AREA OF CONTROL | RISKS/EXPOSURES | AUDIT OBJECTIVES | AUDIT PROCEDURES | INTERNAL CONTROL CHECKLIST
1. OPERATING SYSTEM CONTROLS

Risks/Exposures:
Flaws in the operating system that are exploited either accidentally or intentionally. Accidental threats include hardware failures that cause the operating system to crash. Errors in user application programs, which the operating system cannot interpret, also cause operating system failures. Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain. These exposures come from three sources:
- Privileged personnel who abuse their authority. Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users' programs and data files.
- Individuals, both internal and external to the organization, who browse the operating system to identify and exploit security flaws.
- Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.

Audit Objectives:
- Relating to access privileges: the auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
- Relating to passwords: the auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.
- Relating to viruses and other destructive programs: the key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection. The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.
- Relating to system audit trails: the auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.

Audit Procedures:
Relating to access privileges:
- Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
- Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. The auditor should verify that individuals are granted access to data and programs based on their need to know.
- Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
- Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
- Review the users' permitted log-on times. Permission should be commensurate with the tasks being performed.
Relating to passwords:
- Verify that all users are required to have passwords.
- Verify that new users are instructed in the use of passwords and the importance of password control.
- Review password control procedures to ensure that passwords are changed regularly.
- Review the password file to determine that weak passwords are identified and disallowed. This may involve using software to scan password files for known weak passwords.
- Verify that the password file is encrypted and that the encryption key is properly secured.
- Assess the adequacy of password standards such as length and expiration interval.
- Review the account lockout policy and procedures. Most operating systems allow the system administrator to define the action to be taken after a certain number of failed log-on attempts. The auditor should determine how many failed log-on attempts are allowed before the account is locked. The duration of the lockout also needs to be determined. This could range from a few minutes to a permanent lockout that requires formal reactivation of the account.

Internal Control Checklist:
- Are there anti-viruses installed on the system?
- Are there monitoring systems used in the system (e.g. keystroke monitoring)?
- Does the Access Control List clearly state who are authorized to access specific parts of the system?
- Are passwords changed at least once a month?
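The password-related procedures above (no-password accounts, scanning the password file for known weak passwords, expiration interval, lockout threshold and duration) can be run mechanically over an exported account list. The following is an added example, not part of the checklist or of Hall's text; the salted SHA-256 hashing scheme, the weak-password dictionary, the sample accounts and the lockout thresholds in `Policy` are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional
# Constructed dictionary of known-weak passwords held by the auditor's scanner.
KNOWN_WEAK = ["password", "123456", "welcome1", "qwerty"]

def hash_pw(password: str, salt: str) -> str:
    # Assumed, simplified salted SHA-256 scheme for the constructed password file.
    return hashlib.sha256((salt + password).encode()).hexdigest()

@dataclass
class Account:
    user: str
    salt: str
    pw_hash: Optional[str]   # None models an account with no password set
    age_days: int            # days since the password was last changed

@dataclass
class Policy:
    max_age_days: int = 30       # checklist: passwords changed at least once a month
    lockout_threshold: int = 5   # assumed maximum failed log-on attempts
    lockout_minutes: int = 15    # assumed minimum lockout duration

def audit_accounts(accounts: List[Account], policy: Policy) -> List[str]:
    findings = []  # one entry per control exception; empty means all checks passed
    for a in accounts:
        if not a.pw_hash:
            findings.append(f"{a.user}: no password set")
            continue
        # Weak-password scan: re-hash each candidate with the account's salt.
        if any(hash_pw(w, a.salt) == a.pw_hash for w in KNOWN_WEAK):
            findings.append(f"{a.user}: known weak password")
        if a.age_days > policy.max_age_days:
            findings.append(f"{a.user}: password unchanged for {a.age_days} days")
    return findings

def audit_lockout(threshold: int, minutes: int, policy: Policy) -> List[str]:
    if threshold <= 0:
        return ["lockout disabled: unlimited failed log-on attempts"]
    findings = []
    if threshold > policy.lockout_threshold:
        findings.append(f"lockout threshold {threshold} exceeds policy {policy.lockout_threshold}")
    if minutes < policy.lockout_minutes:
        findings.append(f"lockout duration {minutes} min below policy {policy.lockout_minutes} min")
    return findings

# Constructed sample password file (salts and hashes built here, not real data).
SAMPLE = [Account("alice", "s1", hash_pw("Tr0ub4dor&3", "s1"), 12),
          Account("bob", "s2", hash_pw("password", "s2"), 5),
          Account("carol", "s3", None, 0),
          Account("dave", "s4", hash_pw("M4ny-w0rds-here", "s4"), 45)]
```

Real password files use slower, purpose-built hashes (crypt, bcrypt and the like); the scan works the same way, re-hashing each dictionary word with the stored salt rather than ever recovering a plaintext.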
4. COMPUTER CENTER SECURITY CONTROLS

Risks/Exposures:
Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of its data-processing facilities and bring to a halt those functions that are performed or aided by the computer.

Audit Objectives:
Evaluate the controls governing computer center security.

Audit Procedures:
- Determine from the architectural plans that the computer center is solidly built of fireproof material.
- Establish that fire detection and suppression equipment, both manual and automatic, are in place and are tested regularly.
- Ascertain that routine access to the computer center is restricted to authorized employees.
- Assess with the system administrator alternative procedures for recovering from a disk failure.

Internal Control Checklist:
- Does the insurance package cover all the computer equipment insured by the company?
- In cases of power interruption, does the company have the proper equipment to assure that there would be enough power to save unfinished tasks?
5. SYSTEM DEVELOPMENT CONTROLS

Risks/Exposures:
- The development of unauthorized projects resulting in the misapplication of financial resources.
- Projects are improperly prioritized, resulting in inefficient allocation of resources.
- Newly implemented systems contain material errors, fraud, or fail to meet user needs.
- Poor-quality systems documentation impedes audit and maintenance activities.

Audit Objectives:
- To verify that each organization establishes an SDLC methodology and assigns responsibility for each phase of the cycle so that system design, development, and maintenance may progress smoothly and accurately.
- To ensure that SDLC activities are applied consistently in accordance with management's policies to all systems development projects.
- To ensure that the system was judged to be necessary and justified at various checkpoints throughout the SDLC.
- To ensure that system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.

Audit Procedures:
- Determine the extent of the responsibilities of management, internal audit, users, quality assurance, and data processing during system design, development, and maintenance.
- Review SDLC work papers to determine if the appropriate levels of authorization were obtained for each phase.
- Obtain and review requests for DP services. Determine if the procedures are being followed.
- Review and evaluate the procedures for performing a needs analysis.
- Review a needs analysis for a recent project and determine if it conforms to standards.
- Review and evaluate the procedures for system and program testing.
- Review documented testing procedures, test data, and resulting output to determine if they appear to be comprehensive and if they follow standards.
- Review the adequacy of testing performed on the manual phases of an application.
- Review and evaluate procedures for program promotion and implementation.
- Review documentation of the program promotion procedure. Determine if the standards are followed and if documentation of compliance with the standards is available. Trace selected program and system software changes to the appropriate supporting records to determine if the changes have been properly approved.
- Review documentation of the conversion/implementation of a newly developed application. Determine if the implementation procedures were followed.

Internal Control Checklist:
- Are user manuals prepared for all new systems developed and revised for subsequent changes?
- Do they require authorization at the various stages of development?
7. INTERNET/INTRANET CONTROLS

Risks/Exposures:
The most common problem in data communications is data loss due to line error.

Audit Objectives:
- To verify the security and integrity of financial transactions.
- To prevent and detect illegal access both internally and from the Internet.
- To render useless any data that are successfully captured by a perpetrator.
- To preserve the integrity of electronic commerce transactions by determining that controls are in place.
- To detect and correct message loss due to equipment failure.

Audit Procedures:
- Assess the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization's business objectives and potential risks.
- Appraise security procedures governing the administration of data encryption keys.
- Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
- Look at the message transaction logs to verify that all messages were received in their proper sequence.
- Test the operation of the call-back feature by placing an unauthorized call from outside the installation.
- Select a sample of messages from the transaction log and examine them for garbled contents caused by line noise. The auditor should verify that all corrupted messages were successfully retransmitted.

Internal Control Checklist:
- Is there a proper policy regarding the use of the Internet by employees?
- Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?
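The two transaction-log procedures above (messages received in proper sequence; every message flagged as corrupted by line noise later retransmitted cleanly) reduce to a small log check. This is an added example, not part of the checklist; the log line layout, the `RECV`/`status`/`retransmit` fields and the sample lines are constructed assumptions, since the page does not specify a log format.

```python
import re
from typing import Dict, List

# Constructed receiving-side transaction log (sample lines, not from the page).
SAMPLE_LOG = """\
2024-01-05T10:00:01 RECV seq=101 status=OK
2024-01-05T10:00:02 RECV seq=102 status=CORRUPT
2024-01-05T10:00:03 RECV seq=104 status=OK
2024-01-05T10:00:04 RECV seq=102 status=OK retransmit=1
2024-01-05T10:00:05 RECV seq=106 status=CORRUPT
2024-01-05T10:00:06 RECV seq=105 status=OK
"""

# Assumed line layout: timestamp, direction, sequence number, status, optional retransmit flag.
LINE_RE = re.compile(r"^(\S+) RECV seq=(\d+) status=(OK|CORRUPT)(?: retransmit=(\d+))?$")

def parse_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append({"ts": m[1], "seq": int(m[2]), "status": m[3],
                        "retransmit": m[4] is not None})
    return records

def audit_transaction_log(records: List[dict]) -> Dict[str, List[int]]:
    # Sequence check uses first deliveries only; retransmissions arrive out of order by design.
    first = [r["seq"] for r in records if not r["retransmit"]]
    if not first:
        return {"missing": [], "out_of_order": [], "corrupt_not_retransmitted": []}
    seen = set(first)
    missing = [s for s in range(min(first), max(first) + 1) if s not in seen]
    out_of_order = [s for prev, s in zip(first, first[1:]) if s < prev]
    # Retransmission check: every corrupted message needs a later clean copy.
    corrupted = {r["seq"] for r in records if r["status"] == "CORRUPT"}
    clean_retx = {r["seq"] for r in records if r["retransmit"] and r["status"] == "OK"}
    return {"missing": missing,
            "out_of_order": out_of_order,
            "corrupt_not_retransmitted": sorted(corrupted - clean_retx)}
```

On the sample log the check reports sequence 103 never received, 105 delivered after 106, and corrupted message 106 never retransmitted; each of those is an exception the auditor would trace back to the sending side.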
Sources: Hall, James A. (2011). Information Technology Auditing and Assurance. (3rd Edition); http://www.auditnet.org; http://www.isaca.org
9. MICROCOMPUTER/PERSONAL COMPUTER CONTROLS
1. INPUT CONTROLS

Risks/Exposures:
Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm.