This report assesses the various audit findings from the Information Systems Audit Report, 2019. It covers the Recruitment Advertisement Management Systems (RAMS), Advanced Metering Infrastructure, Pensioner Rebate Scheme and Exchange, and New Land Registration information systems.
Assessment 3 report
Table of Contents
INTRODUCTION
MAIN BODY
  Focus and Scope of the Audit Report
  Audit Findings for Recruitment Advertisement Management Systems (RAMS)
  Audit Findings for the Horizon Power
  Audit Findings for Pensioner Rebate Scheme (PRS) and Exchange (PRX)
  Audit Findings for New Land Registry-Titles (NLR-T)
  Legal, Professional and Ethical Responsibilities of an IT Auditor
CONCLUSION
REFERENCES
INTRODUCTION

Business applications are software programs developed to facilitate and manage the operations, processes and functions of a business organisation, such as marketing, finance, legal and human resources. Because applying information technology to the operations and functions of business and public organisations is immensely beneficial to a business’s productivity, performance, efficiency and profitability in consumer markets, there is also a need for effective auditing of the information systems implemented in these organisations to address various data security and performance issues (Pak, 2019). This report assesses the various audit findings from the Information Systems Audit Report, 2019.

MAIN BODY

Focus and Scope of the Audit Report

The Information Systems Audit Report 2019 primarily covers the Recruitment Advertisement Management Systems (RAMS), Advanced Metering Infrastructure, Pensioner Rebate Scheme and Exchange, and New Land Registration information systems in various public and business organisations. The audit report focuses on various attributes of the information systems: organisational procedures and policies; security of data against external forces; recovery and backup of operational data in the event of accidents; accuracy of the input data; the time the information systems take to process data, and their performance; segregation and compatibility of assigned duties; accuracy, relevance and completeness of the data generated by the information systems; and accuracy of the audit trails that contain the transactional logs of the systems’ previous operations. It also covers other operational attributes, such as how operational data is collected, prepared and processed, with the intention of ensuring its accuracy, completeness, relevance and timeliness.
The scope of the report was limited to a sample of key processes and controls which helped the auditors gain assurance about the performance, accuracy and efficiency of the information systems involved (Rodríguez and Piattini, 2018). The audit can effectively showcase weaknesses within the systems, to which the systems might be highly susceptible, but it was not focused on whether the operational data had been compromised.

Audit Findings for Recruitment Advertisement Management Systems (RAMS)

The Public Sector Commission has neither sought nor received any assurances from the third-party vendors about the accuracy, performance and efficiency of the information security controls managed by the vendors. The audit found that software was in use that is no longer supported by the third-party vendors. The audit also found that the third-party vendors have not performed data recovery testing for disasters since 2015. In addition, the auditors found that the documented technical specifications are outdated and do not represent the current application environment. The commission also failed to assess the risks to its operational data security during contract extensions with the vendor. The audit found the terms and conditions for data security in the contract between the commission and the vendors to be inadequate. Under the contract, the commission has no legal right to perform security audits of the RAMS information system, which limits the commission’s capability to assess the security controls of RAMS (Lenghel and Vlad, 2017). The auditors also found that the vendors were under no legal obligation to report any data breaches or lapses in security to the commission, and that the contract did not specify the data encryption methods and algorithms used by the vendors for data security purposes. The auditors also found that data retention in the system is very high, which can infringe upon Australia’s Privacy Act 1988 and the GDPR, and can result in legal fines and damage to reputation.
The auditors also found an increased risk of unauthorised access to the RAMS system due to inadequate access controls, along with other access control weaknesses such as ineffective management of user accounts and privileged accounts, which has left a high number of dead accounts in the system that are not used, resulting in redundancy. The auditors also found that the account and password protection processes for RAMS were below industry standards, making the system highly susceptible to unauthorised access to data and to external attacks that aim to guess passwords. The auditors also found that the business continuity plan has not been reviewed by the commission since 2014, resulting in increased risks to RAMS operations and data recovery during unforeseen accidents (Manaseer and Alawneh, 2019). The auditors also found that, despite there being a software escrow agreement in the contract, the vendor still has not deposited any data or code, further hampering the data recovery and backup operations of RAMS.

