An audit report of an information system is provided for analysis. The objective of our report is to understand the audit scope and analyse the various findings across the different processes and functions of the ICT business. Key areas of the report will be
Every audit aims to provide audit observations, but the most important step in auditing is first to define the scope of the audit, so that the audit team can focus on the main objective. As per the case study, although there are various business applications, all equally important, the Western Australian audit team defined the focus and scope as:-
The main focus of the audit team was in the areas of:-
Western Australian Government entities use the Recruitment Advertisement Management System (RAMS) to manage the recruitment and deployment of staff and to record details of severance. The software holds highly sensitive information about candidates and staff.
RAMS has successfully supported a number of recruitment processes since its implementation in 2003, but according to the auditors there was still scope for improvement, and their findings were in line with that assumption.
The Commission operates RAMS under a software-as-a-service (SaaS) contract arrangement and is responsible for monitoring delivery as per the arrangement below:
The audit observed that the Commission does not have adequate assurance over vendor controls: it has not obtained independent assurance from any of its key vendors that the information security controls are operating effectively. As a result, the Commission has no assurance that the information in RAMS is protected so as to ensure its confidentiality, integrity and availability. The audit team identified the following control deficiencies:-
All of this shows that there is a risk to business continuity planning, and that poor user access management creates a potential threat to sensitive personal information.
The Regional Power Corporation, trading as Horizon Power, uses an Advanced Metering Infrastructure (AMI), and the audit focused on the applications through which Horizon Power traded, monitored and recorded bills for electricity consumption. These applications store sensitive personal and client information such as customer names, addresses, dates of birth and the locations where the meters were to be installed.
The aim was to assess whether the AMI systems achieve their purpose: collecting and storing electricity consumption data and communicating it to Horizon's other business systems. Inadequacies in contractor access management and background checks put the integrity of the system at risk and leave the confidentiality of the information it holds at high risk. Improved network and database security controls are therefore necessary to strengthen the integrity of the system itself.
Key Audit findings of Horizon Power
Horizon has a good process for detecting and remedying errors in billed consumption, including a process to detect and remedy high-value data errors in consumption readings before bills are issued. Meters connected to the advanced network record consumption readings daily. An accounts manager reviews variances in consumption readings and initiates corrective action before bills are issued to commercial customers, with the corrective action recorded in the Velocity system. In 2017-18 it corrected errors worth $1.43 billion in total: $1.42 billion for one customer and $8.5 million for other commercial customers. The $1.42 billion error arose from a manual reading of the customer's meter.
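The variance review described above can be automated as a pre-billing check. The following is an added example, not Horizon Power's own code: it takes a constructed series of daily register readings for one hypothetical meter (the dates, values and the "ami"/"manual" source tag are all assumptions), flags a manually keyed reading that is far above the meter's recent baseline, and also flags the negative consumption that the next correct reading then produces, since a real register cannot go backwards.

```python
"""Daily consumption-variance check for AMI meter readings (added example).

Flags a day whose consumption is far above the median of the previous clean
days, and any day with negative consumption. Data below is constructed.
"""
from statistics import median

# Constructed daily register readings (cumulative kWh) for one hypothetical
# commercial meter: (date, register value, source). "ami" = read over the
# AMI network, "manual" = keyed in from a paper form.
READINGS = [
    ("2018-03-01", 100000, "ami"),
    ("2018-03-02", 100420, "ami"),
    ("2018-03-03", 100835, "ami"),
    ("2018-03-04", 101260, "ami"),
    ("2018-03-05", 101690, "ami"),
    ("2018-03-06", 1021100, "manual"),  # 102110 keyed with an extra digit
    ("2018-03-07", 102540, "ami"),
]


def daily_consumption(readings):
    """Turn consecutive register readings into (date, kWh consumed, source of
    the later reading). A negative value means the register appears to have
    gone backwards, which a real meter cannot do."""
    return [(d1, r1 - r0, src)
            for (_, r0, _), (d1, r1, src) in zip(readings, readings[1:])]


def flag_variances(readings, window=3, factor=3.0):
    """Flag days whose consumption exceeds `factor` times the median of the
    last `window` clean days, and any day with negative consumption. Flagged
    days are kept out of later baselines so one bad reading does not mask the
    next one. A zero baseline flags any consumption at all, which is intended
    for a premise that has been vacant."""
    flags = []
    clean = []  # consumption values accepted as baseline so far
    for d, kwh, src in daily_consumption(readings):
        if kwh < 0:
            flags.append((d, kwh, src, "register went backwards"))
            continue
        if len(clean) >= window:
            base = median(clean[-window:])
            if kwh > factor * base:
                reason = ("manual read far above baseline" if src == "manual"
                          else "consumption spike")
                flags.append((d, kwh, src, reason))
                continue
        clean.append(kwh)
    return flags


if __name__ == "__main__":
    for flag in flag_variances(READINGS):
        print(flag)
```

Run as a script it prints the two flagged days (2018-03-06, the manual read, and 2018-03-07, the negative consumption that follows it); in practice the flagged list is what an accounts manager would review before the bill is issued.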
Inadequate human resource security and contractor access management
Criminal history checks are not part of Horizon's human resources policies and processes: the audit found that new staff are employed without criminal background checks even though they have privileged access to critical power infrastructure and systems. No such checks are initiated for existing key staff either. Although the recruitment process includes checks of qualifications and references and medical tests, it does not include criminal background verification. The auditors identified this as a high risk requiring immediate action.
System information is at risk of errors and unintentional disclosure
Horizon depends on manual forms to record important meter installation information before it is stored in the application. There is an increased risk of inaccurate information being entered into the applications manually. The audit was told that a process exists to validate the data from the forms before entry into the applications, but because of a shortage of documentation it is not clear whether this process is actually followed. If a data validation process is not followed consistently, data errors will go unnoticed and could affect the integrity of the information. These forms carry sensitive information such as property addresses and meter configuration details, including IP addresses, and one instance was found of a Horizon staff member using a private email account to transmit this sensitive information to Horizon. Horizon could improve the confidentiality and integrity of its information by implementing processes to collect the data electronically.
There is significant scope to improve the security of the network and electronic records
Horizon's database and network security controls are not fully protecting the confidentiality, integrity and availability of its information. The audit findings are as follows:
Inappropriate configuration of the network firewall - The firewall that separates the AMI network from Horizon's main corporate network was not configured properly, increasing the risk of cyber-attacks and of access to its key systems; Horizon has started addressing these issues. The firewall software was also out of date: software updates that address security vulnerabilities and performance had not been installed, which caused performance issues with the firewall and left the network vulnerable to exploitation. Horizon has started updating all of its software.
Database security is weak - The audit found several weaknesses in the AMI database that compromise the confidentiality and integrity of the information it holds.
Network access accounts are not well managed - A highly privileged 'Administrator' account was found whose password had not been changed; privileged accounts like this are prime targets for attackers because of the level of access they allow. Access for former staff and contractors had not been disabled: in the sample, 16 network access accounts belonged to 9 former staff and contractors, and three of these could access ICT systems remotely. Inadequate controls here increase the risk of unauthorised access to the entire network.
Weak web server configuration - The external vulnerability assessment found the security of the 'My Account' web portal weak in several ways, which increases the risk of unauthorised access or unintentional disclosure of information. The assessment identified:
- the use of a legacy security protocol with known vulnerabilities
- the use of encryption algorithms that are weak and compromised
- default application settings that could be susceptible to cyber-attack
Lack of a logging and event monitoring policy - There is no formal event monitoring and activity logging policy, which leads to inconsistency in monitoring and in identifying potential problems and ongoing attempts to compromise systems and information. The audit noted that Horizon does have processes to capture application and system transactions and activity, but a formal monitoring policy would strengthen the control.
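The account-management and monitoring findings above both come down to routine checks that can be scripted. The following is an added example, not Horizon Power's own tooling: it reviews a constructed directory export for accounts still enabled after the holder's employment ended (rated higher when the account allows remote access) and for privileged accounts whose password is older than a 90-day policy, and it reads constructed auth-log lines to alert on successful logins by terminated or disabled accounts, logins by accounts the directory does not know, and repeated failures. The account records, log format, review date and thresholds are all assumptions.

```python
"""Access review and login-monitoring checks (added example, constructed data).

review_accounts(): findings from a directory/HR export.
monitor_log(): alerts from auth-log lines, cross-checked against that export.
"""
import re
from datetime import date

REVIEW_DATE = date(2018, 6, 1)  # "as of" date for the review (constructed)

# Constructed directory/HR export; field names are hypothetical.
ACCOUNTS = [
    {"user": "jsmith", "privileged": False, "remote": False, "enabled": True,
     "pwd_last_set": date(2018, 5, 1), "employment_end": None},
    {"user": "administrator", "privileged": True, "remote": True, "enabled": True,
     "pwd_last_set": date(2014, 3, 12), "employment_end": None},
    {"user": "ctr_lee", "privileged": False, "remote": True, "enabled": True,
     "pwd_last_set": date(2017, 9, 30), "employment_end": date(2018, 1, 15)},
    {"user": "mbrown", "privileged": True, "remote": False, "enabled": True,
     "pwd_last_set": date(2018, 4, 2), "employment_end": date(2017, 11, 30)},
    {"user": "old_ctr", "privileged": False, "remote": False, "enabled": False,
     "pwd_last_set": date(2016, 1, 1), "employment_end": date(2016, 6, 1)},
]

# Constructed auth-log lines in a hypothetical syslog-like format.
AUTH_LOG = """\
2018-06-01T02:14:07 vpn01 LOGIN user=ctr_lee src=203.0.113.5 result=success
2018-06-01T08:05:44 srv02 LOGIN user=jsmith src=10.1.2.3 result=success
2018-06-01T08:06:10 srv02 LOGIN user=mbrown src=10.1.2.9 result=failure
2018-06-01T08:06:13 srv02 LOGIN user=mbrown src=10.1.2.9 result=failure
2018-06-01T08:06:15 srv02 LOGIN user=mbrown src=10.1.2.9 result=failure
2018-06-01T08:06:18 srv02 LOGIN user=mbrown src=10.1.2.9 result=failure
2018-06-01T09:00:00 srv02 LOGIN user=svc_unknown src=10.1.2.9 result=success
2018-06-01T09:30:00 srv02 LOGIN user=old_ctr src=10.1.2.9 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$")


def review_accounts(accounts, as_of=REVIEW_DATE, max_pwd_age_days=90):
    """Return (severity, user, reason) findings from a directory export."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is the desired state; nothing to report
        if a["employment_end"] is not None:
            sev = "high" if a["remote"] else "medium"
            findings.append((sev, a["user"],
                             f"still enabled after employment ended {a['employment_end']}"))
        if a["privileged"]:
            age = (as_of - a["pwd_last_set"]).days
            if age > max_pwd_age_days:
                findings.append(("high", a["user"],
                                 f"privileged password is {age} days old"))
    return findings


def monitor_log(log_text, accounts, fail_threshold=3):
    """Return (reason, user) alerts from auth-log lines. Logins are checked
    against the directory export so a successful login by a terminated or
    disabled account is still caught."""
    by_user = {a["user"]: a for a in accounts}
    alerts, failures = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparseable log line", line))
            continue
        user, result = m.group("user"), m.group("result")
        acct = by_user.get(user)
        if result == "success":
            if acct is None:
                alerts.append(("login by account not in directory", user))
            elif acct["employment_end"] is not None or not acct["enabled"]:
                alerts.append(("login by terminated or disabled account", user))
        else:
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == fail_threshold:  # alert once per user
                alerts.append(("repeated failed logins", user))
    return alerts


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS):
        print("REVIEW", *f)
    for a in monitor_log(AUTH_LOG, ACCOUNTS):
        print("ALERT", *a)
```

The review step is the periodic control; the monitoring step is the compensating one that catches what the review missed, which is why both consult the same HR data: an account that HR says has left should never log in successfully, however it is flagged in the directory.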
Inadequate user access control and reviews:-
The auditors found that State Revenue does not regularly review PRS and PRX user accounts, which has resulted in an excessive number of privileged users. It was also found that many of these accounts are unused and some are dormant. This clearly shows there is scope for improvement here.
A large number of users have access to unprotected sensitive information –
It was found that 60 users have full access, which increases the risk of unauthorised access and of modification or fraudulent activity, whether intentional or unintentional. The audit found various discrepancies in the system and process:
Easy-to-guess database passwords - It was identified that the databases have easy-to-guess passwords. This is contrary to basic security practice and creates a serious data security threat, with a significant risk of data breach and hacking.
-Segregation of duties - This is also missing from the process, creating a further security threat: the same person was performing the end-to-end process, both processing and authorisation. This may lead to fraudulent or incorrect payments.
The system does not log changes to sensitive information, which the auditors identified as a major weakness in the system.
System activity is not adequately monitored or recorded - There is also no policy or procedure to proactively control and monitor security threats, so security management is weak. The auditors found around 600 vulnerabilities across workstations, relating to unsupported software and third-party applications, which should be unacceptable.
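Two of the gaps above, the missing segregation of duties and the missing change log for sensitive information, can each be tested with a simple reconciliation. The following is an added example, not State Revenue's own code: it finds users holding both the "processor" and "approver" roles, payments that were entered and approved by the same person or paid with no approval at all, and changes to a sensitive field (the payee bank account) that appear between two snapshots but have no matching audit-trail entry. The roles, payment records, snapshots and field names are all constructed.

```python
"""Segregation-of-duties and change-trail reconciliation (added example).

All role names, payments, snapshots and log entries below are constructed.
"""

# Constructed role assignments (hypothetical role names).
ROLES = {
    "alice": {"processor"},
    "bob": {"approver"},
    "carol": {"processor", "approver"},  # toxic combination
    "dave": {"dba"},
}

# Role combinations one person must not hold, with the reason.
TOXIC_COMBINATIONS = [
    ({"processor", "approver"}, "can both enter and authorise a payment"),
]

# Constructed payment records: who keyed the payment and who approved it.
PAYMENTS = [
    {"id": "P-1001", "amount": 1200.00, "entered_by": "alice", "approved_by": "bob"},
    {"id": "P-1002", "amount": 98000.00, "entered_by": "carol", "approved_by": "carol"},
    {"id": "P-1003", "amount": 450.00, "entered_by": "carol", "approved_by": "bob"},
    {"id": "P-1004", "amount": 7500.00, "entered_by": "alice", "approved_by": None},
]

# Constructed audit trail of changes to sensitive fields, plus two snapshots
# of the payee account field taken before and after. P-1002's account changed
# with no trail entry, which is exactly the gap an unlogged change leaves.
CHANGE_LOG = [
    {"payment": "P-1001", "field": "payee_account", "actor": "alice",
     "old": "111-222", "new": "111-333"},
]
SNAPSHOT_BEFORE = {"P-1001": "111-222", "P-1002": "444-555", "P-1003": "666-777"}
SNAPSHOT_AFTER = {"P-1001": "111-333", "P-1002": "999-999", "P-1003": "666-777"}


def toxic_role_holders(roles, toxic=TOXIC_COMBINATIONS):
    """Users who hold every role of some toxic combination."""
    return [(user, why) for user, held in roles.items()
            for combo, why in toxic if combo <= held]


def sod_violations(payments):
    """Payments that bypassed the two-person rule."""
    out = []
    for p in payments:
        if p["approved_by"] is None:
            out.append((p["id"], "paid without approval"))
        elif p["approved_by"] == p["entered_by"]:
            out.append((p["id"], "entered and approved by the same user"))
    return out


def unlogged_changes(before, after, change_log, field="payee_account"):
    """Differences in `field` between two snapshots that have no matching
    audit-trail entry, as (payment id, old value, new value)."""
    logged = {(c["payment"], c["old"], c["new"])
              for c in change_log if c["field"] == field}
    return [(pid, old, after.get(pid))
            for pid, old in before.items()
            if after.get(pid) != old and (pid, old, after.get(pid)) not in logged]


if __name__ == "__main__":
    print(toxic_role_holders(ROLES))
    print(sod_violations(PAYMENTS))
    print(unlogged_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, CHANGE_LOG))
```

The role check is preventive (fix the role model so no one can hold both roles); the payment and snapshot checks are detective, and the snapshot reconciliation is the only way to find an unlogged change when the application itself writes no audit trail.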
The auditors have also made many recommendations to improve the IT systems in the areas they identified, e.g. timely patching of software, which reduces the risk of potential attacks, and testing the disaster recovery mechanism for effectiveness, through a mock drill or any other method management may decide.
The New Land Registry is used by the Western Australian Land Information Authority (Landgate), one of the oldest entities managed by the state. The application, NLT-R, is developed and maintained under an outsourced ICT arrangement by a co-owned third-party vendor.
These findings from the IT system audits of the recruitment system, Horizon Power, the pension system and the NLR system show that the auditors have not only identified major threats for the government and the state to address, but also given the general public reason to be cautious when sharing their information. All of these systems pose threats to confidentiality and integrity and open the way to unauthorised and fraudulent activity. The state must take strong action on the discrepancies found by the auditors and also work on the measures and recommendations made in their report.
Every auditor, in any field of business, must follow certain values and has the following professional, legal and ethical responsibilities:-
1) Auditors should behave like a "watchdog, not a bloodhound". They need not investigate every issue themselves, but their professional duty is to qualify the point in the report.
2) The auditor should be able to acquire knowledge of the entity: its nature, policies and controls, and all related laws, i.e. the regulations and compliance requirements of the land.
3) Before giving their opinion, auditors must obtain sufficient evidence and explanation regarding the query.
4) Auditors should work independently, without any influence, pressure or bias, to reach a conclusion.
The fundamental responsibility of an auditor is to maintain integrity, for example by not accepting gifts or obligations of any kind. Auditors must avoid making false or misleading statements that would damage the goodwill and reputation of their firm. In other words, all auditors must act in an ethical manner that brings credit upon themselves, their company and the auditing profession.
Office of the Auditor General. (n.d.). Audit reports Archive. [online] Available at: https://audit.wa.gov.au/reports-and-publications/reports/ [Accessed 22 Jul. 2020].
Master (2019). IT Audit Checklist: What Every IT Department Needs. [online] Sagacent Technologies. Available at: https://www.sagacent.com/it-audit-checklist/ [Accessed 22 Jul. 2020].