
Top 5 IT Audit Findings 2021-2022

Published on June 8, 2023

State-Owned Enterprises (BUMN) need to pay special attention to the governance and implementation of information technology. This is because the latest SOE Minister Regulation, PER-02/MBU/03/2023 Concerning Guidelines for Governance and Significant Corporate Activities of State-Owned Enterprises, requires SOEs to report the findings of IT audits conducted independently, periodically, 1 (one) time in 1 (one) year.

Therefore, the understanding of IT audits for Internal Audit companies and IT Organizations must be improved to help companies determine and take proactive actions to improve internal controls and manage risk more effectively. 

In this article, Altha will discuss the most common IT Audit findings we encounter in the field and recommendations for solutions and mitigation measures your company can take.

 

Top 5 IT Audit Findings in 2021-2022

Based on our experience conducting IT audits for clients in various industries, we identified the top 5 IT Audit findings, according to our statistics, as follows:

 

 

1. Access Control: Inadequate access control (30%): 

Inadequate access controls can lead to information security risks such as unauthorized access, unauthorized changes to data, risks of data loss, and system abuse. An example of a case that Altha often encounters: there is no separation of access for personnel who can access development, testing, and production servers and data.

2. System Maintenance & Update: Poorly standardized system maintenance and updates (25%):

Poorly standardized system maintenance and updates can increase the risk of security attacks and system failures. An example of a case that Altha often encounters: incomplete and undocumented testing activities and go-live approval of the system, which leave open the possibility of an undetected system threat that could disrupt the security and availability of data in the company.

3. Backup & Restore: Poorly standardized data backup and restore (20%):

Backup and restore activities that are not well standardized lead to the possibility that not all data is backed up completely, or that data that is backed up cannot be restored to the existing database server, so the risk of data loss cannot be avoided. An example of a case that Altha often encounters: restoration testing is not carried out, so there is a risk that the data that has been backed up will fail to be restored to the backup server when the main server is damaged.

4. Policy & Procedure: Policies and procedures that are incomplete or haven't been updated for a long time (15%):

Policies and procedures related to the management of information technology processes that are not consistent, complete, and up-to-date can lead to security weaknesses and higher operational risks, because the standards they set are no longer relevant to current information technology developments. An example of a case that Altha often encounters: policies and procedures related to change requests are not updated despite process changes. For example, in the past a change request (CR) was submitted via email, but it is now submitted via the helpdesk form.

5. Compliance: Non-compliance with regulations and IT control best practice standards (5%): 

Non-compliance with security standards and relevant industry regulations may result in legal penalties, fines, or loss of reputation. An example of a case that Altha often encounters: there is no monitoring of the compliance reporting requirements set by the laws that regulate the industry. For example, the Banking Industry needs to pay attention to the need for compliance with the Regulation of the Financial Services Authority of the Republic of Indonesia Number 11/POJK.03/2022 Concerning the Implementation of Information Technology by Commercial Banks.


How to avoid the risk of the audit findings?

Altha has proven experience in various companies, so we can provide relevant and competitive insight according to the business context. If your IT Organization is facing the risk of IT Audit findings such as those above, here are some mitigation measures that can be implemented in your organization/company:


1. Improve access control:

  • Use multi-factor authentication (MFA) 
  • Manage access rights based on the need-to-have and must-have principles
  • Monitor activity logs to detect unauthorized access.

2. Perform regular system maintenance and updates:

  • Ensure the operating system, software, and hardware are updated with the latest security patches.
  • Perform periodic maintenance on IT infrastructure.
  • Develop effective disaster recovery and business plans.

3. Prepare backup storage and adequate data recovery:

  • Determine the backup and restore strategy according to business needs
  • Perform regular backups
  • Perform restoration testing (restore testing) to ensure backed-up data can be restored.


4. Review and update policies and procedures:

  • Develop policies and procedures according to best practice
  • Conduct periodic reviews of policies and procedures.
  • Conduct training to ensure understanding and compliance by employees.


5. Ensure compliance with security and regulatory standards:

  • Perform routine internal security audits 
  • Conduct security training for employees
  • Work with external parties to assist in assessing and improving compliance with security standards.

 

IT Audit Training Altha

As an experienced IT audit practitioner, Altha is committed to assisting your company in preparing reliable human resources to conduct and prepare IT audits through IT audit training services. Our training solutions combine our knowledge & practical experience in various industries so that they become more relevant & contextual in their implementation.

By participating in our IT Audit training, it is hoped that the company will be able to create qualified human resources, understand how to carry out an IT Audit, and independently conduct an IT Audit according to the company's needs. 

Are you interested in our IT Audit training? We offer various types of training that can be tailored to the needs of our clients to ensure the best benefits for all of our clients.


About the company


Altha Consulting

Altha Consulting is a group of innovative consulting practices for developing business in Risk, Information Technology and People advisory, based in Jakarta and Surabaya.
