SBM4302 IT Audit and Controls |Asia Pacific International College
IT auditing is the process of evaluating the IT systems and applications that a firm uses as tools to operate its services. This study evaluates audit reports on IT applications used by various business entities. The responsibilities of IT audit professionals are also analyzed to show their importance in managing the IT systems of a business.
Identify the audit focus and scope of the given audit report
The audit report focuses on evaluating the applications that business entities use to operate their business activities. Applications are software programs built to support operations such as human resources, finance, billing and operational management, and they have become an essential part of business entities in the current technological era. The scope of the audit was to assess the relevance and efficiency of using such software within business operations. The report explains the benefits and weaknesses of each application used as an operational tool within an entity, and it covers how each entity uses its application to deliver services to customers (DeFond and Zhang, 2014). In the current report the auditor evaluates four applications: Recruitment Advertisement Management System, Advanced Metering Infrastructure, Pensioner Rebate Scheme and Exchange, and New Land Register. The auditor evaluates each application's efficiency in a systematic manner against the following parameters: policies and procedures, security of sensitive information, data input, backup and recovery, data output, data processing, segregation of duties, audit trail and masterfile maintenance, interface controls and data preparation. The scope of the audit report is to show the benefits and weaknesses of the applications that business and government entities use to conduct their operations with the modern technology available. It also shows whether the integration of technologies such as software applications is suitable for the business operations or not.
The audit report covers how well the different applications suit the needs of the different organizations, and in this way it provides a descriptive analysis of applications within business entities. The testing and research on each application was done using samples of key controls and processes, so that a reasonable amount of information about the application was obtained before its efficiency was reported. This shows that the audit's size and scope provide ample information for evaluating the applications used by business entities in modern business operations. In this way the usage and weaknesses of applications used in business activities can be understood and identified (Knechel and Salterio, 2016).
Describe audit findings in the RAMS
The Recruitment Advertisement Management System (RAMS) is used by Western Australian government entities to manage their human resources. Through this application the entities manage staff requirements, redeployments and severance information. The application is managed by a third party under a Software as a Service program. It holds personal data including name, education, sex, gender, home address and qualifications, so confidential data is managed by this application as part of operational activities. Because the application holds a lot of important data on a digital platform, that data must be secured; otherwise operations can be disrupted and the privacy of employees and employers will be affected. The application has supported many recruitment processes conducted by these government entities and has been in use since 2003. The report shows that both the government entity and the vendor that manages the information through this application have given assurance of data confidentiality, integrity and security within the system. However, because of the service level agreement, the government body is not able to get full access to the data and information on the system's compliance with its security requirements. The government receives only partial information from the vendor about the security processes used to manage the data stored within the application. The application is also stated to have poor access management, which can potentially expose personal data to unauthorized personnel, who could then misuse it.
This application has helped the government with the recruitment process for many years and has done so efficiently, but the problem in the current scenario arises with third-party access (Hall, 2015). The analysis makes clear that the use of inaccurate and inefficient data security systems is a major problem within the application. The audit found that the application has been efficient, but that its data security is not viable or effective, which can potentially impact the firm's operations.
Describe audit findings in the Horizon Power
Advanced Metering Infrastructure is an application used by Horizon Power, under the Regional Power Corporation, to record and store data for the bills related to electricity consumption. Through Advanced Metering Infrastructure the entity is able to record, monitor and bill the consumption of electricity. The application also records personal and confidential customer data such as name, address, sex, age and the location of the installed meter. Advanced Metering Infrastructure therefore performs several types of operations, and both confidential and general information is stored within the system. Horizon is a state-owned power corporation that uses Advanced Metering Infrastructure to manage its business operations. The firm provides power and electricity to 100,000 residents, and the application holds the details of these residents as well as of 10,000 businesses that get electricity from the corporation. Horizon uses several suites of applications to manage its operations, and these are collectively called the Advanced Metering Infrastructure. The audit found that there was an appropriate procedure that detected and reduced consumption errors before bills were issued, although the value of the errors recognized was fairly high. Horizon has a system through which it detects the errors in its process, although the number of errors is increasing constantly and this is a concerning factor for the company (Ren et al. 2015). Inadequacies were also found in human resources security and contractor access management.
It was found that criminal history checks of employees were not conducted efficiently, which allowed an employee with a criminal history to have internal access to the firm's power plant. It was also found that a third-party contractor faced issues with Horizon's contractor access management because the HR records were not updated. System information was also found to be at risk because the security of sensitive information was not strong, so it could be accessed in a data security breach within the firm's operations. There is scope to improve security to make sure that the confidential data is properly secured within the software application the firm uses to operate.
Describe audit findings in the PRS and PRX
PRS and PRX are the applications used by the Office of State Revenue (State Revenue) and local government entities (LGs) to manage the reimbursement of concessions payable to pensioners and beneficiaries. The Pensioner Rebate Scheme (PRS) system and its Pensioner Rebate Exchange (PRX) interface are used by these entities to manage their operational activities. The audit findings revealed that State Revenue did not perform land ownership and occupancy checks, and this increased the risk of payments being made to ineligible individuals. It was also seen that State Revenue did not have proper access and security controls, which may lead to unauthorized use of information (Leung et al. 2015). PRS and PRX store confidential data, so access to these servers can lead to further unauthorized use of confidential data and information for criminal purposes. This is a major risk identified in the audit findings on the use of these applications.
Through the use of effective methods and mitigation procedures these problems can be mitigated (Wang et al. 2014). A security control error may cause huge damage to the overall operations of State Revenue, because confidential data can be breached, and the entity may face a major IT problem due to improper use of these applications.
Describe audit findings in the NLR-T
NLR-T is an application used by the Western Australian Land Information Authority to manage and maintain information and data about property ownership and location within Western Australia. NLR-T is developed and maintained by a third party, with ICT outsourced under an arrangement that uses public cloud infrastructure. The system is maintained by a Landgate subsidiary co-owned with a third-party vendor. This shows that various parties are involved in operating an application that records confidential data, including personal details of people and their property (Furnham and Gunter, 2015). The first problem identified in the audit findings was that there was no review of the changes made to land information, which can cause misappropriation within the operational activities of the entity. The IT audit also found that user access control in NLR-T was weak, which can allow unauthorized access to the data and information stored within the system. This stemmed from inadequate segregation of duties: a staff member was able to perform an end-to-end land title transaction, which means that the person requesting the transaction was also authorizing it, which is not correct. There were excessive user access rights, allowing unauthorized personnel to access the data, and user access reviews were irregular, so users were accumulating access privileges through the application. All of these loopholes were identified within the operation of this application, and within the operation of Landgate they can cause huge misappropriation and lead to catastrophic situations (Power and Gendron, 2015).
Hence the problems and weaknesses within the system must be addressed at the earliest opportunity in order to prevent the harm that such loopholes can cause.
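The segregation-of-duties and access-review findings above can be tested mechanically once transaction and access records are exported. The following is an added example, not code from the audit report or from the application's vendor; the record layout, role names, user names and dates are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; field and role names are assumptions, not the real schema.
TRANSACTIONS = [
    {"id": "T-1001", "requested_by": "alice", "authorised_by": "bob"},
    {"id": "T-1002", "requested_by": "carol", "authorised_by": "carol"},
    {"id": "T-1003", "requested_by": "dave", "authorised_by": None},
]
GRANTS = [  # (user, role, granted_on, last_reviewed_on or None)
    ("alice", "lodge_title", date(2018, 1, 10), date(2019, 3, 1)),
    ("bob", "approve_title", date(2018, 2, 5), date(2019, 3, 1)),
    ("carol", "lodge_title", date(2016, 6, 1), None),
    ("carol", "approve_title", date(2017, 9, 12), None),
    ("dave", "lodge_title", date(2019, 1, 20), None),
]
# Role pairs one person should not hold together (requesting vs authorising).
INCOMPATIBLE = [("lodge_title", "approve_title")]


def transaction_exceptions(transactions):
    """Return (self-authorised ids, never-reviewed ids)."""
    self_authorised, unreviewed = [], []
    for t in transactions:
        if t["authorised_by"] is None:
            unreviewed.append(t["id"])
        elif t["authorised_by"] == t["requested_by"]:
            self_authorised.append(t["id"])
    return self_authorised, unreviewed


def conflicting_role_holders(grants, incompatible):
    """Return {user: [role pairs]} for users holding both roles of a pair."""
    roles = defaultdict(set)
    for user, role, _granted, _reviewed in grants:
        roles[user].add(role)
    conflicts = {}
    for user in sorted(roles):
        pairs = [p for p in incompatible if set(p) <= roles[user]]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def overdue_reviews(grants, as_of, max_age_days=365):
    """Return (user, role) grants not reviewed (or granted) within max_age_days."""
    return [(user, role) for user, role, granted, reviewed in grants
            if (as_of - (reviewed or granted)).days > max_age_days]


if __name__ == "__main__":
    print(transaction_exceptions(TRANSACTIONS))
    print(conflicting_role_holders(GRANTS, INCOMPATIBLE))
    print(overdue_reviews(GRANTS, as_of=date(2019, 6, 30)))
```

The three checks map to the three findings: changes with no reviewer or a self-reviewer, users who can both request and authorise, and grants that have accumulated without a periodic access review.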
Describe and discuss the professional, legal, and ethical responsibilities of an IT Auditor
An IT auditor has an important task to perform, and there are various responsibilities and duties that the auditor has to comply with. IT auditors are bound to be professional, legal and ethical in their operations, because they have to produce an unbiased and fair report about the IT systems a firm uses in its operational activities. An IT auditor must be highly skilled and professional in order to conduct an efficient investigation of the IT systems and applications used by business entities. The investigation procedures and tests must be professionally implemented so as to get the most benefit from the investigation and testing process. The IT auditor must also be professional when communicating with the firm on which the test is being conducted. Professional communication must be established to make sure that there is a proper flow of information between the two parties, which will increase the efficiency of the testing and investigation procedure (Yu et al. 2015). A professional relationship must be established between the firm and the auditor so that an effective audit procedure is conducted on the firm's IT systems. The legal requirements of the audit procedure must also be maintained: under common law the auditor must perform the auditing service with due care, and must establish privity, or a contractual relationship, with the client. This means that contractual rights must be provided to both the auditor and the firm or client in order to conduct a legal IT audit process within the operations of the firm. The contractual obligations must be followed by both the auditor and the client in order to successfully conduct the audit process, so that there is a legal analysis of the firm's IT systems and applications. An IT auditor must also be ethical in their operations.
In this process ethical means of investigation are used and ethical reporting is done. Factors such as biased reporting, unfair methods of investigation and irrational communication must be avoided by the auditor in the auditing process (Sandvig et al. 2014). The auditor must stay ethical in the investigation, should not be influenced, and should not influence others while conducting the IT auditing process. In this way a professional, legal and ethical auditing process can be conducted to produce an efficient IT audit report.
In conclusion, in light of the above it can be said that every application used by the different entities had some weaknesses and loopholes that have been identified, and these can be mitigated using proper IT strategies. The responsibilities of an IT auditor show that the auditor must be professional, ethical and lawful.
DeFond, M. and Zhang, J., 2014. A review of archival auditing research. Journal of accounting and economics, 58(2-3), pp.275-326.
Furnham, A. and Gunter, B., 2015. Corporate assessment (Routledge Revivals): auditing a company's personality. Routledge.
Hall, J.A., 2015. Information technology auditing. Cengage Learning.
Knechel, W.R. and Salterio, S.E., 2016. Auditing: Assurance and risk. Taylor & Francis.
Leung, P., Coram, P., Cooper, B.J. and Richardson, P., 2015. Modern auditing and assurance services. John Wiley & Sons.
Power, M.K. and Gendron, Y., 2015. Qualitative research in auditing: A methodological roadmap. Auditing: A Journal of Practice & Theory, 34(2), pp.147-165.
Ren, Y.J., Shen, J., Wang, J., Han, J. and Lee, S.Y., 2015. Mutual verifiable provable data auditing in public cloud storage. Journal of Internet Technology, 16(2), pp.317-323.
Sandvig, C., Hamilton, K., Karahalios, K. and Langbort, C., 2014. Auditing algorithms: Research methods for detecting discrimination on internet platforms. Data and discrimination: converting critical concerns into productive inquiry, 22.
Wang, B., Li, B. and Li, H., 2014. Oruta: Privacy-preserving public auditing for shared data in the cloud. IEEE transactions on cloud computing, 2(1), pp.43-56.
Yu, J., Ren, K., Wang, C. and Varadharajan, V., 2015. Enabling cloud storage auditing with key-exposure resistance. IEEE Transactions on Information forensics and security, 10(6), pp.1167-1179.