Auditing Assignment: Governance & General Controls of NSW Auditor
Task: In this auditing assignment you are required to analyze an IT audit report conducted by the office of the New South Wales Auditor General and to do the following:
- Identify the audit focus and scope
- Describe high risk IT issues in the NSW city councils
- Describe audit findings related to IT governance in the NSW city councils
- Describe audit findings related to IT general controls in the NSW city councils
- Describe audit findings related to cyber security management in the NSW city councils
- Highlight the professional, legal, and ethical responsibilities of an IT auditor.
The 2019 local government report for New South Wales (NSW) examined in this auditing assignment presents a satisfactory result. NSW has 10 county councils, 128 local councils, and 3 joint organizations. They generated revenue of $15.3 billion with a liability of $7.3 billion. The councils have raised 1,947 audit matters, of which 41% relate to Information Technology. Of the IT findings, 80% relate to an insufficient cyber-security framework or policy, and 68% relate to access management. This report describes the governance and general controls findings of the NSW auditor.
2. Identify the Audit Scope and Focus
2.1. Audit Scope
The audit scope defines the processes covered by the audit report. The scope covers the councils' IT governance and risk management, including how risks are identified and mitigated. The audits focus on the financial sector of the council and the reporting about it. The objective of the audit is to give an opinion on the council's financial statements, which will help to mitigate the council's risks. The scope also covers the council's risk management and gives IT governance scope to mitigate the risks.
2.2. Audit Focus
The audit office examines a small number of specified topics across the councils. It selects topics that will improve public-sector accountability and the administration of governance. The audit also focuses on the risks and challenges the government is facing. The 2018-19 financial audits discussed credit card management, fraud controls, the benefits of financial audits, cybersecurity, and landfill rehabilitation.
In 2020 the audit reports emphasize the purpose of credit cards, planning agreements, and procurement management. The audit reports also focus on the risks that local governments are facing and how to improve in those risk areas. The security of the systems is also discussed. The report also emphasizes the sewage problem in rural areas.
3. High-Risk Issues in The NSW City Councils
High-risk issues in the NSW city councils are based on asset management. The research shows a reduction in high-risk matters compared with last year. The asset management system keeps the data about the council's property and organization. It generates risks such as cybersecurity risks and creates conditions in which the risks can be mitigated (Komljenovic et al., 2016). The council can face these risks because of the complexity of the system and a lack of knowledge about the infrastructure. The high risks that were reported in the councils are:
- Bayside Council has high-risk issues such as data quality management. The data are classified incorrectly, which shows that the result of the data is not adjusted to the assets.
- Dungog Shire Council made a fixed assets register, which delayed the financial reporting process.
- Lockhart Shire Council capitalized costs wrongly, so the asset reconciliation was not achieved properly.
- The Mid-Coast Council did not upload the register until the end of the year. This places emphasis on the disparaging of the assets.
The low risks found in the asset management systems are the non-timely recognition of assets on the asset register and the use of spreadsheets to keep the data, which cannot protect the database. Assets have not been merged into the asset management systems, and numerous asset registers are used to keep records of the different asset classes. The audit report shows that sixty-seven issues were found relating to the asset valuation process. The key issues found in the councils are:
- Cootamundra-Gundagai Regional Council did not have sufficient information about the componentization of the assets.
- Inner West Council had not performed quality assurance of the asset valuation, which led to mistakes in the council's financial statement.
- Berrigan Shire Council did not value its road assets, and the work papers for water and sewerage were not assembled correctly.
- Murray River Council did not carry out the infrastructure valuation and did not conduct the valuation of the transportation assets.
Other issues found relating to the asset valuation process are that the valuation of infrastructure assets has no regularity, that there is no quality review procedure, and that the assets are not assembled correctly. Without an appropriate procedure, the indirect cost of the asset could not be allocated.
4. IT Governance Related to Audit Findings in The NSW City Councils
Information technology (IT) provides benefits to the council system. It has been shown that IT governance governs and monitors the financial system of the councils. IT governance gives the council a structure for managing its IT risks and guarantees that IT activities are aligned with the council's objectives. To avoid the risks, the IT policies should be up to date. A lack of formal IT policies and procedures increases unsuitable access to the database. The governance should check on the security of information technology, and it should include a problem management system that will help to mitigate the council's risks.
