REVIEW OF QUESTIONNAIRE RESPONSES C-1.1
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I have reviewed the responses to the questionnaire section dealing with logical access controls. A copy of that section follows this working paper as 1.2. All of the items requiring further discussion, investigation, or other follow-up are described below, and referenced by the letter (and audit point reference where appropriate) shown in the left column.
Reference | Audit Point | Description |
---|---|---|
| | |
VENDOR SUPPLIED PASSWORDS C-2
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I tested whether the vendor-supplied profiles and passwords have been changed since the system was implemented. The ones identified and tested are shown below:
VP1 | not/successful |
VP2 | not/successful |
VP3 | not/successful |
VP4 | not/successful |
No further procedures were deemed necessary.
PASSWORD SYNTAX TESTING C-3
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I have tested the following password control parameters:
Periodic required changes: | System parameters indicate changes are due at least every XX days. |
Minimum password length: | Using the XXX sign-on, I attempted to set a password less than the indicated minimum length of XX characters and was (not) successful. |
Maximum password length: | Using the XXX sign-on, I attempted to set a password longer than the indicated maximum length of XX characters and was (not) successful. |
Maximum attempts: | Using the XXX sign-on, I attempted to sign on with the indicated password more than the XX maximum attempts indicated in the internal control questionnaire and was not successful. |
No further procedures were deemed necessary.
USER PROFILE MANAGEMENT C-4
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I selected a random sample of ten user profiles from the population of all system users to validate the profile management procedures at this location. The profiles selected and the testing results are summarized in the table below:
User profile | Name | Authorization form was present | Authorization form was approved |
---|---|---|---|
No exceptions were noted. No further procedures were deemed necessary.
USER PROFILE REVIEW C-5
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
Note: Update as needed.
SUMMARY LISTING
I have reviewed the user profile summary listing which follows as C-5.1 for consistency in the setup of user profiles. All profiles were scanned, and no unusual items were noted.
PREVIOUS SIGN-ON DATE
I obtained the listing of users by previous sign-on date that is enclosed as working paper C-5.2.2. An aging by date has been summarized on working paper C-5.2.1. My opinion is that the user base is (not) being kept relatively current, and will keep the related audit point, C 12, to the exit meeting only.
LAST PASSWORD CHANGE DATE
I obtained the listing of users by last password change date to use as support for the results of the C-5.2 work that was done. There should be a high consistency in the aging of the two reports. Based on the listing (C-5.3.2) and the summary (C-5.3.1), the results are consistent, and no further work was performed.
USERS WITH EXPIRED PASSWORDS
I have reviewed the appropriate listing that is included in the working papers as C-5.4, noting that there are no users with expired passwords. Based on that information, the summary worksheet for this subsection was not prepared.
COMPARISON OF RESPONSES TO THE SYSTEM VALUES LISTING C-6.1
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I have highlighted the appropriate system values on the attached copy of the system values listing, taken from the original that is included in the carryforward working papers as CF-30. Those highlighted items were compared to the questionnaire excerpt included as C-1.2, noting no exceptions. No further procedures were performed.
REVIEW OF SECURITY ITEMS IN THE HISTORY LOG C-7.1
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I have reviewed the enclosed extract from the system history log. Based on my review of those items, I noted the following:
OTHER PROCEDURES C-99
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
SUMMARY MEMO LOGICAL ACCESS CONTROLS C-Memo
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
Note: Update as needed.
OBJECTIVES
The objectives in this area were to:
CONCLUSION
Based on the work done in this area, my opinion is that the controls over logical access to system programs and data ____.
FINDINGS
The conclusion(s) above were made considering the following specific findings: