Asset Assessment and E-Commerce - Essay Example

Summary
The focus of this paper is to manifest changes in information technology standards, processes, and practices in safeguarding the company assets of NIRA Ltd. The paper also investigates all information systems, software applications, hardware, servers, and networks controlled by NIRA Ltd…
Asset Assessment and E-Commerce

Assessment Report Summary

Purpose

NIRA Ltd desired to invest in e-commerce for highly competitive markets. NIRA Ltd requested an evaluation and assessment of its assets before transforming its traditional Website into an e-commerce site. Based on the audit outcome, a secured e-commerce site will be developed.

Scope of the Audit

The auditor [is responsible] to plan and perform audit to obtain reasonable assurance … whether the financial statements are free of material misstatement, [or] caused by error … [or] fraud (SAS No. 1; Schwartz cited in CPA Journal, 1998). Ensuring the availability, integrity and confidentiality of information, assets and infrastructure requires attention to many types of threats and vulnerabilities … (Sullivan, 2006, p. 10).

Details of Audit Plan

Any organisation faces many risks [;] the starting point is to … list … what are collectively seen as the most significant risks (Frigo and Anderson, 2011, p.4). The Sarbanes-Oxley Act (2002) 404 identified significant business risks and preventative controls [to protect the business and clients].

Audit location: Same as the company address given in chart one.
Audit Reference: The audit checklist and information regarding the company will be used to perform the audit.
Audit Tools: Excel and Belarc Advisor will be used to tally audit results.

The Audit Checklist

Audit Date:
Name of Auditor(s):

| Description | Documented Evidence | Observation |
|---|---|---|
| CONTROL ENVIRONMENT | | |
| Governance and Leadership | | |
| Approved governance and leadership responsibility for assets and software approved | Minutes of meetings and documented assets including software approval | |
| Annual review of software rules and regulations | Policies and procedures; documented yearly internal audit reports | |
| Identified risks assessment and management methodologies documented, updated, and approved by governance include the following risks: | Policies and procedures; documented yearly internal audit reports | |
| 1. compliance of regulations | | |
| 2. compliance of licensing | | |
| 3. operation interruptions due to insufficient system asset management | | |
| 4. over spending on IT products | | |
| 5. resulting from operation of other branches | | |
| Delineation of Authorities and Responsibilities | | |
| Roles defined and responsibilities delineated for: | Asset Management manual and strategic plans, roles and responsibilities specified in the job description | |
| Overall fixed asset officer: | | |
| 1. planning and overseeing of system asset management | | |
| 2. involving in the implementation of asset management plan | | |
| 3. taking action of defective or obsolete assets | | |
| Hardware and software custodians (as related): | | |
| 1. obtaining resources | | |
| 2. performing functions | | |
| 3. documenting and maintaining records | | |
| 4. deployment and controls | | |
| 5. managing contract agreements, internal and external customers’ relationships | | |
| Organization-wide communication of the specified responsibilities | Minutes of meetings, e-mails, posting in bulletin board | |
| Policies and Procedures | | |
| Availability of policy and procedure development, periodic review, approvals, issuance, and control | Approved policy and documented implementation | |
| Documented policies including: | Review of policies and documents on implementation | |
| 1. Employees and leadership responsibilities on software and hardware in use | | |
| 2. limitations on the use of assets and software for personal use | | |
| 3. compliance to legal and regulatory requirements, propriety and protection of data | | |
| 4. asset acquisition | | |
| 5. approval on installation and use of software | | |
| 6. consequences of violating the policies | | |
| Organization-wide communication of policies including: | Publications through the e-mails, system database for manuals, adding to the code of conduct, e-mailing and minutes of meeting | |
| 1. newly joined employees during orientation period | | |
| 2. continuing annually through in-house trainings | | |
| 3. signing on acknowledgement | | |
| 4. accessible to all anytime needed | | |
| MANAGEMENT OF ASSETS INVENTORY | | |
| Identification of Software | | |
| Asset inventory database including asset description, locations, quantity and valuations | Asset inventory registers | |
| Inventory of Software Assets | | |
| Inventory management and storekeeping include: | Approved policy and procedure, documentations; access to computer logs | |
| 1. unauthorized access, alteration and corruption | | |
| 2. data recovery | | |
| Physical presence of inventories on: | Inventories, including package versions, update/patch status of software, platforms, master copies, hard copies and contract soft copies | |
| 1. platforms to install and run the software assets | | |
| 2. licensed software in use and held | | |
| 3. software releases | | |
| 4. contracts related to software assets | | |
| Description of inventory reports include identification, use and data source as in identification of software | Hard copies of reports | |
| Control of Software | | |
| Changes to software and hardware are documented and considered in audit tracking | Documentation to include changes in location, version, custodianship and status | |
| Development, maintenance and management of software versions and releases are supported with approved policies and procedures. | Check existence of related policy and procedures | |
| Security and Safety | | |
| Approved policy on access and security limitations to storage of software and back ups | Physical check of storage kept locked and back up in separate fully secured building | |
| Evidence of controls implemented in practice | Registers and access logs | |

