
Cabalo, Procerfina C.

Article Review on: Audit: FEC Still in "Significant" Danger of Hacking

A4B

Summary

The Federal Election Commission's computer and IT security continues to suffer from "significant deficiencies," and the agency remains at "high risk," according to a new audit of the agency's operations. The FEC suffers from susceptibility in its internal control of information and information systems. A Center for Public Integrity investigation revealed that Chinese hackers penetrated the FEC's system during the initial days of October's government shutdown, and the most evident security breach occurred when an unspecified "advanced persistent threat" broke into an unnamed FEC commissioner's computer user account. This computer user account divulged an accessible malware towards sensitive documents. Another alarming incident is that an FEC employee gained unauthorized access to personnel-related files, labor management files and administrative law files.

The FEC's auditors cited possible reasons for the security breach and recommendations to prevent further infiltration of important information. The possible reasons for the breach include: a) not implementing various government IT security standards and b) not heeding the IT security recommendations from a separate audit conducted in 2012. The recommendations, on the other hand, include: a) implementation of government-wide minimum best practice IT security controls, b) provide sufficient budgetary and personnel resources to ensure that actions are properly accomplished, and c) all of its computer account passwords within the next 60 days. The FEC stated that it is "moving as quickly as possible on the recommendations" and that "several of the recommendations have been implemented." It is also in the process of hiring new IT security specialists and diverting resources to reinforce systems.

Application

Computer auditing, sometimes referred to as IT auditing, is primarily concerned with matters related to information and communications technologies, such as risk, control, and compliance. This article enables readers to realize the importance of IT auditors in an organization, particularly one that relies on IT systems.
As in the article, IT auditors are in charge of scrutinizing how IT systems, related networks, and the procedures for designing, developing, implementing, managing and maintaining them handle risks to the organization. The auditors of the FEC were able to detect vulnerabilities in the entity's system in terms of information security through a computer audit. The article presents the essence of computer audit and of computer auditors in expressing an opinion on the risk present in an organization's system. It is important for an entity to be informed of the auditor's opinion on the level of risk in the system so that it can assess the possible effects of those risks on the daily operation of the business and on its profitability. Being aware of the risks present gives the company an opportunity to mitigate them and to improve or change the portion of the system that contributes to them. The auditor's opinion on how much reliance can be placed on the system is of great importance in evaluating how well the system is performing, especially when the system is in charge of keeping confidential information, as in the case of the FEC.

Aside from providing management with independent and objective assurance as to the level of security applied within the IT environment, computer auditors also provide advice. In the case of the FEC, the auditors provided three (3) recommendations to prevent and/or detect intrusions and breaches. The recommendations provided by computer auditors help organizations decide what actions to take to improve and maintain the system.

In terms of internal control, computers with proper security are good controls, especially for confidential information. Reliable internal control in an IT environment helps alleviate computer fraud or abuse due to unauthorized disclosure of confidential information, unauthorized modification or destruction of software and data, and even use of IT facilities for personal business. If internal control is weak, problems are likely to arise, as in the FEC case, where sensitive documents, personnel-related files, labor management files and administrative law files that should only be accessed by authorized personnel were retrieved by an unauthorized computer user account.

Behind the essence of computer auditing in an organization is the computer auditor. Successful computer auditing is based upon a foundation of technical excellence. Therefore, for a computer audit to add value to the organization, a computer auditor must be up to date with the constant and rapid developments in IT.

http://truth-out.org/news/item/21025-audit-fec-still-in-significant-danger-of-hacking
