auditor general of bc - the status of government’s general computing controls: 2014

8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014

httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 125

THE STATUS OF GOVERNMENTrsquoS

GENERAL COMPUTING CONTROLS 2014

wwwbcauditorcom

December 2015



623 Fort StreeVictoria British Columbia

Canada V8W 1G1P 2504196100F 2503871230

wwwbcauditorcom

CONTENTS

Auditor Generalrsquos Comments 3

Report Highlights 5

Response from The Ministry of TechnologyInnovation and Citizensrsquo Services 6

Background 7

What we did 8

What we observed 10

What organizations should do 17

Appendix A Maturity level

by IT process and type of organization 18

Appendix B Summary of IT audit

recommendations over the last 10 years 23

Te Honourable Linda Reid

Speaker o he Legislaive AssemblyProvince o Briish Columbia

Parliamen Buildings

Vicoria Briish Columbia

V983096V 983089X983092

Dear Madame Speaker

I have he honour o ransmi o he Legislaive Assembly oBriish Columbia my repor Te Status of Governmentrsquos General

Computing Controls 983090983088983089983092

We conduced his audi under he auhoriy o secions 983089983088 and

983089983089 (983096) (b) o he Auditor General Act and in accordance wih he

sandards or assurance engagemens se ou by he Charered

Proessional Accounans o Canada (CPA) in he CPA Canada

Handbook ndash Assurance and in accordance wih Value-or-

Money Audiing in he Public Secor

Carol Bellringer FCPA FCA

Audior General

Vicoria BC

December 983090983088983089983093



Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014

C983137983154983151983148 B983141983148983148983154983145983150983143983141983154 FCPA FCA Auditor General

AUDITOR GENERALrsquoSCOMMENTSI983150983142983151983154983149983137983156983145983151983150 983141983139983144983150983151983148983151983143983161 (I) sysems are vulnerableo hreas like hacking hef and sysems disrupion due o physical

damage or saboage For governmen I sysems herersquos even more

a sake because hese sysems conain subsanial ndash and sensiive ndash

inormaion We rely on I sysems or essenial services like healhcare

educaion and ransporaion and or millions o financial ransacions

across all governmen organizaions

Srong general compuing conrols are governmenrsquos firs line o deence

agains poenial hreas Tey conrol who can access he sysems

(confidenialiy) how o make changes o he sysems (inegriy) and

backup and recovery o sysems (availabiliy)

Wersquove seen issues wih general compuing conrols in previous audis

o I sysems including PARIS CORNE JUSIN ICM and

wireless neworks in governmen Over he las 983089983088 years 983095983096 o he

recommendaions in our I audi repors have been abou improving

general compuing conrols hus illusraing heir imporance

For his repor we looked a how good governmenrsquos general compuingconrols are and how good governmen organizaions hink hey are

o do his we asked 983089983092983096 governmen organizaions (minisries Crown

corporaions healh auhoriies universiies colleges schools and more)

o sel-assess how well-developed and capable heir general compuing

conrols are Tis is known as he mauriy level We hen validaed 983089983091 sel-

assessmens rom across all ypes o organizaions

Te majoriy o organizaions sel-assessed a mauriy level 983091 and

above However in our validaion we ound ha 983094983097 o organizaions

over-raed heir sel-assessmens Tey didnrsquo have sufficien evidenceo suppor heir sel-assessmens And mos o he organizaions lacked

