
AUDITING OF INFORMATION SYSTEMS

CONTENT

CHAPTER 1. INTRODUCTION ... 1
CHAPTER 2. MANAGEMENT ... 4
CHAPTER 3. SYSTEM DEVELOPMENT LIFE CYCLE ... 10
CHAPTER 4. APPLICATION ... 50
CHAPTER 5. COMPUTER OPERATION ... 71
CHAPTER 6. SYSTEM MAINTENANCE ... 94
CHAPTER 7. LOCAL AREA NETWORK AND WIDE AREA NETWORK ... 120
CHAPTER 8. MICRO COMPUTER (PERSONAL COMPUTER) ... 124
CHAPTER 9. COMPUTER ASSISTED AUDIT SOFTWARE ... 127

Chapter 1. INTRODUCTION

Abstract
Control audit concerns: segregation of duties, authorisation, custody, recording,
documentation, reconciliation, compliance with rules and regulations, effectiveness,
efficiency, reliability, continuity and accuracy.

The control audit concerns are as follows:

Internal Auditing is an independent appraisal activity established within an
organisation as a service to the organisation. It is a control which functions by
examining and evaluating the adequacy and effectiveness of other controls.
The auditor should be concerned about computerised systems because these systems have
a major impact on the organisation: all transactions and business in the organisation
involve computers. The auditor should have the skill and competence to assess the risks
and controls in computer systems.

1. Segregation of duties.
The functions which, for a given transaction, should be separated include
initiation, authorisation, execution, custody and recording. No one person should
be responsible for both recording and processing a complete transaction.

2. Authorisation and approval.
All transactions should require authorisation or approval by an authorised person.

3. Custody.
Custody of assets must be determined and assigned appropriately. The data
owner is usually assigned to a particular user department, and duties should be
specific and written. The owner of data has responsibility for determining the
authorised levels required to provide adequate security, while the Security
Administrator is responsible for implementing and enforcing the security system.

4. Recording and Documentation.
Records and documentation should be in place for the activities in the process.

5. Reconciliation.
The reconciliation of data is the responsibility of the users.

6. Compliance with rules and regulations.
The activity should comply with company and country rules and regulations.
This deals with complying with those laws, regulations and contractual arrangements
to which the business process is subject, i.e. externally imposed business criteria.

7. Effectiveness.
Deals with information being relevant and pertinent to the business process as
well as being delivered in a timely, correct, consistent and usable manner.
The effectiveness criterion of processes that plan or deliver solutions for
business requirements will sometimes cover the criteria for availability, integrity
and confidentiality -- in practice, they have become business requirements. For
example, the process of "identify automated solutions" has to be effective in
providing the availability, integrity and confidentiality requirements.

8. Efficiency.
Concerns the provision of information through the optimal use of resources.

9. Reliability.
Relates to the provision of appropriate information for management to operate the
entity and for management to exercise its financial and compliance reporting
responsibilities.

10. Confidentiality
Concerns the protection of sensitive information from unauthorised disclosure.

11. Integrity
Relates to the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations.

12. Availability
Relates to information being available when required by the business process now and
in the future. It also concerns the safeguarding of necessary resources and associated
capabilities.

13. Reliability of Information
Relates to the provision of appropriate information for management to operate the
entity and for management to exercise its financial and compliance reporting
responsibilities.

2. Management

Planning, policies, procedures, organisation structure, rules and regulations.

To ensure that computer policies and standards are established, documented and
communicated to the management of user departments.

Planning

The IS auditor should be concerned with at least the following basics:

Short-term and long-term information technology plans exist, are current, and
adequately address the overall enterprise.

Information technology projects are supported by the appropriate documentation as
identified in the information technology planning methodology.

Checkpoints exist to ensure that information technology objectives and long- and short-
term plans continue to meet organisational objectives.

Reviews are conducted, and sign-off of information technology plans occurs, by process
owners and senior management.

The process used to update the information architecture model is based on long- and
short-term plans, considers associated costs and risks, and ensures that senior
management sign-off is obtained prior to making changes to the model.

Changes made to the information architecture model are reviewed to confirm that these
changes reflect those in the information technology long- and short-term plans and that
associated costs and risks are identified.

Changes made to the technological infrastructure plan are reviewed to identify associated
costs and risks and to confirm that these changes reflect the changes in the information
technology long-term and short-term plans.

Policies and procedures

A methodology is in place to formulate and modify the plans and, at a minimum, they
cover:
- organisation mission and goals.
- information technology initiatives to support the organisation mission and goals.
- opportunities for information technology initiatives.
- feasibility studies of information technology initiatives.
- risk assessments of information technology initiatives.
- optimal investment of current and future information technology investments.
- re-engineering of information technology initiatives to reflect changes in the organisation's
mission and goals.

Information services function policies and procedures address the following:

- an authorisation process is in place requiring the owner of the data (as defined in the data
ownership policy) to authorise access to that data.
- security levels are defined for each data classification.
- access levels are defined and are appropriate for the data classification.
- access to sensitive data requires explicit access levels and data is only provided on a
"need to know" basis.

Each data classification clearly defines:

- who can have access.
- who is responsible for determining the appropriate level of access.
- specific approval needed for access.
- special requirements for access (i.e., non-disclosure or confidentiality agreement).

The information services function policies and procedures address the need
to evaluate and monitor current and future technology trends and regulatory conditions,
and ensure that they are taken into consideration during the development and maintenance of
the technological infrastructure plan.

Policy statements and communications from senior management ensure the
independence and authority of the information services function.

Organisation structure

Organisational changes, technology evolution, regulatory requirements, business
process re-engineering, staffing, in- and out-sourcing, etc. are taken into account and
adequately addressed in the planning process.

The information services function's existing physical environment is adequate for
accommodating presently installed hardware/software and new hardware/software to
be added under the current approved acquisition plan.

Technology standards are adhered to and incorporated as part of the development
process.

Access permitted is consistent with the security levels defined in the information
services function policies and procedures, and appropriate authorisation was
obtained for the access in place.

Membership and functions of the information services function planning/steering
committee have been defined and responsibilities identified.

The information services function planning/steering committee charter aligns the
committee's goals with the organisation's objectives and long- and short-range plans
and the information technology objectives and long- and short-range plans.

Processes are in place to increase awareness, understanding, and skill in identifying and
resolving information management issues.

Regular campaigns exist to increase internal control and security awareness and
discipline.

The information security officer's understanding of the office's roles and responsibilities is
adequate, and is demonstrated as consistent with the organisation's
information security policy.

The organisation's security policy clearly defines responsibilities for information security
that each information asset owner (e.g., users, management, and security

Segregation of duties exists between the following pairs of units:
- systems development and maintenance
- systems development and operations
- systems development/maintenance and information security
- operations and data control
- operations and users
- operations and information security
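An added example, not part of the original text: a small Python check of the segregation of duties rules above (the pairs of units that must be separate) together with the Chapter 1 rule that no one person performs more than one of initiation, authorisation, execution, custody and recording for a transaction. The staff names, unit assignments and sample transaction are constructed.

```python
# Added example (not part of the original text). Staff names and unit
# assignments below are constructed for illustration.

# The pairs of units the text requires to be separated. "systems
# development/maintenance and information security" expands to two pairs.
INCOMPATIBLE_UNITS = [
    ("systems development", "systems maintenance"),
    ("systems development", "operations"),
    ("systems development", "information security"),
    ("systems maintenance", "information security"),
    ("operations", "data control"),
    ("operations", "users"),
    ("operations", "information security"),
]

# Functions of a single transaction that must not rest with one person.
TRANSACTION_FUNCTIONS = ("initiation", "authorisation", "execution",
                         "custody", "recording")


def unit_conflicts(assignments):
    """assignments: {person: set of units}.
    Returns a sorted list of (person, unit_a, unit_b) for every incompatible
    pair of units held by the same person."""
    found = []
    for person in sorted(assignments):
        units = assignments[person]
        for a, b in INCOMPATIBLE_UNITS:
            if a in units and b in units:
                found.append((person, a, b))
    return found


def transaction_conflicts(transaction):
    """transaction: {function: person} covering all TRANSACTION_FUNCTIONS.
    Returns {person: [functions]} for every person holding more than one
    function of the transaction; an incomplete transaction is an error."""
    missing = [f for f in TRANSACTION_FUNCTIONS if f not in transaction]
    if missing:
        raise ValueError("transaction lacks assignee for: " + ", ".join(missing))
    by_person = {}
    for func in TRANSACTION_FUNCTIONS:
        by_person.setdefault(transaction[func], []).append(func)
    return {p: funcs for p, funcs in by_person.items() if len(funcs) > 1}


# Constructed sample data (hypothetical staff).
SAMPLE_ASSIGNMENTS = {
    "alice": {"systems development", "operations"},   # incompatible pair
    "bob":   {"operations", "data control"},          # incompatible pair
    "carol": {"information security"},
    "dave":  {"users"},
}
SAMPLE_TRANSACTION = {
    "initiation": "dave", "authorisation": "carol", "execution": "bob",
    "custody": "bob", "recording": "alice",           # bob executes and keeps custody
}


def audit_report(assignments=SAMPLE_ASSIGNMENTS, transaction=SAMPLE_TRANSACTION):
    """Combine both checks into one list of findings for the working papers."""
    findings = [f"{p}: holds both '{a}' and '{b}'"
                for p, a, b in unit_conflicts(assignments)]
    for p, funcs in transaction_conflicts(transaction).items():
        findings.append(f"{p}: performs {' and '.join(funcs)} on one transaction")
    return findings


if __name__ == "__main__":
    for line in audit_report():
        print(line)
```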

Appropriate and effective key performance indicators and/or critical success factors are
used in measuring results of the information services function in achieving
organisational objectives.

Organisation policies and procedures create a framework and awareness programme,
giving specific attention to information technology, fostering a positive control
environment and addressing such aspects as:
- integrity
- ethical values
- code of conduct
- security and internal controls
- competence of personnel
- management philosophy and operating style
- accountability, attention and direction provided by the board of directors, or its
equivalent.

Criteria are used for recruiting and selecting personnel to fill open positions.
Specifications of required qualifications for staff positions take into account relevant
requirements of professional bodies where appropriate.

Management and employees are accepting of the job competency process.

Training programmes are consistent with the organisation's documented minimum
requirements concerning education and general awareness covering information
security issues.

Management is committed to personnel training and career development.

Technical and management skill gaps are identified and appropriate actions are taken to
address these gaps.

On-going cross-training and back-up of staff for critical job functions occurs.

Enforcement of uninterrupted holiday policy occurs.

Job change and termination processes ensure the protection of the organisation's
resources.

3. System Development Life Cycle

Methodology, feasibility study, user requirements, system design, testing, conversion,
documentation, implementation and monitoring.

The process followed by an organisation in the development, acquisition and maintenance
of information systems should attempt to achieve system efficiency, data integrity,
resource safeguarding, and compliance with laws and regulations. The organisation
should issue a written policy statement establishing a system development life cycle
methodology as the means for structuring and controlling the process of developing or
acquiring computerised information systems.

Project management framework:

- defines scope and boundaries for managing projects.
- provides for project requests to be reviewed for their consistency with the approved
operational plan, and projects are prioritised according to this plan.
- defines the project management methodology to be adopted and applied to each project
undertaken, including:
- project planning.
- staffing.
- allocation of responsibilities and authorities.
- task breakdown.
- budgeting of time and resources.
- milestones.
- checkpoints.
- approvals.
- is complete and current.
- provides for participation by the affected user department (owner/sponsor) management
in the definition and authorisation of a development, implementation or modification
project.
- provides for the creation of a clear written statement defining the nature and scope of the
project before work on the project begins.
- includes the reasons for undertaking the project, including:
- a statement of the problem to be remedied or process to be improved.
- a statement of the need for the project expressed in terms of enhancing the organisation's
ability to achieve its goals.
- an analysis of the deficiencies in relevant existing systems.
- the internal control and security needs that would be satisfied by the project.
- addresses the manner in which proposed project feasibility studies are to be prepared,
reviewed and approved by senior management, including the:
- environment of the project -- hardware, software, telecommunications.
- constraints of the project -- what must be retained during this project, even if short-term
improvement opportunities seem apparent.
- benefits and costs to be realised by the project sponsor or owner/sponsor.
- provides for the development of a test plan for every development, implementation and
modification project.
- provides for the development of an adequate plan for training the owner/sponsor staff
and information services function staff for every development, implementation and
modification project.

Budgeted versus actual project milestones and costs are monitored and reported to
senior management throughout every major project phase (i.e., software purchase,
hardware purchase, contract programming, network upgrades, etc.).

Project milestones and costs in excess of budgeted timeframes and amounts are
required to be approved by appropriate organisation management.

A post-implementation process is an integral part of the project management framework
to ensure that new or modified information systems have delivered the planned
benefits.

Project management methodology and all requirements were consistently followed.

Project management methodology was communicated to all appropriate personnel
involved in the project.

Relevant feasibility study has been prepared and approved.

Appropriate owner/sponsor and information system function management approvals are
obtained for each phase of the development project.

Each phase of the project is being completed and appropriate sign-off is occurring as
required.

Mandatory activities/reports identified have in fact been executed/produced (i.e.,
Executive Steering Committee meetings, project meetings or the like are to be held at
set intervals, minutes of the meetings were taken and distributed to relevant parties,
and reports are prepared and distributed to relevant parties).

Test plan has been developed and approved in accordance with the project
management framework and is detailed and specific enough.

Mandatory activities/reports identified in the test plan have in fact been
executed/produced.

Determine that the criteria used for the project exist and:
- are derived from goals and performance indicators.
- are derived from agreed-upon quantitative requirements.
- assure internal control and security requirements.
- are related to the essential "What" versus the arbitrary "How".
- define a formal Pass/Fail process.
- are capable of objective demonstration within a limited time period.
- do not simply restate requirements of design documents.

Project risk management programme was used to identify and eliminate or at least
minimise risks associated with the project.

Test plan was adhered to, written testing reviews were created by the owner/sponsor,
programming and quality assurance functions, and the sign-off process was complied with
as intended.

Written plan for training the staff of the affected owner/sponsor and information
services functions was prepared, it allowed sufficient time for completing the required
training activities, and the plan was used for the project.

Post-implementation review plan was adhered to and carried out for the project.

A detailed review should cover the following:

- definition of system functions
- feasibility, given constraints of the project
- determination of system costs and benefits
- appropriateness of system controls
- impact and integration in other owner/sponsor systems
- owner/sponsor commitment of resources (people and money)

- definition of responsibilities and authorities of project participants
- acceptance criteria are both desirable and achievable
- use of milestones and checkpoints in authorising the various project phases
- use of Gantt charts, problem logs, meeting summaries, etc. in managing the project
- quality reports to determine if systemic problems exist in the organisation's system quality
assurance planning process.
- the formal project risk management programme to determine if risks have been identified
and eliminated or at least minimized
- the execution of the test plan to determine that it thoroughly tested the entire system
development, implementation, or modification project
- the execution of the training plan to determine that it adequately prepared the
owners/sponsors and information services function staff in the use of the system.
- the post-implementation review to determine if planned versus delivered benefits of the
project were ascertained.

Identifying projects that:
- are poorly managed
- exceed milestone dates
- exceed costs
- are runaway projects
- have not been authorised
- are not technically feasible
- are not cost justified
- do not achieve planned benefits
- do not contain checkpoints
- are not approved at key checkpoints
- are not accredited for implementation
- do not meet internal control and security requirements
- do not eliminate or mitigate risk
- have not been thoroughly tested
- needed training which has not occurred or is inadequate for the system being
implemented
- a post-implementation review has not occurred

The process to produce the documentation.

The overall System Development Life Cycle is basically as follows:

Functional Analysis & Design.

Functional analysis and design is divided into four major stages:
i. System Investigation
ii. Functional Analysis
iii. Functional Design
iv. Management Review.

Stage: System Investigation.

Objectives: Understand current business objectives & operations, complexities,
problems and interrelationships.
Identify functions and information flows.
Document the system investigation.
Review the current system.

Task Description.

- Done by an analyst with substantial knowledge and experience in the business.
- Familiarise with the existing system.
- Verify with the user all facts gathered to ensure accuracy.
- Understand the purpose of business functions.
- Identify the key documents involved in the existing system.
- Identify the controls applied in the existing system.
- Establish the volumes.
- Study the processing exceptions and other exceptions if there are any.
- Study the operating constraints.
- Identify the problem areas in the existing system.
- Study the current level of system performance.
- Document all facts gathered.

Source of Information
Project Definition Report.

Documentation Output.

- Business/system function chart & narratives of existing system.
- List of inputs and samples of inputs from existing system if available.
- List of outputs and samples of outputs of existing system if available.
- Timing of processes in existing system.
- Volume measurements for existing system.
- Data fields of existing system.
- System flowchart of existing system.
- Calculations performed in existing system.
- List of relevant issues of existing system.
- List of recommendations for existing system.
- List of problems & shortcomings in existing system.
- List of user requirements.

Stage: Functional Analysis.

Objectives: To provide the outline of the proposed system, to be used as a basis for the
Functional Design stage.

Task Descriptions.

Module: Identify System Functional Requirements.

- Identify the functional requirements & develop a function chart to a reasonable level of
completeness.
- Identify the limitations of the system.
- Identify the interfaces with other functions.
- Identify requirements which will not be supported.
- List of inputs.
- List of outputs.
- Identify the key data groups.
- List out all data items for each data group.
- For each data group, list out all functions related to the data group.
- List all inputs relevant to each function.
- List all outputs relevant to the functions identified.
- Create data groups and key items based on inputs & outputs.

Module: Identify Control Requirements.

- Provide the narratives for the control requirements for each function identified.
- Project manager to ensure the completeness & accuracy of the controls identified.
- Identify critical functions which have timing & cut-off periods, details of which will be
established later in the technical design phase.
- Identify all critical functions, for the purpose of contingency planning during system
operations.

Data.

Validation And Editing.

- To assure that input data is validated and edited as close to the point of origination as
possible.
- Determine if programmed keying formats are used to ensure that data is entered in
the proper fields and formats.
- Determine if intelligent terminals or suitable microcomputer software are used to
perform front-end validation, editing and control in the data entry process.
- Determine that incorrect data are identified, rejected and not allowed to enter the
system or to update the master file. Edits include:
- Individual and supervisor authorisation or approval codes.
- Check digits on all identification keys.
- Valid codes.
- Valid alphanumeric or numeric values.
- Valid field sizes.
- Valid limit or reasonableness of values or range.
- Record sequences.
- Crossfooting.
- Complete input records.
- Determine that data input does not permit anyone to override or bypass data validation
or error editing routines. If supervisors are allowed to override or bypass these
activities, ensure that automatic logging records are produced.
- Ensure that batch control totals are generated by the data entry terminals to validate
the completeness of the batches of data received as input.
- Determine that data input maintains a log of source document numbers entered to
ensure that all these documents are accounted for and the source document can be
traced from the outputs.
- The data entered is included in an audit trail record for use in error handling and for
recovery in the event of a data processing failure.

Data error handling.

- Determine that the procedures for the identification, correction and resubmission of
rejected data containing errors have been established and issued in written form.
- Provide for the display or printing of erroneous data immediately upon its being
detected, in order to facilitate its prompt correction and resubmission.
- All of the data rejected are written automatically onto suspense files classified by
application.
- Review rejected data suspense files to ensure they include:
- codes identifying the error types.
- date/time at which an entry was written onto the suspense file.
- identification record.
- the individual whose data input activity originated the rejected data.
- Determine that rejected data suspense files create automatic record counts to control
the number of entries in the files.
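An added example, not part of the original text, covering both the validation and editing controls and the data error handling above: front-end edits on a constructed input batch (check digit, valid code, numeric values, field size, limit, record sequence, crossfooting, complete record), batch control totals, a logged supervisor override, and a suspense file whose entries carry error codes, timestamp, identification record and originator. The code table, limit, supervisor codes and records are constructed; the Luhn mod-10 scheme is one common check-digit method, chosen here for illustration.

```python
# Added example (not part of the original text). Code table, limits,
# supervisor codes and the input batch are constructed for illustration.
from datetime import datetime, timezone

VALID_DEPT_CODES = {"SAL", "PUR", "FIN"}   # constructed valid-code table
AMOUNT_LIMIT = 100_000                      # constructed reasonableness limit
SUPERVISORS = {"sup01"}                     # constructed supervisor approval codes
REQUIRED = ("seq", "id", "dept", "qty", "unit_price", "amount", "operator")


def check_digit_ok(ident):
    """Mod-10 (Luhn) check digit on an identification key: catches mistyped
    or transposed digits before the key reaches the master file."""
    if not ident.isdigit() or len(ident) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(ident)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def edit_record(rec, expected_seq):
    """Apply the edits listed in the text to one record; return error codes."""
    if any(f not in rec for f in REQUIRED):
        return ["E08_INCOMPLETE_RECORD"]           # nothing else can be edited
    errors = []
    if rec["seq"] != expected_seq:
        errors.append("E06_RECORD_SEQUENCE")
    if len(rec["id"]) != 8:
        errors.append("E04_FIELD_SIZE")
    elif not check_digit_ok(rec["id"]):
        errors.append("E01_CHECK_DIGIT")
    if rec["dept"] not in VALID_DEPT_CODES:
        errors.append("E02_INVALID_CODE")
    nums = {f: int(rec[f]) for f in ("qty", "unit_price", "amount")
            if str(rec[f]).isdigit()}
    if len(nums) < 3:
        errors.append("E03_NOT_NUMERIC")
    else:
        if nums["qty"] <= 0 or nums["amount"] > AMOUNT_LIMIT:
            errors.append("E05_LIMIT_OR_RANGE")
        if nums["qty"] * nums["unit_price"] != nums["amount"]:
            errors.append("E07_CROSSFOOT")        # qty x unit price must foot to amount
    return errors


def process_batch(application, header, records, override_code=None):
    """Edit every record of a batch. Rejected records go to a suspense file
    (error codes, timestamp, identification record, originator); a supervisor
    override admits them but is always logged. Batch control totals are
    compared with the header over accepted records only, so the batch balances
    only once every rejected record has been corrected and resubmitted."""
    accepted, suspense, override_log = [], [], []
    for expected_seq, rec in enumerate(records, start=1):
        errors = edit_record(rec, expected_seq)
        if not errors:
            accepted.append(rec)
        elif override_code in SUPERVISORS:
            accepted.append(rec)
            override_log.append({"seq": rec.get("seq"), "by": override_code,
                                 "errors": errors})
        else:
            suspense.append({
                "application": application,
                "error_codes": errors,
                "written_at": datetime.now(timezone.utc).isoformat(),
                "identification": rec.get("id"),
                "originator": rec.get("operator"),
                "record": rec,
            })
    total = sum(int(r["amount"]) for r in accepted
                if str(r.get("amount", "")).isdigit())
    return {
        "accepted": accepted,
        "suspense": suspense,
        "suspense_count": len(suspense),        # automatic record count
        "override_log": override_log,
        "batch_ok": (len(accepted) == header["record_count"]
                     and total == header["control_total"]),
    }


# Constructed batch: one clean record, three with different edit failures.
SAMPLE_HEADER = {"record_count": 4, "control_total": 201_085}
SAMPLE_RECORDS = [
    {"seq": 1, "id": "12345674", "dept": "SAL", "qty": "2", "unit_price": "500",
     "amount": "1000", "operator": "op7"},                    # clean
    {"seq": 2, "id": "12345675", "dept": "SAL", "qty": "1", "unit_price": "50",
     "amount": "50", "operator": "op7"},                      # bad check digit
    {"seq": 3, "id": "11111119", "dept": "XYZ", "qty": "3", "unit_price": "10",
     "amount": "35", "operator": "op9"},                      # bad code, crossfoot
    {"seq": 5, "id": "11111119", "dept": "FIN", "qty": "1", "unit_price": "200000",
     "amount": "200000", "operator": "op9"},                  # out of sequence, over limit
]

if __name__ == "__main__":
    result = process_batch("AP", SAMPLE_HEADER, SAMPLE_RECORDS)
    print(result["suspense_count"], "rejected; batch balanced:", result["batch_ok"])
```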

Source of Information.

- Business/system function chart & narratives of existing system.
- List of problems & shortcomings in existing system.
- List of relevant issues of existing system.
- List of recommendations for existing system.
- List of user requirements.
- List of inputs and samples of inputs from existing system if available.
- List of outputs and samples of outputs of existing system if available.
- Calculations performed in existing system.
- Timing of processes in existing system.
- Data fields of existing system.
- System flowchart of existing system.

Documentation Output.

- System function chart & narratives.
- List of system's inputs.
- List of system's outputs.
- Descriptions of system's limitations & problem areas.
- Descriptions of interfaces with other systems.
- Descriptions of control requirements for processing.
- Proposed system's data items & groups.
- List of data items for each group.
- Relationship table of data groups and functions.
- Relationship table of functions which change the data group.
- Description of control, security & performance.

Stage: Functional Design.

Objectives: To provide details of the proposed system for the user to understand.
To provide details of the proposed system for Technical Design in terms of:
i. processes
ii. data items
iii. group items
iv. controls.

Task Descriptions.

Module: Design process.

- Based on the system function chart, develop multilevel data flow diagrams.
- Decide where it would be most logical to carry out functions to increase efficiency &
reduce redundancy.
- Movement of data between functions in the data flow diagram should not be
constrained by the way the current functions are being performed.
- To select the best design alternative, the criteria to be considered are to remove
problem areas, instead of improving areas which are already working well, and to satisfy
business needs.
- Develop data flow diagrams and narratives which will describe:
- the procedures.
- data items & stored data required to perform functions.
- the outputs of functions, security & control requirements.
- Finalise the design selection.
- Data flow diagrams should show the relationship between functions.
- Ensure minimal duplication of data items.
- Define the processing mode of the functions.
- Define processes which update the data group.

Module: Design coding and calculations.

- Finalise the codes for coding systems.
- Codes should reflect the functions of business units.
- Finalise with users all calculations to be used in the system.
- Transaction codes designed should take these points into consideration:
- uniqueness.
- expandability; the code structure must allow for its growth.
- conciseness.
- uniform size and format.
- simplicity; easy to understand & use.
- versatility; easy to modify.
- sortability.
- stability; does not need to be frequently updated or changed.
- Finalise the naming convention strategy.

Module: Design inputs & outputs layouts.

- Design system screen inputs, outputs & screen organisation.
- Design screen layouts, hierarchy & organisation.
- Input & output layouts will be designed by DP personnel and the users.
- The screens should be grouped into logical groupings by usage.
- The screens should be user friendly.

Source of Information.

- System function chart & narratives.
- List of system's inputs.
- List of system's outputs.
- Descriptions of system's limitations & problem areas.
- Descriptions of interfaces with other systems.
- Descriptions of control requirements for processing.
- Proposed system's data items & groups.
- List of data items for each group.
- Relationship table of data groups and functions.
- Relationship table of functions which change the data group.
- Description of control, security & performance.

Documentation Output

- Proposed System Input Layouts.
- Proposed System Output Layouts.
- Proposed System Screen Organisation.
- Proposed System Data Groups.
- Proposed System Data Flow Diagrams.
- Proposed System Alternative Data Flow Diagrams.
- Narratives for Data Flow Diagrams.

Stage: Management Review and Approval.

Objectives: To issue the finalised version of the functional specification.
To review with management the finalised version of the functional specification.
To obtain the approval of management for the finalised functional specification.

Task Description

Module: Issue Functional Specification

- Extract all relevant information.
- Compile extracted information into the Functional Specification.
- Finalise & issue the Functional Specification.

Module: Review with management.

- Presentation & review with management & user/audit of the finalised Functional
Specification.

Module: Obtain letter of acceptance.

- Obtain management approval/acceptance of the finalised Functional Specification.

The format of the Functional Specification documentation is as follows:

a. System overview.
i. System objectives.
Describe the purpose of the project.

ii. System functions
Explain briefly the proposed system and how it can overcome the problems
and shortcomings identified.

iii. System benefits
Briefly describe what benefits can be gained from the proposed system compared to
the existing one.

b. System Function.
All functions under the proposed system should be shown by diagrams, i.e. a
system function chart. Provide system functional narratives which describe
each function to support the chart. Also explain why the system function
interfaces with other systems.

c. Data Flow Diagram.
The flow of all documents should be shown. The flow should indicate the type of
documents, and where and when the processes are done.
For each process, describe the procedures to be followed. A brief explanation is
required for automated processes.
There may be some alternatives to the data flow diagrams.

d. Inputs and Outputs.
The following are required under this section:
- List of inputs to the system, and what the inputs are to be.
- List of outputs from the system, and what the outputs are to be.
- Layouts for the input documents.
- Layouts for the output reports.
- Screen organisation and screen layouts.

e. Data Requirements.
List out the identified data groups. Each data group must have key items
associated with it.

f. Performance.
List out the following performance factors.
- Volume of data, in terms of document inputs to the system, master file and
history data to be stored in the computer.
- Timing, i.e. details on:
- schedule of processes.
- cut-off time.
- time frame for making corrections.
- time frame for recovery.

g. Control and security.
List of control procedures on each process.
List out the possible exceptions in the system.
Include procedures to ensure that only authorised persons can get access to
confidential data.

h. Calculation.
List out the formula for any special calculations applied in the proposed system.

i. Letter of Acceptance
Attach a letter of acceptance with the functional specification.

Selection Preparation (package).

Objectives: To establish criteria as a basis of package selection and to prepare a
standard Request for Proposals (RFP).

Task description.

Module: Establish selection criteria & prepare RFP.

Develop selection criteria, which should include the following areas:

- user requirements for comparison against package features.
- operational status of package in multiple customer locations.
- equipment constraints for comparison against package requirements.
- software constraints such as programming language, operating system,
database and data communications requirements.
- technical design features such as control procedures and audit trails, input and
output options, file maintenance and reruns, ease and flexibility of operations
and programming techniques.
- flexibility of package to accommodate possible changes of user requirements.
- package's sensitivity to increases in production volumes and frequency of
operation.
- the quality of documentation supplied by vendor such as system manual, user
manual, program documentation and operation manual.
- vendor support for installation, maintenance and enhancements.
- vendor reputation including the risk of vendor business failure and the quality
of vendor personnel.

- Identify which of the selection criteria established are mandatory.
- Assign relative weights to each of the other criteria.
- Establish a standard rating system for evaluation.
- Prepare RFP, which should include the following:
- a cover letter.
- background of organisation, current operations and projected growth and
change.
- specification of requirements for new system.
- request for the vendor to describe the package.
- request for detailed costs of purchase
(purchase & lease prices, maintenance).
- request for an estimate of typical installation time and implementation plan.
- request for customer reference information.
- request for a copy of vendor's proposal contract.
- some of the criteria which might be important to the vendor.

Source of Information.

- List of inputs and outputs required.
- List of problems and shortcomings.
- List of control requirements.
- Information on packages and vendors.

Documentation Outputs.

- Selection criteria.
- RFP (request for proposals).

Stage: Package Selection.

Objectives : To select and recommend the best package that suits the requirements
through proper study and evaluation.

Task Description.

Module : Evaluate proposals.

- Receive proposals / feedback from vendors.
- Study proposals against the mandatory criteria.
- Short-list the proposals that meet all the mandatory criteria.

Module : Evaluate packages.
- Obtain more information on the short-listed packages from vendors and/or organizations
using the packages.
- Prepare a test plan and conduct demonstrations.
- Study each package in detail against the criteria and assign scores.
- Multiply the scores by the corresponding weights and sum them to get the total score for
each package.
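As an added illustration of the mandatory-criteria gate and the weighted scoring described in the Selection Preparation and Evaluate packages modules above (this code is not part of the original methodology), the following Python script short-lists packages on pass/fail mandatory criteria and then ranks the survivors by rating x weight. The criteria, weights, package names and ratings are constructed for the example; a package with the best weighted scores is still excluded when it fails a mandatory criterion such as the audit trail.

```python
"""Weighted package evaluation: mandatory-criteria gate, then weighted scoring.

Added example (not part of the original methodology text). The package names,
criteria, weights and ratings below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Criterion:
    name: str
    mandatory: bool = False   # mandatory criteria are pass/fail and carry no weight
    weight: int = 0           # relative weight for non-mandatory criteria (0-10)


@dataclass
class Package:
    name: str
    ratings: dict = field(default_factory=dict)        # criterion -> rating 0-5
    mandatory_met: dict = field(default_factory=dict)  # criterion -> True/False


def meets_mandatory(pkg: Package, criteria: list) -> bool:
    """A package is short-listed only if every mandatory criterion is met."""
    return all(pkg.mandatory_met.get(c.name, False)
               for c in criteria if c.mandatory)


def weighted_score(pkg: Package, criteria: list) -> int:
    """Sum of rating x weight over the non-mandatory criteria."""
    return sum(pkg.ratings.get(c.name, 0) * c.weight
               for c in criteria if not c.mandatory)


def max_possible_score(criteria: list, top_rating: int = 5) -> int:
    """Best achievable total on the standard rating scale, for reporting."""
    return sum(c.weight * top_rating for c in criteria if not c.mandatory)


def evaluate(packages: list, criteria: list) -> list:
    """Return [(name, score)] for short-listed packages, best first.

    Packages failing any mandatory criterion are excluded before scoring, so a
    high weighted score cannot compensate for a missing control feature.
    """
    shortlist = [p for p in packages if meets_mandatory(p, criteria)]
    ranked = [(p.name, weighted_score(p, criteria)) for p in shortlist]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed criteria: two mandatory gates, four weighted criteria
CRITERIA = [
    Criterion("audit trail and control procedures", mandatory=True),
    Criterion("runs on current operating system", mandatory=True),
    Criterion("fit to user requirements", weight=10),
    Criterion("vendor support and reputation", weight=7),
    Criterion("quality of documentation", weight=5),
    Criterion("sensitivity to volume growth", weight=4),
]

# Constructed vendor packages and their ratings on the 0-5 scale
PACKAGES = [
    Package("PkgA",
            ratings={"fit to user requirements": 5, "vendor support and reputation": 3,
                     "quality of documentation": 4, "sensitivity to volume growth": 4},
            mandatory_met={"audit trail and control procedures": True,
                           "runs on current operating system": True}),
    Package("PkgB",
            ratings={"fit to user requirements": 5, "vendor support and reputation": 5,
                     "quality of documentation": 5, "sensitivity to volume growth": 5},
            mandatory_met={"audit trail and control procedures": False,  # no audit trail
                           "runs on current operating system": True}),
    Package("PkgC",
            ratings={"fit to user requirements": 3, "vendor support and reputation": 5,
                     "quality of documentation": 3, "sensitivity to volume growth": 5},
            mandatory_met={"audit trail and control procedures": True,
                           "runs on current operating system": True}),
]

if __name__ == "__main__":
    for name, score in evaluate(PACKAGES, CRITERIA):
        print(f"{name}: {score}/{max_possible_score(CRITERIA)}")
```

The evaluation summary for management should show both lists: the packages dropped at the mandatory gate (with the criterion that excluded them) and the weighted ranking of the rest, so the reasoning behind the recommendation can be audited later.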

Module : Study package impacts.


- Based on the total scores, select packages for further consideration.
- Study each package in depth and conduct further demonstrations if necessary to
identify all possible changes. Changes may include new features to be added and
modifications.
- Discuss with the users any features which might compromise the requirements, and any
additional package features which might be useful.
- Analyse all costs related to each package.
- Do a final evaluation and selection based on the package impacts and the cost analysis.
- Prepare a recommendation on the selected package for management, including
the evaluation summary of the various packages.

Source of Information.

- Selection criteria
- Vendor proposals.

Documentation Outputs
- Recommendation on selection package.

Stage : Functional Adaptations.

Objectives. To provide details of the proposed system reflecting the package features
plus any modification to be done.

Task Description

Module : Design processes

- Consider the following:-

- user requirements as in the functional analysis stage
- features of the selected package
- package impacts already studied in the previous stage.
- Based on the above, develop a multilevel data flow diagram.
- The data flow diagram must show the following:-
- the processes involved in the system
- the input documents and stored data needed to perform the functions.
- the output of the functions
- any controls to be provided
- the processing mode (manual or automated)

- The flow should reflect the combination of package features to be retained, package
modifications and any additional functions to be developed.

Module : Design coding and calculations.

- Finalize the coding systems.
- Codes should reflect the functions of the business units.
- Finalize with the users all calculations to be used in the system.
- Transaction codes designed should take these points into consideration:-
- uniqueness.
- expandability; the code structure must allow for growth.
- conciseness.
- uniform size and format.
- simplicity; easy to understand & use.
- versatility; easy to modify.
- sortability.
- stability; does not need to be frequently updated or changed.

- Finalize the naming convention strategy.

Module : Design input & output layouts.

- Design system screen inputs, outputs & screen organization.
- Design screen layouts, hierarchy & organization.
- Input & output layouts will be designed jointly by DP personnel and the users.
- The screens should be grouped into logical groupings by usage.
- The screens should be user friendly.

Source of Information.
- Package features and user requirements.
- List of system inputs
- list of system outputs

Documentation Outputs
- Proposed System Input Layouts.
- Proposed System Output Layouts.
- Proposed System Screen organization.
- Proposed System Data Flow diagrams.
- Narratives for Data Flow diagrams.

Phase : Technical Design.

Stage : System approach.

Objectives : To finalise the system environment, in terms of the combination of software
to be used in implementing the technical solution.

Task Description

Module : Finalise system approach .

Decide the software for the following:

- Operating system.
- DBMS/file management.
- Languages.
- Software tools.
- Network software.

Source of information

- Functional specifications
- Software information

Documentation Outputs

- Finalised system environment.

Stage: System Architecture

Objective: To design i) the data storage method and
ii) the system flow.

Task Description

Module : Design database \ files

- Analyse the data to get the final data groups as a basis for file design.
- The normalization method is recommended for data analysis.
- The final grouping of data should:
- reduce redundancy
- achieve the maximum level of performance
- allow flexibility for expansion.
- For each file, decide on the following and fill in the file description form:
- description
- file name
- file organization: indexed, sequential, direct or random.
- format: fixed/variable length records.
- block size
- record length
- record type
- sequence
- access keys: name the key fields.

- For each record, fill in the record definition form.

- Inventory of files and records.
- Identify all files, whether they are master, transaction, history, work or reference files.
It is suggested that there be only one reference file to cater for all tables, with each
table identified by an indicator.

Module : Design system flow

- Define programs to support each automated function, taking into consideration all
requirements already identified.
- For each program, prepare a program outline, which consists of a system flowchart
extract, the program's top-level functions and its input/output files.
- Build the system flowchart to show the relationship of the automated functions.
- Design the recovery procedures and modules for critical functions.
- Decide on what software/language is to be used for each program and come up with
the inventory of programs.
- Build up the program/file cross-reference.

Module : Design operation outlines.

- Define the processing sequence of jobs.
- Define the recovery sequence.
- Determine the performance expected.
Source of Information

- Functional specifications

Documentation Outputs

- Inventory of files & file descriptions
- Inventory of records & record definitions
- Inventory of programs and program outlines
- Program/file cross-reference.
- System flowchart & recovery flowchart.

Stage : Program design.

Objectives : To develop the details of each program identified in the system.

Task Description

Module : Design program.

- For each program identified, complete the program specifications by adding program
details, which should include :-
- calculations
- processing requirements
- test conditions
- external routines.

Source of Information

- Program outlines
- File descriptions and record definitions
- System flowchart

Documentation Outputs.

- Completed program specifications.
- An inventory of programs, which should contain the following:
- program name
- program description
- language used.
- For each program there should be a program specification comprising:
- the system flowchart extract
- top-level functions
- inputs & outputs
- program details & program logic.

Technical specification

a. System overview.
- Objectives
- daily, weekly, monthly and annual processing steps
- how the various files in the system are related to each other.
- interfaces with other systems

b. File descriptions
- description
- file name
- file organization: indexed, sequential, direct or random.
- format: fixed/variable length records.
- block size
- record length
- record type
- sequence
- access keys: name the key fields.

c. Record definitions

- An inventory of records should be provided.
- A record definition form must be completed for each logical record type appearing on a
file description form.

d. System flowchart

- Title: description of each flowchart subsection.
- There should be separate subsections for each processing cycle.
- All programs should appear on the flowchart.
- Backup procedures should be flowcharted.
- Recovery procedures should also be flowcharted.
- All input & output files are to be shown.
- Short narrative notes should be included on the flowchart to clarify program
functions.
- Input/output is indicated by the direction of the arrow heads on the connecting lines.

e. Program specifications

- An inventory of programs, which should contain the following:
- program name
- program description
- language used.
- For each program there should be a program specification comprising:
- the system flowchart extract
- top-level functions
- inputs & outputs
- program details & program logic.

f. Program/file cross-reference.
- Each file used by each program is to be listed on the cross-reference form.
The file access mode of each program should be denoted as:
R – read only
W – write only
U – update

PHASE : SYSTEM IMPLEMENTATION PLANNING.

The system implementation planning phase involves four major modules:
a. System Implementation Approach
b. Prepare Test Plan
c. Design Conversion
d. Prepare Conversion Plan

The system implementation plan is prepared after completing the Technical Design phase.

Module: System Implementation Approach

Objectives : To ensure that the best approach is adopted to carry out the conversion
process.

Task Description

- Evaluate the various alternatives for the conversion cutoff date, taking into
consideration such factors as:
- The conversion cutoff date must coincide with the system's logical closing to ensure
accuracy in file balancing and control.
- The exact date the system will be ready.
- The various processing functions which may need to be carried out immediately
before or after the conversion process.
- The selection of the cutoff date must ensure that the conversion process involves:-
- fewer manual processes.
- fewer temporary files created.
- fewer programs used.
- Identify files that are:
- to be created.
- in old formats that are to be retained.
- Identify new inputs.
- Consider and recommend the most suitable implementation approach from the
following:
- direct changeover
- pilot run
- parallel run
- phased implementation
- Study the resource availability in terms of manpower and machine resources,
depending on the implementation approach.

Source of Information

- List of new files and formats together with their corresponding old files.
- Report on the user department's capability in terms of manpower to handle the
selected implementation approach.
- Old system processing schedule.

Documentation Outputs

- The selected cutoff date.
- List of important processing required immediately before and after the conversion
process.
- Outline of system resource requirements for the conversion and the selected implementation
approach.
- List of new files with their corresponding old files and new inputs.

Stage: Prepare Test Plan

- Objective : To prepare, define and finalise all activities and plans
before system testing.

Task Description

- Identify all processing steps in the system to be tested.
- Separate the manual processing steps from the automated processing steps.
- For each processing step identified, list all the conditions to be tested.
- Prepare the list of possible test conditions.
- The number of records for testing must be specified.
- Determine the number of test conditions and group the test conditions into
modules.

- Different combinations of test conditions should be used in different cycles to ensure
the thoroughness of the test.
- Determine the number of test conditions in each cycle.
- For each cycle, a definition of the data required for that cycle must be produced.
- The data definition should identify key or critical values for transaction and master
records.
- Ensure that the opening values and expected closing values of each cycle are
prerecorded.
- Prepare a list of programs used for loading data.
- Prepare a list of files to be created and files with initial values.
- Prepare a list of programs which check file controls and totals.
- Estimate the human resources required.
- Estimate the machine resources required:
- Processor type and system software required.
- Disk space required: calculations for files and work areas.
- Number of tapes required and the purpose for which the tapes are used.
- Number of user-ids, the size of each and the purpose of each.
- Estimate the supplementary resources required:
- Special print forms.
- PCs, diskettes and hard disks.
- The duration for which the resources are required.
- The special times at which the supplementary resources are required; when these
resources are required, and why they are required at that time, should also be specified.
- Prepare an outline of the items on which to brief the user and operations staff on system
testing.
- Prepare a system test schedule based on the information compiled.
- The system test schedule should include the following:

- system test organisation
- tasks for pretest preparation
- test cycle tasks:
- data preparation
- running of tests
- checking of test results
- modification allowance.

Source Of Information
- Project plan from the system planning phase.

Documentation Output

- List of test conditions
- System test cycles.
- List of loading programs
- List of checking programs
- System test schedule
- List of manual and automated processing steps.
- System test setup such as:
- outline of user & operations briefing
- list of files to be loaded and with initial values
- resource estimates:
- machine resources
- human resources
- supplementary resources estimates
- system software setup

Module: Design conversion

Objective: To design the conversion system.

Task Description
- Separate the static data files from the dynamic data files which are to be converted.
- Identify new files which need to be initialised and loaded with dummy records.
- Identify the programs which create each new file.
- Prepare a list of conversion programs and their descriptions.
- Outline the procedures and controls required for the creation of each new file.
- Design the system flowchart.
- Prepare the program outline by providing:
- the program flowchart, which is an extract from the system flowchart.
- the program functions for each program.
- program input, i.e. file definition and record description.
- program output, i.e. file definition, record description and report layout.

- The conversion process should be divided into steps and, if possible, the steps grouped
into phases.
- Consider controls for each phase.
- Consider the following when designing a conversion system:
- controls on the value of data in the file (e.g. control totals).
- controls on the quantity of data in the file (e.g. record counts).
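The value and quantity controls on a converted file, as an added example that is not from the original text: the script below converts a constructed fixed-length old-format master file to a constructed new delimited layout, computes a record count, a net balance total and a hash total of account numbers on both sides, and reports any difference for the conversion log. The file layouts, field positions and sample records are assumptions made for the example; the hash total catches a dropped or duplicated record even where the net balance is unchanged.

```python
"""Conversion control check: quantity and value controls on a converted file.

Added example, not from the original methodology. The old-file layout, the
new-file layout and the sample records are constructed for illustration.

Old file (constructed): fixed-length 38-byte records
    account(8) name(20) balance(9 digits, cents) sign(1, '+' or '-')
New file (constructed): pipe-delimited  account|name|balance_cents
"""

OLD_RECORD_LEN = 38

# Constructed old-format master file, one fixed-width record per line.
OLD_FILE = [
    "00001001ALPHA TRADING       000012345+",
    "00001002BETA SUPPLIES       000000500-",
    "00001003GAMMA SERVICES      000099900+",
]


def parse_old(rec: str) -> dict:
    """Parse one fixed-length old-format record; reject a malformed length."""
    if len(rec) != OLD_RECORD_LEN:
        raise ValueError(f"bad record length {len(rec)}: {rec!r}")
    sign = -1 if rec[37] == "-" else 1
    return {
        "account": rec[0:8],
        "name": rec[8:28].rstrip(),
        "balance_cents": sign * int(rec[28:37]),
    }


def convert(old_records: list) -> list:
    """Produce new-format lines from old-format records."""
    return [f"{r['account']}|{r['name']}|{r['balance_cents']}"
            for r in (parse_old(x) for x in old_records)]


def control_totals(balances: list, accounts: list) -> dict:
    """Quantity control (record count), value control (net balance) and a
    hash total over the account numbers."""
    return {
        "record_count": len(balances),
        "net_balance_cents": sum(balances),
        "account_hash_total": sum(int(a) for a in accounts),
    }


def old_controls(old_records: list) -> dict:
    """Controls taken on the old file before conversion."""
    parsed = [parse_old(x) for x in old_records]
    return control_totals([p["balance_cents"] for p in parsed],
                          [p["account"] for p in parsed])


def new_controls(new_lines: list) -> dict:
    """Controls recomputed independently from the new file after conversion."""
    rows = [line.split("|") for line in new_lines]
    return control_totals([int(r[2]) for r in rows], [r[0] for r in rows])


def reconcile(old_records: list, new_lines: list) -> list:
    """Return (control, old_value, new_value) for every control that does not
    balance; an empty list means the phase balanced. Any difference must be
    explained and recorded in the conversion log before the phase is signed off."""
    before, after = old_controls(old_records), new_controls(new_lines)
    return [(k, before[k], after[k]) for k in before if before[k] != after[k]]


if __name__ == "__main__":
    new = convert(OLD_FILE)
    print("differences:", reconcile(OLD_FILE, new))
    # Simulate a record dropped during conversion: count and hash totals flag it
    print("differences after dropping a record:", reconcile(OLD_FILE, new[:-1]))
```

Run the same reconciliation at the end of each conversion phase and keep the three totals on the phase control report; the conversion master control report then summarises them across phases.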

Source of information.

- The selected cutoff date.
- List of important processing required immediately before and after the conversion
process.
- Outline of system resource requirements for the conversion and the selected implementation
approach.
- List of new files with their corresponding old files (if any) and new inputs.

Documentation Output

- System flowchart
- Program outline, such as
- flowchart
- input (file desc. and record desc.)
- output (file desc. and record desc.)
- Program inventory.
- Conversion procedures and controls.
- Volume estimates.

Module : Prepare Conversion Plan.

Objectives : To prepare & finalise the activities required before and during conversion.

Task Description.

- Prepare the conversion schedule.
- From the information compiled in earlier modules, the conversion schedule should
include:
- conversion organisation

- tasks for pre-conversion preparation.
- conversion phases:
- running of conversion programs
- checking of results and controls.
- correction allowance.

- Preparation for the user briefing/training on conversion procedures.
- Preparation for the operations staff briefing on conversion procedures.
- Plan to convert static data first and dynamic/active data as late as possible.
- Identify and explain any differences in totals which could not be reconciled.
- Consider contingency (time, effort, etc.) when planning the conversion schedule.
- Get realistic commitments of resources for resource requirements planning:
- DASD
- computer time
- user and operations personnel.
- Identify other additional resources required for the conversion process.

Documentation Output

- The selected cutoff date
- List of important processing required immediately before and after the conversion
process
- Outline of system resource requirements for the conversion and the reasoning
for the selection of the implementation approach.
- Conversion schedule.
- Resource requirements.
- Additional resource requirements.
- Conversion setup
- software setup
- Outline of user and operations briefing.

Documentation : System Test Plan

The plan should contain the following information:-

a. Overview
Objectives of the system test plan.
b. Pretest preparations
Document all outputs from the Prepare Test Plan module:
- List of loading programs
- List of checking programs
- program names
- program descriptions
- language used
- Outline of user and operations briefing:
- library and data file setup
- tasks & responsibilities
- procedures on problem reporting
- procedures for program change and transfer
- filing of test results and system listings
- channelling of recommendations to improve procedures
and operations
- other relevant points.
- List of files to be created for system test.
- List of files to be loaded before system test.
- System software setup.

c. Test conditions, including abnormal (error) conditions as well as normal (error-free)
conditions.
- List of system test conditions
List all possible system test conditions to be tested.
- List of manual and automated processing steps
List all processing steps in this section.

d. System test cycles

An example of the recommended format for a system test cycle is given below:

Cycle no: cycle description
- processing steps
- test conditions
- expected results

e. Resource requirements

Resource estimates
Human and machine resources
Supplementary resource estimates

f. System test schedule

g. System test log
i. To record the successful completion of test conditions.
ii. To record errors encountered during tests, together with:
- the steps taken to correct them.
- the person who corrected them.
- the time/date the errors were corrected.

h. Master control report.

Documentation : Conversion Plan

The conversion plan is a document that identifies and lists all tasks that need to be
done before and during conversion. The plan should include the following information:-

a. Overview
- objectives
- selection of the cutoff date
- list of important processing immediately before and after the conversion
process.

b. Pre-conversion preparation.

- List of new files with their corresponding old files and new inputs:
provide a table of the new files to be created, their corresponding old files and any new
inputs.
- Recommended implementation approach
- system flowchart
- program inventory
- volume estimates
- conversion/software setup
- outline of user and operations briefing
- library and data file setup
- tasks & responsibilities
- procedures on problem reporting

- procedures for program change and transfer
- filing of conversion reports and controls for audit purposes
- Conversion phases
- conversion procedures and controls

c. Resource requirements

- Outline of system resource requirements for the conversion and the reasoning for the
selection of the implementation approach.
- Reports of the machine and human resources available to handle the conversion
process.
- Estimate of the machine and human resources required for the live system.
- Additional resource requirements and the duration for which they are required,
e.g. terminals, user-ids etc.

d. Conversion schedule

e. Conversion log
The conversion log records the results of the conversion done:
i. To record the successful completion of each phase of the conversion.
ii. To record:
- errors encountered
- the steps taken to correct them.
- the time/date the errors were corrected.

f. Conversion master control report

This report summarises all the control reports produced by each phase during the
conversion.

Chapter 4. Application

Abstract

Source document origination, source document authorization, source document data
collection and input preparation, source document error handling, source document
retention, data input controls, batch data conversion and entry, batch data validation
and editing, batch data input error handling, on-line data conversion and entry,
on-line data validation and editing, on-line data input error handling, batch output
balancing and reconciliation, on-line output balancing and reconciliation, and batch
output distribution.

Management should establish procedures and controls over input, processing and output.
The procedures should be implemented and monitored by responsible personnel. The
following controls should be included in the procedures:-

1. Source Document Origination.

- Documented procedures exist that explain the methods for proper source document
origination, authorization, data collection, input preparation, error handling, and
retention.

- Duties are separated to ensure that no one individual performs more than one of the
following operations:
--Originating data.
--Inputting data.
--Processing data.
--Distributing output.
- Source documents are designed to minimize errors and omissions, such that:
--Special purpose forms are used to guide the initial recording of data in a uniform
format.
--Preprinted sequential numbers are used to establish controls.
--Each type of transaction has a unique identifier.
--Each transaction has a cross-reference number which can be used to trace
information to and from the source document.
- Access to source documents and blank input forms is restricted to authorized
personnel only.
- Source documents and blank input forms are stored in a secure location.
- Authorization from two or more accountable individuals is required before the
release of source documents from storage.

2. Source Document Authorization

- Authorizing signatures are used for all types of transactions.

- Evidence of approval is required for specific types of critical transactions (control
bypassing, system overrides, manual adjustments).

- Duties are separated within the user department to ensure that one individual does not
prepare more than one type of transaction (e.g. establishing new master records plus
changing or updating master records).

- Duties are separated within the user department to ensure that no one individual
performs more than one of the following phases of data preparation:
--Originating the source document.
--Authorizing the source document.
--Controlling the source document.

3. Source Document Data Collection And Input Preparation

- User departments have a control group responsible for collecting and completing source
documents.

- This control group verifies the following for source documents:
--They are accounted for.
--They are complete and accurate.
--They have been appropriately authorized.
--They are transmitted in a timely manner.

- This control group independently controls data submitted for transmittal to the data
processing department for conversion or entry by using:
--Turnaround transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
--Other.

- When the user department is responsible for its own data entry, a separate group
performs this input function.

- Source documents transmitted for conversion are transported in accordance with their
security classifications.

4. Source Document Error Handling

- Documented procedures exist that explain the methods for source document error
detection, correction, and reentry.
- These include:
--Types of error conditions that can occur.
--Correction procedures to be followed.
--Methods to be used for the reentry of source documents which have been
corrected.

- The department identifies errors to facilitate the correction of erroneous information.

- The department follows the same verification and control procedures described in
questions 12 and 13 when receiving corrected source documents.
- Error logs are used to ensure timely follow-up and correction of unresolved errors.
- Source document originators are immediately notified by the (Blank) Department of all
errors.

5. Source Document Retention

- Source documents are retained so that data lost or destroyed during subsequent processing
can be recreated.
- Each type of source document has a specific retention period.
- Source documents are stored in a logical manner to facilitate retrieval.
- A copy of the source document is kept in the originating department whenever the
document leaves the department.
- Access to records kept in the originating department is restricted to authorized personnel
only.
- Source documents, on reaching their expiration dates, are removed from storage and
destroyed in accordance with their security classifications.

6. Data Input Controls

Data input controls ensure the accuracy, completeness, and timeliness of data
during its conversion into machine-readable format and entry into the application.
Data input can be accomplished in two different ways: batch and on-line. The main
areas of control include
--data conversion and entry,
--data validation and editing, and
--data input error handling.
Also of particular importance is the critical interface between the user department and
the data processing department.
The auditor should determine the adequacy of both manual and automated
controls over data input to make sure that data is input accurately with optimum use
of computerized validation and editing, and that error handling procedures facilitate
the timely and accurate resubmission of all corrected data.

7. Batch--Data Conversion And Entry

- Documented procedures exist that explain the methods for data conversion and entry.
- Duties are separated to ensure that no one individual performs more than one of
the following operations:
--Originating data.
--Inputting data.
--Processing data.
--Distributing output.

- The data processing department has a control group responsible for the data conversion and
entry of all source documents received from user departments.

- The data processing control group returns all turnaround transmittal documents to the user
department to make sure that no documents were added or lost.
- The Computer Service Center independently develops record counts which are balanced
with those of the user department, and all discrepancies are reconciled.

- The Computer Service Center independently develops predetermined control totals which
are balanced with those of the control group in the user department, and all
discrepancies are reconciled.

- The Computer Service Center keeps a log or record showing the receipt of user
department source documents and their actual disposition, and there are provisions to
make sure that all documents are accounted for.

- Data submitted for conversion is independently controlled by using:
--Turnaround transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals (prenumbered documents).
--Logging techniques.
- Conversion operations are established as close to the origination of the source documents
as possible.
- The data processing department has a schedule, by application, that shows when data
requiring conversion will be received and when it needs to be completed.

- The turnaround transmittal documents returned to the data processing control
group are accounted for, to make sure that no documents were added or lost during
conversion.

- All batches of documents returned to the data processing control group are accounted
for, to make sure that no batches were added or lost during conversion.
- All record counts developed during conversion are balanced with those of the data
processing control group, and all discrepancies are reconciled.
- All converted documents returned to the data processing control group are logged in and
accounted for.
- The data processing control group independently controls data submitted for data entry
by using:

--Turnaround transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
- Data entry operations are established as close to the origination of the source data as
possible.
- The data processing department has a schedule, by application, that shows when data
requiring entry will be received and when it needs to be completed.
- All documents entered into the application must be signed or marked in some way to
indicate that they were entered into the system, thereby preventing accidental
duplication or reuse of the data.

- All batches of documents returned to the data processing control group are accounted
for, to make sure that no batches were added or lost during data entry.
- All record counts developed during data entry are balanced with those of the data
processing control group, and all discrepancies are reconciled.
- All input documents returned to the data processing control group are logged in and
accounted for.

- All input documents are retained in a manner which enables tracing them to the related
originating documents and output records.

8. Batch--Data Validation And Editing

- Key verification is used to check the accuracy of all keying operations.
- The keying and verifying functions on a document are performed by different
individuals.
- Preprogrammed keying formats are used to ensure that data is recorded in the proper
field, format, etc.

- Data validation and editing are performed as early as possible in the data flow to ensure
that the application rejects any incorrect transaction before its entry into the system.
- Data validation and editing are performed for all input data fields even though an error
may have been detected in an earlier field of the same transaction.
- The following are checked for validity on all input transactions:
--Individual and supervisor authorization or approval codes.
--Check digits on all identification keys.
--Check digits at the end of a string of numeric data that is not subjected to balancing.
--Codes.
--Characters.
--Fields.
--Combinations of fields.
--Transactions.
--Calculations.
--Missing data.
--Extraneous data.
--Amounts.
--Units.
--Composition.
--Logic decisions.
--Limit or reasonableness checks.
--Signs.
--Record matches.
--Record mismatches.
--Sequence.
--Balancing of quantitative data.
--Crossfooting of quantitative data.
- Special routines are used which automatically validate and edit input transaction dates
against a table of cutoff dates.
- All persons are prevented from overriding or bypassing data validation and editing
problems.
- If not, the following are true:
- This override capability is restricted to supervisors, in only a limited number of acceptable
circumstances.
- Every system override is automatically logged by the application so that these actions can
be analyzed for appropriateness and correctness.

- Batch control totals submitted by the data processing control group are used by
the computer-based system to validate the completeness of batches received as
input into the application.
- Record counts submitted by the data processing control group are used by the
computer-based system to validate the completeness of data input into the
application.
- Predetermined control totals submitted by the data processing control group are used by
the computer-based system to validate the completeness of data input into the
application.
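An added example (not code from the original text) of the batch controls in sections 7 and 8: the script below edits every field of each transaction in a constructed batch, checks a mod-10 check digit on the account key, a reasonableness limit, a sign rule, a cutoff-date table and a supervisor approval code, writes rejects with error codes, entry time and originator to a suspense list, and then balances the accepted records against the record count and predetermined control total carried on the batch header. The batch layout, error codes and the check-digit scheme are assumptions for the example, not a prescribed standard.

```python
"""Batch input validation with control-total reconciliation and a suspense file.

Added example illustrating the batch data conversion/entry and validation/editing
controls; it is not code from the original text. The batch layout, the mod-10
(Luhn) check digit on the account number, the cutoff-date table, the error codes
and the sample batch are all constructed assumptions.
"""
from datetime import date, datetime

# Constructed batch as received from the data processing control group: a header
# carrying the control group's record count and predetermined control total
# (sum of amounts in cents), then one transaction per line.
# Fields: seq|txn_code|account|amount_cents|date(YYYYMMDD)|originator
BATCH_HEADER = {"batch_id": "B0427", "record_count": 5, "control_total_cents": 150000}
BATCH_LINES = [
    "0001|SAL|79927398713|25000|20240131|user1",
    "0002|SAL|79927398714|30000|20240131|user2",   # bad check digit
    "0003|ADJ|79927398713|-5000|20240131|user1",   # ADJ needs supervisor approval
    "0004|SAL|79927398713|95000|20240215|user2",   # over limit and after cutoff
    "0005|SAL|79927398713|5000|20240131|user1",
]
CUTOFF_DATES = {"SAL": date(2024, 1, 31), "ADJ": date(2024, 1, 31)}
LIMIT_CENTS = 90000          # reasonableness limit per transaction
VALID_CODES = {"SAL", "ADJ"}


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit over the whole identifier (constructed choice)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_line(line: str, expected_seq: int, supervisor_codes: dict) -> tuple:
    """Return (record, errors). Every field is edited even after the first error,
    so the originator receives all error messages for the transaction at once."""
    errors = []
    parts = line.split("|")
    if len(parts) != 6:
        return None, ["E01 wrong field count"]
    seq, code, account, amount, txn_date, originator = parts
    if not seq.isdigit() or int(seq) != expected_seq:
        errors.append("E02 out of sequence")
    if code not in VALID_CODES:
        errors.append("E03 invalid transaction code")
    if not luhn_valid(account):
        errors.append("E04 check digit failure on account")
    amt = None
    if amount.lstrip("-").isdigit():
        amt = int(amount)
    else:
        errors.append("E05 non-numeric amount")
    if amt is not None and abs(amt) > LIMIT_CENTS:
        errors.append("E06 amount exceeds limit")
    if code == "SAL" and amt is not None and amt < 0:
        errors.append("E07 sign invalid for transaction code")
    try:
        d = datetime.strptime(txn_date, "%Y%m%d").date()
        if code in CUTOFF_DATES and d > CUTOFF_DATES[code]:
            errors.append("E08 date after cutoff")
    except ValueError:
        errors.append("E09 invalid date")
    if code == "ADJ" and originator not in supervisor_codes:
        errors.append("E10 missing supervisor approval")
    record = {"seq": seq, "code": code, "account": account,
              "amount_cents": amt, "originator": originator}
    return record, errors


def process_batch(header: dict, lines: list, supervisor_codes: dict,
                  now: datetime = None) -> dict:
    """Validate each line, write rejects to the suspense file, then reconcile the
    accepted records against the control group's record count and control total."""
    now = now or datetime.now()
    accepted, suspense = [], []
    for n, line in enumerate(lines, start=1):
        rec, errs = validate_line(line, n, supervisor_codes)
        if errs:
            suspense.append({"line": line, "error_codes": errs,
                             "entered_at": now.isoformat(),
                             "originator": rec["originator"] if rec else None})
        else:
            accepted.append(rec)
    total = sum(r["amount_cents"] for r in accepted)
    count_ok = len(lines) == header["record_count"]
    total_ok = total == header["control_total_cents"]
    return {
        "accepted": accepted,
        "suspense": suspense,
        "count_balanced": count_ok,
        "total_balanced": total_ok,
        "accepted_total_cents": total,
        # An out-of-balance batch is held until rejects are corrected and reentered
        "batch_released": count_ok and total_ok,
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH_LINES, supervisor_codes={})
    for s in result["suspense"]:
        print(s["line"], "->", s["error_codes"])
    print("released:", result["batch_released"])
```

Note that the record count balances (all five lines arrived) while the control total does not, because three transactions sit on the suspense file; the batch is not released until those are corrected by the control group or the originator and reentered with debit/credit-type corrections.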

9. Batch-data Input Error Handling

- Documented procedures exist that explain the process of identifying, correcting, and
reprocessing data rejected by the application.
- Error messages are displayed with clearly understood corrective actions for each type of
error.
- Error messages are produced for each transaction which contains data that does not
meet edit requirements.
- Error messages are produced for each data field which does not meet edit requirements.
- All data that does not meet edit requirements is rejected from further processing by the
application.
- All data rejected by the application is automatically written to an automated suspense
file.
- The automated suspense file also includes:
--Codes indicating error type.
--Date and time the transaction was entered.
--Identity of the user who originated the transaction.
- Record counts are automatically created by suspense file processing to control these
rejected transactions.

- Predetermined control totals are automatically created by suspense file processing to
control these rejected transactions.
- Rejected transactions caused by data conversion or entry errors are corrected by the data
processing department control group.
- Rejected transactions not caused by data conversion or entry errors are corrected by the
user originating the transaction.
- The automated suspense file is used to control followup, correction, and reentry of
transactions rejected by the application.
- The automated suspense file is used to produce, for management review, analysis of:
--Level of transaction errors.
--Status of uncorrected transactions.
- These analyses are used by management to make sure that corrective action is taken when
error levels become too high.
- These analyses are used by management to make sure that corrective action is taken when
uncorrected transactions remain on the suspense file too long.
- Progressively higher levels of management are reported to as these conditions worsen.
- Debit- and credit-type entries (as opposed to delete- or erase-type commands) are used to
correct rejected transactions on the automated suspense file.
- The application is designed so that it cannot accept a delete- or erase-type command.
- Invalid correction transactions are added to the automated suspense file, along with the
corresponding rejected transactions.
- Record counts are appropriately adjusted by correction transactions.
- Predetermined control totals are appropriately adjusted by correction transactions.
- All corrections are reviewed and approved by supervisors before reentry.
- Procedures for processing corrected transactions are the same as those for
processing original transactions, with the addition of supervisory review and
approval before reentry.

10. On-line Data Conversion and Entry

- Documented procedures exist that explain the methods for data conversion and
entry.
- Duties are separated to make sure that no one individual performs more than one of
the following operations:
--Originating data.
--Inputting data.
--Processing data.
--Distributing data.
- A separate group within the user department is responsible for performing data
entry operations.
- All documents entered into the computer application must be signed or marked
in some way to indicate that they were in fact entered into the system to protect
against accidental duplication or reuse of the data.
- Data entry terminal devices are locked in a physically secure room, allowing only
query terminal devices to be located outside the secure room.
- Supervisors sign on each terminal device to initialize terminals before any operators
can sign on to begin work.
- The work that may be entered on a terminal is restricted by the authority level
assigned to each terminal device (data entry vs. query).
- Password control is in place to prevent unauthorized use of the terminal devices.
- Non-printing, non-displaying, or obliteration facilities are used when keying and
acknowledging passwords and authorization codes.
- An immediate report is produced of unauthorized attempts to access the system
via terminal devices.
- The report includes:
--Location of the terminal device.
--Date and time of the violation.

--Number of attempts.
--Identification of the operator at the time of the violation.
- Terminal lockup is used to prevent unauthorized access to the terminal device after a
certain predetermined number of incorrect attempts to access the system.
- The system automatically shuts down the terminal if the password is wrong and allows
intervention only by specially assigned supervisors.
- A data access matrix is used to restrict use of access levels by checking user
identifications (passwords).
- Each individual user of the on-line system is limited to certain types of application
transactions.
- Master commands that control the operation of the application are restricted to a
limited number of supervisory data processing personnel.
- Top management is required to review the propriety of terminal authority levels in the
event of a purported or real security violation.
- Individual passwords are changed periodically.
- Individual passwords are changed in the event of a purported or real security
violation.
- Passwords are deleted once an individual changes his job function, separates, no longer
needs the same level of access, or no longer needs access at all.
- A usage log, or the data access matrix, showing the purposes of user accesses is reviewed
by top management to identify unauthorized usage.
- The security officer has initiated an aggressive review program to determine that
controls are fully operational.
- Terminal hardware features include the following:
--Built-in terminal identifications which automatically validate proper terminal
authorization.
--Terminal logs which record all transactions processed.
--Messages which are automatically date and time stamped for logging purposes.
--Record counts which are automatically accumulated for logging purposes.

- Each message contains an identifying message header that includes:
--Message number.
--Terminal and user identification.
--Date and time.
--Transaction code.
- Each message contains indicators for:
--End of message.
--End of transmission.
- Parity checking is used to check each character.
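The terminal sign-on controls listed in this section (password control, lockup after a predetermined number of incorrect attempts, an immediate violation report carrying the terminal location, date and time, number of attempts and operator identity, supervisor-only intervention, and terminal authority levels for data entry versus query) can be seen working together in the following example. It is added here and is not code from the page; the users, terminals, passwords, attempt threshold and the salted SHA-256 password store are all constructed stand-ins.

```python
"""Added example (not from the page): terminal sign-on control with lockout,
a violation report and terminal authority levels. Users, terminals, the attempt
threshold and the salted SHA-256 store are constructed for the example."""
import hashlib
import hmac
from datetime import datetime

MAX_ATTEMPTS = 3  # constructed threshold

# Constructed terminal table: the authority level restricts what may be entered.
TERMINALS = {
    "T01": {"location": "Data entry room 2B", "level": "entry"},
    "T09": {"location": "Reception lobby", "level": "query"},
}


def _pw_hash(password, salt="constructed-salt"):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table; only the password hash is stored.
USERS = {
    "op01": {"hash": _pw_hash("correct horse"), "role": "operator"},
    "sup01": {"hash": _pw_hash("battery staple"), "role": "supervisor"},
}


class TerminalAccessControl:
    def __init__(self):
        self.failures = {}    # terminal -> list of (operator, time) for failed sign-ons
        self.locked = set()   # terminals shut down after too many failures
        self.violations = []  # rows of the unauthorized-access report

    def sign_on(self, terminal, operator, password, now=None):
        """Returns OK, DENIED or LOCKED. A locked terminal rejects even a
        correct password until a supervisor intervenes."""
        now = now or datetime.now()
        if terminal in self.locked:
            return "LOCKED"
        user = USERS.get(operator)
        # Constant-time comparison; an unknown user is compared against a dummy
        # hash so that timing does not reveal whether the account exists.
        stored = user["hash"] if user else _pw_hash("")
        if hmac.compare_digest(stored, _pw_hash(password)) and user:
            self.failures.pop(terminal, None)
            return "OK"
        attempts = self.failures.setdefault(terminal, [])
        attempts.append((operator, now))
        if len(attempts) >= MAX_ATTEMPTS:
            self.locked.add(terminal)
            self.violations.append({
                "terminal": terminal,
                "location": TERMINALS[terminal]["location"],
                "when": now.isoformat(timespec="seconds"),
                "attempts": len(attempts),
                "operator": operator,
            })
            return "LOCKED"
        return "DENIED"

    def unlock(self, terminal, supervisor):
        """Only a specially assigned supervisor may bring a locked terminal back."""
        if USERS.get(supervisor, {}).get("role") != "supervisor":
            return False
        self.locked.discard(terminal)
        self.failures.pop(terminal, None)
        return True


def transaction_allowed(terminal, txn_kind):
    """Terminal authority level: query-only terminals cannot enter data."""
    level = TERMINALS[terminal]["level"]
    return txn_kind == "query" or level == "entry"
```

The violation rows are what the immediate report would be built from; a production system would also write each failed attempt to the terminal log, and would drive the lockout from the stored failure list rather than an in-memory set so that the count survives a restart.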

11. On-line Data Validation and Editing

- Preprogrammed keying formats are used to make sure that data is recorded into
the proper field, format, etc.
- Interactive display is used to allow the terminal operator to interact with the
system during data entry.
- Computer-aided instructions, such as prompting, are used with on-line dialogue to
reduce the number of operator errors.
- Intelligent terminals are used to allow front-end validation, editing, and control.
- Data validation and editing is performed as early as possible in the data flow to ensure
that the application rejects any incorrect transaction before its entry into the system.
- Data validation and editing is performed for all input data fields even though an error
may be detected in an earlier field of the same transaction. The following are checked
for validity on all input transactions:
--Individual and supervisor authorization or approval codes.
-- Check digits on all identification keys.
-- Check digits at the end of a string of numeric data that is not subject to balancing.
--Codes.
--Characters.
--Fields.
--Combinations of fields.
--Transactions.
--Calculations.
--Missing data.
--Extraneous data.
--Amounts.
--Units.
--Composition.
--Logic decisions.
--Limit or reasonableness checks.
--Signs.
--Record matches.
--Record mismatches.
--Sequence.
--Balancing of quantitative data.
--Crossfooting of quantitative data.
- Special routines are used which automatically validate and edit input dates
against a table of cutoff dates.
- All persons are prevented from overriding or bypassing data validation and
editing errors.
- If not, the following are true:
--This override capability is restricted to supervisors in a limited number of acceptable
circumstances.
--All system overrides are automatically logged by the application so that these actions
can be analyzed for appropriateness and correctness.
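The validation and editing checks listed in this section and in the batch section above (check digits on identification keys, missing data, signs, limit or reasonableness checks, crossfooting, sequence, and dates against a cutoff table) are illustrated by the following example, added here and not part of the page. Its key point is the first item of the checklist: every field is edited even after an earlier field has failed, so the operator receives all error codes in one pass. The field names, error codes, cutoff table, amount limit and the mod-10 (Luhn) check-digit scheme are assumptions made for the example.

```python
"""Added example (not from the page): field-by-field validation and editing of
input transactions. Sample data, error codes, the cutoff-date table and the
mod-10 (Luhn) check-digit scheme are constructed assumptions."""
from datetime import date

# Constructed cutoff-date table: a transaction dated after its period's cutoff is rejected.
CUTOFF_DATES = {"2024-01": date(2024, 2, 5), "2024-02": date(2024, 3, 5)}
AMOUNT_LIMIT = 50_000.00            # constructed reasonableness limit
VALID_TXN_CODES = {"INV", "CRN", "PAY"}


def luhn_valid(key):
    """Mod-10 (Luhn) check digit over an identification key (assumed scheme)."""
    if not key.isdigit() or len(key) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(key)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_transaction(txn):
    """Return every error code for one transaction. Each check runs even when an
    earlier field has already failed, so all defects are reported together."""
    errors = []
    if txn.get("approval_code", "") == "":
        errors.append("E01_MISSING_APPROVAL")
    if txn.get("txn_code") not in VALID_TXN_CODES:
        errors.append("E02_INVALID_CODE")
    if not luhn_valid(str(txn.get("account_id", ""))):
        errors.append("E03_CHECK_DIGIT")
    amount = txn.get("amount")
    if amount is None:
        errors.append("E04_MISSING_AMOUNT")
    else:
        if amount < 0:
            errors.append("E05_SIGN")
        if abs(amount) > AMOUNT_LIMIT:
            errors.append("E06_LIMIT")
        # Crossfooting: the line items must add up to the transaction amount.
        if round(sum(txn.get("lines", [])), 2) != round(amount, 2):
            errors.append("E07_CROSSFOOT")
    period, txn_date = txn.get("period"), txn.get("date")
    if period not in CUTOFF_DATES or txn_date is None:
        errors.append("E08_MISSING_DATE")
    elif txn_date > CUTOFF_DATES[period]:
        errors.append("E09_AFTER_CUTOFF")
    return errors


def validate_batch(txns):
    """Validate each transaction and check the sequence numbers across the batch.
    Returns {sequence number: [error codes]} with an entry for every transaction."""
    results = {}
    expected = 1
    for txn in txns:
        errs = validate_transaction(txn)
        if txn.get("seq") != expected:
            errs.append("E10_SEQUENCE")
        expected = txn.get("seq", expected) + 1
        results[txn.get("seq")] = errs
    return results


# Constructed sample batch: one clean transaction, one with many defects, one out of sequence.
SAMPLE_BATCH = [
    {"seq": 1, "approval_code": "S12", "txn_code": "INV", "account_id": "79927398713",
     "amount": 100.00, "lines": [60.00, 40.00], "period": "2024-01", "date": date(2024, 1, 20)},
    {"seq": 2, "approval_code": "", "txn_code": "XXX", "account_id": "79927398710",
     "amount": -60000.00, "lines": [10.00], "period": "2024-01", "date": date(2024, 2, 10)},
    {"seq": 4, "approval_code": "S12", "txn_code": "PAY", "account_id": "79927398713",
     "amount": 25.00, "lines": [25.00], "period": "2024-02", "date": date(2024, 3, 1)},
]
```

Running `validate_batch(SAMPLE_BATCH)` gives an empty error list for transaction 1, seven codes for transaction 2, and only the sequence error for the transaction numbered 4. The override path the checklist warns about is deliberately absent: nothing here lets a caller skip a check, so any supervisor override would have to be a separate, logged transaction rather than a flag on this routine.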

- Batch control totals generated by the terminal or application are used by the user
department control group to validate the completeness of batches received as input
data.
- Record counts generated by the terminal, concentrator, or application are used by the
user department control group to validate the completeness of data input.
- Predetermined control totals generated by the terminal or application are used by the
user department's control group to validate the completeness of data input.
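The three completeness controls named here and in the batch section above (record counts, batch control totals and predetermined control totals) are shown in the following added example, which is not code from the page. The control group develops the totals on the batch header independently from the source documents; the application recomputes them from the records it actually received and reports any disagreement. The records, header values and the choice of account numbers as the predetermined (hash) total are constructed for the example.

```python
"""Added example (not from the page): validating batch completeness with record
counts, batch control totals and a predetermined (hash) control total. The batch,
the header submitted by the control group and the error cases are constructed."""


def compute_controls(records):
    """Totals the application develops from the records it actually received."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        # Hash total over account numbers: meaningless as a figure, but it moves
        # whenever a record is dropped, duplicated or posted to the wrong account.
        "account_hash_total": sum(r["account"] for r in records),
    }


def check_batch(header, records):
    """Compare the header totals the control group developed manually from the
    source documents with the recomputed totals; return the discrepancies."""
    actual = compute_controls(records)
    return [f"{k}: header={header[k]} actual={actual[k]}"
            for k in ("record_count", "amount_total", "account_hash_total")
            if header[k] != actual[k]]


# Constructed batch and the header the control group submitted with it.
BATCH = [
    {"account": 10001, "amount": 250.00},
    {"account": 10002, "amount": 75.50},
    {"account": 10003, "amount": 1200.00},
]
HEADER = {"record_count": 3, "amount_total": 1525.50, "account_hash_total": 30006}


def dropped_record():
    """Second record lost in conversion: all three controls disagree."""
    return check_batch(HEADER, BATCH[:1] + BATCH[2:])


def altered_amount():
    """Keying error in one amount: only the amount total disagrees."""
    altered = [dict(r) for r in BATCH]
    altered[1]["amount"] = 57.50
    return check_batch(HEADER, altered)


def wrong_account():
    """Amount keyed against the wrong account: the amount total still agrees and
    only the predetermined hash total catches it."""
    altered = [dict(r) for r in BATCH]
    altered[1]["account"] = 10020
    return check_batch(HEADER, altered)
```

The third case is why a predetermined control total is kept alongside the record count and the amount total: a transposed account number leaves both of the other controls intact.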

12. On-line Data Input Error Handling

- Documented procedures exist that explain the process of identifying,
correcting, and reprocessing data rejected by the application.
- Errors are displayed or printed immediately upon detection for immediate terminal
operator correction.
- Error messages are displayed with clearly understood cross-referenced corrective
actions for each type of error.
- Error messages are produced for each transaction which contains data that does not
meet edit requirements.
- Error messages are produced for each input data field which does not meet edit
requirements.
- All data rejected by the application is automatically written to an automated suspense
file.
- The automated suspense file includes:
--Codes indicating error type.
--Date and time the transaction was entered.
--Identity of the user who originated the transaction.

- Record counts are automatically created by the suspense file processing to control these
rejected transactions.
- Predetermined control totals are automatically created by suspense file processing to
control these rejected transactions.
- Rejected transactions caused by data entry errors are corrected by the terminal
operator.
- Rejected transactions not caused by data entry errors are corrected by the user
originating the transaction.
- The user department independently controls data rejected by the application by using:
--Turn around transmittal documents.
--Batching techniques.
--Record counts.
--Predetermined control totals.
--Logging techniques.
- The automated suspense file is used to control followup, correction, and reentry of
transactions rejected by the application.
- The automated suspense file is used to produce, for management review, analysis of
the following:
--Level of transaction errors.
--Status of uncorrected transactions.
- These analyses are used by management to make sure that corrective action is taken
when error levels become too high.
- These analyses are used by management to make sure that corrective action is taken
when uncorrected transactions remain on the suspense file too long.
- Progressively higher levels of management are reported to as these conditions worsen.
- Valid correction transactions purge the automated suspense file of corresponding
rejected transactions.
- Invalid correction transactions are added to the automated suspense file along
with the corresponding rejected transactions.
- All corrections are reviewed and approved by supervisors before reentry.

- The procedures for processing corrected transactions are the same as those for
processing original transactions, with the addition of supervisory review and
approval before reentry.
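The suspense-file behaviour required by this section and by the batch error-handling section above is brought together in the following example, which is added here and is not code from the page. It records the error codes, entry time and originator of each rejected transaction, keeps record counts and control totals over the file, insists on supervisory approval before a correction is reentered, re-edits the correction exactly like original input (a valid correction purges the entry, an invalid one is recorded against it, and there is no delete or erase command), and produces the aging analysis that tells management which uncorrected items have sat too long and who should hear about them. The edit rules, supervisor list, escalation thresholds and timestamps are constructed.

```python
"""Added example (not from the page): an automated suspense file for rejected
transactions with controls, approved corrections and an aging report. The edit
rules, supervisor list, thresholds and timestamps are constructed."""
from datetime import datetime

VALID_CODES = {"INV", "CRN", "PAY"}   # constructed
SUPERVISORS = {"sup01"}               # constructed


def edit_errors(txn):
    """Minimal edit check for the example; the application's full field
    validation would be applied here in practice."""
    errs = []
    if txn.get("code") not in VALID_CODES:
        errs.append("E02_INVALID_CODE")
    amount = txn.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errs.append("E05_AMOUNT")
    return errs


class SuspenseFile:
    def __init__(self):
        self.entries = {}   # transaction id -> suspense record

    def reject(self, txn, errors, originator, entered_at):
        """Write a rejected transaction to the file with its error codes, the
        entry timestamp (ISO 8601 string) and the user who originated it."""
        self.entries[txn["id"]] = {"txn": txn, "errors": list(errors),
                                   "originator": originator,
                                   "entered_at": entered_at, "corrections": 0}
        return txn["id"]

    def controls(self):
        """Record count and amount total over everything still on the file."""
        amounts = [e["txn"]["amount"] for e in self.entries.values()
                   if isinstance(e["txn"].get("amount"), (int, float))]
        return {"record_count": len(self.entries),
                "amount_total": round(sum(amounts), 2)}

    def correct(self, txn_id, corrected, approved_by):
        """Apply a correction transaction. There is no operator delete command:
        the only way off the file is a correction that passes the same edits
        as original input, after supervisory approval."""
        if txn_id not in self.entries:
            return "NOT_ON_FILE"
        if approved_by not in SUPERVISORS:
            return "NOT_APPROVED"
        entry = self.entries[txn_id]
        entry["corrections"] += 1
        errs = edit_errors(corrected)
        if errs:
            # An invalid correction stays on file alongside the rejected item.
            entry["txn"], entry["errors"] = corrected, errs
            return "STILL_REJECTED"
        self.entries.pop(txn_id)   # a valid correction purges the entry
        return "REENTERED"

    def aging_report(self, as_of, warn_days=5, escalate_days=10):
        """Status of uncorrected transactions, oldest first, with the level of
        management each should be reported to as the condition worsens."""
        now = datetime.fromisoformat(as_of)
        rows = []
        for tid, e in self.entries.items():
            age = (now - datetime.fromisoformat(e["entered_at"])).days
            if age >= escalate_days:
                report_to = "department manager"
            elif age >= warn_days:
                report_to = "supervisor"
            else:
                report_to = "control group"
            rows.append({"id": tid, "age_days": age, "errors": e["errors"],
                         "originator": e["originator"],
                         "corrections": e["corrections"], "report_to": report_to})
        return sorted(rows, key=lambda r: -r["age_days"])
```

Because corrections go through `edit_errors` exactly as original input does, the file can never be cleared by a transaction that would itself have been rejected; the `corrections` counter on each entry is what a management analysis of error levels would use to spot items that keep bouncing.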

DATA OUTPUT CONTROLS.

Data output controls are used to ensure the integrity of output and the correct
and timely distribution of the outputs produced. Not only must outputs be accurate, but
they must also be received by users in a timely and consistent manner. Outputs can be
produced in two different ways: batch and on-line. The main areas of control include:
--output balancing and reconciliation,
--output distribution,
--output error handling, and
--handling and retention of output records and accountable documents.
Of critical importance is the interface between the data processing department
and the user department.

The auditor should evaluate the adequacy of controls over outputs to make sure
that data processing results are reliable, output control totals are accurate, and reports
are distributed in a timely manner to users.

13. Batch Output Balancing and Reconciliation

- The data processing control group monitors the processing flow to make sure that
application programs are being processed according to schedule.
- The data processing department control group reviews output products for general
acceptability and completeness.

- System output logs are kept to provide an audit trail for the outputs.
- Output logs are reviewed by supervisors to determine the correctness of output
production.
- A transaction log is kept by the application to provide an audit trail for the transactions
being processed.
- A transaction log is kept at each output device to provide an audit trail for the
transactions being processed.
- The transaction log kept by the application is compared regularly with the transaction
log kept at each output device to make sure that all transactions have been properly
processed to the final output steps.
- Transactions can be traced forward to the final outputs.
- Transactions can be traced backward to the original source documents.
- On each output product, the application identifies the:
--Title or name of product.
--Processing program name or number.
--Date and time prepared.
--Processing period covered.
--User name and location.
--Counts developed during processing.
--End-of-job/file/report indication.
--Security classification, if any.
- The user department is given lists of all internally generated transactions produced by
the application.
- The user department is given a list of all transactions entered into the application.
- The user department is furnished reports produced by the application which show the:
--Batch totals.
--Record counts.
--Predetermined control totals.

- The user department verifies all computer-generated batch totals against its manually
developed batch totals.
- The user department verifies all computer-generated record counts against its manually
developed record counts.
- The user department verifies all computer-generated predetermined control totals against its
manually developed predetermined control totals.
- The user department verifies the accuracy and completeness of all outputs.
- The user department retains ultimate responsibility for the accuracy of all outputs.
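Three of the controls in this section, the comparison of the application's transaction log with the log kept at each output device, forward and backward tracing of transactions, and the identifying header and end-of-report indication on each output product, are shown in the following added example. It is not code from the page; the log records, report layout and trailer format are constructed for the illustration.

```python
"""Added example (not from the page): reconciling the application transaction
log against output device logs, tracing transactions forward and backward, and
checking an output product's header and end-of-report trailer. All records and
report lines are constructed sample data."""

# Constructed application transaction log: what the application processed, the
# source document each transaction came from and the output product it feeds.
APP_LOG = [
    {"txn": "T1", "source_doc": "SD-001", "product": "RPT-AR-01"},
    {"txn": "T2", "source_doc": "SD-002", "product": "RPT-AR-01"},
    {"txn": "T3", "source_doc": "SD-003", "product": "RPT-AR-01"},
    {"txn": "T4", "source_doc": "SD-004", "product": "RPT-AP-02"},
]

# Constructed output device log: what actually reached the printers and terminals.
DEVICE_LOG = [
    {"txn": "T1", "device": "PRN-01", "product": "RPT-AR-01"},
    {"txn": "T2", "device": "PRN-01", "product": "RPT-AR-01"},
    {"txn": "T2", "device": "PRN-01", "product": "RPT-AR-01"},  # output twice
    {"txn": "T4", "device": "TRM-07", "product": "RPT-AP-02"},
    {"txn": "T5", "device": "PRN-01", "product": "RPT-AR-01"},  # no such transaction
]


def reconcile_logs(app_log, device_log):
    """Report transactions processed but never output, output with no processed
    transaction behind it, and transactions output more than once."""
    processed = {r["txn"] for r in app_log}
    seen = {}
    for r in device_log:
        seen[r["txn"]] = seen.get(r["txn"], 0) + 1
    return {
        "missing_from_output": sorted(processed - set(seen)),
        "unknown_on_device": sorted(set(seen) - processed),
        "duplicated_on_device": sorted(t for t, n in seen.items() if n > 1),
    }


def trace_forward(txn_id, device_log):
    """Forward trace: every (device, product) on which the transaction appeared."""
    return [(r["device"], r["product"]) for r in device_log if r["txn"] == txn_id]


def trace_backward(txn_id, app_log):
    """Backward trace: the original source document, or None if unknown."""
    for r in app_log:
        if r["txn"] == txn_id:
            return r["source_doc"]
    return None


def build_report(title, program, prepared_at, period, user, detail_lines):
    """Assemble a product carrying the identifying items the checklist asks for
    and an end-of-report trailer with the count developed during processing."""
    header = (f"REPORT {title} PROGRAM={program} PREPARED={prepared_at} "
              f"PERIOD={period} USER={user}")
    return [header, *detail_lines, f"END OF REPORT RECORDS={len(detail_lines)}"]


def report_complete(lines):
    """An output product is accepted only if its first line identifies it and
    the trailer's record count matches the detail lines actually present, so a
    report cut off by a device failure is not released as complete."""
    if len(lines) < 2 or not lines[0].startswith("REPORT "):
        return False
    trailer = lines[-1]
    if not trailer.startswith("END OF REPORT RECORDS="):
        return False
    declared = int(trailer.split("=", 1)[1])
    return declared == len(lines) - 2
```

The reconciliation finds the three conditions a control group cares about separately, because each has a different owner: a missing transaction is a processing or transmission problem, a duplicate is usually a device or restart problem, and an unknown transaction on an output device points at something that bypassed the application.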

14. Batch Output Distribution

- Documented procedures exist that explain the methods for proper handling and
distribution of output products.
- The cover sheet of every report clearly identifies the recipient's name and location.
- The user department has a person who is responsible for distributing all output
produced by the computer application.
- The user department has a schedule, by application, that shows when output
processing will be completed and when output products need to be distributed.
- A priority system has been established so that critical outputs can be produced on time.
- The data processing department control group keeps a log, by application, of all output
products produced by the system.
- The data processing department maintains a formalized output distribution checklist to
show the disposition of each output product.
- The output distribution checklist is used to verify the acknowledgment of all turnaround
transmittal documents from recipients of output.

15. On-line Output Balancing and Reconciliation

- Documented procedures exist that explain the methods for proper balancing and
reconciliation of output products.
- The data processing department has a control group responsible for making
sure the output products are accurately processed by data processing and
correctly transmitted to user terminal devices.
- The data processing department control group has a schedule, by application, that
shows when pre-output processing ends and when output processing begins.
- The data processing department control group monitors the processing flow to make sure
that application programs are being processed according to schedule.
- The data processing department control group reconciles each output batch total with input
batch totals, before the transmission of outputs, to ensure that no data was added or
lost during data processing.
- The data processing department control group reconciles output predetermined control
totals with input predetermined control totals, before the transmission of outputs, to
ensure that no data was added or lost during data processing.
- A log is kept by the application to provide an audit trail for transactions being
processed.

- Terminal devices automatically disconnect from the computer-based system if they are
unused for a certain amount of time.
- Terminal devices need to be logged off at the end of the day so that they will be
disconnected from the computer-based system.
- Output devices are located in secure facilities at all times to protect against
unauthorized access.
- As outputs are transmitted and received, the terminal output device sends a reply that
they have been correctly received.
- Message content is validated before displaying, writing, or printing on the
terminal output device.
- The user department has a control group responsible for reviewing all outputs
produced by the computer application.

- The user department control group reconciles each output batch total with input batch
totals, before the release of any reports, to ensure that no data was added or lost during
data processing.
- The user department control group maintains a formalized output distribution checklist
to show the disposition of each output product.

Chapter 5. COMPUTER OPERATION

Abstract

Resource allocation, Management of IS operations, Computer Operations, Operating
Procedures, Job Accounting, Lights Out Operations (Automated Unattended
Operations), Job schedulers, Technical support/help desk, Problem Management
Procedures, System software selection process, Cost/benefit analysis, System software
implementation controls, Software control features or parameters, Program Change
Control, Librarian and backup Function, Controls of the Off-line Library, Review
hardware acquisition plan, Operating Systems Software Acquisition, or maintenance,
Service Level, Tape and disk management systems and Business Continuity Planning.

IS operations control the day-to-day functioning of IS hardware and software. IS
processing environments vary among organisations depending on the size of the
computer installation and workload.
IS operations generally include the following functional areas:
Management of IS operations;
Computer operations;
Technical support/help desk;
Scheduling;
Controlling input/output of data;
Quality assurance;
Program change control;
Librarian function;
Problem management procedures; and
Procedures for monitoring efficient and effective use of resources.

1. Management of IS operations.
IS management has the overall responsibility for all operations within the IS.

2. Resource Allocation
Management is responsible to ensure that the necessary resources are available to
perform the planned activities within the IS function.

3. Computer Operations.

Computer operators are responsible for the accurate and efficient operation of
scheduled jobs on the computer.

4. Operating Procedures.
Procedures detailing instructions for the operations, task and procedures, prepared in
accordance with IS Management's authorization and intent are necessary parts of the IS
control environment.

This documentation should include:
Operator procedures based on computer operation instructions and peripheral
equipment;
Procedures for rectifying machine or program failure;
Instructions for output report distribution;
Procedures for obtaining files from the off-line library and returning files to the library;
Procedures for reporting run delays; and
Procedures for reporting computer failures, job processing delays, and the recording of
corrective actions taken.

Operation tasks are as follows:
Restarting computer applications after an abnormal termination has been investigated
and resolved by the responsible end user department;
Facilitating daily backup of sensitive computer files;
Observing the information processing facility for unauthorized entry;
Monitoring adherence with documented job schedules as established by IS and end
user management; and
Participating in tests of disaster recovery plans.
Operators should not have unrestricted access to computerized application software,
data and utilities. Operator consoles should also be properly protected.

5. Job Accounting

Job accounting applications are designed to monitor and record IS resource usage.
Information recorded by these applications, such as the performance and utilization of
the CPU, secondary storage media and terminal connect time, is used by IS
Management to perform activities which include:
Matching resource utilization to associated users for billing purposes; and
Optimizing hardware performance by changing or "tuning" system software defaults.

6. Lights Out Operations (Automated Unattended Operations)

"Lights Out Operations" refers to the automation of key computer room operations such
that these tasks can take place without human intervention. The type of tasks being
automated with the use of sophisticated system operations software are:
Job scheduling;
Console Operation;
Report balancing and distribution;
Re-run/Re-start activities;
Tape mounting and management;
DASD management;
Environmental monitoring; and
Physical and data security software.
Advantages of Lights Out Operations
Cost containment and/or reduction in IS operations;
Continuous operations (24 by 7: 24 hours a day, 7 days a week); and
Reduced number of system errors and interruptions.

7. Job schedulers.

This software provides an orderly way to stage and initiate computer work. The
scheduling can be on a FIFO (first-in first-out) basis, by time, by successful completion of
preceding activities, as resources become available, by priority, or by a combination of means.
Schedulers may include a preprocess function which checks for errors in the process
request (e.g., Job Control Language (JCL) syntax errors, or invalid process or file
names). Schedulers can accept process requests from multiple sources, so the auditor
should be aware of all sources and of how authorization is checked for the processes
scheduled.
Scheduling is a major function within IS. The schedule includes the jobs that must be run,
the sequence of job execution and the conditions that cause program execution. It also
permits the scheduling of low priority jobs if time becomes available. Job scheduling
software is often used. Automation provides control over the scheduling process since
job information is set up once, reducing the possibility of errors, job dependencies can
be defined, and the software can provide security over access to production data.
These schedules ensure efficient use of computer resources.

Formal Job Scheduling Procedures

Job scheduling procedures are necessary to ensure that IS resources are optimally
utilized based on processing requirements.
Management should authorize processing schedule changes, and review the log of jobs
which have been executed.
Scheduling functions
High priority jobs should be given optimal resource availability while maintenance
functions such as backup and system reorganization should be performed during non
peak times. Schedules provide a means to keep customer demand at a manageable
level and permit unexpected or on request jobs to be processed without unnecessary
delay.
The introduction of job scheduling systems helps ensure jobs are run in proper
sequence.
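The scheduler behaviour described in this section (a preprocess function that rejects malformed or unauthorized requests, execution ordered by dependency on the successful completion of preceding jobs, by priority and otherwise first-in first-out, and an execution log management can review) is shown in the following added example. It is not code from the page or from any real scheduler; the job definitions, the authorized-source list, the job-name rule standing in for a JCL syntax check, and the run outcomes are all constructed.

```python
"""Added example (not from the page): a small job scheduler with preprocess
checks, dependency, priority and FIFO ordering, and an execution log. Job
definitions, authorized sources, the name rule and the run outcomes are constructed."""
import re

AUTHORIZED_SOURCES = {"ops_console", "batch_queue"}   # constructed


def preprocess(job, known_names):
    """Reject a process request before it is queued: an unauthorized source, a
    malformed job name, or a dependency on a job nobody has defined."""
    errors = []
    if job.get("source") not in AUTHORIZED_SOURCES:
        errors.append("unauthorized source")
    if not re.fullmatch(r"[A-Z][A-Z0-9]{0,7}", job.get("name", "")):
        errors.append("invalid job name")
    for dep in job.get("after", []):
        if dep not in known_names:
            errors.append(f"unknown dependency {dep}")
    return errors


def schedule(jobs):
    """Run jobs whose predecessors all completed successfully, choosing among the
    runnable ones by priority (lower number first) and then by submission order.
    The constructed `result` field stands in for the real run outcome. Returns
    the execution log as (name, status) pairs; a job whose predecessor failed or
    never ran is logged as held so that it is not silently forgotten."""
    names = {j["name"] for j in jobs}
    for j in jobs:
        problems = preprocess(j, names)
        if problems:
            raise ValueError(f"job {j.get('name')} failed preprocess: {problems}")
    submitted = {j["name"]: i for i, j in enumerate(jobs)}   # FIFO tie-break
    status, log = {}, []
    while True:
        runnable = [j for j in jobs if j["name"] not in status
                    and all(status.get(d) == "ok" for d in j.get("after", []))]
        if not runnable:
            break
        job = min(runnable, key=lambda j: (j["priority"], submitted[j["name"]]))
        status[job["name"]] = job["result"]
        log.append((job["name"], job["result"]))
    for j in jobs:
        if j["name"] not in status:
            log.append((j["name"], "held"))
    return log


# Constructed nightly run: REPORT fails, so DISTRIB must be held even though it
# carries the highest priority, and BACKUP runs only once nothing else is runnable.
SAMPLE_JOBS = [
    {"name": "BACKUP",  "source": "ops_console", "priority": 5, "after": [],          "result": "ok"},
    {"name": "EXTRACT", "source": "batch_queue", "priority": 1, "after": [],          "result": "ok"},
    {"name": "LOAD",    "source": "batch_queue", "priority": 1, "after": ["EXTRACT"], "result": "ok"},
    {"name": "REPORT",  "source": "batch_queue", "priority": 2, "after": ["LOAD"],    "result": "fail"},
    {"name": "DISTRIB", "source": "batch_queue", "priority": 1, "after": ["REPORT"],  "result": "ok"},
]
```

The log returned by `schedule` is the artifact the text says management should review; the `preprocess` check on `source` is where the authorization of each request origin the auditor is told to look for would be enforced.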

8. Technical support/help desk

The responsibility of the technical support/help desk function is to provide technical
oversight and support for production systems and to identify and assist in system
problem resolution. In addition, it is technical support's responsibility to apprise
management of current technologies that may benefit overall operations.

Written Procedures
Procedures covering the tasks to be performed by the Technical support/help desk
personnel must be established in accordance with the overall strategies and policies.

The auditor should review problem logs or reports to confirm that problems occurring
during processing were addressed in a timely manner and that appropriate corrective
action was taken, identify specific problems encountered, and ascertain the
effectiveness of the problem resolution process.

Technical support/help desk tasks include:
a. Determining the source of computer problems and taking appropriate action.
b. Initiating problem reports as required and ensuring that problems are resolved in a timely
manner.
c. Obtaining detailed knowledge of operating systems and other systems software.
d. Answering inquiries regarding specific systems.
e. Controlling the installation of vendor and systems software.
f. Maintaining documentation of vendor software, including the issuance of new releases and
problem fixes, as well as documentation of in-house developed systems and utilities.

The audit should address control over the following:

a. Ensure that problems are recorded. The basic data are: problem number, date reported,
time reported, type of software, type of hardware, problem description and type, priority,
resolved by, escalated to vendor, date escalated to vendor, time escalated to
vendor, time resolved, date resolved, time closed and date closed. If the problem
involves hardware, it is suggested that the data should also include the serial
number, hardware brand and model.
b. Ensure that the problem is escalated to authorised technical support.
c. Ensure that the solution to the problem is recorded.
d. Ensure that problems are evaluated and monitored periodically, considering the
statistics of the problems by software (type of software), hardware (type of hardware,
brand, model, serial number), problem type, duration and personnel.
e. The statistics are used to monitor the overall performance of the system.

Trend analysis and reporting provides assurance that reports:
a. are produced and trends acted upon for improved service;
b. include specific problems, trend analyses, and response times; and
c. are delivered to a responsible individual with authority to resolve problems.

Audit procedures for the help desk include:
Review of a sample of help requests, confirming the accuracy, timeliness, and sufficiency of
the response;
Review of help desk staff competency and capability with respect to performing their
duties;
Review of selected escalated queries for adequacy of response; and
Review of reporting for trends and possible performance enhancement opportunities.

Weaknesses the auditor may identify include:
Inadequate interaction of help desk activities with respect to other functions within the
information services function, as well as user organisations;
Insufficient procedures and activities relating to problem reporting, query receipt,
registration, logging, tracking, escalation, and resolution;
Deficient escalation process with respect to lack of managerial involvement or effective
corrective actions; and
Inadequate timeliness of problem reporting or user dissatisfaction with problem
reporting process procedures.

9. Problem Management Procedures

Detection, Documentation, Control, Resolution, and Reporting of Abnormal Conditions.

Because of the highly complex nature of software, hardware and their
interrelationships, a mechanism should exist to detect and document any abnormal
conditions. This documentation generally takes the form of a mechanized or manual
log.

Examples of items which should appear in this error log include:
Program errors;
System errors;
Operator errors;
Telecommunications errors; and
Hardware errors.

Examples of items which should appear in an error log entry include:
Error date;
Error resolution descriptions;
Error code;
Error description;
Source of error;
Initials of the individual responsible for maintaining the log;
Initials of the individual responsible for closing the log entry;
Department/center responsible for error resolutions;
Status code of problem resolution, i.e., problem open, problem closed pending some
future specified date, or problem unresolved in current environment; and
Narrative of the error resolution status.
For control purposes, the ability to add entries to the error log should not be restricted.
The ability to update the error log should, however, be restricted to authorized
individuals only. Proper segregation of duties requires that the ability to close an error-log
entry be assigned to a different individual than the one responsible for maintaining or
initiating the error log entry (generally, IS management).
IS Management should perform procedures to ensure that the problem management
mechanism is being properly maintained and that outstanding errors are being adequately
addressed and resolved.
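The problem record described under the help desk audit above and the error log described in this section share one structure, so the following added example covers both. It is not code from the page. Anyone may add an entry; updates (escalation, resolution) are restricted to technical support; closing requires IS management and a person other than the one who logged or resolved the entry; and the log yields the statistics by problem type, hardware model and resolution time that the help desk section says should be monitored. The roles, user ids, hardware details and sample problems are constructed.

```python
"""Added example (not from the page): a problem/error log that records the data
items listed above, enforces the segregation described (anyone may add, only
technical support may update, closing needs IS management and a different
person) and produces monitoring statistics. Roles, users and problems are constructed."""
from collections import Counter
from datetime import datetime

ROLES = {"ops01": "operator", "ts01": "technical_support",
         "ts02": "technical_support", "mgr01": "is_management"}   # constructed


class ProblemLog:
    def __init__(self):
        self.entries = {}
        self._next = 1

    def add(self, reported_by, reported_at, description, problem_type, priority,
            software=None, hardware=None):
        """Adding an entry is deliberately unrestricted so that nothing goes unlogged.
        `hardware`, when given, carries brand, model and serial number."""
        no = self._next
        self._next += 1
        self.entries[no] = {
            "problem_no": no, "reported_by": reported_by, "reported_at": reported_at,
            "description": description, "type": problem_type, "priority": priority,
            "software": software, "hardware": hardware, "status": "open",
            "escalated_to": None, "escalated_at": None, "resolved_by": None,
            "resolution": None, "resolved_at": None, "closed_by": None, "closed_at": None,
        }
        return no

    def escalate(self, no, by, to, at):
        """Updates are restricted to technical support."""
        if ROLES.get(by) != "technical_support":
            return "DENIED"
        self.entries[no].update(escalated_to=to, escalated_at=at)
        return "OK"

    def resolve(self, no, by, resolution, at):
        if ROLES.get(by) != "technical_support":
            return "DENIED"
        self.entries[no].update(status="resolved", resolved_by=by,
                                resolution=resolution, resolved_at=at)
        return "OK"

    def close(self, no, by, at):
        """Closing needs IS management and a person other than the one who
        reported or resolved the entry, and only after a resolution is recorded."""
        e = self.entries[no]
        if ROLES.get(by) != "is_management" or by in (e["reported_by"], e["resolved_by"]):
            return "DENIED"
        if e["status"] != "resolved":
            return "NOT_RESOLVED"
        e.update(status="closed", closed_by=by, closed_at=at)
        return "OK"

    def statistics(self):
        """Counts by problem type and hardware model, number still open, and the
        mean hours from report to resolution (timestamps are ISO 8601 strings)."""
        entries = self.entries.values()
        hours = [(datetime.fromisoformat(e["resolved_at"]) -
                  datetime.fromisoformat(e["reported_at"])).total_seconds() / 3600
                 for e in entries if e["resolved_at"]]
        return {
            "by_type": dict(Counter(e["type"] for e in entries)),
            "by_hardware": dict(Counter(e["hardware"]["model"] for e in entries if e["hardware"])),
            "open": sum(1 for e in entries if e["status"] == "open"),
            "mean_hours_to_resolve": round(sum(hours) / len(hours), 2) if hours else None,
        }
```

The `close` check is the segregation control the text asks for: the same person cannot both record a resolution and sign the entry off, and an unresolved entry cannot be closed at all, which is what keeps the "outstanding errors" that management reviews honest.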

10. Tape and disk management systems

A tape management system (TMS) or disk management system (DMS) is specialized
system software that tracks and lists the tape/disk resources needed for data center
processing. These systems record data set name and specific tape reel or disk drive
location, creation date, effective date, retention period, expiration date and contents
information. A TMS/DMS minimizes computer operator time and errors in locating proper
files or mounting the wrong dataset version, and can improve space efficiency by
consolidating fragmented free space.
Review the media library management system controls for the following:
Determine if the media librarians periodically verify the accuracy of the information
created and maintained by the automated media library management system;
Verify that the library inventory specifies media number, retention period, current
custody and physical location; and
Select a sample of inventoried media (tape / disk) and verify that they have suitable
internal label identification.

11. System software selection process.

Review system software selection procedures to determine that they:
Address both the IS long range and business plans;
Include IS processing and control requirements;
Include an overview of the capabilities of the software and control options; and
Meet the IS requirements.

Today's computer processing environment requires various system software which
include operating system, communication software, a DBMS, a tape management
system, a security package, a scheduler, etc. When selecting software, a number of
sophisticated and technical issues must be considered, including:
Business, functional, and technical needs and specifications;
Cost/benefit;
Obsolescence;
Compatibility with existing systems;
Security;
Demands on existing personnel;
Training and hiring requirements; and
Future growth needs.
To ensure that these and other challenging issues are addressed correctly, a feasibility
team should be established. The feasibility team should include the following members:
Software development project manager, to oversee the project development process;
Software system engineers, to provide system requirements definitions, system
analysis, the development of the functional design document, and to plan and conduct
the software requirements review;
Individuals involved in the following supporting roles: Business sector and application
specialists;
Data base and capacity planning specialists;
Data administrator;
Network and technical support specialists;
Vendor personnel;
Quality assurance personnel, to assure the development and delivery of a contractually
acceptable product;

Subject matter experts, to provide assistance in defining operations requirements, and
IS management, whose responsibility it is to ensure the software will be consistent with
the goals and objectives established for the organisation.

Requirement definition
The system requirements define the business/functional specifications expected from
the proposed software. The requirements include manual and automated components.
The key deliverable is the system requirements definition. The following are tasks that
should be considered for requirement definition:
Establish the scope, objectives, background and project charter;
Establish business requirements;
Develop a conceptual model of the base computer environment that will support the
efficient application development and processing required to meet the business needs
and structure;
Develop security, control and performance (speed and cost) requirements;
Consolidate the definition of all requirements; and
Analyze and evaluate alternative solutions.

Software alternatives

Software can be purchased as a package from a vendor or developed within the
organisation. Software alternatives analysis should include an evaluation of the
following:
Criteria for selecting or rejecting alternatives;
Cost factors to be considered in developing versus purchase decisions;
Software cost;
Initial and continuing support availability;
Delivery schedule including lead time requirements;
Requirements and constraints in order to use the software;
Capabilities and limitations of the software;
Potential risk of using a package in terms of future costs and vendor access to the
organisation;
Alternative approaches which may satisfy the defined requirements;
Selection advice from vendors, comparable installations and consultants;
Compatibility with existing in-house system software; such as operating system, data
base management system and communication software;
Financial stability of software suppliers; and
Technical expertise of software suppliers.

12. Cost/benefit analysis.

Cost/benefit analysis provides IS management with an analysis of the software
implementation cost and the benefits that may be derived from the proposed software.
The following should be included in the analysis:
Current system operating cost;
Resources and facilities required to maintain the current system;
Current system capabilities and limitations;
Resources and facilities required to develop/implement the software;
Proposed software capabilities and benefits;
Resources and facilities required to maintain the proposed system;
Ability for the future system enhancement; and
Opportunity to provide greater efficiency or cost effective use of processing resources.

The decision on system software should in the end be based on the:
Appropriateness of the proposed software to the desired computer environment;
Integration with the existing environment; and
Hard and soft costs.

13. System software implementation controls

System software implementation controls include controls over the design of new
software, testing software, controls over placing the approved software into production,
and controls to ensure all impacted system and application software and data are
properly converted and verified prior to implementation.
Upon completing the system design and program development, the software should be
tested in three stages:
Program testing to check the logic of individual programs;
System testing that checks program logic to ensure consistency as the programs are
linked together, and that the system requirements are met; and
Parallel testing of the new software simultaneously with the existing software. All test
results should be documented, reviewed and approved by technically qualified subject
area experts prior to production use.
Change control procedures are designed to ensure that IS management and personnel
are aware of and involved in the system software change process.

14. Software control features or parameters

Various operating system software products provide parameters and options to change
system performance and activate features such as activity logging. Parameters are
important in determining how a system runs, physical configuration, and its interaction
with the workload. Some of the software control parameters deal with:
Data management;
Resource management; and
Job management.

Parameter selections should be appropriate to the organisation's work load and control
environment structure. The most effective means of determining how controls are
functioning within an operating system is to review the software control features and/or
parameters.
Activity logging and reporting options
Computer processing activity can be logged for analysis of system functions. The
following are some of the analysis that can be performed based on the activity log:
System log analysis for approval of:
Data file versions used for production processing;
Program accesses to sensitive data;
Program schedule/run; and
Utilities or service aids usage.
Operating system analysis to ensure that integrity of the operating system has not been
compromised due to improper changes to system parameters and libraries.
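As an added illustration of the log review described above (example code written for this chapter, not from the original text or from any real logging product), the Python below parses a constructed system activity log and flags the conditions the list names: a program not authorised for a sensitive data file, utility or service-aid usage, writes to system parameter libraries, and a production run against a data file version that is not the current one. The log layout, dataset names, program names and the authorised-program table are all constructed assumptions agreed with IS management for the sake of the example.

```python
"""Review of a system activity log, scripted the way an IS auditor might.

The log layout and every line in SAMPLE_LOG are constructed for this example;
real system logs differ in format but carry the same fields (timestamp,
job, user, program, action, resource, access mode).
"""
import re
from collections import Counter

# Constructed sample log; no real system produced these lines.
SAMPLE_LOG = """\
2024-03-01T02:15:04 job=PAYROLL01 user=OPS1 prog=PAYCALC action=OPEN resource=PROD.PAYROLL.MASTER.V3 mode=READ
2024-03-01T02:16:11 job=PAYROLL01 user=OPS1 prog=PAYCALC action=OPEN resource=PROD.PAYROLL.MASTER.V3 mode=WRITE
2024-03-01T03:02:40 job=ADHOC77 user=DEV4 prog=UTILCOPY action=OPEN resource=PROD.PAYROLL.MASTER.V3 mode=READ
2024-03-01T03:05:12 job=ADHOC77 user=DEV4 prog=UTILEDIT action=UPDATE resource=SYSTEM.PARAMS mode=WRITE
2024-03-01T04:00:00 job=GLPOST02 user=OPS1 prog=GLPOST action=OPEN resource=PROD.GL.LEDGER.V2 mode=WRITE
2024-03-01T04:30:00 job=GLPOST02 user=OPS1 prog=GLPOST action=OPEN resource=PROD.GL.LEDGER.V1 mode=READ
"""

# Control parameters the auditor would agree with IS management (constructed):
# which programs may touch which sensitive data, which programs are utilities,
# which resources are system parameters/libraries, and the current file versions.
AUTHORISED_PROGRAMS = {"PROD.PAYROLL.": {"PAYCALC"}, "PROD.GL.": {"GLPOST"}}
UTILITY_PROGRAMS = {"UTILCOPY", "UTILEDIT"}
SYSTEM_RESOURCES = {"SYSTEM.PARAMS", "SYSTEM.LINKLIB"}
CURRENT_VERSIONS = {"PROD.PAYROLL.MASTER": "V3", "PROD.GL.LEDGER": "V2"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    record = {"ts": match.group("ts")}
    for pair in match.group("fields").split():
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def analyse(records):
    """Return a list of (finding_type, timestamp, subject, resource) tuples."""
    findings = []
    for r in records:
        res = r.get("resource", "")
        # 1. Program access to sensitive data by a program not authorised for it.
        for prefix, programs in AUTHORISED_PROGRAMS.items():
            if res.startswith(prefix) and r["prog"] not in programs:
                findings.append(("UNAUTHORISED_PROGRAM", r["ts"], r["prog"], res))
        # 2. Any use of utilities or service aids is reported for review.
        if r["prog"] in UTILITY_PROGRAMS:
            findings.append(("UTILITY_USE", r["ts"], r["user"], r["prog"]))
        # 3. Writes to system parameters or libraries may compromise OS integrity.
        if res in SYSTEM_RESOURCES and r["mode"] == "WRITE":
            findings.append(("SYSTEM_CHANGE", r["ts"], r["user"], res))
        # 4. Production job run against a file version that is not the current one.
        base, _, version = res.rpartition(".")
        if base in CURRENT_VERSIONS and version != CURRENT_VERSIONS[base]:
            findings.append(("STALE_VERSION", r["ts"], r["job"], res))
    return findings


def summarise(findings):
    """Count findings by type, for the audit working paper."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(*finding)
    print(summarise(analyse(parse_log(SAMPLE_LOG))))
```

The control tables at the top are the part an auditor has to obtain from management before the review has any meaning; the script only reports where the log disagrees with them.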

15. Program Change Control

Program Change Control (PCC) procedures, often referred to as change management,
are established by IS management to control the movement of software from the
development environment, where development occurs, to the staging environment, where
thorough testing occurs, and then to the production environment. That portion of the PCC
mechanism that describes the actions to be performed by IS operations personnel after a
job or program has passed user acceptance testing and is to be moved from the staging
environment to the production environment is referred to as "formal job turnover
procedures."
The procedures associated with this turnover process include ensuring that:
System, operations and program documentation are complete, up-to-date, and in
compliance with the established standards;
Job preparation, scheduling, backup procedure and operating instructions have been
established;
System and program test results have been reviewed and approved by user and project
management;
Data file conversion, if necessary, has occurred accurately and completely as evidenced
by review and approval by user management;
System conversion has occurred accurately and completely as evidenced by review and
approval by user management ; and all aspects of jobs turned over have been tested,
reviewed and approved by Control/Operations personnel.
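The turnover procedure above can be enforced rather than merely documented. The Python below is an added illustration (not code from the page or from any real change-management product): a change may move development to staging to production only along that path, and only when the evidence the list calls for has been recorded. The evidence item names are constructed, and the rule that the person attesting to an item must not be the change's submitter is an added assumption in the spirit of segregation of duties, not something the list spells out.

```python
"""Formal job turnover gate: a change moves development -> staging -> production
only when the evidence the turnover procedure calls for has been recorded.

Added illustration; the evidence item names are constructed and the
no-self-approval rule is an assumption (segregation of duties).
"""
from dataclasses import dataclass, field

# The only permitted movements between environments.
TRANSITIONS = {("development", "staging"), ("staging", "production")}

# Evidence that must be on file before a change may enter each environment.
REQUIRED = {
    "staging": {"unit_test_results"},
    "production": {
        "documentation_complete",          # system, operations and program docs to standard
        "job_preparation_established",     # scheduling, backup and operating instructions
        "test_results_user_approved",      # user management sign-off on test results
        "test_results_project_approved",   # project management sign-off on test results
        "conversion_user_approved",        # data/system conversion reviewed by user management
        "operations_approved",             # Control/Operations review of the turned-over job
    },
}


@dataclass
class Change:
    change_id: str
    submitter: str
    environment: str = "development"
    evidence: dict = field(default_factory=dict)   # evidence item -> who attested to it
    history: list = field(default_factory=list)    # (target, outcome, operator, reasons)


def record_evidence(change, item, attested_by):
    change.evidence[item] = attested_by


def promotion_blockers(change, target):
    """Return the reasons a promotion must be refused; an empty list means it may proceed."""
    reasons = []
    if (change.environment, target) not in TRANSITIONS:
        reasons.append(f"no direct path {change.environment} -> {target}")
    needed = REQUIRED.get(target, set())
    on_file = set(change.evidence)
    for item in sorted(needed - on_file):
        reasons.append(f"missing evidence: {item}")
    for item in sorted(needed & on_file):
        # Assumed rule: the submitter may not attest to their own change.
        if change.evidence[item] == change.submitter:
            reasons.append(f"self-approval of {item} by {change.submitter}")
    return reasons


def promote(change, target, operator):
    """Move the change if the gate passes; every attempt is written to the history."""
    blockers = promotion_blockers(change, target)
    if blockers:
        change.history.append((target, "REFUSED", operator, blockers))
        return False
    change.history.append((target, "MOVED", operator, []))
    change.environment = target
    return True


if __name__ == "__main__":
    chg = Change("CHG-0001", "dev_alice")
    record_evidence(chg, "unit_test_results", "qa_carol")
    promote(chg, "staging", "ops_bob")
    print(chg.environment, promotion_blockers(chg, "production"))
```

The history list is the audit trail: refused attempts are kept alongside successful moves, so a reviewer can see which evidence was missing when, and who operated the gate.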

Review change management controls for the following:

Determine if the individual responsible for scheduling was advised in a timely manner
regarding changes to the hardware configuration;
Verify that IS Management has developed and enforced change schedules that allow
time for adequate installation and testing of new hardware;
Verify that the operator documentation used in IS is revised appropriately prior to
implementation of changes in hardware;
Select a sample of hardware changes that have affected the scheduling of IS processing
and determine if the plans for changes are being addressed in a timely manner;
Ascertain that all hardware changes have been communicated to the system
programmers, application programmers and the IS staff to assure that changes and
tests are coordinated properly; and evaluate the effectiveness of changes to assure that
they do not interfere with normal application production processing.
Review change management controls for the following:
Review system documentation specifically in the areas of:
Installation control statement;
Parameter tables;
Exit definitions; and
Activity logs/reports

Review the installation of changed system software controls to determine the following:
The schedule for system software changes considers the least impact to IS processing;
A written plan was established for testing changes to system software;

Tests are being completed as planned;

16. Librarian and backup Function

Because it is desirable to ensure that the profit seeking activities of a business,
including the IS operations in its supportive role, are not interrupted in the event of a
disaster, secondary storage media - usually tape reels, tape cartridges, removable hard
disks, or cassettes - have been used to effectively and efficiently store programs and
associated data. These tapes or other secondary storage media are stored in one or
more physical facilities - referred to as off-line libraries - based on availability of use and
perceived business interruption risk. It is the off-line librarian's responsibility to
maintain a perpetual inventory of the contents of these libraries, to control access to
library media, and to rotate media between various libraries, as applicable.

17. Controls of the Off-line Library.

Controls over the off-line/physical library facilities are important to ensure the
uninterrupted operation of the business in the event of disaster and to optimize IS
resource utilization. Unauthorized changes to this information could result in lost data,
unauthorized changes to data, and impact the IS ability to provide continuous
computing services. Control over the off-line library include:
Securing physical access to library contents;
Verifying that the library is constructed to withstand fire/heat (minimum 2 hours);
Verifying that the library is separated from the computer room;
Ensuring that only authorized personnel can have access to the library and the off-line
media;
Ensuring that a perpetual inventory of all tapes and files stored in the library is
maintained;
Ensuring that a record of all tapes and files moved into and out of the library is
maintained in Tape Management System; and
Ensuring that a record of information regarding the contents, versions and location of
data files is maintained.
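The last four controls in the list (authorised access only, a perpetual inventory, a record of every movement in and out, and a record of contents, version and location) are the data a tape management system keeps. As an added example, not the page's own code and not any real Tape Management System, the Python below keeps those records and adds the check an auditor performs against them: reconciling the perpetual inventory with a physical shelf count. Volume serials, locations and names are constructed.

```python
"""Perpetual inventory for an off-line media library: what each volume holds,
which version, where it is, who moved it, and a reconciliation of the record
against a physical shelf count. Added example with constructed names.
"""


class OfflineLibrary:
    def __init__(self, name):
        self.name = name
        self.inventory = {}      # volser -> {"contents", "version", "location"}
        self.movements = []      # (when, volser, from_location, to_location, by)
        self.authorised = set()  # people permitted to handle library media

    def authorise(self, person):
        self.authorised.add(person)

    def _require_authorised(self, person):
        if person not in self.authorised:
            raise PermissionError(f"{person} is not authorised to handle library media")

    def add(self, volser, contents, version, location, by, when):
        """Register a new volume; its arrival is itself a recorded movement."""
        self._require_authorised(by)
        if volser in self.inventory:
            raise ValueError(f"volume {volser} already in inventory")
        self.inventory[volser] = {"contents": contents, "version": version, "location": location}
        self.movements.append((when, volser, None, location, by))

    def move(self, volser, to_location, by, when):
        """Rotate a volume between libraries (e.g. on-site vault to off-site store)."""
        self._require_authorised(by)
        record = self.inventory[volser]
        self.movements.append((when, volser, record["location"], to_location, by))
        record["location"] = to_location

    def contents_at(self, location):
        return sorted(v for v, r in self.inventory.items() if r["location"] == location)

    def locate(self, contents, version):
        """Which volumes hold a given version of a data file, and where they are."""
        return sorted((v, r["location"]) for v, r in self.inventory.items()
                      if r["contents"] == contents and r["version"] == version)

    def reconcile(self, location, physical_count):
        """Compare the perpetual record with a physical count at one location.

        Returns (missing, unrecorded): volumes the record places there but that
        were not found, and volumes found on the shelf that the record does not
        place there. Either list being non-empty is an audit exception.
        """
        recorded = set(self.contents_at(location))
        found = set(physical_count)
        return sorted(recorded - found), sorted(found - recorded)

    def movements_for(self, volser):
        return [m for m in self.movements if m[1] == volser]


if __name__ == "__main__":
    lib = OfflineLibrary("HQ")
    lib.authorise("librarian")
    lib.add("T00001", "PROD.PAYROLL.MASTER", "V3", "VAULT-A", "librarian", "2024-03-01")
    lib.move("T00001", "OFFSITE", "librarian", "2024-03-02")
    print(lib.reconcile("OFFSITE", ["T00001", "T00099"]))
```

A reconciliation that returns anything other than two empty lists means either the record or the physical handling is wrong; the movement log for the affected volume is the first place to look.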

Review capacity management procedures of hardware and performance evaluation
procedures to determine:
Whether it will ensure continuous review of hardware and system software performance
and capacity; and
Whether the criteria used in the IS management's hardware performance monitoring
plan are based on historical data obtained from the IS trouble logs, processing
schedules, job accounting system reports, preventive maintenance schedules and
reports.

18. Review hardware acquisition plan

Determine whether the hardware acquisition plan is compared regularly to IS
management's business plan;
Determine whether the environment is adequate to accommodate the current installed
hardware and new hardware to be added under the approved hardware acquisition
plan;
Confirm that IS Management's hardware acquisition plan has taken into consideration
technological obsolescence of the installed equipment, as well as the new equipment in
the acquisition plan; and
Verify the adequacy of documentation for hardware and software specifications,
installation requirements, and the likely lead-time associated with the planned
acquisition.

19. Operating Systems Software Acquisition, or maintenance


When auditing operating systems software development, acquisition, or maintenance,
the following approach should be followed:
Interview technical service and other personnel regarding:
Review and approval process of option selection;
Test procedures for software implementation;
Review and approval procedures of test results;
Implementation procedures; and
Documentation requirements.

Review the feasibility study and selection process to determine the following:
The proposed system objectives and purposes are consistent with the request/proposal;
and
The same selection criteria are applied to all proposals.

Review cost/benefit analysis of system software procedures to determine they have
addressed the following areas:
The direct financial costs associated with the product;
The cost of product maintenance;
The hardware requirements and capacity of the product;
Training and technical support requirements;
The impact of the product on processing reliability;
The impact on data security; and
The financial stability of the vendor's operations.

Problems encountered during testing were resolved and changes were retested;
Test procedures are adequate to provide reasonable assurance that problems with
changes to system software will be identified before they are placed into the production
environment; and
The schedule for system software changes considers the least impact to IS processing.

Review system software maintenance activities to determine the following:
Access to the libraries containing the system software is limited to the individual(s)
needing to have such access;
Changes to the software must be adequately documented and tested prior to
implementation; and
Software must be properly authorized prior to moving from the test environment to the
production environment.

Review systems documentation specifically in the areas of:
Installation control statements;
Parameter tables;
Exit definitions; and
Activity logs/reports.

Review and test systems software implementation to determine the adequacy of
controls in:
Change procedures;
Authorization procedures;
Access security features;
Documentation requirements;
Documentation of system testing;
Audit trails; and
Access controls over the software in production.

Review authorization documentation to determine whether:
Additions, deletions or changes to access authorizations have been documented; and
Attempted violation reporting and follow up have been documented.

Review system software security for the following:
Procedures have been established to restrict the ability to circumvent logical security
access provided by the system software;
Procedures have been established to limit access to the system interrupt capability;
Physical and logical security provisions are adequate to restrict access to
the master consoles; and
System software vendor supplied installation passwords were changed at the time of
installation.

20. Service Level

The IS is a service organisation for end users. As such, the success of the IS is
dependent upon satisfying end user processing and service requirements. These
services include accuracy, completeness, timeliness and proper distribution of output
related to application processing. Many tools are available to monitor the efficiency and
effectiveness of services provided by IS personnel. These tools include:
Time frames and level of service are defined for all services provided by the
information services function.
Time frames and service levels reflect user requirements.
Time frames and service levels are consistent with performance expectations of
the equipment potentials.
An availability plan exists, is current, and reflects user requirements.
Ongoing performance monitoring of all equipment and capacity is occurring,
reported upon, lack of performance addressed by management, and
performance improvement opportunities are formally addressed.
Optimal configuration performance is being monitored by modelling tools to
maximise performance while minimizing capacity to required levels.
Both users and operational performance groups are proactively reviewing
capacity and performance and workload schedule modifications are occurring.
Workload forecasting includes input from users on changing demands, and from
suppliers on new technology or current product enhancements.

Performance reporting for improvement opportunities or remedy of weaknesses, with
users confirming that performance expectations are being met, and modifications
based on changing requirements being reflected in the plan.

21. Business Continuity Planning.


This policy shall govern the development of all corporate Business Continuity
Planning policies and standards for the company. All policies and standards developed
shall be in accordance with the guidelines of the company's corporate policy(s) and
standards. The divisional policy(s) and standards developed by the various Divisions
under the same Business Continuity policies must be based on corporate policy.

Policy Statement :

The Department recognises that corporate Business Continuity Planning is required to
ensure that operations will be able to continue to fulfill key business objectives in the
event of disruption to critical business services. As such, corporate Business Continuity
Policies and standards are essential to ensure the correct infrastructure exists to support
this effort. The Business Continuity Policies established by Management will set the
extent of protection required for implementation, i.e. limit the scope of responsibilities.

Ownership

The formulation of all policies and standards shall be performed by the corporate planning
division. Participation will be requested from, and given by, other units of the company.

Authority

The authority for formulation and implementation of all Business
Continuity Policies and standards is given by the BOD of the company.

Administration.

The corporate Business Continuity Unit Manager shall serve as the nominated
representative acting on behalf of the BOD as a division's representative for all
corporate BCP committee meetings and task force.

General and definitions

Key personnel designation and responsibilities.

Disaster recovery and contingency procedures are important elements of a
comprehensive operational plan for computing systems. Suppliers of computing
resources normally have some type of plan designed to facilitate recovery from a
disaster.

Often overlooked, however, is the impact of downtime on the end-users of computing
services. End-users should have their own disaster recovery/contingency procedures in
place to ensure critical operations will continue in the event access to computing
resources is unavailable.

The following list presents the major elements to be included in a disaster
recovery/contingency plan.

A comprehensive disaster recovery/contingency plan should include:

- Objectives of the plan.
- Documentation in the plan regarding its development, review, and approval by
management.
- A list of all authorized personnel to whom the plan will be distributed. One copy of the
plan should be kept in a secure, off-site location.
- A list of key personnel and their functions in the disaster recovery/contingency plan.
- Relevant threats to the system, their impacts, and their likelihoods for each hardware
platform (mainframe, local area network, freestanding PCs, etc.).
- The length of time the department could operate without access to computing services
(i.e. the maximum acceptable downtime before management must implement
contingency procedures).
- A list of "critical" functions, applications, hardware, and information required for
operations, including an explanation of why each item is critical. This section may
include a functional flowchart depicting key processes, and a "topographical" flowchart
showing configuration of hardware and equipment in the department.
- A list of manual/alternative procedures necessary to continue critical operations in the
event of a disaster.
- Security/control requirements for operations when alternate processing methods and/or
facilities are used. These are particularly important to identify before a disaster.
- A sequence of steps for restoring and recovering data once computing services are back
on-line. The information captured by the user department must be the same as that
needed to restore files once computing services are available again.
- A designated off-site area in which operations could be continued in the event current
facilities are inaccessible. This should take into account hardware, telecommunications,
and environmental requirements necessary to support the critical workload.

- Backup policies, including the location of all backup tapes/disks. Backup copies should
be kept in a secure, off-site location.
- Documentation in the plan regarding testing procedures. The plan should be tested
and evaluated periodically and updates to the plan should be made to reflect significant
test results.
- Procedures to update the plan when there are changes in key personnel, hardware,
critical operations, etc.

Chapter 6. System maintenance

Abstract
Databases, System software, Text Editors, Debuggers and development aids, Program
library managers, Linkage editors and loaders, Security systems, Access Control Software
and Computer Contract

These utilities reduce the effort needed to understand what is processing in the CPU and
react to errors or situations slowing the performance of productive work. Computers with
more sophisticated systems software and multiple applications and users processing
concurrently require these types of aids in order to get the information needed to
efficiently run a computer system. An auditor should be alert to the presence or absence
of these types of system software product, as well as to what indicators are monitored, as an
indication of the attention given to efficient operations.

1. Databases

A database is an integrated file containing multiple record types or segments that may be
accessed in a non-sequential manner.
These systems facilitate locating and accessing data. Catalogue and index techniques are
used to store and locate data. The systems vary in the amount of application processing
needed and storage information provided in order to store and retrieve specific data
used and needed by a process or user. The catalogue or index structures used can
significantly affect the amount of computer time and space needed. Auditors are expected
to understand how data is structured in these systems and assess the protection means
employed through either the DBMS or security software.

It is critical to maintain data base integrity. The following are some of the controls to
ensure data base integrity:
Definition standards established and closely monitored for compliance;
Data backup and recovery procedures established and implemented to ensure database
availability;
Various levels of access controls for data items and files established to prevent
inadvertent or unauthorized access;
Controls established to ensure only authorized personnel can update the database;

Controls established to handle concurrent access problems, i.e., multiple users desiring to
update the same data elements at the same time;
Controls established to ensure the accuracy, completeness and consistency of data
elements and relationships in the database;
Database checkpoints used to restart processing after a system failure at points in the job
stream that minimize data loss and recovery efforts;
Database compression techniques used to reduce unused space in the data base resulting
from record deletions;
Database reorganization performed to reduce unused disk space and verify defined data
relationships;
Database restructuring procedures followed when making the data base logical, physical
and procedural changes.

Data base performance monitoring tools used to monitor and maintain the data base
efficiency (available storage space, buffer size, CPU usage, and disk storage configuration
and deadlock conditions) and minimize the temptation to use non-system means, i.e.,
those outside security control, to access the data base.
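The concurrent access control in the list above (multiple users updating the same data element at the same time) is the one most easily shown in code. As an added example, not from the page and not any real DBMS's locking mechanism (real engines use row locks or multi-version concurrency internally), the Python below gives every row a version number and accepts a write only if the version the writer read is still current, so a lost update is detected and the loser re-reads and retries instead of silently overwriting. Account names and amounts are constructed.

```python
"""Concurrent-update control by version checking (optimistic concurrency).

Added example; not the page's code and not any particular DBMS. Two users
who both read a balance and write it back would otherwise lose one update.
"""
import threading


class ConflictError(Exception):
    """Raised when a write is based on a stale read."""


class VersionedTable:
    def __init__(self):
        self._rows = {}                 # key -> (value, version)
        self._lock = threading.Lock()   # makes each single operation atomic

    def insert(self, key, value):
        with self._lock:
            self._rows[key] = (value, 1)

    def read(self, key):
        """Return (value, version); the caller keeps the version for its write."""
        with self._lock:
            return self._rows[key]

    def update(self, key, new_value, expected_version):
        with self._lock:
            _, current = self._rows[key]
            if current != expected_version:
                raise ConflictError(f"{key}: read version {expected_version}, now {current}")
            self._rows[key] = (new_value, current + 1)
            return current + 1


def credit(table, key, amount, retries=1000):
    """Read-modify-write that re-reads and retries when somebody else got in first."""
    for _ in range(retries):
        value, version = table.read(key)
        try:
            return table.update(key, value + amount, version)
        except ConflictError:
            continue
    raise ConflictError(f"{key}: gave up after {retries} attempts")


def lost_update_demo():
    """Users A and B both read balance 100 and each try to add 50.

    Without version checking the final balance would be 150 (B overwrites A).
    Here B's stale write is rejected; after B re-reads and retries, the balance
    is 200. Returns (b_was_rejected, (final_value, final_version)).
    """
    table = VersionedTable()
    table.insert("ACCT-1", 100)
    a_value, a_version = table.read("ACCT-1")
    b_value, b_version = table.read("ACCT-1")
    table.update("ACCT-1", a_value + 50, a_version)       # A writes first: version 2
    try:
        table.update("ACCT-1", b_value + 50, b_version)   # B's read is stale
        rejected = False
    except ConflictError:
        rejected = True
    credit(table, "ACCT-1", 50)                           # B re-reads and retries
    return rejected, table.read("ACCT-1")


def concurrent_credits(threads=8, per_thread=25):
    """Many threads crediting the same row; every single update survives."""
    table = VersionedTable()
    table.insert("ACCT-1", 0)

    def worker():
        for _ in range(per_thread):
            credit(table, "ACCT-1", 1)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return table.read("ACCT-1")[0]


if __name__ == "__main__":
    print(lost_update_demo())
    print(concurrent_credits())
```

The version column is what turns an unobservable lost update into a reportable conflict; the same idea is what a database's checkpoint and log records rely on to reconcile who changed what.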

Review data base supported information systems controls to determine the following:
Controls over access to shared data;
Controls over data organisation;
The controls over shared data;
Adequate change control procedures are utilized to ensure the integrity of the data base
management software;
Integrity of the data base management system's data dictionary is maintained;
Data redundancy is minimized by the data base management system, where redundant
data exists, appropriate cross-referencing is maintained within the system's data
dictionary or other documentation; and
To whom access to specific data within a particular data base is provided.
Evaluate data base structure alternatives;

Assess data base security;
Validate the DBA's documentation; and
Determine whether the organisation's standards have been followed.
Evaluate the access controls over critical data files/bases and programs; and
Security facilities that are active communications systems, DBMSs and applications.

2. System software

In addition to the basic operating system there are a number of types of specialized
software that assist in operating the computer and developing application systems. Some
of these tools include:
Assemblers, compilers and interpreters
These system utilities convert program statements into machine instructions which the
CPU executes. Assemblers and compilers produce machine instructions which can be
saved and rerun without reference to the program statements. This process improves
efficiency and integrity but blurs the audit trail from the program statements. Interpreters
convert program statements to machine instructions each time the program is run.

3. Text Editors

These editors assist in manipulating program, documentation and report text files. These
editors can include capabilities to format, perform repetitive operations e.g., search and
replace, and highlight potential text errors, e.g., check spelling or omitted key words,
which improves productivity and consistency.

4. Debuggers and development aids

This utility software, able to trap error messages, display program values during execution
or validate processing results, is useful in developing application systems that are reliable.

5. Program library managers


This software aids IS staff management in controlling the system and application
software inventory. A key part of library managers should be keeping track of multiple
program versions and preserving program integrity (i.e., storing all programs with all/only
authorized changes). Reporting that assists in managing the software inventory
should be a point of interest to an auditor.

6. Linkage editors and loaders


These utilities assemble the software modules needed to build an executable (machine
instruction) version of an application program. The libraries that are the source for
modules, and the security over these libraries, are important for the auditor to note.

7. Security systems

This software assists in the maintenance of computer resources by relating users to
specific resources and types of access. Resources may include data, processes and
terminals, and may extend to a specific field on a specific record. The types of access
include read (view only), write (change contents), delete and execute (initiate a process).
Security systems expand on the segregation of users and resources provided by the basic
operating system. Auditors should be attentive to the degree (i.e. granularity) of
segregation and resources covered by the security software.

8. Access Control Software

Computing technology has made it possible for computer systems to store and contain
large quantities of valuable data, increase the capability of sharing resources, allow a
single computer to simulate the operations of several computers (virtual system), and
permit many users to access through terminals and communications lines.
While today's systems are easier to use and administer, many businesses have
experienced losses resulting from unauthorized access to corporate data and from error.
This may be because many Security Administrators and managers are not aware of the
potential security holes that may exist, even with full implementation of a highly
sophisticated access control software package. While access control software can
interface with the operating system, application software, data and system software, this
interface does not happen automatically. Nor is there any assurance that, once the
interface is established, adequate security controls are established and maintained.
Fortunately, access control to today's computer systems is becoming a growing concern
to management. Access control software is designed to prevent unauthorized access to
data, unauthorized use of system functions and programs, and unauthorized
updates/changes to data, and to detect or prevent any unauthorized attempt to access
computer resources. Access control software interfaces with the operating system and
acts as a central control for all security decisions. The access control software functions
under the operating system software and provides the capability of restricting access to
data processing resources required for both on-line and batch transaction processing.
Access control software usually can provide access controls at the following levels:
User sign-on at the network and subsystem levels;
User authorization at the application and transaction level;
User authorization within the application;
User authorization at the field level; and
Subsystem authorization at the file level.
Authorization is the most important component of access control software. The following
are some of the authorization controls:
Logonids and user authentications;
Specific terminals authorized for specific logonids;

Access based on predetermined times;
Specific tasks initiated from a predefined authorized library and calling program;
Rules for access;
Individual accountability and auditability;
Installation defined options;
User profiles;
Data file and data base profiles;
Logging events;
Logging user activities;
Logging data base/ data communications access activities for monitoring access
violations; and
Reporting capabilities.

Access control software generally processes access requests in the following way:
Users must identify themselves to the access control software, for example by name and
account number.
Users must authenticate themselves to the software. Authentication is a two-way process
where the software must first verify the validity of the user, and then proceed to verify
prior knowledge information. For example, users may provide the following information:
Remembered information such as name, account number and password;
Possessed objects such as a badge, plastic card or key; and
Personal characteristics such as fingerprint, voice and signature.

Minicomputer operating systems, such as those supplied by IBM, Hewlett Packard (HP)
and DEC, include access control software. Access control software is added on to the
operating system in large mainframe computer systems and microcomputer systems.
Some of the commonly used access control software products are CA-ACF2, RACF,
CA-TOP SECRET and OMNIGUARD (on mainframes), and TIGERSAFE and WATCHDOG (on
microcomputers). This software generally performs the following tasks:
This software generally performs the following tasks:
Verify the user,
Permit access to defined resources,
Restrict user logically accessing data from a specific terminal, and
Report unauthorized attempts to access data.

The access control software interfaces with the tape/disk management system, job
scheduling system, application programs and data files, operating system authorized
libraries, system catalogs, system exits, system datasets, system logs, data bases and on
line telecommunications systems.
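Sections 7 and 8 describe what security systems and access control software do: relate logonids to resources and access types down to field level, restrict sign-on by terminal and time, verify the user, and report unauthorized attempts. As an added example (not the page's code and not any of the products named above), the Python below is a minimal reference monitor with those features and an event log from which a violation report is produced. Users, terminals, resource names and rules are constructed; the lockout threshold is an assumption; password hashing uses PBKDF2 from the standard library, whereas real products keep credentials in their own protected databases.

```python
"""A minimal reference monitor in the style of access control software.

Added example with constructed users, terminals and rules; not a real product.
"""
import hashlib
import hmac
import os
from datetime import datetime, time

MAX_FAILURES = 3   # assumed lockout threshold, not from the page


class AccessControl:
    def __init__(self):
        self.users = {}       # logonid -> profile
        self.rules = []       # (resource_prefix, logonid, allowed access types)
        self.sessions = {}    # logonid -> terminal signed on from
        self.log = []         # (when, logonid, terminal, event, detail)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, logonid, password, terminals, hours):
        """hours is a (start, end) pair of datetime.time values."""
        salt = os.urandom(16)
        self.users[logonid] = {"salt": salt, "hash": self._hash(password, salt),
                               "terminals": set(terminals), "hours": hours,
                               "failures": 0, "suspended": False}

    def add_rule(self, resource_prefix, logonid, access_types):
        """Grant access types (READ/WRITE/DELETE/EXECUTE) on resources under a prefix.
        The longest matching prefix wins, so a field-level rule overrides a file-level one."""
        self.rules.append((resource_prefix, logonid, frozenset(access_types)))

    def _record(self, when, logonid, terminal, event, detail):
        self.log.append((when.isoformat(), logonid, terminal, event, detail))

    def sign_on(self, logonid, password, terminal, when):
        """Identification (logonid), then the profile's terminal and time-of-day
        restrictions, then authentication (password); failures are logged and counted."""
        user = self.users.get(logonid)
        if user is None or user["suspended"]:
            self._record(when, logonid, terminal, "DENY", "unknown or suspended logonid")
            return False
        if terminal not in user["terminals"]:
            self._record(when, logonid, terminal, "DENY", "terminal not authorised")
            return False
        start, end = user["hours"]
        if not start <= when.time() <= end:
            self._record(when, logonid, terminal, "DENY", "outside permitted hours")
            return False
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["suspended"] = True
            self._record(when, logonid, terminal, "DENY", f"authentication failed ({user['failures']})")
            return False
        user["failures"] = 0
        self.sessions[logonid] = terminal
        self._record(when, logonid, terminal, "SIGNON", "ok")
        return True

    def check(self, logonid, resource, access, when):
        """Authorise one access request; with no matching rule the answer is deny."""
        terminal = self.sessions.get(logonid)
        if terminal is None:
            self._record(when, logonid, None, "DENY", f"{access} {resource}: not signed on")
            return False
        matches = [(len(prefix), allowed) for prefix, uid, allowed in self.rules
                   if uid == logonid and resource.startswith(prefix)]
        allowed = max(matches, key=lambda m: m[0])[1] if matches else frozenset()
        permitted = access in allowed
        self._record(when, logonid, terminal, "PERMIT" if permitted else "DENY", f"{access} {resource}")
        return permitted

    def violations(self):
        """Unauthorised attempts, for security administration review."""
        return [entry for entry in self.log if entry[3] == "DENY"]


def demonstration():
    """Constructed scenario: one clerk, one terminal, office hours, field-level rules."""
    ac = AccessControl()
    ac.add_user("CLERK1", "Tr3e-Lamp!", ["T101"], (time(8, 0), time(18, 0)))
    ac.add_rule("PAYROLL.MASTER", "CLERK1", {"READ"})                   # file: read only
    ac.add_rule("PAYROLL.MASTER.SALARY", "CLERK1", set())                # field: no access
    ac.add_rule("PAYROLL.MASTER.ADDRESS", "CLERK1", {"READ", "WRITE"})   # field: may update
    office, night = datetime(2024, 3, 4, 9, 30), datetime(2024, 3, 4, 23, 0)
    results = {
        "bad_password": ac.sign_on("CLERK1", "wrong", "T101", office),
        "wrong_terminal": ac.sign_on("CLERK1", "Tr3e-Lamp!", "T999", office),
        "after_hours": ac.sign_on("CLERK1", "Tr3e-Lamp!", "T101", night),
        "no_session": ac.check("CLERK1", "PAYROLL.MASTER.NAME", "READ", office),
        "sign_on": ac.sign_on("CLERK1", "Tr3e-Lamp!", "T101", office),
        "read_name": ac.check("CLERK1", "PAYROLL.MASTER.NAME", "READ", office),
        "write_name": ac.check("CLERK1", "PAYROLL.MASTER.NAME", "WRITE", office),
        "read_salary": ac.check("CLERK1", "PAYROLL.MASTER.SALARY", "READ", office),
        "write_address": ac.check("CLERK1", "PAYROLL.MASTER.ADDRESS", "WRITE", office),
    }
    return results, ac.violations()
```

The granularity the text asks auditors to note is visible in the rules: the clerk may read the payroll master, may update the address field, and cannot see the salary field at all, because the most specific rule decides.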

Effective Password Controls and Considerations:

Passwords:
1. should be easy to remember
2. should be difficult to guess
3. should not be of a fixed length but rather, at least five (5) characters long
4. should not be displayed when input
5. should be changed periodically by the user
6. should be forced to change by the system administrator
7. should not be dictionary words, either forwards or backwards
8. should be made up of letters, numbers, and special characters
9. password complexity should be greater than the data at risk
10. should not be shared with anyone or used as a group of users' "generic"
password
11. should not be posted or written down in an unsecured location, i.e. in
desk drawers or posted on the monitor
12. should be immediately changed if you suspect it was compromised
13. should not be known by a supervisor or other staff
14. should not be the same as your userID
15. should not be names of your pets or children, phone numbers, or street addresses

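Several of the rules above can be checked by the system at the moment a password is chosen. As an added example (not from the page), the Python below enforces rules 3, 7, 8, 9, 14 and 15 and adds a password-age check for rules 5 and 6. The dictionary is a tiny constructed word list standing in for a real one, the sensitivity-to-length table for rule 9 and the 90-day maximum age are assumed thresholds, and the user names and passwords are constructed.

```python
"""Checker for the machine-verifiable password rules in the list above.

Added example; DICTIONARY, the rule-9 length table and MAX_AGE_DAYS are
constructed assumptions.
"""
import re
import string
from datetime import date, timedelta

# Constructed stand-in for a real dictionary/word list.
DICTIONARY = {"password", "secret", "welcome", "summer", "dragon", "letmein", "monkey"}

# Rule 9: the more sensitive the data, the longer the password (assumed thresholds).
MIN_LENGTH_BY_SENSITIVITY = {"low": 5, "medium": 8, "high": 12}

MAX_AGE_DAYS = 90   # assumed period for rules 5 and 6


def check_password(password, user_id, personal_info=(), sensitivity="low"):
    """Return the numbers of the rules above that the password breaks (empty = acceptable).

    personal_info holds the user's pet and children names, phone numbers and
    street address (rule 15); digit runs of four or more are compared as well,
    so a phone number typed without punctuation is still caught.
    """
    failed = []
    lower = password.lower()
    if len(password) < 5:                                           # rule 3
        failed.append(3)
    if lower in DICTIONARY or lower[::-1] in DICTIONARY:            # rule 7
        failed.append(7)
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_special):              # rule 8
        failed.append(8)
    # rule 9: only reported when the basic length rule already passed
    if 5 <= len(password) < MIN_LENGTH_BY_SENSITIVITY[sensitivity]:
        failed.append(9)
    if lower == user_id.lower():                                    # rule 14
        failed.append(14)
    password_digits = re.sub(r"\D", "", password)
    for item in personal_info:                                      # rule 15
        item_lower = item.lower()
        item_digits = re.sub(r"\D", "", item)
        if (item_lower and item_lower in lower) or \
           (len(item_digits) >= 4 and item_digits in password_digits):
            failed.append(15)
            break
    return failed


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """Rules 5 and 6: True when the password (ISO date strings) is older than permitted."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    print(check_password("drowssap", "jdoe"))                         # dictionary word reversed
    print(check_password("Rex-2019!", "jdoe", ["Rex", "555-0101"]))  # pet's name
    print(password_expired("2024-01-01", "2024-04-15"))
```

Rules 1, 2, 4, 10 to 13 cannot be tested from the password string itself; they are matters of system design (no echo on input) and of user behaviour that an auditor checks by observation and interview.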
9. Computer Contract

Types of computer contract

- Computer product supply contracts
- Software licenses
- Maintenance and support Agreements
- Software development
- Umbrella and Turnkey Agreements
- Source Code Deposit Agreements
- Distributing Agreements
- Confidentiality & Non-disclosure
- Consultancy
- Disaster and recovery
- Facilities Management & Out sourcing.
- Administration

Computer product supply contracts

These contracts provide for the supply of computer hardware products, or for hardware
and software products in combination as a system.

Hardware Sale Agreement: checklist of key clauses

. Equipment specifications
- Is there a right of substitution or modification?
- If so, on what terms?
. Operation manuals
- Are they incorporated?
- How many copies?
- Is their adequacy warranted?
- Will updates be supplied and, if so, on what terms?
. Price
- Is the price inclusive of taxes?
- Can the price be varied and, if so, in what circumstances and on what terms?
- Is the exchange rate specified?
- Is there a right of repossession or some other right in the event of non-payment?
. Site preparation
- Are site specifications to be provided by the supplier?
- What are the customer's responsibilities?
- Is the site to be inspected by the supplier before delivery?
- What are the consequences of inadequate site preparation?
. Pre-delivery testing
- Is it a requirement?
- What are the test specifications?
- May the customer observe the testing being carried out?
- Can the customer request additional testing?
. Delivery
- Is a date or a period specified?
- Is a day or a longer period specified?
- What are the consequences of late delivery?
- What are the consequences of an inability or refusal to accept delivery?
- Can the customer postpone delivery?
- What happens to packing materials?
. Title
- At what point is it agreed that title will pass?
. Risk
- At what point is it agreed that risk passes to the customer?
- Are the parties' insurance obligations spelt out?
. Warranties
- Are there any express warranties?
- Are materials and workmanship warranted?
- Are any components to be exempted from warranty protection?
- Is there a warranty replacement period?
- Is there a warranted service response time?
- Is there an offer of backup equipment?
- Who has title in replacement parts?
- Are there warranted performance criteria?

Software licences

Software is owned by its author or company. The law protects the owner by giving
rights over what has been created. The owner has the economic benefits arising from
copyright.

Software Licence Agreement: checklist of key clauses

. Duration
- Does the term commence upon delivery, installation or acceptance?
- Is the licence of limited duration?
. Operating specifications
- Are they defined?
- What are the supplier's rights and obligations on alteration?
- What are the customer's rights and obligations on alteration?
. Documentation
- Is the associated documentation adequately defined?
- On what terms is it supplied?
- Is there a right to copy?
- Are the contents warranted?
- Is there an ongoing obligation to supply amended documentation?
. Licence fee
- Is it a lump sum or a periodic charge?
- What are the conditions for release of progress payments?
- Is the initial payment due on delivery, installation or acceptance?
- Are the fees inclusive of taxes?
- Can the fee be increased in any circumstances?
- What is the penalty for late payment or non-payment?
. Licence
- Does the supplier have adequate authority to grant the licence?
- Is the licence non-transferable?
- Is the licence non-exclusive?
- Can the program be used on any equipment?
- What are the restrictions on copying, alteration or modification?
- Have maintenance arrangements been considered?
. Delivery
- Is the supplier obliged to deliver?
- Is there a specified delivery date?
- Can delivery be effected by electronic mail?
. Installation
- Is the supplier obliged to install?
- Is the customer required to assist in the installation process?
. Acceptance tests
- What are the test specifications?
- To what extent is the customer personally involved?
- What are the consequences of failure to satisfy the specifications?
- At what point is the program deemed accepted?
. Copying
- For what purposes may the customer copy the programs?
. Modifications
- Does the customer have the right to modify the program?
- If so, what are the customer's obligations to the supplier?
. Reverse engineering
- Is reverse engineering expressly prohibited?
. Replacement
- Does the supplier have the right to replace the program with an alternative program
during the term of the agreement?
- If so, what are the supplier's obligations and the customer's rights?
. Training
- Does the supplier provide training and, if so, on what terms?
. Refundable trial period
- May the customer return the program if it proves unsuitable for its intended purposes
during a specified period after acceptance?
. Security
- What are the customer's obligations?
. Time
- Is the time of delivery of the essence?
- Is the time of installation of the essence?
- Is the time of payment of the essence?
. Risk
- At what point does risk of loss of or damage to the program pass to the customer?
. Warranties
- Are any warranties offered?
- Are there warranted performance criteria?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?

MAINTENANCE AND SUPPORT AGREEMENTS

These agreements cover the provision of services relating to the maintenance and
support of hardware and software.

Hardware Maintenance Agreement: checklist of key clauses

. Equipment
- Is the equipment adequately specified?
- Do maintenance obligations cease on substitution or relocation of equipment?
- Are maintenance charges affected by such substitution or relocation?
. Duration
- What is the commencement date?
- Does the maintenance period follow on from the equipment warranty period?
- What circumstances will cause the agreement to be terminated?
- Is notice necessary before termination?
. Preventive maintenance
- Is it defined?
- During what hours and on what days will it take place?
- Does the customer have a right to re-schedule?
. Remedial maintenance
- Is it defined?
- Is it limited to on-site services?
- Is there a warranted service response time?
- Is there a time limit for requesting remedial maintenance?
. Emergency remedial maintenance
- Is it defined?
- Is there a warranted service response time?
. Charges
- Are the charges or rates for each type of maintenance specified?
- In what circumstances may the supplier make an additional charge?
- Is there a remote location charge?
- Under what circumstances may charges be increased?
- To what extent may charges be increased?
- Are charges inclusive of taxes?
- Are the charges inclusive of spare parts costs?
. Exclusions
- Under what circumstances are the supplier's obligations excluded?
. Replacement and spare parts
- Who has title in replacement parts?
- Who has title in replaced parts?
- Are replacement parts warranted?
- Is storage or pre-purchase by the customer required?
- Is there a guarantee of supply by the supplier?
. Access
- What are the customer's obligations?
- Is a vehicle parking area required?
- What working facilities are required?
. Maintenance equipment
- Is storage required?
. Customer records
- Is the customer required to keep records of equipment performance?
. Warranties
- Are warranties specifically offered by the supplier?
- Is the customer adequately protected in any event by the general provisions of the
agreement?

SOFTWARE DEVELOPMENT

A customer may commission a supplier to plan, write and implement a computer system.
It may be for a project requiring special expertise.

SOFTWARE DEVELOPMENT AGREEMENT: CHECKLIST OF KEY CLAUSES

. Charges and payments
- Is there a progress fee payable at specified time intervals or at specified stages of
development?
- In what circumstances can the periodic fee be increased by the supplier?
- Is the supplier required to verify expenses?
- What is the penalty for late payment?
. Development stages
- Have they been specified?
- What is the penalty for failure to complete development of a stage as scheduled?
- Does the supplier have any interim obligations?
. Variation of specifications
- What are the consequences of a variation of the specifications requested by the customer
after commencement of the agreement?
- What are the customer's obligations in these circumstances?
- What are the supplier's rights in these circumstances?
. Delivery
- Is a final delivery date specified?
- What are the consequences of a failure to deliver on time?
. Installation
- Are the supplier's obligations defined?
. Acceptance testing
- Is acceptance testing defined?
- What specifications are to be used?
- At what point is the software deemed accepted?
. Title
- Is title to pass to the customer?
- If so, at what point?
- If title is to be retained by the supplier, have the terms of a licence been agreed upon?
. Security
- What are the obligations of each party in relation to the security of information and
materials belonging to the other?
. Supplier's personnel
- Have the individual personnel been identified?
- Is there a limitation on the number of persons involved in the project?
- Does the customer have the right to veto the involvement of particular persons?
. Use of customer's resources
- Has agreement been reached on the extent to which, and the terms on which, the supplier
may use the customer's facilities during the project?
. Maintenance
- Has consideration been given to the future of the product?
. Warranties
- Are any warranties offered by the supplier?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?

UMBRELLA AND TURNKEY AGREEMENTS

When a customer wishes to purchase a combination of computer products and services,
either from a single supplier or from a number of suppliers, an umbrella agreement may
be used.

The umbrella agreement is in itself a comparatively short, manageable agreement which
has attached to and incorporated into it all product- and service-specific standard
agreements.

System Integration Agreement: checklist of key clauses

Equipment
. Specifications
- Is there a right of substitution or modification?
- If so, on what terms?
. Operation manuals
- Are they incorporated?
- How many copies?
- Is their adequacy warranted?
- Will updates be supplied and, if so, on what terms?
. Site preparation
- Are site specifications to be provided by the supplier?
- What are the customer's responsibilities?
- Is the site to be inspected by the supplier before delivery?
- What are the consequences of inadequate site preparation?
. Pre-delivery testing
- Is it a requirement?
- What are the test specifications?
- May the customer observe the testing being carried out?
- Can the customer request additional testing?
. Delivery
- Is a date or a period specified?
- Is a day or a longer period specified?
- What are the consequences of late delivery?
- What are the consequences of an inability or refusal to accept delivery?
- Can the customer postpone delivery?
- What happens to packing materials?
. Installation
- Is a date or period specified?
- What are the consequences of late installation?
- Can the customer postpone installation?
- Is the customer obliged to assist and, if so, to what extent?
- What are the rights of the supplier if unexpected difficulties are encountered during
installation?
. Equipment acceptance testing
- Is it required?
- What are the test specifications?
- What are the consequences of failure to satisfy the test specifications?
- At what point is the equipment deemed accepted?
. Title
- At what point is it agreed that title will pass?
. Risk
- At what point is it agreed that risk passes to the customer?
- Are the parties' insurance obligations spelt out?
. Warranties
- Are there any express warranties?
- Are materials and workmanship warranted?
- Are any components to be exempted from warranty protection?
- Are installation services warranted?
- Is there a warranty replacement period?
- Is there a specified warranty service response time?
- Is there an offer of backup equipment?
- Who has title in replacement parts?
- Are there warranted performance criteria?
- When does the warranty period commence?

Hardware maintenance
. Maintenance services
- Are the types of maintenance service defined?
- Does the maintenance period follow on from the equipment warranty period?
- What circumstances will cause the agreement to be terminated?
- Is notice necessary before termination?
. Preventive maintenance
- Is it defined?
- During what hours and on what days will it take place?
- Does the customer have a right to re-schedule?
. Remedial maintenance
- Is it limited to on-site services?
- Is there a warranted service response time?
- Is there a time limit for requesting remedial maintenance?
. Exclusions
- Under what circumstances are the supplier's obligations excluded?

SOFTWARE
. Duration
- When does the licence commence?
- Is the licence of limited duration?
- Is third party software involved and, if so, on what terms?
. Documentation
- Is the associated documentation adequately defined?
- On what terms is it supplied?
- Is there a right to copy?
- Are the contents warranted?
- Is there an ongoing obligation to supply amended documentation?
. Licence
- Does the supplier have adequate authority to grant the licence?
- Is the licence non-transferable?
- Is the licence non-exclusive?
- Can the program be used on any equipment?
- What are the restrictions on copying, alteration or modification?
- Have maintenance arrangements been considered?
. Delivery
- Is there a specified delivery date?
. Installation
- Is the supplier obliged to install?
. Acceptance tests
- What are the test specifications?
- To what extent is the customer personally involved?
- What are the consequences of failure to satisfy the specifications?
- At what point is the software deemed accepted?
. Copying
- For what purposes may the customer copy the software?
. Modifications
- Does the customer have the right to modify the software?
- If so, what are the customer's obligations to the supplier?
. Reverse engineering
- Is reverse engineering expressly prohibited?
. New releases
- On what terms are new releases supplied?
. Security
- Who is responsible, and what is the extent of the obligations?
. Risk
- At what point does risk of loss of or damage to the software pass to the customer?
. Warranties
- Are any warranties offered?
- Are there warranted performance criteria?
- Is there a specified warranty period?
- What are the supplier's obligations on breach of warranty?
- Is there a specified warranty service response time?

Software support

. Support services
- Are the support services defined?
- Do they overlap with the parties' obligations under the licence provisions?
- Do the supplier's obligations extend beyond error correction?
- Specifically, do the supplier's obligations include telephone support, training and the
provision of new releases and upgrades?
. Duration
- When do the support obligations commence?
- Can support be withdrawn or terminated during the currency of the installation?
. Support availability
- Is support only available during certain hours or on certain days?
- Is there a warranted service response time?
- In what circumstances may an additional charge be made?
- Is the customer required to provide information regarding errors?
. Exclusions
- Under what circumstances is the supplier not required to provide support?
. Access
- What are the customer's obligations?

CHARGES AND PAYMENT

. Fees and charges
- Are these fully embraced by a schedule?
- Are charges inclusive of taxes?
. Payment
- Are there staged payments to take into account the various stages of installation and
performance?
- Is the manner of payment fully embraced by a schedule?
- What is the penalty for late payment or non-payment?

SYSTEM ACCEPTANCE AND WARRANTY

. System testing
- Are the system test specifications defined?
- To what extent is the customer involved in the test procedure?
- What are the consequences of failure to satisfy the test criteria?
- At what point is the system deemed accepted?
. System warranties
- Is the system warranted independently of its components?
- Is there a specified warranty period for the system?
- What are the consequences of failure of the system as a whole?

GENERAL
. Training
- Is the supplier obliged to train the customer in the use of the system?
. Third parties' obligations
- Is there a responsibility on the customer to execute relevant third party agreements?
- Is the supplier required to indemnify the customer in relation to breaches by a third
party?
. Time
- Is the time of delivery and installation of the system of the essence?
. Termination
- Does either party have the right to terminate individual aspects of the agreement
without terminating the agreement as a whole?
- What are the consequences in the event of a breach of a third party's obligations?

SOURCE CODE DEPOSIT AGREEMENT

A. Regular support and enhancement

B. Release of source code

Escrow custodian
A third party agrees to hold the source code as escrow custodian.

Software Escrow Agreement: checklist of key clauses

. Term
- When does the agreement commence?
- Is there a specified period?
- In what circumstances will the agreement be terminated?
. Deposit of source code
- Has the manner of storage been specified?
- Is the escrow agent obliged to accept further deposits of updated code during the term
of the agreement?
- Is the escrow agent required to maintain a register of source code held?
- Is the supplier required to keep the source code current?
- Are verification rights and procedures prescribed?
. Access to source code
- Who may access the source code during the term of the agreement?
- Specifically, what are the supplier's rights of access and the customer's rights of
access?
. Loss of source code
- What are the rights and obligations of each party in the event of loss or destruction
of the source code?
. Insurance
- Who has the responsibility to insure the source code?
. Release
- In what circumstances will the source code be released to the supplier?
- What formalities must be complied with by the supplier in those circumstances?
- In what circumstances does the customer have a right to object?
. Release to customer
- In what circumstances will the source code be released to the customer?
- What formalities must be complied with by the customer?
- What are the supplier's rights of objection?
- How is a dispute regarding release of the source code to be resolved?
- Are the customer's rights in relation to the released source code defined?
. Escrow fees and charges
- Is a lump sum or a periodic fee involved?
- Who is responsible for paying the fees?
- What are the escrow agent's rights to increase its fees?
- Which party is responsible for payment of taxes and charges?
- What are the consequences of late payment or non-payment?
. Escrow agent's further obligations
- Does the agreement specify the escrow agent's obligations regarding security of the
source code?
- To what extent may the escrow agent accept the validity of notices or directions given
by either of the other parties?

Chapter 7. Local Area Network and Wide Area Network.

Abstract
Management policies, logical security, physical and environmental security, network
support and management, and network change control.

These systems provide and manage the flow of data outside a computer system. The
flow can be between computers, or between terminals and a computer. The critical parts
of managing the flow are ensuring the integrity (accuracy, completeness and, if necessary,
privacy) of data from origin to destination, proper routing of data from sender to the
correct recipient, and identifying and isolating conditions that do or could disrupt the
flow of data, e.g. poor or broken transmission paths. The auditor is concerned with
whether and how these are accomplished, as well as with what the end points, i.e.
terminals, on the data communications network are.

1. Network management policies

The audit should address the following:

- Policy statements have been issued to prescribe the procedures to be followed in the
selection, acquisition and installation of a LAN.
- Senior management has issued written policy statements describing the network
architectures that will be supported.
- Senior management has issued a written policy statement outlining the guidelines for
the design and cost-benefit analysis of a proposed local area network installation.
- Senior management has issued a written policy statement outlining the guidelines to
be followed in the installation of a LAN.
- These policy statements have been distributed to the appropriate levels of management
within the company.

2. Network Logical Security

- The documentation prescribes the use of a standard form for documenting requests
for the addition, change or deletion of LAN access capabilities.
- The form, printed or computer generated, consists of data to be filled in by the
requester and approved by the requester's supervisor or head of department.
- The basic data are: requester name/signature, requester department, telephone
number/extension, head of department name/signature, system required (such as e-mail
or an application system), and access level such as add data, inquiry, browse, delete
and print report.
- For an application system the module access should be defined, such as update of
Accounts Payable and inquiry on the General Ledger in the accounting system. The access
should be relevant to the user's job function, on a need-to-know basis.
- An adequate security management process has been established to support changes to
LAN user access profiles. Changes to a LAN user profile should be authorised by a
supervisor and reviewed periodically through a printout of user profile changes.
Basically a user profile change record consists of the previous user name, previous
application, previous module, previous access level, changed by, date changed, time
changed, new module and new access level.

- An access profile matrix can be reviewed to ensure that the access privileges granted
have been based on the LAN user's need to know. Obtain the list of LAN user profiles
and check it against the staff records from the Personnel or Human Resources
Department. The purpose is to ensure that the users are authorised users.

- The critical files on the file server are protected. The critical files are the boot
and executable files which are used to boot and execute the server functions. These
files should be protected from normal users, and only the security administrator or
system administrator should be able to grant permission to access them on the file
server.
- The microcomputers that link to the LAN have virus protection installed.
- There is software to monitor access violations on the LAN.
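The profile-to-HR reconciliation, need-to-know review and profile change log review described above, as an added Python example that is not part of the original text. All staff, systems, modules, the access matrix and the log entries are constructed; the matrix layout and the single security administrator account are assumptions.

```python
"""LAN access-profile review for the logical security checks above:
reconcile LAN user profiles to HR staff records, test granted access
against a need-to-know matrix, and review the profile change log.
Added illustration; all names, systems and records are constructed."""
from collections import namedtuple

Profile = namedtuple("Profile", "user_id system module access")
Change = namedtuple(
    "Change", "user_id prev_module prev_access changed_by date new_module new_access")

# Constructed HR staff record: user_id -> (department, employment status)
HR_STAFF = {
    "alee":   ("Accounting", "active"),
    "bkhan":  ("Accounting", "active"),
    "cwong":  ("Sales",      "terminated"),
    "dpatel": ("IT",         "active"),
}

# Constructed LAN user profile listing, one row per granted access
LAN_PROFILES = [
    Profile("alee",   "ACCOUNTING", "AP",         "update"),
    Profile("alee",   "ACCOUNTING", "GL",         "inquiry"),
    Profile("bkhan",  "ACCOUNTING", "GL",         "delete"),
    Profile("cwong",  "E-MAIL",     "-",          "inquiry"),
    Profile("temp01", "ACCOUNTING", "AP",         "update"),
    Profile("dpatel", "SERVER",     "BOOT-FILES", "update"),
]

# Constructed need-to-know matrix: department -> permitted (system, module, access)
ACCESS_MATRIX = {
    "Accounting": {("ACCOUNTING", "AP", "update"), ("ACCOUNTING", "GL", "inquiry"),
                   ("E-MAIL", "-", "inquiry")},
    "Sales":      {("E-MAIL", "-", "inquiry")},
    "IT":         {("SERVER", "BOOT-FILES", "update"), ("E-MAIL", "-", "inquiry")},
}

# Constructed user profile change log in the layout the text describes
CHANGE_LOG = [
    Change("bkhan", "GL", "inquiry", "secadmin", "2024-03-02", "GL", "delete"),
    Change("alee",  "AP", "inquiry", "alee",     "2024-03-05", "AP", "update"),
]
SECURITY_ADMINS = {"secadmin"}   # assumed: the only accounts allowed to change profiles


def review_profiles(profiles, hr_staff, matrix):
    """Return (user_id, reason) exceptions: users with no HR record,
    non-active staff still holding access, and access beyond the
    department's need-to-know matrix."""
    exceptions = []
    for p in profiles:
        record = hr_staff.get(p.user_id)
        if record is None:
            exceptions.append((p.user_id, "no HR record for this LAN user"))
            continue
        dept, status = record
        if status != "active":
            exceptions.append((p.user_id, f"{status} staff still has {p.system} access"))
            continue
        if (p.system, p.module, p.access) not in matrix.get(dept, set()):
            exceptions.append(
                (p.user_id, f"{p.access} on {p.system}/{p.module} exceeds {dept} need-to-know"))
    return exceptions


def unapproved_changes(log, admins):
    """Profile changes not made by a security administrator; this catches a
    user who has granted access to their own profile."""
    return [c for c in log if c.changed_by not in admins]


if __name__ == "__main__":
    for user, reason in review_profiles(LAN_PROFILES, HR_STAFF, ACCESS_MATRIX):
        print(f"EXCEPTION {user}: {reason}")
    for c in unapproved_changes(CHANGE_LOG, SECURITY_ADMINS):
        print(f"UNAPPROVED CHANGE by {c.changed_by} on {c.user_id} ({c.date})")
```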

3. Network Physical Security

- Determine that the transmission media used by a local area network are protected
adequately.
- Verify that the LAN's server has been secured and cannot be accessed by unauthorised
individuals.
- Determine that the local area network's server is protected from damage resulting from
electric power surges and spikes.
- Determine that an uninterruptible electric power supply is connected to the LAN's
server if it is supporting critical information processing applications.
- Obtain the list of hardware from technical support. Conduct a physical sighting and
confirm that the equipment is secured.

4. Network Support and Management

Objective: Sufficient management and support should be provided to ensure the
uninterrupted, reliable operation of a local area network.

- Determine that suitable procedures have been established for periodic reviews of the
capacity of the LAN and for ensuring that the network's users are provided with adequate
time and sufficient disk data storage space.
- Determine that adequate technical support for assistance in problem resolution is
available for local area network users.
- Verify that existing LAN maintenance procedures include periodic assessments of the
performance of the network and assure that problems are resolved before they affect
network performance.
- Evaluate the reports for the last one year and check that LAN problems are solved
within a short period.

5. Network Change Control

Objective: Management should establish control over changes to the configuration of
the LAN that will assure its continued satisfactory operation.

- Determine that the process used in changing the configuration of a local area network
is documented.
- Verify that provisions for any needed backup are considered before a change to a local
area network is implemented.
- Determine that adequate notice is given to local area network users before a change in
the configuration of the network is made.

CHAPTER 8. MICROCOMPUTER (PERSONAL COMPUTER).
Abstract
Licence and warranty, training, help desk, physical and environmental protection,
viruses, backup, inventory of hardware and software.

The microcomputer is an asset and tool in the company and is used to process daily
tasks. Some applications run on the microcomputer, such as project management,
accounting, inventories etc. Management should establish policies and procedures that
at least include the following controls.

1. Microcomputer Training

- Users are properly trained in the use of their microcomputer.
- The help desk can help with all problems. In addition, the help desk can offer basic
software and hardware support.

2. Microcomputer Copyright Practices

- Users are aware of the current copyright laws, i.e. copying software, unless specified,
is unlawful.
- Each software package is only installed on one machine.
- Each software package's copyright documentation is read before installation.

3. Protection of Data from Accidental Damage

- Save files at reasonable intervals during extended periods of system use.
- File backups are on separate diskettes from the working files.
- Backup copies are created in a timely manner.
- Backup copies are labelled.
- Data stored on the hard disk is routinely copied to a backup storage medium.
- Backup diskettes are stored away from the originals.

4. Physical Protection of Hardware

- The microcomputer is located near appropriate and sufficient electrical outlets (i.e. a
separate power line).
- A surge protector is used.
- Telephone modems are disconnected in the event of an electrical storm. (Lightning can
damage a microcomputer by travelling through electrical wires, surge protectors and
telephone modems.)
- Cables and power cords are covered or cared for to ensure they are not a hazard.
- The microcomputer is maintained in a clean environment (i.e. away from drinks, food,
etc.).
- The microcomputer is placed away from radiators and direct sunlight, and its air intake
vents are unblocked.
- The microcomputer is kept away from windows to discourage ready identification for
theft.
- A record of the serial number is kept.
- The microcomputer is kept in an area (room) which can be securely locked against
outsiders.

5. Physical Protection of Diskettes

Diskettes are stored appropriately:
. in a proper container.
. away from extreme heat/cold.
. protected from dust, etc.
. away from sunlight.
. away from magnetic devices.
. in protective envelopes.
. away from excessive moisture.

- Refrain from clipping, stapling, folding or bending diskettes.
- Diskettes are maintained in a clean environment (i.e. away from drinks, food, etc.).
- Diskette containers are sufficient to provide protection against accidental damage or
other potentially destructive elements.

6. Microcomputer Virus Protection

- Users are aware of the effects of computer viruses.
- Users are aware of ways to prevent or reduce the damage caused by a virus, such as:
. backing up data.
. booting the computer from the hard disk.
. never leaving the computer on and unattended.
. not copying other people's software (including public domain software) unless it has
been checked for viruses.
. isolating virus-free software to use as a backup.
- Virus protection software has been installed on the microcomputer. (The help desk can
be contacted for a free copy of virus protection software and instruction on its use.)
- Users refrain from using their diskettes in several different microcomputers.

Chapter 9. Computer Assisted Audit Software (CAATs).

Abstract
Definition, types, methodology and procedures to use CAATs. Advantages and
disadvantages. Purpose and examples.

In a computer system, data is processed in machine-readable form. Numerous audit
tasks can be performed readily by using the computer. Auditors use CAATs in order to
access computer files independently of the IT department, and to gain the advantage of
using the computer to assist their audit.

2. CAATs are necessary because of:

- lack of an adequate audit trail
- large volumes of data
- complex calculations
- analysis of data
- flexibility of audit approach
- increased scope
- quantification of errors
- improved presentation of working papers

3. The advantages of CAATs are:

a. faster availability of information
b. cost savings over time
c. enhanced sampling
d. improved exception identification

4. Types of CAATs
- Audit software
- Generalised audit software
- Specialised audit software
- Utility programs
- Existing client programs
- Test data
- Integrated test facilities
- Embedded audit facilities
- System software data analysis
- Application program examination
- Tracing
- Flowcharting
- Mapping

5. What tasks are these tools appropriate for?

- Cost effective
- Data and transfer technique is available
- Fixed or variable length records (ACL)
- Large data files
- When fast processing is important

6. Benefits
- Time savings
- Very fast processing
- Flexible and easy to use
- Time is money
- Better auditing
- Interactive
- Controlled CAATs
- 100% verification

7. When not to use CAATs

- Manual techniques are more effective
- Data and transfer techniques are not available
- Databases which cannot create flat files
- Existing CAATs require minimal maintenance

8. Standard features of generalised audit software

- Totals and field analysis
- List and report with criteria
- Sort and summarise
- Sampling, e.g. MUS, random samples
- Sample analysis, e.g. IDEA
- Stratify on unsorted data (ACL)
- Multi-file processing: merge, join etc.

9. Sampling and Analysis

- Addition and recalculation
- 100% re-performance
- Sampling and key item selection
- Exception reporting over the whole population
- Comparison, year to year
- Analytical review procedures, e.g. stratification
- Confirmations

10. Potential uses of CAATs

- Exception reporting
- Clerical testing
- Comparison/combination of data on separate files
- Sample selection and evaluation
- Variables estimation sampling
- Summarise or re-sequence data for analysis

PLANNING, CONTROL AND DOCUMENTATION TECHNIQUES

1. Good CAATs require

- Planning
- Clear audit objectives
- Well trained staff
- Identification of the correct data file
- Control totals reconciled
- Control over logic, e.g. flowcharts
- Interpretation and analysis of results

2. Benefits of Proper Planning, Development and Implementation

- Reduced audit costs
- Valid audit approach
- Determination of total error
- Effective audit tests
- Enhanced knowledge of the EDP environment
- More time for judgemental procedures

3. The CAATs Project Cycle

- Planning phase
  - Identify objectives
  - Select CAAT tool
  - Ascertain cost and review benefits
  - Approval of audit team
  - Ascertain experience with relevant CAATs
  - Determine processing compatibility
  - Identify files required
  - Determine file compatibility
  - Conclude as to feasibility
  - Existence of data
  - Cut-off
  - File and record layout documentation
  - Database extract utilities
  - Data format and type
  - Data transfer facilities
  - Security and privacy
  - File sizes
  - Processing capabilities
  - Schedule remaining phases

- Development phase
  - Design
    - Identify objectives
    - Identify CAAT tool
    - Prepare overview flowchart
  - Coding
    - Problem statements
    - Prepare program flowchart
    - Prepare specification forms
    - Review of programs
  - Test
    - Obtain data files
    - Process the application
    - Review test results
    - Verify the integrity of files received
    - Reconcile to source reports

- Implementation phase
  - Process against client data and check output
  - Issue management letter points if required
  - Use CAAT output as per audit program
  - Ensure program documentation is complete

4. Reconciliation procedures
- Agree file totals/record counts
- Parameters correctly set
- Review consistency of footings
- Account for included/excluded records
- Agree report totals to footings
- Review reports for reasonableness
- Check confirmation details
- Document reconciliation procedures
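The reconciliation steps above (agree record counts and file totals to the client's control figures, then account for every record the selection parameters include or exclude) are the point at which an auditor establishes that the file received is the file the client's system produced. The following Python is an added illustration written for this page, not code from the text or from any audit package; the CSV extract and the client control totals are constructed sample values.

```python
"""Reconcile a received client data file to its control totals.

Added illustration (not from the text). The client's system reports a record
count and an amount total with the extract; the CAAT recomputes both from the
file actually received and then accounts for every record that the selection
parameters include or exclude, so the population under test is shown complete.
"""
import csv
import io
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample extract of an accounts payable open-item file (not real data).
SAMPLE_EXTRACT = """vendor_id,invoice_no,amount,status
V001,1001,1250.00,OPEN
V002,1002,300.50,OPEN
V003,1003,0.00,VOID
V001,1004,99.99,OPEN
V004,1005,-45.00,CREDIT
"""

# Control totals reported by the client's system for the same extract (constructed).
CLIENT_CONTROL = {"record_count": 5, "amount_total": Decimal("1605.49")}


@dataclass
class Reconciliation:
    records_read: int
    amount_total: Decimal
    included: int
    excluded: int
    excluded_total: Decimal
    differences: list = field(default_factory=list)

    @property
    def agreed(self):
        """True only when every control figure agreed and the split foots."""
        return not self.differences


def parse_extract(text):
    """Parse the CSV extract; amounts are kept as Decimal so footing is exact."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def reconcile(text, client_control, include=lambda r: r["status"] == "OPEN"):
    """Agree record count and amount total to the client's figures, then
    account for records included in / excluded from the test population.
    `include` stands for the selection parameter set on the CAAT run."""
    rows = parse_extract(text)
    total = sum((r["amount"] for r in rows), Decimal("0"))
    selected = [r for r in rows if include(r)]
    excluded = [r for r in rows if not include(r)]
    differences = []
    if len(rows) != client_control["record_count"]:
        differences.append(
            f"record count {len(rows)} != client {client_control['record_count']}")
    if total != client_control["amount_total"]:
        differences.append(
            f"amount total {total} != client {client_control['amount_total']}")
    # Footing check: included + excluded must equal the records read.
    if len(selected) + len(excluded) != len(rows):
        differences.append("included + excluded does not foot to records read")
    return Reconciliation(
        records_read=len(rows),
        amount_total=total,
        included=len(selected),
        excluded=len(excluded),
        excluded_total=sum((r["amount"] for r in excluded), Decimal("0")),
        differences=differences,
    )


if __name__ == "__main__":
    result = reconcile(SAMPLE_EXTRACT, CLIENT_CONTROL)
    print(f"records {result.records_read}, total {result.amount_total}, "
          f"included {result.included}, excluded {result.excluded} "
          f"({result.excluded_total}), agreed={result.agreed}")
```

The excluded total is reported alongside the excluded count so that the working paper can show where every dollar of the client's control total went; a count that agrees while the amount does not is the usual sign of a truncated or re-encoded field in transfer.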

5. Documentation of development
- Narratives of audit objectives
- Overview diagrams
- Logic flowcharts
- File layouts
- Source code/batch listings

6. Documentation of implementation
- Output reports
- Reconciliations to client data
- Follow-up procedures
- Updates required to parameters
- Cross-reference to audit program

Audit Software Applications

Account Balances
1. Accounts receivable
2. Inventory
3. Property, plant and equipment
4. Accounts payable
5. Notes payable/short-term debt
6. Shareholders' funds

Transaction Types

1. Cash receipts
2. Cash payments
3. Payroll
4. Sales
5. General ledger and/or journal entry system
6. Review of operations

Account Balances
1. Accounts receivable
- Test for clerical accuracy: totals and extensions.
- Add the trial balance and aging.
- Age using the client's method or an auditor-defined method. Various agings:
  - Invoice date
  - Date of last payment
  - By customer
  - By line of business
  - By type of open item (invoice, credit memo)
- Print accounts within specific aging categories and over specific dollar limits.
- Print accounts with no name or address, or with an unusual name.
- Print unusual invoices, refunds, debit memos, etc.
- Test for new accounts with large dollar volumes.
- Print account balances exceeding the credit limit by a specific percentage.
- Print accounts with large overdue amounts.
- Select accounts or invoices for circularisation using sampling and confirmation programs.
- Sort and summarise by customer number or type of account, type of collateral, or sales terms.
- Using weekly transaction files, update the accounts receivable file from the date of circularisation to year-end.
- Select transactions for additional testing from these transaction files.
- Merge the accounts receivable file and the sales file and perform cutoff tests and ratio analysis.
- Apply cash receipt transactions subsequent to the confirmation date to the accounts receivable file. Analyse to determine receivables not collected in the interim, or receipts for which no receivable was recorded.
- Merge interim balances with year-end balances and print a comparative trial balance, or accounts with changes greater than X%.
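Three of the receivables tests above (aging by invoice date, balances over the credit limit by a given percentage, and selecting items for circularisation by monetary unit sampling) are worked through below in Python. This is an added example written for this page, not the text's or any audit package's code; the open-item file, the credit limits, the year-end date and the aging buckets are constructed assumptions. The monetary unit sampling shown is the fixed-interval form (one hit per sampling interval of cumulative dollars after a random start), which is what gives large balances a proportionally larger chance of selection.

```python
"""Accounts receivable CAATs: aging, credit-limit exceptions, MUS selection.

Added example (not from the text). All data below is constructed.
"""
import random
from collections import defaultdict
from datetime import date

YEAR_END = date(1998, 12, 31)  # constructed year-end

# Constructed open-item file: (customer, invoice_no, invoice_date, amount)
OPEN_ITEMS = [
    ("C100", "A1", date(1998, 12, 20), 1200.00),
    ("C100", "A2", date(1998, 10, 15), 800.00),
    ("C200", "B1", date(1998, 8, 1), 5000.00),
    ("C300", "C1", date(1998, 11, 25), 150.00),
    ("C300", "C2", date(1998, 12, 30), 2450.00),
    ("C400", "D1", date(1998, 5, 10), 7300.00),
]
# Constructed customer master: credit limit per customer
CREDIT_LIMITS = {"C100": 1500.0, "C200": 6000.0, "C300": 2000.0, "C400": 5000.0}

# Auditor-defined aging buckets in days outstanding (constructed)
BUCKETS = ((0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, "over 90"))


def age_bucket(invoice_date, as_at=YEAR_END):
    """Aging by invoice date: days from invoice to the as-at date."""
    days = (as_at - invoice_date).days
    for low, high, label in BUCKETS:
        if days >= low and (high is None or days <= high):
            return label
    raise ValueError(f"invoice dated after as-at date: {invoice_date}")


def aged_trial_balance(items, as_at=YEAR_END):
    """Totals by customer and bucket, plus the grand total used to foot the file."""
    by_customer = defaultdict(lambda: defaultdict(float))
    for cust, _inv, inv_date, amt in items:
        by_customer[cust][age_bucket(inv_date, as_at)] += amt
    grand_total = round(sum(amt for *_, amt in items), 2)
    return by_customer, grand_total


def over_credit_limit(items, limits, pct=10.0):
    """Customers whose balance exceeds the credit limit by more than pct percent."""
    balances = defaultdict(float)
    for cust, _inv, _d, amt in items:
        balances[cust] += amt
    return {c: round(b, 2) for c, b in balances.items()
            if b > limits.get(c, 0.0) * (1 + pct / 100)}


def mus_select(items, sample_size, start=None, seed=0):
    """Monetary unit sampling with a fixed interval over cumulative amounts.

    Every item whose amount is at or above the interval is selected with
    certainty; `start` (a random point within the first interval) is
    seeded for reproducibility so the selection can be re-performed."""
    population = sum(amt for *_, amt in items)
    interval = population / sample_size
    if start is None:
        start = random.Random(seed).uniform(0, interval)
    selected, cumulative, next_hit = [], 0.0, start
    for item in items:
        cumulative += item[3]
        while next_hit <= cumulative:      # one or more hits fall in this item
            if item not in selected:
                selected.append(item)
            next_hit += interval
    return interval, selected


if __name__ == "__main__":
    aged, total = aged_trial_balance(OPEN_ITEMS)
    for cust, buckets in aged.items():
        print(cust, dict(buckets))
    print("file total", total)
    print("over limit", over_credit_limit(OPEN_ITEMS, CREDIT_LIMITS))
    interval, picks = mus_select(OPEN_ITEMS, 4, seed=1)
    print("interval", interval, "selected", [p[1] for p in picks])
```

Passing an explicit `start` lets a reviewer re-perform the selection and obtain the same sample, which is what the "reconcile to source reports" and documentation steps earlier in the chapter require of a CAAT run.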

2. Inventory
- Test the clerical accuracy of totals and extensions, and merge the quantity file with the pricing/cost files.
- Select a sample for price testing using large dollar balances, monetary unit sampling, or random sampling.
- Physical count files:
  - Test for duplicate or missing tag numbers.
  - Summarise by product number, location, type, etc.
  - Price the physical count file and compare to the general ledger or the book/physical adjustment.
- For a perpetual inventory, use sampling programs to stratify, select, and print a sample for physical testing.
- Using the cost master file:
  - Test for duplicate part/item numbers.
  - Test reasonableness of unit costs.
  - Segregate unusual increases/decreases in standard costs.
  - Merge with the year-end inventory file for the pricing test.
- Test for lower of cost or market (based on average selling price and current year standard costs).
- Test for obsolete/slow-moving items and excess inventory:
  - Use the client's method.
  - Use the date of the last shipment, or convert the current year's sales dollars to quantities and isolate quantities on hand in excess of the normal turnover.
  - Merge the inventory file with the sales file, calculate the supply on hand and compare to the prior usage.
  - Identify potentially obsolete inventory items by printing those items with little or no current year sales.
  - Perform a turnover analysis.
- Calculate gross profit or potential gross profit by product line or in total.
- Recalculate stock value using the client's average cost method.
- Calculate the percentage change for inventory items and print those outside the average range for:
  - Inventory level
  - Sales level
  - Change in the standard cost
  - Change in the average sales price
- Test the inventory cutoff by comparing the last receipts to the purchase register.
- Work in progress:
  - Provide totals of standard work hours, labour and overhead values for each cost centre so as to verify that the charges to WIP agree with the company's standards.
  - Analyse WIP to determine slow-moving orders.
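The inventory tests that lend themselves most directly to a CAAT are the extension check, the lower-of-cost-or-market comparison, and the slow-moving analysis that compares supply on hand with current usage. The Python below is an added example written for this page, not the text's or any audit package's code; the merged inventory/cost/sales records, the 12-month supply ceiling and the 50% sales-decline threshold are constructed assumptions.

```python
"""Inventory CAATs: extensions, lower of cost or market, slow-moving items.

Added example (not from the text). The records below stand for the year-end
quantity file already merged with the cost master and the sales file.
"""
from dataclasses import dataclass


@dataclass
class StockItem:
    part: str
    qty_on_hand: int
    std_cost: float
    avg_selling_price: float
    prior_year_units_sold: int
    current_year_units_sold: int


# Constructed merged inventory file (not real data)
INVENTORY = [
    StockItem("P1", 100, 10.0, 25.0, 1200, 1100),
    StockItem("P2", 500, 4.0, 3.5, 600, 20),     # selling below cost, sales collapsed
    StockItem("P3", 50, 80.0, 150.0, 40, 0),     # no current year sales
    StockItem("P4", 2000, 1.0, 2.0, 24000, 18000),
]


def extend(items):
    """Recalculate each extension (quantity x standard cost) and foot the total."""
    lines = {i.part: round(i.qty_on_hand * i.std_cost, 2) for i in items}
    return lines, round(sum(lines.values()), 2)


def lower_of_cost_or_market(items, selling_cost_pct=0.0):
    """Flag items whose standard cost exceeds average selling price less costs
    to sell, returning the indicated write-down per item."""
    write_downs = {}
    for i in items:
        market = i.avg_selling_price * (1 - selling_cost_pct)
        if i.std_cost > market:
            write_downs[i.part] = round((i.std_cost - market) * i.qty_on_hand, 2)
    return write_downs


def months_of_supply(item):
    """Quantity on hand divided by average monthly usage in the current year."""
    monthly_usage = item.current_year_units_sold / 12
    if monthly_usage == 0:
        return float("inf")          # no sales at all: unlimited supply on hand
    return item.qty_on_hand / monthly_usage


def slow_moving(items, max_months=12):
    """Items holding more than max_months of supply at current usage."""
    return {i.part: months_of_supply(i) for i in items
            if months_of_supply(i) > max_months}


def sales_decline(items, threshold_pct=50.0):
    """Items whose current-year unit sales fell more than threshold_pct
    against the prior year; items with no prior-year sales are skipped."""
    declines = {}
    for i in items:
        if i.prior_year_units_sold == 0:
            continue
        change = ((i.current_year_units_sold - i.prior_year_units_sold)
                  / i.prior_year_units_sold * 100)
        if change < -threshold_pct:
            declines[i.part] = round(change, 1)
    return declines


if __name__ == "__main__":
    lines, total = extend(INVENTORY)
    print("extensions", lines, "total", total)
    print("LCM write-downs", lower_of_cost_or_market(INVENTORY))
    print("slow moving", slow_moving(INVENTORY))
    print("sales decline", sales_decline(INVENTORY))
```

The three exception lists overlap deliberately: an item that is selling below cost, holds many months of supply, and whose sales have collapsed (P2 in the constructed data) is the strongest candidate for the obsolescence provision, and the CAAT output feeds that judgement rather than replacing it.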

3. Property, Plant and Equipment

- Test the clerical accuracy of totals and extensions, and print a trial balance of the account.
- Calculate depreciation (book and tax), compare it to the client's figures, and print exceptions.
- Compare to determine that accumulated depreciation does not exceed cost for any asset.
- Summarise activity for the year to date for both cost and accumulated depreciation.
- Compute any investment allowance and recapture for the year's transactions.
- Select samples for testing: additions, retirements, etc.
- Test for duplicate or missing asset numbers.
- Compute amortisation for intangibles.
- Select sample payments for repairs and maintenance for testing.
- Summarise leases by type.

4. Accounts Payable

- Recalculate the total of the trial balance.
- Test expense computations/groupings (e.g. account distribution: group by type of expense).
- Select a sample of vendors for circularisation (based on monetary unit or random sampling).
- Develop or test history by vendor.
- Search for unrecorded liabilities:
  - Sample additions to accounts payable subsequent to the cutoff date.
  - Merge cash payments subsequent to the cutoff date with accounts payable, and investigate unmatched disbursements.
- Review potential problem areas:
  - Excessive adjusting entries
  - Duplicate:
    - Invoice numbers
    - Account numbers
    - Mailing addresses
    - Vendor names
  - Age debit items.

5. Notes Payable/Short-term Debt

- Total and summarise the year's activity.
- Calculate the following:
  i. Average interest rate during the year.
  ii. Average short-term debt outstanding during the year (accrued).
  iii. Weighted average interest rate.
  iv. Large month-end balances.

6. Shareholders' Funds
- Analyse, select and confirm shareholder accounts.
- Test the allocation of contributions/income to participants.
- Add the file for dividends payable.

TRANSACTION TYPES

1. CASH RECEIPTS
- Recalculate the total of the cash receipts journal.
- Summarise cash receipts by the respective account distribution for reconciliation to the general ledger posting.
- Select a sample for compliance or substantive testing.
- Summarise/segregate by the type of receipt.
- Test for unusual items, e.g. large receipts, unusual classification, unusual allowances or large discounts.

2. CASH PAYMENTS
- Recalculate the total of the cash payments journal.
- Summarise cash payments by the respective account distribution for reconciliation to the general ledger posting.
- Select a sample for compliance or substantive testing.
- Summarise/segregate by the type of payment.
- Test for unusual items, e.g. large payments, unusual payment classification.
- Test for missing or duplicate cheque numbers.
- Test for duplicate payments on invoice numbers or purchase order numbers.
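The last two cash payment tests (missing or duplicate cheque numbers, duplicate payments on the same invoice) and the unrecorded-liabilities search under item 4, Accounts Payable (merge post-cutoff payments with the year-end payables and investigate the unmatched ones) all run over the same cash payments journal, so one added example covers them. The Python below is written for this page and is not the text's or any audit package's code; the payments journal, the year-end payables ledger and the cutoff date are constructed.

```python
"""Cash payments CAATs: cheque sequence, duplicate payments, unrecorded liabilities.

Added example (not from the text). All records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import date

CUTOFF = date(1998, 12, 31)  # constructed year-end cutoff

# Constructed cash payments journal: (cheque_no, date, vendor, invoice_no, amount)
PAYMENTS = [
    (5001, date(1998, 12, 28), "V01", "INV-10", 400.00),
    (5002, date(1998, 12, 29), "V02", "INV-11", 1250.00),
    (5004, date(1998, 12, 30), "V03", "INV-12", 75.00),
    (5004, date(1998, 12, 30), "V03", "INV-12", 75.00),   # posted twice
    (5005, date(1999, 1, 5), "V02", "INV-13", 900.00),
    (5006, date(1999, 1, 9), "V04", "INV-14", 3100.00),
    (5007, date(1999, 1, 12), "V01", "INV-10", 400.00),   # invoice paid again
]
# Constructed year-end accounts payable ledger: (vendor, invoice_no, amount)
AP_LEDGER = [("V02", "INV-13", 900.00), ("V05", "INV-20", 60.00)]


def cheque_sequence_check(payments):
    """Return (missing cheque numbers, duplicated cheque numbers) over the
    range actually used in the journal."""
    nums = [p[0] for p in payments]
    counts = Counter(nums)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    missing = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    return missing, duplicates


def duplicate_payments(payments):
    """Group by (vendor, invoice, amount); more than one cheque against the
    same key is a potential duplicate payment (or a duplicate posting when
    the cheque number repeats too)."""
    groups = defaultdict(list)
    for cheque, _d, vendor, invoice, amount in payments:
        groups[(vendor, invoice, round(amount, 2))].append(cheque)
    return {key: cheques for key, cheques in groups.items() if len(cheques) > 1}


def unrecorded_liabilities(payments, ap_ledger, cutoff=CUTOFF):
    """Payments dated after the cutoff whose (vendor, invoice) is not in the
    year-end payables ledger: candidates for investigation, since the invoice
    may relate to the period before cutoff and belong in year-end payables."""
    recorded = {(vendor, invoice) for vendor, invoice, _amt in ap_ledger}
    return [p for p in payments
            if p[1] > cutoff and (p[2], p[3]) not in recorded]


def journal_total(payments):
    """Recalculate the journal total (the footing the report totals are agreed to)."""
    return round(sum(p[4] for p in payments), 2)


if __name__ == "__main__":
    print("journal total", journal_total(PAYMENTS))
    print("missing / duplicate cheques", cheque_sequence_check(PAYMENTS))
    print("duplicate payments", duplicate_payments(PAYMENTS))
    for p in unrecorded_liabilities(PAYMENTS, AP_LEDGER):
        print("unmatched post-cutoff payment", p)
```

An unmatched post-cutoff payment is only a candidate: the follow-up is to pull the invoice and establish whether the goods or services were received before the cutoff. Matching on vendor and invoice number rather than amount also surfaces the case where a partially settled invoice was recorded at a different amount.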

3. PAYROLL

- Recalculate the total of the payroll transactions.
- Summarise payroll transactions by respective account distribution for reconciliation to the general ledger and to inventory, cost of goods sold, and charges.
- Test computation of extensions, deductions and net pay.
- Detect payroll master changes by comparison to prior period data:
  - New employees and terminations.
  - Employees whose year-to-date pay has decreased.
- Merge the payroll transaction files with the payroll master files, and test for exceptions:
  - Employees with high salaries or deductions.
  - Gross pay in excess of $XX.
  - Differing hours/salary rates.
  - Duplicate or missing records (employee numbers).
  - Missing employee name or department.
  - Hours worked greater than XX.
- List details of employees who have taken leave.

4. SALES

- Recalculate the total of the sales transactions.
- Summarise sales by respective account distribution for reconciliation to the general ledger posting and the accounts receivable file.
- Match sales records to the accounts receivable file sales posting.
- Test for unusually large amounts.
- Test for missing or duplicate invoice numbers.
- Test sales invoices for:
  - Arithmetical accuracy
  - Unit price:
    - Range of allowed prices
    - Match to the master file
  - Discount allowed
- Analyse by market, product line, customer, cost, sales commission, etc.
