Chapter: 01
Introduction
The Firming industry is now highly dependent on Information Technology for its daily work.
Information Technology has become the heart of the Firming sector. All accounting transactions of
a Firm are processed through Information Technology, which creates high risk for the Firm. To
minimize this risk a Firm needs to develop an internal audit department for auditing its IT-based
business processes, and that department needs to develop procedures and guidelines for its
internal auditors. Information system auditing is a new type of auditing for a Firm, different
from financial auditing. As a Firmer I therefore decided to do my Masters project in this new
field of Information System auditing for a Firm.
I am a regular staff member of IMRUL SADAT Firm Limited. The main objective of the report is to
conduct Information System auditing on various departments and work stations of IMRUL SADAT
Firm Limited. Attention is therefore geared toward the following specific objectives.
c) Advise Firm management, on the basis of the audit observations, regarding its risk issues
1.2 Information System (IS) Auditing
An information system audit checks the Information System and Network of an organization to
assess whether the information system and network infrastructure are capable of providing
security for the total system. An Information System audit is conducted by the internal or
external audit team of the Firm. It tries to find security holes which may be the cause of
fraudulent activity. Various auditing standards have been developed, e.g. the Bangladesh Firm
ICT guideline.
IT audit is different from financial audit. A financial audit checks whether standard accounting
practice is followed or not, whereas an information system audit finds information system
threats. Information is the most valuable asset of a Firm. The information system auditor
evaluates the system and thus guards the organization's information.
1. Availability: Checking whether the Firm's computer system is available for the business all
the time or not.
4. Information asset risk: Assessing the information asset risk of the Firm and finding methods
to minimize the risk.
1. Information System Auditing finds threats in ICT operation and advises the Firm on minimizing
the threats.
2. Information system auditing is necessary to comply with the Bangladesh Firm ICT guideline.
3. Information system auditing increases the effectiveness and efficiency of ICT operations.
3. Observations
IMRUL SADAT Firm Ltd is a private commercial Firm operating since 1995. It is a work station
Firm. It is one of the leading Firms of the country based on accounting principles. It now has
129 work stations and two subsidiary companies, Securities Ltd and Investment Ltd. It
introduced online Firming and real-time Firming solutions for its clients. As an employee of
IMRUL SADAT Firm Ltd I decided to do this project on this Firm. I performed the IT audit from
01/06/2017 to 29/06/2017 in the Principal Work station of IMRUL SADAT Firm Limited, where I
am also a regular employee. I also visited the head office and data centre several times for
audit purposes.
1.4 Category of ICT operation of IMRUL SADAT Firm Ltd
Depending on ICT operation there are two types of Firm in our country, as follows.
Centralized ICT operation manages business applications through a Data Center (DC). The DC
continuously backs up data. All work stations and booths are connected through WAN.
Decentralized ICT operation manages distributed business applications through WAN. The ICT
operation of IMRUL SADAT Firm Ltd is centralized.
Both primary and secondary data have been collected. I gathered primary data by personal
interviews of the employees of the Firm. Mainly I discussed with them verbally and collected
information from them. I also used the database, official manuals and several books. For
preparing the report smoothly and accurately I used both primary and secondary data.
Primary sources:
Secondary sources:
Manual documents and previous audit reports.
The analysis of the overall IT activities of the Firm is not easy, so the report was completed
under the following limitations:
The Firm's IT systems are highly sensitive, and without permission from the concerned authority
the auditing operation cannot be performed.
An audit report is a confidential report for an organization and is not an open report.
Due to time restrictions, the report is concentrated in selected areas only.
Chapter: 02
ICT Security Management ensures that the ICT functions and operations are efficiently and
effectively managed. A Firm needs to make its own policy and guidelines, internal and external
audit teams, and training to manage ICT security. A standard audit policy is necessary for a
Firm; it guides the auditors and employees of the Firm to follow the rules. ICT is a fast
progressing and changing field, so the documentation regarding ICT security management needs to
change periodically.
A Firm needs to have a policy statement, fixed standards and procedures for IT auditing, which
need to be updated periodically. I checked the Firm's policy and auditing procedures and found
the following audit objections.
1. IMRUL SADAT Firm Ltd has an 'ICT Security Policy' which is approved by the board. The
policy requires regular updates to deal with changes in the ICT environment, but the policy has
not been updated for more than a year.
2. No separate ICT security professional is employed in a separate ICT security department. The
Firm's IT department is currently responsible for providing IT security. A separate ICT security
department must be established as per the Bangladesh Firm guideline.
2.2 Documentation
The head office audit division, IT division as well as its work stations need to have the
necessary documentation.
1. IMRUL SADAT Firm Ltd has an organogram for the ICT department, but it is not updated and
recent changes are not reflected in it. It is advised to update the organogram.
2. During the audit no ICT support unit/section/personnel was found in the Principal Work
station organogram.
3. In the Principal Work station a power user supports IT operation within the work station but
has no approved job description.
4. In the IT division as well as in the Principal work station one employee performs multiple
ICT tasks, so a clear segregation of tasks is necessary.
5. Detailed design documents for all ICT systems/services (e.g. Data Center design, Network
design, Power Layout for Data Center, etc.) are not found in one place. All design and layout
plans must be kept in one place under a responsible person.
6. There is a prescheduled roster for sensitive ICT tasks (e.g. Network Monitoring, Security
Guard for Data Center, ATM Monitoring, etc.), but it is not maintained strictly; some employees
were found not following the prescheduled roster.
7. Updated "Operating Procedures" for all ICT functional activities are not maintained (e.g.
Backup Management, Database Management, Network Management).
8. Approved requisition forms for some ICT operations (like user closure, change of user name)
were not found.
1. Internal Information System (IS) audits are carried out by the Internal Audit Department of
the Firm, but the auditors do not have sufficient skill, education and certification to perform
IS audit. There is no CISA certified auditor; CISA certification is now the benchmark
qualification in this regard. Internal IS audits are conducted by personnel without sufficient
IS audit expertise and skills. Engagement of certified IS auditors having adequate audit
experience in this area is advised.
3. Internal Information System audits are done periodically, at least once a year. The report is
preserved for regulators as and when required. IMRUL SADAT Firm Ltd audit issues are properly
tracked and completely recorded, but not followed up and rectified properly. In the Principal
work station I found that some of last year's objections are not rectified yet. So it is advised
to rectify previous audit objections immediately.
2.4 External Information System Audit
As per the Bangladesh Firm ICT guideline, an external auditor for information system auditing
must be engaged along with the internal audit team of the Firm. An expert external system
auditor may sometimes perform a more detailed and in-depth audit than the internal audit. The
following is the audit objection regarding External Information System Auditing.
1. IMRUL SADAT Firm Ltd is not engaging external auditor(s) for its information systems auditing
in line with its regular financial and internal audit. It is advised to engage an external
auditor.
A standard certificate is necessary to bring ICT activity and infrastructure up to industry
standard. Audit observations regarding standard certification are given below.
1. Industry standard certification, e.g. ISO certification related to Information System
Security, Quality of ICT Service Delivery, Business Continuity Management, Payment Card Data
Security, etc., is not obtained.
1. All IT relevant personnel are not getting proper training, education, updates and awareness
of the ICT security activities relevant to their job function.
2. Not all IMRUL SADAT Firm Ltd ICT personnel have Foundation Training.
2.7 Insurance
ICT assets must be insured to provide protection from financial loss if something catastrophic
happens to the business. The audit observation regarding insurance is given below.
1. Not all ICT assets are covered by insurance. Adequate insurance coverage or a risk coverage
fund is necessary.
Chapter: 03
ICT Infrastructure includes all data, applications, databases, operating systems and networks.
Various forms of attack may hit ICT Infrastructure in many ways. An IS auditor regularly checks
the various components of the ICT infrastructure and checks for lack of compliance.
2. Each ICT asset is not assigned to a custodian (an individual or entity) who will be
responsible for the development, maintenance, usage, security and integrity of that asset.
3. All ICT assets are not identified and labeled. There is no classification in the labeling.
4. The ICT asset inventory does not state significant details (e.g. owner, custodian, purchase
date, location, license number, configuration, etc.). It is advised to maintain the inventory
with the details mentioned.
6. Information system assets must be adequately protected from unauthorized access, misuse or
fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
7. There is no Disposal Policy for information system asset protection. Data in storage media
is not destroyed before disposal.
8. Portable devices (pen drives, portable hard disks) are used without prior permission from
the authority.
9. Some software used by employees is not licensed. It is advised not to use any software that
has not been legally purchased or otherwise legitimately obtained.
10. There is no approved list of software which alone may be used on any computer. It is advised
to make an approved list of software immediately.
11. At work station level some unauthorized or pirated software is used, which must strictly be
prohibited throughout the Firm.
The user's desktop is always subject to attack, so the IS auditor needs to audit all desktops. I
conducted the audit and found the following audit findings.
1. Desktop computers are found connected to UPS to prevent damage to data and hardware. Some
UPS batteries are found damaged. It is advised to check UPS batteries periodically.
4. Laptops, computer media and any other forms of removable storage containing sensitive
information (e.g. CD ROMs, Zip disks, PDAs, flash drives, external hard drives) are not stored
in a secured location or locked cabinet when not in use.
6. Other information storage media containing confidential data, such as paper, files, tapes,
etc., are found not stored in a secured location or locked cabinet when not in use.
7. At work station level some individual users install or download software applications
without prior authorization.
Server/network room/rack controls are always subject to attack and therefore require auditing.
The following are the audit findings.
1. The server/network room/rack is a glass enclosure but is not locked, and no assigned
responsible person is found.
2. Physical access is found restricted and a visitors' logbook exists, but it is not maintained
properly. Some employees enter the server room without entering their name in the entry
register.
4. There is no provision to replace the server and network devices within the shortest possible
time in case of any disaster.
3.4 Networks Security Management
1. No written documentation on baseline standards is found to ensure security for Operating
Systems, Databases, Network equipment and portable devices, which shall meet the organization's
policy.
2. Regular enforcement standards are not applied uniformly, and non-compliances are detected
and raised for investigation.
3. All types of cables, including UTP, fiber and power, shall have proper labeling for further
corrective or preventive maintenance work, but most cables were found not labeled.
4. Mechanisms are found in place to encrypt and decrypt sensitive data travelling through WAN
or public networks, but the mechanism needs to be followed up and updated.
5. Network security devices, such as firewalls to protect the network perimeters, are
installed, but they are not monitored periodically.
6. Rules on network security devices are not checked on a regular basis to determine that such
rules are appropriate and relevant.
7. Not all unused ports of access switches are shut off.
3.5 Cryptography
Following are the audit objections regarding malicious code protection or virus protection.
3. The anti-virus package is found up to date with the latest virus definition file, using an
automated and timely process.
4. Not all computers in the network are getting updated anti-virus signatures automatically
from the server.
5. Virus auto-protection mode is not enabled on some computers to screen disks, tapes, CDs or
other media for viruses.
6. An awareness program for end users about computer viruses and their prevention mechanisms
is not complied with.
Internet access within the Firm must be under close supervision and must be routed through a
secure gateway. The audit objections regarding internet use are given below.
1. Internet access is not provided to employees according to the approved Internet Access
Policy. Some employees are using the internet without approval. The internet must be used only
for official work and it must be monitored.
2. Access to the internet from Firm premises must not compromise the information security of
the Firm. Some employees use the internet for personal purposes on office premises, hampering
the information security of the Firm.
3. Access to the Internet from Firm premises and systems is routed through secure gateways, but
the gateway is not monitored and not checked on a regular basis.
4. Use of locally attached modems with the Firm's systems in order to establish a connection
with the Internet or any third-party or public network via broadband, ISDN or PSTN services is
prohibited unless specifically approved. A circular in this regard must be forwarded to all
work stations.
1. The email system is not used according to the Firm's policy. Employees are found sending
personal email using the Firm's email system. An employee found to have violated this policy
may be subject to disciplinary action.
2. Email shall not be used to communicate confidential information to external parties unless
encrypted using approved encryption facilities. Work station level employees are found unaware
of the encryption facilities; training in this regard is necessary.
3. Employees' email is not checked on a regular basis. Information transmitted by email must
not be defamatory or abusive such that it damages the reputation of the Firm. The willful
transmission of any such material is likely to result in disciplinary action. The concerned
department shall perform regular review and monitoring of email services.
Vulnerability assessment (VA) is the process of identifying, assessing and discovering security
vulnerabilities in a system. Audit objections regarding Vulnerability Assessment and
Penetration Testing are given below.
2. After vulnerability assessment and penetration testing, a process to remedy issues is not
identified and gaps are not addressed. No documentation on previous VA is found.
A patch is an updated piece of code designed to update a piece of software. Audit objections
regarding patch management are given below.
1. The Firm needs to establish and ensure that the patch management procedures include
identification, categorization and prioritization of security patches. There is no patch
management team to implement security patches in a timely manner.
2. Testing of security patches before deployment into the production environment is not done.
1. Security logs of systems, applications and network devices are not regularly reviewed for
anomalies. Logs are found protected and retained for a defined period to facilitate future
investigation.
Chapter: 04
As the data center is the heart of an information system, including the standard disaster
recovery site, its security is very important both physically and environmentally. Violating
proper security measures may cause a huge loss of data, including business interruption. In a
critical situation a Firm may go out of business due to data loss; permanent loss of data will
close a Firming business forever. So the guidelines to protect our data center and disaster
recovery site must be followed.
Physical security plays an important role in the data center. Physical access to the data
centre is restricted to selected persons. The data centre has some physical security audit
observations, which are given below.
1. Physical security is found applied to the information processing area or Data Center. The DC
is a restricted area and unauthorized access is found strictly prohibited, but no responsible
officer is found to restrict unauthorized access.
2. Access to the DC is not granted on a need-to-have basis. Physical access of staff to the DC
is not revoked immediately when it is no longer required.
3. Vendors must take written permission at all times and must be accompanied by an authorized
employee when granted access to the DC. Vendors visited the DC many times but no written
permission is found.
4. An access authorization list is not maintained and reviewed periodically for the persons
authorized to access the Data Center.
5. The Firm employs physical, human and procedural controls for 24 hours, such as the use of
security guards, a card access system and a surveillance system. Some points in the DC are not
covered by the surveillance system.
3. The layout design of the Data Center, including power supply and network connectivity, is
not properly documented.
4. A fully functioning development and test environment is not available. It is advised to
separate the development and test environment from production.
5. Some powered-off and unused router devices are found in the DC. Any accessories or devices
not associated with the Data Center, and powered-off devices, shall not be allowed to be stored
in the Data Center. A separate store room is in place to keep all sorts of unused and redundant
IT equipment.
6. Closed Circuit Television (CCTV) cameras are found installed, but the CCTV coverage is not
sufficient for monitoring all sides. It is advised to increase the number of CCTV cameras.
7. The sign "No eating, drinking or smoking" is not found on display.
8. Dedicated office vehicles for emergencies are not available on-site. It is advised to avoid
using public transport while carrying critical equipment outside the Firm's premises, to avoid
the risk of any casualty.
The data centre must be fire protected. The IS auditor needs to audit various issues regarding
fire prevention. Audit observations regarding fire protection of the data centre are given
below.
1. The walls, ceiling and door of the Data Center are not all fire-resistant.
3. An automatic fire/smoke alarm system is found installed but not tested periodically.
5. Some data cables in the Data Center are not found concealed.
Access control provides assurance that data and applications are protected against attack. Data
access covers authorizing someone to access data, change data, access the system, and
privileged user activity. Data access distinguishes administrators from users; for example, an
admin may be able to remove data but a general user may not. The Firm must grant access rights
and system privileges based on job responsibility. It must be checked that no person is using
his own rank and position to access confidential data, applications or system resources. There
are two types of control:
1. Physical Control
2. Logical Control
Keeping computers in a safe place provides physical control, whereas a software program to
detect unauthorized access provides logical control.
1. Each user must have a unique User ID and a valid password. At work station level one user ID
and password is shared by a group; in particular the work station admin password is shared.
2. User ID Maintenance forms with access privileges are found not duly approved by the
appropriate authority. Sometimes they are approved by junior staff of the IT division.
3. User access privileges are not kept updated for job status changes.
4. User access privileges are not regularly reviewed to verify that privileges are granted
appropriately.
1. Password definition parameters shall ensure that the minimum password length is maintained
according to the Firm's Policy (at least 6 characters).
2. Passwords are not found to be a combination of at least three of the stated criteria:
uppercase, lowercase, special characters and numbers.
3. The maximum validity period of a password shall not be beyond the number of days permitted
in the Firm's Policy (maximum 30 days cycle).
4. The parameter to control the maximum number of invalid logon attempts is found specified
properly in the system according to the Firm's Policy (maximum 3 consecutive times).
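The four password parameters above can be turned into a repeatable audit check. The following is an added example written for this report, not code from the Firm's system; the policy values (6 characters, three of four character classes, 30-day cycle, 3 consecutive invalid logons) come from the observations, while the function names, the account record layout and the sample accounts are assumptions constructed here.

```python
"""Password parameter checks mirroring the Firm's stated policy (added example)."""
from datetime import date, timedelta
import string

MIN_LENGTH = 6          # policy: at least 6 characters
MIN_CLASSES = 3         # policy: at least three of the four classes below
MAX_AGE_DAYS = 30       # policy: maximum 30-day password cycle
MAX_FAILED_LOGONS = 3   # policy: lock after 3 consecutive invalid attempts
AUDIT_DATE = date(2017, 6, 29)  # last day of the audit period in the report


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def password_findings(password: str) -> list:
    """List the policy rules a proposed password violates (empty = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} < {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        findings.append(f"only {len(classes)} of 4 character classes used")
    return findings


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the 30-day cycle allows."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def review_accounts(accounts: list, today: date) -> dict:
    """Audit account records (assumed layout: user, last_changed, failed_logons,
    locked) against the policy; returns user -> findings for non-compliant ones."""
    report = {}
    for acct in accounts:
        problems = []
        if password_expired(acct["last_changed"], today):
            age = (today - acct["last_changed"]).days
            problems.append(f"password age {age} days exceeds {MAX_AGE_DAYS}")
        if acct["failed_logons"] >= MAX_FAILED_LOGONS and not acct.get("locked"):
            problems.append("3 consecutive invalid logons but account not locked")
        if problems:
            report[acct["user"]] = problems
    return report


# Constructed sample accounts (not taken from the Firm's systems).
SAMPLE_ACCOUNTS = [
    {"user": "teller01", "last_changed": date(2017, 5, 1),
     "failed_logons": 0, "locked": False},
    {"user": "teller02", "last_changed": date(2017, 6, 10),
     "failed_logons": 4, "locked": False},
    {"user": "wsadmin", "last_changed": date(2017, 6, 20),
     "failed_logons": 1, "locked": False},
]

if __name__ == "__main__":
    for pw in ["abc12", "Abcdef", "Ab3$ef"]:
        print(pw, password_findings(pw) or "compliant")
    print(review_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE))
```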
2. Operating time schedules for users' input to Firming applications are not implemented.
3. Software shall not allow the same user to be both maker and checker of the same transaction
unless otherwise permitted by the appropriate authority. In practice the checker password is
sometimes shared by several makers, and they verify their own transactions without checking.
This type of practice must be stopped.
4. Sensitive data and fields of Firming applications are not restricted from being accessed.
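The maker-checker rule in observation 3 is simple to enforce in software and to audit after the fact. The following is an added example, not code from the Firm's application: it refuses a verification where the checker is the maker unless an authority override is recorded, and it scans a transaction log for entries that were self-verified. The class and function names, the override field and the sample log are assumptions constructed here.

```python
"""Maker-checker (four-eyes) control for Firming transactions (added example)."""
from dataclasses import dataclass
from typing import Optional


class SegregationError(Exception):
    """Raised when a checker tries to verify a transaction they made."""


@dataclass
class Transaction:
    txn_id: str
    amount: float
    maker: str
    checker: Optional[str] = None
    override_by: Optional[str] = None   # authority that permitted an exception
    status: str = "pending"


def verify(txn: Transaction, checker: str,
           override_by: Optional[str] = None) -> Transaction:
    """Approve a transaction, enforcing that maker and checker differ.

    An exception is allowed only when the appropriate authority is named in
    override_by, which is then recorded on the transaction for audit.
    """
    if txn.status != "pending":
        raise ValueError(f"{txn.txn_id} already {txn.status}")
    if checker == txn.maker and override_by is None:
        raise SegregationError(
            f"{checker} cannot check own transaction {txn.txn_id}")
    txn.checker = checker
    txn.override_by = override_by
    txn.status = "verified"
    return txn


def self_verified(log: list) -> list:
    """Audit pass: IDs of verified transactions where maker == checker
    and no authority override was recorded."""
    return [t.txn_id for t in log
            if t.status == "verified" and t.maker == t.checker
            and t.override_by is None]


# Constructed sample log, as an auditor might export it from the application.
SAMPLE_LOG = [
    Transaction("T001", 5000.0, maker="maker_a", checker="checker_x",
                status="verified"),
    Transaction("T002", 12000.0, maker="maker_b", checker="maker_b",
                status="verified"),
    Transaction("T003", 800.0, maker="maker_a", checker="maker_a",
                override_by="ops_head", status="verified"),
]


def demo() -> dict:
    """Run the control against the sample log and a fresh pending transaction."""
    flagged = self_verified(SAMPLE_LOG)
    pending = Transaction("T004", 300.0, maker="maker_c")
    try:
        verify(pending, checker=pending.maker)   # maker checking own work
        blocked = False
    except SegregationError:
        blocked = True
    verify(pending, checker="checker_x")         # proper four-eyes approval
    return {"flagged": flagged, "self_check_blocked": blocked,
            "t004_status": pending.status}


if __name__ == "__main__":
    print(demo())
```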
Information security relies on trusting a small group of skilled staff, who are found subject
to proper checks and balances. Audit observations regarding Privileged Access Management are
given below.
1. Entry level junior staff are assigned to critical operations and security functions.
2) The following controls and security practices for privileged users are advised:
a) The number of privileged users should be limited and fixed by the management.
A Firm keeps records of public money, therefore a business continuity plan is very important for
a Firm. The Firm needs to have proper planning for Business Continuity and Disaster Recovery
Management. The primary objective of a Business Continuity Plan (BCP) is to survive a disaster
and to re-establish normal business operations within the least possible time and with minimum
financial and reputational loss.
1. Backup plan
2. Recovery process
3. Restore process
1. The approved Business Continuity Plan addressing recovery from disaster to continue
operations has not been updated for the last one year.
2. One copy of the BCP is found in the head office. Documents related to the BCP need to be
kept in secured off-site locations.
a) Action plan to restore business operations within the specified time frame for:
b) Emergency contacts, addresses and phone numbers of employees, vendors and agencies.
c) Grab list of items such as backup tapes, laptops, flash drives, etc.
d) Disaster recovery site map
A disaster recovery site is a backup location. It is a place where a Firm can relocate following
a disaster like fire, flood or terrorist threat. Audit observations regarding the Disaster
Recovery Plan (DRP) are given below.
1. Scenario analysis to identify and address various types of contingency scenarios is not
included in the DRP. Contingency scenarios may be fire, flood or terrorist attack; all types of
scenario must be included in the DRP.
2. A Disaster Recovery Site (DRS) in a different seismic zone is not established. The Disaster
Recovery Site (DRS) must be geographically separated from the primary site (a minimum of 10
kilometers radial distance, but a different seismic zone is preferred).
3. Real-time data replication is enhancing the Firm's recovery capability, but more copies of
the replication are necessary.
4. An up-to-date and tested copy of the DR plan is not found at more than one off-site
location. One copy is found stored in the office for ready reference.
5. The DR plan is not tested and validated annually. The effectiveness of recovery requirements
and the ability of staff to execute them are not tested annually.
6. DR test documentation does not include test results. Test reports are not communicated to
management and other stakeholders.
Data backup helps to recover and continue the business. Following are the audit observations
regarding data backup and restore management.
2. There is no detailed planned backup schedule as per local and regulatory requirements. The
details of the planned backup schedule for each business application must include the
retention period for backed-up or archived information, and the retention period must be
consistent with local legal and regulatory requirements.
3. Media containing backed-up information is not labeled with the information content, backup
cycle, backup serial identifier, backup date and classification of the information content.
4. Periodic testing and validation of the recovery capability of backup media, and assessment
of whether it is adequate and sufficiently effective to support the Firm's recovery process, is
not done.
Chapter: 07
Conclusion
Information system auditing is a vast area, and it is very difficult for a single person to
cover the whole of it within a short period of time. At the end of the audit I presented the
audit observations to management. I expect my audit findings and observations will help the
Firm to find out and rectify security threats. I also expect that this report will help to
assess and review the organization's IT-based business. For a more effective audit the Firm
needs to employ an external auditor from an independent audit firm. Financial audit findings
are monitored and rectified, but information system audit findings are not monitored and
rectified like financial audit findings. Nowadays the information system is the heart of
Firming, therefore information system audit findings must be rectified properly.
Appendix
ICT Security Audit Checklist