What are the controls and the gaps of the following from an IT audit perspective:

The SSO Server is a single purpose server solely designed for SSO and resides in the internal network. Using a batch process, the vendor provides quarterly updates which are downloaded directly to the server and automatically installed by the servers single purpose operating system. Access to the SSO application is restricted to the security administration staff. The vendor maintains an active account on the server in the event maintenance is required. The vendor accesses the system periodically to review status and log activity to determine the servers capacity and to proactively look for concerns prior to problems arising. A replication copy of the SSO Server exists as a backup and automatically assumes primary role if the main server stops functioning.