Explanation of Finding
Example: Control Objective 7: Controls provide reasonable assurance that transmitted payment data is complete, accurate, and timely.
The electronic scheduler is monitored daily by IT staff for inbound and outbound transmissions.
A random sample of 51 days from the transmission log found no evidence of monitoring on 3 days: April 1, 2018;
July 4, 2018; and September 22, 2018.
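A test of this control can be automated rather than eyeballed: every day in the sample window must have at least one log entry that carries a reviewer. The following PowerShell is an added example, not part of the audit working papers or the scheduler's own tooling; the log format (date, direction, batch, status, reviewed_by) and the entries are constructed for the illustration, and a real scheduler export would need its own regex.

```powershell
# Added example (not from the audit report): find days in the sample window with no
# monitored entry in the scheduler's transmission log. Log format and lines below are
# constructed for this illustration.
$logText = @"
2018-03-31 08:02 INBOUND  batch=0331A status=OK reviewed_by=jdoe
2018-03-31 17:10 OUTBOUND batch=0331B status=OK reviewed_by=jdoe
2018-04-01 08:05 INBOUND  batch=0401A status=OK reviewed_by=
2018-04-02 08:01 INBOUND  batch=0402A status=OK reviewed_by=asmith
2018-04-02 17:12 OUTBOUND batch=0402B status=OK reviewed_by=asmith
2018-04-03 08:00 INBOUND  batch=0403A status=OK reviewed_by=jdoe
"@

function Get-UnmonitoredDays {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    # Collect the days on which at least one entry names a reviewer.
    # An entry whose reviewed_by field is empty does not count as monitoring.
    $monitored = @{}
    foreach ($line in $LogLines) {
        if ($line -match '^(?<date>\d{4}-\d{2}-\d{2}) .*reviewed_by=(?<who>\S+)\s*$') {
            $monitored[$Matches.date] = $true
        }
    }
    # Every calendar day in the window without a reviewed entry is a control gap.
    for ($d = $Start.Date; $d -le $End.Date; $d = $d.AddDays(1)) {
        $key = $d.ToString('yyyy-MM-dd')
        if (-not $monitored.ContainsKey($key)) { $key }
    }
}

Get-UnmonitoredDays -LogLines ($logText -split "`r?`n") -Start '2018-03-31' -End '2018-04-03'
```

Iterating over calendar days rather than over log lines is the important design choice: a day with no entries at all (the scheduler down, or the log not written) is reported as a gap, which a per-line check would silently skip. The constructed data is built so that one day has an entry but no reviewer, which is exactly the "no evidence of monitoring" condition of the finding.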
Control Objective 1: The controls provide reasonable assurance that physical access to computer resources within Gail Industries’ data center is restricted to authorized and appropriate personnel.
The control is a data center access log maintained by the employee administering data center security, who records each entrant's information in the log after verifying identity.
The data center log shows that Gail Lucas entered the facility without presenting ID. Similarly, the last entry (John Wilson) records a business card rather than a picture ID, which does not establish identity.
Control Objective 2: Controls provide reasonable assurance that physical access to assets within Gail Industries’ facilities is restricted to authorized and appropriate personnel.
Access to physical property is controlled through group rights and permissions in the application and in Active Directory.
The CCS Active Users Report shows every listed employee holding administrative system rights, which violates least privilege and should be reported as a finding. The same report, dated 2019, also lists Alan McDonald, who was terminated in June 2018, as still holding a valid account.
Control Objective 4: Controls provide reasonable assurance that changes to network infrastructure and system software are documented, tested, approved, and properly implemented to protect data from unauthorized changes and to support user entities’ internal control over financial reporting.
Change management forms are to be completed and submitted to the Governance group for any change to the current policies on passwords, software changes, and the granting of permissions to the various parts of the physical plant and network.
The account lockout settings are not specified in the password policy document, but Active Directory allows 12 invalid logon attempts before lockout. That value is above the Microsoft security baseline of 10 and the CIS benchmark of 5 or fewer (though well under the NIST SP 800-63B ceiling of 100); the threshold, lockout duration, and observation window should be documented, and the value either justified or reduced.
Control Objective 5: Controls provide reasonable assurance that administrative access to network infrastructure and operating system resources is restricted to authorized and appropriate users to support user entities’ internal control over financial reporting.
The appropriate policy is configured in Active Directory, and the stated policy on password expiry and access is kept up to date and applied across all groups.
The written password policy does not match what is implemented in the Windows domain. The domain controller enforces a 90-day maximum password age, but the policy requires 60 days. Active Directory remembers the 10 previous passwords, but the policy states that passwords can never be reused.
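Both the lockout finding under Control Objective 4 and the password-age and history findings here are instances of the same test: the written policy compared setting by setting against the effective domain policy. The PowerShell below is an added example, not the audit team's or Gail Industries' own script. The effective values are constructed to match the findings; on a real domain controller they would be read with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module, as the comment shows. The baseline value of 10 for the lockout threshold is the Microsoft security baseline, used here only as a reference point.

```powershell
# Added example (not from the audit report): compare the documented password policy
# with the effective AD default domain policy, setting by setting.
#
# On a real domain controller the effective values come from:
#   $p = Get-ADDefaultDomainPasswordPolicy
#   MaxPasswordAgeDays = $p.MaxPasswordAge.Days
#   PasswordHistoryCount = $p.PasswordHistoryCount
#   LockoutThreshold = $p.LockoutThreshold
# The hashtable below is constructed to match the findings instead.
$documented = @{
    MaxPasswordAgeDays   = 60       # policy document: change every 60 days
    PasswordHistoryCount = 'never'  # policy document: passwords may never be reused
    LockoutThreshold     = $null    # policy document: not specified
}
$effective = @{
    MaxPasswordAgeDays   = 90
    PasswordHistoryCount = 10
    LockoutThreshold     = 12
}
# Reference values used only to rate undocumented settings (Microsoft security baseline).
$baseline = @{ LockoutThreshold = 10 }

function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Documented,
        [Parameter(Mandatory)][hashtable]$Effective,
        [hashtable]$Baseline = @{}
    )
    foreach ($setting in ($Documented.Keys | Sort-Object)) {
        $want = $Documented[$setting]
        $have = $Effective[$setting]
        $row  = [ordered]@{ Setting = $setting; Documented = $want; Effective = $have; Result = 'OK' }

        if ($null -eq $want) {
            # Policy is silent: the implemented value is undocumented rather than wrong,
            # but it is still compared with the baseline so the auditor can rate it.
            $row.Documented = '(not specified)'
            $row.Result = if ($Baseline.ContainsKey($setting) -and $have -gt $Baseline[$setting]) {
                "UNDOCUMENTED, above baseline $($Baseline[$setting])"
            } else { 'UNDOCUMENTED' }
        }
        elseif ($setting -eq 'PasswordHistoryCount' -and $want -eq 'never') {
            # AD's "Enforce password history" stores at most 24 passwords, so "never reuse"
            # cannot be enforced by history alone; the policy text itself needs revision.
            $row.Result = "NOT ENFORCEABLE (AD maximum 24, effective $have)"
        }
        elseif ($want -ne $have) {
            $row.Result = 'MISMATCH'
        }
        [pscustomobject]$row
    }
}

Compare-PasswordPolicy -Documented $documented -Effective $effective -Baseline $baseline |
    Format-Table -AutoSize
```

The three result classes matter for how the finding is written up. A MISMATCH (password age) is an implementation defect; an UNDOCUMENTED setting (lockout) is a policy gap, with the baseline comparison deciding whether the value is also a weakness; a NOT ENFORCEABLE requirement ("never reused") is a defect in the written policy, since the control as described cannot be configured in Active Directory.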
Control Objective 8: Controls provide reasonable assurance that deposits are processed completely, accurately, and in a timely manner.
Physical logs record the dates and times at which couriers are scheduled to carry deposits; couriers sign in and out with the deposits, and each entry is countersigned by an authorized supervisor.
The courier deposit log is incomplete and appears to have been abandoned after February. Note also that Mia Liu (a SCOPE employee) does not appear on any employee report (Active or Terminated), so there is no record authorizing her to handle deposits.
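The terminated-but-active account and the blanket administrative rights under Control Objective 2, and the unknown courier and abandoned log here, are all caught by one reconciliation of operational records against the HR Active and Terminated reports. The PowerShell below is an added example and not part of the audit report or any Gail Industries tooling. All four data sets are constructed for the illustration: the HR lists, the CCS account list, and the courier log entries (including the names and dates) are stand-ins, and only the Alan McDonald and Mia Liu conditions mirror the findings. On a real domain the account list would come from Get-ADUser with the Enabled and MemberOf properties, and group membership rather than a Role column would decide who is an administrator.

```powershell
# Added example (not from the audit report): reconcile account and log records against
# HR, and check the courier log for countersignatures and abandonment.
# All data below is constructed for this illustration.
$hrActive     = @('Gail Lucas', 'John Wilson', 'Jane Doe')
$hrTerminated = @('Alan McDonald')          # terminated June 2018 per the HR report
$ccsUsers = @(                              # stand-in for the CCS Active Users Report
    [pscustomobject]@{ Name = 'Gail Lucas';    Enabled = $true; Role = 'Administrator' }
    [pscustomobject]@{ Name = 'John Wilson';   Enabled = $true; Role = 'Administrator' }
    [pscustomobject]@{ Name = 'Jane Doe';      Enabled = $true; Role = 'Administrator' }
    [pscustomobject]@{ Name = 'Alan McDonald'; Enabled = $true; Role = 'Administrator' }
)
$courierLog = @(                            # stand-in for the physical courier deposit log
    [pscustomobject]@{ Date = '2018-02-12'; Courier = 'Mia Liu';  Supervisor = 'John Wilson' }
    [pscustomobject]@{ Date = '2018-02-19'; Courier = 'Jane Doe'; Supervisor = '' }
)

function Find-AccessExceptions {
    param(
        [string[]]$HrActive, [string[]]$HrTerminated,
        [object[]]$Accounts, [object[]]$CourierLog,
        [datetime]$PeriodEnd
    )
    $known = @($HrActive + $HrTerminated)

    # 1. Enabled accounts belonging to terminated staff (should have been disabled at separation).
    foreach ($a in ($Accounts | Where-Object { $_.Enabled -and $HrTerminated -contains $_.Name })) {
        [pscustomobject]@{ Type = 'TERMINATED_BUT_ENABLED'; Name = $a.Name; Detail = 'HR terminated list' }
    }

    # 2. Least privilege: if every enabled account is an administrator, roles are not differentiated.
    $enabled = @($Accounts | Where-Object Enabled)
    $admins  = @($enabled | Where-Object Role -eq 'Administrator')
    if ($enabled.Count -gt 0 -and $admins.Count -eq $enabled.Count) {
        [pscustomobject]@{ Type = 'ALL_ACCOUNTS_ADMIN'; Name = '*'
                           Detail = "$($admins.Count) of $($enabled.Count) enabled accounts" }
    }

    # 3. Names on the courier log that HR has no record of, active or terminated.
    foreach ($e in $CourierLog) {
        foreach ($n in (@($e.Courier, $e.Supervisor) | Where-Object { $_ -and $known -notcontains $_ })) {
            [pscustomobject]@{ Type = 'UNKNOWN_TO_HR'; Name = $n; Detail = "courier log $($e.Date)" }
        }
    }

    # 4. Entries with no supervisor countersignature.
    foreach ($e in ($CourierLog | Where-Object { -not $_.Supervisor })) {
        [pscustomobject]@{ Type = 'NO_COUNTERSIGN'; Name = $e.Courier; Detail = "courier log $($e.Date)" }
    }

    # 5. Abandoned log: last entry more than 30 days before the end of the review period.
    $last = ($CourierLog | ForEach-Object { [datetime]$_.Date } | Measure-Object -Maximum).Maximum
    if ($last -and ($PeriodEnd - $last).TotalDays -gt 30) {
        [pscustomobject]@{ Type = 'LOG_ABANDONED'; Name = '-'
                           Detail = "last entry $($last.ToString('yyyy-MM-dd')), period ends $($PeriodEnd.ToString('yyyy-MM-dd'))" }
    }
}

Find-AccessExceptions -HrActive $hrActive -HrTerminated $hrTerminated -Accounts $ccsUsers `
    -CourierLog $courierLog -PeriodEnd '2018-12-31' | Format-Table -AutoSize
```

Checking names against the union of the Active and Terminated reports is deliberate: a name missing from both is a stronger finding than a terminated one, because there is no authorization record at all. The 30-day abandonment threshold is an assumption chosen for the example; the real cut-off should follow the deposit schedule the control describes.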