IT Audit: Focus, Scope, and Findings
Added on 2023/01/09
TABLE OF CONTENTS
INTRODUCTION
AUDIT REPORT
Identifying focus and scope of the audit.
Analysing audit findings of the Recruitment Advertisement Management System of the Western Australian Government.
Analysing audit findings in Horizon Power.
Analysing audit findings pertinent to the Pensioner Rebate Scheme and Exchange.
Analysing audit findings in the New Land Registry Office.
Professional, legal and ethical responsibilities of the IT auditor.
CONCLUSION
REFERENCES
INTRODUCTION
IT audit plays an essential role for companies and other organisations. Organisations conduct
IT audits to gain assurance that the systems and software the business relies on are safe and
secure. IT audits are of three broad types: compliance audits (against applicable laws, policies
and standards), performance audits, and audits of financial statements. The objective of an IT
audit is to identify and assess inefficiencies and inaccuracies in management and in the IT
systems of the business, across the full range of IT processing and communication
infrastructure. Auditors identify errors and loopholes in IT systems so that the organisation can
be protected from threats and fraud. The present report identifies the focus and scope of the
audit, analyses the findings for RAMS, Horizon Power, PRS & PRX and NLR-T, and discusses the
professional, legal and ethical responsibilities of the IT auditor.
AUDIT REPORT
Identifying focus and scope of the audit.
The audit was conducted across several state government entities. Each application examined
is important to the operations of its entity and could affect stakeholders and the public if the
applications and the processes around them are not properly managed. The report covers four
organisations: RAMS, Horizon Power, PRS & PRX and NLR-T.
The focus of the audit was the systematic processing and handling of data within the control
categories stated below.
Policies and procedures are appropriate and support the processing of data.
Security of sensitive information is maintained by ensuring the confidentiality, integrity and
availability of the information.
Data input is complete, accurate and authorised.
Backup and recovery arrangements are in place and appropriate.
Data output, whether in hard copy or online, is complete and accurate.
Data processing is accurate and timely.
Segregation of duties is adequate and no member of staff is given incompatible duties.
Audit trails provide adequate controls over transaction logs.
Interface controls, master file maintenance and data preparation are adequate.
The audit assessed the controls and processes in order to obtain reasonable assurance that the
applications are working properly and that the information they contain is accurate, accessible, reliable and
secure. The audit also reports weaknesses in control design that increase the risk to the
information held in the applications from threats.
Analysing audit findings of the Recruitment Advertisement Management System of the Western
Australian Government.
WA government entities use RAMS to manage recruitment and staff redeployment and to
record severance details. It is hosted externally and managed by a third-party vendor under a
software-as-a-service (SaaS) arrangement.
The Commission does not have an adequate level of assurance over the vendor's controls. It has
neither received nor undertaken independent assurance that the key vendor's information security
controls are sound and operating effectively. As a result, it cannot be assured that the
confidentiality, integrity and availability of the information are protected (Gertsson et al., 2017).
Control deficiencies were also identified, including unsupported software, disaster recovery
arrangements that have never been tested, and outdated technical specification documentation.
The lack of a risk assessment has led to inadequate information-safeguard requirements in the
contract.
The information security risks to RAMS information and to the application were not assessed
when the contract was signed or extended. In the absence of a formal risk assessment it is
difficult to determine whether the controls documented in the contract adequately address the
risks and vulnerabilities. The customer entities do not directly manage the controls that protect
their information, and the contract does not accurately specify terms and conditions for the
security of the information. Weaknesses noted in the audit include no right to conduct security
audits, no assurance over controls, unspecified obligations for reporting data and security
breaches, and no specific encryption or data-retention requirements.
Improper access controls increase the risk of unauthorised access and misuse. The Commission
does not have adequate controls to minimise the risk of unauthorised access: user accounts are
not managed properly and there is no policy governing them, the portal's password configuration
is weak, and generic accounts are poorly managed. Passwords and generic accounts are shared by
email without an accurate record of whom the information was shared with, which may lead to
unauthorised access.
Business continuity arrangements are also inadequate. The RAMS business continuity plans
are outdated, which increases the risk to future operations. Escrow management is also
inadequate, as the source code, data and documentation have not been deposited.
The Commission also does not adequately monitor vendor compliance to ensure that the
entities' needs are being met by RAMS (Zhang, 2018), and it does not manage the service level
agreements adequately.
Neither the vendor nor the Commission has an adequately documented and regularly followed
change and incident management process for dealing with application issues. Inadequate
incident and change management leads to recurring issues whose cause remains uncertain.
Analysing audit findings in Horizon Power.
This audit covers the advanced metering infrastructure (AMI) used by the Regional Power
Corporation, trading as Horizon Power, to record, monitor and bill electricity consumption.
The processes for detecting and remedying consumption errors before bills are issued are
adequate; however, the value of the errors is significant. Consumption reading processes are
sound and readings occur regularly for advanced meters that have network access. Billing
variances are reported by the Velocity system for correction. Errors totalling $1.43 billion were
identified, of which around $1.42 billion arose mainly from manual readings of meters that do not
have network access (Sharma, Tanyi and Litt, 2017).
Security over human resources and contractor access management is inadequate. Horizon's
policies and procedures do not require criminal history checks, so staff without such checks hold
privileged access to power infrastructure. Horizon's access management is also ineffective
because HR records are inaccurate. Horizon performs a quarterly review of network access to
identify and disable accounts that have not been used for 60 days.
Horizon's system information is at risk of unintentional disclosure and error. Horizon relies
on manual forms to record important meter installation information before it is entered into the
applications; this manual workflow increases the risk of inaccurate information being entered.
The integrity of the information will be impacted if data errors go unnoticed and validation
processes are not followed consistently. Because the information is transferred by email, the risk
of unintentional disclosure is also increased.
Horizon's network and databases are not fully protecting the integrity, confidentiality and
availability of information. The network firewall configuration is inappropriate, which increases
the risk of unauthorised access and cyber-attacks, and software was out of date. Security
of the database is also weak, which leaves the AMI database vulnerable to inappropriate and
unauthorised access, compromising the integrity and confidentiality of the information it holds.
Network access accounts are inadequately managed: the password of a highly privileged
administrator account was not changed for an extended period. An external vulnerability
assessment of the web account portal identified a number of security weaknesses, which increase
the risk of unintentional disclosure and unauthorised access.
Horizon has a vulnerability management program, but weaknesses in the process leave the
systems and information exposed. Management of third-party applications is informal and ad hoc.
Analysing audit findings pertinent to the Pensioner Rebate Scheme and Exchange.
The Office of State Revenue processes claims from local government (LG) entities for
reimbursement of concessions paid to eligible seniors and pensioners through PRS and PRX.
Ownership and occupancy checks are not performed by State Revenue, which increases the
risk of payments being made to ineligible individuals. The checks are required by the Act; State
Revenue took over the responsibility from local government in 2003 but stopped the checks in
2005. The checks reduce the risk of incorrect concessions being paid to seniors and pensioners.
They were stopped because inaccuracies in the land ownership and occupancy information in the
LG files caused claims to be falsely rejected (Groomer and Murthy, 2018).
Inadequate controls could lead to unauthorised use of information. State Revenue does not
have adequate security or user access controls even though it stores confidential and personal
information in PRS & PRX. User accounts are not reviewed in a timely manner, and there is a high
number of user accounts and of accounts with administrator privileges (Eshleman and Lawson,
2017). Unused accounts are prone to malicious use by attackers.
A large number of users have access to unprotected sensitive data, which increases the risk of
unauthorised access to and changes of the information, as well as of fraudulent payments.
Database passwords could be guessed easily. The audit identified that around 10 passwords
could be easily guessed and that around 70 accounts had not had their passwords changed for
more than 12 months. Weak passwords increase exposure to external threats.
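The two account-management findings above, Horizon Power's quarterly review that disables accounts unused for 60 days and the PRS & PRX accounts whose passwords had not been changed in more than 12 months, are the kind of check an auditor can reproduce from an account export. The Python below is an added example, not code from the original report or from either entity: the CSV layout, field names, sample accounts and review date are assumptions. It also flags generic (shared) accounts that hold administrator rights, the accountability gap noted for RAMS.

```python
"""Account-hygiene review over a constructed user export (added example).

Thresholds come from the findings above: 60 days unused (Horizon Power's
review period) and 12 months without a password change (PRS & PRX). The
export format, the accounts and the 'as of' date are assumptions.
"""
import csv
import io
from datetime import date, datetime

# Constructed export: not real data from any audited system.
USER_EXPORT = """\
username,account_type,is_admin,last_login,password_changed
jsmith,named,false,2019-03-01,2018-02-10
svc_billing,generic,true,2019-02-20,2017-06-30
contractor7,named,false,2018-11-15,2018-11-15
admin,generic,true,,2016-01-05
mlee,named,true,2019-03-05,2019-01-20
"""

INACTIVE_DAYS = 60            # Horizon Power's review threshold
PASSWORD_MAX_AGE_DAYS = 365   # the 12-month period cited for PRS & PRX
AS_OF = date(2019, 3, 10)     # assumed review date


def parse_date(value):
    """Return a date, or None for an empty field (account never used)."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def review_accounts(export_text, as_of):
    """Return [(username, [issue, ...]), ...] for accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        last_login = parse_date(row["last_login"])
        changed = parse_date(row["password_changed"])
        if last_login is None:
            issues.append("never used")
        elif (as_of - last_login).days > INACTIVE_DAYS:
            issues.append("inactive > %d days" % INACTIVE_DAYS)
        if changed is None or (as_of - changed).days > PASSWORD_MAX_AGE_DAYS:
            issues.append("password older than %d days" % PASSWORD_MAX_AGE_DAYS)
        # A shared (generic) account with admin rights cannot be tied to one
        # person, so its actions are not attributable in the audit trail.
        if row["account_type"] == "generic" and row["is_admin"] == "true":
            issues.append("generic account with administrator privileges")
        if issues:
            findings.append((row["username"], issues))
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(USER_EXPORT, AS_OF):
        print(user, "->", "; ".join(issues))
```

Run against a real export, the list is the disable/reset worklist; accounts that show "never used" together with administrator rights are the first to remove, since nobody will notice them disappearing.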
Segregation of duties between staff is inadequate. Around 17 users were able to process claims
end to end because they had access to both PRS & PRX.
The person who initiates a process should not also have the authority to approve it; this
combination increases the risk of fraudulent and unauthorised payments.
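The segregation-of-duties finding above (users holding both the initiate and the authorise side of a claim across PRS & PRX) can be checked mechanically from an entitlement export rather than by eye. The Python below is an added example, not code from the original report or from the Office of State Revenue; the role names, the conflict pairs and the users are assumptions chosen to illustrate the initiate-versus-authorise rule.

```python
"""Segregation-of-duties check over a constructed entitlement export
(added example). PRS and PRX are the systems named in the findings; the
roles, the conflict matrix and the users below are assumptions."""
from collections import defaultdict
from itertools import combinations

# Constructed export of (system, role, user) grants: not real data.
ENTITLEMENTS = [
    ("PRS", "claim_entry", "alice"),
    ("PRS", "claim_approve", "alice"),    # enters and approves: conflict
    ("PRS", "claim_entry", "bob"),
    ("PRX", "payment_release", "bob"),    # end to end across both systems
    ("PRS", "claim_approve", "carol"),
    ("PRX", "payment_release", "carol"),  # not forbidden by the matrix below
    ("PRS", "claim_entry", "dave"),
    ("PRS", "claim_view", "dave"),        # read-only: no conflict
]

# Role pairs one person must not hold together. The rule applied in the
# audit is that whoever initiates a claim must not be able to authorise or
# pay it; extend the set if the entity's policy forbids other pairs.
CONFLICTS = {
    frozenset({("PRS", "claim_entry"), ("PRS", "claim_approve")}),
    frozenset({("PRS", "claim_entry"), ("PRX", "payment_release")}),
}


def roles_by_user(entitlements):
    """Group the (system, role) pairs each user holds."""
    held = defaultdict(set)
    for system, role, user in entitlements:
        held[user].add((system, role))
    return held


def sod_violations(entitlements, conflicts=CONFLICTS):
    """Return {user: [(role_a, role_b), ...]} for every user who holds both
    halves of at least one conflicting pair."""
    violations = {}
    for user, roles in roles_by_user(entitlements).items():
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in conflicts]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, pairs in sorted(sod_violations(ENTITLEMENTS).items()):
        for (sys_a, role_a), (sys_b, role_b) in pairs:
            print("%s holds %s:%s and %s:%s" % (user, sys_a, role_a, sys_b, role_b))
```

The output is the list the audit would have produced for the 17 users; carol is not reported because approve-plus-release is not in the assumed matrix, which is exactly the kind of decision the entity's policy, not the script, has to make.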
Management of system vulnerabilities is inadequate, which exposes PRS & PRX to cyber-attacks.
State Revenue also does not have a procedure for recovering PRS & PRX after a major disruption
or incident.
Analysing audit findings in the New Land Registry Office.
New Land Registry – Titles (NLR-T) is an application used by the Western Australian Land
Information Authority (Landgate) to manage land location and title information records for WA.
Landgate does not review transactions in NLR-T. A review of 8 transactions identified that
title changes on two parcels of land were made without proper delegation. This leads to
inappropriate and erroneous changes to NLR-T information and is a breach of the Act.
Documentation of the transactions was otherwise proper (Bartnik et al., 2018).
Inadequate user access controls lead to unauthorised access to or misuse of information.
NLR-T runs on cloud infrastructure that may be shared with several other tenants. Segregation
of duties is inadequate, which creates a risk that errors go undetected. Users have excessive
access rights, and user access reviews are irregular.
No external network penetration testing has been performed, so vulnerabilities may remain
undetected. Landgate has not tested the effectiveness and adequacy of its controls for detecting
and preventing external network attacks on NLR-T. It has also breached the ICT Acceptable Use
Policy, which prohibits storing credit card details by insecure methods such as email. Landgate
has not reviewed its contracted IT services since November 2016.
Professional, legal and ethical responsibilities of the IT auditor.
Every auditor must ensure that their roles and responsibilities are discharged professionally,
legally and ethically, and must maintain proper professionalism while conducting the audit of any
company or entity (Curtain and Grafenauer, 2019).
As professionals, auditors should gain a proper understanding of the entity and its operations
and adequately evaluate the internal control procedures the entity has established and follows.
They are required to ensure that financial transactions and other requirements are properly
carried out. They have the responsibility of identifying whether the security controls and procedures
are properly established and working effectively in the organisation. Professional service
includes performing duties with due care and diligence.
Auditors should identify the practices being followed and whether they comply with the
relevant laws and with the policies of the entity. Ethics are the moral principles auditors must
follow while performing their duties: they require auditors to observe four principles, including
integrity, objectivity and confidentiality, while conducting the audit of any entity. Auditors must
report the findings of the audit truthfully, without concealing material facts.
CONCLUSION
It can be concluded from the above research that conducting IT audits is essential for entities
that rely heavily on information systems in their business operations. IT audit helps identify
inefficiencies and inaccuracies in the entity's systems so that they can be corrected. Conducting
an audit also enables management to know whether the entity's controls and security measures
are working effectively.
REFERENCES
Books and Journals
Bartnik, S.E. et al., 2018. Optometry-facilitated teleophthalmology: an audit of the first year
in Western Australia. Clinical and Experimental Optometry, 101(5), pp.700-703.
Curtain, F. and Grafenauer, S., 2019. Comprehensive nutrition review of grain-based muesli bars
in Australia: An audit of supermarket products. Foods, 8(9), p.370.
Eshleman, J.D. and Lawson, B.P., 2017. Audit market structure and audit pricing. Accounting
Horizons, 31(1), pp.57-81.
Gertsson, N. et al., 2017. Exploring audit assistants' decision to leave the audit profession.
Managerial Auditing Journal.
Groomer, S.M. and Murthy, U.S., 2018. Continuous Auditing of Database Applications: An
Embedded Audit Module Approach. In: Continuous Auditing. Emerald Publishing Limited.
Sharma, D.S., Tanyi, P.N. and Litt, B.A., 2017. Costs of mandatory periodic audit partner
rotation: Evidence from audit fees and audit timeliness. Auditing: A Journal of Practice &
Theory, 36(1), pp.129-149.
Zhang, J.H., 2018. Accounting comparability, audit effort, and audit outcomes. Contemporary
Accounting Research, 35(1), pp.245-276.