Task 3: Evaluate the Long-Range IT Plan. The IT auditor should obtain the long-range IT plan and evaluate whether it supports business objectives, is consistent with the business plan, is likely to meet management’s objectives, and has been properly developed in terms of scope, detail, quantitative analysis, and responsibility. The time estimate to complete this review is less than one hour.

Task 4: Audit Expense and Budget Statements. The IT auditor should obtain and review appropriate expense and budget statements, paying particular attention to significant fluctuations between periods or any unusual items. The time estimated to complete this area is less than two hours.

Task 5: Examine Job Descriptions. The IT auditor should obtain and evaluate the IT department’s job descriptions based on the business structure and observed regular responsibilities. The time estimate for this is one hour or less.

Task 6: Review and Evaluate the IT Standards Manual. The IT auditor should obtain and evaluate the IT standards manual in terms of scope, timeliness, and general qualitative usefulness. The standards manual is less important in network environments because consistency across the staff is probably not an issue. Its importance in this setting lies in its ability to perpetuate approaches and standards. The estimated time to complete this portion of the review is less than two hours.

Task 7: Perform a Complete Inventory of All IT-Related Hardware. The IT auditor should obtain a complete inventory of all IT-related hardware used at the audited location, and this inventory should be included in the permanent workpapers. The inventory should be tested using a judgmental sample in both directions: from the inventory to the actual hardware, and from selected hardware back to the inventory. This procedure should take no more than one hour, including the preparation of the workpapers.

Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the IT Administration area, all potential findings, and any other information deemed important. This task should take less than one hour to complete, as will all of the remaining tasks, unless otherwise indicated.

Physical Security

The review of physical security has five tasks and should take less than one hour to complete.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the physical security portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up.

Task 2: Test to Ensure that All Security Features Are Operational. The IT auditor should test the procedures identified in task 1 to ensure that all of the appropriate security features are in place and functioning.

Task 3: Review Physical Security Layout of Data Center. The IT auditor should obtain a layout diagram of the data center, review it for completeness and accuracy, and ensure that it identifies all key security features.

Task 4: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and results of the other audit procedures performed. The time required for this task cannot be estimated until the auditor reviews his or her findings over the course of the fieldwork.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the physical security area, including any potential findings and any other information deemed important.

Logical Security

The review of logical security has eight tasks.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up.

Task 2: Audit the List of Logical Security Values Obtained from the System and Security Software. The IT auditor should, if possible, obtain the list of the logical security values from the system and security software and trace the values from the questionnaire to the list. Any differences should be noted and followed up to determine what the correct value should be and why the difference between the document and the list exists.

Task 3: Identify All Standard Security Profiles Supplied with the System and Security Package. The IT auditor should determine if there are any standard security profiles supplied with the system and security package. There is a risk that, if these are not reset, anyone familiar with the system will be able to use one of these standard profiles to access the system and potentially perform unauthorized activities. The auditor should attempt to log onto the system using the standard profiles to ensure that the profiles were reset.

Task 4: Test Password Controls. The IT auditor should also test other password controls to the extent possible to evaluate their functioning. The results of these tests should be documented in the workpapers.

Task 5: Identify and Document Access Privileges. The IT auditor should ascertain the details of how persons within the enterprise are granted access to the system. That process should be documented if that information is not already documented. The process of granting access should then be tested by selecting a judgmental sample of users from the system and a similar sample of users from the files, and by confirming that the documents authorizing their access are present and properly completed.

Task 6: Test User Profiles. The IT auditor should select a cross-sample of user profiles on the system and review them for consistency in the way that they are set up and authorized to use the system; any special capabilities given; and exceptions to established password management rules. The results of this review should be documented in the workpapers.
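The reconciliation work in Tasks 2, 3 and 6 above can be scripted once the questionnaire answers and the system’s security values and user profile export are in hand. The following is an added example, not from the book: it compares documented values with actual values (Task 2), lists vendor-supplied standard profiles that are still enabled (Task 3), and flags enabled profiles that break the password rules or carry special capabilities (Task 6). All account names, attribute names and values are constructed for illustration.

```python
# Added example: auditor's reconciliation of questionnaire answers against
# system exports. Every value below is constructed sample data.

# Task 2: security values as answered on the questionnaire ...
QUESTIONNAIRE = {"min_password_length": 8, "max_password_age_days": 90,
                 "lockout_threshold": 5}
# ... and the same values as exported from the security software.
SYSTEM_VALUES = {"min_password_length": 6, "max_password_age_days": 90,
                 "lockout_threshold": 5}

# Task 3: standard profiles shipped with the package (assumed names).
STANDARD_PROFILES = {"guest", "operator", "install"}

# Task 6: user profile export (constructed; field names are assumptions).
USER_PROFILES = [
    {"name": "jsmith",   "enabled": True,  "pw_age_days": 30,
     "pw_never_expires": False, "special": []},
    {"name": "guest",    "enabled": True,  "pw_age_days": 400,
     "pw_never_expires": False, "special": []},
    {"name": "batch01",  "enabled": True,  "pw_age_days": 200,
     "pw_never_expires": True,  "special": ["ALL_OBJECT"]},
    {"name": "operator", "enabled": False, "pw_age_days": 0,
     "pw_never_expires": False, "special": []},
]

def reconcile_values(questionnaire, system):
    """Task 2: {key: (documented, actual)} for every value that differs."""
    return {k: (v, system.get(k))
            for k, v in questionnaire.items() if v != system.get(k)}

def enabled_standard_profiles(profiles, standard):
    """Task 3: standard profiles that were never disabled on the system."""
    return sorted(p["name"] for p in profiles
                  if p["enabled"] and p["name"] in standard)

def profile_exceptions(profiles, max_age):
    """Task 6: enabled profiles outside password rules or with special rights."""
    findings = []
    for p in profiles:
        if not p["enabled"]:
            continue                      # disabled profiles are out of scope
        if p["pw_never_expires"]:
            findings.append((p["name"], "password set to never expire"))
        elif p["pw_age_days"] > max_age:
            findings.append((p["name"],
                             f"password age {p['pw_age_days']}d exceeds {max_age}d"))
        if p["special"]:
            findings.append((p["name"],
                             "special capabilities: " + ",".join(p["special"])))
    return findings
```

Each list returned by these functions maps directly to a workpaper entry: a differing value to follow up, a standard profile to have reset, or a user profile exception to document.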

Task 7: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and results of the other audit procedures performed.

Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the logical security area, including any potential findings and any other information deemed important.
