The scope of our engagement focussed on a follow-up of the agreed management actions in three previous internal IT audit reports, issued pre-COVID, to determine the level of residual risk to which IT systems and data may still be exposed. We examined 26 different management actions and also raised additional, new queries. We identified a series of opportunities for controls improvement:
Contract Management: the absence of an IT procurement policy and processes was identified as a control gap, and we provided added-value advice on how to address this gap, including referencing Cabinet Office best practice guidance.
IT Strategy: the strategy was halfway through the delivery cycle, during which time the employee headcount had nearly doubled. As the strategy is a living document, we provided recommendations around opportunities to review it and ensure that the organisation remains fully aligned with the business objectives.
IT Asset register: we raised recommendations on strengthening the IT asset management process to ensure the register is fully maintained going forward. We provided advice on data clarity and consistency and linkages to other systems (general ledger, procurement system).
IT Backup & Recovery: documentation to support the backup and recovery of key IT systems and data was developed but not formalised and implemented (e.g. testing of backups and Internet failover). We advised on formalisation procedures and Standard Operating Procedure construction.
IT Policy documentation: we made recommendations around processes to ensure periodic refresh and review of documentation, and the subsequent rollout and staff awareness mechanism.