Audit Findings for Information Systems

Verified

Added on 2023/01/11

AI Summary

This report assesses the various audit findings from the Information Systems Audit Report, 2019. It covers the Recruitment Advertisement Management Systems (RAMS), Advanced Metering Infrastructure, Pensioner Rebate Scheme and Exchange, and New Land Registration information systems.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Assessment 3 report

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Table of Contents
INTRODUCTION...........................................................................................................................3
MAIN BODY..................................................................................................................................3
Focus and Scope of the Audit Report..........................................................................................3
Audit Findings for Recruitment Advertisement Management Systems (RAMS).......................4
Audit Findings for the Horizon Power........................................................................................5
Audit Findings for Pensioner Rebate Scheme (PRS) and Exchange (PRX)...............................6
Audit Findings for New Land Registry-Titles (NLR-T).............................................................7
Legal, Professional and Ethical Responsibilities of an IT Auditor.............................................8
CONCLUSION................................................................................................................................8
REFERENCES................................................................................................................................9

INTRODUCTION
Business applications are digital software programs, developed by programmers with the
intention to effectively facilitate and manage the operations, processes and functions of any
business organisation such as marketing, finance, legal, human resource etc. As the application
of information technology to the operations and functions of business and public organisation is
immensely beneficial to increasing the business’s productivity, performance, efficiency and
profitability in the consumer markets, there is also a need for the effective auditing of the
information systems implemented in business and public organisations to ensure various data
security and performance issues (Pak, 2019). This report assesses the various audit findings from
the Information Systems Audit Report, 2019.
MAIN BODY
Focus and Scope of the Audit Report
The Information Systems Audit Report 2019 primarily covers the Recruitment
Advertisement Management Systems (RAMS), Advanced Metering Infrastructure, Pensioner
Rebate Scheme and Exchange and New Land Registration information systems in various public
and business organisations. The audit report focuses on various attributes of the information
systems such as the organisational procedures and policies, data security from external forces,
recovery and backup of operational data in the event of accidents, accuracy of the input data,
processing time for information systems to process data and their performance, segregation and
compatibility of assigned duties, accuracy, relevance and completeness of data that is generated
by the information systems, accuracy of the audit trails that contain the transactional logs of the
previous operations of the information systems in addition to other operational attributes such as
how operational data is collected, prepared and processed with the intention to ensuring their
accuracy, completeness, relevance and timeliness.
The scope of the report was limited to a sample of key processes and controls which
helped the auditors gain assurance about the performance, accuracy and efficiency of the
information systems involved (Rodríguez and Piattini, 2018). The audit can effectively showcase

weakness and within the systems, which the systems might be highly susceptible to, but the audit
was not focused on whether if the operational data had been compromised.
Audit Findings for Recruitment Advertisement Management Systems (RAMS)
 The Public Sector Commission has neither sought nor received any assurances from the
third party vendors about accuracy, performance and efficiency of the information
security controls managed by the vendors. The audit found that there was unsupported
software implemented that are no longer even supported by the third party vendors. The
audit also found that third party vendors haven’t performed the data recovery test during
disasters since 2015. In addition, the auditors found that the technical specifications
relayed in the document do not represent the current application environment and are
outdated.
 The commission also failed to assess the risks to their operational data security during
contract extensions with the vendor. The audit found inadequacy in relation to the terms
and condition for data security in the contract between commission and vendors. As per
the contract the commission has no legal right to perform security audits of the RAMS
information system, hindering and limiting the commission’s capability to assess security
controls of the RAMS (Lenghel and Vlad, 2017). The auditors also found that the
vendors were under no legal obligation to report any data breaches and lapses in security
to the commission in addition to no specification about the data encryption methods and
algorithms used by the vendors for data security purposes. The auditors also found that
data retention in the system is very high, which can infringe upon the Australia’s Privacy
Act 1988 and GDPR, which can result in legal fines and damage to reputation.
 The auditors also found that there is increased risk for unauthorised access to the RAMS
system due to inadequate access controls in addition to other weaknesses in the access
controls such as ineffective management of user accounts along with privileged accounts,
resulting in high number of dead accounts that are not used in the system, resulting in
redundancy. The auditors also found that account and password protection processes for
the RAMS were below the industry standards, making the system highly susceptible to
unauthorised access of data and external attacks aiming to guess passwords.
 The auditors also found that the business continuity plan has not been reviewed by the
commission since 2014, resulting in increased risks for the RAMS operations and data

