Presentation is loading. Please wait.

Presentation is loading. Please wait.

Team Member: Xiaomin Dong

Published byDina Chandler Modified over 6 years ago

Similar presentations

Presentation on theme: "Team Member: Xiaomin Dong"— Presentation transcript:

1 Team Member: Xiaomin Dong
Audit Findings Report Team Member: Xiaomin Dong Binju Gaire Borgia Casid Sohou Beryl (Mengqiao) Liu Zhixin Wei

2 Agenda: Background Objective and Scope Findings Audit Opinion

3 Background QuickBooks:
an accounting software program used to manage sales and expenses and keep track of daily business transactions. offers on-premises accounting applications as well as cloud-based versions that accept business payments, manage and pay bills, and payroll functions. Re/Max: an American international real estate company that operates through a franchise system. more than 100,000 agents in 6,800 offices operates in about 100 countries. use QuickBooks as management software to consolidate accounting, commission tracking, transaction management, reporting, and more. QuickBooks is an accounting software program used to manage sales and expenses and keep track of daily business transactions. It offer on-premises accounting applications as well as cloud-based versions that accept business payments, manage and pay bills, and payroll functions. Re/Max is an American international real estate company that operates through a franchise system. Re/Max has more than 100,000 agents in 6,800 offices operates in about 100 countries.

4 Objective and Scope Objective:
Our audit objective was to determine whether adequate controls were in place and in effect to provide reasonable assurance of using Quickbooks from a security perspective. Scope: We performed an audit the security controls of using QuickBooks at Re/Max, for the period of April 7, 2017 to April 7, The scope of our audit consisted of an evaluation of QuickBooks. This audit was conducted in accordance with the NIST special publication B guidelines and . These guidlines *ReMax has not established proper controls and procedures related to QuickBooks, so we will not perform the assessment of controls from Re/Max side.

5 Finding 1: Fact-Passwords of the computers that are used to access Quickbooks are not required to change periodically by the employees of ReMax. There is less assurance that passwords are limiting access to data files and information only to assigned users. Standards-Per NIST Special Publication B (Digital Identity Guidelines), reauthentication of the subscriber SHOULD be repeated at least once per 30 days during an extended usage session, regardless of user activity. The session SHOULD be terminated (i.e., logged out) when this time limit is reached Root cause of the issue-The issue of reauthentication exists because employees are not aware of the digital identity guidelines. Impact to the business-chance to have malicious attacks Recommendations-Passwords should be kept confidential and periodically changed to reduce the risk of unauthorized access to computer and data. (You can talk about the auto fill of Chrome, just saying lol -- Beryl)

6 Finding 2: Fact-Quickbooks doesn’t have strict controls on the accessing identity authorization. Anyone could access the information once the person have the account. Standards-NIST Special Publication B An attacker who can gain control of an authenticator will often be able to masquerade as the authenticator’s owner. Root cause of the issue-Lack of periodic reauthentication of subscriber sessions. Impact to the business-The customer personal identities and the company transactions will be disclosed. Recommendations-Use authenticators that provide verifier impersonation resistance. Or Providing different temporary passwords for different authorized users.And only the authorized users have temporary accesses to the system.

7 Finding 3: Fact-Quickbook can be hard to use in terms of oversight and compliance guarantee. The software offers no real time visibility into data collection and processes. Standards-NIST (Cloud Computing Security Reference Architecture) Root cause of the issue-The way the software is set up does not allow all its users to has access to the same data at the same time. Impact to the business-manually gathering information for audit request can be quite challenging and lead to incomplete results Recommendation-Build up a cloud software that can be easily spread out across Re/max, which will assure everyone has access to the same data at the same time and that management instantly know what's going on at any time.

8 Finding 4: Fact – Users can add or change the data at anytime or any situation as long as they have the password. They can type any number they want and there is lack of backup, which would lead to records losing or error. Standards – NIST Special Publication B (Digital Identity Guidelines) Records Retention Policy The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any NARA records retention schedules that may apply. Root cause of the issue - Quickbooks is not supported by paperless and not built with the cloud in mind Impact to the business - Records losing or error Recommendations - Go paperless and build up a cloud database

9 Audit Opinion Rate: Needs Improvement
Operating well, serving the needs, no significant deficiencies in function. Require meaningful enhancement regarding the access control, reauthentication, visibility and backups. Based upon our audit work, our opinion is that the overall effectiveness of the processes and controls evaluated during the audit is rated as Needs Improvement. We found that the QuickBook is operating well in the Re/Max., serving the needs of the company and no significant deficiencies in its function were noted. However, we just raises some questions regarding the appropriateness of the control environment. The control environment will require meaningful enhancement before it can be considered as fully effective, regarding the access control, reauthentication, visibility and backups.

10 Thanks! Any Questions?

Download ppt "Team Member: Xiaomin Dong"

Similar presentations

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.

Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.

9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Purpose of the Standards

Purpose of the Standards
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
Network security policy: best practices

Network security policy: best practices
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.
Certification of Market Values STEB PROGRAM Briefing Points 2011 Pennsylvania Department of the Auditor General Thomas E. Marks, CPA Deputy Auditor General.

Certification of Market Values STEB PROGRAM Briefing Points 2011 Pennsylvania Department of the Auditor General Thomas E. Marks, CPA Deputy Auditor General.
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.

Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
Chapter 5 Internal Control over Financial Reporting

Chapter 5 Internal Control over Financial Reporting
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Similar presentations

Ads by Google