The first business computers were all mainframe computers. Mainframe computers were easily recognized because they filled large rooms if not entire buildings, and the personnel to support them could require twice the space of the system itself. At that time, the IT auditor had a very daunting task when attempting to assess the controls present in that environment.
The difficulty was driven by the technical understanding required to do the work, and the fact that controlling what happened in the computer was very closely tied to evaluating the personnel having access to the system. Physical access security was the primary audit concern because it was the foundation on which processing and other controls were built.
This is no longer true, because logical access security has replaced physical access security as the cornerstone on which other mainframe controls are built. In the past, anyone wanting to run programs or access data needed access to the data center and the tape library. Today's online interactive environments provide both program and data access from any workstation connected to the physical computer. The audit process, or at least one alternative approach to it, can be described in three steps: planning, fieldwork, and finalization.
This process is supported by a comprehensive set of fully articulated working papers:
The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if he or she has performed the same basic review many times in the past. Every audit may be different, and failing to allocate to each audit assignment the appropriate amount of planning time can lead to unreliable audit results.
The IT auditor should make initial contact with the auditee by phone if possible, because it is less formal than sending a letter or even a note by electronic mail. Once the audit timing or scope is committed to paper, even as a draft, it can create subsequent problems for the systems auditor. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:
The auditor should contact the head of the IT department initially, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter instance, it is appropriate to copy the head of IT once the scope and schedule of the audit have been determined. The mainframe environment is likely to require at least several work weeks of effort, up to a maximum that is limited only by the auditor's decision to discontinue detailed testing.
The mainframe environment is also likely to contain subfunctions reporting to different managers, so that the IT auditor has to coordinate the review with each of the affected managers. The auditor may have to contact each manager individually to complete the audit planning process if the primary contact is unable to perform the necessary coordination tasks.
The IT auditor should send a letter to each manager or designated contact to confirm the planning details. This letter should be made available to the audit field personnel at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before starting fieldwork.
The IT auditor should complete the following procedures while still in the office before initiating fieldwork procedures:
Fieldwork may be done in one continuous sequence or be completed over multiple visits. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it. The general items that should be completed in the field that do not relate to any of the specific areas are:
The IT auditor should be ready to begin specific detailed audit procedures once the planning and the general office procedures have been covered. The audit tasks are discussed in the subsequent sections followed by the estimated time to complete and additional comments if necessary.