Audit Program for Management Information Systems - Excel by bcn14815

433e0198-b698-4178-8307-d6f6ce41d604.xls

Company (Name):
Fiscal Year End (Date):
Tested on (Date) / tested by (Name):
Tested in (System):

Audit Program contains 56 controls covering ALL principal process areas in IT:
• Data Center and Network Operations
• Information Security (Physical & Logical Security)
• Change Management & Control

Audit Program contains interview and control documentation recommendations to better assist management, auditors or internal control professionals in performing tests of control for each control activity.

Audit Program for AS/400 (iSeries, System i) and OS/400 (i5/OS, IBM i) - SAMPLE
Columns of the audit program (each control activity row lists):
Control Activity Code
Control Activity Description
Control Activity Background
Control Activity Type: Preventive / Detective
Control Nature: Manual / Automated
IT Nature: IT Dependent / Non IT-Dependent
Control Rating: High / Medium / Low
Interview Topic Recommendations: The following interview topics should assist auditors in getting a better understanding of the steps involved in performing the control activity by the process owner(s), which will assist in effectively performing tests of control for each control activity.


Data Center and Network Operations
Control Objective IT2: Organization’s financial data is appropriately managed during the update and storage process to ensure it remains complete, accurate, & valid.
(CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)
Control Objective Background: If data is not retained, in the event of systems incident, there is a risk that the entity's financial statements
may be materially misstated, because it may not be possible to reconstruct the data from source documentation.
IT2.04
Control Activity Description: Only authorized employees have access to modify backup schedules.
Control Activity Background: User profiles with the special authority *SAVSYS are able to back up all data and modify the backup schedule.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: Non-IT Dependent
Control Rating: Low
Interview Topic Recommendations: Manager over backup and retention of electronic data:
- Individual responsible for the backups




Information Security

Control Objective IT4: Systems configuration and security settings are appropriately implemented, administered, and safeguarded to protect against unauthorized modifications that can result in
incomplete, inaccurate, or invalid processing or recording of organization’s financial data. (CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)
Control Objective Background: If systems configuration and security settings are inadequate or not administered appropriately, security
breaches may go undetected, information resources may be compromised, and significant flows of transactions may be ineffective.
IT4.13
Control Activity Description: The i5/OS (OS/400) environment is configured and activated to record audit events (such as unauthorized or inappropriate system activity, including use of special authorities) as defined in information security policies; audit reports are regularly reviewed by management and necessary action taken.
Control Activity Background: The i5/OS can be configured to enable the audit log facility. The QAUDCTL system value defines whether audit logging is turned on. The QAUDLVL system value defines which security-related actions are recorded system-wide (for all users). The use, the level of audit logging, and the action the system should take during specific events (QAUDENDACN system value) should be determined by management. The audit journal should be reviewed on a periodic basis by an individual independent of the security administrator in order to detect and react to any unauthorized system activity.
Control Activity Type: Detective
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Interview Topic Recommendations: Security administrator:
- Strategy and level for audit logging
- Security packages used for analyzing audit journals
- Frequency of review process
- Assignment of the monitoring responsibility
- Procedures for reacting to unauthorized system activity






Data Center and Network Operations
Change Control
Control Objective IT6: Programs and systems are appropriately acquired or developed in a manner that supports the accurate, complete, and valid processing and recording of
organization’s financial information. (CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)
Control Objective Background: Inappropriate decisions to acquire or develop programs and systems can result in implementation of software that is unable to meet the entity's information processing needs; there is also an increased risk that financial reporting applications will not be able to pass data between underlying network and infrastructure components.
IT6.03
Control Activity Description: Any acquisition or development of AS400 application systems and i5/OS (OS/400) operating system software is approved by management prior to implementation.
Control Activity Background: If invalid (i.e., unnecessary or inappropriate) modifications are made, systems may not function in a manner that is consistent with management's intentions. Where upgrades or changes are either not performed or are performed without management's approval, the consequences include (1) the entity's information systems no longer adequately support the entity in achieving its objectives and (2) the control environment may be degraded. Therefore, it is important to ensure that any modifications are approved by management. Using a process that requires authorization of system changes provides management with control over those changes. This process verifies that only changes that are relevant and beneficial to the enterprise are performed.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Interview Topic Recommendations: Manager responsible for systems development and approval of change requests:
- Systems development or implementation & approval process
- Steps involved to ensure business requirements are met
- Assessing impact on other systems & business processes
- User involvement in the request process
- Monitoring outstanding, rejected, or approved changes
- Evaluation and prioritization of modifications
- Determination of the time frame of implementation
- Authorization of modifications for implementation
- Monitoring of project timetables, status and milestones



           The complete audit program contains 56 Controls covering ALL principal process areas in IT, including:

           • Batch and online processing control framework - This control framework is developed to ensure that organization’s operations around scheduling, performance, and monitoring of IT
             programs and processes are adequately supervised by management in order to assure complete, accurate, and valid processing and recording of financial information. Items covered:
             - Batch and online processing
             - Automated scheduling tools on the i5/OS (OS/400) and more.

           • Backup and recovery control framework - Controls to ensure organization’s financial data is appropriately managed during the update and storage process to ensure it remains complete, accurate, and valid:
             - Data retention tools (management, security, access to such tools, etc.),
             - Backups and retention of critical i5/OS (OS/400) files (planning, scheduling, and supervision),
             - Backup tapes (management, storage, archival, readability assessments, etc.) and more.


           • Physical Security control framework - This control framework is developed to ensure that adequate physical security mechanisms are in place and operate effectively. Items covered:
             - Assessment of physical access control mechanisms,
             - Authority to change physical access control mechanisms,
             - Monitoring of physical access control mechanisms, etc.

           • Logical Security control framework - Controls to ensure that system security settings are adequately configured and are protected against unauthorized modifications. Items covered:
             - Password authentication mechanisms in the AS/400 (iSeries, System i) and OS/400 (i5/OS, IBM i) environment,
             - User access privileges (new access, removal of users, security of profiles assigned special authorities, segregation of duties, etc.),
             - Access to the command line, access to critical commands/utilities on the i5/OS (OS/400), use of adopted authority,
             - Access to the resources in the i5/OS (OS/400) Integrated File System,
             - Assessment of the overall security mode on the i5/OS (OS/400); object level security on the i5/OS (OS/400),
             - Configuration of trust relationships between i5/OS (OS/400) systems,
             - Graphical User Interface software (the Operations (iSeries) Navigator),
             - Logging and monitoring audit events,
             - Security of default profiles (IBM supplied profiles, etc.),
             - Communication services on the i5/OS (OS/400), and much more.

           • Change Management & Control - Controls designed to ensure that programs and systems are appropriately acquired or developed, implemented, and managed in a manner that supports accurate,
              complete, and valid processing and recording of organization’s financial information. Items covered:
             - Acquisition, development, modification, and maintenance of AS400 application systems and i5/OS (OS/400) operating system software,
             - Controls around approval, testing prior to implementation, quality assurance reviews, business risk and impact assessments, adequacy of post implementation reviews, and more.

           The audit program covers all critical configuration settings and access controls to ascertain the reliability of the AS/400 (iSeries, System i) & OS/400 (i5/OS, IBM i) control environment. The audit program is available for purchase at
           http://soxmadeeasy.com/AS400.html.




Audit Program contains detailed audit procedures, a step-by-step guidance on how to obtain information from the system in support of individual control activities.

Links to the supporting test sheets are included where everything has been conveniently pre-documented with fill-in fields for the data obtained as part of the testing procedures for further analysis.



Columns of the testing section (each control activity row lists):
Control Documentation Recommendations: The following documentation may assist auditors in enhancing understanding of the control activity and performing tests of control for each control activity.
Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
Testing Reference: Reference to supporting evidence considered pertinent
Conclusion: Effective / Ineffective
Exception Details: For ineffective controls
Mitigating Controls: For ineffective controls
Planned Remediation Procedures: For ineffective controls
Planned Remediation Date: For ineffective controls
Remediation Status: Completed / In Progress




IT2.04
Control Documentation Recommendations:
- Backup policy
- Backup operations procedures, including:
  (1) Backup job monitoring
  (2) Error resolution procedures
- Listing of profiles with the special authority *SAVSYS
Testing Procedures: Perform the following procedures to verify only appropriate users have the authority to modify backup schedules:
• Obtain a listing of users with *SAVSYS special authority. This can be done by reviewing the user profile information; to obtain user profile information, request the security administrator to run the following:
  - DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE)
• Review users with the *SAVSYS authority
• Determine if access to modify backup schedules is appropriate
• Confirm that access to modify backup schedules is reviewed by management periodically
• Document your conclusions.
Testing Reference: Tab 4




IT4.13
Control Documentation Recommendations:
- Approved information security policy
- Procedures for audit logging and reviewing
- OS/400 Security report with ‘Display Security Auditing’ details
- Procedures for detecting and resolving unauthorized activity
- Samples of approved and signed audit journals
Testing Procedures: Obtain output from issuance of the WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE) command and examine the following system values configured in the system for appropriateness:
• QAUDCTL (defines whether audit logging is turned on) should be set to ‘*AUDLVL’
• QAUDLVL (defines which security-related actions are recorded system-wide for all users) should be set to at least ‘*AUTFAIL’, ‘*SAVRST’, ‘*SECURITY’, and ‘*SERVICE’
• QAUDENDACN (determines the action that the system takes if auditing is active and the system is unable to write entries to the audit journal) should be set to ‘*NOTIFY’
Further, obtain documentary evidence to confirm that audit journals are reviewed periodically by the appropriate personnel.
Testing Reference: Tab 15
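The three system-value checks of this procedure and the Tab 15 recommended minimums, as an added example that is not part of the audit program; the two-column export format and the sample values are constructed for the example, and the QAUDLVL2 merge reflects IBM i's behaviour when QAUDLVL contains *AUDLVL2.

```python
"""Check i5/OS auditing system values against the IT4.13 recommended minimums.

Added example, not part of the audit program. It reads a simple
"NAME  VALUE..." listing (constructed here; derive it from the
WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE) export before use) and reports
each deviation the Tab 15 testing table would flag as an exception.
"""

# Recommended minimums stated in the testing procedure for IT4.13.
QAUDCTL_REQUIRED = "*AUDLVL"
QAUDLVL_REQUIRED = {"*AUTFAIL", "*SAVRST", "*SECURITY", "*SERVICE"}
QAUDENDACN_REQUIRED = "*NOTIFY"

# Constructed sample export (not a real system's output): one system value
# per line; multi-valued entries are blank-separated.
SAMPLE_EXPORT = """\
QAUDCTL     *AUDLVL *NOQTEMP
QAUDLVL     *AUTFAIL *SECURITY *AUDLVL2
QAUDLVL2    *SAVRST *SERVICE *PGMADP
QAUDENDACN  *PWRDWNSYS
QSECURITY   40
"""


def parse_export(text):
    """Return {system value name: set of value tokens}."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            values[parts[0]] = set(parts[1:])
    return values


def effective_audlvl(values):
    """Audit actions actually in force. When QAUDLVL names *AUDLVL2, IBM i
    also applies the actions listed in QAUDLVL2, so both sets are merged."""
    audlvl = set(values.get("QAUDLVL", set()))
    if "*AUDLVL2" in audlvl:
        audlvl |= values.get("QAUDLVL2", set())
    return audlvl


def audit_findings(values):
    """Deviations from the recommended minimums (empty list = no exceptions)."""
    findings = []
    ctl = values.get("QAUDCTL", set())
    if QAUDCTL_REQUIRED not in ctl:
        findings.append(f"QAUDCTL is {' '.join(sorted(ctl)) or '<missing>'}; "
                        f"expected {QAUDCTL_REQUIRED} so QAUDLVL actions are audited")
    missing = QAUDLVL_REQUIRED - effective_audlvl(values)
    if missing:
        findings.append("QAUDLVL lacks " + " ".join(sorted(missing)))
    endacn = values.get("QAUDENDACN", set())
    if endacn != {QAUDENDACN_REQUIRED}:
        findings.append(f"QAUDENDACN is {' '.join(sorted(endacn)) or '<missing>'}; "
                        f"expected {QAUDENDACN_REQUIRED}")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse_export(SAMPLE_EXPORT)) or ["No exceptions noted."]:
        print(finding)
```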








IT6.03
Control Documentation Recommendations:
- Policies around application development and approval process
- Job descriptions and responsibilities relating to authorization of implementations
- Listing of implementations performed over the period of intended reliance
- Program change status reports and prioritization
- Inventory listing of purchased software
- Approved project plans
- Minutes of change control meetings
Testing Procedures: Examine documentary evidence such as policies and procedures, requirement lists, and the results of the approval processes conducted, indicating that the development and implementation projects are approved in accordance with established policies and procedures:
• Obtain a listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed over the period of intended reliance (the audited timeframe)
• Use your attribute sampling guidelines to select an adequate sample of such acquisitions or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to confirm that projects were approved by authorized individuals prior to implementation
• Document your conclusions.
Testing Reference: Tab 21








Ref. to Post-Remediation Testing Details: If applicable




Tab 4

Control Activity #: IT2.04
Control Activity: Only authorized employees have access to modify backup schedules.
Test Steps:
1) On [date], obtained from [Name, Title] a system generated listing of users with *SAVSYS special authority;
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.
Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Users with *SAVSYS special authority (columns of the testing table):
Count
System ID
Report Date
Profile Name
Profile Owner
Profile Status: exclude profiles with ‘*DISABLED’ status
Password *NONE: exclude profiles with Password *NONE = ‘*YES’ (no access)
Initial Program / Initial Menu: exclude profiles with ‘Initial Program’ = *NONE AND ‘Initial Menu’ = *SIGNOFF (end-user access shouldn't be possible)
Special Authorities: only list profiles with ‘*SAVSYS’ special authority; exclude other profiles
Access Appropriate Per Job Responsibilities? (Yes/No)
Issues Noted? (Yes/No)
Comments / Issue Description

1
2




Total                                                                                                                                                                                               0                      0               0
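The screening that the IT2.04 testing procedure and this Tab 4 table describe (keep only *SAVSYS holders; drop disabled profiles, profiles with password *NONE, and profiles whose initial program is *NONE with initial menu *SIGNOFF), as an added example that is not part of the audit program; the CSV layout and the profile records are constructed for the example, and the fields of the real DSPUSRPRF outfile would have to be mapped onto these column names first.

```python
"""Screen a user-profile listing for *SAVSYS holders that warrant review (Tab 4).

Added example, not part of the audit program. It applies the exclusion rules
of the Tab 4 testing table to records of the kind the
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) step produces. The column
names below are taken from the Tab 4 table; the records are constructed.
"""
import csv
import io

# Constructed sample listing (not real data) using the Tab 4 column names.
SAMPLE_LISTING = """\
Profile Name,Profile Status,Password *NONE,Initial Program,Initial Menu,Special Authorities
BACKUPOPR,*ENABLED,*NO,*NONE,MAIN,*SAVSYS *JOBCTL
OLDOPR,*DISABLED,*NO,*NONE,MAIN,*SAVSYS
QSRV,*ENABLED,*YES,*NONE,MAIN,*SAVSYS *SERVICE
SVCACCT,*ENABLED,*NO,*NONE,*SIGNOFF,*SAVSYS
HELPDESK,*ENABLED,*NO,*NONE,MAIN,*JOBCTL
SYSADM,*ENABLED,*NO,STARTUP,MAIN,*ALLOBJ *SAVSYS *SECADM
"""


def parse_listing(text):
    """Parse the CSV listing into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def holds_savsys(rec):
    """*SAVSYS is one token of the blank-separated special authorities field."""
    return "*SAVSYS" in rec["Special Authorities"].split()


def exclusion_reason(rec):
    """Why the Tab 4 rules drop a profile from the review table, or None to keep it."""
    if not holds_savsys(rec):
        return "no *SAVSYS authority"
    if rec["Profile Status"] == "*DISABLED":
        return "profile disabled"
    if rec["Password *NONE"] == "*YES":
        return "password *NONE (no sign-on possible)"
    if rec["Initial Program"] == "*NONE" and rec["Initial Menu"] == "*SIGNOFF":
        return "initial program *NONE and initial menu *SIGNOFF (no end-user access)"
    return None


def profiles_to_review(text):
    """Profile names whose *SAVSYS access must be reviewed for appropriateness."""
    return [r["Profile Name"] for r in parse_listing(text)
            if exclusion_reason(r) is None]


def screening_report(text):
    """Map each *SAVSYS holder to its exclusion reason (None = goes into the table)."""
    return {r["Profile Name"]: exclusion_reason(r)
            for r in parse_listing(text) if holds_savsys(r)}


if __name__ == "__main__":
    for name, reason in screening_report(SAMPLE_LISTING).items():
        print(f"{name:10} {'REVIEW' if reason is None else 'excluded: ' + reason}")
```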




Tab 15

Control Activity #: IT4.13
Control Activity: The i5/OS (OS/400) environment is configured and activated to record audit events (such as unauthorized or inappropriate system activity, including use of special authorities) as defined in information security policies; audit reports are regularly reviewed by management and necessary action taken.
Test Steps:
1) Obtained output from issuance of the WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE) command from [Name, Title] on [Date];
2) Reviewed audit log facility configuration for appropriateness;
3) Please refer to testing table below for details.
Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]



Auditing system value parameters configured in the system (columns of the testing table):
Count
Audit Log Facility
Audit Log Facility Description
Possible Values
Recommended Minimum
Auditing Appropriately Performed? (Yes/No)
Issues Noted? (Yes/No)
Comments / Issue Description

1. QAUDCTL
Description: Defines whether audit logging is turned on and the type of auditing allowed
Recommended Minimum: *AUDLVL
Possible Values:
*NONE - No auditing performed (Note: AUDLVL might be used for individual users). If set to *NONE, it will not be possible to monitor security violations and detect unauthorized or undesirable activity on the system.
*OBJAUD - Objects selected using CHGOBJAUD (change object), CHGDLOAUD (change document library object), or CHGAUD (change audit) commands are audited
*AUDLVL - Auditing is performed for functions selected on the QAUDLVL system value and on the AUDLVL parameter on specific user profiles
*NOQTEMP - Auditing is not performed for most actions if the object is in the QTEMP library; this value must be specified with either *OBJAUD or *AUDLVL

2. QAUDLVL (operates in conjunction with the QAUDCTL system value)
Description: Defines which security-related actions are recorded system-wide for all users
Recommended Minimum: *AUTFAIL, *SAVRST, *SECURITY, *SERVICE
Possible Values:
*NONE - No audit logging; if events are not logged, it is not possible to monitor security violations and undesirable activity on the system
*AUTFAIL - Authority failure events are logged
*AUDLVL2 - Allows more auditing actions (if specified)
*CREATE - Object create operations are logged
*DELETE - Object delete operations are logged
*JOBDTA - Actions that affect a job are logged
*NETCMN - Violation detected by APPN Filter support is logged
*OBJMGT - Object move and rename operations are logged
*OFCSRV - Changes to the system distribution directory and office mail actions are logged
*OPTICAL - Use of Optical Volumes is logged
*PGMADP - Obtaining authority from a program that adopts authority is logged
*PGMFAIL - System integrity violations are logged
*PRTDTA - Printing a spooled file and sending output to printers are logged
*SAVRST - Restore operations are logged
*SECURITY - Security-related functions are logged
*SERVICE - Using service tools is logged
*SPLFDTA - Actions performed on spooled files are logged
                                                     *SYSMGT - Use of system management functions is logged

3            *QAUDENDACN        Specifies the        *NOTIFY - messages sent to QSYSOPR and QSYSMSG (if it exists) message queues every hour until auditing is restarted                        *NOTIFY
                                action the system    *PWRDWNSYS - if unable to write an audit journal entry, system powers down
                                should take if
                                journal entries
                                cannot be
                                recorded
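As an added example (not part of the audit program), the following Python check compares captured values of the three system values above against the recommended minimums and reports the "Auditing Appropriately Performed?" answer for each; the "NAME: *VALUE *VALUE" capture format is constructed for the example and is not IBM i command output.

```python
"""Check captured IBM i audit system values (QAUDCTL, QAUDLVL, QAUDENDACN)
against the audit program's recommended minimums.  Added example; the
'NAME: *VALUE *VALUE' capture format is constructed, not DSPSYSVAL output."""

# Recommended minimums exactly as the audit program lists them.
RECOMMENDED_MINIMUM = {
    "QAUDCTL": {"*AUDLVL"},
    "QAUDLVL": {"*AUTFAIL", "*SAVRST", "*SECURITY", "*SERVICE"},
    "QAUDENDACN": {"*NOTIFY"},
}

# Constructed capture: QAUDLVL is missing two of the recommended values.
SAMPLE_CAPTURE = """\
QAUDCTL: *AUDLVL *OBJAUD
QAUDLVL: *AUTFAIL *CREATE *DELETE *SECURITY
QAUDENDACN: *NOTIFY
"""

def parse_capture(text):
    """Return {system value name: set of special values} from the capture."""
    values = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            values[name.strip().upper()] = {tok.upper() for tok in rest.split()}
    return values

def audit_values(values):
    """Map each system value to (appropriately_performed, issue_description).
    QAUDLVL only takes effect when QAUDCTL includes *AUDLVL, so *NONE or
    *OBJAUD alone in QAUDCTL makes QAUDLVL ineffective whatever it holds."""
    results = {}
    qaudctl = values.get("QAUDCTL", set())
    for name, required in RECOMMENDED_MINIMUM.items():
        actual = values.get(name)
        if actual is None:
            results[name] = (False, "system value not captured")
        elif name == "QAUDLVL" and "*AUDLVL" not in qaudctl:
            results[name] = (False, "QAUDCTL lacks *AUDLVL, so QAUDLVL is not in effect")
        elif required - actual:
            missing = ", ".join(sorted(required - actual))
            results[name] = (False, "missing recommended minimum: " + missing)
        else:
            results[name] = (True, "")
    return results

if __name__ == "__main__":
    for name, (ok, issue) in audit_values(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{name:<11} appropriately performed: {'Yes' if ok else 'No'}  {issue}")
```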
Additional auditing features to consider for V5R3 or later:
Columns: Count; Audit Log Facility; Possible Values.

1  *NETCMN - Network and communication functions are audited
   Possible values:
     *NETBAS - Network base functions are audited.
     *NETCLU - Cluster and cluster resource group operations are audited.
     *NETFAIL - Network failures are audited.
     *NETSCK - Socket tasks are audited.

2  *SECURITY - Security-related functions are logged
   Possible values:
     *SECCFG - Security configuration is audited.
     *SECDIRSRV - Changes or updates made through directory service functions are audited.
     *SECIPC - Changes to inter-process communications are audited.
     *SECNAS - Network authentication service actions are audited.
     *SECRUN - Security run-time functions are audited.
     *SECSCKD - Socket descriptors are audited.
     *SECVFY - Use of verification functions is audited.
     *SECVLDL - Changes to validation list objects are audited.
Control Activity #: IT6.03

Control Activity: Any acquisition or development of AS400 application systems and i5/OS (OS/400) operating system software is approved by management prior to implementation.

Test Steps:
  1) On [date], obtained from [name, title] a listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed between [date] and [date], noting [count] projects took place during that time.
  2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that projects were approved by authorized individuals prior to implementation.
  3) Please refer to the testing table below for details.

Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed during the period of intended reliance:
Columns: Count; Project ID; Project Description; Project Completed/Implemented On (Date); Project Selected for Detailed Testing? (Yes/No); Project Approved by Management? (Yes/No); Approved On (Date); Approved By (Name, Title); Approved by Authorized Approver? (Yes/No); Approved Prior to Implementation? (Yes/No); Issues Noted? (Yes/No); Comments/Issue Description.

Note on the approval columns (Project Approved by Management? onward): Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total (per Yes/No column): Project Selected for Detailed Testing? 0; Project Approved by Management? 0; Approved by Authorized Approver? 0; Approved Prior to Implementation? 0; Issues Noted? 0