Information Systems Audit and Assurance - Assignment

Verified

Added on Ā 2022/08/27

|10
|2611
|22
AI Summary

Contribute Materials

Your contribution can guide someoneā€™s learning journey. Share your documents today.
Document Page
Running head: INFORMATION SYSTEMS AUDIT AND ASSURANCE
Information Systems Audit and Assurance
Name of the Student
Name of the University
Authorā€™s Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
1INFORMATION SYSTEMS AUDIT AND ASSURANCE
Table of Contents
1) Executive Summary....................................................................................................................2
2) Introduction.................................................................................................................................3
3) Background of the Case..............................................................................................................3
4) Problem Identification.................................................................................................................3
5) Audit Approach and Potential Solution.......................................................................................4
I. IS Risks.....................................................................................................................................4
II. Audit Plan, Objectives and Procedures...................................................................................5
III. Audit Questions and Documents...........................................................................................6
IV. Control Recommendations....................................................................................................7
6) Concussion..................................................................................................................................7
7) References...................................................................................................................................8
Document Page
2INFORMATION SYSTEMS AUDIT AND ASSURANCE
1) Executive Summary
The key purpose of this report is the analysis of different aspects associated with the Information
System (IS) audit of the companies. When considering the instance of data breach in Marriott
International, it could be seen that unauthorized access to the information system of the hotel
group caused the date breach. This indicates towards the need for strengthening the information
systems of the companies. Therefore, the IS audit needs to be planned by taking into
consideration all the relevant aspects such as risk identification, recognition of areas that need to
be considered for audit, developing objectives and audit procedures for those identified areas and
evaluating the findings. This whole audit process will help to take into consideration the required
areas in information system requiring additional consideration. Moreover, certain
recommendations are made in the report which need to be followed by the companies in order to
avoid any types of information system related risks and threats.
Document Page
3INFORMATION SYSTEMS AUDIT AND ASSURANCE
2) Introduction
An IS Audit refers to the examination and evaluation of an organizationā€™s information
technology policies, operations and infrastructures. IS audit helps in determining whether the
existing IT controls are able in protecting corporate assets, ensuring integrity of data and aligning
with the business goals and objectives (Gupta and Shakya 2015). The main aim of this report is
to assess an incident of data breach in recent times and evaluate the necessary aspects in the
lights of IS audit. The famous data breach occurred in Marriott International in 2018 is taken into
consideration for this report.
3) Background of the Case
A massive data breach was reported by the hotel group Marriott International affecting
500 millions guests of the group. Marriott International is a multinational diversified hospitality
company of America managing and franchasining a wide range of portfolio of hotels and related
lodging facilities (forbes.com 2020). The business portfolio of Marriott International includes
more than 6500 properties in 30 leading hotel brands in 127 countries and territories. It also
operates as well as franchise hotels and licenses resorts for vacation all around the world. The IS
of Marriott International has three key responsibilities; they are handing large amount of data,
communication at the speed of the light and following the rules. It helps in sharing the booking
and reservation related data with other properties of the group in accordance with the overall
business strategy. Apart from bookings and reservations, the IS of Marriott International also
stores and communicates data and information of its guestsā€™ payment methods, traveling history,
passport and others (marriott.com 2020).
4) Problem Identification
As mentioned by Marriott International, hacker had access to its many of the hotel
chainsā€™ reservation systems starting from 2014 to 2018. In September 2018, a notification was
received by the group about an attempt of accessing its database. Marriott International became
aware of the fact that they have been hacked when an unusual database query was flagged in a
security tool (washingtonpost.com 2020). A used with administrative privilege made this
database query and it was quickly revealed in the analysis that the person did not make the query

