Initial audit proposal
Overview of Wallis Building Company Australia Pty Ltd (WBC)
Wallis Building Company is a construction company registered in Melbourne. Wallis Building Company carries out installation, equipment selection and quality control analysis. Wallis Building Company conducts installation through installation of equipments, machines, wiring or managing programs that meet building and regulation specifications. Wallis Building Company carries out material assessment to ensure the materials meet standards for construction and required codes. Wallis Building Company conducts tests and inspections of products, services and processes to determine if they met or conformed to expected quality levels or performance.
Wallis Building Company Australia Pty Ltd (WBC) products
Wallis Building Company installs equipments, machines, carries out wiring of buildings to ensure they satisfy fire safety codes or meet regulatory (fire safety) order 2005 and certify products used in construction meet building codes. Wallis Building Company engages in first time construction, repair of construction and maintenance. Wallis Building Company conducts evaluation of life cycle of property and validates acquisition, control, accountability, responsibility, maintenance, utilization and deposition.
Location of the company
24 Timber Tops Drv
FAILFORD
NSW, 2430
GREATER KEMPSEY AREA
Wallis Building Company
Wallis Building Company is certified under Owners Corporation Act 2006 that came into force in 2008. Wallis Building Company is registered with Consumers Affairs Victoria. The certification domain ranges from residential and commercial as provided for by the OC Guide- Melbourne.
Staff
Wallis Building Company has a human capital of 2435. All staff of Wallis Building Company have certificate of registration in building and construction.
Audit objectives
- To test Wallis Building Company electronic data exchange and identify mechanism data exchange benefits trading partners by determining data exchange authorization protocols, validation and access.
- To test Wallis Building Company computer center integrity and identify support system to computer center integrity for instance back up power, full disaster system recovery and identify full disaster recovery plan available
- To test Wallis Building Company system maintenance controls and identify changes in Wallis Building Company system life, recording of financial transaction and determine if financial transactions are authorized and measures present to protect system integrity.
- To test Wallis Building Company operating system controls hence or otherwise determine relevance of control techniques, verify policies are in place to protect operating system through determination of operating system access privileges, password policies, virus control, audit trail controls and fault tolerance
- To test Wallis Building Company application controls hence or otherwise determine transaction paths from input to output both manually and automated and verify flow of data in the system
- To test Wallis Building Company data management controls hence or otherwise determine risks on disk space, risk of data verification, risk of data confidentiality and risks characterized by protracted test durations.
- To determine transaction integrity and input controls hence or otherwise determine if practices and procedures implemented provide for adequate controls for every data input into the system
- To conduct assessment on server environment to determine level of security, monitoring conducted, protection and access controls in place
The Audit Team
The Audit team consisted of internal and external auditors. The internal auditors included Wallis Building Company quality manager, Wallis Building Company system engineer, Wallis Building Company financial manager, Wallis Building Company occupational health and safety manager, Wallis Building Company software and hardware managers and Wallis Building Company technical manager. The external auditors were represented by student 1, student 2, student 3, and student 4 as external auditors.
Audit scope
The IT Audit involved determination of standards of Wallis Building Company computerized systems and identification of conformation of the computerized systems to accounting information standards. The core goals for the IT Audit were to conduct tests of control through determination of tests of the IT systems and their compliance with standards and carry out substantive IT testing which involved testing of the data elements in the Wallis Building Company systems.
The scope of IT auditing involved testing Wallis Building Company system maintenance controls, testing Wallis Building Company IT operating system, Testing Wallis Building Company data management controls, Testing Wallis Building Company internet and intranets, testing Wallis Building Company computer center integrity and testing Wallis Building Company system development controls, server environment and transaction integrity and input controls.
End-To-End Audit Methodology
The audit process for Wallis Building Company began with understanding of the company. This was followed by identification of risks that Wallis Building Company faced and evaluation of measures that Wallis Building Company has implemented to control the risks and identification of transparency in the Wallis Building Company reporting standards. The audit approach taken was proactive through collaboration with the company towards achievement of accountability and transparency in auditing. This ensured the auditing process achieved uniformity and consistency.
