IT Audit and Controls (Assessment 3): Detailed Findings and Analysis

Added on  2023/01/12

AI Summary
This report presents the findings of IT audits conducted on several systems, including RAMS, Horizon Power, PRS, and NRL-T. The audit of RAMS revealed issues such as unsupported software, untested disaster recovery, and outdated documentation. Horizon Power's audit uncovered problems with staff background checks and access control for contractors. The PRS and PRX audit identified vulnerabilities related to user access, password security, and separation of responsibilities. The NRL-T audit focused on financial statement accuracy and the auditor's responsibilities. The report also details the professional, legal, and ethical responsibilities of an IT auditor, highlighting the importance of targeted integration, going concern considerations, and the duty to report indictable offenses. The audit findings emphasize the need for improved IT controls and adherence to ethical standards to ensure data security, system integrity, and compliance.
Contents
INTRODUCTION
Main Body
    Audit findings in the RAMS
    Audit findings in the Horizon Power
    Audit findings in the PRS and PRX
    Audit findings in the NRL-T
    Professional, legal, and ethical responsibilities of an IT Auditor
CONCLUSION
REFERENCES
INTRODUCTION
Applications are computer programs that automate an organization's main business functions, including accounting, human capital, support services, permitting and billing. Applications often support professional roles that are specific to particular agencies and are therefore important (Chou, 2015). Auditing is an analysis of an individual, organization, structure, method, corporation, program or product, conducted to determine the truth and dependability of the data and to include an assessment of the financial reporting of a scheme. The aim of an audit is to give an opinion based on the work performed; however, because of practical limitations, an audit gives only reasonable assurance that the assertion is free from material error, and it usually relies on statistical analysis.
Main Body
Audit findings in the RAMS
The Council has not conducted or obtained independent assurance that the information security controls operated by key providers are adequate and working effectively. Consequently, the Commission has no assurance that information held in RAMS is protected to preserve its confidentiality, integrity and availability (About RAMS, 2020).
Unsupported software: The vendors no longer support some of the software components that underlie the application. In addition, no updates have been applied to one component to address known security weaknesses. Unsupported and obsolete infrastructure raises the likelihood of attackers exploiting known vulnerabilities to gain access to, or disrupt, sensitive information systems.
Untested disaster recovery: The company has not carried out a complete disaster recovery test since 2015. The Council therefore cannot be sure that it can recover the application when needed.
Out-dated software design documents: The application's technical documents do not reflect the current development environment. The Council cannot be sure that all necessary controls are in place to safeguard the application.
Unspecified responsibility to disclose data protection breaches: The provider's role and procedure for reporting security breaches to the Commission have not been defined, and there are no fixed fines or penalty fees for a security breach. Defining such conditions would enable the Commission to act in a timely manner and recover costs in the event of a breach, where appropriate.
Audit findings in the Horizon Power
In response to the audit results, Horizon Power has also "enforced changes to the on-boarding and off-boarding procedures of staff and vendors, particularly background check reviews before assignment to positions of trust" (About Horizon Power, 2020). Horizon has effective systems for identifying and correcting data defects in meter readings. Validation tests take place regularly on all specialised network-access devices. Where needed, the Velocity system records major billing deviations for appropriate corrective action, and account managers monitor bills until they are issued to private customers. Horizon corrected billing errors worth $1.43 billion in 2017-18. This included a $1.42 billion error for one commercial customer and $8.5 million for certain other commercial customers. The $1.42 billion error resulted from the customer's automatic meter, which has poor network connectivity and must be read with a mobile unit. The remaining errors are attributed to causes such as applying the wrong tariff to a customer, inaccurate data and device adjustments.
Horizon's procedures and systems do not provide for criminal background checks of employees. Through a review of background records, the auditor found that staff with privileged access to critical electricity resources and networks are not routinely screened. In fact, routine background checks are not performed for key employees. While recruitment procedures involve reference and qualification checks, as well as diagnostic tests, security clearance checks are not included in the process. Despite effective evaluation procedures, staff can therefore be allocated to sensitive roles for which they are unsuitable. The auditor checked screening for 9 key workers and found that 8 had not received appropriate screening after 3 to 14 months in their jobs. This finding is alarming because such workers have privileged access to the energy supply infrastructure and other critical systems. The auditor also noted that Horizon's access control for staff of third-party vendors is not effective because of unreliable HR records. The auditor's analysis of six contractors' authorised accounts showed that 3 belonged to former contractors who had left Horizon 1 to 3 months earlier. Horizon has outsourced much of its ICT operations, and more than 300 contractors have been granted access to the network and key infrastructure to carry out their work. Without an appropriate mechanism to remove contractors' access, there is an elevated risk that such identities may be used to target Horizon's IT infrastructure.
Audit findings in the PRS and PRX
Regarding the storage of private and sensitive information in PRS and PRX, State Revenue has no suitable user access or provisioning controls (About PRS and PRX, 2020). The auditors found the following vulnerabilities, which can undermine information security and privacy in the systems:
Inadequate checks and feedback on application usage: State Revenue does not monitor PRS and PRX accounts periodically. The auditors noticed a disproportionate number of developer and privileged user accounts. Furthermore, multiple PRX user accounts, many of them privileged, have not used the application for 12 months. Administrator rights grant a high level of access and are often targeted by attackers, and dormant accounts could be used for suspicious activity without being noticed. State Revenue launched a review of PRX user accounts in August 2018, although it is restricted to external users from LGs and does not include State Revenue's internal users.
Easy to predict database passwords: The auditors found 10 easy-to-guess passwords on domain accounts and 70 accounts that had not changed their passwords for more than 12 months, as required by State Revenue's Password Policy. Seven of the 70 users had not changed their passwords for a prolonged period. Weak authentication controls raise the risk of unauthorised access to the applications' sensitive information.
Separation of responsibilities: The auditors noticed that 17 participants in the claims process were able to execute end-to-end actions because they had access to both PRS and PRX. Such users can file claims, manage claims and send requests for payment. It is a fundamental principle of control that the individual initiating a transaction should not be the one approving it. Without sufficient segregation of duties, the possibility of unauthorised or fraudulent payments is abnormally high. Of the 60 over-privileged users, 18 could even change LG bank account details and telephone numbers in the PRS application without approval. The PRS application does not alert the relevant LGs when changes are made to sensitive data such as bank account details. State Revenue and LGs would only become aware of unauthorised modifications if LGs reported that payments had not been issued.
System activity is not properly monitored or logged: State Revenue has no policies or appropriate procedures for actively monitoring user activity and recording changes to PRS and PRX records. Without the required oversight, State Revenue cannot identify inappropriate access or unwanted modifications. Although the account details and access times are logged, this information is not reviewed for any changes.
State Revenue has not established an appropriate use policy: 92% of PRX users come from LGs, but State Revenue has not created an acceptable use policy to guide their usage. An 'acceptable use policy' is a set of rules specifying the conditions under which the application may be used. Developing such rules is sound practice, as is ensuring that all users are informed of and understand them. Without proper guidance, there is greater potential for inappropriate system access and use.
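The Horizon Power contractor off-boarding finding and the PRS/PRX findings above (dormant privileged accounts, passwords older than the 12-month policy, and users holding both PRS and PRX access) are exactly the exceptions a periodic access review should surface. The following script is an added example, not code from the audit report or from the agencies concerned; it runs those four checks over a constructed account export with hypothetical user names and a constructed review date.

```python
from datetime import date, timedelta

# Constructed sample access export (hypothetical users, not real PRS/PRX or
# Horizon Power data): systems reachable, privilege flag, last use, last
# password change, and whether HR still lists the account owner as engaged.
ACCOUNTS = [
    {"user": "u01", "systems": {"PRS"}, "privileged": False,
     "last_login": date(2019, 4, 2), "pwd_changed": date(2019, 1, 10), "hr_active": True},
    {"user": "u02", "systems": {"PRX"}, "privileged": True,
     "last_login": date(2018, 2, 1), "pwd_changed": date(2017, 12, 5), "hr_active": True},
    {"user": "u03", "systems": {"PRS", "PRX"}, "privileged": False,
     "last_login": date(2019, 4, 9), "pwd_changed": date(2019, 3, 1), "hr_active": True},
    {"user": "u04", "systems": {"PRX"}, "privileged": True,
     "last_login": date(2019, 4, 8), "pwd_changed": date(2019, 4, 1), "hr_active": False},
    {"user": "u05", "systems": {"PRS"}, "privileged": True,
     "last_login": date(2019, 4, 1), "pwd_changed": date(2018, 3, 30), "hr_active": True},
]

REVIEW_DATE = date(2019, 4, 10)  # constructed "as at" date for the review
MAX_AGE = timedelta(days=365)    # the 12-month threshold used in the findings


def dormant_privileged(accounts, today=REVIEW_DATE, max_age=MAX_AGE):
    """Privileged accounts unused for longer than max_age (attractive for misuse)."""
    return sorted(a["user"] for a in accounts
                  if a["privileged"] and today - a["last_login"] > max_age)


def stale_passwords(accounts, today=REVIEW_DATE, max_age=MAX_AGE):
    """Accounts whose password is older than the password policy allows."""
    return sorted(a["user"] for a in accounts
                  if today - a["pwd_changed"] > max_age)


def sod_conflicts(accounts, initiate="PRS", approve="PRX"):
    """Users who can both initiate and approve: a segregation-of-duties breach."""
    return sorted(a["user"] for a in accounts
                  if {initiate, approve} <= a["systems"])


def leaver_accounts(accounts):
    """Enabled accounts whose owner HR no longer lists as engaged (off-boarding gap)."""
    return sorted(a["user"] for a in accounts if not a["hr_active"])


def access_review(accounts, today=REVIEW_DATE):
    """Run every check; an empty list under a key means no exceptions for it."""
    return {
        "dormant_privileged": dormant_privileged(accounts, today),
        "stale_passwords": stale_passwords(accounts, today),
        "sod_conflicts": sod_conflicts(accounts),
        "leaver_accounts": leaver_accounts(accounts),
    }


if __name__ == "__main__":
    for check, users in access_review(ACCOUNTS).items():
        print(f"{check}: {', '.join(users) or 'none'}")
```

In practice the export would come from the directory or application database and the HR status from the HR system, so that the two sources are reconciled independently of whoever administers the accounts.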
Audit findings in the NRL-T
The auditors' objectives are to obtain reasonable assurance about whether the consolidated financial statements as a whole are free of material misstatement, whether due to fraud or error, and to issue an auditor's report that includes their opinion (About NRL-T, 2020). Reasonable assurance is a high level of assurance, but it is not a guarantee that an audit conducted in accordance with the SAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these consolidated financial statements.
The auditors identify and assess the risks of material misstatement of the consolidated financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for their opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, because fraud may involve deception, collusion, omissions, misrepresentations, or the override of internal control.
They obtain an understanding of the internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances. Under section 143(i) of the Corporations Act, 2013, the auditors are also responsible for expressing an opinion on whether the Group has an adequate internal financial controls system in place and whether those controls are operating effectively.
They conclude on the appropriateness of management's use of the going concern basis of accounting and, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the ability of the Company and its subsidiaries and joint ventures to continue as a going concern. If they conclude that a material uncertainty exists, they are required to draw attention in the auditor's report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify their opinion. Their conclusions are based on the audit evidence obtained up to the date of the auditor's report.
To express an opinion on the consolidated financial statements, they obtain sufficient appropriate audit evidence regarding the financial information of the entities or business activities within the Company and its subsidiaries and joint ventures. They are responsible for the direction, supervision and performance of the audit of those entities' financial statements included in the consolidated financial statements of which they are the independent auditors. For the other entities included in the consolidated financial statements, which have been audited by other auditors, those other auditors remain responsible for the direction, supervision and performance of the audits carried out by them (Reichborn-Kjennerud, 2015).
Professional, legal, and ethical responsibilities of an IT Auditor
Professional and legal responsibilities of an IT Auditor
Targeted integration: An action must promise a reasonable benefit, and at least a modest gain, before it is justified; an example is the goal of raising a company's share price (Groomer and Murthy, 2018). Stakeholders do not really know what triggered a rise in the market, but the accountants' figures have a big effect. A model was therefore adopted in which merger-promotion ethics attributed a beneficial rise in share price to earnings, even where those earnings were produced by changes in reporting policies.
Going concern: Non-compliance with laws and regulations will affect the financial report, because businesses may need to make provision for potential court charges and penalties for breach of the legislation. In the worst case, that may impact the company's ability to survive as a going concern. Furthermore, if the problem calls for intervention, the accountant may have to disclose identified non-compliance with laws and regulations to management or to a government agency. An example of this would be where the company fails to comply with data protection laws. The accountant may therefore perform defined audit procedures to help detect cases of non-compliance with those laws and regulations that could have a significant effect on the financial reports. If non-compliance is detected (or suspected), the auditor must respond accordingly.
Duty to report indictable offences: If auditors find evidence in the course of an audit that causes them to conclude that an indictable offence under the Corporation Rules has been committed by the organisation or anyone connected with it, they must report this to the Office of the Director of Corporate Compliance ("ODCE") and assist the ODCE in investigating the case. The auditor is responsible for planning and performing the audit to obtain reasonable assurance as to whether the financial statements are free from material misstatement, whether due to error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor can obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by error or fraud, that are not material to the financial reports are detected (Mukhina, 2015).
Ethical responsibilities of an IT Auditor
Auditors' conduct must be above reproach at all times and in all circumstances. Any shortcoming in their professional conduct or any wrongdoing in their private lives adversely affects the credibility of the auditors and the organisation they serve, as well as the quality and legitimacy of the audit function, and raises concerns about their effectiveness and competence. The adoption and implementation of a code of ethics for public sector auditors promotes trust and confidence in auditors and their work. A code of ethics is a comprehensive statement of the values and principles that should govern the auditors' daily work. The independence, powers and responsibilities of the audit function place high ethical demands on the staff who work for, or are engaged in, audit work. A code of ethics for public sector auditors should take into consideration the ethical requirements of public servants in general and the particular requirements of auditors, including their professional obligations (Popescu and Popescu, 2018). Auditors must behave in a way that promotes cooperation and good relations among auditors and within the profession. The support of the profession by its members and their cooperation with one another are important elements of professional character. The public trust and respect that an auditor enjoys is largely the result of the cumulative achievements of all auditors, past and present. It is therefore in the interest of auditors, and of the public at large, that auditors deal with fellow auditors in a fair and balanced way.
CONCLUSION
In conclusion, IT auditing takes everything one step further and tests the security, integrity and quality safeguards across the records. Although the quality and durability of the information must be attested by a financial audit, the IT audit must attest to the security of the information, the integrity of the data and, where resilience is a critical consideration, to the capacity and capability to restore systems in the event of an incident. With all of these aspects accepted by the financial audit, the IT auditor will also take an interest in them. But rigorous technical education and investigative IT auditing require a substantial amount of time, effort and resources to prepare an IT auditor to carry out investigative IT monitoring.
REFERENCES
Books and Journals
Chou, D. C., 2015. Cloud computing risk and audit issues. Computer Standards & Interfaces, 42, pp. 137-142.
Groomer, S. M. and Murthy, U. S., 2018. Continuous auditing of database applications: An embedded audit module approach. Continuous Auditing, pp. 105-124.
Mukhina, A. S., 2015. International concept of an assessment of internal control efficiency in the conduct of an audit. Asian Social Science, 11(8), p. 58.
Popescu, C. R. G. and Popescu, G. N., 2018. Risks of cyber attacks on financial audit activity. The Audit Financiar journal, 16(149), pp. 140-140.
Reichborn-Kjennerud, K., 2015. Resistance to control—Norwegian ministries' and agencies' reactions to performance audit. Public Organization Review, 15(1), pp. 17-32.
Online
About RAMS. 2020. [Online] Available through: <https://audit.wa.gov.au/reports-and-publications/reports/information-systems-audit-report-2019/recruitment-advertisement-management-system/>.
About PRS and PRX. 2020. [Online] Available through: <https://audit.wa.gov.au/wp-content/uploads/2019/05/IS-Report-2019.pdf>.
About NRL-T. 2020. [Online] Available through: <https://www.nrl.co.in/upload/NRLAnnualReport2018-19.pdf>.
About Horizon Power. 2020. [Online] Available through: <https://audit.wa.gov.au/reports-and-publications/reports/information-systems-audit-report-2019/advanced-metering-infrastructure>.