aprina@uksw.edu

Audit Program

Audit programs are:
• Essentially checklists of the various tests that auditors must perform within the scope of their audits
• Used to determine whether key controls intended to mitigate significant risks are functioning as designed
• Based on the results of the tests performed: → determine the adequacy of the controls over a particular process

Audit programs are necessary to perform an effective and efficient audit.

BENEFITS OF AUDIT PROGRAM
• Assist audit management in resource planning
• Promote consistency in tests performed on audits of the same process from one cycle to the next → the previous audit programs can be employed during the current audit
• Promote consistency in tests performed on controls that are common to all processes → standard audit program

INFORMATION SYSTEMS AUDIT PROGRAM
→ Designed to address the primary risks of virtually all computing systems

IS controls in the audit program:
➢ Environmental Controls
➢ Physical Security Controls
➢ Logical Security Controls
➢ IS Operating Controls

Environmental Controls
→ are more general than physical and logical security controls
• Dictate the extent to which physical and logical security controls are deployed
• Include:
  – IS security policies, standards, and guidelines;
  – the reporting structure within the IS processing environment (including computer operations and programming);
  – the financial condition of service organizations and vendors, vendor software license, maintenance, and support agreements and warranties;
  – the status of computing systems policies and procedures placed in operation at service organizations (if applicable)

Physical Security Controls
• Pertain to the protection over:
  – Computer hardware;
  – Components;
  – Facilities within which they reside
(…Although somewhat of an environmental control, insurance coverage over computing system hardware and the costs to re-create or replace lost or damaged software programs and data…)

Logical Security Controls
→ are those that have been deployed within the operating system and applications to help prevent unauthorized access and accidental or intentional destruction of programs and data
• Include:
  – System access capabilities of users;
  – System access profiles and parameters;
  – Logging mechanisms

IS Operating Controls
→ designed to help ensure that the information system is operating efficiently and effectively
• Include:
  – The timely and accurate completion of production jobs;
  – Distribution of output media;
  – Performance of backup and recovery procedures;
  – Performance of maintenance procedures;
  – Documentation and resolution of system problems;
  – Monitoring of CPU and data storage capacity utilization