Report Summary
This report provides members of the Scottish Police Authority's Audit, Risk & Assurance Committee with an overview of the internal audit reports on the Grievance Process, IT General Controls and Best Value Readiness from the 2023/24 internal audit plan.
Meeting
The publication discussed was referenced in the meeting below
Audit, Risk and Assurance Committee - 9 May 2024
Date: 09 May 2024
Location: online
IT General Controls
Full report in Appendix B
Background:
• This report contains the findings from the IT General Controls (ITGC) review as part of the 2023-24 internal audit plan.
• The following areas were covered as part of the scope of this report:
IT Strategy and Governance
Physical Security of server environment(s)
User access, including user provisioning, leavers, privileged access management and password configuration standards
IT hardware and software asset management
Vulnerability management
IT change management
IT infrastructure performance and capacity management
Incident and problem management
Back-up and recovery procedures
Third Party Management.
Internal Audit Findings:
• Moderate assurance is provided on the design of IT general controls based on our assessment covering ten domains.
• The ‘Medium’ significance findings are related to:
A lack of periodic user access reviews;
Password policies for legacy systems require an assessment; and
Limitations impacting patch management.
Internal Summary of Findings of the Report
Significance    # of findings    # of agreed actions
High            0                0
Medium          3                7
Low             3                6
Total           6                13
SPA Considerations:
• SPA welcomes the findings of the audit which concludes there are ‘generally sound’ controls with some exceptions.
• All findings have been accepted and we note that in some cases the completion deadline is long, which can be partly related to the time required to implement IT-related changes.
• The 2024-25 internal audit plan includes a placeholder for a further IT-related audit. The findings of the general controls audit will be considered when scoping the next IT audit.