Auditing Assignment: IT Audit Associated with NSW City Councils
In this auditing assignment you are required to analyze an IT audit report produced by the Office of the New South Wales Auditor-General and to do the following:
- Identify the audit focus and scope
- Describe high risk IT issues in the NSW city councils
- Describe audit findings related to IT governance in the NSW city councils
- Describe audit findings related to IT general controls in the NSW city councils
- Describe audit findings related to cyber security management in the NSW city councils
- Highlight the professional, legal, and ethical responsibilities of an IT auditor.
The audit report examined in this assignment covers several aspects of the NSW local councils. It focuses on four major areas; this assignment concentrates on its IT audit findings.
Audit Focus and Scope
The first area is financial reporting and performance. Sound financial reporting is central to good governance, and strong financial performance and governance mechanisms underpin a council's ability to deliver services and meet community needs. The second area is governance and internal controls (Lenning and Gremyr, 2017): effective, streamlined governance gives councils the ability to manage their operations and activities.
The third area is information technology. Councils deliver services and run their operations through IT systems, but those systems also introduce risks, so the audit assesses both the benefits and the risks of IT. The fourth area is asset management: it is the council's responsibility to ensure that its assets are managed effectively (Nurunnabi, Donker and Jermakowicz, 2020).
The scope of the report covers local government in NSW, comprising 128 local councils, 10 county councils and 13 joint organisations. The audit applies to these councils and joint organisations.
High risk IT issues in the NSW City Councils
Several high-risk IT issues were identified in the NSW councils. They are listed and explained below.
- In many local councils, significant IT policies and procedures are absent or incomplete. IT policies are essential for proper IT management; without them a council cannot manage its IT risks and concerns (Whitman and Mattord, 2019).
- IT risk management processes and activities are limited or missing. Councils with few risk management mechanisms make it easier for security risks to materialise and for attacks to succeed.
- Periodic user access reviews are not performed over key financial systems and information, so access violations may go undetected and the security and privacy of that information may be compromised.
- Shared user accounts are used by many local councils, which removes individual accountability for actions and creates a range of security issues (Joshi and Singh, 2017).
- Segregation of duties is either not properly designed or not enforced in some key financial systems and applications.
- Privileged user access is often not adequately restricted, and monitoring of it is lacking.
- Password configurations on various systems and applications are weak.
- Systems have been implemented with missing or inadequate documentation, without proper sign-off, and with defects left unresolved.
Audit Findings - IT Governance
IT governance is a significant component of managing information technology and information systems. It provides a defined structure through which councils can manage the specific risks and issues that emerge, and it is necessary to ensure that IT activities are aligned with the council's goals and objectives (Bishop, 2016).
The audit of IT governance produced several significant findings.
The first finding concerns IT policies, which are either not formally established or not kept up to date. Policies should be formalised and reviewed regularly so that they reflect current risks and significant changes to the IT environment. Where adequate IT policies are absent, controls are applied inconsistently, and vulnerabilities arise that increase the likelihood of inappropriate access and other adverse outcomes (Peltier, 2015).
The 2017-18 audit found that 71% of councils did not have adequate IT policies in one or more areas, namely IT security, IT change management, incident and problem management, disaster recovery, and business continuity. It also found that 25% of councils had IT policies that were out of date. No major improvement in formalising IT policies was observed across the councils.
The second major governance finding is that more councils need to identify and report their IT risks. Councils must determine the issues arising from their use of IT and communicate them to those charged with governance (Goodman, Straub and Baskerville, 2016). This ensures awareness of the risks, an appropriate response to each, and a realistic timeframe for addressing them. The 2017-18 audit showed that 41% of councils did not maintain an IT risk register, and 22% had gaps in reporting IT issues to management.
Audit Findings - IT General Controls
The key findings on IT general controls fall into three areas: user access management, program change management, and disaster recovery planning.
User Access Management
Councils deliver their services through IT systems, so the effectiveness of user access management determines how exposed those systems are to unauthorised access. The audits found that some councils had improved their user access controls, but significant gaps remain (Choi, 2019). In 2017-18, 40% of councils did not have controls over approving access for new users and 38% did not restrict privileged access. Privileged user accounts were not monitored by 71% of councils, periodic user access reviews were not performed by 64%, password controls were insufficient at 43%, and 33% did not have controls for removing user access on a timely basis. The controls that councils need to strengthen are listed below.
- Formal approval shall be obtained before new access is granted or existing access is changed on IT systems.
- Access shall be removed on a timely basis when it is no longer required, and the removal shall be monitored.
- Strong password controls are essential for effective access control.
- Access shall be reviewed and monitored regularly to identify discrepancies.
- Access rights and permissions shall be restricted to what each role requires (Kim and Chung, 2018).
- Privileged access shall be properly monitored.
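The controls listed above are the ones an auditor tests during a user access review: reconciling the account list against HR records, looking for shared and unapproved accounts, checking when privileged accounts were last reviewed, and comparing the password settings with a baseline. The script below is an added example of such a review, not code from the Auditor-General's report or from any council system; the HR roster, the account export, the password settings and the baseline values are all constructed for the illustration, and the system name is hypothetical.

```python
"""User-access-review checks of the kind the audit describes.

Added example, not from the Auditor-General's report or any council system.
All names, accounts and policy values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed HR data: who should hold access today, and who has left.
HR_ACTIVE_STAFF = {"a.smith", "b.jones", "c.wong"}
HR_LEAVERS = {"d.brown"}
REVIEW_DATE = date(2024, 1, 15)  # the date the review is performed


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool
    approved_by: Optional[str]      # evidence that the access grant was approved
    last_reviewed: Optional[date]   # date of the last periodic access review
    owner_count: int = 1            # more than one known user means a shared account


# Constructed account export from a hypothetical finance application.
ACCOUNTS = [
    Account("a.smith", True, False, "mgr1", date(2023, 6, 1)),
    Account("b.jones", True, True, "mgr1", None),               # privileged, never reviewed
    Account("c.wong", True, False, None, date(2023, 6, 1)),     # no approval evidence
    Account("d.brown", True, False, "mgr2", date(2022, 1, 1)),  # leaver, still enabled
    Account("finance_shared", True, False, "mgr2", date(2023, 6, 1), owner_count=3),
    Account("e.old", False, True, "mgr1", None),                # disabled, so out of scope
]

# Constructed password settings exported from the same application, and the
# baseline they are tested against (example values, not a published standard).
PASSWORD_POLICY = {"min_length": 6, "complexity": False, "max_age_days": 0, "lockout_threshold": 0}
BASELINE_POLICY = {"min_length": 12, "complexity": True, "max_age_days": 90, "lockout_threshold": 10}


def review_accounts(accounts, active_staff, leavers, today,
                    privileged_review_days=90, standard_review_days=365):
    """Return (username, finding) pairs for every enabled account that fails a control."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.username in leavers:
            findings.append((a.username, "leaver account still enabled"))
        elif a.username not in active_staff:
            findings.append((a.username, "no matching HR record"))
        if a.owner_count > 1:
            findings.append((a.username, "shared account"))
        if a.approved_by is None:
            findings.append((a.username, "no approval evidence for access grant"))
        # Privileged accounts are held to a shorter review cycle than standard users.
        period = privileged_review_days if a.privileged else standard_review_days
        if a.last_reviewed is None or today - a.last_reviewed > timedelta(days=period):
            kind = "privileged" if a.privileged else "user"
            findings.append((a.username, f"{kind} access not reviewed within {period} days"))
    return findings


def check_password_policy(policy, baseline):
    """Return the names of the settings that fall short of the baseline."""
    gaps = []
    if policy["min_length"] < baseline["min_length"]:
        gaps.append("min_length")
    if baseline["complexity"] and not policy["complexity"]:
        gaps.append("complexity")
    # A max age of 0 is the common export convention for "passwords never expire".
    if policy["max_age_days"] == 0 or policy["max_age_days"] > baseline["max_age_days"]:
        gaps.append("max_age_days")
    # A lockout threshold of 0 means account lockout is disabled.
    if policy["lockout_threshold"] == 0 or policy["lockout_threshold"] > baseline["lockout_threshold"]:
        gaps.append("lockout_threshold")
    return gaps


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ACTIVE_STAFF, HR_LEAVERS, REVIEW_DATE):
        print(f"{user:15} {finding}")
    print("password policy gaps:", check_password_policy(PASSWORD_POLICY, BASELINE_POLICY))
```

On the constructed data the review reports six findings: the leaver's enabled account (which is also overdue for review), the privileged account that has never been reviewed, the account with no approval evidence, and the shared account, which additionally has no HR record because it does not belong to a person. The disabled account is ignored, which is deliberate: a disabled account is not an access exposure, although a separate check would normally confirm it is eventually deleted.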
Program Change Management
Controls over changes to IT systems need to be improved. Weak program change controls mean that changes may be made without proper authorisation and that the accuracy and integrity of data may be compromised. Unintended changes to the way information is processed and reported can follow, including errors in financial reporting.
No major improvement was found compared with previous years: 33% of councils were making unauthorised changes and 36% did not segregate duties effectively within the change process (Martinsuo and Hoverfalt, 2018).
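The two statistics above correspond to two tests an auditor performs on a change register: reconciling production deployments against approved change records (an unauthorised change is one with no approved record behind it) and checking segregation of duties (the person who developed a change must be neither its approver nor its deployer). The script below is an added example of that reconciliation, not code from the Auditor-General's report or from any council system; the change register, the deployment log and the identifiers in them are constructed for the illustration.

```python
"""Program-change reconciliation of the kind the audit's change-management findings call for.

Added example, not from the Auditor-General's report or any council system.
Change records and deployment entries are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ChangeRecord:
    change_id: str
    developer: str
    approver: Optional[str]   # None when no approval was recorded
    approved: bool


@dataclass
class Deployment:
    deploy_id: str
    change_id: Optional[str]  # None when the deployment cites no change record
    deployed_by: str


# Constructed change register (export from a hypothetical ticketing system).
CHANGES: Dict[str, ChangeRecord] = {
    "CHG-101": ChangeRecord("CHG-101", "dev1", "mgr1", True),
    "CHG-102": ChangeRecord("CHG-102", "dev2", "dev2", True),  # approved by its own developer
    "CHG-103": ChangeRecord("CHG-103", "dev1", None, False),   # never approved
}

# Constructed production deployment log for the same period.
DEPLOYMENTS = [
    Deployment("DEP-1", "CHG-101", "ops1"),  # clean: approved, independent approver and deployer
    Deployment("DEP-2", "CHG-102", "ops1"),
    Deployment("DEP-3", "CHG-103", "dev1"),  # unapproved, and deployed by its own developer
    Deployment("DEP-4", None, "dev2"),       # no change reference at all
    Deployment("DEP-5", "CHG-999", "ops1"),  # references a change that is not in the register
]


def reconcile_changes(deployments, changes):
    """Return (deploy_id, finding) pairs for deployments that breach change controls."""
    findings: List[Tuple[str, str]] = []
    for d in deployments:
        chg = changes.get(d.change_id) if d.change_id else None
        if chg is None:
            # Covers both a missing reference and a reference to an unknown change.
            findings.append((d.deploy_id, "deployment without a change record"))
            continue
        if not chg.approved:
            findings.append((d.deploy_id, "change not approved before deployment"))
        if chg.approver is not None and chg.approver == chg.developer:
            findings.append((d.deploy_id, "segregation of duties: developer approved own change"))
        if d.deployed_by == chg.developer:
            findings.append((d.deploy_id, "segregation of duties: developer deployed own change"))
    return findings


def unauthorised_change_rate(deployments, changes):
    """Share of deployments with no approved change record behind them."""
    unauthorised = 0
    for d in deployments:
        chg = changes.get(d.change_id) if d.change_id else None
        if chg is None or not chg.approved:
            unauthorised += 1
    return unauthorised / len(deployments) if deployments else 0.0


if __name__ == "__main__":
    for dep, finding in reconcile_changes(DEPLOYMENTS, CHANGES):
        print(f"{dep:6} {finding}")
    print(f"unauthorised change rate: {unauthorised_change_rate(DEPLOYMENTS, CHANGES):.0%}")
```

On the constructed data three of the five deployments are unauthorised (one unapproved change, one with no reference, one referencing an unknown change), and two separate segregation-of-duties breaches appear: a self-approved change and a developer deploying their own change. Treating a reference to an unknown change identifier the same as no reference matters in practice, since a register that cannot produce the record provides no evidence of approval.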
Disaster Recovery Planning
Significant improvements are also required in disaster recovery planning. A large share of councils did not have adequate arrangements in place: 31% had no formal, approved disaster recovery plan, 28% had not reviewed their plan, and 55% had not tested it.
Audit Findings - Cyber Security Management
Major gaps were found in the councils' cybersecurity management. 80% of councils did not have a formal cybersecurity framework, 78% did not maintain a centralised register, 46% did not include cybersecurity risks in their risk registers, 67% had not conducted penetration testing, 48% had no cybersecurity policy, 84% had no separate cybersecurity budget, and 76% had not provided formal cybersecurity training to their staff.
Cybersecurity risks have significant potential impacts:
- Confidential and private information, such as financial data or corporate information, may be stolen
- Money may be stolen
- Denial of service may disrupt operations (Kostopoulos, 2018)
- Data may be destroyed
- Significant costs may be incurred repairing systems, networks and devices
- Legal liabilities may arise from unauthorised access or from downtime
- Third parties may suffer losses where council data is stored on external systems
Professional, Legal, and Ethical Responsibilities of an IT Auditor
An IT auditor has a number of responsibilities, which can be classified into three broad areas: professional, legal and ethical.
The professional responsibilities of an IT auditor are listed below.
- Examine the internal IT controls and evaluate the design and operating effectiveness of the IT tools and systems in place.
- Assess the likelihood of risks occurring and evaluate the control strategies and techniques available to the organisation (Pratiwi et al., 2019).
- Investigate security issues identified during the audit.
- Investigate network issues and gaps identified during the audit.
- Follow up on security and network breaches that have occurred on the system in the past.
- Plan and monitor security measures so that the organisation's systems and data are effectively protected.
- Participate in the change management processes that result from audit findings.
- Verify network and system vulnerabilities to determine the controls needed to protect them from attack.
- Develop IT audit policies and programs.
- Communicate audit results and outcomes to the rest of the team.
- Perform effective audit testing so that recommendations are based on evidence.
- Review and evaluate the effectiveness of application controls.
- Recommend the improvements that must be made.
An IT auditor also has legal responsibilities. IT audits must be conducted in accordance with applicable laws and protocols; for example, information systems and technology carry intellectual property and copyright obligations. The IT auditor carries out legal and regulatory compliance checks to determine whether the defined requirements are being met. Where security risks and issues arise in an organisation, their legal consequences must be evaluated, and the IT auditor is responsible for assessing them (Nikiforov, 2015).
The IT auditor also has ethical responsibilities. Information and data are exposed to many security risks and attacks, and these incidents often involve violations of the organisation's processes and policies, including by insiders. The IT auditor is responsible for ensuring that ethical compliance is maintained at all times, for identifying the gaps that lead to ethical violations, and for recommending measures to close them. The auditor must also remain independent and objective, avoiding conflicts of interest with the organisation being audited.
Conclusion
The audit covered the NSW local councils across several areas: finance, governance, internal controls, information technology and asset management. This report has focused on the IT audit and its findings. A number of improvements were identified in the way local councils handle and manage IT. User access controls need to be strengthened, cybersecurity management has significant gaps, and change management is another area that must be improved. Councils must adopt specific measures to ensure these improvements are made. The IT auditor is assigned a range of professional, legal and ethical responsibilities, which must be fulfilled so that organisations make effective use of IT.
References
Bishop, M. (2016). Information Security. Springer International Publishing.
Choi, Y. (2019). Organizational Control Policy, Information Security Deviance, and Moderating Effect of Power Distance Orientation. International Journal of Cyber Behavior, Psychology and Learning, 9(3), pp.48–60.
Goodman, S.E., Straub, D.W. and Baskerville, R. (2016). Information Security: Policy, Processes, and Practices. London: Routledge.
Joshi, C. and Singh, U.K. (2017). Information security risks management framework – A step towards mitigating security risks in university network. Journal of Information Security and Applications, 35, pp.128–137.
Kim, W.-S. and Chung, S.-H. (2018). User-Participatory Fog Computing Architecture and Its Management Schemes for Improving Feasibility. IEEE Access, 6, pp.20262–20278.
Kostopoulos, G.K. (2018). Cyberspace and Cybersecurity. Boca Raton: CRC Press, Taylor & Francis Group.
Lenning, J. and Gremyr, I. (2017). Making internal audits business-relevant. Total Quality Management & Business Excellence, 28(9–10), pp.1106–1121.
Martinsuo, M. and Hoverfalt, P. (2018). Change program management: Toward a capability for managing value-oriented, integrated multi-project change in its context. International Journal of Project Management, 36(1), pp.134–146.
Nikiforov, S. (2015). On the competitive selection of the auditor. Auditor, 0(18), pp.18–26.
Nurunnabi, M., Donker, H. and Jermakowicz, E. (2020). Joint audits and mutual ties of audit firm networks. Business Horizons.
Peltier, T.R. (2015). Information Security Fundamentals. Boca Raton, Florida: CRC Press, Taylor & Francis Group.
Pratiwi, W., Rizal, N., Indrianasari, N.T., M, W.W. and Ifa, K. (2019). Auditor Competence, Auditor Independence, Auditor Experience, Audit Fees and Time Budget Pressure against Fraud Detection. Journal of Advanced Research in Dynamical and Control Systems, 11(12), pp.26–33.
Whitman, M.E. and Mattord, H.J. (2019). Management of Information Security. Boston, MA: Cengage Learning.