Rating Scales: 0 = non-compliant; 1 = Partially Met; 2 = Fully Met

Corrective Action/Improvement Suggestions Raised:
No. Details

Auditor: Signature:
Responsible Manager: Signature:

Source: Template Audit Checklist Based on ISO19770-1

Information system audit items are built in from the Belarc Advisor, with results automatically generated by the system itself.
Asset Evaluation

Evaluation is ‘… systematic acquisition and assessment of information to provide useful feedback [regarding an] object’ (Trochim, 2006). Current cost is the amount that a business would have to pay to acquire an asset of equal value (Chiat, 2011). The current [amount] of ‘detailed accounts are the management’s reference in planning, controlling, and decision-makings’ (Chiat, 2011). NIRA Ltd's decision on investing in e-commerce depends upon the current asset values.

An analysis of the comparative balance sheet and variances was conducted, with findings reflected in chart three. Analysis of accounts showed positive [an increase] or negative [a decrease] in values. The analysis covers a two-year period (2009 and 2010).

Cash in bank showed a 42% decrease in 2009 and a 59% increase in 2010. The decrease in 2009 indicates fewer collections of receivables or less cash sales. The increase in 2010 indicates good collection of receivables and increased cash sales. There is a decrease of other assets (two percent in 2009 and eight percent in 2010). This indicates collection of accounts receivable from the clients, which also increased cash in 2010. Long term assets increased to 18% in 2009 and decreased by 18% in 2010. This indicates asset acquisitions in 2009 to replace fully depreciated assets for disposal or write off in 2010. Liabilities decreased to eight percent in 2009 and zero percent in 2010. The company must have paid debts in 2009 and made no payment in 2010. The stock decreased by two percent in 2009, which signifies stock sales, and the increase in 2010 indicates stock acquisition. The company’s net worth decreased by six percent in 2009 and two percent in 2010. The outcomes resulted from operational losses as reflected in the retained earnings for 2009 and 2010.

NIRA Ltd Information System Security Policy

1. Purpose

To manifest changes in information technology standards, processes and practices in safeguarding the company assets of NIRA Ltd.

2. Scope

All information systems, software applications, hardware, servers, networks and propriety owned and controlled by NIRA Ltd. The scope includes policies on privacy, liability, responsibilities and accountability, e-mailing, propriety, monitoring and ethical behaviour.

3. Policy Statements

Respect to Privacy and Confidentiality

NIRA Ltd has the right to keep track of, and keep copies of, employees’ logs of usage of computers, software and other propriety resources. Monitoring includes e-mails, Internet access, files, logins and changes to levels of access. Employees shall not expect privacy when using company-owned technology resources.

Accountability and Liability in General

NIRA Ltd shall not be liable for damages caused by the employee arising from the use of company-owned technology resources. Use of company-owned resources is a privilege granted to an employee to run official work, which is subject to policies requiring adherence thereto.

Employees Accountability and Responsibilities

Consistent with accountability and liability in general, employees own the events recorded under their end-user passwords and are accountable for their use and misuse. Employees shall be responsible to:

- access and release only information for which they are authorized
- be aware of all policies and governing laws (local or international) that apply to the computer system and adhere to them
- report violations of information security to the designated officer and cooperate during the investigation procedures
- safeguard assigned passwords and other access keys from disclosure to anyone
- secure confidential printed data, reports, magnetic or electronic media and storage protocols in approved storage or containers and dispose of items in accordance with the NIRA Ltd records disposal policy
- log off from the system or use a password protected screensaver when leaving the work station
- use only NIRA Ltd acquired and licensed software
- attend information security training as required
- follow security and safety rules and regulations
- send information outside the organization only with written permission from higher management

Electronic Mail (E-Mail) Policy

NIRA Ltd provides employees with guidelines on allowed use of the e-mail service for incoming and outgoing electronic communication through company-owned technology devices that can send and receive e-mails. E-mails sent by mistake to an employee shall be routed to the appropriate addressee while adhering to respect to confidentiality.

Monitoring

NIRA Ltd monitors all activities related to information technology. The monitoring process includes collection of statistical data to ensure availability and reliability of information systems.

Ethical Behaviour and Responsible Use

NIRA Ltd provides its employees with e-mail systems to facilitate communications and conduct work activities. Employees shall adhere to acceptable behaviour in dealing with e-mails.