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

recovery during unforeseen accidents (Manaseer and Alawneh, 2019). The auditors also
found that despite there being a software escrow agreement in the contract, the vendor
still hasn’t deposited any data, code, further hampering the data recovery and backup
operations of the RAMS.
Audit Findings for the Horizon Power
 The IT auditors found that prior to the issue of bills, Horizon has effective processes to
remedy and detect all operational errors, but the number of error in the Advanced
Metering Infrastructure information system is quite high, decreasing its performance and
efficiency.
 The auditors also found that Horizon does not conduct criminal history checks for their
employed human resources, increasing the risk to data security, as they have privileged
access to the AMI systems and data. The auditors also found that Horizon’s access
management for third party contractors is ineffective due to discrepancies in the records
maintained by its HR. This increases the risk of external attacks on the AMI system
through third party access (Arboleda and Díaz, 2019). Auditors also found that even after
third party contractors are no longer working with Horizon, their accounts are able to
access their systems and networks for remaining period of the quarter.
 The auditors also found that the inaccuracies in the operational data of Horizon is
increased due to its reliance on manual forms for collection of operational data, which is
then entered into their systems decreasing its accuracy and reliability due to human
errors. The audit found that Horizon employees make use of personal email accounts to
transmit sensitive operational data, decreasing Horizon’s data security and increasing the
risk for operational data to be disclosed to external forces.
 The audit found that Horizon’s database and network security controls are not entirely
capable of protecting the integrity and confidentiality of operational data from external
forces, as the firewall that manages Horizon’s network in addition to being outdated, was
also incorrectly configured increasing risks of unauthorised access and making the
system vulnerable to cyber-attacks (Al-Matari and et.al., 2018). The audit also found the
AMI database security to be quite weak and network accounts of Horizon ineffectively
managed in addition to weak configuration of their web servers all contributing towards
vulnerability of the system to external forces and unauthorised access by third parties.

Audit Findings for Pensioner Rebate Scheme (PRS) and Exchange (PRX)
 The auditors found that the Office of State Revenue does not conduct adequate checks
related to the occupancy and ownership of the land which can result in decrease of the
performance and efficiency of their PRS and PRX systems as payments are made to
individuals who are ineligible for the payment.
 The auditors noticed that the State Revenue does not have adequate security controls and
user access processes which can result in the unauthorised access to confidential
information by external forces (Saputra, 2016). This is exacerbated by the finding that
State Revenue does not consistently review the user accounts of their PRS and PRX
systems, resulting in excess in the number of administrator accounts in the system,
further decreasing data security efforts and making the system vulnerable to cyber-
attacks.
 The auditors also found that excessive number of users are able to access confidential
data which is unprotected in the systems, with there being 60 users able to read, modify
or delete the sensitive information of pensioners and their payment files, which are
unprotected. This is an immense threat to the confidentiality, security and protection of
operational data within the PRS and PRS systems. The auditors also found the database
of the systems to make use of rudimentary passwords, which are immensely easy for
external attackers to exploit, further making the system vulnerable to external attacks.
 The auditors found that there are present numerous security vulnerabilities due to
operational mismanagement, making the PRS and PRX systems further exposed to
external cyber-attacks, as there is no anti malware software installed in the PRS
production server (Kamal and et.al., 2020). This is also exacerbated by the finding that
there are over 600 third party software installed with various security updates and patches
also missing from the PRS and PRX systems.
 Through the audit, it become apparent that if any unforeseen accident occurs, the State
Revenue has not implemented any data backup or recovery plan for both PRS and PRS.
Though other systems are placed in regards to data backup and recovery, they have never
been tested by the State Revenue, further hampering their data recovery and backup
operations in the event of accidents.

