
XXX Audit Report

Audit Ref: XX/YYYY/Entity
Audit Title: Name
Business Unit: Entity / Function / Sub-function
Business Owner: CXO, EVP
Issue Date: MM DD, YYYY

See section 3.4 for Report Distribution and Audit Team

Overall Process Assessment

Green    Satisfactory
Amber    Needs Significant Improvements
Yellow   Needs Minor Improvements
Red      Unsatisfactory

Table of Contents

1  Executive Summary
2  Detailed Findings and Recommendations
3  Report Discussion and Distribution
4  Appendices
Audit of (Name)

1. Executive Summary

1.1. Background

1.2. Objective and Scope

1.3. Limitation of Scope

1.4. Number of Observations

Risk Rating Assessment   No of findings   Action plans agreed for the findings
Severe                   1                1
Major                    2                2
Moderate                 0                0
Minor                    0                0
Total                    3                3

1.5. Conclusion

2. Detailed Findings and Recommendations

Finding 1. User Access

Statement of Condition:
Security staff and application owners did not periodically review user access authorizations to ensure that users' levels of access to the computers were appropriate.

Criteria:
The organization's governing policy requires security staff or personnel to obtain written documentation and approval from the supervisor before allowing users access to the computers.

Cause:
The organization did not have reports of user access authority. Although there is functionality that revokes user access after 15 days, the user's data was not deleted from the database. The reason is that there is no regular communication or reporting from employers to security staff identifying which employees have been terminated or have left.

Risk:
There is no assurance that user access was assigned to the right personnel. This increases the risk of unauthorized access, during which data can be altered or destroyed.

Recommendation / Management Action Plan:
Federal agency supervisors should ensure that policies are developed and implemented so that when a user leaves the organization or is terminated, their data is deleted, and so that anyone who wants to access the system at a higher level has an application or approval from a higher authority confirming that the access is appropriate.

Owner: Will Smith
Timing: 20-6-2022

Finding 2. Service Continuity

Statement of Condition:
The Federal agency did not have the ability to recover data or resume from the same point if a failure occurs. The offsite data storage location is far away and is not protected by authorized access.

Criteria:
Federal agency management criteria require the agency to test its application, and to verify that it has a major backup and access to the stored backup in case of disaster. To check this, the policy needs to be re-invoked.

Cause:
The agency had planned to check whether the application/system has a disaster control plan. Testers were asked to test the plan, but because the system was undergoing changes due to bugs found in 2021, the plan to test the system was dropped and the disaster recovery system was not checked or tested.

Risk:
There is an increased risk that the system will not provide reliability, as it cannot resume from the point where the failure occurred.

Recommendation / Management Action Plan:
We recommend that the superior authority develop a plan, that the plan be tested, and that offsite storage be secured.

Owner: Will Smith
Timing: 18-6-2022

Finding 3. Access to Admin Computer

Statement of Condition:
The passwords for admin access were not changed in a timely manner. The session failure exception was also not working when a user is inactive for 15 days. The system relies heavily on passwords and IDs; if an unauthorized person gains access, they can modify files or data.

Criteria:
According to "The Automated Information Systems Security Handbook", passwords should be changed every 90 days. Users with sensitive data access privileges should change their passwords every 30 days.

Cause:
The agency has no policy that trains people to recognise these sensitive issues, which can lead to major disasters. The security packages, on the other hand, are not updated, so users are not notified that they need to change their password.

Risk:
The effectiveness of the password as a control has been diminished, which increases the risk of unauthorized access to sensitive information.

Recommendation / Management Action Plan:
We recommend that priority be given to this risk. Updated packages should be installed, and new measures should be taken for the security policy.

Owner: Will Smith
Timing: 17-6-2022
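Findings 1 and 3 both come down to checks that can be run mechanically at each review interval: whether every active account still belongs to a current employee and has written supervisor approval on file, whether access idle beyond the 15-day revocation window has actually been revoked, and whether password age is within the 90-day limit (30 days for sensitive-data privileges) cited from the handbook. The following Python script is an added example, not part of the audit report or the agency's own tooling; it applies those thresholds to a constructed HR roster and account list (all names, dates and the record layout are assumptions) and returns the exceptions an auditor would expect to be raised.

```python
"""Periodic user-access review check.

Added example, not part of the audit report: applies the thresholds the
report cites to a constructed HR roster and account list and returns the
exceptions an auditor would expect to be raised:
  - active accounts held by terminated staff, or with no HR record (finding 1)
  - accounts with no written supervisor approval on file (finding 1, criteria)
  - accounts idle beyond the 15-day revocation window but not revoked
  - passwords older than 90 days, or 30 days for sensitive/admin access (finding 3)
All names, dates and the record layout below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVITY_REVOKE_DAYS = 15           # report: access revoked after 15 days idle
PASSWORD_MAX_AGE_DAYS = 90            # handbook cited in finding 3
SENSITIVE_PASSWORD_MAX_AGE_DAYS = 30  # users with sensitive-data privileges


@dataclass
class Account:
    user_id: str
    privileged: bool         # admin or sensitive-data access
    approval_on_file: bool   # written supervisor approval obtained before access
    last_login: date
    password_changed: date
    active: bool = True


@dataclass
class HrRecord:
    user_id: str
    terminated_on: Optional[date] = None  # None while still employed


def review_access(accounts: List[Account], roster: List[HrRecord],
                  today: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) pairs for every control exception found."""
    hr = {r.user_id: r for r in roster}
    exceptions = []
    for acct in accounts:
        if not acct.active:
            continue  # already revoked; nothing to review
        rec = hr.get(acct.user_id)
        if rec is None:
            exceptions.append((acct.user_id, "no HR record for active account"))
        elif rec.terminated_on is not None and rec.terminated_on <= today:
            exceptions.append((acct.user_id, "terminated user still has active access"))
        if not acct.approval_on_file:
            exceptions.append((acct.user_id, "no written supervisor approval on file"))
        idle = (today - acct.last_login).days
        if idle > INACTIVITY_REVOKE_DAYS:
            exceptions.append((acct.user_id, f"inactive {idle} days, access not revoked"))
        limit = SENSITIVE_PASSWORD_MAX_AGE_DAYS if acct.privileged else PASSWORD_MAX_AGE_DAYS
        age = (today - acct.password_changed).days
        if age > limit:
            exceptions.append((acct.user_id, f"password {age} days old, limit {limit}"))
    return exceptions


def run_sample() -> List[Tuple[str, str]]:
    """Run the review over constructed sample data (review date assumed)."""
    today = date(2022, 5, 1)
    roster = [
        HrRecord("alice"),
        HrRecord("bob"),
        HrRecord("carol", terminated_on=date(2022, 3, 15)),
        HrRecord("dave"),
        HrRecord("erin", terminated_on=date(2022, 2, 1)),
    ]
    accounts = [
        # compliant admin: approved, recently used, password 21 days old
        Account("alice", True, True, date(2022, 4, 28), date(2022, 4, 10)),
        # ordinary user whose password is 120 days old (limit 90)
        Account("bob", False, True, date(2022, 4, 29), date(2022, 1, 1)),
        # left on 15 March, account still active and idle for 48 days
        Account("carol", False, True, date(2022, 3, 14), date(2022, 3, 1)),
        # admin with no approval on file and a 61-day-old password (limit 30)
        Account("dave", True, False, date(2022, 4, 30), date(2022, 3, 1)),
        # revoked account of a former employee: correctly not reported
        Account("erin", False, True, date(2022, 1, 20), date(2022, 1, 1), active=False),
    ]
    return review_access(accounts, roster, today)


if __name__ == "__main__":
    for user, reason in run_sample():
        print(f"{user:6s} {reason}")
```

In practice the account list would be exported from the directory or the application and the roster from HR; the value of such a script lies in running it on a fixed schedule and having its output reviewed and signed off, which is exactly the periodic review that finding 1 says was not happening. Termination and approval data reaching security staff is the precondition, which is the communication gap named under the finding's cause.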

3. Report Discussion and Distribution

3.1. People interviewed during the audit

An initial meeting with Mr. Zubair was held to discuss the scope of the audit and the initial information request. During the audit, the following people were interviewed:

- Mr. Shahzaib Kashif
- Mr. Monis Javaid
- Mr. Agha Muqaibullah
- Ms. Somaiya Saeed
- Ms. Maham Wadood
- Ms. Javeria Mughal

During the audit, the following questions were asked:

- At what intervals do you check user access to the system?
- Does the system recover from the operation it was shut down on?
- What is the minimum time the system takes to recover the operation it was shut down on?
- Does the password session fail after some interval?
- At what interval does the password session fail?
- What are the ways to recover passwords?
- What are the ways to check for authorized users?

3.2. Report Discussion

The findings in the report were discussed with Mr. Babar Junaid at the closing meeting.

- Our draft report was issued to Mr. Asaad Quraishi on 06-5-2022.
- The final management action plan was received on 20-5-2022.

3.3. Period of Audit Framework

From Jan 2022 to May 2022

3.4. Audit Team

The audit team consisted of the following individuals:

- Ms. Hafsa Parker
- Ms. Zoha Waseem
- Ms. Anusha Khalil

3.5. Reporting Distribution

To: Assad Iqbal – Business Owner

CC: Junaid Ahmed – Department Head,
Farhan Javed – Controller,
Mehmood Aslam – Audit Subcommittee,
Umar Mukhtar – Division Vice President,
Shumaila Ghouri – External Auditor

4. Appendices

4.1. Individual Findings Rating Criteria

Risk Rating: Severe
Risk Rating Summary: Critical Control Weaknesses
Explanation – Criteria: There is no guarantee that user access was granted to the appropriate personnel. Corrective action is needed to ensure that if someone wants to access the system at a higher level, they have an application or approval from a higher authority confirming that the access is appropriate.
Escalation: MD/CEO, Executive Committee
Action Plan Guidelines: Action plan to be implemented as a matter of urgency.

Risk Rating: Major
Risk Rating Summary: Significant Control Weakness. Timely corrective action required.
Explanation – Criteria: There is a significant weakness in controls. The system is not able to provide reliability, as it cannot resume from the point where the failure occurred. Develop a backup plan and ensure that the storage plan is tested and secure.
Escalation: Department Director, Department Managers
Action Plan Guidelines: Action plan to be implemented as a matter of priority. Expected to be implemented in no later than 3 months.

Risk Rating: Major
Risk Rating Summary: Significant Control Weakness. Timely corrective action required.
Explanation – Criteria: The password's effectiveness as a control has declined, increasing the risk of unauthorized access to sensitive information. Updated packages should be installed, and new security policies should be implemented.
Escalation: Department Director, Department Managers
Action Plan Guidelines: Action plan to be implemented as a matter of priority. Expected to be implemented in no later than 3 months.

4.2. Overall Risk Rating of the Process

Risk Rating of the Process: Unsatisfactory
Risk Summary: Severe / Critical deficiencies noted in the System of Internal Controls. Immediate corrective action required.
Rating Explanation – Criteria: There is no guarantee that user access was granted to the appropriate personnel. Corrective action is needed to ensure that if someone wants to access the system at a higher level, they have an application or approval from a higher authority confirming that the access is appropriate.

Risk Rating of the Process: Needs Significant Improvements
Risk Summary: Significant deficiencies were noted in the System of Internal Control. Timely corrective action is required.
Rating Explanation – Criteria: High residual risk exists in a major scope or risk area. The controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives met. The superior authority should develop a plan, the plan should be tested, and offsite storage should be secure.