The auditing process involved understanding of the Testing Wallis Building Company system in order to be able to conduct assessment of control risks hence plan the audit procedure with aim of decreasing detection risks. The scope of the testing depended on assessment of key controls and included use of CAAT.
Key findings
The back up controls and access controls for the Wallis Building Company were found to be insufficient. The network infrastructures for the intranet were not secure and encrypted. This meant the data could be intercepted hence expose consumers to theft of personal data. Use of non-encrypted intranet system meant the communication control was not satisfactory which exposed data transfer to unauthorized access. It was evident that access privileges were not structured to meet password policy. The intranet system for the Wallis Building Company was prone to virus attack due to compromised virus control that was characterized by failure to update the antivirus system. The audit trail controls and fault tolerance were below standards.
The operating system controls were not up-to-date. The Wallis Building Company didn’t conduct operating system update. The company didn’t comply with operating system policies on measures to protect integrity of the operating system. Deficiencies in compliance with operating system controls were evident tin system access privileges and in extension password policy, audit trail control, fault tolerance and virus control.
The Wallis Building Company computer center integrity was not satisfactory. The back up power for the Wallis Building Company was not in operation at the time of audit. The Wallis Building Company didn’t have previous records on any tests that might have been carried out to determine data recovery procedures and plan.
The electronic data exchange for the Wallis Building Company was found to moderate. Communication with end users was satisfactory. Performance deficiencies subject to threat and data security was identified along system development protocol and system maintenance.
The server environment was found to be insecure, without protection, monitoring or access control. There were no reviews or password policy in place. There was no documentation on the system authorization and authentication. The server hardware configuration was not updated or necessary applications enabled. The system didn’t have any accounting logs maintenance or responsible system administrator. The security runs were not conducted for critical server components.
The application controls were found to be sufficient as at the time of audit. The automatic and manual transactions paths from input to output were satisfactory. The flow of the data in the Wallis Building Company was within the acceptable standards.
The company didn’t have any contingency plan in place for business continuity or business disaster recovery plan. There were no periodic reviews in place. The back up data was not available or stored offsite. The system was vulnerable to redundancies and prone to disk mirroring and back up power supply underperformance
The internal controls for the Wallis Building Company were tested and access to files, retrieval of files and data was possible. Parallel simulation for the internal controls was moderate.
Testing electronic data exchange
Identified control risks
The primary control risks identified were characterized by slow electronic data exchange which was caused by failure by Wallis Building Company to invest in system upgrade and updating. Hardware compatibility was identified as cause for slow electronic data exchange. There was no responsibility of system administration and maintenance, there were no copies of system user or operational documentation, there was no sustainability plan in place for development, modification and maintenance
Expected controls to mitigate risks identified
Wallis Building Company needed to contact software vendors to determine availability of the software and the software system requirements. There was need to identify upgrades that were required based on business needs. The company needed to identify specifications for instance files conversion and support hardware to smooth running of the electronic data exchange. The software engineer needed to identify compatibility of system upgrade with the current version before seeking procurement for recommended software and hardware. The software engineer needed to liaise with the hardware engineer for hardware compatibility. There was need to improve on system administration responsibility and maintenance.
Audit testing conducted
A gap analysis was carried out. This was done to determine system processes in order to identify system and process changes that could have added value to auditing. We determined system processes that are applicable to Wallis Building Company. This was important in order to help determine mechanism through which Wallis Building Company was to create a project plan, timeline and communication strategy. Tests on electronic data exchange were conducted to determine computer to computer exchange of invoices, orders and business documents. This was carried out to determine possibilities of errors and manipulations of the systems.
Results of the testing
The audit team was not satisfied with the test results. The results demonstrated that the electronic data exchange was negatively compromised by non-encryption of the networks. The back up system was not updated and hardware systems were not up-to-date. Access to data was not secure which made client data prone to theft. The end user communication was very slow.
Key issues raised
Wallis Building Company was on the process of training her staff to ensure they met skill competencies for the system upgrade that the company was investing in. the training was identified to focus on understanding of transaction changes, learning practices for management systems including software and hardware environments and learning workflow processes.
The company was on the process of complying with standards on electronic data exchange controls through identification of procedures that are able to verify the messages were authentic and conformed to set up protocols. The company was on the process of updating her system error checks and security system updating.
