

Section 12
Auditing the Mainframe

The first business computers were all mainframe computers. Mainframe computers were easily recognized because they filled large rooms if not entire buildings, and the personnel to support them could require twice the space of the system itself. At that time, the IT auditor had a very daunting task when attempting to assess the controls present in that environment.

The difficulty came from the technical understanding required to do the work, and from the fact that controlling what happened inside the computer was very closely tied to controlling which personnel could reach the system. Physical access security was therefore the primary audit concern, because it was the foundation on which processing and all other controls were built.

This is no longer true. Logical access security has replaced physical access security as the cornerstone on which the other controls in the mainframe environment depend. In the past, anyone wanting to run programs or access data needed access to the data center and the tape library. Today's online interactive environments provide both program and data access from any terminal or workstation with a connection to the system, so the controls the auditor must evaluate first are the ones that govern who may log on and what each user ID is permitted to read, update, or execute once connected. The audit process, or at least one alternative approach to it, can be described in three steps: planning, fieldwork, and finalization.

This process is supported by a comprehensive set of fully articulated working papers:

  Data Processing Control Environment Questionnaire (Workpaper 12-1). This general controls self-assessment questionnaire is designed to be completed by the auditee and reviewed by the IT auditor.
  General Controls Audit Program (Workpaper 12-2). This audit program is closely aligned with the self-assessment questionnaire to increase the effectiveness of the standard program. Where practical, the audit program includes references to a standard workpaper set.
  General Controls Workpapers (Workpaper 12-3). This complete workpaper set is designed to optimize auditor productivity by laying out the workpapers normally required for an audit, supplying an appropriate workpaper header to eliminate the need to prepare all of them separately, and supplying basic text and formatting on the individual workpapers to facilitate their completion.

PLANNING THE AUDIT

The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if he or she has performed the same basic review many times in the past. Every audit may be different, and failing to allocate to each audit assignment the appropriate amount of planning time can lead to unreliable audit results.

Contacting the Auditee

The IT auditor should make initial contact with the auditee by phone if possible, because a call is less formal than a letter or even an electronic mail note. Once the audit timing or scope has been committed to paper, even as a draft, it can create subsequent problems for the systems auditor if it has to change. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:

  IT administration
  Physical security
  Logical security
  Operations
  Backup and recovery
  Systems development

The auditor should contact the head of the IT department initially, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter case, the head of IT should be copied once the scope and schedule of the audit have been determined. A mainframe review is likely to require at least several work weeks of effort; the upper limit is set only by the auditor's decision on when to discontinue detailed testing.

The mainframe environment is also likely to contain subfunctions reporting to different managers, so that the IT auditor has to coordinate the review with each of the affected managers. The auditor may have to contact each manager individually to complete the audit planning process if the primary contact is unable to perform the necessary coordination tasks.

The IT auditor should send a letter to each manager or designated contact to confirm the planning details. This letter should be made available to the audit field personnel at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before starting fieldwork.

Preliminary Office Planning Before Fieldwork

The IT auditor should complete the following procedures while still in the office before initiating fieldwork procedures:

  Prepare an audit planning memo, including these elements:
—Location background
—Prior audit scope and results
—Detailed list of prior recommendations
—Current planned scope and timing
—Planned staffing
—Time budgets
  Define the specific audit program based on the standard program, the intended objectives based on the audit department’s planning and selection of the audit, and the planning conversations held with location personnel.
  Send out the Data Processing Control Environment Questionnaire (Workpaper 12-1), specifying a completion date that allows time for it to be returned and reviewed before fieldwork. (If a questionnaire from a previous audit exists, and it is not materially different from the questionnaire currently in use, copy it and have the location personnel update the previous form.)
  Obtain prior audit reports related to this location and place a copy in the workpapers.
  Review past audit files for permanent and carry-forward information, and incorporate any previous findings into the current workpapers.
  Set up any necessary files on the personal computer or laptop that will facilitate the performance of fieldwork.

PERFORMING FIELDWORK PROCEDURES

Fieldwork may be done in one continuous sequence or completed over multiple visits. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it. The general items that should be completed in the field, and that do not relate to any one of the specific audit areas, are:

  Conduct an entrance conference and document the results of that meeting. It may be necessary to have multiple meetings in a mainframe review, based on audit areas, physical locations, and other considerations.
  Prepare a list of all issues from the prior audit and determine the current status of each item by contacting the appropriate personnel, performing detailed procedures where necessary. Document the current status of those items in the workpapers. The effort required for this step depends less on the environment than on the nature and extent of the prior audit recommendations.
  Take a plant tour, noting any unusual items or observations. This gives the IT auditor an opportunity to become acquainted with the business and to gain some indirect information about how that particular business or location is operating, which may be useful when the auditor is evaluating potential recommendations and their cost/benefit considerations. The tour, observations, and other items that the auditor deems important should be documented in the workpapers.

AUDITING SPECIFIC PROCEDURES BY AUDIT AREA

The IT auditor should be ready to begin the specific detailed audit procedures once the planning and the general office procedures have been completed. Each audit task is discussed in the following sections, followed by an estimated time to complete and, where necessary, additional comments.

