The municipality failed to implement appropriate risk management activities to ensure that regular assessments, including consideration of IT risks and fraud prevention, were conducted and that a risk strategy to address the risks were developed and monitored.