The review of IT administration has eight tasks and should take a minimum of 7½ hours to a maximum of 14½ hours to complete, exclusive of testing.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carryforward workpapers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is three hours to complete this procedure. The audit of the mainframe environment should include most of the controls covered in the questionnaire.
Task 2: Review the Organization Chart. The IT auditor should obtain a copy of the top-level organization chart and review the placement of IT in the organization in terms of its overall effectiveness. The estimated time to complete this task is 30 minutes.
Task 3: Evaluate the Long-Range IT Plan. The IT auditor should obtain the long-range IT plan and evaluate whether it supports business objectives, is consistent with the business plan, is likely to meet management's objectives, and has been properly developed in terms of scope, detail, quantitative analysis, and assigned responsibility. Depending partly on the extent of the plan, the time estimate to complete this review is two to three hours. The mainframe environment is the most critical one to have a plan for, because its investment in personnel, hardware, software, and other resources is likely to be the most significant of the three environments covered in this supplement.
Task 4: Audit Expense and Budget Statements. The IT auditor should obtain and review appropriate expense and budget statements, paying particular attention to significant fluctuations between periods or any unusual items. The time estimated to complete this area is between two and six hours, based on the detail and extent of the budget and actual information.
Task 5: Examine Job Descriptions. The IT auditor should obtain and evaluate the IT department's job descriptions against the business structure and the responsibilities observed in practice. The time estimate for this is one hour, although more time may be needed if the IT auditor determines that the job descriptions are too general or are inconsistent with the responsibilities that IT personnel have actually been assigned.
Task 6: Review and Evaluate the IT Standards Manual. The IT auditor should obtain and evaluate the IT standards manual in terms of scope, timeliness, and general qualitative usefulness. The standards manual is important in a large mainframe shop because, if there is substantial compliance with its procedures, it provides a foundation for consistent activity by different persons; the auditor should therefore test compliance rather than only the existence of the manual. The estimated time to complete this step depends on the level of testing the IT auditor decides to perform and could vary between 2 and 80 hours. If no manual is in place, the IT auditor should spend at least one hour to one day assessing the need for a standards manual and preparing the related recommendation with a sample document or, at least, a sample table of contents.
Task 7: Perform a Complete Inventory of All IT-Related Hardware. The IT auditor should obtain a complete inventory of all IT-related hardware used at the audited location, and this inventory should be included in the permanent workpapers. The inventory should be tested with a judgmental sample in both directions: from the inventory to the actual hardware (is every listed item really present where the record says it is?) and from selected hardware to the inventory (is every item found on the floor actually recorded?). This procedure should take no more than one hour, including the preparation of the workpapers. One potential difficulty in auditing the mainframe environment is that a large number of components may be part of the central processing unit complex, so operations assistance may be required to determine the location of a particular hardware item.
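The two-direction test described above can be scripted when the inventory and the floor observations are both available as lists. The following is an added example, not part of the original audit program, and the asset tags, serial numbers, descriptions and room names in it are constructed for illustration. It goes beyond the page's judgmental sample by reconciling the whole inventory in both directions, keyed on vendor serial number rather than asset tag (tags can fall off or be re-stuck), and it also flags duplicate serials in the inventory and records whose location or tag is stale, since those are the findings an auditor typically writes up from this task.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One hardware item. The serial number is the reconciliation key
    because it is stamped by the vendor; asset tags are applied locally
    and are easier to lose or reassign."""
    tag: str
    serial: str
    description: str
    location: str


# Constructed sample data: the inventory list supplied by IT.
# Tags, serials and rooms are hypothetical.
INVENTORY = [
    Asset("A-0001", "SN-1001", "Mainframe CPU frame", "Room 101"),
    Asset("A-0002", "SN-1002", "Channel extender", "Room 101"),
    Asset("A-0003", "SN-1003", "Tape library", "Room 102"),
    Asset("A-0004", "SN-1004", "DASD controller", "Room 101"),
    Asset("A-0005", "SN-1005", "Front-end processor", "Room 103"),
    Asset("A-0006", "SN-1005", "Front-end processor", "Room 103"),  # duplicate serial
]

# Constructed observations made while walking the data center.
OBSERVED = [
    Asset("A-0001", "SN-1001", "Mainframe CPU frame", "Room 101"),
    Asset("A-0002", "SN-1002", "Channel extender", "Room 104"),  # moved; record not updated
    Asset("A-0004", "SN-1004", "DASD controller", "Room 101"),
    Asset("A-0005", "SN-1005", "Front-end processor", "Room 103"),
    Asset("", "SN-2001", "Unlabelled console", "Room 102"),  # on the floor, not on the list
]


def index_by_serial(assets):
    """Map serial -> asset, keeping the first record for each serial and
    collecting any serial that appears more than once."""
    by_serial, duplicates = {}, set()
    for asset in assets:
        if asset.serial in by_serial:
            duplicates.add(asset.serial)
        else:
            by_serial[asset.serial] = asset
    return by_serial, duplicates


def reconcile(inventory, observed):
    """Reconcile the inventory against floor observations in both directions.
    Returns sorted lists of serial numbers for each finding category."""
    inv, inv_duplicates = index_by_serial(inventory)
    obs, _ = index_by_serial(observed)

    # Direction 1: inventory -> floor. Listed, but never found.
    not_found = sorted(serial for serial in inv if serial not in obs)

    # Direction 2: floor -> inventory. Found, but never listed.
    unrecorded = sorted(serial for serial in obs if serial not in inv)

    # Present in both, but the record is stale (location or tag differ).
    stale = sorted(
        serial
        for serial in inv.keys() & obs.keys()
        if (inv[serial].location, inv[serial].tag)
        != (obs[serial].location, obs[serial].tag)
    )

    return {
        "not_found": not_found,
        "unrecorded": unrecorded,
        "stale": stale,
        "duplicate_serials": sorted(inv_duplicates),
    }


if __name__ == "__main__":
    # Print one line per finding category for the workpapers.
    for finding, serials in reconcile(INVENTORY, OBSERVED).items():
        print(f"{finding:18s} {serials}")
```

Each non-empty list is a potential finding: items listed but not found may indicate disposal without a record (or theft), unrecorded items mean the inventory cannot be relied on as a control, stale locations show the update procedure is not followed, and duplicate serials point to data-entry weaknesses in the inventory itself.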
Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the IT Administration area, all potential findings, and any other information deemed important. This task should take between one and three hours, depending on the extent and nature of the included items.
The review of physical security has five tasks and should take a minimum of six hours to complete.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the physical security portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carryforward workpapers. The IT auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is two to four hours to complete this procedure. The audit of the mainframe environment should cover most of the controls in the questionnaire.
Task 2: Test to Ensure that All Security Features Are Operational. The IT auditor should test the controls identified in Task 1 to ensure that all of the appropriate physical security features are in place and functioning, not merely documented. This procedure should take between two and eight hours to complete, depending on the extent of the testing required.
Task 3: Review Physical Security Layout of Data Center. The IT auditor should obtain a layout diagram of the data center, review it for completeness and accuracy, and ensure that it identifies all key security features. This task should take approximately one hour.
Task 4: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and the results of the other audit procedures performed. The time required for this task cannot be estimated until the auditor has reviewed the findings accumulated over the course of the fieldwork.
Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the physical security area, including any potential findings and any other information deemed important. This task should take between one and three hours, depending on the extent and nature of the included items.