The councils should identify the risks, monitor them properly, and then report on them. IT governance can help to mitigate the risks within the timeframe, so that the councils' work is not delayed. IT governance works within a framework, which defines the methods by which the council can manage and monitor its work. IT governance in the council helps to define the principal rules and supports effective decision-making. IT governance is important for the council because it helps to achieve the goals and maintain the legal and ethical standards of the councils. To achieve this goal, IT governance helps to enable a strategy and objectives for the council.
IT governance will preserve the efficiency and effectiveness of the council. Information technology, with the help of the COBIT 5 framework, will elevate the service of the council. COBIT 5 is being rapidly adopted in information technology governance to meet the goals of the council. COBIT 5 will improve the performance of IT governance (Andry, 2016). COBIT 5 focuses on the delivery, service, and result system of the organization. The COBIT 5 domains align, plan, and organize the processes in the council. The COBIT 5 framework will help the NSW city councils to mitigate the risks and to give better service to the citizens.
5. General IT Controls Related to The Audit Findings in The NSW City Councils
According to NSW, the audit recommendations should be addressed by the councils within an appropriate time. Councils can disseminate risk issues so that the resolution process is prioritized over other activities. In addition, the council needs to confirm that previously assessed issues have been resolved, to prevent them from happening again. Implementing assessment tools helps in understanding the interaction with a professional auditing system when building risk maps, allowing imbalances to be eliminated and providing high-quality management information (Vovchenko et al., 2017). IT helps in managing the internal controls that address activities for mitigating assessed risks, so that the organization can achieve its objectives.
5.2. Further Improvement
Governance improvement of the internal control system by NSW councils is explained in terms of having an improvement, risk, and audit committee. It is mandatory to make these committees active by March 2021, and organizations are encouraged to adopt the committee framework as early as possible. NSW stated that it wants to ensure the key IT policies and regularly review emerging risks so that changes are reflected within a short time. IT involvement plays an important role in maintaining financial auditing in the Enterprise Resource Planning (ERP) process (Barta, 2018). Further improvement also relates to improving user access management processes, to ensure that changes to information systems are adequately controlled. The councils should maintain basic governance and internal controls associated with cyber-security. The councilors rely on IT for managing and delivering information while focusing on cyber-security management and improvement.
5.3. Compliance Framework
The compliance framework in audit management aims to improve the security process and implement control tools for risks from IT audit functions (Mladenović and Radović, 2018). NSW councilors are also determined to comply with the legislative framework of appropriate laws and regulations. This can help NSW to identify and prevent fraud and to ensure a model code for adequately processing and controlling cyber-security management. COBIT is one such IT management framework; it helps organizations to develop and implement strategies with appropriate governance and information systems.
6. Cyber Security Management Related to The Audit Findings in The NSW City Councils
The following points are discussed here for the council to strengthen IT control and cyber-security management:
- The council should ensure that its key IT policies are formalized. The IT policies should be reviewed regularly to ensure that emerging risks are considered and that the policies reflect changes in the IT environment.
- The council should identify its IT risks and the reasons those risks may occur. After identification, the risks have to be managed appropriately.
- The council should improve its user access management processes to ensure that there are acceptable controls for making changes to the information system. The council also has to take care of the security of the information system.
- The council has to implement at least basic governance and internal controls to manage the risks associated with cyber-security.
The city councils of New South Wales respond that their handling of cyber-security risks can be improved. The NSW Cyber Security Policy at the state government level states that it is important to have a strong security component in the strategy of the NSW Digital Government Policy. The term cyber-security covers all the measures used to protect systems, and the information processed, stored, or communicated on them, from compromise of confidentiality, integrity, and availability. Councils may find it useful to refer to the policy for further guidance, although there is currently no requirement for councils to comply with the State Government's cyber-security policy.
Poor cyber-security can increase the level of risk. These risks include the loss of financial information, reputational damage, and data breaches. These risks may affect cyber-security policy. They are:
- Theft of corporate financial information and intellectual property.
- Theft of money.
- Denial of service.
- Destruction of data.
- Costs of repairing affected networks and devices.
