How To Audit A Windows Active Directory System




South Northamptonshire Council
Windows Active Directory
Final Internal Audit Report - September 2011

Distribution list:
- Mike Shaw, IT & Customer Services Manager
- David Price, Director of Community Engagement and Corporate Services
- Martin Henry, Head of Finance
- Sue Smith, Chief Executive (Final Report Only)

Key dates:
- Date of fieldwork: June 2011
- Date of draft report: August 2011
- Receipt of responses: September 2011
- Date of final report: September 2011

This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07, which was extended on the 10th December 2009, between South Northamptonshire Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of South Northamptonshire Council. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended, for any other purpose.

Contents
1. EXECUTIVE SUMMARY
2. SCOPE OF ASSIGNMENT
3. ASSESSMENT OF CONTROL ENVIRONMENT
4. OBSERVATIONS AND RECOMMENDATIONS
APPENDIX A - REPORTING DEFINITIONS
APPENDIX B - STAFF INTERVIEWED
APPENDIX C - SUMMARY OF DOMAIN ACCOUNTS POLICY VALUES
APPENDIX D - SUMMARY OF DOMAIN CONTROLLER AUDIT POLICY SETTINGS
APPENDIX E - STATEMENT OF RESPONSIBILITY

1. Executive summary

1.1. Background

As part of the 2011/12 Internal Audit Plan we have carried out an audit of Windows Active Directory Security. The audit made use of the third party security evaluation tool SekChek to obtain a security extract from the ADTOW02 domain controller in the snclive.gov.uk domain, followed by analysis of the data extract produced. The results were benchmarked against industry and leading practice standards (see Appendices C and D). Leading practice is the standard adopted by the top 10-20% of organisations. The Active Directory is managed by Capita on behalf of the Council.

1.2. Objectives and Scope

The overall objective of this audit was to provide assurance that the network system, components, configuration and access permissions are able to maintain the accuracy, confidentiality and availability of the IT resources and data, in line with the control objectives listed in section 2, which also sets out the objective and scope of our work.

1.3. Summary assessment

The security analysis found security overall to be below average compared with other Windows Domain Controllers running Active Directory used in the Government sector. Weaknesses in the system of internal control design are such as to put the system objectives at risk. Our assessment in terms of the design of, and compliance with, the system of internal control covered is set out below.

Design of Controls: Limited
Operation of Controls: Limited

Management should be aware that our internal audit work was performed according to UK Government Internal Audit Standards, which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assessment gradings provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

The classifications of our audit assessments and the priority rating definitions for our recommendations are set out in more detail in Appendix A, whilst further analysis of the controls is shown in Section 3 and Appendices C and D.

1.4. Key findings

We have raised ten priority 2 and five priority 3 recommendations where we believe there is scope for improvement within the control environment. The key findings are set out below:
- The SekChek analysis found some of the system policy settings to be set at weaker values; for example, passwords are stored using reversible password encryption, account lockout settings are not fully defined, and the default administrator and guest accounts have not been renamed. These and other policies should be aligned with leading practice standards and monitored to confirm they are appropriate.
- The audit policy settings have not been enabled for the majority of events or activities (see Appendix D). There was also no established process for proactive log review.
- While the majority of registry key settings were appropriately defined to assist in the maintenance of a secure operating environment, some exceptions were identified; for example, unsigned driver installation behaviour is set to silently succeed.
- There were no standard account management profiles; for example, inconsistent application of domain policy settings for home directories, scripts and profiles was identified.
- Due to account settings, some users are never required to change their passwords, and accounts can be set by an Administrator to not require a password for logon. We also identified some redundant and generic accounts.
- The security analysis identified named accounts holding rights that are recommended not to be granted to anyone. These need to be reviewed to ensure the permissions are required and appropriate.
- A large number of Discretionary Access Control Lists (DACLs) were identified. As the system allows permissions to be granted through them, DACLs need to be monitored to ensure that these permissions remain appropriate.
- A significant number of accounts can be used to dial in to the Active Directory via RAS. However, dial-back controls have not been implemented.

Full details of the audit findings and recommendations are shown in Section 4 of the report. Some of the identified weaknesses were rectified during the course of the audit: in some cases the recommendation has been withdrawn, but where a composite recommendation was raised this has been highlighted.

1.5. Management Response

We have included a summary of management's response in Section 4. We would like to take this opportunity to thank all staff involved for their time and cooperation during the course of this visit.

2. Scope of assignment

2.1 Objective

The overall objective of this audit was to provide assurance that the system of control in respect of the administration of Windows Active Directory, with regard to the areas set out in section 2.3, is adequate and is being consistently applied.

2.2 Approach and methodology

The following procedures were developed with reference to the Code of Practice for Internal Audit in Local Government as produced by CIPFA and by an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:
- Identification of the role and objectives of each area;
- Identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
- Evaluation and testing of controls within the systems.

2.3 Areas covered

In accordance with our agreed terms of reference, dated June 2011, our work was undertaken to ascertain whether the network system, components, configuration and access permissions are able to maintain the accuracy, confidentiality and availability of the IT resources and data. The following areas were audited:
- System Accounts Policy;
- Audit Policy Settings;
- Registry Key Settings;
- Analysis of Trusted and Trusting Domains;
- Use of Home Directories and Logon Scripts;
- Analysis of Services and Drivers;
- User Account Management;
- Discretionary Access Controls; and
- User Permissions.

3. Assessment of Control Environment

The following table sets out in summary the control objectives we have covered as part of this audit, our assessment of risk based on the adequacy of controls in place, the effectiveness of the controls tested and any resultant recommendations.

Control Objectives Assessed                 Design of Controls   Operation of Controls   Recommendations Raised
System Accounts Policy                                                                   1, 2, 3, 4, 8
Audit Policy                                                                             5
Registry Key Settings                                                                    6, 7
Analysis of Trusting and Trusted Domains                                                 15
Use of Home Directories, Logon Scripts                                                   10
Analysis of Services and Drivers                                                         13, 14
User Account Management                                                                  9
Discretionary Access Controls                                                            12
User Permissions                                                                         11

The classifications of our assessment of risk for the design and operation of controls are set out in more detail in Appendix A.

4. Observations and Recommendations

1: Password Controls (Priority 3)

The following password parameter settings should be amended to comply with leading practice values. We recommend the following settings are enabled:
- Password complexity is enabled;
- Password History Size is increased from 10 to 13; and
- Reversible Password Encryption is disabled (when this setting is enabled, passwords are stored in clear text).

Adopting stronger password system account policy settings helps to ensure that good password control policies are adopted and also increases assurance that only authenticated and authorised users can gain system access.

Audit analysis and review of the system account policy settings identified the following exceptions, where password account policies were not fully applied in line with leading practice (see Appendix C):
- Password history size was set to remember the last 10 passwords;
- Password complexity is disabled; and
- Reversible Password Encryption is enabled.

Evidence provided at the exit meeting showed that password complexity has now been enabled.

Unless effective account policy settings are established, there is an increased risk that passwords may be compromised, which could result in unauthorised access.

Management response:
- Password complexity is enabled and was demonstrated along with a screen shot as evidence (Email to Martha Nkomo 04/07/2011). Completed.
- Password history will be adjusted from 10 months to 13. Deadline 01/11/11.
- Reversible Password Encryption (RPE) is disabled (when this setting is enabled, passwords are stored in clear text). A request has been passed to Capita to update this setting if there is no implication to existing systems. Deadline 01/01/12.

2: Account Lockout (Priority 2)

The domain accounts policy settings should be amended as follows:
- The lockout threshold should be set to lock a user account after three unsuccessful attempts;
- The lockout duration should be set to 0, which means a user account is locked out until reset by an Administrator; and
- The reset lockout counter should be set to 1440 minutes (one day).

Where cases exist that require settings to be set to weaker values, this should be separately recorded.

The lockout threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The lockout duration indicates the amount of time an account will remain locked, and the reset lockout counter specifies the period within which invalid logon attempts are monitored. Setting appropriate values within the domain accounts policy can play an important role in restricting access to accounts which have had repeated access attempts.

Review of the domain account policy (see Appendix C) identified that the lockout threshold, lockout duration and reset lockout counter have not been set. Evidence provided at the exit meeting showed that the lockout threshold was subsequently set to 3 attempts.

Use of suitable lockout threshold, lockout duration and reset lockout counter settings within the domain accounts policy will help reduce the risk of unauthorised access.

Management response: Lockout threshold was set and demonstrated to the auditor with a duration of 15 minutes. This level of lockout is considered suitable to the needs of the business at this time. We do not intend to set the lock-out counter to 1440 or require a manual intervention to unlock the account. Completed.
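As an added example (not part of the Deloitte report or the SekChek tool), the following PowerShell compares the live domain account policy with the values recommended in Recommendations 1 and 2, using the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy cmdlets. The function names, the comparison rules and the OK/EXCEPTION labels are this example's own; the target values are those quoted above.

```powershell
# Added example: compare the domain account policy with the values recommended
# in Recommendations 1 and 2. Requires the ActiveDirectory (RSAT) module and a
# domain-joined session; function and variable names are this example's own.
Import-Module ActiveDirectory

# Each check names the policy property, the target quoted in the report, and a test.
$Checks = @(
    @{ Setting = 'ComplexityEnabled';           Target = 'Enabled';         Test = { param($p) $p.ComplexityEnabled } }
    @{ Setting = 'PasswordHistoryCount';        Target = '13 or more';      Test = { param($p) $p.PasswordHistoryCount -ge 13 } }
    @{ Setting = 'ReversibleEncryptionEnabled'; Target = 'Disabled';        Test = { param($p) -not $p.ReversibleEncryptionEnabled } }
    # A threshold of 0 means accounts never lock out, the state the report found (Appendix C).
    @{ Setting = 'LockoutThreshold';            Target = '1 to 3 attempts'; Test = { param($p) $p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 3 } }
    @{ Setting = 'LockoutObservationWindow';    Target = '1440 minutes';    Test = { param($p) $p.LockoutObservationWindow.TotalMinutes -ge 1440 } }
)

function Get-DomainAccountPolicyFindings {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($c in $Checks) {
        $prop = $c.Setting
        [pscustomobject]@{
            Setting = $prop
            Actual  = $policy.$prop
            Target  = $c.Target
            Status  = if (& $c.Test $policy) { 'OK' } else { 'EXCEPTION' }
        }
    }
    # "Locked until an Administrator resets it" (the report's recommended duration
    # of 0) is stored as a sentinel rather than a plain zero, so the duration is
    # shown for the reviewer instead of being tested mechanically.
    [pscustomobject]@{
        Setting = 'LockoutDuration'
        Actual  = $policy.LockoutDuration
        Target  = '0 (until reset by an Administrator)'
        Status  = 'REVIEW'
    }
}

function Get-FineGrainedPolicyOverrides {
    # Fine-grained password policies (PSOs) override the default domain policy for
    # the users and groups they apply to, so reviewing the domain policy alone is
    # incomplete without them.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, ComplexityEnabled, PasswordHistoryCount,
                      ReversibleEncryptionEnabled, LockoutThreshold, AppliesTo
}

Get-DomainAccountPolicyFindings | Format-Table -AutoSize
Get-FineGrainedPolicyOverrides  | Format-Table -AutoSize
```

The second function matters in practice: a PSO applied to, say, a service-account group can silently reinstate reversible encryption or a weaker history count for those accounts even when the default domain policy passes every check.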

3: Default Accounts (Priority 2)

It is recommended that the following settings are enforced:
- The administrator and guest accounts are renamed from the default setting to a new name; and
- The lockout of the local administrator account is enabled.

Renaming the administrator and guest accounts will minimise the risk of intruders using these well-known accounts when attempting to log on to the domain. Enabling the lockout of the local administrator account helps to ensure that the built-in administrator account can be locked out if targeted to obtain unauthorised access to the system.

The policy values for 'Rename administrator account' and 'Rename guest account' were set as 'not defined', and the policy value for 'Allow lockout of local administrator account' was disabled.

Failure to rename the administrator and guest accounts to a less obvious name increases the risk that unauthorised access can be gained to these accounts. Where lockout of the local administrator account is not enabled, there is an increased risk of repeated, unauthorised access attempts.

Management response: A request has been made to Capita to cost this item. Deadline 01/12/11.

4: Group Policy Objects (Priority 2)

It is recommended that:
- A review of all the Group Policy Objects (GPOs) defined on the network domain is undertaken, and where they appear to be redundant or inconsistent, the required corrective action is taken; and
- A process is put in place to periodically review the GPOs defined on the domain to help ensure that they are valid, current and consistent.

Review of the GPOs will assist in the best use of resources and will help ensure that the correct policy is applied as necessary.

A review of the security analysis report identified the following exceptions in relation to the GPOs defined on the system:
- 5% (10) do not exist on disk;
- 13% (24) have the Computer Configuration disabled;
- 54% (98) have the User Configuration disabled; and
- 5% (9) are not linked to a container.

The lack of review of the permissions and settings provided through GPOs increases the risk that permissions could be incorrectly allocated and settings incorrectly enforced on the system.

Management response: A review of the group policy setup will be conducted in line with the joint working agreement with Cherwell Council as part of the life after Capita program (31/03/12). This should allow both councils to work together towards a consistent and appropriate solution. Deadline 31/06/12.

5: Audit Policy (Priority 2)

The domain audit policy settings should be reviewed and aligned to leading practice, and where appropriate the policy events should be audited for both success and failure. It is also recommended that a process to regularly review audit logs for unusual or suspicious events is implemented.

Effective audit policy settings help to ensure that accountability can be established for both successful and failed user activities on the network.

The security analysis identified the following audit settings:
- Audit Account Logon Events: Success;
- Audit Directory Service Access: Success;
- Audit Logon Events: Success;
- Audit Object Access: No auditing;
- Audit Policy Change: Success;
- Audit Privilege Use: No auditing;
- Audit Process Tracking: No auditing; and
- Audit System Events: No auditing.

Management advised that a tool is currently being implemented to log all activity; however, there is currently no process for the proactive review of audit logs.

Inappropriate audit policy settings increase the risk that accountability cannot be established for activities on the system.

Management response: The SureCloud audit log tool is compliant with GCSX Government Connect 4.1 (highest level) and has been used successfully over the past year to review/highlight events within the log files. The above audit recommendation will be passed to the supplier to make sure the relevant areas' logs are captured and to ask advice on automatic email escalation of key inconsistencies to avoid having to employ staff solely to review these logs. Deadline 01/01/12.

6: Event Logs (Priority 3)

It is recommended that the event log size settings are reviewed and, where necessary, amended to ensure that logs are of an appropriate size to facilitate the recording of system activity.

Event logs contain all events that have been logged as directed by the audit policy settings. Event log size and retention methods determine the length of time for which these event details are maintained. Reviewing event logs helps to ensure that unusual activity identified in the event logs is reported and reviewed.

The default event log settings were found to be in excess of the recommended values. However, these logs are not proactively monitored and reviewed.

Where event logs are not monitored and reviewed, there is a risk that unusual or suspicious activities identified in them may not be reported to management.

Management response: As explained to the auditor these logs are captured by the SureCloud - GCSX Government Code Of Connection Compliant software product, and held in line with Government s for at least 6 months. Completed.
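The checks behind Recommendations 5 and 6, as an added PowerShell example that is not part of the report: it reads the domain controller's effective audit policy with auditpol (whose /r switch emits CSV) and the Security, System and Application log configuration with Get-WinEvent -ListLog. The subcategory-to-category table maps Advanced Audit Policy subcategories onto the legacy categories the report lists and is this example's own construction, as are the size floors, since the report quotes no figure.

```powershell
# Added example: review audit policy subcategories and event log sizing on a
# domain controller. Run in an elevated session on the DC. The mapping table and
# the size thresholds are constructed for this example, not taken from the report.
$CategoryOf = @{
    'Credential Validation'              = 'Account Logon'
    'Kerberos Authentication Service'    = 'Account Logon'
    'Kerberos Service Ticket Operations' = 'Account Logon'
    'User Account Management'            = 'Account Management'
    'Security Group Management'          = 'Account Management'
    'Computer Account Management'        = 'Account Management'
    'Directory Service Access'           = 'Directory Service Access'
    'Directory Service Changes'          = 'Directory Service Access'
    'Logon'                              = 'Logon Events'
    'Logoff'                             = 'Logon Events'
    'Account Lockout'                    = 'Logon Events'
    'Special Logon'                      = 'Logon Events'
    'File System'                        = 'Object Access'
    'Registry'                           = 'Object Access'
    'Audit Policy Change'                = 'Policy Change'
    'Authentication Policy Change'       = 'Policy Change'
    'Sensitive Privilege Use'            = 'Privilege Use'
    'Process Creation'                   = 'Process Tracking'
    'Security State Change'              = 'System Events'
    'Security System Extension'          = 'System Events'
    'System Integrity'                   = 'System Events'
}

function Get-AuditPolicyFindings {
    # The "Inclusion Setting" column holds "Success and Failure", "Success",
    # "Failure" or "No Auditing"; anything short of both is flagged for review.
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($r in $rows) {
        $sub = $r.Subcategory
        if (-not $CategoryOf.ContainsKey($sub)) { continue }
        $setting = $r.'Inclusion Setting'
        [pscustomobject]@{
            Category    = $CategoryOf[$sub]
            Subcategory = $sub
            Setting     = $setting
            Status      = if ($setting -eq 'Success and Failure') { 'OK' } else { 'REVIEW' }
        }
    }
}

function Get-EventLogSizingFindings {
    # Assumed floors for this example: the report gives no recommended sizes.
    param([int]$MinSecurityLogMB = 192, [int]$MinOtherLogMB = 32)
    foreach ($log in Get-WinEvent -ListLog Security, System, Application) {
        $mb = [math]::Round($log.MaximumSizeInBytes / 1MB)
        $floor = if ($log.LogName -eq 'Security') { $MinSecurityLogMB } else { $MinOtherLogMB }
        [pscustomobject]@{
            Log       = $log.LogName
            MaxSizeMB = $mb
            LogMode   = $log.LogMode      # Circular logs overwrite the oldest events once full
            Records   = $log.RecordCount
            Status    = if ($mb -ge $floor) { 'OK' } else { 'REVIEW' }
        }
    }
}

Get-AuditPolicyFindings | Sort-Object Category, Subcategory | Format-Table -AutoSize
Get-EventLogSizingFindings | Format-Table -AutoSize
```

REVIEW is deliberately not EXCEPTION: some subcategories (Logoff, Process Creation) are commonly audited for Success only, so the list is a prompt for the reviewer to record a justification, not an automatic finding. If the logs are forwarded to a collector such as the SureCloud product named in the response, the sizing check still matters, because a circular log that fills between collection runs loses events before they are shipped.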

7: Security Options (Priority 3)

Security Options should be reviewed and consideration should be given to adopting the following security configuration settings:
- Restrict CD-ROM access to locally logged-on users only: Enabled;
- Restrict floppy access to locally logged-on users only: Enabled; and
- Unsigned driver installation behaviour: 'Do not allow' or 'Warn but allow installation'.

Appropriately defined registry key settings can assist in the maintenance of a secure operating environment.

Examination of the security configuration options found leading practice requirements to be generally applied and enforced, apart from the following exceptions:
- Restrict CD-ROM access to locally logged-on users only: Disabled;
- Restrict floppy access to locally logged-on users only: Disabled;
- Unsigned driver installation behaviour: Silently succeed; and
- Clear virtual memory page file: Disabled.

Where appropriate restrictions are not enforced on the Windows operating system, there is a risk that the settings identified could allow unauthorised access to system resources.

Management response: The locking out of CD Roms has been reviewed and is enabled due to widespread need to import image and MSOffice files. Risk has been mitigated against installation of unauthorised software through the locking down of PCs via an enforced standard operating environment (SOE) which restricts the installation or activation of unauthorised software. Completed.

8: Use of passwords (Priority 2)

A review should be performed of all accounts whose passwords are set to never expire, and controls implemented so that these passwords are changed in line with good password practice. It is also recommended that accounts which may be allocated a zero-length password by a System Administrator are reviewed, and the password requirements aligned to comply with the Council's password policy.

Requiring the use of passwords that meet leading practice standards enhances the integrity and security of the system. Changing passwords on a regular basis helps to improve security and minimises the risk of unauthorised access.

The security analysis identified that, due to account-level security settings:
- 175 user and 15 administrator accounts are not required to change their password in line with the settings established by the domain policy; and
- 117 users may have their account set to not require a password by an Administrator.

It was also established that the passwords for Councillors' accounts are not set to expire.

Weak password controls can result in loss of accountability for actions performed, and increase the risk of unauthorised, or inappropriate, access to the system and information resources.

Management response: It was demonstrated at the exit meeting that users on the list not requiring passwords did require passwords at login or were refused access. Completed.

9: Redundant and Generic Accounts (Priority 2)

It is recommended that improvements in user account management are made to:
- Remove redundant accounts; and
- Eliminate generic accounts by assigning accounts to named users where possible. Where generic system accounts are required, these should be specifically recorded and approved.

Removing redundant accounts and assigning accounts to specific individuals helps ensure that only the required accounts are retained.

Audit testing of the user list identified a number of generic accounts present on the system: Northgate1 - Northgate8; Public01 - Public03; Soetest1 - Soetest7; Training1 - Training8.

It was also identified that, of the active user accounts:
- 281 user accounts have not logged on in the last 30 days;
- 266 user accounts have not logged on in the last 60 days;
- 257 user accounts have not logged on in the last 90 days;
- 254 user accounts have not logged on in the last 2 years; and
- 254 have never been used, or their last logon date is unknown.

Of the active accounts that have been assigned administrator permissions:
- 34 of the administrator accounts have not logged on in the last 30 days;
- 31 have not logged on in the last 60 days; and
- 30 have never been used, or their last logon date is unknown.

Where user accounts are not reviewed to ensure they are current, there is a risk that a large number of redundant accounts exist on the network. These accounts could be used to obtain access to the network. The use of generic accounts reduces the accountability of user actions, as accountability for the use of the account cannot be established.

Management response: Active accounts will be reviewed as suggested. Deadline 31/03/12.

10: Home directories, scripts and profiles (Priority 2)

Management should consider configuring and implementing standardised account management profiles, and these should be consistently applied for home directories, logon scripts and logon profiles across the domain.

The consistent application of domain policy settings for user accounts, including the use of home directories, logon scripts and logon profiles (which can connect drives to network shares and printers, and run command line utilities such as backups and restores), helps to ensure efficient system administration, management and security.

The security analysis identified that, of the active user accounts defined on the ADTOW02 domain:
- 299 user accounts do not have a home directory;
- 559 user accounts do not have a logon script; and
- 538 user accounts do not have specific logon profiles.

Inconsistent use of home directories, logon scripts and logon profiles can complicate user administration and increases the risk of data being retained inappropriately on local drives, resulting in the potential loss of data and weakened security.

Management response: Active accounts will be reviewed as suggested. Deadline 31/03/12.
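One way to reproduce the account-level figures behind Recommendations 8, 9 and 10 from the directory itself, as an added example that is not part of the report or of SekChek: it queries enabled user accounts with Get-ADUser and buckets them by the same criteria the report used. The function names are this example's own, "administrator" is taken here to mean recursive membership of Domain Admins (an assumption; the report does not define the term), and the generic-name patterns are constructed from the account families the report listed.

```powershell
# Added example: account hygiene review covering Recommendations 8, 9 and 10.
# Requires the ActiveDirectory (RSAT) module. Names and patterns are this
# example's own; the day buckets follow the report's 30/60/90-day and 2-year counts.
Import-Module ActiveDirectory

$Props = 'LastLogonDate', 'PasswordNeverExpires', 'PasswordNotRequired',
         'HomeDirectory', 'ScriptPath', 'ProfilePath', 'whenCreated'

# Constructed patterns for the generic account families the report listed.
$GenericPatterns = '^Northgate\d+$', '^Public\d+$', '^Soetest\d+$', '^Training\d+$'

function Get-AccountHygieneReport {
    param(
        [int[]]$InactiveDays = @(30, 60, 90, 730),
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $users  = @(Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties $Props)
    # Assumption for this example: "administrator" means a member of Domain Admins.
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object SamAccountName)
    $now    = Get-Date

    $summary = [ordered]@{
        'Enabled user accounts'     = $users.Count
        'Password never expires'    = @($users | Where-Object PasswordNeverExpires).Count
        'Password not required'     = @($users | Where-Object PasswordNotRequired).Count
        'No home directory'         = @($users | Where-Object { -not $_.HomeDirectory }).Count
        'No logon script'           = @($users | Where-Object { -not $_.ScriptPath }).Count
        'No profile path'           = @($users | Where-Object { -not $_.ProfilePath }).Count
        'Never logged on / unknown' = @($users | Where-Object { -not $_.LastLogonDate }).Count
        'Generic-looking names'     = @($users | Where-Object {
                                          $sam = $_.SamAccountName
                                          $GenericPatterns | Where-Object { $sam -match $_ } }).Count
    }
    foreach ($d in $InactiveDays) {
        $cutoff = $now.AddDays(-$d)
        # LastLogonDate derives from lastLogonTimestamp, which replicates with up to
        # a 14-day lag, so the short buckets are approximate. Never-logged-on
        # accounts are counted separately above rather than in every bucket.
        $stale = @($users | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff })
        $summary["Inactive > $d days"]       = $stale.Count
        $summary["Admin inactive > $d days"] = @($stale | Where-Object { $admins -contains $_.SamAccountName }).Count
    }
    [pscustomobject]$summary
}

function Export-AccountHygieneDetail {
    # Per-account detail for the follow-up review; returns the path written.
    param([string]$Path = (Join-Path $env:TEMP 'ad-account-review.csv'))
    Get-ADUser -Filter { Enabled -eq $true } -Properties $Props |
        Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires, PasswordNotRequired,
                      @{ n = 'HasHomeDir'; e = { [bool]$_.HomeDirectory } },
                      @{ n = 'HasScript';  e = { [bool]$_.ScriptPath } },
                      @{ n = 'HasProfile'; e = { [bool]$_.ProfilePath } } |
        Export-Csv -Path $Path -NoTypeInformation
    $Path
}

Get-AccountHygieneReport | Format-List
Export-AccountHygieneDetail
```

PasswordNotRequired corresponds to the "may be set to not require a password" condition in Recommendation 8: the flag does not mean the account currently has an empty password, only that the domain policy's minimum length is not enforced for it, which is exactly what the management response tested at the exit meeting.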

11: Rights and Privileges (Priority 3)

A review of the currently assigned rights and privileges should be performed, and rights that should not be granted to anyone should be permitted only where needed for the operation and maintenance of the Active Directory.

Restricting powerful system rights and privileges helps to ensure that users do not have excessive rights over system processes.

Examination of the rights and privileges assigned to users on the ADTOW02 domain identified that, while the following rights and permissions that should not have been granted to anyone were assigned to service accounts, they were also assigned to a small number of named administrator accounts:
- Three user accounts have the right to 'Act as part of the operating system';
- Fifty-six user accounts have the right to 'Adjust memory quotas for a process';
- Two user accounts have the right to 'Create a token object';
- One user account has the right to 'Lock pages in memory';
- Eleven user accounts have the right to 'Log on as a batch job';
- Three user accounts have the right to 'Log on as a service'; and
- Four user accounts have the right to 'Replace a process-level token'.

Where powerful system rights that should be granted to 'no one' are assigned and available to users, there is an increased risk to the security, stability and integrity of the system.

Management response: The list of privileged accounts will be reviewed as suggested. Deadline 31/03/12.
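The seven rights above can be enumerated on the domain controller without a third-party extract, as in this added PowerShell example (not part of the report): secedit exports the machine's effective user rights assignment as an INI file whose [Privilege Rights] section lists each right's holders, and the script maps the constant names to the display names the report uses. The function names and the temporary file path are this example's own.

```powershell
# Added example: list holders of the seven sensitive user rights named in
# Recommendation 11, taken from the machine's effective policy via secedit.
# Run elevated on the domain controller; names here are this example's own.
$RightNames = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
}

function Resolve-Holder {
    param([string]$Holder)
    # secedit writes SIDs prefixed with '*'; translate them to account names where
    # possible and leave unresolvable ones (e.g. deleted accounts) as raw SIDs.
    if ($Holder -notlike '*S-1-*') { return $Holder }
    $sid = $Holder.TrimStart('*')
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

function Get-SensitiveRightAssignments {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    $inRights = $false
    foreach ($line in $lines) {
        # Section headers look like [Privilege Rights]; entries like SeTcbPrivilege = *S-1-5-18,Domain\svc
        if ($line -match '^\[(.+)\]\s*$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inRights -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right, $holders = $Matches[1], $Matches[2]
        if (-not $RightNames.ContainsKey($right)) { continue }
        foreach ($h in ($holders -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            [pscustomobject]@{
                Right    = $RightNames[$right]
                Constant = $right
                Holder   = Resolve-Holder $h
            }
        }
    }
}

$assignments = Get-SensitiveRightAssignments
# Counts per right, comparable with the figures quoted in the report.
$assignments | Group-Object Right | Select-Object Name, Count | Format-Table -AutoSize
# Full list, for separating expected service identities from named administrators.
$assignments | Sort-Object Right, Holder | Format-Table -AutoSize
```

Two caveats when comparing with the report's figures: secedit lists direct holders, so a group entry has to be expanded (for example with Get-ADGroupMember -Recursive) to obtain a per-user count; and on a domain controller the exported values are those applied by the Default Domain Controllers Policy and any other linked GPOs, so a right that reappears after removal should be traced back to the GPO that grants it rather than edited locally.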

12: Discretionary Access Controls (DACLs) (Priority 2)

The Discretionary Access Control Lists (DACLs) should be reviewed to ensure they are valid and current and that the permissions granted through them are appropriate. Management should ensure that the granting of permissions through the DACL process is monitored, to help ensure that the number of these controls remains controlled.

Reviewing the access control lists and the permissions granted will help ensure that the DACLs and the user permissions are current, valid and in line with users' responsibilities. A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. The DACL is a protective measure to add, improve and ensure security. It is also an authorisation restriction mechanism used to identify the users and groups that are assigned or denied access permissions on an object, and DACLs are therefore important components of workstation and server security.

The security extract identified 29,959 DACLs defined on the following classes of container objects:
- Containers: 29,853 DACLs;
- Domains: 56 DACLs;
- Organizational Units: UNKNOWN; and
- Sites: 50 DACLs.

Permissions for 14,515 of these are inherited from the parent object.

Unless the allocation of resources through DACLs is restricted, there is a risk that local access controls overwrite or conflict with the current domain accounts policy. This creates additional requirements to maintain effective security over the system.

Management response: The DACL list will be reviewed as suggested. Deadline 31/03/12.
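As an added example (not part of the report or of SekChek), the following PowerShell produces the same kind of breakdown directly from the directory: it walks the domain head, containers, organizational units and sites, reads each object's DACL through the AD: drive that the ActiveDirectory module provides, and separates inherited entries from explicit ones. Counting one DACL per object and flagging explicit Allow entries that carry GenericAll, WriteDacl or WriteOwner is this example's own choice of what to surface for review.

```powershell
# Added example: per-class DACL summary for Recommendation 12. Requires the
# ActiveDirectory module (which registers the AD: drive used by Get-Acl) and
# read access to the domain and configuration partitions.
Import-Module ActiveDirectory

# Rights that, when granted explicitly rather than inherited, let the trustee
# change the object's security and so merit individual review.
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Get-ADContainerDaclSummary {
    $domainDN = (Get-ADDomain).DistinguishedName
    $configDN = (Get-ADRootDSE).configurationNamingContext

    # Same object classes as the report's breakdown; sites live in the configuration partition.
    $targets = @(
        @{ Class = 'domainDNS';          Base = $domainDN }
        @{ Class = 'container';          Base = $domainDN }
        @{ Class = 'organizationalUnit'; Base = $domainDN }
        @{ Class = 'site';               Base = $configDN }
    )

    foreach ($t in $targets) {
        $objects = @(Get-ADObject -LDAPFilter "(objectClass=$($t.Class))" -SearchBase $t.Base)
        $aces = 0; $inherited = 0; $explicitControl = @()
        foreach ($o in $objects) {
            $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
            foreach ($ace in $acl.Access) {
                $aces++
                if ($ace.IsInherited) { $inherited++; continue }
                $rights = $ace.ActiveDirectoryRights.ToString()
                if ($ace.AccessControlType -eq 'Allow' -and
                    ($ControlRights | Where-Object { $rights -match $_ })) {
                    $explicitControl += [pscustomobject]@{
                        Object  = $o.DistinguishedName
                        Trustee = $ace.IdentityReference.Value
                        Rights  = $rights
                    }
                }
            }
        }
        [pscustomobject]@{
            Class                 = $t.Class
            DACLs                 = $objects.Count     # one DACL per object
            ACEs                  = $aces
            InheritedACEs         = $inherited
            ExplicitControlGrants = $explicitControl
        }
    }
}

$summary = Get-ADContainerDaclSummary
$summary | Select-Object Class, DACLs, ACEs, InheritedACEs | Format-Table -AutoSize
$summary.ExplicitControlGrants | Sort-Object Trustee | Format-Table -AutoSize
```

The explicit-grant list is the part worth reading line by line: inherited entries come from the parent's DACL and are reviewed once there, whereas an explicit GenericAll or WriteDacl on a single OU is the kind of "local access control" the report warns can conflict with domain-level policy. Distinguished names containing characters such as '/' need escaping before being used as an AD: path, which this example does not handle.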

13: Remote Access Service (Priority 3)

Recommendation: A review of the accounts with Remote Access Service (RAS) dial-in privileges should be undertaken. Where possible, accounts with RAS should have dial-back enabled to provide additional control over system access.

Rationale: RAS allows users to access servers remotely. Best practice requires that RAS settings on all RAS servers are reviewed on a regular basis.

Findings: The analysis identified 47 accounts that can access the system via RAS, none of which are called back. Five of these accounts have Administrator permissions.

Risk: RAS increases the risk of unauthorised access to the Council's systems, because the remote access it provides allows remote users to access the system. Unless effective controls are established, there is a risk that unauthorised users may obtain access to the system through poorly configured remote access controls.

Management response: The Council's RAS meets current standards set by GCSX Government Code of Connection 4.1 (highest level). This standard requires an annual review as suggested in this recommendation. Completed.
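The account-level part of the review in recommendation 13 (who may dial in, whether callback is configured, and which of those accounts are administrators) can be listed from the directory with the script below. It is an added example, not the Council's or the auditors' procedure, and assumes the ActiveDirectory (RSAT) module; the set of groups treated as administrative is an assumption that should be adjusted to the domain under review.

```powershell
# Added example (not from the audit report): list enabled accounts permitted to
# dial in, whether a callback number is configured for each, and whether the
# account also holds administrative group membership (finding 13).
Import-Module ActiveDirectory

# Administrative groups, resolved recursively so nested membership is caught (assumed list).
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Server Operators'
$adminSet = @{}
foreach ($g in $adminGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $adminSet[$_.SamAccountName] = $true }
    } catch { }   # group not present in this domain (e.g. Enterprise Admins outside the forest root)
}

# msNPAllowDialin=TRUE is 'Allow access' on the account's Dial-in tab. The userAccountControl
# clause excludes disabled accounts (bit 0x2). msRADIUSCallbackNumber is populated when
# 'Always Callback to' is set; msNPCallingStationID when 'Verify Caller-ID' is set.
$dialIn = Get-ADUser -LDAPFilter '(&(msNPAllowDialin=TRUE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
                     -Properties msRADIUSCallbackNumber, msNPCallingStationID

$report = foreach ($u in $dialIn) {
    [pscustomobject]@{
        Account        = $u.SamAccountName
        CallbackNumber = $u.msRADIUSCallbackNumber
        CallerIdCheck  = $u.msNPCallingStationID
        IsAdmin        = $adminSet.ContainsKey($u.SamAccountName)
    }
}

$noCallback = @($report | Where-Object { -not $_.CallbackNumber })
$admins     = @($report | Where-Object IsAdmin)
"{0} enabled dial-in accounts; {1} without callback; {2} with administrative membership" -f `
    @($report).Count, $noCallback.Count, $admins.Count
$report | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Accounts whose Dial-in tab is set to 'Control access through NPS Network Policy' have no msNPAllowDialin value and are not returned by this query, yet may still be granted access by a network policy on the RAS/NPS server, so the server-side policies have to be reviewed alongside this list to get the full picture.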

14: Services and Drivers (Priority 2)

Recommendation: It is recommended that a review of the services and drivers installed on the network is undertaken to confirm that:
- Only essential devices are running;
- The configuration and security settings are appropriate;
- Service executables are in secure directories; and
- Devices with known vulnerabilities are not installed.

Rationale: A review of services and drivers provides assurance that only valid services are enabled and appropriately configured, minimising the security exposure of the network and the server.

Findings: The security analysis identified a total of 321 installed services, of which 157 are running. Anti-virus software was not detected on the machine when the security analysis was run. Evidence provided at the exit meeting showed that Management had subsequently installed it following our audit work.

Risk: Inappropriate or unnecessary services and drivers that are installed can create security risks and provide potential access paths or tools to intruders.

Management response: Agreed and already completed.
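The service inventory behind finding 14 (installed against running services) and its 'service executables are in secure directories' point can be checked with the script below. It is an added example and not the security analysis tool the auditors ran: it reads Win32_Service, extracts each service's executable path, and flags executables whose directory grants write, modify or full control to a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER. That trusted-writer list and the elevated session on the server under review are assumptions.

```powershell
# Added example (not from the audit report): inventory services and flag service
# executables that sit in directories writable by non-administrative principals.
# Run in an elevated session on the server being reviewed.

$trustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-ServiceExecutable([string]$pathName) {
    # PathName may be quoted and carry arguments, e.g. "C:\Program Files\x\svc.exe" -k name
    if ([string]::IsNullOrWhiteSpace($pathName)) { return $null }
    if ($pathName -match '^"([^"]+)"') { return $matches[1] }
    # Unquoted: take the leading token. An unquoted path containing spaces is itself worth noting.
    return ($pathName -split ' ')[0]
}

function Get-WeakWriters([string]$directory) {
    # Principals with write/modify/full control on the directory that are not in the trusted list.
    $weak = @()
    foreach ($ace in (Get-Acl -LiteralPath $directory).Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            ($rights -band $writeMask) -ne 0 -and
            $trustedWriters -notcontains $ace.IdentityReference.Value) {
            $weak += $ace.IdentityReference.Value
        }
    }
    return ($weak | Sort-Object -Unique)
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe     = Get-ServiceExecutable $svc.PathName
    $writers = @()
    if ($exe) {
        $dir = Split-Path -Path $exe -Parent
        if ($dir -and (Test-Path -LiteralPath $dir)) { $writers = Get-WeakWriters $dir }
    }
    [pscustomobject]@{
        Name       = $svc.Name
        State      = $svc.State
        StartMode  = $svc.StartMode
        RunAs      = $svc.StartName
        Executable = $exe
        WritableBy = ($writers -join '; ')
    }
}

"{0} services installed, {1} running" -f @($report).Count, @($report | Where-Object State -eq 'Running').Count
$report | Where-Object WritableBy | Format-Table Name, State, RunAs, Executable, WritableBy -AutoSize -Wrap
```

Win32_Service covers Win32 services only; kernel-mode drivers, which the recommendation also names, are listed by Win32_SystemDriver and can be fed through the same two functions. Generic access bits on an ACE are not mapped to the specific Write/Modify bits here, so an entry granting only generic rights would be missed; in practice such entries on program directories are rare and usually inherit-only.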

15: Trusting and Trusted Domains (Priority 2)

Recommendation: It is recommended that the Council ensures that the level of security applied to domains trusted by the ADT0W02 domain is checked, to confirm that the level of security applied to trusted domains remains appropriate and does not compromise security.

Rationale: Establishing and monitoring compliance with clearly defined security standards, using appropriate tools, for any trusted domain ensures that the security and integrity of trusted domains is equal to or above the corporate security standards. This will help ensure that security is not compromised by insecure controls in trusted environments.

Findings: The security analysis identified that the ADT0W02 domain has a trust relationship with the Cherwell domain, and that this is both a trusted and a trusting relationship. Security on the domain analysed is dependent on the quality of security (particularly user authentication controls) on the trusted domain, as the 1258 accounts from the trusted domain are members of local groups, including the Administrators group, and will generally acquire the privileges of the local groups they belong to.

Risk: If periodic due diligence assessments (to confirm that effective security standards are complied with) are not carried out, there is an increased risk that weak security standards applied in trusted domains could undermine security on the ADT0W02 domain.

Management response: Due diligence work will be undertaken as recommended. Deadline 31/03/12.
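The exposure described in finding 15, accounts from a trusted domain holding membership of local groups including Administrators, is visible in the directory through foreignSecurityPrincipal objects. The script below is an added example (not the auditors' security analysis) that lists the trust relationships with their direction and SID-filtering and selective-authentication settings, then lists every trusted-domain principal's group memberships here and marks those in administrative groups. The ActiveDirectory (RSAT) module is assumed, as is the list of groups treated as administrative.

```powershell
# Added example (not from the audit report): inventory trusts and the group
# memberships held in this domain by principals from trusted domains (finding 15).
Import-Module ActiveDirectory

# Trust inventory. SIDFilteringQuarantined=True means SID history from the trusted domain is
# filtered; SelectiveAuthentication=True means trusted users must be explicitly allowed to
# authenticate to each resource instead of authenticating anywhere in the trusting domain.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# Groups treated as administrative for this review (assumed list).
$adminGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators',
               'Server Operators', 'Backup Operators', 'Print Operators'

# Each principal from a trusted domain that has been added to a group here gets a
# foreignSecurityPrincipal placeholder object whose objectSid is the foreign SID.
$fsps = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf, objectSid
$report = foreach ($fsp in $fsps) {
    # Well-known SIDs (Authenticated Users, Interactive, ...) also live in the FSP container;
    # only S-1-5-21-* SIDs identify accounts and groups from a trusted domain.
    if ($fsp.objectSid.Value -notlike 'S-1-5-21-*') { continue }
    $name = $fsp.objectSid.Value
    try { $name = $fsp.objectSid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    foreach ($groupDn in $fsp.memberOf) {
        $group = Get-ADGroup -Identity $groupDn
        [pscustomobject]@{
            ForeignPrincipal = $name
            Group            = $group.Name
            GroupScope       = $group.GroupScope
            AdminGroup       = ($adminGroups -contains $group.Name)
        }
    }
}

"{0} memberships held by principals from trusted domains, {1} in administrative groups" -f `
    @($report).Count, @($report | Where-Object AdminGroup).Count
$report | Sort-Object @{ Expression = 'AdminGroup'; Descending = $true }, Group | Format-Table -AutoSize
```

A ForeignPrincipal that remains an unresolved SID either belongs to a trust that is no longer reachable or to an account deleted on the trusted side; both are candidates for removal. Where the trusted domain adds an FSP to a group of its own rather than to the principal directly, the membership appears once for the foreign group, so the 1258-account figure in the finding would need the foreign group expanded on the Cherwell side.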

Appendix A Reporting definitions

Audit assessment
In order to provide management with an assessment of the adequacy and effectiveness of their systems of internal control, the following definitions are used:

Level: Full
  Design of Controls: There is a sound system of internal control designed to achieve the system objectives.
  Operation of Controls: The controls are being consistently applied.

Level: Substantial
  Design of Controls: Whilst there is a basically sound system of internal control design, there are weaknesses in design which may place some of the system objectives at risk.
  Operation of Controls: There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Level: Limited
  Design of Controls: Weaknesses in the system of internal control design are such as to put the system objectives at risk.
  Operation of Controls: The level of non-compliance puts the system objectives at risk.

Level: Nil
  Design of Controls: Control is generally weak, leaving the system open to significant error or abuse.
  Operation of Controls: Significant non-compliance with basic controls leaves the system open to error or abuse.

The assessment gradings provided here are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board, and as such the grading of Full does not imply that there are no risks to the stated control objectives.

Grading of recommendations
In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows:

Priority 1: Recommendations which are fundamental to the system and upon which the organisation should take immediate action.
Priority 2: Recommendations which, although not fundamental to the system, provide scope for improvements to be made.
Priority 3: Recommendations concerning issues which are considered to be of a minor nature, but which nevertheless need to be addressed.
System Improvement Opportunity: Issues concerning potential opportunities for management to improve the operational efficiency and/or effectiveness of the system.

Appendix B Staff interviewed

The following personnel were consulted:
Mike Shaw -
Tim Bartlett - Information Systems Team
Daniel Clifton - Capita

We would like to thank the staff involved for their co-operation during the audit.

Appendix C Summary of Domain Accounts Policy Values

[Chart: each policy value below is plotted against Least Secure, Industry Average and Leading Practice benchmarks; the plotted values are not reproduced in this extract.]

Minimum Password Length***
Effective Minimum Password Length***
Maximum Password Age***
Minimum Password Age*
Password History Size**
Password Complexity**
Reversible Password Encryption**
Lockout Duration**
Lockout Threshold**
Reset Lockout Counter**
Force Logoff When Logon Time Expires*
Allow Lockout of Local Administrator Account*
Disable Password Changes for Machine Accounts*

Appendix D Summary of Domain Controller Audit Policy Settings

[Chart: each audit policy setting below is plotted against Least Secure, Industry Average and Leading Practice benchmarks; the plotted values are not reproduced in this extract.]

Audit Account Logon Events*
Audit Account Management**
Audit Directory Service Access*
Audit Logon Events*
Audit Object Access**
Audit Policy Change**
Audit Privilege Use*
Audit Process Tracking*
Audit System Events*

Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards the security of your system, i.e. Policy Values followed by three asterisks (***) are considered more important, and to have a greater impact on security, than those followed by one asterisk (*).

Appendix E Statement of responsibility

We take responsibility for this report, which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management, and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas identified by management as being of greatest risk and significance, and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.
Deloitte & Touche Public Sector Internal Audit Limited
London
September 2011

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No 4585162. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited