Name(s): Agustin, MaraiahMayette, M
Atienza, Arlene Joy, Y.
AREA OF RISKS
1. Operating Systems
2. Databases and files
Schedule: M-W 8:00-9:30
I. AUDIT PROGRAM FOR TEST OF GENERAL CONTROLS
POSSIBLE AUDIT OBJECTIVES
ERRORS/IRREGULARITIES
 Virus
 Unauthorized access
 Cybercrime Attacks
 Crashing, freezing and
generally poor
performance
 Corrupted files
 Crashing database
 Lost information
 Unauthorized access to
Date of Submission: August 30, 2017
AUDIT PROCEDURES
 To assess the  Verify that all users are
effectiveness of required to have
configuration and passwords
security of operation  Verify the new users
system are instructed in the
 To identify and use Of passwords and
authenticate users and the importance of
superusers password control
 Purchase software only
from reputable vendors
and accept only those
products that are in
their original, factory
sealed packages.
 Establish entity wide
procedures for making
changes to production
programs.
 Verify the new software
is tested on standalone
workstations prior to
being implemented on
the network server\
 Verify that the current
version of anti-virus is
installed on the server
 To obtain assurance on Eliminate weak or default
the database controls in passwords
place that would ensure  Maintain role-based
compliance with IT access controls and
INTERNAL CONTROL
QUESTIONNAIRE
 Does the company
have its protection
against unwanted
access over the
system?
 Does the company
require proper
authorization of its
users? And does it
keep record of these
access?
 How does the company
secures its own
system’s operation?
 Do they provide
additional security level
against unauthorized
access?
 How do the company
prepare for loss of files?
Does it implement any
back up program?

3. IT Organizational Structure
4. Computer Center Security
information Security Governance
 To ensure adequate
controls were
consistently maintained
in databases
 Weakness of internal  To assess the
control understanding and
 Insufficient separation of clarification of everyone
duties may increase else’s role and scope
risks of errors or
inappropriate actions
• Equipment and  To obtain an
software may be understanding of
inappropriate for significant processes
achieving the and practices
business objectives supporting the Data
• Data Center Center operations,
management  To develop and
systems may be implement an
ineffective and
disable access after an  How do they prevent
employee changes possible circumvention
positions of the systems
 Protect access to the databases and files
database server from happening?
 Disable non-use  Do they have a backup
functionality plan? And does it
 Use selective assure that interruption
encryption won’t have a great
impact on the
operation?
 Provide account  Does it provide a good
management to all staff control over the
and assessments and alignment of duties?
inspections for IT  How do they respond
solutions on conflict or improper
 Provide security distribution of duties?
expertise and  If incompatible duties
resources necessary to were combined how do
protect the they manage to resolve
organization’s this? Any course action
information taken?
 Take a proactive  How do they inform the
approach to incident people about their work
prevention and different functions?
 Evaluate the
organizational structure
to assure the proper
accountability and
separation of duties
exists
 Gain an understanding  Is the place properly
of data center secured? Does it
operational processes provide a high level of
by reviewing written assurance that the
procedure manuals. If large number of data
written procedures do are properly handled?
not exist or are not  Do they take necessary
followed flowcharting procedures before
key processes may be
 inefficient due to enterprise-class data
misalignment with center for securing and
their mission and not delivering critical
capable of meeting information assets
the business  Implement security
objectives. policies and technical
• A formal risk tools to protect data
assessment may not from loss, threat, theft,
have been compromise of other
performed. inappropriate use
5. New System Development • New systems may • Provide management
not be adequately with an independent
scanned for assessment of the progress,
vulnerabilities and quality and attainment of
unnecessary project/program objectives at
services before defined milestones within the
being placed in the project/program
production environment • Provide management
with an evaluation of the
internal controls of proposed
business processes at a point in
the development cycle where
enhancements can be easily
implemented and processes
adapted
• Satisfy process
needed to identify gaining access to the
process strengths, facility?
weaknesses, and  Does it give assurance
mitigating controls that proper security
 Determine who is controls are put in place
responsible for to secure data?
declaring an  Do they have any
emergency and backup and plans? Is it
invoking the emergency effective in case of a
response plan. disaster had come?
 Identify the key Data
Center functions,
activities, services, and
missions. Some data
centers may still run
mainframe systems
and engage in program
development, batch
processing, have input
and output products
and controls and
related internal
controls, like control
totals, et
 Is it in conformity with
the objectives of the
internal control?
 Does it provide
additional benefits like
assuring that it can
deter error or possibility
of manipulation of data?
 Did the new
development passed all
the standards that the
company requires?

6. Program Maintenance Undocumented Programs
Easy access to the program
Programs can easily be altered
7. Intranet and Internet • Unauthorized access
• Virus
• Easy access Data
audit/assurance objectives in
reviewing the process before it
goes live, place future reliance
on the process based upon the
assurance work performed
while the application is under
development, and implement
integrated computer-assisted
audit techniques (CAATs) as
part of the design of the
application
To oversee maintenance
resources so that the
organization does not
experience downtime
To maximize the value security
of internent and intranet
To verify user’s identity
 Does the department
maintain a complete
machinery history of the
facility
and equipment?
 Does the department
use work standards and
review past work to
determine and
implement time saving
work methods?
 Is there a departmental
safety program of
safety training courses,
including
lockout/tagout, forklift
safety, lift-truck driving,
lifting, electrical
hazards,
electrical explosive
hazards, electrical arc
flash hazards, welding,
compressed
gases, and other state
mandated safety
courses.?
• Authentication  What are the security
• Restriction by measures needed?
username and
 • Hacking and vandals password
• Cyber terrorism • Restriction by IP
• addres, subnet or
domain
• Establish firewalls

