. Improvement is required in the risk assessment process as the risks raised at a strategic level are not clearly cascaded to the operational risk register for follow up action and monitoring. Furthermore, there was inadequate IT risk identification due to the IT governance framework still in the process of being finalized. . Leadership to intensify their efforts to finalize the appointment of the position of "Head of Internal Audit", a position that has been vacant for period exceeding eighteen months. . Transversal material misstatements corrected.