IT Audit Report: Service NSW Cyber Security Incident Analysis

Verified

Added on 2023/01/03

AI Summary

This report provides an in-depth IT audit and control analysis, focusing on the cybersecurity of Service NSW. It begins with an introduction to IT audits, emphasizing the importance of aligning security measures with established criteria. The report then details the scope of the audit, highlighting a significant phishing attack that compromised customer and employee data, and assesses the IT resources involved, including user access management, program change management, and disaster recovery planning. The findings reveal vulnerabilities in IT governance, policies, and procedures, leading to recommendations such as implementing an IT governance framework, formalizing and regularly updating IT policies, enhancing user access management, and improving disaster recovery plans. The report concludes by summarizing key rules and regulations that IT auditors must adhere to, reinforcing the need for robust IT security practices to mitigate future risks and protect sensitive information. The report is a valuable resource for understanding the complexities of IT audits and the critical role they play in maintaining organizational security.

IT Audit and Controls

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Table of Contents
Introduction......................................................................................................................................3
Determine audit focus along with scope of audit report.........................................................3
IT resources on which audit will be conducted with reference to Service NSW...................4
Recommendations on the basis of findings............................................................................7
Rules as well as regulations that auditor of Service NSW must adhere to.............................8
Conclusion.......................................................................................................................................9
References......................................................................................................................................10

Introduction
The organised evaluation of different security aspects of organisations information
system by measuring that how they align with the set criteria is defined as information
technology security audit. It is liable for providing high levels of illustration with reference to
ways through which firm can access and test the security postures that have been developed by
them as a response for cyber security (Chopra and Chaudhary, 2020). The thorough audit
assesses security of physical configuration, software, environment, user practices and
information handling processes. For acknowledging this concept, the security breach will be
taken into account which has occurred in the New South Wales. This report emphasise on audit
along with scope and IT resources of the city that will be audited by detection of abnormalities
that are present within information technology systems. Furthermore, some recommendations
will be given on the basis of findings that will be identified. At last some rules as well as
regulations are illustrated that IT auditor can abide to.
Determine audit focus along with scope of audit report
The Council is liable for making sure that all the resources that are needed for ensuring
that security concerns are maintained and are effectively utilised. The audit focus on certain
aspects with reference to NSW, as per media reports that were published on 7th September, 2020
the Service NSW that is biggest information collection agency have suffered the cyber attack. It
was identified that near about 186000 customers as well as employees information was leaked
due to the phishing emails attack. The accounts of 47 employees of the organisation were
compromised and it took a time frame of around four months to identify the loss that have been
occurred within relevant frame of time. It was inferred that near about 3.8 million documents
were evaluated for assessing the severity of probable breaches. The documents that have been
compromised are handwritten notes, scans, forms as well as records related with transaction
applications. The size of the information that has been breached is 738 gigabytes but it is ensured
that all the information is not personal and as such no evidences have been found that database of
organisation was also accessed.
Service NSW has revealed that Police is carrying out further investigation related with the
incident. The Auditor is accountable for allocating resources as well as time associated with
financial reporting process, systems and resources through which all the standards can be

executed in proper manner. The scope of report involves furnishing audit to strengthen timelines
and quality of IT reports. Furthermore, recommendations will also be given in order to ensure
internal governance as well as controls. It is identified that certain attack has been occurred that
is email phishing. The fraudulent attempt that is made for obtaining sensitive data or information
like passwords, card details and usernames like trustworthy entity within the electronic
interaction is defined as phishing. It takes place when user will steal data by making use of
authenticated credentials. Email phishing implies number game where attacker sends multiple
fraudulent messages so that they can have access to information or any other financial assets
(Chopra and Chaudhary, 2020). In context of Service NSW email phishing have been carried out
in order to have access to information.
The emphasis is laid on analysing higher risks so that in future any such kinds of
activities are not conducted. In addition to this, information technology policies will be
formalised along with this they will be reviewed for ensuring that all the aspects that might
hamper functions of organisation are taken into account. Furthermore, relevant policies act as
reflective with reference to IT environment. This is mandatory that relevant risks are identified
as well as they are managed adequately so that intruder or any other unauthenticated person does
not get access to peculiar data. In addition to this, emphasis will be made on enhancing user
access management processes to make sure that information system of organisation is secured
and significant controls are utilised for possessing controls via making alterations as per the
needs. Along with this, emphasis will be made on enhancement of user access process
management, updating registers and reconciling asset management system. This comprises of
controls for maintaining integrity of information.
IT resources on which audit will be conducted with reference to Service NSW
Auditor depends on information technology in order to deliver their services along with
management of information and data. IT is liable to furnish relevant benefits and there are certain
risks that Auditor must take into consideration in an effectual manner. The Auditor have
emphasised on IT governance along with controls through which information can be managed in
an affirmative manner. It is found that attack has occurred and there are certain other factors that
have lead to compromise the overall security of the information and has lead to cyber attack. In
addition to this, there are certain higher risk issues that are because of lack of relevant
information associated with technological policies as well as procedures and this also involves

