Scope and Findings of IT Audit Report


Added on  2023/01/11

AI Summary
This report analyzes the scope and findings of an IT audit report, focusing on four key applications, namely RAMS, Horizon Power, NLR-T, and PRS and PRX. It discusses the audit findings for each system and provides recommendations for improvement. The report also highlights the ethical and legal responsibilities of an IT auditor.

Assessment 3

TABLE OF CONTENTS
INTRODUCTION
MAIN BODY
Scope and focus
Audit findings in various systems
Ethical and legal responsibilities of an IT auditor
CONCLUSION
REFERENCES
INTRODUCTION
Information technology (IT) audit is defined as the set of monitoring and controlling
activities in which the integrity, confidentiality and performance standards of an organisation's
existing IT systems are reviewed by experts (Drljača and Latinović, 2016). The purpose of this
type of audit is to ensure that the IT systems of a business are secure and effective in terms of
performance management; otherwise there could be security risks or failure of the
organisation's IT infrastructure (Lu et al., 2018). This report analyses the scope and findings of
an IT audit report. It also provides suitable recommendations to address the findings and make
the IT infrastructure more secure and efficient for information handling.
MAIN BODY
Scope and focus
The audit report focuses on four key applications, namely RAMS, Horizon Power, NLR-T,
and PRS and PRX. Each of these applications is reviewed in terms of information security, data
processing time, intended versus actual outcomes, recovery and data backup, segregation of
duties, and the authenticity and other credibility requirements of input, output and processing
data. Each of the entities related to the information systems and their applications was assessed
and classified on the basis of different rating scales (Stafford et al., 2018). The purpose of the
audit was to analyse and evaluate the effectiveness of a sample of IT processes so that the
reliability, security and accessibility of their operations can be assured. The focus of this type of
auditing is not limited to highlighting the drawbacks and loopholes in the IT infrastructure; it
also recommends appropriate solutions for improving the information processing systems or
entities related to the various applications.
Audit findings in various systems
RAMS
Recruitment Advertisement Management System (RAMS) is used by Western Australian
(WA) government entities for managing redeployment, recruitment and severance details.
The audit found that some components of the software are not supported by their vendors,
which increases security vulnerabilities. Disaster recovery has not been tested for the
application, and its technical specifications are outdated. This indicates that there is insufficient
control over protecting the application (Brown et al., 2019). Inadequate vendor control thus
poses a major security threat to the application.
Another critical audit finding is that RAMS lacks risk assessment and access control,
which increases the risk of information threats. The application has no regular security audit,
encryption, control assurance, or obligation procedure to indicate a data breach. Most of the
accounts have weak password configuration and are extensively mismanaged. It was also
identified that the RAMS business continuity plan has not been reviewed since 2014, so if the
system is disrupted it may be impossible to recover the data. The application does not have
proper escrow management, which means that if the vendor terminates the service the
commission will not be able to recover its data. The application also faces various challenges
and operational issues because the vendor and the commission neither review the system
regularly nor outline the changes. As a result, the application and the commission are not able to
record, analyse or classify the changes, and user satisfaction is reducing every year.
Recommendations: The audit team recommends that a risk assessment framework be
implemented so that risks can be identified appropriately. There must also be regular
monitoring of SLA contractual obligations and regular collection of feedback from different
stakeholders. RAMS must also implement account management practices and communicate
them to its stakeholders. For long-term effectiveness, a business impact analysis must also be
carried out so that the business continuity plan for RAMS can be updated at regular intervals.
Horizon Power
Horizon Power is used within advanced metering infrastructure for monitoring and
recording electricity consumption bills. The application is therefore responsible for storing and
managing highly sensitive customer information. The audit found that the number of errors in
producing bills is quite high, which is of great concern. The information is recorded manually,
so there is a high chance of errors and of unintentional disclosure of the information. A major
security loophole was also identified in the manual role: Horizon Power does not carry out
security or background checks on the staff members who access the systems and
infrastructure.
There is thus a high risk of data breach from the negligence or actions of staff members.
Security breach is a critical issue for the application, and Horizon Power seems to have no room
for improving the security of its electronic records and network. The network firewall and web
server configuration is inappropriate, and there are no policies for monitoring activities or
logging. This plays an important role in increasing network access and database-related security
risks. The informal nature of third-party applications is also a major cause of vulnerabilities in
management programs (Rose et al., 2017). Although Horizon Power has regular tests and
assessments of its cyber security, there is a need for better management of operating
systems.
Recommendations:
To improve the efficiency of Horizon Power, it is recommended that Horizon Power first
