Application Logical Security & Change Management

This is the AuditNet Standard Risk Control Audit Matrix, which incorporates formats
used by many audit organizations in their documentation working papers. There are
format templates for risk control, audit procedures, questionnaires and checklists.
There is a blank workpaper and a report summary that can be used by audit
organizations. AuditNet has prepared a monograph for guidance on preparing and
developing audit work programs, checklists, questionnaires and matrices. The
monograph is available to AuditNet subscribers. For more information go to
www.auditnet.org
When Internal Audit audits a department that uses a critical application, below are audit procedures to
test the logical security and change management processes around the department's application.

Requests for information

Requests for contact names
Who should Audit speak with about the below topics?
1. Application and database password parameters
2. Application groups, privileges, and user IDs
3. Database groups, privileges, and user IDs
4. An understanding of department functions and which functions should be segregated
5. Vendor access
6. Application and database logging and monitoring
7. Review of application and database access
8. Changes made to the application or database during the audit time period (e.g., new functionality,
upgrades, releases)

Information requests (electronic versions are preferable)
1. Screen shot showing application's password parameters (e.g., minimum password length, password expiration,
password re-use restrictions, number of allowable unsuccessful log-on attempts, whether passwords require a mix
of letters and numbers)
2. Screen shot showing database’s password parameters
3. System generated user access list showing all application groups, privileges, and user IDs
4. System generated user access list showing all database groups, privileges, and user IDs
5. Most recently performed application and database access review

Note: If a group other than the IT Help Desk adds, changes, and deletes users for the application, user account
management may be in scope for the application audit. In that case Audit will need to request the following items
from the client:
1. Who is responsible for adding, changing, and deleting access to the application and database?
2. Procedure document around adding, changing, and deleting user access
3. List of new users added to the application and users with changes to their application groups/privileges
4. List of employees who left the department during the audit period (e.g., terminated employees and employees
who transferred to another department)
From the IT Help Desk, request the below items:
5. List of new employees to the organization (e.g., extract from New Hire/Terminations database of New Hires)
6. List of transfer employees (e.g., extract from New Hire/Terminations database of Transfers)
7. List of terminated organization employees during the audit period (e.g., extract from New Hire/Terminations
database of Separations)
Audit Program: Application logical security and change management

Audit Procedure                      Audit Objective
Logical security audit procedures    Evaluate the processes and controls around the [insert
                                     application name here] application and database to
                                     prevent unauthorized access.
Change management audit procedures   Determine if proper processes and testing occur before
                                     the organization implements [insert application name
                                     here] upgrades.

Risk if Objective Not Met

Logical security: If access to technology is not adequately controlled, unauthorized
individuals may have read or edit access to confidential customer or organization
information. Unauthorized access may pose risks to data integrity and may lead to the
organization's non-compliance with applicable laws and regulations designed to protect
customer data.

Change management: If the organization implements [insert application name here]
upgrades without proper processes or testing, there is a risk that upgrades will
introduce errors in existing system controls and processing.

Procedure reference numbers used below (X is the workpaper section number):
Password parameters       X.1 application, X.2 database
Application security      X.3 groups, privileges and user IDs; X.4 segregation of duties
Database security         X.5
Vendor access             X.6
Logging and monitoring    X.7
User access reviews       X.8
User account management   X.9
Change management         X.1

Audit Procedures (each procedure has a Workpaper Reference and a Performed By column in
the workpaper)
X.1 Password parameters (application)
Review password parameters for the [insert application name here]
application. Compare to the organization's policies for password
parameters and evaluate adequacy of the password parameters.
Examples of password parameters to review include minimum password
length, password expiration, password re-use restrictions, number of
allowable unsuccessful log-on attempts, and whether passwords require
a mix of letters and numbers. In many systems a value of zero or
"unlimited" for expiration or for the lockout threshold switches the
control off; report such a value as an exception, not as a parameter
that has been set.

X.2 Password parameters (database)
Review password parameters for the [insert application name here]
database. Compare to the organization's policies for password
parameters and evaluate adequacy, using the same criteria as for the
application (minimum length, expiration, re-use restrictions, lockout
threshold, complexity). Database accounts are often exempt from the
application's rules, so test them separately rather than inferring
them from the application settings.
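The comparison described above is a set of threshold checks, and the direction of each check matters: a lockout threshold or expiry of 0 usually means "never", which is the weakest setting rather than a compliant one. The following Python is an added example, not part of the AuditNet program, of that comparison. The policy values, the parameter names and the two sample parameter sets are constructed for illustration and should be replaced with the organization's policy and the values transcribed from the screen shots.

```python
"""Compare application/database password parameters with policy.

Added example: the parameter names, policy values and sample settings below
are assumptions for illustration, not values from any real product or policy.
"""

# Assumed policy. For "max" rules a value of 0 (or "unlimited") means the
# control is switched off, which must be reported as a failure, not a pass.
POLICY = {
    "min_length": 8,           # at least this many characters
    "max_age_days": 90,        # expire at least this often
    "history_depth": 6,        # remember at least this many old passwords
    "lockout_threshold": 5,    # lock after at most this many failed log-ons
    "complexity": True,        # mix of letters and numbers required
}

# How each parameter is judged: "min" = actual must be >= policy,
# "max" = actual must be <= policy, "eq" = actual must equal policy.
RULES = {
    "min_length": "min",
    "max_age_days": "max",
    "history_depth": "min",
    "lockout_threshold": "max",
    "complexity": "eq",
}

# Ways products commonly spell "no limit" in an export or screen shot.
NO_LIMIT = (0, "0", "unlimited", "never")


def evaluate(params, policy=POLICY):
    """Return (parameter, actual, required, issue) for every non-compliant setting."""
    findings = []
    for name, kind in RULES.items():
        required = policy[name]
        actual = params.get(name)
        if actual is None:
            findings.append((name, None, required, "not set or not in the export"))
        elif kind == "max" and actual in NO_LIMIT:
            findings.append((name, actual, required, "no limit enforced"))
        elif kind == "min" and actual < required:
            findings.append((name, actual, required, "below policy minimum"))
        elif kind == "max" and actual > required:
            findings.append((name, actual, required, "above policy maximum"))
        elif kind == "eq" and actual != required:
            findings.append((name, actual, required, "does not match policy"))
    return findings


def report(system, params):
    """Workpaper text for one system: one line per exception."""
    findings = evaluate(params)
    summary = "compliant" if not findings else f"{len(findings)} exception(s)"
    lines = [f"{system}: {summary}"]
    for name, actual, required, issue in findings:
        lines.append(f"  {name}: actual={actual!r} required={required!r} ({issue})")
    return "\n".join(lines)


# Constructed sample settings, as they might be transcribed from the screen shots.
APP_PARAMS = {"min_length": 8, "max_age_days": 90, "history_depth": 6,
              "lockout_threshold": 5, "complexity": True}
DB_PARAMS = {"min_length": 6, "max_age_days": 0, "history_depth": 0,
             "lockout_threshold": 10, "complexity": False}

if __name__ == "__main__":
    print(report("application", APP_PARAMS))
    print(report("database", DB_PARAMS))
```

A parameter missing from the export is reported rather than silently treated as compliant, since an absent setting is exactly the case where the reviewer needs to ask for a second screen shot.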




X.3 Application security
For the [insert application name here] application, perform the
following:
a. Obtain a list of groups, privileges, and users
b. Identify the groups and individuals with high-privileged access
c. Gain an understanding of why these individuals have this level of
access (e.g., business need)
d. Evaluate the levels of access (e.g., least-privilege concept),
appropriateness of the individuals, and appropriateness of the number
of individuals with high-privileged access
e. Verify that unique, individual user IDs are used
f. Verify that no generic IDs are used by individuals
g. Inquire if passwords are shared
h. Verify that there are no users with more than one ID (e.g., no
duplicate IDs)

X.4 Segregation of duties
a. Gain an understanding of [insert department name here] functions
that should be segregated
b. Understand which groups contain which key functions/privileges
c. Assess if segregation of duties is maintained in the setup of
groups
d. Verify that users do not belong to multiple groups where
segregation of duties should be maintained
e. Through interviewing the client and reviewing the system, determine
whether the system itself enforces segregation of duties (e.g., rejects
conflicting group assignments) or whether it relies on the
administrator to avoid them.


X.5 Database security
For the [insert application name here] database, perform the
following:
a. Obtain a list of groups, privileges, and users
b. Identify groups and individuals with write/edit access to the
[insert application name here] database
c. Gain an understanding of why these individuals have this level of
access (e.g., business need)
d. Evaluate the levels of access (e.g., least-privilege concept),
appropriateness of the individuals, and appropriateness of the number
of individuals who have the ability to edit database data by directly
accessing the database. (These are individuals who do not need to go
through the application to edit, change, and delete database data.)
e. Verify that unique, individual user IDs are used
f. Verify that no generic IDs are used by individuals
g. Inquire if passwords are shared
h. Verify that there are no users with more than one ID (e.g., no
duplicate IDs)
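Steps a to h of the application review, step d of the segregation of duties review and steps a to h of the database review above are mechanical once the system-generated access list is in hand. The following Python is an added example, not AuditNet's, of running those tests over such a list: it identifies the high-privileged population, IDs with no named owner or a role-like name, employees holding more than one ID, and users whose group membership crosses a segregation-of-duties boundary. The export columns, the group names, the conflict pairs and the six sample rows are constructed assumptions; for the database review, load the database export and set HIGH_PRIV_GROUPS to the roles that allow direct writes.

```python
"""Automated tests over a system-generated user access list.

Added example, not part of the AuditNet program: column names, group names,
the segregation-of-duties conflict pairs and the sample rows are assumptions.
The same functions serve the database review by loading the database export
and setting HIGH_PRIV_GROUPS to the roles that allow direct writes.
"""
from collections import defaultdict
import re

# Constructed sample export: one row per user ID. "person" is the HR employee
# number the ID is assigned to; empty means nobody owns the ID.
ACCESS_LIST = [
    {"user_id": "jdoe",      "person": "E1001", "groups": {"AP_CLERK"}},
    {"user_id": "asmith",    "person": "E1002", "groups": {"AP_CLERK", "AP_APPROVER"}},
    {"user_id": "asmith2",   "person": "E1002", "groups": {"REPORTING"}},
    {"user_id": "bwong",     "person": "E1003", "groups": {"APP_ADMIN"}},
    {"user_id": "apadmin",   "person": "",      "groups": {"APP_ADMIN", "AP_APPROVER"}},
    {"user_id": "svc_batch", "person": "",      "groups": {"REPORTING"}},
]

HIGH_PRIV_GROUPS = {"APP_ADMIN", "SECURITY_ADMIN"}
# Pairs of functions one person must not hold together (assumed for this department).
SOD_CONFLICTS = [("AP_CLERK", "AP_APPROVER"), ("APP_ADMIN", "AP_APPROVER")]
# Names that look like a role or service account rather than a person.
ROLE_LIKE_ID = re.compile(r"^(admin|test|shared|generic|guest|svc_)", re.I)


def high_privileged(rows):
    """Step b: IDs holding any high-privileged group."""
    return sorted(r["user_id"] for r in rows if r["groups"] & HIGH_PRIV_GROUPS)


def generic_ids(rows):
    """Step f: IDs with no named owner, or named like a role or service."""
    return sorted(r["user_id"] for r in rows
                  if not r["person"] or ROLE_LIKE_ID.match(r["user_id"]))


def duplicate_ids(rows):
    """Step h: employees who hold more than one user ID."""
    by_person = defaultdict(list)
    for r in rows:
        if r["person"]:
            by_person[r["person"]].append(r["user_id"])
    return {p: sorted(ids) for p, ids in by_person.items() if len(ids) > 1}


def sod_violations(rows):
    """Segregation of duties step d: one ID holding both halves of a conflict pair."""
    hits = []
    for r in rows:
        for left, right in SOD_CONFLICTS:
            if left in r["groups"] and right in r["groups"]:
                hits.append((r["user_id"], left, right))
    return sorted(hits)


if __name__ == "__main__":
    print("high-privileged:", high_privileged(ACCESS_LIST))
    print("generic IDs:", generic_ids(ACCESS_LIST))
    print("duplicate IDs:", duplicate_ids(ACCESS_LIST))
    print("SoD violations:", sod_violations(ACCESS_LIST))
```

The output is the population for steps c and d (business need and appropriateness), which still require the interview; the point of scripting it is that the population is complete and reproducible from the export rather than from a visual scan of a long list.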

X.6 Vendor access
a. Gain an understanding of vendor access to the application or
database.
b. Evaluate the appropriateness of processes and controls around
vendor access (e.g., how one-time access is granted, the organization's
monitoring of vendor activity, number/type of vendor user accounts)

X.7 Logging and monitoring
a. Determine whether application administrator activity is logged and
reviewed for appropriateness. Examples of administrator activity that
should be logged include security changes, such as changing user
profiles, adding and deleting users, and changing security settings in
the application.
b. Determine whether security-related application and database
activity, such as failed log-on attempts, is logged and reviewed for
appropriateness.
c. Evaluate the adequacy of the design of the logging and monitoring
processes (e.g., who reviews the logs and how often, and whether
administrators can alter the log of their own activity).
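Steps a and b above are where a review usually goes wrong: a log that records failed log-ons and administrator actions is of little use if nobody turns it into a list of accounts and events worth asking about. The following Python is an added example, not AuditNet's, of the detection logic a reviewer would run over an extract of the application log: it reports accounts with a burst of failed log-ons inside a time window, lists the security-administration events each administrator performed for sign-off, and flags accounts created and deleted within a day, a pattern that hides a privileged action inside a single review period. The log line format, the event names and the eleven sample lines are constructed; real products use their own formats.

```python
"""Detection logic over an application security log extract.

Added example, not part of the AuditNet program. The line format, event
names and sample lines are constructed assumptions, not a real product's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_FAILED user=jdoe src=10.0.0.5
2024-03-01T08:00:09 LOGIN_FAILED user=jdoe src=10.0.0.5
2024-03-01T08:00:15 LOGIN_FAILED user=jdoe src=10.0.0.5
2024-03-01T08:00:21 LOGIN_FAILED user=jdoe src=10.0.0.5
2024-03-01T08:00:27 LOGIN_FAILED user=jdoe src=10.0.0.5
2024-03-01T08:00:40 LOGIN_OK user=jdoe src=10.0.0.5
2024-03-01T09:10:00 LOGIN_FAILED user=asmith src=10.0.0.9
2024-03-01T09:30:00 USER_ADDED actor=bwong target=tmpuser
2024-03-01T09:31:00 GROUP_CHANGED actor=bwong target=tmpuser detail=APP_ADMIN
2024-03-01T17:05:00 SECURITY_SETTING_CHANGED actor=bwong detail=lockout_threshold=0
2024-03-01T17:10:00 USER_DELETED actor=bwong target=tmpuser
"""

LINE_RE = re.compile(r"^(\S+) (\S+)(.*)$")
# Administrator actions that procedure step a says must be logged and reviewed.
SECURITY_EVENTS = {"USER_ADDED", "USER_DELETED", "GROUP_CHANGED", "SECURITY_SETTING_CHANGED"}


def parse(log_text):
    """Turn each line into a dict of its key=value fields plus 'ts' and 'event'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, name, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["event"] = name
        events.append(fields)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold failed log-ons inside a sliding window: user -> (first, last, src)."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["event"] != "LOGIN_FAILED":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged[e["user"]] = (q[0], e["ts"], e["src"])
    return flagged


def admin_changes(events):
    """Security administration events grouped by the administrator who performed them."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] in SECURITY_EVENTS:
            by_actor[e["actor"]].append((e["ts"], e["event"], e.get("target") or e.get("detail", "")))
    return dict(by_actor)


def short_lived_accounts(events, max_age=timedelta(hours=24)):
    """Accounts created and deleted within max_age, with the administrator responsible."""
    created, hits = {}, []
    for e in events:
        if e["event"] == "USER_ADDED":
            created[e["target"]] = e["ts"]
        elif e["event"] == "USER_DELETED" and e["target"] in created:
            if e["ts"] - created[e["target"]] <= max_age:
                hits.append((e["target"], e["actor"]))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failed log-on bursts:", failed_login_bursts(ev))
    print("admin changes for sign-off:", admin_changes(ev))
    print("accounts created and deleted within a day:", short_lived_accounts(ev))
```

In the sample the failed-log-on burst is followed by a successful log-on from the same source, and the administrator lowers the lockout threshold to 0 the same day; both are things a reviewer should see side by side, which is why the functions return structured results rather than counts.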

X.8 User access reviews
a. Verify that user access reviews (UAR) are performed at least
annually. Obtain evidence of the most recent UAR and verify that
exceptions are researched and resolved.
b. Verify that the UAR includes all user accounts for the application
and database, not just application end-users who report to the
business owner (e.g., administrator, vendor and generic or service
accounts).

X.9 User account management
a. Determine who is responsible for adding, changing, and deleting
access to the [insert application name here] application and database
(e.g., IT Help Desk, Process & Change Management, IT Technical
Services, IT Application Development). Determine whether Audit will
perform the below user account management procedures during this
audit or during a centralized audit, such as an audit of the IT Help
Desk, PCM, or IT. Note: the base Request for Information list above
does not include the documents needed for these procedures; request
them separately if the procedures are in scope.

b.   Obtain the procedure document around adding, changing,
and deleting user access. Review the procedures for
appropriateness (e.g., how terminated employees are identified
and communicated, time period for deleting terminated
employees, if approval from an appropriate person is required
before adding and changing user access.)


To test a sample of new and changed users for appropriate
approval and set up in the application and database:
c.     Obtain the following lists for the audit period:
i.    List of new employees to the organization (e.g., extract
from New Hire/Terminations database of New Hires)
ii.   List of transfer employees (e.g., extract from New
Hire/Terminations database of Transfers)
iii.   List of new users added to the application and users with
changes to their application groups/privileges.
d.     Compare the lists to identify a population of new and
changed users. Select a sample of new and changed users for
testing.
e.     For each selected user, obtain the documentation used to
approve and set up the employee.
f.     Verify that a person of appropriate authority approved the
employee to be added/changed.
g.     Agree the employee’s group/privileges in the
application/database to the documentation to verify that the
employee was properly set up.
To verify that access was deleted in a timely manner for
terminated/transferred employees, perform the following:
h.     Obtain a list of terminated employees during the audit
period (e.g., extract from New Hire/Terminations database of
Separations)
i.      Obtain a list of employees who left the department during
the audit period (e.g., terminated employees and employees
who transferred to another department)
j.     Compare the lists to identify a population of terminated
application users. Select a sample for testing.
k.    For each selected terminated application user, review
application (and database, if applicable) user access lists to
verify that the employee no longer has a user ID. If possible,
determine when the user ID was deleted and assess if the
deletion was in a timely manner.
l.      If the application is a Citrix application, also review the
application’s Citrix group to verify that the employee no longer
has a user ID.




X.1 Change management
a. Determine whether there were any changes to the application or
database during the audit time period. Through discussions with the
client and review of relevant documentation, gain an understanding of
the nature of the changes made (e.g., new functionality, upgrades,
releases). Perform additional review, as described below, as needed.
b.    Through discussions with the client and review of the
appropriate documentation, such as test plans, determine the
risks associated with the application/database changes.
Examples of risks include the changes will not deliver the new,
intended functionality; changes affect the accuracy and
completeness of the application’s existing input, processing and
output controls. Determine whether processes and test plans
address these risks.
c.     Obtain the test results. Review the test results to verify
that proper documentation exists and that test plan steps are
met. Identify any outstanding issues and verify that they were
adequately addressed. Verify that the test results are signed off
by appropriate people, such as business users.
Audit program workpaper columns: Date Expected, Date Completed, Budget Hours, Actual Hours,
Document Reference, Source, Reviewed By, Remarks/Comments.

Library template (Mandatory fields must be completed; Unique fields are keys)

Library Name
Objectives: Objective Type (Optional), Objective Category (Optional), Objective Title (Unique),
            Objective Description (Mandatory), Objective Library Type (Optional), Risk Ref (Unique)
Risks:      Risk Description (Mandatory), Risk Library Type (Optional)
Controls:   Control Ref (Unique), Control Description (Mandatory), Control Library Type (Optional)
Areas:      Area ref (Mandatory), Area desc (Mandatory)
Test:       Test Ref (Mandatory), Test Title (Mandatory), Test Description (Mandatory), Test Type (Optional)

Library Name (area-based layout)
Areas:      Area ref (Mandatory), Area desc (Mandatory)
Test:       Test Ref (Mandatory), Test Title (Mandatory), Test Description (Mandatory), Test Type (Optional)
Risks:      Risk Ref (Optional)
Controls:   Control Ref (Optional)
Risk control matrix columns
AREA:
Process | Control Objective | Risk | Control Considerations | Assertion (E,A,C,V,P) |
Description of control | Documentation W/P Ref. | Testing W/P Ref |
Do controls meet objective? (Yes/No) | Test exceptions noted? (Yes/No) |
Resolution / remediation / comments | W/P Ref
Audit Program Area (control-based layout) columns
Global Audit Procedure Ref No. | Control Objective | Risks | Control Activity Number |
Control Description | Key Control? | Frequency | Owner | Exceptions | Type |
Document Reference | Mapping to Standards

Audit Program Area (procedure-based layout) columns
AUDIT PROCEDURES | WP Ref | Auditor Initials | Time Spent | Date Expected | Date Finished |
Remarks | Checked By
Questionnaire

Client Name:
Internal Control Framework:
Date Completed:
Completed By:
Reviewed By:

Question | Yes | No* | Comments/Description | Employee Responsible for Task

To the best of my knowledge, the answers and comments noted above are accurate and reflect the current

Name and Title of Person Completing Form (please print)        Name and Title of Department Director (please print)
Signature of Person Completing Form                            Signature of Department Director
Date Form Completed: 7/4/2012                                  Date of Department Director's Signature

* For a "No" answer, cross-reference to either a compensating control or to audit work which has been performed
or is to be performed.

Findings summary columns
Finding Ref # | Control Testing | Finding | Management Response & Treatment

				
Posted 7/4/2012; 40 pages.