documenaion o policies and procedures ndash boh hallmarks o maure




general compuing conrols We encourage all organizaions o ake a

criical look a heir I processes and be realisic abou heir level

o mauriy

We believe ha each organizaion should aim or a leas mauriy level 983091

as heir baseline Ta said some organizaions should have a higher arge

mauriy level especially hose ha have complex compuing needs or

handle sensiive inormaion

Te findings and recommendaions rom his audi should be o ineres

o all I proessionals in governmen organizaions Senior managemen

needs o ully undersand he imporance o general compuing

conrols and how hey can miigae hreas o heir I sysems We are

recommending ha organizaions review heir business and I goals and

deermine which mauriy level is bes suied or heir needs and hen

ensure ha mauriy level is achieved and mainained

We are graeul o all 983089983092983096 organizaions or compleing heir sel-

assessmens We had a 983089983088983088 response rae which helps o make our job

easier And hank you o he 983089983091 organizaions whose resuls we validaed

ndash we appreciae your cooperaion


Audior General

Vicoria BC

December 983090983088983089983093

AUDITOR GENERALrsquoS COMMENTS




78

of our previousIT audit

recommendations

were about

IT is critical to governmentrsquos

service delivery ndash

from healthcare to

education



from healthcare to

educationStrong general

computing controls

can reduce the impact

of risks

Strong general

computing controls


of risks

Over 600

IT services are outsourced

to external

parties

Over 600


to external

parties

general

computingcontrols

general

computingcontrols

69 of audited

organizations lackedsufficient evidence

to support theirself-assessed levels

Majority oforganizationsself -assessed at

MATURITY

LEVEL 3

AND

ABOVE


MATURITY

LEVEL 3

AND

ABOVE

USE OF IT COMES WITH RISKS

FRAUD

ERRORS

SYSTEMDISRUPTION

BC governmentorganizationsSELF-ASSESSED A

HIGHER AVERAGE

MATURITY LEVEL

THAN 2013

REPORT HIGHLIGHTS




RESPONSE FROM THEMINISTRY OF TECHNOLOGY

INNOVATION ANDCITIZENSrsquo SERVICES983144983141 O983142983142983145983139983141 983151983142 he Chie Inormaion Officer (OCIO) would like o hank he Audior General or

reviewing he saus o Governmenrsquos General Compuing conrols Governmen akes very seriously he

imporance o general compuing conrols as he firs line o deense agains poenial hreas and is commited o

ensuring ongoing confidenialiy inegriy and availabiliy o sysems and daa under is mandae

I accep he Audior Generalrsquos recommendaion

peraining o he Governmen Chie Inormaion

Officerrsquos role in promoing srong conrols and

assising organizaions wih implemening hem and

will coninue o carry ou his role wihin my mandae

I have aken promp and appropriae acion and have

planned uure improvemens o he exen ha my

office is empowered o do so under he governmen

Core Policies

o dae we have compleed our Annual Inormaion

Securiy Review and creaed a Vulnerabiliy and

Risk Managemen eam o respond o relevan

incidens inegraed ormal securiy requiremens

ino vendor service procuremens implemened

advanced cybersecuriy and vulnerabiliy scanning

ools published new sandards or Criical Sysems

and Enerprise Business Archiecure o be applied by

all minisries ormalized he erms o Reerence and

processes or OCIOrsquos Change Advisory Board and

compleed governmenrsquos annual Business Coninuiy

Plan exercise and developed plans o address he

idenified gaps

In he coming monhs we plan o underake a

comprehensive daa classificaion sandards review

coninue our work on developing a Cloud securiy

sandard coninue o implemen criical securiy

inrasrucure ino governmenrsquos daa cenres implemen

a governmen-wide proacive issues managemen process

and coninue our effors o ensure compliance wih

relevan governmen sandards and policies

We appreciae he effors o he Office o he Audior General (OAG) o Briish Columbia in

heir assessmen o governmenrsquos compuing general

conrols wih he ulimae objecive o reducing overall

risk o governmen Te inormaion provided by ldquoTe

Saus o Governmenrsquos General Compuing Conrols

983090983088983089983092rdquo has provided valuable inormaion regarding he

mauriy o he managemen o he conrols and will

assis in prioriizing improvemens

My office will coninue o work wih Minisry Chie

Inormaion Officers o improve managemen o

conrols o achieve heir argeed mauriy level We

look orward o uure yearsrsquo assessmen by he Audior

General saff




BACKGROUNDTHE IMPORTANCE OF GENERAL

COMPUTING CONTROLSI983150983142983151983154983149983137983156983145983151983150 983141983139983144983150983151983148983151983143983161 (I) is criical o governmenrsquos day-o-day operaions From

delivering services like healhcare and educaion o processing billions o dollars in ransacions BCrsquos

governmen I sysems handle subsanial and sensiive inormaion Tis impacs he daily lives o everyone in

our province

More and more governmen is relying on hird paries

o develop heir I sysems and provide I services

Tere are currenly over 983094983088983088 ousourced I sysems

and services across governmen

All hese come wih risks such as

raud inenional access o sysems and daa

or personal gain

human errors uninenional changes o

sysems and daa

down ime inabiliy o resume criical services

quickly aer an unexpeced disrupion (power

ouages disasers or malicious aciviies)

o reduce he impac o hese risks governmen needs

srong conrols

General compuing conrols ensure ha I sysems

and services can help organizaions ulfill heir

needs (he business objecives) hrough he proper

developmen and implemenaion o applicaions

as well as he inegriy o programs daa files andcompuer operaions

Tey play an imporan role in deecing and

prevening raud and errors proecing organizaionsrsquo

I asses and ensuring ha criical business

operaions could coninue As such 983095983096 o he

recommendaions in our I audi repors over he

las 983089983088 years ocused on improving general compuing

conrols See Appendix B or a summary o hese 983089983088983092

I audi recommendaions

RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS

Te BC Office o he Governmen Chie Inormaion

Officer is mandaed wih governance auhoriy

or sandards seting oversigh and approvals or

he provincersquos inormaion and communicaionsechnology

BC governmen organizaions are responsible

or ollowing he spiri and inen o his policy in

designing and implemening he general compuing

conrols bes suied or heir I environmen ndash

regardless o wheher I sysems or services are in-

house or ousourced

BC governmen organizaions include minisriesCrown corporaions universiies colleges school

disrics healh auhoriies and oher organizaions

conrolled by or accounable o he provincial

governmen Collecively hey are called he

Government Reporting Entity (GRE)




2013

I983150 983090983088983089983091 983159983141 asked 983089983091983096 organizaions in he GRE o complee a sel-assessmen o heir sophisicaionregarding use o general compuing conrols We repored he resuls in erms o a mauriy level ha each BC

governmen organizaion had atained

Te sel-assessmen was designed using he mauriy

model defined in he COBI 983092983089 ramework

(see Exhibi 983089) Te mauriy model is a way o

assess how well developed and capable he

esablished I conrols are

COBI 983092983089 is a globally acceped rameworkdeveloped by he I Governance Insiue Te

insiue was ormed by ISACA ndash an independen

non-profi global associaion ha engages in he

developmen adopion and use o globally acceped

indusry-leading knowledge and pracices or

inormaion sysems

Te sel-assessmen ocused on nine critical I processes

defined in COBI 983092983089 as essenial or mainaining

confidentiality proecing he inormaion hey

manage

integrity ensuring ha ransacions are

processed correcly

availability ensuring cr iical governmen

services are always up and running

WHAT WE DID

983088 - Non-existent Complete lack o any recognizableprocesses Te enterprise has not even recognized that there is

an issue to be addressed

983089 - Initialad hoc Tere is evidence that the enterprise

has recognized that the issues exist and need to be addressed

Tere are however no standardized processes instead there

are ad hoc approaches that tend to be applied on an individual

or case-by-case basis Te overall approach to management is

disorganized

983090 - Repeatable but intuitive Processes have developed to

the stage where similar procedures are ollowed by differentpeople undertaking the same task Tere is no ormal training

or communication o standard procedures and responsibility

is lef to the individual Tere is a high degree o reliance on the

knowledge o individuals and thereore errors are likely

983091 - Defined Process Procedures have been standardizedand documented and communicated through training It is

mandated that these processes should be ollowed however

it is unlikely that deviations will be detected Te procedures

themselves are not sophisticated but are the ormalization o

existing practices

983092 - Managed and measurable Management monitors

and measures compliance with procedures and takes action

where processes appear not to be working effectively Processes

are under constant improvement and provide good practice

Automation and tools are used in a limited or ragmented way

983093 - Optimized Processes have been refined to a level o good

practice based on the results o continuous improvement and

maturity modeling with other enterprises I is used in an

integrated way to automate the workflow providing tools to

improve quality and effectiveness making the enterprise quick

to adapt

Exhibit 1 COBIT 41 Maturity model rating definitions

Source COBI 983092983089 conrol ramework or I governance ( wwwisacaorg)




