Report on IT Audit | Asia Pacific International College
IT auditing is the process of evaluating the IT systems and applications a firm uses to operate its services. This study evaluates audit reports on the IT applications used by various business entities. The responsibilities of IT audit professionals are also analysed to show their importance in managing the IT systems of a business.
Identify the audit focus and scope of the given audit
No matter which business one is in, IT is one of the most important features of that business. Having a dedicated and efficient IT team is very important for any business to survive in this ever-changing world. The audit report focuses on evaluating the different IT systems that business entities use to operate their business activities.
IT delivers and manages information for the business and is of paramount importance to its successful running. There is no doubt that IT delivers considerable benefits, but at the same time it has some drawbacks. With the increasing adoption of IT, businesses today rely on software systems and applications more than ever. Many IT systems generate and process data that is used in preparing the company's financial statements. The auditor also relies on the data and reports generated by these IT systems, so it is critical to understand the IT-related issues; without that understanding, auditors cannot be sure about the integrity and reliability of the financial transactions and data flowing through the company's systems.
Therefore the focus of the IT audit is to ensure the integrity, reliability and relevance of the data. Apart from some loopholes, there are various advantages as well: the use of IT in audit has many benefits.
It helps companies make fast calculations and ensures that repetitive work is automated to reduce working time (Böhm, Bollen and Hassink, 2016).
As already mentioned, operations are exposed to user access management risk: if systems are inappropriately accessed and misused, the effect can be catastrophic. The focus of the audit is to identify these loopholes. The next step after identifying them is to report and monitor the risk and then rectify it. Nowadays many businesses also have a dedicated cyber security management department. It is therefore necessary to keep a check on the governance of the IT systems and, with the help of professionals, keep the business less exposed to risk.
We must properly evaluate and scrutinize the advantages and disadvantages of IT used in audit.
High risk IT issues
High risk it issues
As per the report, there were 575 high risk issues reported in 2019 compared to 448 high risk issues during 2018. Breaking it down further, the audit risk has been segregated into three categories: low, moderate and high. There were 45 low risk issues in 2018, which was 10% of the total risk issues identified, but in 2019 there were 74 low risk issues identified, which stands at 12.8% of the total. From this we can conclude that there has been a rise in low risk issues, which is a positive as risk can never be zero.
Turning to the high risk issues, there were 39 high risk issues in 2018, around 8.7% of the total risks identified, but only 29 high risk issues in 2019. The positive part is that not only did the number decrease by 10, but the percentage of high risk issues in the audit also decreased by 3%.
The biggest share of risk issues is moderate. In 2018 the moderate risk share was roughly 82%, and it is the same in 2019. The main concern, however, is the surge in the moderate and low risk issues, which can be dangerous for the company.
There are many reasons for the high risk issues, and they need to be addressed as early as possible. One of the most alarming risk factors is the lack of IT policies and procedures, which has led to user access management issues. There have been deficiencies in governance and management as well. The key financial systems, which are of paramount importance to the business, are also a concern. The key managerial personnel should take up the responsibility of managing IT risk. The company should focus on segregation of duties, which reduces the ambiguity of the issues: each step should be performed by a different person. This reduces the risk of unfair decisions, and if one person tries to hide the facts it will be caught at the next step, so errors are detected at an early stage and the deficiencies in the duties performed can be mitigated. IT systems should be protected by strong passwords, as this reduces the chances of the system being hacked. User access management should be done properly; not everyone should be given full information, since that can have a catastrophic effect such as data phishing. The system should be strong enough to detect missing files and report them to the department's management as early as possible. User access should be privileged and restricted, and it should be monitored to identify suspicious and unauthorized activity.
Therefore the company should rectify the problems as early as possible, resolve the underlying causes of the high audit risk, and make the internal control of IT as strong as possible to eliminate any discrepancies.
Audit findings related to IT governance
Audit findings related to it governance
IT governance provides a structured way to effectively manage IT systems and to identify and rectify any discrepancies at the earliest opportunity. It should be aligned with the objectives of the company and associated with the company's management or the persons responsible for governance of the system. As mentioned earlier, it is important to formalize the steps performed in an IT. These should also be reviewed on a regular basis to identify emerging risks and to rectify, mitigate or eliminate discrepancies as early as possible. The policies and procedures maintained in the system should be consistent, to reduce ambiguity about important information. Inconsistent and inappropriate steps should be reviewed properly and rectified at an early stage. Segregation of duties is also an important aspect, as it reduces the power of any single prominent board member; it increases transparency and ensures that decisions are not influenced by one person.
Analysing the current audit report, 71% of the councils do not have IT policies over one or more areas. There are various areas where IT policies should be mandatory. IT security is one of the prominent areas. It can be kept in check by giving each individual limited access, protected by strong passwords that are updated on a regular basis. IT change management is also one of the most important areas, and councils have been reluctant and complacent here as well. The objective of change management is to ensure that standardized methods and procedures are used to perform the work effectively and efficiently. Another problem is IT incident and problem management. Incident management refers to managing an incident or fixing any loophole in the system so as to restore the system as soon as possible, while problem management refers to finding the underlying root causes so that incidents do not recur. Problem management deals with solving the underlying causes of one or more incidents.
We should always expect the unexpected. A natural disaster is one such event that can have a catastrophic effect on any business, so it is important for every business to have disaster recovery management so that data can be restored as soon as it is lost and the system made to work again as early as possible. As per the report, 73% of councils did not have IT policies over one or more of these issues; this has been reduced to 71%, which is a negligible improvement compared to the importance of the matter.
It is also reported that 25% of the available IT policies are not being reviewed in line with the councils' scheduled review date to ensure that they are up to date, compared with 21% of the available IT policies in 2018. This shows the complacency and negligence of the councils.
The risk can be mitigated to a great extent if the councils identify the risk and communicate it to those charged with governance, so that they are aware of it and able to respond appropriately and take action at the earliest opportunity. Therefore every council should have an IT risk register. As per the report, 50% of the councils did not have IT risk registers in 2018; this has been reduced to 41% in 2019, which is obviously a positive sign, but it needs to be improved further. A further breakdown was recorded of those who regularly communicate the IT risks. The report shows that, of the 50% who have an IT risk register, only 34% regularly report and communicate IT risks to management or those charged with governance, and this has been worse in 2019: of the 59% who have an IT risk register, only 22% communicate IT risks to management and those charged with governance. For proper functioning and early detection of risk, this needs to be improved.
Audit findings related to IT general controls
Audit findings related to it general controls
IT general controls are controls that apply to all systems, components, processes and data for a given organization or IT environment. They can also be described as the procedures and activities designed to ensure the confidentiality and integrity of systems and data. These controls underpin the integrity of financial reporting. IT general controls are included for review in financial audits and relate to the key financial systems supporting the preparation of a council's financial statements. They also address certain problems such as user access management. This signifies the importance of IT, which is essential to how councils deliver services. While IT can deliver services, evolving technology and the growing dependency on IT also expose organizations to risks such as unauthorized access and misuse of the system (Zamanifar and Hartmann, 2020). These problems can be mitigated by steps such as appropriate approval of new access, introducing policy measures, and reviewing changes of access on the IT system on a regular basis. The timely removal of access to IT systems also improves their security. One of the most important and well-known steps is keeping strong passwords, which reduces unauthorized access and the degree to which the IT system can be compromised. Users should be kept in check and reviewed periodically, so that if any discrepancy or doubt arises the problem can be resolved then and there. The system should restrict privileged access to the appropriate staff for a particular job. Restricting privileged access alone is not enough; it should also be monitored regularly or on a periodic basis.
As per the audit report, 40% of councils are without adequate controls for adding new users; the number was 47% last year, so performance in this segment has improved. 43% of councils were without adequate user access removal controls; this has been reduced by 10% and now stands at 33%. 43% of councils are without sufficient password controls, which remains unchanged this year. 48% of councils did not restrict privileged user access; this now stands at 38%. The share of councils that do not monitor privileged user account activity remains unchanged. A new focus area introduced in the audit report is councils that do not conduct periodic user access reviews, which stands at 64%.
IT general controls also focus on program change management, which can also be vulnerable and should therefore be monitored. Changes to infrastructure components need to be authorized prior to implementation.
As previously discussed, segregation of duties is very important. As per the report, 36% of the councils do not have segregation of duties between the developer and the implementer of a change, which is unchanged from the 2018 figure. The percentage of councils implementing changes to systems without appropriate approval has seen a 10% surge, from 23% to 33%.
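The user access and change management findings above are exactly the kind of checks that can be automated from system exports. The following is an added example (not code from the audit report or any council system) that reviews a constructed set of account and change records for the controls discussed: unapproved new access, leavers not removed, overdue access reviews, developer/implementer segregation, and unapproved changes. All field names and sample values are assumptions.

```python
"""Added example: automated user-access and change-control review.
All records below are constructed for illustration; the field names are
assumptions, not a real council system's schema."""
from datetime import date

# Constructed sample data: active accounts, HR leaver list, change tickets.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "approved_by": "cio", "last_review": date(2019, 3, 1)},
    {"user": "bob",   "privileged": False, "approved_by": None,  "last_review": date(2019, 6, 1)},
    {"user": "carol", "privileged": True,  "approved_by": "cio", "last_review": date(2018, 1, 15)},
    {"user": "dave",  "privileged": False, "approved_by": "mgr", "last_review": date(2019, 5, 1)},
]
LEAVERS = {"dave"}  # HR says dave has left, so the account should be gone
CHANGES = [
    {"id": "CHG-1", "developer": "alice", "implementer": "bob",   "approved": True},
    {"id": "CHG-2", "developer": "carol", "implementer": "carol", "approved": True},
    {"id": "CHG-3", "developer": "bob",   "implementer": "alice", "approved": False},
]
AS_OF = date(2019, 12, 31)  # constructed review date


def review_access(accounts, leavers, changes, today, review_days=365):
    """Return (control, identifier) findings for each ITGC failure found."""
    findings = []
    for a in accounts:
        if a["approved_by"] is None:            # new access without approval
            findings.append(("NO_APPROVAL", a["user"]))
        if a["user"] in leavers:                # access not removed on leaving
            findings.append(("LEAVER_NOT_REMOVED", a["user"]))
        if (today - a["last_review"]).days > review_days:  # periodic review overdue
            findings.append(("REVIEW_OVERDUE", a["user"]))
    for c in changes:
        if c["developer"] == c["implementer"]:  # no segregation of duties
            findings.append(("NO_SEGREGATION", c["id"]))
        if not c["approved"]:                   # change implemented without approval
            findings.append(("UNAPPROVED_CHANGE", c["id"]))
    return findings


def summarise(findings):
    """Count findings per control, the form an audit report would tabulate."""
    counts = {}
    for control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


def run_review():
    return review_access(ACCOUNTS, LEAVERS, CHANGES, AS_OF)


if __name__ == "__main__":
    for control, ident in run_review():
        print(f"{control:<20} {ident}")
    print(summarise(run_review()))
```

Run against a real export, the review date would be today's date and the leaver list would come from HR, which is what turns a one-off audit finding into a periodic control.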
Audit findings related to cyber security management
Cyber security refers to the body of technologies, processes and practices designed to protect networks, devices and data from attack, damage or unauthorized access (Enaw and Check, 2018). As NSW embraces and moves towards a digital government strategy, cyber security has become of paramount importance. These systems protect the confidentiality, integrity and availability of information. Poor management of cyber security can expose the councils and have a catastrophic effect. A broad range of risks can arise, such as financial loss, reputational damage and data breaches (Patrick, van Niekerk and Fields, 2018). Potential impacts include theft of corporate and financial information and intellectual property, theft of money leading to financial loss, and destruction of data. Huge costs may be incurred in repairing the affected systems and networks and in covering the losses.
Legal action can also arise, which leads to financial loss in the form of legal fees. The audit has been performed very diligently and the risks have been segregated as well.
As per the report, 80% of the councils do not have any formal cyber security policy or framework, 78% do not maintain a centralized register of cyber incidents, and 46% have not included the risk of cyber-attack in their risk register, which shows a lack of awareness of cyber security.
In conclusion, in the light of the above, it can be said that every IT system used by the organization had some weaknesses and loopholes that have been identified, and these can be mitigated using proper strategies. We recommend strengthening the governance and security of the IT systems and having a dedicated and efficient cyber security branch.
Böhm, F., Bollen, L.H. and Hassink, H.F., 2016. Audit committee charter scope: Determinants and effects on audit committee effort. International Journal of Auditing, 20(2), pp.119-132.
Enaw, E.E. and Check, N., 2018, April. Information Systems Security Audits in Cameroon's Public Administration. In Proceedings of the 11th International Conference on Theory and Practice of Electronic Governance (pp. 312-317).
Hamdi, N. and Junidar, J., 2018. Disaster Recovery Planning by Using Cloud Computing Technology. Journal of Informatics and Computer Science, 2(1).
Patrick, H., van Niekerk, B. and Fields, Z., 2018. Information Security Management: A South African Public Sector Perspective. In Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution (pp. 382-405). IGI Global.
Zamanifar, M. and Hartmann, T., 2020. Literature review of optimization based decision model for disaster recovery planning of transportation network