IT General Controls

Full report in Appendix B

Background:
• This report contains the findings from the IT General Controls (ITGC) review as part of the 2023-24 internal audit plan.
• The following areas were covered as part of the scope of this report:
IT Strategy and Governance
Physical Security of server environment(s)
User access, including user provisioning, leavers, privileged access management and password configuration standards
IT hardware and software asset management
Vulnerability management
IT change management
IT infrastructure performance and capacity management
Incident and problem management
Back-up and recovery procedures
Third Party Management.

Internal Audit Findings:
• Moderate assurance is provided on the design of IT general controls based on our assessment covering ten domains
• The ‘Medium’ significance findings are related to:
A lack of periodic user access reviews;
Password policies for legacy systems require an assessment; and
Limitations impacting patch management.

Internal Summary of Findings of the Report
SUMMARY OF FINDINGS # OF AGREED ACTIONS
High 0 0
Medium 3 7
Low 3 6
TOTAL NUMBER OF FINDINGS: 6 13

SPA Considerations:
• SPA welcomes the findings of the audit which concludes there are ‘generally sound’ controls with some exceptions.
• All findings have been accepted and we note that in some cases the completion deadline is long which can be partly related to the time require to implement IT related changes.
• The 2024-25 internal audit plan includes a place holder for a further IT related audit. The findings of the general controls audit will be considered when scoping the next IT audit.