Abdul Rahman Saleh Al Rajhi & Partners Co. Ltd. (ARARCO) - Final IA Report - ITGC-english.pdf ·...

Date post: 15-May-2020
Category:
Upload: others
View: 4 times
Download: 0 times
Share this document with a friend
38
Tamkeen Performance Audit Final Report: IT General Controls Review Performance Audit Services March 2016
Transcript
Page 1: Abdul Rahman Saleh Al Rajhi & Partners Co. Ltd. (ARARCO) - Final IA Report - ITGC-english.pdf · Information Technology General Controls (ITGC). The primary objective of this performance

Tamkeen Performance Audit Final Report: IT General Controls Review

Performance Audit Services

March 2016

March 17th, 2016

Dear Mr. Jarrar,

In accordance with our provision of performance audit outsourcing services for Tamkeen dated June 30th 2015, we have completed our activities related to the performance audit task assigned by Tamkeen and we are pleased to present our final performance audit report for the Information Technology General Controls (ITGC).

The primary objective of this performance audit exercise was to evaluate the existing controls related to the IT process at Tamkeen. The resulting issues and recommendations were discussed with the management during the course of the audit and prior to the finalisation of this report.

Our performance audit review was performed in accordance with the Standards for the Professional Practice of Internal Auditing as prescribed by the Institute of Internal Auditors (IIA). The procedures we performed did not constitute an examination or a review in accordance with generally accepted auditing standards or attestation standards; accordingly we do not provide an opinion, attestation or other form of assurance with respect to our review, except as may be specified in this report.

Further, we did not plan and perform our work with the objective of preventing or discovering fraud. Our procedures under this engagement are also not designed to and are not likely to reveal misrepresentation by the management of the company. Consequently, we give no assurance on whether the period covered by our audit was free of fraud (whether by management or by external parties), other irregularities or misrepresentation by the management of the company or any other persons. Full details regarding our audit and report limitations are stated in our Letter of Engagement with Tamkeen dated June 30th 2015.

We would like to take this opportunity to thank the management and staff who assisted us in the course of our work.

Yours faithfully

PricewaterhouseCoopers

PricewaterhouseCoopers M.E Limited, CR # 47378, 13th Floor, Jeera I Tower, PO Box 21144 – Seef District, Kingdom of Bahrain. Telephone: +973 17 11 8800 | Fax: +973 17 540556, www.pwc.com/middle-east

Mr. Hassan Amin Jarrar
Chairman of the Audit Committee
Tamkeen
P.O. Box 18131, Manama, Kingdom of Bahrain

Contents

1 Executive Summary 1

2 Summary of Audit Observations 7

3 Detailed observations and recommendations 11

PwC, March 2016

Section 1 – Executive Summary

Tamkeen • Performance Audit Final Report: IT General Controls Review

The criteria adopted for classifying the importance of each observation as High, Moderate or Low are as follows:

Priority 1 – High

Serious and substantial impact on Tamkeen’s ability to achieve objectives

Conditions which would have a significant impact on Tamkeen’s overall performance or the achievement of its objectives, arising through significantly deficient or degraded control processes or inefficient/ineffective working practices. These could include incidents involving failure to report or react to situations where activities are placed at risk; acts of employee infidelity; failures of managerial staff to adequately direct activities or of supervisory staff to adequately control their areas of responsibility; significant violations involving segregation of duties; gross breaches of standing instructions or policies; failure to correct more material conditions previously reported; and conditions which have continued for extended periods in management’s knowledge.

Priority 2 – Moderate

Moderate impact on Tamkeen’s ability to achieve objectives

Situations might include “one off errors” arising through misunderstandings rather than neglect; less material omissions, but those of a recurring nature; variations in systems, where controls need refinement to ensure adequacy, or levels of effectiveness which, while not wholly unsatisfactory, require enhancement; incidents where reporting requirements have not been fulfilled on a timely basis; and breaches of procedural requirements where corrective action is required to avoid loss.

Priority 3 – Low

Minimal impact on Tamkeen’s ability to achieve objectives

Deficiencies which are unlikely to cause other than a low level of disruption to the achievement of objectives, but nevertheless represent areas where working practices could be improved, or where controls require minimal improvement to fully achieve their objective. Attention should be paid to them at some stage, but early resolution is not critical.

This report has been prepared on an exception basis and consequently only matters that came to our attention during our review, and that require to be addressed to management, have been reported.

Our report has been prepared solely for your information and the management of Tamkeen and is not to be used for any other purposes. It should not be included or referred to in any document or publication made available to persons outside Tamkeen without our written consent. We do not accept responsibility to any other party to whom it may be shown or who on their own volition may decide to rely on it. Our engagement has been performed on an outsourcing basis.

Background

Tamkeen’s senior management and audit committee have decided to embark on a performance audit project; in this regard, PwC was appointed to perform an inherent-based risk assessment, develop a 3-year internal audit plan, and execute audit reviews over specific processes that were mutually agreed with Tamkeen’s audit committee.

Engagement objectives

The objectives of this engagement are to:

• Provide an independent and objective report on Tamkeen’s selected operational and support functions by bringing a systematic and disciplined approach to evaluating the risks and controls over these functions and recommending opportunities for improvements.

• Conduct a follow up review over the previous performance audit findings.

Audit period and time line

The audit review covers the period from January 1st, 2011 to December 31st, 2014. We have assessed the specific risks identified within each scope area, evaluated the associated mitigating controls, and commented on the results of our audit procedures, which were performed on a sampling basis. Management should be aware of the inherent limitations of the results of using a sample; if the tests were expanded to 100% of the population, observation details could have differed.

Objective and scope of this report

The objective of this report is to provide Tamkeen’s senior management and audit committee with our performance audit observations and recommendations over the IT process, which were established based on our (PwC) standard performance audit activities and procedures.

Our approach included the following steps:

• Conducting meetings with Tamkeen’s management and Audit Committee members to confirm the objective of the audit exercise and identify areas of concern;

• Conducting meetings with the relevant process owners in order to obtain a holistic understanding of current departmental practices;

• Submitting an initial List of Requirements (LOR) and requesting samples from the relevant process owners;

• Obtaining, reviewing and testing the selected samples;

• Preparing and submitting the draft performance audit report to Tamkeen’s management for feedback and further discussions; and

• Preparing and submitting the final performance audit report to Tamkeen’s management and audit committee, inclusive of feedback/management responses.

Audit scope and objective

The audit included gaining an understanding of the various activities within the process, evaluating the overall control environment and testing various documents/files to provide reasonable assurance that the identified internal controls are operating as designed. Based on our developed performance audit program, the performance audit comprised the following areas:

• Maintenance of applications - procedures or mechanisms in place to ensure that changes made to existing program applications are appropriately controlled and projects for new developments are properly managed;

• Overall management of information security procedures - mechanisms in place to ensure that access to the computer and data environments are appropriately controlled, including performing security reviews to determine compliance with Tamkeen policies and procedures;

• Overall management of computer operations and procedures - procedures or mechanisms in place to ensure that the operation of the computer environment is appropriately controlled.

Summary of audit results

The purpose of the chart below is to provide Tamkeen’s senior management and audit committee with a high level summary of the overall risk levels corresponding to our audit observations.

Total number of observations: 18

• Total % of observations with a High Risk rating: 56%

• Total % of observations with a Moderate Risk rating: 33%

• Total % of observations with a Low Risk rating: 11%

The observations fall under four control areas:

Change Management: system support and control of changes to the business as usual environment to ensure integrity of systems and data.

IT Governance: framework to support effective IT decision making to achieve the organisation’s goals and objectives.

Access to Programs and Data: controls to ensure the confidentiality, integrity and availability of business critical information.

Computer Operations: ability to maintain business operations and respond to incidents and disasters in a controlled manner.

[Chart: Audit results by severity level. High 56%, Moderate 33%, Low 11%.]

Summary of observations and potential risks

Below is a summary of the key observations. Details are set out in section 3 of this report.

IT Governance

During the course of our internal audit review, we noted that the entity’s strategic plans for the Information Systems department are presently informal. Without a formal strategic IT plan the entity may not have a clear direction and focus, resulting in a lack of appropriate resources and IT being seen as a provider of ineffective solutions to business problems, impacting systems productivity and user confidence.

Also, we noted that the entity has not carried out a formal risk assessment of its IT environment. Without a formal risk assessment for the IT environment, it will be difficult for management to assess the possible impact on the organisation of a failure of a particular part.

Further, the entity has a formally documented ‘IT Policy’ that was approved in 2006. However, the policy has not been reviewed or updated since then, and no formally documented Standard Operating Procedures (SOPs) pertaining to the respective department operations exist that could ensure the smooth and consistent execution of their business activities. If not guided by appropriate policies and procedures, the department may be unaware of its responsibilities to the entity as a whole.

Furthermore, there is no formal process to provide security awareness training to the entity’s staff associated with information systems and no formal training plans are in place. In the absence of a formalised security awareness training program, the end users may intentionally or unintentionally commit a security breach.

Access to Program And Data

During the course of our audit review, we have noted that the ‘poweruser’ privilege for Microsoft Dynamics, which is the most powerful privilege on the financial system, is held by one individual in the Finance department. Also, no Access Control Matrix has been defined for the business application, and the business users have conflicting and excessive access. The fact that the ‘poweruser’ privilege is granted to a single user increases the risk of an individual having unrestricted access to the entity’s systems and data. If an Access Control Matrix is not available, it would be difficult for the management to define access levels for its employees and to control information distribution.

The user profiles are not reviewed periodically by user departmental heads to ensure that (i) users with access to data should continue to have such access and (ii) privileges granted remain appropriate. The lack of a periodic review that responds to changes in employment status can result in individuals having inappropriate or unnecessary access privileges.

We noted that audit logs are not enabled for the database. If audit trails are not enabled, changes made to the data, whether correct or incorrect, intentional or unintentional, will go undetected. Users are more likely to attempt to circumvent security policy if they know that their actions will not be recorded in an audit log.

Summary of observations and potential risks (Continued)

Change Management

We noted that no change management policy has been defined to manage changes to networks, firewalls, applications and databases. Verbal or email approvals are obtained, but no standardised procedures are being followed. The entity may be exposed to non-compliance with the IT policy, ad hoc practices, unauthorised changes going unnoticed, changes that do not meet users’ exact requirements, lack of accountability for changes made, and lack of tracking of change request status.

Computer Operations

We understand that the entity does not have a Disaster Recovery Plan for its IT department. The entity would be unable to resume its normal operations promptly resulting in potential financial losses in the event of a disaster or business interruption.

Also, during the course of our review we noted that backup tapes used to be moved offsite; however, the client has discontinued this practice. If the backup media is not moved offsite, there is a high likelihood that the backup media will be subject to the same disaster.

Section 2 – Summary of Audit Observations

The purpose of this section is to present Tamkeen’s senior management and audit committee with a high level summary of the performance audit observations that were identified during our performance audit review of the IT process. A priority level has been assigned to each observation; the detailed performance audit observations are shown in Section 3 of this report.

Ref  Observation                                    Rating    Page

IT Governance
1    Formal IT Strategy                             High      10
2    Formal Risk Assessment                         High      11
3    Review of Information Security Policy          Moderate  12
4    Standard Operating Procedures                  Moderate  13
5    Security Awareness Training                    Moderate  14
6    Documented Job Descriptions For IT Personnel   Moderate  15

Access Management – Business Application
7    ‘power-user’ Privileges                        High      16
8    Access Control Matrix                          High      17
9    Periodic Review Of Access Privileges           High      18
10   User Access Management                         Low       19

Access Management – Database
11   Audit Level                                    High      20

Access Management – Operating System
12   Default Administrative account                 High      21
13   Domain Policy                                  High      22
14   Domain User IDs Review                         Moderate  26
15   Domain Controller Security                     Low       27

Program Changes
16   Change Management                              High      28

Computer Operations
17   Absence of DCP / DR Plan                       High      29
18   Backup offsite movement                        Moderate  30

Observations layout & disclaimer

Observations

The observations were derived from discussions with concerned managers and process owners, in addition to evaluating the process flows and the representative sample selected during our course of work. Management should be aware of the inherent limitations of the results of using a sample; if the tests were expanded to 100% of the population, observation details could have differed. The recommendations listed are proposed to enhance the process and its execution. Management should assess the relevant cost to benefit formula of implementing such recommendations before deciding on doing so.

Section 3 – Detailed observations and recommendations

Observation (IT Governance)

During the course of our audit review, we noted that Tamkeen’s strategic plans for the Information Systems department are presently informal. A formally developed Information Systems Strategic plan would ensure that:

• Information Systems strategies are developed and aligned with business strategies;

• Resources are deployed efficiently and effectively; and

• The entity capitalises on the business advantages of state of the art Information Technology.

Potential risk and impact

Tamkeen currently may not have a clear direction and focus without a formal strategic IT plan resulting in lack of appropriate resources and competitive advantage. The IT organisation may not be viewed as the provider of effective solutions to business problems impacting systems productivity and user confidence.

Recommendation

Tamkeen should consider developing a formal IT strategic plan to address the technology infrastructure that is needed for successful systems, including standardisation on a set of appropriate development tools, middleware and system software. The plan should also designate development standards and policies.

Tamkeen should then consider preparing an IT architecture based on the IT strategy. However, the success of an IT strategy depends on the following:

• IT Strategy must be driven by Business Strategy: Business Strategy must be communicated, and members of the IT Group must be encouraged and supported in their stated intention of expanding their understanding of the business;

• Active participation of IT executives in the business strategy development process;

• Progress in this area will have a positive impact on IT’s understanding of user needs, and their ability to communicate these needs to the client’s management team; and

• The proposed IT strategy should be cost effective.

1 – Formal IT Strategy – High

Management Response and Remediation Plan

1- Agree, a two-year IT strategic plan has been developed/drafted and shared with the Top Management. Planning to get the plan approved by March 2016.

2- As part of the IT strategic planning activities, IT has conducted a self-situational assessment and a big part of it was on the IT decision making model and governance.

Responsible: IT Department

Due date: Q2 2016

Observation (IT Governance)

During our audit review, we observed that Tamkeen has not carried out a formal risk assessment of its IT environment.

Potential risk and impact

Without a formal risk assessment for the IT environment, it will be difficult for management to assess the possible impact on the organisation of a failure of a particular part.

Recommendation

We recommend that Tamkeen considers carrying out a risk assessment for the IT environment. A risk assessment is a model of the organisation. It breaks the organisation down into its component parts. Each of the parts is then analysed across a number of criteria to determine the dependence of the organisation on the individual part.

2 – Formal Risk Assessment – High

Management Response and Remediation Plan

1- Agree, Tamkeen has recently engaged with a subject matter expert to develop a comprehensive IT policy and operating procedures including IT threat and risk assessment. This should be ready by the end of May 2016.

2- We are planning to have an annual IT risk audit, IT penetration testing and System Source Code Review; this is all part of the IT strategic plan for 2016-2017.

Responsible: IT Department

Due date: Q2 2016

Observation (IT Governance)

During the course of our review, we noted that Tamkeen has a formally documented ‘IT Policy’ that was approved in 2006. However, the policy has not been reviewed nor updated since then.

Potential risk and impact

If the IT policy is not reviewed by the entity, it may:

• Lack accuracy, consistency and completeness; and

• Have areas for improvement but go unnoticed.

Recommendation

According to industry best practice, the information security policy should be reviewed at planned intervals, or whenever significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. A record of management reviews should be maintained and management approval should be retained for the revised policy.

Further, the documented security policy should be communicated to end users and relevant third parties, and sign-off should be obtained from them.

3 – Review of Information Security Policy – Moderate

Management Response and Remediation Plan

1- Agree, in fact we see this as a high risk area and it was clearly highlighted in the IT strategic plan for 2016-2017.

2- Tamkeen has recently engaged with a subject matter expert to develop a comprehensive IT policy and operating procedures including IT threat and risk assessment as well as a security plan. This should be ready by the end of May 2016.

Responsible: IT Department

Due date: Q2 2016

Observation (IT Governance)

During the course of our review, we noted that Tamkeen currently has a formal IT policy; however, it does not have formally documented Standard Operating Procedures (SOPs) pertaining to the respective departments’ operations that could ensure the smooth and consistent execution of their business activities.

Potential risk and impact

If not guided by appropriate procedures, the departments may be unaware of their responsibilities to the entity as a whole, leading to the following risks:

• Ad hoc practices due to lack of standardisation;

• Weak decision making;

• Lack of security controls within the entity;

• Loss of confidential information; and

• Damage and/or destruction of valuable IT information assets e.g. data, application and backups.

Further, in the absence of SOPs, departments may be exposed to the following:

• No benchmark for performance reviews, entity goals and direction;

• Lack of accountability for non-compliance with procedures; and

• Lack of consistency in performance of tasks.

Recommendation

It is recommended that procedures should be formally developed ensuring their compliance with the IT security policy. Further, SOPs should be periodically reviewed. Well-written SOPs provide direction, improve communication, reduce training time and improve work consistency.

4 – Standard Operating Procedures – Moderate

Management Response and Remediation Plan

1- Agree and work in progress (is part of the new policy and procedures manual).

2- Tamkeen has recently engaged with a subject matter expert to develop a comprehensive IT policy and operating procedures including IT threat and risk assessment as well as a security plan. This should be ready by the end of May 2016.

Responsible: IT Department

Due date: Q2 2016

Observation (IT Governance)

During our review of the IT Governance, we noted that there is no formal process to provide security awareness training to Tamkeen’s staff associated with information systems and that no formal training plans are in place.

Potential risk and impact

In the absence of a formalised security awareness training program, the end users may intentionally or unintentionally commit a security breach. Further, Tamkeen may face the following risks:

• Staff will not be aware of critical security issues such as handling security incidents, reporting requirements in case of emergency and threats including social engineering etc;

• Failure to comply with regulatory requirements may expose Tamkeen to the reputation risk and the risk of penalties from the regulatory bodies; and

• Lack of users’ accountability towards systems security.

Recommendation

It is recommended that Tamkeen develops a comprehensive security awareness training program that yields measurable results. Further, management should arrange training sessions or refresher courses on a periodic basis, to update existing and new employees about security management policies and procedures.

5 – Security Awareness Training – Moderate

Management Response and Remediation Plan

Agree. IT is working on quarter-based internal training plan for all Tamkeen staff (end of Q2 2016). Periodic training will be conducted by the IT for security and other IT topics.

Responsible: IT Department

Due date: Q2 2016

Observation (IT Governance)

Whilst lines of reporting are clearly defined in the IT Organizational Structure, we understand that Tamkeen does not have formal job descriptions for its IT personnel.

Potential risk and impact

Without formally documented job descriptions, in which roles and responsibilities will be clearly defined, it is difficult to provide management with a basis for distributing workloads to the appropriate personnel. This could result in inadequate segregation of duties.

Recommendation

We recommend that Tamkeen develops detailed job descriptions for all IT personnel, in line with the existing Organizational Chart.

6 – Documented Job Descriptions For IT Personnel – Moderate

Management Response and Remediation Plan

New JDs will be created after the plan is approved.

Responsible: IT Department

Due date: Q4 2016

Observation (Business Application)

During our audit review over business application, we have noted that the ‘power-user’ privilege for the Microsoft Dynamics, which is the most powerful privilege on the system, is held by one individual in the Finance department.

Potential risk and impact

The ‘power-user’ is the most powerful user on the system. The fact that the ‘power-user’ privilege is granted to a single user increases the risk of an individual having unrestricted access to Tamkeen’s systems and data.

Recommendation

Given the powerful nature of the ‘power-user’ privilege, it is normal practice to split the password between two senior members of staff within the relevant departments. This would prevent a single user from making unintentional or unauthorized changes to the production programs and/or data on their own.

Moreover, we recommend that the System Administrator’s activities be controlled, monitored and evidenced by a suitably qualified person, who can challenge the justifications provided by the System Administrator for its use.

7 – ‘Power-User’ Privileges – High

Management Response and Remediation Plan

Finance & Accounting department’s response: Currently we have only one Manager in Finance - Corporate; this will be implemented after appointing a Director and CCS.

Responsible: IT & Finance Departments

Due date: Q4 2016


Observation (Business Application)

During the course of our review of the user access profiles for Microsoft Dynamics, we noted that no Access Control Matrix has been defined for the business application and that business users have conflicting and excessive access.

Potential risk and impact

An Access Control Matrix (ACM) defines the level of access for every individual in the organization. Without an ACM, it is difficult for management to define access levels for its employees and to control the distribution of information.

Recommendation

Management should consider developing an ACM which defines specific roles for end users.

An Access Control Matrix should be a table that maps the permissions of end users to act upon a set of privileges within a system. The matrix should be a two-dimensional table with users down the columns and privileges across the rows.

8 – Access Control Matrix – High

Management Response and Remediation Plan

Finance & Accounting department’s response: Agree and will create the Access Control Matrix although the access rights are defined in the system for each class of users.

Responsible: IT & Finance Departments

Due date: Q3 2016


Observation (Business Application)

During the course of our audit review, we noted that user profiles are not reviewed periodically by departmental heads to ensure that (i) users with access to data should continue to have such access and (ii) the privileges granted remain appropriate.

Potential risk and impact

As individuals transfer or leave the company, their needs for access to information in the system may change. The lack of periodic review that responds to these changes in employment status can result in individuals having inappropriate or unnecessary access privileges.

Recommendation

Users’ access capabilities should be reviewed periodically by the departmental heads to ensure these are current and appropriate for the job. Apparent conflicts should be investigated and amended immediately.

When staff leave or are transferred, the personnel department should notify IT so that access privileges are promptly removed.

We recommend that a report listing users’ profiles and access be generated from the system and reviewed by the department heads on a periodic basis.
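As an added illustration (not part of the audit report or of Tamkeen's systems), the following PowerShell builds the two-dimensional users-by-privileges matrix described under finding 8, checks each user's entitlements against role definitions for excessive access and segregation-of-duties conflicts, and writes the listing a department head would review under finding 9. All user names, departments, roles, privileges and conflict pairs are constructed sample values.

```powershell
# Added example, not from the report. Sample data below is constructed.

# Role-based entitlements: the privileges each role is allowed to hold.
$RolePrivileges = @{
    'AP Clerk'      = @('Enter Invoice', 'Maintain Vendor')
    'AP Supervisor' = @('Approve Invoice', 'Release Payment')
    'GL Accountant' = @('Post Journal', 'Run Financial Reports')
    'Report Viewer' = @('Run Financial Reports')
}

# Privilege pairs that one person should never hold together (constructed).
$ConflictPairs = @(
    @('Maintain Vendor', 'Release Payment'),
    @('Enter Invoice',   'Approve Invoice'),
    @('Post Journal',    'Approve Invoice')
)

# Entitlements as actually configured in the application (constructed sample;
# in practice this is an export of the application's user security report).
$UserAssignments = @(
    [pscustomobject]@{ User='aali';   Department='Finance'; Role='AP Clerk';      Privileges=@('Enter Invoice', 'Maintain Vendor', 'Release Payment') }
    [pscustomobject]@{ User='bhasan'; Department='Finance'; Role='AP Supervisor'; Privileges=@('Approve Invoice', 'Release Payment') }
    [pscustomobject]@{ User='cnoor';  Department='HR';      Role='Report Viewer'; Privileges=@('Run Financial Reports', 'Post Journal') }
)

function Get-AccessControlMatrix {
    # Returns one row per privilege with a column per user ('Y' = granted):
    # the two-dimensional matrix the recommendation describes.
    param([object[]]$Assignments)
    $allPrivileges = $Assignments.Privileges | Sort-Object -Unique
    foreach ($priv in $allPrivileges) {
        $row = [ordered]@{ Privilege = $priv }
        foreach ($a in $Assignments) {
            $row[$a.User] = if ($a.Privileges -contains $priv) { 'Y' } else { '' }
        }
        [pscustomobject]$row
    }
}

function Get-AccessReviewFindings {
    # Flags (1) privileges outside the user's role (excessive access) and
    # (2) conflicting privilege pairs held by one person (SoD conflict).
    param([object[]]$Assignments, [hashtable]$Roles, [object[]]$Conflicts)
    foreach ($a in $Assignments) {
        $allowed = $Roles[$a.Role]
        foreach ($p in $a.Privileges) {
            if ($allowed -notcontains $p) {
                [pscustomobject]@{ User=$a.User; Department=$a.Department; Finding='Excessive access'; Detail="$p is not part of role '$($a.Role)'" }
            }
        }
        foreach ($pair in $Conflicts) {
            if (($a.Privileges -contains $pair[0]) -and ($a.Privileges -contains $pair[1])) {
                [pscustomobject]@{ User=$a.User; Department=$a.Department; Finding='SoD conflict'; Detail="$($pair[0]) + $($pair[1])" }
            }
        }
    }
}

# The matrix itself, on screen and as a CSV for the department head's sign-off.
Get-AccessControlMatrix -Assignments $UserAssignments | Format-Table -AutoSize
Get-AccessControlMatrix -Assignments $UserAssignments | Export-Csv -Path '.\acm-review.csv' -NoTypeInformation

# Exceptions to investigate and amend before sign-off. With the sample data:
# aali  - Excessive access (Release Payment) and SoD conflict (Maintain Vendor + Release Payment)
# cnoor - Excessive access (Post Journal)
Get-AccessReviewFindings -Assignments $UserAssignments -Roles $RolePrivileges -Conflicts $ConflictPairs |
    Format-Table -AutoSize
```

Re-running the script after each quarter's export and diffing the two CSVs gives the reviewer the changes since the last review rather than the whole matrix.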

9 – Periodic Review of Access Privileges – High

Management Response and Remediation Plan

Finance & Accounting department’s response: Agree, this was not implemented earlier due to the small number of staff in the Finance department.

Responsible: IT & Finance Departments

Due date: Q3 2016


Observation (Business Application)

During the course of our review, we noted that a formal registration and de-registration process exists, through the help desk system, for users requiring access to Tamkeen systems. However, we noted instances where certain requests were handled through emails and user access forms instead.

Potential risk and impact

If a formal access request process is not defined and followed, the following risks may arise:

• Segregation of duties may not be accounted for;

• Changes made to the user ID cannot be accounted for;

• In the absence of user ID information, responsibility for malicious events cannot be established; and

• Ad hoc practices due to lack of standardization.

Recommendation

It is recommended that management ensure that formal procedures for user access management are adhered to, so that:

• A proper record is maintained for all users accessing Tamkeen’s systems; and

• All changes made to the user IDs are accounted for.

Moreover, it is prudent that a gap analysis of the policies be conducted against a recognised framework such as ITIL, COBIT or ISO 27001 to identify and rectify any gaps.

10 – User Access Management – Low

Management Response and Remediation Plan

The IT ticketing system was implemented in June 2015; requests before that date were entertained through emails. All requests are now required to go through the ticketing system.

Responsible: IT department

Due date: Implemented


Observation (Database)

During the course of our audit review, we noted that the audit logs are not enabled.

Potential risk and impact

If audit trails are not enabled, changes made to the data, whether correct or incorrect, intentional or unintentional, will go undetected. Users are more likely to attempt to circumvent security policy if they know that their actions will not be recorded in an audit log.

Moreover, unavailability of audit trails may lead to:

• Non-compliance with regulatory or internal requirements; and

• Difficulty in tracing data corruption back to its origin.

Recommendation

It is recommended to configure the audit logs, since audit trails provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on or from a computer system), intrusion detection, and problem analysis.

11 – Audit Level – High

Management Response and Remediation Plan

Finance & Accounting department’s response: Agree, will activate the audit log although it will slow the system. Currently the system captures the audit trail of transactions, each transaction’s last user, and a record of “posted by” for all transactions.

IT department’s response: IT advised the Finance Department to enable the activity tracking log on the GP system so that all logs are captured.

Responsible: IT & Finance departments

Due date: Q3 2016


Observation (Operating System)

During the course of our review, we noted that the value of the ‘Rename administrator account’ policy is set to ‘Administrator’ on the domain server.

Potential risk and impact

The built-in Administrator account cannot be locked out, regardless of how many times an attacker uses a bad password. This makes the Administrator account a popular target for brute-force and dictionary attacks that attempt to guess passwords.

Recommendation

It is recommended to rename this account so that it becomes slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

12 – Default Administrative Account – High

Management Response and Remediation Plan

The administration account is not used in Tamkeen; however, this has been implemented and action was taken to change the administrator account name.

Responsible: IT department

Due date: Implemented


Observation (Operating System)

During the course of our review, we noted that the values of the following domain policy parameters are not appropriately configured on the domain server:

Policy                                          Security setting
Enforce password history                        5 passwords remembered
Maximum password age                            60 days
Minimum password age                            0 days
Minimum password length                         6 characters
Passwords must meet complexity requirements     Disabled
Store passwords using reversible encryption     Disabled
Account Lockout Duration                        Not defined
Account Lockout Threshold                       0 invalid attempts
Reset Account Lockout After                     Not defined
Audit account logon events                      Success
Audit account management                        Success, Failure
Audit policy change                             Success
Audit privilege use                             No auditing
Audit object access                             No auditing
Audit logon events                              Success
Audit system events                             Success

Potential risk and impact

There are several types of password attacks that can be used to exploit weak password configurations. If the same passwords are reused repeatedly, the chances are greater that an attacker will be able to determine a password through brute-force or password-guessing attacks. Similarly, short passwords, or passwords that do not contain a wide range of characters, are extremely easy to crack with publicly available utilities.

Further, auditing user activities is an essential complement to account administration. If logon events are not audited, it is not possible to detect whether someone has attempted to break into the system, succeeded in adding an account, or escalated privileges from a less privileged ID. According to best practice, a log of security-related events should be maintained that either warns of, or provides post-incident evidence of, attacks or misuse of account privileges, on company-owned client systems as well as servers.

13 – Domain Policy – High


Recommendation

It is recommended that password strength reflect the environment in which the system is deployed and the threats it is likely to face. Password policies are usually a trade-off between theoretical security and the practicalities of human behaviour.

Further, it is recommended to enable the audit policy settings. It needs to be determined whether or not to audit each account management event on a computer. Examples of account management events include the following:

• A user account or group is created, changed, or deleted;

• A user account is renamed, disabled, or enabled; and

• A password is set or changed.

It is also recommended to enable prudent audit policy settings for all computers, as the business requires, so that users can be held accountable for their actions and unauthorized activity can be detected and tracked. Management should define procedures and implement them accordingly. The best-practice settings are set out in the table that follows.

13 – Domain Policy – High (Continued)

Recommendation (continued)

Policy / Security setting / Why?

Enforce password history: 24 passwords remembered
    Why: Preventing users from re-using passwords and "root" information of previous passwords (e.g., piscitello1234, piscitello1235)

Maximum password age: 42-90 days
    Why: Passwords should be changed with reasonable frequency

Minimum password age: 1 day
    Why: Prevents users from cycling through the 24 passwords remembered so they can re-use their favourite password

Minimum password length: 8-12 characters
    Why: 8 is an acceptable minimum for users, but 12 is preferred for privileged (e.g., administrator) accounts

Passwords must meet complexity requirements: Enabled
    Why: Users must create passwords using upper and lowercase alphabetic characters, numbers, and special characters to make passwords difficult to crack.

Store passwords using reversible encryption: Disabled
    Why: This setting causes passwords to be stored as a one-way hash. Passwords can't be derived from the hash.

Account Lockout Duration: 15 minutes
    Why: If your Account Lockout Duration says "Not applicable," it's because you haven't set the Account Lockout Threshold yet. Enter a number greater than zero in Account Lockout Threshold, then you can set the Duration.

Account Lockout Threshold: 3 bad login attempts

Reset Account Lockout After: 15 minutes

Audit account logon events: Success, Failure
    Why: Records the result of every logon attempt using domain logon credentials

Audit account management: Success, Failure
    Why: Records attempts to create, rename, enable, or disable users and groups and account passwords

Audit policy change: Failure only, or Success and Failure
    Why: Records attempts to modify the audit policy and other security settings you've made

Audit privilege use: Failure only, or Success and Failure
    Why: Records each time a user invokes a "privileged" operation on the system, such as a Backup or Restore operation.

Audit object access: Failure only, or Success and Failure
    Why: Use this in conjunction with security properties you set on individual files and folders to record user attempts to access those "objects"

Audit logon events: Success, Failure
    Why: Records the result of every logon attempt using local logon credentials

Audit system events: Success and Failure
    Why: Records system shutdown and restart events, log full events, and other events that have system-wide significance.
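As an added example (not part of the report), the following PowerShell reads the domain's effective password and lockout policy with the ActiveDirectory module (RSAT) and reports every deviation from the baseline in the table above. The numeric bounds encode that table; listing fine-grained password policies and printing the audit policy for manual comparison are additions for completeness.

```powershell
# Added example, not from the report. Requires the ActiveDirectory module and
# read access to the domain password policy.
Import-Module ActiveDirectory

# Baseline from the recommended settings above. Min/Max give the acceptable
# range (Max = $null means "at least Min"); boolean settings use Expected.
$Baseline = @(
    @{ Name='Enforce password history';                 Property='PasswordHistoryCount';        Min=24; Max=$null }
    @{ Name='Maximum password age (days)';              Property='MaxPasswordAge';              Min=42; Max=90 }
    @{ Name='Minimum password age (days)';              Property='MinPasswordAge';              Min=1;  Max=$null }
    @{ Name='Minimum password length';                  Property='MinPasswordLength';           Min=8;  Max=$null }
    @{ Name='Passwords must meet complexity';           Property='ComplexityEnabled';           Expected=$true }
    @{ Name='Store passwords using reversible encryption'; Property='ReversibleEncryptionEnabled'; Expected=$false }
    @{ Name='Account lockout duration (minutes)';       Property='LockoutDuration';             Min=15; Max=$null }
    @{ Name='Account lockout threshold (attempts)';     Property='LockoutThreshold';            Min=1;  Max=3 }
    @{ Name='Reset account lockout after (minutes)';    Property='LockoutObservationWindow';    Min=15; Max=$null }
)

function ConvertTo-PolicyNumber {
    # The cmdlets return TimeSpans for ages and lockout timers; normalise them
    # to days (password ages) or minutes (lockout timers) so they compare to the table.
    param($Value, [string]$Property)
    if ($Value -is [TimeSpan]) {
        if ($Property -like '*PasswordAge') { return [math]::Round($Value.TotalDays, 2) }
        return [math]::Round($Value.TotalMinutes, 2)
    }
    return $Value
}

function Compare-DomainPasswordPolicy {
    # One row per baseline setting: current value, expected value and OK/DEVIATION.
    param($Policy, [object[]]$Baseline)
    foreach ($b in $Baseline) {
        $actual = ConvertTo-PolicyNumber -Value $Policy.($b.Property) -Property $b.Property
        if ($actual -is [bool]) {
            $ok = ($actual -eq $b.Expected)
            $expectedText = "$($b.Expected)"
        } else {
            $ok = ($actual -ge $b.Min) -and (($null -eq $b.Max) -or ($actual -le $b.Max))
            $expectedText = if ($null -eq $b.Max) { "$($b.Min) or more" } else { "$($b.Min)-$($b.Max)" }
        }
        $status = if ($ok) { 'OK' } else { 'DEVIATION' }
        [pscustomobject]@{ Setting=$b.Name; Current=$actual; Expected=$expectedText; Status=$status }
    }
}

# Default domain policy (what the observation's table was taken from).
Write-Host '--- Default domain password policy ---'
Compare-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline |
    Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so each one must meet the same baseline.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Write-Host "--- PSO: $($_.Name) (precedence $($_.Precedence)) ---"
    Compare-DomainPasswordPolicy -Policy $_ -Baseline $Baseline | Format-Table -AutoSize
}

# Audit settings are not exposed by these cmdlets; print the effective audit
# policy of this machine for manual comparison with the audit rows above.
auditpol /get /category:*
```

Run it on a domain controller (or any domain-joined host with RSAT) and keep the output with the review working papers; a row marked DEVIATION maps directly to a line in the table above.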

Management Response and Remediation Plan

Some of the Microsoft best practices were implemented for 3 years; however, they caused some complications for the users. IT plans to re-implement some of the best practices again.

Responsible: IT department

Due date: Q3 2016


Observation (Operating System)

During our review of the security settings of the active directory, we noted the following:

- (74) users have ‘password never expires’ set to ‘yes’
- (15) accounts have never logged in and are active
- (30) accounts have not logged in for more than 60 days and are active

Potential risk and impact

There are several types of password attacks that can be used to exploit weak password configurations. If the same passwords are reused repeatedly, the chances are greater that an attacker will be able to determine a password through brute-force or password-guessing attacks.

Further, dormant user accounts may be used to gain inappropriate access to the system, which may lead to unauthorized data changes or data leakage.

Recommendation

We recommend that Tamkeen undertakes a review of user access to ensure that:

• Password settings reflect the environment in which the system is deployed and the threats it is likely to face; and

• Password settings and parameters abide by the IT policies defined and approved by management.

Also, management should define a process to review dormant and inactive accounts on a periodic basis and, where required, delete them or revoke their access rights, especially those with privileged access.
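As an added example (not from the report), this PowerShell reproduces the three checks in the observation above against Active Directory and marks members of privileged groups so that they are reviewed first. The 60-day threshold matches the observation; the list of privileged groups and the output file name are assumptions.

```powershell
# Added example, not from the report. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveDays     = 60                                                  # from the observation
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption

function Get-DomainUserReview {
    param([int]$InactiveDays, [string[]]$PrivilegedGroups)

    # Resolve privileged group membership once; -Recursive follows nested groups.
    $privileged = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
    }
    $privileged = $privileged | Sort-Object -Unique
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with a
    # lag of up to 14 days, so treat it as approximate, not as the exact last logon.
    $users = Get-ADUser -Filter * -Properties PasswordNeverExpires, LastLogonDate, Enabled, whenCreated

    foreach ($u in $users) {
        $flags = @()
        if ($u.PasswordNeverExpires)                                      { $flags += 'PasswordNeverExpires' }
        if ($u.Enabled -and -not $u.LastLogonDate)                         { $flags += 'NeverLoggedIn' }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $flags += "Inactive>$($InactiveDays)d" }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                Privileged     = ($privileged -contains $u.SamAccountName)
                LastLogonDate  = $u.LastLogonDate
                Created        = $u.whenCreated
                Findings       = ($flags -join ', ')
            }
        }
    }
}

$review = Get-DomainUserReview -InactiveDays $InactiveDays -PrivilegedGroups $PrivilegedGroups

# Headline counts in the same shape as the observation.
'{0} users with password never expires'       -f @($review | Where-Object Findings -match 'PasswordNeverExpires').Count
'{0} active accounts that never logged in'    -f @($review | Where-Object Findings -match 'NeverLoggedIn').Count
'{0} active accounts inactive for > {1} days' -f @($review | Where-Object Findings -match 'Inactive').Count, $InactiveDays

# Privileged accounts first, then the rest, for the periodic review sign-off.
$review |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, SamAccountName |
    Export-Csv -Path '.\domain-user-review.csv' -NoTypeInformation
```

Accounts that legitimately keep a non-expiring password (service accounts, or the Board members mentioned in the management response) should be recorded as approved exceptions in the review file rather than silently excluded from the query.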

14 – Domain User IDs Review – Moderate

Management Response and Remediation Plan

- Some of the users are Board Members.
- Agree and implemented for some of the users other than the Board Members.

Responsible: IT department

Due date: Q2 2016


Observation (Operating System)

During the course of our audit review, we noted that Tamkeen’s primary domain controller is not patched with the latest security updates released by the vendor.

Potential risk and impact

Updates and patches to existing software are intended to improve security and to enhance or add features to the product. Without applying the latest patches and service packs released by the vendor, there is a risk that known security weaknesses already addressed by the vendor remain present in the systems.

Recommendation

It is recommended to update the domain controller server with the latest service pack and hot-fixes released by the vendor.

15 – Domain Controller Security – Low

Management Response and Remediation Plan

Agree, both DCs have been updated with the latest patches and hot fixes. In fact, IT has in place a solution called Network Admission Controller, where no computer is able to access the IT resources if the system is not updated, but this has been stopped temporarily for upgrade purposes. It will be reactivated at the end of March 2016.

Responsible: IT department

Due date: Q1 2016


Observation (Program Changes)

During our audit review of program changes, we noted that Tamkeen currently has no change management policy defined to manage changes to networks, firewalls, applications and databases. Verbal or email approvals are obtained, but no standardized procedures are followed.

Potential risk and impact

The entity may be exposed to the following risks:

• Non-compliance with IT policy;

• Ad hoc practices;

• Unauthorized changes going unnoticed;

• Changes not meeting users’ exact requirements;

• Lack of accountability for changes made; and

• Lack of tracking of change request status.

Recommendation

It is recommended that management ensure that proper change management procedures are implemented and effectively followed for every change request. Further, proper logs should be maintained for all change requests. This policy should cover all aspects of change management and controls, including:

• Detailing of the changes required;

• Approval of the changes required;

• Solution design;

• Time estimation;

• Acceptance testing;

• Version control; and

• Emergency changes.

16 – Change Management – High

Management Response and Remediation Plan

Agree, this will be ready by Q4 2016. This also was clearly highlighted in the IT assessment for the strategic plan 2016-2017.

Responsible: IT department

Due date: Q4 2016


Observation (Computer Operations)

During our audit review and through inquiries with the respective process owner, we noted that Tamkeen does not currently have a Disaster Recovery Plan for its IT department.

Potential risk and impact

In the event of a disaster or business interruption, Tamkeen would be unable to resume its normal operations promptly, resulting in potential financial losses.

Recommendation

A successful Business Continuity Plan should address all critical business functions and activities within Tamkeen. Plans and procedures necessary to maintain the operations of different departments in the event of different types of contingencies should be developed based on an evaluation of critical functions and their dependence on the data processing function.

An analysis of this type would require participation by a team representing many different functions within the entity, as well as an overall co-ordinator responsible for the contingency planning effort. This team should undertake tasks such as:

• The development of contingency planning procedures, including the identification of key functions, in conjunction with user departments;

• The identification of how those functions will be carried out in the event of a disaster;

• The identification, and off-site storage, of the back-up records and procedures critical to key functions; and

• Establishing how long important functions could be performed manually before the absence of automated processing capabilities has a significant impact.

Once the capacity and timing requirements for recovering the different operations have been established by the review of critical functions, the data processing portion of the business continuity plan can be developed.

Additionally, to be effective, the plan should be periodically tested. Significant improvements may be made in a business continuity plan based on test results and situations experienced during tests. Tests also help ensure that personnel are aware of their duties and responsibilities in the event of a disaster.

17 – Absence of DCP / DR Plan – High

Management Response and Remediation Plan

1. Tamkeen data is being replicated using a Microsoft cloud-based DR solution.
2. The IT Department has recently released an RFP to engage a consultant to develop a Business Continuity Plan / Disaster Recovery Plan. The Tamkeen IT department plans to have the BCP ready by Q3 2016.

Responsible: IT department

Due date: Q3 2016


Observation (Computer Operations)

During the course of our review, we noted that backup tapes were previously moved offsite; however, Tamkeen has discontinued this practice.

Potential risk and impact

If the backup media is not moved offsite, there is a high likelihood that it will be subject to the same disaster as the primary site.

Recommendation

The backup facility should be located far enough from the primary site that the same disaster cannot affect both locations. Additionally, packaging should be sufficient to protect the contents from physical damage, such as:

• Exposure to heat, moisture or electromagnetic fields; and

• Use of locked containers.

18 – Backup Offsite Movement – Moderate

Management Response and Remediation Plan

Agree. Tamkeen IT used to move its backup tapes on a weekly basis to the Amwaj DR site, but the rent contract for this site has been cancelled. This is already included in the existing backup policy and procedure and will be included in the new policy as well. Tamkeen IT will resume this activity immediately by moving the backup tapes to the Tamkeen Computer Room in Seef Mall (starting Sunday 28/2/2016).

Responsible: IT department

Due date: Implemented


Limitations and Responsibilities

Limitations inherent to the internal auditor’s work

We have undertaken the review associated with evaluating the existing controls within Tamkeen’s ITGC process, subject to the limitations outlined below:

Internal control

Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances. The observations raised within this report result from conducting our audit within the limited time of each audit. The observations were raised based on a risk-based audit approach, where the focus was to highlight observations to the Tamkeen Audit Committee based on the risk exposure of the department or function. Action plans and deadlines were committed by Tamkeen management process owners based on agreement on the raised observations.

The work we performed did not constitute a review in accordance with generally accepted auditing standards or attestation standards. Accordingly, we do not provide an opinion, attestation or other form of assurance with respect to our work.

Future periods

Our assessment of controls relating to this Internal Audit review is for the period from 01 January 2011 to 31 December 2014. Historic evaluation of effectiveness is not relevant to future periods due to the risk that:

• the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or

• the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

Although we did not plan and perform our work with the objective of preventing or discovering fraud or misrepresentation by Tamkeen, it is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance, and to prevent and detect irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, performance audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

Accordingly, our examinations as performance auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.


Disclaimer

This report has been prepared in accordance with our Agreement and Agreement Terms and Conditions with Tamkeen dated 30 June 2018, and has been prepared for Tamkeen only and not for any other purpose. To the extent permitted by law, PricewaterhouseCoopers M.E. Limited does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the Agreement for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers M.E. Limited at its sole discretion in writing in advance. Accordingly, regardless of the form of action, whether in contract or otherwise, and to the extent permitted by applicable law, PricewaterhouseCoopers M.E. Limited accepts no liability of any kind and disclaims all responsibility for the consequences of any person acting or refraining to act in reliance on the contents of this report or for any decisions made or not made which are based upon the contents of this report.

“PricewaterhouseCoopers” refers to PricewaterhouseCoopers (a partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

© 2016 PricewaterhouseCoopers. All rights reserved.


pwc.com/middle-east

PwC firms provide industry-focused assurance, tax and advisory services to enhance value for their clients. More than 203,000 people in 157 countries in firms across the PwC network share their thinking, experience and solutions to develop fresh perspectives and practical advice. See pwc.com for more information.

“PwC” is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.

PwC in the Middle East

Established in the region for over 45 years, PwC has offices in 12 countries: Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Oman, Palestine, Qatar, Saudi Arabia and the United Arab Emirates, with around 3,000 people.

Complementing our depth of industry expertise and breadth of skills is our sound knowledge of local business environments across the Middle East.

www.pwc.com/middle-east
