Red Unsatisfactory
Table of Contents
S.no Topic Pg.no
1 Executive Summary
4 Appendices
Page 2 of 10
The federal Agency is a branch under the Government of Pakistan that provides details
about residents of Pakistan. This organization works with the crime department that
regulates safety in our country.
1.2. Objective and Scope
We reviewed the agency’s general controls that were placed in the application and
system. We also reviewed the agency’s policies and regulations for the year 2021. We
reviewed policies for the security department, access, and service continuity. For our
audit purpose, we interviewed main personnel such as supervisors, managers, and
employees. We also had questionnaires developed so that our process was fast. We also
reviewed the documentation and observed the system.
Major 2 2
Moderate 0 0
Minor 0 0
Total 3 3
1.5. Conclusion
We concluded that the controls of the federal agency were not that effective. There were policies by
the Government in the department of security and software updates, but the criteria are not formal
or up to date. Neglecting this causes a high risk of unauthorized access to the system and of
modification and disclosure of sensitive data to the public.
Overall, we have identified 3 weaknesses and have put forward possible recommendations for them.
Audit of (Name)
2. Detail findings and recommendations
Finding / Risk | Recommendations / Management Action Plan | Owner / Timing | Risk Rating

1. User Access

Statement of Condition:
Security staff and application owners did not periodically review user access authorizations to ensure that users' levels of access to the computers were appropriate.

Criteria:
The organization's governing policy requires security staff or personnel to obtain written documentation and approval from the supervisor before allowing users access to the computers.

Cause:
The organization did not have reports of user access authority. Although there is functionality that revokes user access after 15 days, the data from the database was not deleted. The reason is that there is no source of frequent communication or reports from employers to security staff that tells which employee is terminated or when they leave.

Recommendation:
Federal agency supervisors should ensure that policies are developed and implemented so that if a user leaves the organization or is terminated, their data is deleted. If someone wants to access the system with a higher level, they should have an application or approval from a higher authority that tells the access is appropriate.

Owner:
Will smith

Timing:
20-6-2022
Risk:
There is no assurance that user access was assigned to the right personnel. This increases the risk of unauthorized access, during which data can be altered or destroyed.
Cause:
The agency had a plan to check whether the application/system has any disaster control plan. Testers were asked to test the plan, but because the system was undergoing changes due to some bugs that were found in 2021, the plan to test the system was dropped and the disaster recovery system was not checked or tested.
Risk:
There is an increased risk that the system will not be reliable, as it cannot resume from the place where the failure occurred.
3. Access to admin computer
Recommendation:
Cause:
The agency has no policy that trains people to know about these sensitive issues that can lead to big disasters. The security packages that would notify users that they need to change the password, on the other hand, are not updated.
Risk:
The effectiveness of the password as a control has been diminished, which increases the risk of unauthorized access to sensitive information.
3. Report Discussion and Distribution
3.1. People interviewed during the audit
An initial meeting with Mr. Zubair was held to discuss the scope of the audit and initial information
request. During the audit, the following people were interviewed:
3.2. Report Discussion
The findings in the report were discussed with Mr. Babar Junaid at the closing meeting.
4. Appendices
4.1. Individual Findings Rating Criteria
There is no guarantee that user access was granted to the appropriate personnel.

Major: Significant Control Weakness. Timely corrective action required.
There is a significant weakness in controls. The system is not able to give reliability as it cannot resume from the place where the failure occurred. Develop a backup plan and ensure that the storage plan is tested and secure.
Department Director, Department Managers.
Action plan to be implemented as a matter of priority. Expected to be implemented in no later than 3 months.
Risk Rating of the Process | Risk Summary | Rating Explanation – Criteria

Unsatisfactory
Risk Summary: Severe / Critical deficiencies noted in the System of Internal Controls. Immediate corrective action required.
Rating Explanation – Criteria: There is no guarantee that user access was granted to the appropriate personnel. Corrective action is needed to ensure that if someone wants to access the system with a higher level, they should have an application or approval from a higher authority that tells the access is

Needs Significant Improvements
Risk Summary: Significant deficiencies were noted in the System of Internal Control. Timely corrective action is required.
Rating Explanation – Criteria: High residual risk exists in a major scope or risk area. The controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives met. The superior authority should develop a plan and the plan should be tested and offsite storage should be secure.