IT General Audit Control


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The purpose of this report is to explain why an Information Security Audit is needed for an organization and the importance of the audit process. I have analyzed the benefit of the IT audit for the organization. There were no difficulties that I faced with my portion of the task, thanks to internet references; there are lots of tutorials available on the internet regarding this subject area. I have critically discussed the need for an IT audit in an organization in the current Sri Lankan situation.


INTRODUCTION

Through the computerization of business processes a company can gain competitive advantage over its competitors, and with proper controls it can avoid basic operational mistakes while pursuing opportunities in the global market. An IS audit is "an audit that encompasses a whole or partial review and evaluation of automated information processing systems, related non-automated processes and the interfaces between them". Business risk that arises from the use of IT is categorized as IT risk. IS auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

BACKGROUND OF THE STUDY

An information security audit is compulsory for the organization; it helps to identify most system errors and human errors at an early stage, during the IT audit and check-up. This report also sets out which areas are the most critical and which have a direct impact on revenue-generating activities. Users and management should be made aware of this process, its benefits and the importance of the IT audit.

Some smaller companies do not follow an IT audit process, and those companies are not aware of the benefits of this process. I strongly recommend that all companies introduce IT policies and an IT audit; this will help to improve the business with proper internal controls.

The recommendation to the company is to maintain an IT audit team that checks every process, including the interfaces between technology and non-technology steps, so that transactions are secure.

External auditing firms such as E&Y, KPMG and PwC, who are leading auditors worldwide, should advise management to include an IT audit alongside the financial audit. The recommendation is that the IT audit should be part of the financial audit and should check the entire system: user accounts, system rights and access, backup procedures and storage, and so on. Because today all of a company's day-to-day operations run on a centralized system, the IT audit checks the controls and confirms that access is properly secured. Overall, this report sets out the importance of the IT audit and what output management and stakeholders get from it: avoiding revenue losses and maintaining a sound accounting system.

IT GENERAL AUDIT CONTROL

IT general controls are expected to ensure the reliability, accuracy and safety of data generated through the system, including all precautionary measures to secure system access and to back up and recover data and systems in the event of a disaster. Examples: a SOP for source code and document version control; incident management and reporting for hardware and software; physical security.

Typical general controls include the following:

A logging and tracking mechanism for the real-time interfaces of the software provided.

Upgrading software and hardware versions to meet current requirements.

Protection against real-time threats such as piggybacking (following an authorized person through a controlled door, or riding on another user's authenticated session).

Timely review of user logins and of what is shared.

Adequate protection against malicious tools and activities.

Scheduled maintenance, including scanning of user systems.

Daily scheduled backups of the operational, interfaced software.

Additional storage of data through online and offline backups.

FINANCIAL AUDIT

Financial audits give a company's management a credible picture of the company's financial position. A company usually hires an outside firm to give an independent opinion on the financial documentation to the company's shareholders and investors. The safety of company data is vital, including the manner in which the data is sent: protecting the data in transit is the most important aspect of preventing it being misused.

Financial audits help a company prove that it is not "cooking the books", that is, altering the financial picture of the company through means such as teeming and lading (lapping: covering one customer's receipt with a later customer's payment) and other systemic flaws used as tools for fraud. The Internal Revenue Service, financial institutions, banks, suppliers, customers and employees all have access to the published financial audit and can gain a better understanding of where the company or business falls in a profit-loss market. Audits significantly reduce alteration of company records and can rectify systemic accounting flaws that the system permits.

The financial audit is carried out before the end of the business's financial year, producing a financial consolidation with schedules showing how the business operated in that financial year, with a variance analysis against the previous year. Auditors evaluate industry regulations and the system controls, which are a key control tool given ongoing software upgrades, and examine how the business is administered: value-added controls and process-oriented restriction of system rights based on segregation of duties. Audits look at the accuracy of internal controls and transaction records and look for ways to substantiate excessive overheads through analysis, including system improvements. In addition to testing the accuracy of internal controls, the check of the firm's systems becomes a vital process.

The IT audit strongly recommends that the company have an internal auditor, to check that standard processes are followed and, in a management-friendly way, to ensure that the rights granted do not conflict with users' roles and to propose improvements and alternative solutions for management and employees. The internal audit executive will also review daily operations with systematic analysis that follows the business process flow and the internal control system. The result is an appropriate internal control system for the company that avoids errors and possible fraud.

Reference: http://www.ehow.com/about_5066315_financial-audit.html

The term audit has been in use for ages, but systematic audit has a definition and first became widely used in the United Kingdom: the first cited mention of an audit is from 1314, when England appointed the Auditor of the Exchequer to install a system of checks and marks on government spending. Though a process was in place, it did not see widespread growth until 1866, when William Gladstone reformed the monitoring programme as part of a package of public finance reforms that included spending by Parliament. Since then, financial audits have become increasingly regulated through financial institutions, government bodies, courts and company investors. Parliament was the first recorded government body to be audited. Since then, governing bodies have been audited to deter corruption and prevent back-room deals; in a modern system this is supported by systemic controls, access restrictions and user logs kept for tracking purposes.

Password Policy

A password policy is vital for the organization as a tool to secure the company's systems. Users must be made aware of the policy and of why the company needs it. The policy shall state the requirements for acceptable password selection and maintenance, so that user IDs are not shared, the security of passwords is maximized and their misuse or theft minimized.

Passwords are the most frequently used form of authentication for accessing computing resources. Weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers are the key risk factors, and passwords are often further weakened by users' negligence and lack of awareness of how to set a strong one. Password use must therefore be governed by adequate controls over the company's data, as set out below:

All system passwords must be built to the standard listed below. In general, password strength increases with length and complexity, and the policy also requires a change at least every 3 weeks. Note, however, that current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because frequent mandatory changes push users toward predictable variations of the same password; a minimum length and screening of new passwords against lists of known-breached passwords are more effective controls.

High-risk systems require zero tolerance of deviation and full protection; on such systems a strong password should be supplemented by security measures such as multi-factor authentication. Ordinary user systems shall not have access to critical or sensitive company information; access to shared data shall be controlled, and internal IP addresses shall not be exposed to outsiders. A system or application shall not weaken its security by having a shared account with administrator privileges used by all users. Administrator accounts shall have the strictest protection, since they can control any system remotely, manage other users' access, and grant access to the IT security environment.
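The following is an added example, not part of the original essay, showing how the rules above (minimum length, character classes, no username in the password, screening against a breached-password list, and the 3-week maximum age) can be enforced at the point where a user sets a password. The breached-password list, the thresholds and the function names are assumptions made for the example; a real deployment would load a full breach corpus rather than three constructed entries.

```python
"""Password policy checker: added example, not code from the original essay."""
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for a breached-password list, stored as SHA-1 hex
# digests (the form in which such lists are usually distributed).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome123", "Summer2017!")
}

MIN_LENGTH = 12                  # assumed policy minimum
MIN_CLASSES = 3                  # of lower, upper, digit, symbol
MAX_AGE = timedelta(days=21)     # the essay's 3-week rotation period


def complexity_classes(password):
    """Count how many character classes the password draws from."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def check_password(password, username, last_changed=None, today=None):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_AGE:
            problems.append("older than maximum age")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xyz", "Password1!", "alice-Secret-2024!"):
        print(candidate, "->", check_password(candidate, "alice") or "ok")
```

The breach check hashes the candidate and looks it up, so the plaintext list never has to be held in memory; the age check is kept separate so that it can be dropped if the organization adopts the NIST position on rotation.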

Central and departmental account managers, data trustees, and security and system administrators are expected to set a good example through consistent practice of sound security procedures: adequate controls, confidentiality, and no discussion with outsiders of anything that could harm the company's environment.

System access should be controlled consistently over time. User access is granted through a system access form, filled in and approved by the head of the department; the system manager shall review it and question any conflicting rights that have been requested. All user forms shall be documented, preserved and kept securely. When an employee leaves the organization, the IT department will deactivate the user account with due care, after checking that the user ID has not been misused. The general IT control policy shall state clearly that user accounts are not to be deleted from the system, because they may be needed for future reference to identify the user's activity in the logs.


USER ACCESS RIGHTS

Allocation of users' access rights is important from the system's side; the user rights are organized in five groups:

Account Administration (AA)

Funds Management (FM)

Report Management (RM)

Trading Access (TA)

User Management (UM)

In an account structure with multiple users and client accounts, limited access may be given to a subset of the user access rights or of the accounts. For example, you might give "User A" the ability only to trade, while User B can only look at account statements. User C might only be able to trade client accounts 1-5, while User D can trade client accounts 6-10.

User rights can be categorized according to management requirements; some users are allocated to multiple points in the security shell. Rights should be granted with proper written documentation and approval, and the approval should take effect only with the IT manager's sign-off.

User rights should be monitored through the audit logs and transactions, reviewed at frequent intervals; this will help to identify any misuse of the system. The whole process should be documented for audit queries. Reacting after the event is not the main point; the aim is a good system that does not allow errors to happen, by means of regular checks and system controls in place.
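As an added example (not from the original essay), the following code models the five right groups and the "User A trades only, User B views statements only, User C trades accounts 1-5, User D trades accounts 6-10" scheme described above, records every authorization decision in an audit log, and implements the periodic review of that log by flagging users with repeated denied attempts. The mapping of actions to right groups, the denial threshold, and all user and account numbers are assumptions for the example.

```python
"""Access-rights model with audit-log review: added example, not from the essay."""
from dataclasses import dataclass, field

RIGHT_GROUPS = {"AA", "FM", "RM", "TA", "UM"}   # the five groups from the essay

# Which right group each action needs (assumed mapping for the example).
ACTION_RIGHT = {
    "trade": "TA",
    "view_statement": "RM",
    "transfer_funds": "FM",
    "create_user": "UM",
    "change_account_settings": "AA",
}


@dataclass
class User:
    name: str
    rights: set                                   # subset of RIGHT_GROUPS
    client_accounts: set = field(default_factory=set)  # accounts the user may trade


AUDIT_LOG = []   # (user, action, client_account, decision); persisted in a real system


def authorize(user, action, client_account=None):
    """Decide whether `user` may perform `action`; every decision is logged."""
    needed = ACTION_RIGHT.get(action)
    if needed is None:
        decision = "deny: unknown action"
    elif not user.rights <= RIGHT_GROUPS:
        decision = "deny: malformed rights"
    elif needed not in user.rights:
        decision = f"deny: lacks {needed}"
    elif action == "trade" and client_account not in user.client_accounts:
        decision = "deny: account out of scope"
    else:
        decision = "allow"
    AUDIT_LOG.append((user.name, action, client_account, decision))
    return decision == "allow"


def review_audit_log(log, threshold=3):
    """Periodic review: users with at least `threshold` denials, for misuse follow-up."""
    denied = {}
    for name, _action, _acct, decision in log:
        if decision.startswith("deny"):
            denied[name] = denied.get(name, 0) + 1
    return {name: count for name, count in denied.items() if count >= threshold}


# The essay's four example users (constructed).
USER_A = User("A", {"TA"}, set(range(1, 11)))   # may trade, all ten accounts
USER_B = User("B", {"RM"})                       # statements only
USER_C = User("C", {"TA"}, set(range(1, 6)))    # trades accounts 1-5
USER_D = User("D", {"TA"}, set(range(6, 11)))   # trades accounts 6-10

if __name__ == "__main__":
    print(authorize(USER_C, "trade", 3), authorize(USER_C, "trade", 7))
    print(review_audit_log(AUDIT_LOG, threshold=1))
```

The scope check on `trade` is what separates User C from User D even though both hold the same right group; the review function is deliberately simple so that the threshold can be tuned per system.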

USER RULES AND REGULATIONS WITH LIMITATIONS

The following rules and limitations apply to the creation of users:

Up to two usernames may be created for the same person.

For individual accounts (individual, joint, and IRA accounts), up to 15 persons may be added, each with a Power of Attorney that is provided when adding users to an individual account.

Individual Advisors may not add any persons other than themselves (they can have two usernames for themselves).

Joint Accounts may add two usernames for each account holder.

Trust accounts may add up to two usernames for each trustee.

Organizations may add up to 50 users, including employees and non-employees.

REPORT CONTROL

The report controls of the system are categorized as given below.

Master Reports

Financial Reports

Basic reports

User logs

Master report rights should be assigned to the IT manager only, since master reports hold crucial information; master rights are restricted to a single user.

Financial report rights should be assigned to finance department users and senior managers so that they can obtain financial statements, without admin rights that would enable master rights. Within this group, rights can be further divided into basic reports and key reports, controlled by viewing rights.

DATABASE BACKUPS/STORAGES PROCEDURE

Data backup is very important for the organization and should be performed daily, through scheduled backups or real-time backup. Before backups are taken, adequate controls and safety measures shall be in place so that the normal business process is not affected. The backup procedure shall be documented, and backups shall be test-restored at frequent intervals. Database backups are of two kinds: online backup and offline backup.

An online backup can be taken while users are logged in to the system and the interface is running; it should nonetheless be scheduled in lean or idle hours when usage is low.

An offline backup shall be taken after all users have logged out. While taking the backup, an IT assistant shall be responsible for the safety of the data being transferred and shall work with adequate care. Merely making a copy is not sufficient: care shall be taken to verify that the backup actually contains all of the data it is supposed to contain.
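The following added example (not from the original essay) implements the online-backup procedure described above with the verification step the paragraph calls for: a consistent snapshot is taken while the database stays open, the copy is integrity-checked and its row counts compared with the source (a restore test), a checksum is recorded, and the result is appended to a manifest. SQLite is used so the example runs offline; the sample ledger table, file names and manifest format are constructed for the example, and the same steps apply to any DBMS that offers an online backup facility.

```python
"""Online database backup with restore test and manifest: added example, not from the essay."""
import hashlib
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def create_sample_db(path):
    """Constructed sample data standing in for the operational database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT, amount REAL)")
    con.executemany("INSERT INTO ledger (account, amount) VALUES (?, ?)",
                    [("ACC-1", 100.0), ("ACC-2", 250.5), ("ACC-3", -40.0)])
    con.commit()
    con.close()


def online_backup(src_path, dest_path):
    """Consistent snapshot via the SQLite online backup API while users stay connected."""
    src = sqlite3.connect(src_path)
    dest = sqlite3.connect(dest_path)
    with dest:
        src.backup(dest)
    src.close()
    dest.close()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def row_counts(path):
    """Row count per table, used to confirm the copy holds all the data."""
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    con.close()
    return counts


def verify_backup(src_path, backup_path):
    """Restore test: the copy must pass an integrity check and match the source's row counts."""
    try:
        con = sqlite3.connect(backup_path)
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
        con.close()
        if integrity != "ok":
            return False
        return row_counts(src_path) == row_counts(backup_path)
    except sqlite3.DatabaseError:        # corrupt or truncated copy
        return False


def run_backup_job(src_path, backup_dir):
    """Backup, verify, checksum, and append a manifest record; returns the record."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_path = os.path.join(backup_dir, f"ledger-{stamp}.sqlite")
    online_backup(src_path, backup_path)
    record = {
        "source": src_path,
        "backup": backup_path,
        "taken_utc": stamp,
        "sha256": sha256_file(backup_path),
        "verified": verify_backup(src_path, backup_path),
    }
    with open(os.path.join(backup_dir, "manifest.jsonl"), "a") as m:
        m.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run the whole job against a throwaway sample database."""
    work = tempfile.mkdtemp()
    db = os.path.join(work, "ledger.sqlite")
    create_sample_db(db)
    return run_backup_job(db, work)


if __name__ == "__main__":
    print(demo())
```

The manifest's checksum is what lets a later audit prove that the file being restored is the file that was verified; the `verified` flag being false should page the operator rather than silently pass.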

If backups are not taken with due care, a system failure becomes a nightmare, since there is no database backup to restore after a crash. This leads to major problems for the company and for the outsiders who rely on it; the company's goodwill is damaged and it may lose valuable customers and vendors. In the banking industry in particular, a system failure of this kind is a major setback for the business and affects the marketability and reputation of the company.

Reference example: X's banking system failure hit 22m retail customers. In an apparently unrelated incident at the same time, some of the Co-op Bank's 2.4m banking customers were also affected, losing access to their accounts. The issue, which also hit Y's online bank Smile, was fixed after around 1.5 hours. The mess left ABC and DEF being forced to open branches on a Sunday for the first time in their history to help customers left short of cash.

The bank was forced to earmark £125m to compensate customers affected by the glitch.

The storage procedure matters because a backup is only useful when it can be found and restored: storage should give easy, secure access when required, backups should be documented with easy identification, and the general IT policy should state the storage requirements clearly.

As you construct a storage system, keep the following goals in mind:

* Prevent data loss

* Offer adequate capacity that can easily scale as storage needs grow

* Provide fast access to data without interruptions

* Be prepared for equipment failures

* Use cost-effective technologies.

The backup storage system must be able to handle the volume of data to be saved, which requires awareness of the organization's current data storage requirements and expected growth rates; it is not possible to plan a storage strategy without detailed knowledge of the data volume involved. Retrieval must deliver stored data to the user rapidly when required. Fortunately, many current systems have very high performance. Designing a storage solution for a relatively small number of users can be fairly straightforward, but a network with an extremely large user population will challenge the architect to design a system that can handle a very high rate of simultaneous activity and still deliver rapid access.

All storage systems rely on IT assets that can break down. It is possible to build a data storage environment with enough redundancy to ensure that no disruption occurs when a component malfunctions. Such high availability has a price, both in the cost of the equipment and in the complexity of its operation. Smaller departmental networks may be satisfied with a system that can fail, provided it can be restored with little or no data loss within a reasonable time. It is relatively simple and inexpensive to build a storage system that is available 99 percent of the time; eliminating the last 1 or 2 percent of failure possibilities is complex and expensive. Disaster recovery shall be a main aspect of safety, with copies held away from the primary location at a secure and reputable site.

IT SERVER ROOM ACCESS

Access to the IT server room should be secured and monitored effectively every day, so that any unauthorized entry is detected. The server room should have adequate fire alarms and smoke detectors, with extinguishers of a kind that do not damage the data stored on hard disks in an emergency, and 24/7 CCTV surveillance is crucially important.

Access to the computer systems from outside the systems department shall be controlled by proper use of user identification codes, passwords, and personal lock access codes, which are to be changed no less than once a year. To further limit access, codes that are no longer authorized will be removed as soon as possible.

Database access on the server should be limited to the CFO and the systems department, and as a precaution removable storage media such as compact discs shall not be carried into the server room.

Secure IT room access through biometrics such as fingerprint recognition is ideal, and retina or iris scanners may be more appropriate for current trends. In addition, a physical attendance log can be kept, a security guard can search people entering the room, and magnetic items can be required to be left outside.

Access to the systems room(s) shall be restricted to TMCC Information Technology personnel, approved vendor/maintenance personnel, or operations management personnel reporting for duty at a specified time. Tours by visitors, employees, vendors, or customers must be authorized and approved by the Executive Director of Information Technology Operations (or the Head of IT of the company).

All of the above shall be checked by the IT departmental audit and reviewed frequently to ensure secure access to the IT room. If the process is not fully adhered to and there are deviations, the IT auditors should report the seriousness to management so that the organization follows the process immediately. This is the standard procedure for secure access to any IT room.
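As an added example (not from the original essay) of the review step just described, the code below runs over badge-reader and door-sensor records for a server room and raises three kinds of finding an auditor would want: a badge that was granted entry but is not on the approved-personnel list, a door opening with no recent granted badge read (possible piggybacking, a threat the essay mentions under general controls), and repeated denied attempts by one badge. The log format, badge numbers, authorized list and thresholds are all constructed for the example; real access-control systems export different fields, so `parse_line` is the piece to adapt.

```python
"""Server-room badge log review: added example, not from the essay."""
from datetime import datetime, timedelta

# Assumed list of badges approved for the room (IT personnel and an approved vendor).
AUTHORIZED = {"1007": "IT operations", "1012": "IT operations", "3001": "approved vendor"}

# Constructed sample export: one badge read or door event per line.
SAMPLE_LOG = """\
2017-11-02T08:01:12 BADGE door=SRV1 id=1007 result=granted
2017-11-02T08:01:14 DOOR door=SRV1 event=opened
2017-11-02T08:01:40 DOOR door=SRV1 event=opened
2017-11-02T13:20:05 BADGE door=SRV1 id=3001 result=granted
2017-11-02T13:20:07 DOOR door=SRV1 event=opened
2017-11-02T22:15:03 BADGE door=SRV1 id=2231 result=granted
2017-11-02T22:15:05 DOOR door=SRV1 event=opened
2017-11-02T23:40:00 BADGE door=SRV1 id=1007 result=denied
2017-11-02T23:40:05 BADGE door=SRV1 id=1007 result=denied
2017-11-02T23:40:09 BADGE door=SRV1 id=1007 result=denied
"""


def parse_line(line):
    """'<timestamp> <KIND> key=value ...' -> dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for f in fields:
        key, value = f.split("=", 1)
        rec[key] = value
    return rec


def review_access_log(text, authorized=AUTHORIZED, piggyback_window=10, denied_threshold=3):
    """Return (finding, timestamp, subject) tuples in log order."""
    findings = []
    last_grant = {}   # door -> time of the most recent granted badge read
    denied = {}       # badge id -> number of denials seen
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        door = rec["door"]
        if rec["kind"] == "BADGE":
            if rec["result"] == "granted":
                last_grant[door] = rec["ts"]
                if rec["id"] not in authorized:
                    findings.append(("unlisted badge granted", rec["ts"], rec["id"]))
            else:
                denied[rec["id"]] = denied.get(rec["id"], 0) + 1
                if denied[rec["id"]] == denied_threshold:
                    findings.append(("repeated denials", rec["ts"], rec["id"]))
        elif rec["kind"] == "DOOR" and rec["event"] == "opened":
            grant = last_grant.get(door)
            if grant is None or rec["ts"] - grant > timedelta(seconds=piggyback_window):
                findings.append(("door opened without recent badge", rec["ts"], door))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```

The "unlisted badge granted" case is the important one for an audit: the badge system itself said yes, so only a comparison against the approved list maintained outside that system can catch a badge that was never removed or was issued without approval.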

SYSTEM UP TIME / DOWN TIME MONITOR

System uptime and downtime should be monitored and documented, because during downtime the company may lose control of revenue that is collected but not posted, owing to system maintenance or faults.

The IT audit team shall strictly recommend sending a daily downtime/uptime report to management to keep them updated on issues. The IT department is also requested to share the system uptime/downtime report monthly, quarterly and at year end with management, noting any deviations. This report helps to obtain approval for changes to the IT infrastructure to avoid downtime, because management, the Board of Directors and stakeholders will approve the capex budget based on the report as evidence for investment in new technology.
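The following added example (not from the original essay) produces the kind of monthly uptime/downtime report described above from a list of status-change events: the availability percentage, total downtime, the outage intervals, and separately the downtime that fell within business hours, since that is the portion that affects revenue collection. The events, the business-hours window and the report fields are constructed assumptions for the example; in practice the events would come from the monitoring system.

```python
"""Monthly availability report from status-change events: added example, not from the essay."""
from datetime import datetime, time, timedelta

# Constructed status-change events for one system (local time, one month).
EVENTS = [
    ("2017-10-01T00:00:00", "up"),
    ("2017-10-05T09:12:00", "down"),   # unplanned outage during business hours
    ("2017-10-05T09:57:00", "up"),
    ("2017-10-21T02:00:00", "down"),   # overnight maintenance window
    ("2017-10-21T03:30:00", "up"),
]

BUSINESS_HOURS = (8, 18)   # assumed 08:00-18:00 revenue-relevant window


def parse_events(events):
    return [(datetime.fromisoformat(ts), state) for ts, state in events]


def outages(events, period_end):
    """Return (start, end) pairs for every interval the system was down."""
    result, down_since = [], None
    for ts, state in sorted(parse_events(events)):
        if state == "down" and down_since is None:
            down_since = ts
        elif state == "up" and down_since is not None:
            result.append((down_since, ts))
            down_since = None
    if down_since is not None:            # still down when the period closes
        result.append((down_since, period_end))
    return result


def business_overlap(start, end, hours=BUSINESS_HOURS):
    """How much of [start, end) falls inside the daily business-hours window."""
    total = timedelta()
    day = start.date()
    while day <= end.date():
        window_start = datetime.combine(day, time(hours[0]))
        window_end = datetime.combine(day, time(hours[1]))
        lo, hi = max(start, window_start), min(end, window_end)
        if hi > lo:
            total += hi - lo
        day += timedelta(days=1)
    return total


def availability_report(events, period_start, period_end):
    downs = outages(events, period_end)
    total_down = sum((e - s for s, e in downs), timedelta())
    business_down = sum((business_overlap(s, e) for s, e in downs), timedelta())
    period = period_end - period_start
    return {
        "availability_pct": 100 * (1 - total_down / period),
        "downtime_minutes": int(total_down.total_seconds() // 60),
        "business_hours_downtime_minutes": int(business_down.total_seconds() // 60),
        "outages": [(s.isoformat(), e.isoformat()) for s, e in downs],
    }


def report_for_month(events, year, month):
    """Convenience wrapper: the calendar month as the reporting period."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return availability_report(events, start, end)


if __name__ == "__main__":
    for key, value in report_for_month(EVENTS, 2017, 10).items():
        print(f"{key}: {value}")
```

Reporting business-hours downtime separately is what turns a bare availability figure into the evidence for a capex request: a 99.7% month looks fine until the report shows that the 45 lost minutes all fell in trading hours.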

For recovery there are three kinds of backup site: a hot site (fully equipped and able to take over almost immediately), a warm site (partially equipped, needing some setup before use) and a cold site (space and power only, with equipment installed after the disaster); data is transferred through remote recovery or local system recovery. Thus IT systems are as essential to management as finance is, because working in an environment without safety will end up in the dark if system controls are inadequate.

CONCLUSION

The importance and benefits of the information systems audit should be communicated to management, and external auditors should advise management to make the IT audit a compulsory part of the financial audit. During the IT audit we can resolve most problems before they occur and manage the system with minimal downtime, which helps management avoid revenue losses and the loss of valuable customers. Awareness of the IT audit supports the adoption of new technology and prepares the organization for unexpected threats, viruses, and human misuse or error.


