Analysis of a Business Information Systems IT Audit Report
AI Summary
This report provides a detailed analysis of an IT audit report, focusing on the audit's scope and findings across various systems, including RAMS, Horizon Power, PRS, PRX, and NRL-T. The report identifies critical issues such as inadequate security controls, outdated software, lack of disaster recovery testing, and insufficient user access management. The findings highlight vulnerabilities related to data security, password complexity, and business continuity. Furthermore, the report examines the professional, legal, and ethical responsibilities of an IT auditor, emphasizing the importance of integrity, objectivity, confidentiality, and competency. The analysis covers audit methodologies, identifies relevant risks, and discusses potential actions, recommendations, and sanctions based on the irregularities found within the audit report, offering a comprehensive overview of IT audit practices and their impact on business operations.

Running head: BUSINESS INFORMATION SYSTEMS
BUSINESS INFORMATION SYSTEMS
Name of the Student
Name of the University
Author Note

Discussions
Focus and Scope of Audit
The WAIS audit report reviews important business applications at a large number of State Government entities. Every application is essential to its entity's operations and can affect stakeholders, including the public. The WAIS audit report has a defined scope and focus (Gildenhuis and van Rensburg 2017). The scope of the WAIS report includes the Recruitment Advertisement Management System of the Public Sector Commission, the Advanced Metering Infrastructure of Horizon Power, the Pensioner Rebate Scheme and Exchange (PRS and PRX) of the State Revenue office, and the New Land Register of the Land Information Authority of Western Australia.
The audit report focuses on systematic processing and data handling in the control categories listed below:
Security of information: controls exist to ensure the confidentiality, availability and integrity of information
Policies and procedures: these are appropriate and support the processing of information
Output of data: hard-copy reports are complete and accurate
Backup and recovery: arrangements are appropriate and in place in case of a disaster
Processing of data: information is processed within acceptable timeframes
Separation of duties: no employee can perform incompatible duties
Maintenance of master file and preparation of data: controls over data preparation, collection and processing of documents ensure that information is accurate, complete and timely before it reaches the application

Audit Findings of RAMS
No adequate assurance on control of vendors
Software unsupported: the software vendors no longer support some of the software components. One component has not received any software update to fix its security weaknesses (Wilkins 2017).
Disaster recovery not tested: the vendor has not executed a full disaster recovery test since 2015
Outdated technical specification documentation: the technical documentation that describes the application does not describe the present application environment
Lack of risk evaluation
No right to execute security audits: there are no specific rights for the Commission to execute security audits of the RAMS environment. As a result, the Commission has limited capability to verify the security controls
No assurance of control: there is no requirement for the vendor to provide the Commission with third-party assurance reports confirming that the controls are in place and working appropriately (Caffieri et al 2018)
Encryption not specified: the requirements for encrypting data at rest (stored data) are not specified
Unspecified retention of data: the data retention requirements have not been specified. All information since the year 2003 has been kept in the system.
Inadequate access control
Weak password configuration: the admin portal does not meet the requirement for password complexity and does not restrict password re-use

Ineffective management of user accounts: the Commission does not have a policy and procedure to manage user accounts across the entity, including highly privileged accounts
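The RAMS admin portal finding above names two missing controls: no password complexity requirement and no restriction on re-use. The following Python check is an added example, not code from the essay or the audit report; the policy values (12 characters, three character classes, a history of ten previous passwords) and the PBKDF2 parameters are assumed for illustration.

```python
import hashlib
import os
import re

# Assumed policy values; the audit report only states that complexity was not
# enforced and re-use was not restricted.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3      # out of upper, lower, digit, symbol
HISTORY_DEPTH = 10        # previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000   # assumed; use your platform's recommended value

CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def complexity_failures(password):
    """Return the list of complexity rules the candidate password breaks."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < REQUIRED_CLASSES:
        failures.append(f"uses {classes} character classes, needs {REQUIRED_CLASSES}")
    return failures


def _digest(password, salt):
    # Salted, iterated digest so the history never stores passwords in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-account store of salted digests of the last HISTORY_DEPTH passwords."""

    def __init__(self):
        self.entries = []   # list of (salt, digest), newest last

    def is_reused(self, password):
        return any(_digest(password, salt) == d for salt, d in self.entries)

    def record(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]


def try_change_password(history, candidate):
    """Apply both controls to a change request; returns (accepted, reasons)."""
    reasons = complexity_failures(candidate)
    if history.is_reused(candidate):
        reasons.append("reuses one of the previous passwords")
    if reasons:
        return False, reasons
    history.record(candidate)
    return True, []
```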
No proper business continuity
Out-of-date business continuity plan: the Commission has not reviewed the RAMS business continuity plan since the year 2014. There is an increased risk that RAMS will not operate properly during an incident
Audit Findings of Horizon Power
High value of errors
Horizon has good procedures to detect and resolve data errors in consumption readings. In the year 2017-18, the company corrected errors of $1.43 billion. Other errors include incorrect rates applied to clients and changes in the system
No proper security of human resources
Horizon's policies and procedures do not require criminal history checks for staff. The audit found that staff without criminal history checks had access to the company's critical infrastructure (Bailey, Harris and Jennings 2018). Regular background checks are not done by Horizon
Room to upgrade security
No proper configuration of firewall: the firewall that separates the AMI network from the Horizon network is not appropriately configured. This increases the risk of cyber attacks and unauthorized access

Network access accounts are not managed: the passwords for the administrator account have not been changed for a long time. The audit found 16 accounts, some of which belonged to former staff, that were not disabled.
Lack of logging policy: the company has no activity logging and monitoring policy. This increases the risk that monitoring will be inconsistent and increases the chance of systems being compromised
Audit Findings at PRS and PRX
Failure to perform checks of land ownership and occupancy
State Revenue does not perform the land ownership and occupancy checks required by the Act. State Revenue took on this responsibility in the year 2003 but has since stopped doing the checks
Inadequate Controls
Inadequate user access management: State Revenue does not review the PRS and PRX user accounts. A large number of privileged accounts were found. Many PRX user accounts have not been accessed for 1 year
Easy passwords: the audit identified 10 database accounts with easy-to-guess passwords, and 70 accounts whose passwords had not been changed for more than 1 year as required by State Revenue's password policy (Vafaei et al 2018).
No acceptable use policy: PRX users are from LGs, but State Revenue has not produced an acceptable use policy to guide their use of the system. It is good practice to develop such guidelines and ensure that all end users understand them
Audit Findings of NRL-T
Inadequate controls of user access

Inadequate segregation of duties: two employees have been allocated extra privileges permitting them to complete land title transactions. It is an important security principle that the individual who initiates a request should not be the one who authorizes it.
Excessive user access rights: it was found that 7 users were given Assistant Registrar user rights, which can be used to bypass system checks, when they only required basic rights to perform their duties
Irregular reviews of user access: user access rights and permissions are not reviewed regularly to confirm that they are still needed and appropriate. Over time, this allows users to accumulate extra privileges, leading to improper access to information.
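The user access findings across NRL-T, PRS/PRX and the network accounts (former staff accounts left enabled, accounts unused for a year, passwords unchanged for more than a year, rights beyond what a role needs, and one person able to both lodge and authorise a land title transaction) are all conditions a periodic access review can test mechanically. The script below is an added example, not part of the essay or the audit report; the role-to-entitlement map, the review date and the account records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed review date and thresholds. The one-year thresholds mirror the
# audit findings (accounts unused for a year, passwords unchanged for a year).
REVIEW_DATE = date(2019, 6, 30)
MAX_INACTIVE_DAYS = 365
MAX_PASSWORD_AGE_DAYS = 365

# Hypothetical role-to-entitlement map: the rights each role actually needs.
# Assistant Registrar rights include overriding system checks, so they must
# only be held by that role.
ROLE_ENTITLEMENTS = {
    "clerk": {"lodge_request"},
    "assistant_registrar": {"authorise_title", "override_check"},
    "admin": {"manage_accounts"},
}

# Entitlement pairs one person must never hold together: the person who
# lodges a land title request must not be the one who authorises it.
SOD_CONFLICTS = [("lodge_request", "authorise_title")]


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    enabled: bool
    employed: bool            # False for former staff
    last_login: date
    password_changed: date


def review_accounts(accounts, today=REVIEW_DATE):
    """Return (user, finding) tuples for every access-control failure found."""
    findings = []
    for a in accounts:
        if a.enabled and not a.employed:
            findings.append((a.user, "former staff account still enabled"))
        if a.enabled and (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append((a.user, "inactive for more than a year"))
        if a.enabled and (today - a.password_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.user, "password older than a year"))
        # Rights the account holds that its role does not require.
        excess = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:
            findings.append((a.user, "entitlements beyond role: " + ", ".join(sorted(excess))))
        # Segregation of duties: no single account may hold a conflicting pair.
        for left, right in SOD_CONFLICTS:
            if {left, right} <= a.entitlements:
                findings.append((a.user, f"segregation of duties: holds {left} and {right}"))
    return findings


# Constructed sample register, not data from the audit report.
SAMPLE_ACCOUNTS = [
    Account("alice", "clerk", {"lodge_request"}, True, True, date(2019, 6, 20), date(2019, 3, 1)),
    Account("bob", "clerk", {"lodge_request", "authorise_title"}, True, True, date(2019, 6, 25), date(2019, 5, 2)),
    Account("carol", "clerk", {"lodge_request"}, True, False, date(2018, 1, 10), date(2017, 12, 1)),
    Account("dave", "admin", {"manage_accounts"}, True, True, date(2019, 6, 1), date(2017, 6, 1)),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```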
Lack of external penetration testing
The company performs internal penetration testing of its infrastructure but had not performed external penetration testing. A failure of controls can affect the availability, integrity and confidentiality of information (Auditor-General 2019). Penetration tests must be performed regularly to keep pace with evolving cyber attacks
The IT services have not been reviewed
The company has not reviewed its outsourced ICT services since the agreement in November 2016. The agreement recommended a review of the delivery and cost of the services after 1 year (McHugh et al 2018).
Professional, Legal and Ethical responsibilities of IT Auditor
Ethical responsibilities
IT auditors must have proper ethics before they audit a company's information technology. The ethical responsibilities of IT auditors are as follows (Cheng and Flasher 2018):
Integrity: clients expect auditors to uphold the guidelines and principles of the industry
Objectivity: auditors must perform services free from partiality, bias and self-serving activities
Confidentiality: auditors should share information only with authorized stakeholders
Competency: professional development ensures that auditors remain knowledgeable and current
Legal Responsibilities
IT auditors are responsible for obtaining assurance that the information, taken as a whole, is free from any misstatement caused by error or fraud. Non-compliance with laws and regulations can affect the information, as companies in breach of the law may need to make provisions for future fines and costs. Therefore, in planning an information technology audit, the auditor must take into account the applicable regulatory framework (Chen and Tsay 2017). The IT auditor must perform specified audit procedures to help identify instances of non-compliance with laws and regulations. If any non-compliance is identified, the auditor must respond appropriately.
Professional Responsibility
IT auditors must meet certain professional responsibilities so that they can perform their duties properly (DeZoort and Harrison 2018). The IT auditor must perform the following duties:
Gain an understanding of the company and its operations
Evaluate the internal control procedures
Evaluate the company's security and its policies and procedures
IT auditors must not do the following:
Produce statements that contain untrue material facts
Omit material facts
Fail to include information whose omission would be misleading
References
Gildenhuis, C.E. and van Rensburg, J.O.J., 2017. The fourth E of performance auditing. Southern African Journal of Accountability and Auditing Research, 19(1), pp.117-127.
Cheng, C. and Flasher, R., 2018. Two short case studies in staff auditor and student ethical decision making. Issues in Accounting Education Teaching Notes, 33(1), pp.28-37.
Chen, S. and Tsay, B.Y., 2017. Refer to materiality as a legal concept. Journal of Corporate Accounting & Finance, 28(2), pp.55-61.
DeZoort, F.T. and Harrison, P.D., 2018. Understanding auditors' sense of responsibility for detecting fraud within organizations. Journal of Business Ethics, 149(4), pp.857-874.
Wilkins, P., 2017. Parliaments and their watchdogs: Evaluating the role of periodic statutory reviews of auditors general. Australasian Parliamentary Review, 32(2), p.63.
Caffieri, J.J., Love, P.E., Whyte, A. and Ahiaga-Dagbui, D.D., 2018. Planning for production in construction: controlling costs in major capital projects. Production Planning & Control, 29(1), pp.41-50.
Bailey, J., Harris, T. and Jennings, P., 2018. State of the environment reporting in Western Australia: law, land and beyond. Australasian Journal of Environmental Management, 25(4), pp.371-384.
Vafaei, E., Gilchrist, D., Scully, G. and Singh, H., 2018. Same, same but different: A comparison between performance audit and operational audit. In Public Sector Accounting, Accountability and Governance (pp. 92-104). Routledge.
Auditor-General, W.A., 2019. Fraud prevention in local government.
McHugh, C., Campbell, A., Chapman, M. and Balaratnasingam, S., 2016. Increasing Indigenous self-harm and suicide in the Kimberley: an audit of the 2005–2014 data. The Medical Journal of Australia, 205(1), p.33.