
CORTEZ, CHRISTELLE MYR A.

IT6 M36 2-3pm


CRUZ, ZELITA YZABEL
PROF. C.C. GONZAGA
IT AUDIT PROGRAM FOR TEST OF GENERAL CONTROLS

Table columns, given for each area of control below: AREA OF CONTROL | RISKS/EXPOSURES | AUDIT OBJECTIVES | AUDIT PROCEDURES | INTERNAL CONTROL CHECKLIST
1. OPERATING SYSTEM CONTROLS

Risks/Exposures:
Flaws in the operating system that are exploited either accidentally or intentionally. Accidental threats include hardware failures that cause the operating system to crash. Errors in user application programs, which the operating system cannot interpret, also cause operating system failures. Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain. These exposures come from three sources:
- Privileged personnel who abuse their authority. Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users' programs and data files.
- Individuals, both internal and external to the organization, who browse the operating system to identify and exploit security flaws.
- Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.

Audit Objectives:
Audit Objectives Relating to Access Privileges. The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
Audit Objectives Relating to Passwords. The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.
Audit Objective Relating to Viruses and Other Destructive Programs. The key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection. The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.
Audit Objectives Relating to System Audit Trails. The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.

Internal Control Checklist:
- Is anti-virus software installed on the system?
- Are monitoring tools (e.g. keystroke monitoring) in use on the system?
- Does the Access Control List clearly state who is authorized to access specific parts of the system?
- Are passwords changed at least once a month?

Audit Procedures Relating to Access Privileges
- Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
- Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. The auditor should verify that individuals are granted access to data and programs based on their need to know.
- Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
- Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
- Review the users' permitted log-on times. Permission should be commensurate with the tasks being performed.
Audit Procedures Relating to Passwords
- Verify that all users are required to have passwords.
- Verify that new users are instructed in the use of passwords and the importance of password control.
- Review password control procedures to ensure that passwords are changed regularly.
- Review the password file to determine that weak passwords are identified and disallowed. This may involve using software to scan password files for known weak passwords.
- Verify that the password file is encrypted (or, as modern systems do, stores only salted password hashes rather than cleartext) and that the encryption key is properly secured.
- Assess the adequacy of password standards such as length and expiration interval.
- Review the account lockout policy and procedures. Most operating systems allow the system administrator to define the action to be taken after a certain number of failed log-on attempts. The auditor should determine how many failed log-on attempts are allowed before the account is locked. The duration of the lockout also needs to be determined; this could range from a few minutes to a permanent lockout that requires formal reactivation of the account.
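The password procedures above (scanning the password file for known weak passwords, checking the expiry interval, reviewing the lockout settings) can be carried out with a small script rather than by eye. The following is an added example written for this page; it is not code from the original document or from Hall's text. The password-file layout (username:salt:salted SHA-256:days since last change), the accounts, the weak-password list and the policy thresholds (8-character minimum, 30-day expiry, lockout within 10 attempts and for at least 15 minutes) are all assumptions of the example; a real operating system uses its own format and a slow password hash such as bcrypt or sha512-crypt, and the 30-day figure simply mirrors the checklist question above.

```python
import hashlib

# Hypothetical password-file layout assumed for this example (not any real
# operating system's format): one record per line,
#   username:salt:hex(SHA-256(salt + password)):days_since_last_change
# Real systems should use a slow, salted hash (bcrypt, scrypt, sha512-crypt);
# plain salted SHA-256 is used here only to keep the example self-contained.

def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_sample_password_file() -> str:
    """Construct a sample file. Accounts, salts and passwords are invented."""
    rows = [
        ("root", "4f3a", "Tr0ub4dor&3", 12),
        ("jsmith", "91bc", "password", 45),
        ("mcruz", "07de", "welcome1", 3),
        ("svc_backup", "aa10", "Xq9!mL2#vR8z", 400),
    ]
    return "".join(f"{u}:{s}:{hash_password(s, p)}:{d}\n" for u, s, p, d in rows)

def parse_password_file(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, salt, digest, age = line.split(":")
        records.append({"user": user, "salt": salt, "hash": digest, "age_days": int(age)})
    return records

# Small known-weak list; a real review would use a much larger wordlist.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "welcome1", "letmein", "admin"]

def find_weak_passwords(text: str, wordlist=WEAK_PASSWORDS) -> dict:
    """Return {user: matched_weak_password}. Each candidate is hashed with the
    record's own salt, so the check runs against stored hashes, never cleartext."""
    found = {}
    for rec in parse_password_file(text):
        # the username itself is a common weak choice, so it is always tried too
        for candidate in list(wordlist) + [rec["user"]]:
            if hash_password(rec["salt"], candidate) == rec["hash"]:
                found[rec["user"]] = candidate
                break
    return found

def find_stale_passwords(text: str, max_age_days: int = 30) -> dict:
    """Return {user: age_days} for passwords older than the expiry interval
    (30 days mirrors the checklist question 'changed at least once a month')."""
    return {r["user"]: r["age_days"] for r in parse_password_file(text)
            if r["age_days"] > max_age_days}

def assess_password_policy(policy: dict) -> list:
    """Compare configured password/lockout settings against audit thresholds.
    The thresholds are this example's assumptions, not values from the page.
    lockout_duration_minutes == 0 means a permanent lockout needing reactivation."""
    findings = []
    if policy["min_length"] < 8:
        findings.append(f"minimum length {policy['min_length']} is below 8")
    if policy["max_age_days"] > 30:
        findings.append(f"expiry interval {policy['max_age_days']} days exceeds 30")
    if policy["lockout_threshold"] == 0:
        findings.append("account lockout is disabled")
    elif policy["lockout_threshold"] > 10:
        findings.append(f"lockout only after {policy['lockout_threshold']} failed attempts")
    if 0 < policy["lockout_duration_minutes"] < 15:
        findings.append(f"lockout duration {policy['lockout_duration_minutes']} min is too short")
    return findings

if __name__ == "__main__":
    sample = make_sample_password_file()
    print("weak passwords:", find_weak_passwords(sample))
    print("stale passwords:", find_stale_passwords(sample))
    print("policy findings:", assess_password_policy(
        {"min_length": 6, "max_age_days": 90, "lockout_threshold": 0, "lockout_duration_minutes": 0}))
```

The weak-password check deliberately works the way an attacker's offline guess would: it hashes each candidate with the stored salt and compares digests, so it can be run on a copy of the hashed file without anyone ever seeing a cleartext password. A result of zero hits says nothing about passwords outside the wordlist, which is why the policy assessment (length, expiry, lockout) is reported alongside it.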

Audit Procedures Relating to Viruses and Other Destructive Programs
- Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
- Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.
- Verify that the current version of anti-virus software is installed on the server and that upgrades are regularly downloaded to workstations.

Audit Procedures Relating to System Audit Trails
- Most operating systems provide some form of audit manager function to specify the events that are to be audited. The auditor should verify that the audit trail has been activated according to organization policy.
- Many operating systems provide an audit log viewer that allows the auditor to scan the log for unusual activity. Logs can be reviewed on screen or archived for subsequent review. The auditor can use general-purpose data extraction tools on archived log files to search for defined conditions such as: unauthorized or terminated users; periods of inactivity; activity by user, workgroup, or department; log-on and log-off times; failed log-on attempts; and access to specific files or applications.
- The organization's security group has responsibility for monitoring and reporting security violations. The auditor should select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group.
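The "defined conditions" listed in the audit-trail procedures (terminated users, inactivity, failed log-ons, log-on times, access to specific files) are exactly what a general-purpose extraction tool would search for. The following added example, written for this page and not taken from the original document or from Hall's text, runs those searches over a constructed log. The line format ("ISO timestamp EVENT key=value ..."), the users, addresses and paths are invented for the example; the 7:00-19:00 permitted log-on window and the "5 failures in 10 minutes" burst threshold are assumed values, and rdelacruz is taken to be a terminated employee while svc_legacy is an account that never appears in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical line format (not any real
# operating system's layout): "<ISO timestamp> <EVENT> key=value ...".
# Users, addresses and paths are invented. rdelacruz is assumed to be a
# terminated employee; svc_legacy is an account that never appears here.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:02:11 LOGON user=jsmith src=10.1.2.15 result=SUCCESS
2024-03-04T08:05:40 FILE_ACCESS user=jsmith path=/data/ar/invoices.dat
2024-03-04T09:00:01 LOGON user=rdelacruz src=10.1.2.90 result=SUCCESS
2024-03-04T12:30:05 LOGOFF user=jsmith
2024-03-04T22:14:03 LOGON user=mcruz src=10.1.2.77 result=SUCCESS
2024-03-04T22:16:48 FILE_ACCESS user=mcruz path=/data/payroll/master.dat
2024-03-04T22:40:12 LOGOFF user=mcruz
2024-03-05T03:10:00 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T03:10:07 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T03:10:15 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T03:10:22 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T03:10:30 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T03:10:38 LOGON user=admin src=203.0.113.9 result=FAILURE
2024-03-05T08:20:15 LOGON user=jsmith src=10.1.2.15 result=FAILURE
2024-03-05T08:20:40 LOGON user=jsmith src=10.1.2.15 result=SUCCESS
"""

def parse_audit_log(text: str) -> list:
    """Turn each log line into a dict holding time, event and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ev = {"time": datetime.fromisoformat(parts[0]), "event": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """{user: most failures seen inside any sliding window} for users at/over threshold."""
    times = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON" and ev.get("result") == "FAILURE":
            times[ev["user"]].append(ev["time"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

def terminated_user_activity(events, terminated_users) -> list:
    """Terminated users whose accounts still show any activity in the log."""
    return sorted({ev["user"] for ev in events if ev.get("user") in set(terminated_users)})

def off_hours_logons(events, start_hour=7, end_hour=19) -> list:
    """Successful log-ons outside the permitted window [start_hour, end_hour)."""
    return [(ev["user"], ev["time"].isoformat()) for ev in events
            if ev["event"] == "LOGON" and ev.get("result") == "SUCCESS"
            and not (start_hour <= ev["time"].hour < end_hour)]

def sensitive_file_access(events, prefixes) -> list:
    """Accesses to files under any of the given sensitive path prefixes."""
    return [(ev["user"], ev["path"]) for ev in events
            if ev["event"] == "FILE_ACCESS" and ev["path"].startswith(tuple(prefixes))]

def inactive_accounts(events, all_users) -> list:
    """Accounts in the user list with no activity at all in the reviewed period."""
    return sorted(set(all_users) - {ev["user"] for ev in events if "user" in ev})

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("failed log-on bursts:", failed_logon_bursts(evs))
    print("terminated users still active:", terminated_user_activity(evs, {"rdelacruz"}))
    print("off-hours log-ons:", off_hours_logons(evs))
    print("payroll file access:", sensitive_file_access(evs, ["/data/payroll/"]))
    print("inactive accounts:", inactive_accounts(evs, ["jsmith", "mcruz", "rdelacruz", "admin", "svc_legacy"]))
```

The burst detector uses a sliding window rather than a fixed per-day count so that six failures packed into 38 seconds stand out while a single mistyped password (jsmith at 08:20) does not. Each finding is only a lead: the terminated-user and off-hours hits are the cases the auditor then takes to the security group's violation records to check how they were dispositioned.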

2. ORGANIZATIONAL STRUCTURE CONTROLS

Risks/Exposures:
Failure to segregate transaction authorization from transaction processing, and record keeping from asset custody, makes it easier for an individual to commit and conceal fraud without needing to collude with others.

Audit Objective:
Attest that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.

Audit Procedures:
- Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
- Obtain and review the corporate policy on computer security.
- Verify that the security policy is communicated to responsible employees and supervisors.

Internal Control Checklist:
- Are the functions of programming, computer operations, tape librarian, and database administrator organizationally segregated?
- Is the Database Administrator separated from other functions?
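Both the access-privilege procedures in the operating system row (review the privileges of user groups and individuals against their job descriptions) and the segregation checks in this row come down to the same two questions about an authority table: does anyone hold two functions that must stay separate, and does anyone hold more than their job requires? The following added example, written for this page and not part of the original document or Hall's text, answers both over constructed tables. The group names, the nested-group rule, the incompatible-function pairs and the job profiles are all assumptions of the example; a real review would load them from the system's own authority tables and the organization's job descriptions.

```python
# All tables below are constructed for this example; the users, groups and
# function names are invented and do not come from any real authority table.

# A group may include other groups; members inherit the included groups' functions.
GROUP_INCLUDES = {
    "finance_all": ["ap_clerk", "ap_approver"],
}
GROUP_FUNCTIONS = {
    "ap_clerk": {"enter_invoice", "record_payment"},
    "ap_approver": {"approve_payment"},
    "treasury": {"custody_cash"},
    "programmer": {"modify_program"},
    "operator": {"run_production"},
    "dba": {"administer_database"},
    "tape_librarian": {"custody_media"},
}
USER_GROUPS = {
    "jsmith": ["ap_clerk"],
    "mcruz": ["finance_all"],            # inherits ap_clerk and ap_approver via nesting
    "rlopez": ["programmer", "operator"],
    "dgonzaga": ["dba"],
    "aperez": ["ap_clerk", "treasury"],
}
# Pairs of functions the same person must not hold (the separations this row asks for).
INCOMPATIBLE_FUNCTIONS = [
    ("enter_invoice", "approve_payment"),       # transaction processing vs authorization
    ("record_payment", "custody_cash"),          # record keeping vs asset custody
    ("modify_program", "run_production"),        # programming vs computer operations
    ("modify_program", "administer_database"),   # programming vs database administration
]
# Functions each job description actually calls for (the need-to-know baseline).
JOB_PROFILES = {
    "jsmith": {"enter_invoice", "record_payment"},
    "mcruz": {"approve_payment"},
    "rlopez": {"modify_program"},
    "dgonzaga": {"administer_database"},
    "aperez": {"enter_invoice", "record_payment", "custody_cash"},
}

def expand_groups(groups, includes=GROUP_INCLUDES) -> set:
    """Transitive closure over nested groups (safe against include cycles)."""
    seen, stack = set(), list(groups)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(includes.get(g, []))
    return seen

def effective_functions(user, user_groups=USER_GROUPS, group_functions=GROUP_FUNCTIONS,
                        includes=GROUP_INCLUDES) -> set:
    """Every function a user can exercise through direct or inherited group membership."""
    funcs = set()
    for g in expand_groups(user_groups.get(user, []), includes):
        funcs |= group_functions.get(g, set())
    return funcs

def find_sod_violations(user_groups=USER_GROUPS, incompatible=INCOMPATIBLE_FUNCTIONS) -> dict:
    """{user: [(function_a, function_b), ...]} for users holding both halves of a pair."""
    violations = {}
    for user in user_groups:
        funcs = effective_functions(user, user_groups)
        hits = [(a, b) for a, b in incompatible if a in funcs and b in funcs]
        if hits:
            violations[user] = hits
    return violations

def find_excess_privileges(user_groups=USER_GROUPS, job_profiles=JOB_PROFILES) -> dict:
    """{user: functions granted beyond the job description} (need-to-know check)."""
    excess = {}
    for user in user_groups:
        extra = effective_functions(user, user_groups) - job_profiles.get(user, set())
        if extra:
            excess[user] = extra
    return excess

if __name__ == "__main__":
    print("segregation-of-duties violations:", find_sod_violations())
    print("privileges beyond the job profile:", find_excess_privileges())
```

Two points the tables are built to show. mcruz is granted only one group, but that group nests two others, so the conflict only appears once membership is expanded transitively; a review that reads the top-level group list would miss it. aperez holds nothing beyond the job description, yet still violates segregation, because the job itself combines record keeping with cash custody: the need-to-know check and the incompatible-function check catch different problems and the auditor needs both.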
3. DATABASE MANAGEMENT CONTROLS

Risks/Exposures:
Data can be corrupted and destroyed by malicious acts from external hackers, disgruntled employees, disk failure, program errors, fires, floods, and other natural calamities. Risks to corporate databases include corruption, theft, misuse, and destruction of data.

Audit Objectives:
Audit Objective Relating to Flat-File Backup. Verify that the backup controls in place are effective in protecting data files from physical damage, loss, accidental erasure, and data corruption through system failures and program errors.
Audit Objective Relating to Database Backup. Verify that controls over the data resource are sufficient to preserve the integrity and physical security of the database.

Audit Procedures for Testing Flat-File Backup Controls
- Sequential File (GPC, grandparent-parent-child) Backup. The auditor should select a sample of systems and determine from the system documentation that the number of GPC backup files specified for each system is adequate. If insufficient backup versions exist, recovery from some types of failures may be impossible.
- Backup Transaction Files. The auditor should verify through physical observation that the transaction files used to reconstruct the master files are also retained. Without the corresponding transaction files, reconstruction is impossible.
- Direct Access File Backup. The auditor should select a sample of applications and identify the direct access files being updated in each system. From system documentation and through observation, the auditor can verify that each of them was copied to tape or disk before being updated.
- Off-Site Storage. The auditor should verify the existence and adequacy of off-site storage. This audit procedure may be performed as part of the review of the disaster recovery plan or of computer center operations controls.

Audit Procedures for Testing Database Backup Controls
- The auditor should verify that backup is performed routinely and frequently to facilitate the recovery of lost, destroyed, or corrupted data without excessive reprocessing. Production databases should be copied at regular intervals (perhaps several times an hour). Backup policy should strike a balance between the inconvenience of frequent backup activities and the business disruption caused by the excessive reprocessing needed to restore the database after a failure.
- The auditor should verify that automatic backup procedures are in place and functioning, and that copies of the database are stored off-site for further security.

Internal Control Checklist:
- Are enough backup copies created for the company's degree of file activity?
- Are these backups created at regular intervals?
- Are these backup copies stored off-site?
- Does the data authorization table clearly state what authorized users may do in specific applications?
- If biometric controls are installed, have they been tested to be foolproof?
- Are data sent across networks encrypted?
- Are transactions properly recorded in their respective logs?

4. COMPUTER CENTER SECURITY CONTROLS

Risks/Exposures:
Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of its data-processing facilities and bring to a halt those functions that are performed or aided by the computer.

Audit Objective:
Evaluate the controls governing computer center security.

Audit Procedures:
- Determine from the architectural plans that the computer center is solidly built of fireproof material.
- Establish that fire detection and suppression equipment, both manual and automatic, is in place and tested regularly.
- Ascertain that routine access to the computer center is restricted to authorized employees.
- Assess with the system administrator the alternative procedures for recovering from a disk failure.

Internal Control Checklist:
- Does the insurance package cover all of the company's computer equipment?
- In case of a power interruption, does the company have the proper equipment to ensure that there is enough power to save unfinished tasks?
5. SYSTEM DEVELOPMENT CONTROLS

Risks/Exposures:
- The development of unauthorized projects, resulting in the misapplication of financial resources.
- Projects that are improperly prioritized, resulting in the inefficient allocation of resources.
- Newly implemented systems that contain material errors or fraud, or that fail to meet user needs.
- Poor-quality systems documentation that impedes audit and maintenance activities.

Audit Objectives:
- To verify that the organization has established an SDLC methodology and assigned responsibility for each phase of the cycle, so that system design, development, and maintenance may progress smoothly and accurately.
- To ensure that SDLC activities are applied consistently, in accordance with management's policies, to all systems development projects.
- To ensure that the system was judged to be necessary and justified at the various checkpoints throughout the SDLC.
- To ensure that system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.

Audit Procedures:
- Determine the extent of the responsibilities of management, internal audit, users, quality assurance, and data processing during system design, development, and maintenance.
- Review SDLC work papers to determine if the appropriate levels of authorization were obtained for each phase.
- Obtain and review requests for DP services. Determine if the procedures are being followed.
- Review and evaluate the procedures for performing a needs analysis. Review a needs analysis for a recent project and determine if it conforms to standards.
- Review and evaluate the procedures for system and program testing. Review documented testing procedures, test data, and resulting output to determine if they appear to be comprehensive and if they follow standards. Review the adequacy of testing performed on the manual phases of an application.
- Review and evaluate procedures for program promotion and implementation. Review documentation of the program promotion procedure. Determine if the standards are followed and if documentation of compliance with the standards is available. Trace selected program and system software changes to the appropriate supporting records to determine if the changes have been properly approved.
- Review documentation of the conversion/implementation of a newly developed application. Determine if the implementation procedures were followed.

Internal Control Checklist:
- Are user manuals prepared for all new systems developed, and revised for subsequent changes?
- Is authorization required at the various stages of development?

6. SYSTEM MAINTENANCE CONTROLS

Risks/Exposures:
- Financial loss due to programming errors.
- Program fraud takes root more easily in an environment of poorly controlled maintenance and can go undetected for years.

Audit Objectives:
- To detect unauthorized program maintenance.
- To determine that maintenance procedures protect applications from unauthorized changes.

Audit Procedures:
- Review and evaluate the procedures for the maintenance of existing applications. Review program modifications, testing procedures, and the preparation of supporting documentation to determine if the standards are being followed.
- Review and evaluate the procedures for modifying systems software. Review systems software modifications, testing procedures, and the preparation of supporting documentation to determine if the standards are being followed.
- Review and evaluate the documentation of in-house developed systems software and of the features/options of the proprietary systems software in use. Obtain and review the documentation standards to determine if they are complete.
- Review the programmer authority tables and test the authority table.

Internal Control Checklist:
- Are the programs used by end users permitted by the company?
- Do irregularities exist between a programmer's maintenance authority and the authority table?

7. INTERNET/INTRANET CONTROLS

Risks/Exposures:
The most common problem in data communications is data loss due to line error.

Audit Objectives:
- To verify the security and integrity of financial transactions.
- To prevent and detect illegal access, both internally and from the Internet.
- To render useless any data that are successfully captured by a perpetrator.
- To preserve the integrity of electronic commerce transactions by determining that controls are in place.
- To detect and correct message loss due to equipment failure.

Audit Procedures:
- Assess the adequacy of the firewall in achieving the proper balance between control and convenience, based on the organization's business objectives and potential risks.
- Appraise the security procedures governing the administration of data encryption keys.
- Verify the encryption process by transmitting a test message and examining its contents at various points along the channel between the sending and receiving locations.
- Look at the message transaction logs to verify that all messages were received in their proper sequence.
- Test the operation of the call-back feature by placing an unauthorized call from outside the installation.
- Select a sample of messages from the transaction log and examine them for garbled contents caused by line noise. The auditor should verify that all corrupted messages were successfully retransmitted.

Internal Control Checklist:
- Is there a proper policy regarding the use of the Internet by employees?
- Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?
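The last three procedures above (messages received in sequence, garbled contents detected, corrupted messages retransmitted) can be checked mechanically from the transaction log when each message carries a checksum. The following added example, written for this page and not part of the original document or Hall's text, does that over a constructed log. The log format ("seq=<n> crc=<hex> payload=<text>"), the use of CRC-32 as the per-message checksum, and the invoice payloads are all assumptions of the example; real communications products keep their own log layouts and error-detection codes, and a CRC detects line noise but, unlike a keyed MAC, gives no protection against deliberate tampering.

```python
import zlib

# Constructed sample transaction log in a hypothetical format (not any real
# EDI or communications product's log): "seq=<n> crc=<hex> payload=<text>".
# The sender records a CRC-32 over the payload so the receiver can detect
# garbling by line noise; a corrupted message should be retransmitted under
# the same sequence number. Invoice numbers and amounts are invented.

def crc32_hex(payload: str) -> str:
    return f"{zlib.crc32(payload.encode()):08x}"

def make_log_line(seq: int, payload: str, garble: bool = False) -> str:
    crc = crc32_hex(payload)                   # checksum the sender computed on the clean payload
    if garble:                                 # simulate line noise changing one character in transit
        payload = payload.replace("0", "O", 1)
    return f"seq={seq} crc={crc} payload={payload}"

def make_sample_log() -> str:
    lines = [
        make_log_line(1, "INV#1001,AMT=120.00"),
        make_log_line(2, "INV#1002,AMT=80.50"),
        make_log_line(3, "INV#1003,AMT=250.00", garble=True),   # arrived corrupted ...
        make_log_line(3, "INV#1003,AMT=250.00"),                # ... then retransmitted clean
        make_log_line(5, "INV#1005,AMT=15.25"),                 # seq 4 never arrived
        make_log_line(6, "INV#1006,AMT=900.00", garble=True),   # corrupted, never retransmitted
        make_log_line(7, "INV#1007,AMT=42.00"),
    ]
    return "\n".join(lines) + "\n"

def parse_message_log(text: str) -> list:
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq_field, crc_field, payload_field = line.split(" ", 2)
        msgs.append({"seq": int(seq_field[len("seq="):]),
                     "crc": crc_field[len("crc="):],
                     "payload": payload_field[len("payload="):]})
    return msgs

def find_sequence_gaps(msgs) -> list:
    """Sequence numbers missing between the first and last one seen."""
    seen = {m["seq"] for m in msgs}
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]

def is_corrupted(msg) -> bool:
    return crc32_hex(msg["payload"]) != msg["crc"]

def find_corrupted(msgs) -> list:
    """Sequence numbers of every log entry whose payload no longer matches its CRC."""
    return [m["seq"] for m in msgs if is_corrupted(m)]

def find_unretransmitted(msgs) -> list:
    """Corrupted messages for which no clean copy with the same sequence number exists."""
    clean = {m["seq"] for m in msgs if not is_corrupted(m)}
    return sorted({m["seq"] for m in msgs if is_corrupted(m)} - clean)

if __name__ == "__main__":
    log = parse_message_log(make_sample_log())
    print("missing sequence numbers:", find_sequence_gaps(log))      # [4]
    print("corrupted entries:", find_corrupted(log))                  # [3, 6]
    print("corrupted and never retransmitted:", find_unretransmitted(log))  # [6]
```

Message 3 shows the control working (a corrupted copy followed by a clean one under the same sequence number), message 6 shows the exception the auditor is looking for, and the gap at 4 shows a message that was never received at all, which a checksum alone cannot reveal; the sequence check and the checksum check answer different questions and both are needed.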

8. ELECTRONIC DATA INTERCHANGE CONTROLS

Risks/Exposures:
The absence of human intervention in this process presents a unique twist to traditional control problems, including ensuring that transactions are authorized and valid, preventing unauthorized access to data files, and maintaining an audit trail of transactions.

Audit Objectives:
- To determine that all EDI transactions are authorized, validated, and in compliance with the trading partner agreement.
- To determine that no unauthorized organizations gain access to database records.
- To determine that authorized trading partners have access only to approved data.
- To determine that adequate controls are in place to ensure a complete audit trail of all EDI transactions.

Audit Procedures:
- Establish that trading partner identification codes are verified before transactions are processed.
- Determine that access to the valid vendor or customer file is limited to authorized employees only.
- Determine that access to this file is controlled by passwords and authority tables, and that the data are encrypted.
- Verify that the EDI system produces a transaction log that tracks transactions through all stages of processing.

Internal Control Checklist:
- Is there a transaction log that tracks all transactions through the stages of processing?
- Is access to the vendor or customer files limited to authorized employees?

Sources: Hall, James A. (2011). Information Technology Auditing and Assurance, 3rd edition; http://www.auditnet.org; http://www.isaca.org
9. MICROCOMPUTER/PERSONAL COMPUTER CONTROLS

1. INPUT CONTROLS

Risks/Exposures:
Exposures of this sort can cause serious disruptions to operations and may result in financial losses to the firm.
