CONTENTS
CHAPTER 1. INTRODUCTION ... 1
CHAPTER 2. MANAGEMENT ... 4
CHAPTER 3. SYSTEM DEVELOPMENT LIFE CYCLE ... 10
CHAPTER 4. APPLICATION ... 50
CHAPTER 5. COMPUTER OPERATION ... 71
CHAPTER 6. SYSTEM MAINTENANCE ... 94
CHAPTER 7. LOCAL AREA NETWORK AND WIDE AREA NETWORK ... 120
CHAPTER 8. MICRO COMPUTER (PERSONAL COMPUTER) ... 124
CHAPTER 9. COMPUTER ASSISTED AUDIT SOFTWARE ... 127
Chapter 1. INTRODUCTION
Abstract
The controls an audit is concerned with: segregation of duties, authorisation, custody, recording, documentation, reconciliation, compliance with rules and regulations, effectiveness, efficiency, reliability, continuity and accuracy.
1. Segregation of duties.
The functions which, for a given transaction, should be separated include initiation, authorisation, execution, custody and recording. No one person should be responsible for both recording and processing a complete transaction.
3. Custody.
Custody of assets must be determined and assigned appropriately. The data owner is usually assigned to a particular user department, and duties should be specific and written. The owner of data is responsible for determining the authorised levels required to provide adequate security, while the Security Administrator is responsible for implementing and enforcing the security system.
4. Recording and documentation.
Records and documentation are kept for the processing of activities.
5. Reconciliation.
The reconciliation of data is the responsibility of the users.
7. Effectiveness.
Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
The effectiveness criterion of processes that plan or deliver solutions for business requirements will sometimes cover the criteria for availability, integrity and confidentiality; in practice, these have become business requirements. For example, the process "identify automated solutions" has to be effective in providing the availability, integrity and confidentiality requirements.
8. Efficiency.
Concerns the provision of information through the optimal use of resources.
9. Reliability.
Relates to the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities.
10. Confidentiality.
Concerns the protection of sensitive information from unauthorised disclosure.
11. Integrity.
Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
12. Availability.
Relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Chapter 2. Management
To ensure that computer policies and standards are established, documented and communicated to the management of user departments.
Planning
Short-term and long-term information technology plans exist, are current, and adequately address the overall enterprise.
Checkpoints exist to ensure that information technology objectives and long- and short-term plans continue to meet organisational objectives.
Reviews are conducted and sign-off is obtained from process owners and senior management for information technology plans.
The process used to update the information architecture model is based on long- and short-term plans, considers associated costs and risks, and ensures that senior management sign-off is obtained prior to making changes to the model.
Changes made to the information architecture model are reviewed to confirm that they reflect those in the information technology long- and short-term plans and that associated costs and risks are identified.
Changes made to the technological infrastructure plan are reviewed to identify associated costs and risks and to confirm that they reflect the changes in the information technology long-term and short-term plans.
A methodology is in place to formulate and modify the plans and, at a minimum, they cover:
- organisation mission and goals
- information technology initiatives to support the organisation mission and goals
- opportunities for information technology initiatives
- feasibility studies of information technology initiatives
- risk assessments of information technology initiatives
- optimal investment of current and future information technology investments
- re-engineering of information technology initiatives to reflect changes in the organisation's mission and goals
- access to sensitive data requires explicit access levels, and data is only provided on a "need to know" basis
The information services function's policies and procedures address the need to evaluate and monitor current and future technology trends and regulatory conditions, and ensure that these are taken into consideration during the development and maintenance of the technological infrastructure plan.
Organisation structure
Organisational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, in- and out-sourcing, etc. are taken into account and adequately addressed in the planning process.
Access permitted is consistent with the security levels defined in the information services function's policies and procedures, and appropriate authorisation was obtained for the access in place.
Processes are in place to increase awareness, understanding and skill in identifying and resolving information management issues.
Regular campaigns exist to increase internal control and security awareness and discipline.
The information security officer's understanding of the office's roles and responsibilities is adequate and is demonstrated to be consistent with the organisation's information security policy.
The organisation's security policy clearly defines responsibilities for information security that each information asset owner (e.g., users, management, and security
Segregation of duties exists between the following pairs of units:
- systems development and maintenance
- systems development and operations
- systems development/maintenance and information security
- operations and data control
- operations and users
- operations and information security
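As an added example (not part of the original text), a small Python check that applies the conflicting unit pairs above, and the transaction-function separation from Chapter 1, to a constructed group-membership export; the names, membership lines and the "person,unit" line format are invented.

```python
"""Segregation-of-duties check over unit memberships.

Added example (not from the audit text): it applies the conflicting unit
pairs listed in the checklist, and the transaction-function separation from
Chapter 1, to a constructed membership export. Names and lines are invented.
"""
from itertools import combinations

# Conflicting pairs of units as listed in the checklist. The entry
# "systems development/maintenance and information security" expands to
# one pair per function.
CONFLICTING_UNITS = frozenset({
    frozenset({"systems development", "systems maintenance"}),
    frozenset({"systems development", "operations"}),
    frozenset({"systems development", "information security"}),
    frozenset({"systems maintenance", "information security"}),
    frozenset({"operations", "data control"}),
    frozenset({"operations", "users"}),
    frozenset({"operations", "information security"}),
})

# Chapter 1: initiation, authorisation, execution, custody and recording of
# one transaction should each sit with a different person, so every pair of
# these functions conflicts.
TRANSACTION_FUNCTIONS = ("initiation", "authorisation", "execution",
                         "custody", "recording")
CONFLICTING_FUNCTIONS = frozenset(
    frozenset(pair) for pair in combinations(TRANSACTION_FUNCTIONS, 2))

# Constructed group-membership export, one "person,unit" line per grant.
SAMPLE_MEMBERSHIP_LINES = [
    "alice,systems development",
    "alice,systems maintenance",    # conflict: development vs maintenance
    "bob,operations",
    "bob,users",                    # conflict: operations vs users
    "carol,information security",
    "carol,data control",           # not a listed conflict
    "dave,operations",
    "dave,information security",    # conflict: operations vs infosec
]


def parse_memberships(lines):
    """Turn 'person,unit' lines into {person: set(units)}."""
    memberships = {}
    for line in lines:
        person, unit = (part.strip() for part in line.split(",", 1))
        memberships.setdefault(person, set()).add(unit)
    return memberships


def find_sod_violations(memberships, conflicts):
    """Return sorted (person, unit_a, unit_b) for every conflicting pair a
    single person holds; the two names inside a tuple are in sorted order."""
    violations = []
    for person, units in memberships.items():
        for a, b in combinations(sorted(units), 2):
            if frozenset((a, b)) in conflicts:
                violations.append((person, a, b))
    return sorted(violations)


def sample_unit_violations():
    """Run the unit-level check over the constructed export."""
    return find_sod_violations(parse_memberships(SAMPLE_MEMBERSHIP_LINES),
                               CONFLICTING_UNITS)


def sample_transaction_violations():
    """Constructed transaction-role assignment: erin both initiates and
    records the same transaction, which the Chapter 1 rule forbids."""
    roles = {"erin": {"initiation", "recording"}, "frank": {"authorisation"}}
    return find_sod_violations(roles, CONFLICTING_FUNCTIONS)


if __name__ == "__main__":
    for violation in sample_unit_violations() + sample_transaction_violations():
        print("SoD conflict:", *violation)
```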
Appropriate and effective key performance indicators and/or critical success factors are used in measuring the results of the information services function in achieving organisational objectives.
Criteria are used for recruiting and selecting personnel to fill open positions.
Specifications of required qualifications for staff positions take into account relevant requirements of professional bodies where appropriate.
Technical and management skill gaps are identified and appropriate actions are taken to address these gaps.
Ongoing cross-training and back-up of staff for critical job functions occurs.
Job change and termination processes ensure the protection of the organisation's resources.
Chapter 3. System Development Life Cycle
dology, Feasibility study, user requirement, system design, testing, conversion, documentation,
implementation and monitoring.
- includes the following reasons for undertaking the project:
  - a statement of the problem to be remedied or process to be improved
  - a statement of the need for the project expressed in terms of enhancing the organisation's ability to achieve its goals
  - an analysis of the deficiencies in relevant existing systems
  - the internal control and security needs that would be satisfied by the project
- addresses the manner in which proposed project feasibility studies are to be prepared, reviewed and approved by senior management, including the:
  - environment of the project: hardware, software, telecommunications
  - constraints of the project: what must be retained during this project, even if short-term improvement opportunities seem apparent
  - benefits and costs to be realised by the project sponsor or owner/sponsor
- provides for the development of a test plan for every development, implementation and modification project
- provides for the development of an adequate plan for training the owner/sponsor staff and information services function staff for every development, implementation and modification project
Budgeted versus actual project milestones and costs are monitored and reported to senior management throughout every major project phase (i.e., software purchase, hardware purchase, contract programming, network upgrades, etc.).
Project milestones and costs in excess of budgeted timeframes and amounts are required to be approved by appropriate organisation management.
A post-implementation process is an integral part of the project management framework to ensure that new or modified information systems have delivered the planned benefits.
Appropriate owner/sponsor and information system function management approvals are obtained for each phase of the development project.
Each phase of the project is being completed and appropriate sign-off is occurring as required.
Mandatory activities/reports identified have in fact been executed/produced (i.e., Executive Steering Committee meetings, project meetings or the like are held at set intervals, minutes of the meetings were taken and distributed to relevant parties, and reports are prepared and distributed to relevant parties).
A test plan has been developed and approved in accordance with the project management framework and is detailed and specific enough.
Mandatory activities/reports identified in the test plan have in fact been executed/produced.
Determine that the criteria used for the project exist and:
- are derived from goals and performance indicators
- are derived from agreed-upon quantitative requirements
- assure internal control and security requirements
- are related to the essential "What" versus the arbitrary "How"
- define a formal Pass/Fail process
- are capable of objective demonstration within a limited time period
- do not simply restate requirements of design documents
A project risk management programme was used to identify and eliminate, or at least minimise, risks associated with the project.
The test plan was adhered to, written testing reviews were created by the owner/sponsor, programming and quality assurance functions, and the sign-off process was complied with as intended.
A written plan for training the staff of the affected owner/sponsor and information services functions was prepared, allowed sufficient time for completing the required training activities, and was used for the project.
The post-implementation review plan was adhered to and carried out for the project.
- definition of responsibilities and authorities of project participants
- acceptance criteria that are both desirable and achievable
- use of milestones and checkpoints in authorising the various project phases
- use of Gantt charts, problem logs, meeting summaries, etc. in managing the project
- quality reports, to determine if systemic problems exist in the organisation's system quality assurance planning process
- the formal project risk management programme, to determine if risks have been identified and eliminated or at least minimised
- the execution of the test plan, to determine that it thoroughly tested the entire system development, implementation or modification project
- the execution of the training plan, to determine that it adequately prepared the owners/sponsors and information services function staff in the use of the system
- the post-implementation review, to determine if planned versus delivered benefits of the project were ascertained
Identifying projects that:
- are poorly managed
- exceed milestone dates
- exceed costs
- are runaway projects
- have not been authorised
- are not technically feasible
- are not cost justified
- do not achieve planned benefits
- do not contain checkpoints
- are not approved at key checkpoints
- are not accredited for implementation
- do not meet internal control and security requirements
- do not eliminate or mitigate risk
- have not been thoroughly tested
- needed training which has not occurred or is inadequate for the system being implemented
- have not had a post-implementation review
The process to produce the documentation.
The functional analysis and design is divided into four major stages:
i. System Investigation
ii. Functional Analysis
iii. Functional Design
iv. Management Review
- Establish the volumes.
- Study the processing exceptions and other exceptions, if there are any.
- Study the operating constraints.
- Identify the problem areas in the existing system.
- Study the current level of system performance.
- Document all facts gathered.
Source of Information
Project Definition Report.
Documentation Output.
Stage: Functional Analysis.
Objectives: To provide the outline of the proposed system to be used as a basis for the Functional Design stage.
Task Descriptions.
- Identify the functional requirements and develop a function chart to a reasonable level of completeness.
- Identify the limitations of the system.
- Identify the interfaces with other functions.
- Identify requirements which will not be supported.
- List of inputs.
- List of outputs.
- Identify the key data groups.
- List out all data items for each data group.
- For each data group, list out all functions that relate to the data group.
- List all inputs relevant to each function.
- List all outputs relevant to the functions identified.
- Create data groups and key items based on inputs and outputs.
Module: Identify Control Requirements.
- Provide the narratives for the control requirements for each function identified.
- Project manager to ensure the completeness and accuracy of the controls identified.
- Identify critical functions which have timing and cut-off periods, details of which will be established later in the technical design phase.
- Identify all critical functions, for the purpose of contingency planning during system operations.
Data.
- Assure that input data is validated and edited as close to the point of origination as possible.
- Determine if programmed keying formats are used to ensure that data is entered in the proper fields and formats.
- Determine if intelligent terminals or suitable microcomputer software are used to perform front-end validation, editing and control in the data entry process.
- Determine that incorrect data are identified, rejected and not allowed to enter the system or to update the master file:
  - individual and supervisor authorisation or approval codes
  - check digits on all identification keys
  - valid codes
  - valid alphanumeric or numeric values
  - valid field sizes
  - valid limits, or the reasonableness of values or ranges
  - record sequences
  - crossfooting
  - complete input records
- Determine that data input does not permit anyone to override or bypass data validation or error-editing routines. If supervisors are allowed to override or bypass these activities, ensure that automatic logging records are produced.
- Ensure that batch control totals are generated by the data entry terminals to validate the completeness of the batches of data received as input.
- Determine that data input maintains a log of source document numbers entered, to ensure that all these documents are accounted for and that the source document can be traced from the outputs.
- The data entered is included in an audit trail record for use in error handling and for recovery in the event of a data processing failure.
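An added example (not from the text) of the front-end edits listed above, in Python: check digit, valid code, field size and format, limit check, crossfooting, record sequence and batch control totals, with supervisor overrides written to a log rather than silently bypassing the edits. The code table, approval codes and the batch are constructed, and the mod-10 (Luhn) scheme is an assumed choice of check digit.

```python
"""Front-end data validation edits over a constructed entry batch.

Added example (not from the audit text). It applies the listed edits
(check digit, valid code, field size/format, limit check, crossfooting,
record sequence, batch control totals) and logs supervisor overrides.
Code tables, approval codes and the batch are invented; the mod-10 Luhn
scheme is an assumed choice of check digit.
"""

VALID_DEPT_CODES = {"SAL", "PUR", "FIN"}     # constructed valid-code table
SUPERVISOR_CODES = {"SUP-7"}                  # constructed approval codes
AMOUNT_LIMIT = 50_000.00                      # reasonableness limit per record


def luhn_valid(key):
    """Mod-10 check digit on an identification key (all digits)."""
    if not key.isdigit() or len(key) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(key)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec):
    """Return the list of edit failures for one record (empty = clean)."""
    errors = []
    if not luhn_valid(rec["account"]):
        errors.append("CHECK_DIGIT")
    if rec["dept"] not in VALID_DEPT_CODES:
        errors.append("INVALID_CODE")
    if not (1 <= len(rec["ref"]) <= 10 and rec["ref"].isalnum()):
        errors.append("FIELD_SIZE_OR_FORMAT")
    if not 0 < rec["total"] <= AMOUNT_LIMIT:
        errors.append("OUT_OF_RANGE")
    if round(sum(rec["lines"]), 2) != round(rec["total"], 2):
        errors.append("CROSSFOOT")              # line amounts must add to total
    return errors


def edit_batch(records, control_count, control_total, override_code=None):
    """Apply record edits, the sequence check and batch control totals.

    Records that fail an edit are rejected and never reach the master file.
    A valid supervisor override accepts them instead, but every override is
    written to the log so the auditor can see who bypassed which edit."""
    accepted, rejected, log = [], [], []
    expected_seq = 1
    for rec in records:
        errors = edit_record(rec)
        if rec["seq"] != expected_seq:
            errors.append("SEQUENCE")
        expected_seq = rec["seq"] + 1
        if errors and override_code in SUPERVISOR_CODES:
            log.append("OVERRIDE seq=%d by=%s errors=%s"
                       % (rec["seq"], override_code, ",".join(errors)))
            accepted.append(rec)
        elif errors:
            rejected.append((rec["seq"], errors))
        else:
            accepted.append(rec)
    batch_errors = []
    if len(records) != control_count:
        batch_errors.append("RECORD_COUNT")
    if round(sum(r["total"] for r in records), 2) != round(control_total, 2):
        batch_errors.append("CONTROL_TOTAL")
    return {"accepted": accepted, "rejected": rejected,
            "log": log, "batch_errors": batch_errors}


# Constructed batch: record 1 is clean, record 2 has a bad check digit,
# record 3 has a bad department code, does not crossfoot and breaks sequence.
SAMPLE_BATCH = [
    {"seq": 1, "account": "79927398713", "dept": "SAL", "ref": "INV0001",
     "lines": [100.00, 250.50], "total": 350.50},
    {"seq": 2, "account": "79927398710", "dept": "SAL", "ref": "INV0002",
     "lines": [10.00], "total": 10.00},
    {"seq": 4, "account": "79927398713", "dept": "XXX", "ref": "INV0003",
     "lines": [20.00, 30.00], "total": 60.00},
]
SAMPLE_CONTROL_COUNT = 3
SAMPLE_CONTROL_TOTAL = 420.50   # predetermined by the submitting department

if __name__ == "__main__":
    result = edit_batch(SAMPLE_BATCH, SAMPLE_CONTROL_COUNT, SAMPLE_CONTROL_TOTAL)
    print("accepted:", [r["seq"] for r in result["accepted"]])
    print("rejected:", result["rejected"])
    print("batch errors:", result["batch_errors"])
```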
Source of Information.
- Business/system function chart and narratives of the existing system.
- List of problems and shortcomings in the existing system.
- List of relevant issues of the existing system.
- List of recommendations for the existing system.
- List of user requirements.
- List of inputs and samples of inputs from the existing system, if available.
- List of outputs and samples of outputs of the existing system, if available.
- Calculations performed in the existing system.
- Timing of processes in the existing system.
- Data fields of the existing system.
- System flowchart of the existing system.
Documentation Output.
Objectives: To provide details of the proposed system for Technical Design in terms of:
i. processes
ii. data items
iii. group items
iv. controls
Task Descriptions.
- Based on the system function chart, develop multilevel Data Flow Diagrams.
- Decide where it would be most logical to carry out functions to increase efficiency and reduce redundancy.
- Movement of data between functions in the Data Flow Diagram should not be constrained by the way the current functions are being performed.
- To select the best design alternative, the criteria to be considered are: remove problem areas instead of improving areas which are already working well, and satisfy the business need.
- Define the processing mode of the functions.
- Define the processes which update each data group.
Source of Information.
Documentation Output.
Stage: Management Review and Approval.
Task Description
- Presentation and review with management and user/audit of the finalised functional specification.
a. System overview.
i. System objectives.
Describe the purpose of the project.
b. System functions.
All functions under the proposed system should be shown by diagrams, i.e. a system function chart. Provide system functional narratives which describe each function to support the chart. Also explain why the system functions interface with other systems.
- Layouts for the output reports.
- Screen organisation and screen layouts.
e. Data requirements.
List out the identified data groups. Each data group must have key items associated with it.
e. Performance.
List out the following performance factors:
- Volume of data, in terms of document inputs to the system, master file and history data to be stored in the computer.
- Timing, i.e. details on:
  - schedule of processes
  - cut-off time
  - time frame for making corrections
  - time frame for recovery
f. Control and security.
g. Calculations.
List out the formulae for any special calculations applied in the proposed system.
h. Letter of acceptance.
Attach a letter of acceptance with the functional specifications.
Selection Preparation (package).
Task description.
- vendor reputation, including the risk of vendor business failure and the quality of vendor personnel.
- Identify which of the selection criteria established are mandatory.
- Assign relative weights to each of the other criteria.
- Establish a standard rating system for evaluation.
- Prepare an RFP, which should include the following:
  - a cover letter
  - background of the organisation, current operations and projected growth and change
  - specification of requirements for the new system
  - request for the vendor to describe the package
  - request for detailed costs of purchase (purchase and lease prices, maintenance)
  - request for an estimate of typical installation time and an implementation plan
  - request for customer reference information
  - request for a copy of the vendor's proposed contract
  - some of the criteria which might be important to the vendor
Source of Information.
Documentation Outputs.
Stage: Package Selection.
Objectives: To select and recommend the best package that suits the requirements through proper study and evaluation.
Task Description.
- Study each package in depth and conduct further demonstrations if necessary to identify all possible changes. Changes may include new features to be added and modifications.
- Discuss with the user any features which might compromise the requirements or any additional package features which might be useful.
- Analyse all costs related to each package.
- Do a final evaluation and selection based on package impacts and cost analysis.
- Prepare a recommendation on the package selected for management, including the evaluation summary on the various packages.
Source of Information.
- Selection criteria.
- Vendor proposals.
Documentation Outputs
- Recommendation on the selected package.
Objectives: To provide details of the proposed system reflecting the package features plus any modifications to be done.
Task Description
Module: Design processes
- Stability: does not need to be frequently updated or changed.
Source of Information.
- Package features and user requirements.
- List of system inputs.
- List of system outputs.
Documentation Outputs
- Proposed system input layouts.
- Proposed system output layouts.
- Proposed system screen organisation.
- Proposed system data flow diagrams.
- Narratives for data flow diagrams.
Objectives: To finalise the system environment in terms of software combinations for implementing the technical solutions.
Task Description
Source of Information
- Functional specifications
- Software information
Documentation Outputs
ii) the system flow,
Task Description
- Analyse data to get the final data groups as a basis for file design.
- The normalisation method is recommended for data analysis.
- The final grouping of data is supposed to:
  - reduce redundancy
  - achieve the maximum level of performance
  - allow flexibility for expansion
- For each file, decide on the following and fill in the file description form:
  - description
  - file name
  - file organisation: indexed, sequential, direct or random
  - format: fixed/variable length record
  - block size
  - record length
  - record type
  - sequence
  - access keys
  - names of key fields
Module: Design system flow
- Functional specifications
Documentation Outputs
- Inventory of programs and program outlines.
- Program/file cross-reference.
- System flowchart and recovery flowchart.
Task Description
Source of Information
- Program outlines
- File descriptions and record definitions
- System flowchart
Documentation Outputs.
- Completed program specifications.
- An inventory of programs should contain the following:
  - program name
  - program description
  - language used
- For each program, there should be a program specification comprising:
  - the system flowchart extract
  - top-level function
  - input and output
  - program details and program logic
Technical specification
a. System overview.
- Objectives
- daily, weekly, monthly and annual processing steps
- how the various files in the system are related to each other
- interfaces with other systems
b. File descriptions
- description
- file name
- file organisation: indexed, sequential, direct or random
- format: fixed/variable length record
- block size
- record length
- record type
- sequence
- access keys: names of key fields
c. Record definition
d. System flowchart
e. Program specifications
- system flowchart extract
- top-level function
- input and output
- program details and program logic
f. Program/file cross-reference.
Each file used by each program is to be recorded on the cross-reference form. The file access method used by the programs should be denoted as:
R – read only
W – write only
U – update
The system implementation planning phase involves four major modules:
a. System implementation approach
b. Prepare test plan
c. Design conversion
d. Prepare conversion plan
The system implementation plan is done after completing the Technical Design phase.
Objectives: To ensure that the best approach is adopted to carry out the conversion process.
Task Description
- Evaluate the various alternatives for the conversion cut-off date, taking into consideration factors such as:
  - The conversion cut-off date must coincide with the system's logical closing to ensure accuracy in file balancing and control.
  - The exact date the system will be ready.
  - The various processing functions which may need to be carried out immediately before or after the conversion process.
  - The selection of the cut-off date must ensure that the conversion process involves:
    - less manual processing
    - fewer temporary files created
    - fewer programs used
- Identify files that are:
  - to be created
  - in old formats that are to be used
- Identify new inputs.
- Consider and recommend the most suitable implementation approach from the following:
  - direct changeover
  - pilot run
  - parallel run
  - phased implementation
- Study the resource availability in terms of manpower and machine resources, depending on the implementation approach.
Source of Information
- List of new files and formats together with their corresponding old files.
- Report on the user department's capability in terms of manpower to handle any of the selected implementation approaches.
- Old system processing schedule.
Documentation Outputs
Task Description
- Different combinations of test conditions should be used in different cycles to ensure the thoroughness of the test.
- Determine the number of test conditions in each cycle.
- For each cycle, a definition of the data required for that cycle must be produced.
- The data definition should identify key or critical values for transaction and master records.
- Ensure that the opening values and expected closing values of each cycle are pre-recorded.
- Prepare a list of programs used for loading data.
- Prepare a list of files to be created and files with initial values.
- Prepare a list of programs which check file controls and totals.
- Estimate the human resources required.
- Estimate the machine resources required:
  - processor type and system software required
  - disk space required: calculations for files and work areas
  - number of tapes required and for what purpose the tapes are used
  - number of user-ids, the size of each, and for what purpose
- Estimate the supplementary resources required:
  - special print forms
  - PCs, diskettes and hard disks
  - the duration for which the resources are required
  - the special times at which the supplementary resources are required; when these resources are required, and why they are required at that time, should also be specified
- Prepare an outline of items to brief the user and operations staff on system testing.
- Prepare a system test schedule based on the information compiled.
- The system test schedule should include the following:
  - system test organisation
  - tasks for pre-test preparation
  - test cycle tasks:
    - data preparation
    - running of tests
    - checking of test results
  - modification allowance
Source of Information
Project plan from the system planning phase.
Documentation Output
Module: Design conversion
Task Description
- Separate the static data files and dynamic data files which are to be converted.
- Identify new files which need to be initialised and loaded with dummy records.
- Identify the programs which create each new file.
- Prepare a list of conversion programs and their descriptions.
- Outline the procedures and controls required for the creation of each new file.
- Design the system flowchart.
- Prepare the program outline by providing:
  - the program flowchart, which is an extract from the system flowchart
  - the program functions for each program
  - program input, i.e. file definition and record description
  - program output, i.e. file definition, record description and report layout
- The conversion process should be divided into steps and, if possible, the steps grouped into phases.
- Consider controls for each phase.
- Consider the following when designing a conversion system:
  - controls by value of data in the file
  - controls of quantity of data in the file
Source of Information.
- The selected cut-off date.
- List of important processing required immediately before and after the conversion process.
- Outline of system resource requirements for conversion and the selected implementation approach.
- List of new files and their corresponding old files (if any) and new inputs.
Documentation Output
- system flowchart
- program outline, such as:
  - flowchart
  - input (file description and record description)
  - output (file description and record description)
- program inventory
- conversion procedures and controls
- volume estimates
Module: Prepare Conversion Plan.
Objectives: To prepare and finalise the activities required before and during conversion.
Task Description.
- tasks for pre-conversion preparation
- conversion phases:
  - running of conversion programs
  - checking of results and controls
  - correction allowance
Documentation Output
- Conversion setup
- Software setup
- Outline of user and operations briefing
c. Test conditions include abnormal (error) conditions as well as normal (error-free) conditions.
- List of system test conditions
List all possible system test conditions to be tested.
- List of manual and automated processing steps
List all processing steps in this section.
e. Resource requirements
Resource estimates
Human and machine resources
Supplementary resource estimates
h. Master control report.
a. Overview
- objectives
- selection of the cut-off date
- list of important processing immediately before and after the conversion process
- list of new files and their corresponding old files and new inputs
- provide a table of new files to be created, their corresponding old files, and new inputs if there are any
- recommended implementation approach
- system flowchart
- program inventory
- volume estimates
- conversion/software setup
- outline of user and operations briefing
- library and data file setup
- tasks and responsibilities
- procedures on problem reporting
- procedures for program change and transfer
- filing of conversion reports and controls for audit purposes
- conversion phases
- conversion procedures and controls
c. Resource requirements
d. Conversion schedule
f. Conversion log
The conversion log is to record the results of the conversion done:
i. To record the successful completion of each phase of conversion.
ii. To record:
- errors encountered
- the steps taken to correct them
- the time/date the errors were corrected
Chapter 4. Application
Abstract
Management should establish procedures and controls over input, processing and output. The procedures should be implemented and monitored by responsible personnel. The following controls should be included in the procedures:
- Documented procedures are exist that explain the methods for proper source document
origination, authorization, data collection, input preparation, error handling, and
retention.
- The duties separated to make sure that no one individual performs more than one of the
following operations:
--Originating data.
--Inputting data.
--Processing data.
--Distributing output.
- Source documents are designed to minimize errors and omissions such that:
--Special purpose forms are used to guide the initial recording of data in a uniform
format.
--Preprinted sequential numbers are used to establish controls.
1
--Each type of transaction has a unique identifier.
--Each transaction has a cross-reference number which can be used to trace
information to and from the source document.
- Access to source documents and blank input forms are restricted to authorized
personnel only.
- Source documents and blank input forms are stored in a secure location.
- The authorization from two or more accountable individuals required before the
release of source documents from storage.
- Duties separated within the user department to make sure that one individual does not
prepare more than one type of transaction (establishing new master records plus
changing or updating master records).
- Duties separated within the user department to make sure that no one individual
performs more than one of the following phases of data preparation:
--Originating the source document.
--Authorizing the source document.
--Controlling the source document.
- User department have a control group responsible for collecting and completing source
documents.
2
- This control group verify the following for source documents:
--They are accounted for.
--They are complete and accurate.
--They have been appropriately authorized.
--They are transmitted in a timely manner.
- This control group independently control data submitted for transmittal to the data
processing department for conversion or entry by using:
--Turn around transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
--Other.
- When the user department is responsible for its own data entry, a separate group within
the department performs this input function.
- Documented procedures exist that explain the methods for source document error
detection, correction, and reentry.
- They include:
--Types of error conditions that can occur
--Correction procedures to be followed
--Methods to be used for the reentry of source documents which have been
corrected.
- The department identifies errors in a way that facilitates the correction of erroneous information.
- The department follows the same verification and control procedures described above
for original source documents when receiving corrected source documents.
- Error logs are used to ensure timely follow-up and correction of unresolved errors.
- Source document originators are immediately notified by the (Blank) department of all
errors.
- Source documents are retained so that data lost or destroyed during subsequent processing
can be recreated.
- Each type of source document has a specific retention period.
- Source documents are stored in a logical manner to facilitate retrieval.
- A copy of the source document is kept in the originating department whenever the
document leaves the department.
- Access to records kept in the originating department is restricted to authorized personnel
only.
- Source documents, on reaching their expiration dates, are removed from storage and
destroyed in accordance with security classifications.
Data input controls ensure the accuracy, completeness, and timeliness of data
during its conversion into machine readable format and entry into the application.
Data input can be accomplished in two different ways: batch and on-line. The main
areas of control include
--data conversion and entry,
--data validation and editing, and
--data input error handling.
Also of particular importance is the critical interface between the user department and
the data processing department.
The auditor should determine the adequacy of both manual and automated
controls over data input to make sure that data is input accurately with optimum use
of computerized validation and editing, and that error handling procedures facilitate
the timely and accurate resubmission of all corrected data.
- Documented procedures exist that explain the methods for data conversion and entry.
- Duties are separated to make sure that no one individual performs more than one of
the following operations:
--Originating data.
--Inputting data.
--Processing data
--Distributing output.
- The data processing department has a control group responsible for data conversion and
entry of all source documents received from user departments.
- The data processing control group returns all turn around transmittal documents to the user
department to make sure that no documents were added or lost.
- The Computer Service Center independently develops record counts which are balanced
with those of the user department, and all discrepancies are reconciled.
- The Computer Service Center independently develops predetermined control totals which
are balanced with those of the control group in the user department, and all
discrepancies are reconciled.
- The Computer Service Center keeps a log or record showing the receipt of user
department source documents and their actual disposition, and there are provisions to
make sure that all documents are accounted for.
- The turn around transmittal documents returned to the data processing control
group are accounted for to make sure that no documents were added or lost during
conversion.
- All batches of documents returned to the data processing control group are accounted
for to make sure that no batches were added or lost during conversion.
- All record counts developed during conversion are balanced with those of the data
processing control group, and all discrepancies are reconciled.
- All converted documents returned to the data processing control group are logged in and
accounted for.
- The data processing control group independently controls data submitted for data entry
by using:
--Turn around transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
- Data entry operations are established as close to the origination of the source data as
possible.
- The data processing department has a schedule, by application, that shows when data
requiring entry will be received and when entry needs to be completed.
- All documents entered into the application are signed or marked in some way to
indicate that they were entered into the system, thereby preventing accidental
duplication or reuse of the data.
- All batches of documents returned to the data processing control group are accounted
for to make sure that no batches were added or lost during data entry.
- All record counts developed during data entry are balanced with those of the data
processing control group, and all discrepancies are reconciled.
- All input documents returned to the data processing control group are logged in and
accounted for.
- All input documents are retained in a manner which enables tracing them to related
originating documents and output records.
- Data validation and editing are performed as early as possible in the data flow to ensure
that the application rejects any incorrect transaction before its entry into the system.
- Data validation and editing are performed for all input data fields even though an error
may be detected in an earlier field of the same transaction.
- The following are checked for validity on all input transactions:
--Individual and supervisor authorization or approval codes.
--Check digits on all identification keys.
-- Check digits at the end of a string of numeric data that is not subjected to balancing.
--Codes.
--Characters.
--Fields.
--Combinations of fields.
--Transactions.
--Calculations
--Missing data.
--Extraneous data.
--Amounts.
--Units.
--Composition.
--Logic decisions.
--Limit or reasonableness checks.
--Signs.
--Record matches.
--Record mismatches.
--Sequence.
--Balancing of quantitative data.
--Crossfooting of quantitative data.
- Special routines are used which automatically validate and edit input transaction dates
against a table of cutoff dates.
- All persons are prevented from overriding or bypassing data validation and editing
errors.
- If not, the following hold:
--This override capability is restricted to supervisors in only a limited number of acceptable
circumstances.
--Every system override is automatically logged by the application so that these actions can
be analyzed for appropriateness and correctness.
- Batch control totals submitted by the data processing control group are used by
the computer-based system to validate the completeness of batches received as
input into the application.
- Record counts submitted by the data processing control group are used by the
computer-based system to validate the completeness of data input into the
application.
- Predetermined control totals submitted by the data processing control group are used by
the computer-based system to validate the completeness of data input into the
application.
- Documented procedures exist that explain the process of identifying, correcting, and
reprocessing data rejected by the application.
- Error messages are displayed with clearly understood corrective actions for each type of
error.
- Error messages are produced for each transaction which contains data that does not
meet edit requirements.
- Error messages are produced for each data field which does not meet edit requirements.
- All data that does not meet edit requirements is rejected from further processing by the
application.
- All data rejected by the application is automatically written to an automated suspense
file.
- The automated suspense file also includes:
--Codes indicating error type.
--Date and time the transaction was entered.
--Identity of the user who originated the transaction.
- Record counts are automatically created by suspense file processing to control these
rejected transactions.
- Predetermined control totals are automatically created by suspense file processing to
control these rejected transactions.
- Rejected transactions caused by data conversion or entry errors are corrected by the data
processing department control group.
- Rejected transactions not caused by data conversion or entry errors are corrected by the
user originating the transaction.
- The automated suspense file is used to control follow-up, correction, and reentry of
transactions rejected by the application.
- The automated suspense file is used to produce, for management review, analysis of:
--Level of transaction errors.
--Status of uncorrected transactions.
- These analyses are used by management to make sure that corrective action is taken when
error levels become too high.
- These analyses are used by management to make sure that corrective action is taken when
uncorrected transactions remain on the suspense file too long.
- Progressively higher levels of management are reported to as these conditions worsen.
- Debit- and credit-type entries (as opposed to delete- or erase-type commands) are used to
correct rejected transactions on the automated suspense file.
- The application is designed so that it cannot accept a delete- or erase-type command.
- Invalid correction transactions are added to the automated suspense file, along with the
corresponding rejected transactions.
- Record counts are appropriately adjusted by correction transactions.
- Predetermined control totals are appropriately adjusted by correction transactions.
- All corrections are reviewed and approved by supervisors before reentry.
- Procedures for processing corrected transactions are the same as those for
processing original transactions, with the addition of supervisory review and
approval before reentry.
- Documented procedures exist that explain the methods for data conversion and
entry.
- Duties are separated to make sure that no one individual performs more than one of
the following operations:
--Originating data.
--Inputting data.
--Processing data.
--Distributing output.
- A separate group within the user department is responsible for performing data
entry operations.
- All documents entered into the computer application must be signed or marked
in some way to indicate that they were in fact entered into the system to protect
against accidental duplication or reuse of the data.
- Data entry terminal devices are locked in a physically secure room, allowing only
query terminal devices to be located outside the secure room.
- Supervisors sign on each terminal device to initialize terminals before any operators
can sign on to begin work.
- The work that may be entered on a terminal restricted by the authority level
assigned to each terminal device (data entry vs. query).
- Password control in existence to prevent unauthorized use of the terminal devices.
- Non-printing, non-displaying, or obliteration facilities are used when keying and
acknowledging passwords and authorization codes.
- An immediate report is produced of unauthorized attempts to access the system
via terminal devices, showing:
--Number of attempts.
--Identification of the operator at the time of the violation.
- Terminal lockup is used to prevent unauthorized access to the terminal device after a
certain predetermined number of incorrect attempts to access the system.
- The system automatically shuts down the terminal if the password is wrong and allows
intervention only by specially assigned supervisors.
- A data access matrix is used to restrict access levels by checking user
identification (user ID and password).
- Each individual user of the on-line system is limited to certain types of application
transactions.
- Master commands that control the operation of the application are restricted to a
limited number of supervisory data processing personnel.
- Top management is required to review the propriety of terminal authority levels in the
event of a purported or real security violation.
- Individual passwords are changed periodically.
- Individual passwords are changed in the event of a purported or real security
violation.
- A password is deleted once an individual changes job function, separates, no longer
needs the same level of access, or no longer needs access at all.
- A usage log, or the data access matrix, showing the purposes of user accesses is reviewed
by top management to identify unauthorized usage.
- The security officer has initiated an aggressive review program to determine that
controls are fully operational.
- Terminal hardware features include the following:
--Built-in terminal identifications which automatically validate proper terminal
authorization.
--Terminal logs which record all transactions processed.
--Messages which are automatically date and time stamped for logging purposes.
--Record counts which are automatically accumulated for logging purposes.
- Each message contains an identifying message header that includes:
--Message number.
--Terminal and user identification.
--Date and time.
--Transaction code.
- Preprogrammed keying formats are used to make sure that data is recorded in the
proper field, format, etc.
- Interactive display is used to allow the terminal operator to interact with the
system during data entry.
- Computer-aided instructions, such as prompting, are used with on-line dialogue to
reduce the number of operator errors.
- Intelligent terminals are used to allow front-end validation, editing, and control.
- Data validation and editing are performed as early as possible in the data flow to ensure
that the application rejects any incorrect transaction before its entry into the system.
- Data validation and editing are performed for all input data fields even though an error
may be detected in an earlier field of the same transaction. The following are checked
for validity on all input transactions:
--Individual and supervisor authorization or approval
codes.
-- Check digits on all identification keys.
-- Check digits at the end of a string of numeric data
that is not subject to balancing.
--Codes.
--Characters.
--Fields.
--Combinations of fields.
--Transactions.
--Calculations.
--Missing data.
--Extraneous data.
--Amounts.
--Units.
--Composition.
--Logic decisions.
--Limit or reasonableness checks.
--Signs.
--Record matches.
--Record mismatches.
--Sequence.
--Balancing of quantitative data.
--Crossfooting of quantitative data.
- Special routines are used which automatically validate and edit input dates
against a table of cutoff dates.
- All persons are prevented from overriding or bypassing data validation and
editing errors.
- If not, the following hold:
--This override capability is restricted to supervisors in a limited number of acceptable
circumstances.
--All system overrides are automatically logged by the application so that these actions
can be analyzed for appropriateness and correctness.
- Batch control totals generated by the terminal or application are used by the user
department control group to validate the completeness of batches received as input
data.
- Record counts generated by the terminal, concentrator, or application are used by the
user department control group to validate the completeness of data input.
- Predetermined control totals generated by the terminal or application are used by the
user department's control group to validate the completeness of data input.
- Record counts are automatically created by the suspense file processing to control these
rejected transactions.
- Predetermined control totals are automatically created by suspense file processing to
control these rejected transactions.
- Rejected transactions caused by data entry errors are corrected by the terminal
operator.
- Rejected transactions not caused by data entry errors are corrected by the user
originating the transaction.
- The user department independently controls data rejected by the application by using:
--Turn around transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
- The automated suspense file is used to control followup, correction, and reentry of
transactions rejected by the application.
- The automated suspense file is used to produce, for management review, analysis of
the following:
--Level of transaction errors.
--Status of uncorrected transactions.
- These analyses are used by management to make sure that corrective action is taken
when error levels become too high.
- These analyses are used by management to make sure that corrective action is taken
when uncorrected transactions remain on the suspense file too long.
- Progressively higher levels of management are reported to as these conditions worsen.
- Valid correction transactions purge the automated suspense file of corresponding
rejected transactions.
- Invalid correction transactions are added to the automated suspense file along
with the corresponding rejected transactions.
- All corrections are reviewed and approved by supervisors before reentry.
- The procedures for processing corrected transactions are the same as those for
processing original transactions, with the addition of supervisory review and
approval before reentry.
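The automated suspense file described above, for both the batch and the on-line case, has a few properties that are easy to get wrong: rejected items are reversed out by adjusting entries rather than deleted, an invalid correction joins the file beside the item it tried to fix, the record count and control total move with every entry, and the aging analysis drives escalation. The following is an added example, not code from the original checklist; the transaction layout, error codes, the edit applied to corrections, the aging thresholds and the escalation levels are assumptions made for illustration, and timestamps are passed in explicitly so the scenario is deterministic.

```python
"""Automated suspense file for rejected transactions. Each rejection carries an
error code, the entry timestamp and the originator; a record count and a
control total are kept over the file; a correction reverses the rejected item
out as an adjusting entry (the file is append-only, there is no delete), a
correction that itself fails the edits joins the file, and an aging analysis
tells management how many items are uncorrected, how old, and who should be
told.

Added example, not from the original checklist. The transaction layout, error
codes, the edit applied to corrections, aging thresholds and escalation levels
are assumptions made for illustration.
"""
from datetime import datetime, timedelta


class SuspenseFile:
    def __init__(self):
        self.entries = {}           # txn_id -> entry; status OPEN or CORRECTED
        self.journal = []           # append-only: (action, txn_id, signed amount, when)
        self.record_count = 0       # open items
        self.control_total = 0.0    # sum of amounts of open items

    def reject(self, txn, error_code, user, when):
        self.entries[txn["txn_id"]] = {"txn": txn, "error": error_code,
                                       "entered_by": user, "entered_at": when,
                                       "status": "OPEN"}
        self.record_count += 1
        self.control_total += txn["amount"]
        self.journal.append(("REJECT", txn["txn_id"], txn["amount"], when))

    def correct(self, txn_id, correction, validator, user, when):
        """Apply a correction (which carries its own txn_id). A valid one
        reverses the original out with a negative adjustment of the count and
        total; an invalid one is added to the file beside the original."""
        entry = self.entries.get(txn_id)
        if entry is None or entry["status"] != "OPEN":
            return False
        errors = validator(correction)
        if errors:
            self.reject(correction, errors[0], user, when)
            return False
        entry["status"] = "CORRECTED"
        self.record_count -= 1
        self.control_total -= entry["txn"]["amount"]
        self.journal.append(("REVERSE", txn_id, -entry["txn"]["amount"], when))
        return True

    def aging_report(self, as_of, warn_after=timedelta(days=7),
                     escalate_after=timedelta(days=30)):
        """Level of errors and status of uncorrected items, with the management
        level to report to as the oldest item ages (assumed thresholds)."""
        open_items = [e for e in self.entries.values() if e["status"] == "OPEN"]
        oldest = max((as_of - e["entered_at"] for e in open_items), default=timedelta(0))
        if oldest >= escalate_after:
            report_to = "senior management"
        elif oldest >= warn_after:
            report_to = "department management"
        else:
            report_to = "control group"
        by_error = {}
        for e in open_items:
            by_error[e["error"]] = by_error.get(e["error"], 0) + 1
        return {"open": len(open_items), "oldest_days": oldest.days,
                "by_error": by_error, "report_to": report_to}


def within_limit(txn):
    """Edit applied to corrections in the demo (assumed): 0 < amount <= 500."""
    return [] if 0 < txn["amount"] <= 500 else ["LIMIT"]


def demo():
    """Constructed scenario: two rejections, one valid and one invalid correction."""
    t0 = datetime(2024, 3, 1, 9, 0)
    sf = SuspenseFile()
    sf.reject({"txn_id": "T1", "amount": 120.0}, "CHECK_DIGIT", "op01", t0)
    sf.reject({"txn_id": "T2", "amount": 80.0}, "SIGN", "op02", t0 + timedelta(days=2))
    sf.correct("T1", {"txn_id": "T1C", "amount": 120.0}, within_limit, "op01", t0 + timedelta(days=3))
    sf.correct("T2", {"txn_id": "T2C", "amount": 800.0}, within_limit, "op02", t0 + timedelta(days=4))
    return sf, sf.aging_report(as_of=t0 + timedelta(days=10))
```

Because the journal only ever grows, the auditor can re-foot the record count and control total from it at any time; that is the property the "no delete- or erase-type command" rule is protecting.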
Data output controls are used to ensure the integrity of output and the correct
and timely distribution of the outputs produced. Not only must outputs be accurate, but
they must also be received by users in a timely and consistent manner. Outputs can be
produced in two different ways: batch and on-line. The main areas of control include
--output balancing and reconciliation,
--output distribution,
--output error handling, and
--handling and retention of output records and accountable documents.
Of critical importance is the interface between the data processing department
and the user department.
The auditor should evaluate the adequacy of controls over outputs to make sure
that data processing results are reliable, output control totals are accurate, and reports
are distributed in a timely manner to users.
- The data processing control group monitors the processing flow to make sure that
application programs are being processed according to schedule.
- The data processing department control group reviews output products for general
acceptability and completeness.
- System output logs are kept to provide an audit trail for the outputs.
- Output logs are reviewed by supervisors to determine the correctness of output
production.
- A transaction log is kept by the application to provide an audit trail for the transactions
being processed.
- A transaction log is kept at each output device to provide an audit trail for the
transactions being processed.
- The transaction log kept by the application is compared regularly with the transaction
log kept at each output device to make sure that all transactions have been properly
processed to the final output steps.
- Transactions can be traced forward to the final outputs.
- Transactions can be traced backward to the original source documents.
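Comparing the application's transaction log with the log kept at each output device, and tracing a transaction forward to its output and backward to its source document, is a set-reconciliation problem. The following is an added example, not code from the original checklist; the pipe-separated log layouts, the field names and the sample log lines are constructed for illustration.

```python
"""Audit trail reconciliation between the application's transaction log and the
log kept at an output device: transactions that never reached a final output
and outputs with no originating transaction are both reported, and any
transaction can be traced forward to its output or backward to its source
document.

Added example, not from the original checklist. The pipe-separated log layouts,
field names and the sample log lines are constructed for illustration.
"""

# Constructed application transaction log: txn_id|source_doc|terminal|txn_code|amount
APP_LOG = """\
T1001|SD-5581|T101|ADD|150.00
T1002|SD-5582|T101|CHG|42.50
T1003|SD-5583|T101|ADD|960.00
T1004|SD-5584|T101|DEL|0.00
"""

# Constructed output device log: device|txn_id|report
DEVICE_LOG = """\
PRN-7|T1001|DAILY-POSTINGS
PRN-7|T1002|DAILY-POSTINGS
PRN-7|T1004|DAILY-POSTINGS
PRN-7|T9999|DAILY-POSTINGS
"""


def parse_app_log(text):
    rows = {}
    for line in text.splitlines():
        txn_id, source_doc, terminal, code, amount = line.split("|")
        rows[txn_id] = {"source_doc": source_doc, "terminal": terminal,
                        "txn_code": code, "amount": float(amount)}
    return rows


def parse_device_log(text):
    rows = {}
    for line in text.splitlines():
        device, txn_id, report = line.split("|")
        rows.setdefault(txn_id, []).append({"device": device, "report": report})
    return rows


def reconcile_logs(app_rows, device_rows):
    """Transactions lost before output, and outputs added without a transaction."""
    not_output = sorted(set(app_rows) - set(device_rows))
    unknown_output = sorted(set(device_rows) - set(app_rows))
    return not_output, unknown_output


def trace_forward(txn_id, device_rows):
    """Where did this transaction end up?"""
    return device_rows.get(txn_id, [])


def trace_backward(txn_id, app_rows):
    """Which source document did this transaction come from?"""
    return app_rows.get(txn_id, {}).get("source_doc")


def run():
    app, dev = parse_app_log(APP_LOG), parse_device_log(DEVICE_LOG)
    return reconcile_logs(app, dev), trace_backward("T1002", app), trace_forward("T1001", dev)
```

In the constructed data, T1003 was accepted by the application but never printed, and T9999 was printed although the application never logged it; both are conditions the control group must explain before the report is released.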
- On each output product, the application identifies the:
--Title or name of product.
--Processing program name or number.
--Date and time prepared.
--Processing period covered.
--User name and location.
--Counts developed during processing.
--End-of-job/file/report indication.
--Security classification, if any.
- The user department is given lists of all internally generated transactions produced by
the application.
- The user department is given a list of all transactions entered into the application.
- The user department is furnished reports produced by the application which show the:
--Batch totals.
--Record counts.
--Predetermined control totals.
- The user department verifies all computer-generated batch totals against its manually
developed batch totals.
- The user department verifies all computer-generated record counts against its manually
developed record counts.
- The user department verifies all computer-generated predetermined control totals against its
manually developed predetermined control totals.
- The user department verifies the accuracy and completeness of all outputs.
- The user department retains ultimate responsibility for the accuracy of all outputs.
- Documented procedures exist that explain the methods for proper handling and
distribution of output products.
- The cover sheet of every report clearly identifies the recipient's name and location.
- The user department has a person who is responsible for distributing all output
produced by the computer application.
- The user department has a schedule, by application, that shows when output
processing will be completed and when output products need to be distributed.
- A priority system has been established so that critical outputs can be produced on time.
- The data processing department control group keeps a log, by application, of all output
products produced by the system.
- The data processing department maintains a formalized output distribution checklist to
show the disposition of each output product.
- The output distribution checklist is used to verify the acknowledgment of all turn around
transmittal documents from recipients of output.
- Documented procedures exist that explain the methods for proper balancing and
reconciliation of output products.
- The data processing department has a control group responsible for making
sure the output products are accurately processed by data processing and
correctly transmitted to user terminal devices.
- The data processing department control group has a schedule, by application, that
shows when pre-output processing ends and when output processing begins.
- The data processing department control group monitors the processing flow to make sure
that application programs are being processed according to schedule.
- The data processing department control group reconciles each output batch total with input
batch totals, before the transmission of outputs, to ensure that no data was added or
lost during data processing.
- The data processing department control group reconciles output predetermined control
totals with input predetermined control totals, before the transmission of outputs, to
ensure that no data was added or lost during data processing.
- A log is kept by the application to provide an audit trail for transactions being
processed.
- Terminal devices automatically disconnect from the computer-based system if they are
unused for a certain amount of time.
- Terminal devices are logged off at the end of the day so that they are
disconnected from the computer-based system.
- Output devices are located in secure facilities at all times to protect against
unauthorized access.
- As outputs are transmitted and received, the terminal output device sends a reply that
they have been correctly received.
- Message content is validated before displaying, writing, or printing on the
terminal output device.
- The user department has a control group responsible for reviewing all outputs
produced by the computer application.
- The user department control group reconciles each output batch total with input batch
totals, before the release of any reports, to ensure that no data was added or lost during
data processing.
- The user department control group maintains a formalized output distribution checklist
to show the disposition of each output product.
Chapter 5. Computer Operation
Abstract
1. Management of IS operations.
IS management has the overall responsibility for all operations within the IS function.
2. Resource Allocation
Management is responsible for ensuring that the necessary resources are available to
perform the planned activities within the IS function.
3. Computer Operations.
Computer operators are responsible for the accurate and efficient operation of
scheduled jobs on the computer.
4. Operating Procedures.
Procedures detailing instructions for the operations, task and procedures, prepared in
accordance with IS Management's authorization and intent are necessary parts of the IS
control environment.
5. Job Accounting
Job accounting applications are designed to monitor and record IS resource usage.
Information recorded by these applications, such as the performance and utilization of
the CPU, secondary storage media and terminal connect time, is used by IS
Management to perform activities which include:
Matching resource utilization to the associated user for billing purposes; and
Optimizing hardware performance by changing or "tuning" system software defaults.
6. Lights Out Operations
"Lights Out Operations" refers to the automation of key computer room operations such
that these tasks can take place without human intervention. The types of tasks being
automated with the use of sophisticated system operations software are:
Job scheduling;
Console Operation;
Report balancing and distribution;
Re-run/Re-start activities
Tape mounting and management;
DASD management;
Environmental monitoring; and
Physical and data security software.
Advantages of Lights Out Operations
Cost containment and/or reduction in IS operations;
Continuous operations (24 by 7: 24 hours a day, 7 days a week); and
Reduced number of system errors and interruptions.
7. Job schedulers.
This software provides an orderly way to stage and initiate computer work. The
scheduling can be on a FIFO (first-in first-out) basis, by time, by successful completion of
preceding activities, as resources become available, by priority, or by a combination of means.
Schedulers may include a preprocessing function which checks for errors in the process
request (e.g., Job Control Language (JCL) syntax errors, or invalid process or file
names). Schedulers can accept process requests from multiple sources, so the auditor
should be aware of all sources and of how authorization is checked for the processes
scheduled.
Scheduling is a major function within IS. The schedule includes the jobs that must be run,
the sequence of job execution and the conditions that cause program execution. It also
permits the scheduling of low priority jobs if time becomes available. Job scheduling
software is often used. Automation provides control over the scheduling process since
job information is set up once, reducing the possibility of errors, job dependencies can
be defined, and the software can provide security over access to production data.
These schedules ensure efficient use of computer resources.
Job scheduling procedures are necessary to ensure that IS resources are optimally
utilized based on processing requirements.
Management should authorize processing schedule changes, and review the log of jobs
which have been executed.
Scheduling functions
High priority jobs should be given optimal resource availability while maintenance
functions such as backup and system reorganization should be performed during non
peak times. Schedules provide a means to keep customer demand at a manageable
level and permit unexpected or on request jobs to be processed without unnecessary
delay.
The introduction of job scheduling systems helps ensure jobs are run in proper
sequence.
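The scheduler behaviour described in this section (a preprocessing check of each request, an authorization check on the requesting source, dependency ordering, priority among ready jobs, and a log of executed jobs for management review) can be shown in a compact model. The following is an added example, not code from the original text or any particular scheduling product. The job names, the table of which request sources may schedule which jobs, and the priority values are assumptions made for illustration.

```python
"""Job scheduler: each request is pre-processed (unauthorized request source,
duplicate job name), jobs run only after the jobs they depend on have
completed successfully, ready jobs are ordered by priority then FIFO, a job
whose dependency failed or does not exist is skipped rather than run, and every
outcome is written to an execution log for management review.

Added example, not from the original text. The job names, the authorization
table and the priority values are assumptions made for illustration.
"""
from heapq import heappop, heappush
from itertools import count

# Constructed authorization table: request source -> job names it may schedule.
AUTHORIZED_SOURCES = {
    "ops-console": {"NIGHTLY-BACKUP", "GL-POST", "GL-REPORTS", "REORG", "ARCHIVE"},
    "user-batch": {"GL-POST"},
}


class Scheduler:
    def __init__(self):
        self.jobs = {}         # name -> {"deps": set, "priority": int, "seq": int}
        self.rejected = []     # (name, reason) from pre-processing
        self.log = []          # (name, status) in execution order
        self._seq = count()    # FIFO tie-breaker among equal priorities

    def submit(self, name, source, deps=(), priority=5):
        """Pre-process the request before it enters the schedule."""
        if name not in AUTHORIZED_SOURCES.get(source, set()):
            self.rejected.append((name, f"source {source} not authorized"))
            return False
        if name in self.jobs:
            self.rejected.append((name, "duplicate job name"))
            return False
        self.jobs[name] = {"deps": set(deps), "priority": priority, "seq": next(self._seq)}
        return True

    def run(self, execute):
        """execute(name) -> True on success. Lower priority number runs first
        among the jobs whose dependencies have all completed."""
        pending = {n: set(j["deps"]) for n, j in self.jobs.items()}
        done = {}              # name -> succeeded (bool)
        ready = []
        for n, deps in pending.items():
            if not deps:
                heappush(ready, (self.jobs[n]["priority"], self.jobs[n]["seq"], n))
        while ready:
            _, _, n = heappop(ready)
            if any(not done[d] for d in self.jobs[n]["deps"]):
                self.log.append((n, "SKIPPED: dependency failed"))
                done[n] = False
            else:
                ok = bool(execute(n))
                self.log.append((n, "OK" if ok else "FAILED"))
                done[n] = ok
            for m, deps in pending.items():
                if n in deps:
                    deps.discard(n)
                    if not deps:
                        heappush(ready, (self.jobs[m]["priority"], self.jobs[m]["seq"], m))
        for n in self.jobs:
            if n not in done:   # depends on a job not in the schedule, or part of a cycle
                self.log.append((n, "SKIPPED: unresolved dependency"))
        return self.log


def demo():
    """Constructed schedule: GL-POST fails, so GL-REPORTS must not run."""
    s = Scheduler()
    s.submit("NIGHTLY-BACKUP", "ops-console", priority=1)
    s.submit("GL-POST", "user-batch", deps=["NIGHTLY-BACKUP"], priority=3)
    s.submit("GL-REPORTS", "ops-console", deps=["GL-POST"], priority=3)
    s.submit("REORG", "ops-console", deps=["NIGHTLY-BACKUP"], priority=9)
    s.submit("PAYROLL", "user-batch")                         # source not authorized
    s.submit("GL-POST", "ops-console")                        # duplicate name
    s.submit("ARCHIVE", "ops-console", deps=["MONTH-END"])    # dependency not scheduled
    s.run(lambda name: name != "GL-POST")
    return s
```

The log produced by run() is the artefact the text says management should review: it shows not only what ran, but what was refused at submission and what was skipped because a predecessor failed, which is where an unauthorized or mis-sequenced production job would surface.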
Written Procedures
Procedures covering the tasks to be performed by the Technical support/help desk
personnel must be established in accordance with the overall strategies and policies.
The auditor should review problem logs or reports to confirm that problems occurring during
processing were addressed in a timely manner and that appropriate corrective action was taken,
and should examine specific problems encountered to ascertain the effectiveness of the problem
resolution process.
e. Controlling the installation of vendor and system software.
f. Maintaining documentation of vendor software, including new releases and problem
fixes, as well as documentation of in-house developed systems and utilities.
a. Ensure that the problem is recorded. The basic data are: problem number, date reported,
time reported, type of software, type of hardware, problem description and type, priority,
resolved by, escalated to vendor, date escalated to vendor, time escalated to vendor,
time resolved, date resolved, time closed and date closed. If the problem involves
hardware, the record should also include the serial number, hardware brand and model.
b. Ensure that the problem is escalated to authorised technical support.
c. Ensure that the solution to the problem is recorded.
d. Ensure that problems are evaluated and monitored periodically, considering the
statistics of the problems by software (type of software), hardware (type of hardware,
brand, model, serial number), problem type, duration and personnel.
e. The statistics are used to monitor the overall performance of the system.
Inadequate interaction of help desk activities with respect to other functions within the
information services function, as well as user organisations
Insufficient procedures and activities relating to problem reporting query receipt,
registration, logging, tracking, escalation, and resolution.
Deficient escalation process with respect to lack of managerial involvement or effective
corrective actions.
Inadequate timeliness of problem reporting or user dissatisfaction with problem
reporting process procedures.
Status code of problem resolution, i.e., problem open, problem closed pending some
future specified date, or problem unresolved in current environment; and
Narrative of the error resolution status.
For control purposes, the ability to add an entry to the error log should not be restricted.
The ability to update the error log should, however, be restricted to authorized
individuals only. Proper segregation of duties requires that the ability to close an error-log entry
be assigned to a different individual than the one responsible for maintaining or
initiating the error log entry (generally, IS management).
IS management should perform procedures to ensure that the problem management
mechanism is being properly maintained and that outstanding errors are being adequately
addressed and resolved.
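The problem (error) log controls set out above, unrestricted add, restricted update, a closer who differs from the reporter and from whoever maintained the entry, the record fields listed earlier in this section, and a management review of outstanding items, can be expressed directly. The following is an added example, not code from the original text; the status codes, the sets of authorized updaters and closers, the escalation threshold and the sample problems are assumptions made for illustration.

```python
"""Problem (error) log with the controls the text describes: anyone may add an
entry; only authorized individuals may update one; the person who closes an
entry must differ from the one who reported or maintained it; every accepted
action is journaled; and an outstanding-items summary for IS management review.

Added example, not from the original text. The status codes, roles, the
escalation rule and the sample problems are assumptions made for illustration.
"""
from datetime import datetime, timedelta

STATUSES = {"OPEN", "PENDING", "UNRESOLVED", "CLOSED"}
UPDATERS = {"helpdesk1", "helpdesk2", "is-mgr"}     # assumed: may update entries
CLOSERS = {"is-mg" + "r"}                           # assumed: may close entries (IS management)


class ProblemLog:
    def __init__(self):
        self.entries = {}
        self.journal = []     # (problem_no, actor, action, when), accepted actions only

    def add(self, problem_no, reporter, description, when, hw_serial=None):
        """Adding is unrestricted: any user may report a problem."""
        if problem_no in self.entries:
            raise ValueError("duplicate problem number")
        self.entries[problem_no] = {"reported_by": reporter, "reported_at": when,
                                    "description": description, "status": "OPEN",
                                    "hw_serial": hw_serial, "maintained_by": set(),
                                    "escalated_to_vendor": None, "closed_by": None}
        self.journal.append((problem_no, reporter, "ADD", when))

    def update(self, problem_no, actor, when, status=None, narrative=None,
               escalate_to_vendor=False):
        """Updating is restricted; closing is not an update (see close())."""
        e = self.entries.get(problem_no)
        if e is None or actor not in UPDATERS:
            return False
        if status is not None and (status not in STATUSES or status == "CLOSED"):
            return False
        if status is not None:
            e["status"] = status
        if narrative is not None:
            e["narrative"] = narrative
        if escalate_to_vendor:
            e["escalated_to_vendor"] = when
        e["maintained_by"].add(actor)
        self.journal.append((problem_no, actor, f"UPDATE:{status or 'NOTE'}", when))
        return True

    def close(self, problem_no, actor, when):
        """Segregation of duties: the closer must be authorized and must not be
        the reporter or anyone who maintained the entry."""
        e = self.entries.get(problem_no)
        if e is None or actor not in CLOSERS:
            return False
        if actor == e["reported_by"] or actor in e["maintained_by"]:
            return False
        e["status"] = "CLOSED"
        e["closed_by"] = actor
        e["closed_at"] = when
        self.journal.append((problem_no, actor, "CLOSE", when))
        return True

    def outstanding(self, as_of, escalate_after=timedelta(days=5)):
        """Open items for management review, flagging those past the threshold."""
        return [{"problem_no": n, "status": e["status"],
                 "age_days": (as_of - e["reported_at"]).days,
                 "escalate": as_of - e["reported_at"] >= escalate_after}
                for n, e in sorted(self.entries.items()) if e["status"] != "CLOSED"]


def demo():
    """Constructed scenario showing a refused update and a refused close."""
    t0 = datetime(2024, 5, 6, 8, 30)
    log = ProblemLog()
    log.add("P-0001", "clerk3", "batch GL-POST abends with S0C7", t0)
    log.add("P-0002", "op01", "tape drive read errors", t0 + timedelta(hours=2),
            hw_serial="TD-4471")
    log.update("P-0001", "helpdesk1", t0 + timedelta(hours=1), status="PENDING",
               narrative="awaiting vendor fix", escalate_to_vendor=True)
    log.update("P-0002", "clerk3", t0 + timedelta(hours=3), status="PENDING")  # refused
    log.update("P-0001", "is-mgr", t0 + timedelta(days=1), narrative="fix applied in test")
    closed_by_maintainer = log.close("P-0001", "is-mgr", t0 + timedelta(days=2))  # refused
    log.close("P-0002", "is-mgr", t0 + timedelta(days=1))
    return log, closed_by_maintainer, log.outstanding(as_of=t0 + timedelta(days=6))
```

The refused close in the demo is the point of the segregation rule: once IS management has worked an entry, the same person cannot also sign it off, so either another closer exists or the entry stays visible on the outstanding report until one does.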
Include IS processing and control requirements;
Include an overview of the capabilities of the software and control options; and
Meet the IS requirements
Subject matter experts, to provide assistance in defining operations requirements, and
IS management, whose responsibility it is to ensure the software will be consistent with
the goals and objectives established for the organisation.
Requirement definition
The system requirements define the business/functional specifications expected from
the proposed software. The requirements include manual and automated components.
The key deliverable is the system requirements definition. The following are tasks that
should be considered for requirement definition:
Establish the scope, objectives, background and project charter;
Establish business requirements;
Develop a conceptual model of the base computer environment that will support the
efficient application development and processing required to meet the business needs
and structure;
Develop security, control and performance (speed and cost) requirements;
Consolidate the definition of all requirements; and
Analyze and evaluate alternative solutions.
Software alternatives
Compatibility with existing in-house system software; such as operating system, data
base management system and communication software;
Financial stability of software suppliers; and
Technical expertise of software suppliers.
System software implementation controls include controls over the design of new
software, testing software, controls over placing the approved software into production,
and controls to ensure all impacted system and application software and data are
properly converted and verified prior to implementation.
Upon completing the system design and program development, the software should be
tested in three stages:
Program testing, to check the logic of individual programs;
System testing, which checks program logic to ensure consistency as the programs are
linked together and that they meet system requirements; and
Parallel testing of the new software simultaneously with the existing software. All test
results should be documented, reviewed and approved by technically qualified subject
area experts prior to production use.
Change control procedures are designed to ensure that IS management and personnel
are aware of and involved in the system software change process.
Various operating system software products provide parameters and options to change
system performance and activate features such as activity logging. Parameters are
important in determining how a system runs, physical configuration, and its interaction
with the workload. Some of the software control parameters deal with:
Data management
Resource management; and
Job management.
Parameter selections should be appropriate to the organisation's work load and control
environment structure. The most effective means of determining how controls are
functioning within an operating system is to review the software control features and/or
parameters.
Activity logging and reporting options
Computer processing activity can be logged for analysis of system functions. The
following are some of the analyses that can be performed on the activity log:
System log analysis for review and approval of:
Data file versions used for production processing;
Program accesses to sensitive data;
Program schedules/runs; and
Utilities or service aids usage.
Operating system analysis to ensure that the integrity of the operating system has not been
compromised by improper changes to system parameters and libraries.
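The following is an added example (not part of the original handbook) showing how the log analyses listed above can be run over an activity log. The log format, the approved-program list, the current file versions, the utility names and the job schedule are all constructed for the example; a real review would parse the installation's own log (for example SMF records on a mainframe, syslog, or a DBMS audit trail) and take the control data from its change and scheduling records.

```python
"""Added example: review of a system activity log for the checks the text lists
(file versions, sensitive-data access, schedule, utility usage, system-library
changes). Log format and control data are CONSTRUCTED for this example."""
from collections import namedtuple
from datetime import datetime

# Constructed sample log. Fields: timestamp, user, program, dataset, action.
SAMPLE_LOG = """\
2024-03-04T02:10:00 BATCH01 PAYROLL PROD.PAYROLL.MASTER.V07 READ
2024-03-04T02:10:05 BATCH01 PAYROLL PROD.PAYROLL.MASTER.V07 WRITE
2024-03-04T02:15:00 BATCH01 GLPOST PROD.PAYROLL.MASTER.V06 READ
2024-03-04T09:32:10 JSMITH DSUTIL PROD.PAYROLL.MASTER.V07 READ
2024-03-04T09:40:00 JSMITH SUPERZAP SYS1.PARMLIB WRITE
2024-03-04T23:59:00 BATCH02 PAYROLL PROD.PAYROLL.MASTER.V07 READ
"""

Entry = namedtuple("Entry", "ts user program dataset action")

# Control data an auditor would obtain from the installation (constructed).
SENSITIVE_DATASETS = {"PROD.PAYROLL.MASTER"}                   # version suffix stripped
APPROVED_PROGRAMS = {"PROD.PAYROLL.MASTER": {"PAYROLL", "GLPOST"}}
CURRENT_VERSION = {"PROD.PAYROLL.MASTER": "V07"}               # version in production
UTILITIES = {"DSUTIL", "SUPERZAP"}                             # utilities / service aids
SYSTEM_LIBRARIES = {"SYS1.PARMLIB"}                            # operating-system libraries
SCHEDULE = {"PAYROLL": (2, 4)}                                 # job -> permitted hours [start, end)


def parse_log(text):
    """Parse the constructed log format into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, program, dataset, action = line.split()
        entries.append(Entry(datetime.fromisoformat(ts), user, program, dataset, action))
    return entries


def split_version(dataset):
    """'PROD.PAYROLL.MASTER.V07' -> ('PROD.PAYROLL.MASTER', 'V07'); unversioned -> (name, None)."""
    base, _, last = dataset.rpartition(".")
    if last.startswith("V") and last[1:].isdigit():
        return base, last
    return dataset, None


def analyse(entries):
    """Return a list of (finding, program, detail) tuples for the reviewer."""
    findings = []
    for e in entries:
        base, version = split_version(e.dataset)
        # Data file versions used for production processing
        if base in CURRENT_VERSION and version != CURRENT_VERSION[base]:
            findings.append(("stale-version", e.program, e.dataset))
        # Program accesses to sensitive data by programs not approved for it
        if base in SENSITIVE_DATASETS and e.program not in APPROVED_PROGRAMS.get(base, set()):
            findings.append(("unapproved-access", e.program, e.dataset))
        # Program schedule/run outside its window
        if e.program in SCHEDULE:
            start, end = SCHEDULE[e.program]
            if not start <= e.ts.hour < end:
                findings.append(("off-schedule", e.program, e.ts.isoformat()))
        # Utilities or service aids usage
        if e.program in UTILITIES:
            findings.append(("utility-usage", e.program, f"{e.user} {e.action} {e.dataset}"))
        # Operating system analysis: writes to system libraries
        if e.dataset in SYSTEM_LIBRARIES and e.action == "WRITE":
            findings.append(("system-library-change", e.program, e.dataset))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(finding)
```

Every finding is a lead for the reviewer, not a conclusion: the stale-version and off-schedule cases may have been authorised through change control, which is exactly the documentation the next items ask for.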
System, operations and program documentation are complete, up-to-date, and in
compliance with the established standards;
Job preparation, scheduling, backup procedure and operating instructions have been
established;
System and program test results have been reviewed and approved by user and project
management;
Data file conversion, if necessary, has occurred accurately and completely as evidenced
by review and approval by user management;
System conversion has occurred accurately and completely as evidenced by review and
approval by user management; and
All aspects of jobs turned over have been tested, reviewed and approved by control/operations personnel.
Determine if the individual responsible for scheduling was advised in a timely manner
regarding changes to the hardware configuration;
Verify that IS Management has developed and enforced change schedules that allow
time for adequate installation and testing of new hardware;
Verify that the operator documentation used in IS is revised appropriately prior to
implementation of changes in hardware;
Select a sample of hardware changes that have affected the scheduling of IS processing
and determine if the plans for changes are being addressed in a timely manner;
Ascertain that all hardware changes have been communicated to the system
programmers, application programmers and the IS staff to ensure that changes and
tests are coordinated properly; and
Evaluate the effectiveness of changes to ensure that they do not interfere with normal
application production processing.
Review change management controls for the following:
Review system documentation specifically in the areas of:
Installation control statement;
Parameter tables;
Exit definitions; and
Activity logs/reports
Review the installation of changed system software controls to determine the following:
The schedule for system software changes considers the least impact to IS processing;
A written plan was established for testing changes to system software;
Tests are being completed as planned;
Controls over the off-line/physical library facilities are important to ensure the
uninterrupted operation of the business in the event of a disaster and to optimize IS
resource utilization. Unauthorized changes to this information could result in lost data,
unauthorized changes to data, and an impaired ability of IS to provide continuous
computing services. Controls over the off-line library include:
Securing physical access to library contents;
Verifying that the library is constructed to withstand fire/heat (minimum 2 hours);
Verifying that the library is separated from the computer room;
Ensuring that only authorized personnel can have access to the library and the off-line
media;
Ensuring that a perpetual inventory of all tapes and files stored in the library is
maintained;
Ensuring that a record of all tapes and files moved into and out of the library is
maintained in the tape management system; and
Ensuring that a record of information regarding the contents, versions and location of
data files is maintained.
Whether it will ensure continuous review of hardware and system software performance
and capacity; and
Whether the criteria used in the IS management's hardware performance monitoring
plan are based on historical data obtained from the IS trouble logs, processing
schedules, job accounting system reports, preventive maintenance schedules and
reports.
Review the feasibility study and selection process to determine the following:
The proposed system objectives and purposes are consistent with the request/proposal;
and
The same selection criteria are applied to all proposals.
Review the cost/benefit analysis of system software procedures to determine that it has
addressed the following areas:
The direct financial costs associated with the product;
The cost of the product maintenance;
The hardware requirements and capacity of the product;
Training and technical support requirements;
The impact of the product on processing reliability;
The impact on data security; and
The financial stability of the vendor's operations.
Problems encountered during testing were resolved and changes were retested;
Test procedures are adequate to provide reasonable assurance that problems with
changes to system software will be identified before they are placed into the production
environment; and
The schedule for system software changes considers the least impact to IS processing.
Authorization procedures;
Access security features;
Documentation requirements;
Documentation of system testing;
Audit trails; and
Access controls over the software in production.
IS is a service organisation for end users. As such, the success of IS depends
upon satisfying end user processing and service requirements. These
services include accuracy, completeness, timeliness and proper distribution of output
related to application processing. Many tools are available to monitor the efficiency and
effectiveness of the services provided by IS personnel. The following should be in place:
Time frames and level of service are defined for all services provided by the
information services function.
Time frames and service levels reflect user requirements
Time frames and service levels are consistent with the performance the equipment
can actually deliver.
An availability plan exists, is current, and reflects user requirements.
Ongoing performance monitoring of all equipment and capacity is occurring,
reported upon, lack of performance addressed by management, and
performance improvement opportunities are formally addressed.
Optimal configuration performance is being monitored by modelling tools to
maximise performance while minimizing capacity to required levels.
Both users and operational performance groups are proactively reviewing
capacity and performance and workload schedule modifications are occurring.
Workload forecasting includes input from users on changing demands, and from
suppliers on new technology or current product enhancements.
Policy Statement:
this effort. The Business Continuity Policies established by management determine the
extent of protection required for implementation, i.e. they limit the scope of responsibilities.
Ownership
The formulation of all policies and standards is performed by the corporate planning
division; participation is requested from, and given by, the other units of the company.
Authority
Administration
The corporate Business Continuity Unit Manager shall serve as the nominated
representative, acting on behalf of the BOD as the division's representative at all
corporate BCP committee meetings and task forces.
A comprehensive disaster recovery/contingency plan should include:
- Backup policies, including the location of all backup tapes/disks. Backup copies should
be kept in a secure, off-site location.
- Documentation in the plan regarding testing procedures. The plan should be tested
and evaluated periodically and updates to the plan should be made to reflect significant
test results.
- Procedures to update the plan when there are changes in key personnel, hardware,
critical operations, etc.
Chapter 6. System maintenance
Abstract
Databases, System software, Text Editors, Debuggers and development aids, Program
library managers, Linkage editors and loaders, Security systems, Access Control Software
and Computer Contract
These utilities reduce the effort needed to understand what is being processed in the CPU and to
react to errors or to situations that slow the performance of productive work. Computers with
more sophisticated system software, and with multiple applications and users processing
concurrently, require these types of aids in order to obtain the information needed to
run a computer system efficiently. An auditor should be alert to the presence or absence
of these types of system software product, and to which indicators are monitored, as
an indication of the attention given to efficient operations.
1. Databases
A database is an integrated file containing multiple record types or segments that may be accessed in a
non-sequential manner.
These systems facilitate locating and accessing data. Catalogue and index techniques are
used to store and locate data. The systems vary in the amount of application processing
needed, and in the storage information provided, in order to store and retrieve the specific data
used and needed by a process or user. The catalogue or index structures used can
significantly affect the amount of computer time and space needed. Auditors are expected
to understand how data is structured in these systems and to assess the protection mechanisms
employed, whether through the DBMS or through security software.
It is critical to maintain data base integrity. The following are some of the controls to
ensure data base integrity:
Definition standards established and closely monitored for compliance;
Data backup and recovery procedures established and implemented to ensure database
availability;
Various levels of access controls for data items and files established to prevent
inadvertent or unauthorized access.
Controls established to ensure only authorized personnel can update the database.
Controls established to handle concurrent access problems, i.e. multiple users wanting to
update the same data elements at the same time;
Controls established to ensure the accuracy, completeness and consistency of data
elements and relationships in the database;
Database checkpoints used to restart processing after a system failure at points in the job
stream that minimize data loss and recovery efforts;
Database compression techniques used to reduce unused space in the data base resulting
from record deletions;
Database reorganization performed to reduce unused disk space and verify defined data
relationships;
Database restructuring procedures followed when making the data base logical, physical
and procedural changes.
Data base performance monitoring tools used to monitor and maintain the data base
efficiency (available storage space, buffer size, CPU usage, and disk storage configuration
and deadlock conditions) and minimize the temptation to use non-system means, i.e.,
those outside security control, to access the data base.
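The concurrent-access control listed above is easiest to understand from the failure it prevents, the lost update. The following added example (not from the original handbook) reproduces a lost update and then shows an optimistic concurrency control, a version column checked on every write, that detects it. It uses Python's standard sqlite3 module with an in-memory database; the table, balances and the two "users" are constructed, and one connection issues both users' statements in sequence, which is enough to show the interleaving. The pessimistic alternative, DBMS row locks held from read to write, is not shown.

```python
"""Added example: the lost-update problem and an optimistic concurrency
control (version column) that detects it. Schema and data are CONSTRUCTED."""
import sqlite3


def setup():
    """In-memory database with one account row; version starts at 0."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, "
                "balance INTEGER NOT NULL, version INTEGER NOT NULL DEFAULT 0)")
    con.execute("INSERT INTO account VALUES (1, 100, 0)")
    con.commit()
    return con


def read(con, acct):
    """Return (balance, version) as the user saw them when the transaction began."""
    return con.execute("SELECT balance, version FROM account WHERE id=?", (acct,)).fetchone()


def unsafe_update(con, acct, new_balance):
    """Blind write: the last committer wins and the other user's change is silently lost."""
    con.execute("UPDATE account SET balance=? WHERE id=?", (new_balance, acct))
    con.commit()


def checked_update(con, acct, new_balance, expected_version):
    """Optimistic concurrency control: the write only succeeds if the row still has the
    version the caller read. On conflict the caller must re-read and recompute."""
    cur = con.execute(
        "UPDATE account SET balance=?, version=version+1 WHERE id=? AND version=?",
        (new_balance, acct, expected_version))
    con.commit()
    return cur.rowcount == 1          # 0 rows updated means somebody else got there first


def lost_update_demo():
    """Two users read 100; A deposits 50, B withdraws 30 from its stale copy."""
    con = setup()
    bal_a, _ = read(con, 1)
    bal_b, _ = read(con, 1)
    unsafe_update(con, 1, bal_a + 50)   # balance 150
    unsafe_update(con, 1, bal_b - 30)   # balance 70: A's deposit is gone
    return read(con, 1)[0]              # 70, should have been 120


def checked_demo():
    """Same interleaving with version checking; B's first attempt is rejected and retried."""
    con = setup()
    bal_a, ver_a = read(con, 1)
    bal_b, ver_b = read(con, 1)
    ok_a = checked_update(con, 1, bal_a + 50, ver_a)     # True, version becomes 1
    ok_b = checked_update(con, 1, bal_b - 30, ver_b)     # False, version is no longer 0
    if not ok_b:
        bal_b, ver_b = read(con, 1)                      # re-read fresh data (150, 1)
        ok_b = checked_update(con, 1, bal_b - 30, ver_b)  # True, balance 120, version 2
    return ok_a, ok_b, read(con, 1)


if __name__ == "__main__":
    print("unsafe final balance:", lost_update_demo())
    print("checked result:", checked_demo())
```

The audit point is that the control must sit in the DBMS or in a shared access layer that every program uses: an application that bypasses it with a plain UPDATE reintroduces the lost update, which is one reason the text warns against non-system means of reaching the database.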
Review database-supported information systems controls to determine the following:
Controls over access to shared data;
Controls over data organisation;
Adequate change control procedures are utilized to ensure the integrity of the data base
management software;
Integrity of the data base management system's data dictionary is maintained;
Data redundancy is minimized by the data base management system, where redundant
data exists, appropriate cross-referencing is maintained within the system's data
dictionary or other documentation; and
To whom access to specific data within a particular data base is provided.
Evaluate data base structure alternatives;
Assess data base security;
Validate the DBA's documentation; and
Determine whether the organisation's standards have been followed.
Evaluate the access controls over critical data files/bases and programs; and
Security facilities that are active in communications systems, DBMSs and applications.
2. System software
In addition to the basic operating system there are a number of types of specialized
software that assist in operating the computer and developing application systems. Some
of these tools include:
Assemblers, compilers and interpreters
These system utilities convert program statements into machine instructions which the
CPU executes. Assemblers and compilers produce machine instructions which can be
saved and rerun without reference to the program statements. This improves
efficiency and integrity but blurs the audit trail back to the program statements. Interpreters
convert program statements to machine instructions each time the program is run.
3. Text Editors
These editors assist in manipulating program, documentation and report text files. These
editors can include capabilities to format, perform repetitive operations e.g., search and
replace, and highlight potential text errors, e.g., check spelling or omitted key words,
which improves productivity and consistency.
4. Debuggers and development aids
Utility software able to trap error messages, display program values during execution
or validate processing results is useful in developing application systems that are reliable.
7. Security systems
Computing technology has made it possible for computer systems to store and contain
large quantities of valuable data, increase the capability of sharing resources, allow a
single computer to simulate the operations of several computers (virtual system), and
permit many users to access through terminals and communications lines.
While today's systems are easier to use and administer, many businesses have
experienced losses resulting from unauthorized access to corporate data and from error. This
may be because many security administrators and managers are not aware of the
security holes that may exist even with full implementation of a highly
sophisticated access control software package. While access control software can
interface with the operating system, application software, data and system software, this
interface does not happen automatically. Nor is there any assurance that, once the
interface is established, adequate security controls are established and maintained.
Fortunately, access control to today's computer systems is a growing concern
to management. Access control software is designed to prevent unauthorized access to
data, unauthorized use of system functions and programs, and unauthorized updates/changes to data,
and to detect or prevent unauthorized attempts to access computer resources. Access control
software interfaces with the operating system and acts as the central control point for all security
decisions. The access control software functions under the operating system and
provides the capability to restrict access to the data processing resources required for both
on-line and batch transaction processing.
Access control software usually can provide access controls at the following levels:
User sign-on at the network and subsystem levels;
User authorization at the application and transaction level;
User authorization within the application;
User authorization at the field level; and
Subsystem authorization at the file level.
Authorization is the most important component of access control software. The following
are some of the authorization controls:
Logonids and user authentications;
Specific terminals authorized for specific logonids;
Access based on predetermined times;
Specific tasks initiated from a predefined authorized library and calling program;
Rules for access;
Individual accountability and auditability;
Installation defined options;
User profiles;
Data file and data base profiles;
Logging events;
Logging user activities;
Logging data base/ data communications access activities for monitoring access
violations; and
Reporting capabilities.
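The following is an added example (not from the original handbook, and not modelled on any particular product) of how an access control package evaluates one request against several of the authorization controls listed above: the logonid, the terminals authorized for it, its permitted times, the access rules, and logging of every decision so that violations can be reported. The profiles, terminal names, hours and rules are constructed, and prefix matching on resource names is an assumption made for the example.

```python
"""Added example: a minimal access-control decision routine with terminal,
time-of-day and rule checks, deny-by-default, and a decision log.
All profiles and rules are CONSTRUCTED for illustration."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UserProfile:
    logonid: str
    terminals: set              # terminals this logonid may sign on from
    hours: tuple                # (start_hour, end_hour): permitted window, 24h clock
    groups: set = field(default_factory=set)


# Access rules: group or logonid -> list of (resource prefix, permitted access levels).
RULES = {
    "PAYROLL-CLERKS": [("PROD.PAYROLL.", {"READ"})],
    "PAYROLL-ADMIN":  [("PROD.PAYROLL.", {"READ", "UPDATE"})],
    "SYSPROG":        [("SYS1.", {"READ", "UPDATE"})],
}
PROFILES = {
    "JSMITH": UserProfile("JSMITH", {"T101", "T102"}, (8, 18), {"PAYROLL-CLERKS"}),
    "MJONES": UserProfile("MJONES", {"T200"}, (7, 20), {"PAYROLL-ADMIN"}),
    "OPS1":   UserProfile("OPS1", {"CONSOLE"}, (0, 24), {"SYSPROG"}),
}


class AccessControl:
    """Central point for all access decisions; every decision is logged."""

    def __init__(self, profiles=PROFILES, rules=RULES):
        self.profiles = profiles
        self.rules = rules
        self.log = []               # individual accountability and auditability

    def _decide(self, req, decision, reason):
        self.log.append(dict(req, decision=decision, reason=reason))
        return decision == "PERMIT"

    def check(self, logonid, terminal, resource, access, when):
        req = {"logonid": logonid, "terminal": terminal, "resource": resource,
               "access": access, "at": when.isoformat()}
        profile = self.profiles.get(logonid)
        if profile is None:
            return self._decide(req, "DENY", "unknown logonid")
        if terminal not in profile.terminals:              # specific terminals per logonid
            return self._decide(req, "DENY", "terminal not authorized for this logonid")
        start, end = profile.hours                          # access at predetermined times
        if not start <= when.hour < end:
            return self._decide(req, "DENY", "outside permitted hours")
        for subject in profile.groups | {logonid}:          # rules for access
            for prefix, levels in self.rules.get(subject, []):
                if resource.startswith(prefix) and access in levels:
                    return self._decide(req, "PERMIT", f"rule {subject}:{prefix}")
        return self._decide(req, "DENY", "no rule grants this access")   # deny by default

    def violations(self):
        """Access-violation report for monitoring."""
        return [e for e in self.log if e["decision"] == "DENY"]


def demo():
    """Run a fixed set of requests; returns (decisions, violation log entries)."""
    ac = AccessControl()
    t = datetime(2024, 3, 4, 10, 0)
    results = [
        ac.check("JSMITH", "T101", "PROD.PAYROLL.MASTER", "READ", t),      # True
        ac.check("JSMITH", "T101", "PROD.PAYROLL.MASTER", "UPDATE", t),    # False: clerks read only
        ac.check("JSMITH", "T999", "PROD.PAYROLL.MASTER", "READ", t),      # False: wrong terminal
        ac.check("JSMITH", "T101", "PROD.PAYROLL.MASTER", "READ",
                 datetime(2024, 3, 4, 22, 0)),                              # False: after hours
        ac.check("MJONES", "T200", "PROD.PAYROLL.MASTER", "UPDATE", t),    # True
        ac.check("GHOST", "T101", "PROD.PAYROLL.MASTER", "READ", t),       # False: unknown logonid
        ac.check("OPS1", "CONSOLE", "SYS1.PARMLIB", "UPDATE",
                 datetime(2024, 3, 4, 3, 0)),                               # True
    ]
    return results, ac.violations()


if __name__ == "__main__":
    decisions, violations = demo()
    print(decisions)
    for v in violations:
        print(v)
```

Two design points carry over to any real package: the decision is taken in one place that every access path goes through, and the final branch denies anything no rule explicitly permits.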
Access control software generally processes access requests in the following way:
Users must identify themselves to the access control software, for example by name and account
number.
Users must authenticate themselves to the software. Authentication is a two-step process:
the software first verifies that the claimed identity is valid, and then verifies information
previously registered for that user. For example, users may provide the following:
Remembered information such as name, account number and password;
Possessed objects such as a badge, plastic card or key; and
Personal characteristics such as a fingerprint, voice or signature.
The access control software interfaces with the tape/disk management system, job
scheduling system, application programs and data files, operating system authorized
libraries, system catalogs, system exits, system datasets, system logs, data bases and on
line telecommunications systems.
Effective password controls and considerations
Passwords:
1. should be easy to remember;
2. should be difficult to guess;
3. should not be of a fixed length but rather at least five (5) characters long;
4. should not be displayed when input;
5. should be changed periodically by the user;
6. should be subject to forced change by the system administrator;
7. should not be dictionary words, either forwards or backwards;
8. should be made up of letters, numbers and special characters;
9. should have a complexity commensurate with the sensitivity of the data at risk;
10. should not be shared with anyone or used as a "generic" password for a group of users;
11. should not be posted or written down in an unsecured location, e.g. in desk drawers or on the monitor;
12. should be changed immediately if compromise is suspected;
13. should not be known by a supervisor or other staff;
14. should not be the same as the userID; and
15. should not be the names of pets or children, phone numbers, or street addresses.
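Rules 1, 10, 11 and 13 are behavioural and can only be covered by policy and awareness, but rules 2, 3, 7, 8, 14 and 15 can be enforced at the point where a password is chosen, and rules 5 and 6 by an age check at sign-on. The following added example (not from the original handbook) implements those checks. The word list and the personal data are constructed; a real deployment uses a full dictionary and the user's actual account data. The five-character minimum is the document's figure, so it is a parameter; current guidance such as NIST SP 800-63B requires at least eight characters for user-chosen passwords.

```python
"""Added example: mechanical enforcement of the password rules above.
Word list and personal data are CONSTRUCTED for the example."""
import re
import string
from datetime import date, timedelta

DICTIONARY = {"password", "secret", "welcome", "letmein", "summer"}   # constructed word list


def check_password(password, userid, personal_info=(), min_length=5, dictionary=DICTIONARY):
    """Return the list of rules the candidate password breaks; [] means acceptable."""
    problems = []
    lower = password.lower()
    if len(password) < min_length:                                   # rule 3
        problems.append("too short")
    if lower in dictionary or lower[::-1] in dictionary:             # rule 7: forwards or backwards
        problems.append("dictionary word (forwards or backwards)")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):                # rule 8
        problems.append("must mix letters, numbers and special characters")
    if lower == userid.lower():                                      # rule 14
        problems.append("same as userID")
    pw_digits = re.sub(r"\D", "", password)
    for item in personal_info:                                       # rule 15
        item_digits = re.sub(r"\D", "", item)
        if item.lower() in lower:                                    # names, street names
            problems.append(f"contains personal information ({item})")
        elif len(item_digits) >= 4 and item_digits in pw_digits:     # phone/street numbers, punctuation ignored
            problems.append(f"contains personal information ({item})")
    return problems


def change_required(last_changed_iso, today_iso, max_age_days=90):
    """Rules 5 and 6: the system forces a change once the password is older than max_age_days."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    print(check_password("drowssap", "jsmith"))
    print(check_password("Rex2019!", "jsmith", personal_info=("Rex", "555-0199")))
    print(change_required("2024-01-01", "2024-04-15"))
```

The checker deliberately returns every broken rule rather than stopping at the first, so the user gets one complete message and the administrator's log shows which rules are failing most often.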
9. Computer Contract
- If so, on what terms?
. Operation manuals
- Are they incorporated?
- How many copies?
- Is their adequacy warranted?
- Will updates be supplied and, if so, on what terms?
. Price
- Is the price inclusive of taxes?
- Can the price be varied and, if so, in what circumstances and on what terms?
- Is the exchange rate specified?
- Is there a right of repossession or some other right in the event of non-payment?
. Site preparation
- Are site specifications to be provided by the supplier?
- What are the customer's responsibilities?
- Is the site to be inspected by the supplier before delivery?
- What are the consequences of inadequate site preparation?
. Pre-delivery testing
- Is it a requirement?
- What are the test specifications?
- May the customer observe the testing being carried out?
- Can the customer request additional testing?
. Delivery
- Is a date or a period specified?
- Is a day or a longer period specified?
- What are the consequences of late delivery?
- What are the consequences of an inability or refusal to accept delivery?
- Can the customer postpone delivery?
- What happens to packing materials?
. Title
- At what point is it agreed that title will pass?
. Risk
- At what point is it agreed that risk passes to the customer?
- Are the parties' insurance obligations spelt out?
. Warranties
- Are there any express warranties?
- Are materials and workmanship warranted?
- Are any components to be exempted from warranty protection?
- Is there a warranty replacement period?
- Is there a warranted service response time?
- Is there an offer of backup equipment?
- Who has title in replacement parts?
- Are there warranted performance criteria?
Software licenses
- Have maintenance arrangements been considered?
. Delivery
- Is the supplier obliged to deliver?
- Is there a specified delivery date?
- Can delivery be effected by electronic mail?
. Installation
- Is the supplier obliged to install?
- Is the customer required to assist in the installation process?
. Acceptance tests
- What are the test specifications?
- To what extent is the customer personally involved?
- What are the consequences of failure to satisfy the specifications?
- At what point is the program deemed accepted?
. Copying
- For what purposes may the customer copy the programs?
. Modifications
- Does the customer have the right to modify the program?
- If so, what are the customer's obligations to the supplier?
. Reverse engineering
- Is reverse engineering expressly prohibited?
. Replacement
- Does the supplier have the right to replace the program with an alternative program during the term of the agreement?
- If so, what are the supplier's obligations and the customer's rights?
. Training
- Is the supplier to provide training and, if so, on what terms?
. Refundable trial period
- May the customer return the program if it proves unsuitable for its intended purposes during a specified period after acceptance?
. Security
- What are the customer's obligations?
. Time
- Is the time of delivery of the essence?
- Is the time of installation of the essence?
- Is the time of payment of the essence?
. Risk
- At what point does the risk of loss of or damage to the program pass to the customer?
. Warranties
- Are any warranties offered?
- Are there warranted performance criteria?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?
These agreements cover the provision of services relating to the maintenance and
support of hardware and software.
. Equipment
- Is the equipment adequately specified?
- Do maintenance obligations cease on substitution or relocation of equipment?
- Are maintenance charges affected by such substitution or relocation?
. Duration
- What is the commencement date?
- Does the maintenance period follow on from the equipment warranty period?
- What circumstances will cause the agreement to be terminated?
- Is notice necessary before termination?
. Preventive maintenance
- Is it defined?
- During what hours and on what days will it take place?
- Does the customer have a right to reschedule?
. Remedial maintenance
- Is it defined?
- Is it limited to on-site services?
- Is there a warranted service response time?
- Is there a time limit for requesting remedial maintenance?
. Emergency remedial maintenance
- Is it defined?
- Is there a warranted service response time?
. Charges
- Are the charges or rates for each type of maintenance specified?
- In what circumstances may the supplier make an additional charge?
- Is there a remote location charge?
- Under what circumstances may charges be increased?
- To what extent may charges be increased?
- Are charges inclusive of taxes?
- Are charges inclusive of spare parts costs?
. Exclusions
- Under what circumstances are the supplier's obligations excluded?
. Replacement and spare parts
- Who has title in replacement parts?
- Who has title in replaced parts?
- Are replacement parts warranted?
- Is storage or pre-purchase by the customer required?
- Is there a guarantee of supply by the supplier?
. Access
- What are the customer's obligations?
- Is a vehicle parking area required?
- What working facilities are required?
. Maintenance equipment
- Is storage required?
. Customer records
- Is the customer required to keep records of equipment performance?
. Warranties
- Are warranties specifically offered by the supplier?
- Is the customer adequately protected in any event by the general provisions of the agreement?
SOFTWARE DEVELOPMENT
- Is a final delivery date specified?
- What are the consequences of a failure to deliver on time?
. Installation
- Are the supplier's obligations defined?
. Acceptance testing
- Is acceptance testing defined?
- What specifications are to be used?
- At what point is the software deemed accepted?
. Title
- Is title to pass to the customer?
- If so, at what point?
- If title is to be retained by the supplier, have the terms of a licence been agreed upon?
. Security
- What are the obligations of each party in relation to the security of information and materials
belonging to the other?
. Supplier's personnel
- Have the individual personnel been identified?
- Is there a limitation on the number of persons involved in the project?
- Does the customer have the right to veto the involvement of particular persons?
. Use of customer's resources
- Has agreement been reached on the extent to which, and the terms on which, the supplier
may use the customer's facilities during the project?
. Maintenance
- Has consideration been given to the future of the product?
. Warranties
- Are any warranties offered by the supplier?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?
UMBRELLA AND TURNKEY AGREEMENT
Equipment
. Specifications
- Is there a right of substitution or modification?
- If so, on what terms?
. Operation manuals
- Are they incorporated?
- How many copies?
- Is their adequacy warranted?
- Will updates be supplied and, if so, on what terms?
. Site preparation
- Are site specifications to be provided by the supplier?
- What are the customer's responsibilities?
- Is the site to be inspected by the supplier before delivery?
- What are the consequences of inadequate site preparation?
. Pre-delivery testing
- Is it a requirement?
- What are the test specifications?
- May the customer observe the testing being carried out?
- Can the customer request additional testing?
. Delivery
- Is a date or a period specified?
- Is a day or a longer period specified?
- What are the consequences of late delivery?
- What are the consequences of an inability or refusal to accept delivery?
- Can the customer postpone delivery?
- What happens to packing materials?
. Installation
- Is a date or period specified?
- What are the consequences of late installation?
- Can the customer postpone installation?
- Is the customer obliged to assist and, if so, to what extent?
- What are the rights of the supplier if unexpected difficulties are encountered during
installation?
. Equipment acceptance testing
- Is it required?
- What are the test specifications?
- What are the consequences of failure to satisfy the test specifications?
- At what point is the equipment deemed accepted?
. Title
- At what point is it agreed that title will pass?
. Risk
- At what point is it agreed that risk passes to the customer?
- Are the parties' insurance obligations spelt out?
. Warranties
- Are there any express warranties?
- Are materials and workmanship warranted?
- Are any components to be exempted from warranty protection?
- Are installation services warranted?
- Is there a warranty replacement period?
- Is there a specified warranty service response time?
- Is there an offer of backup equipment?
- Who has title in replacement parts?
- Are there warranted performance criteria?
- When does the warranty period commence?
Hardware maintenance
. Maintenance services
- Are the types of maintenance service defined?
- Does the maintenance period follow on from the equipment warranty period?
- What circumstances will cause the agreement to be terminated?
- Is notice necessary before termination?
. Preventive maintenance
- Is it defined?
- During what hours and on what days will it take place?
- Does the customer have a right to reschedule?
. Remedial maintenance
- Is it limited to on-site services?
- Is there a warranted service response time?
- Is there a time limit for requesting remedial maintenance?
. Exclusions
- Under what circumstances are the supplier's obligations excluded?
SOFTWARE
. Duration
- When does the licence commence?
- Is the licence of limited duration?
- Is third party software involved and, if so, on what terms?
. Documentation
- Is the associated documentation adequately defined?
- On what terms is it supplied?
- Is there a right to copy?
- Are the contents warranted?
- Is there an ongoing obligation to supply amended documentation?
. Licence
- Does the supplier have adequate authority to grant the licence?
- Is the licence non-transferable?
- Is the licence non-exclusive?
- Can the program be used on any equipment?
- What are the restrictions on copying, alteration or modification?
- Have maintenance arrangements been considered?
. Delivery
- Is there a specified delivery date?
. Installation
- Is the supplier obliged to install?
. Acceptance tests
- What are the test specifications?
- To what extent is the customer personally involved?
- What are the consequences of failure to satisfy the specifications?
- At what point is the software deemed accepted?
. Copying
- For what purposes may the customer copy the software?
. Modifications
- Does the customer have the right to modify the software?
- If so, what are the customer's obligations to the supplier?
. Reverse engineering
- Is reverse engineering expressly prohibited?
. New releases
- On what terms are new releases supplied?
. Security
- Who is responsible, and what is the extent of the obligations?
. Risk
- At what point does the risk of loss of or damage to the software pass to the customer?
. Warranties
- Are any warranties offered?
- Are there warranted performance criteria?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?
- Is there a specified warranty service response time?
Software Support
. Support service
- Are the support services defined?
- Do they overlap with the parties' obligations under the licence provisions?
- Do the supplier's obligations extend beyond error correction?
- Specifically, do the supplier's obligations include telephone support, training and the
provision of new releases and upgrades?
. Duration
- When do the support obligations commence?
- Can support be withdrawn or terminated during the currency of the installation?
. Support availability
- Is support only available during certain hours or on certain days?
- Is there a warranted service response time?
- In what circumstances may an additional charge be made?
- Is the customer required to provide information regarding errors?
. Exclusions
- Under what circumstances is the supplier not required to provide support?
. Access
- What are the customer's obligations?
. System testing
- Are the system test specifications defined?
- To what extent is the customer involved in the test procedure?
- What are the consequences of failure to satisfy the test criteria?
- At what point is the system deemed accepted?
. System warranties
- Is the system warranted independently of its components?
- Is there a specified warranty period for the system?
- What are the consequences of failure of the system as a whole?
GENERAL
. Training
- Is the supplier obliged to train the customer in the use of the system?
. Third party obligations
- Is there a responsibility on the customer to execute relevant third party agreements?
- Is the supplier required to indemnify the customer in relation to breaches by a third party?
. Time
- Is the time of delivery and installation of the system of the essence?
. Termination
- Does either party have the right to terminate individual aspects of the agreement without
terminating the agreement as a whole?
- What are the consequences in the event of a breach of a third party's obligation?
SOURCE CODE DEPOSIT AGREEMENT
Escrow Custodian
The third party agrees to hold the source code as escrow custodian.
. Term
- When does the agreement commence?
- Is there a specified period?
- In what circumstances will the agreement be terminated?
. Deposit of source code
- Has the manner of storage been specified?
- Is the escrow agent obliged to accept further deposits of updated code during the term of the agreement?
- Is the escrow agent required to maintain a register of source code held?
- Is the supplier required to keep the source code current?
- Are verification rights and procedures prescribed?
- What formalities must be complied with by the customer?
- What are the supplier's rights of objection?
- How is a dispute regarding release of source code to be resolved?
- Are the customer's rights in relation to the released source code defined?
. Escrow fees and charges
- Is a lump sum or a periodic fee involved?
- Who is responsible for paying the fees?
- What are the escrow agent's rights to increase its fees?
- Which party is responsible for payment of taxes and charges?
- What are the consequences of late payment or non-payment?
. Escrow Agent's further obligations
- Does the agreement specify the escrow agent's obligations regarding security of the source code?
- To what extent may the escrow agent accept the validity of notices or directions given by either of the other parties?
Chapter 7. Local Area Network and Wide Area Network.
Abstract
Management policies, logical security, physical and environment, network support and management, and network change control.
These systems provide and manage the flow of data outside the computer system. The flow can be between computers, or between terminals and a computer. The critical parts of managing the flow are ensuring the integrity (accuracy, completeness and, if necessary, privacy) of data from origin to destination, proper routing of data from sender to correct recipient, and identifying and isolating conditions that do or could disrupt the flow of data, e.g. poor or broken transmission paths. The auditor is concerned with if and how these are accomplished, as well as with what the end points, i.e., terminals, on the data communications network are.
- Policy statements have been issued to prescribe the procedures to be followed in the selection, acquisition and installation of a LAN.
- Senior management has issued written policy statements describing the network architectures that will be supported.
- Senior management has issued a written policy statement outlining the guidelines for the design and cost benefit analysis of a proposed local area network installation.
- Senior management has issued a written policy statement outlining the guidelines to be followed in the installation of a LAN.
- These policy statements have been distributed to the appropriate levels of management within the company.
- The documentation prescribes the use of a standard form for documenting requests for the addition, change or deletion of LAN access capabilities.
- The form, printed or computer-generated, consists of data to be filled in by the requester and approved by the requester's supervisor or head of department.
- The basic data are: requester name/signature, requester department, telephone number/extension, head of department name/signature, system required (such as e-mail or an application system), and access level such as add data, inquiry, browse, delete and print report.
- For an application system the module access should be defined, such as update Accounts Payable and inquiry General Ledger in the Accounting System. The access should be relevant to the user's job function, on a need-to-know basis.
- An adequate security management process has been established to support changes to LAN user access profiles. Changes to a LAN user profile should be authorised by the supervisor and reviewed periodically through a printed listing of user profile changes. Basically, a user profile change record consists of the previous user name, previous application, previous module, previous access level, changed by, date of change, time of change, new module and new access level.
- An access profile matrix can be reviewed to ensure that the access privileges granted have been based on the LAN user's need to know. Obtain the list of LAN user profiles and check it against the staff records from the Personnel or Human Resources Department, to ensure that the users are authorised users.
- The critical files on the file server are protected. The critical files are the boot and executable files which are used to boot the server and run its functions. These files should be protected from normal users; only the security administrator or system administrator should be able to grant permission to access them on the file server.
- The microcomputers linked to the LAN have virus protection installed.
- There is software to monitor access violations on the LAN.
- Verify that the LAN's server has been secured and cannot be accessed by unauthorised individuals.
- Determine that the local area network's server is protected from damage resulting from electric power surges and spikes.
- Determine that an uninterruptible electric power supply is connected to the LAN's server if it is supporting critical information processing applications.
- Obtain the list of the hardware from technical support. Conduct physical sighting and confirm that the equipment is secured.
- Verify that existing LAN maintenance procedures include periodic assessments of the performance of the network and assure that problems are resolved before they affect network performance.
- Evaluate the reports for the last one year and check that LAN problems were solved within a short period.
- Determine that the process used in changing the configuration of a local area network is documented.
- Verify that provisions for any needed backup are considered before a change to a local area network is implemented.
- Determine that adequate notice is given to local area network users before a change in the configuration of the network is made.
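The LAN user profile review described in the checklist above (checking the user profile listing against HR staff records, comparing granted access levels with the access profile matrix, and reviewing the printed listing of user profile changes) can be carried out with generalised audit software or a short script. The following Python example is added here and is not part of the original text. The staff records, profile listing, access profile matrix and change log entries are constructed sample data; the `approved_by` field on the change record and the set of security administrators (`SECURITY_ADMINS`) are assumptions, as is the ranking of access levels used to spot escalations.

```python
# Added example (not from the original text): review of LAN user profiles against
# HR records, the access profile matrix, and the user profile change log.
# All data below is constructed sample data.

# Access levels ordered by sensitivity (assumed ranking); used to detect escalation.
ACCESS_RANK = {"inquiry": 1, "browse": 1, "print": 1, "add": 2, "update": 2, "delete": 3}

# Constructed staff records from the Personnel / Human Resources Department.
HR_STAFF = {
    "alim": {"department": "Accounting", "status": "active"},
    "beth": {"department": "Accounting", "status": "active"},
    "chen": {"department": "Sales", "status": "terminated"},
    "dora": {"department": "IT", "status": "active"},
}

# Constructed access profile matrix: (department, system) -> access levels that
# the job function needs (need-to-know basis).
PROFILE_MATRIX = {
    ("Accounting", "Accounting/AP"): {"update", "inquiry", "print"},
    ("Accounting", "Accounting/GL"): {"inquiry", "print"},
    ("Sales", "E-MAIL"): {"add", "inquiry"},
    ("IT", "E-MAIL"): {"add", "inquiry"},
}

# Constructed LAN user profile listing obtained from the security administrator.
LAN_PROFILES = [
    {"user": "alim", "department": "Accounting", "system": "Accounting/AP", "access": "update"},
    {"user": "beth", "department": "Accounting", "system": "Accounting/GL", "access": "delete"},
    {"user": "chen", "department": "Sales", "system": "E-MAIL", "access": "add"},
    {"user": "eve", "department": "Accounting", "system": "Accounting/AP", "access": "inquiry"},
]

# Assumed: only these user ids are security/system administrators.
SECURITY_ADMINS = {"dora"}

# Constructed user profile change log with the fields named in the text; the
# "approved_by" field (the authorising supervisor) is an assumption.
CHANGE_LOG = [
    {"user": "beth", "prev_application": "Accounting", "prev_module": "Accounting/GL",
     "prev_access": "inquiry", "new_module": "Accounting/GL", "new_access": "delete",
     "changed_by": "dora", "date": "2024-03-04", "time": "09:15", "approved_by": "head_acct"},
    {"user": "alim", "prev_application": "Accounting", "prev_module": "Accounting/AP",
     "prev_access": "inquiry", "new_module": "Accounting/AP", "new_access": "update",
     "changed_by": "alim", "date": "2024-03-05", "time": "22:40", "approved_by": ""},
]


def unauthorised_users(profiles, hr_staff):
    """LAN users with no active HR record: unknown ids, or leavers still holding access."""
    findings = []
    for p in profiles:
        rec = hr_staff.get(p["user"])
        if rec is None:
            findings.append((p["user"], "not in HR records"))
        elif rec["status"] != "active":
            findings.append((p["user"], "HR status " + rec["status"]))
    return findings


def excess_privileges(profiles, matrix):
    """Access levels granted beyond what the profile matrix allows for the user's
    department and system, i.e. grants not based on need to know."""
    return [
        (p["user"], p["system"], p["access"])
        for p in profiles
        if p["access"] not in matrix.get((p["department"], p["system"]), set())
    ]


def review_changes(log, admins):
    """Flag change records made by a non-administrator, lacking a recorded
    approval, or raising the access level; each finding lists its reasons."""
    findings = []
    for e in log:
        reasons = []
        if e["changed_by"] not in admins:
            reasons.append("changed by non-administrator")
        if not e["approved_by"]:
            reasons.append("no approval recorded")
        if ACCESS_RANK.get(e["new_access"], 0) > ACCESS_RANK.get(e["prev_access"], 0):
            reasons.append("privilege escalation")
        if reasons:
            findings.append((e["user"], e["date"], reasons))
    return findings


if __name__ == "__main__":
    for finding in unauthorised_users(LAN_PROFILES, HR_STAFF):
        print("unauthorised user:", finding)
    for finding in excess_privileges(LAN_PROFILES, PROFILE_MATRIX):
        print("excess privilege:", finding)
    for finding in review_changes(CHANGE_LOG, SECURITY_ADMINS):
        print("profile change for review:", finding)
```

Each function returns its findings rather than only printing them, so the auditor can write them to a working paper; an escalation made by an administrator with a recorded approval is still listed, because the text requires every profile change to be reviewed, not only the irregular ones.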
Chapter 8. MICRO COMPUTER (PERSONAL COMPUTER).
Abstract
Licence and warranty, training, help desk, physical, environment, virus, training, backup, inventory of hardware and software.
The microcomputer is an asset and a tool in the company, used to process daily tasks. Some applications run on the microcomputer, such as project management, accounting, inventories, etc. Management should establish policies and procedures that include at least the following controls.
1. Microcomputer Training
- Aware of the current copyright laws, i.e., copying software, unless specified, is unlawful.
- Each software package is only installed on one machine.
- Each software package's copyright documentation is read before installation.
- Backup diskettes are stored away from originals.
- The microcomputer is located near appropriate and sufficient electrical outlets (i.e., a separate power line).
- A surge protector is used.
- Telephone modems are disconnected in the event of an electrical storm. (Lightning can damage your microcomputer by travelling through electrical wires, surge protectors and telephone modems.)
- Cables and power cords are covered or cared for to ensure they are not a hazard.
- The microcomputer is maintained in a clean environment (i.e., away from drinks, food, etc.).
- The microcomputer is placed away from radiators or direct sunlight and its air intake vents are unblocked.
- The microcomputer is kept away from windows to discourage ready identification for theft.
- A record of the serial number is kept.
- The microcomputer is kept in an area (room) which can be securely locked from outsiders.
- Refrain from clipping, stapling, folding or bending diskettes.
- Diskettes are maintained in a clean environment (i.e., away from drinks, food, etc.).
- Diskette containers are sufficient to provide protection against accidental damage or other potentially destructive elements.
- Aware of ways to prevent or reduce the damage caused by a virus, such as:
  . backing up data.
  . booting up the computer from the hard disk.
  . never leaving the computer on and unattended.
  . not copying other people's software (including public domain software) unless it has been checked for viruses.
  . isolating virus-free software to use as a backup.
- Virus protection software has been installed on your microcomputer. (The help desk can be contacted for a free copy of virus protection software and instructions on its use.)
- Refrain from using your diskettes in several different microcomputers.
Chapter 9. Computer Assisted Audit Software (CAATs).
Abstract
Definition, types, methodology and procedures to use CAATs. Advantages and disadvantages. Purpose and examples.
When a computer system is used, data is processed in machine-readable form, and numerous audit tasks can be performed readily by using the computer. This allows the auditor to access computer files independently of the IT department and to gain the advantage of using the computer to assist the audit.
4. Types of CAATs
- Audit software
  - Generalised audit software
  - Specialised audit software
  - Utility programs
  - Existing client programs
- Test data
- Integrated test facilities
- Embedded audit facilities
- System software data analysis
- Application program examination
  - Tracing
  - Flowchart
  - Mapping
5. Benefits
- Time savings
- Very fast processing
- Flexible and easy to use
- Time is money
- Better auditing
- Interactive
- Controlled CAATs
- 100% verification
- Exception reporting
- Clerical testing
- Comparison/combination of data on separate files
- Sample selection and evaluation
- Variables estimation sampling
- Summarise or re-sequence data for analysis
- Security and privacy
- File sizes
- Processing capabilities
- Schedule remaining phases
- Development phase
  - Design
    - Identify objectives
    - Identify CAAT tool
    - Prepare overview flowchart
  - Coding
    - Problem statements
    - Prepare program flowchart
    - Prepare specification forms
    - Review of programs
  - Test
    - Obtain data files
    - Process the application
    - Review test results
    - Verify the integrity of files received
    - Reconcile to source reports
- Implementation phase
  - Process against client data and check output
  - Issue management letter points if required
  - Use CAAT output as per audit program
  - Ensure program documentation is complete
4. Reconciliation procedures
- Agree file totals/record counts
- Check that parameters are correctly set
- Review consistency of footings
- Account for included/excluded records
- Agree report totals to footings
- Review reports for reasonableness
- Check confirmation details
- Document reconciliation procedures
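The reconciliation procedures above (agreeing file totals and record counts to the client's source report, and accounting for every record included in or excluded from a selection) are the auditor's evidence that the file received is complete and unaltered before any CAAT is run against it. The following Python example is added here and is not part of the original text: the received file and the control totals on the client's source report are constructed sample data, and the hash total over account numbers is an assumed control field that the source report is taken to print.

```python
# Added example (not from the original text): reconciling a data file received
# from the client to the control totals on the client's source report, and
# accounting for records included in / excluded from a selection.
# All data below is constructed sample data.
from decimal import Decimal

# Constructed file "received from the client": one record per open account.
RECEIVED_FILE = [
    {"account": "10001", "amount": Decimal("1250.00")},
    {"account": "10002", "amount": Decimal("89.50")},
    {"account": "10003", "amount": Decimal("-40.00")},
    {"account": "10004", "amount": Decimal("5600.25")},
]

# Constructed control totals printed on the client's source report. The hash
# total (assumed field) is the arithmetic sum of the account numbers: it has no
# business meaning, but it changes if a record is dropped, duplicated or altered.
SOURCE_REPORT = {"records": 4, "amount_total": Decimal("6899.75"), "hash_total": 40010}


def control_totals(records):
    """Record count, amount footing and hash total of the account numbers."""
    return {
        "records": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(records, source_report):
    """Control fields that disagree with the source report, as
    (field, per report, per file). An empty list means the file is agreed."""
    footed = control_totals(records)
    return [(k, v, footed[k]) for k, v in source_report.items() if footed[k] != v]


def account_for_selection(records, predicate):
    """Split the file into included and excluded records and prove that the two
    parts add back to the whole, so that every record is accounted for."""
    included = [r for r in records if predicate(r)]
    excluded = [r for r in records if not predicate(r)]
    inc, exc, total = control_totals(included), control_totals(excluded), control_totals(records)
    accounted = all(inc[k] + exc[k] == total[k] for k in total)
    return {"included": inc, "excluded": exc, "accounted": accounted}


if __name__ == "__main__":
    print("differences:", reconcile(RECEIVED_FILE, SOURCE_REPORT))
    # Simulate a file that lost its last record in transfer.
    print("differences (truncated file):", reconcile(RECEIVED_FILE[:-1], SOURCE_REPORT))
    print(account_for_selection(RECEIVED_FILE, lambda r: r["amount"] > Decimal("1000")))
```

Amounts are held as `Decimal` rather than floating point so that footings agree to the cent; a float sum would make the reconciliation fail on rounding alone.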
5. Documentation of development
- Narratives of audit objectives
- Overview diagrams
- Logic flowcharts
- File layouts
- Source code/batch listings
6. Documentation of implementation
- Output reports
- Reconciliations to client data
- Follow-up procedures
- Updates required to parameters
- Cross reference to audit program
Account Balances
1. Accounts receivable
2. Inventory
3. Property, plant and equipment
4. Accounts payable
5. Notes payable/short-term debt
6. Shareholders' funds
Transaction Types
1. Cash receipts
2. Cash payments
3. Payroll
4. Sales
5. General ledger and/or journal entry system
6. Review of operations
Account Balances
1. Accounts receivable
- Test for clerical accuracy: totals and extensions.
- Add the trial balance and aging.
- Age using the client's method or an auditor-defined method. Various agings:
  - Invoice date
  - Date of last payment
  - By customer
  - By line of business
  - By type of open item (invoice, credit memo)
- Print accounts within specific aging categories and over specific dollar limits.
- Print accounts with no name or address or with an unusual name.
- Print unusual invoices, refunds, debit memos, etc.
- Test for new large dollar volume accounts.
- Print account balances exceeding the credit limits by a specific percentage.
- Print accounts with large overdue amounts.
- Select accounts or invoices for circularisation using sampling and confirmation programs.
- Sort and summarise by customer number or type of account, type of collateral, or sales terms.
- Using weekly transaction files, update the accounts receivable file from the date of circularisation to year-end.
- Select transactions for additional testing from these transaction files.
- Merge the accounts receivable file and the sales file and perform cutoff tests and ratio analysis.
- Apply cash receipt transactions subsequent to the confirmation date to the accounts receivable file. Analyse to determine receivables not collected in the interim or receipts for which no receivable was recorded.
- Merge interim balances with year-end balances and print a comparative trial balance, or accounts with changes greater than X%.
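Several of the accounts receivable tests above (clerical accuracy of extensions, aging by invoice date with an auditor-defined method, accounts exceeding their credit limit by a specific percentage, and accounts with large overdue amounts) as a Python example. It is added here and is not part of the original text; the open items file, the credit limits and the balance date are constructed sample data, and the 30/60/90-day aging categories are the auditor-defined method assumed for the illustration.

```python
# Added example (not from the original text): accounts receivable tests over a
# constructed open items file: clerical accuracy of extensions, an aged trial
# balance by invoice date, accounts over their credit limit, and large overdue amounts.
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed open items file: one row per unpaid invoice.
OPEN_ITEMS = [
    {"customer": "C001", "invoice": "INV-1001", "date": date(2024, 1, 10),
     "qty": 10, "unit_price": Decimal("25.00"), "amount": Decimal("250.00")},
    {"customer": "C001", "invoice": "INV-1050", "date": date(2024, 3, 15),
     "qty": 4, "unit_price": Decimal("100.00"), "amount": Decimal("400.00")},
    {"customer": "C002", "invoice": "INV-1020", "date": date(2024, 2, 5),
     "qty": 3, "unit_price": Decimal("300.00"), "amount": Decimal("950.00")},  # extension error
    {"customer": "C003", "invoice": "INV-0990", "date": date(2023, 11, 20),
     "qty": 1, "unit_price": Decimal("1200.00"), "amount": Decimal("1200.00")},
]
# Constructed credit limits from the customer master file.
CREDIT_LIMITS = {"C001": Decimal("500.00"), "C002": Decimal("2000.00"), "C003": Decimal("1000.00")}
YEAR_END = date(2024, 3, 31)  # constructed balance date


def extension_errors(items):
    """Invoices whose recorded amount does not equal quantity x unit price."""
    return [i["invoice"] for i in items if i["qty"] * i["unit_price"] != i["amount"]]


def age_bucket(days_old):
    """Auditor-defined aging categories (assumed) measured from invoice date."""
    if days_old <= 30:
        return "0-30"
    if days_old <= 60:
        return "31-60"
    if days_old <= 90:
        return "61-90"
    return "over 90"


def aged_trial_balance(items, as_of):
    """Customer -> {bucket: amount, 'total': balance}. Footing the totals gives
    the trial balance that is agreed to the general ledger control account."""
    tb = defaultdict(lambda: defaultdict(Decimal))
    for i in items:
        bucket = age_bucket((as_of - i["date"]).days)
        tb[i["customer"]][bucket] += i["amount"]
        tb[i["customer"]]["total"] += i["amount"]
    return {c: dict(b) for c, b in tb.items()}


def over_credit_limit(tb, limits, pct):
    """Accounts whose balance exceeds the credit limit by more than pct percent."""
    factor = 1 + Decimal(pct) / 100
    return [(c, b["total"], limits[c]) for c, b in tb.items() if b["total"] > limits[c] * factor]


def large_overdue(tb, threshold, bucket="over 90"):
    """Accounts with at least `threshold` outstanding in the given aging bucket."""
    return [(c, b[bucket]) for c, b in tb.items() if b.get(bucket, Decimal(0)) >= threshold]


if __name__ == "__main__":
    print("extension errors:", extension_errors(OPEN_ITEMS))
    tb = aged_trial_balance(OPEN_ITEMS, YEAR_END)
    for customer, buckets in tb.items():
        print(customer, buckets)
    print("over credit limit by >10%:", over_credit_limit(tb, CREDIT_LIMITS, 10))
    print("large overdue:", large_overdue(tb, Decimal("1000")))
```

The same `aged_trial_balance` function serves the "date of last payment" aging in the list above if the file's date field is the last payment date instead of the invoice date.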
2. Inventory
- Test the clerical accuracy of totals and extensions and merge the quantity file with the pricing/cost files.
- Select a sample for price testing using large dollar balances, monetary unit sampling, or random sampling.
- Physical count files:
  - Test for duplicate or missing tag numbers.
  - Summarise by product number, location, type, etc.
  - Price the physical count file and compare to the general ledger or book/physical adjustment.
- For a perpetual inventory, use sampling programs to stratify, select, and print a sample for physical testing.
- Using the cost master file:
  - Test for duplicate part/item numbers.
  - Test reasonableness of unit costs.
  - Segregate unusual increases/decreases in standard costs.
  - Merge with the year-end inventory file for the pricing test.
- Test for lower of cost or market (based on average selling price and current year standard costs).
- Test for obsolete/slow-moving items and excess inventory:
  - Use the client's method.
  - Use the date of the last shipment, or convert the current year's sales dollars to quantities and isolate quantities on hand in excess of the normal turnover.
  - Merge the inventory file with the sales files, calculate the supply on hand and compare to the prior usage.
  - Identify potentially obsolete inventory items by printing those items with little or no current year sales.
- Perform a turnover analysis.
- Calculate gross profit or potential gross profit by product line or in total.
- Recalculate stock value using the client's average cost method.
- Calculate the percentage of change for inventory items and print those outside the average range for:
  - Inventory level
  - Sales level
  - Change in the standard cost
  - Change in the average sales price
- Test the inventory cutoff by comparing the last receipts to the purchase register.
- Work in progress:
  - Provide totals of standard work hours, labour and overhead values for each cost centre so as to verify that the charges to WIP agree with the company's standards.
  - Analyse WIP to determine slow-moving orders.
3. Property, Plant and Equipment
- Test the clerical accuracy of totals and extensions, and print a trial balance of the account.
- Calculate depreciation (book and tax), compare it to the client's figures, and print exceptions.
- Compare to determine that accumulated depreciation does not exceed cost for any asset.
- Summarise activity for the year to date for both cost and accumulated depreciation.
- Compute any investment allowance and recapture for the year's transactions.
- Select samples for testing: additions, retirements, etc.
- Test for duplicate or missing asset numbers.
- Compute amortisation for intangibles.
- Select sample payments for repairs and maintenance for testing.
- Summarise leases by type.
4. Accounts Payable
- Recalculate the total of the trial balance.
- Test expense computations/groupings (e.g. account distribution: group by type of expense).
- Select a sample of vendors for circularisation (based on monetary unit or random sampling).
- Develop or test history by vendor.
- Search for unrecorded liabilities:
  - Sample additions to accounts payable subsequent to the cutoff date.
  - Merge cash payments subsequent to the cutoff date with accounts payable, and investigate unmatched disbursements.
6. Shareholders' Funds
- Analysing, selecting and confirming shareholder accounts.
- Testing allocation of contributions/income to participants.
- Add the file for dividends payable.
TRANSACTION TYPES
1. CASH RECEIPTS
- Recalculate the total of the cash receipts journal.
- Summarise cash receipts by the respective account distribution for reconciliation to the general ledger posting.
- Select a sample for compliance or substantive testing.
- Summarise/segregate by the type of receipt.
- Test for unusual items, e.g. large receipts, unusual classification, unusual allowances or large discounts.
2. CASH PAYMENTS
- Recalculate the total of the cash payments journal.
- Summarise cash payments by the respective account distribution for reconciliation to the general ledger posting.
- Select a sample for compliance or substantive testing.
- Summarise/segregate by the type of payment.
- Test for unusual items, e.g. large payments or unusual payment classifications.
- Test for missing or duplicate cheque numbers.
- Test for duplicate payments on invoice numbers or purchase order numbers.
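The cash payment tests listed above (recalculating the journal total, testing for missing or duplicate cheque numbers, testing for duplicate payments on the same invoice or purchase order, and testing for unusual items such as large payments) as a Python example. It is added here and is not part of the original text; the cash payments journal is constructed sample data, and the "ten times the median payment" threshold for an unusually large payment is an auditor-chosen assumption, not a rule from the text.

```python
# Added example (not from the original text): cash payments journal tests over
# constructed data: journal total, duplicate and missing cheque numbers,
# duplicate payments on the same invoice/purchase order, and unusually large payments.
from collections import Counter
from decimal import Decimal
from statistics import median

# Constructed cash payments journal: one record per cheque line.
PAYMENTS = [
    {"cheque": 1001, "vendor": "V01", "invoice": "INV-77", "amount": Decimal("120.00")},
    {"cheque": 1002, "vendor": "V02", "invoice": "INV-12", "amount": Decimal("340.50")},
    {"cheque": 1002, "vendor": "V02", "invoice": "INV-12", "amount": Decimal("340.50")},  # duplicated record
    {"cheque": 1003, "vendor": "V03", "invoice": "INV-90", "amount": Decimal("88.00")},
    {"cheque": 1005, "vendor": "V01", "invoice": "INV-77", "amount": Decimal("120.00")},  # INV-77 paid twice
    {"cheque": 1006, "vendor": "V04", "invoice": "INV-05", "amount": Decimal("25000.00")},
]


def journal_total(payments):
    """Recalculate the total of the cash payments journal for agreement to the ledger."""
    return sum((p["amount"] for p in payments), Decimal("0"))


def duplicate_cheques(payments):
    """Cheque numbers that appear more than once in the journal."""
    counts = Counter(p["cheque"] for p in payments)
    return sorted(n for n, c in counts.items() if c > 1)


def missing_cheques(payments):
    """Gaps in the cheque number sequence between the lowest and highest number used."""
    used = {p["cheque"] for p in payments}
    return [n for n in range(min(used), max(used) + 1) if n not in used]


def duplicate_invoice_payments(payments):
    """(vendor, invoice) pairs settled on more than one cheque: the double-payment
    test. A record merely repeated under the same cheque number is caught by
    duplicate_cheques instead, so the two tests do not overlap."""
    cheques_by_ref = {}
    for p in payments:
        cheques_by_ref.setdefault((p["vendor"], p["invoice"]), set()).add(p["cheque"])
    return sorted(ref for ref, cheques in cheques_by_ref.items() if len(cheques) > 1)


def unusually_large(payments, factor=10):
    """Payments above `factor` times the median payment (assumed threshold). The
    median is used so that one outlier does not drag the threshold up with it."""
    threshold = median(p["amount"] for p in payments) * factor
    return [p["cheque"] for p in payments if p["amount"] > threshold]


if __name__ == "__main__":
    print("journal total:", journal_total(PAYMENTS))
    print("duplicate cheque numbers:", duplicate_cheques(PAYMENTS))
    print("missing cheque numbers:", missing_cheques(PAYMENTS))
    print("invoices paid more than once:", duplicate_invoice_payments(PAYMENTS))
    print("unusually large payments (cheque nos):", unusually_large(PAYMENTS))
```

Each exception list is a starting point for follow-up, not a conclusion: a gap in the cheque sequence may be a voided cheque, and a second payment of the same invoice may be a legitimate part payment, so the records selected are vouched to supporting documents.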
3. PAYROLL
4. SALES
- Summarise sales by the respective account distribution for reconciliation to the general ledger posting and the accounts receivable file.
- Match sales records to the accounts receivable file sales posting.
- Test for unusually large amounts.
- Test for missing or duplicate invoice numbers.
- Test sales invoices for:
  - Arithmetical accuracy
  - Unit price:
    - Range of allowed prices
    - Match to the master file
  - Discount allowed
- Analyse by market, product line, customer, cost, sales commission, etc.