The Ethical (Acceptable) Behaviours (Miles, 2001):

- Subject of communications and exchanges is directly related to NIRA Ltd's mission and tasks.
- Notifying employees of company approved events, rules and regulations, policies and procedures, and other relevant notices.
- Respecting the use of copyrights and licenses that are protected by law and copyrights.
- Maintaining memory spaces by deleting old obsolete messages.

The Unethical (Unacceptable) Behaviours (Miles, 2001):

- Violation of NIRA Ltd rules and regulations.
- Publishing or transmitting false information and inaccurate data.
- Using obscene, profane, sexually oriented language in e-mails.
- Threatening the receiver.
- Racially offending or discriminating against the other party in the communication.
- Revealing passwords to others.
- Using company technology resources for personal interest.
- Deliberately allocating, creating, or executing software causing harm to NIRA Ltd information technology.
- Reading, viewing, relaying e-mails not addressed to the employee or being an accessory to such actions.
- Accessing non-company e-mail systems (e.g. Gmail, Yahoo!) for personal use.

4.0 Process

The process of implementation shall include but not be limited to the following:

- Provision of computer sets and password issuance to end-users
- Implementation of accountability and responsibilities
- Monitoring, data collection, statistical analysis
- Detection of usage, misuse, and violations
- Assessment of risks

5.0 Enforcement

An employee caught violating this policy is subject to disciplinary action including termination of services, in extreme cases.

6.0 Definitions

| Terms | Definitions |
|---|---|
| Information System | As defined by Business Dictionary.com, an information system is a combination of hardware, software, infrastructure, and trained personnel organized to facilitate planning, control, coordination, and decision making in an organization. |
| Information Security | As defined by Business Dictionary.com, information security is safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity. |

7.0 Revision History

None

Approvals:

Source: Sato, Miles M., 2011, HIPAA Security Policy Development: A Collaborative Approach, viewed 9 November, 2011, http://www.sans.org/infosecFAQ/policy/HIPAA_policy.htm.

Carrying out of risk assessment (Audit)

Risk evaluation ‘involves the establishment’ of … qualitative or quantitative relationship between risks and benefits, involving … ‘complex process of determining the significance of [inherent] risks …’ (Parker, 2005). Computer fraud and abuse can have [negative] effect on an organization (Barclay, 1989, p.3). ‘Computer Assisted Audit Techniques (CAATS) is an important tool’ [in auditing within the computer] (Computer Assisted Audit Group, 2006, p. 3). Belarc system management builds a detailed profile automatically … (Tchen, 1998). The system is a useful tool in auditing within the computer.

‘… Internet is flexible, interactive, [common], global, accessible …’ (Castells, 2001; Cardoso cited in The Media in the Network Society, 2006, p. 34). Electronic (e)-commerce [is] ‘any form of business transaction in which the parties interact electronically [without personal] or direct physical contact’ (Rosen, 2000, p.5; Andam cited in E-Commerce and E-Business, 2003, p. 6). Global competition is … ‘the most significant [driving] force for e-commerce development across countries’ (Gibbs, Kraemer & Dedrick, 2002, p.7).

The ‘integrity’ of [NIRA Ltd asset evaluation is important for] ‘making sound financial [forecasting] and planning future expenditures’ (Chiat, 2011). The NIRA Ltd asset evaluation outcome is a deciding factor on whether to expand the business through e-commerce. Inherent risk is [a danger] that an activity [can result] if no controls or other mitigating factors were in place … Simplified risk assessment model [shown in figure one] is ideally workable for risk prevention (Sewall, 2008). Risk assessment is carried out with the tally and results in Exhibits one and two, using the Excel sheet and the Belarc Advisor System Audit Tool.
NIRA Ltd's objective is to establish an effective risk-free Website. The risk assessment on information technology policies includes the implementation of different policies. The e-commerce assessment evaluation criteria were adopted from the Sewall (2008) model (figure two).

Architecture of Operating System and Network

Architecture of Operating System

The NIRA Ltd operating system is Windows XP (shown in diagram one) and the network architecture is VLAN, shown in figure three. Windows XP is built like a house [starting] foundation [and adding one floor to another to build layers]. All of Windows XP is based on this networking concept. ‘… The whole bridge between … kernel and user modes is CSRSS.exe (Client/Server Runtime Subsystem)’. [It is like] the concept of “consuming” services provided by the system (e.g., Data Access via OLE DB or ODBC). The [operating system (OS)] provides all kinds of services that programs use as “clients”. Windows XP is built in Layers [of] …user mode – layer closest to the person … [and] Kernel mode – layer closest to hardware (Faculty Team, 2001).

