

Task 5: Identify and Document Access Privileges. The IT auditor should ascertain the details of how persons within the enterprise are granted access to the system, and should document that process if it is not already documented. The process of granting access should then be tested by selecting a judgmental sample of users from the system and a similar sample of users from the files, and by confirming that the documents authorizing their access are present and properly completed. The estimated time for this task is one to two hours.

Task 6: Test User Profiles. The IT auditor should select a cross-sample of user profiles on the system and review them for consistency in the way that they are set up and authorized to use the system; any special capabilities given; and exceptions to established password management rules. The results of this review should be documented in the working papers. The estimated time for this task is approximately two hours for each 10 users selected for testing.
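The following script is an added example of how the Task 6 review can be run over an exported user-profile listing; it is not part of the audit program in the text. It assumes the auditor has exported the profiles (for instance from DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE)) and converted them to a CSV with the column names used below, which are this example's own choice rather than the outfile's field names. The sample rows are constructed, the 90-day QPWDEXPITV system value and the review date are assumptions, and the per-class default special authorities are the IBM i defaults at security level 30 and above. It flags the three things the task asks about: profiles set up inconsistently with their user class, special capabilities beyond the class default (including ones left on disabled profiles), and per-profile exceptions to the password expiration rule.

```python
"""Screen an AS/400 (IBM i) user-profile export for the Task 6 exceptions."""
import csv
import io
from datetime import date

# Constructed sample export (not real data); column names are this example's own.
SAMPLE_EXPORT = """\
profile,status,user_class,special_authorities,pwd_exp_interval,pwd_last_changed
QSECOFR,*ENABLED,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *SPLCTL *AUDIT *IOSYSCFG,*SYSVAL,2023-02-01
JSMITH,*ENABLED,*USER,*NONE,*SYSVAL,2023-05-14
APAYCLK,*ENABLED,*USER,*ALLOBJ,*SYSVAL,2023-01-15
OPER1,*ENABLED,*SYSOPR,*JOBCTL *SAVSYS,*NOMAX,2021-11-30
TEMPDEV,*DISABLED,*PGMR,*JOBCTL *SAVSYS *SECADM,*SYSVAL,2022-08-09
BATCH01,*ENABLED,*USER,*NONE,120,2023-05-01
"""

ALL_SPECIAL = {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SAVSYS",
               "*SERVICE", "*SPLCTL", "*AUDIT", "*IOSYSCFG"}

# Special authorities each user class receives by default at QSECURITY 30+.
CLASS_DEFAULTS = {
    "*USER": set(),
    "*SYSOPR": {"*JOBCTL", "*SAVSYS"},
    "*PGMR": {"*JOBCTL", "*SAVSYS"},
    "*SECADM": {"*SECADM", "*JOBCTL", "*SAVSYS"},
    "*SECOFR": set(ALL_SPECIAL),
}

# Authorities that should not be left on a profile that has been disabled.
PRIVILEGED = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT", "*IOSYSCFG"}

SYSVAL_PWD_EXP_INTERVAL = 90    # assumed QPWDEXPITV system value, in days
REVIEW_DATE = date(2023, 6, 1)  # assumed date of fieldwork


def parse_export(text):
    """Return one dict per profile with the fields typed for checking."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        auths = set(r["special_authorities"].split())
        auths.discard("*NONE")
        rows.append({
            "profile": r["profile"],
            "status": r["status"],
            "user_class": r["user_class"],
            "special_authorities": auths,
            "pwd_exp_interval": r["pwd_exp_interval"],
            "pwd_last_changed": date.fromisoformat(r["pwd_last_changed"]),
        })
    return rows


def effective_interval(value, sysval):
    """Days before a password expires; None means it never expires (*NOMAX)."""
    if value == "*SYSVAL":
        return sysval
    if value == "*NOMAX":
        return None
    return int(value)


def check_profile(row, sysval=SYSVAL_PWD_EXP_INTERVAL, as_of=REVIEW_DATE):
    """Return the list of exceptions for one profile (empty if it is clean)."""
    exceptions = []
    cls = row["user_class"]
    auths = row["special_authorities"]

    # Consistency: special authorities beyond what the class grants by default.
    extra = auths - CLASS_DEFAULTS.get(cls, set())
    if extra:
        exceptions.append(f"special authority beyond {cls} default: "
                          + " ".join(sorted(extra)))

    # A disabled profile that keeps privileged authority only needs re-enabling.
    if row["status"] == "*DISABLED" and auths & PRIVILEGED:
        exceptions.append("disabled profile retains privileged authority: "
                          + " ".join(sorted(auths & PRIVILEGED)))

    # Password rule exception: the profile overrides the system-wide interval.
    if row["pwd_exp_interval"] != "*SYSVAL":
        exceptions.append("password expiration interval overrides QPWDEXPITV: "
                          + row["pwd_exp_interval"])

    # Password older than its interval on an enabled profile: either the rule is
    # not being enforced or the profile is dormant; both belong in the workpapers.
    interval = effective_interval(row["pwd_exp_interval"], sysval)
    age = (as_of - row["pwd_last_changed"]).days
    if row["status"] == "*ENABLED" and interval is not None and age > interval:
        exceptions.append(f"password age {age} days exceeds {interval}-day interval")
    return exceptions


def review(text, sysval=SYSVAL_PWD_EXP_INTERVAL, as_of=REVIEW_DATE):
    """Map each profile name to its exceptions, ready for the working papers."""
    return {row["profile"]: check_profile(row, sysval, as_of)
            for row in parse_export(text)}


if __name__ == "__main__":
    for name, findings in review(SAMPLE_EXPORT).items():
        print(f"{name:<10}{'OK' if not findings else ''}")
        for finding in findings:
            print(f"          - {finding}")
```

The output is a per-profile exception list rather than a pass/fail verdict, because a "No" answer is not automatically a finding: APAYCLK holding *ALLOBJ as a *USER-class profile is a likely finding, while BATCH01's 120-day interval may turn out to be an approved exception for a batch profile once the authorization is traced in Task 5.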

Task 7: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and results of the other audit procedures performed. The time required for this task cannot be estimated until the auditor reviews the actual audit results.

Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the logical security area, including any potential findings and any other information deemed important. This task should take less than two hours, depending on the extent and nature of the included items.

Change Management

The review of change management has five tasks and should take a minimum of four hours to complete.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the change management and systems development portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward working papers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time to complete this task is less than two hours. The midrange environment is not likely to include most of the controls covered in the questionnaire.

Task 2: Test to Ensure that All Change Control Features Are Operational. The IT auditor should test the procedures identified in task 1 to ensure that all of the appropriate control features are in place and functioning. This procedure should take between two and eight hours to complete, depending on the extent of the testing required.

Task 3: Test the Change Control Management Process. The IT auditor must determine the extent of testing that is desirable for the current audit, which is most likely based on the need to reach a conclusion on the reliability of the change management process. Once the extent of testing is determined, the auditor should perform the tests that address reviewing the changed code, evaluating the authorization process, and verifying the testing and documentation that was done. The time to complete this process is contingent on the plan for testing and can vary between 4 and 20 hours.

Task 4: Review and Evaluate the Questionnaire Responses. The IT auditor should, before preparing the conclusion memo for this area, review the control questionnaire responses to determine if any of them have not been reviewed or tested in any way. Any items identified during this task should either be further evaluated or noted in the working papers to indicate why no evaluation was needed. The time to complete this task should be less than two hours.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the control change management area, including any potential findings and any other information deemed important. This task should take less than one hour, depending on the extent and nature of the included items.

Backup, Recovery, and Contingency Planning

The review of backup, recovery, and contingency planning has five tasks and should take between 2 and 12 hours to complete.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of this portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward working papers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is three hours to complete this task. The midrange environment should include most of the controls covered in the questionnaire.

Task 2: Identify, Test, and Document Backup Procedures. The IT auditor should identify the strategy for making periodic backups as it relates to the business conducted by the locations served by the installation. The results should be documented. In the midrange environment, this task should take between one and two hours, and the testing of the information obtained should require no more than an additional eight hours.

Task 3: Obtain and Evaluate the Corporate Business Continuity Plan. The IT auditor should obtain and evaluate the business continuity plan for the data center under review and for the business location by using the audit program illustrated in Workpaper 11-1. If a plan is in place, even if the plan only covers the recovery of the data center, the estimated time to complete this task is between 4 and 20 hours. A comprehensive business continuity plan could add 30 hours to the review. As with other control areas, the final time required for this task is dependent on the level of testing desired and the results of those testing procedures.

Task 4: Review Questionnaire Responses. The IT auditor should, before preparing the conclusion memo for this area, review the questionnaire responses to determine if any of them have not been reviewed or tested in any way. Any items identified during this task should either be evaluated or noted in the working papers to indicate why no further evaluation was needed. The time to complete this task should be less than two hours for the midrange environment.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the backup, recovery, and contingency planning area, including potential findings and any other information deemed important. This task should take less than one hour, depending on the extent and nature of the included items.

AUDIT FINALIZATION

The IT auditor should review the workpapers for clarity and completeness. This task should not take more than two hours. The auditor should then have the workpapers reviewed by a manager and clear all of the manager's review notes. The time for this step will vary between 2 and 20 hours, based on the review notes received.

The auditor should perform the following tasks to issue the final report:

1.  Prepare a draft report.
2.  Have the draft reviewed, clearing all questions and comments.
3.  Mail the draft to the auditee for review and response development.
4.  If the responses are not received as scheduled, contact the auditee by telephone to determine when the responses can be expected.
5.  Evaluate the responses for adequacy; add them to the draft report; and review them with Internal Audit management as needed.
6.  Based on the preceding tasks, prepare a final report.

The auditor should complete the audit program and any other remaining pieces of the audit and submit the final workpapers for filing and appropriate retention.

Workpaper 13-1. Midrange Questionnaire (AS/400)

GENERIC DOMESTIC COMPANY
IT Internal Control Questionnaire
(AS/400 Version)
SEGMENT          ______________________
DIVISION          ______________________
CITY/STATE     ______________________

PREPARED BY DATE
_________________ _________________
_________________ _________________
_________________ _________________

INTRODUCTION

This questionnaire was developed to gather the basic data required to evaluate information systems internal controls. We appreciate your timely completion of this questionnaire. The time spent completing it will greatly reduce our on-site time interviewing people and documenting this information.

ASSUMPTIONS

1.  A “No” or “NA” does not automatically identify a problem.
2.  The “comments” sections provided at the end of a question, or group of questions, can be used for comments, explanations, or even questions to be followed up when we are on site.
3.  This is not a policy document. You should not interpret the questions as requiring compliance, unless the question references established policies within Generic Domestic Company.