Testing Data management
Identified control risks
The audit process and compliance tests identified risks of disk space, risk of data verification, risk of data confidentiality and risks characterized by protracted test durations.
Expected controls to mitigate the identified risks
Controls for risk mitigation included purchase of higher capacity disks, improvement of data confidentiality through authentication and updating of security profile of the data management system, verification of the data to ensure it was correct and up-to-date.
Audit testing conducted
Compliance tests that were conducted sought to identify consistency of data state that is essential element in data maintenance. We sought to identify predictability of data state at the end of test run. Finite element analysis and simulations were conducted to identify system design, integrity, and performance.
Results of the testing
The audit team was not satisfied with the test results. The test results shown problems with logging, reporting and password policy authentication and authorization. The audit team identified malfunctions with progress statistics, reports generation and deficiencies with test case import from CSV, doc, web and SQL and STAF Plugin.
Key issues raised
The company didn’t have competent staff to carry out test management to identify or institute correction to identified risks associated with data management.
Testing application controls
Identified control risk
The application control risks tested demonstrated the system level controls had been manipulated. This resulted into compromise of system tolerances and system purchase approvals during entry of transactions. This meant in the event a system user had system access to manage PO approval limits, the users capability to enter a PO would mean the system user could have ability to manipulate own approval limit. This was identified to have potential of a system user issuing a PO that was outside the set policies or change approval limit to own specifications. There was risk of directly updating of tables through SQL that had been achieved through database login. The application control risk was identified through inability of update scripts being unable to track system users that had made the changes.
Expected controls to mitigate the risks of manipulation
The application control configuration for update scripts should have capacity to track down system users that make changes. The information should be built up into the script. There should be update of the standard audit fields in the database tables that provide created_by; Creation_date; last_updated_by and last_updated_date.
The application control should have an audit trail that should capture changes that are likely to be made to approval limit. This helps to identify when circumventing of approval policies are done. Application control should be configured such that it updates tables through SQL at database login.
Audit testing conducted
The audit team verified document edits, conducted assessment to to determine calculations that had been carried out and carried out assessment on the system database reliability and validity with objective of achieving inter-rater reliability. We also conducted search for system gaps and duplicates. This was carried out in order to determine data completeness and timeliness. The audit team further used audit software to conduct system document re-calculations that had been performed. This helped to identify differences in values between the audit software and the company user applications.
Results of testing carried out
The audit team was not satisfied with the test results. This is because the results demonstrated that the system had been compromised through system manipulations. The approval limits were being changes by system users against the policy. The update script didn’t identify system users that had made changes. It was also noted that the control over vendor tables allowed different vendor numbers to be assigned to equivalent vendors. This resulted into invoice processing clerks to be able to make changes that were not tracked. This compromised the application control and raised concerns over payment through duplicate invoices
Key issues that were raised
The audit team was informed that the company system for compensating controls, reviews of payment by budget managers were able to capture duplicate invoices. The management had not taken measures to control the weakness that had been identified on the vendor code. Audit team performance for the test of duplicate payments confirmed observation that the application controls had been manipulated and compromised following identification of duplicate invoices. This meant different transactions could have been carried out or incorrectly identified as duplicates.
Testing computer center integrity
Identified control risks
Following compliance tests, the audit team identified that the computer center integrity was threatened by reliability risks. Reliability risk arises subject to the planned use of the data or mechanism through which the integral of the data was to the audit team or dependent on auditor’s knowledge of the system. There was reliance risk subject to outcomes of data analysis hence vulnerability to draw inappropriate conclusions.
Expected controls to mitigate the risks
A reliability risk which is a function of auditor’s system knowledge and planned use of the data could be reduced through understanding of applications and application data. Knowledge on the system is acquired through reviewing system documentation and having focus discussion on system authentication with the system users and system programmers. Summaries of the data could be developed or generated through data stratification to determine key possible values. The risk of reliability could be decreased by decreasing reliance risk on data but relying on the auditor’s analysis and documentation. Auditor’s analysis should be arrived at through management reports and findings of previous system audits and system analysis.
