Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015
Version: Responses v6.0, SMBC Management Response, July 2015
Financial Year: 2014/2015

Key to assessment of internal control deficiencies:
Material weakness - risk of material misstatement
Significant deficiency - risk of significant misstatement
Deficiency - risk of inconsequential misstatement

2015 Grant Thornton UK LLP September
Introduction

The recommendations of the external auditors have been reviewed by relevant SMBC managers and a solutions schedule is set out below. The delivery of the completion dates will be monitored by internal audit.

Control | Title | Auditors' risk assessment | SMBC solution effort/complexity assessment | Scheduled completion date
Control 1 | Oracle EBS user management and governance (controls 1-7) | Significant | Multiple responses; see controls 2-7 | Multiple dates for controls 2-7; see below
Control 2 | Excessive number of system administrators in Oracle EBS | Significant | High | December 2015
Control 3 | Users self-assigning responsibilities in Oracle EBS | Significant | High | December 2015
Control 4 | Excessive privileges assigned to generic accounts in Oracle EBS | Significant | Medium | October 2015
Control 5 | Audit logging is not fully enabled and configured in Oracle EBS | Significant | Medium | October 2015
Control 6 | Users with 'processes tab' functionality in Oracle EBS | Deficiency | Low | 31 July 2015
Control 7 | Users with inappropriate access to elevated accounts | Deficiency | Low | 31 August 2015
Control 8 | Weak Northgate logical access controls | Deficiency | Low | DONE
Control 9 | Weak Oracle EBS logical access controls | Deficiency | Low | DONE
Control 10 | Users without password expiration date | Deficiency | Low | 31 July 2015
Control 11 | Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS) | Deficiency | High | December 2015
Control 12a | Removal of leavers' user access rights (short term fix) | Deficiency | Medium | October 2015
Control 12b | Removal of leavers' user access rights (medium term fix) | Deficiency | Medium | December 2015
Control 12c | Removal of leavers' user access rights (long term fix) | Deficiency | High | To be prioritised and scheduled
Control 1: Oracle EBS user management and governance

Issue and risk

We observe that there is no clear separation between users responsible for business functions and users with access to IT functions and utilities. There is no evidence that an effective role based access control (RBAC) process is in place, nor is there evidence that segregation of duties is properly managed within the application. This weakness manifests itself in IT users having the ability to create and post financial transactions and business users having access to certain system administration functions. We also noted that certain users have the ability to increase their own level of system access and may have done so without requiring authorisation from an appropriate person.

In complex Enterprise Resource Planning (ERP) systems such as Oracle EBS, the assignment of user privileges must be carefully considered to avoid excessive access and the potential lack of segregation of duties that can follow as a result. We noted, for example, that IT users were regularly using the SYSADMIN default account, which has full system access. The potential for certain users to change their own access without authorisation is a clear violation of best practice, undermines information governance principles and is likely to increase the level of incompatible duties as well as increasing the possibility of users incorrectly posting financial entries due to unfamiliarity with the application's functionality.

The lack of control over information governance, excessive access and segregation of duties conflicts can increase the risk of fraudulent activity and lead to unreliable financial reporting. We also note that it is possible that existing management controls may not be sufficient to compensate where those risks are not fully understood.

Recommendation

Solihull MBC IT Security Policy provides a framework to manage user access. Management should consider how to enforce this at all levels of the organisation, including those staff managing the IT environment and applications. The following principles should be considered:
- enforcing appropriate authorisation of role and responsibility changes
- restricting System Administrator privileges to only those that need them based on operational requirements (see Issue 2)
- removing full System Administrator responsibility from created roles that do not require this level of access and restricting access to only those functions that the role requires (see Issue 2)
- eliminating self-assignment of responsibilities (see Issue 3)
- reinstating SYSADMIN privileges to its 'out of the box' role (see Issue 4)
- removing access to the processes tab in all cases (see Issue 6)
- creating responsibilities specific to roles based on the 'least privilege' principle and removing multiple accounts for individual users (see Issue 7)

Assessing the appropriateness of the above measures would benefit from further analysis relating to segregation of duties conflicts, and this should be conducted as soon as possible.

Management response

We acknowledge the points made and agree, except for "IT users were regularly using the SYSADMIN default account". This is not a regular occurrence and it is only used for scheduling required concurrent processes. For this issue and for all other issues in this report, as indicated, solutions to these controls are scheduled as below.

Control 2: Excessive number of system administrators in Oracle EBS

Issue and risk

There are 43 accounts within the system that have the ability to perform system administrator functions. Not all of these users are members of the IT function. Of these:
- 16 users have the 'System Administrator' responsibility assigned to them
- 27 users have been assigned 'View Users', 'Password reset' or 'Purchasing User Details'; these responsibilities are seen as a 'backdoor' which allows individuals to create new users, reset passwords and assign privileges (including their own). This is not a standard Oracle process, nor is it seen as maintaining best practice.

Users within Oracle EBS are considered to have system administrator abilities if they can access the forms that allow the creation or modification of user accounts or the resetting of passwords.

Recommendation

Management should consider:
- restricting System Administrator privileges to only those that need them based on operational requirements
- creating responsibilities specific to roles based on the 'least privilege' principle

Management response

We believe that some of the numbers are not quite right, but the principle of the concern is sound. We will revise and update both IT and financial operations access.

Action: This work requires review, discussion and documentation of requirements and access with users, as well as ensuring good documentation and processes are in place to maintain the security control. This will be completed by December.

Control 3: Users self-assigning responsibilities in Oracle EBS

Issue and risk

We identified that in the period under review there have been 14 instances where users have assigned additional access rights to themselves in the production environment. These users are not all located within the Oracle EBS support functions. When users have done this they have not end-dated the responsibility and therefore retain access to it permanently. Information governance is undermined by such actions. Users should not be permitted to assign themselves additional responsibilities, especially where there is no evidence of monitoring of user activity.

Recommendation

Staff should be prohibited by policy from self-assigning additional functionality. In instances where support staff require additional functionality, for example when resolving an emergency, this should be supported by after-the-fact documentation and authorisation. Where administrative staff require additional functionality this should be formally authorised and approved, with the responsibility end-dated accordingly. An audit log monitoring process should be established to identify occasions when users have self-assigned privileges.

Management response

We consider that the actions identified to resolve control 2 will also resolve control 3. This is therefore also scheduled to complete for December.
Control 4: Excessive privileges assigned to generic accounts in Oracle EBS

Issue and risk

There are 41 additional responsibilities assigned to the SYSADMIN account. A number of these are default, unsegregated responsibilities that Oracle EBS is provided with (see Issue 6). We also identified that one individual user has four system administration accounts. This violates the principle of accountability and is indicative of poor management processes.

The highest level account in Oracle EBS is the SYSADMIN account. This ships with the application and cannot be locked or disabled as it is required to perform maintenance tasks and upgrades. Best practice is that this account should only be used when required and, as such, it should not have any responsibilities assigned to it other than the default 'System Administrator'.

As a generic account this presents a risk that users can access the account and use it to perform inappropriate or fraudulent transactions without any accountability. These responsibilities could allow users to perform end-to-end transactions and/or modify standing data, enabling fraud to be committed without detection.

Recommendation

Management should consider:
- restoring the SYSADMIN account to its original settings
- establishing audit logging on the SYSADMIN account to identify any changes to it
- if additional responsibilities are required for a specific reason, supporting them with an authorised change request and end-dating them

Management response

Generic Sys Admin has the ability to do more than is necessary, and scheduled jobs (like PO workflow and CRM Calendars) use this level of privilege. The pre-requisite to restoring SYSADMIN to its original settings is to remove sys admin from scheduled jobs. We expect to complete this for October.
Control 5: Audit logging is not fully enabled and configured in Oracle EBS

Issue and risk

We note that some auditing processes and alerts have been created and enabled. However, these have not been fully configured and updated and can be easily bypassed by other users with elevated privileges. By default, Oracle EBS automatically records the user and time that a financial or system record was created and last updated. It does not record what was changed, nor detail all changes between the point of creation and the last update.

There is a risk that inappropriate or unauthorised activity within a high risk area of the application is not detected in a timely fashion. A user could disguise fraudulent activity by making a change, waiting for the change to be processed and then changing the record back to its original state; the only record of change would be the most recent.

Recommendation

Management should implement audit logging of key areas of the system on a risk-based approach. These logs should be secured against unauthorised access and retained for a sufficient period. A procedure should be introduced to ensure that audit logs of high-risk areas are subject to periodic review by a user independent of the function. To aid management, a list of best practice forms/functions to consider enabling audit logs on is provided below:
- Application controls: Journal Sources, Journal Authorisation Limits, Approval Groups, Adjustment Approval Limits (AR), Receivables Activities (AR), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
- Affect business processes: Profile Options, Descriptive Flexfields, Key Flexfields, Value Set Changes
- Development: Concurrent Programs, Executables, Functions, SQL forms
- Security: Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger maintenance, Define Profile Options, Alerts, Collection Plans
- Fraud related: Suppliers, Remit-To Addresses, Locations, Bank Accounts

Management response

Internal Audit have agreed to do the periodic review of audit trails. Internal Audit will liaise with IT and agree which fields to audit track by October. Agreed audit tracking to be switched on shortly afterwards.

Control 6: Users with 'processes tab' functionality in Oracle EBS

Issue and risk

There are an excessive number of users that have access to the 'processes tab' in Oracle EBS at Solihull MBC. The 'processes tab' (also known as 'AZN menus') is a known security risk present within Oracle EBS. It is used by system developers during the implementation stage to easily configure business workflows and should not be enabled within the production environment. The processes tab displays workflows diagrammatically; however, it also enables the related functions to be performed, bypassing the responsibilities allocated to a user. For example, a user with the out of the box responsibility 'Payables Manager' can view the accounts payable workflow on the processes tab. This will also enable the user to perform any of these stages, such as making a payment. Of particular risk is the 'Application Developer' responsibility, which allows full access to most business processes within Oracle EBS.

Users are able to have unsegregated access to whole processes that system administrators and management are not aware of. There is a risk of users being able to perform end-to-end transactions that could be used to commit fraudulent activity. The risk of such changes not being detected is increased by the absence of effective audit logging.

Recommendation

A review should be undertaken to identify all responsibilities in use that could be exploited using the processes tab functionality. These can be identified by reviewing responsibilities for menus that include the string %AZN%. Exclusions should then be used to ensure that no responsibilities in use have access to these menus. To aid management, the following responsibilities are in use that are either default responsibilities or direct copies of them:

Responsibility | No. of users
Application Developer | 11
ACA General Ledger Super User | 7
ACA Payables Manager | 4
ACA Purchasing Super User | 9
ACA iProcurement | 4
GX General Ledger Super User | 3
GX Payables Manager | 3
GX Purchasing Super User | 6
GX iProcurement | 1
General Ledger Super User | 5
LDC Payables Manager | 3
LDC Purchasing Superuser | 9
Payables Manager | 7
Purchasing Super User | 12
RESPONSIBILITY_NAME | 1
Receivables Manager |
SCH General Ledger Super User | 5

Management response

This functionality is not used in SMBC, so it can simply be switched off. Completion scheduled for August.

Control 7: Users with inappropriate access to elevated accounts

Issue and risk

A responsibility for second-line Oracle EBS support staff to enable password resets has been created and is provided to 24 users. A weakness of Oracle EBS's password management controls is that the password of any account can be changed. There is no process whereby new passwords are automatically e-mailed to the user; the system administrator is only required to type a new one in. There is therefore a risk that these 24 users could hijack privileged accounts, for example those shipped with the application or those of system administrators, by changing their passwords. These users could perform inappropriate or fraudulent transactions whilst covering their tracks through using another's account. This risk is compounded by the absence of pro-active monitoring of audit logs.

Recommendation

Management should consider:
- restricting the number of staff with this level of responsibility
- enabling logging and independently monitoring it regularly (see Issue 5)

Management response

We will remove password reset access privileges from the ICT service desk for both SMBC and Lichfield District Council (for whom we run a shared service). This will have the added efficiency benefit of driving more password resets to self service.

Control 8: Weak Northgate logical access controls

Issue and risk

The password settings for users with the 'First Default' profile are inadequate, as passwords must only be a minimum of three characters long. The 'First-Default' profile is allocated to system administrators of the Northgate application. Users with this profile have access to all system administration functionality, including creating users and modifying access rights or system parameters. These users have the most privileged level of access within the system; strong logical access controls are necessary to adequately reduce the risk of unauthorised access being obtained through password guessing or brute force attacks. Such unauthorised access could lead to fraudulent activity or individuals having inappropriate access to information.

Recommendation

Passwords for all profiles within Northgate should be set to a minimum of eight characters.

Management response

Done.

Control 9: Weak Oracle EBS logical access controls

Issue and risk

The following weaknesses are in the system password settings for the Oracle EBS application:
- passwords are only required to be a minimum of six characters
- users are not prevented from recycling a password they have used within the previous year

Weak logical access controls increase the risk of unauthorised access being obtained through the guessing of passwords or brute force cracking.

Recommendation

The Oracle EBS logical access controls should be strengthened in line with best practice:
- passwords should be required to be at least eight characters long
- users should be prevented from re-using a password they have used within the previous 180 days

Management response

Done.

Control 10: Users without password expiration date

Issue and risk

There are 70 accounts that have no password expiry date value against them. These accounts are all generic accounts and are not linked to named individuals. Two have significant business process privileges assigned to them and have not changed their password since
We also note that at least one generic Oracle EBS account still has its default password and no password expiry set. We note that the majority of users have an expiry set to 90 days. However, accounts that have passwords that do not expire become vulnerable to being disclosed over time and can therefore provide access to the system and data.

Passwords which either do not expire or which are not changed frequently represent a high risk that they will be enumerated and disclosed to unauthorised users. Where this is assigned to a generic account, access to it and subsequent activities may not be monitored or identified, which could undermine security settings within the system.

Recommendation

All accounts should have a password expiry value entered against them (unless they are system accounts performing automated tasks, e.g. batch posting). This should be subject to periodic review to identify any users with administration rights who have overwritten this setting. Disciplinary action should be taken in these instances.

Management response

All real user password lifespan days set to 60 days: done. None of the 70 accounts are people. They are processes, like WebForms and calendars, with limited privileges and where the business process requires no end date. Management will verify that this is the case for all 70, and end date any exceptions, by August.

Control 11: Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS)

Issue and risk

There are no regular processes within Solihull MBC to review access rights across functions for Active Directory, Academy or Oracle EBS. Additionally, no security audit logs are maintained to monitor user activity which would identify anomalous user actions outside their remit (see Issue 5). Over time, users can acquire access rights that are not commensurate with their functional role and bypass or override internal control processes. This contradicts the principle of least privilege, whereby users are allocated the minimum level of access rights to fulfil their role.

Without this control in place the following risks are inadequately managed:
- gaps in user administration processes and controls may not be identified and dealt with in a timely manner
- access to information resources and system functionality may not be restricted on the basis of legitimate business need
- enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls
- no-longer-needed permissions granted to end-users may lead to segregation of duties conflicts
- access privileges may become disproportionate with respect to end users' job duties
- accumulation of excessive folder rights, which undermines roles defined in system access profiles

All issues above could result in unidentified material misstatement due to fraud or error.

Recommendation

There is a need for management to perform periodic, formal reviews of the user accounts and permissions within Oracle EBS, Academy and Active Directory. These reviews should:
- take place at a pre-defined, risk-based frequency (annually at a minimum)
- create an audit trail such that a third party could determine when the reviews were performed, who was involved, and what access changed as a result
- evaluate both the necessity of existing user IDs as well as the appropriateness of user-to-group assignments (with due consideration being given to adequate segregation of duties)
- ensure access to folders is only given to those with appropriate roles and responsibilities
- develop a process/form to document and evidence approval of user amendments, including Active Directory folder permissions

Management response

Although some periodic reviews do take place, this can be enhanced with better input data. ICT could develop a script to produce data for analysis of leavers, movers and joiners access privileges. This requires time to review, write, discuss, revise etc. Business system owners to agree they will use the output of the scripts to do better periodic reviews. Script to be operational and system owners will be making regular use of it by December.

Control 12: Removal of leavers' user access rights

Issue and risk

System administrators for Oracle EBS, Northgate and Active Directory rely on the end-user community to notify them of accounts that require disabling as a result of users moving post or leaving the organisation. The end-user community should never be solely relied upon to inform security administrators of the need to revoke logical access due to leaver activity, as such notifications are typically inconsistently provided (if at all). Whilst the Oracle EBS administrators monitor leaver activity recorded through the Oracle EBS HR module, this may not capture non-HR users, e.g. temps, agency staff, contractors etc., and it is not clear whether these user accounts are only removed from Oracle EBS and not from Active Directory or Northgate.

Access to information resources and system functionality may not be restricted on the basis of legitimate business need, and enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls. Terminated employees may continue to access information assets through enabled, no-longer-needed user accounts, and revocation of access rights may not be performed accurately, comprehensively, or on a timely basis.

Recommendation

Oracle EBS, Northgate and Active Directory administrators should be provided with:
- timely, proactive notifications from HR of leaver activity for anticipated terminations
- timely, per-occurrence notifications for unanticipated terminations

Security administrators of financially critical applications should then use these notifications to end-date user accounts associated with anticipated leavers, or immediately disable user accounts associated with unanticipated leavers.

Management response

There are a number of issues to resolve in this control, with short term, medium term and long term actions. The proposed solutions are:
- Short term: Re-instate the process with HR advising of people end dated in Oracle (probably through an improved automated script). This is scheduled for October 2015.
- Medium term: Add contractors and consultants (particularly those with IT systems access) to Oracle. This is scheduled for December 2015.
- Long term: Build joiners, movers and leavers process automation. This is to be reviewed, prioritised and, if appropriate, scheduled by the Oracle Exploitation Board, led by the Director of Resources.
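The processes tab review recommended under control 6 (find every responsibility in use whose menu tree reaches a menu named with AZN, then exclude those menus) can be carried out against the menu tables rather than by clicking through each responsibility. The following is an added example, not code from the report or from SMBC or Grant Thornton: Python walking an in-memory SQLite copy of FND_RESPONSIBILITY, FND_RESPONSIBILITY_TL, FND_MENUS, FND_MENU_ENTRIES and FND_RESP_FUNCTIONS (real Oracle EBS table and column names; the menu names, responsibility names and ids are constructed for the example). It honours menu exclusions recorded in FND_RESP_FUNCTIONS with RULE_TYPE 'M', so a responsibility whose AZN menu has already been excluded drops out of the list, and it skips end-dated responsibilities because the report's concern is responsibilities in use.

```python
import sqlite3

AS_OF = "2015-06-30"   # review date (constructed); SYSDATE on a live system

# Cut-down copies of the menu and responsibility tables. Table and column names
# are the real Oracle EBS ones; every row in SAMPLE is constructed.
DDL = """
CREATE TABLE FND_RESPONSIBILITY (RESPONSIBILITY_ID INTEGER, MENU_ID INTEGER, END_DATE TEXT);
CREATE TABLE FND_RESPONSIBILITY_TL (RESPONSIBILITY_ID INTEGER, RESPONSIBILITY_NAME TEXT);
CREATE TABLE FND_MENUS (MENU_ID INTEGER, MENU_NAME TEXT);
CREATE TABLE FND_MENU_ENTRIES (MENU_ID INTEGER, ENTRY_SEQUENCE INTEGER, SUB_MENU_ID INTEGER);
CREATE TABLE FND_RESP_FUNCTIONS (RESPONSIBILITY_ID INTEGER, ACTION_ID INTEGER, RULE_TYPE TEXT);
"""
SAMPLE = {
    "FND_MENUS": [(1000, "AP_PAYABLES_MANAGER"), (1001, "AP_SETUP"), (1002, "AP_AZN_MENU"),
                  (2000, "GL_SUPERUSER"), (2001, "GL_SETUP"), (2002, "GL_AZN_MENU"),
                  (3000, "AR_MANAGER"), (3001, "AR_SETUP")],
    # (parent menu, sequence, sub menu); the GL AZN menu sits two levels down
    "FND_MENU_ENTRIES": [(1000, 10, 1001), (1000, 20, 1002),
                         (2000, 10, 2001), (2001, 10, 2002),
                         (3000, 10, 3001)],
    "FND_RESPONSIBILITY": [(50010, 1000, None), (50011, 1000, None), (50012, 2000, None),
                           (50013, 3000, None), (50014, 1000, "2014-12-31")],
    "FND_RESPONSIBILITY_TL": [(50010, "Payables Manager"), (50011, "ACA Payables Manager"),
                              (50012, "General Ledger Super User"),
                              (50013, "Receivables Manager"),
                              (50014, "Old Payables Manager")],
    # ACA Payables Manager already has the AZN menu excluded (RULE_TYPE 'M' = menu)
    "FND_RESP_FUNCTIONS": [(50011, 1002, "M")],
}

def open_menu_db():
    """In-memory SQLite connection loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def submenu_tree(conn):
    """Adjacency map MENU_ID -> [SUB_MENU_ID]; function-only entries have no sub menu."""
    tree = {}
    rows = conn.execute("SELECT MENU_ID, SUB_MENU_ID FROM FND_MENU_ENTRIES "
                        "WHERE SUB_MENU_ID IS NOT NULL")
    for menu_id, sub_id in rows:
        tree.setdefault(menu_id, []).append(sub_id)
    return tree

def reachable_azn_menus(conn, root_menu_id, excluded):
    """Depth-first walk from a responsibility's root menu, skipping excluded
    menus and their subtrees; returns the AZN-named menus still reachable."""
    names = dict(conn.execute("SELECT MENU_ID, MENU_NAME FROM FND_MENUS"))
    tree = submenu_tree(conn)
    found, seen, stack = [], set(), [root_menu_id]
    while stack:
        menu_id = stack.pop()
        if menu_id in seen or menu_id in excluded:
            continue
        seen.add(menu_id)
        if "AZN" in names.get(menu_id, "").upper():   # the report's %AZN% test
            found.append(names[menu_id])
        stack.extend(tree.get(menu_id, []))
    return sorted(found)

def responsibilities_with_azn(conn, as_of=AS_OF):
    """Responsibilities in use whose menu tree still reaches an AZN menu,
    as (name, [menu names]) sorted by responsibility name."""
    sql = """
    SELECT r.RESPONSIBILITY_ID, t.RESPONSIBILITY_NAME, r.MENU_ID
    FROM FND_RESPONSIBILITY r
    JOIN FND_RESPONSIBILITY_TL t ON t.RESPONSIBILITY_ID = r.RESPONSIBILITY_ID
    WHERE r.END_DATE IS NULL OR r.END_DATE > :as_of
    ORDER BY t.RESPONSIBILITY_NAME
    """
    out = []
    for resp_id, name, menu_id in conn.execute(sql, {"as_of": as_of}).fetchall():
        excluded = {a for (a,) in conn.execute(
            "SELECT ACTION_ID FROM FND_RESP_FUNCTIONS "
            "WHERE RESPONSIBILITY_ID = ? AND RULE_TYPE = 'M'", (resp_id,))}
        azn = reachable_azn_menus(conn, menu_id, excluded)
        if azn:
            out.append((name, azn))
    return out

if __name__ == "__main__":
    for name, menus in responsibilities_with_azn(open_menu_db()):
        print(f"{name}: reachable AZN menus {menus}")
```

Running the check again after exclusions have been added is the verification step the recommendation implies: the list should come back empty for every responsibility still in use.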
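Controls 10, 11 and 12 all reduce to questions about FND_USER that the periodic review script in the control 11 management response would have to answer: which live accounts have no password lifespan, which belong to people whose HR period of service has ended, and which have no HR record at all so that no leaver feed can ever end-date them. The following is an added example, not code from the report or from SMBC or Grant Thornton: Python over an in-memory SQLite copy of FND_USER and PER_PERIODS_OF_SERVICE (real Oracle EBS table and column names; FND_USER.EMPLOYEE_ID holds the HR PERSON_ID). All rows are constructed, including a re-hired person, so the leaver check must look at the latest period of service rather than any terminated one.

```python
import sqlite3

AS_OF = "2015-06-30"   # review date (constructed); SYSDATE on a live system

# Cut-down copies of FND_USER and the HR periods-of-service table. Table and
# column names are the real Oracle EBS ones; all rows are constructed.
DDL = """
CREATE TABLE FND_USER (
    USER_ID INTEGER, USER_NAME TEXT, EMPLOYEE_ID INTEGER, END_DATE TEXT,
    PASSWORD_LIFESPAN_DAYS INTEGER, PASSWORD_LIFESPAN_ACCESSES INTEGER, PASSWORD_DATE TEXT);
CREATE TABLE PER_PERIODS_OF_SERVICE (
    PERSON_ID INTEGER, DATE_START TEXT, ACTUAL_TERMINATION_DATE TEXT);
"""
SAMPLE = {
    # (user_id, name, employee_id, end_date, lifespan_days, lifespan_accesses, password_date)
    "FND_USER": [
        (101, "AHAYES", 501, None, 90, None, "2015-05-01"),
        (102, "BKHAN", 502, None, 90, None, "2015-04-15"),             # person 502 has left
        (103, "CLOWE", 503, None, None, None, "2013-01-10"),           # named user, no expiry
        (104, "DROSS", 504, "2015-03-31", None, None, "2014-11-02"),   # already end-dated
        (201, "WEBFORMS_BATCH", None, None, None, None, "2012-06-01"), # generic, no expiry
        (202, "CONTRACTOR1", None, None, 90, None, "2015-05-20"),      # no HR record
    ],
    # (person_id, date_start, actual_termination_date); 502 left once, was re-hired, left again
    "PER_PERIODS_OF_SERVICE": [
        (501, "2010-01-04", None), (502, "2005-01-01", "2009-12-31"),
        (502, "2011-03-01", "2015-03-31"), (503, "2012-09-03", None),
        (504, "2009-05-11", "2015-03-31"),
    ],
}
ACTIVE = "(u.END_DATE IS NULL OR u.END_DATE > :as_of)"   # account not end-dated

def open_review_db():
    """In-memory SQLite connection loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def no_password_expiry(conn, as_of=AS_OF):
    """Control 10: live accounts with neither a day nor an access lifespan.
    Returns (user, 'named' or 'generic', date of last password change)."""
    sql = f"""
    SELECT u.USER_NAME,
           CASE WHEN u.EMPLOYEE_ID IS NULL THEN 'generic' ELSE 'named' END,
           u.PASSWORD_DATE
    FROM FND_USER u
    WHERE {ACTIVE} AND u.PASSWORD_LIFESPAN_DAYS IS NULL
      AND u.PASSWORD_LIFESPAN_ACCESSES IS NULL
    ORDER BY u.USER_NAME"""
    return conn.execute(sql, {"as_of": as_of}).fetchall()

def leavers_with_open_accounts(conn, as_of=AS_OF):
    """Control 12: live accounts whose person's latest period of service has
    ended on or before the review date. Returns (user, termination date)."""
    sql = f"""
    SELECT u.USER_NAME, p.ACTUAL_TERMINATION_DATE
    FROM FND_USER u
    JOIN PER_PERIODS_OF_SERVICE p ON p.PERSON_ID = u.EMPLOYEE_ID
    WHERE {ACTIVE}
      AND p.DATE_START = (SELECT MAX(p2.DATE_START) FROM PER_PERIODS_OF_SERVICE p2
                          WHERE p2.PERSON_ID = p.PERSON_ID)
      AND p.ACTUAL_TERMINATION_DATE IS NOT NULL
      AND p.ACTUAL_TERMINATION_DATE <= :as_of
    ORDER BY u.USER_NAME"""
    return conn.execute(sql, {"as_of": as_of}).fetchall()

def accounts_without_hr_record(conn, as_of=AS_OF):
    """Controls 11/12: live accounts with no EMPLOYEE_ID. The HR leaver feed can
    never end-date these, so each needs a named owner and a manual review."""
    sql = (f"SELECT u.USER_NAME FROM FND_USER u WHERE {ACTIVE} "
           "AND u.EMPLOYEE_ID IS NULL ORDER BY u.USER_NAME")
    return [name for (name,) in conn.execute(sql, {"as_of": as_of})]

if __name__ == "__main__":
    db = open_review_db()
    print("no password expiry:", no_password_expiry(db))
    print("leavers still enabled:", leavers_with_open_accounts(db))
    print("no HR record:", accounts_without_hr_record(db))
```

The three result sets are the review's input data: the first separates named users from the process accounts management says make up the 70, the second is the short-term HR-driven leaver check, and the third is the population the medium-term action (adding contractors and consultants to Oracle) is meant to shrink.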
More informationRegulatory Compliance Using Identity Management
Regulatory Compliance Using Identity Management 2015 Hitachi ID Systems, Inc. All rights reserved. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive
More informationArgyll and Bute Council
Argyll and Bute Council 3 June 2009 Contents Page 1 Executive Summary 1 Appendices A B Action plan Progress in implementation of prior year recommendations 1 1 Executive Summary 1.1 Introduction The Council's
More informationAudit of Government s Corporate Accounting System: Part 2
2 0 0 6 / 2 0 0 7 : R e p o r t 5 Audit of Government s Corporate Accounting System: Part 2 December 2006 Library and Archives Canada Cataloguing in Publication Data British Columbia. Office of the Auditor
More informationDepartment of Public Utilities Customer Information System (BANNER)
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
More informationOracle E-Business Suite Controls: Application Security Best Practices
Table of Contents Table of Contents vi Acknowledgements 1 Foreword 2 What Makes This Book Different 3 Who Should Read this Book 3 Organization of this Book 4 Chapter 1: Introduction 5 Chapter 2: Introduction
More informationAUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR
AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationAn Introduction to Continuous Controls Monitoring
An Introduction to Continuous Controls Monitoring Reduce compliance costs, strengthen the control environment and lessen the risk of unintentional errors and fraud Richard Hunt, Managing Director Marc
More informationOFFICE OF THE CITY CONTROLLER
OFFICE OF THE CITY CONTROLLER INFORMATION TECHNOLOGY DEPARTMENT ENTERPRISE RESOURE PLANNING (SAP) SECURITY LIMITED REVIEW PERFORMANCE AUDIT Ronald C. Green, City Controller David A. Schroeder, City Auditor
More informationAberdeen City Council IT Security (Network and perimeter)
Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary
More informationINFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
More informationHow To Audit A Windows Active Directory System
South Northamptonshire Council Windows Active Directory Final Internal Audit Report - September Distribution list: Mike Shaw IT & Customer Services Manager David Price Director of Community Engagement
More informationThe City of New York
The Policy All passwords and personal identification numbers (PINs) used to protect City of New York systems shall be appropriately configured, periodically changed, and issued for individual use. Scope
More informationSmithsonian Enterprises
Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement
More informationICT OPERATING SYSTEM SECURITY CONTROLS POLICY
ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...
More informationDacorum Borough Council Final Internal Audit Report
Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More informationPeopleSoft IT General Controls
PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of
More informationThe Annual Audit Letter for Torbay Council
The Annual Audit Letter for Torbay Council Year ended 31 March 2014 October 2014 Alex Walling Engagement Lead T 0117 305 7804 E alex.j.walling@uk.gt.com Mark Bartlett Manager T 0117 305 7896 E mark.bartlett@uk.gt.com
More informationExternal Audit Reviews. Report by Director of Finance
THE HIGHLAND COUNCIL AUDIT AND STANDARDS COMMITTEE 4 DECEMBER 2003 Agenda Item Report No External Audit Reviews Report by Director of Finance SUMMARY The pages that follow contain a report from the Council's
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More information<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.
PR11 - Log Review Procedure Document Reference PR11 - Log Review Procedure Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 12 January 2010 - Initial release. 1.1 14 September
More informationOracle FLEXCUBE Security Management System User Manual Release 5.0.2.0.0 Part No E52129-01
Oracle FLEXCUBE Security Management System User Manual Release 5.0.2.0.0 Part No E52129-01 Security Management System User Manual Table of Contents (index) 1. SMS... 3 1.1. 7011 - Event Log Inquiry...
More informationEHLANZENI DISTRICT MUNICIPALITY NETWORK SCANNING POLICY FOR 2012
EHLANZENI DISTRICT MUNICIPALITY NETWORK SCANNING POLICY FOR 2012 1. OBJECT OF THE POLICY During the 2010/11 financial year, the Auditor General report highlighted findings that IT has to action to comply
More informationCloud Services. Email Anti-Spam. Admin Guide
Cloud Services Email Anti-Spam Admin Guide 10/23/2014 CONTENTS Introduction to Anti- Spam... 4 About Anti- Spam... 4 Locating the Anti- Spam Pages in the Portal... 5 Anti- Spam Best Practice Settings...
More informationGuide to Auditing and Logging in the Oracle E-Business Suite
Guide to Auditing and Logging in the Oracle E-Business Suite February 13, 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Mike Miller Chief Security Officer Integrigy Corporation Phil
More informationPUR1308/12 - Service Management Tool Minimum Requirements
PUR1308/12 - Service Tool Minimum Requirements No. General Requirements The Supplier organisation must have 10 years or more experience in 1. developing Service software. 2. 3. 4. 5. 6. 7. 8. The Supplier
More informationOur Impacts: accurate base factor data supporting Audit Ready Output
Our Impacts: accurate base factor data supporting Audit Ready Output Report on third party sourced base factors used within the Our Impacts platform as at 31 January 2014 and the design of internal controls
More informationInformatics Policy. Information Governance. Network Account and Password Management Policy
Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information
More informationIT Operations User Access Management Policies
1. Approval and Authorisation Completion of the following signature blocks signifies the review and approval of this Process (signed copy held in safe) Name Job Title Signature Date Authored by:-
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationFull Compliance Contents
Full Compliance for and EU Annex 11 With the regulation support of Contents 1. Introduction 2 2. The regulations 2 3. FDA 3 Subpart B Electronic records 3 Subpart C Electronic Signatures 9 4. EU GMP Annex
More informationAGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader
AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationInterim Audit Report. Borough of Broxbourne Audit 2010/11
Interim Audit Report Borough of Broxbourne Audit 2010/11 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes
More informationUser Accounts and Password Standard and Procedure
Office of the Vice President for Operations / CIO User Accounts and Password Standard and Procedure Issue Date: January 1, 2011 Information Security Office Effective Date: November 21, 2014 User Account
More informationCITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT
CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration
More informationUniversity of Aberdeen Information Security Policy
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationAudit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit
D.2.1D Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit Office of the Chief Audit Executive Audit and Assurance Services Directorate March 2015 Cette publication
More informationLeverage T echnology: Move Your Business Forward
Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes Copyright. Fulcrum Information Technology, Inc. Is Oracle ERP in Scope for 2014 Audit Plan? Learn,
More informationInternal Control Systems
D. INTERNAL CONTROL 1. Internal Control Systems 2. The Use of Internal Control Systems by Auditors 3. Transaction Cycles 4. Tests of Control 5. The Evaluation of Internal Control Component 6. Communication
More informationPension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update
Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report
More informationInformation and Communications Technology Controls Report 2013 14
Information and Communications Technology Controls Report 2013 14 Victorian Auditor-General s Report October 2014 2014 15:12 V I C T O R I A Victorian Auditor-General Information and Communications Technology
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More informationHertSFX. User Guide V2.04. Hertfordshire s Secure File Exchange Portal. (Jan 2014) HertSFX User Guide V2.04 Jan 2014 Page 1 of 17
Hertfordshire s Secure File Exchange Portal User Guide V2.04 (Jan 2014) HertSFX User Guide V2.04 Jan 2014 Page 1 of 17 CONTENTS 1. About HertSFX... 3 2. HertSFX Limitations... 3 3. Getting Started... 3
More informationAccount Management Standards
Account Management Standards Overview These standards are intended to guide the establishment of effective account management procedures that promote the security and integrity of University information
More informationRecommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.
Audit Committee, 25 June 2013 Internal audit Review of recommendations Executive summary and recommendations At its meeting on 29 September 2011, the Committee agreed that it should receive a paper at
More informationAntifraud program and controls assessment grid*
Advisory Services Antifraud program and * Fraud risks & controls February 2008 *connectedthinking 2008 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationApplication controls testing in an integrated audit
Application controls testing in Application controls testing in an integrated audit Learning objectives Describe types of controls Describe application controls and classifications Discuss the nature,
More informationKANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER
KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER Material Weaknesses (0) No material weaknesses were reported for FY 2013. Significant Deficiencies (1) Grant Receivable Accounting
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationWhite Paper: FSA Data Audit
Background In most insurers the internal model will consume information from a wide range of technology platforms. The prohibitive cost of formal integration of these platforms means that inevitably a
More informationIndependent Auditors Report to the Commissioner for Law Enforcement Data Security -
Commissioner for Law Enforcement Data Security Audit of Victoria Police Compliance with CLEDS standards on Access Control and Release June 2008 Reference: Version: FY07/08 Final Date of review: April -
More informationChange Management Best Practices for ERP Applications, An Internal Auditor's Perspective. Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors
Change Management Best Practices for ERP Applications, An Internal Auditor's Perspective Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors Webinar Logistics Hide and unhide the Webinar control panel by clicking
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationApril 2010. promoting efficient & effective local government
Department of Public Works and Environmental Services Department of Information Technology Fairfax Inspections Database Online (FIDO) Application Audit Final Report April 2010 promoting efficient & effective
More informationNorth American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)
Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a
More informationContinuous Monitoring: Match Your Business Needs with the Right Technique
Continuous Monitoring: Match Your Business Needs with the Right Technique Jamie Levitt, Ron Risinger, September 11, 2012 Agenda 1. Introduction 2. Challenge 3. Continuous Monitoring 4. SAP s Continuous
More informationInternal Controls, Fraud Detection and ERP
Internal Controls, Fraud Detection and ERP Recently the SEC adopted Section 404 of the Sarbanes Oxley Act. This law requires each annual report of a company to contain 1. A statement of management's responsibility
More informationTrust but Verify: Best Practices for Monitoring Privileged Users
Trust but Verify: Best Practices for Monitoring Privileged Users Olaf Stullich, Product Manager (olaf.stullich@oracle.com) Arun Theebaprakasam, Development Manager Chirag Andani, Vice President, Identity
More informationPROTECTING SYSTEMS AND DATA PASSWORD ADVICE
PROTECTING SYSTEMS AND DATA PASSWORD ADVICE DECEMBER 2012 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute
More informationAccess Control and Audit Trail Software
Varian, Inc. 2700 Mitchell Drive Walnut Creek, CA 94598-1675/USA Access Control and Audit Trail Software Operation Manual Varian, Inc. 2002 03-914941-00:3 Table of Contents Introduction... 1 Access Control
More informationGuardium Change Auditing System (CAS)
Guardium Change Auditing System (CAS) Highlights. Tracks all changes that can affect the security of database environments outside the scope of the database engine Complements Guardium's Database Activity
More informationGAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior
GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States
More information