Audit Findings for the Horizon Power

The IT auditors found that, prior to the issue of bills, Horizon has effective processes to detect and remedy all operational errors, but the number of errors in the Advanced Metering Infrastructure (AMI) information system is quite high, decreasing its performance and efficiency. The auditors also found that Horizon does not conduct criminal history checks for its employees, increasing the risk to data security, as they have privileged access to the AMI systems and data. The auditors also found that Horizon’s access management for third-party contractors is ineffective due to discrepancies in the records maintained by its HR. This increases the risk of external attacks on the AMI system through third-party access (Arboleda and Díaz, 2019). The auditors also found that even after third-party contractors are no longer working with Horizon, their accounts are able to access its systems and networks for the remaining period of the quarter. The auditors also found that inaccuracies in Horizon’s operational data are increased by its reliance on manual forms for the collection of operational data, which is then entered into its systems; human error in this step decreases the data’s accuracy and reliability. The audit found that Horizon employees make use of personal email accounts to transmit sensitive operational data, decreasing Horizon’s data security and increasing the risk of operational data being disclosed to external forces.
The audit found that Horizon’s database and network security controls are not entirely capable of protecting the integrity and confidentiality of operational data from external forces: the firewall that manages Horizon’s network, in addition to being outdated, was also incorrectly configured, increasing the risk of unauthorised access and making the system vulnerable to cyber-attacks (Al-Matari et al., 2018). The audit also found the AMI database security to be quite weak, Horizon’s network accounts to be ineffectively managed and its web servers to be weakly configured, all of which contribute to the system’s vulnerability to external forces and unauthorised access by third parties.
Audit Findings for Pensioner Rebate Scheme (PRS) and Exchange (PRX)

The auditors found that the Office of State Revenue does not conduct adequate checks on the occupancy and ownership of land, which can decrease the performance and efficiency of its PRS and PRX systems, as payments are made to individuals who are ineligible for them. The auditors noticed that State Revenue does not have adequate security controls and user access processes, which can result in unauthorised access to confidential information by external forces (Saputra, 2016). This is exacerbated by the finding that State Revenue does not consistently review the user accounts of its PRS and PRX systems, resulting in an excessive number of administrator accounts in the system, further weakening data security and making the system vulnerable to cyber-attacks. The auditors also found that an excessive number of users are able to access confidential data that is unprotected in the systems, with 60 users able to read, modify or delete the sensitive information of pensioners and their payment files, which are unprotected. This is an immense threat to the confidentiality, security and protection of operational data within the PRS and PRX systems. The auditors also found that the systems’ database uses rudimentary passwords, which are immensely easy for external attackers to exploit, further making the system vulnerable to external attacks. The auditors found numerous security vulnerabilities arising from operational mismanagement that leave the PRS and PRX systems further exposed to external cyber-attacks, as there is no anti-malware software installed on the PRS production server (Kamal et al., 2020). This is also exacerbated by the finding that over 600 pieces of third-party software are installed, with various security updates and patches also missing from the PRS and PRX systems.
Through the audit, it became apparent that State Revenue has not implemented any data backup or recovery plan for either PRS or PRX should an unforeseen accident occur. Though other systems are in place for data backup and recovery, they have never been tested by State Revenue, further hampering its data recovery and backup operations in the event of accidents.
Audit Findings for New Land Registry-Titles (NLR-T)

The auditors found that Landgate does not conduct thorough reviews of the accuracy of the transactional data of land information in its NLR-T system. This increases the risk of unauthorised or erroneous changes to the operational data of NLR-T, decreasing its performance and efficiency. Through the audit, it became apparent that the user access controls implemented in NLR-T were inadequate, which could result in unauthorised access to and misuse of confidential operational data of NLR-T. This is exacerbated by the use of cloud infrastructure for the operations of NLR-T, as it is designed to be used by multiple tenants (Munteanu, 2016). In addition, the auditors found ineffective segregation of duties at Landgate, as two staff members were given excessive privileges through which they could perform end-to-end land title transactions, decreasing the data security and privacy of NLR-T. The auditors also found that more users than needed could bypass the system checks of NLR-T, and that Landgate did not consistently review the user access provided to others. All these factors make the NLR-T system vulnerable to external cyber-attacks and unauthorised access by external forces. Landgate also does not conduct any external network penetration testing, which effectively decreases the security of NLR-T, as even in the event of a data breach or external attack, the system and Landgate might remain ignorant of the attack or penetration in the first place. The auditors also found Landgate to be in breach of the ICT Acceptable Use Policy, as it was storing payment forms that included users’ confidential credit card information in long-term backups for recovery purposes, without effectively encrypting or masking the sensitive information.
Legal, Professional and Ethical Responsibilities of an IT Auditor

An IT auditor has various legal, professional and ethical responsibilities while conducting their auditing operations. Every IT auditor has to adhere to the laws mandated for their auditing operations, such as the IFAC Code of Ethics, which details the ethical responsibilities of any auditor (Abdirahman, 2017). In addition to being legally mandated, these are also the professional and ethical responsibilities of an IT auditor, and they include the following:
Integrity: The auditor must be honest and straightforward in their auditing operations.
Objectivity: The auditor must be objective in their auditing operations, not allowing external biases and prejudices to override their judgements.
Competence and Care: The auditor must maintain their professional skills and knowledge in order to ensure their client receives competent professional service.
Confidentiality: The auditor must respect the confidentiality of their clients during their auditing operations and should not disclose confidential information to external sources.
Professional Behaviour: The auditor must always comply with mandated laws and regulations and avoid practices that discredit the auditor’s profession.

CONCLUSION

Based on the findings of the report, it can be concluded that auditing the information systems that manage and facilitate the operations and processes of business and public organisations is essential to maintaining the performance, efficiency and internal security of those systems. Firstly, this report evaluates the audit focus and scope of the given report. Then the report assesses the audit findings for the Recruitment Advertisement Management Systems (RAMS). The report also analyses the audit findings for Horizon Power in addition to the Pensioner Rebate Scheme (PRS) and Exchange (PRX). Further, the report evaluates the audit findings for New Land Registry-Titles (NLR-T). Finally, the report identifies the legal, professional and ethical responsibilities of an IT auditor.
REFERENCES

Books and Journals

Abdirahman, Y.K.K., 2017. A Framework For Improving Computer-Based Information Systems Auditing. International Journal of Computer (IJC). 26(1). pp.146-151.
Al-Matari, O.M. et al., 2018, October. Cybersecurity Tools for IS Auditing. In 2018 Sixth International Conference on Enterprise Systems (ES) (pp. 217-223). IEEE.
Arboleda, R.P.B. and Díaz, F.J.D., 2019. La auditoría interna de sistemas en la gestión empresarial/Internal Information Systems Auditing in Business Management. Revista Cubana de Contabilidad y Finanzas. COFIN HABANA. (2).
Kamal, S. et al., 2020. Computer-Assisted Audit Tools for IS Auditing. In Internet of Things—Applications and Future (pp. 139-155). Springer, Singapore.
Lenghel, R.D. and Vlad, M.P., 2017. Information Systems Auditing. Quaestus, (11), p.178.
Manaseer, S. and Alawneh, A., 2019. On Cyber Security Auditing Awareness: Case of Information and Communication Technology Sector. International Journal of Computer Science and Information Security (IJCSIS). 17(7).
Munteanu, E., 2016. A Systematic Literature Review of Information Systems Auditing in Developing Countries. Stockholm University, Sweden.
Pak, C., 2019. IS 680-851: Information Systems Auditing.
Rodríguez, M. and Piattini, M., 2018, September. A Teaching Experience on Information Systems Auditing. In Methodologies and Intelligent Systems for Technology Enhanced Learning, 8th International Conference (Vol. 804, p. 114). Springer.
Saputra, W., 2016. Auditing Process on Electronic Commerce Systems. Akuntabilitas. 9(1).