Architecture of Network

The NIRA network architecture is a basic Virtual LAN (VLAN), shown in figure three. Network devices on VLAN1 will not be able to communicate with (ping) devices on VLAN2. [However], it is possible to have devices on VLAN1 of a switch communicate with VLAN1 on another switch through a method called VLAN trunking (Rodriguez, 2003). VLAN trunking protocol (VTP), shown in figure seven, is the protocol that switches use to communicate among themselves about the VLAN configuration (Tyson, 2011).

Key risk indicators … ‘provides an early signal of increasing risk exposures in various areas of the enterprise’ (Beasley, Branson and Hancock, 2010, p. 1). Search engine optimization is a complex process [in] selecting keywords [and] building a comprehensive link strategy ‘… [To] rank highly in the engines takes time, hard work and patience’ (Runberg, 2010).
For online businesses… ranking high in … search engines is a must … [to] potentially increase the network traffic, page views … and return on investment [(ROI) to acquire new customers] (Terlecki, 2011).

NIRA Ltd enhanced Web-based architecture (shown in figures four, five and six)

‘Architecture’ [in terms of Website] refers to … ‘three different design aspects’ … ‘site, software and network’. Site architecture (figure four) is the design of a Website without the graphics and HTML. [It] consists of black and white frame drawings, representing the way in which Web pages will link together. [The software (figure five) supports the system on] ‘…ways in which coding and database can communicate’. The network architecture (figure six) is the design of how machines are physically set up and networked with each other. The router and firewall are configured to network protocols to host the Website with the Internet Service Provider (DittoDitto Engineers, 2005).

Evaluation of Audit Results

Positive Findings

Per the audit checklist used:

- Management commitment is evidenced by higher management's direct involvement in the review of resources, asset control activities and approvals.
- Good compliance to rules and regulations is documented.
- Good control of the company through automation of records and physical inventory by the overall fixed assets custodian.
- Hardware and software custodians keep good records of maintenance activities and responses to service requests.
- The inventory database is well structured.
- Employees are aware of their responsibilities on information resources.
- Compliance to legal and regulatory requirements, propriety and protection of data are accessible to all anytime needed, supported with stringent policy.
- Development, maintenance and management of software versions and releases are supported with approved policies and procedures.
Findings on Conformance Using Belarc Advisor System Audit Tool

Licenses Records

- Belarc - Advisor
- Microsoft - Interactive Training
- Microsoft - Internet Explorer
- Microsoft - Office Home and Student 2007
- Microsoft - Office Professional Edition 2003
- Microsoft - Press Interactive Training
- Microsoft - WebFldrs XP
- Microsoft - Windows XP Professional

Hotfixes

| Count | Legend |
|---|---|
| 79 | Marks a hotfix that verifies correctly |
| 59 | Marks a security hotfix (using the 10/11/2011 Microsoft Security Bulletin Summary) |
| Nil | Unmarked hotfixes lack the data to allow verification |
| (Nil) | Marks a hotfix that fails verification (note that failing hotfixes need to be reinstalled) |

Findings on Non-conformances

Per the audit checklist used:

- Internal audit is not conducted periodically.
- Hardware changes are not covered in internal audit.
- Technology resources were not considered in the current year budget plan.
- Functions in control of assets overlap between the overall fixed custodian and the software and hardware custodians.
- Purchasing officer has nothing to do with assets contracts.
- Computer games are installed in the computer networks.
- No regular training of employees related to information technology.
- Storage of software back ups and consequences of information violations are not written in the policy.

Findings on Non-Conformance Using Belarc Advisor System Audit Tool “Exhibit 2”

