Section 13
Auditing the Midrange Computer

The mainframe computer was simply too expensive for many companies, and they looked for solutions that were more consistent with their size. Vendors began to respond by developing scaled-down versions of the mainframe. Companies first saw the minicomputer, and later the microcomputer, both carefully named to indicate their relationship to the mainframe computer. These computers were designed for small companies that were not in the market for a mainframe computer but still wanted to gain the benefits of automation. Minicomputers, like IBM’s System 32, differed from the mainframes of that era by fitting into a fraction of the space, with all of their components contained in as little as one piece of hardware.

Another significant change from the mainframe architecture was the bundling of operating system software components into a single offering. Mainframes had come with a base operating system only, requiring customers to purchase other components, such as security software, separately. These previously separate components began to be bundled into a single offering.

Minicomputers clearly supported a different market and could be easily outgrown, leading companies into the mainframe market. Technical advances significantly increased the capabilities of the minicomputer, and the name for these systems changed to “midrange” as more descriptive of their capabilities fitting between the mainframe and microcomputer markets.

The IT auditor has a less daunting task auditing midrange computers because experience with one specific midrange computer type can almost always be directly applied to another similar system, as the software components are generally the same. The IT auditor still needs technical expertise because the security and control capabilities between midrange systems, even from a single manufacturer, can vary significantly.

Physical access security is still extremely important, but logical access security clearly becomes the more important element because midrange systems increase the direct reliance on end-user input and control for data entry and maintenance instead of these functions being performed centrally. The primary control problem in the midrange environment is change management because the midrange computers are often supported by small staffs that do not have the number of personnel required for effective segregation of duties. Therefore, IT auditors must consider compensating controls as a primary control mechanism because end-user actions and responsibilities offset the segregation weakness within the IT department.

The audit process can be described in three steps: planning, fieldwork, and finalization. Most, if not all, of the audit concerns, considerations, and tasks for the mainframe environment can be applied to the midrange environment.

PLANNING THE AUDIT

The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if the auditor has performed the same basic review many times in the past. Every audit may be different, and failing to allocate to each audit assignment the appropriate amount of planning time can lead to unreliable audit results.

Contacting the Auditee

The IT auditor should make initial contact with the auditee by phone, if possible, because it is less formal than sending a letter or even a note by electronic mail. Once the audit timing or scope is committed to paper, even as a draft, it can create subsequent problems for the systems auditor. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:

  IT administration
  Physical security
  Logical security
  Operations
  Backup and recovery
  Systems development

The auditor should contact the head of the IT department initially, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter instance, it is appropriate to copy the head IT person once the scope and schedule of the audit have been determined. The midrange environment is likely to require at least one to three weeks of effort, to a maximum that is only limited by the auditor’s decision to discontinue testing.

The midrange environment is likely to contain subfunctions reporting to no more than two different managers, so that the auditor has to do less coordinating. The IT auditor should send a letter to the primary director or manager to confirm the planning details. This letter should be made available to the field personnel at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before starting fieldwork.

Preliminary Office Planning Before Fieldwork

The IT auditor should complete the following procedures while still in the office before initiating fieldwork procedures:

  Prepare an audit planning memo, including these elements:
—Location background
—Prior audit scope and results
—Detailed list of prior recommendations
—Current planned scope and timing
—Planned staffing
—Time budgets
  Define the specific audit program based on the standard program, the intended objectives based on the audit department’s planning and selection of the audit, and the planning conversations held with location personnel.
  Send out the Information Technology Internal Control Questionnaire (Workpaper 5-1), specifying a date for its completion that will permit time for it to be returned and reviewed before fieldwork. (If there is a questionnaire from a previous audit, and if it is not materially different from the questionnaire currently in use, copy it and have the location personnel update the previous form.)
  Obtain prior audit reports related to this location and place a copy in the workpapers.
  Review past audit files for permanent and carry-forward information, and incorporate any previous findings into the current workpapers.
  Set up any necessary files on the personal computer or laptop that will facilitate the performance of fieldwork.

PERFORMING FIELDWORK PROCEDURES

Fieldwork is more likely to be done in one visit, or at most two. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it. The general items that should be completed in the field that do not relate to any of the specific areas are:

  Conduct an entrance conference and document the results of that meeting. It may be necessary to have multiple meetings in a midrange review, but not as likely as when performing a mainframe review.
  Prepare a list of all issues from the prior audit and determine the current status of those items by contacting the appropriate personnel, performing detailed procedures if necessary. Document the current status of those items in the workpapers. The auditor’s effort to complete this step is not related to the environment as much as it is to the nature and extent of prior audit recommendations.
  Take a plant tour, noting any unusual items or observations. This gives the IT auditor an opportunity to become acquainted with the business and to gain some indirect information about how that particular business or location is operating, which may be useful when the auditor is evaluating potential recommendations and their cost/benefit considerations. The tour, observations, and other items that the auditor deems important should be documented in the working papers.

AUDITING SPECIFIC PROCEDURES BY AUDIT AREA

The IT auditor should be ready to begin specific detailed audit procedures once the planning and the general office procedures have been covered. The audit tasks are discussed in the subsequent sections, followed by the estimated time to complete and additional comments if necessary.
