Fieldwork
AUDIT OBJECTIVES
Source: www.knowledgeleader.com 1
Time Project Work Step Initial Index
COMPUTER OPERATIONS
JOB SCHEDULING
Obtain an understanding of job scheduling procedures and
processes; determine whether an automated scheduler is used
and how it functions.
If an automated scheduler is used, inquire about:
Whether it is purchased or is an in-house set of routines
Which jobs run and when
Security interface with the AS/400
Access mode and security policy
Violation logs produced
Procedures to add a job or to remove a job from the
schedule
Inquire as to review and control techniques over jobs:
Review of successful/unsuccessful jobs
Procedures to resolve unsuccessful jobs
Testing
For both an in-house and external job scheduler, review access
over objects containing:
The job schedule
Critical commands affecting jobs
The scheduler security file
Use the following command:
DSPOBJAUT OBJ(library name) OBJTYPE(*LIB) OUTPUT(*PRINT)
Obtain and review the latest job schedule.
COMMANDS
Inquire as to whether in-house commands have been developed. If
so, determine their purpose.
Testing
Review access to the following standard commands using the
DSPOBJAUT command:
DFU
SEU
QUERY
These commands allow direct access to data and programs;
however, they can only be accessed by users whose access to
the operating system is not restricted.
Review which users have the ability to create commands by
displaying the object authority (DSPOBJAUT) over the library
which contains them: Library CRTCMD.
Note that *ALL.CRTCMD can be used to identify the
specific library above.
Review which users have access to the power down system
(PWRDWNSYS) command using DSPOBJAUT.
Visit the computer room and complete the data center control
checklist; identify only significant weaknesses and exposures which
increase the risk of failure.
BACKUPS
Obtain an understanding of backup procedures in terms of
frequency and storage for:
Data and programs
Operating system (SAVSYS command which is now
SAVSTG on the newer OS/400)
Offsite storage
Contingency planning procedures
System and application documentation
Inquire as to whether the security data is regularly saved using
the SAVSECDTA command.
Inquire about backup inventory tracking procedures and obtain
the latest inventory list if available.
If backups are stored offsite, inquire about which individuals have
access to them as well as access procedures. Inquire as to the
last date of visit to the offsite storage location to verify controls.
CONTINGENCY PLANNING
Inquire as to the existence and use of formal recovery and restart
procedures. Inquire and discuss whether they are regularly tested and
used.
Inquire about the existence of a formal contingency plan. If such
a plan exists, inquire about:
Procedures for its preparation and maintenance
Testing frequency and schedule
Major problems encountered to date
Obtain a copy of the plan and review it for completeness (do not
perform a detailed review).
SECURITY
SECURITY ADMINISTRATION
LOGICAL SECURITY
1 limited session
Inquire as to whether the limited capability value has been set to YES
for all users (ability to change the initial program).
Use the CHKLMTCPB command in the QUSRTOOL library to
determine which users have the LMTCPB parameter set to NO
(unless the user profile test has been performed).
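The same LMTCPB check can also be run as a query. This is an added example, not part of the original work program; it swaps CHKLMTCPB for the QSYS2.USER_INFO SQL view and so assumes a current IBM i release where that view is available and an auditor profile authorized to read it.

```sql
-- Added example: list every profile whose limit-capabilities value is not *YES,
-- i.e. the exceptions to the "LMTCPB = YES for all users" expectation above.
-- Assumption: QSYS2.USER_INFO is available on the system under review.
SELECT
    AUTHORIZATION_NAME                        AS user_profile,
    STATUS                                    AS profile_status,
    USER_CLASS_NAME                           AS user_class,
    LIMIT_CAPABILITIES                        AS lmtcpb,
    INITIAL_PROGRAM_LIBRARY_NAME              AS inl_pgm_library,
    INITIAL_PROGRAM_NAME                      AS inl_pgm,
    COALESCE(SPECIAL_AUTHORITIES, '*NONE')    AS special_authorities,
    -- Review priority: enabled profiles that can change their initial
    -- program come first, then partially limited ones, then disabled ones.
    CASE
        WHEN STATUS = '*ENABLED' AND LIMIT_CAPABILITIES = '*NO'      THEN 1
        WHEN STATUS = '*ENABLED' AND LIMIT_CAPABILITIES = '*PARTIAL' THEN 2
        ELSE 3
    END                                       AS review_priority
FROM QSYS2.USER_INFO
WHERE LIMIT_CAPABILITIES <> '*YES'
ORDER BY review_priority, user_profile;
```

Each row returned is a profile to justify with the security administrator or report as an exception; an empty result means every profile has LMTCPB set to *YES.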
Determine the type of files with PUBLIC access and the users listed
under PUBLIC by issuing the following commands:
DSPUSRPRF USRPRF(PUBLIC) TYPE(*GRPMBR) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(PUBLIC) TYPE(*ALL) OUTPUT(*PRINT)