REVIEW OF QUESTIONNAIRE RESPONSES C-1.1

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I have reviewed the responses to the questionnaire section dealing with logical access controls. A copy of that section follows this working paper as 1.2. All of the items requiring further discussion, investigation, or other follow-up are described below, and referenced by the letter (and audit point reference where appropriate) shown in the left column.

| Reference | Audit Point | Description |
|---|---|---|
|  |  |  |
|  |  |  |
|  |  |  |

VENDOR SUPPLIED PASSWORDS C-2

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I tested whether the vendor-supplied profiles and passwords have been changed since the system was implemented. The ones identified and tested are shown below:

VP1 not/successful
VP2 not/successful
VP3 not/successful
VP4 not/successful

No further procedures were deemed necessary.

PASSWORD SYNTAX TESTING C-3

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I have tested the following password control parameters:

• Periodic required changes: System parameters indicate changes are due at least every XX days.
• Minimum password length: Using the XXX sign-on, I attempted to set a password shorter than the indicated minimum length of XX characters and was (not) successful.
• Maximum password length: Using the XXX sign-on, I attempted to set a password longer than the indicated maximum length of XX characters and was (not) successful.
• Maximum attempts: Using the XXX sign-on, I attempted to sign on with the indicated password more than the XX maximum attempts indicated in the internal control questionnaire and was not successful.

No further procedures were deemed necessary.

USER PROFILE MANAGEMENT C-4

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I selected a random sample of ten user profiles from the population of all system users to validate the profile management procedures at this location. The profiles selected and the testing results are summarized in the table below:

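| User profile | Name | Authorization form was present | Authorization form was approved |
|---|---|---|---|
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |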

No exceptions were noted. No further procedures were deemed necessary.

USER PROFILE REVIEW C-5

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____


Note:  Update as needed.

SUMMARY LISTING

I have reviewed the user profile summary listing which follows as C-5.1 for consistency in the setup of user profiles. All profiles were scanned, and no unusual items were noted.

PREVIOUS SIGN-ON DATE

I obtained the listing of users by previous sign-on date that is enclosed as working paper C-5.2.2. An aging by date has been summarized on working paper C-5.2.1. My opinion is that the user base is (not) being kept relatively current, and will keep the related audit point, C 12, to the exit meeting only.

LAST PASSWORD CHANGE DATE

I obtained the listing of users by last password change date to use as support for the results of the C-5.2 work that was done. There should be a high degree of consistency in the aging of the two reports. Based on the listing (C-5.3.2) and the summary (C-5.3.1), the results are consistent, and no further work was performed.
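The aging comparison described under PREVIOUS SIGN-ON DATE and LAST PASSWORD CHANGE DATE can be scripted when both listings are available as data. The following is an added example, not part of the original working papers; the field names, the aging bands, and the sample listing are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Assumed aging bands in days; the working paper does not prescribe any.
BANDS = [(30, "0-30"), (90, "31-90"), (180, "91-180")]
OLDEST = "181+"
NEVER = "never"

def band(event_date, as_of):
    """Return the aging band for a date, or NEVER when the date is missing."""
    if event_date is None:
        return NEVER
    days = (as_of - event_date).days
    for limit, label in BANDS:
        if days <= limit:
            return label
    return OLDEST

def aging_summary(users, field, as_of):
    """Count profiles per band for one date field (a C-5.2.1 / C-5.3.1 style summary)."""
    return Counter(band(u[field], as_of) for u in users)

def compare_agings(users, as_of):
    """Return (share of profiles in the same band on both listings, mismatched profiles)."""
    mismatched = [
        u["profile"] for u in users
        if band(u["prev_signon"], as_of) != band(u["pwd_changed"], as_of)
    ]
    consistency = 1 - len(mismatched) / len(users)
    return consistency, mismatched

# Constructed sample listing; profile names and dates are illustrative only.
SAMPLE = [
    {"profile": "USRA", "prev_signon": date(1996, 6, 20), "pwd_changed": date(1996, 6, 10)},
    {"profile": "USRB", "prev_signon": date(1996, 5, 2), "pwd_changed": date(1996, 4, 15)},
    {"profile": "USRC", "prev_signon": date(1995, 11, 3), "pwd_changed": date(1995, 10, 30)},
    {"profile": "USRD", "prev_signon": date(1996, 6, 25), "pwd_changed": date(1995, 9, 1)},
    {"profile": "USRE", "prev_signon": None, "pwd_changed": date(1995, 8, 14)},
]
AS_OF = date(1996, 6, 30)

if __name__ == "__main__":
    print(dict(aging_summary(SAMPLE, "prev_signon", AS_OF)))
    print(dict(aging_summary(SAMPLE, "pwd_changed", AS_OF)))
    print(compare_agings(SAMPLE, AS_OF))
```

In the sample, USRD signs on regularly but has an old password, and USRE has never signed on; both are the kind of mismatch between the two agings that warrants follow-up.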

USERS WITH EXPIRED PASSWORDS

I have reviewed the appropriate listing that is included in the working papers as C-5.4, noting that there are no users with expired passwords. Based on that information, the summary worksheet for this subsection was not prepared.

COMPARISON OF RESPONSES TO THE SYSTEM VALUES LISTING C-6.1

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I have highlighted the appropriate system values on the attached copy of the system values listing, taken from the original that is included in the carryforward working papers as CF-30. Those highlighted items were compared to the questionnaire excerpt included as C-1.2 noting no exceptions. No further procedures were performed.

REVIEW OF SECURITY ITEMS IN THE HISTORY LOG C-7.1

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I have reviewed the enclosed extract from the system history log. Based on my review of those items, I noted the following:

OTHER PROCEDURES C-99

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

SUMMARY MEMO—LOGICAL ACCESS CONTROLS C-Memo

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____


Note:  Update as needed.

OBJECTIVES

The objectives in this area were to:

• Ensure that only authorized users can access the systems
• Ensure that users are encouraged to reasonably manage their own passwords
• Ensure that users are restricted to only those items they require access to

CONCLUSION

Based on the work done in this area, my opinion is that the controls over logical access to system programs and data ____.

FINDINGS

The conclusion(s) above were made considering the following specific findings:

  
  
  

