IT Audit and Controls: Assessment of General Computer Controls

Added on  2022/12/01

AI Summary
This report provides an in-depth analysis of IT audit and controls, focusing on general computer controls (GCC) within various governmental entities. The audit assesses six key control categories: physical security, business continuity, information security, IT risk management, change control, and IT operations. The findings reveal both strengths and weaknesses, highlighting areas where improvements are needed, such as enhanced information security awareness, updated business continuity plans, and better IT risk management practices. The report provides recommendations for executive managers to ensure effective system security, conduct regular reviews, and implement robust IT risk management policies and procedures. The report draws on industry best practices and compares findings from 2017 and 2018, highlighting specific issues and suggesting actionable steps for improvement across the assessed control categories. The audit also identifies weaknesses in areas like information security awareness, business continuity, and risk management procedures.
Running Head: IT WRITE UP
IT write up
IT AUDIT AND CONTROLS
(Student Details: )
9/5/2019
IT AUDIT AND CONTROLS
This discussion focuses on general computer controls and capability assessments in the
context of IT audit and controls. The main aim of general computer controls (GCC) audits
is typically to define computer controls effectively. In this context, GCC audits are used to
determine whether such controls support the integrity, availability, and confidentiality of
modern information systems (IS) (Gollmann, 2010). GCC includes controls over the
information technology (IT) environment, access to data and programs, computer operations,
and data and program development changes. The discussion analyses six control
categories:
physical security
business continuity
information security
management of IT risks
change control
IT operations (Gollmann, 2010).
The assessment model used accepted industry good practices as the foundation for the whole
assessment. The model used for the IT audit also offered a benchmark for great performance
compared with the rest of the relevant models.
The GCC audits reported 547 GCC issues to the 47 state government entities in 2018,
compared with 539 issues at 47 different entities in 2017. The IT audit and controls showed
a small increase in the total number of entities that met IT officers' expectations across all
six GCC categories (Gupta & Shakya, 2015).
In terms of scope and focus, the audit used a rating scale and criteria to ensure that all
good practices are followed as well as automated throughout the IT audit and assessment.
In addition, the audit findings show a significant decline in 4 of the 6 categories. Business
continuity showed improvement; however, the findings showed that only half of the entities
were sufficiently controlled in that field (Gartner, 2018).
In the context of information security (IS), the following weaknesses were found:
Critical lack of IS awareness programs for staff
IS policies lacking or out of date
Lack of procedures to find and rectify IS vulnerabilities in IT infrastructure
Intrusion detection (Kizza, 2009).
Apart from this, some serious weaknesses in the context of business continuity have been
found during the IT audit, as follows:
Tolerate outages
No DRPs or BCPs
Backups were not stowed securely
Uninterrupted power supplies were not functional
From the IT risk management perspective, risk registers were not properly maintained and
risk management policies had not been developed (Bakshi, 2016). In addition, inappropriate
and inadequate procedures for identifying, evaluating, and addressing IT risks were
observed.
Following the GCC audit and assessment, the recommendations are as follows:
Executive managers should ensure effective information security for the system
Executive managers must conduct reviews
Entities should have updated business continuity, disaster recovery, and incident
response plans
Entities should manage IT risks by identifying, assessing, and treating them within
suitable timeframes (Gartner, 2018).
Entities must ensure that the correct policies and procedures are executed for IS, IT risk
management, and change control.
References
Bakshi, S., 2016. Performance Measurement Metrics for IT Governance. [Online] Available
at: https://www.isaca.org/Journal/archives/2016/volume-6/Pages/performance-measurement-metrics-for-it-governance.aspx.
Gartner, 2018. Manage Enterprise Risk. [Online] Available at:
https://www.gartner.com/en/risk-audit/risk-leaders?utm_source=google&utm_medium=cpc&utm_campaign=RM_GB_2018_CRISC_CPC_SEM1_RISK-MIT-RISK-ASSESS&ef_id=EAIaIQobChMIjryU-eem3wIVyBwrCh0tsQ8GEAAYASAAEgK0ZfD_BwE:G:s&gclid=EAIaIQobChMIjryU-eem3wIVyBwrCh0tsQ8GEAA.
Gollmann, D., 2010. Computer Security. Wiley Interdisciplinary Reviews: Computational
Statistics, 2(5), pp.544-54.
Gupta, A. & Shakya, S., 2015. Information system audit an overview study in e-Government
of Nepal. International Conference on Green Computing on Green Computing and Internet
of Things, pp.827-31.
Kizza, J., 2009. Guide to computer network security. London: Springer.