implement suitable procedures and manuals so that there are regular background checks
of contractors and staff members. From a business objective perspective, greater emphasis
must be placed on digital processes and on improved security controls for the database and
network. There is also a need to review the access management practices. When including
third-party applications, Horizon Power must also encourage vulnerability management
processes.
PRS and PRX
Pensioner Rebate Scheme (PRS) and Pensioner Rebate Exchange (PRX) systems are used
by local government entities and State Revenue for processing reimbursement claims. However,
poor access control and ineffective disaster recovery planning are affecting the integrity,
availability and confidentiality of the system. State Revenue does not have any control over
review and access control. System passwords are too easy to guess or track, and there are no
suitable policies for monitoring and recording system activities. This inadequate and unmanaged
control leads to unauthorised use of and access to information. The audit also found that
there is no anti-malware software on PRS and no vulnerability identification application on PRX
or PRS. These insufficient security controls increase exposure to security risk. In such
situations State Revenue may also fail to recover the application data for lack of an appropriate
disaster recovery plan, because the plan has not been updated and fails to describe the current
system environment. The vulnerabilities can easily be exploited by network or system attackers
to interrupt business or access sensitive data in an unauthorised way.
Recommendations:
On the basis of the above findings, it is suggested that PRS and PRX regularly update their
security procedures and related policies so that user access can be managed better. As per
the act, the application must also have identity validation processes and regular checks of
occupancy and land ownership. PRS and PRX are also advised to develop a monitoring and
logging framework so that key changes can be tracked and supporting documentation can be
updated regularly.
NLR-T
The Western Australian Land Information Authority uses the New Land Registry - Titles
(NLR-T) application for managing records of location information and property ownership. Its
audit results indicate that changes to records are not reviewed and monitored. Access control is
not imposed properly, so there is a high possibility of information misuse. The duties of staff
members who perform end-to-end transactions through the application are not properly
segregated. As a result, possible errors are not detected, and unauthorised and inaccurate
changes to records take place through fraudulent activities.
There is no regular review of user access permissions, so some individuals or users often
hold excessive privileges, which encourages unauthorised access to the information
system. It was also found that internal vulnerabilities are scanned properly, but the scanning
does not detect or prevent attacks from the external environment. This failure of the control
mechanism affects information availability and integrity (Veerankutty, Ramayah and Ali, 2018).
In order to keep pace with evolving and advanced cyber threats, this testing must be performed.
The most prominent audit finding is that NLR-T breaches its own ICT use policy: credit card
information is stored through insecure methods such as email. Sensitive payment
information is thus stored, and backed up, without any masking to protect it. This also results in
a breach of the Payment Card Industry Data Security Standard for storing credit card
information. It was also found that its outsourced ICT services have not been reviewed for a
long time, which also encourages security threats.
Recommendations:
It is recommended that NLR-T review and monitor its procedures, contractual agreements
and access policies. It must establish controls to protect sensitive information such as credit
card details. The vulnerability management process must also be extended so that it can assess
external vulnerabilities. It is also suggested that a regular risk assessment be performed around
registry transactions so that control assessment can be aligned with the system and process.
Ethical and legal responsibilities of an IT auditor
It is the responsibility of the auditor to follow legal as well as professional ethics in order
to carry out the audit process without any bias or inaccuracy. The key ethical principles which
must be followed by IT auditors are confidentiality, competency, integrity and objectivity
(Guoliang and Linyi, 2017). The auditor must uphold all industry principles and guidelines for
auditing information security and systems. The process must be performed without any
self-serving activity or partiality. The true purpose is also served when true information is
shared with authorised stakeholders. It is thus the primary responsibility of auditors to maintain
the confidentiality of the audit process (Murad et al., 2018). Another ethical consideration is
competency, which requires that the auditor have all the professional skills and competencies
for advanced knowledge related to information technology and organisational needs.
When conducting an IT audit, professionals must also follow the professional code of
conduct laid down by ISACA for all IS auditors. The audit process must also adhere to certain
legal compliance requirements such as privacy and data protection. Although auditors have the
right to evaluate the information systems and related data, it is also expected legally and
ethically that they protect this information from unauthorised access (Setiawan, Noertjahyana
and Jourdano, 2018). The auditor must ensure that audit information is disclosed only when it
is required by legal and authorised individuals. The auditor must not use any of this information
for personal benefit or share it with any unauthorised third party.

