Appendix C: Post opening observations
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XX | X | XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX |
| XXXX XXXX XXXX XXXX XXXX XXXX XXX | X | XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXX |
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX X | X | XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XX |
| Adequate segregation of duties. | ✖ | The post dispatch staff are involved in the post opening operation. |
| XXXX XXXX XXXX XXXX XXX | X | XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XX |
| Restriction of personal belongings permitted in post opening area. | ✖ | There is no restriction of personal belongings being taken into the post room. |
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX X | X | XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXX |
| Post is date stamped. | ✔ | Post is date stamped on post opening. Our extensive sampling of casework has only revealed one document that was not date stamped. |
| Post is opened on receipt and dispatched to addressee. | ✔ | Post is opened and sorted into pigeon holes for dispatch to the relevant council department. |
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX | X | XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XX |
| Original documents stamped as 'original seen' and returned to claimant. | ✔ | Original documents are registered in a valuables book, copied and returned to claimants by the Scanning team. |
| Items of value recorded immediately, countersigned and passed securely to cashier after post opening. | ✖ | Items of value are not recorded on post opening. Valuables are recorded by Scanning team staff after the post is collected. |
| Valuables register kept securely. | ✔ | The valuables register is kept in a locked drawer in the scanning room. |
| Secure procedure for handling returned HB cheques. | ✖ | Returned HB cheques are not opened but are collected by the Fraud Support Officer. |
| Cheques are cancelled immediately on receipt. | ✖ | Returned HB cheques are not cancelled on receipt but are passed to the Benefit Fraud team. |
| Cheques are passed by hand to cashier immediately after post opening. | ✖ | HB cheques are referred to fraud immediately after opening. |
| Recorded and registered posts are recorded. | ✔ | Post received at reception is in locked box. It is taken twice daily to the scanning room, where it is then opened by 2 Scanning section staff. Valuables are recorded in valuables book. Returned cheques sent straight to Fraud. |
| Post received in the mail box at reception is collected securely. | ✔ | The 2 post dispatch staff, plus at least 2 staff from various council departments on a rota basis, are involved in post opening. |
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Is a daily log of staff involved in post opening kept. | ✖ | A log has recently been introduced to record the names of officers opening post. However, the post dispatch officers' names are not recorded in this book. The log does not record officers entering or leaving the post room during post opening. |
| Are original documents verified as authentic photocopy and the photocopies stamped as original seen. | ✔ | Original documents are verified by Scanning staff and stamped as original seen and signed. |
| Is there a post opening procedure manual. | ✖ | There is a recently produced document covering the collection of the HB post. However, there are no documented procedures for the Finance Division post opening operation. |
| Does the local authority have assurance that post is distributed to the right person or section. | ✔ | Few problems with misdirected mail are reported. |
| Are monthly management checks on post opening procedures carried out. | ✖ | A management check on the new HB post collection procedures has been undertaken, but there is no routine management check of the Finance Division post opening operation. |
| Is there a programme to review post opening procedures. | ✖ | The procedures around collection of HB post have been reviewed. Changes to procedures have been implemented, such as the log of staff opening post. However, there is no regular review of the wider Finance Division post opening operation. |
Source: Performance Standards and BFI observation
Comparison of Rhondda Cynon Taf’s performance against key IT controls
| Control and objective | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Existence of information security policy | | |
| To ensure that management provides direction and support for information security. | ✖ | Policy exists but is over 4 years old. Audit Commission in Wales (District Audit) recommended in October 2001 that the authority updates its policy and obtains Cabinet approval. Draft policy completed. IT officer confirmed that the adoption of this policy has not yet been agreed and that this was overdue. |
| Allocation of security responsibilities | | |
| To allocate explicit individual responsibility for the protection of information and other assets. | ✖ | We were told that different officers are responsible for security of the benefits IT system and document image processing system, but no documentation detailing officers’ responsibilities was provided. |
| Information security education and training | | |
| To ensure that users are aware of security threats and are able to support the policy. Security procedures should be explained to users so that they are correctly followed. | ✖ | Audit Commission in Wales (District Audit) recommended in October 2001 that the authority’s information security policy is made available on the intranet and that it is drawn to the attention of all staff. Draft policy states that it is personnel’s role to include information security in induction courses and job descriptions. Staff handbook does not include data on security information. Policy neither agreed nor posted on intranet. No guidance issued to staff. |
| Reporting of security incidents | | |
| To provide a process where incidents affecting security are reported as quickly as possible so that any damage is limited. Such incidents should be monitored and analysed so that lessons are learnt and the effectiveness of security controls can be re-evaluated if necessary. | ✖ | Procedure is that benefits IT system incidents are reported to Principal Benefits Officers. No forms or formal recording were in place. |
| Control and objective | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Virus controls | | |