- Legal action and fees from losses arising from denial-of-service attacks that bring down critical systems.
- Third-party losses when personal information stored on government systems is used for criminal purposes.
Improvement of the councils' cyber-security is required because most councils have yet to implement the basic governance elements, such as a cyber-security policy framework.
7. Highlights of The Legal, Professional and The Ethical Responsibilities of An IT Auditor
7.1. Legal Responsibilities of an IT Auditor
The responsibilities of an IT auditor are to analyze and assess the technological infrastructure of a company in order to provide assurance over its systems and processes. The IT auditor checks whether the systems are running efficiently and accurately while remaining secure and compliant with regulations. Legal responsibilities exist to achieve the objectives of the IT auditor. Internal audit prescribes the professional responsibilities that relate to the detection of fraud (DeZoort and Harrison, 2016). The responsibilities of an IT auditor are auditor objectivity, auditor independence, auditor integrity, and the technical standards that relate to the auditor. These responsibilities are required to satisfy the council according to the NSAs and International standards of accounting.
The legal responsibilities of an IT auditor are to ensure compliance with the established internal control procedures. Compliance is checked by examining the reports, the records, the operating practices, and the documentation. The IT auditor is also responsible for verifying liabilities and assets by comparing the items to documentation. The audit work papers are completed by documenting the audit findings and the audit tests.
7.2. Professional Responsibilities of an IT Auditor
Professional responsibilities of an IT auditor should not be predicted until reasonable judgments have been presented and made in good faith (Brown, Majors and Peecher, 2020). The professional responsibilities of an IT auditor are:
- Identifying weaknesses in the system and making an action plan to prevent security breaches.
- Planning the procedures of the internal audit.
- Creating internal audit reports.
- Creating and collaborating on a solid IT infrastructure.
- Devising and implementing procedures and network security policies.
- Traveling to the sites of the clients.
The responsibilities explained briefly:
- The IT auditor contributes to the team effort by accomplishing related results as required.
- The IT auditor maintains technical and professional knowledge by attending educational workshops, reviewing professional publications, participating in professional societies, and establishing personal networks.
- The IT auditor prepares special control reports and audits by collecting, analyzing, and summarizing trends and information.
- The IT auditor complies with state, federal, and local legal security requirements by studying existing and new security legislation.
7.3. Ethical Responsibilities of an IT Auditor
The code of ethics sets forth four rules for auditors: integrity, objectivity, confidentiality, and competency. The integrity rule reflects clients' expectation that auditors will uphold the guidelines and principles. The objectivity rule requires the auditor to perform services that are impartial and free from self-serving and biased activities. The confidentiality rule is to share information only with authorized stakeholders. The competency rule requires the IT auditor to pursue continuing professional development so as to remain current and knowledgeable.
The IT audit in NSW is responsible for assessing and analyzing technological infrastructure and internal issues regarding security structure, governance process, and technology implementation. It ensures efficiency and accuracy in the system process. The report found that the council should provide enough time and resources during financial reporting. It also set a high standard in the accounting process.
Andry, J. F. (2016) ‘Audit of IT Governance Based on COBIT 5 assessments: A case study’, Jurnal Nasional Teknologi dan Sistem Informasi, 2(2), pp. 27–34.
Barta, G. (2018) ‘The increasing role of IT auditors in financial audit: risks and intelligent answers’, Business, Management and Education, 16(1), pp. 81–93.
Brown, T., Majors, T. M. and Peecher, M. E. (2020) ‘Evidence on how different interventions affect juror assessment of auditor legal culpability and responsibility for damages after auditor failure to detect fraud’, Accounting, Organizations and Society, p. 101172.
DeZoort, T. and Harrison, P. (2016) ‘An evaluation of internal auditor responsibility for fraud detection’, The Institute of Internal Auditors Research Foundation.
Komljenovic, D. et al. (2016) ‘Risks of extreme and rare events in Asset Management’, Safety Science, 88, pp. 129–145.
Mladenović, V. and Radović, O. (2018) ‘Establishing an effective internal IT-audit function and control’.
Vovchenko, N. G. et al. (2017) ‘Ensuring financial stability of companies on the basis of international experience in construction of risks maps, internal control and audit’.