The department implemented our recommendation to establish a formalized IT risk and control framework—see below.
FINDINGS AND RECOMMENDATIONS
Matters from prior-year audits
IT risk assessment and IT control framework (Solicitor General)—implemented
Our audit findings
In October 2008 we reported that the Department of Solicitor General and Public Security did not have a formalized information technology control framework to identify and mitigate IT risks and improve its controls over information technology.1 The department was one of nine organizations that received this recommendation.
We determined that the department has defined the necessary steps and documented the process it will follow to identify technology risks, evaluate their impacts on the business and document the treatment strategies for the identified risks. There is an IT risk registry that identifies the business services affected, and a foundation of control policies and procedures has been defined for critical systems in the department.
The department has established a formalized IT risk and control framework to assess its technology risks and to design and implement the controls required to mitigate the identified risks.
There are no outstanding recommendations to the Department of Justice and Solicitor General.