This IS audit report case study discusses the information security risks faced by businesses, the need for audit, audit procedures and control recommendations, focusing on the recent data breach at the company Timehop.
INFORMATION SYSTEMS AUDIT AND ASSURANCE

Executive Summary

With the consistent advancements in information technology practices and communication innovations, modern businesses consistently face information security issues and the breach of sensitive data by hackers. Such acts not only lead to monetary losses for the entities, and to monetary and security losses for the companies' customers, but also undermine the goodwill of the organisation at national and global levels. This report is addressed to the senior management of the organisation Timehop to shed further light on the various aspects of information security risks, the need for audit and the audit procedures followed; control recommendations are additionally suggested. The report is aimed at equipping management with the necessary knowledge of the technical and procedural aspects of information systems audit and assurance, so as to avoid security breaches in the future arising from information security risks such as the absence of multifactor authentication. Additionally, other information security risks such as ransomware, phishing and uncontrolled access are highlighted, which are regular in the business environment of the entity. Some of the audit procedures that would be adopted as part of an information security audit exercise for the entity are also highlighted.
Introduction

With the advancement in information systems and communication technologies, business processes and functions depend heavily on computers and related innovations. The use of enhanced technologies and computer systems is not only replacing traditional accounting and manual information systems, but in addition poses a number of risks in the business environment of entities, in the form of threats such as computer viruses, data breaches and information loss. Thus, in order to safeguard the digital infrastructure, maintain the integrity of data, and utilise resources efficiently for the achievement of the organisation's goals and objectives, it is vital to obtain reasonable assurance that the systems and processes are free from material risks. The following report is aimed at shedding light on the various aspects of information systems audit and assurance for management. This is done by taking the recent case of the data breach suffered by the company Timehop, which is regarded as one of the worst data breaches in the history of Australia, affecting nearly 200000 users in Australia.

Background of the case

The company Timehop is a popular US-based social media company. In times of excessive reliance on social media, the company enables users to see their old tweets and Instagram posts in the form of "memories". The data breach is one of the latest data breaches and occurred in July 2018; it affected around 21 million users worldwide and included 20000 users in Australia as well (Redrup, 2018). The company's repository included personal data in the form of names, dates of birth, email addresses and other incidental sensitive information of millions of users worldwide.
The preliminary investigations suggest that the hackers had initially attacked the cloud environment of the company Timehop in December 2017 (Lomas, 2018). The said attack was facilitated using compromised admin credentials and was aimed at conducting preliminary research before launching the actual attack in July of the following year. Preliminary attacks were also conducted in March and June. In terms of the breach, it can further be stated that the attackers targeted an account in the cloud environment which was not protected through multifactor authentication, and this account eventually became the vulnerable entry point for the attackers.
Information Security Risks

It is vital to note that a company's digital framework can be its strongest as well as its weakest link in the modern business environment. This is because it takes only one vulnerable link in the above ecosystem, on the part of a partner, supplier or contractor of an entity, to be abused by hackers to gain access to sensitive information. The main issue, as stated above, that laid the grounds for the said breach was the absence of multifactor authentication, which is essential to control access to critical assets. In such a scenario, the attackers first steal the credentials, or obtain them with the aid of social engineering, and then use them to access the target network. It is significant to note that a number of popular companies such as Tesla, Gemalto, Aviva and Uber have also been victims of the leakage or theft of access credentials (Vijayan, 2018). Apart from the above, some of the information security risks that govern the business of the company Timehop are explained as follows.

Ransomware and virus attacks are among the most common attacks faced by the businesses of today. Ransomware describes a collection of malicious software that blocks access to a computer system and forces the payment of a sum of money before access is restored (Church, 2018). As Timehop is in the business of social media services, hackers can incorporate information such as the personal details of an individual in an email and send it to the business. Ransomware can also be distributed in the form of private messages and through posts, thus compromising the security of the business.

Another major information security threat is phishing and brand impersonation. Phishing refers to the act of setting up a website that closely resembles the original website, so that the users of a business like Timehop can be targeted and tricked with the aid of the fake website. Thus, phishing relies on convincing individuals that the website belongs to a trusted business or service like Timehop. The attackers then ask the users to enter sensitive information such as login credentials, bank account details and credit card information, to be misused further. This can lead to users purchasing counterfeit products or indirectly receiving ransomware. For instance, the company Telstra was recently hit by an email scam, and business email compromises are estimated to account for a cost of about AUD 4.2 billion worldwide, with attacks reportedly on the rise (Dias, 2016). Such acts can create confusion for the users of Timehop as they try to interact with the brand through a malicious website, thereby undermining the goodwill of the company. Some other information security risks that exist in the business environment of Timehop are uncontrolled user access, because of the sharing of access amongst various categories of individuals within the entity, followed by the theft of passwords.

Audit Plan, Objectives and Procedures

Scope of Audit: An information security audit refers to the evaluation and assessment of an organisation's information technology infrastructure, policies and procedures. It is the process of collecting evidence in order to test it and provide reasonable assurance that reasonable safeguards are adopted for the computer system, maintenance of
the data integrity, and thereby the efficient utilisation of resources for the achievement of the organisational goals. The following audit is aimed at reviewing the controls of the computer systems and the multifactor authentication arrangements, to gain assurance about their adequacy and effectiveness. In addition, the firewalls, the entity's passwords, security settings and user rights would also be examined.

Audit Objectives: The following four chief audit objectives are identified in relation to the above mentioned audit scope. The first is to assure compliance with the relevant laws and regulations and with the contractual arrangements to which the business process is subject, so as to ensure compliance with the externally imposed business criteria. The second objective is to assure the integrity, reliability, confidentiality and availability of information and information technology resources. The last objective is to gain assurance on the quality of system development and the security of assets and resources.

Audit Procedures: In order to assure compliance with the relevant laws, regulations and external contractual arrangements, the following procedure would be followed. Firstly, a discussion would be organised with executive management regarding the types of systems available, and the contracts would be cross-checked regarding the prices recorded, expiration dates, payment of subscriptions and other incidental information. Examinations would be conducted of the entity's information security policies, purchasing policies, industry standards or guidelines, and the segregation of duties policies for the procurement and use of the said systems. For the assurance of information and information technology resources, the following procedure is listed that would be followed by the auditors.
Audit Questions and Documents

Some of the documents that would aid in the evaluation of the external business criteria are the prior audit reports, purchase contracts, software vendor manuals, system development documents, subscription receipts, organisational charts and policy documents for the use of the systems. In addition, questions would be raised with senior management in relation to the evaluation of the information security budget, to ensure that an adequate number of systems is purchased by the entity as per the nature and size of its operations. Further, questions would be raised with respect to management controls, as to whether the required certifications and accreditations have been obtained. With regard to legal compliance, it is necessary to note that companies with turnovers of $3 million or more are required to report breaches of customer data to the Office of the Australian Information Commissioner (OAIC) and to any affected customers (Powell, 2019).

Further, some of the documents that would aid the assurance of confidentiality, integrity and reliability of the information security processes and systems are the internal procedures for use of the data repositories, process flowcharts, training manuals and the disaster recovery plans. These are in addition to the exception lists in group policies, screen prints of administrative console configuration parameters, website whitelist and blacklist exceptions, and other control documents. Interviews would be conducted with the support personnel of the organisation. Questions would be raised with regard to the rules of behaviour, as to whether employees have signed, read and understood the rules of behaviour before accessing the information systems. Questions would also be raised as to whether managers have abided by the software usage restrictions and have enforced the tracking of security flaws.
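The audit scope above centres on the control that failed in the Timehop case: a console-accessible cloud account without multifactor authentication, together with the password and user-rights settings of the entity. The following Python script is an added worked example of how an auditor could test that control against exported evidence; it is not part of the original report and not Timehop's own tooling. The credential-report columns, the password-policy keys, the privileged group name, the 90-day rotation limit and the audit date are all assumptions (constructed sample data modelled on a generic cloud IAM export), and the script flags every console account lacking MFA, ranking privileged accounts highest, plus passwords older than the rotation limit and policy settings below a baseline.

```python
"""Added audit check (not part of the original report): flag cloud accounts that
can sign in to the console without multifactor authentication, and compare the
entity's exported password policy against a minimum baseline."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export. The column names imitate a generic cloud IAM
# credential report; they are assumptions, not data from Timehop's environment.
SAMPLE_REPORT = """\
user,groups,console_access,mfa_enabled,password_last_changed
alice,Admins,true,true,2019-02-01
bob,Admins,true,false,2018-10-15
carol,Developers,true,false,2019-03-20
dave,Developers,false,false,
erin,Admins;Billing,true,true,2018-06-30
"""

# Constructed password policy as it might be exported from a cloud console.
SAMPLE_POLICY = {"minimum_length": 8, "require_symbols": False,
                 "max_age_days": 365, "reuse_prevention": 0}

# Assumptions about the entity's own rules (take these from its policy document).
PRIVILEGED_GROUPS = {"Admins"}
MAX_PASSWORD_AGE_DAYS = 90
POLICY_BASELINE = {"minimum_length": 14, "require_symbols": True,
                   "max_age_days": 90, "reuse_prevention": 5}
AS_OF = date(2019, 4, 10)  # constructed audit date
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str
    issue: str


def audit_credential_report(report_text, as_of=AS_OF,
                            privileged_groups=PRIVILEGED_GROUPS,
                            max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return a finding for every console-enabled account lacking MFA (high if
    the account is in a privileged group, otherwise medium) and for every
    password older than the rotation limit (low). Accounts without console
    access are skipped, since MFA applies to interactive sign-in."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        groups = {g for g in row["groups"].split(";") if g}
        console = row["console_access"].lower() == "true"
        mfa = row["mfa_enabled"].lower() == "true"
        if not console:
            continue
        if not mfa:
            severity = "high" if groups & privileged_groups else "medium"
            findings.append(Finding(user, severity, "console sign-in without MFA"))
        changed = row["password_last_changed"]
        if changed and (as_of - date.fromisoformat(changed)).days > max_age_days:
            findings.append(Finding(user, "low",
                                    f"password not rotated in {max_age_days} days"))
    # Privileged MFA gaps sort first, so the Timehop-style exposure tops the list.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.user))
    return findings


def check_password_policy(policy, baseline=POLICY_BASELINE):
    """Return the names of baseline settings the exported policy fails to meet."""
    deviations = []
    if policy["minimum_length"] < baseline["minimum_length"]:
        deviations.append("minimum_length")
    if baseline["require_symbols"] and not policy["require_symbols"]:
        deviations.append("require_symbols")
    if policy["max_age_days"] > baseline["max_age_days"]:
        deviations.append("max_age_days")
    if policy["reuse_prevention"] < baseline["reuse_prevention"]:
        deviations.append("reuse_prevention")
    return deviations


def summarise(findings):
    """Count findings per severity for the audit working paper."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def run_sample_audit():
    """Run the account check over the constructed sample report."""
    return audit_credential_report(SAMPLE_REPORT)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.severity:<6} {f.user:<6} {f.issue}")
    print("policy deviations:", check_password_policy(SAMPLE_POLICY))
```

On the sample data the script ranks the administrator without MFA (bob) as the only high finding, which is exactly the class of account the audit scope is intended to surface; in practice the report text would come from the cloud provider's credential export and the baseline from the entity's approved policy document.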
Control Recommendations

In the context of Australia, data breaches are governed by the Australian Privacy Act 1988 (Cth) (Office of Australian Information Commissioner, 2018). According to the guide on privacy data breaches, entities are advised to devise a data breach response plan in order to facilitate a swift response and ensure that any legal obligations are complied with. The 13 principles of the Act, known as the Australian Privacy Principles (APPs), must be followed. Some of the actions that can be taken by the entity are the restriction of the collection of personal information and, additionally, establishing requirements for destroying or de-identifying information about clients and the entity that is no longer of use to the organisation.

A further recommendation is to establish strong passwords that go beyond common terminology. This must be in addition to the adoption of strong firewalls to control the internet traffic coming into and flowing out of the business. A policy document must be developed to define the authority for, and extent of, the usage of systems and the protocols for using them.

Conclusion

As per the discussion in the previous parts, it can be stated that with increased globalisation and advancement in information and communication technologies, businesses are increasingly relying on information systems and processes. Recently, the company Timehop faced one of the world's biggest data breaches, which compromised the sensitive information of millions of users across the globe, of which around 200000 were affected in Australia itself. In order to avoid such mishaps in the future, it is essential to ensure that the systems and processes are properly secured. The report has shed light on some of the major information security risks that govern the business environments of modern times. In the case of the company Timehop, the absence of multifactor authentication was found to be the major reason for the said security breach. Thus, an audit plan has been devised to ensure compliance with the applicable laws and regulations and to ensure the security and effective functioning of the systems and processes. Further, some control measures are suggested to the entity to avoid the loss of important information of the entity and its consumers in future.
References

Lomas, N. (2018) Timehop discloses July 4 data breach affecting 21 million [online]. Available from: https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breach-affecting-21-million/ [Accessed on: 10/04/2019].

Redrup, Y. (2018) Timehop app data breach catches hundreds of thousands of Aussies [online]. Available from: https://www.afr.com/technology/web/security/timehop-app-data-breach-catches-hundreds-of-thousands-of-aussies-20180712-h12kqk [Accessed on: 10/04/2019].

Vijayan, J. (2018) Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication [online]. Available from: https://www.darkreading.com/attacks-breaches/data-breaches-at-timehop-macys-highlight-need-for-multi-factor-authentication/d/d-id/1332250 [Accessed on: 10/04/2019].

Church, J. (2018) 7 Social Media Security Issues Your Business Faces [online]. Available from: https://www.business2community.com/cybersecurity/7-social-media-security-issues-business-faces-02024378 [Accessed on: 10/04/2019].

Dias, D. (2016) Telstra customers hit by email scam: How to protect your business [online]. Available from: https://www.smartcompany.com.au/business-advice/how-to-protect-your-business-from-new-business-email-phishing-scams/ [Accessed on: 10/04/2019].

Powell, D. (2019) Over 800 businesses hit by data breaches in 2018, including lost USB drives and fax machine fumbles [online]. Available from: https://www.smartcompany.com.au/technology/business-data-breaches-2018/ [Accessed on: 10/04/2019].

Office of Australian Information Commissioner (2018) Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) [online]. Available from: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response [Accessed on: 10/04/2019].