See able 983089 or he descripion o each o he

nine areas

In 983090983088983089983091 we received 983089983088983088 o he organizaionsrsquo sel-assessmens We did no validae he resuls o heir

sel-assessmens bu we sen repors o he heads o

each organizaion Te repors showed heir resuls

compared o similar organizaions and provided

recommendaions on how hey can achieve or improve

heir arge mauriy levels We also sen a summary

repor o he BC Governmen Chie Inormaion

Officer

In January 983090983088983089983092 we published a high-level reporsummarizing our findings and inen or uure years as

par o our I compendium repor

2014

In Augus 983090983088983089983092 we asked he same 983089983091983095983089 organizaions

plus nine Independen Offices o he Legislaive

Assembly and wo new organizaions (in oal 983089983092983096

organizaions) o complee he same sel-assessmen

Tis year hough we seleced 983089983091 organizaions

and validaed heir sel-assessmens Tis sample

included a minisry a healh auhoriy wo Crown

corporaions hree universiies wo colleges and our

school disrics Te validaion process included

reviewing he compleed sel-assessmen orm

inerviewing key I personnel rom each

organizaion

examining supporing evidence or he sel-

assessed levels

983089 One o he 983089983091983096 organizaions in 983090983088983089983091 was dissolved in 983090983088983089983092

WHAT WE DID

Again we sen deailed repors o he heads o all

983089983092983096 organizaions comparing heir resuls o similar

organizaions as well as heir 983090983088983089983091 resuls Tese

repors provided recommendaions on how hey canachieve or improve on heir arge mauriy levels We

also sen a summary repor o he BC Governmen

Chie Inormaion Officer

We conduced his projec under secions 983089983088 and 983089983089

(983096) (b) o he Auditor General Act rom Augus 983090983088983089983092 o

June 983090983088983089983093

DETERMINING THE

BENCHMARK

Te COBI 983092983089 model saes ha mauriy levels may

be differen or each organizaion depending on he

organizaionsrsquo business objecives complexiy o heir

compuing sysems and I environmen and he

value o he inormaion hey manage For example

a governmen organizaion ha has he personal

inormaion o every person in Briish Columbia or

ha provides criical services should have highermauriy levels

We believe ha each organizaion should aim or a

leas maturity level 983091 Defined Process as heir baseline

A his level organizaions have sandardized and

documened heir procedures mandaed ha hey be

ollowed and rained saff accordingly




WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s

2014 Range 2013 Range2013 Average2014 Average

ORGANIZATIONS SELF-ASSESSED A HIGHER

AVERAGE MATURITY LEVEL THAN 2013

O983158983141983154983137983148983148 983156983144983141 983137983158983141983154983137983143983141 sel-assessed mauriy level across all he organizaions in he BC GRE and

he nine I processes was beween 983090983091 and 983091983092 Tis is slighly higher han he 983090983088983089983091 resuls which were beween

mauriy levels 983090983090 and 983091983091 (See Exhibi 983090)

Healh auhoriies minisries and Crown corporaions

had consisenly higher average mauriy levels

han universiies colleges and school disrics

See Appendix A or mauriy levels by he nine I

processes and ype o organizaion

Exhibit 2 Range and average self-assessed maturity level for each IT process

Source Office o he Audior General o Briish Columbia




THE MAJORITY OF ORGANIZATIONS SELF-

ASSESSED AT MATURITY LEVEL 3 AND ABOVE

Beween 983093983089 and 983096983092 o he organizaions sel-assessed a mauriy level 983091 and above in eigh o he nine Iprocesses (See Exhibi 983091)

WHAT WE OBSERVED

Exhibit 3 Percentage of organizations that self-assessed at maturity level 3 and above for each IT process

