Artificial Intelligence (AI) systems have moved into the mainstream in 2022 with the development of the ChatGPT AI engine.

Since drafting quality audit findings is a critical competency for auditors, we decided to give ChatGPT a go.

The audit findings below were generated by ChatGPT from the instructions highlighted in bold. We tried to make the audit findings slightly more complex and technical with each iteration.

We found that the audit findings generated were of a quality and creativity easily equivalent to a few hours of work from a senior audit consultant. We believe that AI systems will disrupt and transform various consulting industries going forward.

Write me an audit finding on the risk of not having a disaster recovery plan

Audit Finding: High Risk – Lack of Disaster Recovery Plan

Description: The organization has been found to not have an effective disaster recovery plan in place to protect against data loss and system downtime in case of a disaster.

Risks:

  • In the event of a natural disaster, cyber-attack, or other unforeseen event, the organization may not have the means to restore operations and data in a timely manner.
  • Loss of data and system downtime can lead to financial losses and damage to the organization’s reputation.
  • Without a disaster recovery plan, the organization may not be able to meet regulatory compliance requirements that mandate the protection of sensitive data.

Recommendation:

  • Develop and implement a comprehensive disaster recovery plan that includes procedures for data backup, restoration, and testing.
  • Make sure that the disaster recovery plan is regularly reviewed, updated, and tested to ensure its effectiveness.
  • Implement a disaster recovery solution that can be activated quickly and with minimal disruption to business operations.
  • Ensure that all key stakeholders are aware of the disaster recovery plan and have the necessary training to implement it in case of an emergency.
  • Regularly test and audit the disaster recovery plan and all its procedures to identify any weaknesses and improve it.

Write me an audit finding on the risks where the disaster recovery plan has not been reviewed in the last 24 months. Nor has the plan been tested

Audit Finding: Medium Risk – Outdated and Untested Disaster Recovery Plan

Description: The organization’s disaster recovery plan has not been reviewed in the last 24 months and has not been tested. This leaves the organization at risk of not being able to effectively respond to and recover from a disaster.

Risks:

  • An outdated disaster recovery plan may not take into account recent changes to the organization’s systems, networks, and data, making it ineffective in restoring operations and data in a timely manner.
  • Without testing the disaster recovery plan, the organization may not be aware of any shortcomings or weaknesses in the plan that could impede recovery efforts.
  • The organization may not be able to meet regulatory compliance requirements that mandate regular review and testing of disaster recovery plans.

Recommendation:

  • Review and update the disaster recovery plan on a regular basis to ensure that it takes into account any recent changes to the organization’s systems, networks, and data.
  • Test the disaster recovery plan regularly to identify any shortcomings and make necessary improvements.
  • Ensure that key stakeholders are aware of the disaster recovery plan and have the necessary training to implement it in case of an emergency.
  • Document the review and test results, including any changes made to the plan, and keep them for future reference.
  • Review the plan at least once in two years as a best practice.

Write me an audit finding on the risks where the client has no disaster recovery plan. Please include a recommendation of 10 bullet points of disaster recovery best practices

Audit Finding: High Risk – Absence of Disaster Recovery Plan

Description: The organization has been found to not have a disaster recovery plan in place to protect against data loss and system downtime in case of a disaster. This puts the organization at a significant risk of not being able to recover from a disaster and resume normal operations.

Risks:

  • In the event of a natural disaster, cyber attack, or other unforeseen event, the organization may not have the means to restore operations and data in a timely manner.
  • Loss of data and system downtime can lead to financial losses and damage to the organization’s reputation.
  • Without a disaster recovery plan, the organization may not be able to meet regulatory compliance requirements that mandate the protection of sensitive data.

Recommendation:

  • Develop and implement a comprehensive disaster recovery plan that includes the following best practices:
  • Identify and prioritize critical systems and data.
  • Develop procedures for data backup, restoration, and testing.
  • Make sure that the disaster recovery plan is regularly reviewed, updated, and tested to ensure its effectiveness.
  • Implement a disaster recovery solution that can be activated quickly and with minimal disruption to business operations.
  • Ensure that all key stakeholders are aware of the disaster recovery plan and have the necessary training to implement it in case of an emergency.
  • Regularly test and audit the disaster recovery plan and all its procedures to identify any weaknesses and improve it.
  • Document the disaster recovery plan, including all procedures, roles, and contact information, and make sure that it is accessible to all stakeholders.
  • Consider using cloud-based disaster recovery solutions to provide additional redundancy and scalability.
  • Have a backup plan in place in case the primary disaster recovery plan fails.
  • Have a communication plan in place to keep all stakeholders informed and minimize confusion in case of a disaster.
  • It’s very important to have a disaster recovery plan and to review and test it regularly as a best practice to minimize the risk of data loss and system downtime, and to ensure the continuity of business operations.

Write me an audit finding highlighting the risks of running port 21 and 23 on internet facing servers

Audit Finding: High Risk – Unsecured FTP and Telnet Services Exposed to the Internet

Description: The servers in question have been found to be running port 21 (FTP) and port 23 (Telnet) services on internet facing interfaces. These services provide unencrypted, clear-text access to the file system and command line interface of the server, respectively.

Risks:

  • Unencrypted communications can be intercepted by attackers and sensitive data can be compromised.
  • FTP and Telnet protocols do not provide strong authentication mechanisms, leaving the servers vulnerable to brute-force password guessing attacks.
  • Unauthorized access to the command line interface of the server can provide an attacker with the ability to execute arbitrary commands and potentially compromise the entire system.

Recommendation:

  • Disable FTP and Telnet services on internet facing interfaces and use secure alternatives such as SFTP and SSH.
  • Implement strong authentication methods such as public-key authentication for secure file transfer protocols.
  • Use firewalls to block incoming traffic to these ports on internet facing interfaces.
  • Regularly monitor and audit the logs of the servers to detect any suspicious activity.
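As an added example (not part of the original post or of the ChatGPT output above), here is a defender-side check for the last finding: it parses the output of `ss -tlnH` from a Linux host and flags FTP (21) and Telnet (23) listeners bound to addresses reachable from the internet, while ignoring loopback and RFC 1918 binds. The sample `ss` output and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not from the page); columns are
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 5 127.0.0.1:23 0.0.0.0:*
LISTEN 0 5 203.0.113.10:23 0.0.0.0:*
LISTEN 0 128 [::]:21 [::]:*
LISTEN 0 128 10.0.0.5:21 0.0.0.0:*
"""

CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet"}

# Bind addresses that cannot be reached directly from the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_listeners(ss_output):
    """Return (bind_address, port) for every LISTEN socket in `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rsplit on the last ':' so IPv6 literals such as [::]:21 parse correctly
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")
        listeners.append((addr, int(port)))
    return listeners

def is_internet_facing(addr):
    """Wildcard binds count as exposed; loopback, RFC 1918 and link-local do not."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: listens on every interface
        return True
    return not any(ip in net for net in NON_ROUTABLE)

def find_exposed_cleartext_services(ss_output):
    """Flag FTP/Telnet listeners whose bind address is reachable from the internet."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in CLEARTEXT_SERVICES and is_internet_facing(addr):
            findings.append((CLEARTEXT_SERVICES[port], port, addr))
    return findings

if __name__ == "__main__":
    for service, port, addr in find_exposed_cleartext_services(SAMPLE_SS_OUTPUT):
        print(f"HIGH: {service} (port {port}) listening on {addr}")
```

Run it against `ss -tlnH` output collected from each internet-facing server; any line it prints maps directly to the finding above, and a clean run after the services are disabled is the evidence to close it.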