Follow-up Audit of Finance and Corporate Branch's IT Controls over Financial Systems
Since the release of the Phase 2 Audit Readiness Assessment report in March 2009, significant effort has been made to address the recommendations and underlying findings regarding the 25 issues of IT financial controls. The financial system has undergone major upgrades in its platform and functionality. In particular, in the past 8 months, the Department has migrated the system from a UNIX platform to a LINUX platform, added the asset life-cycle management functionality and patched a number of security threats.
For the work plan that arose from the Phase 2 Audit Readiness Assessment of March 2009 and had a completion date of March 2011, we conclude that substantial progress has been made in addressing the 25 IT financial control recommendations. All high-risk areas of control weakness have been mitigated, but further work is required to address them fully. Eleven controls were found to be well addressed by the work undertaken to date. Twelve of the remaining controls were found to be largely effective, with only minor issues that still need to be addressed, each control posing a low level of risk to the Department. The final two controls were found to still have moderate issues to address, each control posing a medium level of residual risk to the Department. The first of these two controls involves ensuring that no accounts assigned to former employees remain active; the second, ensuring that activity by privileged Merlin users is monitored.
When the audit fieldwork began in earnest in December of 2010, the review team found that almost none of the policy and procedural work had been accomplished. However, by the time the audit team was able to begin testing, this situation had been largely reversed, with almost all of the policy and procedural work having been completed. This was accomplished in an environment in which the resources of the Finance and Corporate Services Branch were involved in the implementation of the major change in platforms in November of 2010, as well as in the work for the financial year-end.