Original poster: 降龙十八掌

[Digest] An overview of information security and audit checklists

Forum badges: 1 (Authorized member, 2005-10-30 17:05:33)
#11
Posted 2002-7-25 16:42

Does showing up late mean I'm doomed to just look and drool?

I couldn't download anything, because the download link is already gone.
555 (sob)

Forum badges: 20 (ITPUB veteran, 2005-02-28 12:57:00; 2012 Spring Festival commemorative badge ×5, 2012-02-13 15:11:18; "Car right away", "House right away", "Money right away", "Partner right away", 2014-02-19 11:55:14)
#12
Original poster | Posted 2002-7-26 13:44
Access Controls Audit Program

Audit Program Overview
Access to computer resources should be controlled to protect them against unauthorized use, damage, loss, or modifications. Proper access controls will assist in the prevention or detection of deliberate or accidental errors caused by improper use or manipulation of data files, unauthorized or incorrect use of computer programs, and/or improper use of computer resources.

Suggested interviewees for ICQ:

Documentation Librarian

System Programming Manager

Applications Programming Manager

Director of Information Systems

Data Base Administrator

Control Objective #1 - Access to Program Documentation

Observe the storage location of documentation if it is kept in printed form or determine how access to on-line documentation is restricted. Determine if the documentation is adequately secured.

Review documentation check out logs to see if only authorized persons are gaining access to documentation. Determine if checked out documentation is properly logged and can be located.

Control Objective #2 - Access to Systems Software

Interview the person responsible for access to system software. Determine if the methods used to limit access to systems software to authorized persons are adequate.

Review documentation check out logs to see if only authorized persons are gaining access to documentation. Determine if checked out documentation is properly logged and if it can be located.

Test to see that access to systems software is limited by terminal address.

Control Objective #3 - Access to Production Programs

Interview the person responsible for controlling access to production programs (source and object code) and job control instruction. Determine if passwords and utilities that affect program access are adequately controlled. Also determine if controls are adequate to limit access to only those who need it to do their jobs.

Control Objective #4 - Access to Data Files

Review the procedures for limiting access to data files. Determine if programs not in the production library are adequately restricted from processing against data files and if controls are adequate to restrict access to data files to only authorized persons.

Control Objective #5 - Access to On-line Systems

Determine who has access to confidential data. Verify with the owner of the data that these persons have authorization to access this data.

Test to see that access to applications, data, or entry and update of transactions is limited by terminal address and hours of operation.

For employees that have requested that their addresses and phone numbers not be disclosed, determine if this information is adequately protected from disclosure.

Control Objective #6 - Access to Data Bases

Interview the data base administrator and determine if controls are adequate to restrict access to the data base and data base change utilities.

Determine how concurrent access to the same data item is prevented and if it is adequate.

Control Objective #7 - Password Administration

Review the procedures for controlling passwords and determine if they are complete (using 3.4.4 of 1992 EDP Control Objectives as a guide).

Review records or interview users to determine when passwords were last changed.

In a department where an employee has recently terminated, determine if the employee's password has been deleted and if the passwords of other employees in the department have been changed.

Determine how access to password tables is restricted. Determine if access is restricted to only those who really need to access the table.

Test to see that there is a limit on the number of unsuccessful attempts to sign on (or login).

Control Objective #8 - Policies for Access Security

Review the policies for access security. Determine if they are complete.

Interview the person(s) responsible for access security and determine if they are aware of and follow the policies for access security.

Review logs that record accesses. Compare the logs to the list of authorized persons. Determine if access violations are being investigated in accordance with procedures.

Effect of Weaknesses
Access controls are designed to limit access to documentation, files, and programs. A weakness in or lack of such controls increases the opportunity for unauthorized modification to files and programs, as well as misuse of the computer hardware. Weaknesses in documentation and/or controls over machine use may be compensated by other strong IS controls. However, weaknesses in systems software, program, and data security significantly decrease the integrity of the system. Weaknesses in this area must be considered in the evaluation of application controls.

Notes:
Written policies for security over access to automated resources typically address guidelines and responsibilities in the following areas:

access to program documentation

access to system software

access to program and job control instructions

access to data files

access to applications

passwords

investigation of access violations

To review access controls, the reviewer may need to obtain copies of the automated logs or journals that record/monitor access to the following:

program documentation

systems software

production programs and job control language

production data files

critical application systems

password tables

Without such documentation, the reviewer may not be able to determine how access to systems software is controlled, in what kind of restrictive area systems software is kept, who are authorized to access and change systems software, and whether certain powerful utilities are being used to circumvent access controls to systems software.

Production programs (source and object code) and job control instructions are kept in a restricted area - using secure authentication methods to gain access. Programmers and other unauthorized personnel need to be expressly prohibited from adding, replacing, or deleting production programs. The updating of the production program storage area should be monitored through the use of a report detailing all updates to the production program storage area, and a review of the programs in the production storage area. Someone should be specifically assigned this monitoring responsibility.

Production data files also need to be kept in restricted areas. Like production programs, programmers and unauthorized users should be expressly prohibited from updating or deleting production data files. Formal procedures should be in place to limit access to confidential data to authorized persons only.
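A worked example added here, not part of the original post or of the audit program it reproduces: the tests under Control Objectives #5, #7 and #8 (terminal-address restrictions, password age, sign-on attempt limits, and comparing access logs against the authorized list) carried out over a small access-log extract. The log layout, the authorized-user list, the password table and every name and date in it are constructed for illustration and do not come from any real system.

```python
"""Access-control audit checks for Control Objectives #5, #7 and #8.
Added example; all records below are constructed, not from a real system."""
from collections import defaultdict
from datetime import date, datetime

REVIEW_DATE = date(2002, 7, 26)  # constructed audit date

# Constructed: the authorized-user list obtained from the data owners, with each
# user's assigned terminal addresses and whether HR shows the person as terminated.
AUTHORIZED = {
    "jsmith": {"dept": "payroll", "terminals": {"T101", "T102"}, "terminated": False},
    "mlee":   {"dept": "payroll", "terminals": {"T103"},         "terminated": True},
    "dba01":  {"dept": "dp",      "terminals": {"T201"},         "terminated": False},
}

# Constructed: password table extract (user -> date the password was last changed).
PASSWORD_TABLE = {
    "jsmith": date(2002, 7, 1),
    "mlee":   date(2002, 3, 15),
    "dba01":  date(2001, 11, 2),
}

# Constructed access-log lines in a simple key=value layout.
ACCESS_LOG = """\
2002-07-22 08:01:10 user=jsmith term=T101 action=LOGIN result=OK
2002-07-22 08:05:44 user=mlee term=T103 action=LOGIN result=OK
2002-07-22 09:12:03 user=dba01 term=T305 action=LOGIN result=OK
2002-07-22 10:00:01 user=guest term=T110 action=LOGIN result=OK
2002-07-22 11:30:00 user=jsmith term=T102 action=LOGIN result=FAIL
2002-07-22 11:30:20 user=jsmith term=T102 action=LOGIN result=FAIL
2002-07-22 11:30:41 user=jsmith term=T102 action=LOGIN result=FAIL
2002-07-22 11:31:02 user=jsmith term=T102 action=LOGIN result=FAIL
2002-07-22 11:31:30 user=jsmith term=T102 action=LOGIN result=OK
""".splitlines()


def parse_access_log(lines):
    """Parse one event per line into a dict with a timestamp and the key=value fields."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than abort the review
        ev = {"ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def unauthorized_users(events, authorized):
    """Objective #8: identities that signed on but are not on the authorized list,
    or are on it but marked terminated (their password should have been deleted)."""
    seen = {e["user"] for e in events if e.get("result") == "OK"}
    return sorted(u for u in seen if u not in authorized or authorized[u]["terminated"])


def off_terminal_logins(events, authorized):
    """Objective #5: successful sign-ons from a terminal address the user is not assigned to."""
    return sorted({(e["user"], e["term"]) for e in events
                   if e.get("result") == "OK" and e["user"] in authorized
                   and e["term"] not in authorized[e["user"]]["terminals"]})


def stale_passwords(password_table, as_of, max_age_days=90):
    """Objective #7: passwords older than the policy's maximum age on the review date."""
    return sorted(u for u, changed in password_table.items()
                  if (as_of - changed).days > max_age_days)


def lockout_not_enforced(events, max_failures=3):
    """Objective #7: more than max_failures consecutive failures that still end in a
    successful sign-on means no attempt limit is in effect for that user."""
    streak = defaultdict(int)
    offenders = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e.get("result") == "FAIL":
            streak[user] += 1
        else:
            if streak[user] > max_failures:
                offenders.add(user)
            streak[user] = 0
    return sorted(offenders)


if __name__ == "__main__":
    evs = parse_access_log(ACCESS_LOG)
    print("not on authorized list / terminated:", unauthorized_users(evs, AUTHORIZED))
    print("sign-ons from unassigned terminals:  ", off_terminal_logins(evs, AUTHORIZED))
    print("passwords past 90 days:              ", stale_passwords(PASSWORD_TABLE, REVIEW_DATE))
    print("no lockout after repeated failures:  ", lockout_not_enforced(evs))
```

Each function returns the exception list the auditor would then trace to the ICQ answers: a terminated employee still signing on, a DBA signing on from an unassigned terminal, and four consecutive failures followed by success are each a finding against the objective named in the function's docstring.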

#13
Original poster | Posted 2002-7-26 13:45
System Development Life Cycle Audit Program

AUDIT PROGRAM OVERVIEW
A system development life cycle (SDLC) is a methodology that can be used to develop or modify application systems. Each organization should establish a SDLC methodology and assign responsibility for each phase of the cycle so that system design, development, and maintenance may progress smoothly and accurately. This cycle starts with a perceived need and extends through feasibility study, design and development, testing, implementation, system acceptance and approval, post-implementation review, and maintenance of the application and systems software. Following each phase of this cycle ensures that the new or revised software meets the organization's needs, that adequate internal controls are consistent with management's objectives, and that the application is properly implemented.

This audit program assumes that an application system is developed by an in-house programming staff. However, application systems in use by many state agencies were not developed in-house but instead were purchased. In these instances, all the steps performed during in-house development of an application are not applicable for purchased software. Specifically, systems and programming standards, and file and programming specifications are not needed. In these cases, document in the Summary Memo how the scope of this audit program will be modified and answer Not Applicable (N/A) to any questions on the ICQ that do not apply.

Suggested interviewees for ICQ:

System Programming Manager

Director of Data Processing

A. Control Objective #1 - SDLC Methodology

Determine the extent of the responsibilities of management, internal audit, users, quality assurance, and data processing during the system design, development, and maintenance.

Review SDLC workpapers to determine if the appropriate levels of authorization were obtained for each phase.

Obtain and review requests for DP services. Determine if the University's procedures are being followed.

B. Control Objective #2 - Needs Analysis

Review and evaluate the procedures for performing a needs analysis.

Review a needs analysis for a recent project and determine if it conforms to standards.

C. Control Objective #3 - Systems Design and Development

Review and evaluate the procedures for systems design and development.

Review design specifications schedules, look for written evidence of approval, and determine if the design specifications comply with the standards.

Determine if an audit trail and programmed controls are incorporated in the design specifications of a recent project.

Review samples of source documents used for data entry which are included in SDLC workpapers of a recently developed application. Determine if they are designed to facilitate accurate gathering and entry of information.

Obtain and review programs to determine if they comply with the University's programming standards.

D. Control Objective #4 - Testing Procedures

Review and evaluate the procedures for system and program testing.

Review documented testing procedures, test data, and resulting output to determine if they appear to be comprehensive and if they follow University standards.

Review the adequacy of testing performed on the manual phases of an application.

E. Control Objective #5 - Implementation Procedures

Review and evaluate procedures for program promotion and implementation.

Review documentation of the program promotion procedure. Determine if the standards are followed and if documentation of compliance with the standards is available. Trace selected program and system software changes to the appropriate supporting records to determine if the changes have been properly approved.

Review documentation of the conversion/implementation of a newly developed application. Determine if the University's implementation procedures were followed.

F. Control Objective #6 - Post-implementation Review

Review and evaluate the procedures for performing post-implementation reviews.

Review program modifications, testing procedures, and the preparation of supporting documentation to determine if the University's standards are being followed.

G. Control Objective #7 - Maintenance of Applications

Review and evaluate the procedures for the maintenance of existing applications.

Review program modifications, testing procedures, and the preparation of supporting documentation to determine if the University's standards are being followed.

H. Control Objective #8 - Control over Systems Software

Review and evaluate the procedures for modifying systems software.

Review systems software modifications, testing procedures, and the preparation of supporting documentation to determine if the University's standards are being followed.

Review and evaluate documentation of in-house developed systems software and the features/options of proprietary systems software in use.

I. Control Objective #9 - Documentation Standards

Obtain and review the documentation standards to determine if they are complete.

EFFECT OF WEAKNESSES

Because it has been estimated that a major portion of the cost of an application over its useful life is incurred for maintenance after the application becomes operational, if little attention is given to the SDLC in the creation of a system, excessive maintenance costs can be incurred, especially if it is necessary to put controls in after the application is already in production. Redesign is not only expensive, but difficult to accomplish.

If accurate and comprehensive documentation is not maintained, the auditor will have difficulty assessing controls without expending substantial effort to obtain an accurate description of significant applications and their relationships to one another.

If modifications to application and system software are not adequately controlled, the integrity of the software may be compromised by unauthorized changes in programs, procedures, or data.

When an application is properly designed, systems development and documentation controls can prevent or disclose the following types of errors:

implementation of applications that do not have adequate application controls;

development of applications that either do not meet management objectives or do not operate in accordance with original specifications;

implementation of applications that have not been adequately tested, and;

implementation of applications that are susceptible to unauthorized modification.
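A worked example added here, not part of the original post or of the SDLC audit program it reproduces: the Control Objective #5 step of tracing production program changes to approved promotion records, done by reconciling a production library listing against a program-promotion log. The library members, the change ticket numbers, the approver names and the idea of identifying an approved object by its SHA-256 hash are all constructed assumptions for the illustration.

```python
"""Reconcile a production program library against program-promotion records
(SDLC Control Objective #5). Added example; every record is constructed."""
import hashlib

# Constructed: the production library as listed by the auditor (member -> object contents).
# A real listing gives member name, size and date; hashing contents stands in for that here.
PRODUCTION_LIBRARY = {
    "PAYROLL1": b"PROGRAM PAYROLL1 VERSION 3.2\n",
    "GLPOST":   b"PROGRAM GLPOST VERSION 1.9\n",
    "ARAGE":    b"PROGRAM ARAGE VERSION 2.0 HOTFIX\n",
    "TESTUTIL": b"PROGRAM TESTUTIL DEBUG BUILD\n",
}


def sha256(data):
    """Hex digest used to identify the exact object that was approved for promotion."""
    return hashlib.sha256(data).hexdigest()


# Constructed: program-promotion log (change ticket, approver, hash of the approved object).
PROMOTION_LOG = [
    {"program": "PAYROLL1", "ticket": "CR-1041", "approver": "it.manager",
     "hash": sha256(b"PROGRAM PAYROLL1 VERSION 3.2\n")},
    {"program": "GLPOST",   "ticket": "CR-1050", "approver": "",            # never signed off
     "hash": sha256(b"PROGRAM GLPOST VERSION 1.9\n")},
    {"program": "ARAGE",    "ticket": "CR-1033", "approver": "it.manager",
     "hash": sha256(b"PROGRAM ARAGE VERSION 2.0\n")},                      # a hotfix went in after approval
]


def reconcile_production(library, promotions):
    """Classify each production member:
    'ok'          - matches an approved promotion record with an approver recorded
    'unapproved'  - matches a promotion record that carries no approval
    'drift'       - differs from every promoted version (changed outside the procedure)
    'no_record'   - never went through program promotion at all"""
    by_program = {}
    for rec in promotions:
        by_program.setdefault(rec["program"], []).append(rec)
    findings = {}
    for name, contents in library.items():
        digest = sha256(contents)
        records = by_program.get(name, [])
        if not records:
            findings[name] = "no_record"
            continue
        matching = [r for r in records if r["hash"] == digest]
        if not matching:
            findings[name] = "drift"
        elif not any(r["approver"] for r in matching):
            findings[name] = "unapproved"
        else:
            findings[name] = "ok"
    return findings


def exceptions(findings):
    """Members the auditor should trace to supporting records and raise with management."""
    return sorted(name for name, status in findings.items() if status != "ok")


if __name__ == "__main__":
    result = reconcile_production(PRODUCTION_LIBRARY, PROMOTION_LOG)
    for name in sorted(result):
        print(f"{name:10s} {result[name]}")
    print("trace to supporting records:", exceptions(result))
```

The same reconciliation covers the monitoring report called for in the access-controls program above: run periodically rather than once at audit time, the "drift" and "no_record" categories are exactly the unreported updates to the production storage area that the assigned monitor is supposed to catch.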

#14
Original poster | Posted 2002-7-26 13:45
Telecommunications Audit Preliminary Program

SCOPE

[Organization] Telecommunications - Billing September 1, 199X to August 31, 199X.

OBJECTIVES

To determine compliance with applicable policies, procedures, and regulations.

To test the integrity and reliability of interfaces with financial reporting system (FRS) and budget reporting system (BRS).

To determine the existence of and adherence to internal controls over the billing and related processes.

To determine the reliability of financial and operational information.

To determine the efficiency, economy, and effectiveness of operations related to the scope of the audit.

PRELIMINARY SURVEY

Review and update permanent file.

Review current Federal, State, and University guidelines applicable to telecommunications.

Inquire of and review any reports or audits or other reviews conducted.

Obtain an understanding of auditee's department/function:

obtain organization chart and/or job descriptions

obtain any statements of mission, goals, or operational objectives

interview key departmental personnel to obtain useful information (necessary for documenting department's profile), and

inquire about changes in past 3 years in auditee's program, organization, procedures, and level of technology.

Review department procedures manual(s).

Obtain or develop department financial information.

Determine audit objectives and scope and review with the Director.

Determine which audit programs and ICQ's should be used and whether modification is needed. Flowchart unique departmental processes.

Review level of automation and accessibility of computer files to determine if specific computer tools are needed.

Prepare engagement letter and schedule an entrance conference. Hold an entrance conference with the head of the department to be audited and designated attendees:

go over audit life cycle and discuss audit process;

discuss the tentative scope of the audit;

discuss audit objectives; and,

inquire if there are specific areas of management concern.

FIELDWORK PREPARATION

Based on information obtained from the preliminary survey and entrance conference, complete the department audit program:

finalize scope and objectives;

revise existing audit programs and ICQ's as necessary;

add or delete additional steps to audit programs; and,

prepare an audit time budget.

Obtain approval of the audit program and budget from the Director prior to commencing fieldwork.

Request automated reports from DP personnel as needed (or use available data retrieval tools to extract automated reports as needed).

When using audit programs that require confirmation letters, remember to send them out as early as possible to avoid delaying the audit project.

Review, as necessary, audit sampling methods with the Director.

Perform audit fieldwork using separate, generic programs as applicable.

Remember to:

review internal control throughout the audit;

devise, perform, and document any additional steps considered necessary based on the results of the review of internal controls; add these steps to the audit program and obtain approval;

document all findings on Point Disposition Sheets and review with auditee; note auditee comments;

obtain approval from the Director for any modifications needed to the time budget and audit scope as a result of major problems encountered during fieldwork; if significant finding needs immediate management attention, discuss with the Director.

Perform billing and accounts receivable audit program for Telecommunications.

Select a random sample of work orders to insure proper documentation exists for issuing authorization codes and activation / deactivation of previously issued Telecomm codes.

Select a random sample of credit card numbers from the Telecomm data base and trace to source document to ensure the validity of the numbers.

Complete the system control ICQ.

Review the appropriateness of the levels of accessibility to Telecomm's Prime Computer system and System 85 Switch via password authorizations.

Verify that FRS and BRS programmers at [Organization] cannot write to the billing tapes by determining the security access to their high level qualifiers.

Assess the physical security of the premises by comparing the police report to the premises. Also consider physical access to computer hardware and switch.

Verify that there are clear and up-to-date written procedures for each operation.

Determine if the department and/or the University meets established goals and objectives by reviewing management reports and other measures of achievement and productivity.

Review reconciliations and other tracking to determine if the interfaces between the systems are reliable.

WRAP-UP

Clear any open points.

Title, index, initial, and date work papers.

Summarize the results of all tests performed in the applicable work papers. Include calculation of actual error rate for each attribute tested. Determine if the actual error rate is acceptable and document your conclusion.

Prepare audit memo(s) outlining audit work performed.

Develop audit findings and recommendations when applicable.

Submit audit work papers and draft report to the Director for review.

Clear review notes. Go over the review notes with the Director to ensure that all points are cleared.

Distribute draft audit report. Obtain and review responses. Note your receipt of the responses. Issue final audit report with responses included.

File report and work papers - Audit Control Sheet.

Verify the scope percentage breakdown was accurate and notate to the Director the "significant" recommendations.

Perform follow-up in approximately six months following the date of final report distribution.

Close the file.

#15
Original poster | Posted 2002-7-26 13:46
Telecommunications Operational Audit Program

OBJECTIVES: Conduct an operational audit of the Telecommunications department at [Organization] to determine whether:

departmental goals and objectives are being met,

resources are being safeguarded,

applicable laws, regulations, policies, and procedures are being followed, and

reliable data are being obtained for management decision-making.

SCOPE AND PROCEDURES

Review policies and procedures.

Identify operational processes and conduct a "walkthrough" of transactions.

Analyze operations principally for the three year period ended with fiscal year 199X based on discussions, limited tests of the records and observations.

Conduct personal interviews with management representatives of user departments selected at random to evaluate customer satisfaction.

BACKGROUND

The Telecommunications function is a part of the Computing, Telecommunications and Information Services (CTIS) department. It originated as a department in [year] under its current director, [name]. The Director reports administratively to the Vice President for Business and Administration, [name]. The annual budget for fiscal year 199X-XX is $1.5 million (Account #XXXX-XXXX). [Name] is currently the Telecommunications Coordinator, and her annual salary is drawn from Designated Funds #XXXX (Telephone Operations).  

REVIEW POLICIES AND PROCEDURES

Review policies and procedures supporting routine departmental operations. Obtain a thorough understanding of these operations by conducting a "walkthrough" of the main processes:

Annual budget

Payroll certification

Personnel leave reports

Policy/procedures manual

Vendor payments

XXX reconciliation

Equipment inventory

Record maintenance

Job responsibilities

Departmental billings

Billing formulas

Operations reports

Work order requests

Records retention

Scan payroll journals for the three-year period ended August 31, 199X. Take note of anything unusual, and if necessary expand the scope of review.

Scan the leave records for two employees during the three year period ended August 31, 199X. Determine if any comp time was worked, and if so, how it was applied compared with campus policy. Take note of anything unusual, and if necessary expand the scope of review.

During the course of this review, take particular note of any activities that involved a former employee who was terminated in 199X. Consider expanding the scope of review if anything unusual is noted.

ANALYZE TELECOMMUNICATIONS OPERATIONS

Analyze financial activities for the three-year period ended August 31, 199X with regard to the following:

Compare actual versus budget

Note trends from year to year

Calculate approximate total of volume activity

Compute ratios for comparison to those of previous years, other universities, or industry averages.

Verify detailed local telephone bills for two months in both fiscal years 199X and 199X based on existing resources. Analyze expenditures for three years to XXX and Cellular One bills by vendor and by year. Consider expanding the review if necessary.

Analyze telecommunications charges to departments for the three-year period ended fiscal year 199X, and verify them on the basis of accuracy, completeness and reasonableness. Compare actual and budgeted amounts. Review journal vouchers from Telecommunications as to purpose and overall propriety.

Review contract for telephone maintenance services during the three year period ended with fiscal year 199X. Reconcile contract terms with actual XXX charges for that period of time.

Obtain service records of contract maintenance performed and analyze in relation to the contract price paid for the last three fiscal years. Determine if the frequency of service justifies the amount paid. Review contract for covered repairs to justify reasonableness. Also, review a sample of service orders, and determine:

How prices are computed,

How pricing disputes are settled, and

How costs are recovered.

Obtain long distance bills for two months in both fiscal years 199X and 199X (same as in #2 above), and conduct the following tests:

Analyze total long distance charges for each of the two years. Determine total journal voucher billings for the same period of time and account for any differences from actual telephone charges per telephone bills. Evaluate the reasonableness of any over-recoveries. Trace a sample of call summary reports to related journal vouchers and XXX.

Trace charges to appropriate accounts on XXX for five departments. Sample departments with both large and small amounts. Determine the reasons for any differences. These amounts will be based on estimates of internal billing reports.

Review bills for unusual items (large dollar amounts, 900 numbers, unusual locations, time and weather calls, etc.). Determine how they were handled, and evaluate the appropriateness of that action.

Identify five campus departments that use telephone service (4 large and 1 small). Prepare a user survey (10 to 20 questions) to assess the efficiency and effectiveness of telecommunications' services. Personally visit the designated departments, and discuss the questions with a representative of management (business manager or higher) to obtain responses. Evaluate the results and share them with the Director of CTIS.

Review agreements for telephone services with on-campus contractors. Scan related billings to determine compliance with the agreements. Determine the reasons for any differences.

Summarize statistical operations reports prepared by the director or Telecommunications Coordinator for the three year period ended with fiscal year 199X. Compare the results and note any meaningful trends. Reconcile the volume of operations with related costs.

Review the XXX statements for the last three fiscal years. Judgmentally select five vendor payments in each year other than for payment of routine telephone bills, and verify that the payments were accurate, complete, and reasonable. Include two small dollar purchase orders ($200 to $500) for each year. Use XXX program for vouching vendor payments.

Obtain the latest capital equipment inventory listing. Review the listing for accuracy with the Director. Identify any inaccuracies. Consider a physical verification of selected items. Also determine if the listing is accurate and representative of the equipment on hand. Determine the adequacy of control for non-capital equipment. Examine documents supporting the addition/reduction of the capital inventory during the three year period ended as of August 31, 199X, and evaluate the nature of that action.

Review equipment purchases and leases during the three year period ended with fiscal year 199X. Compare actual expenditures to the amount budgeted. Verify unit prices for reasonableness. Determine total expenditures and charges to users. Perform additional analysis as deemed appropriate.

Obtain network documentation/diagrams and verify their completeness and accuracy.

Obtain a listing of all network hardware used by the installation and verify that operating documentation, instructions, etc. are maintained for each hardware component.

Obtain documentation supporting hardware switch settings (operators instructions, procedures, etc.). Review the switch settings by observing the physical configuration of the hardware. Evaluate controls over access to these switches and whether documentation is adequate to restore switch settings to normal in the event of accidental or intentional tampering.

Obtain a system-generated logical device address listing (configuration listing). Evaluate the extent to which terminal assignments have been logically defined and determine whether these assignments compromise segregation of duties or data security.

Obtain a system VTOC of the modules and programs used to support telecommunications services. Determine whether network software is secured from access by authorized personnel, and whether these libraries are adequately protected (OS-WRITE protected).

Evaluate the level of logon or dial-up security utilized to gain access to the computer. Note that the use of standardized vendor default logons should be removed from the system once the package has been operationally tested and accepted.

Review communications software configuration(s) for the existence of third-party (vendor, field service) logon authorization(s) or access privileges. Determine whether these third-parties have a demonstrated need for such access (remote diagnostic capabilities) or whether vendor default parameters have not been changed since implementation.

Obtain messaging routing tables (for store and forward messaging systems) and evaluate whether change controls to messaging software are restricted to the appropriate personnel. (Note: Routing tables usually form the basis for billable charges. Unauthorized changes could result in errors in both message destination and inter-institutional billable charges.)

Obtain a line or port dedication listing and evaluate the extent to which system and file access have been restricted.

Review telecommunications controller documentation and determine whether controller software (i.e., ACT/VTAM-NCP) can be adequately secured by stand alone means or through mainframe software security.

Obtain system accountability (USAGE, HISTORY, SECURITY) listings and verify, on a sample basis, that users have been authorized to access the system.

Review any security violations/attempts listings and determine corrective actions taken by management.
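A worked example added here, not part of the original post or of the audit program it reproduces: a review of the logon table of a communications package against the three items above on vendor default logons, third-party (vendor, field service) access privileges, and system accountability listings. The logon names, the set of "vendor default" names, the justification text and the dates are all constructed; the default-logon set in particular is a placeholder for whatever the real vendor documentation lists, not a statement about any product.

```python
"""Logon-table review for vendor defaults, third-party access and dormant accounts.
Added example; the listing, the default-logon set and all dates are constructed."""
from datetime import date

REVIEW_DATE = date(2002, 7, 26)  # constructed audit date

# Constructed stand-in for the logon names the vendor's documentation says ship with the package.
VENDOR_DEFAULT_LOGONS = {"FIELDSVC", "SYSTEST", "INSTALL"}

# Constructed extract of the communications software's logon table.
# 'need' is the documented business reason; 'expires' the end of the authorization, if any.
ACCOUNTS = [
    {"logon": "OPER01",   "kind": "staff",  "need": "switch operator",
     "expires": None,               "last_logon": date(2002, 7, 25)},
    {"logon": "FIELDSVC", "kind": "vendor", "need": "",
     "expires": None,               "last_logon": None},
    {"logon": "ACMEDIAG", "kind": "vendor", "need": "remote diagnostics, CR-88",
     "expires": date(2001, 12, 31), "last_logon": date(2002, 6, 30)},
    {"logon": "TELCO2",   "kind": "vendor", "need": "PBX maintenance contract",
     "expires": date(2003, 6, 30),  "last_logon": date(2002, 7, 20)},
    {"logon": "TMPUSER",  "kind": "staff",  "need": "project conversion",
     "expires": None,               "last_logon": date(2001, 9, 1)},
]


def vendor_defaults_present(accounts, defaults=VENDOR_DEFAULT_LOGONS):
    """Shipped logons still defined after the package went live; each is a finding."""
    return sorted(a["logon"] for a in accounts if a["logon"] in defaults)


def third_party_exceptions(accounts, as_of):
    """Vendor or field-service logons with no documented need, or whose authorization
    has lapsed: both point at default parameters left unchanged since implementation."""
    out = []
    for a in accounts:
        if a["kind"] != "vendor":
            continue
        if not a["need"].strip():
            out.append((a["logon"], "no documented need"))
        elif a["expires"] is not None and a["expires"] < as_of:
            out.append((a["logon"], "authorization expired " + a["expires"].isoformat()))
    return sorted(out)


def dormant_accounts(accounts, as_of, max_idle_days=180):
    """Logons never used, or idle longer than the policy limit, per the USAGE/HISTORY listing."""
    return sorted(a["logon"] for a in accounts
                  if a["last_logon"] is None
                  or (as_of - a["last_logon"]).days > max_idle_days)


def review_logon_table(accounts, as_of):
    """Bundle the three checks into one set of findings for the work papers."""
    return {
        "vendor_defaults": vendor_defaults_present(accounts),
        "third_party":     third_party_exceptions(accounts, as_of),
        "dormant":         dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for heading, items in review_logon_table(ACCOUNTS, REVIEW_DATE).items():
        print(heading, "->", items)
```

A logon that appears under more than one heading (here FIELDSVC: a shipped default, with no documented need and never used) is the clearest case for removal; the ones that appear only as dormant or only as expired are questions for management about whether the access is still needed.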

#16
Original poster | Posted 2002-7-26 13:47
Telecommunications Billings and Accounts Receivable
OBJECTIVES: To evaluate the adequacy of controls over telecommunications billing and accounts receivable functions (i.e., to ensure that all income transactions are promptly recorded).

FIELDWORK PREPARATION

Discuss all program steps, ICQ questions, and work paper format with the Director to determine applicability to the area to be audited. Obtain Director's approval of the Audit Program.
Extract data from the department's FRS general ledger for the period under review. Determine the amount of outstanding accounts receivable recorded.
REVENUE CYCLE CONTROLS

Complete the Billing and Accounts Receivable ICQ.
Gain a thorough understanding of the department's revenue cycle. Determine controls designed to ensure: sales are billed accurately and promptly, sales and accounts receivable are recorded accurately, and outstanding receivables are monitored and collected. Prepare flowcharts which include:
types of accounts;
determination of fees and charges;
discounts to customers and employees;
credit investigation procedures;
billing procedures;
recognition or non-recognition of accounts receivable on FRS;
collection procedures;
aging of accounts receivable;
bad debt policies and procedures;
other pertinent facts, policies, procedures.
Determine if the proper controls are present for manual charges and credit transactions.
Verify that there are current written procedures for the revenue cycle.
Determine if there is separation of the billing and accounts receivable duties.
BILLING

If pre-numbered workorder forms are used, examine the department's records to insure the department controlled the numerical sequence.
Test a sample of workorders for the following attributes:
goods/services provided match goods/services billed;
charges to FRS accounts are approved;
footings and extensions are correct;
invoices are properly recorded in customer accounts on FRS and BRS;
appropriate rates were applied;
other tests as necessary to evaluate whether all transactions are properly authorized, billed and recorded
NOTE: Provide documentation for at least one account in the work papers as an example. Also, record details of any discrepancies.

Determine that credits issued were properly documented and authorized.
Test samples of long distance carrier charges from MCI, AT&T, US West, and other carriers to determine if the billing statements contain any erroneous charges to Telecommunications.
ACCOUNTS RECEIVABLE

Obtain (or prepare) an aging of accounts receivable as of the audit date (or a listing of outstanding accounts if an aging is not feasible) to determine if the department is effectively collecting outstanding accounts.
Select a sample of accounts for confirmation and send confirmations (with the department's invoices if possible). Consider positive and/or negative confirmations. Send positive confirmations on administrative billings and negative confirmations on BRS billings.
Determine if there are controls to ensure that all customers are billed. Review the reconciliation procedures of the long distance carriers to Telecommunications' management system. Determine if controls exist to ensure that Telecommunications is rebilling carrier charges to administrative and student accounts.
Determine if the department is extending credit to customers with past-due balances by comparing current customers with customers with past-due balances. Inquire why any additional credit is extended.
Obtain and review department's most current reconciliation of customer ledger balances (or other records by customer) with the aging of accounts receivable and the balance of accounts receivable recorded on FRS. If a current reconciliation is not performed, reconcile total of customer ledger balances to accounts receivable recorded on FRS.
Document if there are any intra-university accounts receivable and determine if the reason for establishment of these accounts is in compliance with sponsored research policies and guidelines.
Examine confirmation replies. Investigate and document explanations for any exceptions.
Mail second requests for positive confirmation where replies were not received after 14-21 days from the date of the original request.
If the customer did not return the confirmation, perform alternative procedures such as examination of customers' payment subsequent to the audit date as evidence of the existence of the account balance.
Summarize confirmation results.
Judgmentally select a sample of past due accounts receivable (or as an alternative, consider statistical sampling). Review collection efforts on each account selected and record details in the working papers. Review procedures for coordinating collection efforts with the Fiscal Office.
Examine procedures and documentation for accounts receivable previously written off and review controls to ensure all were properly authorized.
Examine procedures and documentation for accounts receivable sent to campus Fiscal Office to put on BRS and review controls to ensure all were properly recorded on BRS.
RATE SETTING

Review the department's method of setting rates to determine if cost studies are prepared, costs are tracked, and rates are approved.
Send a confirmation letter to the Computing, Telecommunications and Information Services (CTIS) to confirm the latest rate table supplied to Telecommunications.
Select a sample of long distance charges from administrative and student billing. Manually recalculate charges from rate tables and compare results.
List additional audit steps determined necessary during the audit. Obtain Director's approval.
Prepare interim recommendations, complete workpapers and prepare an audit draft report. Submit for review. Clear review notes. Complete audit report. Set up exit conference.
If, as a result of your work on this program, you have any suggestions for revising this program, indicate below and describe your suggestions.

17#
OP | Posted 2002-8-6 16:28
nt_checklist

18#
Posted 2002-8-13 10:52

Let us know.

降龙, you are a good person!

19#
Posted 2002-9-6 18:19

Work Program

Why all the trouble? Just go to www.itaudit.org and download all the audit checklists and programs you want!!!

20#
Posted 2002-9-9 14:08

For all your Checklist and Audit Program needs

Copyright 1999-2011 itpub.net All Rights Reserved. Copyright Beijing Shengtuo Youxun Information Technology Co., Ltd.