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

user access reviews within the systems of organisation (Lai, Liu and Chen, 2020). This
comprises of making use of shared user accounts along with segregating duties are not enforced
appropriately in the information system of Service NSW. An example can be taken like in case
system of firm is not maintained in adequate way then unauthorised individuals or intruders can
get access to information which will further lead to creation of pessimistic influence on the ways
in which Auditor of Service NSW delivers their liabilities. This might lead to loss in terms of
financial assets but in case if sensitive or confidential information will be compromised then
overall functionalities will be hampered.
With reference to cyber attacks, it is crucial that relevant measures are being taken up so
that the IT resources can be protected but this has to be identified that which of the entities will
be impacted via this. Information technology general control is liable to depict certain procedures
along with activities that are formulated for making sure integrity and confidentiality of systems
as well as information. Along with this, controls are accountable for underpinning integrity
associated with the information reporting. The data and financial audit will aid in reviewing
general controls that are related with information system and will also aid within supporting
preparation of statements that will lead to acknowledge aspects associated with user access
management. In addition to this, there are certain privileged access for users to monitor as well
as restricts information access. Furthermore, this also comprises of system software acquisition
and alterations that can be made within. It is important that relevant disaster recovery plan is
developed for dealing with unlike information. This is identified that, Auditor have not reviewed
information technology system such as support service delivery which is generally outside the
scope of data audit. Moreover, Auditor must consider findings with reference to the resources
mentioned beneath:
User Access Management
Information technology is critical for Auditor with reference to ways services are being
furnished. IT enhances the delivery of services but with growing dependence on technologies
there are certain security risks that have been faced via Service NSW such as unauthenticated
access, misuse, viruses, malwares and many more. With reference to user access management,
this involves that relevant approval is being taken up for new entities and any kind of alterations
within the IT systems needs permissions as well as any new users will removed as soon as it is
identified that they are unauthenticated (Lee and Levine, 2020). In order to ensure this aspect,

strong password attributes must be developed so that it becomes difficult to have access to the
system and getting compromised due to attacks. Furthermore, it becomes important that this
resources of Service NSW organisation needs to reviewed in periodic way for making sure that
any kind of inadequate access is not given and there are certain constraints for having privileged
access to monitor all the activities that are being carried out by them in terms of having access to
information in other systems or network (Stoel and Havelka, 2020). Auditor needs to emphasise
on enhancement of privileges that have been made in order to protect this aspect from different
cyber attacks. For this, it becomes crucial that periodic reviews are made and monitoring of
privileged accounts is carried out.
Program Change Management
It becomes significant that there is significant control on the information technology
systems so that there can be an affirmative influence on the ways in which operations are being
delivered by them. Modifications can be made in terms of information technology programs that
are related with infrastructure entities and have to be authorised before carrying out any kind of
confidential transactions like network. This will enable to ensure that alterations that have been
made are significant and are in line with requirements of the organisation. In this case, it
becomes necessary that Auditor makes alterations within the weak systems as this will expose
them to certain attacks and even unauthenticated changes within the programs might also be
made (Li, No and Boritz, 2020). This further leads critical issues in terms of data accuracy as
well as integrity of the information stored within the systems of Service NSW. This comprises of
unintended modifications in context of ways in which information as well as errors related with
information and financial reporting are made. Auditor have not made any kind of improvisations
within the change management controls over IT systems as this is being identified from the
recent attack that has been occurred.
Disaster Recovery Planning
It is important that Auditor makes enhancements within planning along with testing
phases as this will enable them within minimisation of disruption as well as functionalities
related with events are conducted in critical systems outrage or if any other disasters are
conducted. If relevant analysis and planning is not carried out then Auditor cannot identify
higher tolerate outages, anticipates disruption along with recovering from them in successful way