| To safeguard the integrity of software and data. Virus detection and prevention measures and user awareness procedures should be implemented. | ✖ | Virus controls on all personal computers. Users interviewed were not aware of any formal anti-virus procedures. |
| Business continuity planning process | | |
| To ensure that appropriate recovery plans are in place to protect against any interruptions to normal business processes and to recover business-critical activities quickly. | ✔ | Business continuity plans in place. Contracts held with a business continuity company for recovery of key systems. No contract for document image processing system yet, but this will be explored with the existing business continuity company. |
| Control of proprietary copying | | |
| To safeguard important records from loss, destruction and falsification. | ✔ | Departmental managers are responsible for ensuring that licences are held for all software packages in use. |
| Safeguarding of organisation’s records | | |
| To safeguard important records from loss, destruction and falsification. | ✔ | IT department responsible for the storage of information and systems accepted as part of the Rhondda Cynon Taf network. This means IT department are responsible for back ups. Managers are responsible for back up of standalone systems. |
| Compliance with duties of confidentiality and data protection | | |
| To ensure compliance with data protection legislation. | ✔ | Data Protection officer is in post and is in contact with Welsh local authorities ‘Data Protection Officers’ Group’. |
| Compliance with security policy and standards | | |
| To ensure continuing compliance with the organisation’s policy and standards. | ✖ | Audit Commission in Wales (District Audit) completed a review against good practice in 1998 and follow-up review undertaken in October 2001. |
Source: BFI analysis
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Access control policy | | |
| Requirements for user access to systems should be defined and documented. | ✔ | Policy states that staff only allowed access to appropriate levels of data. Staff are allocated a user group of between 1 and 9 depending on their duties. There is no detailed written policy of the appropriate allocation of user groups. |
| XXXX XXXX XXXX | | |
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XX | X | XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX |
| XXXX XXXX XXXX XXXX | | |
| XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX | X | XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX |
| Review of user access rights | | |
| Users' access capabilities (including privileges) should be regularly reviewed. | ✖ | Access rights reviewed twice in recent months due to merger with Community Housing Division. But no formal review procedure. |
| User password management | | |
| Allocation of user passwords should be controlled by a formal management process. | ✔ | Policy states that all system passwords will be prompted for change at regular intervals. Assessors confirm that passwords required and system prompts for new password every 30 days. |
| Password use | | |
| Users should be advised to follow good practice in selection and use of passwords. | ✔ | Memo issued about a year ago. |
| Unattended equipment | | |
| Unattended equipment should be protected from unauthorised access or usage. For example, active sessions should be terminated unless they can be controlled by a system lock or time-out. | ✖ | Memo said to have been issued following internal audit criticism last year. However, no evidence of this was provided. The benefits IT system automatically timed out if no activity. |
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| User identifiers | | |
| All computer activities should be traceable to individuals. | ✔ | Benefits IT system holds audit trail for all user activity. |
Source: BFI analysis
Rhondda Cynon Taf’s compliance with document image processing good practice
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Provide a comprehensive list of document types for indexing. | ✔ | 98 different document types are used. |
| Monitor the progress of scanned documents allocated to individual members of staff. | ✔ | Supervisors have the ability to check any work scanned on the system. |
| Routing indexed documents to specific members of staff or teams. | ✔ | The system is set up to route documents direct to supervisors who then allocate work to individual processors. |
| Being able to significantly magnify chosen areas of the document, such as the signature for close scrutiny. | ✔ | The system allows magnification of documents. |
| Providing a split screen facility, so that 2 documents can be readily compared at the push of a button. | ✔ | A split screen facility is provided and is used by staff. |
| Being able to easily produce high quality hard copies of images. | ✔ | High quality hard copies of documents can be produced locally. |
| Identify high priority documents, such as extended payment claims and can allocate different timescales for dealing with different types of documents. | ✔ | The system is set up to flag documents at pre-set intervals, set according to priority. |
| Automatically alerts staff to documents due for action or overdue. | ✔ | Overdue documents are indicated to staff. |
| Producing colour images, in addition to black and white. | ✖ | This facility is available but is not used. Rhondda told us this was due to cost considerations. |
| If documents are stored on disk, having disks stored carefully in conditions which minimise the risk of degradation. | ✔ | Documents are saved on to a server. |
| Good practice | Met by the authority? ✔/✖ | BFI comment |
|---|---|---|
| Classifying documents in terms of priority, security level and urgency for input. | ✖ | No sorting or prioritisation of documents is undertaken before scanning. |
| Scanning documents into the system on the day of receipt. If this is not possible, they should be scanned as soon as possible on the next working day. Ensuring that scanned images cannot be amended or altered by users. | ✔ ✔ | Staff aim to input documents on the day of receipt, but depending on the volume of work, this may not be achieved until the following day. |
| Having sufficient staff with responsibility for scanning documents who are sufficiently fraud aware to be able to identify and intercept suspect documents. | ✔ | Scanning staff have had training in identification of original documents. |
Source: BFI analysis

