Internal Audit Report – Computer Recycling

DRAFT

Internal Audit Report: Computer Recycling

Document Details:
Reference: 2.7/2013.14
Senior Manager, Internal Audit & Assurance: ext. 6567
Engagement Manager: ext. 6572
Auditor: ext. 6244
Date: 4th August 2015

This report is not for reproduction, publication or disclosure by any means to unauthorised persons.

1. EXECUTIVE SUMMARY

1.1 INTRODUCTION
As part of the 2013/14 Internal Audit Plan an audit of computer recycling was carried
out.
It is important that appropriate processes are in place with regards to computer
recycling and that they are in line with agreed procedures.
Worcestershire County Council produces an appreciable amount of ICT waste each
year, mainly comprising PCs, laptops, printers and servers. The Council currently
replaces approximately 1000 PCs per year.
The equipment disposed of is normally 4 to 5 years old; the proportion of desk tops to
laptops is 50/50. The Council also disposes of a number of servers and these are
normally 4 to 8 years old.
The introduction of the Public Services Social Value Act 2012 requires Local Authorities
to consider how scarce resources are allocated and used. Social Value has been
defined as "A process whereby organisations meet their needs for goods, services,
works and utilities in a way that achieves value for money on a whole life basis in terms
of generating benefits to society and the economy, whilst minimising damage to the
environment."
The Council has entered into contracts to provide a disposal service for its obsolete ICT
equipment in accordance with the European Waste Electrical and Electronic Equipment
Directive (ICT WEEE) and has looked to contract with businesses that will provide
opportunities for people with learning disabilities in order to meet social value
requirements.
1.2 OVERALL OPINION
The audit work has identified a clear management commitment to ensuring that
personal data is disposed of in a secure manner. Whilst there are a number of good
practices in place, the concerns identified around procedures, contractual
arrangements and security have led to a limited assurance audit opinion.
Officers responsible for computer recycling were unable to provide copies of contracts
with either Lifestyles or Newstart for the recycling of the Council's computers.
There is a requirement to update procedural documents to reflect current procedures.
Consideration should also be given to a more detailed Asset Disposal Strategy that
addresses the process of IT asset disposal and personal data deletion.
The Council has a computerised inventory system. However, the system requires the
Business Support Assistant to manually update the status of computers at each stage
of the recycling process. There was evidence to suggest that the computerised
inventory is not updated on a timely basis. Moreover, computer recycling progress
sheets produced by recycling companies have not been checked and updated on the
inventory for three months at the time of audit testing. Consideration should be given to
whether there are more efficient and timely ways to process this information.
Computers are authorised for disposal by the Business Support Assistant. However,
the Business Support Assistant is not on the Directorate's scheme of delegation and is
therefore not authorised to release the computers to the recycling companies.
Examination of the Council's computerised inventory record revealed that 5 computers
that had been sent to Lifestyles for recycling, have been classed on the inventory as
missing. Full investigations should be undertaken into any missing computers.
The Council has not carried out any inspection of the companies who recycle the
Council's computers to ensure that they are operating in accordance with WEEE
standards.
Overall Audit Opinion (key to the four assurance levels):

Full assurance: Full assurance that the system of internal control meets the organisation's objectives and controls are consistently applied.

Significant assurance: Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk.

Limited assurance: Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in some of the areas reviewed.

No assurance: No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation's objectives in the area(s) reviewed.

Opinion given for this audit: Limited assurance (see 1.2).
2. SUMMARY OF CONCLUSIONS

2.1 The conclusion for each control objective evaluated as part of this audit was as follows. The original table marks each objective with one of four assurance levels (Full, Significant, Limited, None); the individual markings are not reproduced here.