in case if disaster takes place. In addition to this, the management of Service NSW did not had
relevant disaster recovery plan for dealing with diverse conditions.
Recommendations on the basis of findings
It is recommended that Service NSW must opt for IT governance in order to furnish
structure that will allow council in effectual management of information technology risk and
ensure that associated activities are aligned with objectives. When Auditor fails within
maintaining information technology policies have been formalised as well as conduct updates
that acts like crucial aspect that might lead to any kind of attack. It is liable for making this
critical to review emergent risks that will furnish reflection on the Information technology
environment of Service NSW. In this case, there is lack of relevant procedures which will lead to
inconsistent and inadequate practices which will further lead to enhancement of likelihood for
intruder to access key systems (Lyu and et. al, 2020). Certain enhancements are not implemented
by Auditor in this context as well as conduct review in regular manner. It becomes important that
potential risks are identified along with this they are interacted so that probable solution can be
identified for having relevant knowledge associated with risks in the specified frame of time.
It is suggested that Information technology framework might be used by Auditor in order
to determine relevant manner for delivering services through the usage of information systems
within the organisation. Such kind of framework will aid them within defining methods and
ways that will enable Service NSW to conduct execution, management and monitoring of IT
governance while conduct their operations within the working environment is defined as
information technology governance framework. In this case, Auditor needs to opt for COBIT
framework that is specified below:
Controlled objective for Information and related technology (COBIT) framework: This
is formulated for management as well as IT governance which can be utilised by Auditor as well
as Council such as supportive techniques that will assist in bridging up gap among control
requirements, technical and risk perspectives. It is liable to ensure that reliability, control along
with quality of information system that are being utilised by Service NSW and respective council
are being achieved. This framework will enable them within having capabilities with reference to
plans which will be formulated, organised, furnished, rendered as well as acquired in an
appropriate manner. Along with this, overall performance will also be monitored along with this

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

has to be evaluated for attainment of relevant goals through which higher efficiency can be
achieved in context of cyber security.
Illustration 1: COBIT Framework
The major entities are contained within this framework that will enable service NSW
within illustrating processes, control objectives and will also provide significant guidelines to the
management. This will enable them within maintaining relevant levels of security with reference
to associated risks.
Rules as well as regulations that auditor of Service NSW must adhere to
These are specified beneath:
 The auditor have to develop as well as document the audit plan that comprises of planned
details, extent and timing associated with risk assessment procedures. This must also
involve the extent of tests associated with control and substantive methods.
 Objectives needs to be precise so that they can be acknowledged easily and
communicated with others (Smith, 2020).
 Preliminary judgments related with efficiency of internal control over IT resources must
be clear. This will enable within understanding the current impact of risks which have
impacted and might have probable influence in the future.

 Identify compliance with independence along with ethical requirements. This will not be
restricted to preliminary engagement activities but needs to be re-evaluated with
alterations that might occur within distinct situations.
 This must comprise strategies for engaging and development of audit plan that must
comprise of risk assessment procedures along with planned responses to risks associated
with information technology resources.
Conclusion
Form the above it can be concluded that, it is necessary for each organisation to conduct
audit in an appropriate manner as this will enable to acknowledge risks that might occur in
future. This becomes essential that adequate measures are being taken before things get adverse
and unmanageable. In this context, certain policies must be developed by organisation and also
ensure that each employee knows them so that they can deliver their functionalities accordingly.
The audit must be carried out in regular manner as it will provide an insight into what has
happened and what is going on. Furthermore, it will also provide information related with what
are the probable impacts that will be created via any particular situation in the future offerings of
the organisation.

References
Books & References
Chopra, A. and Chaudhary, M., 2020. External Audit. In Implementing an Information Security
Management System (pp. 247-258). Apress, Berkeley, CA.
Chopra, A. and Chaudhary, M., 2020. Internal Audit. In Implementing an Information Security
Management System (pp. 221-235). Apress, Berkeley, CA.
Lai, S.M., Liu, C.L. and Chen, S.S., 2020. Internal Control Quality and Investment
Efficiency. Accounting Horizons.
Lee, K.K. and Levine, C.B., 2020. Audit partner identification and audit quality. Review of
Accounting Studies, pp.1-32.
Li, H., No, W.G. and Boritz, J.E., 2020. Are external auditors concerned about cyber incidents?
Evidence from audit fees. AUDITING: A Journal of Practice, 39(1), pp.151-171.
Lyu, Q. And et. al, 2020. SBAC: A secure blockchain-based access control framework for
information-centric networking. Journal of Network and Computer Applications, 149,
p.102444.
Smith, S.S., 2020. Internal Control Considerations. In Blockchain, Artificial Intelligence and
Financial Services (pp. 143-150). Springer, Cham.
Stoel, M.D. and Havelka, D., 2020. Information Technology Audit Quality: An Investigation of
the Impact of Individual and Organizational Factors. Journal of Information Systems.