Police Scotland IT unit 'understaffed and undertrained'
Public spending watchdog's report finds 'significant risk' of data breach.
Police Scotland's technology department is understaffed and could lack appropriate safeguards against data breaches and IT disasters, the public spending watchdog has warned.
Audit Scotland has identified multiple challenges and services which "may be exposed to significant risk" in Police Scotland's information and communications technology (ICT) department.
The department has "a lack of available capacity and capability of suitably skilled resource" with "skill deficiencies in certain areas", it found.
Staff do not have "comprehensive knowledge" of all systems, meaning records could be deliberately or accidentally lost - an offence which carries the penalty of a £500,000 fine.
The force also has no system to track the cost of cyber attacks, it found.
Audit Scotland said the department delivers a "good quality service" but added that "at a time of financial austerity there is both the necessity to rationalise and the challenge to invest in new technological solutions".
Management have agreed to develop an improvement plan to address these challenges.
The ICT department relies on contractors for key projects but this creates a risk of over-reliance on external parties, can add to cost, and limits the development of in-house knowledge, Audit Scotland said.
Police Scotland recently received Cabinet Office accreditation to access the Public Services Network, which allows public bodies to share data throughout the UK.
Audit Scotland said the ICT department may not have appropriate measures to prevent records being lost or removed.
It said: "The ICT department acknowledges that they do not currently have a comprehensive knowledge of all software, physical or information assets across the estate due to numerous historic records of varying degrees of accuracy.
"As a result, the ICT department may not be aware of all business critical information resources and may not have the most appropriate measures in place to protect them against deliberate or accidental loss."
Auditors found "no structured approach to increase and maintain staff awareness of good information security procedures and practices".
Police Scotland has dealt with a number of cyber attacks, including a disruption of its public websites and "a selection of client-based malware attacks".
Auditors found the ICT department is taking appropriate action to mitigate these risks but "cost does not seem to feature in the risk assessment".
The Police Scotland ICT Strategy is still in its draft stages following the cancellation of a £40m i6 contract with Accenture, which is not considered in the report.
The report also does not address the call centre reforms instigated by the deaths of John Yuill and Lamara Bell in a crash on the M9 last July, auditors said.
Martin Leven, director of ICT at Police Scotland, said: "The overall conclusion of the whole report was that ICT provides a good level of support to the service and it has identified a number of areas which we are working on to ensure we can continue to demonstrate and deliver continual progress.
"We are absolutely committed to improving the ICT infrastructure across Police Scotland, moving away from a network of legacy systems to solutions which will allow officers and staff to more effectively carry out their duties and introducing innovation to streamline what we do and how we do it, to keep communities safe."