DETAIL AUDIT PROGRAM Information Systems General Controls Review

Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com
1.0 Introduction
The objectives of this audit are to review policies, procedures, practices, and the
organizational structure so as to provide reasonable assurance that business objectives
will be achieved and that undesired events will be prevented or detected, and corrected.
The audit program is divided into the following sections:
• Section 2.0: General Organization Control Procedures
• Section 3.0: IS Processes
• Section 4.0: Disaster Recovery
• Section 5.0: Logical Security Access
• Section 6.0: Physical Access and Asset Protection
• Section 7.0: IS Budget Process
References:
1. Corporate Financial Standards Guidelines, Section 3, Data Processing Standards
2. Corporate Internal Audit, Information Systems Audit Overview
3. Corporate Policies and Procedures
4. Corporate Internal Audit, Help Manual
5. Handbook of IT Auditing, by J. Donald Warren, Jr., Lynn W. Edelson, Xenia Ley
6. COBIT - Control Objectives for Information and Related Technology
2.0 General Organization Control Procedures
The purpose of this section is to identify and gain an overall general understanding of the Information System organization's operating environment and control structure. Emphasis is placed on the Policies and Procedures which govern the IS organization and its processes.
a) Conduct entrance meeting and request briefing on IS operations, if needed.
b) Auditor should become familiar with the various IS control groups, (review file:
IS controls.doc).
c) Interview senior management and understand their issues and concerns
pertaining to IS.
d) Obtain and review copies of any previous IS audit reports, and follow-up on any
previous Action Plans to ensure all recommendations from previous reports are
corrected and still in place. In addition, review IS audit reports from other
divisions to see what type of deficiencies were uncovered. If previous action
plans are not resolved or corrected, make audit comment.
e) Obtain and review copies of IS policies, procedures, and standards (compare them to the standards used; see reference 1). If IS policies and procedures and/or an Information Security Policy do not exist, this warrants an audit comment.
f) Ask the IS manager for a copy of the IS strategic plan; it should be documented and approved by senior management. If one does not exist, an audit comment should be made.
g) Ask the IS manager if a planning or steering committee is in place to oversee IS Department activities (it should consist of senior management, IS, and user departments, and it should ensure efficient use of data processing resources, set priorities, examine costs, and provide support to various projects). If one does not exist, an audit comment should be made.
h) Determine how IS items are procured, and if they are aware of and using
corporate agreements (CAs). If they are not utilized, make an audit comment.
i) Determine if there is a current organization chart and if job descriptions are clearly defined as to responsibility and authority, to ensure proper segregation of duties within IS (review the file IS matrix.xls to understand which duties are not compatible). If a current organization chart does not exist, make an audit comment.
Ask IS personnel if they understand their roles and responsibilities. If they do not, make an audit comment.
Determine if the IS department is independent from other organizational influences. If the IS manager reports to an operational organization such as Procurement or Operations, make an audit comment.
j) Assess audit risk and determine the scope of audit and extent of compliance
testing to be performed.
3.0 IS Processes
The purpose of this domain is to determine what processes are in place and to ensure that controls exist and are followed by employees. Emphasis is placed on the IS department's infrastructure and internal practices that support the company's objectives and goals, and that support system development and implementation.
a) Determine the Change Control process/procedure through an interview with the IS manager (ask for a copy of the change request form). If a formal change request process is not documented, changes are not documented on Change Request forms, or the forms do not have provisions for the following items, an audit comment should be made.
Are the forms serially numbered, and do they contain provisions for approval by supervisors from both IS and user departments?
Does the form identify the reason for the change, its effective date, and the person who made it?
Determine how changes are bought off/completed (this should require approval from a supervisor and meeting successful testing criteria).
b) Ask the IS manager how changes are tested and moved into production
(there should be a test environment separate and apart from the production
environment, for developing new software and testing modifications, and
programmers should not be allowed to have access to the production
environment.) If these environments are not separate, make an audit comment.
If the programmers are able to move the code into production, make an audit
comment.
c) Ask the IS Manager for a copy of programming and documentation standards
used by the software developers. (There should be written standards on the
type and format of required documentation which is followed by all programmers
and/or consultants and include naming conventions for programs, libraries, and
data sets; standards for program documentation; program testing procedures.) If
they do not have documented standards, make an audit comment.
d) Ask the IS manager if there are quality checks performed on modified software
to ensure standards are followed, and documentation and testing are complete
before moving the changes into production. If this is not a separate function in IS
and does not occur, make an audit comment.
e) Ask the IS manager for a LAN Administration Manual (should include Network
Security parameters, recovery procedures, hardware/software standardization
guides.) If they do not have one, make an audit comment.
f) Obtain copies of PC/LAN user documentation/manual and ask the IS manager if
it is provided to all users (should cover user responsibilities for using the LAN
and PC, protection of sensitive files, loading unapproved software onto the LAN
or PC, proper use of the Internet and e-mail, and software copyright violation.) If
one does not exist, make an audit comment.
g) Query some users and determine if they know what to do if they encounter a
problem (users should know who to contact if they encounter a problem and
receive timely responses.) If they are unsure of what to do or who to contact,
make an audit comment.
h) Ask for copies of policies pertaining to the use of the Internet and e-mail (these
should be documented and communicated to all users.) If they do not exist,
make an audit comment.
i) Determine if there is a Software/Systems Development Life Cycle (SDLC) in
place, documented and used by the IS department. If one does not exist, make
an audit comment.
4.0 Disaster Recovery
The purpose of this domain is to determine what Disaster Recovery and Contingency
plans exist and assess their adequacy to ensure continuity of operations if either a
complete system failure or the failure of system components occurs. There should be
procedures in place to provide for the recovery of files, address disaster recovery, and
identify critical processing (data). The plan should allow for periodic testing (at least
annually), to ensure personnel understand their respective roles during a disaster and
validate the plan. There should be provisions for the backup of critical information and
materials both on-site and off-site.
a) Review backup materials/procedures. If backups are not performed, make an
audit comment and skip the rest of this section.
Determine who performs the backups and ask if it is done on a regular basis
(backups should be performed nightly on files which have changed during the
previous day and weekly for the whole system.) If this is not done, make an
audit comment.
Ask how many copies of the files are maintained (at least three generations of important files, as well as a copy of the transactions needed to bring all files to current status, should exist). If not, make an audit comment.
Ask if system files and operating software are also backed up periodically (especially if there is a change to the system settings). If not, make an audit comment.
Determine if the media is labeled and if it is stored in a secure location (off-site, and while on-site in a secure area such as a fireproof file cabinet). If it is not stored off-site, or not kept in a secure area with limited access while on-site, make an audit comment.
Ask whether tests are performed on the backup media to ensure files are indeed written there. If such a test is not performed, make an audit comment.
See if there are documented desk procedures which reflect current backup and
restoration steps. If not, make an audit comment.
b) Ask the IS manager if there are contingency plans to handle emergency
situations such as hard disk crashes and central processing unit (CPU) failures.
If not, make an audit comment.
c) Obtain a copy of the Disaster Recovery Manual/Plan (each site should have one). If one does not exist, make an audit comment and skip the rest of this section.
Find out who maintains copies and where they are kept (a copy should be maintained off-site with other Disaster Recovery information). If one is not stored off-site, make an audit comment.
Determine if applications (critical processes and data) are identified and prioritized as to their criticality to the business and its operations. If they are not, make an audit comment.
Are there provisions for an alternate site to handle processing needs if a disaster should occur? (There should be a contract with an outside firm or an agreement with another ATI site.) If not, make an audit comment.
Verify the plan has provisions for periodic testing (there should be scheduled time to test the plan, and to document and resolve problems). If the plan has not been tested and no test is scheduled, make an audit comment.
d) Ask IS employees if they are aware of the steps they should take in case of
Disaster.
If they do not understand their roles and responsibilities, make an audit comment.
5.0 Logical Access Security
Users of the computer systems should be accurately identified and employees permitted
to have access as authorized and required to accomplish their assigned duties. In
addition, logs or audit trails should exist and be maintained to reflect user access and
changes to sensitive data files, (i.e., Vendor Master file, Accounts Payable/Receivable
Master files, Employee Master file, Payroll files).
a) Ask for copy of Logical Access Security Policies. If one does not exist, make
audit comment.
b) Ask the IS manager if there is a written procedure to control addition or changes
to current users' access restrictions (should include a standardized form
containing written approval by appropriate level of management and process
should be managed and maintained by IS personnel.) If there is not a form or
procedure, make audit comment.
Obtain copies of a couple of access authorization forms and validate for proper
authorization and access (These should be retained by IS as an audit trail.) If
the form is not adequately filled out or retained, make an audit comment.
c) Ask the IS manager how the IS department is notified when employees are
terminated or change job responsibilities. If there is not a procedure in place to
notify IS in a timely manner, make an audit comment.
d) Ask the IS manager if there are any users who have supervisory capability, i.e., users who have unlimited access (sometimes referred to as "super users") to files, applications, and operator commands; this should be limited to only a few select IS employees.
How are transactions or actions approved and documented when initiated by these employees? (There should be a log recording their activities within the system, which should be reviewed by management.) If their actions are not logged and reviewed by the IS manager, make an audit comment.
e) Ask the IS manager if Network changes are authorized and documented
(should be an audit trail of network equipment changes.) If they are not, make
an audit comment.
f) Ask the IS manager if system logs are maintained.
• Are there system access logs to record access to computer resources or data
communications network? (should include User ID and should be reviewed
on a regular basis for unusual activity such as invalid logon attempts).
• Are there transaction logs/audit trails to record additions, deletions, and
changes to data elements? (should include user and time change was made)
If the answer to any of these questions is no, make an audit comment.
g) Ask the IS manager if problem logs are maintained by the data
center/operations. (These are used to identify system and application problems
and ensure resolution.) If not, make audit comment.
h) Ask the IS manager if system activity logs are in use to capture utilization of
hardware resources associated with the servers, CPU utilization, access storage
activity and utilization, and job activity. (This is a primary means for identifying
processing problems created by inadequate or failing components.) If not used,
make audit comment.
i) Ask the IS manager what process/procedure ensures compliance with software
license agreements.
If process or procedure does not exist, make an audit comment.
j) Review Access Controls and Password Administration: (the following are usually
initialized when the system is installed.)
• Ask the IS manager if logons are shared between users (shared logons and
passwords should be disallowed unless several users require inquiry access
only to non-confidential data/information).
• Passwords should be a minimum of 5, maximum of 8 characters and not
easily guessed.
• Passwords should be masked (not displayed) when entered by user.
• Passwords should be changed periodically (every 60 - 90 days).
• Sample some employees to see if required to change password within certain
amount of time (this will support password change procedure).
• User Ids or workstations should be automatically revoked after a
predetermined number of unauthorized access attempts (should be three
attempts).
• PCs should be automatically logged off after a period of non-use (30 minutes).
If logon Ids and passwords are shared except under the aforementioned condition,
or the settings for passwords and workstations are not set properly, then make an
audit comment.
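The log review called for in step f) and the password and lockout settings in step j) can be checked mechanically before the interview. The following Python script is an added example, not part of the original audit program; its access-log format, user IDs, and settings table are constructed and hypothetical, and it reports the audit comments that the thresholds stated above would produce.

```python
import re
from collections import defaultdict

# Audit thresholds as stated in steps f) and j) of this section.
MAX_FAILED_LOGONS = 3          # IDs should be revoked after three attempts
PASSWORD_MIN_LEN = 5           # the 8-character maximum is a platform limit
PASSWORD_AGE_DAYS = (60, 90)   # change every 60 - 90 days
IDLE_LOGOFF_MINUTES = 30

# Constructed sample access log (hypothetical format: timestamp, user ID, result).
SAMPLE_LOG = """\
1999-04-22 08:01:10 jdoe LOGON_OK
1999-04-22 08:03:44 asmith LOGON_FAIL
1999-04-22 08:03:59 asmith LOGON_FAIL
1999-04-22 08:04:12 asmith LOGON_FAIL
1999-04-22 08:04:30 asmith LOGON_FAIL
1999-04-22 08:05:01 asmith LOGON_OK
1999-04-22 09:15:00 bjones LOGON_FAIL
1999-04-22 09:15:20 bjones LOGON_OK
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (LOGON_OK|LOGON_FAIL)$")

def review_access_log(text, threshold=MAX_FAILED_LOGONS):
    """Return user IDs that reached the failed-logon threshold and still logged
    on afterwards, i.e. automatic revocation did not take effect."""
    failures = defaultdict(int)
    findings = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than abort
        _, user, result = m.groups()
        if result == "LOGON_FAIL":
            failures[user] += 1
            continue
        if failures[user] >= threshold:
            findings.add(user)            # success after >= threshold failures
        failures[user] = 0                # a successful logon resets the count
    return sorted(findings)

def review_password_settings(s):
    """Compare configured settings with the step j) criteria; return comments."""
    comments = []
    if s["shared_logons"]:
        comments.append("shared logons are permitted")
    if s["min_length"] < PASSWORD_MIN_LEN:
        comments.append("password minimum length is less than 5 characters")
    if not s["masked"]:
        comments.append("passwords are displayed when entered")
    if not PASSWORD_AGE_DAYS[0] <= s["max_age_days"] <= PASSWORD_AGE_DAYS[1]:
        comments.append("password change interval is not 60 - 90 days")
    if s["lockout_attempts"] == 0 or s["lockout_attempts"] > MAX_FAILED_LOGONS:
        comments.append("revocation after 3 failed attempts is not enforced")
    if s["idle_logoff_minutes"] == 0 or s["idle_logoff_minutes"] > IDLE_LOGOFF_MINUTES:
        comments.append("automatic logoff after 30 minutes is not set")
    return comments

# Constructed settings table for one server (hypothetical values).
SAMPLE_SETTINGS = {"shared_logons": False, "min_length": 4, "masked": True,
                   "max_age_days": 180, "lockout_attempts": 0,
                   "idle_logoff_minutes": 30}

if __name__ == "__main__":
    for user in review_access_log(SAMPLE_LOG):
        print(f"audit comment: {user} logged on after {MAX_FAILED_LOGONS}+ failures without revocation")
    for c in review_password_settings(SAMPLE_SETTINGS):
        print("audit comment:", c)
```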
k) Ask the IS manager if modems are attached to the server (provides remote
access). If not, skip the rest of this section.
• Ask if there are additional security measures in place (there should be additional security for this type of access: user IDs and password protection, a dial-back feature, and an authorized dial-in user list). If additional security measures are not in place, make an audit comment.
• Determine who controls remote access activity and ask them how they control
security to the modems and the phone numbers (verify this activity is
monitored and phone numbers for the modems are not published).
l) Interview System Administrators to determine if they have been provided formal
training which is related to securing the servers. (There are a number of security
settings unique to each platform which are related to users, files, operating
system, audit trails, etc. which affect the overall security and reporting of security
related events which Administrators should know how to initialize and manage.)
If they have not been given formal training, make an audit comment.
m) Determine if there is a network topology in existence (there should be a diagram
of all computing equipment with all access paths depicted - routers, multiplexers,
modems, communication links between servers and printers.) If one does not
exist, make an audit comment.
n) Ask the IS manager if someone is responsible for accounting for all hardware
and software within the company. (A current inventory list should exist.) If not,
make an audit comment.
o) Ask the IS manager how the servers and PCs are protected from viruses. If
servers and/or PCs do not have virus software loaded, make an audit comment.
• Determine what procedures are in place to prevent or detect the presence of a
virus on the servers, and verify who is responsible for performing these
procedures.
• Is virus software loaded on the workstations and do users know how to run the
software?
• Query some users to determine if they know what steps to take if a virus is detected or suspected on their workstation. If not, make an audit comment.
6.0 Physical Access and Asset Protection
This section of the audit program deals with those controls which should be in place to physically protect computing assets from unauthorized modification, theft, damage and/or destruction.
a) Determine the location of:
• Operator consoles
• Computer storage rooms
• UPS/Generator
• All communications equipment
• Servers
• Tape library
b) Determine through observation how these assets are protected (should be
restricted to authorized personnel only.) If they are not located in a secure area
where access is controlled, make an audit comment.
c) Ask the IS manager how equipment is covered in case of damage or loss,
(insurance policies should be in place.) If insurance policies do not exist or
assets are not covered by Corporate Policies, make audit comment.
d) Ask the IS manager if there are vendor agreements in place to cover responding
to hardware failures (should have contract with vendors to respond in a timely
manner to failures which cause loss of service.) If they do not exist, make an
audit comment.
e) Check physical/environmental protection of equipment by touring the data center
with the IS manager. Delinquency in any of the following should be noted by
audit comments.
• Verify the presence of water and smoke detectors and verify back up power,
i.e. batteries, in case power is lost to this area.
• Verify hand-held fire extinguishers are strategically located and visible (ask
operators if they know how to operate the fire extinguishers.)
• Verify extinguishers have been inspected within the last year (should be a tag
attached to each one reflecting the last time they were inspected).
• Determine if there are emergency lights installed within the computer room.
• Obtain a copy of the emergency Evacuation Plan (copies should be posted near the computer room; ask operators if they know what to do if they are required to evacuate the building).
• Do Emergency Power Off switch(es) exist, and are they labeled?
• Are housekeeping rules documented and practiced (e.g., dusting)?
f) Ask the IS manager if Uninterrupted Power Supply (UPS) is connected to all
significant systems. If there is not a UPS connected to servers, make an audit
comment.
• If UPS is used, ask the IS manager if it has been tested.
g) Ask the IS manager who has access to the computer room and how is it
controlled, (should only be network operators and repair personnel.)
• Is there a list of those who have been given access?
• Is there a log to record visitors to the computer room?
7.0 IS Budget Process
This section's objective is to determine if a formal process exists and is functioning in a reasonable manner. Review supporting controls and detail for reasonableness.
a) Ask the IS manager for a copy of the procedure to verify one exists. If one does not exist, make an audit comment.
b) Identify significant components of the Overall Budget Process (Macro View /
Macro Flowchart).
c) Determine how IS Budget ties into Company Budget.
d) Trace and tie IS Budget Totals to IS totals in Company Budget.
e) Review procedures for comparing Actual to Budget.
f) Obtain an understanding of how management reviews and analyzes Variances of Actual Cost to Budgeted Cost. If a review is not performed, make an audit comment.
g) Obtain Management's response regarding the effectiveness of the Budgeting
Process for managing and controlling Costs.
h) Obtain an understanding of the approval process. If one does not exist, make an
audit comment.
i) Re-evaluate and summarize your understanding of the Overall Budget Process
(Macro View / Macro Flowchart) and verify using a walkthrough method with IS
Management.
j) Review detail line items of Budget for appropriateness and reasonableness.
• If there is a large volume of line items, identify and concentrate on high-dollar items or large volumes that add up to large dollar amounts.
• Review appropriateness of volumes purchased.
• Review redundancy of technology purchased.
• Validate Contract Services.
• Perform steps to determine how details tie into Budget Categories.