2011-12
to download the full document - Auditor-General
Root cause
• IT management considered the proactive review of logs as a labour-intensive exercise, given the high number of users to whom access had been granted to the network and applications and the volume of logs generated by the system.
3.4.4.2. District and local municipalities
At most district and local municipalities IT security policies had not been adequately designed. Most municipalities did not have mechanisms in place for reviewing security violations or failed logon attempts. Consequently, security breaches on the network or application systems might not be detected. Although no instances of unauthorised access were identified at municipalities, appropriate IT controls should be implemented to prevent this risk from materialising in future.
Root causes
• Municipalities that lacked IT resources relied on third-party service providers to maintain the IT security infrastructure and consequently did not have staff with sufficient capacity or technical skills to review security logs.
• There were no processes in place for transferring IT knowledge and skills from third-party service providers to internal resources at municipalities.
• IT resources at some municipalities did not have sufficient knowledge regarding password security parameters and relied on prior-year audit findings to provide guidance.
• IT resources at municipalities focused on day-to-day operations and considered the proactive reviewing of security reports to be a labour-intensive, low-priority task.
Good practices
No weaknesses were identified in the management of IT security at the Eden District, Knysna and Overstrand Municipalities. This could be attributed to the leadership demonstrated by the IT manager, hands-on management and efficient use of available IT resources.
3.4.5 User access management
User access controls are measures designed by management to prevent and detect the risk of unauthorised access, creation or amendment of financial and performance information stored in the application system. This responsibility normally resides within core and supporting business units. User access management controls at the municipalities were evaluated in terms of their status in relation to the IT control life cycle, namely design, implementation and operating effectiveness. Outcomes are shown below:
Figure 16: User access audit outcomes – municipalities