Score for security benchmark is 67% out of 10.
Virus definitions are older than 30 days using McAfee VirusScan Enterprise Version 8.0.0.912; Scan Engine Version 5.2.00; Virus Definitions Version 8/8/2008 Rev 4.0.5357; Last Disk Scan on Saturday, October 08, 2011 6:20:15 a.m. with “Realtime File Scanning” on. Total of 55 Microsoft security updates are not installed. Other non-conformance showed security hotFix (a security vulnerability []) fails verification. Recommendations Positive findings deserve appreciation from the management to the responsible employees. “Keep up the good work.” On the other hand, all employees should get training on information technology. IT Department should be part of orientation program presenters for new employees. Human Resources yearly training program should include information technology topics. All employees should sign the “statement of confidentiality”. Storage of software, back up system and consequences of information system violations should be included in the security policy. Findings from Belarc Advisor system audit recommendation should configure settings on account lockout, passwords, event logs, files permission, security options, user-right assignment and system services. Define policies for password issuance and usage, audit, Internet, Explorer Seven and local computer. Impose restrictions on local computer administration templates, network, systems and Windows. Create profiles for Windows firewall, domain and standard. Set up automatic scanning of computers once in a week or a month. Install the 55 Microsoft security updates and security hotFix (a security vulnerability []) that failed verification. Conclusion Overall, NIRA Ltd information technology asset management system is well developed, implemented and monitored. Some issues identified in the audit are immaterial and can be corrected appropriately. The employees were honest during the open interview, [which is a reflection of] commercial morality and honesty determined by [stakeholders]… (Anderson, 2009, p. 
11). Agility is the ability to thrive in a competitive environment of … changing market opportunities (Goldman, Nagel & Preiss, 1995, p. 8). ‘[An agile business needs to] join the virtual organizations’… (Goldman, Nagel & Preiss, 1995, p. 201). ‘… Internet founded on the principle of sharing and communication’ [is the successful tool of virtual organisations] that ‘changed the model of interaction’ [between customers and organisations] (Kaplan, 2003, p. 3). Website is …World Wide Web pages maintained by [everyone] (Laudon & Laudon, 2004, p. 19). [In transforming Website to e-commerce,] “…judgment is the power to assimilate knowledge and to use it” (Beaverbrook, 2005, p. 4). ‘… [Internet] technology …[is]…good “technology of freedom” [made] ‘into a technology of control and surveillance’ (Boyle, 2008, p. 61). Judgment and technology are important in the e-commerce. ‘Internet connections [are useful] for supply chain management, after-sales support, and payments’ (McLoughlin, 2002, p. 2). References Anderson, Franklin, B., 2009, Morals in Trade and Commerce, viewed 6 November 2011, Barclay, Simpson, 1989, An Introduction to Computer Auditing, viewed 06 November 2011, . Beasley, Mark S., Branson, Bruce C. & Hancock, Bonnie V., 2010, Developing Key Risk Indicators to Strengthen Enterprise Risk Management; How Key Risk Indicators can Sharpen Focus on Emerging Risks, viewed 04 November 2011, http://www.coso.org/documents/COSOKRIPaperFull-FINALforWebPostingDec110_001.pdf. Beaverbrook, Max Aitken, 2005, Success, 2nd Edition, Online Distributed PG, viewed 3 November 2011, . Belarc Advisor, Advisor Version: 8.2f, viewed 12 November2011, . Boyle, James, 2008, The Public Domain Enclosing the Commons of the Mind, Yale University Press, viewed 4 November 2011, . Castells, Manuel, 2001, “Projecte Internet a Catalunya” of IN3 and Universitat Oberta Catalunya; Cardoso, Gustavo cited in The Media in the Network Society, 2001, p. 34), viewed 6 November 2011, . 
Chiat, Brandon, 2011, The Intelligent Asset Manager Fixed Asset Evaluation, viewed 04 November 2011, . Computer Assisted Audit Group, 2006, A Guide to Computer Assisted Audit Techniques, viewed 05 November 2011, DittoDitto Engineers, 2005, Website Architecture, viewed 05 November 2011, . Faculty Team, 2001, Windows XP Architecture, Seneca College, viewed 9 November, 2011, . Frigo, Mark L. & Anderson, Richard J., 2001, Embracing Enterprise Risk Management: A Practical Approaches for Getting Started, viewed 07 November 2011 . Gibbs, Jennifer, Kraemer, Kenneth & Dedrick, Jason, 2002, Environment and Policy Factors Shaping E-commerce Diffusion: A Cross-Country Comparison, viewed 04 November 2011, http://escholarship.org/uc/item/2x73003z. Goldman, Steven L., Nagel, Roger N. & Preiss Kenneth, 1995, Agile Competitors and Virtual Organisations Strategies for Enriching the Customer, International Thomson Publishing Incorporated, p. 8, 201. Hardy, Chris, 2003, Computer Security Audit Checklist, viewed 03 November 2011 . Grudgfield, Narelle, ISO19770-1 Audit Checklist Template, viewed 9 November 2011, < www.qgcio.qld.gov.au/.../ISO19770-1_Audit_Checklist_Template.d.>. Kaplan, Jim, 2003, Auditnet Monograph Series. How to Use Statistical Sampling, viewed 07 November 2011, Laudon, Kenneth C. & Laudon, Jane P., 2004, Management Information Systems: Managing the Digital Firm, 8th Edition, Pearson Prentice Hall, p. 19. McLoughlin, Glenn J., Electronic Commerce: An Introduction, CRS Report for Congress, viewed 4 November 2011, http://fpc.state.gov/documents/organization/12056.pdf, p. 2. NIRA Limited, 2011, Company accounts at Companies House, viewed 06 November 2011, . Parker, Philip M., 2005, Risk assessment definition, Webster's Online Dictionary, Rosetta Edition, viewed 6 November 2011, . Rosen, Anita, 2000, The E-commerce Question and Answer Book (USA: American Management Association, 2000), p. 5; Zorayda Ruth Andam cited in “E-Commerce and E-Business”, 2003 p. 6. 
Runberg, Jessica, 2010, The Meta Title Tag: Increase Your Rankings in 60 Characters or Less, viewed 05 November 2011 . Sarbanes-Oxley Act, 2002, A Guide to the Sarbanes-Oxley Act, viewed 04 November 2011, . Sarbanes-Oxley Act 404. The audit community has their own set of standards for auditing financial statements. Similar initiatives exist in the area of technology controls. Issued by the IT Governance Institute, COBIT is a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. While the PCAOB has not officially endorsed COBIT, it is the generally accepted source in SOX 404 audits for assessing whether a business has effective IT controls. Cited by Sewall, 2008, viewed 05 November 2011, Schwartz, Donald A., 1998, The CPA Journal November 1998 Issue, viewed 06 November 2011, . Sewall, Bill, 2008, Information Security Handbook, viewed 05 November 2011, . Sullivan, Dan 2006, The Definitive Guide to Security Management, Realtimepublishers.com, viewed 05 November 2011, . p. 10. Tchen, Summin, 1998, Belarc's products deliver personalized content while allowing the visitor to remain anonymous and keep their profile information private, viewed 06 November 2011, Terlecki Abby, 2011, Eight Steps to Rank Organically High in Search Engines, viewed 04 November 2011, . Trochim, William M. K., 2006, Social Research Methods, viewed 05 November 2011, . 
Tyson, Jeff, 2011, How LAN Switches Work; VLAN Trunking Protocol, viewed 05 November 2011,

