Today, we visited the third property development company in Johor Bahru. Unlike the previous firms, this company lacked an established IT department, so we spent a considerable amount of time going through the information request list with the person in charge who lacked IT knowledge. We patiently explained the details and ensured that she understood the requirements.
After completing the information request list, we conducted a server room sighting and discovered several physical control weaknesses. For instance, the server room was located near the working space and was unlocked, providing unauthorized access to anyone. Furthermore, there was no log book or CCTV in the server room.
Regarding ITGC, we found that the company was using shared ID practice, which made it impossible to trace transactions to a specific employee as they all had the same ID with full module access. This posed a significant risk to the company as it created opportunities for fraud and manipulation of records without management's knowledge.
Finally, we held a brief exit meeting with the client to discuss our audit findings.
Main things that I have learnt
Learnt that the practice of sharing user IDs will cause a material risk to the company.
Learnt the importance of having proper physical controls in the server room.