IT Risk Assessment Action Plan. South Staffordshire District Council Audit 2010/11

The Audit Commission is a public corporation set up in 1983 to protect the public purse. The Commission appoints auditors to councils, NHS bodies (excluding NHS Foundation trusts), police authorities and other local public services in England, and oversees their work. The auditors we appoint are either Audit Commission employees (our in-house Audit Practice) or one of the private audit firms. Our Audit Practice also audits NHS foundation trusts under separate arrangements.

We also help public bodies manage the financial challenges they face by providing authoritative, unbiased, evidence-based analysis and advice.

Contents

- Introduction and background
- Conclusion
- Appendix 1 IT Weaknesses Identified and Management Response
  - IT weaknesses identified and management response

Audit Commission IT Risk Assessment Action Plan

Introduction and background

1 As part of our 2010/11 annual accounts planning work we undertake a review and assessment of the Council's IT control environment. The purpose of this review was to assess the extent to which we can rely on automated IT controls in order to provide assurance on the year end accounts.

2 Our 2010/11 assessment highlighted some weaknesses in IT controls which we reported to the Audit Committee in our External Opinion Plan in June. These were:

- Lack of IT security policy and corporate password standard (although IT security policy imminent).
- Weaknesses in password controls, number of administrator accounts and management of user accounts as previously reported by internal audit (if IA follow up work finds no improvement).
- Remote access for some suppliers is on a permanent basis to allow support during implementation of new system and there is therefore no control over access. This should be reviewed and appropriate restrictions placed on access for all suppliers.
- Although the authority have undertaken desktop exercises for disaster recovery, there has been no full DR test yet.
- There has been a major new system implemented during the year without a change control policy in place and no post implementation review conducted as yet.

We have now obtained agreement with the Council's I.C.T. Services Manager on the action that will be taken to address these weaknesses. Details are set out on the attached appendix.

Conclusion

We are satisfied that appropriate action is being taken to address the IT weaknesses noted.

Appendix 1 IT Weaknesses Identified and Management Response

IT weaknesses identified and management response

ITRA issue noted: Lack of IT security policy and corporate password standard (although IT security policy imminent).
IA recommendation already made? Password security best practice should be detailed in the IT security policy and made available to all staff.
Management response: Agreed to implement Internal Audit recommendation by August

ITRA issue noted: Weaknesses in password controls, number of administrator accounts and management of user accounts as previously reported by internal audit (if IA follow up work finds no improvement).
IA recommendation already made? Password security best practice should be detailed in the IT security policy and made available to all staff.
Management response: Agreed to implement Internal Audit recommendation by August

ITRA issue noted: Remote access for some suppliers is on a permanent basis to allow support during implementation of new system and there is therefore no control over access. This should be reviewed and appropriate restrictions placed on access for all suppliers.
Management response: There are 3 suppliers with permanent access. All other connections are switched off and third parties must request access to be granted to enter the system. Where this is in place for the 3 suppliers this is due to operational requirements for the systems. The access is limited to only the essential areas required for maintenance of that particular system. The suppliers always request permission before entering the system but have requested that the connection is left for out of hours maintenance.

ITRA issue noted: Although the authority have undertaken desktop exercises for disaster recovery, there has been no full DR test yet.
Management response: A DR exercise is planned for later this year. In addition we are implementing a new IT DR system using virtualized technologies and this will provide immediate full system recovery capability.

ITRA issue noted: There has been a major new system implemented during the year without a change control policy in place and no post implementation review conducted as yet.
Management response: A change control system is now in place. The project is now coming to a close and a post implementation review is being undertaken by a third party at the moment.