The personal computer, originally known as the microcomputer, was the third generation of business computers. The original microcomputers were command-driven and appeared to be operated much as the system operators ran the networks. The difference was that, where the network could simultaneously support thousands of users, the microcomputer's resources were completely dedicated to one user and, for years, to only one application at a time.
Microcomputers only supported business needs in the beginning by doubling as a network or minicomputer terminal. Later, new technologies were developed that permitted microcomputers to be linked together, with the idea that their combined capabilities could offer an alternative to midrange computers, although they were not considered alternatives to networks until more recently.
A significant change from the midrange and network environment is that no effective security functionality has been available for the microcomputer, because it continues to be designed to support the individual user, and the security of a single power-up password was deemed sufficient for most cases. Network software providing the connectivity between microcomputers adds certain security functionality, helping to make the network an acceptable business tool.
The IT auditor faces a less technical challenge when auditing the local area network and its network software, although developing alternatives for effective control mechanisms requires creativity and a complete understanding of compensating and mitigating controls in the end-user areas.
Change management becomes an even more critical control problem in a local area network setting. These environments are likely to have very small staffs, with an almost nonexistent segregation of duties, which can only be compensated for with proper end-user procedures.
The audit process follows the same three steps that were followed in both the network and midrange environments: planning, fieldwork, and finalization.
The IT auditor should always begin with planning and should be careful to put the proper effort into planning every audit, even if the auditor has performed the same basic review many times in the past. Every audit may be different, and failing to allocate to each audit assignment the appropriate amount of planning time can lead to unreliable audit results.
The IT auditor should make initial contact with the auditee by phone if possible, because it is less formal than sending a letter or even a note by electronic mail. Once the audit timing or scope is committed to paper, even as a draft, it can create subsequent problems for the IT auditor. The auditor should begin by communicating the areas to be reviewed, which can include all or a portion of the following:
The auditor should initially contact the head of the IT department, unless it has previously been agreed that contact at a lower level is more appropriate. In the latter instance, it is appropriate to copy the head IT person once the scope and schedule of the audit have been determined. The network environment is likely to require 3 to 10 days of effort, up to a maximum that is limited only by the auditor's decision to discontinue detailed testing.
The network environment is not likely to have more than a single manager, so little time should be lost to coordination. The IT auditor should send a letter confirming the planning details. This letter should be made available to the field auditors at least two weeks in advance of fieldwork so that any questions or comments can be communicated, researched, and resolved before starting fieldwork.
The auditor should complete the following procedures while still in the office before initiating fieldwork procedures:
Fieldwork will almost always be done at one time. The IT auditor must take the time to ensure that there is a workable schedule and that all involved parties are aware of it, particularly given the limited time available. The general items that should be completed in the field that do not relate to any of the specific areas are:
The IT auditor should be ready to begin specific detailed audit procedures once the planning and the general office procedures have been covered. The audit tasks are discussed in the subsequent sections, followed by the estimated time to complete and additional comments if necessary.
The IT administration section has eight tasks, which should take between two and four hours to complete, exclusive of testing.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the IT administration portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that require additional investigation or follow-up. The estimated time to complete this procedure is one hour. The network audit may be the least predictable in terms of which controls are possible, making general estimates of the potential effort equally unpredictable.
Task 2: Review the Organization Chart. The IT auditor should obtain a copy of the top-level organization chart and review the placement of IT in the organization in terms of its overall effectiveness. The estimated time to complete this task is 15 minutes.