Audit testing conducted
The audit team conducted verification of analysis results. This was done to review existing reports for example standards user reports, control totals, exception reports and error and problem logs. This was conducted in order to identify mechanism through which reliability of analysis could be improved. This had objective of reducing auditor’s risk of making inappropriate conclusion that might have been based on invalid data.
Results of testing
The audit team was not satisfied with the tests results. The results demonstrated that data corruption was evident at output stage. The audit team identified possible input errors, accuracy, efficiency and completeness helped to determine the errors were not caused by input but system manipulation. These output errors were determined through simulation and were subject to processing errors. Therefore the Wallis Building Company internal auditors were responsible for the data errors. The errors were also evident when data extracts to create files for analysis were carried out.
Key issues raised
The system had been affected by virus that had spread to the whole system and network. Efforts to determine why back up system was not put up was countered by failure of the back up system. The company was therefore warned not to run the system unless all system controls were tested and proved to be free from reliability risk.
Testing physical and environmental controls
Identified control risks
There was risk of access control hence compromised security level to computer facilities. There were no reviews of computer center security and equipments were not protected from power failures and humidity. There were no procedures in place for data disposal
Expected controls to mitigate the risks
The security level of the computer center should be improved and measures be developed to control or restrict access to authorized persons only. There should be review of computer room physical security and access control. The equipments should be protected from environmentally based factors that might impact on their efficiency and functionality. There should be ongoing review of data disposal procedures
Audit testing conducted
The audit team conducted verification assessment on security and access controls to the computer center. Onsite inspections was done top evaluate sustainability of security and access controls and determine data disposal procedures.
Results of testing
The audit team was not satisfied with the results of the audit. There was no security control and access. There were no disposal procedures in place for data. The equipments were no protected from environmental risks.
Key issues raised
The company was on the process of updating her systems and policy statements.
Testing server environment
Identified control risks
The identified control risks included risk of security of server environment, lack of server environment monitoring, lack of procedures and access controls with regard to server environment, lack of accounting logs maintenance, lack of responsible administrator for the server.
Expected controls to mitigate the risks
the company should develop inventory for critical server access, improvement of server environment security through designation of server administrator, conducting accounting logs maintenance, developing a system back up cycle, adoption and implementation of hardware configuration that supports secure server environment, use if right operating system that supports enhanced server security
Audit testing conducted
The audit team verified server security and ran server security system on all critical company servers. The team determined details of hardware configuration and support software drivers, peripherals and operating system support drivers. The team ran server to determine server back up cycle, accounting logs maintenance and conducted interview to establish server system administrator and policies in place on server environment and management
Results of testing
The company didn’t have a secure server environment. There were no designated personnel in charge of server environment systems. There were no hardware configurations and enabled application to support secure server functionality, there were no accounting logs maintenance or policies in place for server system back up review and maintenance.
Key issues raised
The company was on the process of updating her systems.
Testing operating system controls
Identified control risks
The compliance tests identified presence of dummy records for example department and customer accounts on which it was possible to data could have been processed. It was found that the embedded audit facility was inactive which made it impossible to gather and store information on transactions when needed for audit review. The audit transactions were not written to the audit files (System Control and review file-SCARF) for future examinations
Expected controls to mitigate the risk
The identified control risks should have been minimized through removal of dummy records. The embedded audit facility ought to have been activated in order to ensure the system was capable of gathering and storing information on transactions when it was needed for audit review.
Audit testing conducted
Two audit testing processes were carried out. The first audit test involved a compliance testing on the operating system controls to verify control procedures were in place. An end result audit testing was done in order to determine the precise level of achievement that every unit had. The two audit tests were carried out to create system confidence. Upon verification of effectiveness and possible compliance, we went on to carry out functions tests and end results tests. The audit team tested configuration of the operating system to identify if it met or satisfied company requirements to support needed confidentiality, integrity and sustainability.
Results of the testing
The audit team was not satisfied with the results. There was no IT infrastructure that could have supported system functions that the audit team sought to identify. The tests determined the Wallis Building Company operating system, data, business continuity based on criteria and foundation for registration and security procedures were not existent. There was no interconnection policy in Wallis Building Company operating system. This was supported by lack of adequate security and business continuity controls subject to intranet, extranet and internet were not put in place to support business functions.
