Management summaries in respect of completed audit assignments Appendix B (1)

Report No. NN/11/08 – Final Report issued 8 February 2011
Audit Report on Exchequer Services
Audit Opinion
Adequate Assurance given
Rationale Supporting Award of Opinion
The audit work carried out by Internal Audit indicated that:
• While there is a basically sound system of internal control, there are weaknesses which put some of the client’s objectives at risk.
• There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk.
• This opinion results from the two medium and three low priority recommendations that have been raised.
Summary of Findings
General
Financial procedures are set out within the Council’s constitution with Part Four, Rules of
Procedure, including a section covering Orders for Goods and Services, Authorisation of
Expenditure and Insurances; however, we could not locate procedures to instruct staff on
using the electronic ordering system.
Ordering
User access controls are in place over the E-Financials electronic ordering system and
administrative rights are limited to four officers. Controls are in place to ensure that
independent authorisation of expenditure is carried out in line with the authorised signatories
list, and there is segregation of duties in the establishment and amendment of supplier
details.
Low utilisation of the electronic ordering system was identified; approximately 40% of
payments are made using this method. A list of items not appropriate for electronic purchase
order has not been identified. Furthermore, the functionality within the electronic ordering
system to prevent orders being placed against individual budgets, where this would result in a
budget overspend, is not being utilised.
Testing identified scope for improvement around ensuring that a full audit trail is retained in
respect of payment requests; however, no recommendation has been raised as controls have
been put in place to mitigate any potential risks. It was also identified that staff within
Exchequer Services can create new suppliers and process invoices, mainly for operational
reasons given the small size of the team. There are though a number of mitigating
controls that reduce the risk of manipulating the system, including the proposed payments
report, which is reviewed before each payment run and therefore provides some assurance
over the validity of invoices being processed through the ledger. There are also three
‘Superusers’ who have access to full functionality with respect to their areas of responsibility
within the purchase ledger system, with processing restrictions of £100 having been applied
as a consequence of the previous audit.
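The compensating control described above is a human review of the proposed payments report before each run. As an added illustration (not code from the audit report or the Council), the script below runs that review over constructed ledger records, holding back invoices where the same officer created the supplier and processed the invoice, and Superuser-processed invoices above £100; reading the £100 restriction as a per-invoice limit is an assumption.

```python
# Added example, not part of the audit report: an exception listing a reviewer
# of the "proposed payments report" could run before a payment run.
# Records are constructed; the GBP 100 Superuser restriction is read here as a
# per-invoice processing limit, which is an assumption about the report's wording.
from decimal import Decimal
from typing import NamedTuple


class Supplier(NamedTuple):
    supplier_id: str
    created_by: str


class Invoice(NamedTuple):
    invoice_id: str
    supplier_id: str
    amount: Decimal
    processed_by: str


SUPERUSERS = {"su_ledger"}            # constructed user id
SUPERUSER_LIMIT = Decimal("100.00")   # restriction stated in the report

# Constructed sample data
SUPPLIERS = [Supplier("S001", "clerk_a"), Supplier("S002", "clerk_b"),
             Supplier("S003", "su_ledger")]
INVOICES = [
    Invoice("INV-1", "S001", Decimal("250.00"), "clerk_b"),    # clean
    Invoice("INV-2", "S002", Decimal("80.00"), "clerk_b"),     # creator processed it
    Invoice("INV-3", "S003", Decimal("150.00"), "su_ledger"),  # both checks fire
    Invoice("INV-4", "S999", Decimal("10.00"), "clerk_a"),     # supplier not on ledger
]


def review_payment_run(suppliers, invoices):
    """Return {invoice_id: [issue, ...]} for invoices a reviewer should hold back."""
    creator = {s.supplier_id: s.created_by for s in suppliers}
    exceptions = {}
    for inv in invoices:
        issues = []
        if inv.supplier_id not in creator:
            issues.append("supplier not on ledger")
        elif creator[inv.supplier_id] == inv.processed_by:
            issues.append("same officer created supplier and processed invoice")
        if inv.processed_by in SUPERUSERS and inv.amount > SUPERUSER_LIMIT:
            issues.append("Superuser processed above GBP 100 restriction")
        if issues:
            exceptions[inv.invoice_id] = issues
    return exceptions


if __name__ == "__main__":
    for inv_id, issues in review_payment_run(SUPPLIERS, INVOICES).items():
        print(inv_id, "->", "; ".join(issues))
```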
Creditors
Weaknesses were identified regarding the frequency of reviews of creditor system access
rights, in line with role changes within the Council, to ensure they reflect current roles.
Controls were in place regarding receipting of goods/services, prevention of duplicate
payments, verification of the appropriateness to make payment and recording of payments.
Secure arrangements were verified for ordering, storage, printing, issuing and despatch of
cheques.
Procedures for electronic transfers/one-off payments made outside of the normal payment run
were in place.
The Council is required through legislation to publicly report on purchases made in excess of
£500. Evidence was provided to demonstrate that this task is on track to be completed by
January 2011.
VAT is accounted for within Finance for purchases. VAT returns are submitted on a monthly
basis. The returns are being submitted prior to authorisation being made by the Financial
Services Manager.
Staff and members are required to declare interests to avoid potential conflicts, in particular
with regard to potential creditors. Employees are required to declare interests when they
become aware of a potential conflict of interest. This is a voluntarily disclosure; however,
guidance was in place within the employee Code of Conduct.
Corporate VISA Charge Cards
Procedure guidance for Corporate Credit Cards (CCC) was held; however, the guidance does
not provide sufficient instruction regarding appropriate online use of CCCs.
There are five CCCs in use by four members of Corporate Management Team and the ICT
Network Manager. Two bank signatories are required to authorise new card holders; the
request is then processed by the Technical Accountant. Card statements are reconciled to
VAT receipts on a monthly basis.
Insurances
The Council undertook a joint procurement exercise in 2009/10 with a number of local
authorities led by St Edmundsbury Council, with the tender advertised in the European
Journal. The Council accepted a tender from Zurich, commencing on 1st May 2010, with an
expected five-year term.
Insurance claims have been completed on standard forms in a timely manner.
Performance Information
A local performance target of 100% of invoices being paid within 30 days is in place and
monitored. Performance was under the expected level at around 96.46% in September 2010.
Performance is monitored through TEN on a monthly basis and reported to Cabinet quarterly.
Risk Management
Financial Services have not undertaken a risk assessment for 2010/11 and are therefore non-compliant with the Council’s risk management framework.
Adequacy and Effectiveness Assessments (table; cell assignment partly lost in extraction)
Columns: Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised (High / Medium / Low)
Areas: General, Ordering, Creditors, Corporate Credit Cards, Insurances, Performance Information, Risk Management
Adequacy/Effectiveness ratings as extracted: Green, Amber, Green, Amber, Amber*, Amber, Amber, Amber, Green, Green, Green, Green, n/a, Red
Recommendations raised for General, Ordering, Creditors and Corporate Credit Cards: High 0, 0, 0, 0; Medium 0, 1, 0, 0; Low 0, 1, 1, 1
Recommendations raised for Insurances, Performance Information and Risk Management, as extracted: 0, 0, 0, 0, 0, 0, 0, 1, 0
Total: High 0, Medium 2, Low 3
* Recommendation raised within the ordering area also relates to this area
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have agreed, or agreed in principle, with all recommendations raised.
Appendix B (2)
Report No. NN/11/17 – Final Report issued 15 February 2011
Audit Report on Network Infrastructure, Security and Telecommunications
Audit Opinion
Limited Assurance given
Rationale supporting award of Opinion
The audit work carried out by Internal Audit indicated that there are weaknesses in the system
of internal controls such as to put the client’s objectives at risk.
Although overall the Council’s Domain Controller Configuration standards were on par with
other local authority organisations, there are still a number of weaknesses which need to be
addressed to meet good security practice and the Government Code of Connection (CoCo)
requirements. A total of 15 medium priority and three low priority recommendations have
been raised to lift controls to a good/leading practice standard; hence we have been able to
provide a limited level of assurance.
This system has not previously been audited, so there is no comparison possible with
previous findings.
Summary of Findings
Domain Account Policies – this refers to the general practices that operate such as
password policies, account lock-out policy etc. Password controls in this area are good, for
example, complexity has been enabled and other available supporting controls are in place.
There are a number of other controls that require review and recommendations on these have
been raised.
Audit Policy – The majority of the available audit functionality has been utilised, although the
logs created by the audit functionality are not reviewed. Recommendations around log review
and bringing the audit functionality not currently being used to a good practice standard have
been raised.
Event Logs – Event logs are equivalent to audit trails in the network domain. There are good
controls in the configuration of event log settings.
Security Options – The majority of available controls in this area are in line with good
practice, although it was also noted that some still require review. For example, it is not good
practice to allow the username of the previous user of a PC or laptop to be displayed to the
next user upon system start.
User Accounts – Good controls have been implemented, although the audit found that there
appears to be a large number of user accounts with passwords set to never expire and/or that
do not require a password. The latter does not necessarily mean that no password is present,
just that the accounts are allowed to have no password set. A recent Code of Connection
onsite security IT Healthcheck found no accounts without passwords. Sample testing of the
leavers’ process noted a minor weakness in that two accounts out of a sample of 22 over the
period from July to September 2010 were still open. As the process clearly exists, the
weakness was discussed with management and no formal recommendation has been raised
here. However, recommendations on the accounts with no password expiry, and those which
do not require a password, have been raised.
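Both User Accounts findings correspond to bits in the Active Directory userAccountControl attribute. The following script is an added example (not part of the audit or the Council's tooling) that reads a constructed directory export and lists the accounts matching each finding, keeping the distinction the report draws: the "password not required" bit permits an empty password but does not show that one is absent.

```python
# Added example, not part of the audit report: flag accounts in a directory
# export whose userAccountControl bits match the two User Accounts findings.
# The export below is constructed; the bit values are the standard AD flags.
import csv
import io

DONT_EXPIRE_PASSWD = 0x10000   # password set to never expire
PASSWD_NOTREQD = 0x20          # a password is not required (one may still be set)
ACCOUNTDISABLE = 0x2           # disabled accounts are noted for triage

# Constructed sample export: sAMAccountName, userAccountControl (decimal)
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
jsmith,512
svc_backup,66048
tmpuser,544
oldadmin,66082
"""


def audit_uac(export_text):
    """Return {account: [finding, ...]} for accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        issues = []
        if uac & DONT_EXPIRE_PASSWD:
            issues.append("password never expires")
        if uac & PASSWD_NOTREQD:
            # As the report notes, this bit only allows an empty password;
            # it does not show that the account actually has none.
            issues.append("password not required")
        if issues and uac & ACCOUNTDISABLE:
            issues.append("account disabled")
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings


def summarise(findings):
    """Count accounts per finding type for the audit summary."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_uac(SAMPLE_EXPORT)
    for account, issues in found.items():
        print(f"{account}: {', '.join(issues)}")
    print(summarise(found))
```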
Rights and Privileges – It was found that “rights to be granted to administrators only” were
configured in line with current good practice, although there are a number of “rights to be
granted to no one” that have been granted to users. There are also a number of
Discretionary Access Control Lists (“DACL”) that have been created for individual users, that
allow the users certain functionality within the system. Recommendations on this and the
“rights to be granted to no one” have been raised.
Trusted and Trusting Domains – Trust relationships allow one Domain to “trust” the access
rights given within another Domain (e.g. the network password would allow access to another
domain). There are no such relationships in place on the network domain.
Remote Access Service (RAS) – The RAS service has been disabled and no RAS servers
were defined within the domain. However, six supporting RAS services were still running on
the Domain Controller and one administrator account has permission to dial in using RAS.
Recommendations on stopping the services and reviewing the need to have an administrator
account with this privilege have been raised.
Services and Drivers – The domain controller had 276 services available, of which 148 were
running at the time of the audit. There is no regular review of the services to ensure that only
required services are running. A recommendation on this has been raised.
Updates and Patches – It was found that the last time any patches or updates were installed
was in January 2010 when Server 2003 Service Pack 2 was installed. There is no patch or
update review process in place that ensures that the hardware is hardened to current patches
and/or hotfixes. A recommendation on this has been raised.
Logical Drives and Network Shares – Logical drives are sections of physical drives that
have been partitioned, whilst network shares are pieces of information that can be shared
between users (e.g. shared files, shared printers). Good controls were noted here.
Backup – Good controls were noted here.
Physical and Environmental Security – Good controls were noted here.
Disaster Recovery Plan (DR) – Management have been working on drafting a Disaster
Recovery Plan although it requires further review to lift it to current good practice. A
recommendation containing suggestions for improvement has been raised.
Network Topology (layout) and Resilience – Single points of failure (which, if they failed,
would mean that a significant part of the network would also fail) were noted at the Firewall
and router switch. Spare devices are available to replace the active devices and
management are confident in their ability to do so with little delay. The Council’s
infrastructure is small and these controls have been considered to be adequate for their
needs.
Network Support – The support team is small, although there is good cross training in place
to help ensure adequate network management resourcing. However, there are weaknesses
in terms of security alert management and the lack of regular review of service desk activities
to identify any support trends that may require off line resolution. Recommendations on these
have been raised.
Network Device Security – The CISCO switches allow connections between, and within, the
network. The CISCO switch configuration is such that one of the passwords has been
encrypted using a CISCO “Type 7” algorithm, which is known to be weak. A
recommendation to harden this encryption to the stronger Type 5 encryption has been raised.
The Council currently has no Intrusion Detection System in place. A recommendation to
consider implementation of such a system has also been raised.
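The Type 7 finding is something a configuration review can detect mechanically. The script below is an added example (not code from the audit or the Council) that lints an IOS-style running-config excerpt, reports every secret stored as Type 7 or in clear text, and states the hardened form; it follows the report in recommending Type 5 (enable secret). The configuration text and its password values are constructed placeholders.

```python
# Added example, not part of the audit report: lint an IOS-style configuration
# for the weak password storage the audit flagged (Type 7 reversible encoding and
# unencrypted passwords) and say what the hardened form is. The report asks for
# Type 5; the config text and its secret values are constructed placeholders.
import re

SAMPLE_CONFIG = """!
enable password 7 0123456789ABCDEF
username admin password 0 PLACEHOLDER
username ops secret 5 $1$PLACEHOLDER$PLACEHOLDER
line vty 0 4
 password 7 FEDCBA9876543210
!
"""

SECRET_LINE = re.compile(
    r"^\s*(?P<cmd>enable password|username (?P<user>\S+) password|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

ADVICE = {
    "enable password": "replace with 'enable secret' (Type 5 hash)",
    "username": "replace with 'username {user} secret' (Type 5 hash)",
    "password": "line passwords are at best Type 7; use 'login local' with "
                "'username ... secret' or AAA instead",
}


def lint_config(config_text):
    """Return [(line_no, kind, advice)] for each weakly stored secret."""
    results = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        m = SECRET_LINE.match(line)
        if not m:
            continue   # 'secret 5' lines and non-password lines are fine
        cmd = m.group("cmd")
        kind = "type7" if m.group("type") == "7" else "plaintext"
        if cmd.startswith("username"):
            advice = ADVICE["username"].format(user=m.group("user"))
        else:
            advice = ADVICE[cmd]
        results.append((no, kind, advice))
    return results


if __name__ == "__main__":
    for no, kind, advice in lint_config(SAMPLE_CONFIG):
        print(f"line {no}: {kind}: {advice}")
```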
Remote Virtual Private Network (VPN) Access – These allow users to access the network
from other locations, e.g. through the internet. Good controls were noted. A VASCO (a data
security company) token 2-factor authentication mechanism is in place.
Network Management and Administration – Good controls have been noted in that there
appears to be adequate budget and resource in place to manage the network infrastructure,
although no Service Level Agreement between IT and the Business Areas is in place. In
addition, there is no separate Network Strategy. Recommendations on these weaknesses
have been raised.
Firewall – Good controls were noted in that there is evidence of regular (annual) penetration
testing in place. Management use a range of different external vendors to implement these
tests in order to get a cross section of opinion.
Telecommunications Administration – The Council uses older technology with a small
amount of Voice-over IP (VOIP) technology, which is used internally only. There is a range of
Disaster Recovery options available to management should such an event be invoked. Billing
is handled by apportioning total amounts equally across the total number of Council
employees.
Adequacy and Effectiveness Assessments

Area of Scope                               | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised (High | Medium | Low)
Domain Accounts Policy                      | Amber                | Amber                     | 0 | 1  | 0
Audit Policy                                | Amber                | Amber                     | 0 | 2  | 0
Event Logs                                  | Green                | Green                     | 0 | 0  | 0
Security Options                            | Amber                | Amber                     | 0 | 1  | 0
User Accounts                               | Amber                | Amber                     | 0 | 1  | 1
Rights and Privileges                       | Amber                | Amber                     | 0 | 2  | 0
Trusted and Trusting Domains                | Green                | Green                     | 0 | 0  | 0
Remote Access Service (RAS)                 | Amber                | Amber                     | 0 | 1  | 0
Services and Drivers                        | Amber                | Amber                     | 0 | 0  | 1
Updates and Patches                         | Amber                | Amber                     | 0 | 1  | 0
Logical Drives and Network Shares           | Green                | Green                     | 0 | 0  | 0
Backup                                      | Green                | Green                     | 0 | 0  | 0
Physical and Environmental Security         | Green                | Green                     | 0 | 0  | 0
Disaster Recovery Plan                      | Amber                | Amber                     | 0 | 1  | 0
Network Topology and Resilience             | Green                | Green                     | 0 | 0  | 0
Network Support                             | Amber                | Amber                     | 0 | 2  | 0
Network Device Security                     | Amber                | Amber                     | 0 | 1  | 1
Remote Virtual Private Network (VPN) Access | Green                | Green                     | 0 | 0  | 0
Network Management and Administration       | Amber                | Amber                     | 0 | 2  | 0
Firewall                                    | Green                | Green                     | 0 | 0  | 0
Telecommunications Administration           | Green                | Green                     | 0 | 0  | 0
Total                                       |                      |                           | 0 | 15 | 3
High Priority Recommendations
We have raised no high priority recommendations as a result of this audit.
Management Responses
Management have disagreed with one recommendation raised:
Recommendation 18 – Network Strategy (low priority)
Management should draft and agree a Network Strategy to complement the existing ICT
Strategy. The document should include reference to the timescales that the strategy covers,
the level of current planned investment in the infrastructure and the aims of the strategy in
terms of how it is aligned to identified business needs over the lifetime of the strategy.
Rationale supporting Recommendation 18
A formal Network Strategy will help to ensure transparency and accountability for the network
and help to demonstrate how the IT area are supporting identified business objectives over
time.
There is currently no formal network strategy, although there are brief references to network
plans within the main ICT strategy.
A lack of a formal Network Strategy increases the risk that the network’s management will be
ineffective and not support business objectives over time.
Management Response
Disagreed. However, we shall include a network plan as part of the ICT strategy instead of
generating a separate document. This is to minimise the number of strategies.