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
4INFORMATION SYSTEMS AUDIT AND ASSURANCE
to whom the account was assigned; someone else managed to take control of the system. It
implies that the leaked information came from an unauthorized party who gained access to
Marriott Internationalā€™s guest authorization database of Starwood. This data breach affected its
guests and the group itself (washingtonpost.com 2020). Among 500 million affected guests, the
name, address, passport numbers, credit card details, check-in and check-out information was
compromised of around 327 million guests. In addition, multiple class action lawsuits have been
filed against the group. Marriott International had incurred $28 million in expenses related to this
data breach. In July 2019, Information Commission Officer (ICO) of UK levied a fine of more
than $120 million on Marriott International for the violation of British Citizenā€™s privacy rights
(washingtonpost.com 2020).
5) Audit Approach and Potential Solution
I. IS Risks
The data breach in Marriott International leads to the development of three types of IS
risks and they are discussed below:
Risk of Unauthorized Access ā€“ This data breach in Marriott International can lead to the danger
of unauthorized access to the confidential data of the guests. The main concern associated with
this risk is to break into secure networks in order to disable them (Mukaromah and Pribadi
2017).
Risk of Data Theft ā€“ The data breach also contributes to the risk of theft of important data and
information of the guests of Marriott International. It can be data theft and identity theft.
Risk of Sabotage ā€“ Marriott Internationalā€™s data breach also develops the risk of an act of
industrial sabotage. Insiders have the knowledge that provides the hackers with the capability of
brining maximum interruption to the operation of the group (Quezada-Sarmiento, Alvarado-
Camacho and Chango-CaƱaveral 2017).
The following table shows the likelihood of these above-discussed risks and level of
risks:
Likelihood of Risk Level of Risk Risks
Document Page
5INFORMATION SYSTEMS AUDIT AND ASSURANCE
High 3 Unauthorized Access
High 3 Data Theft
Low 1 Sabotage
Table 1: Risk Likelihood Scale
While considering the implication of these risks on the organization, it needs to be
mentioned that all these risks have negative impact on the information system of the group. This
reduces the efficiency as well as credibility of the information system of the group while reduces
the effectiveness of the data and information of the group (Tawakkal, Kurniati and Wisudiawan
2016).
II. Audit Plan, Objectives and Procedures
In case of the data breach of Marriott International, there are specific areas that need to be
audited; they are IS organizational structure, IS policies and procedures and IS standards.
IS Organizational Structure ā€“ The audit of Marriott International will include the audit of the
information system related organizational structure. The main objective of this area is to assess
the internal control of Marriott International associated with information system. The main audit
procedures for this area will include testing the information system related internal control of
Marriott International so that the strengths and weaknesses of this internal control can be
identified. This is an important area that needs to be considered (Radityohutomo et al. 2018).
IS Policies and Procedures ā€“ The IS audit of Marriott International also include the area of IS
policies and procedures and the objective of this audit is to assess all the policies and procedures
associated with the information system of Marriott International. As a part of the audit
procedures, the auditor will assess the credibility and reasonableness of the existing information
system policies and procedures of Marriott International (Murad et al. 2018).
IS Standards ā€“ The last area that will be considered in the audit of Marriott International is the
IS standards. The main audit objective of this area is the assessment of the standards associated
with information system within the organization. The audit procedure will include assessing the
aspect that whether Marriott International has complied with all the required standards of
Document Page
6INFORMATION SYSTEMS AUDIT AND ASSURANCE
information system while conducting the needed information system related operations. This is a
crucial area that needs to be considered (Wijaya and Yulyona 2017).
III. Audit Questions and Documents
As per the above discussion, there are three objectives. Following discussion shows the
required questions that need to be asked under each of the objectives.
1st Objective
1. Who is responsible for the internal control of IS?
2. How frequently is the internal control of IS reviewed for assessing any negative aspects?
3. What are the specific roles of the internal auditors of Marriott International in its IS
internal control?
2nd Objective
1. Who has the responsibility of developing the IS policies and procedures for Marriott
International?
2. How frequently is the IS policies and procedures are tested for assessing any maintenance
requirement?
3. Is there any reviewer for reviewing the IS policies and procedures of Marriott
International?
3rd Objective
1. How frequently are the IS standards of Marriott International are assessed for adjusting
any kind of standard updates?
2. Has there any recent change in the IS standards of Marriott International?
3. How does the internal auditors contribute to the adoption of IS standards by Marriott
International?
Apart from asking the above questions, the auditors will gather certain documents from the
company; they are the policy documents, documents associated with standards, guidelines
documents on IS internal control and others (Che and Bao 2019).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
