The HSE estimates it has made savings of more than €20 million through streamlining its mobile device policies and billing arrangements.
An internal audit presented to management in June last year found, however, that the HSE did not have a single register of all mobile devices and there was a risk of them being issued without appropriate approval.
Device request forms were not standardised across all HSE regions, according to the report, released along with others under the Freedom of Information Act.
Deloitte, which carried out the examination for the HSE, said the controls in place to ensure the return of devices when users left the HSE were "ineffective" at the time of the audit.
The office of the chief information officer in the HSE accepted the findings of the audit team and said it would implement the recommendations in a timely manner.
In 2009, the HSE received 220,000 mobile-related invoices but there were now only 24 invoices generated nationally, a management comment on the report said. Savings made by the national mobile management team were over €20 million by the end of 2015, it said.
In January last year, the number of mobile devices issued by the health service stood at 24,950. This included 15,112 devices on the 3 network, 9,807 on the Vodafone network and 31 on the Eir network.
A separate audit of the HSE’s northeast region data centre in Kells, Co Meath, completed at the end of March 2016, found electronic fobs issued to visitors provided access to restricted areas.
“If a malicious person was to gain access to one of these fobs, they would have full access to restricted areas such as the data centre, which in turn may impact the availability, confidentiality and integrity of the data and systems hosted there,” the report said.
In addition, the back door leading to the car park was left unlocked during working hours.
Separately, a redacted audit of an unnamed section of the child and family agency Tusla revealed a high-level national risk in relation to the encryption of data.
Such a finding by the auditors means the issue poses a “key risk to Tusla and/or its service users and clients”, whether strategic, operational, financial or reputational. It signals “serious control weaknesses” which need to be addressed immediately.
Deloitte recommended a formal training programme in information security and data protection for all Tusla employees.
A separate report on Tusla found a register of children in foster care in the HSE southeast region did not adequately comply with the law.
Another redacted audit found a potential risk of unauthorised access to confidential payroll information on over 56,000 HSE employees in the east, northeast, south and west. The report in relation to the unnamed outsourced service was completed last February.