This report analyses the findings and scope of an IT audit report, focusing on four key applications: RAMS, Horizon Power, NLR-T, and PRS and PRX. It discusses the audit findings for each system and provides recommendations for improvement. The report also highlights the ethical and legal responsibilities of an IT auditor.
Assessment 3
TABLE OF CONTENTS
INTRODUCTION
MAIN BODY
  Scope and focus
  Audit findings in various systems
  Ethical and legal responsibilities of an IT auditor
CONCLUSION
REFERENCES
INTRODUCTION

An information technology (IT) audit is the set of monitoring and control activities in which the integrity, confidentiality and performance standards of an organisation's existing IT systems are reviewed by experts (Drljača and Latinović, 2016). The purpose of such audits is to ensure that business IT systems are secure and perform effectively; weaknesses that go unexamined can lead to security risks or to failure of the organisation's IT infrastructure (Lu et al., 2018). This report analyses the findings and scope of an IT audit report. It also provides suitable recommendations to address the findings and make the IT infrastructure more secure and efficient for information handling.

MAIN BODY

Scope and focus

The audit report focuses on four key applications: RAMS, Horizon Power, NLR-T, and PRS and PRX. Each application is reviewed in terms of information security, data processing time, intended versus actual outcomes, recovery and data backup, segregation of duties, and the authenticity and other credibility requirements of input, output and processing data. Each of the entities responsible for these information systems and related applications was assessed and classified against rating scales (Stafford et al., 2018). The purpose of the audit was to evaluate the effectiveness of a sample of IT processes so that the reliability, security and accessibility of their operations can be assured. This type of audit is not limited to highlighting drawbacks and loopholes in the IT infrastructure; it also recommends appropriate solutions for improving the information processing systems and the entities responsible for the various applications.
Audit findings in various systems

RAMS

The Recruitment Advertisement Management System (RAMS) is used by Western Australian (WA) government entities to manage recruitment, redeployment and severance-related work. The audit found that some of the software components are not
supported by their vendors, which increases the application's security vulnerabilities. Disaster recovery for the application has not been tested, and its technical specifications are outdated. This indicates insufficient control over protecting the application (Brown et al., 2019), and inadequate vendor control is therefore a major security threat to it. Another critical finding is that RAMS lacks risk assessment and access control, which increases the risk of information threats. The application has no regular security audit, no encryption, and no control assurance or obligation procedure for indicating a data breach. Most accounts have weak password configurations and are poorly managed. The RAMS business continuity plan has not been reviewed since 2014, so if the application were disrupted it might be impossible to recover its data. The application also has no proper escrow arrangement, meaning that if the vendor terminated the service the Commission would be unable to recover its data. The application faces further operational challenges because neither the vendor nor the Commission regularly reviews the system or documents changes; as a result they cannot record, analyse or classify changes, and user satisfaction is declining every year.

Recommendations: The auditing team recommends that a risk assessment framework be implemented so that risks can be identified appropriately. SLA contractual obligations should be monitored regularly and feedback gathered from the different stakeholders. RAMS must also implement account management practices and communicate them to its stakeholders. For long-term effectiveness, a business impact analysis must be carried out so that the RAMS business continuity plan can be updated at regular intervals.
Horizon Power

The Horizon Power application is used within advanced metering infrastructure to monitor and record electricity consumption for billing, so it stores and manages highly sensitive customer information. The audit found that the number of errors in producing bills is high, which is of great concern. Information is recorded manually, so there is a high chance of errors along with the unintentional
disclosure of information. A major security loophole was also identified in the manual role: Horizon Power does not carry out security or background checks of the staff members who access the systems and infrastructure, so there is a high risk of data breach through staff negligence or deliberate action. Security breaches are a critical issue for the application, and Horizon Power appears to have made no provision for improving the security of its electronic records and network. The network firewall and web server configuration are inappropriate, and there are no policies for monitoring activities or logging; this increases the risk of unauthorised network access and database-related attacks. The informal treatment of third-party applications is another major cause of vulnerabilities in its management programs (Rose et al., 2017). Although Horizon Power tests and assesses its cyber security regularly, its operating systems need better management.

Recommendations: To improve Horizon Power's security it is recommended that it first implement suitable procedures and a manual so that contractors and staff members are subject to regular background checks. For business purposes, greater emphasis must be placed on digital processes and on improved security controls for the database and network. Access management practices also need to be reviewed. Where third-party applications are included, Horizon Power must establish vulnerability management processes.

PRS and PRX

The Pensioner Rebate Scheme (PRS) and Pensioner Rebate Exchange (PRX) systems are used by local government entities and State Revenue to process reimbursement claims. Poor access control and ineffective disaster recovery planning are affecting the integrity, availability and confidentiality of these systems. State Revenue has no control over access reviews or access control.
System passwords are easy to guess or track, and there are no suitable policies for monitoring and recording system activity. These inadequate and unmanaged controls lead to unauthorised access to and use of information. The audit also found that there is no anti-malware software on PRS and no vulnerability identification tooling on PRS or PRX, so unaddressed vulnerabilities increase exposure to security risk. In such
situations State Revenue may also fail to recover the application data, because its disaster recovery plan is not updated and does not describe the current system environment. These vulnerabilities can be easily exploited by network or system attackers to interrupt business or to access sensitive data without authorisation.

Recommendations: On the basis of the above findings it is suggested that PRS and PRX regularly update their security procedures and related policies so that user access can be managed better. As required by the relevant Act, the application must also validate identities and regularly check occupancy and land ownership. PRS and PRX are also advised to develop a monitoring and logging framework so that key changes can be tracked, and to update their support documentation regularly.

NLR-T

The Western Australian Land Information Authority uses the New Land Registry - Titles (NLR-T) application to manage records of location information and property ownership. The audit results indicate that changes to records are not reviewed or monitored. Access control is not properly enforced, so there is a high possibility of information misuse. The duties of staff members who perform end-to-end transactions through the application are not properly segregated; as a result, errors go undetected, and fraudulent activity can lead to unauthorised and inaccurate changes to records. User access permissions are not reviewed regularly, so individual users often accumulate excessive privileges, which encourages unauthorised access to the information system. The audit also found that internal vulnerabilities are scanned properly, but the scanning does not detect or prevent attacks from the external environment. This failure of control mechanisms affects information availability and integrity (Veerankutty, Ramayah and Ali, 2018).
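The three NLR-T conditions above (record changes that nobody reviews, duties that are not segregated, and access permissions that are never recertified) are exactly the kind of finding an auditor can test mechanically against an export of the application's user directory and change log rather than by interview alone. The following Python script is an added illustration and is not code from the audit report or from the Authority's systems; the role names, the conflicting-role pairs, the 90-day recertification window and the sample user and change records are all assumptions constructed for the example.

```python
"""Access-review checks: segregation of duties, unreviewed changes, stale access.

Added illustration only. Role names, conflict pairs, the recertification
window and every sample record below are assumptions, not audit report data.
"""
from datetime import date

# Segregation-of-duties rules: role pairs that one person must never hold together.
# Assumed roles: whoever lodges a title change must not also approve it, and an
# approver must not also be able to grant access to other users.
SOD_CONFLICTS = {
    frozenset({"lodge_change", "approve_change"}),
    frozenset({"approve_change", "user_admin"}),
}

# Access must be recertified at least this often (assumed policy value).
MAX_REVIEW_AGE_DAYS = 90

# Constructed sample export of the application's user directory.
USERS = {
    "alice": {"roles": {"lodge_change"}, "last_review": date(2019, 5, 1)},
    "bob":   {"roles": {"lodge_change", "approve_change"}, "last_review": date(2019, 5, 1)},
    "carol": {"roles": {"approve_change", "user_admin"}, "last_review": date(2018, 1, 15)},
    "dave":  {"roles": {"read_only"}, "last_review": None},   # never recertified
}

# Constructed sample change log for registry records.
CHANGES = [
    {"id": 101, "record": "LOT-12", "author": "alice", "reviewer": "bob"},
    {"id": 102, "record": "LOT-13", "author": "bob", "reviewer": "bob"},    # self-approved
    {"id": 103, "record": "LOT-14", "author": "carol", "reviewer": None},   # never reviewed
]

# Date the review is run against (fixed so the example is reproducible).
AS_OF = date(2019, 6, 30)


def sod_violations(users):
    """Map each user holding a conflicting role pair to the sorted pairs they hold."""
    found = {}
    for name, info in users.items():
        held = set(info["roles"])
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)
        if hits:
            found[name] = hits
    return found


def unreviewed_changes(changes):
    """IDs of changes that were never reviewed, or were reviewed by their own author."""
    return [c["id"] for c in changes
            if not c["reviewer"] or c["reviewer"] == c["author"]]


def stale_access(users, as_of, max_age_days=MAX_REVIEW_AGE_DAYS):
    """Users whose access was never recertified or whose last review is older than the window."""
    stale = []
    for name, info in users.items():
        last = info["last_review"]
        if last is None or (as_of - last).days > max_age_days:
            stale.append(name)
    return sorted(stale)


def run_review(users=USERS, changes=CHANGES, as_of=AS_OF):
    """Run all three checks; any non-empty result is an audit exception."""
    return {
        "sod_violations": sod_violations(users),
        "unreviewed_changes": unreviewed_changes(changes),
        "stale_access": stale_access(users, as_of),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(f"{check}: {result}")
```

On the constructed data the script flags bob and carol for toxic role combinations, changes 102 and 103 as unreviewed or self-approved, and carol and dave as overdue for recertification. In practice USERS and CHANGES would be exported from the application's user store and audit trail, and each non-empty list is an exception to raise with the system owner; the conflict table is the part that must come from the business, since only it knows which registry duties are incompatible.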
External testing of this kind must be performed regularly to keep pace with evolving and advanced cyber threats. The most prominent audit finding is that NLR-T breaches its own ICT use policy: credit card information is stored by insecure methods such as email, so sensitive payment information is held, and backed up, without any masking to protect it. This is also a breach of the Payment Card Industry Data Security Standard (PCI DSS) requirements for storing credit card information. It was also found that the outsourced ICT services have not been reviewed for a long time, which further encourages security threats.

Recommendations: NLR-T is recommended to review and monitor its procedures, contractual agreements and access policies. It must establish network controls to protect sensitive information such as credit card data. The vulnerability management process must be extended to assess external vulnerabilities. A regular risk assessment around registry transactions is also suggested, so that control assessments can be aligned with the system and its processes.

Ethical and legal responsibilities of an IT auditor

It is the responsibility of the auditor to follow legal as well as professional ethics so that the audit is carried out without bias or inaccuracy. The key ethical principles that IT auditors must follow are confidentiality, competency, integrity and objectivity (Guoliang and Linyi, 2017). The auditor must uphold all industry principles and guidelines for auditing information security and systems. The process must be performed without self-serving activity or partiality. The audit serves its true purpose when accurate information is shared only with authorised stakeholders; it is therefore a primary responsibility of auditors to maintain the confidentiality of the audit process (Murad et al., 2018). Another ethical consideration is competency, which requires that the auditor have the professional skills and up-to-date knowledge of information technology and of the organisation's needs. When conducting IT audits, professionals must also follow the code of professional ethics laid down by ISACA for all IS auditors. The audit process must also adhere to legal requirements such as privacy and data protection law.
Although auditors have the right to evaluate information systems and the related data, they are also expected, legally and ethically, to protect this information from unauthorised access (Setiawan, Noertjahyana and Jourdano, 2018). The auditor must ensure that audit information is disclosed only when it is required by legally authorised individuals. The auditor must not use any of this information for personal benefit or share it with any unauthorised third party.
Another professional responsibility of auditors is to work in support of the welfare of stakeholders. Along with honesty and integrity, auditors must maintain high standards and must not engage in discreditable actions that breach their professional code of conduct. The purpose of an audit is to identify and assess information systems so that relevant risks can be identified and suitable solutions implemented on time (Han et al., 2016). It is therefore the legal and ethical duty of the auditor to inform stakeholders accurately about all audit findings. Auditors must not mislead the concerned authorities or hide any sensitive information from them.

CONCLUSION

From the above audit analysis it can be concluded that, although most of the entities and applications are performing well, several areas still need improvement. With the growing number of systems and entities, a better security management system for IT infrastructure is needed. The organisations must also put in place processes that regularly back up data and support data recovery, so that disruption to information is prevented. This will also ensure that the integrity and confidentiality of users' information is not threatened or compromised as the number of entities and IT systems grows. It can also be concluded that a secure culture can be embedded within systems only when a security-aware workforce is developed.
REFERENCES

Books and Journals

Brown, V.L. et al., 2019. Comments of the Auditing Standards Committee of the Auditing Section of the American Accounting Association on Proposed Statement on Auditing Standards (SAS) Audit Evidence. Current Issues in Auditing.
Drljača, D. and Latinović, B., 2016. Frameworks for audit of an information system in practice. JITA - Journal of Information Technology and Applications, 12(2).
Guoliang, B. and Linyi, L., 2017. Research on audit framework of information system structure control. Информационные технологии. Проблемы и решения, (1), pp.278-286.
Han, S. et al., 2016. The association between information technology investments and audit risk. Journal of Information Systems, 30(1), pp.93-116.
Lu, H. et al., 2018, June. The research on security audit for information system classified protection. In International Conference on Cloud Computing and Security (pp. 300-308). Springer, Cham.
Murad, D.F. et al., 2018, September. Implementation of COBIT 5 framework for academic information system audit perspective: Evaluate, Direct, and Monitor. In 2018 International Conference on Applied Information Technology and Innovation (ICAITI) (pp. 102-107). IEEE.
Rose, A.M. et al., 2017. When should audit firms introduce analyses of Big Data into the audit process? Journal of Information Systems, 31(3), pp.81-99.
Setiawan, A., Noertjahyana, A. and Jourdano, G.V., 2018. Audit Information System Using Framework COBIT 4.1 (With Domain Monitor and Evaluate) at Samudera Indonesia Company. Doctoral dissertation, Petra Christian University.
Stafford, T. et al., 2018. The role of accounting and professional associations in IT security auditing: an AMCIS panel report. Communications of the Association for Information Systems, 43(1), p.27.
Veerankutty, F., Ramayah, T. and Ali, N.A., 2018. Information technology governance on audit technology performance among Malaysian public sector auditors. Social Sciences, 7(8), p.124.