Another professional responsibility of auditors is that they must work for the support
and welfare of stakeholders. Along with honesty and integrity, auditors must maintain high
standards and should not engage in discreditable actions which are against their
professional code of conduct. The purpose of an audit is to identify and assess the information
systems so that relevant risks can be identified and suitable solutions can be implemented in
time (Han et al., 2016). It is thus the legal and ethical duty of the auditor to inform stakeholders
about all audit findings accurately. Auditors must not mislead the concerned authorities or hide
any sensitive information from them.
CONCLUSION
From the above audit analysis it can be concluded that, although most of the entities and
applications are performing well, there is still a need to improve several areas. With an
increasing number of systems and entities, there is a need to implement a better security
management system for IT infrastructure. The organisations must also emphasise processes
which regularly provide backup and data recovery so that information disruption can be
prevented. This will also ensure that the integrity and confidentiality of users' information is not
threatened or compromised as the number of entities or IT systems increases. It can also be
concluded that a secure culture can be embedded within systems only when a security-aware
workforce is developed and built.
REFERENCES
Books and Journals
Brown, V.L. et al., 2019. Comments of the Auditing Standards Committee of the Auditing
Section of the American Accounting Association on Proposed Statement on Auditing
Standards (SAS) Audit Evidence. Current Issues in Auditing.
Drljača, D. and Latinović, B., 2016. Frameworks for audit of an information system in
practice. JITA-JOURNAL OF INFORMATION TECHNOLOGY AND
APLICATIONS. 12(2).
Guoliang, B. and Linyi, L., 2017. RESEARCH ON AUDIT FRAMEWORK OF
INFORMATION SYSTEM STRUCTURE CONTROL. Информационные технологии.
Проблемы и решения. (1). pp.278-286.
Han, S. et al., 2016. The association between information technology investments and audit
risk. Journal of Information Systems. 30(1). pp.93-116.
Lu, H. et al., 2018, June. The Research on Security Audit for Information System Classified
Protection. In International Conference on Cloud Computing and Security (pp. 300-308).
Springer, Cham.
Murad, D.F. et al., 2018, September. Implementation of COBIT 5 Framework for Academic
Information System Audit Perspective: Evaluate, Direct, and Monitor. In 2018
International Conference on Applied Information Technology and Innovation
(ICAITI) (pp. 102-107). IEEE.
Rose, A.M. et al., 2017. When should audit firms introduce analyses of Big Data into the
audit process?. Journal of Information Systems. 31(3). pp.81-99.
Setiawan, A., Noertjahyana, A. and Jourdano, G.V., 2018. Audit Information System Using
Framework COBIT 4.1 (With Domain Monitor and Evaluate) At Samudera Indonesia
Company (Doctoral dissertation, Petra Christian University).
Stafford, T. et al., 2018. The Role of Accounting and Professional Associations in IT
Security Auditing: An AMCIS Panel Report. Communications of the Association for
Information Systems. 43(1). p.27.
Veerankutty, F., Ramayah, T. and Ali, N.A., 2018. Information technology governance on audit
technology performance among Malaysian public sector auditors. Social Sciences. 7(8).
p.124.