The IT auditor in many organizations dedicates a certain amount of time to persuading members of the IT staff as to what constitutes adequate or minimum control in a particular situation. An example is the minimum length for passwords. The IT auditor is evaluating logical access controls and determines that end users can set a password as short as one character when they are prompted to change their password by the system. The IT auditor should conclude that a minimum length of one is not sufficient to limit the probability of someone else easily guessing an end user's password. The auditor then has to decide what minimum length is appropriate and subsequently persuade the IT staff of that requirement.
GENERIC DOMESTIC COMPANY FOR 199X AND 199Y

Request | User | Description | Est. Hours | Hours to Date | Hours to Complete
---|---|---|---|---|---
9Y-011 | Smith | Enhance credit module functionality to permit direct interface to external business rating services to increase the number of new customer transactions that can be handled interactively. | 250 | 130 | 200
9X-005 | Jones | Determine reason that general ledger journal entries set up as recurring entries are not included in automatic monthly close processing in subsequent months and make necessary corrections. | 75 | 20 | 35
9X-103 | Bruce | Modify the customer balance inquiry screen so that current balances in excess of established credit limits appear in red. | 16 | 0 | 16
9Y-051 | Ng | Modify the accounts receivable module so that pending orders reduce the available credit balance when entered instead of when shipped to prevent orders from being accepted that are actually over the customer's established limit. | 130 | 42 | 115
9Y-050 | Rand | Add another level of subtotals on the open accounts payable report so that the report includes grand totals, regional totals, customer totals, and customer/location totals. | 30 | 10 | 20
Most experienced IT auditors can describe the futility of these experiences because they will often attempt to be consistent between employer locations or even between employers, and those different groups often have their own opinions concerning what is necessary and what is effective. This does not mean that every situation will trigger a disagreement, but the issue of minimum password length selected for the example represents something that is truly opinion and not fact.
In most areas, company policy on a topic should eliminate the need to discuss alternatives and reach a consensus, because it represents the codification of senior executive management's opinion on a specific subject. And senior management's opinion should normally be adequate to create change at lower levels. If IT management adopts a security policy, for example, it can simplify the IT auditor's work by at least one order of magnitude.
The IT auditor can focus on reviewing the policy, making comments during policy development, or suggesting that IT management make changes to the policy during the next normal updating cycle. Working in this manner changes the IT auditor's fieldwork because much of the time that can be lost to working out basic control issues is recovered for more valuable activities. Control issues become a simple matter of compliance. Thus, the IT auditor has more time to focus on complex issues that have more potential to add value to the organization.
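The shift from arguing thresholds to testing compliance can be made concrete by codifying the policy and comparing observed settings against it. The following Python script is an added example, not code from the book; its policy values, unit names and observed settings are all constructed. It treats the minimum password length from the opening example as one control among several, reports a setting that was never collected as a finding rather than silently passing it, and bounds the lockout threshold from below because a value of 0 usually means the control is switched off, which a plain "at most 5" check would accept.

```python
"""Policy-as-code compliance check for logical access settings.

Constructed example (not from the book): POLICY codifies hypothetical
security-policy thresholds and OBSERVED holds made-up settings collected
from three operating units. evaluate() reports each deviation as a finding
so the auditor tests compliance instead of debating the threshold.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    unit: str
    control: str
    observed: Optional[Any]   # None when the setting was never collected
    required: str
    message: str


# Hypothetical codified policy. Each rule is (kind, bounds...):
#   "min"   -> observed >= bound
#   "max"   -> observed <= bound
#   "range" -> lo <= observed <= hi  (used where 0 means "control disabled")
POLICY: Dict[str, tuple] = {
    "password_min_length": ("min", 8),
    "password_max_age_days": ("max", 90),
    "password_history": ("min", 5),
    # A naive "max 5" would accept 0 failed attempts before lockout, which
    # on most systems means lockout is off. Bounding it to 1..5 catches that.
    "failed_logon_lockout_threshold": ("range", 1, 5),
}

# Constructed observations from three operating units (hypothetical names).
OBSERVED: Dict[str, Dict[str, int]] = {
    "Unit-A": {"password_min_length": 1, "password_max_age_days": 90,
               "password_history": 5, "failed_logon_lockout_threshold": 0},
    "Unit-B": {"password_min_length": 8, "password_max_age_days": 60,
               "password_history": 10, "failed_logon_lockout_threshold": 3},
    # Unit-C's extract is incomplete: two settings were never collected.
    "Unit-C": {"password_min_length": 6, "password_max_age_days": 180},
}


def describe(rule: tuple) -> str:
    """Human-readable form of a policy rule for the finding text."""
    kind = rule[0]
    if kind == "min":
        return f">= {rule[1]}"
    if kind == "max":
        return f"<= {rule[1]}"
    return f"between {rule[1]} and {rule[2]}"


def compliant(rule: tuple, value: int) -> bool:
    """True when an observed value satisfies the policy rule."""
    kind = rule[0]
    if kind == "min":
        return value >= rule[1]
    if kind == "max":
        return value <= rule[1]
    if kind == "range":
        return rule[1] <= value <= rule[2]
    raise ValueError(f"unknown rule kind {kind!r}")


def evaluate(policy: Dict[str, tuple],
             observed_by_unit: Dict[str, Dict[str, int]]) -> List[Finding]:
    """Compare every unit's settings with the policy and list deviations.

    A setting that was not collected is reported too: absence of evidence
    is not compliance, and the fieldwork gap must be closed before sign-off.
    """
    findings: List[Finding] = []
    for unit in sorted(observed_by_unit):
        settings = observed_by_unit[unit]
        for control, rule in policy.items():
            required = describe(rule)
            if control not in settings:
                findings.append(Finding(unit, control, None, required,
                                        "setting not collected; compliance cannot be asserted"))
            elif not compliant(rule, settings[control]):
                findings.append(Finding(unit, control, settings[control], required,
                                        "observed value violates policy"))
    return findings


def compliant_units(policy: Dict[str, tuple],
                    observed_by_unit: Dict[str, Dict[str, int]]) -> List[str]:
    """Names of the units that produced no findings at all."""
    flagged = {f.unit for f in evaluate(policy, observed_by_unit)}
    return [u for u in sorted(observed_by_unit) if u not in flagged]


if __name__ == "__main__":
    for f in evaluate(POLICY, OBSERVED):
        print(f"{f.unit}: {f.control} observed={f.observed} "
              f"required {f.required}: {f.message}")
```

With the constructed data, Unit-A is flagged for a one-character minimum length and a disabled lockout, Unit-C for a short minimum, a stale maximum age and two uncollected settings, and Unit-B passes. The point of the design is that every finding cites the policy clause it violates, so the conversation with IT staff is about compliance with an adopted policy rather than about the auditor's opinion.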
Exhibit 7-3 is a sample IT security policy, which is important for two reasons:
SPECIFIC SECURITY PROVISIONS

No. | Applicability | Provision
---|---|---
1 | - - - D | Unauthorized entry to the computer room shall be prevented by locks, automatic admission checking system, or guards. If the computer room is on the ground floor, the windows shall be of an unbreakable type, preferably also opaque and not possible to open.
2 | - B C D | Fire extinguishers of carbon dioxide or Halon gas shall be located in the computer room and in the adjacent room. Where applicable, the fire control organization should be consulted, and they should make periodic inspections.
The complete policy that the exhibit was taken from is included as Workpaper 7-1. This sample security policy was originally designed for a holding company with a large number of operating units and a variety of hardware platforms. Its basic structure has many elements in common with other organizations, even small ones, where it is more common to find independent personal computers, network or client/server installations, and a central transaction processing system. Even if the network or client/server is responsible for transaction processing, two distinct levels of controls should be considered.
The sample security policy incorporates the following critical elements.