CO1: Ensure that Policies and Procedures are available and appropriately approved.
CO2: Ensure that the disposal of computer equipment for recycling is in accordance with the approved policies and procedures.
CO3: Confirm the security of computer equipment prior to disposal and that all data has been fully removed.
CO4: Ensure that the disposal of computer equipment is in accordance with the contracted arrangements and the specified targets.
2.2 The recommendations arising from the review are ranked according to their level of
priority as detailed at the end of the report within the detailed audit findings.
Recommendations are also colour coded according to their level of priority with the
highest priorities highlighted in red, medium priorities in amber and lower priorities in
green. In addition, the detailed audit findings include columns for the management
response, the responsible officer and the time scale for implementation of all agreed
recommendations.
2.3 Where high recommendations are made within this report it would be expected that
they should be implemented within three months from the date of the report to ensure
that the major areas of risk have either been resolved or that mitigating controls have
been put in place and that medium and low recommendations will be implemented
within six and nine months respectively.
3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT
The following areas did not form part of this audit:
• The auditor only looked at a random sample of items processed on the inventory and did not carry out any checks on equipment that had been sent to the recycling companies.
4. ACKNOWLEDGEMENTS
Audit would like to thank all involved for their assistance during this review.
5. DETAILED AUDIT FINDINGS

Each finding is recorded under the columns of the original table: Ref., Priority, Findings, Risk Arising/Consequence, Recommendation, Management Response, and Responsibility and Timescale. The table's final column, Recommendation Implemented (Officer & Date), is blank for every finding.

CO1: Ensure that Policies and Procedures are available and appropriately approved.

Ref. 1, Priority: Medium
Findings: The Council has a computer recycling procedure. However, there is no indication of the date when this was written, reviewed or an expected review date. Appendix one refers to data removal. However, there no longer appears to be a requirement for this to be completed by staff as data removal is now carried out by the recycling companies.
Risk Arising/Consequence: The computer recycling procedures used by the Council are out of date and do not reflect the current controls and procedures within the Council.
Recommendation: The Council should review the current policies and procedures to ensure that they reflect the risks associated with redundant hardware recycling and ensure that data is cleansed to Government standards by the individual recycling companies. The procedures should be reviewed on a regular basis.
Management Response: Agreed that the current recycling processes are not incorporated into the Inventory Procedures that state actions and responsibilities during the lifecycle of ICT assets. This will need to be updated.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

Ref. 2, Priority: Medium
Findings: The computer recycling procedure only refers to one of the two recycling companies that the Council uses. There is no detailed Asset Disposal Strategy that addresses the process of IT asset disposal and personal data deletion.
Risk Arising/Consequence: If personal data is compromised during the disposal process, the Council may be responsible for breaching the Data Protection Act (DPA).
Recommendation: The Information Commissioner's Office has produced an IT asset disposal for organisations document. The Council should ensure that this is referred to when drafting a computer recycling procedure. This refers to various aspects including a consideration of how personal data will be disposed of, conducting a risk assessment of the disposal process and categorising personal data. There is also a requirement to identify devices containing personal data. Whilst a significant amount of data may be stored on laptops and PCs, there also needs to be consideration of other devices such as faxes, printers, servers, smartphones, tablets and USB backups or storage.
Management Response: The Council allows reasonable personal use of ICT equipment and services and there is opportunity for personal data to be found on the PC as copies of documents or emails. It is the responsibility of the user that they handle the personal data that may be present on their devices to be handled appropriately. This responsibility needs to be emphasised strongly via the computer usage policy.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

Ref. 3, Priority: High
Findings: Officers responsible for recycling could not provide copies of contracts with either of the current providers, Lifestyles or Newstart, for the recycling of computers.
Risk Arising/Consequence: There is a lack of a formal agreement between the Council and the recycling companies to determine individual responsibilities. Data may not be cleansed to Government standards. There is also a potential breach of the DPA.
Recommendation: The Council should ensure that there is a contract in place with individual recycling companies reflecting responsibilities regarding the recycling process. The contracts should include:
• explicit direction on the services to be undertaken and that it may only act in accordance with the Council's instructions;
• an approved specification for IT asset disposal which is aligned to the Council's disposal/security policy;
Management Response: S&CA will review the process to derive a formal agreement between WCC and the Recyclers.
Responsibility and Timescale: ICT Service Operations Manager and ICT Contracts Manager to derive a formal agreement that will cover a statement of responsibilities by end December 2014.

CO2: Ensure that the disposal of computer equipment for recycling is in accordance with the approved policies and procedures.

