IT Audit and Controls

Introduction to IT Audit and Controls

An audit report on information systems is provided for analysis. The objective of our report is to understand the audit scope and analyse the findings in the different processes and functions of the ICT business. The key areas of the report are:

  • To identify the scope and focus of the audit
  • To analyse the audit findings in the IT systems of:
    1. RAMS of the Western Australian Government
    2. Horizon Power
    3. Pensioner Rebate Scheme and Exchange department
    4. New Land Registry office
  • To list the professional, ethical and legal responsibilities of an IT auditor

Audit Focus and Scope

Every audit aims to provide audit observations, but the most important part of auditing is first to define the scope of the audit so that the audit team can focus on the main objective. As per the case study, although there are various business applications, all of them equally important, the Western Australian audit team defined the focus and scope as:

  1. Recruitment Advertisement Management System (RAMS) – Public Sector Commission
  2. Advanced Metering Infrastructure of Horizon Power
  3. Pensioner Rebate Scheme and Exchange under the Office of State Revenue
  4. NLR (New Land Register) – Western Australian Land Information Authority

The main focus of the audit team was in the areas of:

  1. Policies and procedures, to see that they are appropriate and support reliable processing of information
  2. Safety and security of sensitive information, to ensure its integrity and confidentiality
  3. Accuracy and completeness of data input
  4. A recovery and backup plan being in place in the event of a disaster
  5. Accuracy and completeness of data output reports
  6. Data processing being timely and as intended
  7. Proper segregation of duties, responsibility and authority among staff
  8. Availability of audit trails or logs to see the transaction history
  9. Maintenance of master files, interface control and data preparation on a regular and timely basis

Analysis of audit findings in the Recruitment Advertisement Management System of the Western Australia Government

Western Australian Government entities use the Recruitment Advertisement Management System (RAMS) to manage the recruitment and deployment of staff and to record details of severance. The software contains highly sensitive information about candidates and staff.

RAMS has successfully facilitated a number of recruitment processes since its implementation in 2003, but as per the auditors there was still scope for improvement, and their findings were in line with this assumption.

The Commission operates under a Software as a Service (SaaS) contract arrangement and is responsible for monitoring delivery as per the arrangement below, which assigns security responsibility for each layer to the entity, the vendor, or both:

  • Governance – Entity
  • Data – Entity and Vendor
  • Runtime – Vendor
  • Middleware – Vendor
  • Operating System – Vendor
  • Virtualisation – Vendor
  • Servers – Vendor
  • Storage – Vendor
  • Network – Vendor
  • Data Centres – Vendor

Key Audit Findings

As audited by the team, the observation is that the Commission does not have adequate assurance over vendor controls; it has also not obtained any independent assurance from its key vendors that information security controls are operating effectively. As a result, the Commission has no assurance that the information in RAMS is protected so as to ensure its confidentiality, integrity and availability. The audit team identified the following control deficiencies:

  • Unsupported software – Outdated software increases the risk of attackers using known vulnerabilities to gain access to sensitive information and disrupt systems. One component had not had software updates applied that could fix known security vulnerabilities, and some software components used by the application are no longer supported by their vendors.
  • Disaster recovery not tested – Not a single full disaster recovery test has been performed by the vendor since 2015, so the Commission cannot be certain that the application could be recovered.
  • Outdated technical documentation – The Commission cannot be certain whether appropriate controls are in place to protect the application, because the technical documentation describing the application does not reflect the current application environment.

All of this shows that there is a risk to business continuity planning, and that poor user access management creates a potential threat to sensitive personal information.

Analysis of Audit Finding – Horizon Power

Introduction

The Regional Power Corporation (Horizon Power) uses an Advanced Metering Infrastructure (AMI), which was audited with a focus on the applications Horizon Power uses to trade, monitor and record bills for electricity consumption. The applications store sensitive personal and client information such as customer names, addresses, dates of birth and the locations where electricity meters are installed.

The purpose of the AMI system is to collect and store electricity consumption data and communicate it to Horizon's other business systems. Inadequacies in contractor access management and background checks put the integrity and confidentiality of the information it holds at high risk, so improved network and database security controls are necessary to strengthen the system's integrity.

Key Audit findings of Horizon Power

Horizon has a good process for detecting and remedying errors in billed consumption, including a process to detect and remedy high-value data errors in consumption readings before bills are issued. Advanced meters with network access record consumption readings on a daily basis. An accounts manager reviews variances in consumption readings and initiates corrective action on bills before they are issued to commercial customers, with the corrective action recorded in the Velocity system. In 2017-2018 it corrected errors with a value of $1.43 billion. These comprised an error of $1.42 billion for one customer and $8.5 million for other commercial customers. The $1.42 billion error arose from a manual reading of the customer's meter.

Inadequate human resource security and contractor access management

The audit found that criminal history checks are not part of Horizon's human resources policies and processes: new staff who have privileged access to critical power infrastructure and systems are employed without criminal background checks, and no background checks are initiated for regular key staff. Although the recruitment process includes checks of qualifications and references and medical tests, it does not include criminal background verification. The auditors identified this as a high risk requiring immediate action.

System information is at risk of errors and unintentional disclosure

Horizon depends on manual forms to record important meter installation information before it is stored in the application. This increases the risk of inaccurate information being entered into the application manually. Horizon advised that a process is in place to validate the data entered from the forms into the application, but it is not clear whether this process is followed, owing to shortages of documentation. If a data validation process is not followed consistently, data errors will go unnoticed, which could affect the integrity of the information. The forms carry sensitive information such as property addresses and meter configuration details, including IP addresses, and an instance was found of a Horizon staff member using a private email account to transmit such sensitive information to Horizon. Horizon could improve the confidentiality and integrity of its information by implementing processes to collect data electronically.

There is significant scope to improve the security of the network and electronic records

Its network and database security controls are not fully protecting the confidentiality, integrity and availability of information. The audit findings are as follows:

Inappropriate configuration of the network firewall – The firewall that separates the AMI network from Horizon's main corporate network was not configured properly, which increases the risk of cyber attacks and of unauthorised access to its key systems; Horizon has started addressing these issues. The firewall software was also found to be outdated: software updates that are vital for security and fix known vulnerabilities had not been installed, which affected the firewall's performance and left the network vulnerable to exploitation. Horizon has started to update all of its software.

Database security is weak – Several weaknesses were found in the AMI database that compromise the confidentiality and integrity of the information it holds.

Network access accounts are not well managed – A highly privileged 'Administrator' account was found whose password had not been changed; such privileged accounts are frequently targeted by attackers because they allow high levels of access. Access for former contractors and staff had not been disabled: from the samples tested, 16 network access accounts belonged to 9 former staff and contractors, and three of these could access ICT systems remotely. Inadequate controls of this kind increase the risk of unauthorised access to the entire network.

Weak web server configuration – An external vulnerability assessment found the security of the 'My Account' web portal weak in several ways, which increases the risk of unauthorised access or unintentional disclosure of information. The assessment identified:

  • the use of a legacy security protocol with known vulnerabilities
  • the use of encryption algorithms that are weak and compromised
  • default application settings that could be susceptible to cyber attacks

Lack of a logging and event monitoring policy – There is no formal event monitoring and activity logging policy, which leads to inconsistency in monitoring and in identifying potential problems and ongoing attempts to compromise systems and information. Horizon does have processes to capture application and system transactions and activity, but a formal monitoring policy would strengthen this control.

Analysis of Audit Findings – Pensioner Rebate Scheme and Exchange Departments

Inadequate user access control and reviews

The auditors found that State Revenue does not regularly review PRS and PRX user accounts, which has resulted in an excessive number of privileged users. Most of these accounts were found to be unused and a few were dormant. This clearly shows that there is scope for improvement in this area.

A large number of users have access to unprotected sensitive information

It was found that 60 users have full access, which increases the risk of unauthorised access and modification or of fraudulent activity, whether intentional or unintentional. The audit found various discrepancies in the system and process:

  • The payment file is stored in plain text
  • Nobody would detect a change to the payment file
  • Pensioner files are shared on a network share
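Two of the findings above, a plain-text payment file on a network share and no detection of changes to it, can be addressed by sealing the approved file with a keyed hash at authorisation time and verifying it before the payment run. The Python below is an added example, not code from the audit report or from State Revenue; the file layout, field names and key handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample payment file (hypothetical columns, not the real PRS/PRX format).
APPROVED_FILE = (
    "pensioner_id,account,amount\n"
    "P1001,123-456,250.00\n"
    "P1002,123-789,250.00\n"
)


def seal_payment_file(contents: str, key: bytes) -> str:
    """Return a hex HMAC-SHA256 tag computed when the file is authorised.

    The key must be held by the authorising officer (or an HSM/secret store),
    never on the same network share as the file: anyone who can edit the file
    and also read the key could simply re-seal their own version.
    """
    return hmac.new(key, contents.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_payment_file(contents: str, key: bytes, tag: str) -> bool:
    """Recompute the tag immediately before the payment run.

    compare_digest is constant-time, so the check itself leaks nothing about
    how many leading characters of the tag matched.
    """
    expected = seal_payment_file(contents, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show the control catching a silently edited payment line."""
    key = secrets.token_bytes(32)  # generated per run here; real key lives outside the share
    tag = seal_payment_file(APPROVED_FILE, key)
    # Someone with write access to the share changes an account and amount.
    tampered = APPROVED_FILE.replace("P1002,123-789,250.00", "P1002,999-999,2500.00")
    return {
        "original_ok": verify_payment_file(APPROVED_FILE, key, tag),
        "tampered_ok": verify_payment_file(tampered, key, tag),
        # A tag sealed with a different key must not verify either.
        "wrong_key_ok": verify_payment_file(APPROVED_FILE, secrets.token_bytes(32), tag),
    }


if __name__ == "__main__":
    print(demo())
```

The seal detects modification but does not make the file confidential; the plain-text finding still needs encryption at rest or a restricted location.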

Easy-to-guess database passwords – It was identified that the databases have easy-to-guess passwords, creating a data security threat, a clear violation of cyber law and a major data breach and hacking risk.

Segregation of duties – This is also missing in the process, which again creates a security threat, as the same person was performing the end-to-end process, both processing and authorising. This may lead to fraudulent and incorrect payments.

The system does not log changes to sensitive information, which the auditors found to be a major deficiency in the system.

System activity is not adequately monitored or recorded – State Revenue also has no policy or procedure to proactively control and monitor security threats, which is a high security risk. The auditors found 600 vulnerabilities on different workstations, in unsupported and third-party applications, which should be unacceptable.

The auditors have also made many recommendations for improving the IT systems in the areas they identified, e.g. timely patching of software, which reduces the risk of potential attacks, and checking the effectiveness of the disaster recovery mechanism through a mock drill or any other way management may decide.

Audit Findings of the New Land Registry

The New Land Registry is used by the Western Australian Land Information Authority (Landgate), one of the oldest entities managed by the state. The NLR application is developed and maintained under an outsourced ICT arrangement by a co-owned third-party vendor.

Key Findings:

  • Land information changes not reviewed: Landgate stopped reviewing the accuracy of transactions in 2016, so the auditors took a random sample to check transaction accuracy and found that 2 of 8 land transactions had title changes made without proper delegation. This shows a loophole and a major risk area in the process.
  • Weak and inadequate user access control: The auditors found that the system is at risk of unauthorised access, and information can be changed without appropriate authorisation and control. The weaknesses are in the following areas:
    1. Inadequate segregation of duties: 2 staff members were given enough access and privileges to perform end-to-end title transactions, putting the whole system at high risk, breaching the law and enabling fraudulent activity.
    2. Excessive user access rights: 7 users had "Assistant Registrar" rights, which is against their role in the system and against the law as well.
    3. Irregular user access reviews
  • Lack of external network penetration testing: Without this testing, threats to the system may go undetected. Landgate has not performed any such test since the system went live, which creates the further risk that the effectiveness of this control is unknown.
  • Credit card data is at risk of exposure
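The access-management findings at Horizon Power (former staff and contractor accounts left enabled, an Administrator password never changed), at State Revenue (unused and dormant privileged PRS/PRX users) and at Landgate (rights beyond a user's role, irregular access reviews) are all the kind of thing a periodic access review is meant to catch. The Python below is an added example, not code from the audit report or from any of the audited entities; the account fields, the position-to-role mapping, the thresholds and the sample data are all assumptions.

```python
from datetime import date

DORMANT_DAYS = 90            # no login for longer than this => dormant
MAX_PASSWORD_AGE_DAYS = 180  # privileged passwords must be rotated at least this often

# Hypothetical mapping of job position to the roles it may hold
# (not Landgate's or State Revenue's real role model).
ALLOWED_ROLES = {
    "registrar": {"assistant_registrar", "viewer"},
    "clerk": {"viewer"},
    "contractor": {"viewer"},
    "sysadmin": {"administrator"},
}

# Constructed sample account export (not real data).
ACCOUNTS = [
    {"user": "a.smith", "position": "registrar", "role": "assistant_registrar",
     "last_login": "2020-07-10", "pw_changed": "2020-05-01", "employed": True, "remote": False},
    {"user": "b.jones", "position": "clerk", "role": "assistant_registrar",
     "last_login": "2020-06-01", "pw_changed": "2020-06-01", "employed": True, "remote": False},
    {"user": "c.wu", "position": "clerk", "role": "viewer",
     "last_login": "2019-11-02", "pw_changed": "2019-11-02", "employed": True, "remote": True},
    {"user": "d.lee", "position": "contractor", "role": "viewer",
     "last_login": "2020-05-20", "pw_changed": "2020-01-15", "employed": False, "remote": True},
    {"user": "administrator", "position": "sysadmin", "role": "administrator",
     "last_login": "2020-07-15", "pw_changed": "2018-01-01", "employed": True, "remote": True},
]


def review_accounts(accounts, today_iso):
    """Return [(user, [issues])] for every account the review should flag."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        issues = []
        if not acct["employed"]:
            issues.append("departed staff/contractor account still enabled")
        days_idle = (today - date.fromisoformat(acct["last_login"])).days
        if days_idle > DORMANT_DAYS:
            issues.append(f"dormant for {days_idle} days")
        if acct["role"] not in ALLOWED_ROLES.get(acct["position"], set()):
            issues.append(f"role '{acct['role']}' exceeds position '{acct['position']}'")
        pw_age = (today - date.fromisoformat(acct["pw_changed"])).days
        if acct["role"] == "administrator" and pw_age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"privileged password unchanged for {pw_age} days")
        if issues and acct["remote"]:
            issues.append("remote access enabled")  # raises the severity of any finding
        if issues:
            findings.append((acct["user"], issues))
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, "2020-07-22"):
        print(user, "->", "; ".join(issues))
```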

Conclusion on IT Audit and Controls

These findings from the IT system audits of the recruitment system, Horizon Power, the pension system and the NLR system show that the auditors have identified major threats not only for the government and state to look into and improve, but also for the general public to be cautious about when sharing their information. All such systems face threats to confidentiality and integrity and from unauthorised and fraudulent activity. The state must take strong action on the discrepancies found by the auditors and also work on the measures and recommendations suggested by the WAS in their report.

Professional, Legal, and Ethical Responsibilities of an IT Auditor

Every auditor in any business field must uphold certain values and has the following professional, legal and ethical responsibilities:

Professional

1) Auditors should behave like "a watchdog, not a bloodhound". They need not investigate every issue, but their professional duty is to qualify the point in the report.

2) The auditor should have the capability to acquire knowledge of the entity: its nature, policies and controls, and all related laws, i.e. the regulations and compliance requirements of the land.

3) Before giving their opinion, auditors must obtain sufficient evidence and explanation regarding the query.

4) Auditors should work independently, without any influence, pressure or bias, to reach a conclusion.

Ethical

The fundamental responsibility of an auditor is to maintain integrity, for example by not accepting gifts or any type of obligation. Auditors should avoid making false or misleading statements that would damage the goodwill and reputation of their firm. In other words, all auditors must act in an ethical manner that brings credit upon themselves, their company and the auditing profession.

Legal

  • Not producing statements containing untrue material facts
  • Bringing any omission of a material fact to notice
  • Not leaving out information in a way that misleads
  • Timely disclosure of all material information to government and other agencies

