
Day 21 (15 Nov 2022)

Writer: Foo Yoong Hou

Since I finished labelling the document given by the client yesterday, today I would like to begin the audit work. I opened a blank working paper; the purpose of the working paper is to document our evaluation of the design and implementation, and the testing of the operating effectiveness, of IT general controls. First of all, I filled in the IT environment part by briefly describing the company, including its name, subsidiary, founding year, company structure, etc. The audit can generally be categorized into five main areas, which are access to programs and data, program changes, program development, computer operations and, lastly, the IT general controls summary. I started with the first section, access to programs and data. Its objective is to determine whether adequate controls for access to programs and data have been established to reduce the risk of unauthorized or inappropriate access to the relevant information systems related to financial reporting. The controls involve information security policy, configuration of access rules, access administration, identification and authentication, monitoring of user access and super users. The first documents used were all the information system policies given by the client. We then noticed that, except for one organization-wide IT policy, the other policies do not have proper review and approval; I remarked this in the audit working paper as a deficiency. The next thing I looked at was the user access matrix, to check whether user access is segregated according to responsibilities. Then came the forms that the company uses to create, modify and delete user IDs; what we need to check on each form is whether it has the proper signatures from the requestor and the superior.
After that, I moved on to check the screenshot of the password policy. The purpose is to check how strong the password is; we look at password age, password length, account lockout duration and account lockout threshold. I noticed that one of the areas did not comply with our given best practice, so I remarked it as another deficiency. The last two sections of the first area relate to the monitoring of user access, to check whether there is a procedure to review user access rights, and to super users, to see whether a review is conducted of the super user audit trail.

 

Main things that I have learnt


I performed the audit for the first area, access to programs and data, which includes information security awareness, password control, user access rights and super user monitoring.

 

Comment/idea/opinion

N/A





 
 
 
