Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

IT Audit and Controls

Verified

Added on 2023/01/11

AI Summary

This report provides insights into the IT audit focus, scope of audit report, high risk issues, IT governance, IT general controls, and cyber security management in NSW City Council.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

IT Audit and Controls

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Table of Contents
Introduction......................................................................................................................................3
Determine audit focus along with scope of audit report.........................................................3
Illustrate high risk issues within NSW City council..............................................................3
Portray audit findings associated with IT governance in NSW City......................................4
Depict audit findings in context of IT general controls..........................................................5
Portray audit findings linked with cyber security management within NSW City................7
Conclusion.......................................................................................................................................8
References........................................................................................................................................9

Introduction
The systematic evaluation of security aspects of firms information system through
measuring of how well they conforms to set of formulated criteria is referred to as IT security
audit (Agyei-Mensah, Agyemang and Ansong, 2020). This presents higher level of description
with respect to ways in which firm can test as well as access their security postures that
comprises of cyber security. To have an understanding related with this aspect NSW City
Council is being taken into regards which are liable for allocating financial reporting process.
This report will provide an insight into scope of audit report, high risk issues and findings
associated with IT governance. Furthermore, it also involves IT general controls along with
aspects associated with cyber security.
Determine audit focus along with scope of audit report
The Councils are responsible for allocation of resources along with time for financial
reporting process and for this they have adequate processes, resources and systems which are
liable for executing new standards for accounting. The scope of this report is to furnish an audit
for strengthening quality, timelines of financial reporting along with recommendations in context
of internal governance and controls (Chopra and Chaudhary, 2020). Here, emphasis is laid on
high risk issues so that firm can have adequate services without having any compromise within
their services. Along with this, IT policies has to be formalised as well as reviewed regularly to
make sure emerging risks have been taken into consideration and adequate policies are reflective
in context of alterations within IT environment. It is necessary to identify risks and manage them
adequately so that third person or intruders do not have access to particular information.
Moreover, focus will be on improvisation of user access management processes for ensuring that
information systems are secured as well as possess significant controls through which
modifications can be made easily within information system as per requirements. In addition to
this, asset registers needs to be updated, reconcile them with asset management system that
comprises have significant controls for ensuring integrity in context of manual spreadsheet.
Illustrate high risk issues within NSW City council
Councils are dependent on IT (information technology) for delivering their services as
well as manage their data and information. While IT is responsible for delivering considerable
benefits, it also possesses present risks which Council have to acknowledge (Chopra and

Chaudhary, 2020). Within prior years, it has been recognised that that they have to improvise IT
governance as well as controls for managing their key financial systems. As per audit, it has been
recognized that there are 575 issues associated with information technology and out of this 448
were identified. Along with this, 68% are related with user access management. Apart from this,
total numbers of control deficiencies which have been reported within management letters have
been enhanced in comparison to previous year and ample numbers of high risks have been
declined. Furthermore, there are some high risk issues associated with lack of key information
technology procedures and policies, minimised risk management activities related with IT and
user access reviews within key financial systems are not carried out. This also involves shared
user accounts and segregation of duties is not adequately enforced within key financial system.
An instance can be taken into consideration like if systems are not managed adequately then
intruder or any other insider can have access to data then it could have adverse impact on ways in
which Council works. This involves not only loss of financial assets but also sensitive
information which may lead to huge impact on their overall functionalities.
In addition to this, privileged user access is not restricted as well as monitored for
identification of any kind of suspicious activity that is carried out. For an example when IT is
being used within NSW Council then it will lead to increase the probability of risks lie individual
can track activities happening on network and may compromise the integrity of data that is being
held by them. Thus it becomes essential to monitor activities or functions which are being carried
out as well as restrict access to all employees at different levels (Hussein, 2020). It will lead the
Council to ensure security levels within working area up to some extent. Furthermore, this has to
be made sure that strong passwords are being used and this can be done by having some
guidelines or a peculiar pattern that has to be entered within the password field. Along with this,
it will also ensure that password like dictionary words are not used which can be easily broken
up by dictionary or brute force attack or just by hit and trial method. The other major issues are
system execution with missing sign offs, unresolved flaws and documentation. As per the audit,
with respect to IT control deficiencies, they have been grouped into three crucial areas, they are
IT governance, general controls (comprises of disaster recovery planning, program change
management and user access management) and cyber security management (Lai, Liu and Chen,
2020). These sections are illustrated below provides an insight into these aspects with respect to
NSW Council.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Portray audit findings associated with IT governance in NSW City
IT governance is liable for furnishing a structure which enables council within effective
management of their IT risks as well as make sure that related activities are aligned for attaining
their objectives. Councils fail to maintain their information technology policies formalised and
even up to date which acts as a critical aspect that brings in risks. This makes it crucial for to
review emerging risks that will render reflection to IT environment. Here, lack of adequate
procedures leads to inappropriate as well as inconsistent practices that leads to enhanced
likelihood for third person access to their key systems (Lee and Levine, 2020). Much
improvisation have been not executed by Councils with respect to this aspect and they need to
review them regularly. They need to identify as well as interact risks related with making use of
IT so they can have significant knowledge about risks and accordingly respond to them within
acceptable timeframe.
IT governance framework can be utilised by Council to through which they can identify
adequate ways to render their services by making use of information technology. The type
framework that is responsible for defining ways as well as methods by which firm can execute,
manage and track IT governance in working environment is referred to as IT governance
framework. With respect to this, Council can make use of COBIT, it has mentioned beneath:
Controlled objective for Information and related technology (COBIT) framework: This
is being developed for managing along with IT governance. This can be used by Council like a
supportive tool that aids within bridging gap in between risks, control needs and technical
concerns. This is accountable to make sure that control, quality and reliability for information
system those are being used by NSW Council is being attained. This framework possesses
capabilities according to which plans can be developed, organised, delivered, supported and
acquired. In addition to this, overall performance can be monitored as well as evaluated for
attaining desired goals with high efficiency in terms of security (Li, No and Boritz, 2020).

