

IT Administration

The IT administration has eight tasks and should take a minimum of four to a maximum of eight hours to complete, exclusive of testing.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward working papers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow-up. The estimated time is one to two hours to complete this procedure. The audit of the midrange environment should include a substantial portion of the controls covered in the questionnaire.

Task 2: Review the Organization Chart. The IT auditor should obtain a copy of the top-level organization chart and review the placement of IT in the organization in terms of its overall effectiveness. The estimated time to complete this task is 15 minutes.

Task 3: Evaluate the Long-Range IT Plan. The IT auditor should obtain the long-range IT plan and evaluate it in terms of supporting business objectives, its consistency with the business plan, the likelihood of meeting management’s objectives, and its being properly developed in terms of scope, detail, quantitative analysis, and responsibility. Partially depending on the extent of the plan, the time estimate to complete this review is one hour. The midrange environment should also be covered by a plan, because the investment in personnel, hardware, software, and other resources is still likely to be significant.

Task 4: Audit Expense and Budget Statements. The IT auditor should obtain and review appropriate expense and budget statements, paying particular attention to significant fluctuations between periods or any unusual items. The time estimated to complete this area is between one and two hours, based on the detail and extent of the budget and actual information.

Task 5: Examine Job Descriptions. The IT auditor should obtain and evaluate the IT department’s job descriptions based on the business structure and observed regular responsibilities. The time estimate for this is one hour or less, although more time may be needed if the auditor determines that the job descriptions are too general or are inconsistent with the responsibilities that IT personnel have been assigned.

Task 6: Review and Evaluate the IT Standards Manual. The IT auditor should obtain and evaluate the IT standards manual in terms of scope, timeliness, and general qualitative usefulness. The standards manual remains important even in a small installation: consistent practices have clear value, and any staff of two or more people will otherwise drift into their own ways of doing things. The estimated time to complete this step depends on the level of testing the IT auditor decides to perform, and could vary between 1 and 20 hours. If no manual is in place, the auditor should spend at least one hour to assess the need for a manual and to prepare the related recommendation with a sample document or, at least, a sample table of contents.

Task 7: Perform a Complete Inventory of All IT-Related Hardware. The IT auditor should obtain a complete inventory of all IT-related hardware used at the audited location, and this inventory should be included in the permanent working papers. The inventory should be tested using a judgmental sample in both directions: from the inventory to the actual hardware (does each sampled listed item physically exist where the inventory says it is?) and from selected hardware to the inventory (is each sampled device observed on the floor actually listed?). This procedure should take no more than one hour, including the preparation of the workpapers.

Task 8: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the IT administration area, all potential findings, and any other information deemed important. This task should take between one and two hours, depending on the extent and nature of the included items.

Physical Security

The review of physical security has five tasks. Adding the individual estimates for tasks 1, 2, 3, and 5 gives a minimum of roughly four hours; task 4 cannot be estimated in advance.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the physical security portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward working papers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow-up. The estimated time is two to four hours to complete this procedure. The midrange environment should include many of the controls covered in the questionnaire.

Task 2: Test to Ensure that All Security Features Are Operational. The IT auditor should test the procedures identified in task 1 to ensure that all of the appropriate security features are in place and functioning. This procedure should take between one and two hours to complete, depending on the extent of the testing required.

Task 3: Review Physical Security Layout of Data Center. The IT auditor should obtain a layout diagram of the data center, review it for completeness and accuracy, and ensure that it identifies all key security features. This task should take less than one hour.

Task 4: Determine Any Additional Audit Procedures. The IT auditor should consider the need for additional procedures based on his or her judgment, observations made during fieldwork, and results of the other audit procedures performed. The time required for this task cannot be estimated until the auditor reviews the actual findings.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the physical security area, including any potential findings and any other information deemed important. This task should take between one and two hours, depending on the extent and nature of the included items.

Logical Security

The review of logical security has eight tasks and should take a minimum of four hours to complete.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the logical security portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward working papers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time is one hour to complete this task. The midrange environment should include many of the controls covered in the questionnaire.

Task 2: Audit the List of Logical Security Values Obtained from the System and Security Software. The IT auditor should, if possible, obtain the list of the logical security values from the system and security software and trace the values from the questionnaire to the list. Any differences should be noted and followed up to determine what the correct value should be and why the difference between the document and the list exists. This task should take no longer than one hour.

Task 3: Identify All Standard Security Profiles Supplied with the System and Security Package. The IT auditor should determine if there are any standard security profiles supplied with the system and security package, that is, vendor-supplied profiles whose names and initial passwords are documented and therefore widely known. There is a risk that, if these are not reset, anyone familiar with the system will be able to use one of these standard profiles to access the system and potentially perform unauthorized activities. The auditor should attempt to log onto the system using the standard profiles and their supplied passwords to confirm that each profile has been reset or disabled. These attempts should be agreed with the system owner in advance and timed so that locking out a shared profile after repeated failures will not disrupt operations; each attempt and its result should be recorded in the working papers and, where the system logs sign-on attempts, reconciled against that log. This task should take no longer than one hour to complete.

Task 4: Test Password Controls. The IT auditor should also test other password controls (for example, minimum length, expiration, and lockout after repeated failed sign-ons) to the extent possible to evaluate their functioning, and should compare the values the system actually enforces against those stated in the questionnaire. The results of these tests should be documented in the working papers. This testing can normally be completed while sitting at a terminal and should take no longer than one hour.
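The following is an added example, not part of the original text, showing how the three terminal-side checks in tasks 2, 3, and 4 can be scripted once the questionnaire answers, the exported system security values, and the user-profile list are in hand. The security-value names, the standard profile names, the export layout, and the baseline thresholds are all constructed for illustration; a real midrange system uses its own names and export formats, and the "password equals profile name" field stands in for whatever default-password report the system provides.

```python
"""Helpers for the logical security tasks: Task 2 (trace questionnaire values
to exported system values), Task 3 (find standard profiles never reset) and
Task 4 (evaluate password controls against a baseline).

Added example, not from the original text. All names, values and export
layouts below are constructed for illustration.
"""

# --- Task 2: what management stated vs. what the system enforces -----------

# Constructed questionnaire answers (management's stated settings).
QUESTIONNAIRE = {
    "SECURITY_LEVEL": "40",
    "PASSWORD_MIN_LENGTH": "8",
    "PASSWORD_EXPIRATION_DAYS": "90",
    "MAX_SIGNON_ATTEMPTS": "3",
    "INACTIVITY_TIMEOUT_MIN": "30",
}

# Constructed list of security values as exported from the system.
SYSTEM_VALUES = {
    "SECURITY_LEVEL": "30",                # lower than the questionnaire claims
    "PASSWORD_MIN_LENGTH": "8",
    "PASSWORD_EXPIRATION_DAYS": "*NOMAX",  # constructed placeholder for "never expires"
    "MAX_SIGNON_ATTEMPTS": "3",
    # INACTIVITY_TIMEOUT_MIN is absent from the export entirely
}


def trace_values(questionnaire, system_values):
    """Return (name, claimed, actual) for every questionnaire value the export
    does not confirm. A value missing from the export is reported with
    actual=None so the auditor follows it up instead of treating it as a match."""
    exceptions = []
    for name, claimed in questionnaire.items():
        actual = system_values.get(name)
        if actual != claimed:
            exceptions.append((name, claimed, actual))
    return exceptions


# --- Task 3: standard profiles supplied with the system ---------------------

# Hypothetical names for profiles shipped with the system/security package.
STANDARD_PROFILES = {"SYSADM", "OPERATOR", "SERVICE", "GUEST"}

# Constructed profile export: (name, status, password_equals_profile_name).
# The third field stands in for the system's own default-password report.
PROFILE_EXPORT = [
    ("SYSADM", "ENABLED", True),
    ("OPERATOR", "ENABLED", False),
    ("SERVICE", "DISABLED", True),
    ("GUEST", "ENABLED", True),
    ("JSMITH", "ENABLED", False),
]


def unreset_standard_profiles(export, standard):
    """Return {profile: severity} for standard profiles still carrying their
    supplied password. Enabled profiles are the direct exposure the task
    describes; disabled ones are rated low but still need the password
    changed, because re-enabling the profile restores the exposure."""
    findings = {}
    for name, status, default_password in export:
        if name not in standard or not default_password:
            continue
        findings[name] = "high" if status == "ENABLED" else "low"
    return findings


# --- Task 4: password controls against the auditor's baseline --------------

# Constructed baseline: ("min", n) means the value must be at least n,
# ("max", n) means it must be at most n.
PASSWORD_BASELINE = {
    "PASSWORD_MIN_LENGTH": ("min", 8),
    "PASSWORD_EXPIRATION_DAYS": ("max", 90),
    "MAX_SIGNON_ATTEMPTS": ("max", 5),
}


def evaluate_password_controls(system_values, baseline):
    """Return {control: True/False}. A value that is missing or not numeric
    (such as the "never expires" placeholder) fails, because the control is
    then not enforced regardless of what the questionnaire states."""
    results = {}
    for name, (kind, limit) in baseline.items():
        try:
            value = int(system_values.get(name))
        except (TypeError, ValueError):
            results[name] = False
            continue
        results[name] = value >= limit if kind == "min" else value <= limit
    return results


if __name__ == "__main__":
    for item in trace_values(QUESTIONNAIRE, SYSTEM_VALUES):
        print("Task 2 exception: %s questionnaire=%r system=%r" % item)
    for name, sev in unreset_standard_profiles(PROFILE_EXPORT, STANDARD_PROFILES).items():
        print("Task 3 finding: %s still has its supplied password (%s)" % (name, sev))
    for name, ok in evaluate_password_controls(SYSTEM_VALUES, PASSWORD_BASELINE).items():
        print("Task 4 control %s: %s" % (name, "meets baseline" if ok else "FAILS"))
```

Each function returns its exceptions rather than printing them so the output can be pasted into the working papers as-is. Note that a value missing from the export is deliberately treated as an exception in both the Task 2 trace and the Task 4 evaluation: an unset control is the case the questionnaire is most likely to misstate.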

