Auditing Assignment: IT Management in Western Australian Agencies
Question
This auditing assignment is designed to assess students' ability to apply theoretical learning to practical, real-world situations. Students are given an IT audit report prepared by the Office of the Western Australian Auditor General and are required to address the following:
- Identify the audit focus and scope
- Describe audit findings in the Department of Health
- Describe audit findings in the Department of Mines, Industry Regulation and Safety
- Describe audit findings in the Office of State Revenue
- Describe audit findings in the Western Australian Electoral Commission
- Describe audit findings in the KeyStart Housing Scheme Trust
- Discuss the professional, legal, and ethical responsibilities of an IT Auditor
Answer
Introduction
Western Australian (WA) Government agencies gather and store large volumes of sensitive and confidential information. These agencies rely on numerous IT tools and products to carry out their operations, store information, and maintain continuity of Government activities.
Specific management controls and mechanisms are required to ensure that these IT tools and services are used properly. This assignment reviews the IT audit report of the WA State Government to understand the audit focus, scope, and findings (Walby & Yaremko 2020).
Audit Focus and Scope
The audit focus and scope cover three major areas of IT management: password management, application controls, and general controls.
The five agency applications examined in the audit are the patient medical record system of the Department of Health; the Tenancy Bonds Management System of the Department of Mines, Industry Regulation and Safety; the First Home Owner Grant online system of the Office of State Revenue; the Election Management System of the WA Electoral Commission; and the KeySmart system of the Keystart Housing Scheme Trust (Gray, Manson & Crawford 2019).
The general controls audit examines information security at 47 agencies to identify gaps and weaknesses.
Audit Findings in the Department of Health
According to the audit, only a small number of hospitals in WA use the patient medical record system. The system stores sensitive and critical patient information, including medical records and patient identities. The audit reported the following findings on the system and the DoH:
- Inadequate decision-making by the DoH has negatively affected the digitisation strategy in the medical and healthcare sector. One objective of implementing the application was to reduce the cost of managing paper-based records, but no evidence of such savings could be found, and large gaps were detected between the estimated and actual electronic storage requirements. There are recurring system outages and additional costs, and the DoH has not performed root cause analysis (Lenning & Gremyr 2017).
- Poor contract management was detected, indicating gaps in the budget estimate that may lead to a budget overrun. The current $20 million contract does not cover hardware costs, vendor licensing costs, staff resources, or offsite storage. As of May 2018 the DoH had made no effort to close these gaps, even though the contract expires in August 2018.
- Manual processes still exist in the hospitals and medical centres that have implemented the automated application, because the implementation does not cover all clinical workflows. System instability results in manual tracking, poor reporting functionality, and an unresponsive system.
- Significant security issues were identified in the application, as listed below:
  - The DoH has no formal and detailed vulnerability assessment and management process in place, which can lead to unauthorized access, data breaches, and other security violations involving sensitive health information. The vulnerability scan identified 54 critical and 102 high-severity vulnerabilities, primarily due to missing software updates (Ismail & Islam 2020).
  - Weak password configuration was detected on network accounts: 40% of passwords were weak, and there is a high number of privileged accounts. Because of the weak passwords, a large number of accounts are exposed to password-guessing attacks.
  - User account management practices are faulty: over 15% of accounts were found to be dormant, having not logged in even once in the past year. This may lead to unauthorized access and poor access control.
  - Continuity management processes are not properly defined; there is no business continuity plan or disaster recovery plan, so business continuity may be lost in the event of a disaster.
  - There is no formal framework or procedure for identifying and managing application risks, increasing the likelihood of significant security violations.
  - Design documentation is out of date, placing the application at high risk of failure. The documentation has not been updated since 2014.
Audit Findings in the Department of Mines, Industry Regulation and Safety
The Tenancy Bonds Management System (TBMS) is used to process residential and long-stay tenancy bonds. The system stores and manages confidential and sensitive information, such as applicants' driver's licence details and banking information. The audit findings are as follows:
- Access control mechanisms and measures are inadequate: 10% of BondsOnline passwords are weak, and there is no account lockout policy on the portal. External user accounts, such as real-estate agents' accounts, are poorly managed; 23% of these accounts have not been accessed for more than one year, which increases the likelihood of unauthorized access. Access information is not encrypted, leaving the system vulnerable to security attacks and violations (Johnson 2015).
- There is no defined vulnerability management policy, and vulnerability scans and patching are lacking. The scan identified 975 vulnerabilities, of which 182 are critical and 793 high-rated; 508 of these are publicly known and can be exploited by attackers. The last update was installed in November 2016, and a set of updates released by the vendor in January 2015 has still not been applied.
- Sensitive information is at risk of exposure due to the lack of proper security controls. DMIRS shares sensitive details with third parties through an insecure portal with no authentication or encryption. This weakness was first identified in 2016 and has not been corrected. Insecure access to documents, lack of de-identification of sensitive data, and easy-to-guess database passwords are further issues.
- There is no formal procedure or mechanism for logging and monitoring key activities, which can leave major gaps. The application and its supporting infrastructure are reviewed on an ad-hoc basis without any formal schedule.
- The IT risks associated with the application have not been assessed, leaving a high probability that such attacks will occur.
- Regular testing of backups is not defined, increasing the likelihood of data loss and integrity issues. Documentation updates are also not carried out under a formal procedure.
Audit Findings in the Office of State Revenue
The First Home Owner Grant online system (FHOG Online) determines and processes the one-off payment made to first home owners. The system holds confidential and personal details of grant applicants, including their bank account information. The audit provides the following findings:
- A significant amount of unprotected personal data is present in the test environment, which lacks proper security controls to safeguard the information. Password validation is not enforced, leading to easy-to-guess passwords; for example, some passwords were the same as the username and some were only three characters long. The passwords on privileged accounts have not been changed in the past 2 years. These weaknesses can lead to access control issues.
- The lack of properly segregated duties creates risks to the integrity and security of grant payments: the same person processes grant payments and carries out payment reconciliations. The files used in payment processing are plain text and can be appended to without any mechanism to detect the change. This may lead to the compromise of sensitive information and to data integrity issues (Mazza & Azzali 2015).
- Despite the implementation of the application, several manual processes remain in place. For example, Grant Officers at the Office of State Revenue manually check external systems to verify the application criteria, and a manual spreadsheet is used to notify officers of additional investigations.
- Gaps in the IT controls were identified which can cause access violations and other security risks. There is no formal vulnerability assessment and management system, so vulnerabilities may go unrecognized and turn into security incidents. The change management procedure is not documented or properly defined, which may lead to unrecorded changes and integrity gaps. The privileges and permissions granted to users of the FHOG system are not reviewed regularly, which may cause access issues.
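The FHOG finding that plain-text payment files can be appended to without detection points at a simple compensating control: the person who prepares a batch seals it with a keyed hash, and the person who reconciles it verifies the seal before acting on the file. The following is an added example written for this assignment, not code from the audit report or from the Office of State Revenue; the pipe-delimited file layout, the sample records, and the idea of handing over a small manifest beside the file are assumptions made for the illustration.

```python
"""Tamper-evident sealing of a plain-text payment batch (added example).

The preparer computes an HMAC-SHA256 over the exact file content and records
it in a manifest together with the line count. The reconciler recomputes the
HMAC before processing; any appended, removed or edited line changes the
digest. The key must be held by the reconciler, not by whoever can write the
file, otherwise the seal can simply be recomputed after tampering.
"""
import hashlib
import hmac
import secrets

# Constructed sample batch: one grant payment per line (fictitious values).
SAMPLE_BATCH = (
    "FHOG-2018-0001|APPLICANT A|BSB 000-000|ACCT 00000001|10000.00\n"
    "FHOG-2018-0002|APPLICANT B|BSB 000-000|ACCT 00000002|10000.00\n"
)


def seal_batch(content: str, key: bytes) -> dict:
    """Produce the manifest the preparer hands over alongside the file."""
    digest = hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"line_count": content.count("\n"), "hmac_sha256": digest}


def verify_batch(content: str, manifest: dict, key: bytes) -> tuple:
    """Recompute the seal; return (ok, reason) so the reconciler can log why a file was rejected."""
    line_count = content.count("\n")
    if line_count != manifest["line_count"]:
        # Cheap first check: an appended line shows up here before any hashing.
        return False, f"line count changed: {manifest['line_count']} -> {line_count}"
    expected = hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak digest bytes.
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return False, "content digest mismatch"
    return True, "ok"


def demo() -> tuple:
    """Seal the sample batch, then show that an appended payment line is detected."""
    key = secrets.token_bytes(32)  # held by the reconciler; never written into the batch file
    manifest = seal_batch(SAMPLE_BATCH, key)
    untouched_ok, _ = verify_batch(SAMPLE_BATCH, manifest, key)
    appended = SAMPLE_BATCH + "FHOG-2018-9999|NOT A REAL GRANT|BSB 000-000|ACCT 99999999|10000.00\n"
    appended_ok, _ = verify_batch(appended, manifest, key)
    return untouched_ok, appended_ok  # (True, False)


if __name__ == "__main__":
    print(demo())
```

The seal only helps if the sealing key is not available to the same person who can edit the file, which is exactly the segregation-of-duties point the audit makes: with one person processing payments and reconciling them, no integrity check on the file closes the gap.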
Audit Findings in the Western Australian Electoral Commission
The Election Management System WA (EMSWA) was developed to manage election-related information, including the personal and demographic information of voters. The IT audit of the system produced the following findings:
- Security weaknesses were identified in the system which may lead to access violations and other security issues. The password policy for the system databases has not been updated in the past 2 years. Sensitive information in the database is not encrypted, leaving it vulnerable to security and privacy attacks. Voters' personal information can be copied into the test environment, where security controls are much weaker; this easy transfer of personal and sensitive information leaves it susceptible to attack (Mazza & Azzali 2016).
- WAEC has not defined any formal plan or process to follow in the event of a disaster, so recovery would be unplanned, worsening the impact of a disaster and increasing the time needed to recover. Some recovery procedures exist in the IT DRP, but they have not been tested and may not be effective when needed.
- WAEC has no defined logging and monitoring process for tracking key events, so changes to the system and its data may go undetected; unauthorized changes could be made and would be extremely difficult to identify.
- Some manual procedures are still followed and can contribute to security gaps. For example, Legislative Council ballot information is entered manually into a system called CountWA, which calculates the results; the results are then manually entered into the system, which can cause major gaps. Legislative Assembly ballot information is likewise entered manually into spreadsheets.
Audit Findings in the KeyStart Housing Scheme Trust
The KeySmart system handles home loan enquiries and manages application processing, broker commissions, and loans. The system audit found the following:
- User management mechanisms are inadequate and there are issues with the passwords in use on the system. 32 system accounts were found that had not been used for 1 to 8 years, increasing the possibility of access control violations by malicious parties. 20 accounts had extremely weak passwords that attackers could easily guess to gain unauthorized access to the database and system information. 11 accounts had not changed their passwords in 6 years, and the system also lacks appropriate database security (Murashbekov 2019).
- Despite a vulnerability management system being in place, numerous vulnerabilities were identified on the KeySmart application and its database, including four critical and 53 high-rated vulnerabilities that attackers could exploit. The primary reason identified is poor configuration and implementation of patches. As a result, the confidential and private information in the KeySmart application is exposed to security risks (Otero 2018).
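The dormant-account and weak-password findings recur across the report (DoH accounts not logged in for a year, TBMS external accounts unused for over a year, FHOG passwords equal to the username or three characters long, KeySmart accounts unused for 1 to 8 years with passwords unchanged for 6 years). The review behind such findings is mechanical once an account export is available. The following is an added example for this assignment, not code from the audit report or any of the agencies: it runs a hygiene review over a constructed account export and shows a password validator that rejects the patterns the FHOG finding describes. The export layout, the review date, the thresholds, and the small deny-list are all assumptions.

```python
"""Account hygiene review and password validation (added example).

review_accounts() flags accounts that never logged on, have been dormant
longer than DORMANT_DAYS, or carry a password older than MAX_PASSWORD_AGE_DAYS,
and marks privileged accounts so they can be remediated first.
validate_password() is the kind of check whose absence lets "password equals
username" and three-character passwords through.
"""
from datetime import date

DORMANT_DAYS = 365           # assumption: one year without a logon is dormant
MAX_PASSWORD_AGE_DAYS = 365  # assumption: review threshold for stale passwords
MIN_PASSWORD_LENGTH = 12     # assumption: minimum length enforced on new passwords
COMMON_PASSWORDS = {"password", "welcome1", "changeme", "123456"}  # constructed deny-list stub

# Review date (assumed) and a constructed export:
# (username, is_privileged, last_logon or None, password_last_set)
AS_OF = date(2018, 5, 31)
SAMPLE_ACCOUNTS = [
    ("clerk01", False, date(2018, 5, 2), date(2018, 1, 10)),   # healthy
    ("svc_batch", True, date(2017, 1, 15), date(2012, 6, 1)),  # dormant, stale, privileged
    ("agent_x", False, None, date(2016, 9, 1)),                # external account never used
    ("dba_admin", True, date(2018, 4, 30), date(2016, 3, 3)),  # active but stale privileged password
]


def review_accounts(accounts, as_of):
    """Return {username: [issue, ...]} for every account with at least one issue."""
    findings = {}
    for username, privileged, last_logon, pwd_set in accounts:
        issues = []
        if last_logon is None:
            issues.append("never logged on")
        elif (as_of - last_logon).days > DORMANT_DAYS:
            issues.append(f"dormant {(as_of - last_logon).days} days")
        if (as_of - pwd_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password unchanged {(as_of - pwd_set).days} days")
        if privileged and issues:
            # A dormant or stale privileged account is the highest-impact case.
            issues.append("privileged account")
        if issues:
            findings[username] = issues
    return findings


def validate_password(username, password):
    """Return the list of reasons a proposed password is unacceptable (empty list = accepted)."""
    reasons = []
    if password.lower() == username.lower():
        reasons.append("same as username")
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password deny-list")
    return reasons


def summarize(findings, total):
    """Headline numbers in the form the audit reports them (count and percentage dormant)."""
    dormant = sum(
        1 for issues in findings.values()
        if any(i == "never logged on" or i.startswith("dormant") for i in issues)
    )
    return {"total": total, "dormant": dormant, "dormant_pct": round(100 * dormant / total, 1)}


if __name__ == "__main__":
    found = review_accounts(SAMPLE_ACCOUNTS, AS_OF)
    for name, issues in found.items():
        print(name, "->", "; ".join(issues))
    print(summarize(found, len(SAMPLE_ACCOUNTS)))
    print(validate_password("clerk01", "clerk01"))
```

Two design points follow the audit's own emphasis: dormant and stale accounts are reported with the privileged flag attached, because those are the accounts whose compromise matters most, and the password validator returns every failing reason rather than stopping at the first, so a user (or an auditor sampling the rule set) sees the full policy at once.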
IT Auditor - Professional, Legal, and Ethical Responsibilities
The IT Auditor is the primary person responsible for conducting IT audits, and must fulfil certain professional, legal, and ethical responsibilities.
The professional duties and responsibilities include:
- Examination of the internal IT controls and measures in place, to identify the gaps present and to estimate the risk exposure arising from those gaps
- Investigation of the security status of the IT tools, products, and services in use, to produce a list of risks with risk levels in the areas of information, network, and system security (Nikiforov 2015)
- Listing of the measures the organization should adopt to improve its security and operational status
- Review of the organization's documents and procedures for IT change management, IT risk management, the Disaster Recovery Plan, the Vulnerability Assessment and Management Plan, and the Business Continuity Plan
- Determination of the backup plan and scheme the organization follows to back up its data
- Review of the update, monitoring, and patch management processes and plans the organization follows, with a listing of the gaps found (Pompon 2016)
- Development of recommendations for improving IT security and management, with each recommendation mapped to the gaps and issues identified
- Development of a detailed IT audit report explaining the focus, scope, findings, recommendations, and action plan
The IT Auditor must also fulfil certain legal and ethical responsibilities, including:
- Compliance with the applicable legislative and regulatory frameworks and requirements, such as the IT Privacy Act, Cyber Laws, Intellectual Property, and other laws governing IT systems and security management
- Upholding the integrity principles and norms of the organization both during the audit and when reporting its outcomes
- Conducting IT audits without bias or preconceived notions, and maintaining the privacy and confidentiality of the outcomes at all times
- Sharing information during and after the audit only with authorized members and stakeholders (Pratiwi et al. 2019)
- Continually enhancing professional knowledge and skills in order to conduct audits accurately and to guide the rest of the team
- Adherence to the organization's internal policies, procedures, and frameworks during the audit
Conclusion
The audit of the five major applications used in WA agencies reveals significant gaps and issues that must be addressed. All five agencies lack effective security controls, which can lead to serious security attacks and risks in the future. Access control measures are either not implemented properly or have not been updated for a long time. Weak passwords and poor database security are also common findings, together with a lack of proper risk assessment and vulnerability assessment procedures. User accounts are not managed effectively, and the many dormant accounts increase the chance of access violations. The lack of encryption, the absence of disaster recovery plans, and poor change management procedures are further security issues identified in the IT audit.
References
Gray, I, Manson, S & Crawford, L 2019, The audit process: principles, practice and cases, Cengage Learning, Andover.
Ismail, UM & Islam, S 2020, 'A unified framework for cloud security transparency and audit', Journal of Information Security and Applications, vol. 54, p. 102594.
Johnson, R 2015, Security policies and implementation issues, Jones & Bartlett Learning, Burlington, MA.
Lenning, J & Gremyr, I 2017, 'Making internal audits business-relevant', Total Quality Management & Business Excellence, vol. 28, no. 9-10, pp. 1106–1121.
Mazza, T & Azzali, S 2015, 'Effects of Internal Audit Quality on the Severity and Persistence of Controls Deficiencies', International Journal of Auditing, vol. 19, no. 3, pp. 148–165.
Mazza, T & Azzali, S 2016, 'Information Technology Controls Quality and Audit Fees: Evidence From Italy', Journal of Accounting, Auditing & Finance, vol. 33, no. 1, pp. 123–146.
Murashbekov, O 2019, 'Challenges on introducing information security standards: a case study', Journal of Security and Sustainability Issues, pp. 665–674.
Nikiforov, S 2015, 'On the competitive selection of the auditor', Auditor, vol. 0, no. 18, pp. 18–26.
Otero, AR 2018, Information Technology Control and Audit, Auerbach Publications.
Pompon, R 2016, IT Security Risk Control Management: An Audit Preparation Plan, Apress, Berkeley, CA.
Pratiwi, W, Rizal, N, Indrianasari, NT, M, WW & Ifa, K 2019, 'Auditor Competence, Auditor Independence, Auditor Experience, Audit Fees and Time Budget Pressure against Fraud Detection', Journal of Advanced Research in Dynamical and Control Systems, vol. 11, no. 12, pp. 26–33.
Walby, K & Yaremko, J 2020, 'Freedom of Information Audits as Access Advocacy', The Journal of Civic Information, vol. 2, no. 2, pp. 22–42.