Illustration 1: COBIT Framework
The major entities contained within this framework are illustration of process, control
objectives, maturity models along with guidelines for management (Lyu and et. al, 2020). It will
lead NSW Council to maintain adequate security levels through which security of systems can be
secured in context of any high risks.
Depict audit findings in context of IT general controls
IT general controls illustrate activities as well as procedures which are being designed for
ensuring confidentiality along with integrity of data and systems. In addition to this, controls are
liable for underpinning integrity associated with financial reporting. The financial audits that are
being involved within review of IT general controls associated with key financial systems that
are supporting preparation for financial statement that address user access management.
Furthermore, there are privileged user access for monitoring and restriction for having access to
information. In addition to this, it also involves system software acquisition along with change as
well as maintenance. Furthermore, adequate disaster recovery planning has to be formulated to
deal with different statements (Smith, 2020). Council have not reviewed IT systems like support
service delivery which are basically outside scope of financial audit. Furthermore, council need
to take into consideration findings illustrated below with respect to systems:
User Access Management

Information technology is crucial for council in context of ways in which services are
being delivered. While IT improvises service delivery along with growing dependencies on
technology that illustrates that council may have certain risks related with misuse and
unauthorised access. The major areas which have to be taken into consideration in context of
access management comprises of adequate approval for new users as well as modification within
permission for access into IT system and timely removal for new given access. Furthermore,
strong password controls are being used for avoiding user access from being getting
compromised (Stoel and Havelka, 2020). In addition to this, there has to be periodic user access
review for identification of inadequate access and constraints for privileged access for adequate
employees along with monitoring their activities related with access. Council have improvised
their access for management processes. But, further enhancements are needed for tracking
privileged account activities for user along with periodic access reviews of actions carried out by
them.
Program Change Management
There has to be relevant controls over information technology systems so that they can be
improvised. Alterations are carried out in context of IT programs that are associated with
infrastructure components which have to be authorised prior for execution. It will lead to make
sure that modifications made are adequate as well as in line with needs of the business. Here,
controls within weak systems have to be altered as this expose Council to risk associated with
inaccurate or unauthorised alterations to programs, issues associated with integrity & data
accuracy (Yi and Long, 2020). This also involves unintended alterations with respect to ways in
which program report as well as process information and errors within financial reporting.
Council yet have not improvised change management controls over their IT systems in
comparison to previous year.
Disaster Recovery Planning
Council needs improvise their planning as well as testing as it will aid them to
minimise disruption to functionalities within event of crucial systems outrage or any other kind
of disaster (Agyei-Mensah, Agyemang and Ansong, 2020). Without any kind of adequate
analysis as well as planning, council might not be able to adequately anticipate disruption,
identification of highest tolerate outages and recover from them successfully within event of

