Report to: Audit Committee
Date of meeting: 28 March 2025
By: Chief Finance Officer
Title: East Sussex County Council and East Sussex Pension Fund: IT Systems Audit Findings Report
Purpose: To inform the Audit Committee of the content of the Grant Thornton IT Audit Findings Report for East Sussex County Council (ESCC) and East Sussex Pension Fund (ESPF)
RECOMMENDATIONS:
The Audit Committee is recommended to note the content of the ESCC and ESPF: IT Systems Audit Findings Report.
________________________________________________________________________________________________________________________________________
1.1 Grant Thornton (GT), as the external auditors for ESCC and ESPF, undertake audit work for IT systems that are used to provide information included within the annual ESCC Statement of Accounts and the ESPF Annual Report. The latest IT Audit Findings report for the period ending 31 March 2024 is provided at Appendix 1.
2.1 The systems in scope for the audit were SAP (ESCC) and Altair (ESPF) and in completing the audit the following tasks were undertaken:
· Evaluated whether prior years’ recommendations from the 2022/23 audit had been addressed and remediated during 2023/24;
· Performed high-level walkthroughs, inspected supporting documents and analysed configurable controls;
· Documented test results and provided evidence of the findings to IT&D Teams for recommendation and remediation.
2.2 The overall assessment of IT General Controls per system was found to be:
· Altair: Amber – Non-significant deficiencies identified in IT controls relevant to the audit of financial statements/significant deficiencies identified but with sufficient mitigation of relevant risk. Within this overall rating, there were green ratings for Technology Infrastructure and Technology acquisition, development and maintenance, with an amber rating for Security Management.
· SAP: Red – Significant deficiencies identified in IT controls relevant to the audit of financial systems. Within this overall rating, there were amber ratings for Security Management and Technology Infrastructure, with a red rating for Technology acquisition, development and maintenance.
2.3 Section 4.1 of the audit report sets out a number of recommendations; all are amber rated apart from one, which is red. The red risk relates to an issue identified in the 2022/23 audit, whereby system users were identified with inappropriate access to an element of the production system. The report explains in more detail the risks associated with access, authorisation and segregation of duties and sets out a recommendation that management remove specific system access permanently from production. Management has responded that the violating roles have been remediated and that no users currently have the specific production system access to which the risk applies.
2.4 Management has provided responses to all recommendations, and GT has confirmed that it is satisfied these responses address the risk identified.
3.1 The Audit Committee is recommended to note the content of the ESCC and ESPF: IT Systems Audit Findings Report for the year ended 31 March 2024.
IAN GUTSELL
Chief Finance Officer
Contact Officer: Ian Gutsell, Chief Finance Officer
Tel. No: 01273 481399
Email: ian.gutsell@eastsussex.gov.uk
Local Member(s): All
Background Documents
None