details were redacted.
Concerns were also raised about IT data protection controls within a facility operated by Tusla, and about issues relating to IT general controls at University Hospital Galway.
Another audit, this time on IT general controls over HSE payroll systems (outsourced to a redacted provider), identified 16 risks, including seven deemed high risk.