
Question


Auditing

The auditor found 3 exception errors for their test of Cardinals Ticket Processing. What recommendation might the auditor give to the CTP company regarding their control objectives?

Cardinals Ticket Processing, Inc.
Tests of Operating Effectiveness
July 1, 2014 to June 30, 2015

Control Objective 6: Controls provide reasonable assurance that application and system software programs and data are restricted from unauthorized access or change.

Columns: CTP Control Procedures / Tests Performed by Dewey, Cheatem & Howe LLP / Results of Tests / Complementary User Controls

Logical Security

6.1 Security policies and procedures have been documented, are signed by newly hired employees, and are made available on the CTP intranet for employees.
Tests performed: Scanned the Information Security Policy and noted that the policy was published on the intranet and disseminated to relevant system users. Scanned a new hire's HR file and noted that a signed Employee Handbook Acknowledgement form was present. Inspected a selection of newly hired employees and noted that a signed Employee Handbook Acknowledgement form was present in the HR file.
Results of tests: No exceptions noted.

6.2 User access to systems and applications is required to be requested and approved within the System Access Manager (SAM) tool prior to access being created, changed, or removed.
Tests performed: Scanned a SAM ticket and noted that access was requested and approved prior to access being granted. Inspected a selection of newly hired employees and noted that their user access to systems and applications was approved within the SAM tool. Inspected a selection of transferred employees and noted that changes in access were approved within the SAM tool. Inspected a selection of terminated employees and noted that access to systems and applications had been removed.
Results of tests: No exceptions noted.

6.3 Remote access to the CTP network is limited to authorized users and requires a valid user ID and password.
Tests performed: Scanned a user's access approvals within the SAM tool and noted VPN access was approved. Inspected a selection of users with access to the network via VPN and noted that the users were active employees that had a business need for that access.
Results of tests: No exceptions noted.

6.4 Windows administrator privileges are limited to authorized CTP administration personnel.
Tests performed: Inspected a selection of users with administrative access to the operating systems and noted that access was limited to authorized personnel.
Results of tests: No exceptions noted.

6.5 TICKIT application administrators are established for the satellite locations (Toronto) and are limited to authorized personnel.
Tests performed: Inspected a selection of users with the OPSET role within TICKIT and noted that access was limited to authorized personnel.
Results of tests: Ten (10) of the 90 users with the OPSET role inspected were not authorized to have the access.
Management response: See Section IV of this report - Other Information Provided by CTP Global, Inc: - CTP Management Responses to Exceptions Identified Within Section III, reference #1.

6.6 Access to elevated functions within the TICKIT application is limited to authorized personnel.
Tests performed: Inspected a selection of users with the CREDIT role within TICKIT and noted that access was limited to authorized personnel. Inspected a selection of users with the BATCH role within TICKIT and noted that access was limited to authorized personnel.
Results of tests: Eight (8) of the 28 users with access to the CREDIT role inspected were not authorized to have access. Seven (7) of the 28 users with access to the BATCH role inspected were not authorized to have access.
Management response: See Section IV of this report - Other Information Provided by CTP Global, Inc: - CTP Management Responses to Exceptions Identified Within Section III, references #2 & 3.

6.7 Windows and TICKIT password parameters are established to require a minimum length, enforce complexity, and enforce periodic password changes.
Tests performed: Scanned the Windows password parameters and noted the password requirements were established to require a minimum length, enforce complexity, and enforce periodic password changes. Performed a walkthrough of the TICKIT application and noted that password requirements were established to require a minimum length, enforce complexity, and enforce periodic password changes.
Results of tests: No exceptions noted.

6.8 Designated personnel are authorized to move code changes into the production environment.
Tests performed: Inspected a selection of users with access to move code changes into production and access to develop changes and noted that access was limited to authorized personnel and that users with access to develop code did not maintain access to migrate code changes to production.
Results of tests: No exceptions noted.

Application Change Management

7.1 TICKIT application development policies and procedures are in place to guide the development of programs.
Tests performed: Scanned the application development policies and procedures and noted that it listed the process in place for making changes to CTP applications.
Results of tests: No exceptions noted.

7.2 Changes to programs are tracked via a task tracking system to facilitate the change management process, including retaining approvals and documentation.
Tests performed: Scanned an application change and noted that the task tracking system was used to retain approvals and documentation. Inspected a selection of application changes and noted that the task tracking system was used to retain approvals and documentation.
Results of tests: No exceptions noted.

7.3 Program changes are tested in a test environment and test results are retained in the program change documentation.
Tests performed: Observed the system architecture and noted that there were separate test and production environments. Scanned an application change and noted that evidence of testing was included in the program change documentation. Inspected a selection of application changes and noted that the evidence of testing was included in the program change documentation.
Results of tests: No exceptions noted.

7.4 Authorized operations and systems administrations personnel move program changes into production.
Tests performed: Inspected a selection of users with access to develop or promote TICKIT changes and noted that access was limited to authorized personnel and that users with access to develop code did not maintain access to migrate code changes to production for the application.
Results of tests: No exceptions noted.
