The review of logical security has eight tasks and should take a minimum of 12 hours to complete.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The IT auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is three hours to complete this task. The mainframe environment should include most of the controls covered in the questionnaire.
Task 2: Audit the List of Logical Security Values Obtained from the System and Security Software. The IT auditor should, if possible, obtain the list of the logical security values from the system and security software and trace the values from the questionnaire to the list. Any differences should be noted and followed up to determine what the correct value should be and why the difference between the document and the list exists. This task should take no longer than two hours.
Task 3: Identify All Standard Security Profiles Supplied with the System and Security Package. The IT auditor should determine whether any standard (vendor-supplied) security profiles are delivered with the system and security package. There is a risk that, if these are not reset or disabled, anyone familiar with the product and its documented default credentials will be able to use one of these standard profiles to access the system and potentially perform unauthorized activities. With management's knowledge, the auditor should attempt to log onto the system using the standard profiles and their default credentials to confirm that the profiles were reset or disabled, recording each attempt and its outcome in the workpapers. This task should take no longer than one hour to complete.
Task 4: Test Password Controls. The IT auditor should test the password controls that can be exercised from a terminal, such as minimum length, composition rules, expiration interval, password history, and lockout after repeated failed logon attempts, to evaluate whether they function as the questionnaire and the security values list indicate. The results of these tests should be documented in the workpapers. This testing can normally be completed while sitting at a terminal and should take no longer than one or two hours.
Task 5: Identify and Document Access Privileges. The IT auditor should ascertain the details of how persons within the enterprise are granted access to the system. That process should be documented if that information is not already documented. The process of granting access should then be tested in both directions: select a judgmental sample of users from the system and confirm that a properly completed access-authorization document exists for each, and select a similar sample from the authorization files and confirm that each corresponds to a user on the system whose access matches what was authorized. The estimated time for this task is two to four hours.
Task 6: Test User Profiles. The IT auditor should select a cross-sample of user profiles on the system and review them for consistency in the way that they are set up and authorized to use the system; any special capabilities given; and exceptions to established password management rules. The results of this review should be documented in the workpapers. The estimated time for this task is approximately two hours for each ten users selected for testing.
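The tracing described in tasks 2, 5 and 6 is essentially a reconciliation of two lists plus a scan for exceptions. The following added example (editor's illustration, not part of the original text or of any specific security product) shows that reconciliation on constructed data: a questionnaire's expected security values traced against the values reported by the system, a two-directional trace between a user extract and the register of access-authorization forms, and a scan of user profiles for special privileges and password-rule exceptions. The column names, the policy values, and the convention that a password interval of 0 means "never expires" are all assumptions.

```python
"""
Added example: reconciliation checks an IT auditor could run over extracts
obtained during a logical security review. All data below is constructed and
the field names are assumptions, not any product's actual report format.
"""
import csv
import io
from typing import Dict, List, Tuple

# Task 2: values recorded on the questionnaire vs. values read from the system.
QUESTIONNAIRE = {"min_password_length": 8, "password_interval": 60, "failed_logon_lockout": 5}
SYSTEM_VALUES = {"min_password_length": 6, "password_interval": 60, "failed_logon_lockout": 5}

# Task 5/6: constructed extract of user profiles from the security software.
SYSTEM_EXTRACT = """\
userid,owner_group,special,password_interval,last_logon
ALICE01,PAYROLL,N,60,2023-03-01
BOB02,OPS,Y,60,2023-03-02
CAROL03,PAYROLL,N,0,2023-02-15
DAVE04,DEV,N,60,2023-03-03
"""

# Task 5: constructed register of signed access-authorization forms.
AUTH_FORMS = """\
userid,form_id,approved_by,approval_date
ALICE01,F-1001,J.SMITH,2022-11-01
BOB02,F-1002,,2022-11-05
DAVE04,F-1004,K.LEE,2023-01-10
EVE05,F-1005,K.LEE,2023-01-12
"""


def load(text: str) -> List[Dict[str, str]]:
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def trace_values(questionnaire: Dict[str, int], system_values: Dict[str, int]) -> Dict[str, Tuple[int, object]]:
    """Task 2: return every questionnaire value that the system does not confirm,
    as name -> (documented value, actual value)."""
    return {k: (v, system_values.get(k)) for k, v in questionnaire.items() if system_values.get(k) != v}


def reconcile(system_rows: List[Dict[str, str]], form_rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Task 5: two-directional trace between system users and authorization forms."""
    sys_ids = {r["userid"] for r in system_rows}
    form_ids = {r["userid"] for r in form_rows}
    return {
        # on the system but no authorization form: access granted without approval
        "no_form": sorted(sys_ids - form_ids),
        # form exists but no profile: never set up, or removed without updating the file
        "no_profile": sorted(form_ids - sys_ids),
        # form present but not properly completed (missing approver or date)
        "incomplete_form": sorted(r["userid"] for r in form_rows
                                  if not r["approved_by"] or not r["approval_date"]),
    }


def profile_exceptions(system_rows: List[Dict[str, str]], policy: Dict[str, int]) -> List[Tuple[str, str]]:
    """Task 6: flag special capabilities and deviations from the password rules.
    Assumption: an interval of 0 means the password never expires."""
    findings = []
    for r in system_rows:
        if r["special"] == "Y":
            findings.append((r["userid"], "special privilege"))
        interval = int(r["password_interval"])
        if interval == 0 or interval > policy["password_interval"]:
            findings.append((r["userid"], f"password interval {interval} outside policy {policy['password_interval']}"))
    return findings


if __name__ == "__main__":
    users = load(SYSTEM_EXTRACT)
    forms = load(AUTH_FORMS)
    print("Task 2 differences:", trace_values(QUESTIONNAIRE, SYSTEM_VALUES))
    print("Task 5 reconciliation:", reconcile(users, forms))
    print("Task 6 exceptions:", profile_exceptions(users, {"password_interval": QUESTIONNAIRE["password_interval"]}))
```

Each item the functions return is a candidate finding to follow up, not a conclusion: a user with no form may have been authorized under an older process, and a form with no profile may reflect a legitimate removal, so every exception still needs to be traced to its cause and written up in the workpapers.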
Task 7: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and results of the other audit procedures performed. The time required for this task cannot be estimated until the auditor reviews his or her findings over the course of the fieldwork.
Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the logical security area, including any potential findings and any other information deemed important. This task should take between one and three hours, depending on the extent and nature of the included items.
The review of change management has five tasks and should take a minimum of 17 hours to complete.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the change management and systems development portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is two to four hours to complete this task. The mainframe environment should include most of the controls covered in the questionnaire.
Task 2: Test to Ensure that All Change Control Features are Operational. The IT auditor should test the procedures identified in task 1 to ensure that all of the appropriate control features are in place and functioning. This procedure should take between two and eight hours to complete, depending on the extent of the testing required.
Task 3: Test the Change Control Management Process. The IT auditor must determine the extent of testing that is desirable for the current audit, which is most likely based on the need to reach a conclusion on the reliability of the change management process. Once the extent of testing is determined, the auditor should perform the tests that address reviewing the changed code, evaluating the authorization process, and verifying the testing and documentation that was done. The time to complete this process is contingent on the plan for testing and can vary between 12 and 80 hours.
Task 4: Review and Evaluate the Questionnaire Responses. The auditor should, before preparing the conclusion memo for this area, review the control questionnaire responses to determine if any of them has not been reviewed or tested in any way. Any items identified during this task should either be further evaluated or noted in the workpapers to indicate why no evaluation was needed. The time to complete this task cannot be estimated in advance for auditing the mainframe environment.
Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the change management area, including any potential findings and any other information deemed important. This task should take between one and three hours, depending on the extent and nature of the included items.