P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s

2014 - Maturity level 3 and above2014 - Below maturity level 3


49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35





MOST ORGANIZATIONS LACKED SUFFICIENT

EVIDENCE TO SUPPORT THEIR SELF-ASSESSED

MATURITY LEVEL In our validaion we ound ha nine o he 983089983091

organizaions (983094983097) did no have sufficien evidence

o suppor heir sel-assessed mauriy level in one or

as many as all nine I processes

For organizaions ha had insufficien evidence o

suppor heir sel-assessmens we discussed our

findings wih hose organizaions and adjused heir

mauriy levels accordingly

Validation findings for the nineIT processes

Te able below summarizes our validaion resuls or

each o he nine I processes we looked a

WHAT WE OBSERVED

Table 1 Validation findings for each IT process

1 Assess and manage IT risks

All organizaions should define a risk managemen ramework or ideniying assessing and reaing risks ha affec key business areas Te ramework helps gaher inormaion on I operaions risks so ha senior managemen can makeinormed decisions abou he risks hey are willing o accep

Number of organizations withinsufficient evidence Deficiencies in general computing controls

Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 and 4

Risk ma nagemen processes and aciv iies were

no ormally documened

in he process o being documened

in he early sage o implemenaion

Risk ma nagemen processes were no consisenly applied o all

aciviies in I operaions




2 Manage changes

Organizaions should manage changes o sysems o preven inaccurae daa processing disrupion or delay o ser vicesor cause loss o inormaion Prior o implemenaion organizaions should define policies sandards procedures and

roles and responsibiliies or monioring assessing and auhorizing changes


Tree organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 4 or 5

Change managemen processes were

no esablished


in he process o being developed


Lack o managemenrsquos periodic monioring o compliance wih

esablished policies sandards and procedures

3 Install and accredit solutions and changes

In conjuncion wih he policies and procedures or managing changes o sysems organizaions need o have properplanning esing and implemenaion o changes and carry ou a pos-implemenaion review Tis will help ensure hasysems are operaional and are in-line wih he agreed-upon expecaions and oucomes


Four organizaions lacked sufficienevidence o suppor sel-assessed

mauriy levels 3 or 4

Procedures were

ad hoc inormally documened

sill being developed

4 Manage third-party services

Organizaions should ensure ha hird-pary service providers are meeing business requiremens Tis is accomplished by clearly defining he roles responsibiliies and expecaions o all paries ogeher wih effecive monioring ocompliance wih service agreemens Tese processes help organizaions miigae he risk o hird-pary providersailing o perorm in accordance wih agreemens


wo organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 or 45

Lack o ormal documenaion in selecing and managing

hird-pary providers

Did no ollow is I purchasing policy a nd he policy was ou-daed

WHAT WE OBSERVED




5 Ensure continuous service

Te provision o coninuous uninerruped service requires defining roles and responsibiliies or all involved pariesdeveloping mainaining and periodic esing o I coninuiy plans using off-sie backup sorage or sysems and daa

and periodic I coninuiy raining Tese processes help minimize he impac o a major I service inerrupion onkey business uncions and processes


Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 35 or 4

Roles and responsibiliies were no deined

Lack o raining a nd monioring or coninuous service

I coninuiy plans were

non-exisen


in exisence bu neiher updaed nor regularly esed

Backup aciliy wa s close o he main daa cenre and was exposed o

he same physical risks (earhquake sorm lood ire ec)

6 Ensure systems security

o mainain he inegriy o criical inormaion and proec heir I asses organizaions should define a securiymanagemen process which y pically includes

esablishing and mainai ning I secur iy policies sandards procedures plans roles and responsibiliies

monioring and esing securiy plans periodically o ideniy secur iy weaknesses or incidens

developing and carryi ng ou correcive acions in order o minimize heir business impac


Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 o 45

I securiy policies procedures and plans were

no deined or ormally documened


no curren

I securiy procedures were no aligned wih I securiy policies

Responsibiliy or sysems secu riy was neiher clearly assigned nor

independen rom I operaions Securiy awareness and raining was limied

Risk and impac analysis esing monioring and reporing on

securiy were rarely car ried ou or was no aligned wih business

objecives

WHAT WE OBSERVED




7 Manage the physical environment

o proec compuing aciliies and saff rom inenional or uninenional harm organizaions should

deine he roles and responsibiliies or managing he physical environmen

esablish appropriae physical sie requiremens

monior environmenal acors

manage physical access


Seven organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels beween 2 and 5

Lack o ormal documenaion o deined

roles and responsibiliies

environmenal and physical securiy requiremens

Physical access o compuing aciliies was neiher moniored norreviewed

Some organizaions had no implemened prevenive measures

where hey had he monioring was weak

No all sa were rained in healh saey and emergency procedures

WHAT WE OBSERVED




8 Manage operations

o ensure complee and accurae processing o daa and minimize delays in business operaions organizaions needo have effecive managemen o daa processing procedures and diligen mainenance o compuing hardware Tis

includes deining roles and responsibiliies or managing I operaions

esablishing operaing pol icies and procedures or daa processing

proecing sensiive repors

monioring I inrasrucure perormance

ensuring prevenive mainenance o compuing hardware


Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 375 4 or 45

Lack o ormal or up-o-dae documenaion o

I sandards a nd operaing procedures

clearly deined responsibiliies

Lack o

ongoing raining

monioring agains I sandards

High degree o reliance on he knowledge o individuals managi ng

I operaions

Processes or monioring he I inrasr ucure were no suicienly

addressing he roo causes o operaional errors and ailures

9 Monitor and evaluate IT performance

Monioring is essenial or effecive managemen o I perormance and ensures ha hings are done in line wihhe se direcions and policies Tis process includes defining and reporing on relevan perormance indicaors andaddressing deviaions promply



