I. Introduction

This final audit report details the relevant findings, conclusions and recommendations resulting from the
audit of the Modular Access Management System (MAMS) operated by the Information System Services
Office (ISSO). The MAMS is responsible for processing and delivering online services which are very
helpful and which provide convenience for the DWCC students, faculty and non-faculty members.

The audit was conducted in fulfilment of a major requirement of the course Auditing Computer
Information Systems. The audit was performed by the Fifth Year Accountancy Students specifically
assigned to test the different procedures and controls over the database of the MAMS.

Background

The MAMS was introduced by the ISSO to the students, faculty and non-faculty members in 2016 to
replace DWCC Pinnacle. The MAMS is considered DWCC's response to the emerging need of students
and members to conveniently access and deliver relevant information to the primary and
qualified users.

Access to MAMS is freely given to every qualified user of the DWCC community. Some of the
services offered by MAMS are the following: students can view their grades and reserve their subjects
at every enrolment; faculty members can view the list of students enrolled in their subjects and are also required to
upload the final grades of the students at the end of every semester; and non-faculty members can access the
information stored in the MAMS to produce relevant reports necessary for a specific need.

We, the Fifth Year Accountancy Students, are the first to conduct an audit of the database of the
MAMS. During the audit, we identified and determined several recommendations necessary for the
operation of the system. These suggestions and recommendations are discussed further and have been
rolled forward within this report.

The different processes and procedures conducted for this audit were primarily performed in the main
office of the ISSO inside the DWCC campus. Employees who are responsible for the operation and
maintenance of the database system are predominantly located in this office.

All the ISSO personnel who worked with the auditors were particularly helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes and
improvements as necessary. Their positive attitude and helpfulness throughout the audit were greatly
appreciated.

AUDIT OBJECTIVE

Determine whether the database system is properly managed and is effectively and efficiently operated
as a value-adding system to the institution.

Our objective regarding access to the database was to determine whether adequate controls were
implemented to obtain reasonable assurance that each user's access is limited and restricted to
their job description and that only authorized personnel had access to the database system, and that password
attributes are established according to the sensitivity of the information available to the user.

Assess whether the ISSO has an adequate disaster recovery plan, database maintenance plan and business
continuity plan, including onsite and offsite back-ups, to provide reasonable assurance that critical data can
be restored within an acceptable period of time in case the system malfunctions.

AUDIT SCOPE

This performance audit was conducted in accordance with the IS Audit and Assurance Guidelines of ISACA.
These guidelines require an understanding of the entity to be audited, and that the audit be planned to
obtain sufficient, relevant and valid evidence to provide a reasonable basis for the conclusions, opinion and
audit findings. The auditors obtained an understanding of the Modular Academics Management System and its
internal control through interviews and observation as well as inspection of various documents, including
the job descriptions of database users and the policies and procedures. This understanding of the database system's
internal controls was used in determining the extent of compliance testing and other auditing procedures
necessary to verify the effectiveness and efficiency of internal control.

The audit evaluated the effectiveness of access control in the database system and its security controls. We
also assessed the disaster recovery plan and business continuity plan of the ISSO and identified some
matters that they need to improve, which are detailed in the Audit Findings and Recommendation.

In conducting the audit, we relied solely on interviews and observation. Because of the possibility
that we might interfere with the operation of the system, we refrained from verifying the accuracy of the
logical processing of the database system.

The audit was performed at Divine Word College of Calapan. This audit activity was performed from
August 2018 up to September 29, 2018.

AUDIT METHODOLOGY

1. To determine the audit scope and objectives, we conducted an interview to obtain an understanding
of the database structure, to be oriented on the terminologies and IT infrastructure, to learn how they
respond to problems raised by the users, and to learn the positions of the personnel working
inside the ISSO office, so that we would know who is responsible for the maintenance of, access to, and
back-up of the MAMS.
2. As part of audit planning, we asked for the contracts and other documentation necessary to
substantiate the acquisition of the MAMS.
3. We observed the security of the server and other IT infrastructure, and identified the persons who have access
and are accountable in case of damage to the server. Our audit included whether only authorized
persons can access the server infrastructure and the environment where the server is located.
4. In order to know how the ISSO personnel respond to problems and questions raised by the users,
we interviewed users on how they are assisted by the ISSO and how their problems
are solved.
5. To determine whether the information provided to us by the database administrator was
correct, we conducted a number of confirmations with the users of MAMS: the faculty, Registrar,
Guidance, Basic Education and the students.
6. With respect to the maintenance and updating of the system, we conducted follow-up interviews
to learn the progress on the problems encountered during the first interview. We also
validated whether the subjects indicated in the MAMS are updated and match what is in the
student's prospectus.
7. With respect to the back-up of the MAMS, we conducted interviews to learn when and how back-ups
are made, who is responsible for performing the back-up, and where the off-site storage is located.

AUDIT FINDINGS

Based on our audit of the database, we found the following:

• The process of communicating information among the users and other personnel involved with
the system was not properly documented. Since the system was not vendor supported and its
features did not have any written modules, the Database Team alone learned the system's
features. However, the adequacy and timing of corrective actions, as well as the resolution of root
causes, were effective and efficient.
• When we interviewed the database administrator and cited some threats or risks that might exist to
the system of DWCC, we found that illegal access to MAMS such as hacking is impossible.
However, we also found that not all employees whose employment was terminated have had their
accounts deactivated; nevertheless, there is no associated risk with the access of former employees,
since all they can do is view MAMS.
• During our audit, we found that there is no existing or in-place maintenance plan for the
system and that DWCC has no plan to implement one at all, because they act only when a
problem is encountered.
• During our tour of the ISSO office, we found that, aside from there being no security measure or lock
at the server site, there is no CCTV in place, so anyone may enter the server site.
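The second finding above, terminated employees whose accounts remain active, is the kind of gap a periodic reconciliation of the HR roster against the application's account list catches; even view-only access still exposes grades and student records to people who have left. The script below is an added example, not part of this report or of MAMS itself; the data, the names HR_ROSTER, ACCOUNTS and AUDIT_DATE, and the function find_orphaned_accounts are all constructed for illustration.

```python
"""Orphaned-account check for a MAMS-style user database. Assumes two exports
ISSO can produce: an HR roster with separation dates and the account list."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Employee:
    employee_id: str
    separated_on: Optional[date]   # None means still employed

@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    last_login: Optional[date]

# Constructed sample data, not taken from the audit report.
AUDIT_DATE = date(2018, 9, 29)       # last day of the audit period
HR_ROSTER = [
    Employee("E001", None),
    Employee("E002", date(2018, 3, 31)),   # left in March, account never closed
    Employee("E003", date(2018, 8, 15)),   # left recently
]
ACCOUNTS = [
    Account("faculty.a", "E001", True, date(2018, 9, 20)),
    Account("faculty.b", "E002", True, date(2018, 6, 2)),   # logged in after leaving
    Account("staff.c", "E003", True, date(2018, 8, 10)),
    Account("old.admin", "E999", True, None),                # nobody on the roster
    Account("retired.d", "E002", False, None),               # already disabled, ignore
]

def find_orphaned_accounts(roster, accounts, as_of, grace_days=7):
    """Return (username, reason) pairs for enabled accounts that should be
    deactivated as of `as_of`; `grace_days` gives HR and ISSO time to act."""
    separation = {e.employee_id: e.separated_on for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employee_id not in separation:
            findings.append((acct.username, "no matching employee on HR roster"))
            continue
        left = separation[acct.employee_id]
        if left is None or as_of < left + timedelta(days=grace_days):
            continue   # still employed, or separated within the grace period
        reason = "employee separated on " + left.isoformat()
        if acct.last_login is not None and acct.last_login > left:
            reason += "; account used after separation"
        findings.append((acct.username, reason))
    return findings
```

Running `find_orphaned_accounts(HR_ROSTER, ACCOUNTS, AUDIT_DATE)` lists the stale accounts with the reason each should be closed; a login after the separation date is the line worth escalating, since it shows the account was actually used.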

RECOMMENDATION

• We recommend that the team provide documentation about the system. The written
documents shall include the system's features and functions, the problems raised and their resolution,
and the outstanding requests of the users.
• We recommend that ISSO adopt a maintenance plan as soon as possible, so that in case of
problems encountered in the future there will be a definite action to undertake to correct or solve
the problem.
• We recommend that ISSO install at least a lock so that only authorized personnel can access the server site, and
install closed-circuit television (CCTV) to help with monitoring of the server. Lastly,
an additional fire extinguisher must be placed near the server area to provide assurance in
case of a fire outbreak.
