2013004 It General Controls

8/11/2019 2013004 It General Controls

This is the AuditNet Standard Risk Control Audit Matrix which incorporates formats used by many audit organizations in their documentation working papers. There are format templates for risk control, audit procedures, questionnaires and checklists. There is a blank workpaper and a report summary that can be used by audit organizations. AuditNet has prepared a monograph for guidance on preparing and developing audit work programs, checklists, questionnaires and matrices. The monograph is available to AuditNet subscribers. For more information go to www.auditnet.org

AREA:

Process | Control Objective | Risk | Control Considerations | Assertion (E,A,C,V,P) | Description of control | Documentation W/P Ref. | Do controls meet objective? Yes/No | Test W/P Ref | Testing exceptions noted? Yes/No | Resolution / remediation / comments | W/P Ref

Audit Program Area: General Controls Audit Program

Auditor

AUDIT PROCEDURES | WP Ref | Initials

Audit Objectives are to determine:

Adequacy of personnel procedures to ensure integrity of Data Center operations,

Adequacy of the system development life cycle (SDLC), including the program change procedures, to ensure the integrity and accuracy of information processes,

Existence of adequate and operational backup and disaster recovery procedures that will minimize business interruption and protect against loss of data in the event of a disaster,

Adequacy of physical and logical security controls maintained to prevent unauthorized access to computers,

Adequacy of environmental controls maintained to minimize hardware/software losses from fire or flood,

Compliance with the Company Department of Information Resources requirements, and

The implementation schedule for new information systems being implemented at .

ORGANIZATIONAL CONTROLS -- SYSTEM OVERVIEW, DOCUMENTATION, & TRAINING

1. Document organizational structure.

a. Review the composition, roles and responsibilities of IS steering committees for appropriateness. Determine whether the committee meets periodically to review, approve or reject projects, monitors status of projects and reviews the results of the post-implementation reviews.

b. Identify those positions responsible for maintaining the programs, backing up the system and data files, and using the various computer center systems. Review the written job descriptions for each functional duty described in the organization chart to determine accuracy.

c. Determine if appropriate segregation of duties exists. Ensure IS functions are segregated from users and incompatible IS functions are segregated.

d. Determine whether provisions are made for backup personnel in key positions and if job rotation/cross-training is performed.

e. Evaluate skill sets for the IS staff and supervisory controls for appropriateness.

f. Evaluate the effectiveness of the recruiting process in filling positions with qualified candidates in a timely manner and evaluate turnover and work environment.

g. Determine if termination procedures are adequate:

(1) The employee's I.D. badge should be collected when he or she is terminated.

(2) Passwords that the terminating employee was privy to should be removed or changed.

(3) His or her keys should be collected and/or locks be changed.

(4) Is there a termination check-out briefing session or procedure?

h. Determine if adequate system training and supervision is provided to the employees using the system.

2. Interview IS staff and distribute a questionnaire to identify potential risks and assess general controls.

3. Based on responses to the questionnaire, identify results as strengths or weaknesses of the general control environment, and prepare a preliminary risk assessment. Identify strengths to test and determine if controls are functioning as management intends.

4. Review the IS strategic plan and budget to gain an understanding of IS goals, projects, available resources and ensure agreement with the plan of the university.

5. Obtain or document an overview of the Information Systems (including hardware resources, software, support/design staff, and users) for the data center. Identify critical information systems.

6. Evaluate written system operation (especially for start-up, shut-down, file maintenance, preventive maintenance, and vendor-supplied documentation), system development, and acquisition policies and procedures for adequacy.

7. Evaluate compliance status with Department of Information Resources requirements.

8. Inquire into the year 2000 issue and document the status and implications.

PROGRAM CHANGE CONTROL MANAGEMENT

9. Ensure there are adequate guidelines to instruct programming personnel in their duties.

10. Ensure that programming personnel are adequately supervised and new programs and enhancements are adequately tested and reviewed before being put in the production environment.

11. Identify and ensure that controls protect production application program libraries from unauthorized changes, additions, and deletions.

12. (a) Ensure that program libraries are adequately secured to provide recovery of critical data and applications in case of loss or destruction.

(b) Ensure that enhancements to programs are documented, including user and data center operational procedures.

COMPUTER CENTER OPERATIONS

13. Performance

a. Examine utilization reports to determine the times of peak resource demand.

b. Ensure that capacity planning (processor, memory, channels, disk, network, etc.) performed is adequate for the current system and long-term strategic plans.

c. Determine whether periodic performance measurements are taken.

d. Determine whether system downtime is recorded and tracked.

14. Preventative Maintenance

a. Interview employees and/or review vendor maintenance agreements to

15. Job Scheduling

a. Interview employees, review scheduling policies and procedures, review scheduling logs and observe operations to determine if there is an effective system in place to schedule jobs.

SECURITY AND ENVIRONMENTAL CONTROLS

NOTE: A negative response to any of the questions in the Physical Security and Environmental Controls and Backup sections does not necessarily represent a significant control weakness. The environment should be evaluated as a whole and an overall determination made of the general controls.

16. Determine if the security responsibility has been assigned to an IS staff member. Determine if physical security policies and procedures are adequate by evaluating controls through interview and observation. Use the following audit steps/questions as a guideline in determining adequacy:

a. Ensure that there are written procedures in effect which prevent unauthorized persons from gaining access to computer facilities.

b. Ensure that authorized personnel are specifically defined in operation standards and/or procedures.

c. Observe at several different times whether only authorized personnel are in the processing area.

d. Determine whether the data center facilities are restricted by the use of keys, badges or other automated security devices.

e. Does the computer site have a ground floor location and possibly a showcase window?

f. Is the computer site below ground level?

g. Is the air conditioning air intake outside at ground level?

h. Is direct access into the data center possible from the outside or through a public hallway?

i. Are keys to cabinets, equipment rooms, and wiring closets held under proper custody?

j. Are all telecommunication line junction points (wiring and router closets, etc.) secured to prevent tampering?

k. Is the data center subject to catastrophic mishap, i.e., aircraft collision, etc.?

17. The adequacy of fire protection systems should be determined by using the following issues as a guideline:

a. Clear and adequate fire instructions should be posted in strategic locations.

b. Fire alarm pull boxes and emergency power switches should be clearly visible and unobstructed.

c. The computer room should have an automatic fire extinguishing system which would be tested periodically by the manufacturer or service representative.

d. The detection system should detect smoke, temperature, humidity, water, or combustible fumes.

e. The detectors should be located in the ceiling air ducts and beneath the raised flooring. Detectors should be tested frequently and protected by a backup power supply.

f. When the fire alarm is activated, it should sound outside the computer room area at a guard station and a local fire station or emergency control center. Data Center personnel should be able to identify the sound of the fire alarm.

g. What are the exposures to flooding? Would a burst pipe or rising river cause damage?

h. The computer room should be kept clean at all times.

18. The environmental equipment and controls should be adequate to protect the computer hardware from damage. Use the following areas as a guideline in determining adequacy:

a. Ventilation and air conditioning should be adequate to maintain the appropriate temperature level specified by the manufacturer.

b. Recording thermometers and humidity indicators should be located so the readings can be obtained easily. These instruments should be monitored on a routine basis by a trained person.

c. The hardware should automatically shut down to protect itself from damage if unacceptable temperatures are reached.

d. The computer equipment should be subject to periodic maintenance, cleaning and inspection and a record kept of such.

e. The computer room ceiling should be adequately constructed to prevent water from entering the computer room.

f. Overhead water and steam pipes should be avoided.

g. Adequate drainage should be provided.

h. An independent air conditioning system with backup power supply should be installed.

19. Ensure physical controls exist over IS physical inventory.

a. Periodic inventories should be taken.

b. All software copies should have proper licenses.

20. Determine whether vendor service personnel are supervised while on site.

LOGICAL CONTROLS

21. Evaluate procedures for creating and removing user IDs.

22. Obtain listing of user IDs:

a. Sample to determine if appropriate authorization was obtained.

b. Identify the operating privileges and review accounts having elevated privileges and system over-ride capabilities for propriety.

c. Evaluate the use of proxy accounts and privileges assigned.

d. Evaluate user privileges by determining job function and privileges.

23. Test to determine if access for recently terminated or transferred employees was removed or disabled in a timely manner.

24. Evaluate sufficiency of password administration considering: syntax, minimum and maximum lengths, periodic changes and expiration time frames.

25. Determine if the access authorization tables and password files are adequately secured against unauthorized access.

26. Evaluate controls related to remote access to the data center. Ensure that dial-in lines include a call-back feature or some other means of control to ensure only authorized access.

27. Determine if audit security logs are activated and monitored for unusual activity (i.e. break-in attempts). Determine if internal audit is receiving logs.

28. Gain an understanding of the MVS and RACF environments and evaluate security controls for effectiveness.

29. Evaluate the procedures for handling and disposing of confidential and sensitive documents and reports.

BACKUP AND DISASTER RECOVERY CONTROLS

30. Ensure that system and data file backup procedures are adequate to minimize recovery time and/or loss of data.

31. Ensure that backups are maintained off-site and rotated, and that a periodic inventory is taken. Visit the off-site facility and evaluate security, if necessary.

32. Identify the backup power supplies/equipment and determine adequacy relating to the following areas:

a. Emergency backup lights.

b. Computer systems.

c. Telecommunications system.
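Steps 22 and 23 of the logical controls section call for sampling the user-ID listing for evidence of authorization, reviewing accounts with elevated privileges, and testing that access for terminated or transferred employees was disabled promptly. The Python script below is an added example of how an auditor can perform that reconciliation mechanically; it is not part of the AuditNet program. The user listing, HR roster, employee numbers, authorization references, privilege names and the five-day grace period are all constructed assumptions.

```python
"""Reconcile a user-ID listing against the HR roster (audit program steps 22 and 23).

Added example, not part of the AuditNet program. All data below is constructed:
user IDs, employee numbers, authorization references and the five-day grace
period are assumptions chosen for illustration.
"""
import csv
import io
from datetime import date

# Constructed user-ID listing, as a security administrator might export it.
USER_LISTING = """\
user_id,employee_id,enabled,privileges,authorization_ref
jsmith,E1001,Y,USER,AUTH-101
mlee,E1002,Y,ADMIN,AUTH-102
rpatel,E1003,Y,USER,
svc_batch,,Y,OPERATOR,AUTH-090
dkim,E1004,N,USER,AUTH-104
tchen,E1005,Y,ADMIN,AUTH-105
"""

# Constructed HR roster: employment status and termination/transfer date.
HR_ROSTER = """\
employee_id,status,termination_date
E1001,ACTIVE,
E1002,ACTIVE,
E1003,TERMINATED,2019-07-01
E1004,TERMINATED,2019-06-15
E1005,TRANSFERRED,2019-07-20
"""

# Privilege levels step 22(b) asks the auditor to review individually (assumed names).
ELEVATED = {"ADMIN", "OPERATOR"}
# HR statuses for which step 23 expects the account to be disabled.
LEFT = {"TERMINATED", "TRANSFERRED"}


def load_csv(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(user_listing, hr_roster, as_of, grace_days=5):
    """Return audit exceptions found by comparing the listing with HR data.

    as_of is the date of the test (date or ISO string). An account is a stale
    termination when it is still enabled more than grace_days after the
    employee's termination or transfer date.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    users = load_csv(user_listing)
    hr = {row["employee_id"]: row for row in load_csv(hr_roster)}
    findings = {"orphan": [], "unauthorized": [], "elevated": [], "stale_termination": []}
    for u in users:
        uid = u["user_id"]
        enabled = u["enabled"].strip().upper() == "Y"
        emp = hr.get(u["employee_id"])
        if emp is None:
            # No HR record behind the account: step 22 cannot tie it to a person.
            findings["orphan"].append(uid)
        if not u["authorization_ref"]:
            # No evidence that access was approved (step 22a).
            findings["unauthorized"].append(uid)
        if enabled and u["privileges"] in ELEVATED:
            findings["elevated"].append(uid)
        if emp is not None and emp["status"] in LEFT and enabled:
            if not emp["termination_date"]:
                findings["stale_termination"].append((uid, None))  # date missing in HR data
                continue
            days = (as_of - date.fromisoformat(emp["termination_date"])).days
            if days > grace_days:
                findings["stale_termination"].append((uid, days))
    return findings


def format_findings(findings):
    """Render the findings as workpaper lines."""
    lines = []
    for uid in findings["orphan"]:
        lines.append(f"{uid}: no HR record (orphan or shared account, confirm owner)")
    for uid in findings["unauthorized"]:
        lines.append(f"{uid}: no authorization reference on file")
    for uid in findings["elevated"]:
        lines.append(f"{uid}: elevated privileges, confirm business need")
    for uid, days in findings["stale_termination"]:
        lines.append(f"{uid}: still enabled {days} days after leaving")
    return lines


if __name__ == "__main__":
    for line in format_findings(reconcile(USER_LISTING, HR_ROSTER, "2019-08-11")):
        print(line)
```

Run against the constructed data as of 2019-08-11, the script flags the service account with no HR owner, the account created without an authorization reference, the three enabled accounts with elevated privileges, and two leavers whose accounts were never disabled; the account HR shows as terminated but which is already disabled is correctly not reported. In practice the grace period should be taken from the organization's own termination procedure (step 1g) rather than assumed.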

33. Review the disaster recovery plan for adequacy.

Other

34. Determine the implementation schedule for new information systems being implemented at .

35. Identify other information systems connected to the data center that may compromise security established within the data center.
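Step 27 of the logical controls section asks whether security audit logs are activated and monitored for unusual activity such as break-in attempts. As an added example that is not part of the AuditNet program, the Python script below runs two simple detections over a constructed log extract: repeated failed logins from one user/source pair inside a short window (noting when a success follows the burst, which is what makes the burst worth escalating), and successful logins outside business hours. The log layout, host and user names, addresses, the threshold of five failures in ten minutes and the 07:00 to 19:00 business window are all assumptions.

```python
"""Review a security audit log for break-in attempts (audit program step 27).

Added example, not part of the AuditNet program. The log lines, hosts, users,
addresses, thresholds and business hours below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log extract in an assumed syslog-like layout; every field is invented.
SAMPLE_LOG = """\
2019-08-10 22:01:05 host1 login: FAILED user=operator src=10.0.0.25
2019-08-10 22:01:09 host1 login: FAILED user=operator src=10.0.0.25
2019-08-10 22:01:14 host1 login: FAILED user=operator src=10.0.0.25
2019-08-10 22:01:20 host1 login: FAILED user=operator src=10.0.0.25
2019-08-10 22:01:27 host1 login: FAILED user=operator src=10.0.0.25
2019-08-10 22:01:40 host1 login: SUCCESS user=operator src=10.0.0.25
2019-08-11 03:30:00 host1 login: SUCCESS user=admin src=192.0.2.77
2019-08-11 08:15:00 host1 login: FAILED user=jsmith src=10.0.0.40
2019-08-11 08:16:30 host1 login: SUCCESS user=jsmith src=10.0.0.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_break_in_attempts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, src) pairs with at least `threshold` failures inside `window`.

    Each finding records whether a successful login followed the burst, which is
    the case an auditor would want escalated rather than just noted.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["result"] == "FAILED"]
        burst_end = None
        start = 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
                break
        if burst_end is not None:
            success_after = any(e["result"] == "SUCCESS" and e["ts"] >= burst_end
                                for e in evs)
            findings.append({"user": user, "src": src, "failures": len(failures),
                             "success_after_burst": success_after})
    return findings


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business window, for follow-up."""
    return [e for e in events
            if e["result"] == "SUCCESS" and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in find_break_in_attempts(evs):
        print("burst:", f)
    for e in off_hours_logins(evs):
        print("off-hours success:", e["ts"], e["user"], e["src"])
```

On the constructed extract the burst detector reports the five rapid failures against the operator account followed by a success from the same source, and the off-hours check lists that success and the 03:30 admin login; the single failed attempt by jsmith before a normal morning logon is left alone. The point for the audit is less the specific rules than the evidence that someone reviews the output and that internal audit receives it, as step 27 requires.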

Time Spent | Date Expected | Date Finished | Remarks | Checked By:


Audit Program

Audit Procedure | Control Objective | Risk if Objective Not Met | Control Technique | Performed By | Date Expected | Date Completed | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments

Audit Program Area

Global Ref No. | Audit Procedure | Control Objective | Risks | Control Activity Number | Control Description | Key Control? | Frequency | Owner | Exceptions | Type | Document Reference | Mapping to Standards


Client Name | Internal Control Framework

Completed By:

Reviewed By:

Question | Yes | No* | Comments / Description | Employee Responsible for Task

Name and Title of Person Completing Form (please print)

Date Completed:

To the best of my knowledge, the answers and comments noted above are accurate and reflect the current

Name and Title of Department Director (please print)

Signature of Person Completing Form

10/3/2014 Date Form Completed

Signature of Department Director

Date o

Department Director's Signature

* For a No answer, cross-reference to either a compensating control or to audit work which has been performed or is to be performed.

Questionnaire

Finding Ref # | Control | Testing | Finding | Management Response & Treatment