The mainframe computer was simply too expensive for many companies, and they looked for solutions more consistent with their size. Vendors responded by developing scaled-down versions of the mainframe. Companies first saw the minicomputer, and later the microcomputer, both carefully named to indicate their relationship to the mainframe. These computers were designed for small companies that were not in the market for a mainframe but still wanted to gain the benefits of automation. Minicomputers, like IBM's System/32, differed from the mainframes of that era by fitting into a fraction of the space, with all of their components contained in as little as one piece of hardware.
Another significant change from the mainframe architecture was the bundling of operating system software components into a single offering. Mainframes had come with a base operating system only, requiring customers to purchase other components, such as security software, separately; on the minicomputer these previously separate components were bundled together.
Minicomputers clearly served a different market and could easily be outgrown, leading companies into the mainframe market. Technical advances significantly increased the capabilities of the minicomputer, and the name for these systems changed to midrange, which better describes their position between the mainframe and microcomputer markets.
The IT auditor has a less daunting task when auditing midrange computers, because experience with one midrange computer type can almost always be applied directly to another similar system; the software components are generally the same. The IT auditor still needs technical expertise, however, because the security and control capabilities of midrange systems, even those from a single manufacturer, can vary significantly.
Physical access security is still extremely important, but logical access security clearly becomes the more important element: midrange systems rely more directly on end users for data entry and maintenance, instead of having these functions performed centrally. The primary control problem in the midrange environment is change management, because midrange computers are often supported by small staffs that lack the number of personnel required for effective segregation of duties. The IT auditor must therefore treat compensating controls as a primary control mechanism, since end-user actions and responsibilities can offset the segregation weakness within the IT department.
The audit process can be described in three steps: planning, fieldwork, and finalization. Most, if not all, of the audit concerns, considerations, and tasks for the mainframe environment can be applied to the midrange environment.
The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if the auditor has performed the same basic review many times in the past. Every audit may be different, and failing to allocate the appropriate amount of planning time to each audit assignment can lead to unreliable audit results.
Contacting the Auditee
The IT auditor should make initial contact with the auditee by phone, if possible, because it is less formal than sending a letter or even a note by electronic mail. Once the audit timing or scope is committed to paper, even as a draft, it can create subsequent problems for the systems auditor. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:
The auditor should contact the head of the IT department initially, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter instance, it is appropriate to copy the head of IT once the scope and schedule of the audit have been determined. The midrange environment is likely to require at least one to three weeks of effort, up to a maximum limited only by the auditor's decision to discontinue testing.
The midrange environment is likely to contain subfunctions reporting to no more than two different managers, so the auditor has less coordinating to do. The IT auditor should send a letter to the primary director or manager to confirm the planning details. This letter should be made available to the field personnel at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before fieldwork starts.
Preliminary Office Planning Before Fieldwork
The IT auditor should complete the following procedures while still in the office before initiating fieldwork procedures:
Fieldwork is more likely to be done in one visit, or at most two. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it. The general items to be completed in the field that do not relate to any specific area are:
The IT auditor should be ready to begin specific detailed audit procedures once the planning and the general office procedures have been covered. The audit tasks are discussed in the subsequent sections, each followed by the estimated time to complete it and additional comments where necessary.