Exhibit “A” Audit Results in Excel Sheet

Audit Date: 10 November, 2011
Name of Auditor (s):

| Description | Documented Evidence | Fully Met | Partially Met | Not Met | Observation / Remarks |
|---|---|---|---|---|---|
| CONTROL ENVIRONMENT | | 2 | 1 | 0 | |
| Governance and Leadership | | | | | |
| Approved governance and leadership responsibility for assets and software approved | Minutes of meetings and documented assets including software approval | 2 | | | |
| Annual review of software rules and regulations | Policies and procedures; documented yearly internal audit reports | | 1 | | Only one review done in 2010 |
| Identified risks assessment and management methodologies documented, updated, and approved by governance include the following risks: | Policies and procedures; documented yearly internal audit reports | | | | |
| 1. compliance of regulations | | 2 | | | |
| 2. compliance of licensing | | 2 | | | |
| 3. operation interruptions due to insufficient system asset management | | 2 | | | |
| 4. spending on IT products | | | | 0 | No asset lists and no budget monitoring |
| 5. resulting from operation of other branches | | | 1 | | Lacks documentation |
| Delineation of Authorities and Responsibilities | | | | | |
| Roles defined and responsibilities delineated for: | Asset Management manual and strategic plans, roles and responsibilities specified in the job description, documentations | | | | |
| Overall fixed asset officer: | | | | | |
| 1. planning and overseeing of system asset management | | | 1 | | Overlapping functions with hardware and software custodians |
| 2. involving in the implementation of asset management plan | | 2 | | | |
| 3. taking action of defective or obsolete assets | | | | 0 | |
| Hardware and software custodians (as related): | | | | | |
| 1. obtaining resources | | 2 | | | |
| 2. performing functions | | | 1 | | Overlapping functions with overall fixed assets custodian |
| 3. documenting and maintaining records | | 2 | | | |
| 4. deployment and controls | | 2 | | | |
| 5. managing contract agreements, internal and external customers’ relationships | | | 1 | | Overlapping functions with purchasing officer |
| Organization-wide communication of the specified responsibilities | Minutes of meetings, e-mails, posting in bulletin board, observations | | 1 | | Confusion exists between the overall fixed assets officer and two IT custodians |
| Policies and Procedures | | | | | |
| Availability of policy and procedure development, periodic review, approvals, issuance, and control | Approved policy and documented implementation | 2 | | | |
| Documented policies including: | Review of policies and documents on implementation | | | | |
| 1. Employees and leadership responsibilities on software and hardware in use | | 2 | | | |
| 2. limitations on the use of assets and software for personal use | | 2 | | | |
| 3. compliance to legal and regulatory requirements, propriety and protection of data | | 2 | | | |
| 4. asset acquisition | | | 1 | | Not fully covered by budget plan for 2011. |
| 5. approval on installation and use of software | | | 1 | | Some computers are found with games software |
| 6. consequences of violating the policies | | | 1 | | Not well cited in information system security policy |
| Organization-wide communication of policies including: | Publications through the e-mails, system database for manuals, adding to the code of conduct, e-mailing and minutes of meeting | | | | |
| 1. newly joined employees during orientation period | | | 1 | | One newly hired employee is not aware of information system policy. |
| 2. continuing annually through in-house trainings | | | 1 | | No training schedules and activities found in HR Training records |
| 3. signing on acknowledgement | | | | 0 | Employees need to sign statement of confidentiality |
| 4. accessible to all anytime needed | | 2 | | | |
| MANAGEMENT OF ASSETS INVENTORY | | | | | |
| Identification of Software | | | | | |
| Asset inventory database including asset description, locations, quantity and valuations | Asset inventory registers | 2 | | | |
| Inventory of Software Assets | | | | | |
| Inventory management and storekeeping include: | Approved policy and procedure, documentations; access to computer logs | | | | |
| 1. unauthorized access, alteration and corruption | | 2 | | | |
| 2. data recovery | | 2 | | | |
| Physical presence of inventories on: | Inventories, including package versions, update/patch status of software, platforms, master copies, hard copies and contract soft copies | | | | |
| 1. platforms to install and run the software assets | | 2 | | | |
| 2. licensed software in use and held | | 2 | | | |
| 3. software releases | | 2 | | | |
| 4. contracts related to software assets | | 2 | | | |
| Description of inventory reports include identification, use and data source as in identification of software | Hard copies of reports | 2 | | | |
| Control of Software | | | | | |
| Changes to software and hardware are documented and considered in audit tracking | Documentation to include changes in location, version, custodianship and status | | 1 | | Hardware changes are not included in 2010 previous audit. |
| Development, maintenance and management of software versions and releases are supported with approved policies and procedures. | Check existence of related policy and procedures | 2 | | | |
| Security and Safety | | | | | |
| Approved policy on access and security limitations to storage of software and back ups | Physical check of storage kept locked and back up in separate fully secured building | | 1 | | Not covered in the policy |
| Evidence of controls implemented in practice | Registers and access logs | 2 | | | |
| Totals | | 46 | 13 | 0 | 78 |

Overall Rating: 0.76
Total Score: 59
Rating Scales: 0 = non-compliant; 1 = Partially Met; 2 = Fully Met

Corrective Action/Improvement Suggestions Raised: No.
Details: 15
- Internal audit is not conducted periodically.
- Hardware changes should be included in the periodic audit.
- Technology resources were not considered in the budget plan for the current year.
- Functions of overall fixed assets custodian overlap with designated software and hardware custodians.
- Purchasing officer handling of assets contract is out of his function.
- Computer games installed in the computer networks can compromise data and waste time of employees.
- No regular training of employees related to information technology.
- Consequences of information violations are not well written out in the information system policy.
- Storage software and back ups are not written in policy.

Auditor: Signature:
Responsible Manager: Signature:

Exhibit “2” Belarc Advisor System Audit Result

The license associated with the Belarc Advisor product allows for free personal use only. Use on multiple computers in a corporate, educational, military or government installation is prohibited. See the license agreement for details. The information on this page was created locally on your computer by the Belarc Advisor. Your computer profile was not sent to a web server.

System Security Status
- Security Benchmark Score: 0.67 of 10
- Virus Protection: Virus definitions are older than 30 days
- Microsoft Security Updates: 55 missing

Computer Profile Summary
- Computer Name: dr-0dc137c193ed (in WORKGROUP)
- Profile Date: Saturday, November 12, 2011 8:22:51 PM
- Advisor Version: 8.2f
- Windows Logon: xxxxxx
Operating System
- Windows XP Professional Service Pack 2 (build 2600)
- Install Language: English (United States)
- System Locale: English (United States)
- Installed: 8/31/2009 6:00:29 AM

System Model
- Hewlett-Packard HP OmniBook PC HP OmniBook XE3 GC
- System Serial Number: TW14015171
- Enclosure Type: Notebook

Processor (a)
- 1000 megahertz Intel Pentium III
- 32 kilobyte primary memory cache
- 256 kilobyte secondary memory cache
- Not hyper-threaded

Main Circuit Board (b)
- Board: Hewlett-Packard OmniBook N32N-733
- BIOS: Phoenix Technologies LTD GC.M1.63 01/01/1992

USB Storage Use in past 30 Days (device, last used)
- WD My Passport 0730, s/n WX81AC0T3985, rev 1012: 11/11/2011 6:21:08 PM*
- JetFlash Transcend 8GB, s/n 134Z0MQV, rev 8.07: 11/5/2011 10:35:30 AM*
- Toshiba External USB HDD, s/n 201008093783: 11/3/2011 5:33:32 PM*
* Possibly used again before the reboot following this time.