7INFORMATION SYSTEMS AUDIT AND ASSURANCE
IV. Control Recommendations
1. In order to mitigate the first IS risk, it is recommended to the group to have a strong
password policy where it will be hard to discover the passwords. Moreover, the company
can implement two factor authentications for avoiding this risk as this will make sure that
only the authorized person accesses the account. Moreover, there needs to be adequate
monitoring of the whole IS process (Kaban and Legowo 2018).
2. In order to avoid the second risk, it is recommended to Marriott International to conduct
security audit as this is a crucial process for assessing the loopholes in the whole IS
system of the company so that they can be eradicated for reducing the scope of data theft.
At the same time, Marriott International will be needed to update its recovery plan so that
they can be prepared for any future attack (Vijayakumar and Ilangovan 2015).
3. For minimizing the last risk, Marriott International needs to maintain super
administration access where possible so that it can maintain the highest level of control
over the IS systems for preventing infiltration. It is recommended to Marriott
International to create and maintain effective documentation for networks and resources
by the IS department. This will ensure the presence of tightly-controlled records for
passwords and access points (Yu and Guo 2015).
6) Concussion
It can be seen from the above analysis that the main reason for the data breach of Marriott
International was the indentified access to an unknown party in the information system of the
hotel which caused major losses to the hotel and its guests. The main risks developed from this
data breach include the risks of unauthorized access, data theft and sabotage. The presence of all
these risks indicate towards the development of an effective IS audit plan for Marriott
International. The main objectives of the audit plan include assessing the IS organizational
structure, assessing IS policies and procedures and assessing IS standards. The above analysis
also makes certain recommendations for Marriott International and the group could well avoid
the data breach incident by following these recommendation as this would strengthen its IS
environment by identifying the strengths and weaknesses so that proper strategies can be made to
mitigate those weaknesses.
Document Page
8INFORMATION SYSTEMS AUDIT AND ASSURANCE
7) References
Che, G. and Bao, H., 2019, June. Government Information System Audit Should Focus on E-
government. In 2nd International Seminar on Education Research and Social Science (ISERSS
2019). Atlantis Press.
Forbes. 2020. Marriott International. [online] Available at:
https://www.forbes.com/companies/marriott-international/#58ded9fc4fa0 [Accessed 30 Mar.
2020].
Gupta, A. and Shakya, S., 2015, October. Information system audit an overview study in e-
Government of Nepal. In 2015 International Conference on Green Computing and Internet of
Things (ICGCIoT) (pp. 827-831). IEEE.
KABAN, E. and LEGOWO, N., 2018. AUDIT INFORMATION SYSTEM RISK
MANAGEMENT USING ISO 27001 FRAMEWORK AT PRIVATE BANK. Journal of
Theoretical & Applied Information Technology, 96(1).
Marriott International. 2020. [online] Available at:
https://www.marriott.com/marriott/aboutmarriott.mi [Accessed 30 Mar. 2020].
Mukaromah, S. and Pribadi, A., 2017. Information System Audit Based on Customer Perspective
4. Advanced Science Letters, 23(12), pp.12309-12312.
Murad, D.F., Fernando, E., Irsan, M., Kosala, R.R., Ranti, B. and Supangkat, S.H., 2018,
September. Implementation of COBIT 5 Framework for Academic Information System Audit
Perspective: Evaluate, Direct, and Monitor. In 2018 International Conference on Applied
Information Technology and Innovation (ICAITI) (pp. 102-107). IEEE.
Quezada-Sarmiento, P.A., Alvarado-Camacho, P.E. and Chango-CaƱaveral, P.M., 2017, June.
Development of an information system audit in a data center: Implementation of web application
to the management of audited elements. In 2017 12th Iberian Conference on Information
Systems and Technologies (CISTI) (pp. 1-5). IEEE.
Document Page
9INFORMATION SYSTEMS AUDIT AND ASSURANCE
Radityohutomo, Y., Wisudiawan, G.A.A., Alamsyah, A. and Herdiani, A., 2018. Implementation
of Genetic Process Mining to Support Information System Audit. Sustainable Collaboration in
Business, Technology, Information and Innovation (SCBTII), 1(1).
Tawakkal, I., Kurniati, A.P. and Wisudiawan, G.A.A., 2016, October. Implementing heuristic
miner for information system audit based on DSS01 COBIT5 (Case study: CV Narnia
distribution). In 2016 International Conference on Computer, Control, Informatics and its
Applications (IC3INA) (pp. 197-202). IEEE.
Vijayakumar, U. and Ilangovan, D., 2015. A Quantitative Approach to Information Systems
Audit in Small and Medium Enterprises. Informatica Economica, 19(3), p.89.
washingtonpost.com. 2020. Marriott Discloses Massive Data Breach Affecting Up To 500
Million Guests. [online] Available at:
<https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-massive-data-breach-
impacting-million-guests/> [Accessed 30 March 2020].
Wijaya, I.A. and Yulyona, M.T., 2017. Does Complexity Audit Task, Time Deadline Pressure,
Obedience Pressure, and Information System Expertise Improve Audit Quality?. International
Journal of Economics and Financial Issues, 7(3), pp.398-403.
Yu, G. and Guo, Q., 2015, December. Risk-based information security audit applied research in
the power industry. In 2015 Joint International Mechanical, Electronic and Information
Technology Conference (JIMET-15). Atlantis Press.
1 out of 10
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]

Your All-in-One AI-Powered Toolkit for Academic Success.

Available 24*7 on WhatsApp / Email

[object Object]