

INFORMATION TECHNOLOGY STANDARD SETTING

The IT auditor in many organizations spends a certain amount of time persuading members of the IT staff of what constitutes adequate or minimum control in a particular situation. Minimum password length is a typical example. While evaluating logical access controls, the IT auditor determines that end users, when prompted by the system to change their password, can set one as short as a single character. The auditor should conclude that a minimum length of one does little to limit the probability that someone else can guess an end user's password. The auditor then has to decide what minimum length is appropriate and persuade the IT staff to adopt that requirement.

Exhibit 7-2. Sample IT Tactical Plan
GENERIC DOMESTIC COMPANY FOR 199X AND 199Y

Request  User   Est.   Hours    Hours to   Description
                Hours  to Date  Complete
9Y-011   Smith  250    130      200        Enhance credit module functionality to permit direct interface to external business rating services to increase the number of new customer transactions that can be handled interactively.
9X-005   Jones   75     20       35        Determine reason that general ledger journal entries set up as recurring entries are not included in automatic monthly close processing in subsequent months and make necessary corrections.
9X-103   Bruce   16      0       16        Modify the customer balance inquiry screen so that current balances in excess of established credit limits appear in red.
9Y-051   Ng     130     42      115        Modify the accounts receivable module so that pending orders reduce the available credit balance when entered instead of when shipped to prevent orders from being accepted that are actually over the customer's established limit.
9Y-050   Rand    30     10       20        Add another level of subtotals on the open accounts payable report so that the report includes grand totals, regional totals, customer totals, and customer/location totals.

Most experienced IT auditors can describe the futility of these exchanges. The auditor tries to apply a consistent standard across an employer's locations, or even across employers, while each group has its own opinion about what is necessary and what is effective. This does not mean that every situation triggers a disagreement, but the minimum password length chosen for the example is genuinely a matter of opinion and not of fact.

In most areas, company policy on a topic should eliminate the need to discuss alternatives and reach a consensus, because the policy codifies senior executive management's opinion on that subject, and senior management's opinion should normally be enough to create change at lower levels. If IT management adopts a security policy, for example, it can simplify the IT auditor's work by at least an order of magnitude.

The IT auditor can then concentrate on reviewing the policy, commenting during policy development, or suggesting changes to IT management for the next regular update cycle. Working this way changes the IT auditor's fieldwork: the time otherwise lost to arguing basic control issues is recovered for more valuable activities, because control issues become a simple matter of compliance with the policy. The IT auditor has more time to focus on complex issues with more potential to add value to the organization.

Exhibit 7-3 is a sample IT security policy, which is important for two reasons:

  It provides the foundation for the standard general controls questionnaire.
  It incorporates a number of elements of effective policy statements with which IT auditors should become familiar.
Exhibit 7-3. Sample IT Security Plan
SPECIFIC SECURITY PROVISIONS
(The dashes and letters after each provision number mark the installation classes, defined by size, to which that provision applies.)
1. - - - D
Unauthorized entry to the computer room shall be prevented by locks, an automatic admission checking system, or guards. If the computer room is on the ground floor, the windows shall be of an unbreakable type, preferably also opaque and not possible to open.
2. - B C D
Fire extinguishers of carbon dioxide or Halon gas shall be located in the computer room and in the adjacent room. Where applicable, the fire control organization should be consulted, and they should make periodic inspections.

The complete policy that the exhibit was taken from is included as Workpaper 7-1. This sample security policy was originally designed for a holding company with a large number of operating units and a variety of hardware platforms. Its basic structure has many elements in common with other organizations, even small ones, where it is more common to find independent personal computers, network or client/server installations, and a central transaction processing system. Even if the network or client/server is responsible for transaction processing, two distinct levels of controls should be considered.

The sample security policy incorporates the following critical elements.

  Sensitivity to size. A size-based classification is presented, and policy statements are keyed to those classes.
  Clarity. The policy statements are very clear, which reduces the risk of misunderstanding and subsequent noncompliance.
  Recognizing variations in risk. Several policy provisions have more than one relevant statement because one installation class is required to take action, and smaller classes are only required to consider action.
  Delegating responsibility. The policy requires local managers, whether in information technology services or other areas, to review the policy and either take action or determine that action is not needed on an item-by-item level.
  Providing for circumstances. Allowing individual managers to request variances empowers those persons by giving them a method to deal with their individual concerns other than simply choosing to deviate from corporate policy.
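The following is an added illustration, not code from the book or from the sample policy in Workpaper 7-1, of how a policy with these five elements turns the password-length argument in the opening paragraph into a mechanical compliance test. Provisions are keyed to installation classes that must act and classes that need only consider action; each unit's manager records decisions and approved variances; the audit routine reports only what needs follow-up. The class letters A to D, the provision numbers 11 and 12, the thresholds (8 characters, 90 days), the setting names and the three sample units are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Installation classes, smallest to largest. Exhibit 7-3 keys each provision
# to four size-based classes; labelling them A to D is an assumption here.
CLASSES = ("A", "B", "C", "D")


@dataclass(frozen=True)
class Provision:
    """One policy statement with the classes that must comply ("required")
    and the classes that need only document a decision ("consider")."""
    number: int
    setting: str                     # configuration item the auditor examines
    at_least: Optional[int] = None   # lower bound, e.g. minimum password length
    at_most: Optional[int] = None    # upper bound, e.g. maximum password age
    required: FrozenSet[str] = frozenset()
    consider: FrozenSet[str] = frozenset()

    def satisfied(self, value: int) -> bool:
        if self.at_least is not None and value < self.at_least:
            return False
        if self.at_most is not None and value > self.at_most:
            return False
        return True


@dataclass
class Unit:
    """An operating unit's installation and what its local manager recorded."""
    name: str
    installation_class: str
    settings: Dict[str, int]                   # observed system configuration
    variances: FrozenSet[int] = frozenset()    # provisions with an approved variance
    decisions: FrozenSet[int] = frozenset()    # provisions reviewed and decided on


@dataclass(frozen=True)
class Finding:
    unit: str
    provision: int
    status: str       # "noncompliant", "undocumented" or "variance"
    detail: str


# Hypothetical provisions; numbers and thresholds are assumptions, not from Exhibit 7-3.
POLICY = (
    Provision(11, "min_password_length", at_least=8,
              required=frozenset({"C", "D"}), consider=frozenset({"A", "B"})),
    Provision(12, "password_max_age_days", at_most=90,
              required=frozenset({"D"}), consider=frozenset({"B", "C"})),
)


def audit_unit(unit: Unit, policy=POLICY) -> List[Finding]:
    """Compare one unit's observed settings against the codified policy.
    The auditor no longer argues about the threshold; the policy supplies it."""
    findings: List[Finding] = []
    cls = unit.installation_class
    for p in policy:
        value = unit.settings.get(p.setting)
        if cls in p.required:
            if p.number in unit.variances:
                # Approved variance: note it so the auditor can verify the approval.
                findings.append(Finding(unit.name, p.number, "variance",
                                        f"{p.setting}={value}; approved variance on file"))
            elif value is None or not p.satisfied(value):
                findings.append(Finding(unit.name, p.number, "noncompliant",
                                        f"{p.setting}={value} does not meet policy"))
        elif cls in p.consider and p.number not in unit.decisions:
            # Smaller classes must at least review the item and record a decision.
            findings.append(Finding(unit.name, p.number, "undocumented",
                                    "provision must be considered but no decision recorded"))
        # Classes named in neither set are out of scope for this provision.
    return findings


def exceptions(findings: List[Finding]) -> List[Finding]:
    """Findings that require corrective action rather than verification."""
    return [f for f in findings if f.status in ("noncompliant", "undocumented")]


# Constructed sample units, one per situation the policy elements address.
SAMPLE_UNITS = [
    Unit("Central transaction system", "D",
         {"min_password_length": 1, "password_max_age_days": 60}),
    Unit("Regional client/server network", "C",
         {"min_password_length": 6, "password_max_age_days": 180},
         variances=frozenset({11})),
    Unit("Plant office PCs", "B",
         {"min_password_length": 4}, decisions=frozenset({11})),
]


def audit_all(units=SAMPLE_UNITS) -> List[Finding]:
    return [f for u in units for f in audit_unit(u)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.unit}: provision {f.provision} {f.status}: {f.detail}")
```

Run as a script, it reports the one-character minimum on the central system as noncompliant, the regional network's short passwords as covered by a variance the auditor should verify, and two consider-only provisions on which no local decision was recorded. Everything the auditor formerly had to argue is reduced to a threshold in POLICY and a record kept by the local manager.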