Organizaions used ad hoc and in ormal approaches in monioring

and evaluaing I perormance

High degree o reliance on he knowledge o individuals monioring

aciviies

Procedures and indicaors or managing I perormance were sill

in developmen

Where mon ioring processes exis he indicaors were oupu-based

raher han oucome-based

WHAT WE OBSERVED





WHAT ORGANIZATIONSSHOULD DO

W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC

Governmen Reporing Eniy periodically

983089 review heir business and I goals and

deermine he arge mauriy level

983090 analyze he conrols necessary or meeing he

arge mauriy level

983091 deermine wha needs o be done o achieve he

arge mauriy level983092 monior he progress in achieving he arge

mauriy level

in accordance wih he COBI 983092983089 mauriy model

We also recommend ha he BC Office o he

Governmen Chie Inormaion Officer coninue o

promoe srong general compuing conrols and assis

governmen organizaions in achieving and improving

heir arge mauriy level




APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION

A v e r a g e m a t u r i t y

l e v e

l s


0

1

2

3

4

5

2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area

2013 Average for IT process area

School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries

38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28

2013 Average for type of organization

2014 Average for type of organization 2014 Average for IT process area



l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s





APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS

IT audit report titleTotal number of

recommendations

Number of

recommendationswithin the nine ITprocesses

Percentage of


Audi o he Governmens Corporae AccouningSysem Par 1

14 12 86


13 5 38

Elecronic Healh Record Implemenaionin Briish Columbia

3 2 67

Inormaion echnology Compendium - Web Applicaion Securiy Audi

4 4 100

Inegraed Case Managemen Sysem 7 5 71

I Coninuiy Planning in Governmen 9 9 100

Managing Access o he CorrecionsCase Managemen Sysem

9 9 100

Managing Governmens Paymen Processing 6 3 50

Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice

5 5 100

Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks

6 6 100

Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3

22 16 73

Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90

Wireless Neworking Securiy inGovernmen Phase 2

21 15 71

Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line

4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088

oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095

In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089

Fax 983090983093983088-983091983096983095-983089983090983091983088

Email bcaudiorbcaudiorcom

Website wwwbcaudiorcom

Tis repor and ohers are available a our websie which also conains

urher inormaion abou he Office

Reproducing

Inormaion presened here is he inellecual propery o he Audior

General o Briish Columbia and is copyrigh proeced in righ o he

Crown We invie readers o reproduce any maerial asking only ha

hey credi our Office wih auhorship when any inormaion resuls or

recommendaions are used

AUDIT TEAMCornell Dover

Assistant Auditor General

Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak

Senior Auditor Financial Audit

Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee

Senior Audit Associate

Financial Audit

Tank you to our staff members

not listed above for your work on

this project





623 Fort StreeVictoria British Columbia

Canada V8W 1G1P 2504196100F 2503871230

wwwbcauditorcom

CONTENTS

Auditor Generalrsquos Comments 3

Report Highlights 5

Response from The Ministry of TechnologyInnovation and Citizensrsquo Services 6

Background 7

What we did 8

What we observed 10

What organizations should do 17

Appendix A Maturity level

by IT process and type of organization 18

Appendix B Summary of IT audit

recommendations over the last 10 years 23

Te Honourable Linda Reid

Speaker o he Legislaive AssemblyProvince o Briish Columbia

Parliamen Buildings


V983096V 983089X983092

Dear Madame Speaker

I have he honour o ransmi o he Legislaive Assembly oBriish Columbia my repor Te Status of Governmentrsquos General