Ref. 4, Priority: High
Findings: The Business Support Assistant is responsible for authorising the disposal of the items of equipment recorded on the computer recycling sheets, which are then signed by a member of staff from the recycling company on collection of the equipment. The Business Support Assistant is not an authorised officer and is not on the Authority's Scheme of Delegation.
Risk Arising/Consequence: Computer equipment is being authorised to be recycled by a non-authorised member of staff.
Recommendation: The recycling of computer equipment should be approved by a senior member of staff in accordance with the Directorate's Scheme of Delegation. The Information Commissioner's Office recommends that there is an asset disposal champion with a sufficient level of authority.
Management Response: The recycling process will be changed to ensure that the scheme of delegation is not undermined. This role will have to be performed by senior members of the ICT management team. This will also add an extra layer of validation to those devices being recycled.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

Ref. 5, Priority: Medium
Findings: A sample of nine laptops and one tower PC held in the recycling cage were checked against the inventory. The nine laptops were still showing on the inventory as located with their previous user and had not been updated to reflect the current status.
Risk Arising/Consequence: The Council's inventory is not kept up to date.
Recommendation: When computers are placed in the recycling cage the inventory should be automatically updated to reflect the change in status.
Management Response: It would be good to provide automation for the recycling process. This automation is present when taking allocating stock. S&CA will investigate opportunities to provide that form of automation at the recycling stage. If automation is not possible, the manual update to inventory will be expedited.
Responsibility and Timescale: ICT Service Operations Manager to schedule a review of the automation process for recycling, and implement, by end of December 2014.

Ref. 6, Priority: Low
Findings: A Dell tower PC did not have a WCC sticker and the serial number could not be found on the asset register.
Risk Arising/Consequence: There is no audit trail back to the inventory.
Recommendation: All items placed in the recycling cages should have a WCC sticker so that the item can be traced through to the inventory.
Management Response: S&CA does not offer a service to recycle other user equipment; however, it sometimes does have non-WCC equipment presented to it for recycling (either personal or schools equipment). Where this is the case, there will not be a WCC sticker present, and therefore the item is not on the WCC inventory. This is invalid in the recycle process. Where such situations are found, S&CA will issue a WCC asset tag and associate the device on Hardware Inventory as 'not supported' and release it for recycling in the normal fashion.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

Ref. 7, Priority: Medium
Findings: The Council should receive reports from both recycling companies to show that the hard drives of recycled computers have been cleansed. However, at the time of the audit there was a backlog of three months of progress reports that had yet to be checked and processed on to the inventory.
Risk Arising/Consequence: There is a risk that items being sent for recycling might not have been recycled in line with the required standards and that the inventory is not kept up to date on a timely basis.
Recommendation: Progress reports should be checked and processed on a timely basis, thus ensuring that computers have been cleansed and recycled and the inventory record is accurate.
Management Response: S&CA will look to adopt automation to speed the otherwise paper-based process. Where the process will rely on manual processes, this will be expedited with greater time allocated for inventory updates.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

CO3: Confirm the security of computer equipment prior to disposal and that all data has been fully removed.

Ref. 8, Priority: High
Findings: For the sample of recycling forms viewed, one of the computers listed (Serial No G3BZM3J) was not received by the recycling firm. It is unclear at which stage of the process the computer went missing or the current location of the computer, as the status on the inventory is missing. The auditor was told that the Business Support Assistant will notify a senior member of staff that a computer has gone missing. Further research shows that a total of five notebooks sent to Lifestyles Recycling in the last year and a half have been classed as missing on the inventory. Following further discussions, the Service Delivery Manager found that one of the laptops was reissued. However, the other four still remain missing. One of the missing laptops had not been updated on the system as missing until nine months after the machine was due to be collected by Lifestyles. It is unclear if the delay in updating the system is with Lifestyles or, as previously mentioned in finding No 6, that the reports are not checked and processed against the records held on a timely basis.
Risk Arising/Consequence: Sensitive data may be accessed by an unauthorised user. There is a concern that potentially items may be mislaid or misappropriated. The inventory is not updated to reflect the current location of the laptop. There is a risk that items that go missing are not being investigated in a timely manner.
Recommendation: A full investigation should be undertaken in respect of any missing computers. When the computers are collected by the recycling company it is recommended that the computers are physically checked against the computer cage list by a member of the Council staff and a member of the recycling company to certify that the list is correct. The Council should confirm the current location of the laptop and update the inventory accordingly. It is important that the reports from the recycling companies are checked on a timely basis and that any missing computers are promptly brought to the attention of senior management so that they can be investigated.
Management Response: The existing recycling procedure should handle this correctly. What needs to change here is the timeliness of conducting the checks between what was taken by the recycling company and what they have said has been recycled, by reference to the certificates received back. A shorter time between recycling and checking will be implemented.
Responsibility and Timescale: ICT Service Operations Manager to update by end of November 2014.