Hosted Virtual Machines
- None discovered

Drives
- 40.00 Gigabytes Usable Hard Drive Capacity
- 27.08 Gigabytes Hard Drive Free Space
- TOSHIBA DVD-ROM SD-C2502 [Optical drive]
- 3.5" format removeable media [Floppy drive]
- TOSHIBA MK4025GAS [Hard drive] (40.01 GB) -- drive 0, s/n 35LT4838T, rev KA100A, SMART Status: Healthy

Memory Modules (c, d)
- 512 Megabytes Usable Installed Memory
- Slot '0' has 256 MB
- Slot '1' has 256 MB

Local Drive Volumes
- c: (NTFS on drive 0) 40.00 GB, 27.08 GB free

Network Drives
- None discovered

Users
- local user accounts (last logon): xxxxxx 11/12/2011 7:01:46 PM (admin)
- local system accounts: Administrator never (admin); Guest never; HelpAssistant never; SUPPORT_388945a0 Never

Printers
- Canon MP250 series Printer on USB001
- Microsoft Office Document Image Writer Driver on Microsoft Document Imaging Writer Port:
- Send To Microsoft OneNote Driver on Send To Microsoft OneNote Port:

Controllers
- Standard floppy disk controller
- Intel(R) 82371AB/EB PCI Bus Master IDE Controller
- Primary IDE Channel [Controller]
- Secondary IDE Channel [Controller]

Display
- S3 Graphics Inc. SavageIX [Display adapter]
- Digital Flat Panel (1024x768) [Monitor] (19.7"vis, January 2000)

Bus Adapters
- Texas Instruments PCI-1420 CardBus Controller (2x)
- Intel(R) 82371AB/EB PCI to USB Universal Host Controller

Multimedia
- ESS Allegro PCI Audio (WDM)

Virus Protection
- McAfee VirusScan Enterprise Version 8.0.0.912
- Scan Engine Version 5.2.00
- Virus Definitions Version 8/8/2008 Rev 4.0.5357
- Last Disk Scan on Saturday, October 08, 2011 6:20:15 AM
- Realtime File Scanning On

Group Policies
- None discovered

Communications
- ESS ES56CVM-PI Data Fax Voice Modem
- ↑ Accton EN2242 Series MiniPCI Fast Ethernet Adapter, primary
- Auto IP Address: xxx.xxx.xxx.xxx / xx
- Gateway: xxx.xxx.xxx.1
- Dhcp Server: xxx.xxx.xxx.1
- Physical Address: 00:D0:59:7A:EC:CE
- Networking Dns Servers: xx.xx.xx.xx xx.xx.xx.xx

Other Devices
- Microsoft AC Adapter
- Microsoft ACPI-Compliant Control Method Battery
- USB Human Interface Device
- Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
- HID-compliant mouse
- PS/2 Compatible Mouse
- USB Root Hub

Network Map

| IP | Device Type | Device Details | Device Roles |
|---|---|---|---|
| xxx.xxx.xxx.1 | Router | Linux Upnp Igd Project / IGD Version 1.00 | DHCP Server, Gateway, Web Server |
| xxx.xxx.xxx.10x | Windows XP Workstation | Dr-0dc137c193ed (in WORKGROUP) | |

Missing Microsoft Security Hotfixes

These required security hotfixes were not found installed (using the 10/11/2011 Microsoft Security Bulletin Summary with definitions version 2011.10.27.1). Note: Security benchmarks require that Critical and Important severity security hotfixes must be installed.
Hotfixes from Microsoft Update (agent version 7.4.7600.226) install automatically. Last install: 10/13/2011 5:58:18 PM, download: 11/9/2011 7:20:58 AM, check: 11/11/2011 1:36:55 AM.

Software Licenses
- Belarc - Advisor
- Microsoft - Interactive Training (e)
- Microsoft - Internet Explorer
- Microsoft - Office Home and Student 2007
- Microsoft - Office Professional Edition 2003
- Microsoft - Press Interactive Training (e)
- Microsoft - WebFldrs XP
- Microsoft - Windows XP Professional

a. Processor clock speed is measured at computer start-up, and on laptops may be impacted by power option settings.
b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
e. This is the manufacturer's factory installed product key rather than yours. You can change it to your product key here http://go.microsoft.com/fwlink/?LinkId=45668 for Windows, or here http://support.microsoft.com/?kbid=895456 for Office.

Copyright 2000-11, Belarc, Inc. All rights reserved. U.S. Patents 5665951, 6085229 and Patents pending.