To continue yesterday work, today I will be focusing to complete the audit working paper for Leader Steel’s ITGC audit. The last section of the audit working paper is on computer operations, it is to determine whether adequate controls for computer operations have been established to ensure that the system or applications processing are appropriately authorized and scheduled and deviations from scheduled processing are identified and resolved. Four controls are included in the area which are automated job processing, backup and recovery procedure, patch management and incident and problem management procedures. The automated job processing is to determine whether management has controls in place over the design and execution of system jobs to ensure accuracy, completeness and timely processing of system jobs, including batch jobs and interfaces, for relevant information systems related to financial reporting. Since the company does not practice automated job processing, so there is no need to us to audit this control. Second control is related to backup and storage. It is to determine whether management has controls in place over the design and execution of backup, recovery and storage to ensure accuracy, completeness, and timely processing of system backup, including restoration test of backup, for relevant information systems related to financial reporting. We asked Mr Jason to understand how the company monitor the system backup, he replied that the backup is done daily, scheduled from 12am and is stored by using Microsoft SQL Server Management and restoration test is performed when program changes requested by the users. To test the operating effectiveness, we will inspect the system setting to determine th system backup is configured in accordance with the backup and restore document and to inspect samples of backup logs to determine whether integrity and completeness of data backup. Third control is on patch management and antivirus, this control is to determine whether the management has patch management process in place to ensure the proper preventive measures are taken against potential threats and security vulnerabilities. We noted that the company use ESET as antivirus as the security controls for windows, serverl and application level. It is cloud based and monitored centrally as update will be done automatically on every workstations. To test its effectiveness, we observed that the sample of the Windows update history on the server hosting SAP B1, it showed that the patches were successfully installed and also observed that the antivirus dashboard and noted that all the PCs are scanned and updated. The last control is on incident and problem management procedures, it is to determine whether management has controls in place to ensure that system problems that could potentially impact the financial reporting process are identified and resolved in a timely manner. What we asked Mr Jason is to understand how is the process IT department handle, investigate and resolve reported incidents or failure and we noted that in case there is an IT issue, users will contact IT team through email and all the information will be recorded in IT department internal request log. To test the effectiveness is to inspect the IT Request Log for the year of 2022 and observed that all the raised issues are resolved and marked ‘closed’ on the log. The Request Log contains the following information like date, time, user, location, IT issue, status, date complete and time complete. At the end, when we come to summary part, we stated that there is no deficiencies being found for the area. Tomorrow I will continue the work by drafting the management letter which will summarize all our findings and what should we inform the client.
Main things that have learnt
To complete the ITGC audit working paper by completing the computer operation part.
Comment/idea/opinion
Today I complete the ITGC audit working paper and I would say I think that the audit process actually do take some time as we need to go through the evidence given by client and need to understand it thoroughly so that we can reach the conclusion.
Comments