a) While NSFAS has implemented back up procedures, there is currently no review or testing of the back-ups. b) Control weaknesses have been identified with the logical access controls within the IT environment and these include user access rights reviews which are not performed. c) There is no password authentication to gain access into certain applications and super user activity reviews are not performed. d) No IT steering committee has been established to assist the board with governance of IT.