Computing Controls 983090983088983089983092

We conduced his audi under he auhoriy o secions 983089983088 and

983089983089 (983096) (b) o he Auditor General Act and in accordance wih he

sandards or assurance engagemens se ou by he Charered

Proessional Accounans o Canada (CPA) in he CPA Canada

Handbook ndash Assurance and in accordance wih Value-or-

Money Audiing in he Public Secor


Audior General

Vicoria BC

December 983090983088983089983093



































o mauriy

















Audior General

Vicoria BC

December 983090983088983089983093





78


recommendations

were about



from healthcare to

education



from healthcare to


computing controls


of risks

Strong general

computing controls


of risks

Over 600


to external

parties

Over 600


to external

parties

general

computingcontrols

general

computingcontrols

69 of audited




MATURITY

LEVEL 3

AND

ABOVE


MATURITY

LEVEL 3

AND

ABOVE


FRAUD

ERRORS

SYSTEMDISRUPTION


HIGHER AVERAGE

MATURITY LEVEL

THAN 2013

REPORT HIGHLIGHTS

















Core Policies













idenified gaps





















General saff








our province







or personal gain


sysems and daa





srong conrols














RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS










house or ousourced









2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project





































o mauriy

















Audior General

Vicoria BC

December 983090983088983089983093





78


recommendations

were about



from healthcare to

education



from healthcare to


computing controls


of risks

Strong general

computing controls


of risks

Over 600


to external

parties

Over 600


to external

parties

general

computingcontrols

general

computingcontrols

69 of audited




MATURITY

LEVEL 3

AND

ABOVE


MATURITY

LEVEL 3

AND

ABOVE


FRAUD

ERRORS

SYSTEMDISRUPTION


HIGHER AVERAGE

MATURITY LEVEL

THAN 2013

REPORT HIGHLIGHTS

















Core Policies













idenified gaps





















General saff








our province







or personal gain


sysems and daa





srong conrols














RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS










house or ousourced









2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






78


recommendations

were about



from healthcare to

education



from healthcare to


computing controls


of risks

Strong general

computing controls


of risks

Over 600


to external

parties

Over 600


to external

parties

general

computingcontrols

general

computingcontrols

69 of audited




MATURITY

LEVEL 3

AND

ABOVE


MATURITY

LEVEL 3

AND

ABOVE


FRAUD

ERRORS

SYSTEMDISRUPTION


HIGHER AVERAGE

MATURITY LEVEL

THAN 2013

REPORT HIGHLIGHTS

















Core Policies













idenified gaps





















General saff








our province







or personal gain


sysems and daa





srong conrols














RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS










house or ousourced









2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project



















Core Policies













idenified gaps





















General saff








our province







or personal gain


sysems and daa





srong conrols














RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS










house or ousourced









2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project










our province







or personal gain


sysems and daa





srong conrols














RESPONSIBI LITY FOR

GENERAL COMPUTING

CONTROLS










house or ousourced









2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






2013













inormaion sysems




manage


processed correcly



WHAT WE DID








disorganized










existing practices











to adapt







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project







nine areas








Officer



2014












organizaion


assessed levels


WHAT WE DID









June 983090983088983089983093

DETERMINING THE

BENCHMARK

















WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






WHAT WE OBSERVED

0

1

2

3

4

5

27 26

31 3130 29 28

3028

32 3134 33

23 22

30 3029

M a t u r i t y

l e v e

l s

IT processes

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l e

n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n a

g e t h i r d -

p a r t y

s e r v i c e

s

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A

s s e s s a n

d m a n

a g e I T

r i s k s




















WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project









WHAT WE OBSERVED


P e r c e n t a g e

IT processes

0

20

40

60

80

100

M o n i t o

r a n d

e v a l u a

t e

I T p e r f o

r m a n

c e

M a n

a g e o p

e r a t i o

n s

M a n

a g e t h e

p h y s i c a l

e n v i r o

n m e n t

E n s u r e

s y s t e

m s s e

c u r i t y

E n s u r e

c o n t i n u

o u s s e

r v i c e

M a n

a g e t h i r d -

p a r t y

s e r v i c e

I n s t a l l a n

d a c c r

e d i t

s o l u t i o

n s a n d

c h a n g

e s

M a n

a g e c h a

n g e s

A s s e s s

a n d

m a n

a g e I T r i s k s



49 52

51 48

30 39

70 61

33 35

67 65

25 31

75 69

41 43

59 57

32 39

68 61

18 20

82 80

16 20

84 80

60 65

40 35


















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project



















WHAT WE OBSERVED















2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






2 Manage changes






no esablished











Procedures were








hird-pary providers


WHAT WE OBSERVED












non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project














non-exisen















no curren






objecives

WHAT WE OBSERVED



















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project





















WHAT WE OBSERVED




8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






8 Manage operations












Lack o

ongoing raining



I operaions










aciviies


in developmen



WHAT WE OBSERVED











arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project












arge mauriy level



mauriy level












l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project








l e v e

l s


0

1

2

3

4

5




38 36 30 29 40 38 25 25 23 21 23 22


l e v e

l s

2 Manage changes

0

1

2

3

4

5


39 39 36 33 38 38 31 28 26 24 27 25







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project







l e v e

l s


0

1

2

3

4

5


38 37 33 31 38 40 34 30 21 20 27 28





l e v e

l s


0

1

2

3

4

5


39 38 36 34 35 32 28 29 30 29 27 25








0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project







0

1

2

3

4

5


32 32 30 29 34 33 24 23 26 25 28 27





l e v e

l s


0

1

2

3

4

5


37 37 32 28 33 38 28 25 22 25 28 26


l e v e

l s








0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project







0

1

2

3

4

5


37 35 36 35 38 38 38 34 30 28 29 29





l e v e

l s

8 Manage operations

0

1

2

3

4

5


37 36 38 36 41 40 35 32 33 33 31 32




l e v e

l s






0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project







0

1

2

3

4

5


28 25 28 25 32 28 18 16 22 18 21 21





l e v e

l s







recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project








recommendations

Number of


Percentage of



14 12 86


13 5 38


3 2 67


4 4 100




9 9 100



5 5 100


6 6 100


22 16 73



21 15 71


4 4 100

Total 133 104 78




Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project






Location

983094983090983091 For Sree


Canada V983096W 983089G983089

Office Hours

Monday o Friday

983096983091983088 am ndash 983092983091983088 pm

Telephone 983090983093983088-983092983089983097-983094983089983088983088



Fax 983090983093983088-983091983096983095-983089983090983091983088





Reproducing








Corporate Services

David Lau

Director I Audit

Joji Forin

Manager I Audit

Joyce Mak


Helen Li- Hennessey


Nijjy Poikanon

Auditor I Audit

Wendy Lee


Financial Audit



this project



auditor general of bc - the status of government’s general computing controls: 2014

Documents