Ref. 9, Priority: Low
Findings: It was noticed that the Lifestyles Computer Re-cycling progress sheets (CRPS) reports appear to have the Lifestyles I.T Technician's typescript signature and that these reports are emailed to the Council by a colleague of his at Lifestyles. It was also noticed that the progress sheets from Newstart are not signed, although they are emailed to the Council by the person who has carried out the checks.
Risk Arising/Consequence: There is a lack of assurance that all the work carried out on each computer has been completed by the I.T Technician, as the signature could be pasted on the documents by any member of staff within Lifestyles.
Recommendation: The Computer Re-cycling progress sheets should either be physically signed or emailed to the Authority by the I.T Technician to ensure that the work has been carried out as stated on the documents.
Management Response: S&CA will work with the recyclers to arrive at a process that gives a more verifiable process that each certificate is being handled appropriately, and signatures used in an automated process.
Responsibility and Timescale: ICT Service Operations Manager to update by end of December 2014.

CO4: Ensure that the disposal of computer equipment is in accordance with the contracted arrangements and the specified targets.

Ref. 10, Priority: Medium
Findings: The Council holds copies of various Environment Agency documents in regards to Lifestyles & Newstart. However, it was noticed that some of these had expired, an example being in respect of Overton whose waste management licence is dated 7th November 2008.
Risk Arising/Consequence: The Council has not checked to ensure that the companies have the correct Environment Agency documents in place for the recycling of computers in accordance with the WEEE Directive.
Recommendation: The Council should ensure that all Environment Agency documents are up to date and reviewed annually to ensure that the companies who are recycling the computers have the correct documentation in place. Reviews of documentation could be included in the current inspections of both Lifestyles and Newstart.
Management Response: Agreed, S&CA via the audit process will check for evidence that accreditations are current.
Responsibility and Timescale: ICT Service Operations Manager to update by end of December 2014.

Ref. 11, Priority: Medium
Findings: The Council carried out a tendering exercise in 2012 for the recycling of the Authority's computers. The tendering exercise was carried out by the Corporate Systems Manager who unfortunately no longer works for the Authority. It is unclear how the contract was awarded as there are no scoring sheets to support the evaluation process.
Risk Arising/Consequence: It is unclear how the tenders were scored and who was involved in the process. There is no protection to the Council in the event of any challenge over the process.
Recommendation: The Council should ensure that when a tendering exercise is carried out sufficient evidence is retained in accordance with the requirements of the County Council's Procurement Code.
Management Response: Evidence of the process is stored within files in CIMU, but no evidence exists on online files to substantiate the procurement exercise. S&CA will comply with the Council's Procurement Code.
Responsibility and Timescale: ICT Service Operations Manager with immediate effect.

Ref. 12, Priority: Medium
Findings: Since the audit commenced Systems & Customer Access has carried out an inspection of both Lifestyles and Newstart. However, it is unclear from the records held what testing was carried out and if a sample of computer equipment was inspected. Internal Audit have sought further clarification of the testing carried out.
Risk Arising/Consequence: It is unclear if the Council has carried out sufficient testing of a sample of computers to ensure that they have been cleansed and all data removed before being resold. The asset disposal company will be acting on the Council's behalf; the Council will be responsible under the DPA for what the provider does with any personal data contained on the devices that it is recycling. If the provider does not successfully delete personal data that is subsequently compromised, the Council may be responsible for the breach.
Recommendation: The Council should ensure that a sample of computers sent for recycling has been tested to ensure that computers have been cleansed in accordance with the procedure agreed.
Management Response: This will be included in the audit to ensure compliance. To execute this responsibility the audit will include evidence of the actual data cleanse process by watching the process and inspection of tools used. This should be as specified in their accreditation.
Responsibility and Timescale: ICT Service Operations Manager to update by end of December 2014.

Key to Priorities:
High: This is essential to provide satisfactory control of serious risk(s)
Medium: This is important to provide satisfactory control of risk
Low: This will improve internal control
Limitations relating to the Internal Auditor's work
The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the
extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls
which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control
environment.