Some of you may not know this, but earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, thereby, business operations.

I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG ii program then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.

Anyway, IT audit has been a passion of mine for many years.

So, when I saw that Deloitte has published a piece, The Future of IT Audit[1], I was interested.

Here are some excerpts with my comments:

• In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.

Comment: being an auditor is being an adviser. That should not be a change.

Comment: what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.

• As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to…

Подробнее…

Political vultures were circling within hours of revelations that personal information relating to some 186,000 NSW residents had been exposed in an April data breach that saw some 3.8 million documents stolen by cyber criminals.

The breach of online government agency Service NSW was announced in May, but authorities have only now released details of the breach after a four-month investigation involving the NSW Police, auditor general, and cyber security experts that confirmed some 738 gigabytes of data had been stolen after 47 staff email accounts were compromised in a phishing attack.

Service NSW has “accelerated our cyber security plans and the modernisation of legacy business processes to keep customer information as safe as possible,” the agency said, outlining a notification process by which affected citizens will be given “important information about the specific individual data accessed during the breach”.

The agency’s success in consolidating state services – both in person and online – has made it the model for broader efforts such as the federal government’s Services Australia initiative, announced late last year, and state-based efforts in

Read More…

Only one of the federal government’s largest agencies has fully applied the Australian Signals Directorate’s essential eight to some of its most important systems, the national auditor has found.

The finding is contained in the 2019 interim financial controls audit of major entities, which reviewed the implementation of the controls now considered the baseline for cyber resilience.

The Australian National Audit Office’s review focused on the financial and HR systems of 18 agencies, including Defence, Services Australia, Home Affairs and the Tax Office.

“The review was undertaken to confirm the accuracy of reporting and identity cyber security risks that may impact on the preparation of financial statements,” the auditor said [pdf].

“The review consisted of analysis of policy and procedural documentation, testing of mitigation strategies specific to the FMIS and HRMIS, results of sprint assessments and interviews with entity personnel.”

It follows a series of target audits conducted by the auditor since 2013 that have uncovered serious cyber resilience shortcomings, particularly around the implementation of the top four.

But as with previous…

Read More…