Audit Findings for New Land Registry-Titles (NLR-T)
 The auditors found that the Landgate organisation does not conduct thorough reviews of
the transactional data of land information in their NLR-T system with regards to its
accuracy. This increases the risks of unauthorised or erroneous changes to the operational
data of NLR-T, decreasing its performance and efficiency.
 Through the audit, it became apparent that the user access controls implemented into
NLR-T were inadequate which could result in the unauthorised access and misuse of
confidential operational data of NLR-T. This is exacerbated by the use of cloud
infrastructure for the operations of NLR-T, as it is designed to be used by multiple
tenants (Munteanu, 2016). In addition, the auditors found that there was ineffective
segregation of duties by Landgate, as two staff members were given excessive privileges
through which they could perform end to end land title transactions, decreasing the data
security and privacy of the NLR-T. The auditors also found there to be more users than
needed who could bypass system checks of the NLR-T, in addition to the fact that
Landgate did not consistently review the user access provided to others. All these factors
make the NLR-T system vulnerable to external cyber-attacks and unauthorised access by
external forces.
 Landgate also does not conduct any testing of the external network penetration, which
effectively decreases the security of the NLR-T, as even in the event of data breach or
external attack, the system and Landgate might remain ignorant of the attack or
penetration in the first place.
 The auditors also found Landgate to breach the ICT Acceptable Use Policy as they were
storing payment forms which included confidential credit card information of users in
long term backups for recovery purposes, without effectively encrypting or masking the
sensitive information.
Legal, Professional and Ethical Responsibilities of an IT Auditor
An IT auditor has various legal, professional and ethical responsibilities while conducting
their auditing operations. Every IT auditor has to adhere to legally mandated laws for their
auditing operations such as the IFAC Code of ethics, which detail the ethical responsibilities of
any auditor (Abdirahman, 2017). These are also the professional and ethical responsibilities of an
IT auditor in addition to being legally mandated and include the following responsibilities:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Integrity: The auditor must be honest and straightforward in their auditing operations.
Objectivity: The auditor must be objective in their auditing operations, not allowing external
biases and prejudices to override their judgements.
Competence and Care: The auditor must maintain their professional skills and knowledge in
order to ensure their client receives competent professional service.
Confidentiality: The auditor must respect the confidentiality of their clients during their auditing
operations and should not disclose it to external sources.
Professional Behaviour: The auditor must always comply with mandated laws and regulations
and avoid practices that discredits the auditor’s profession.
CONCLUSION
Based on the findings of the report, it can be concluded that the auditing of information
systems implemented with the intention to manage and facilitate the operations and processes of
business and public organisations is immensely essential to maintaining the performance,
efficiency and internal security of the information systems. Firstly, this report evaluates the audit
focus and scope of the given report. Then the report assesses audit findings for the Recruitment
Advertisement Management Systems (RAMS). The report also analyses the audit findings for
Horizon Power in addition to the Pensioner Rebate Scheme (PRS) and Exchange (PRX). Further
the report evaluates the audit findings for New Land Registry-Titles (NLR-T). Finally, the report
identifies the legal, professional and ethical responsibilities of an IT auditor.

REFERENCES
Books and Journals
Abdirahman, Y.K.K., 2017. A Framework For Improving Computer-Based Information Systems
Auditing. International Journal of Computer (IJC). 26(1). pp.146-151.
Al-Matari, O.M. and et.al., 2018, October. Cybersecurity Tools for IS Auditing. In 2018 Sixth
International Conference on Enterprise Systems (ES) (pp. 217-223). IEEE.
Arboleda, R.P.B. and Díaz, F.J.D., 2019. La auditoría interna de sistemas en la gestión
empresarial/Internal Information Systems Auditing in Business Management. Revista
Cubana de Contabilidad y Finanzas. COFIN HABANA. (2).
Kamal, S. and et.al., 2020. Computer-Assisted Audit Tools for IS Auditing. In Internet of Things
—Applications and Future (pp. 139-155). Springer, Singapore.
Lenghel, R.D. and Vlad, M.P., 2017. INFORMATION SYSTEMS AUDITING. Quaestus, (11),
p.178.
Manaseer, S. and Alawneh, A., 2019. ON CYBER SECURITY AUDITING AWARENESS:
CASE OF INFORMATION AND COMMUNICATION TECHNOLOGY SECTOR.
International Journal of Computer Science and Information Security (IJCSIS). 17(7).
Munteanu, E., 2016. A Systematic Literature Review of Information Systems Auditing in
Developing Countries. Stockholm University, Sweden.
Pak, C., 2019. IS 680-851: Information Systems Auditing.
Rodríguez, M. and Piattini, M., 2018, September. A Teaching Experience on Information
Systems Auditing. In Methodologies and Intelligent Systems for Technology Enhanced
Learning, 8th International Conference (Vol. 804, p. 114). Springer.
Saputra, W., 2016. AUDITING PROCESS ON ELECTRONIC COMMERCE SYSTEMS.
Akuntabilitas. 9(1).

1 out of 9

+13062052269

info@desklib.com

Audit Findings for Information Systems

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

IT Audit: Focus, Scope, and Findings

IT Audit Findings in Different Firms

BUSINESS INFORMATION SYSTEMS

IT Audit and Control

Audit Findings in RAMS, Horizon Power, PRS and PRX, NRL-T

Scope and Findings of IT Audit Report