8. Electronic Data interchange • To determine that • •Tests of

all EDI transactions Authorization and
are authorize, Validation Controls.
validated, and in The auditor should
compliance with the establish that
trading partner trading partner
agreement identification codes
• To determine that are verified before
no unauthorized transactions are
organizations gain processed. To
access to database accomplish this,
records. the auditor should
• To determine (1) review
authorized trading agreements with
partners have the VAN facility to
access only to validate
approved data transactions and
• To determine ensure that
adequate controls information
are in place to regarding valid
ensure complete trading partners is
audit trail of all EDI complete and
transactions correct, and (2)
examine the
organization’s valid
trading partner file
for accuracy and
completeness.
• Tests of Access
Controls. Security
over the valid
trading partner file
and databases is
central to the EDI
 control
• Tests of Audit Trail
Controls. The
auditor should
verify that the EDI
system produces a
transaction log that
tracks transactions
through all stages
of processing. By
selecting a sample
of transactions and
tracing these
through the
process, the
auditor can verify
that key data
values were
recorded correctly
at each point.
9. Stand-alone pc’s and peripheral Minimal Security for data files • Verify that controls • Where appropriate,
devices Weak access control are in place to the auditor should
Inadequate segregation of duties protect data, determine that
Risk of theft programs, and multilevel password
Weak back up procedures computers from control is used to
Rik of virus infection unauthorized limit access to data
access, • •If removable or
manipulation, external hard
destruction, and drives are used,
theft. the auditor should
• •Verify that verify that the
adequate drives are removed
supervision and and stored in a
operating secure location
procedures exist to when not in use
compensate for
lack of segregation • •By selecting a
between the duties sample of backup
of users, files, the auditor
programmers, and can verify that
 operators. backup procedures
• •Verify that backup are being followed.
procedures are in By comparing data
place to prevent values and dates
data and program on the backup
loss due to system disks to production
failures, errors, and files, the auditor
so on. can assess the
• •Verify that systems frequency and
selection and adequacy of
acquisition backup
procedures procedures. If an
produce online backup
applications that service is used, the
are high quality, auditor should
and protected from verify that the
unauthorized contract is current
changes. and adequate to
• •Verify that the meet the
system is free from organizations
viruses and needs.
adequately
protected to
minimize the risk of
becoming infected
with a virus or
similar object.

REFERENCES:https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/UNIX-LINUX-Operating-System-Security-Audit-Assurance-Program.aspx
https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Microsoft-SQL-Server-Database-Audit-Assurance-Program.aspx
https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Systems-Development-and-Project-Management-Audit-Assurance-Program.aspx
https://johnthecpa.wikispaces.com/file/view/Lecture+6.pptx
https://www.sajim.co.za/index.php/SAJIM/article/viewFile/82/79
https://it.ouhsc.edu/services/datacenterhost/sds/GoalsBenefitsObjectives.asp

Name(s): Agustin, MaraiahMayette M. Shedule: M-W 8:00-9:30 Date of submission: August 30, 2017

Atienza, Arlene Joy, Y.

 II. I. AUDIT
PROGRAM FOR
TEST OF
APPLICATION
CONTROLS
AREA OF RISK POSSIBLE
ERRORS/IRREGULARITIES
DATA INPUTS Improper/erroneousrecording of
transaction or access to
data,non-recording of inputs of
unauthorized users, inappropriate
separation of duties
DATA PROCESSING Inputs put in the process may be
manipulated by unauthorized and
even authorized users, the
procedures can be changed by
the people who gains access to
the system. A database-
management system or other
software may provide some
security functions.
AUDIT OBJECTIVES
 To determine if proper
controls were placed to
secure that only authorized
people can access the
system
 To verify if controls are
already in place, does it
provide assurance that they
are properly utilized
 To examine if the system’s
function is doing what it is
intended for
 To verify if the system was
able to detect irregularities
and errors
 To determine how the
system respond to failures
and errors
AUDIT PROCEDURES INTERNAL CONTROL
QUESTIONNAIRE
 Review security  Does it provide
packages access- information integrity?
What controls are put into
control definitions,
place according to the
logon IDs and need of the company?
associated privileges Will it suffice the needed
 authentication security?
methods, access and  Does it prevent any
resource rules, source unauthorized access?
and shift group Does it make the data
more accurate?
definitions, and logical
transactional groups
for appropriateness
 Observe the operation  How does the process
and interview staff to works in alignment with
the established controls
determine that
and desired outcome?
terminals are
 Does it provides more
restricted to meaningful data?
authorized personnel  Does it prevent human
by these means: error or corrects them?
• Terminals are located
in supervised and
secured areas.
• Physical identifiers
such as cards or keys
are required for
terminal operation.

OUTPUT/REPORTS Reports may be circumvented
that can make it materially
misstated.
 To verify the level of
information integrity that the
systems provides
 To determine if
irregularities and errors are
already eliminated before
the reports were made
Cards and keys are
controlled by
authorized personnel
only.
• Terminals are
restricted to
authorized functions.
 Review approval forms  Do they review prior
to determine that period reports? How do
they respond to material
access to data,
differences?
terminals, and
 Do they consider proper
applications have been segregation of duties?
approved by That the responsible
data/application person for the output
owners. weren’t capable of
• Review violation reports manipulating data.
 What are the methods of
to determine that
evaluating reports?
exceptions have been
resolved promptly