

Submitted to file,

__Auditor__

__Title____

WORKPAPER INDEX - PHYSICAL SECURITY B-Index

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

B-Memo Summary memo for this audit area
B-Point Audit point(s) for this audit area
B-1 Review of questionnaire responses
B-2 Physical security testing procedures
B-3
B-4
B-5
B-6
B-7
B-8
B-9
B-99 Other facility issues

REVIEW OF QUESTIONNAIRE RESPONSES B-1.1

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

I have reviewed the responses to the questionnaire section dealing with physical security. A copy of that section follows this working paper as 1.2. All of the items requiring further discussion, investigation, or other follow-up are described below, and referenced by the letter (and audit point reference where appropriate) shown in the left column.

Reference    Audit Point    Description

TESTING OF PHYSICAL SECURITY FEATURES B-2

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____


Note:  Review and update as needed based on work performed.

I have tested the following security features that were identified in the internal control questionnaire and identified on the data center diagram included in the carryforward workpapers. The results are summarized below:

Door locks: I tried 10 combinations on the lock, working with simple sequential combinations, the factory default combination, and other combinations I have seen used in the past. I was not successful in opening the door.
Fire extinguishers: I examined all of the extinguishers in the data center and the surrounding area, noting that all of them had the appropriate inspection cards attached, that all of them had a current inspection, and that all of the gauges were in the green.
Water detectors: I tested the water detectors by shorting one of them out with an insulated-handle screwdriver. (Note that the monitoring personnel were notified in advance, and that local management approved the testing before it was done. This also applies to tests of the other detector systems with an annunciation feature.)
Heat/smoke sensors: I tested these directly using the included test feature/by reviewing the testing documentation from the outside security service responsible for the system. All items functioned as expected.
Control panel: I checked the control panel using the test function button included in the system without exception. I also confirmed that a sensor activation will be shown on the monitoring panels with the guards and the third-party security service.

OTHER PROCEDURES B-99

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

SUMMARY MEMO - AREA B-Memo

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

OBJECTIVE

The objective in this area was to determine the adequacy of controls over physical security.

CONCLUSION

Based on the work done in this area, my opinion is that: the controls over the physical security of the installation __ protect the personnel and equipment from relevant local risks.

FINDINGS

The conclusion(s) above were made considering the following specific findings:

  
  
  

PROCEDURES

To satisfy the audit program the following procedures were done.

  The internal control questionnaire responses related to physical security were reviewed and discussed with appropriate personnel.
  Additional observations were made directly during the course of the audit.
  Limited testing of available security features was done while on-site.

Submitted to file,

__Auditor__

__Title___

WORKPAPER INDEX - LOGICAL SECURITY C-Index

Prepared by / date ___AUDITOR___ _96/month/day

Approved by / date _________ _96/____/____

C-Memo Summary memo for this audit area
C-Point Audit point(s) for this audit area
C-1 Review of internal control questionnaire responses
C-2 Testing of vendor-supplied profiles/passwords
C-3 Testing of password syntax and control parameters
C-4 Testing of user profile management procedures
C-5 Comparison of user profile setup
C-6 Comparison of questionnaire responses and the system value listing
C-7 Evaluation of security items from the system history log
C-8
C-9
C-99 Other logical access related procedures