Key issues raised
The company was updating her operating systems. The audit team questioned system back up. The Wallis Building Company operating system had program code errors. There was no system controls over program changes. There were unauthorized amendments. The system was not protected by passwords and there were no approval of changes to operating system. There were no controls over installation and maintenance of the software environment. The system was affected negatively by access control failures. There were no controls over application development.
Testing system maintenance controls
Audit controls identified
The compliance tests identified maintenance risks, system monitoring risks and inadequate analysis of audit logs.
Expected controls to mitigate the risks
Wallis Building Company ought to ensure she improved on her system maintenance controls, demonstrate system monitoring controls and conduct analysis of audit logs. Wallis Building Company ought to have implemented and validated her audit logs settings for her hardware devices and support software. Wallis Building Company should have ensured the logs had expected characteristic traits that are associated with audit logs. Wallis Building Company should have ensured her system was bale to record logs in a standards format as syslog entries. She should have ensured she had enough disk space for system logs.
Audit testing conducted
The audit team conducted tests on efficiency of the security logging. The audit team conducted tests on logging records and possibility of presence of malicious software on the system.
Results of the testing
The audit team was not satisfied with the test results. The audit team found problems with the security logging. The operating system was found to have malicious software. There was no documentation on logging records. There was no traceability of system attackers or possible details of the system attack. There was no verbose logging on remote access to the internal network whether the access was achieved through VPN or dial up. The system didn’t have configurations that are necessary to execute was not log access control events.
Key issues that were raised
The system should have capacity to logging record as evidence of attack. The company should not keep audit records for compliance only. The company should have review of audit logs in order to be able to determine when the system has been compromised. The log analysis process should be an ongoing process.
Conclusion
The audit determined that Wallis Building Company ought to improve on her data management controls through improvement of her firewall security, network based IPSs and inbound and outbound proxies. These should be configured to ensure they are able to log verbosely traffic that gets to the network devices. The Wallis Building Company should ensure her servers logs should be written to write-only devices or be written to dedicated logging servers that have capacity to run independently from the host that generates the logs. This would have potential of ensuring any site attack or fraud or manipulation doesn’t contribute into compromise of the system security or data integrity.
The company should develop a contingency plan and business continuity plan through review of her business continuity and disaster recovery plan to meet expected standards. The backup data should be stored offsite, company should manage redundancies and conduct periodic reviews and testing.
Wallis Building Company should deploy a Security Event-Information Management (SEIM) system that could help in log aggregation and consolidation. This could facilitate correlation and analysis. The Wallis Building Company should ensure her system doesn’t contribute into material misstatement that arises following changes in employee or restructuring of information systems. Wallis Building Company should; ensure her internal control system is designed and operates towards enhancing effectiveness and efficiency of business operations, reliability of financial reporting and compliance with applicable legislative policies on auditing.
Wallis Building Company should setup PO approval limits, authorization limits and adjustment approval limits. This could translate into decrease of risk assessment processes and facilitate audit trails that have potential to support audit process. Wallis Building Company should have a centralized logging server for receiving logs from her network devices and firewall through configuration of her system firewall proxies and remote access systems. Wallis Building Company should have ensured her remote system access based on type for instance VPN or dial-up supported verbose logging. The system should have been configured to create logs whenever any system user made efforts to have authorized or non-authorized access to Wallis Building Company resources.
The company should improve on her physical and environmental controls through development of disposal procedures, conducting onsite inspections to evaluate controls and improving security of computer center through restricting access. There should be a system administrator.
The company should develop policies for enhancing security of her server environment. This should be achieved by running security scans on all server critical components, updating hardware configurations to conform to expected standards for server security and deploying a server system administrator. There should be a backup cycle monitoring, accounting logs maintenance and use of appropriate operating system that supports drivers for enhanced server security.
Recommendations
The audit team recommended Wallis Building Company ceases her business operations until a future date after her systems complied with legislative framework or open up to business if it was able to challenge the audit team recommendations. Wallis Building Company should ensure she complies with Sarbanes Oxley Act on internal controls auditing and work towards achievement of ISO 9001: 2008 quality management system certification.