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

disaster. Along with this, some councils does not have relevant as well as current disaster
recovery planning for dealing with distinct situations.
Portray audit findings linked with cyber security management within NSW City
The body of processes, practices and technologies that are designed for protecting
programs, data, devices and network from damage, unauthorised access or attacks is defined as
cyber security. NSW cyber security policy at State level illustrates that strong security is crucial
components of Digital Government strategies. The term is liable for covering all the essential
measures that are being utilised for protecting system along with information stored and
possessed within them from any kind of compromise in terms of integrity, availability and
confidentiality (Chopra and Chaudhary, 2020). Along with this, poor management in context of
cyber security can expose councils with reference to broad range of risks that comprises of
financial loss, data breaches and reputational damage. For an example, if third person get access
to servers or network of NSW City, it won’t be difficult for them to have entire details present
within the network, they may even have access to sensitive data.
Along with this, all the systems present within network can be accessed which means that
there are high risks for data leakage of ample number of people of NSW City that imply that it
can be used to exploit them or damage reputation of people. The probable influence associated
with this comprises of theft of financial along with information as well as intellectual property
information (Chopra and Chaudhary, 2020). Theft of money can be carried out, this can be done
by making use of wannacry attack in which intruders demanded for hefty amount for giving
access to data. This can have a strong influence both in financial and data loss aspects. There can
be multiple requests to servers of NSW City which may lead to denial of service that might even
lead to server or network crash and even this can cost heavy for them. Along with this,
destruction of information, cost associated with refurbishing impacted system, devices as well as
network, legal actions which occurs due to attacks like denial of service leads to system
downtime and may also have some legal fees.
Furthermore, this also involves third part losses in terms of data which is present within
government systems that are being utilised for criminal purposes. If in any case, this information
is exploited then it will have adverse impact on NSW City as decisions with any aspects have to
be changed if integrity and confidentiality of that specific data has been compromised (Hussein,
2020). To deal with such kind of issues higher level assessment have been formulated for

determination of whether councils comprises basic governance along with internal controls for
managing cyber security. But this management needs improvisation in context that most of the
councils need to execute basic entities related with governance like cyber security framework
and policies. Here, emphasis has to be laid on upcoming performance audit which have been
planned with respect to cyber security (Lai, Liu and Chen, 2020).
Conclusion
Form the above it can be concluded that, it is necessary for each organisation to carry an
audit with respect to functionalities that are being carried out by them. The reason behind this is
that it will lead them to identify probable attacks or security aspects which may lead to create
adverse impact on overall operations. For this Council needs to monitor their activities by
tracking the network, identifying vulnerabilities as well as unauthenticated activities which are
conducted within. Furthermore, they can also formulate restrictions with respect to what kinds of
data can be accessed at distinct levels of employees in order to maintain privacy. Apart from this,
there are distinct IT governance framework that aids within formulating plans, monitoring,
evaluating performance and many other aspects which need to be tracked.

References
Books & References
Agyei-Mensah, B.K., Agyemang, O.S. and Ansong, A., 2020. Audit Committee Effectiveness,
Audit Quality, and Internal Control Information Disclosures: An Empirical Study.
In Corporate Governance Models and Applications in Developing Economies (pp. 1-22).
IGI Global.
Chopra, A. and Chaudhary, M., 2020. External Audit. In Implementing an Information Security
Management System (pp. 247-258). Apress, Berkeley, CA.
Chopra, A. and Chaudhary, M., 2020. Internal Audit. In Implementing an Information Security
Management System (pp. 221-235). Apress, Berkeley, CA.
Hussein, W.N., 2020. Impact of Economic and Knowledge Transfer Advantages of Outsourcing
Internal Audit on the Internal Control Environment/An Investigative study for a group of
employees at Iraqi Industrial Sector. Tikrit Journal of Administration and Economics
Sciences, 16(49 part 1), pp.57-76.
Lai, S.M., Liu, C.L. and Chen, S.S., 2020. Internal Control Quality and Investment
Efficiency. Accounting Horizons.
Lee, K.K. and Levine, C.B., 2020. Audit partner identification and audit quality. Review of
Accounting Studies, pp.1-32.
Li, H., No, W.G. and Boritz, J.E., 2020. Are external auditors concerned about cyber incidents?
Evidence from audit fees. AUDITING: A Journal of Practice, 39(1), pp.151-171.
Lyu, Q. And et. al, 2020. SBAC: A secure blockchain-based access control framework for
information-centric networking. Journal of Network and Computer Applications, 149,
p.102444.
Smith, S.S., 2020. Internal Control Considerations. In Blockchain, Artificial Intelligence and
Financial Services (pp. 143-150). Springer, Cham.
Stoel, M.D. and Havelka, D., 2020. Information Technology Audit Quality: An Investigation of
the Impact of Individual and Organizational Factors. Journal of Information Systems.
Yi, T. and Long, H., 2020, April. Research on the Social Security Fund Risk Control and
Management Measures Based on Cloud Audit and Big Data Era. In Modern Economics
& Management Forum (pp. 26-29).

1 out of 10

+13062052269

info@desklib.com

IT Audit and Controls

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

IT Audit and Controls

IT Audit and Controls

Analysis of IT Audit Report on Local Government 2019

Assessment 2 report

Assessment 2 Report on IT Governance Audit

Audit Focus and Scope of Given Audit Report