

Section 14
Auditing the Network

The personal computer, originally known as the microcomputer, was the third generation of business computers. The original microcomputers were command-driven and were operated much as system operators ran the networks. The difference was that where the network could simultaneously support thousands of users, the microcomputer's resources were completely dedicated to one user, and for years to only one application at a time.

Microcomputers only supported business needs in the beginning by doubling as a network or minicomputer terminal. Later, new technologies were developed that permitted microcomputers to be linked together, with the idea that their combined capabilities could offer an alternative to midrange computers, although they were not considered alternatives to networks until more recently.

A significant change from the midrange and network environment is that no effective security functionality has been available for the microcomputer because it continues to be designed to support the individual user, and the security of having a single power-up password was deemed to be sufficient for most cases. Network software providing the connectivity between microcomputers adds certain security functionality, helping to make the network an acceptable business tool.

The IT auditor has a less technical challenge when auditing the local area network and network software, although the development of alternatives for effective control mechanisms requires creativity and a complete understanding of compensating and mitigating controls in the end-user areas.

Change management becomes an even more critical control problem in a local area network setting. These environments are likely to have very small staffs, with an almost nonexistent segregation of duties, which can only be compensated for with proper end-user procedures.

The audit process follows the same three steps that were followed in both the network and midrange environments: planning, fieldwork, and finalization.

PLANNING THE AUDIT

The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if the auditor has performed the same basic review many times in the past. Every audit may be different, and failing to allocate to each audit assignment the appropriate amount of planning time can lead to unreliable audit results.

Contacting the Auditee

The IT auditor should make initial contact with the auditee by phone if possible, because it is less formal than sending a letter or even a note by electronic mail. Once the audit timing or scope is committed to paper, even as a draft, it can create subsequent problems for the IT auditor. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:

  IT administration
  Physical security
  Logical security
  Operations
  Backup and recovery
  Systems development

The auditor should contact the head of the IT department initially, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter instance, it is appropriate to copy the head IT person once the scope and schedule of the audit have been determined. The network environment is likely to require 3 to 10 days of effort, to a maximum that is limited only by the auditor's decision to discontinue detailed testing.

The network environment is not likely to have more than a single manager, so little time should be lost to coordination. The IT auditor should send a letter confirming the planning details. This letter should be made available to the field auditors at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before starting fieldwork.

Preliminary Office Planning Before Fieldwork

The auditor should complete the following procedures while still in the office before initiating fieldwork procedures:

  Prepare an audit planning memo, including these elements:
—Location background
—Prior audit scope and results
—Detailed list of prior recommendations
—Current planned scope and timing
—Planned staffing
—Time budgets
  Define the specific audit program based on the standard program, the intended objectives based on the audit department’s planning and selection of the audit, and the planning conversations held with location personnel.
  Send out the Information Technology Internal Control Questionnaire (Workpaper III-14-1), specifying a date for its completion that will permit time for it to be returned and reviewed before fieldwork. (If there is a questionnaire from a previous audit, and if it is not materially different from the questionnaire currently in use, copy it and have the location personnel update the previous form.)
  Obtain prior audit reports related to this location and place a copy in the workpapers.
  Review past audit files for permanent and carry-forward information, and incorporate any previous findings into the current workpapers.
  Set up any necessary files on the personal computer or laptop that will facilitate the performance of fieldwork.

PERFORMING FIELDWORK PROCEDURES

Fieldwork will almost always be done at one time. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it, particularly with the limited available time. The general items that should be completed in the field that do not relate to any of the specific areas are:

  Conduct an entrance conference and document the results of that meeting.
  Prepare a list of all issues from the prior audit and determine the current status of those items by contacting the appropriate personnel, performing detailed procedures if necessary. Document the current status of those items in the workpapers. The auditor’s effort to complete this step is not related to the environment as much as it is to the nature and extent of prior audit recommendations.
  Take a plant tour, noting any unusual items or observations. This gives the IT auditor an opportunity to become acquainted with the business and to gain some indirect information about how that particular business or location is operating, which may be useful when the auditor is evaluating potential recommendations and their cost/benefit considerations. The tour, observations, and other items that the auditor deems important should be documented in the workpapers.

AUDITING SPECIFIC PROCEDURES BY AUDIT AREA

The IT auditor should be ready to begin specific detailed audit procedures once the planning and the general office procedures have been covered. The audit tasks are discussed in the subsequent sections, followed by the estimated time to complete and additional comments if necessary.

IT Administration

The IT administration area has eight tasks and should take between two and four hours to complete, exclusive of testing.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow-up. The estimated time is one hour to complete this procedure. The network audit may be the least predictable in terms of which controls are possible, making general estimates of the potential effort equally unpredictable.

Task 2: Review the Organization Chart. The IT auditor should obtain a copy of the top-level organization chart and review the placement of IT in the organization in terms of its overall effectiveness. The estimated time to complete this task is 15 minutes.

