. The lack of an approved and standardised configuration increased the risk of systems being insecurely configured and makes the accounting system vulnerable. . The current firewall was ineffective in preventing unauthorised access to the application systems and network components. . Security patches addressed important security issues in between service packs. . The aforementioned security parches were however not installed, which leaves the systems vulnerable to be exploited and to gain unauthorised access. . Antivirus software was out-dated. There was a risk that a virus may impact the system performance and availability. . There was not a sound and formally approved security policy in place therefore, users do not have any rules and procedures to follow in order to minimise the risk of errors, fraud and the loss of data confidentiality, integrity and availability.