Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com

DETAIL AUDIT PROGRAM
Information Systems General Controls Review

1.0 Introduction

The objectives of this audit are to review policies, procedures, practices, and the organizational structure so as to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected, and corrected. The audit program is divided into the following sections:

• Section 2.0: General Organization Control Procedures
• Section 3.0: IS Processes
• Section 4.0: Disaster Recovery
• Section 5.0: Logical Access Security
• Section 6.0: Physical Access and Asset Protection
• Section 7.0: IS Budget Process

References:
1. Corporate Financial Standards Guidelines, Section 3, Data Processing Standards
2. Corporate Internal Audit, Information Systems Audit Overview
3. Corporate Policies and Procedures
4. Corporate Internal Audit, Help Manual
5. Handbook of IT Auditing, by J. Donald Warren, Jr., Lynn W. Edelson, Xenia Ley
6. COBIT - Control Objectives for Information and Related Technology

2.0 General Organization Control Procedures

To identify and gain an overall general understanding of the Information System organization's operating environment and control structure. Emphasis is placed on Policies and Procedures which govern the IS organization and its processes.

a) Conduct an entrance meeting and request a briefing on IS operations, if needed.

b) The auditor should become familiar with the various IS control groups (review file: IS controls.doc).

c) Interview senior management and understand their issues and concerns pertaining to IS.

d) Obtain and review copies of any previous IS audit reports, and follow up on any previous Action Plans to ensure all recommendations from previous reports are corrected and still in place. In addition, review IS audit reports from other divisions to see what type of deficiencies were uncovered. If previous action plans are not resolved or corrected, make an audit comment.

e) Obtain and review copies of IS policies, procedures, and standards (make a comparison to the standards used, reference 1). If IS policies and procedures and/or an Information Security Policy do not exist, this would warrant an audit comment.

f) Ask the IS manager for a copy of the IS strategic plan; it should be documented and approved by senior management. If one does not exist, an audit comment should be made.

g) Ask the IS manager if a planning or steering committee is in place to oversee IS Department activities (it should consist of senior management, IS, and user departments, and should ensure efficient use of data processing resources, set priorities, examine costs and provide support to various projects). If one does not exist, an audit comment should be made.

h) Determine how IS items are procured, and if they are aware of and using corporate agreements (CAs). If they are not utilized, make an audit comment.

i) Determine if there is a current organization chart and if job descriptions are clearly defined as to responsibility and authority, to ensure proper segregation of duties within IS (review the file: IS matrix.xls to understand what duties are not compatible). If a current organization chart does not exist, make an audit comment. Ask IS personnel if they understand their roles and responsibilities. If they do not, then make an audit comment. Determine if the IS department is independent from other organizational influences. If the IS manager reports to an operational organization such as Procurement or Operations, make an audit comment.

j) Assess audit risk and determine the scope of the audit and the extent of compliance testing to be performed.

3.0 IS Processes

The purpose of this domain is to determine what processes are in place and ensure controls exist and are followed by employees.
Emphasis is placed on the IS department infrastructure and internal practices to support the company's objectives and goals, and to support system development and implementation.

a) Determine the Change Control process/procedure through interview with the IS manager (ask for a copy of the change request form). If a formal change request process is not documented, and/or changes are not documented on Change Request forms, and the forms do not have provisions for the following items, an audit comment should be made. Are the forms serially numbered, and do they contain provisions for approval by supervisors from both IS and user departments? Does the form identify the reason for the change, its effective date and the person who made it? Determine how changes are bought off/completed (should require approval from a supervisor and meet successful testing criteria).

b) Ask the IS manager how changes are tested and moved into production (there should be a test environment separate and apart from the production environment for developing new software and testing modifications, and programmers should not be allowed to have access to the production environment). If these environments are not separate, make an audit comment. If the programmers are able to move the code into production, make an audit comment.

c) Ask the IS Manager for a copy of the programming and documentation standards used by the software developers (there should be written standards on the type and format of required documentation, followed by all programmers and/or consultants, which include naming conventions for programs, libraries, and data sets; standards for program documentation; and program testing procedures). If they do not have documented standards, make an audit comment.

d) Ask the IS manager if there are quality checks performed on modified software to ensure standards are followed, and documentation and testing are complete, before moving the changes into production. If this is not a separate function in IS and does not occur, make an audit comment.

e) Ask the IS manager for a LAN Administration Manual (should include Network Security parameters, recovery procedures, and hardware/software standardization guides). If they do not have one, make an audit comment.

f) Obtain copies of the PC/LAN user documentation/manual and ask the IS manager if it is provided to all users (should cover user responsibilities for using the LAN and PC, protection of sensitive files, loading unapproved software onto the LAN or PC, proper use of the Internet and e-mail, and software copyright violation). If one does not exist, make an audit comment.

g) Query some users and determine if they know what to do if they encounter a problem (users should know who to contact if they encounter a problem, and receive timely responses). If they are unsure of what to do or who to contact, make an audit comment.

h) Ask for copies of policies pertaining to the use of the Internet and e-mail (these should be documented and communicated to all users). If they do not exist, make an audit comment.

i) Determine if there is a Software/Systems Development Life Cycle (SDLC) in place, documented and used by the IS department. If one does not exist, make an audit comment.

4.0 Disaster Recovery

The purpose of this domain is to determine what Disaster Recovery and Contingency plans exist and assess their adequacy to ensure continuity of operations if either a complete system failure or the failure of system components occurs. There should be procedures in place to provide for the recovery of files, address disaster recovery, and identify critical processing (data). The plan should allow for periodic testing (at least annually), to ensure personnel understand their respective roles during a disaster and to validate the plan. There should be provisions for the backup of critical information and materials both on-site and off-site.

a) Review backup materials/procedures. If backups are not performed, make an audit comment and skip the rest of this section.
• Determine who performs the backups and ask if it is done on a regular basis (backups should be performed nightly on files which have changed during the previous day, and weekly for the whole system). If this is not done, make an audit comment.
• Ask how many copies of the files are maintained (at least three generations of important files, as well as a copy of the transactions needed to bring all files to current status, should exist). If not, make an audit comment.
• Ask if system files and operating software are also backed up periodically (especially if there is a change to the system settings). If not, make an audit comment.
• Determine if the media is labeled and if it is stored in a secure location (off-site, and while on-site, in a secure area such as a fireproof file cabinet). If it is not stored off-site, or not kept in a secure area with limited access while on-site, make an audit comment.
• Ask if tests are performed on the backup media to ensure files are indeed written there. If such a test is not performed, make an audit comment.
• See if there are documented desk procedures which reflect current backup and restoration steps. If not, make an audit comment.

b) Ask the IS manager if there are contingency plans to handle emergency situations such as hard disk crashes and central processing unit (CPU) failures. If not, make an audit comment.

c) Obtain a copy of the Disaster Recovery Manual/Plan (each site should have one). If one does not exist, make an audit comment and skip the rest of this section.
• Find out who maintains copies and where they are kept (a copy should be maintained off-site with other Disaster Recovery information). If one is not stored off-site, make an audit comment.
• Determine if applications (critical processes and data) are identified and prioritized as to criticality to the business and its operations. If such a list does not exist, make an audit comment.
• Are there provisions for an alternate site to handle processing needs if a disaster should occur? (Should have a contract with an outside firm or an agreement with another ATI site.) If not, then make an audit comment.
• Verify the plan has provisions for periodic testing (there should be scheduled time to test the plan, and to document and resolve problems). If the plan has not been tested and no test is scheduled, make an audit comment.

d) Ask IS employees if they are aware of the steps they should take in case of a Disaster. If they do not understand their roles and responsibilities, make an audit comment.

5.0 Logical Access Security

Users of the computer systems should be accurately identified, and employees permitted to have access as authorized and required to accomplish their assigned duties. In addition, logs or audit trails should exist and be maintained to reflect user access and changes to sensitive data files (i.e., Vendor Master file, Accounts Payable/Receivable Master files, Employee Master file, Payroll files).

a) Ask for a copy of the Logical Access Security Policies. If one does not exist, make an audit comment.

b) Ask the IS manager if there is a written procedure to control additions or changes to current users' access restrictions (should include a standardized form containing written approval by the appropriate level of management, and the process should be managed and maintained by IS personnel). If there is not a form or procedure, make an audit comment. Obtain copies of a couple of access authorization forms and validate for proper authorization and access (these should be retained by IS as an audit trail). If the form is not adequately filled out or retained, make an audit comment.

c) Ask the IS manager how the IS department is notified when employees are terminated or change job responsibilities. If there is not a procedure in place to notify IS in a timely manner, make an audit comment.
d) Ask the IS manager if there are any users who have supervisory capability (users who have unlimited access to files, applications and operator commands, sometimes referred to as "super users"); this should be limited to only a few select IS employees. How are transactions or actions approved and documented when initiated by these employees? (There should be a log for recording their activities within the system, which should be reviewed by management.) If their actions are not logged and reviewed by the IS manager, make an audit comment.

e) Ask the IS manager if Network changes are authorized and documented (there should be an audit trail of network equipment changes). If they are not, make an audit comment.

f) Ask the IS manager if system logs are maintained.
• Are there system access logs to record access to computer resources or the data communications network? (Should include the User ID and should be reviewed on a regular basis for unusual activity such as invalid logon attempts.)
• Are there transaction logs/audit trails to record additions, deletions, and changes to data elements? (Should include the user and the time the change was made.)
If the answer to any of these questions is no, make an audit comment.

g) Ask the IS manager if problem logs are maintained by the data center/operations (these are used to identify system and application problems and ensure resolution). If not, make an audit comment.

h) Ask the IS manager if system activity logs are in use to capture utilization of hardware resources associated with the servers: CPU utilization, access storage activity and utilization, and job activity (this is a primary means for identifying processing problems created by inadequate or failing components). If not used, make an audit comment.

i) Ask the IS manager what process/procedure ensures compliance with software license agreements. If a process or procedure does not exist, make an audit comment.
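As an added example (not part of the original audit program, and not Teledyne or ATI tooling), the following Python script turns two of the quantitative criteria in this program into checks an auditor can run over evidence collected during fieldwork: the backup rotation requirements of section 4.0 a) (nightly backups of changed files, a weekly full backup, at least three generations retained, an off-site copy) and the access log review of item f) above, applying the three-attempt revocation threshold that item j) of this section sets. The backup register format, the access log format, the business-day and business-hour assumptions, and every record and log line are constructed for the example; a real review would adapt the two parsers to the site's own registers and logs.

```python
"""Audit evidence checker (added example, not part of the original audit program).

Checks constructed evidence against section 4.0 a) (nightly backups, weekly full,
three generations, off-site copy) and sections 5.0 f) and j) (access log review,
revocation after three invalid attempts). Formats, business days and hours are assumptions.
"""
from collections import Counter
from datetime import date, timedelta
import re

# Constructed backup register, one backup per line: date, kind, storage location.
BACKUP_REGISTER_TEXT = """\
1999-04-12 full offsite
1999-04-13 incremental onsite
1999-04-14 incremental onsite
1999-04-15 incremental onsite
1999-04-19 full onsite
"""
AS_OF = date(1999, 4, 20)   # date of the fieldwork (constructed)
BUSINESS_HOURS = (7, 19)    # assumed normal logon window, 07:00 to 18:59

# Constructed system access log lines (format assumed for the example).
ACCESS_LOG = """\
1999-04-19 08:02:11 LOGON user=jsmith ws=WS017 result=OK
1999-04-19 08:05:43 LOGON user=rbrown ws=WS022 result=INVALID_PASSWORD
1999-04-19 08:05:58 LOGON user=rbrown ws=WS022 result=INVALID_PASSWORD
1999-04-19 08:06:20 LOGON user=rbrown ws=WS022 result=INVALID_PASSWORD
1999-04-19 08:06:41 LOGON user=rbrown ws=WS022 result=OK
1999-04-19 09:15:02 LOGON user=admin ws=WS003 result=INVALID_PASSWORD
1999-04-19 09:15:30 LOGON user=admin ws=WS003 result=OK
1999-04-19 23:41:07 LOGON user=jsmith ws=WS099 result=OK
""".splitlines()
LOG_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) LOGON "
                    r"user=(?P<user>\S+) ws=(?P<ws>\S+) result=(?P<result>\S+)$")


def parse_register(text):
    """Turn register lines into (date, kind, location) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            day, kind, location = line.split()
            records.append((date.fromisoformat(day), kind, location))
    return records


def check_backups(records, as_of, generations=3, window_days=7):
    """Return audit comments on the backup rotation (empty list means no finding)."""
    comments = []
    days_with_backup = {d for d, _, _ in records}
    fulls = sorted({d for d, kind, _ in records if kind == "full"})
    # Nightly backups of changed files: assumed to mean every business day in the window.
    for back in range(1, window_days + 1):
        day = as_of - timedelta(days=back)
        if day.weekday() < 5 and day not in days_with_backup:
            comments.append(f"no backup recorded for {day.isoformat()}")
    # Whole-system (full) backup at least weekly.
    if not fulls or (as_of - fulls[-1]).days > window_days:
        comments.append(f"no full backup within the last {window_days} days")
    # At least three generations of full backups retained.
    if len(fulls) < generations:
        comments.append(f"only {len(fulls)} full backup generation(s) retained, {generations} required")
    # The current full backup must also be held off-site.
    if fulls and not any(k == "full" and loc == "offsite" and d == fulls[-1] for d, k, loc in records):
        comments.append(f"latest full backup ({fulls[-1].isoformat()}) has no off-site copy")
    return comments


def review_access_log(lines, lockout_threshold=3, hours=BUSINESS_HOURS):
    """Return audit comments from reviewing the access log for unusual activity."""
    comments = []
    streak = Counter()  # consecutive invalid attempts per user ID
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped in this example
        e = m.groupdict()
        user, when = e["user"], f"{e['date']} {e['time']}"
        if e["result"] != "OK":
            streak[user] += 1
            if streak[user] == lockout_threshold:
                comments.append(f"user {user}: {lockout_threshold} consecutive invalid logon "
                                f"attempts at {when} (should trigger revocation)")
            continue
        # A success right after the threshold was reached shows revocation is not in effect.
        if streak[user] >= lockout_threshold:
            comments.append(f"user {user}: successful logon at {when} after {streak[user]} "
                            f"consecutive failures; automatic revocation not in effect")
        streak[user] = 0
        if not hours[0] <= int(e["time"][:2]) < hours[1]:
            comments.append(f"user {user}: logon at {when} outside business hours")
    return comments


def run_checks():
    """Audit comments for both evidence sets, keyed by area."""
    return {"backups": check_backups(parse_register(BACKUP_REGISTER_TEXT), AS_OF),
            "access_log": review_access_log(ACCESS_LOG)}


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(f"{area}: {len(findings)} audit comment(s)")
        for finding in findings:
            print("  -", finding)
```

Run directly, the script prints the audit comments for each evidence set; an empty list for an area means no finding. On the constructed data it reports a missed nightly backup, only two full generations, and a current full backup with no off-site copy, plus a user who logged on successfully immediately after three invalid attempts. That last check is the one worth keeping: it confirms from the log whether the revocation setting in j) is actually in effect, rather than relying on the configuration screen alone.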
j) Review Access Controls and Password Administration (the following are usually initialized when the system is installed).
• Ask the IS manager if logons are shared between users (shared logons and passwords should be disallowed unless several users require inquiry access only to non-confidential data/information).
• Passwords should be a minimum of 5, maximum of 8 characters and not easily guessed.
• Passwords should be masked (not displayed) when entered by the user.
• Passwords should be changed periodically (every 60 - 90 days).
• Sample some employees to see if they are required to change their password within a certain amount of time (this will support the password change procedure).
• User IDs or workstations should be automatically revoked after a predetermined number of unauthorized access attempts (should be three attempts).
• PCs should be automatically logged off after a period of non-use (30 minutes).
If logon IDs and passwords are shared except under the aforementioned condition, or the settings for passwords and workstations are not set properly, then make an audit comment.

k) Ask the IS manager if modems are attached to the server (provides remote access). If not, skip the rest of this section.
• Ask if there are additional security measures in place (there should be additional security for this type of access: user IDs and password protection, a dial-back feature, and an authorized dial-in user list). If additional security measures are not in place, make an audit comment.
• Determine who controls remote access activity and ask them how they control security for the modems and the phone numbers (verify this activity is monitored and the phone numbers for the modems are not published).

l) Interview System Administrators to determine if they have been provided formal training related to securing the servers (there are a number of security settings unique to each platform, related to users, files, the operating system, audit trails, etc., which affect the overall security and reporting of security-related events, and which Administrators should know how to initialize and manage). If they have not been given formal training, make an audit comment.

m) Determine if a network topology exists (there should be a diagram of all computing equipment with all access paths depicted: routers, multiplexers, modems, communication links between servers and printers). If one does not exist, make an audit comment.

n) Ask the IS manager if someone is responsible for accounting for all hardware and software within the company (a current inventory list should exist). If not, make an audit comment.

o) Ask the IS manager how the servers and PCs are protected from viruses. If servers and/or PCs do not have virus software loaded, make an audit comment.
• Determine what procedures are in place to prevent or detect the presence of a virus on the servers, and verify who is responsible for performing these procedures.
• Is virus software loaded on the workstations, and do users know how to run the software?
• Query some users to determine if they know what steps to take if a virus is detected or suspected on their workstation. If not, make an audit comment.

6.0 Physical Access and Asset Protection

This section of the audit program deals with those controls which should be in place to physically protect computing assets from unauthorized modification, theft, damage and/or destruction.

a) Determine the location of:
• Operator consoles
• Computer storage rooms
• UPS/Generator
• All communications equipment
• Servers
• Tape library

b) Determine through observation how these assets are protected (should be restricted to authorized personnel only). If they are not located in a secure area where access is controlled, make an audit comment.

c) Ask the IS manager how equipment is covered in case of damage or loss (insurance policies should be in place). If insurance policies do not exist or assets are not covered by Corporate Policies, make an audit comment.

d) Ask the IS manager if there are vendor agreements in place to cover responding to hardware failures (should have contracts with vendors to respond in a timely manner to failures which cause loss of service). If they do not exist, make an audit comment.

e) Check physical/environmental protection of equipment by touring the data center with the IS manager. Delinquency in any of the following should be noted by audit comments.
• Verify the presence of water and smoke detectors and verify backup power, i.e. batteries, in case power is lost to this area.
• Verify hand-held fire extinguishers are strategically located and visible (ask operators if they know how to operate the fire extinguishers).
• Verify extinguishers have been inspected within the last year (there should be a tag attached to each one reflecting the last time it was inspected).
• Determine if there are emergency lights installed within the computer room.
• Obtain a copy of the emergency Evacuation Plan (copies should be posted near the computer room; ask operators if they know what to do if they are required to evacuate the building).
• Do Emergency Power Off switch(es) exist, and are they labeled?
• Are housekeeping rules documented and practiced (i.e. dusting)?

f) Ask the IS manager if an Uninterruptible Power Supply (UPS) is connected to all significant systems. If there is not a UPS connected to the servers, make an audit comment.
• If a UPS is used, ask the IS manager if it has been tested.

g) Ask the IS manager who has access to the computer room and how it is controlled (should only be network operators and repair personnel).
• Is there a list of those who have been given access?
• Is there a log to record visitors to the computer room?

7.0 IS Budget Process

This section's objective is to determine if a formal process exists and is functioning in a reasonable manner.
Review supporting controls and detail for reasonableness.

a) Ask the IS manager for a copy of the procedure to verify one exists. If one does not exist, make an audit comment.

b) Identify significant components of the Overall Budget Process (Macro View / Macro Flowchart).

c) Determine how the IS Budget ties into the Company Budget.

d) Trace and tie IS Budget Totals to IS totals in the Company Budget.

e) Review procedures for comparing Actual to Budget.

f) Obtain an understanding of how management reviews and analyzes Variances of Actual Cost to Budgeted Cost. If a review is not performed, make an audit comment.

g) Obtain Management's response regarding the effectiveness of the Budgeting Process for managing and controlling Costs.

h) Obtain an understanding of the approval process. If one does not exist, make an audit comment.

i) Re-evaluate and summarize your understanding of the Overall Budget Process (Macro View / Macro Flowchart) and verify using a walkthrough method with IS Management.

j) Review detail line items of the Budget for appropriateness and reasonableness.
• If there is a large volume of line items, identify and concentrate on high dollar amount items, or large volumes that add up to large dollar amounts.
• Review appropriateness of volumes purchased.
• Review redundancy of technology purchased.
• Validate Contract Services.
• Perform steps to determine how details tie into Budget Categories.